discord / access Goto Github PK
View Code? Open in Web Editor NEWAccess, a centralized portal for employees to transparently discover, request, and manage their access for all internal systems needed to do their jobs
License: Apache License 2.0
Access, a centralized portal for employees to transparently discover, request, and manage their access for all internal systems needed to do their jobs
License: Apache License 2.0
๐๐ป
Hey guys, I saw your new blog and thought I should check it out.
๐
Upon setting up, while running the flask db upgrade
command to seed the DB, it turns out that it throws up an error.
โ ๏ธ
Error:
Traceback (most recent call last):
File "/home/scott/access/venv/bin/flask", line 8, in <module>
sys.exit(main())
^^^^^^
File "/home/scott/access/venv/lib/python3.11/site-packages/flask/cli.py", line 1107, in main
cli.main()
File "/home/scott/access/venv/lib/python3.11/site-packages/click/core.py", line 1078, in main
rv = self.invoke(ctx)
^^^^^^^^^^^^^^^^
File "/home/scott/access/venv/lib/python3.11/site-packages/click/core.py", line 1688, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/scott/access/venv/lib/python3.11/site-packages/click/core.py", line 1688, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/scott/access/venv/lib/python3.11/site-packages/click/core.py", line 1434, in invoke
return ctx.invoke(self.callback, **ctx.params)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/scott/access/venv/lib/python3.11/site-packages/click/core.py", line 783, in invoke
return __callback(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/scott/access/venv/lib/python3.11/site-packages/click/decorators.py", line 33, in new_func
return f(get_current_context(), *args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/scott/access/venv/lib/python3.11/site-packages/flask/cli.py", line 388, in decorator
return ctx.invoke(f, *args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/scott/access/venv/lib/python3.11/site-packages/click/core.py", line 783, in invoke
return __callback(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/scott/access/venv/lib/python3.11/site-packages/flask_migrate/cli.py", line 154, in upgrade
_upgrade(directory, revision, sql, tag, x_arg)
File "/home/scott/access/venv/lib/python3.11/site-packages/flask_migrate/__init__.py", line 111, in wrapped
f(*args, **kwargs)
File "/home/scott/access/venv/lib/python3.11/site-packages/flask_migrate/__init__.py", line 200, in upgrade
command.upgrade(config, revision, sql=sql, tag=tag)
File "/home/scott/access/venv/lib/python3.11/site-packages/alembic/command.py", line 403, in upgrade
script.run_env()
File "/home/scott/access/venv/lib/python3.11/site-packages/alembic/script/base.py", line 583, in run_env
util.load_python_file(self.dir, "env.py")
File "/home/scott/access/venv/lib/python3.11/site-packages/alembic/util/pyfiles.py", line 95, in load_python_file
module = load_module_py(module_id, path)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/scott/access/venv/lib/python3.11/site-packages/alembic/util/pyfiles.py", line 113, in load_module_py
spec.loader.exec_module(module) # type: ignore
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "<frozen importlib._bootstrap_external>", line 940, in exec_module
File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
File "/home/scott/access/migrations/env.py", line 92, in <module>
run_migrations_online()
File "/home/scott/access/migrations/env.py", line 86, in run_migrations_online
context.run_migrations()
File "<string>", line 8, in run_migrations
File "/home/scott/access/venv/lib/python3.11/site-packages/alembic/runtime/environment.py", line 948, in run_migrations
self.get_context().run_migrations(**kw)
File "/home/scott/access/venv/lib/python3.11/site-packages/alembic/runtime/migration.py", line 627, in run_migrations
step.migration_fn(**kw)
File "/home/scott/access/migrations/versions/d6db40b0805d_initial_migration.py", line 79, in upgrade
sa.UniqueConstraint("email", name=op.f('idx_email'), postgresql_where=sa.text("deleted_at IS NULL")),
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/scott/access/venv/lib/python3.11/site-packages/sqlalchemy/sql/schema.py", line 4340, in __init__
Constraint.__init__(
File "/home/scott/access/venv/lib/python3.11/site-packages/sqlalchemy/sql/schema.py", line 4117, in __init__
self._validate_dialect_kwargs(dialect_kw)
File "/home/scott/access/venv/lib/python3.11/site-packages/sqlalchemy/sql/base.py", line 618, in _validate_dialect_kwargs
raise exc.ArgumentError(
sqlalchemy.exc.ArgumentError: Argument 'postgresql_where' is not accepted by dialect 'postgresql' on behalf of <class 'sqlalchemy.sql.schema.UniqueConstraint'>
๐ก
Keep in mind that I'm not very familiar with Python and databases. So I might be dumb at some times.
I'd like to make some conditional access decisions based on the tags that are applied to an Okta Group within Access.
I have an exploratory branch here if it's useful.
# Auto Approve if "AutoApproval" is applied to Group
if not access_request.request_ownership and "AutoApproval" in group_tags:
logger.info(f"Auto-approving access request {access_request.id} to group {group.name}")
return ConditionalAccessResponse(
approved=True,
reason="Group membership auto-approved based on AutoApproval tag",
ending_at=access_request.request_ending_at,
)
transcript of (Gabriel's half of) a conversation with @somethingnew2-0
why do u use exponential backoff when Okta tells you when u can retry the api call?
access/api/services/okta_service.py
Lines 41 to 66 in 40d8c0b
if u get a 429 error that tells u when to retry, why not look at those headers?
eg (and this isn't perfect, but...)
https://github.com/gabrielsroka/gabrielsroka.github.io/blob/master/console/index.html#L169-L187
ie, if u reach the rate limit at 10:00:00 and it tells u to retry at 10:01:00, there's no point in retrying at 10:00:01.2, 10:00:02.4, 10:00:04.8. ur just gonna get more errors
Okta provides three headers in each response to report on both concurrent and org-wide rate limits.
For org-wide rate limits, the three headers show the limit that is being enforced, when it resets, and how close you are to hitting the limit:
X-Rate-Limit-Limit - the rate limit ceiling that is applicable for the current request.
X-Rate-Limit-Remaining - the number of requests left for the current rate-limit window.
X-Rate-Limit-Reset - the time at which the rate limit resets, specified in UTC epoch time (in seconds).
As a fellow security engineer who works on GitHub's open source IAM system (entitlements), this is really awesome work!
Issue with datetime object comparisons related to timezone awareness and comparison. Report on CloudSec Slack forum as well.
Issue appears when testing the Conditional Access plugin and adding any Group tag to the "Auto-Approved-Group".
File "/Users/jonathan.le/dev/jonathanhle/access/api/operations/approve_access_request.py", line 122, in execute
ModifyGroupUsers(
File "/Users/jonathan.le/dev/jonathanhle/access/api/operations/modify_group_users.py", line 56, in __init__
self.members_added_ended_at = coalesce_ended_at(
^^^^^^^^^^^^^^^^^^
File "/Users/jonathan.le/dev/jonathanhle/access/api/models/tag.py", line 43, in coalesce_ended_at
return min(constraint_ended_at, initial_ended_at)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: can't compare offset-naive and offset-aware datetimes
more converstaions with @somethingnew2-0
i noticed this "pattern" 4 times (paginating thru a given api)
access/api/services/okta_service.py
Lines 96 to 105 in 7fda498
retry
the next()
, too?
i use async generators for it. write it once, factor it out, reuse it everywhere. something like
import asyncio
from okta.client import Client as OktaClient
async def get_applications():
async with OktaClient() as okta_client:
filter = {'filter': 'status eq "ACTIVE"'}
async for app in get_objects(okta_client.list_applications(filter)):
print(f"Application Name: {app.name}")
print(f"Application ID: {app.id}")
async for app_user in get_objects(okta_client.list_application_users(app.id)):
print(app_user.id)
print()
async def get_objects(coro):
objects, resp, _ = await coro
while objects:
for object in objects:
yield object
objects, _ = await resp.next() if resp.has_next() else (None, None)
asyncio.run(get_applications())
but that might not work here. i wrote it a while ago. maybe i should rewrite it
Hello! I just came back from a short break and am poking around at Discord Access again. I'm not sure when, but there seems to be some sort of regression (at least on my local) where non-Okta Admin users are unable to cancel their own Pending Access Requests:
It's running under Python 3.12.3
on my Intel Mac in a VENV (just following the setup on the README).
What I just did 5 minutes ago:
gh repo clone discord/access access-unchanged
CURRENT_OKTA_USER_EMAIL
python3 -m venv venv
. venv/bin/activate
pip install -r requirements.txt
flask db upgrade
flask init <YOUR_OKTA_USER_EMAIL> #where I init with and Okta Admin User
export CURRENT_OKTA_USER_EMAIL="[email protected]". #i switch over with an ENV VAR over to a Okta NonAdmin User
I'm pretty sure I tested non-Okta Admin users being able to cancel their own requests before - is this a regression?
Hi!
I've got a kubernetes deployment of access and I'm getting a blank page when trying to access the UI. Digging into the logs, below is what I'm getting. Can you assist with this?
Thanks!
kubectl -n dev-access logs -f -l app=dev-access
WHERE okta_user.email ILIKE %(email_1)s AND okta_user.deleted_at IS NULL
LIMIT %(param_1)s
2024-05-17 19:53:15,123 INFO sqlalchemy.engine.Engine [cached since 264.8s ago] {'email_1': '[email protected]', 'param_1': 1}
[cached since 264.8s ago] {'email_1': '[email protected]', 'param_1': 1}
2024-05-17 19:53:15,125 INFO sqlalchemy.engine.Engine ROLLBACK
ROLLBACK
[17/May/2024:19:53:15 +0000] "GET /manifest.json HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15"
2024-05-17 19:53:15,127 INFO sqlalchemy.engine.Engine ROLLBACK
ROLLBACK
[17/May/2024:19:53:15 +0000] "GET /static/js/main.764bef9b.js HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4.1 Safari/605.1.15"
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.