Handle a deleted organization triggering auth (#4937)

Related to https://github.com/grafana/oncall-private/issues/2203
2024-08-28 13:32:24 -03:00 · 2024-08-28 13:32:24 -03:00 · d3f034b218
commit d3f034b218
parent 1840f42644
2 changed files with 41 additions and 2 deletions
--- a/engine/apps/grafana_plugin/helpers/gcom.py
+++ b/engine/apps/grafana_plugin/helpers/gcom.py
@ -28,7 +28,13 @@ def check_gcom_permission(token_string: str, context) -> GcomToken:
    stack_id = context["stack_id"]
    org_id = context["org_id"]
    grafana_token = context["grafana_token"]
-    organization = Organization.objects.filter(stack_id=stack_id, org_id=org_id).first()
+    organization = Organization.objects_with_deleted.filter(stack_id=stack_id, org_id=org_id).first()
+
+    if organization and organization.deleted_at:
+        # if an organization has been deleted, it should not be allowed to be automatically reactivated
+        # (it should go through a manual request and process)
+        raise InvalidToken
+
    if (
        organization
        and organization.gcom_token == token_string
--- a/engine/apps/grafana_plugin/tests/test_gcom.py
+++ b/engine/apps/grafana_plugin/tests/test_gcom.py
@ -2,6 +2,7 @@ from unittest.mock import patch

 import pytest

+from apps.auth_token.exceptions import InvalidToken
 from apps.grafana_plugin.helpers.gcom import check_gcom_permission
 from apps.user_management.models import Organization

@ -86,7 +87,8 @@ def test_check_gcom_permission_uniqueness_update_fields(make_organization):

    # organization does not exist in the first check but it is created before the second check
    with patch(
-        "apps.grafana_plugin.helpers.gcom.Organization.objects.filter", return_value=Organization.objects.none()
+        "apps.grafana_plugin.helpers.gcom.Organization.objects_with_deleted.filter",
+        return_value=Organization.objects.none(),
    ):
        with patch(
            "apps.grafana_plugin.helpers.GcomAPIClient.get_instance_info",
@ -106,3 +108,34 @@ def test_check_gcom_permission_uniqueness_update_fields(make_organization):
    assert org.cluster_slug == instance_info["clusterSlug"]
    assert org.api_token == fixed_token
    assert org.gcom_token == gcom_token
+
+
+@pytest.mark.django_db
+def test_check_gcom_permission_undelete_org(make_organization):
+    gcom_token = "gcom:test_token"
+    fixed_token = "fixed_token"
+    instance_info = {
+        "id": 324534,
+        "slug": "testinstance",
+        "url": "http://example.com",
+        "orgId": 5671,
+        "orgSlug": "testorg",
+        "orgName": "Test Org",
+        "regionSlug": "us",
+        "clusterSlug": "us-test",
+    }
+    context = {
+        "stack_id": str(instance_info["id"]),
+        "org_id": str(instance_info["orgId"]),
+        "grafana_token": fixed_token,
+    }
+
+    org = make_organization(stack_id=instance_info["id"], org_id=instance_info["orgId"], api_token="broken_token")
+    org.delete()
+
+    with pytest.raises(InvalidToken):
+        check_gcom_permission(gcom_token, context)
+
+    org.refresh_from_db()
+    # org is still deleted
+    assert org.deleted_at