|
1 | 1 | import hashlib
|
2 | 2 | import itertools
|
3 | 3 | import sys
|
4 |
| -import time |
5 | 4 | import uuid
|
6 |
| -import pytz |
7 | 5 |
|
8 | 6 | import apps.logging.request_logger as logging
|
9 | 7 |
|
|
14 | 12 | from django.contrib.auth import get_user_model
|
15 | 13 | from django.core.files.storage import default_storage
|
16 | 14 | from django.core.validators import RegexValidator
|
17 |
| -from django.db import models, transaction |
| 15 | +from django.db import models |
18 | 16 | from django.db.models import Q
|
19 | 17 | from django.db.models.signals import (
|
20 | 18 | post_delete,
|
|
33 | 31 | from waffle import get_waffle_flag_model
|
34 | 32 |
|
35 | 33 | from apps.capabilities.models import ProtectedCapability
|
36 |
| -from apps.authorization.models import DataAccessGrant |
37 | 34 |
|
38 | 35 | TEN_HOURS = "for 10 hours"
|
39 | 36 |
|
@@ -237,71 +234,30 @@ def save(self, *args, **kwargs):
|
237 | 234 | ):
|
238 | 235 | raise ValueError("Invalid data_access_type: " + self.data_access_type)
|
239 | 236 |
|
240 |
| - flag = get_waffle_flag_model().get("limit_data_access") |
241 |
| - if flag.id is not None and flag.is_active_for_user(self.user): |
242 |
| - # Check if data_access_type is changed |
243 |
| - # if so, need to void all grants associated |
244 |
| - |
245 |
| - logger = logging.getLogger(logging.AUDIT_APPLICATION_TYPE_CHANGE, None) |
246 |
| - |
247 |
| - app_type_changed = False |
248 |
| - |
249 |
| - log_dict = { |
250 |
| - "type": "application_data_access_type_change", |
251 |
| - } |
252 |
| - with transaction.atomic(): |
253 |
| - # need to put delete and save in a transaction |
254 |
| - app_from_db = None |
255 |
| - try: |
256 |
| - app_from_db = Application.objects.get(pk=self.id) |
257 |
| - if app_from_db is not None: |
258 |
| - if self.data_access_type != app_from_db.data_access_type: |
259 |
| - # log audit event: application data access type changed |
260 |
| - start_time = time.time() |
261 |
| - log_dict.update( |
262 |
| - { |
263 |
| - "application_id": self.id, |
264 |
| - "application_name": self.name, |
265 |
| - "data_access_type_old": app_from_db.data_access_type, |
266 |
| - "data_access_type_new": self.data_access_type, |
267 |
| - "grant_start": datetime.now().strftime("%m/%d/%Y, %H:%M:%S"), |
268 |
| - } |
269 |
| - ) |
270 |
| - if self.has_one_time_only_data_access(): |
271 |
| - dag_deleted = DataAccessGrant.objects.filter(application=self).delete() |
272 |
| - end_time = time.time() |
273 |
| - delete_stats = { |
274 |
| - "elapsed_seconds": end_time - start_time, |
275 |
| - "number_of_grant_deleted": dag_deleted[0], |
276 |
| - "grant_delete_complete": datetime.now().strftime("%m/%d/%Y, %H:%M:%S") |
277 |
| - } |
278 |
| - log_dict.update(delete_stats) |
279 |
| - elif "THIRTEEN_MONTH" in self.data_access_type: |
280 |
| - grants = DataAccessGrant.objects.filter(application=self) |
281 |
| - for grant in grants: |
282 |
| - grant.expiration_date = datetime.now().replace( |
283 |
| - tzinfo=pytz.UTC |
284 |
| - ) + relativedelta(months=+13) |
285 |
| - grant.save() |
286 |
| - end_time = time.time() |
287 |
| - update_stats = { |
288 |
| - "elapsed_seconds": end_time - start_time, |
289 |
| - "number_of_grants_updated": grants.count(), |
290 |
| - "grant_update_complete": datetime.now().strftime("%m/%d/%Y, %H:%M:%S") |
291 |
| - } |
292 |
| - log_dict.update(update_stats) |
293 |
| - app_type_changed = True |
294 |
| - except Application.DoesNotExist: |
295 |
| - # new app |
296 |
| - pass |
297 |
| - self.copy_client_secret() |
298 |
| - super().save(*args, **kwargs) |
299 |
| - if app_type_changed: |
300 |
| - log_dict.update({"application_saved_and_grants_updated_or_deleted": "Yes"}) |
| 237 | + # Check if data_access_type is changed |
| 238 | + # if so, log and leave existing access grants unchanged |
| 239 | + app_from_db = None |
| 240 | + try: |
| 241 | + app_from_db = Application.objects.get(pk=self.id) |
| 242 | + |
| 243 | + if app_from_db is not None: |
| 244 | + if self.data_access_type != app_from_db.data_access_type: |
| 245 | + logger = logging.getLogger(logging.AUDIT_APPLICATION_TYPE_CHANGE, None) |
| 246 | + |
| 247 | + # log audit event: application data access type changed |
| 248 | + log_dict = { |
| 249 | + "type": "application_data_access_type_change", |
| 250 | + "application_id": self.id, |
| 251 | + "application_name": self.name, |
| 252 | + "data_access_type_old": app_from_db.data_access_type, |
| 253 | + "data_access_type_new": self.data_access_type, |
| 254 | + } |
301 | 255 | logger.info(log_dict)
|
302 |
| - else: |
303 |
| - self.copy_client_secret() |
304 |
| - super().save(*args, **kwargs) |
| 256 | + except Application.DoesNotExist: |
| 257 | + # new app |
| 258 | + pass |
| 259 | + self.copy_client_secret() |
| 260 | + super().save(*args, **kwargs) |
305 | 261 |
|
306 | 262 | # dedicated save for high frequency used first / last active timestamp updates
|
307 | 263 | def save_without_validate(self, *args, **kwargs):
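Review bot: The `application_data_access_type_change` audit event is now emitted by `logger.info(log_dict)` before `self.copy_client_secret()` and `super().save(*args, **kwargs)`, so a save that raises (validation or database error) leaves an audit record for a change that was never persisted; the removed code logged only after the save, inside `transaction.atomic()`. I would set `log_dict = None` before the `try`, build the dict in the `if self.data_access_type != app_from_db.data_access_type:` branch, and log after the save with `if log_dict is not None: logging.getLogger(logging.AUDIT_APPLICATION_TYPE_CHANGE, None).info(log_dict)`. The `if app_from_db is not None:` test looks redundant, since `Application.objects.get()` raises `DoesNotExist` rather than returning `None`. Because grants are now left untouched on a type change, a comment on the branch such as `# existing DataAccessGrant rows keep their current expiration; only the audit event records the change` would help whoever reads this log during an access review. The rendered page has lost indentation and the body of `save` starts outside the hunk, so the nesting of the context line `logger.info(log_dict)` is inferred.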
|
|