Handle a deleted organization triggering auth (#4937)

Related to grafana/oncall-private#2203
grafana · Aug 28, 2024 · d3f034b · d3f034b
1 parent 1840f42
commit d3f034b
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 2 deletions.
diff --git a/engine/apps/grafana_plugin/helpers/gcom.py b/engine/apps/grafana_plugin/helpers/gcom.py
@@ -28,7 +28,13 @@ def check_gcom_permission(token_string: str, context) -> GcomToken:
     stack_id = context["stack_id"]
     org_id = context["org_id"]
     grafana_token = context["grafana_token"]
-    organization = Organization.objects.filter(stack_id=stack_id, org_id=org_id).first()
+    organization = Organization.objects_with_deleted.filter(stack_id=stack_id, org_id=org_id).first()
+
+    if organization and organization.deleted_at:
+        # if an organization has been deleted, it should not be allowed to be automatically reactivated
+        # (it should go through a manual request and process)
+        raise InvalidToken
+
     if (
         organization
         and organization.gcom_token == token_string

diff --git a/engine/apps/grafana_plugin/tests/test_gcom.py b/engine/apps/grafana_plugin/tests/test_gcom.py
@@ -2,6 +2,7 @@
 
 import pytest
 
+from apps.auth_token.exceptions import InvalidToken
 from apps.grafana_plugin.helpers.gcom import check_gcom_permission
 from apps.user_management.models import Organization
 
@@ -86,7 +87,8 @@ def test_check_gcom_permission_uniqueness_update_fields(make_organization):
 
     # organization does not exist in the first check but it is created before the second check
     with patch(
-        "apps.grafana_plugin.helpers.gcom.Organization.objects.filter", return_value=Organization.objects.none()
+        "apps.grafana_plugin.helpers.gcom.Organization.objects_with_deleted.filter",
+        return_value=Organization.objects.none(),
     ):
         with patch(
             "apps.grafana_plugin.helpers.GcomAPIClient.get_instance_info",
@@ -106,3 +108,34 @@ def test_check_gcom_permission_uniqueness_update_fields(make_organization):
     assert org.cluster_slug == instance_info["clusterSlug"]
     assert org.api_token == fixed_token
     assert org.gcom_token == gcom_token
+
+
+@pytest.mark.django_db
+def test_check_gcom_permission_undelete_org(make_organization):
+    gcom_token = "gcom:test_token"
+    fixed_token = "fixed_token"
+    instance_info = {
+        "id": 324534,
+        "slug": "testinstance",
+        "url": "http://example.com",
+        "orgId": 5671,
+        "orgSlug": "testorg",
+        "orgName": "Test Org",
+        "regionSlug": "us",
+        "clusterSlug": "us-test",
+    }
+    context = {
+        "stack_id": str(instance_info["id"]),
+        "org_id": str(instance_info["orgId"]),
+        "grafana_token": fixed_token,
+    }
+
+    org = make_organization(stack_id=instance_info["id"], org_id=instance_info["orgId"], api_token="broken_token")
+    org.delete()
+
+    with pytest.raises(InvalidToken):
+        check_gcom_permission(gcom_token, context)
+
+    org.refresh_from_db()
+    # org is still deleted
+    assert org.deleted_at