Group permission sets by approval status

Piccirello · Piccirello · commit ea1556023c27 · 2026-04-13T23:34:51.000-07:00
Display permission sets under the groups "Auto approved" and "Requires approval" so that users know what to expect before requesting the permission. This pushes users to request auto approved permissions, which is preferable since those are generally less permissive.
diff --git a/src/main.py b/src/main.py
@@ -739,6 +739,35 @@ def handle_duration_picker_action(ack):  # noqa: ANN201, ANN001
     ack()
 
 
+def classify_auto_approved_permission_sets(  # noqa: PLR0913
+    statements: frozenset[statement.Statement],
+    permission_sets: list[entities.aws.PermissionSet],
+    account_ids: list[str],
+    requester_email: str,
+    user_group_ids: set[str],
+    requester_slack_id: str,
+    approver_group_resolver: Callable[[frozenset[str]], set[str]] | None = None,
+) -> set[str]:
+    """Return ARNs of permission sets that are auto-approved for all given accounts."""
+    auto_approved = set()
+    for ps in permission_sets:
+        if all(
+            access_control.make_decision_on_access_request(
+                statements,
+                account_id=aid,
+                permission_set_name=ps.name,
+                requester_email=requester_email,
+                user_group_ids=user_group_ids,
+                permission_set_arn=ps.arn,
+                requester_slack_id=requester_slack_id,
+                approver_group_resolver=approver_group_resolver,
+            ).grant
+            for aid in account_ids
+        ):
+            auto_approved.add(ps.arn)
+    return auto_approved
+
+
 @app.action(slack_helpers.RequestForAccessView.ACCOUNT_ACTION_ID)
 def handle_account_selection(ack: Ack, body: dict, client: WebClient) -> SlackResponse:
     ack()
@@ -795,10 +824,37 @@ def handle_account_selection(ack: Ack, body: dict, client: WebClient) -> SlackRe
         updated_view = slack_helpers.RequestForAccessView.build_no_permission_sets_view(view_blocks=body["view"]["blocks"])
         return client.views_update(view_id=view_id, view=updated_view)
 
+    # Classify permission sets as auto-approved vs requires-approval
+    user_email = user_view_map.get(f"{view_key}:user_email")
+    auto_approved_arns: set[str] | None = None
+    if user_email:
+        resolver_cache: dict[frozenset[str], set[str]] = {}
+
+        def approver_group_resolver(group_ids: frozenset[str]) -> set[str]:
+            if not group_ids:
+                return set()
+            if group_ids in resolver_cache:
+                return resolver_cache[group_ids]
+            group_users, _ = slack_helpers.resolve_approver_groups(client, group_ids)
+            result = {u.id for u in group_users}
+            resolver_cache[group_ids] = result
+            return result
+
+        auto_approved_arns = classify_auto_approved_permission_sets(
+            statements=cfg.statements,
+            permission_sets=permission_sets,
+            account_ids=account_ids,
+            requester_email=user_email,
+            user_group_ids=user_group_ids,
+            requester_slack_id=user_id,
+            approver_group_resolver=approver_group_resolver,
+        )
+
     updated_view = slack_helpers.RequestForAccessView.update_with_permission_sets(
         view_blocks=body["view"]["blocks"],
         permission_sets=permission_sets,
         display_names=cfg.permission_set_display_names,
+        auto_approved_arns=auto_approved_arns,
     )
     return client.views_update(view_id=view_id, view=updated_view)
 
diff --git a/src/slack_helpers.py b/src/slack_helpers.py
@@ -17,6 +17,7 @@
     InputBlock,
     MarkdownTextObject,
     Option,
+    OptionGroup,
     PlainTextInputElement,
     PlainTextObject,
     SectionBlock,
@@ -140,29 +141,56 @@ def _get_permission_set_display_name(
             name = ps.name
         return name[:75]
 
+    @classmethod
+    def _build_permission_set_option(cls, ps: entities.aws.PermissionSet, display_names: dict[str, str] | None) -> Option:
+        return Option(text=PlainTextObject(text=cls._get_permission_set_display_name(ps, display_names)), value=ps.arn)
+
     @classmethod
     def build_select_permission_set_input_block(
         cls,
         permission_sets: list[entities.aws.PermissionSet],
         display_names: dict[str, str] | None = None,
+        auto_approved_arns: set[str] | None = None,
     ) -> InputBlock:
-        sorted_permission_sets = sorted(
-            permission_sets,
-            key=lambda ps: cls._get_permission_set_display_name(ps, display_names).lower(),
-        )
+        sort_key = lambda ps: cls._get_permission_set_display_name(ps, display_names).lower()  # noqa: E731
+
+        if auto_approved_arns is not None:
+            auto_approved = sorted([ps for ps in permission_sets if ps.arn in auto_approved_arns], key=sort_key)
+            requires_approval = sorted([ps for ps in permission_sets if ps.arn not in auto_approved_arns], key=sort_key)
+            groups = []
+            if auto_approved:
+                groups.append(
+                    OptionGroup(
+                        label=PlainTextObject(text="Auto approved"),
+                        options=[cls._build_permission_set_option(ps, display_names) for ps in auto_approved],
+                    )
+                )
+            if requires_approval:
+                groups.append(
+                    OptionGroup(
+                        label=PlainTextObject(text="Requires approval"),
+                        options=[cls._build_permission_set_option(ps, display_names) for ps in requires_approval],
+                    )
+                )
+            if groups:
+                return InputBlock(
+                    block_id=cls.PERMISSION_SET_BLOCK_ID,
+                    label=PlainTextObject(text="Permission set"),
+                    element=StaticSelectElement(
+                        action_id=cls.PERMISSION_SET_ACTION_ID,
+                        placeholder=PlainTextObject(text="Select permission set"),
+                        option_groups=groups,
+                    ),
+                )
+
+        sorted_permission_sets = sorted(permission_sets, key=sort_key)
         return InputBlock(
             block_id=cls.PERMISSION_SET_BLOCK_ID,
             label=PlainTextObject(text="Permission set"),
             element=StaticSelectElement(
                 action_id=cls.PERMISSION_SET_ACTION_ID,
                 placeholder=PlainTextObject(text="Select permission set"),
-                options=[
-                    Option(
-                        text=PlainTextObject(text=cls._get_permission_set_display_name(ps, display_names)),
-                        value=ps.arn,
-                    )
-                    for ps in sorted_permission_sets
-                ],
+                options=[cls._build_permission_set_option(ps, display_names) for ps in sorted_permission_sets],
             ),
         )
 
@@ -198,6 +226,7 @@ def update_with_permission_sets(
         view_blocks: list,
         permission_sets: list[entities.aws.PermissionSet],
         display_names: dict[str, str] | None = None,
+        auto_approved_arns: set[str] | None = None,
     ) -> View:
         view = cls.build()
         view.submit_disabled = False  # type: ignore[attr-defined]
@@ -206,7 +235,13 @@ def update_with_permission_sets(
         # Insert permission set dropdown after account dropdown
         blocks = insert_blocks(
             blocks=blocks,
-            blocks_to_insert=[cls.build_select_permission_set_input_block(permission_sets, display_names=display_names)],
+            blocks_to_insert=[
+                cls.build_select_permission_set_input_block(
+                    permission_sets,
+                    display_names=display_names,
+                    auto_approved_arns=auto_approved_arns,
+                )
+            ],
             after_block_id=cls.ACCOUNT_BLOCK_ID,
         )
         view.blocks = blocks
diff --git a/src/tests/test_config.py b/src/tests/test_config.py
@@ -134,6 +134,7 @@ def valid_config_dict(
         "max_permissions_duration_time": "24",
         "secondary_fallback_email_domains": secondary_fallback_email_domains,
         "permission_duration_list_override": permission_duration_list_override,
+        "permission_set_display_names": json.dumps({}),
     }
 
 
@@ -418,3 +419,57 @@ def test_load_approval_config_returns_etag(mock_s3_client):
 
     assert etag == '"test-etag"'
     assert data == {"statements": [], "group_statements": []}
+
+
+def test_config_parses_display_names_from_s3(mock_s3_client, monkeypatch):
+    """S3 config with permission_set_display_names is parsed into Config."""
+    import boto3
+
+    s3_config = {
+        "statements": [VALID_STATEMENT_DICT],
+        "group_statements": [VALID_GROUP_STATEMENT_DICT],
+        "permission_set_display_names": {"eks-dev": "EKS access"},
+    }
+    mock_s3_client.get_object.return_value = {"Body": MagicMock(read=lambda: json.dumps(s3_config).encode("utf-8"))}
+    monkeypatch.setattr(boto3, "client", lambda service: mock_s3_client if service == "s3" else MagicMock())
+
+    config_dict = valid_config_dict(secondary_fallback_email_domains_as_json=False, permission_duration_list_override_as_json=False)
+    config_dict["config_s3_key"] = "config/approval-config.json"
+    del config_dict["statements"]
+    del config_dict["group_statements"]
+    del config_dict["permission_set_display_names"]
+
+    cfg = config.Config(**config_dict)
+    assert cfg.permission_set_display_names == {"eks-dev": "EKS access"}
+
+
+def test_config_defaults_empty_display_names_from_s3(mock_s3_client, monkeypatch):
+    """S3 config without permission_set_display_names defaults to empty dict."""
+    import boto3
+
+    s3_config = {
+        "statements": [VALID_STATEMENT_DICT],
+        "group_statements": [VALID_GROUP_STATEMENT_DICT],
+    }
+    mock_s3_client.get_object.return_value = {"Body": MagicMock(read=lambda: json.dumps(s3_config).encode("utf-8"))}
+    monkeypatch.setattr(boto3, "client", lambda service: mock_s3_client if service == "s3" else MagicMock())
+
+    config_dict = valid_config_dict(secondary_fallback_email_domains_as_json=False, permission_duration_list_override_as_json=False)
+    config_dict["config_s3_key"] = "config/approval-config.json"
+    del config_dict["statements"]
+    del config_dict["group_statements"]
+    del config_dict["permission_set_display_names"]
+
+    cfg = config.Config(**config_dict)
+    assert cfg.permission_set_display_names == {}
+
+
+def test_config_parses_display_names_from_env():
+    """Env var path: JSON string is parsed into dict."""
+    config_dict = valid_config_dict(
+        secondary_fallback_email_domains_as_json=False,
+        permission_duration_list_override_as_json=False,
+    )
+    config_dict["permission_set_display_names"] = json.dumps({"admin": "Administrator"})
+    cfg = config.Config(**config_dict)
+    assert cfg.permission_set_display_names == {"admin": "Administrator"}
diff --git a/src/tests/test_main.py b/src/tests/test_main.py
@@ -534,3 +534,96 @@ def process_with_first_failure(**kwargs):
         finally:
             for p in patches:
                 p.stop()
+
+
+class TestClassifyAutoApprovedPermissionSets:
+    """Tests for classify_auto_approved_permission_sets."""
+
+    def _ps(self, name: str, arn: str = "") -> entities.aws.PermissionSet:
+        return entities.aws.PermissionSet(name=name, arn=arn or f"arn:sso:ps/{name}", description=None)
+
+    def _decision(self, grant: bool):
+        import access_control
+
+        reason = access_control.DecisionReason.ApprovalNotRequired if grant else access_control.DecisionReason.RequiresApproval
+        return access_control.AccessRequestDecision(
+            grant=grant,
+            reason=reason,
+            based_on_statements=frozenset(),
+            approvers=frozenset() if grant else frozenset(["approver@test.com"]),
+            approver_groups=frozenset(),
+        )
+
+    def test_auto_approved_for_all_accounts(self, import_main):
+        main = import_main
+        ps = self._ps("ReadOnly")
+
+        with patch.object(main.access_control, "make_decision_on_access_request", return_value=self._decision(grant=True)):
+            result = main.classify_auto_approved_permission_sets(
+                statements=frozenset(),
+                permission_sets=[ps],
+                account_ids=["111", "222"],
+                requester_email="user@test.com",
+                user_group_ids=set(),
+                requester_slack_id="U123",
+            )
+        assert ps.arn in result
+
+    def test_requires_approval_for_all_accounts(self, import_main):
+        main = import_main
+        ps = self._ps("Admin")
+
+        with patch.object(main.access_control, "make_decision_on_access_request", return_value=self._decision(grant=False)):
+            result = main.classify_auto_approved_permission_sets(
+                statements=frozenset(),
+                permission_sets=[ps],
+                account_ids=["111", "222"],
+                requester_email="user@test.com",
+                user_group_ids=set(),
+                requester_slack_id="U123",
+            )
+        assert ps.arn not in result
+
+    def test_mixed_accounts_requires_approval(self, import_main):
+        """PS auto-approved for account 111 but not 222 → not in auto_approved set."""
+        main = import_main
+        ps = self._ps("MixedRole")
+
+        def side_effect(**kwargs):
+            if kwargs.get("account_id") == "111":
+                return self._decision(grant=True)
+            return self._decision(grant=False)
+
+        with patch.object(main.access_control, "make_decision_on_access_request", side_effect=side_effect):
+            result = main.classify_auto_approved_permission_sets(
+                statements=frozenset(),
+                permission_sets=[ps],
+                account_ids=["111", "222"],
+                requester_email="user@test.com",
+                user_group_ids=set(),
+                requester_slack_id="U123",
+            )
+        assert ps.arn not in result
+
+    def test_multiple_permission_sets_classified_independently(self, import_main):
+        """Each PS is classified independently — one can be auto, another manual."""
+        main = import_main
+        ps_auto = self._ps("ReadOnly")
+        ps_manual = self._ps("Admin")
+
+        def side_effect(**kwargs):
+            if kwargs.get("permission_set_name") == "ReadOnly":
+                return self._decision(grant=True)
+            return self._decision(grant=False)
+
+        with patch.object(main.access_control, "make_decision_on_access_request", side_effect=side_effect):
+            result = main.classify_auto_approved_permission_sets(
+                statements=frozenset(),
+                permission_sets=[ps_auto, ps_manual],
+                account_ids=["111"],
+                requester_email="user@test.com",
+                user_group_ids=set(),
+                requester_slack_id="U123",
+            )
+        assert ps_auto.arn in result
+        assert ps_manual.arn not in result
diff --git a/src/tests/test_slack_helpers.py b/src/tests/test_slack_helpers.py
