For Role Requests, filter owners for Role search in the API (#252)

Author: somethingnew2-0

api/swagger.json

@@ -2455,6 +2455,12 @@
             "name": "q",
             "required": false,
             "type": "string"
+          },
+          {
+            "in": "query",
+            "name": "owner_id",
+            "required": false,
+            "type": "string"
           }
         ],
         "responses": {

api/views/resources/role.py

@@ -7,15 +7,15 @@
 from api.apispec import FlaskApiSpecDecorators
 from api.authorization import AuthorizationHelpers
 from api.extensions import db
-from api.models import AppGroup, OktaGroup, OktaGroupTagMap, OktaUserGroupMember, RoleGroup, RoleGroupMap
+from api.models import AppGroup, OktaGroup, OktaGroupTagMap, OktaUser, OktaUserGroupMember, RoleGroup, RoleGroupMap
 from api.operations import ModifyRoleGroups
 from api.operations.constraints import CheckForReason, CheckForSelfAdd
 from api.pagination import paginate
 from api.views.schemas import (
     RoleGroupSchema,
     RoleMemberSchema,
     RolePaginationSchema,
-    SearchPaginationRequestSchema,
+    SearchRolePaginationRequestSchema,
 )
 
 ALL_GROUP_TYPES = with_polymorphic(OktaGroup, [AppGroup, RoleGroup], flat=True)
@@ -238,13 +238,38 @@ def put(self, role_id: str) -> ResponseReturnValue:
 
 
 class RoleList(MethodResource):
-    @FlaskApiSpecDecorators.request_schema(SearchPaginationRequestSchema, location="query")
+    @FlaskApiSpecDecorators.request_schema(SearchRolePaginationRequestSchema, location="query")
     @FlaskApiSpecDecorators.response_schema(RolePaginationSchema)
     def get(self) -> ResponseReturnValue:
-        search_args = SearchPaginationRequestSchema().load(request.args)
+        search_args = SearchRolePaginationRequestSchema().load(request.args)
 
         query = RoleGroup.query.filter(RoleGroup.deleted_at.is_(None)).order_by(func.lower(RoleGroup.name))
 
+        if "owner_id" in search_args:
+            owner_id = search_args["owner_id"]
+            if owner_id == "@me":
+                owner_id = g.current_user_id
+            owner = (
+                OktaUser.query.filter(db.or_(OktaUser.id == owner_id, OktaUser.email.ilike(owner_id)))
+                .order_by(nullsfirst(OktaUser.deleted_at.desc()))
+                .first_or_404()
+            )
+            owner_group_ownerships = (
+                OktaUserGroupMember.query.filter(OktaUserGroupMember.user_id == owner.id)
+                .filter(OktaUserGroupMember.is_owner.is_(True))
+                .filter(
+                    db.or_(
+                        OktaUserGroupMember.ended_at.is_(None),
+                        OktaUserGroupMember.ended_at > db.func.now(),
+                    )
+                )
+            )
+            query = query.filter(
+                RoleGroup.id.in_(
+                    [o.group_id for o in owner_group_ownerships.with_entities(OktaUserGroupMember.group_id).all()]
+                ),
+            )
+
         # Implement basic search with the "q" url parameter
         if "q" in search_args and len(search_args["q"]) > 0:
             like_search = f"%{search_args['q']}%"

api/views/schemas/__init__.py

@@ -33,6 +33,7 @@
     SearchGroupPaginationRequestSchema,
     SearchGroupRoleAuditPaginationRequestSchema,
     SearchPaginationRequestSchema,
+    SearchRolePaginationRequestSchema,
     SearchRoleRequestPaginationRequestSchema,
     SearchUserGroupAuditPaginationRequestSchema,
     TagPaginationSchema,
@@ -76,6 +77,7 @@
     "SearchGroupPaginationRequestSchema",
     "SearchGroupRoleAuditPaginationRequestSchema",
     "SearchPaginationRequestSchema",
+    "SearchRolePaginationRequestSchema",
     "SearchRoleRequestPaginationRequestSchema",
     "SearchUserGroupAuditPaginationRequestSchema",
     "TagPaginationSchema",

api/views/schemas/pagination.py

@@ -26,6 +26,10 @@ class SearchGroupPaginationRequestSchema(SearchPaginationRequestSchema):
     managed = fields.Boolean(load_only=True)
 
 
+class SearchRolePaginationRequestSchema(SearchPaginationRequestSchema):
+    owner_id = fields.String(load_only=True)
+
+
 class AuditOrderBy(Enum):
     moniker = 1  # Enum has a field called "name", so we can't use that
     created_at = 2

src/api/apiComponents.ts

@@ -845,6 +845,7 @@ export type GetRolesQueryParams = {
   page?: number;
   per_page?: number;
   q?: string;
+  owner_id?: string;
 };
 
 export type GetRolesError = Fetcher.ErrorWrapper<{

src/pages/role_requests/Create.tsx

@@ -209,11 +209,10 @@ function CreateRequestContainer(props: CreateRequestContainerProps) {
       page: 0,
       per_page: 10,
       q: roleSearchInput,
+      owner_id: '@me',
     },
   });
   let roleSearchOptions = roleSearchData?.results ?? [];
-  // Filter to only show roles owned by the current user
-  roleSearchOptions = roleSearchOptions.filter((group) => ownedGroups.includes(group.id ?? ''));
 
   const {data: groupSearchData} = useGetGroups({
     queryParams: {