Set can_access_account flag to false when updating creds (#642)

someengineering · Nov 29, 2024 · 5ac207a · 5ac207a
1 parent 36e3109
commit 5ac207a
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 9 deletions.
diff --git a/fixbackend/cloud_accounts/azure_subscription_repo.py b/fixbackend/cloud_accounts/azure_subscription_repo.py
@@ -83,6 +83,8 @@ async def upsert(
                 existing.client_id = client_id
                 existing.client_secret = client_secret
                 existing.created_at = utc()  # update to trigger list_created_after
+                existing.updated_at = utc()
+                existing.can_access_azure_account = False
                 model = existing.to_model()
                 await session.commit()
                 return model
@@ -93,6 +95,7 @@ async def upsert(
                 azure_tenant_id=azure_tenant_id,
                 client_id=client_id,
                 client_secret=client_secret,
+                can_access_azure_account=False,
             )
             session.add(entity)
             await session.commit()

diff --git a/fixbackend/cloud_accounts/service.py b/fixbackend/cloud_accounts/service.py
@@ -838,8 +838,9 @@ async def create_gcp_account(
             raise ResourceNotFound("Organization does not exist")
 
         if existing := await self.cloud_account_repository.get_by_account_id(workspace_id, account_id):
-            log.info("GCP account already exists")
-            return existing
+            if isinstance(existing.state, CloudAccountStates.Configured):
+                log.info("GCP account already exists")
+                return existing
 
         should_be_enabled = await self._should_be_enabled(workspace)
 
@@ -870,8 +871,25 @@ async def create_gcp_account(
             last_degraded_scan_started_at=None,
         )
 
-        result = await self.cloud_account_repository.create(account)
-        log.info(f"GCP cloud Account {account_id} created")
+        if existing:
+
+            def set_state(acc: CloudAccount) -> CloudAccount:
+                return evolve(
+                    acc,
+                    state=CloudAccountStates.Configured(
+                        access=GcpCloudAccess(key_id), enabled=should_be_enabled, scan=should_be_enabled
+                    ),
+                    account_name=account_name,
+                    state_updated_at=utc(),
+                    created_at=created_at,
+                    updated_at=created_at,
+                )
+
+            result = await self.cloud_account_repository.update(existing.id, set_state)
+            log.info(f"GCP cloud Account {account_id} updated from deleted to configured")
+        else:
+            result = await self.cloud_account_repository.create(account)
+            log.info(f"GCP cloud Account {account_id} created")
 
         await self.domain_events.publish(
             CloudAccountConfigured(
@@ -903,8 +921,9 @@ async def create_azure_account(
             raise ResourceNotFound("Organization does not exist")
 
         if existing := await self.cloud_account_repository.get_by_account_id(workspace_id, account_id):
-            log.info("Azure account already exists")
-            return existing
+            if isinstance(existing.state, CloudAccountStates.Configured):
+                log.info("Azure account already exists")
+                return existing
 
         should_be_enabled = await self._should_be_enabled(workspace)
 
@@ -935,8 +954,26 @@ async def create_azure_account(
             last_degraded_scan_started_at=None,
         )
 
-        result = await self.cloud_account_repository.create(account)
-        log.info(f"Azure cloud Account {account_id} created")
+        if existing:
+
+            def set_state(acc: CloudAccount) -> CloudAccount:
+                return evolve(
+                    acc,
+                    state=CloudAccountStates.Configured(
+                        access=AzureCloudAccess(subscription_credentials_id),
+                        enabled=should_be_enabled,
+                        scan=should_be_enabled,
+                    ),
+                    state_updated_at=utc(),
+                    created_at=created_at,
+                    updated_at=created_at,
+                )
+
+            result = await self.cloud_account_repository.update(existing.id, set_state)
+            log.info(f"Azure cloud Account {account_id} updated from deleted to configured")
+        else:
+            result = await self.cloud_account_repository.create(account)
+            log.info(f"Azure cloud Account {account_id} created")
 
         await self.domain_events.publish(
             CloudAccountConfigured(

diff --git a/tests/fixbackend/cloud_accounts/azure_subscription_repo_test.py b/tests/fixbackend/cloud_accounts/azure_subscription_repo_test.py
@@ -34,7 +34,7 @@ async def test_store_azure_subscription(
     client_secret = "foo_bar"
     azure_credentials = await azure_repo.upsert(workspace.id, azure_tenant_id, client_id, client_secret)
 
-    assert azure_credentials.can_access_azure_account is None
+    assert azure_credentials.can_access_azure_account is False
     assert azure_credentials.tenant_id == workspace.id
     assert azure_credentials.azure_tenant_id == azure_tenant_id
     assert azure_credentials.client_id == client_id