1337 email owner as system admin group (un)assigned

.gitignore

@@ -43,6 +43,7 @@ compliance/opencontrols/
 compliance/exports/
 tdrs-backend/tdpservice/static/*
 *gunicorn.log
+*.log
 
 # don't ignore requirements.txt
 !requirements.txt
@@ -115,3 +116,4 @@ cypress.env.json
 
 # DB seeds
 tdrs-backend/*.pg
+tdrs-backend/django.log

tdrs-backend/tdpservice/email/email_enums.py

@@ -16,3 +16,4 @@ class EmailType(Enum):
     ACCOUNT_DEACTIVATED_ADMIN = 'account-deactivated-admin.html'
     UPCOMING_SUBMISSION_DEADLINE = 'upcoming-submission-deadline.html'
     STUCK_FILE_LIST = 'stuck-file-list.html'
+    SYSTEM_ADMIN_ROLE_CHANGED = 'system-admin-role-changed.html'

tdrs-backend/tdpservice/email/helpers/admin_notifications.py

@@ -33,3 +33,37 @@ def email_admin_deactivated_user(user):
             text_message=text_message,
             logger_context=logger_context
         )
+
+def email_system_owner_system_admin_role_change(user, action):
+    """Send an email to the System Owner when a user is assigned or removed from the System Admin role."""
+    from tdpservice.users.models import User
+    from tdpservice.email.email_enums import EmailType
+    from tdpservice.email.email import automated_email, log
+    from tdpservice.email.tasks import get_system_owner_email
+    recipient_email = get_system_owner_email()
+    logger_context = {
+        'user_id': user.id,
+        'object_id': user.id,
+        'object_repr': user.username,
+        'content_type': User,
+    }
+
+    template_path = EmailType.SYSTEM_ADMIN_ROLE_CHANGED.value
+    text_message = 'A user has been assigned or removed from the System Admin role.'
+    subject = 'TDP User Role Change: System Admin'
+    context = {
+        'user': user,
+        'action': action,
+    }
+
+    log(f"Preparing email to System Owner for System Admin role change for user {user.username}",
+        logger_context=logger_context)
+
+    automated_email(
+        email_path=template_path,
+        recipient_email=recipient_email,
+        subject=subject,
+        email_context=context,
+        text_message=text_message,
+        logger_context=logger_context
+    )

tdrs-backend/tdpservice/email/tasks.py

@@ -75,6 +75,14 @@ def get_ofa_admin_user_emails():
         groups__in=Group.objects.filter(name__in=('OFA Admin', 'OFA System Admin'))
     ).values_list('email', flat=True).distinct()
 
+def get_system_owner_email():
+    """Return the email of the System Owner."""
+    try:
+        user_email = User.objects.filter(groups__name='System Owner').values_list('email', flat=True).distinct()
+    except User.DoesNotExist:
+        user_email = [None]
+    return user_email
+
 def get_num_access_requests():
     """Return the number of users requesting access."""
     return User.objects.filter(

tdrs-backend/tdpservice/email/templates/system-admin-role-changed.html

@@ -0,0 +1,18 @@
+{% extends 'base.html' %}
+{% block content %}
+<!-- Body copy -->
+<p style="color: #000000;">
+
+    <p>The following Admin User account for the TANF Data Portal (TDP) has been {{ action }}.</p>
+
+    <p>Account Information:</p>
+    <ul>
+        <li>Name: {{ user.first_name }}</li>
+        <li>Last name: {{ user.last_name }}</li>
+        <li>Email: {{ user.email }}</li>
+    </ul>
+
+    <p>Thank you,</p>
+    TDP Team
+</p>
+{% endblock %}

tdrs-backend/tdpservice/users/apps.py

@@ -8,3 +8,7 @@ class UsersConfig(AppConfig):
 
     name = "tdpservice.users"
     verbose_name = "Users"
+
+    def ready(self):
+        """Import signals."""
+        import tdpservice.users.signals  # noqa

tdrs-backend/tdpservice/users/signals.py

@@ -0,0 +1,30 @@
+"""Signals for the users app."""
+from django.db.models.signals import m2m_changed
+from django.dispatch import receiver
+from tdpservice.users.models import User
+from django.contrib.auth.models import Group
+from tdpservice.email.helpers.admin_notifications import email_system_owner_system_admin_role_change
+
+import logging
+logger = logging.getLogger()
+
+@receiver(m2m_changed, sender=User.groups.through)
+def user_group_changed(sender, instance, action, pk_set, **kwargs):
+    """Send an email to the System Owner when a user is assigned or removed from the System Admin role."""
+    ACTIONS = {
+            'PRE_REMOVE': 'pre_remove',
+            'PRE_ADD': 'pre_add',
+            'PRE_CLEAR': 'pre_clear'
+        }
+    if pk_set:
+        ADMIN_GROUP_PK = Group.objects.get(name="OFA System Admin").pk
+        group_change_list = [pk for pk in pk_set]
+        if ADMIN_GROUP_PK in group_change_list and action == ACTIONS['PRE_ADD']:
+            # EMAIL ADMIN GROUP ADDED to OFA ADMIN
+            email_system_owner_system_admin_role_change(instance, "added")
+        elif ADMIN_GROUP_PK in group_change_list and action == ACTIONS['PRE_REMOVE']:
+            # EMAIL ADMIN GROUP REMOVED from OFA ADMIN
+            email_system_owner_system_admin_role_change(instance, "removed")
+    elif pk_set is None and action == ACTIONS['PRE_CLEAR']:
+        # EMAIL ADMIN GROUP REMOVED from OFA ADMIN
+        email_system_owner_system_admin_role_change(instance, "removed")

tdrs-backend/tdpservice/users/test/test_signals.py

@@ -0,0 +1,37 @@
+"""Test signals."""
+import pytest
+from unittest.mock import patch
+from tdpservice.users.models import User
+from tdpservice.users.test.factories import AdminUserFactory
+from django.contrib.auth.models import Group
+import logging
+import django
+
+
+logger = logging.getLogger(__name__)
+
+
+@pytest.mark.django_db
+def test_my_signal_receiver(mocker):
+    """Test my_signal_receiver."""
+    with patch("django.db.models.signals.m2m_changed.send") as mock_receiver:
+        instance = AdminUserFactory.create()
+        instance.groups.add(Group.objects.get(name="OFA System Admin"))
+
+        mock_receiver.assert_called_with(
+            sender=User.groups.through,
+            instance=instance,
+            action="post_add",
+            pk_set={Group.objects.get(name="OFA System Admin").pk},
+            reverse=False,
+            using="default",
+            model=django.contrib.auth.models.Group,
+        )
+        mock_receiver.call_count = 2  # pre_save and post_save
+
+    with patch(
+        "tdpservice.users.signals.email_system_owner_system_admin_role_change"
+    ) as mock_email_system_owner_system_admin_role_change:
+        instance = AdminUserFactory.create()
+        instance.groups.add(Group.objects.get(name="OFA System Admin"))
+        mock_email_system_owner_system_admin_role_change.assert_called_once()