Make app, group, and tag descriptions requirable (#350)

Co-authored-by: Peter C <[email protected]>

Author: barborico

api/config.py

@@ -89,3 +89,6 @@ def default_user_search() -> list[str]:
 
 # Specify a custom app name
 APP_NAME = os.getenv("APP_NAME", "Access")
+
+# Require descriptions for apps, groups, and tags
+REQUIRE_DESCRIPTIONS = os.getenv("REQUIRE_DESCRIPTIONS", "false").lower() == "true"

api/views/resources/app.py

@@ -92,7 +92,7 @@ def put(self, app: App) -> ResponseReturnValue:
         schema = AppSchema(
             exclude=DEFAULT_SCHEMA_DISPLAY_EXCLUSIONS,
         )
-        app_changes = schema.load(request.json)
+        app_changes = schema.load(request.json, partial=True)
 
         if app_changes.name.lower() != app.name.lower():
             existing_app = (
@@ -131,7 +131,7 @@ def put(self, app: App) -> ResponseReturnValue:
                 abort(400, "Only tags can be modified for the Access application")
 
         old_app_name = app.name
-        app = schema.load(request.json, instance=app)
+        app = schema.load(request.json, instance=app, partial=True)
 
         # Update all app group names when updating app name
         if app.name != old_app_name:

api/views/resources/group.py

@@ -108,7 +108,7 @@ def get(self, group_id: str) -> ResponseReturnValue:
     @FlaskApiSpecDecorators.response_schema(PolymorphicGroupSchema)
     def put(self, group: OktaGroup) -> ResponseReturnValue:
         schema = PolymorphicGroupSchema(exclude=DEFAULT_SCHEMA_DISPLAY_EXCLUSIONS)
-        group_changes = schema.load(request.json)
+        group_changes = schema.load(request.json, partial=True)
         old_group_name = group.name
 
         if not group.is_managed:
@@ -172,7 +172,7 @@ def put(self, group: OktaGroup) -> ResponseReturnValue:
             ).execute()
 
         # Update additional fields like name, description, etc.
-        group = schema.load(request.json, instance=group)
+        group = schema.load(request.json, instance=group, partial=True)
         okta.update_group(group.id, group.name, group.description)
         db.session.commit()
 

api/views/resources/tag.py

@@ -69,7 +69,7 @@ def put(self, tag_id: str) -> ResponseReturnValue:
         )
 
         schema = TagSchema(exclude=DEFAULT_SCHEMA_DISPLAY_EXCLUSIONS)
-        tag_changes = schema.load(request.json)
+        tag_changes = schema.load(request.json, partial=True)
 
         if tag_changes.name.lower() != tag.name.lower():
             existing_tag = (
@@ -80,7 +80,7 @@ def put(self, tag_id: str) -> ResponseReturnValue:
             if existing_tag is not None:
                 abort(400, "Tag already exists with the same name")
 
-        tag = schema.load(request.json, instance=tag)
+        tag = schema.load(request.json, instance=tag, partial=True)
         db.session.commit()
 
         # Handle group time limit constraints when modifying tags

api/views/schemas/core_schemas.py

@@ -1,10 +1,11 @@
-from typing import AbstractSet, Any, Dict, List, Optional, Sequence, cast
+from typing import AbstractSet, Any, Dict, List, Mapping, Optional, Sequence, cast
 
 from flask import current_app
 from marshmallow import Schema, ValidationError, fields, utils, validate, validates_schema
 from marshmallow.schema import SchemaMeta, SchemaOpts
 from marshmallow_sqlalchemy import SQLAlchemyAutoSchema, auto_field
 from sqlalchemy.orm import Session
+
 from api.access_config import get_access_config
 from api.extensions import db
 from api.models import (
@@ -25,6 +26,52 @@
 access_config = get_access_config()
 
 
+def context_aware_description_field() -> fields.Field:
+    """
+    Returns a context-aware description field that reads REQUIRE_DESCRIPTIONS
+    from Flask app config at validation time instead of module import time.
+
+    This allows tests to parametrize the REQUIRE_DESCRIPTIONS setting without
+    needing separate test environments or module reloading.
+    """
+
+    class ContextAwareDescriptionField(fields.String):
+        def deserialize(
+            self, value: Any, attr: Optional[str] = None, data: Optional[Mapping[str, Any]] = None, **kwargs: Any
+        ) -> Any:
+            # Read config at deserialization time (when processing request data)
+            require_descriptions = current_app.config.get("REQUIRE_DESCRIPTIONS", False)
+
+            # Check if field was provided in the input data
+            field_was_provided = data is not None and attr is not None and attr in data
+
+            # If field wasn't provided and descriptions are required, raise error
+            if not field_was_provided and require_descriptions:
+                raise ValidationError("Description is required.")
+
+            # If field wasn't provided and descriptions are not required, return empty string
+            if not field_was_provided:
+                return ""
+
+            # Field was provided, validate it
+            if value == "" and require_descriptions:
+                raise ValidationError("Description must be between 1 and 1024 characters")
+
+            # Use parent deserialization for type conversion
+            if value is None or value == "":
+                return "" if not require_descriptions else self.fail("required")
+
+            result = super().deserialize(value, attr, data, **kwargs)
+
+            # Validate length
+            if result and len(result) > 1024:
+                raise ValidationError("Description must be 1024 characters or less")
+
+            return result
+
+    return ContextAwareDescriptionField(allow_none=True, load_default="", dump_default="")
+
+
 # See https://stackoverflow.com/a/58646612
 class OktaUserGroupMemberSchema(SQLAlchemyAutoSchema):
     group = fields.Nested(lambda: PolymorphicGroupSchema)
@@ -255,7 +302,7 @@ class OktaGroupSchema(SQLAlchemyAutoSchema):
             ),
         ),
     )
-    description = auto_field(load_default="", validate=validate.Length(max=1024))
+    description = context_aware_description_field()
 
     externally_managed_data = fields.Dict()
 
@@ -628,7 +675,7 @@ class RoleGroupSchema(SQLAlchemyAutoSchema):
             ),
         ),
     )
-    description = auto_field(load_default="", validate=validate.Length(max=1024))
+    description = context_aware_description_field()
 
     externally_managed_data = fields.Dict()
 
@@ -847,7 +894,7 @@ class AppGroupSchema(SQLAlchemyAutoSchema):
             ),
         ),
     )
-    description = auto_field(load_default="", validate=validate.Length(max=1024))
+    description = context_aware_description_field()
 
     externally_managed_data = fields.Dict()
 
@@ -1138,7 +1185,7 @@ class InitialAppGroupSchema(Schema):
             ),
         ),
     )
-    description = fields.String(load_default="", validate=validate.Length(max=1024))
+    description = context_aware_description_field()
 
 
 class AppSchema(SQLAlchemyAutoSchema):
@@ -1152,7 +1199,7 @@ class AppSchema(SQLAlchemyAutoSchema):
             ),
         ),
     )
-    description = auto_field(validate=validate.Length(max=1024))
+    description = context_aware_description_field()
 
     initial_owner_id = fields.String(validate=validate.Length(min=1, max=255), load_only=True)
     initial_owner_role_ids = fields.List(fields.String(validate=validate.Length(equal=20)), load_only=True)
@@ -1282,7 +1329,7 @@ def load(
                 exclude=self._polymorphic_fields_intersection(group_class, self.exclude),
                 load_only=self._polymorphic_fields_intersection(group_class, self.load_only),
                 dump_only=self._polymorphic_fields_intersection(group_class, self.dump_only),
-            ).load(data, session=session, instance=instance, transient=transient)
+            ).load(data, session=session, instance=instance, transient=transient, **kwargs)
         else:
             raise ValidationError(f"Unexpected group type, expecting one of {self.TYPE_TO_GROUP_SCHEMA_MAP.keys()}")
         raise ValidationError(f"Unable to validate with: {self.TYPE_TO_GROUP_SCHEMA_MAP}")
@@ -1466,7 +1513,7 @@ class TagSchema(SQLAlchemyAutoSchema):
             ),
         ),
     )
-    description = auto_field(load_default="", validate=validate.Length(max=1024))
+    description = context_aware_description_field()
 
     def validate_constraints(value) -> bool:
         if not isinstance(value, dict):

src/config/accessConfig.ts

@@ -12,3 +12,4 @@ const accessConfig: AccessConfig = ACCESS_CONFIG as AccessConfig;
 export default accessConfig;
 
 export const appName = APP_NAME;
+export const requireDescriptions = REQUIRE_DESCRIPTIONS;

src/globals.d.ts

@@ -1,5 +1,6 @@
 declare const ACCESS_CONFIG: any;
 declare const APP_NAME: string;
+declare const REQUIRE_DESCRIPTIONS: boolean;
 
 interface ImportMetaEnv {
   readonly VITE_API_SERVER_URL: string;

src/pages/apps/CreateUpdate.tsx

@@ -28,7 +28,7 @@ import {
 } from '../../api/apiComponents';
 import {App, AppTagMap, OktaUser, Tag} from '../../api/apiSchemas';
 import {isAccessAdmin, isAppOwnerGroupOwner, ACCESS_APP_RESERVED_NAME} from '../../authorization';
-import accessConfig from '../../config/accessConfig';
+import accessConfig, {requireDescriptions} from '../../config/accessConfig';
 
 interface AppButtonProps {
   setOpen(open: boolean): any;
@@ -181,10 +181,11 @@ function AppDialog(props: AppDialogProps) {
                   return error?.message ?? '';
                 }
                 if (error.type == 'maxLength') {
-                  return 'Name can be at most 1024 characters in length';
+                  return 'Description can be at most 1024 characters in length';
                 }
                 return '';
               }}
+              required={requireDescriptions}
             />
           </FormControl>
           <FormControl margin="normal" fullWidth>

src/pages/groups/CreateUpdate.tsx

@@ -31,7 +31,7 @@ import {
 } from '../../api/apiComponents';
 import {PolymorphicGroup, AppGroup, App, OktaUser, Tag, OktaGroupTagMap} from '../../api/apiSchemas';
 import {canManageGroup, isAccessAdmin, isAppOwnerGroupOwner} from '../../authorization';
-import accessConfig from '../../config/accessConfig';
+import accessConfig, {requireDescriptions} from '../../config/accessConfig';
 
 interface GroupButtonProps {
   defaultGroupType: 'okta_group' | 'app_group' | 'role_group';
@@ -296,10 +296,11 @@ function GroupDialog(props: GroupDialogProps) {
                   return error?.message ?? '';
                 }
                 if (error.type == 'maxLength') {
-                  return 'Name can be at most 1024 characters in length';
+                  return 'Description can be at most 1024 characters in length';
                 }
                 return '';
               }}
+              required={requireDescriptions}
             />
           </FormControl>
           <FormControl margin="normal" fullWidth>

src/pages/tags/CreateUpdate.tsx

@@ -29,7 +29,7 @@ import {
 import NumberInput from '../../components/NumberInput';
 import {OktaUser, Tag} from '../../api/apiSchemas';
 import {isAccessAdmin} from '../../authorization';
-import accessConfig from '../../config/accessConfig';
+import accessConfig, {requireDescriptions} from '../../config/accessConfig';
 
 interface TagButtonProps {
   setOpen(open: boolean): any;
@@ -254,10 +254,11 @@ function TagDialog(props: TagDialogProps) {
                   return error?.message ?? '';
                 }
                 if (error.type == 'maxLength') {
-                  return 'Name can be at most 1024 characters in length';
+                  return 'Description can be at most 1024 characters in length';
                 }
                 return '';
               }}
+              required={requireDescriptions}
             />
           </FormControl>
           <Box sx={{fontWeight: 'medium', fontSize: 18, margin: '8px 0 4px 0'}}>Optional constraints</Box>