From f909797c14b99609d534c31e1e0f375258dbd9fc Mon Sep 17 00:00:00 2001
From: Daisie Huang
Date: Tue, 14 Jan 2025 11:38:21 -0800
Subject: [PATCH] rejected users

---
 src/authx/auth.py | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/src/authx/auth.py b/src/authx/auth.py
index 7cf7bc3..97130aa 100644
--- a/src/authx/auth.py
+++ b/src/authx/auth.py
@@ -697,6 +697,11 @@ def write_user_in_opa(user_dict):
 
 def get_user_in_opa(user_name):
     safe_name = urllib.parse.quote_plus(user_name)
+    response, status_code = get_service_store_secret("opa", key=f"users/rejected_users")
+    if status_code == 200:
+        if safe_name in response["rejected_users"]:
+            return {"error": f"User {safe_name} has been rejected from CanDIG"}, 403
+
     response, status_code = get_service_store_secret("opa", key=f"users/{safe_name}")
     # return 404 if the user is not found
     if status_code == 404:
@@ -721,6 +726,13 @@ def remove_user_from_opa(user_name):
 #####
 
 def add_pending_user_to_opa(user_token):
+    # check to see if this user has already been rejected:
+    response, status_code = get_service_store_secret("opa", key=f"rejected_users")
+    if status_code != 200:
+        return response, status_code
+    if user_name in response["rejected_users"]:
+        return {"error": "This user has already been rejected by CanDIG"}, 403
+
     # NB: any user that has been authenticated by the IDP should be able to add themselves to the pending user list
     response, status_code = get_service_store_secret("opa", key=f"pending_users")
     if status_code != 200:
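Review bot: The rejected-user check added to `get_user_in_opa` reads key `users/rejected_users`, while the other two hunks of this patch read and write the list under `rejected_users`, so it queries a secret nothing in the patch populates and will not match a rejected user. It also tests `safe_name` (the `quote_plus` form) against a list that `reject_pending_user_in_opa` keys by the raw `user_name`, so names that quoting alters would still miss once the key is fixed. A non-200 status here silently skips the check, the opposite of the fail-closed handling in `add_pending_user_to_opa`, and `response["rejected_users"]` raises KeyError on a 200 response without that key. Suggest `response, status_code = get_service_store_secret("opa", key="rejected_users")` followed by `if status_code == 200 and user_name in response.get("rejected_users", {}):`, plus a deliberate decision on what a non-200 should do. The body of `get_user_in_opa` continues past the hunk.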
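Review bot: `user_name` is not bound when the added check in `add_pending_user_to_opa` runs — the function's only parameter is `user_token` and the check is the first statement of the body — so `if user_name in response["rejected_users"]:` raises NameError (unless a module-level `user_name` happens to exist) and every pending-user registration fails. The name needs to be derived from `user_token` before this check, presumably the same way the rest of the function does it further down. `response["rejected_users"]` also raises KeyError on a 200 response that lacks the key; `if user_name in response.get("rejected_users", {}):` keeps the check from crashing on an empty store. The function body continues past the hunk.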
@@ -783,10 +795,20 @@ def reject_pending_user_in_opa(user_name):
         return response, status_code
     pending_users = response["pending_users"]
 
+    response, status_code = get_service_store_secret("opa", key=f"rejected_users")
+    if status_code != 200:
+        return response, status_code
+    rejected_users = response["rejected_users"]
+
     if user_name in pending_users:
         pending_users.pop(user_name)
         response, status_code = set_service_store_secret("opa", key=f"pending_users", value=json.dumps({"pending_users": pending_users}))
+        # add the user to the rejected users, if they're not already there:
+        if user_name not in rejected_users:
+            rejected_users[user_name] = user_dict
+            response, status_code = set_service_store_secret("opa", key=f"pending_users", value=json.dumps({"rejected_users": rejected_users}))
+
     else:
         return {"error": f"no pending user with ID {user_name}"}, 404
     return response, status_code
 
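Review bot: The second `set_service_store_secret` call writes the rejected list under `key=f"pending_users"`, so it overwrites the pending-users secret saved one line earlier with a `{"rejected_users": ...}` object: the remaining pending users are lost and the rejected list itself is never persisted, which is also why the checks in the other two hunks would never match. The key should be `key="rejected_users"`. `user_dict` is not bound anywhere in the hunk and the value returned by `pending_users.pop(user_name)` is discarded; unless the function (whose start is outside the hunk) binds it earlier, `user_dict = pending_users.pop(user_name)` is the record that should be stored. The status code of the rejected-list write also replaces that of the pending-list write, so a failed pending write is reported as success if the second write succeeds.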