SUBMIT-711:System - Submission Awaits Manager Review (to EAO Manager) (#797)

Author: don-aot

submit-api/src/submit_api/services/submission_review.py

@@ -18,6 +18,8 @@
 from submit_api.services.consultation_record_service import ConsultationRecordService
 from submit_api.services.iem_service import IEMTermsOfEngagementService
 from submit_api.services.management_plan_service import ManagementPlanService
+from submit_api.services.package_version_service import PackageVersionService
+from submit_api.utils.constants import SUBMISSION_AWAITING_MANAGER_APPROVAL_EMAIL_TEMPLATE
 from submit_api.utils.token_info import TokenInfo
 
 
@@ -132,6 +134,14 @@ def send_recommendation_to_manager(cls, item_id, session):
         item = cls._get_submission_item_by_id(item_id)
         item.status = cls._get_awaiting_manager_review_status(item)
         cls._update_package_status(item.package_id, session)
+        # Notify MPT Managers when MP or Consultation Record requires Manager's approval
+        if item.type.name in (
+            SubmissionItemType.MANAGEMENT_PLAN_FORM.value,
+            SubmissionItemType.CONSULTATION_RECORD.value,
+        ):
+            PackageVersionService.create_email_queue(
+                item.package_id, SUBMISSION_AWAITING_MANAGER_APPROVAL_EMAIL_TEMPLATE
+            )
         current_app.logger.info(f"Recommendation sent to manager for item {item_id}.")
         return item
 

submit-api/src/submit_api/utils/constants.py

@@ -22,4 +22,5 @@
 MANAGEMENT_PLAN_UPDATE_REQUEST_CREATED_EMAIL_TEMPLATE = 'management_plan_update_request_created.html'
 NEW_USER_INVITATION_EMAIL_TEMPLATE = 'new_user_invitation.html'
 MANAGEMENT_PLAN_SUBMISSION_NOTIFY_STAFF_EMAIL_TEMPLATE = 'management_plan_submission_notify_staff.html'
+SUBMISSION_AWAITING_MANAGER_APPROVAL_EMAIL_TEMPLATE = 'submission_awaiting_manager_approval.html'
 MANAGEMENT_PLAN_RESUBMISSION_REQUEST_EMAIL_TEMPLATE = 'resubmission_request.html'

submit-cron/config.py

@@ -95,6 +95,11 @@ class _Config():  # pylint: disable=too-few-public-methods
     # TODO API client wont need user management roles in keycloak.
     KEYCLOAK_ADMIN_USERNAME = os.getenv('KEYCLOAK_ADMIN_USERNAME')
     KEYCLOAK_ADMIN_SECRET = os.getenv('MET_ADMIN_CLIENT_SECRET')
+    # Keycloak client/secret for emailer only (EAO_MANAGER group lookup)
+    KEYCLOAK_EMAILER_CLIENT = os.getenv('KEYCLOAK_EMAILER_CLIENT')
+    KEYCLOAK_EMAILER_SECRET = os.getenv('KEYCLOAK_EMAILER_SECRET')
+
+    CONNECT_TIMEOUT = int(os.getenv('CONNECT_TIMEOUT', 60))
 
     CHES_TOKEN_ENDPOINT = os.getenv('CHES_TOKEN_ENDPOINT')
     CHES_CLIENT_ID = os.getenv('CHES_CLIENT_ID')

submit-cron/sample.env

@@ -17,11 +17,16 @@ WEB_URL=
 # Sending email id
 SENDER_EMAIL=
 
+# Staff notification
+STAFF_SUPPORT_MAIL_ID=
+
 # Condition api url
 CONDITION_API_BASE_URL=
 
 # Keycloak
 KEYCLOAK_BASE_URL=
 KEYCLOAK_REALM_NAME=
 KEYCLOAK_SERVICE_ACCOUNT_ID=
-KEYCLOAK_SERVICE_ACCOUNT_SECRET=
+KEYCLOAK_SERVICE_ACCOUNT_SECRET=
+KEYCLOAK_EMAILER_CLIENT=
+KEYCLOAK_EMAILER_SECRET=

submit-cron/src/submit_cron/services/keycloak_service.py

@@ -0,0 +1,118 @@
+# Copyright © 2024 Province of British Columbia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Keycloak admin functions – same pattern as submit-api KeycloakService."""
+import requests
+from flask import current_app
+
+
+# Same group path as submit-api (SUBMIT / EAO_MANAGER)
+EAO_MANAGER_GROUP_PATH = "SUBMIT/EAO_MANAGER"
+
+
+class KeycloakService:
+    """Keycloak admin API – same token and request pattern as submit-api."""
+
+    @staticmethod
+    def _get_admin_token():
+        """Create an admin token (same as submit-api KeycloakService._get_admin_token)."""
+        config = current_app.config
+        base_url = config.get("KEYCLOAK_BASE_URL")
+        realm = config.get("KEYCLOAK_REALM_NAME")
+        admin_client_id = config.get("KEYCLOAK_EMAILER_CLIENT")
+        admin_secret = config.get("KEYCLOAK_EMAILER_SECRET")
+        timeout = int(config.get("CONNECT_TIMEOUT", 60))
+        token_url = f"{base_url}/auth/realms/{realm}/protocol/openid-connect/token"
+
+        if not admin_client_id or not admin_secret:
+            raise ValueError(
+                "KEYCLOAK_EMAILER_CLIENT and KEYCLOAK_EMAILER_SECRET must be set in .env"
+            )
+
+        headers = {"Content-Type": "application/x-www-form-urlencoded"}
+        # Use dict so requests form-encodes correctly (handles special chars in secret)
+        data = {
+            "client_id": admin_client_id,
+            "grant_type": "client_credentials",
+            "client_secret": admin_secret,
+        }
+        response = requests.post(
+            token_url,
+            data=data,
+            headers=headers,
+            timeout=timeout,
+        )
+        response.raise_for_status()
+        return response.json().get("access_token")
+
+    @staticmethod
+    def _request_keycloak(relative_url: str):
+        """GET request to Keycloak admin API (same URL pattern as submit-api)."""
+        base_url = current_app.config.get("KEYCLOAK_BASE_URL")
+        realm = current_app.config.get("KEYCLOAK_REALM_NAME")
+        timeout = int(current_app.config.get("CONNECT_TIMEOUT", 60))
+        admin_token = KeycloakService._get_admin_token()
+        headers = {
+            "Content-Type": "application/json",
+            "Authorization": f"Bearer {admin_token}",
+        }
+        url = f"{base_url}/auth/admin/realms/{realm}/{relative_url}"
+        response = requests.get(url, headers=headers, timeout=timeout)
+        response.raise_for_status()
+        return response
+
+    @staticmethod
+    def get_groups(brief_representation: bool = False):
+        """Get all top-level groups."""
+        response = KeycloakService._request_keycloak(
+            f"groups?briefRepresentation={brief_representation}"
+        )
+        return response.json()
+
+    @staticmethod
+    def get_sub_groups(group_id: str):
+        """Return the subgroups of given group."""
+        response = KeycloakService._request_keycloak(f"groups/{group_id}/children")
+        return response.json()
+
+    @staticmethod
+    def get_group_id_by_path(group_path: str) -> str:
+        """Find a Keycloak group by full path (e.g. 'SUBMIT/EAO_MANAGER') and return its ID."""
+        segments = group_path.strip("/").split("/")
+        current_groups = KeycloakService.get_groups(brief_representation=True)
+        current_group = None
+
+        for segment in segments:
+            matched = next((g for g in current_groups if g["name"] == segment), None)
+            if not matched:
+                raise ValueError(f"Group segment '{segment}' not found.")
+            current_group = matched
+            current_groups = KeycloakService.get_sub_groups(current_group["id"])
+
+        return current_group["id"]
+
+    @staticmethod
+    def get_members_for_group(group_id: str):
+        """Get the members of a group (Keycloak user objects with email, etc.)."""
+        response = KeycloakService._request_keycloak(f"groups/{group_id}/members")
+        return response.json()
+
+    @classmethod
+    def get_eao_manager_emails(cls) -> list:
+        """Return email addresses of SUBMIT/EAO_MANAGER group members (same as submit-api flow)."""
+        try:
+            group_id = cls.get_group_id_by_path(EAO_MANAGER_GROUP_PATH)
+            members = cls.get_members_for_group(group_id)
+            return [m.get("email") for m in members if m.get("email")]
+        except (ValueError, requests.RequestException):
+            return []

submit-cron/src/submit_cron/services/mail_service.py

@@ -10,7 +10,7 @@
 from submit_api.utils.constants import (
     MANAGEMENT_PLAN_RESUBMISSION_REQUEST_EMAIL_TEMPLATE, MANAGEMENT_PLAN_SUBMISSION_CONFIRMATION_EMAIL_TEMPLATE,
     MANAGEMENT_PLAN_SUBMISSION_NOTIFY_STAFF_EMAIL_TEMPLATE, MANAGEMENT_PLAN_UPDATE_REQUEST_CREATED_EMAIL_TEMPLATE,
-    NEW_USER_INVITATION_EMAIL_TEMPLATE)
+    NEW_USER_INVITATION_EMAIL_TEMPLATE, SUBMISSION_AWAITING_MANAGER_APPROVAL_EMAIL_TEMPLATE)
 
 from submit_cron.models import db
 from submit_cron.services.ches_service import ChesApiService
@@ -50,7 +50,8 @@ def _get_email_processor(cls, email_entry: EmailQueue) -> callable:
             MANAGEMENT_PLAN_RESUBMISSION_REQUEST_EMAIL_TEMPLATE: cls._process_resubmission_request_email,
             # staff email uses the same content, but just a different template..so reusing the same method passing template name
             MANAGEMENT_PLAN_SUBMISSION_NOTIFY_STAFF_EMAIL_TEMPLATE: partial(cls._process_package_submission_email, template_name=MANAGEMENT_PLAN_SUBMISSION_NOTIFY_STAFF_EMAIL_TEMPLATE),
-            NEW_USER_INVITATION_EMAIL_TEMPLATE: cls._process_new_user_invitation_email
+            NEW_USER_INVITATION_EMAIL_TEMPLATE: cls._process_new_user_invitation_email,
+            SUBMISSION_AWAITING_MANAGER_APPROVAL_EMAIL_TEMPLATE: cls._process_awaiting_manager_approval_email,
         }
         template = email_entry.template_name
         if template not in email_processors:
@@ -115,6 +116,27 @@ def _process_resubmission_request_email(email_entry: EmailQueue):
         email_entry.sent_at = datetime.utcnow()
         db.session.commit()
 
+    @staticmethod
+    def _process_awaiting_manager_approval_email(email_entry: EmailQueue):
+        """Process email notifying MPT Managers that a package awaits Manager's approval."""
+        from submit_cron.services.keycloak_service import KeycloakService
+        package_id = email_entry.entity_id
+        package: PackageModel = db.session.get(PackageModel, package_id)
+        if not package:
+            raise BadRequestError(f"Package with ID {package_id} not found.")
+        manager_emails = KeycloakService.get_eao_manager_emails()
+        if not manager_emails:
+            raise BadRequestError(
+                "No EAO_MANAGER group members with email found (check Keycloak admin config)"
+            )
+        email_details = PackageSubmissionEmailService.prepare_awaiting_manager_approval_email(
+            package, manager_emails
+        )
+        EmailService.send_email(email_details)
+        email_entry.status = EmailStatus.SENT.value
+        email_entry.sent_at = datetime.utcnow()
+        db.session.commit()
+
     @staticmethod
     def _process_new_user_invitation_email(email_entry: EmailQueue):
         """Process email entry for new user invitation."""

submit-cron/src/submit_cron/services/package_submission_email_service.py

@@ -8,8 +8,11 @@
 from submit_api.models.project import Project as ProjectModel
 from submit_api.models.submission import SubmissionType
 from submit_api.models.user import User as UserModel
+from submit_api.enums.item_status import ItemStatus
+from submit_api.models.submission_review_entry import SubmissionReviewEntryType
 from submit_api.utils.constants import (
-    MANAGEMENT_PLAN_SUBMISSION_CONFIRMATION_EMAIL_TEMPLATE, MANAGEMENT_PLAN_SUBMISSION_NOTIFY_STAFF_EMAIL_TEMPLATE)
+    MANAGEMENT_PLAN_SUBMISSION_CONFIRMATION_EMAIL_TEMPLATE, MANAGEMENT_PLAN_SUBMISSION_NOTIFY_STAFF_EMAIL_TEMPLATE,
+    SUBMISSION_AWAITING_MANAGER_APPROVAL_EMAIL_TEMPLATE)
 
 from submit_cron.models import db
 from submit_cron.utils import constants
@@ -69,6 +72,58 @@ def prepare_package_submission_email_confirmation(cls, package: PackageModel, te
 
         return email_details
 
+    @classmethod
+    def prepare_awaiting_manager_approval_email(cls, package: PackageModel, manager_emails: list) -> EmailDetails:
+        """Prepare email notifying MPT Managers that a package has been reviewed and awaits Manager's approval."""
+        sender_email = cls.get_email_sender_for_package_type(package.type.name)
+        if not sender_email:
+            sender_email = current_app.config.get('SENDER_EMAIL', '')
+        if not sender_email:
+            raise BadRequestError(f"Sender email not found for package type: {package.type.name}")
+        account_project = cls._get_account_project_by_id(package.account_project_id)
+        project = cls._get_project_by_id(account_project.project_id)
+        if not project:
+            raise BadRequestError(f"Project not found for account project ID: {account_project.id}")
+        team_member_name = cls._get_reviewer_name_for_awaiting_manager_package(package)
+        subject = f"Submission awaiting Manager approval - {project.name} - {package.name}"
+        email_details = EmailDetails(
+            template_name=SUBMISSION_AWAITING_MANAGER_APPROVAL_EMAIL_TEMPLATE,
+            body_args={
+                'package_name': package.name,
+                'project_name': project.name,
+                'team_member_name': team_member_name,
+            },
+            subject=subject,
+            sender=sender_email,
+            recipients=manager_emails,
+        )
+        return email_details
+
+    @staticmethod
+    def _get_reviewer_name_for_awaiting_manager_package(package: PackageModel) -> str:
+        """Get the name of the team member who sent the package to Manager (from review STAFF_RECOMMENDATION)."""
+        from submit_api.models.submission_review_entry import SubmissionReviewEntry
+        awaiting_statuses = (
+            ItemStatus.MP_AWAITING_MANAGER_APPROVAL,
+            ItemStatus.CC_AWAITING_MANAGER_APPROVAL,
+        )
+        for item in package.items:
+            if item.status not in awaiting_statuses:
+                continue
+            review = getattr(item, 'review', None) or next((r for r in item.reviews if r.active), None)
+            if not review:
+                continue
+            entry = SubmissionReviewEntry.get_review_entry_by_id_and_type(
+                review.id, SubmissionReviewEntryType.STAFF_RECOMMENDATION
+            )
+            if not entry or not entry.updated_by:
+                continue
+            user = entry.updated_by_user
+            if user and getattr(user, 'staff_user', None) and user.staff_user:
+                return user.staff_user.full_name or entry.updated_by
+            return entry.updated_by
+        return 'A team member'
+
     @staticmethod
     def get_email_sender_for_package_type(package_type: str) -> str:
         """Get the email sender for the package type."""

submit-cron/templates/submission_awaiting_manager_approval.html

@@ -0,0 +1,79 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <title>Submission Awaiting Manager's Approval</title>
+    <style>
+        body {
+          font-family: Arial, sans-serif;
+          color: #003366;
+          background-color: #ffffff;
+          padding: 20px;
+        }
+        .container {
+          max-width: 600px;
+          margin: auto;
+          padding: 20px;
+        }
+        .logo {
+          text-align: left;
+          margin-bottom: 20px;
+        }
+        .logo img {
+          max-width: 220px;
+          height: auto;
+        }
+        .content {
+          font-size: 16px;
+          line-height: 1.6;
+          color: #333;
+          text-align: left;
+        }
+        .grey-box {
+          background-color: #FAF9F8;
+          padding: 16px;
+          border-left: 4px solid #1a5a96;
+          margin: 20px 0;
+        }
+        .grey-box p {
+          margin: 0 0 10px 0;
+        }
+        .grey-box a {
+          color: #1a5a96;
+          font-weight: bold;
+          text-decoration: none;
+        }
+        .footer {
+          font-size: 12px;
+          color: #666;
+          margin-top: 30px;
+          text-align: left;
+        }
+    </style>
+</head>
+<body>
+<div class="container">
+    <div class="logo">
+        <img src={{ logo_url }} alt="EAO Logo"/>
+    </div>
+
+    <div class="content">
+        <p>Hello,</p>
+
+        <p>We want to inform you that <strong>{{ package_name }}</strong> for <strong>{{ project_name }}</strong> has been reviewed by <strong>{{ team_member_name }}</strong> and is awaiting Manager's approval.</p>
+
+        <div class="grey-box">
+            <p>Log in to <a href="https://submit.eao.gov.bc.ca">EPIC.submit</a> to view the submission package.</p>
+        </div>
+
+        <p>Best regards,</p>
+
+        <p>
+            <strong>EAO Management Plan Operations Team</strong><br>
+            B.C. Environmental Assessment Office<br>
+            Government of British Columbia
+        </p>
+    </div>
+</div>
+</body>
+</html>