Reject unapproved broadcast upon cancel API request

When a service sends us a cancel broadcast XML via API, if that
broadcast was not approved yet, reject it.

app/broadcast_message/rest.py

@@ -42,10 +42,10 @@ def _parse_nullable_datetime(dt):
     return dt
 
 
-def _update_broadcast_message(broadcast_message, new_status, updating_user):
+def validate_and_update_broadcast_message_status(broadcast_message, new_status, updating_user, from_api=False):
     if updating_user not in broadcast_message.service.users:
-        #  we allow platform admins to cancel broadcasts
-        if not (new_status == BroadcastStatusType.CANCELLED and updating_user.platform_admin):
+        #  we allow platform admins to cancel broadcasts, and we don't check user if request was done via API
+        if not from_api and not (new_status == BroadcastStatusType.CANCELLED and updating_user.platform_admin):
             raise InvalidRequest(
                 f'User {updating_user.id} cannot update broadcast_message {broadcast_message.id} from other service',
                 status_code=400
@@ -82,6 +82,11 @@ def _update_broadcast_message(broadcast_message, new_status, updating_user):
     )
     broadcast_message.status = new_status
 
+    dao_save_object(broadcast_message)
+
+    if new_status in {BroadcastStatusType.BROADCASTING, BroadcastStatusType.CANCELLED}:
+        _create_broadcast_event(broadcast_message)
+
 
 @broadcast_message_blueprint.route('', methods=['GET'])
 def get_broadcast_messages_for_service(service_id):
@@ -201,11 +206,7 @@ def update_broadcast_message_status(service_id, broadcast_message_id):
     new_status = data['status']
     updating_user = get_user_by_id(data['created_by'])
 
-    _update_broadcast_message(broadcast_message, new_status, updating_user)
-    dao_save_object(broadcast_message)
-
-    if new_status in {BroadcastStatusType.BROADCASTING, BroadcastStatusType.CANCELLED}:
-        _create_broadcast_event(broadcast_message)
+    validate_and_update_broadcast_message_status(broadcast_message, new_status, updating_user)
 
     return jsonify(broadcast_message.serialize()), 200
 

app/broadcast_message/translators.py

@@ -7,6 +7,7 @@ def cap_xml_to_dict(cap_xml):
     return {
         "msgType": cap.alert.msgType.text,
         "reference": cap.alert.identifier.text,
+        "references": cap.alert.references.text,  # references to previous events belonging to the same alert
         "cap_event": cap.alert.info.event.text,
         "category": cap.alert.info.category.text,
         "expires": cap.alert.info.expires.text,

app/dao/broadcast_message_dao.py

@@ -24,6 +24,12 @@ def dao_get_broadcast_message_by_id_and_service_id(broadcast_message_id, service
     ).one()
 
 
+def dao_get_broadcast_message_by_references(references_to_original_broadcast):
+    return BroadcastMessage.query.filter(
+        BroadcastMessage.reference.in_(references_to_original_broadcast),
+    ).one()
+
+
 def dao_get_broadcast_event_by_id(broadcast_event_id):
     return BroadcastEvent.query.filter(BroadcastEvent.id == broadcast_event_id).one()
 

app/v2/broadcast/broadcast_schemas.py

@@ -17,6 +17,12 @@ post_broadcast_schema = {
                 "null",
             ],
         },
+        "references": {
+            "type": [
+                "string",
+                "null",
+            ],
+        },
         "cap_event": {
             "type": [
                 "string",
@@ -63,10 +69,10 @@ post_broadcast_schema = {
             "type": "string",
             "enum": [
                 "Alert",
+                "Cancel",
                 # The following are valid CAP but not supported by our
                 # API at the moment
                 #    "Update",
-                #    "Cancel",
                 #    "Ack",
                 #    "Error",
             ],

app/v2/broadcast/post_broadcast.py

@@ -5,7 +5,9 @@ from notifications_utils.polygons import Polygons
 from notifications_utils.template import BroadcastMessageTemplate
 
 from app import api_user, authenticated_service
+from app.broadcast_message.rest import validate_and_update_broadcast_message_status
 from app.broadcast_message.translators import cap_xml_to_dict
+from app.dao.broadcast_message_dao import dao_get_broadcast_message_by_references
 from app.dao.dao_utils import dao_save_object
 from app.models import BROADCAST_TYPE, BroadcastMessage, BroadcastStatusType
 from app.notifications.validators import check_service_has_permission
@@ -37,52 +39,65 @@ def create_broadcast():
             message='Request data is not valid CAP XML',
             status_code=400,
         )
-
     broadcast_json = cap_xml_to_dict(cap_xml)
 
     validate(broadcast_json, post_broadcast_schema)
-    _validate_template(broadcast_json)
 
-    polygons = Polygons(list(chain.from_iterable((
-        [
-            [[y, x] for x, y in polygon]
-            for polygon in area['polygons']
-        ] for area in broadcast_json['areas']
-    ))))
+    if broadcast_json["msgType"] == "Cancel":
+        references_to_original_broadcast = broadcast_json["references"].split(",")
+        broadcast_message = dao_get_broadcast_message_by_references(references_to_original_broadcast)
+        # do we need to check if service is active?
+        validate_and_update_broadcast_message_status(
+            broadcast_message,
+            BroadcastStatusType.REJECTED,
+            updating_user=None,
+            from_api=True
+        )
+        return jsonify(broadcast_message.serialize()), 201
 
-    if len(polygons) > 12 or polygons.point_count > 250:
-        simple_polygons = polygons.smooth.simplify
     else:
-        simple_polygons = polygons
+        _validate_template(broadcast_json)
 
-    broadcast_message = BroadcastMessage(
-        service_id=authenticated_service.id,
-        content=broadcast_json['content'],
-        reference=broadcast_json['reference'],
-        cap_event=broadcast_json['cap_event'],
-        areas={
-            'names': [
-                area['name'] for area in broadcast_json['areas']
-            ],
-            'simple_polygons': simple_polygons.as_coordinate_pairs_lat_long,
-        },
-        status=BroadcastStatusType.PENDING_APPROVAL,
-        api_key_id=api_user.id,
-        stubbed=authenticated_service.restricted
-        # The client may pass in broadcast_json['expires'] but it’s
-        # simpler for now to ignore it and have the rules around expiry
-        # for broadcasts created with the API match those created from
-        # the admin app
-    )
+        polygons = Polygons(list(chain.from_iterable((
+            [
+                [[y, x] for x, y in polygon]
+                for polygon in area['polygons']
+            ] for area in broadcast_json['areas']
+        ))))
 
-    dao_save_object(broadcast_message)
+        if len(polygons) > 12 or polygons.point_count > 250:
+            simple_polygons = polygons.smooth.simplify
+        else:
+            simple_polygons = polygons
 
-    current_app.logger.info(
-        f'Broadcast message {broadcast_message.id} created for service '
-        f'{authenticated_service.id} with reference {broadcast_json["reference"]}'
-    )
+        broadcast_message = BroadcastMessage(
+            service_id=authenticated_service.id,
+            content=broadcast_json['content'],
+            reference=broadcast_json['reference'],
+            cap_event=broadcast_json['cap_event'],
+            areas={
+                'names': [
+                    area['name'] for area in broadcast_json['areas']
+                ],
+                'simple_polygons': simple_polygons.as_coordinate_pairs_lat_long,
+            },
+            status=BroadcastStatusType.PENDING_APPROVAL,
+            api_key_id=api_user.id,
+            stubbed=authenticated_service.restricted
+            # The client may pass in broadcast_json['expires'] but it’s
+            # simpler for now to ignore it and have the rules around expiry
+            # for broadcasts created with the API match those created from
+            # the admin app
+        )
 
-    return jsonify(broadcast_message.serialize()), 201
+        dao_save_object(broadcast_message)
+
+        current_app.logger.info(
+            f'Broadcast message {broadcast_message.id} created for service '
+            f'{authenticated_service.id} with reference {broadcast_json["reference"]}'
+        )
+
+        return jsonify(broadcast_message.serialize()), 201
 
 
 def _validate_template(broadcast_json):