Fix users synchronization

The LDAP_USER_DN was changed in 0.21.0. This resulted in more entries returned when searching for users and all users being disabled... We were only looking into "OU=ESS Users" before. Inactive users are put under "OU=InActiveUsers" in AD. JIRA INFRA-1026 #action In Progress

Fix users synchronization
d2bb6124 · Benjamin Bertrand · 635bf45b · d2bb6124
Commit d2bb6124 authored 5 years ago by Benjamin Bertrand
--- a/app/commands.py
+++ b/app/commands.py
@@ -22,6 +22,15 @@ from .tasks import TaskWorker
 from . import models, utils, tokens


+def disable_user(user):
+    """Clear users'groups, email and tokens"""
+    user.groups = []
+    user.email = ""
+    # Revoke all user's tokens
+    for token in user.tokens:
+        db.session.delete(token)
+
+
 def sync_user(connection, user):
    """Synchronize the user from the database with information from the LDAP server"""
    search_attr = current_app.config.get("LDAP_USER_LOGIN_ATTR")
@@ -33,26 +42,33 @@ def sync_user(connection, user):
        search_scope=getattr(ldap3, current_app.config.get("LDAP_USER_SEARCH_SCOPE")),
        attributes=current_app.config.get("LDAP_GET_USER_ATTRIBUTES"),
    )
-    if len(connection.response) == 1:
-        ldap_user = connection.response[0]
-        attributes = ldap_user["attributes"]
-        user.display_name = utils.attribute_to_string(attributes["cn"])
-        user.email = utils.attribute_to_string(attributes["mail"])
-        groups = ldap_manager.get_user_groups(
-            dn=ldap3.utils.conv.escape_filter_chars(ldap_user["dn"]),
-            _connection=connection,
-        )
-        user.groups = sorted(
-            [utils.attribute_to_string(group["cn"]) for group in groups]
-        )
-        current_app.logger.info(f"{user} updated")
+    results = [
+        result for result in connection.response if result["type"] == "searchResEntry"
+    ]
+    if len(results) == 1:
+        ldap_user = results[0]
+        # OU=InActiveUsers is specific to ESS AD
+        if "OU=InActiveUsers" in ldap_user["dn"]:
+            current_app.logger.info(f"{user} is inactive. User disabled.")
+            disable_user(user)
+        else:
+            attributes = ldap_user["attributes"]
+            user.display_name = utils.attribute_to_string(attributes["cn"])
+            user.email = utils.attribute_to_string(attributes["mail"])
+            groups = ldap_manager.get_user_groups(
+                dn=ldap3.utils.conv.escape_filter_chars(ldap_user["dn"]),
+                _connection=connection,
+            )
+            user.groups = sorted(
+                [utils.attribute_to_string(group["cn"]) for group in groups]
+            )
+            current_app.logger.info(f"{user} updated")
+    elif len(results) == 0:
+        current_app.logger.warning(f"{user} not found! User disabled.")
+        disable_user(user)
    else:
-        # Clear user's groups
-        user.groups = []
-        # Revoke all user's tokens
-        for token in user.tokens:
-            db.session.delete(token)
-        current_app.logger.info(f"{user} disabled")
+        current_app.logger.warning(f"Too many results for {user}!")
+        current_app.logger.warning(f"results: {results}")
    return user