Beispiel #1
    def _update_attr_owned_by_cis(self, profile_json):
        """Update the attributes owned by cisv2.

        Takes a profile as ``profile_json`` and, per the original description,
        returns a profile json with updated values and signatures.

        NOTE(review): the excerpt shown here ends after ``last_modified`` is
        signed; no return statement is visible, so the return path cannot be
        confirmed from this listing.
        """

        # Build a cis_profile User object from the incoming profile JSON.
        # NOTE(review): nothing visible here verifies the signatures already
        # present in profile_json before CIS adds its own -- confirm that the
        # caller (or the User constructor) does so.
        user = User(user_structure_json=profile_json)
        # Refresh last_modified first: update_timestamp() presumably bumps the
        # attribute's metadata timestamp (TODO confirm), then the value itself
        # is set to the current UTC time.
        user.update_timestamp("last_modified")
        user.last_modified.value = user._get_current_utc_time()
        # Sign as publisher "cis" only once the value is final; presumably the
        # signature covers the value, so any later change would invalidate it.
        user.sign_attribute("last_modified", "cis")
Beispiel #2
    def _update_attr_owned_by_cis(self, user_id, user):
        """
        Refresh and re-sign the attributes that CIS itself is authoritative for.

        Attributes touched:
        - last_modified: value set to the current UTC time, then signed as "cis"
        - active: re-signed as "cis" when its current publisher is ldap,
          access_provider or hris (its value is not assigned here)

        @user_id str of the user's user_id (only used as logging context)
        @user a cis_profile.User object to update the attributes of

        Returns the same cis_profile.User object with updated, signed values

        NOTE(review): signature checks run only when the `verify_signatures`
        setting in the `cis` namespace is exactly the string "true". With any
        other value, `active` is re-signed as "cis" without its inbound
        signature having been checked in this method.
        """
        bypass_notice = "Verifying CIS owned signatures bypassed due to setting `verify_signatures` being false"

        logger.info("Updating CIS owned attributes", extra={"user_id": user_id})

        # Set the final value before signing it.
        user.update_timestamp("last_modified")
        user.last_modified.value = user._get_current_utc_time()
        user.sign_attribute("last_modified", "cis")

        # LDAP, HRIS and access_provider (auth0) are currently allowed to
        # disable a user (eventually this could be only HRIS and Auth0, or HRIS
        # and CIS with write back to auth0). CIS is authoritative for `active`,
        # so an attribute signed by one of them is re-signed by CIS here.
        upstream_publishers = ("ldap", "access_provider", "hris")
        current_publisher = user.active.signature.publisher.name
        if current_publisher in upstream_publishers:
            check_inbound = self.config("verify_signatures", namespace="cis") == "true"
            if not check_inbound:
                logger.warning(bypass_notice, extra={"user_id": user_id})
            else:
                logger.info("Verifying signature of attribute active", extra={"user_id": user_id})
                # NOTE(review): the return value is discarded; presumably a
                # failed verification raises -- confirm, otherwise a bad
                # upstream signature would still be replaced by a CIS one.
                user.verify_attribute_signature("active")
            user.sign_attribute("active", "cis")

        # Verify again for consistency, since signatures were rewritten above.
        # When `active` was not re-signed, this checks it under the signature
        # it arrived with.
        recheck = self.config("verify_signatures", namespace="cis") == "true"
        if not recheck:
            logger.warning(bypass_notice, extra={"user_id": user_id})
            return user

        for attr_name in ("active", "last_modified"):
            user.verify_attribute_signature(attr_name)
        return user