def get_identities(user: User) -> Iterable[UserIdentityConfig]:
"""Get objects representing all of a user's identities.
Fetch the identity-related objects from the database and set
their associated statuses. This function is responsible for
setting the status because it depends on the user state and the
full set of available identities.
"""
has_password = user.has_usable_password()
global_identity_objs = list(Identity.objects.filter(user=user))
global_login_id_count = sum(1 for obj in global_identity_objs if supports_login(obj))
def get_global_identity_status(obj: Identity) -> Status:
if not supports_login(obj):
return Status.CAN_DISCONNECT
# Allow global login IDs to be deleted if the user has a
# password or at least one other login ID to fall back on.
# AuthIdentities don't count, because we don't want to risk
# the user getting locked out of their profile if they're
# kicked from the organization.
return (
Status.CAN_DISCONNECT
if has_password or global_login_id_count > 1
else Status.NEEDED_FOR_GLOBAL_AUTH
)
def get_org_identity_status(obj: AuthIdentity) -> Status:
if not obj.auth_provider.flags.allow_unlinked:
return Status.NEEDED_FOR_ORG_AUTH
elif has_password or global_login_id_count > 0:
return Status.CAN_DISCONNECT
else:
# Assume the user has only this AuthIdentity as their
# means of logging in. (They might actually have two or
# more from non-SSO-requiring orgs, but that's so rare
# and weird that we don't care.)
return Status.NEEDED_FOR_GLOBAL_AUTH
social_identities = (
UserIdentityConfig.wrap(obj, Status.CAN_DISCONNECT)
for obj in UserSocialAuth.objects.filter(user=user)
)
global_identities = (
UserIdentityConfig.wrap(obj, get_global_identity_status(obj))
for obj in global_identity_objs
)
org_identities = (
UserIdentityConfig.wrap(obj, get_org_identity_status(obj))
for obj in AuthIdentity.objects.filter(user=user).select_related()
)
return itertools.chain(social_identities, global_identities, org_identities)
