def sync_db_users_against_directory_service(self):
  """Reconcile the users stored in the DB against Google Directory Service.

  Every stored user whose domain equals the configured domain is looked up
  by email in the directory listing. A user that is absent from the listing
  is presumed deleted and gets the configured delete action; a user the
  directory marks as suspended gets the configured revoke action. Users from
  any other domain are skipped, since the directory will not list them.

  The sync is abandoned with a log line when no OAuth credentials are saved
  or when the directory request fails with an HttpError, so no action is
  taken on any stored user in those cases.
  """
  logger = ufo.app.logger
  logger.info('Starting user sync.')
  stored_users = models.User.query.all()
  remote_users = {}
  user_config = ufo.get_user_config()

  with ufo.app.app_context():
    creds = oauth.getSavedCredentials()
    # TODO this should handle the case where we do not have oauth
    if not creds:
      logger.info('OAuth credentials not set up. Can\'t sync users.')
      return

    try:
      service = google_directory_service.GoogleDirectoryService(creds)
      # Keyed by email; this is what each stored user is matched against.
      remote_users = service.GetUsersAsDictionary()
    except errors.HttpError as http_err:
      logger.info('Error encountered while requesting users from '
                  'directory service: ' + str(http_err))
      return

  for stored_user in stored_users:
    email = stored_user.email

    # Other domains never appear in this directory, so ignore them.
    if stored_user.domain != user_config.domain:
      logger.info('User ' + email + ' did not match the '
                  'current domain. Ignoring in directory service.')
      continue

    remote_entry = remote_users.get(email)

    # TODO(eholder): Unit test the conditionals here.
    # Missing from the directory: presumed deleted upstream.
    if remote_entry is None:
      logger.info('User ' + email + ' was not found in '
                  'directory service.')
      self.perform_configured_action_on_user(user_config.user_delete_action,
                                             stored_user)
    elif remote_entry['suspended']:
      logger.info('User ' + email + ' was suspended in '
                  'directory service.')
      self.perform_configured_action_on_user(user_config.user_revoke_action,
                                             stored_user)
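def _get_users_to_add(get_all, group_key, user_key):
  """Gets a json object containing the requested users if found.

  If users are found, they are stripped down to only their full name and
  email to avoid leaking unnecessary information. In the case that the users
  are not found, an empty list is used. If an httperror is encountered, that
  error is caught, and the json is still returned with the error inserted
  and an empty list of users.

  Args:
    get_all: A boolean for whether or not to get all users in a domain.
    group_key: A string identifying a group of users and other groups.
    user_key: A string identifying an individual user.

  Returns:
    A flask.Response whose body is the XSSI prefix followed by a json object
    with 'directory_users' set to a possibly empty list of user objects. If
    there is an error, the 'error' field will be set to its text.
  """
  credentials = oauth.getSavedCredentials()
  # TODO this should handle the case where we do not have oauth
  if not credentials:
    return _users_json_response([], error='OAuth is not set up')

  try:
    directory_service = google_directory_service.GoogleDirectoryService(
        credentials)
    directory_users = []
    # Selection precedence: whole domain, then group, then single user.
    # Truthiness (rather than `is not ''`) treats None and '' alike; the
    # identity test against a literal was the previous, unreliable form.
    if get_all:
      directory_users = directory_service.GetUsers()
    elif group_key:
      directory_users = directory_service.GetUsersByGroupKey(group_key)
    elif user_key:
      directory_users = directory_service.GetUserAsList(user_key)

    # Expose only full name and primary email; the directory records carry
    # far more per-user data than the caller needs to see.
    users_to_output = [
        {'name': directory_user['name']['fullName'],
         'email': directory_user['primaryEmail']}
        for directory_user in directory_users]
    return _users_json_response(users_to_output)
  except errors.HttpError as error:
    # NOTE(review): the API error text is passed through to the client
    # verbatim; confirm that is acceptable for whoever can reach this route.
    return _users_json_response([], error=str(error))


def _users_json_response(directory_users, error=None):
  """Builds the XSSI-prefixed json response shared by every branch above.

  Args:
    directory_users: A list of {'name', 'email'} dictionaries (may be empty).
    error: Optional error text; when given, an 'error' field is added.

  Returns:
    A flask.Response with ufo.JSON_HEADERS and ufo.XSSI_PREFIX prepended to
    the serialized json, matching the shape documented on _get_users_to_add.
  """
  payload = {'directory_users': directory_users}
  if error is not None:
    payload['error'] = error
  json_obj = json.dumps(payload)
  return flask.Response(ufo.XSSI_PREFIX + json_obj, headers=ufo.JSON_HEADERS)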