unused-accounts: explicitely skip ldap users (#75196)

This commit is contained in:
Paul Marillonnet 2023-03-07 11:24:14 +01:00
parent d4b0c13a1b
commit bb1b5e22d5
2 changed files with 19 additions and 12 deletions


@ -31,7 +31,6 @@ from authentic2.a2_rbac.models import OrganizationalUnit
from authentic2.backends import get_user_queryset
from authentic2.backends.ldap_backend import LDAPBackend
from authentic2.journal_event_types import UserDeletionForInactivity, UserNotificationInactivity
from authentic2.models import UserExternalId
from authentic2.utils.misc import send_templated_mail
logger = logging.getLogger(__name__)
@ -65,7 +64,8 @@ class Command(BaseCommand):
self.now = timezone.now()
self.user_qs = get_user_queryset().exclude(email='')
realms = [block['realm'] for block in LDAPBackend.get_config() if block.get('realm')]
self.user_qs = get_user_queryset().exclude(email='').exclude(userexternalid__source__in=realms)
translation.activate(settings.LANGUAGE_CODE)
try:
@ -75,7 +75,6 @@ class Command(BaseCommand):
def clean_unused_accounts(self):
count = app_settings.A2_CLEAN_UNUSED_ACCOUNTS_MAX_MAIL_PER_PERIOD
realms = [block['realm'] for block in LDAPBackend.get_config() if block.get('realm')]
for ou in OrganizationalUnit.objects.filter(clean_unused_accounts_alert__isnull=False):
alert_delay = timedelta(days=ou.clean_unused_accounts_alert)
deletion_delay = timedelta(days=ou.clean_unused_accounts_deletion)
@ -99,9 +98,7 @@ class Command(BaseCommand):
# send first alert to users having never received an alert beforehand, skipping
# federated users
inactive_users_first_alert = inactive_users.filter(
Q(last_account_deletion_alert__isnull=True)
& Q(oidc_account__isnull=True)
& ~Q(userexternalid__source__in=realms)
Q(last_account_deletion_alert__isnull=True) & Q(oidc_account__isnull=True)
)
days_to_deletion = ou.clean_unused_accounts_deletion - ou.clean_unused_accounts_alert
for user in inactive_users_first_alert[:count]:
@ -117,9 +114,7 @@ class Command(BaseCommand):
# or if user is federated and never logged-in
& (
Q(last_account_deletion_alert__lte=self.now - (deletion_delay - alert_delay))
| Q(last_login__isnull=True)
& Q(oidc_account__isnull=False)
& ~Q(userexternalid__source__in=realms)
| Q(last_login__isnull=True) & Q(oidc_account__isnull=False)
)
)
for user in inactive_users_to_delete[:count]:
@ -129,12 +124,10 @@ class Command(BaseCommand):
ou.clean_unused_accounts_deletion,
)
known_sources = set(UserExternalId.objects.filter(user=user).values_list('source', flat=True))
self.delete_user(
user,
days_of_inactivity=deletion_delay.days,
send_mail=user.last_login
or not (getattr(user, 'oidc_account', None) or known_sources & set(realms)),
send_mail=user.last_login or not getattr(user, 'oidc_account', None),
)
def send_alert(self, user, days_to_deletion, days_of_inactivity):
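Review bot: With the per-query guards `~Q(userexternalid__source__in=realms)` removed from both the first-alert filter and the deletion filter, skipping LDAP accounts now rests entirely on every queryset in clean_unused_accounts being derived from the `self.user_qs` built in handle(); the line that derives `inactive_users` is outside these hunks, so that single point of exclusion deserves a comment where it is made, e.g. `# LDAP-backed accounts (any UserExternalId whose source is a configured LDAP realm) are excluded once here; every queryset used by clean_unused_accounts must derive from self.user_qs`. As far as I can tell `.exclude(userexternalid__source__in=realms)` across the multi-valued userexternalid relation drops a user who has at least one external id in an LDAP realm, which is the intended reading, and an empty `realms` list excludes nothing, so a deployment without LDAP is unaffected. The removed line in the first hunk is presumably the `UserExternalId` import, since its only visible use (the `known_sources` computation) is deleted in the last hunk; confirm no other use of that name survives elsewhere in the file.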


@ -227,6 +227,20 @@ def test_clean_unused_federated_account_never_logged_in(app, db, simple_user, ma
assert DeletedUser.objects.count() == 1
assert {deleted.old_user_id for deleted in DeletedUser.objects.all()} == {simple_user.id}
ldap_user.last_login = ldap_user.keepalive = now() - datetime.timedelta(days=4)
ldap_user.date_joined = now() - datetime.timedelta(days=5)
ldap_user.save()
call_command('clean-unused-accounts')
assert len(mailoutbox) == 0
assert (
Event.objects.filter(
type__name='user.deletion.inactivity', user=ldap_user, data__email=ldap_user.email
).count()
== 0
)
assert DeletedUser.objects.count() == 1
def test_clean_unused_federated_account_logged_in_untouched(app, db, simple_user, mailoutbox, freezer):
freezer.move_to('2018-01-01')
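Review bot: The new assertions appended to test_clean_unused_federated_account_never_logged_in (the function starts outside the hunk) set the LDAP user's last_login and keepalive to four days ago, so the account may be left alone simply because it has not yet crossed the OU alert delay rather than because of the new realm exclusion; the delays configured by the fixtures are not visible here. To pin the behaviour the commit introduces, push ldap_user's last_login and keepalive back further than the OU's clean_unused_accounts_deletion value and also assert that no alert mail and no alert journal event is produced for it, so both the first-alert path and the deletion path are covered by the exclusion. If the fixture delays are already below four days, a one-line comment stating that would make the intent of the chosen dates clear.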