From dd9e9977aec97787743ce5f043562acb4d1be7e2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?= Date: Tue, 10 Jul 2018 12:03:05 +0200 Subject: [PATCH] sync-cut: defederate and invalidate email of deleted accounts (#25178) --- .../management/commands/sync-cut.py | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/src/authentic2_gnm/management/commands/sync-cut.py b/src/authentic2_gnm/management/commands/sync-cut.py index 247f308..797d44b 100644 --- a/src/authentic2_gnm/management/commands/sync-cut.py +++ b/src/authentic2_gnm/management/commands/sync-cut.py @@ -34,6 +34,28 @@ class Command(BaseCommand): verbose = int(options['verbosity']) > 0 + # check all existing users + def chunks(l, n): + for i in range(0, len(l), n): + yield l[i:i + n] + + url = settings.CUT_API_BASE_URL + 'users/synchronization/' + for provider in OIDCProvider.objects.all(): + unknown_uuids = [] + auth = (provider.client_id, provider.client_secret) + for accounts in chunks(OIDCAccount.objects.filter(provider=provider), 100): + subs = [x.sub for x in accounts] + resp = requests.post(url, json={'known_uuids': subs}, auth=auth) + unknown_uuids.extend(resp.json().get('unknown_uuids')) + + for account in OIDCAccount.objects.filter(sub__in=unknown_uuids): + if verbose: + print 'disabling', account.user.email, account.user.ou + account.user.email = account.user.email + '.invalid' + account.user.save() + OIDCAccount.objects.filter(sub__in=unknown_uuids).delete() + + # get new agents cut_agents = OIDCProvider.objects.get(name='cut-agents') ou_mapping = settings.CUT_GNM_OU_MAPPING
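Review bot: The deletion pass acts on the synchronization response without validating it: the `requests.post(url, json={'known_uuids': subs}, auth=auth)` call has no `timeout=`, the HTTP status is never checked, and `resp.json().get('unknown_uuids')` returns `None` when the key is absent, which makes `extend` raise. Because the result drives an irreversible change (the email is suffixed with `.invalid` and the `OIDCAccount` rows are deleted), I would add `resp.raise_for_status()` right after the post and use `unknown_uuids.extend(resp.json().get('unknown_uuids') or [])`. Both `OIDCAccount.objects.filter(sub__in=unknown_uuids)` queries also omit `provider=provider`, so an account of another provider that happens to share a `sub` value would be disabled too; the flattened indentation here does not show whether that loop sits inside the per-provider loop, so the scoping should be confirmed. The enclosing method starts and ends outside the hunk.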