Merge branch 'feature/sign-exclusion' into v2

Author: adorton-adobe

user_sync/config/sign_sync.py

@@ -56,6 +56,19 @@ def config_schema() -> Schema:
         }
     })
 
+def connector_schema() -> Schema:
+    from schema import And, Optional, Or, Regex
+    return Schema({
+        'host': str,
+        Or('integration_key', 'secure_integration_key'): str,
+        'admin_email': str,
+        Optional('create_users'): Optional(bool),
+        Optional('deactivate_users'): Optional(bool),
+        Optional('exclusions'): {
+            Optional('groups'): list,
+            Optional('users'): list,
+        }
+    })
 
 class SignConfigLoader(ConfigLoader):
     """
@@ -96,7 +109,7 @@ def __init__(self, args: dict):
         filename, encoding = self._config_file_info()
         self.config_loader = ConfigFileLoader(encoding, self.ROOT_CONFIG_PATH_KEYS, self.SUB_CONFIG_PATH_KEYS)
         self.raw_config = self._load_raw_config(filename, encoding)
-        self._validate(self.raw_config)
+        self._validate(config_schema, self.raw_config)
         self.main_config = self.load_main_config(filename, self.raw_config)
         self.invocation_options = self.load_invocation_options()
         self.directory_groups = self.load_directory_groups()
@@ -143,10 +156,10 @@ def _load_raw_config(self, filename, encoding) -> dict:
         return self.config_loader.load_root_config(filename)
 
     @staticmethod
-    def _validate(raw_config: dict):
+    def _validate(schm, raw_config: dict):
         from schema import SchemaError
         try:
-            config_schema().validate(raw_config)
+            schm().validate(raw_config)
         except SchemaError as e:
             raise ConfigValidationError(e.code) from e
 
@@ -211,11 +224,14 @@ def get_target_options(self) -> dict[str, dict]:
         if self.DEFAULT_ORG_NAME not in target_configs:
             raise AssertionException(f"'sign_orgs' config must specify a connector with '{self.DEFAULT_ORG_NAME}' key")
         primary_options = self.config_loader.load_sub_config(target_configs[self.DEFAULT_ORG_NAME])
+        self._validate(connector_schema, primary_options)
         all_options = {}
         for target_id, config_file in target_configs.items():
             if target_id == self.DEFAULT_ORG_NAME:
                 continue
-            all_options[target_id] = self.config_loader.load_sub_config(config_file)
+            cfg = self.config_loader.load_sub_config(config_file)
+            self._validate(connector_schema, cfg)
+            all_options[target_id] = cfg
         all_options[self.DEFAULT_ORG_NAME] = primary_options
         return all_options
 

user_sync/connector/connector_sign.py

@@ -27,6 +27,7 @@
 from ..error import AssertionException
 from sign_client.client import SignClient
 from pathlib import Path
+import re
 
 
 class SignConnector(object):
@@ -45,6 +46,20 @@ def __init__(self, caller_options, org_name, test_mode, connection, cache_config
         sign_builder.require_string_value('admin_email')
         self.create_users = sign_builder.require_value('create_users', bool)
         self.deactivate_users = sign_builder.require_value('deactivate_users', bool)
+
+        exclusion_config = caller_config.get_dict_config('exclusions', True)
+        exclusion_builder = OptionsBuilder(exclusion_config)
+        exclusion_builder.set_value('groups', list, [])
+        exclusion_builder.set_value('users', list, [])
+
+        self.exclusion_options = exclusion_builder.get_options()
+
+        if 'users' in self.exclusion_options:
+            compiled_rules = []
+            for rule in self.exclusion_options['users']:
+                compiled_rules.append(re.compile(rule))
+            self.exclusion_options['users'] = compiled_rules
+
         store_path = Path(cache_config['path'])
 
         options = sign_builder.get_options()

user_sync/engine/sign.py

@@ -7,6 +7,7 @@
 from sign_client.error import AssertionException as ClientException
 
 from sign_client.model import DetailedUserInfo, GroupInfo, UserGroupsInfo, UserGroupInfo, DetailedGroupInfo, UserStateInfo
+import re
 
 
 class SignSyncEngine:
@@ -130,6 +131,18 @@ def log_action_summary(self):
         for description, count in self.action_summary.items():
             self.logger.info('  {}: {}'.format(description.rjust(pad, ' '), count))
 
+    def sign_user_excluded(self, user, user_groups, connector):
+        if 'users' in connector.exclusion_options:
+            for rule in connector.exclusion_options['users']:
+                if rule.match(user.email.lower()):
+                    return True
+        if 'groups' in connector.exclusion_options:
+            user_group_names = set([ug.name.lower() for ug in user_groups])
+            for group in connector.exclusion_options['groups']:
+                if group.lower() in user_group_names:
+                    return True
+        return False
+
     def update_sign_users(self, directory_users, sign_connector: SignConnector, org_name):
         """
         Updates user details or inserts new user
@@ -139,9 +152,12 @@ def update_sign_users(self, directory_users, sign_connector: SignConnector, org_
         :return:
         """
         # Fetch the list of active Sign users
-        sign_users = {user.email: user for user in sign_connector.get_users().values() if user.status != 'INACTIVE'}
-        inactive_sign_users = {user.email: user for user in sign_connector.get_users().values() if user.status == 'INACTIVE'}
         sign_user_groups = sign_connector.get_user_groups()
+        all_users = sign_connector.get_users().values()
+        filtered_users = {user.email: user for user in all_users if not self.sign_user_excluded(user, sign_user_groups[user.id], sign_connector)}
+        sign_users = {user.email: user for user in filtered_users.values() if user.status != 'INACTIVE'}
+        inactive_sign_users = {user.email: user for user in filtered_users.values() if user.status == 'INACTIVE'}
+        self.excluded_users = {user.email: user for user in all_users if self.sign_user_excluded(user, sign_user_groups[user.id], sign_connector)}
         self.sign_user_primary_groups[org_name] = {id: [g for g in groups if g.isPrimaryGroup][0] for id, groups in sign_user_groups.items()}
         users_update_list = []
         user_groups_update_list = []
@@ -161,6 +177,9 @@ def update_sign_users(self, directory_users, sign_connector: SignConnector, org_
                 assignment_group = self.default_groups[org_name].groupName
             user_roles = self.retrieve_admin_role(directory_user)
             if sign_user is None:
+                if directory_user['email'] in self.excluded_users:
+                    self.logger.debug("(%s) Found excluded user %s directory user list, skipping", org_name, directory_user['email'])
+                    continue
                 if sign_connector.create_users:
                     inactive_user = inactive_sign_users.get(directory_user_key)
                     # if Standalone user is inactive, we need to reactivate instead of trying to create new account