fix #305: okta connector integration, initial issues

adobeDan · adobeDan · commit ad8ac026fe02 · 2017-11-20T22:21:07.000-08:00
This fixes:

* the okta connector key was being reported as ignored when not used.
* okta connector's `load_users_and_groups` didn't have the current full set of arguments.
* clean up error messages for okta-produced errors
* py2/py3 differences in the definition of `filter` led to uncaught errors in py3
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
@@ -10,7 +10,7 @@ There is a new command-line argument `--connector` for specifying whether to get
 
 ## Bug Fixes
 
-None is this release candidate.
+[#305](https://github.com/adobe-apiplatform/user-sync.py/issues/305) General issues with Okta connector.
 
 ## Compatibility with Prior Versions
 
diff --git a/user_sync/app.py b/user_sync/app.py
@@ -238,8 +238,8 @@ def create_config_loader_options(args):
     """
     config_options = {
         'delete_strays': False,
-        'directory_connector_type': None,
         'directory_connector_overridden_options': None,
+        'directory_connector_type': None,
         'directory_group_filter': None,
         'directory_group_mapped': False,
         'disentitle_strays': False,
@@ -260,14 +260,14 @@ def create_config_loader_options(args):
         if args.connector_spec:
             raise AssertionException("Must not specify file (%s) with --connector %s" %
                                      (args.connector_spec[0], connector_type))
-            config_options['directory_connector_type'] = connector_type
+        config_options['directory_connector_type'] = connector_type
     elif connector_type == "csv":
         if len(args.connector_spec) != 1:
             raise AssertionException("Must specify a single file with CSV connector")
         config_options['directory_connector_type'] = 'csv'
         config_options['directory_connector_overridden_options'] = {'file_path': args.connector_spec.pop(0)}
     else:
-        raise AssertionException("Unknown --connector type: %s" % connector_type)
+        raise AssertionException("Unknown connector type: %s" % connector_type)
 
     # --users
     users_args = args.users
diff --git a/user_sync/config.py b/user_sync/config.py
@@ -46,8 +46,8 @@ def __init__(self, caller_options):
             # these are in alphabetical order!  Always add new ones that way!
             'delete_strays': False,
             'config_file_encoding': 'utf8',
-            'directory_connector_module_name': None,
             'directory_connector_overridden_options': None,
+            'directory_connector_type': None,
             'directory_group_filter': None,
             'directory_group_mapped': False,
             'disentitle_strays': False,
@@ -138,10 +138,11 @@ def get_directory_connector_configs(self):
         directory_config = self.main_config.get_dict_config('directory_users', True)
         if directory_config is not None:
             connectors_config = directory_config.get_dict_config('connectors', True)
-        # make sure neither ldap nor csv connectors get reported as unused
+        # make sure none of the standard connectors get reported as unused
         if connectors_config:
             connectors_config.get_list('ldap', True)
             connectors_config.get_list('csv', True)
+            connectors_config.get_list('okta', True)
         return connectors_config
 
     def get_directory_connector_options(self, connector_name):
diff --git a/user_sync/connector/directory_okta.py b/user_sync/connector/directory_okta.py
@@ -20,10 +20,10 @@
 
 import okta
 import six
+from okta.framework.OktaError import OktaError
 
 import user_sync.config
 import user_sync.connector.helper
-import user_sync.error
 import user_sync.helper
 import user_sync.identity_type
 from user_sync.error import AssertionException
@@ -44,15 +44,16 @@ def connector_initialize(options):
     return state
 
 
-def connector_load_users_and_groups(state, groups, extended_attributes):
+def connector_load_users_and_groups(state, groups, extended_attributes, all_users):
     """
     :type state: OktaDirectoryConnector
     :type groups: list(str)
     :type extended_attributes: list(str)
+    :type all_users: bool
     :rtype (bool, iterable(dict))
     """
 
-    return state.load_users_and_groups(groups, extended_attributes)
+    return state.load_users_and_groups(groups, extended_attributes, all_users)
 
 
 class OktaDirectoryConnector(object):
@@ -93,17 +94,20 @@ def __init__(self, caller_options):
         try:
             self.users_client = okta.UsersClient(host, api_token)
             self.groups_client = okta.UserGroupsClient(host, api_token)
-        except Exception as e:
-            raise user_sync.error.AssertionException(repr(e))
+        except OktaError as e:
+            raise AssertionException("Error connecting to Okta: %s" % e)
 
         logger.info('Connected')
 
-    def load_users_and_groups(self, groups, extended_attributes):
+    def load_users_and_groups(self, groups, extended_attributes, all_users):
         """
         :type groups: list(str)
         :type extended_attributes: list(str)
+        :type all_users: bool
         :rtype (bool, iterable(dict))
         """
+        if all_users:
+            raise AssertionException("Okta connector has no notion of all users, please specify a --users group")
 
         options = self.options
         all_users_filter = options['all_users_filter']
@@ -140,9 +144,9 @@ def find_group(self, group):
         group_filter_format = options['group_filter_format']
         try:
             results = self.groups_client.get_groups(query=group_filter_format.format(group=group))
-        except Exception as e:
+        except OktaError as e:
             self.logger.warning("Unable to query group")
-            raise user_sync.error.AssertionException(repr(e))
+            raise AssertionException("Okta error querying for group: %s" % e)
 
         if results is None:
             self.logger.warning("No group found for: %s", group)
@@ -156,6 +160,7 @@ def find_group(self, group):
     def iter_group_members(self, group, filter_string, extended_attributes):
         """
         :type group: str
+        :type filter_string: str
         :type extended_attributes: list
         :rtype iterator(str, str)
         """
@@ -169,9 +174,9 @@ def iter_group_members(self, group, filter_string, extended_attributes):
             try:
                 attr_dict = OKTAValueFormatter.get_extended_attribute_dict(user_attribute_names)
                 members = self.groups_client.get_group_all_users(res_group.id, attr_dict)
-            except Exception as e:
+            except OktaError as e:
                 self.logger.warning("Unable to get_group_users")
-                raise user_sync.error.AssertionException(repr(e))
+                raise AssertionException("Okta error querying for group users: %s" % e)
             # Filtering users based all_users_filter query in config
             for member in self.filter_users(members, filter_string):
                 profile = member.profile
@@ -201,7 +206,7 @@ def convert_user(self, record, extended_attributes):
         else:
             try:
                 user['identity_type'] = user_sync.identity_type.parse_identity_type(user_identity_type)
-            except user_sync.error.AssertionException as e:
+            except AssertionException as e:
                 self.logger.warning('Skipping user %s: %s', profile.login, e)
                 return None
 
@@ -250,17 +255,18 @@ def iter_search_result(self, filter_string, attributes):
                 users = self.users_client.get_all_users(query=filter_string, extended_attribute=attr_dict)
             else:
                 users = self.users_client.get_all_users(query=filter_string)
-        except Exception as e:
+        except OktaError as e:
             self.logger.warning("Unable to query users")
-            raise user_sync.error.AssertionException(repr(e))
+            raise AssertionException("Okta error querying for users: %s" % e)
         return users
 
     def filter_users(self, users, filter_string):
         try:
-            result = filter(lambda user: eval(filter_string), users)
+            return list(filter(lambda user: eval(filter_string), users))
+        except SyntaxError as e:
+            raise AssertionException("Invalid syntax in predicate (%s): cannot evaluate" % filter_string)
         except Exception as e:
-            raise AssertionException("Error filtering users: %s" % e)
-        return result
+            raise AssertionException("Error filtering with predicate (%s): %s" % (filter_string, e))
 
 
 class OKTAValueFormatter(object):
