From 1f9d9bd3f930a3938d8a1af6e4863e790abb9de1 Mon Sep 17 00:00:00 2001
From: Valentin Deniaud
Date: Mon, 17 May 2021 14:23:35 +0200
Subject: [PATCH] journal_event_types: add ldap user deactivation (#52671)

---
 src/authentic2/backends/ldap_backend.py |  3 +++
 src/authentic2/journal_event_types.py   | 18 ++++++++++++++++++
 tests/test_ldap.py                      | 12 +++++++-----
 3 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/src/authentic2/backends/ldap_backend.py b/src/authentic2/backends/ldap_backend.py
index 2a9fc6e0..6606e16e 100644
--- a/src/authentic2/backends/ldap_backend.py
+++ b/src/authentic2/backends/ldap_backend.py
@@ -54,6 +54,7 @@ from authentic2.a2_rbac.models import Role
 from authentic2.a2_rbac.utils import get_default_ou
 from authentic2.backends import is_user_authenticable
 from authentic2.compat_lasso import lasso
+from authentic2.journal_event_types import LdapUserDeactivation
 from authentic2.ldap_utils import FilterFormatter
 from authentic2.middleware import StoreRequestMiddleware
 from authentic2.models import UserExternalId
@@ -1511,10 +1512,12 @@ class LDAPBackend(object):
             external_id__in=eids, user__is_active=True, source=block['realm']
         ):
             eid.user.mark_as_inactive()
+            LdapUserDeactivation.record(eid.user, 'not-present')
         # Handle users of old sources
         uei_qs = UserExternalId.objects.exclude(source__in=[block['realm'] for block in cls.get_config()])
         for user in User.objects.filter(userexternalid__in=uei_qs):
             user.mark_as_inactive()
+            LdapUserDeactivation.record(user, 'old-source')
 
     @classmethod
     def ad_encoding(cls, s):
diff --git a/src/authentic2/journal_event_types.py b/src/authentic2/journal_event_types.py
index 95d1a834..8ab9a22b 100644
--- a/src/authentic2/journal_event_types.py
+++ b/src/authentic2/journal_event_types.py
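Review bot: The second loop records an `old-source` deactivation event for every user of an old source on every run, because unlike the first loop's `user__is_active=True` filter, `User.objects.filter(userexternalid__in=uei_qs)` also returns users that are already inactive; each run then re-marks them and writes another journal entry, so the audit trail shows deactivations at times when nothing actually changed. Restricting the query to active users fixes it: `for user in User.objects.filter(userexternalid__in=uei_qs, is_active=True):`. It may also be worth wrapping each `mark_as_inactive()`/`record()` pair in `transaction.atomic()` so the state change and its journal entry commit together, assuming the journal is stored in the same database. The enclosing method `deactivate_orphaned_users` starts before this hunk.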
@@ -346,3 +346,21 @@ class UserEmailChange(EventTypeDefinition):
         new_email = event.get_data('email')
         old_email = event.get_data('old_email')
         return _('email address changed from "{0}" to "{1}"').format(old_email, new_email)
+
+
+class LdapUserDeactivation(EventTypeDefinition):
+    name = 'ldap.user.deactivation'
+    label = _('user deactivation')
+
+    @classmethod
+    def record(cls, user, reason):
+        super().record(user=user, data={'reason': reason})
+
+    @classmethod
+    def get_message(cls, event, context):
+        reason = event.get_data('reason')
+        if reason == 'not-present':
+            return _('automatic deactivation because user was not present in LDAP anymore')
+        elif reason == 'old-source':
+            return _('automatic deactivation because user was from an old LDAP source')
+        return super().get_message(event, context)
diff --git a/tests/test_ldap.py b/tests/test_ldap.py
index 85180b14..8c14d351 100644
--- a/tests/test_ldap.py
+++ b/tests/test_ldap.py
@@ -254,9 +254,8 @@ def test_deactivate_orphaned_users(slapd, settings, client, db):
 
     ldap_backend.LDAPBackend.deactivate_orphaned_users()
 
-    assert (
-        ldap_backend.UserExternalId.objects.filter(user__is_active=False, source=block['realm']).count() == 1
-    )
+    deactivated_user = ldap_backend.UserExternalId.objects.get(user__is_active=False, source=block['realm'])
+    utils.assert_event('ldap.user.deactivation', user=deactivated_user.user, reason='not-present')
 
     # rename source realm
     settings.LDAP_AUTH_SETTINGS = [
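Review bot: The reason values `'not-present'` and `'old-source'` are bare string literals duplicated between the `get_message` branches here and the `record()` calls in `ldap_backend.py`, so a typo on either side silently falls through to the generic `super().get_message()` text instead of failing; defining them once on the class, e.g. `REASON_NOT_PRESENT = 'not-present'` and `REASON_OLD_SOURCE = 'old-source'`, and referencing those from the backend keeps the two sides in sync. The class also has no docstring; a short one such as `"""Journal event for a user deactivated automatically by the LDAP backend; data['reason'] is 'not-present' or 'old-source'."""` would tell a reader what `reason` may hold. The `label` `_('user deactivation')` does not mention LDAP, which may make this event type hard to tell apart from other deactivation events in a journal listing if such exist.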
@@ -264,9 +263,12 @@ def test_deactivate_orphaned_users(slapd, settings, client, db):
     ]
 
     ldap_backend.LDAPBackend.deactivate_orphaned_users()
-    assert (
-        ldap_backend.UserExternalId.objects.filter(user__is_active=False, source=block['realm']).count() == 6
+    deactivated_users = ldap_backend.UserExternalId.objects.filter(
+        user__is_active=False, source=block['realm']
     )
+    assert deactivated_users.count() == 6
+    for ldap_user in deactivated_users.exclude(pk=deactivated_user.pk):
+        utils.assert_event('ldap.user.deactivation', user=ldap_user.user, reason='old-source')
 
 
 @pytest.mark.django_db
-- 
2.20.1
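Review bot: The test never calls `deactivate_orphaned_users()` a second time, so it cannot detect the backend writing a fresh `old-source` journal event for users that are already inactive on a later run; adding a second call after the loop and asserting that the number of `ldap.user.deactivation` events is unchanged would pin that down, though depending on what `utils.assert_event` checks this may need a direct count on the journal model. The `for` loop over `deactivated_users.exclude(pk=deactivated_user.pk)` would also pass silently on an empty queryset, but the preceding `assert deactivated_users.count() == 6` guards against that here. The enclosing function `test_deactivate_orphaned_users` starts before this hunk.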