From c75fdddd3898edbd226ce685f97d7b0ba222fed6 Mon Sep 17 00:00:00 2001 From: Benjamin Dauvergne Date: Mon, 13 Sep 2021 14:30:25 +0200 Subject: [PATCH] provisionning: log received provisionning messages and actions (#56907) --- .../common/management/commands/hobo_notify.py | 5 + hobo/multitenant/utils.py | 15 ++- hobo/provisionning/middleware.py | 6 +- hobo/provisionning/utils.py | 97 ++++++++++++++----- 4 files changed, 96 insertions(+), 27 deletions(-) diff --git a/hobo/agent/common/management/commands/hobo_notify.py b/hobo/agent/common/management/commands/hobo_notify.py index f1fb731..ea62d29 100644 --- a/hobo/agent/common/management/commands/hobo_notify.py +++ b/hobo/agent/common/management/commands/hobo_notify.py @@ -15,6 +15,7 @@ # along with this program. If not, see . import json +import logging import os import sys @@ -24,6 +25,8 @@ from tenant_schemas.utils import tenant_context from hobo.multitenant.middleware import TenantMiddleware from hobo.provisionning.utils import NotificationProcessing, TryAgain +logger = logging.getLogger(__name__) + class Command(BaseCommand, NotificationProcessing): requires_system_checks = False @@ -60,6 +63,8 @@ class Command(BaseCommand, NotificationProcessing): if entity_id not in audience: return object_type = notification['objects']['@type'] + msg = 'received request for %sing %%d %%s objects (Celery)' % action + logger.info(msg, len(notification['objects']['data']), object_type) for i in range(20): try: getattr(cls, 'provision_' + object_type)( diff --git a/hobo/multitenant/utils.py b/hobo/multitenant/utils.py index b36d4f7..1d219d1 100644 --- a/hobo/multitenant/utils.py +++ b/hobo/multitenant/utils.py @@ -12,10 +12,15 @@ def provision_user_groups(user, uuids): return logger = logging.getLogger(__name__) - existing_pks = user.groups.values_list('pk', flat=True) - for role in Role.objects.filter(uuid__in=uuids).exclude(pk__in=existing_pks): + existing_pks = set(user.groups.values_list('pk', flat=True)) + uuids = set(uuids) + not_found = uuids.copy() + for role in Role.objects.filter(uuid__in=uuids): + not_found.discard(role.uuid) + if role.pk in existing_pks: + continue user.groups.through.objects.get_or_create(group=role, user=user) - logger.info(u'adding role %s to %s (%s)', role, user, user.pk) + logger.info('adding role %s to %s (%s)', role, user, user.pk) qs = user.groups.through.objects.filter(user=user, group__role__isnull=False).exclude( group__role__uuid__in=uuids ) @@ -26,4 +31,6 @@ def provision_user_groups(user, uuids): except DatabaseError: pass else: - logger.info(u'removed role %s from %s (%s)', rel.group, user, user.pk) + logger.info('removed role %s from %s (%s)', rel.group, user, user.pk) + for uuid in not_found: + logger.warning('role %s of user %s does not exist', uuid, user) diff --git a/hobo/provisionning/middleware.py b/hobo/provisionning/middleware.py index 3b883f4..d69aee8 100644 --- a/hobo/provisionning/middleware.py +++ b/hobo/provisionning/middleware.py @@ -15,6 +15,7 @@ # along with this program. If not, see . import json +import logging import sys from django.conf import settings @@ -27,6 +28,8 @@ from django.utils.six.moves.urllib.parse import urlparse from hobo.provisionning.utils import NotificationProcessing, TryAgain from hobo.rest_authentication import PublikAuthentication, PublikAuthenticationFailed +logger = logging.getLogger(__name__) + class ProvisionningMiddleware(MiddlewareMixin, NotificationProcessing): def process_request(self, request): @@ -54,6 +57,8 @@ class ProvisionningMiddleware(MiddlewareMixin, NotificationProcessing): full = notification['full'] if 'full' in notification else False data = notification['objects']['data'] + msg = 'received request for %sing %%d %%s objects (HTTP)' % action + logger.info(msg, len(notification['objects']['data']), object_type) if 'uwsgi' in sys.modules: from hobo.provisionning.spooler import provision @@ -69,7 +74,6 @@ class ProvisionningMiddleware(MiddlewareMixin, NotificationProcessing): ) else: self.provision(object_type=object_type, issuer=issuer, action=action, data=data, full=full) - return JsonResponse({'err': 0}) def hobo_specific_setup(self): diff --git a/hobo/provisionning/utils.py b/hobo/provisionning/utils.py index 6d120e5..067320d 100644 --- a/hobo/provisionning/utils.py +++ b/hobo/provisionning/utils.py @@ -26,11 +26,31 @@ from django.db.transaction import atomic from hobo.agent.common.models import Role from hobo.multitenant.utils import provision_user_groups +logger = logging.getLogger(__name__) + class TryAgain(Exception): pass +def user_str(user): + '''Compute a string representation of user''' + s = '' + if user.first_name or user.last_name: + s += '"' + if user.first_name: + s += user.first_name + if user.first_name and user.last_name: + s += ' ' + if user.last_name: + s += user.last_name + s += '" ' + if user.email: + s += user.email + ' ' + s += user.username + return s + + class NotificationProcessing: @classmethod def check_valid_notification(cls, notification): @@ -72,6 +92,17 @@ class NotificationProcessing: try: with atomic(): if action == 'provision': + new = False + updated = set() + attributes = { + 'first_name': o['first_name'][:30], + 'last_name': o['last_name'][:150], + 'email': o['email'][:254], + 'username': o['uuid'][:150], + 'is_superuser': o['is_superuser'], + 'is_staff': o['is_superuser'], + 'is_active': o.get('is_active', True), + } assert cls.check_valid_user(o) try: mellon_user = UserSAMLIdentifier.objects.get(issuer=issuer, name_id=o['uuid']) @@ -83,19 +114,22 @@ class NotificationProcessing: ) except User.DoesNotExist: # temp user object - random_uid = str(random.randint(1, 10000000000000)) - user = User.objects.create(username=random_uid) + user = User.objects.create(**attributes) + new = True mellon_user = UserSAMLIdentifier.objects.create( user=user, issuer=issuer, name_id=o['uuid'] ) - user.first_name = o['first_name'][:30] - user.last_name = o['last_name'][:150] - user.email = o['email'][:254] - user.username = o['uuid'][:150] - user.is_superuser = o['is_superuser'] - user.is_staff = o['is_superuser'] - user.is_active = o.get('is_active', True) - user.save() + if not new: + for key in attributes: + if getattr(user, key) != attributes[key]: + setattr(user, key, attributes[key]) + updated.add(key) + if updated: + user.save() + if new: + logger.info('provisionned new user %s', user_str(user)) + if updated: + logger.info('updated user %s(%s)', user_str(user), updated) role_uuids = [role['uuid'] for role in o.get('roles', [])] provision_user_groups(user, role_uuids) elif action == 'deprovision': @@ -104,10 +138,16 @@ class NotificationProcessing: except IntegrityError: raise TryAgain if full and action == 'provision': - for usi in UserSAMLIdentifier.objects.exclude(name_id__in=uuids): + qs = UserSAMLIdentifier.objects.exclude(name_id__in=uuids) + for user in qs: + logger.info('deprovisionning user %s', user_str(user)) + for usi in qs: usi.user.delete() elif action == 'deprovision': - for user in User.objects.filter(saml_identifiers__name_id__in=uuids): + qs = User.objects.filter(saml_identifiers__name_id__in=uuids) + for user in qs: + logger.info('deprovisionning user %s', user_str(user)) + for user in qs: user.delete() group_name_max_length = Group._meta.get_field('name').max_length @@ -125,17 +165,17 @@ class NotificationProcessing: @classmethod def provision_role(cls, issuer, action, data, full=False): - logger = logging.getLogger(__name__) uuids = set() for o in data: assert 'uuid' in o uuids.add(o['uuid']) if action == 'provision': + created = False + save = False assert cls.check_valid_role(o) role_name = cls.truncate_role_name(o['name']) try: role = Role.objects.get(uuid=o['uuid']) - created = False except Role.DoesNotExist: try: with atomic(): @@ -144,17 +184,16 @@ class NotificationProcessing: defaults={ 'uuid': o['uuid'], 'description': o['description'], - 'details': o.get('details', u''), + 'details': o.get('details', ''), 'emails': o.get('emails', []), 'emails_to_members': o.get('emails_to_members', True), }, ) except IntegrityError: # Can happen if uuid and name already exist - logger.error(u'cannot provision role "%s" (%s)', o['name'], o['uuid']) + logger.error('cannot provision role "%s" (%s)', o['name'], o['uuid']) continue if not created: - save = False if role.name != role_name: role.name = role_name save = True @@ -164,8 +203,8 @@ class NotificationProcessing: if role.description != o['description']: role.description = o['description'] save = True - if role.details != o.get('details', u''): - role.details = o.get('details', u'') + if role.details != o.get('details', ''): + role.details = o.get('details', '') save = True if role.emails != o.get('emails', []): role.emails = o.get('emails', []) @@ -179,13 +218,27 @@ class NotificationProcessing: role.save() except IntegrityError: # Can happen if uuid and name already exist - logger.error(u'cannot provision role "%s" (%s)', o['name'], o['uuid']) + logger.error('cannot provision role "%s" (%s)', o['name'], o['uuid']) continue + if created: + logger.info('provisionned new role %s (%s)', o['name'], o['uuid']) + if save: + logger.info('updated role %s (%s)', o['name'], o['uuid']) if full and action == 'provision': - for role in Role.objects.exclude(uuid__in=uuids): + qs = Role.objects.exclude(uuid__in=uuids) + logger.info( + 'deprovisionning roles %s', + ', '.join('%s (%s)' % (name, uuid) for name, uuid in qs.values_list('name', 'uuid')), + ) + for role in qs: role.delete() elif action == 'deprovision': - for role in Role.objects.filter(uuid__in=uuids): + qs = Role.objects.filter(uuid__in=uuids) + logger.info( + 'deprovisionning roles %s', + ', '.join('%s (%s)' % (name, uuid) for name, uuid in qs.values_list('name', 'uuid')), + ) + for role in qs: role.delete() @classmethod -- 2.32.0.rc0