Implement primary group logic

adorton-adobe · adorton-adobe · commit 253505d5277f · 2024-06-07T10:58:19.000-06:00
diff --git a/examples/sign/sign-sync-config.yml b/examples/sign/sign-sync-config.yml
@@ -67,6 +67,19 @@ user_management:
   #   group_admin: True
   #   account_admin: True
   
+# # when UMG is enabled, primary_group_rules is required to specify rules
+# # primary group designation. sync tool will log warning if this is present
+# # with UMG disabled. omitting it with UMG enabled will cause an error
+# primary_group_rules:
+#   # sign_groups list can specify groups that aren't necessarily assigned
+#   # the user in the sync tool
+#   - sign_groups:
+#       - Sign Group 1
+#       - Sign Group 2
+#     # assign the primary group only if the user is a member of all groups
+#     # specified in sign_groups
+#     primary_group: Sign Group 2
+
 # Logging options
 logging:
   log_to_file: True
diff --git a/tests/fixture/sign-sync-config.yml b/tests/fixture/sign-sync-config.yml
@@ -57,6 +57,19 @@ user_management:
     admin_groups:
       - Sign Users
 
+# when UMG is enabled, primary_group_rules is required to specify rules
+# primary group designation. sync tool will log warning if this is present
+# with UMG disabled. omitting it with UMG enabled will cause an error
+primary_group_rules:
+  # sign_groups list can specify groups that aren't necessarily assigned
+  # the user in the sync tool
+  - sign_groups:
+      - Sign Group 1
+      - Sign Group 2
+    # assign the primary group only if the user is a member of all groups
+    # specified in sign_groups
+    primary_group: Sign Group 2
+
 # Logging options
 logging:
   log_to_file: True
diff --git a/user_sync/config/sign_sync.py b/user_sync/config/sign_sync.py
@@ -41,6 +41,10 @@ def config_schema() -> Schema:
             Optional('admin_groups'): Or(None, [And(str, len)]),
             Optional('account_admin', default=False): Or(bool, None)
         }],
+        Optional('primary_group_rules'): [{
+            'sign_groups': [And(str, len)],
+            'primary_group': And(str, len),
+        }],
         Optional('account_admin_groups'): list,
         'cache': {
             'path': And(str, len),
@@ -267,9 +271,16 @@ def _groupify(self, group_name):
         return group
 
     def load_primary_group_rules(self, umg):
-        # group_config = self.main_config.get_list_config('user_management', True)
-        # return primary_group_rules
-        return []
+        primary_group_rules = []
+        group_config = self.main_config.get_list_config('primary_group_rules', True)
+        for mapping in group_config.iter_dict_configs():
+            sign_groups = mapping.get_list('sign_groups')
+            primary_group = mapping.get_string('primary_group')
+            primary_group_rules.append({
+                'sign_groups': set([g.lower() for g in sign_groups]),
+                'primary_group': primary_group
+            })
+        return primary_group_rules
 
     def get_directory_connector_module_name(self) -> str:
         # these .get()s can be safely chained because we've already validated the config schema
diff --git a/user_sync/engine/sign.py b/user_sync/engine/sign.py
@@ -287,9 +287,25 @@ def update_sign_users(self, directory_users, sign_connector: SignConnector, org_
                             status='DELETED',
                         )
 
+                # figure out primary group for user
+                sign_groups = set([g.lower() for g in groups_to_update.keys()])\
+                              .union(set([g.lower() for g in assigned_groups.keys()]))
+                desired_pg = self.resolve_primary_group(sign_groups)
+                current_pg = [g.name.lower() for g in assigned_groups.values() if g.isPrimaryGroup]
+                if current_pg:
+                    current_pg = current_pg[0]
+                else:
+                    current_pg = None
+
+                if desired_pg is None:
+                    raise AssertionException(f"Can't identify a primary group for user '{sign_user.email}'")
+
+                if current_pg is None or desired_pg.lower() != current_pg:
+                    self.logger.debug(f"Primary group of '{sign_user.email}' is '{desired_pg}'")
+                    groups_to_update[desired_pg.lower()].isPrimaryGroup = True
 
                 if groups_to_update:
-                    group_update_data = UserGroupsInfo(groupInfoList=groups_to_update)
+                    group_update_data = UserGroupsInfo(groupInfoList=list(groups_to_update.values()))
                     user_groups_update_list.append((sign_user.id, group_update_data))
 
         sign_connector.update_users(users_update_list)
@@ -300,6 +316,12 @@ def update_sign_users(self, directory_users, sign_connector: SignConnector, org_
                 self.total_sign_only_user_count += 1
                 self.sign_only_users_by_org[org_name][user] = data
 
+    def resolve_primary_group(self, sign_groups):
+        rules = self.options['primary_group_rules']
+        for r in rules:
+            if set(sign_groups).intersection(r['sign_groups']) == r['sign_groups']:
+                return r['primary_group']
+
     @staticmethod
     def get_primary_group(user, sign_user_groups) -> UserGroupInfo:
         user_groups = sign_user_groups.get(user.id)
@@ -459,27 +481,32 @@ def insert_new_users(self, org_name: str, sign_connector: SignConnector, directo
                 groups = assignment_groups
             else:
                 groups = assignment_groups[0:1]
-            groups_to_assign = []
+            groups_to_assign = {}
             for group in groups:
                 wants_group_admin = False
                 if is_umg:
                     wants_group_admin = directory_user['is_group_admin']
                 else:
                     wants_group_admin = group in directory_user['admin_groups']
                 group_to_assign = self.sign_groups[org_name][group.group_name.lower()]
-                groups_to_assign.append(UserGroupInfo(
+                groups_to_assign[group_to_assign.groupName.lower()] = UserGroupInfo(
                     id=group_to_assign.groupId,
                     name=group_to_assign.groupName,
                     isGroupAdmin=wants_group_admin,
                     isPrimaryGroup=False,
                     status='ACTIVE',
-                ))
+                )
                 self.logger.info(f"{self.org_string(sign_connector.console_org)}Assigning '{new_user.email}' to group '{group_to_assign.groupName}', group admin?: {wants_group_admin}")
+            primary_group = self.resolve_primary_group(groups_to_assign.keys())
+            if primary_group is None:
+                raise AssertionException(f"Can't identify a primary group for user '{new_user.email}'")
+            self.logger.debug(f"Primary group of '{new_user.email}' is '{primary_group}'")
+            groups_to_assign[primary_group.lower()].isPrimaryGroup = True
             user_id = sign_connector.insert_user(new_user)
             self.sign_users_created.add(directory_user['email'])
             self.logger.info(f"{self.org_string(sign_connector.console_org)}Inserted sign user '{new_user.email}', admin?: {new_user.isAccountAdmin}")
 
-            group_update_data = UserGroupsInfo(groupInfoList=groups_to_assign)
+            group_update_data = UserGroupsInfo(groupInfoList=list(groups_to_assign.values()))
             sign_connector.update_user_group_single(user_id, group_update_data)
         except ClientException as e:
             self.logger.error(format(e))
