implement UMG for new and existing users (partial)

Author: adorton-adobe

user_sync/config/sign_sync.py

@@ -187,11 +187,7 @@ def load_directory_groups(self) -> Dict[str, AdobeGroup]:
             for sg in sign_group:
                 # AdobeGroup will return the same memory instance of a pre-existing group,
                 # so we create it no matter what
-                group = AdobeGroup.create(sg)
-                if group is None:
-                    raise AssertionException('Bad Sign group: "{}" in directory group: "{}"'.format(sign_group, dir_group))
-                if group.umapi_name is None:
-                    group.umapi_name = self.DEFAULT_ORG_NAME
+                group = self._groupify(sg)
 
                 # Note checking a memory equivalency, not group name
                 # the groups in group_mapping are stored in order of YML file - important
@@ -224,8 +220,10 @@ def load_group_admin_mappings(self, umg):
         group_admin_mappings = {}
         group_config = self.main_config.get_list_config('user_management', True)
         for mapping in group_config.iter_dict_configs():
-            dir_group = mapping.get_string('directory_group')
+            dir_group = mapping.get_string('directory_group').lower()
             sign_group = mapping.get_list('sign_group', True)
+            if sign_group is not None:
+                sign_group = [sg.lower() for sg in sign_group]
 
             group_admin = mapping.get_bool('group_admin', True)
             if (sign_group is None or not len(sign_group)) and group_admin:
@@ -238,19 +236,20 @@ def load_group_admin_mappings(self, umg):
                     raise AssertionException("If UMG is enabled, then at least one Sign group is required in a mapping that enables group admin")
                 continue
 
-            group = AdobeGroup.create(sign_group[0])
-            if group is None:
-                raise AssertionException('Bad Sign group: "{}" in directory group: "{}"'.format(sign_group, dir_group))
-            if group.umapi_name is None:
-                group.umapi_name = self.DEFAULT_ORG_NAME
-
             admin_groups = mapping.get_list('admin_groups', True)
             using_admin_groups = admin_groups is not None and len(admin_groups)
 
+            # if group_admin flag is True and we're not using admin_groups list, then
+            # map the first item in sign_group list and move on
             if group_admin and not using_admin_groups:
+                group = self._groupify(sign_group[0])
                 if dir_group not in group_admin_mappings:
                     group_admin_mappings[dir_group] = set()
                 group_admin_mappings[dir_group].add(group)
+                continue
+
+            if not group_admin:
+                continue
 
             if not using_admin_groups:
                 continue
@@ -260,15 +259,31 @@ def load_group_admin_mappings(self, umg):
                 continue
 
             for ag in admin_groups:
+                ag = ag.lower()
                 if ag not in sign_group:
                     self.logger.warn("Skipping admin group '%s' because it isn't specified in 'sign_group'", ag)
                     continue
                 if dir_group not in group_admin_mappings:
                     group_admin_mappings[dir_group] = set()
-                group_admin_mappings[dir_group].add(ag)
+                group_admin_mappings[dir_group].add(self._groupify(ag))
 
         return group_admin_mappings
 
+    def _groupify(self, group_name):
+        """For a given group name, return AdobeGroup with proper primary
+           target, error checking, etc"""
+        group = AdobeGroup.create(group_name.lower())
+        if group is None:
+            raise AssertionException(f"Bad sign group '{group_name}' specified")
+        if group.umapi_name is None:
+            group.umapi_name = self.DEFAULT_ORG_NAME
+        return group
+
+    def load_primary_group_rules(self, umg):
+        # group_config = self.main_config.get_list_config('user_management', True)
+        # return primary_group_rules
+        return []
+
     def get_directory_connector_module_name(self) -> str:
         # these .get()s can be safely chained because we've already validated the config schema
         return self.main_config.get_dict('identity_source').get('type')
@@ -315,6 +330,7 @@ def get_engine_options(self) -> dict:
         options['cache'] = self.main_config.get_dict('cache')
         options['account_admin_groups'] = self.load_account_admin_groups()
         options['group_admin_mappings'] = self.load_group_admin_mappings(options['user_sync']['umg'])
+        options['primary_group_rules'] = self.load_primary_group_rules(options['user_sync']['umg'])
         return options
 
     def check_unused_config_keys(self):

user_sync/engine/sign.py

@@ -69,6 +69,7 @@ def __init__(self, caller_options, target_options: dict[str, dict]):
         self.sign_users_matched_no_updates = set()
         self.directory_users_excluded = set()
         self.sign_only_users_by_org: dict[str, dict[str, DetailedUserInfo]] = {}
+        self.target_groups_by_org = {}
         self.total_sign_only_user_count = 0
 
     def get_groups(self, org):
@@ -92,6 +93,9 @@ def run(self, directory_groups, directory_connector):
         for org_name in self.connectors:
             self.sign_groups[org_name] = self.get_groups(org_name)
             self.default_groups[org_name] = self.get_default_group(org_name)
+            self.target_groups_by_org[org_name] = set([group for groups in [g['groups']
+                                                                            for g in directory_groups.values()]
+                                                       for group in groups if group.umapi_name == org_name])
 
         for org_name, sign_connector in self.connectors.items():
             self.sign_user_groups[org_name] = sign_connector.get_user_groups()
@@ -203,6 +207,7 @@ def update_sign_users(self, directory_users, sign_connector: SignConnector, org_
                     self.directory_users_excluded.add(directory_user['email'])
                     continue
             else:
+                is_umg = self.options['user_sync']['umg']
                 # do not update if admin status should not change
                 if sign_user.isAccountAdmin != directory_user['is_admin']:
                     # Update existing users
@@ -214,45 +219,68 @@ def update_sign_users(self, directory_users, sign_connector: SignConnector, org_
                     user_data.isAccountAdmin = directory_user['is_admin']
                     self.sign_users_role_updates.add(sign_user.email)
                     users_update_list.append(user_data)
+
                 # manage primary group asssignment
-                # current_group: UserGroupInfo = self.sign_user_primary_groups[org_name][sign_user.id]
-                current_group = self.get_primary_group(sign_user, self.sign_user_groups[org_name])
-                should_be_group_admin = directory_user['is_group_admin']
-                is_group_admin = current_group.isGroupAdmin
+                current_groups = self.sign_user_groups[org_name].get(sign_user.id)
+
+                assigned_groups = {}
+                if current_groups is not None:
+                    assigned_groups = {g.name.lower(): g for g in current_groups}
+                if not is_umg:
+                    g = self.get_primary_group(sign_user, self.sign_user_groups[org_name])
+                    assigned_groups = {g.name.lower(): g}
 
-                assignment_group = None
+                desired_groups = set()
                 if directory_user['sign_groups']:
-                    assignment_group = directory_user['sign_groups'][0].group_name
+                    desired_groups = set([g.group_name.lower() for g in directory_user['sign_groups']])
                 else:
-                    assignment_group = self.get_primary_group(sign_user, self.sign_user_groups[org_name])
-
-                updated_group_info = False
-                group_to_assign = UserGroupInfo(
-                    id=current_group.id,
-                    name=current_group.name,
-                    isGroupAdmin=is_group_admin,
-                    isPrimaryGroup=current_group.isPrimaryGroup,
-                    status=current_group.status,
-                    createdDate=current_group.createdDate,
-                    settings=current_group.settings,
-                )
-
-                if current_group.name.lower() != assignment_group.lower():
-                    assignment_group_info: GroupInfo = self.sign_groups[org_name][assignment_group.lower()]
-                    self.logger.info(f"Assigning primary group '{assignment_group}' to user {sign_user.email}")
-                    group_to_assign.id = assignment_group_info.groupId
-                    group_to_assign.name = assignment_group_info.groupName
-                    self.sign_users_group_updates.add(sign_user.email)
-                    updated_group_info=True
-
-                if is_group_admin != should_be_group_admin:
-                    self.logger.info(f"Changing group Admin role for user '{sign_user.email}', status? {should_be_group_admin}")
-                    group_to_assign.isGroupAdmin = should_be_group_admin
-                    self.sign_users_role_updates.add(sign_user.email)
-                    updated_group_info=True
+                    desired_groups = set([self.get_primary_group(sign_user, self.sign_user_groups[org_name]).name.lower()])
+                if not is_umg:
+                    desired_groups = set([directory_user['sign_roups'][0].group_name.lower()])
+                target_groups = set([g.group_name.lower() for g in self.target_groups_by_org[org_name]])
+
+                groups_to_assign = []
+                for dg in desired_groups:
+                    group_info = self.sign_groups[org_name].get(dg)
+                    if group_info is None:
+                        raise AssertionException(f"'{dg}' isn't a valid Sign group")
+
+                    assigned_group = assigned_groups.get(group_info.groupName.lower())
+
+                    wants_group_admin = False
+                    if is_umg:
+                        wants_group_admin = directory_user['is_group_admin']
+                    else:
+                        wants_group_admin = dg in directory_user['admin_groups']
+
+                    change_group_admin = (assigned_group is None and
+                                          wants_group_admin) or \
+                                         (assigned_group is not None and
+                                          assigned_group.isGroupAdmin is not wants_group_admin)
+
+                    if assigned_group is not None and not change_group_admin:
+                        continue
+
+                    if assigned_group is None:
+                        self.logger.info(f"Assigning group '{group_info.groupId}' to user {sign_user.email}")
+                        self.sign_users_group_updates.add(sign_user.email)
+
+                    admin_status = False if not wants_group_admin and assigned_group.isGroupAdmin is not wants_group_admin else True
 
-                if updated_group_info:
-                    group_update_data = UserGroupsInfo(groupInfoList=[group_to_assign])
+                    if change_group_admin:
+                        self.logger.info(f"Changing group Admin role for user '{sign_user.email}', status? {admin_status}")
+                        self.sign_users_role_updates.add(sign_user.email)
+
+                    groups_to_assign.append(UserGroupInfo(
+                        id=group_info.groupId,
+                        name=group_info.groupName,
+                        isGroupAdmin=admin_status,
+                        isPrimaryGroup=False,
+                        status='ACTIVE',
+                    ))
+
+                if groups_to_assign:
+                    group_update_data = UserGroupsInfo(groupInfoList=groups_to_assign)
                     user_groups_update_list.append((sign_user.id, group_update_data))
 
         sign_connector.update_users(users_update_list)
@@ -375,14 +403,15 @@ def get_directory_user_key(self, directory_user):
 
     @staticmethod
     def resolve_group_mappings(directory_groups, group_mapping, account_admin_groups, group_admin_mapping) -> dict:
-        matched_groups = []
+        matched_groups = set()
 
         matched_mappings = [m for g, m in group_mapping.items() if g in directory_groups]
         matched_mappings.sort(key=lambda x: x['priority'])
 
-        for g in matched_mappings:
-            if g['groups']:
-                matched_groups.extend(g['groups'])
+        for m in matched_mappings:
+            if m['groups']:
+                for g in m['groups']:
+                    matched_groups.add(g)
 
         is_admin = False
         for g in directory_groups:
@@ -400,7 +429,7 @@ def resolve_group_mappings(directory_groups, group_mapping, account_admin_groups
                 is_group_admin = True
                 admin_groups.update(target_groups)
 
-        return matched_groups, is_admin, is_group_admin, admin_groups
+        return list(matched_groups), is_admin, is_group_admin, admin_groups
 
     def insert_new_users(self, org_name: str, sign_connector: SignConnector, directory_user: dict, assignment_groups):
         """
@@ -416,23 +445,33 @@ def insert_new_users(self, org_name: str, sign_connector: SignConnector, directo
             lastName=directory_user['lastname'],
         )
         try:
+            is_umg = self.options['user_sync']['umg']
+            if is_umg:
+                groups = assignment_groups
+            else:
+                groups = assignment_groups[0:1]
+            groups_to_assign = []
+            for group in groups:
+                wants_group_admin = False
+                if is_umg:
+                    wants_group_admin = directory_user['is_group_admin']
+                else:
+                    wants_group_admin = group in directory_user['admin_groups']
+                group_to_assign = self.sign_groups[org_name][group.group_name.lower()]
+                groups_to_assign.append(UserGroupInfo(
+                    id=group_to_assign.groupId,
+                    name=group_to_assign.groupName,
+                    isGroupAdmin=wants_group_admin,
+                    isPrimaryGroup=False,
+                    status='ACTIVE',
+                ))
+                self.logger.info(f"{self.org_string(sign_connector.console_org)}Assigning '{new_user.email}' to group '{group_to_assign.groupName}', group admin?: {wants_group_admin}")
             user_id = sign_connector.insert_user(new_user)
             self.sign_users_created.add(directory_user['email'])
             self.logger.info(f"{self.org_string(sign_connector.console_org)}Inserted sign user '{new_user.email}', admin?: {new_user.isAccountAdmin}")
 
-            assignment_group = assignment_groups[0].group_name
-            group_to_assign: GroupInfo = self.sign_groups[org_name][assignment_group.lower()]
-
-            group_update_data = UserGroupsInfo(groupInfoList=[UserGroupInfo(
-                id=group_to_assign.groupId,
-                name=group_to_assign.groupName,
-                isGroupAdmin=directory_user['is_group_admin'],
-                isPrimaryGroup=True,
-                status='ACTIVE',
-            )])
-
+            group_update_data = UserGroupsInfo(groupInfoList=groups_to_assign)
             sign_connector.update_user_group_single(user_id, group_update_data)
-            self.logger.info(f"{self.org_string(sign_connector.console_org)}Assigned '{new_user.email}' to group '{group_to_assign.groupName}', group admin?: {directory_user['is_group_admin']}")
         except ClientException as e:
             self.logger.error(format(e))