add error handling + get the ou path from the cli input/defaults

ministryofjustice · Feb 28, 2024 · d2db0e3 · d2db0e3
1 parent e342a53
commit d2db0e3
Show file tree

Hide file tree

Showing 2 changed files with 85 additions and 46 deletions.
diff --git a/cli/__init__.py b/cli/__init__.py
@@ -186,21 +186,37 @@ def deactivate_crc_users(
     user_ou,
     root_dn,
 ):
-    cli.ldap.user.deactivate_crc_users(
+    cli.ldap_cmds.user.deactivate_crc_users(
         user_ou,
         root_dn,
     )
 
+
 @click.command()
-def user_expiry():
-    cli.ldap.user.user_expiry()
+@click.option(
+    "-u",
+    "--user-ou",
+    help="OU to add users to, defaults to ou=Users",
+    default="ou=Users",
+)
+@click.option(
+    "-r",
+    "--root-dn",
+    help="Root DN to add users to, defaults to dc=moj,dc=com",
+    default="dc=moj,dc=com",
+)
+def user_expiry(user_ou, root_dn):
+    cli.ldap_cmds.user.user_expiry(user_ou=user_ou, root_dn=root_dn)
+
+
 # from cli.ldap import test
 
 main_group.add_command(add_roles_to_users)
 main_group.add_command(rbac_uplift)
 main_group.add_command(update_user_home_areas)
 main_group.add_command(update_user_roles)
 main_group.add_command(deactivate_crc_users)
+main_group.add_command(user_expiry)
 
 logger.configure_logging()
 

diff --git a/cli/ldap_cmds/user.py b/cli/ldap_cmds/user.py
@@ -14,6 +14,7 @@
 )
 from ldap3 import (
     MODIFY_REPLACE,
+    MODIFY_DELETE,
     DEREF_NEVER,
 )
 
@@ -494,64 +495,86 @@ def deactivate_crc_users(
     connection.close()
 
 
-def user_expiry():
+def user_expiry(
+    user_ou,
+    root_dn,
+):
     date_str = f"{datetime.now().strftime('%Y%m%d')}000000Z"
+    log.info(f"Expiring users with end date {date_str}")
+
     ldap_connection_lock = ldap_connect(
         env.vars.get("LDAP_HOST"),
         env.vars.get("LDAP_USER"),
         env.secrets.get("LDAP_BIND_PASSWORD"),
     )
-    ldap_connection_lock.search(
-        ",".join(
-            [
-                user_ou,
-                root_dn,
-            ]
-        ),
-        f"(&(!(pwdAccountLockedTime=*))(|(&(endDate=*)(!(endDate>=${date_str})))(&(startDate=*)(!(startDate<=${date_str})))))",
-    )
+    try:
+        ldap_connection_lock.search(
+            ",".join(
+                [
+                    user_ou,
+                    root_dn,
+                ]
+            ),
+            f"(&(!(pwdAccountLockedTime=*))(|(&(endDate=*)(!(endDate>={date_str})))(&(startDate=*)(!(startDate<={date_str})))))",
+            attributes=["cn"],
+        )
+    except Exception as e:
+        log.exception(f"Failed to search for users \n Exception: {e}")
+
     found_users = [entry.entry_dn for entry in ldap_connection_lock.entries]
     log.debug(found_users)
     for user in found_users:
-        ldap_connection_lock.modify(
-            user,
-            {
-                "pwdAccountLockedTime": [
-                    (
-                        MODIFY_REPLACE,
-                        ["000001010000Z"],
-                    )
-                ]
-            },
-        )
-        log.info(f"Locked user {user}")
+        try:
+            ldap_connection_lock.modify(
+                user,
+                {
+                    "pwdAccountLockedTime": [
+                        (
+                            MODIFY_REPLACE,
+                            ["000001010000Z"],
+                        )
+                    ]
+                },
+            )
+            log.info(f"Locked user {user}")
+        except Exception as e:
+            log.exception(f"Failed to unlock user {user} \n Exception: {e}")
 
     ldap_connection_unlock = ldap_connect(
         env.vars.get("LDAP_HOST"),
         env.vars.get("LDAP_USER"),
         env.secrets.get("LDAP_BIND_PASSWORD"),
     )
-    ldap_connection_unlock.search(
-        ",".join(
-            [
-                user_ou,
-                root_dn,
-            ]
-        ),
-        f"(&(pwdAccountLockedTime=000001010000Z)(|(!(endDate=*))(endDate>=${date_str}))(|(!(startDate=*))(startDate<=${date_str})))",
-    )
+
+    try:
+        ldap_connection_unlock.search(
+            ",".join(
+                [
+                    user_ou,
+                    root_dn,
+                ]
+            ),
+            f"(&(pwdAccountLockedTime=000001010000Z)(|(!(endDate=*))(endDate>={date_str}))(|(!(startDate=*))(startDate<={date_str})))",
+            attributes=["cn"],
+        )
+    except Exception as e:
+        log.exception(f"Failed to search for users \n Exception: {e}")
+
     found_users = [entry.entry_dn for entry in ldap_connection_unlock.entries]
     log.debug(found_users)
     for user in found_users:
-        ldap_connection_unlock.modify(
-            user,
-            {
-                "pwdAccountLockedTime": [
-                    (
-                        MODIFY_DELETE,
-                        ["000001010000Z"],
-                    )
-                ]
-            },
-        )
-        log.info(f"Unlocked user {user}")
+        try:
+            ldap_connection_unlock.modify(
+                user,
+                {
+                    "pwdAccountLockedTime": [
+                        (
+                            MODIFY_DELETE,
+                            ["000001010000Z"],
+                        )
+                    ]
+                },
+            )
+            log.info(f"Unlocked user {user}")
+        except Exception as e:
+            log.exception(f"Failed to unlock user {user} \n Exception: {e}")