API Reference¶

apps.eu_tools.user_lifecycle.models.task.PauseTaskException `dataclass` ¶

PauseTaskException(
    resume_label,
    cancel_label,
    pinged_groups=None,
    pinged_user=None,
    additional_context=None,
)

Bases: Exception

additional_context `class-attribute` `instance-attribute` ¶

additional_context = None

cancel_label `instance-attribute` ¶

cancel_label

pinged_groups `class-attribute` `instance-attribute` ¶

pinged_groups = None

pinged_user `class-attribute` `instance-attribute` ¶

pinged_user = None

resume_label `instance-attribute` ¶

resume_label

apps.eu_tools.user_lifecycle.models.task.PauseTaskTrigger ¶

call ¶

__call__(
    resume_label,
    cancel_label,
    pinged_groups=None,
    pinged_user=None,
    additional_context=None,
)

Source code in apps/eu_tools/user_lifecycle/models/task.py

def __call__(  # type: ignore[no-untyped-def]
    self,
    resume_label: str,
    cancel_label: str,
    pinged_groups: list[str] | None = None,
    pinged_user: str | None = None,
    additional_context: dict[str, str] | None = None,
):
    raise PauseTaskException(
        resume_label,
        cancel_label,
        pinged_groups,
        pinged_user,
        additional_context,
    )

apps.eu_tools.user_lifecycle.models.task.UserLifecycleOffboardingTask ¶

UserLifecycleOffboardingTask(user)

Bases: UserLifecycleTask, ABC

Source code in apps/eu_tools/user_lifecycle/models/task.py

def __init__(self, user: AlanUser) -> None:
    self.user = user
    if self.id is None:
        raise RuntimeError(
            f"Missing UserLifecycleTask unique identifier for {self.__class__.name}"
        )
    if self.label is None:
        raise RuntimeError(
            f"Missing UserLifecycleTask label for {self.__class__.name}"
        )
    if self.channel is None:
        raise RuntimeError(
            f"Missing UserLifecycleTask channel for {self.__class__.name}"
        )
    task_state = (
        current_session.scalars(
            select(UserLifecycleTaskStatus).filter_by(task_id=self.id)
        )
        .unique()
        .first()
    )
    self._quiet = task_state.quiet if task_state else False

channel `property` ¶

channel

apps.eu_tools.user_lifecycle.models.task.UserLifecycleOnboardingTask ¶

UserLifecycleOnboardingTask(user)

Bases: UserLifecycleTask

Source code in apps/eu_tools/user_lifecycle/models/task.py

def __init__(self, user: AlanUser) -> None:
    self.user = user
    if self.id is None:
        raise RuntimeError(
            f"Missing UserLifecycleTask unique identifier for {self.__class__.name}"
        )
    if self.label is None:
        raise RuntimeError(
            f"Missing UserLifecycleTask label for {self.__class__.name}"
        )
    if self.channel is None:
        raise RuntimeError(
            f"Missing UserLifecycleTask channel for {self.__class__.name}"
        )
    task_state = (
        current_session.scalars(
            select(UserLifecycleTaskStatus).filter_by(task_id=self.id)
        )
        .unique()
        .first()
    )
    self._quiet = task_state.quiet if task_state else False

onboarding_offset_in_days `class-attribute` `instance-attribute` ¶

onboarding_offset_in_days = {alaner: 0, external: 0}

provider `instance-attribute` ¶

provider

run ¶

run(logger, _pause_callback, dry_run)

Source code in apps/eu_tools/user_lifecycle/models/task.py

def run(
    self,
    logger: BoundLogger,
    _pause_callback: PauseTaskTrigger,
    dry_run: bool,
) -> list[str] | None:
    return self.provider.provision_user(self.user, logger, dry_run)

should_run ¶

should_run(_logger)

Source code in apps/eu_tools/user_lifecycle/models/task.py

def should_run(self, _logger: BoundLogger) -> bool:
    if not self.user.is_started_on(
        utctoday() + timedelta(days=self.onboarding_offset_in_days[self.user.type])
    ):
        return False

    if self.user.is_ended:
        return False

    if self.user.type == AlanAccountType.alaner and not is_allowed_to_onboard(
        cast("Alaner", self.user)
    ):
        return False

    return True

apps.eu_tools.user_lifecycle.models.task.UserLifecycleTask ¶

UserLifecycleTask(user)

Bases: ABC

Source code in apps/eu_tools/user_lifecycle/models/task.py

def __init__(self, user: AlanUser) -> None:
    self.user = user
    if self.id is None:
        raise RuntimeError(
            f"Missing UserLifecycleTask unique identifier for {self.__class__.name}"
        )
    if self.label is None:
        raise RuntimeError(
            f"Missing UserLifecycleTask label for {self.__class__.name}"
        )
    if self.channel is None:
        raise RuntimeError(
            f"Missing UserLifecycleTask channel for {self.__class__.name}"
        )
    task_state = (
        current_session.scalars(
            select(UserLifecycleTaskStatus).filter_by(task_id=self.id)
        )
        .unique()
        .first()
    )
    self._quiet = task_state.quiet if task_state else False

channel `instance-attribute` ¶

channel

id `instance-attribute` ¶

id

label `instance-attribute` ¶

label

max_fails_before_deactivation `class-attribute` `instance-attribute` ¶

max_fails_before_deactivation = 5

process_cancel ¶

process_cancel(
    reporter,
    message_ts,
    dry_run,
    task_log_id=None,
    task_log=None,
)

Source code in apps/eu_tools/user_lifecycle/models/task.py

def process_cancel(
    self,
    reporter: UserLifecycleSlackReporter,
    message_ts: str,
    dry_run: bool,
    task_log_id: UUID | None = None,
    task_log: UserLifecycleTaskLog | None = None,
) -> bool:
    logger = self._get_logger(dry_run)

    if current_auth_context.is_anonymous:
        return False

    canceled_by = current_auth_context.real_principal_as(Alaner)
    if self.should_cancel(canceled_by, logger, reporter):
        logger.info(
            f"Canceling UserLifecycleTask {self.id} for {self.user.full_name}",
            canceled_by=canceled_by.id,
        )
        reporter.stop(
            self.label,
            channel=self.channel,
            task_id=self.id,
            success=False,
            message_ts=message_ts,
            additional_context=[f"Canceled by <@{canceled_by.slack_id}>"],
        )
        if not dry_run:
            task_log = (
                task_log
                if task_log
                else current_session.get(UserLifecycleTaskLog, task_log_id)
            )
            task_log.canceled_at = datetime.utcnow()  # type: ignore[union-attr]
            task_log.canceled_by = canceled_by.id  # type: ignore[union-attr]
            task_log.permalink = get_permalink(  # type: ignore[union-attr]
                mandatory(get_channel_id(self.channel)),
                message_ts,
            )

            current_session.commit()

        logger.info(
            f"Canceled UserLifecycleTask {self.id} for {self.user.full_name}",
            canceled_by=canceled_by.id,
        )
        return True
    return False

process_resume ¶

process_resume(
    reporter,
    message_ts,
    dry_run,
    task_log_id=None,
    task_log=None,
)

Source code in apps/eu_tools/user_lifecycle/models/task.py

def process_resume(
    self,
    reporter: UserLifecycleSlackReporter,
    message_ts: str,
    dry_run: bool,
    task_log_id: UUID | None = None,
    task_log: UserLifecycleTaskLog | None = None,
) -> bool:
    logger = self._get_logger(dry_run)

    if current_auth_context.is_anonymous:
        return False

    resumed_by = current_auth_context.real_principal_as(Alaner)

    try:
        if self.should_resume(resumed_by, logger, reporter):
            logger.info(
                f"Resuming UserLifecycleTask {self.id} for {self.user.full_name}",
                resumed_by=resumed_by.id,
            )

            reporter.resume(
                self.label,
                channel=self.channel,
                task_id=self.id,
                message_ts=message_ts,
                additional_context=[f"Resumed by <@{resumed_by.slack_id}>"],
            )

            if not dry_run:
                task_log = (
                    task_log
                    if task_log
                    else current_session.get(UserLifecycleTaskLog, task_log_id)
                )
                task_log.resumed_at = datetime.utcnow()  # type: ignore[union-attr]
                task_log.resumed_by = resumed_by.id  # type: ignore[union-attr]
                task_log.permalink = get_permalink(  # type: ignore[union-attr]
                    mandatory(get_channel_id(self.channel)), message_ts
                )

                current_session.commit()

            additional_context = self.resume(logger, dry_run) or []
            additional_context.append(f"Resumed by <@{resumed_by.slack_id}>")
            reporter.stop(
                self.label,
                channel=self.channel,
                task_id=self.id,
                success=True,
                message_ts=message_ts,
                additional_context=additional_context,
            )
            if not dry_run:
                task_log = (
                    task_log
                    if task_log
                    else current_session.get(UserLifecycleTaskLog, task_log_id)
                )
                task_log.completed_at = datetime.utcnow()  # type: ignore[union-attr]
                task_log.permalink = get_permalink(  # type: ignore[union-attr]
                    mandatory(get_channel_id(self.channel)), message_ts
                )

                current_session.commit()

            logger.info(
                f"Completed UserLifecycleTask {self.id} for {self.user.full_name}",
                resumed_by=resumed_by.id,
            )
            return True

    except Exception:
        current_session.rollback()  # In case the session is invalid, e.g. after an IntegrityError
        reporter.stop(
            self.label,
            channel=self.channel,
            task_id=self.id,
            success=False,
            message_ts=message_ts,
            additional_context=[f"Resumed by <@{resumed_by.slack_id}>"],
            error_occurred=True,
        )
        if not dry_run:
            task_log = (
                task_log
                if task_log
                else current_session.get(UserLifecycleTaskLog, task_log_id)
            )
            task_log.failed_at = datetime.utcnow()  # type: ignore[union-attr]
            task_log.permalink = get_permalink(  # type: ignore[union-attr]
                mandatory(get_channel_id(self.channel)), message_ts
            )

            current_session.commit()

        logger.exception(
            f"Failed UserLifecycleTask {self.id} for {self.user.full_name}"
        )
    return False

process_run ¶

process_run(reporter, dry_run)

Source code in apps/eu_tools/user_lifecycle/models/task.py

@tracer.wrap()
def process_run(self, reporter: UserLifecycleSlackReporter, dry_run: bool) -> None:
    logger = self._get_logger(dry_run)

    try:
        message_ts = None
        task_log = None
        thread_ts = None

        if not dry_run:
            task_log = UserLifecycleTaskLog(
                task_id=self.id,
                alaner_id=(
                    cast("Alaner", self.user).id
                    if self.user.type == AlanAccountType.alaner
                    else None
                ),
                external_user_id=(
                    self.user.id
                    if self.user.type == AlanAccountType.external
                    else None
                ),
                service_account_id=(
                    self.user.id
                    if self.user.type == AlanAccountType.service_account
                    else None
                ),
                started_at=datetime.utcnow(),
                correlation_id=g.correlation_id,
            )
            current_session.add(task_log)
            current_session.commit()

        should_run_start = time.perf_counter()
        should_run_result = self.should_run(logger)
        should_run_duration_ms = (time.perf_counter() - should_run_start) * 1000
        metrics.distribution(
            "user_lifecycle.task.should_run.duration",
            should_run_duration_ms,
            tags=[f"task_id:{self.id}", f"result:{should_run_result}"],
        )

        if should_run_result:
            logger.info(
                f"Starting UserLifecycleTask {self.id} for {self.user.name if self.user.type == AlanAccountType.service_account else self.user.full_name}"
            )
            if not self.quiet:
                message_ts, thread_ts = reporter.start(
                    self.label,
                    channel=self.channel,
                    task_id=self.id,
                )

            if not dry_run and message_ts:
                task_log.permalink = get_permalink(  # type: ignore[union-attr]
                    mandatory(get_channel_id(self.channel)),
                    message_ts,
                )
                if thread_ts:
                    task_log.thread_permalink = get_permalink(  # type: ignore[union-attr]
                        mandatory(get_channel_id(self.channel)),
                        thread_ts,
                    )

                current_session.commit()

            additional_context = self.run(logger, PauseTaskTrigger(), dry_run) or []

            if not self.quiet:
                message_ts = reporter.stop(
                    self.label,
                    channel=self.channel,
                    task_id=self.id,
                    success=True,
                    message_ts=message_ts,
                    additional_context=additional_context,
                )
            if not dry_run:
                task_log.completed_at = datetime.utcnow()  # type: ignore[union-attr]
                current_session.commit()

            logger.info(
                f"Completed UserLifecycleTask {self.id} for {self.user.name if self.user.type == AlanAccountType.service_account else self.user.full_name}"
            )
        else:
            logger.info(
                f"Skipping UserLifecycleTask {self.id} for {self.user.name if self.user.type == AlanAccountType.service_account else self.user.full_name}"
            )
            if not dry_run:
                task_log.skipped_at = datetime.utcnow()  # type: ignore[union-attr]
                if message_ts:
                    task_log.permalink = get_permalink(  # type: ignore[union-attr]
                        mandatory(get_channel_id(self.channel)),
                        message_ts,
                    )
                current_session.commit()

    except PauseTaskException as pte:
        message_ts = reporter.pause(
            self.label,
            dry_run=dry_run,
            resume_label=pte.resume_label,
            cancel_label=pte.cancel_label,
            channel=self.channel,
            task_id=self.id,
            task_log_id=task_log.id if task_log else None,
            user_id=self.user.id,
            message_ts=message_ts,
            pinged_groups=pte.pinged_groups,
            pinged_user=pte.pinged_user,
            additional_context=pte.additional_context,
            is_manual_action=self.requires_manual_action,
        )
        if not dry_run:
            task_log.paused_at = datetime.utcnow()  # type: ignore[union-attr]
            if message_ts:
                task_log.permalink = get_permalink(  # type: ignore[union-attr]
                    mandatory(get_channel_id(self.channel)),
                    message_ts,
                )

            current_session.commit()

        logger.info(
            f"Paused UserLifecycleTask {self.id} for {self.user.name if self.user.type == AlanAccountType.service_account else self.user.full_name}"
        )

    except Exception:
        current_session.rollback()  # In case the session is invalid, e.g. after an IntegrityError
        logger.exception(
            f"Failed UserLifecycleTask {self.id} for {self.user.name if self.user.type == AlanAccountType.service_account else self.user.full_name}"
        )
        message_ts = reporter.stop(
            self.label,
            channel=self.channel,
            task_id=self.id,
            success=False,
            message_ts=message_ts,
            error_occurred=True,
        )
        previous_fails = self._get_recent_fails()  # type: ignore[no-untyped-call]
        if previous_fails >= self.max_fails_before_deactivation:
            task_status = (
                current_session.execute(
                    select(UserLifecycleTaskStatus).filter(
                        UserLifecycleTaskStatus.task_id == self.id
                    )
                )
                .scalars()
                .unique()
                .one()
            )
            if not task_status.deactivated_at:
                task_status.deactivated_at = datetime.utcnow()
                task_status.deactivation_reason = f"Automatically deactivated, the task failed more than {self.max_fails_before_deactivation} times"
                reporter.notify_of_task_deactivation(
                    channel="#alan_home_alerts" if not dry_run else "#eng_sandbox",
                    task_id=self.id,
                    task_label=self.label,
                    fails_threshold=self.max_fails_before_deactivation,
                )
        if not dry_run:
            task_log.failed_at = datetime.utcnow()  # type: ignore[union-attr]
            if message_ts:
                task_log.permalink = get_permalink(  # type: ignore[union-attr]
                    mandatory(get_channel_id(self.channel)),
                    message_ts,
                )

            current_session.commit()

        else:
            current_session.rollback()

provider `class-attribute` `instance-attribute` ¶

provider = None

quiet `property` ¶

quiet

rank `class-attribute` `instance-attribute` ¶

rank = 999

ranked_subclasses `classmethod` ¶

ranked_subclasses()

Source code in apps/eu_tools/user_lifecycle/models/task.py

@classmethod
def ranked_subclasses(cls):  # type: ignore[no-untyped-def]
    task_activity = {
        task.task_id: task.is_active
        for task in current_session.scalars(select(UserLifecycleTaskStatus))
        .unique()
        .all()  # noqa: ALN085
    }
    return filter(
        # The default value is True to ease the development process
        lambda subclass: getattr(subclass, "id", None) is not None
        and task_activity.get(subclass.id),
        sorted(subclasses_recursive(cls), key=attrgetter("rank")),
    )

requires_manual_action `class-attribute` `instance-attribute` ¶

requires_manual_action = False

resume ¶

resume(logger, dry_run)

Source code in apps/eu_tools/user_lifecycle/models/task.py

def resume(self, logger: BoundLogger, dry_run: bool) -> list[str] | None:  # noqa: ARG002
    return []

run `abstractmethod` ¶

run(logger, pause_callback, dry_run)

Source code in apps/eu_tools/user_lifecycle/models/task.py

@abstractmethod
def run(
    self,
    logger: BoundLogger,
    pause_callback: PauseTaskTrigger,
    dry_run: bool,
) -> list[str] | None:
    pass

should_cancel ¶

should_cancel(canceled_by, logger, reporter)

Source code in apps/eu_tools/user_lifecycle/models/task.py

def should_cancel(
    self,
    canceled_by: Alaner,
    logger: BoundLogger,  # noqa: ARG002
    reporter: UserLifecycleSlackReporter,
) -> bool:
    if has_permission(
        canceled_by, EmployeePermission.eu_tools_user_lifecycle_resume_task
    ):
        return True
    else:
        reporter.handle_permission_issues(self.channel, canceled_by.slack_id)
        return False

should_resume ¶

should_resume(resumed_by, logger, reporter)

Source code in apps/eu_tools/user_lifecycle/models/task.py

def should_resume(
    self,
    resumed_by: Alaner,
    logger: BoundLogger,
    reporter: UserLifecycleSlackReporter,
) -> bool:
    if has_permission(
        resumed_by, EmployeePermission.eu_tools_user_lifecycle_resume_task
    ):
        return self.should_run(logger)
    else:
        reporter.handle_permission_issues(self.channel, resumed_by.slack_id)
        return False

should_run `abstractmethod` ¶

should_run(logger)

Source code in apps/eu_tools/user_lifecycle/models/task.py

@abstractmethod
def should_run(self, logger: BoundLogger) -> bool:
    return False

user `instance-attribute` ¶

user = user

apps.eu_tools.user_lifecycle.models.check.AccountOffboardingProcess ¶

Bases: AlanBaseEnum

automatic `class-attribute` `instance-attribute` ¶

automatic = 'automatic'

manual `class-attribute` `instance-attribute` ¶

manual = 'manual'

apps.eu_tools.user_lifecycle.models.check.AnomalousAccount `dataclass` ¶

AnomalousAccount(
    id,
    label,
    created_on=None,
    created_by=None,
    url=None,
    pretty_label=None,
    additional_context=None,
)

Bases: DataClassJsonMixin

additional_context `class-attribute` `instance-attribute` ¶

additional_context = None

created_by `class-attribute` `instance-attribute` ¶

created_by = None

created_on `class-attribute` `instance-attribute` ¶

created_on = None

id `instance-attribute` ¶

id

label `instance-attribute` ¶

label

pretty_label `class-attribute` `instance-attribute` ¶

pretty_label = None

url `class-attribute` `instance-attribute` ¶

url = None

apps.eu_tools.user_lifecycle.models.check.MANUAL_OFFBOARDING_GRACE_DAYS `module-attribute` ¶

MANUAL_OFFBOARDING_GRACE_DAYS = 5

apps.eu_tools.user_lifecycle.models.check.UserLifecycleAnomalyCheck ¶

UserLifecycleAnomalyCheck(dry_run=False)

Bases: ABC

Source code in apps/eu_tools/user_lifecycle/models/check.py

def __init__(self, dry_run: bool | None = False) -> None:
    self.dry_run = dry_run or False
    if self.id is None:
        raise RuntimeError(
            f"Missing UserLifecycleCheck unique identifier for {self.__class__.name}"
        )
    if self.label is None:
        raise RuntimeError(
            f"Missing UserLifecycleCheck label for {self.__class__.name}"
        )
    if self.channel is None:
        raise RuntimeError(
            f"Missing UserLifecycleCheck channel for {self.__class__.name}"
        )

action_label `class-attribute` `instance-attribute` ¶

action_label = None

active `class-attribute` `instance-attribute` ¶

active = True

anomaly_description `abstractmethod` ¶

anomaly_description(plural=False)

Source code in apps/eu_tools/user_lifecycle/models/check.py

@abstractmethod
def anomaly_description(self, plural: bool = False) -> str:
    pass

can_cancel_or_resume ¶

can_cancel_or_resume(alaner)

Source code in apps/eu_tools/user_lifecycle/models/check.py

def can_cancel_or_resume(self, alaner: Alaner) -> bool:
    required_permissions = {EmployeePermission.eu_tools_user_lifecycle_resume_check}

    if self.resolution_permitted_for is not None:
        required_permissions.update(self.resolution_permitted_for)

    if not has_permission(alaner, required_permissions):
        self.handle_permission_issues(alaner.slack_id)
        return False
    return True

channel `instance-attribute` ¶

channel

cta `class-attribute` `instance-attribute` ¶

cta = None

dry_run `class-attribute` `instance-attribute` ¶

dry_run = dry_run or False

emoji `instance-attribute` ¶

emoji

find_and_track_anomalies ¶

find_and_track_anomalies(logger)

Source code in apps/eu_tools/user_lifecycle/models/check.py

def find_and_track_anomalies(self, logger: BoundLogger) -> list[AnomalousAccount]:
    unknown_accounts = self.find_anomalies(logger)
    self._track_anomalies(unknown_accounts, logger)
    unknown_accounts = self.remove_justified_anomalies(unknown_accounts, logger)
    return unknown_accounts

find_anomalies `abstractmethod` ¶

find_anomalies(logger)

Source code in apps/eu_tools/user_lifecycle/models/check.py

@abstractmethod
def find_anomalies(self, logger: BoundLogger) -> list[AnomalousAccount]:
    pass

fix_anomaly `abstractmethod` ¶

fix_anomaly(account, logger)

Source code in apps/eu_tools/user_lifecycle/models/check.py

@abstractmethod
def fix_anomaly(
    self,
    account: AnomalousAccount,
    logger: BoundLogger,
) -> list[str] | None:
    pass

fix_description `instance-attribute` ¶

fix_description

handle_permission_issues ¶

handle_permission_issues(slack_id)

Source code in apps/eu_tools/user_lifecycle/models/check.py

def handle_permission_issues(self, slack_id: str | None) -> None:
    if slack_id:
        notify_user_of_permission_issues(
            slack_id=slack_id,
            channel_id=self.channel if not self.dry_run else "#eng_sandbox",
            thread_ts=self.thread_ts,
        )

id `instance-attribute` ¶

id

label `instance-attribute` ¶

label

main_message `class-attribute` `instance-attribute` ¶

main_message = None

post_pre_context ¶

post_pre_context()

Use this method if you need to share additional context as first message in the thread, before listing anomalous accounts

Source code in apps/eu_tools/user_lifecycle/models/check.py

def post_pre_context(self) -> None:
    """
    Use this method if you need to share additional context as first message in the thread, before listing anomalous accounts
    """
    return

process_cancel ¶

process_cancel(
    account, message_ts, check_log_id, thread_ts=None
)

Source code in apps/eu_tools/user_lifecycle/models/check.py

def process_cancel(
    self,
    account: AnomalousAccount,
    message_ts: str,
    check_log_id: UUID | None,
    thread_ts: str | None = None,
) -> None:
    self.thread_ts = thread_ts
    if current_auth_context.is_anonymous:
        return
    canceled_by = current_auth_context.real_principal_as(Alaner)

    if self.can_cancel_or_resume(canceled_by):
        logger = self._get_logger()  # type: ignore[no-untyped-call]
        logger.info(
            f"Canceling check for account {account.id} by {canceled_by.slack_handle}",
            account_id=account.id,
        )
        text = f"<{account.url}|{account.label}>" if account.url else account.label
        context = self._get_context_for(account)

        self._post_or_update_message(
            text,
            ":notdone:",
            message_ts=message_ts,
            account_id=account.id,
            blocks=[
                ContextBlock(elements=context),
                ContextBlock(
                    elements=[
                        MarkdownTextObject(
                            text=f"Canceled by <@{canceled_by.slack_id}>"
                        )
                    ]
                ),
            ],
        )
        if not self.dry_run:
            check_log = current_session.get(
                UserLifecycleProvisioningCheckLog, check_log_id
            )
            check_log.canceled_at = datetime.utcnow()  # type: ignore[union-attr]
            check_log.canceled_by = canceled_by.id  # type: ignore[union-attr]
            current_session.commit()

process_resume ¶

process_resume(
    account, message_ts, check_log_id, thread_ts=None
)

Source code in apps/eu_tools/user_lifecycle/models/check.py

def process_resume(
    self,
    account: AnomalousAccount,
    message_ts: str,
    check_log_id: UUID | None,
    thread_ts: str | None = None,
) -> None:
    self.thread_ts = thread_ts
    if current_auth_context.is_anonymous:
        return
    resumed_by = current_auth_context.real_principal_as(Alaner)

    if self.can_cancel_or_resume(resumed_by):
        logger = self._get_logger()  # type: ignore[no-untyped-call]
        logger.info(
            f"About to {self.fix_description} account {account.id} by {resumed_by.slack_handle}",
            account_id=account.id,
        )
        text = f"<{account.url}|{account.label}>" if account.url else account.label
        context = self._get_context_for(account)
        blocks = [
            ContextBlock(elements=context),
            ContextBlock(
                elements=[
                    MarkdownTextObject(text=f"Resumed by <@{resumed_by.slack_id}>")
                ]
            ),
        ]

        self._post_or_update_message(
            text,
            ":loading:",
            message_ts=message_ts,
            account_id=account.id,
            blocks=blocks,
        )
        if not self.dry_run:
            check_log = current_session.get(
                UserLifecycleProvisioningCheckLog, check_log_id
            )
            check_log.resumed_at = datetime.utcnow()  # type: ignore[union-attr]
            check_log.resumed_by = resumed_by.id  # type: ignore[union-attr]
            current_session.commit()

        try:
            additional_context = self.fix_anomaly(account, logger)
            self._mark_anomaly_as_resolved(account, logger)
            if additional_context:
                blocks.extend(
                    [
                        ContextBlock(
                            elements=[
                                MarkdownTextObject(
                                    text=context,
                                )
                            ]
                        )
                        for context in additional_context
                    ]
                )

            self._post_or_update_message(
                text,
                ":check:",
                message_ts=message_ts,
                account_id=account.id,
                blocks=blocks,
            )
            if not self.dry_run:
                check_log.completed_at = datetime.utcnow()  # type: ignore[union-attr]
                current_session.commit()
        except Exception:
            self._post_or_update_message(
                text,
                ":notdone:",
                message_ts=message_ts,
                account_id=account.id,
                blocks=blocks,
            )
            logger.exception(
                f"Failed to {self.fix_description} account {account.id} for provider {self.label}",
                account_id=account.id,
            )
            if not self.dry_run:
                check_log.failed_at = datetime.utcnow()  # type: ignore[union-attr]
                current_session.commit()

process_run ¶

process_run()

Source code in apps/eu_tools/user_lifecycle/models/check.py

def process_run(self) -> None:
    logger = self._get_logger()  # type: ignore[no-untyped-call]

    if anomalies := self.find_and_track_anomalies(logger):
        self.post_pre_context()

    alan_home_base_url = (
        "https://home.alan.com" if not self.dry_run else "http://localhost:8885"
    )

    for account in anomalies:
        logger.info(
            f"Found {self.anomaly_description()} {account.pretty_label or account.label} for provider {self.label}",
            account_id=account.id,
        )
        text = f"<{account.url}|{account.label}>" if account.url else account.label
        context = self._get_context_for(account)

        check_log = None
        if not self.dry_run:
            check_log = UserLifecycleProvisioningCheckLog(
                check_id=self.id,
                account_id=str(account.id),
                started_at=datetime.utcnow(),
            )
            current_session.add(check_log)
            current_session.commit()

        payload = dumps(
            {
                "check_id": self.id,
                "account": account.to_dict(),
                "check_log_id": str(check_log.id) if check_log else None,
                "dry_run": self.dry_run,
            }
        )

        action_blocks = (
            [
                ActionsBlock(
                    elements=[
                        ButtonElement(
                            text="Ignore",
                            action_id="user_lifecycle_check_cancel",
                            value=payload,
                        ),
                        ButtonElement(
                            text=self.action_label,
                            action_id="user_lifecycle_check_resume",
                            value=payload,
                            style="danger",
                        ),
                        LinkButtonElement(
                            text="Justify",
                            url=f"{alan_home_base_url}/anomalies?account={account.id}&provider={self.id}&mail={account.pretty_label or account.label}",
                            action_id="user_lifecycle_check_justify",
                        ),
                    ]
                ),
            ]
            if self.action_label
            else []
        )
        message_ts = self._post_or_update_message(
            text,
            ":paused:",
            account_id=account.id,
            blocks=[
                ContextBlock(elements=context),
                *action_blocks,
            ],
        )
        if not self.dry_run:
            if check_log:
                check_log.permalink = get_permalink(
                    mandatory(get_channel_id(self.channel)), message_ts
                )
            current_session.commit()

provider `class-attribute` `instance-attribute` ¶

provider = None

rank `class-attribute` `instance-attribute` ¶

rank = 999

ranked_subclasses `classmethod` ¶

ranked_subclasses()

Source code in apps/eu_tools/user_lifecycle/models/check.py

@classmethod
def ranked_subclasses(cls):  # type: ignore[no-untyped-def]
    return filter(
        lambda subclass: subclass.active and getattr(subclass, "id", None),
        sorted(subclasses_recursive(cls), key=attrgetter("rank")),
    )

remove_justified_anomalies ¶

remove_justified_anomalies(unknown_accounts, logger)

Source code in apps/eu_tools/user_lifecycle/models/check.py

def remove_justified_anomalies(
    self,
    unknown_accounts: list[AnomalousAccount],
    logger: BoundLogger,  # noqa: ARG002
) -> list[AnomalousAccount]:
    provider_name = self.id

    justified_anomalies = self._get_anomalies_for_provider(provider_name, True)
    justified_anomalies_keys = {
        (anomaly.provider, anomaly.account_id) for anomaly in justified_anomalies
    }

    return [
        account
        for account in unknown_accounts
        if self._get_anomaly_key(account) not in justified_anomalies_keys
    ]

resolution_permitted_for `class-attribute` `instance-attribute` ¶

resolution_permitted_for = None

thread_ts `class-attribute` `instance-attribute` ¶

thread_ts = None

apps.eu_tools.user_lifecycle.models.check.UserLifecycleProvisioningCheck ¶

UserLifecycleProvisioningCheck(dry_run=False)

Bases: UserLifecycleAnomalyCheck, ABC

Source code in apps/eu_tools/user_lifecycle/models/check.py

def __init__(self, dry_run: bool | None = False) -> None:
    self.dry_run = dry_run or False
    if self.id is None:
        raise RuntimeError(
            f"Missing UserLifecycleCheck unique identifier for {self.__class__.name}"
        )
    if self.label is None:
        raise RuntimeError(
            f"Missing UserLifecycleCheck label for {self.__class__.name}"
        )
    if self.channel is None:
        raise RuntimeError(
            f"Missing UserLifecycleCheck channel for {self.__class__.name}"
        )

anomaly_description ¶

anomaly_description(plural=False)

Source code in apps/eu_tools/user_lifecycle/models/check.py

def anomaly_description(self, plural: bool = False) -> str:
    return "unknown accounts" if plural else "unknown account"

fix_description `class-attribute` `instance-attribute` ¶

fix_description = 'deprovision'

apps.eu_tools.user_lifecycle.models.check.active_alan_users ¶

active_alan_users(
    with_externals,
    with_future=False,
    offboarding=AccountOffboardingProcess.automatic,
)

Source code in apps/eu_tools/user_lifecycle/models/check.py

def active_alan_users(
    with_externals: bool,
    with_future: bool = False,
    offboarding: AccountOffboardingProcess = AccountOffboardingProcess.automatic,
) -> set[str]:
    grace_days = (
        MANUAL_OFFBOARDING_GRACE_DAYS
        if offboarding == AccountOffboardingProcess.manual
        else 0
    )

    def filter_for_today(user_class):  # type: ignore[no-untyped-def]
        if with_future:
            filter_condition = not_(user_class.is_ended_on(utctoday(), grace_days))
        else:
            filter_condition = user_class.is_active_on(utctoday(), grace_days)

        return filter_condition

    all_internals = {
        u.email
        for u in current_session.query(Alaner).filter(filter_for_today(Alaner))  # type: ignore[no-untyped-call] # noqa: ALN085
    }
    if with_externals:
        all_externals = {
            u.email
            for u in current_session.query(ExternalUser).filter(  # noqa: ALN085
                filter_for_today(ExternalUser)  # type: ignore[no-untyped-call]
            )
        }
    else:
        all_externals = set()

    return all_internals | all_externals

apps.eu_tools.user_lifecycle.models.provider.UserLifecycleProvider ¶

Bases: ABC

deprovision_user `abstractmethod` `classmethod` ¶

deprovision_user(user_id, logger, dry_run)

Source code in apps/eu_tools/user_lifecycle/models/provider.py

@classmethod
@abstractmethod
def deprovision_user(cls, user_id: str, logger: BoundLogger, dry_run: bool):  # type: ignore[no-untyped-def]
    pass

description `instance-attribute` ¶

description

get_all_users `abstractmethod` `classmethod` ¶

get_all_users()

When a provider supports the concept of "inactive" accounts, these accounts should be included in the results returned by this method. It's the consumer's responsibility to filter the accounts based on their active status.

Source code in apps/eu_tools/user_lifecycle/models/provider.py

@classmethod
@abstractmethod
def get_all_users(cls) -> dict:  # type: ignore[type-arg]
    """
    When a provider supports the concept of "inactive" accounts,
    these accounts should be included in the results returned by this method.
    It's the consumer's responsibility to filter the accounts based on their active status.
    """

get_target_roles `classmethod` ¶

get_target_roles(user)

Source code in apps/eu_tools/user_lifecycle/models/provider.py

@classmethod
def get_target_roles(cls, user: AlanUser) -> set[str]:
    from apps.eu_tools.user_lifecycle.business_logic import has_role  # noqa: ALN009

    target_roles = set()
    for role, provider_roles in cls.role_mapping.items():
        if has_role(user, role):
            target_roles.update(provider_roles)
    return target_roles

id `instance-attribute` ¶

id

provision_user `abstractmethod` `classmethod` ¶

provision_user(user, logger, dry_run)

Source code in apps/eu_tools/user_lifecycle/models/provider.py

@classmethod
@abstractmethod
def provision_user(
    cls, user: AlanUser, logger: BoundLogger, dry_run: bool
) -> list[str] | None:
    pass

role_mapping `instance-attribute` ¶

role_mapping

update_roles `abstractmethod` `classmethod` ¶

update_roles(user, logger, dry_run)

Source code in apps/eu_tools/user_lifecycle/models/provider.py

@classmethod
@abstractmethod
def update_roles(
    cls,
    user: AlanUser,
    logger: BoundLogger,
    dry_run: bool,
) -> tuple[set[str], set[str]]:
    pass

apps.eu_tools.user_lifecycle.models.role_definition.BaseRoleDefinition ¶

Bases: ABC

__generated_by__ `class-attribute` `instance-attribute` ¶

__generated_by__ = None

__init_subclass__ ¶

__init_subclass__(**kwargs)

Source code in apps/eu_tools/user_lifecycle/models/role_definition.py

def __init_subclass__(cls, **kwargs: Any) -> None:
    super().__init_subclass__(**kwargs)

    # Skip validation for abstract classes
    if inspect.isabstract(cls):
        return

    # Validate grant_management_access_policy params if defined on this class
    if "grant_management_access_policy" in cls.__dict__:
        policy_or_policies = cls.grant_management_access_policy
        if policy_or_policies is not None:
            policies = (
                policy_or_policies
                if isinstance(policy_or_policies, list)
                else [policy_or_policies]
            )
            available_params = _ALWAYS_AVAILABLE_PARAMS | set(
                cls.__metadata__.keys()
            )
            for policy in policies:
                _validate_grant_management_policy(
                    policy, available_params, cls.__name__
                )

metadata `class-attribute` `instance-attribute` ¶

__metadata__ = dict()

can_be_requested `class-attribute` `instance-attribute` ¶

can_be_requested = True

current_grantees `classmethod` ¶

current_grantees()

Source code in apps/eu_tools/user_lifecycle/models/role_definition.py

@classmethod
def current_grantees(cls) -> set[AlanUser]:
    return cls.grantees_at(utctoday())

description `instance-attribute` ¶

description

grant_management_access_policy `class-attribute` `instance-attribute` ¶

grant_management_access_policy = None

grant_management_permitted_for `class-attribute` `instance-attribute` ¶

grant_management_permitted_for = set()

grantees_at `classmethod` ¶

grantees_at(date_or_datetime)

Source code in apps/eu_tools/user_lifecycle/models/role_definition.py

@classmethod
def grantees_at(
    cls, date_or_datetime: datetime.date | datetime.datetime
) -> set[AlanUser]:
    return set(
        role_grant.grantee
        for role_grant in current_session.scalars(
            select(RoleGrant).where(
                RoleGrant.role_id == cls.role_id,
                RoleGrant.is_active_at(date_or_datetime),
            )
        )
        if role_grant.grantee is not None
        and not role_grant.grantee.is_ended_on(
            date_or_datetime.date()
            if isinstance(date_or_datetime, datetime.datetime)
            else date_or_datetime
        )
    )

role_grant_rule_ids `abstractmethod` `classmethod` ¶

role_grant_rule_ids()

Source code in apps/eu_tools/user_lifecycle/models/role_definition.py

@classmethod
@abstractmethod
def role_grant_rule_ids(cls) -> list[str]:
    pass

role_id `instance-attribute` ¶

role_id

self_service_duration `class-attribute` `instance-attribute` ¶

self_service_duration = 0

self_service_permitted_for `class-attribute` `instance-attribute` ¶

self_service_permitted_for = set()

slack_handle_to_ping `class-attribute` `instance-attribute` ¶

slack_handle_to_ping = None

apps.eu_tools.user_lifecycle.models.role_definition.RoleDefinition ¶

Bases: BaseRoleDefinition, ABC

apps.eu_tools.user_lifecycle.models.role_definition.RoleDefinitionGenerator ¶

Bases: ABC

role_definitions `abstractmethod` `classmethod` ¶

role_definitions()

Source code in apps/eu_tools/user_lifecycle/models/role_definition.py

@classmethod
@abstractmethod
def role_definitions(cls) -> list[type[BaseRoleDefinition]]:
    pass

apps.eu_tools.user_lifecycle.models.role_definition.get_all_role_definitions ¶

get_all_role_definitions()

Source code in apps/eu_tools/user_lifecycle/models/role_definition.py

@cached_for(minutes=10, local_ram_cache_only=True, no_serialization=True)
def get_all_role_definitions() -> dict[str, type[BaseRoleDefinition]]:
    role_definitions: dict[str, type[BaseRoleDefinition]] = {
        role_definition.role_id: role_definition  # type:ignore[type-abstract]
        for role_definition in RoleDefinition.__subclasses__()
    }

    role_definitions.update(
        {
            role_definition.role_id: role_definition
            for role_definition_generator in RoleDefinitionGenerator.__subclasses__()
            for role_definition in role_definition_generator.role_definitions()
        }
    )

    return role_definitions

apps.eu_tools.user_lifecycle.models.role_grant.RoleGrant ¶

Bases: BaseModel

repr ¶

__repr__()

Source code in apps/eu_tools/user_lifecycle/models/role_grant.py

def __repr__(self) -> str:
    return f"<{self.__class__.__name__} [{self.id}]: {self.role_id}>"

__table_args__ `class-attribute` `instance-attribute` ¶

__table_args__ = (
    CheckConstraint(
        "(grantee_alaner_id IS NOT NULL)::int + (grantee_external_user_id IS NOT NULL)::int + (grantee_service_account_id IS NOT NULL)::int = 1",
        name="role_grant_grantee_is_not_null",
    ),
    CheckConstraint(
        "(role_request_id IS NULL) != (rule_id IS NULL)",
        name="role_grant_rule_or_request_is_not_null",
    ),
    UniqueConstraint(
        "grantee_alaner_id",
        "role_id",
        "role_request_id",
        name="single_request_for_alaners",
    ),
    UniqueConstraint(
        "grantee_external_user_id",
        "role_id",
        "role_request_id",
        name="single_request_for_external_users",
    ),
    UniqueConstraint(
        "grantee_service_account_id",
        "role_id",
        "role_request_id",
        name="single_request_for_service_accounts",
    ),
    ExcludeConstraint(
        (grantee_alaner_id, "="),
        (role_id, "="),
        (rule_id, "="),
        (text("tsrange(starts_at, ends_at, '[)')"), "&&"),
        name="no_overlapping_grants_for_alaners",
    ),
    ExcludeConstraint(
        (grantee_external_user_id, "="),
        (role_id, "="),
        (rule_id, "="),
        (text("tsrange(starts_at, ends_at, '[)')"), "&&"),
        name="no_overlapping_grants_for_external_users",
    ),
)

tablename `class-attribute` `instance-attribute` ¶

__tablename__ = 'role_grant'

ends_at `class-attribute` `instance-attribute` ¶

ends_at = mapped_column(DateTime)

grantee `property` ¶

grantee

grantee_alaner_id `class-attribute` `instance-attribute` ¶

grantee_alaner_id = mapped_column(Integer, index=True)

grantee_external_user_id `class-attribute` `instance-attribute` ¶

grantee_external_user_id = mapped_column(
    UUID(as_uuid=True), index=True
)

grantee_service_account_id `class-attribute` `instance-attribute` ¶

grantee_service_account_id = mapped_column(
    UUID(as_uuid=True), index=True
)

is_active ¶

is_active()

Source code in apps/eu_tools/user_lifecycle/models/role_grant.py

@is_active.expression  # type: ignore[no-redef]
def is_active(cls):
    return cls.is_active_at(func.now())

is_active_at ¶

is_active_at(date)

Source code in apps/eu_tools/user_lifecycle/models/role_grant.py

@is_active_at.expression  # type: ignore[no-redef]
def is_active_at(cls, date):
    return (cls.starts_at <= date) & ~((cls.ends_at != None) & (cls.ends_at < date))

role_id `class-attribute` `instance-attribute` ¶

role_id = mapped_column(Text, nullable=False, index=True)

role_request `class-attribute` `instance-attribute` ¶

role_request = relationship(
    "RoleRequest",
    foreign_keys=role_request_id,
    primaryjoin="RoleRequest.id == RoleGrant.role_request_id",
    back_populates="role_grant",
    uselist=False,
    remote_side="RoleRequest.id",
)

role_request_id `class-attribute` `instance-attribute` ¶

role_request_id = mapped_column(
    UUID(as_uuid=True), index=True
)

rule_id `class-attribute` `instance-attribute` ¶

rule_id = mapped_column(Text)

starts_at `class-attribute` `instance-attribute` ¶

starts_at = mapped_column(DateTime, nullable=False)

apps.eu_tools.user_lifecycle.models.role_request.RoleRequest ¶

Bases: BaseModel

repr ¶

__repr__()

Source code in apps/eu_tools/user_lifecycle/models/role_request.py

def __repr__(self) -> str:
    return f"<{self.__class__.__name__} [{self.id}]: {self.role_id}>"

__table_args__ `class-attribute` `instance-attribute` ¶

__table_args__ = (
    CheckConstraint(
        "(grantee_alaner_id IS NOT NULL)::int + (grantee_external_user_id IS NOT NULL)::int + (grantee_service_account_id IS NOT NULL)::int = 1",
        name="role_request_grantee_is_not_null",
    ),
)

tablename `class-attribute` `instance-attribute` ¶

__tablename__ = 'role_request'

approved_at `class-attribute` `instance-attribute` ¶

approved_at = mapped_column(DateTime)

approver `class-attribute` `instance-attribute` ¶

approver = relationship(
    "Alaner",
    foreign_keys=approver_id,
    primaryjoin="Alaner.id == RoleRequest.approver_id",
    uselist=False,
    remote_side="Alaner.id",
)

approver_id `class-attribute` `instance-attribute` ¶

approver_id = mapped_column(Integer)

ends_at `class-attribute` `instance-attribute` ¶

ends_at = mapped_column(DateTime, nullable=False)

grantee `property` ¶

grantee

grantee_alaner_id `class-attribute` `instance-attribute` ¶

grantee_alaner_id = mapped_column(Integer)

grantee_external_user_id `class-attribute` `instance-attribute` ¶

grantee_external_user_id = mapped_column(UUID(as_uuid=True))

grantee_service_account_id `class-attribute` `instance-attribute` ¶

grantee_service_account_id = mapped_column(
    UUID(as_uuid=True)
)

permalink `class-attribute` `instance-attribute` ¶

permalink = mapped_column(Text)

request_reason `class-attribute` `instance-attribute` ¶

request_reason = mapped_column(Text, nullable=False)

requested_at `class-attribute` `instance-attribute` ¶

requested_at = mapped_column(DateTime, nullable=False)

requester `class-attribute` `instance-attribute` ¶

requester = relationship(
    "Alaner",
    foreign_keys=requester_id,
    primaryjoin="Alaner.id == RoleRequest.requester_id",
    uselist=False,
    remote_side="Alaner.id",
)

requester_id `class-attribute` `instance-attribute` ¶

requester_id = mapped_column(Integer, nullable=False)

rescinded_at `class-attribute` `instance-attribute` ¶

rescinded_at = mapped_column(DateTime)

rescinder `class-attribute` `instance-attribute` ¶

rescinder = relationship(
    "Alaner",
    foreign_keys=rescinder_id,
    primaryjoin="Alaner.id == RoleRequest.rescinder_id",
    uselist=False,
    remote_side="Alaner.id",
)

rescinder_id `class-attribute` `instance-attribute` ¶

rescinder_id = mapped_column(Integer)

rescission_reason `class-attribute` `instance-attribute` ¶

rescission_reason = mapped_column(Text)

role_grant `class-attribute` `instance-attribute` ¶

role_grant = relationship(
    RoleGrant,
    primaryjoin="RoleRequest.id == foreign(RoleGrant.role_request_id)",
    back_populates="role_request",
    uselist=False,
    remote_side="RoleGrant.role_request_id",
)

role_id `class-attribute` `instance-attribute` ¶

role_id = mapped_column(Text, nullable=False)

starts_at `class-attribute` `instance-attribute` ¶

starts_at = mapped_column(DateTime, nullable=False)

apps.eu_tools.user_lifecycle.models.role_grant_rule_definition.BaseRoleGrantRuleDefinition ¶

Bases: ABC

description `instance-attribute` ¶

description

grantees_definition `abstractmethod` `classmethod` ¶

grantees_definition()

Source code in apps/eu_tools/user_lifecycle/models/role_grant_rule_definition.py

@classmethod
@abstractmethod
def grantees_definition(cls) -> set[AlanUser]:
    pass

non_empty_check `class-attribute` `instance-attribute` ¶

non_empty_check = True

rule_id `instance-attribute` ¶

rule_id

apps.eu_tools.user_lifecycle.models.role_grant_rule_definition.RoleGrantRuleDefinition ¶

Bases: BaseRoleGrantRuleDefinition, ABC

apps.eu_tools.user_lifecycle.models.role_grant_rule_definition.RoleGrantRuleGenerator ¶

Bases: ABC

role_grant_rules `abstractmethod` `classmethod` ¶

role_grant_rules()

Source code in apps/eu_tools/user_lifecycle/models/role_grant_rule_definition.py

@classmethod
@abstractmethod
def role_grant_rules(cls) -> dict[str, type[BaseRoleGrantRuleDefinition]]:
    pass

rule_ids_for `classmethod` ¶

rule_ids_for(*names)

Source code in apps/eu_tools/user_lifecycle/models/role_grant_rule_definition.py

@classmethod
def rule_ids_for(cls, *names: str) -> list[str]:
    return [cls._rule_id_for(name) for name in names]