Merge pull request #385 from bcgov/fix/delete-limit

fix: deletion limit

Author: jlangy

docker/kc-cron-job/remove-inactive-idir-users.js

@@ -1,6 +1,8 @@
 const _ = require('lodash');
 const async = require('async');
+const { promisify } = require('util');
 const axios = require('axios');
+const { parseString } = require('xml2js');
 const { getAdminClient, log, getPgClient, sendRcNotification, handleError, deleteLegacyData } = require('./helpers');
 const jwt = require('jsonwebtoken');
 const { ConfidentialClientApplication } = require('@azure/msal-node');
@@ -10,6 +12,9 @@ const MS_GRAPH_IDIR_GUID_ATTRIBUTE = 'onPremisesExtensionAttributes/extensionAtt
 
 require('dotenv').config();
 
+// NOTE: this is per runner, e.g with 5 in prod 50 is the total user deletion limit
+const MAX_DELETED_USERS_PER_RUNNER = 30;
+
 let devMsalInstance;
 let testMsalInstance;
 let prodMsalInstance;
@@ -85,7 +90,11 @@ async function getAzureAccessToken(env) {
   }
 }
 
-async function checkUserExistsAtIDIM({ property = MS_GRAPH_IDIR_GUID_ATTRIBUTE, matchKey = '', env }) {
+/*
+  This function checks existence using MS Graph. Currently has issues with being out of sync with IDIM, so is unused.
+  Keeping the function in case the sync issue can be resolved.
+*/
+async function checkUserExistsAtEntra({ property = MS_GRAPH_IDIR_GUID_ATTRIBUTE, matchKey = '', env }) {
   try {
     const accessToken = await getAzureAccessToken(env);
     const options = {
@@ -111,6 +120,124 @@ async function checkUserExistsAtIDIM({ property = MS_GRAPH_IDIR_GUID_ATTRIBUTE,
   }
 }
 
+const parseStringSync = promisify(parseString);
+
+function getWebServiceInfo({ env = 'dev' }) {
+  const requestHeaders = {
+    'Content-Type': 'text/xml;charset=UTF-8',
+    authorization: `Basic ${process.env.BCEID_SERVICE_BASIC_AUTH}`
+  };
+
+  const requesterIdirGuid = process.env.BCEID_REQUESTER_IDIR_GUID || '';
+
+  let serviceUrl = '';
+  let serviceId = '';
+  if (env === 'dev') {
+    serviceUrl = 'https://gws2.development.bceid.ca';
+    serviceId = process.env.BCEID_SERVICE_ID_DEV || '';
+  } else if (env === 'test') {
+    serviceUrl = 'https://gws2.test.bceid.ca';
+    serviceId = process.env.BCEID_SERVICE_ID_TEST || '';
+  } else if (env === 'prod') {
+    serviceUrl = 'https://gws2.bceid.ca';
+    serviceId = process.env.BCEID_SERVICE_ID_PROD || '';
+  }
+
+  return { requestHeaders, requesterIdirGuid, serviceUrl, serviceId };
+}
+
+const generateXML = (
+  {
+    property = 'userId',
+    matchKey = '',
+    matchType = 'Exact',
+    serviceId = '',
+    requesterIdirGuid = '',
+    page = 1,
+    limit = 1
+  },
+  requestType = 'searchInternalAccount'
+) => {
+  if (requestType === 'getAccountDetail') {
+    return `<?xml version="1.0" encoding="UTF-8"?>
+    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:V10="http://www.bceid.ca/webservices/Client/V10/">
+        <soapenv:Header />
+        <soapenv:Body>
+            <V10:getAccountDetail>
+             <V10:accountDetailRequest>
+                <V10:onlineServiceId>${serviceId}</V10:onlineServiceId>
+                <V10:requesterAccountTypeCode>Internal</V10:requesterAccountTypeCode>
+                <V10:requesterUserGuid>${requesterIdirGuid}</V10:requesterUserGuid>
+                <V10:${property}>${matchKey}</V10:${property}>
+                <V10:accountTypeCode>Internal</V10:accountTypeCode>
+             </V10:accountDetailRequest>
+          </V10:getAccountDetail>
+        </soapenv:Body>
+    </soapenv:Envelope>`;
+  } else {
+    return `<?xml version="1.0" encoding="UTF-8"?>
+<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:V10="http://www.bceid.ca/webservices/Client/V10/">
+    <soapenv:Header />
+    <soapenv:Body>
+        <V10:searchInternalAccount>
+            <V10:internalAccountSearchRequest>
+                <V10:onlineServiceId>${serviceId}</V10:onlineServiceId>
+                <V10:requesterAccountTypeCode>Internal</V10:requesterAccountTypeCode>
+                <V10:requesterUserGuid>${requesterIdirGuid}</V10:requesterUserGuid>
+                <requesterAccountTypeCode>Internal</requesterAccountTypeCode>
+                <V10:pagination>
+                    <V10:pageSizeMaximum>${String(limit || 100)}</V10:pageSizeMaximum>
+                    <V10:pageIndex>${String(page || 1)}</V10:pageIndex>
+                </V10:pagination>
+                <V10:sort>
+                    <V10:direction>Ascending</V10:direction>
+                    <V10:onProperty>UserId</V10:onProperty>
+                </V10:sort>
+                <V10:accountMatch>
+                    <V10:${property}>
+                       <V10:value>${matchKey}</V10:value>
+                       <V10:matchPropertyUsing>${matchType}</V10:matchPropertyUsing>
+                    </V10:${property}>
+                 </V10:accountMatch>
+            </V10:internalAccountSearchRequest>
+        </V10:searchInternalAccount>
+    </soapenv:Body>
+</soapenv:Envelope>`;
+  }
+};
+
+async function checkUserExistsAtIDIM({ property = 'userGuid', matchKey = '', env = 'prod' }) {
+  const { requestHeaders, requesterIdirGuid, serviceUrl, serviceId } = getWebServiceInfo({ env });
+  const xml = generateXML({ property, matchKey, serviceId, requesterIdirGuid }, 'getAccountDetail');
+
+  try {
+    const response = await axios.post(`${serviceUrl}/webservices/client/V10/BCeIDService.asmx?WSDL`, xml, {
+      headers: requestHeaders,
+      timeout: 10000
+    });
+
+    const { data: body } = response;
+
+    const result = await parseStringSync(body);
+    const data = _.get(result, 'soap:Envelope.soap:Body.0.getAccountDetailResponse.0.getAccountDetailResult.0');
+    if (!data) throw Error('no data');
+
+    const status = _.get(data, 'code.0');
+    const failureCode = _.get(data, 'failureCode.0');
+    const failMessage = _.get(data, 'message.0');
+    if (status === 'Success' && failureCode === 'Void') {
+      return 'exists';
+    } else if (status === 'Failed' && failureCode === 'NoResults') {
+      return 'notexists';
+    } else {
+      log(`${env}: [${status}][${failureCode}] ${property}: ${matchKey}: ${String(failMessage)})`);
+    }
+    return 'error';
+  } catch (error) {
+    throw new Error(error);
+  }
+}
+
 async function getUserRolesMappings(adminClient, userId) {
   try {
     const clientRoles = [];
@@ -205,6 +332,8 @@ async function removeStaleUsersByEnv(env = 'dev', pgClient, runnerName, startFro
             await pgClient.query({ text, values });
             deletedUserCount++;
             log(`[${runnerName}] ${username} has been deleted from ${env} environment`);
+
+            if (deletedUserCount > MAX_DELETED_USERS_PER_RUNNER) break;
           } else continue;
         }
       }
@@ -213,7 +342,7 @@ async function removeStaleUsersByEnv(env = 'dev', pgClient, runnerName, startFro
       if (count < max || total === 10000) break;
 
       // max 50 users can be deleted by a runner at a time
-      if (deletedUserCount > 50) break;
+      if (deletedUserCount > MAX_DELETED_USERS_PER_RUNNER) break;
 
       await adminClient.reauth();
       first = first + max;

docker/kc-cron-job/yarn.lock

@@ -15,17 +15,17 @@
     "@jridgewell/gen-mapping" "^0.3.0"
     "@jridgewell/trace-mapping" "^0.3.9"
 
-"@azure/msal-common@14.12.0":
-  version "14.12.0"
-  resolved "https://registry.yarnpkg.com/@azure/msal-common/-/msal-common-14.12.0.tgz#844abe269b071f8fa8949dadc2a7b65bbb147588"
-  integrity sha512-IDDXmzfdwmDkv4SSmMEyAniJf6fDu3FJ7ncOjlxkDuT85uSnLEhZi3fGZpoR7T4XZpOMx9teM9GXBgrfJgyeBw==
+"@azure/msal-common@14.15.0":
+  version "14.15.0"
+  resolved "https://registry.yarnpkg.com/@azure/msal-common/-/msal-common-14.15.0.tgz#0e27ac0bb88fe100f4f8d1605b64d5c268636a55"
+  integrity sha512-ImAQHxmpMneJ/4S8BRFhjt1MZ3bppmpRPYYNyzeQPeFN288YKbb8TmmISQEbtfkQ1BPASvYZU5doIZOPBAqENQ==
 
 "@azure/msal-node@^2.9.2":
-  version "2.9.2"
-  resolved "https://registry.yarnpkg.com/@azure/msal-node/-/msal-node-2.9.2.tgz#e6d3c1661012c1bd0ef68e328f73a2fdede52931"
-  integrity sha512-8tvi6Cos3m+0KmRbPjgkySXi+UQU/QiuVRFnrxIwt5xZlEEFa69O04RTaNESGgImyBBlYbo2mfE8/U8Bbdk1WQ==
+  version "2.14.0"
+  resolved "https://registry.yarnpkg.com/@azure/msal-node/-/msal-node-2.14.0.tgz#7881895d41b03d8b9b38a29550ba3bbb15f73b3c"
+  integrity sha512-rrfzIpG3Q1rHjVYZmHAEDidWAZZ2cgkxlIcMQ8dHebRISaZ2KCV33Q8Vs+uaV6lxweROabNxKFlR2lIKagZqYg==
   dependencies:
-    "@azure/msal-common" "14.12.0"
+    "@azure/msal-common" "14.15.0"
     jsonwebtoken "^9.0.0"
     uuid "^8.3.0"