oidc: make person_id optional arg for external accounts

CERNDocumentServer · Sep 14, 2023 · 7a6ed92 · 7a6ed92
1 parent f486bb9
commit 7a6ed92
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 4 deletions.
diff --git a/site/cds_rdm/ldap/api.py b/site/cds_rdm/ldap/api.py
@@ -82,6 +82,10 @@ def update_invenio_users_from_ldap(remote_accounts, ldap_users_map, log_func):
         # fetching the user on the next iteration
         for remote_account in remote_accounts:
             invenio_user = InvenioUser(remote_account)
+            if not invenio_user.data.get("remote_account_person_id"):
+                # not a CERN user
+                continue
+
             # use `dict.pop` to remove from `ldap_users_map` the users found
             # in Invenio, so the remaining will be the ones to be added
             # later on

diff --git a/site/cds_rdm/ldap/utils.py b/site/cds_rdm/ldap/utils.py
@@ -103,13 +103,16 @@ def __init__(self, remote_account):
 
     def _get_full_user_info(self):
         """Serialize data from user db models."""
+        person_id = self.remote_account.extra_data.get("person_id")
+        person_id = str(person_id) if person_id else None
+
         user_info = dict(
             user_profile_full_name=self.user_profile.full_name,
             user_email=self.user.email,
             user_username=self.user.username,
             user_identity_id=self.user_identity.id,
             remote_account_id=self.remote_account.id,
-            remote_account_person_id=str(self.remote_account.extra_data["person_id"]),
+            remote_account_person_id=person_id,
             remote_account_department=self.remote_account.extra_data.get("department"),
         )
         return user_info

diff --git a/site/cds_rdm/oidc.py b/site/cds_rdm/oidc.py
@@ -48,12 +48,15 @@ def cern_setup_handler(remote, token, resp):
     with db.session.begin_nested():
         # fetch the user's Keycloak ID and set it in extra_data
         keycloak_id = token_user_info["sub"]
-        cern_person_id = token_user_info["cern_person_id"]
         token.remote_account.extra_data = {
-            "keycloak_id": keycloak_id,
-            "person_id": cern_person_id,  # Required to properly sync the users
+            "keycloak_id": keycloak_id
         }
 
+        # only available to CERN users
+        cern_person_id = token_user_info.get("cern_person_id", None)
+        if cern_person_id:
+            token.remote_account.extra_data["person_id"] = cern_person_id
+
         user = token.remote_account.user
         external_id = {"id": keycloak_id, "method": remote.name}