feat: syncing groups to Arborist policies

fence/resources/cognito/groups.py

@@ -1,7 +1,9 @@
 from flask_sqlalchemy_session import current_session
 
+import fence.scripting.fence_create
 
-def sync_gen3_users_authz_from_adfs_groups(email, groups, db_session=None):
+
+def sync_gen3_users_authz_from_adfs_groups(email, groups):
     """
     Sync the authorization of users in the Gen3 database with the groups
     they are in on the ADFS server.
@@ -14,10 +16,26 @@ def sync_gen3_users_authz_from_adfs_groups(email, groups, db_session=None):
         dict: dictionary of users that were synced and the groups they were
             synced with
     """
-    db_session = db_session or current_session
-
     # for each group, assign current user the following resources:
     # /cohort-middleware/{group}
     # with both role_ids: 'cohort_middleware_admin' and 'cohort_middleware_outputs_admin_reader'
-    for group in groups:
-        pass
+    db_session = db_session or current_session
+    _sync_adfs_groups(
+        email,
+        groups,
+        db_session=db_session,
+    )
+
+
+def _sync_adfs_groups(gen3_user, groups, db_session=None):
+    db_session = db_session or current_session
+
+    default_args = fence.scripting.fence_create.get_default_init_syncer_inputs(
+        authz_provider="Cognito"
+    )
+    syncer = fence.scripting.fence_create.init_syncer(**default_args)
+
+    groups = syncer.sync_single_user_groups(
+        gen3_user,
+        groups,
+    )

fence/sync/sync_users.py

@@ -2417,3 +2417,62 @@ def sync_single_user_visas(self, user, ga4gh_visas, sess=None, expires=None):
             self.logger.error("No arborist client set; skipping arborist sync")
 
         return parsed_visas
+
+    def sync_single_user_groups(self, user, groups, sess=None):
+        """
+        Sync a single user's groups during login
+
+        Args:
+            user (userdatamodel.user.User): Fence user whose visas'
+                                            authz info is being synced
+            groups (list): a list of groups that the user is a member of
+
+        Return:
+            list of successfully assigned groups
+        """
+        try:
+            user_yaml = UserYAML.from_file(
+                self.sync_from_local_yaml_file, encrypted=False, logger=self.logger
+            )
+        except (EnvironmentError, AssertionError) as e:
+            self.logger.error(str(e))
+            self.logger.error("aborting early")
+            raise
+
+        user_projects = dict()
+        projects = {}
+
+        for group in groups:
+            project = {}
+            try:
+                # not sure what to do here
+                pass
+            except Exception:
+                self.logger.warning(f"ignoring group: {group}")
+                continue
+            projects = {**projects, **project}
+
+        user_projects[user.username] = projects
+        user_projects = self.parse_projects(user_projects)
+
+        # update arborist db (user access)
+        if self.arborist_client:
+            self.logger.info("Synchronizing arborist with authorization info...")
+            success = self._update_authz_in_arborist(
+                sess,
+                user_projects,
+                user_yaml=user_yaml,
+                single_user_sync=True,
+            )
+            if success:
+                self.logger.info(
+                    "Finished synchronizing authorization info to arborist"
+                )
+            else:
+                self.logger.error(
+                    "Could not synchronize authorization info successfully to arborist"
+                )
+        else:
+            self.logger.error("No arborist client set; skipping arborist sync")
+
+        return