Merge pull request #1225 from uc-cdis/fix/revoke-policies-on-usersync

Reorganize revoke mfa policy to account for arborist lower case usern…
uc-cdis · Feb 17, 2025 · 7dcce30 · 7dcce30
2 parents 43933e5 + 4b43d46
commit 7dcce30
Showing 1 changed file with 3 additions and 7 deletions.
diff --git a/fence/sync/sync_users.py b/fence/sync/sync_users.py
@@ -1900,23 +1900,19 @@ def _revoke_all_policies_preserve_mfa(self, username, idp=None):
         If MFA is enabled for the user's idp, check if they have the /multifactor_auth resource and restore the
         mfa_policy after revoking all policies.
         """
-        user_data_from_arborist = None
-        try:
-            user_data_from_arborist = self.arborist_client.get_user(username)
-        except ArboristError:
-            # user doesn't exist in Arborist, nothing to revoke
-            return
 
         is_mfa_enabled = "multifactor_auth_claim_info" in config["OPENID_CONNECT"].get(
             idp, {}
         )
+
         if not is_mfa_enabled:
             # TODO This should be a diff, not a revocation of all policies.
             self.arborist_client.revoke_all_policies_for_user(username)
             return
 
         policies = []
         try:
+            user_data_from_arborist = self.arborist_client.get_user(username)
             policies = user_data_from_arborist["policies"]
         except Exception as e:
             self.logger.error(
@@ -1927,7 +1923,7 @@ def _revoke_all_policies_preserve_mfa(self, username, idp=None):
             self.arborist_client.revoke_all_policies_for_user(username)
 
         if "mfa_policy" in policies:
-            status_code = self.arborist_client.grant_user_policy(username, "mfa_policy")
+            self.arborist_client.grant_user_policy(username, "mfa_policy")
 
     def _update_authz_in_arborist(
         self,