nresare · dzolotusky · Nov 15, 2021 · Nov 15, 2021
diff --git a/github_user_management/__main__.py b/github_user_management/__main__.py
@@ -36,6 +36,11 @@
                                   "dc=spotify,dc=net"))
 domain = click.option("--domain", "-d", type=click.STRING,
                       default="spotify.com")
+remove_nonemployee = click.option("--remove-nonemployee", "-r", type=click.BOOL,
+                                  default=False, is_flag=True)
+remove_nonmatching = click.option("--remove-nonmatching", "-r", type=click.BOOL,
+                                  default=False, is_flag=True)
+
 
 
 def apply_params(click_objects):
@@ -60,10 +65,10 @@ def add_ldap_users_to_employees(gh_token, ldap_url, ldap_base, gh_url):
 
 
 @main.command(help="Check GitHub users in LDAP")
-@apply_params([gh_token, ldap_url, ldap_base, gh_url, gh_org])
-def check_github_users_in_ldap(gh_token, ldap_url, ldap_base, gh_url, gh_org):
+@apply_params([gh_token, ldap_url, ldap_base, gh_url, gh_org, remove_nonemployee, remove_nonmatching])
+def check_github_users_in_ldap(gh_token, ldap_url, ldap_base, gh_url, gh_org, remove_nonemployee, remove_nonmatching):
     check_github.check_github_usernames(
-        gh_token, ldap_url, ldap_base, gh_url, gh_org
+        gh_token, ldap_url, ldap_base, gh_url, gh_org, remove_nonemployee, remove_nonmatching
     )
 
 

diff --git a/github_user_management/add_ldap_users_to_employees.py b/github_user_management/add_ldap_users_to_employees.py
@@ -15,4 +15,4 @@ def check_github_usernames(github_token, ldap_url, ldap_base, github_url):
                 print ("ldap user %s doesn't have a valid github user: %s"
                        % (user, github_user))
             else:
-                print github_user
+                print (github_user)
diff --git a/github_user_management/check_github_users_in_ldap.py b/github_user_management/check_github_users_in_ldap.py
@@ -11,39 +11,45 @@ def print_dict_keys_per_value(d, exclude, check_existence_for_these):
     for k in d:
         by_value[d[k]].append(k)
     printed_categories = []
-    for v in sorted(by_value.iterkeys()):
+    for v in sorted(by_value.keys()):
         if v in exclude:
             continue
-        print v
+        print("%s (%i)" % (v, len(by_value[v])))
         printed_categories.append(v)
         for k in sorted(by_value[v]):
-            print " " + k
+            print(" " + k)
     for cat in check_existence_for_these:
         if cat not in printed_categories:
-            print "Good news, category %s is empty!" % cat
+            print("Good news, category %s is empty!" % cat)
 
 
-def check_github_usernames(github_token, ldap_url, ldap_base, github_url, org):
+def check_github_usernames(github_token, ldap_url, ldap_base, github_url, org, remove_nonemployee, remove_nonmatching):
     gc = github_client.GithubClient(github_token, github_url)
 
     members = dict(
-        map(lambda x: (x.lower(), "github"), gc.get_members(org))
+        map(lambda x: (x.lower(), "only_in_github"), gc.get_members(org))
     )
 
     with ldap_client.LdapClient(ldap_url, ldap_base) as lc:
         for user, shell, github_user in lc.get_github_users():
-            github_user = github_user.lower()
-            if shell == '/dev/null':
-                if github_user in members:
+            github_user = github_user.lower().decode('UTF-8')
+            if shell.decode('UTF-8') == '/dev/null':
+                if github_user in members and members[github_user] == 'only_in_github':
                     members[github_user] = 'github_user_that_quit'
+                    if remove_nonemployee:
+                        gc.remove_member(org, github_user)
                 continue
             if github_user not in members:
                 members[github_user] = 'to_add_to_github'
             else:
                 members[github_user] = 'matching'
                 # print "matching %s@spotify.com" % user
 
+        if remove_nonmatching:
+            for non_matching_member in [m for m in members if members[m] == 'only_in_github']:
+                gc.remove_member(org, non_matching_member)
+
     print_dict_keys_per_value(
         members, ("matching", "to_add_to_github"),
-        ("github", "github_user_that_quit")
+        ("only_in_github", "github_user_that_quit")
     )
diff --git a/github_user_management/clients/github_client.py b/github_user_management/clients/github_client.py
@@ -31,6 +31,10 @@ def get(self, url):
         return requests.get(url, headers={
             'Authorization': 'token ' + self.auth_token})
 
+    def delete(self, url):
+        return requests.delete(url, headers={
+            'Authorization': 'token ' + self.auth_token})
+
     def get_user(self, username):
         result = self.get("%s/users/%s" % (self.github_base_url, username))
         if result.status_code == 404:
@@ -53,6 +57,12 @@ def get_members(self, org_name, role='all'):
             self.github_base_url, org_name, role)
         return (m['login'] for m in self.traverse_pagination(url))
 
+    def remove_member(self, org_name, member_username):
+        url = "%s/orgs/%s/memberships/%s" % (
+            self.github_base_url, org_name, member_username)
+        response = self.delete(url)
+        return response.status_code == 204
+
 
 def yield_org_keys(auth_token, github_base_url, org_name):
     client = GithubClient(auth_token, github_base_url)

diff --git a/github_user_management/get_keys_for_org.py b/github_user_management/get_keys_for_org.py
@@ -8,4 +8,4 @@ def main(github_token, github_url, org):
             github_token, github_url, org):
         with open("keys/%s-%s" % (member, id), 'w') as f:
             f.write(key)
-            print member
+            print (member)
diff --git a/github_user_management/github_details_for_users.py b/github_user_management/github_details_for_users.py
@@ -11,6 +11,6 @@ def print_details_for_users(users_filename, token, github_url):
             user = gc.get_user(u)
             email = user["email"]
             if email:
-                print "Email for %s is %s" % (u, email)
+                print ("Email for %s is %s" % (u, email))
             else:
-                print "no email for user " + u
+                print ("no email for user " + u)
diff --git a/github_user_management/org_owners_without_ldap_connection.py b/github_user_management/org_owners_without_ldap_connection.py
@@ -17,12 +17,12 @@ def print_email_if_available(github_members, ldap_url, ldap_base, domain):
             else:
                 missing_ldap_mappings.append(user)
 
-    print "there are %d users" % len(users)
-    print ", ".join(users)
+    print ("there are %d users" % len(users))
+    print (", ".join(users))
 
     if missing_ldap_mappings:
-        print "\nDrop these users from the team (they lack LDAP mapping)"
+        print ("\nDrop these users from the team (they lack LDAP mapping)")
         for user in missing_ldap_mappings:
-            print user
+            print (user)
     else:
-        print "\nNo users lacking LDAP mapping. Yay!"
+        print ("\nNo users lacking LDAP mapping. Yay!")
diff --git a/requirements.txt b/requirements.txt
@@ -1,6 +1,6 @@
 requests==2.20.0
-python-ldap==2.4.27
-click==6.6
+python-ldap==3.3.0
+click==8.0.3
 # from requests[security]
 cryptography==3.2
 ndg-httpsclient==0.4.2