From a1196635cbc212163cd09c7d932d9ebc4dda34b3 Mon Sep 17 00:00:00 2001
From: Nicholas Flynt
Date: Fri, 4 Aug 2023 14:38:46 -0400
Subject: [PATCH] Add an option to automatically delete missing-guid users

This is only available when running the standalone script. At Rancher startup this option is set to false, so missing users will be logged instead and require manual intervention.
---
 cleanup/ad-guid-unmigration.sh | 7 ++++++-
 cleanup/ad-guid-unmigration.yaml | 6 ++++--
 cmd/agent/main.go | 2 +-
 pkg/agent/clean/active_directory.go | 20 ++++++++++++++++----
 4 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/cleanup/ad-guid-unmigration.sh b/cleanup/ad-guid-unmigration.sh
index dfe8a734551..0d0c9f33287 100755
--- a/cleanup/ad-guid-unmigration.sh
+++ b/cleanup/ad-guid-unmigration.sh
@@ -23,6 +23,7 @@ show_usage() {
 echo ""
 echo "Flags:"
 echo -e "\t-dry-run Display the resources that would will be updated without making changes"
+ echo -e "\t-delete-missing Permanently remove user objects whose GUID cannot be found in Active Directory"
 }
 
 if [ $# -lt 1 ]
@@ -45,7 +46,11 @@ yaml=$(cat ad-guid-unmigration.yaml | sed -e 's=agent_image='"$agent_image"'=')
 if [ "$2" = "-dry-run" ]
 then
 # Uncomment the env var for dry-run mode
- yaml=$(sed -e 's/# // ' <<< "$yaml")
+ yaml=$(sed -e 's/#dryrun // ' <<< "$yaml")
+elif [ "$2" = "-delete-missing" ]
+then
+ # Instead uncomment the env var for missing user cleanup
+ yaml=$(sed -e 's/#deletemissing // ' <<< "$yaml")
 fi
 
 echo "$yaml" | kubectl apply -f -
diff --git a/cleanup/ad-guid-unmigration.yaml b/cleanup/ad-guid-unmigration.yaml
index c6dedbf922e..a0a85471697 100644
--- a/cleanup/ad-guid-unmigration.yaml
+++ b/cleanup/ad-guid-unmigration.yaml
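Review bot: Only `$2` is inspected and the new branch is an `elif`, so `-dry-run` and `-delete-missing` are mutually exclusive in the second hunk: an operator has no way to preview which user objects the permanent deletion would remove before running it for real. Accepting both flags by iterating over the remaining arguments and uncommenting each marker independently (below) fixes the script side; note that the Go side currently forces deleteMissingUsers off whenever DRY_RUN is set, so a useful preview also needs that code to keep logging the would-be deletions. Since nothing in the script asks for confirmation before `kubectl apply`, the `-delete-missing` usage line should also state that the removal is irreversible and recommend saving `kubectl get users -o yaml` first.
```shell
# … unchanged: yaml=$(cat ad-guid-unmigration.yaml | sed ...) …
for flag in "${@:2}"; do
  case "$flag" in
    -dry-run)        yaml=$(sed -e 's/#dryrun // ' <<< "$yaml") ;;
    -delete-missing) yaml=$(sed -e 's/#deletemissing // ' <<< "$yaml") ;;
    *) echo "Unknown flag: $flag"; show_usage; exit 1 ;;
  esac
done
# … unchanged: echo "$yaml" | kubectl apply -f - …
```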
@@ -38,8 +38,10 @@ spec:
 - env:
 - name: AD_GUID_CLEANUP
 value: "true"
- # - name: DRY_RUN
- # value: "true"
+ #dryrun - name: DRY_RUN
+ #dryrun value: "true"
+ #deletemissing - name: AD_DELETE_MISSING_GUID_USERS
+ #deletemissing value: "true"
 image: agent_image
 imagePullPolicy: Always
 command: ["agent"]
diff --git a/cmd/agent/main.go b/cmd/agent/main.go
index 9290e753496..f3314b4240c 100644
--- a/cmd/agent/main.go
+++ b/cmd/agent/main.go
@@ -81,7 +81,7 @@ func main() {
 }
 err = bindingErr
 } else if os.Getenv("AD_GUID_CLEANUP") == "true" {
- err = clean.UnmigrateAdGUIDUsers(nil, false)
+ err = clean.UnmigrateAdGUIDUsers(nil, false, false)
 } else {
 err = run(ctx)
 }
diff --git a/pkg/agent/clean/active_directory.go b/pkg/agent/clean/active_directory.go
index 5c1d752f15c..9294888533a 100644
--- a/pkg/agent/clean/active_directory.go
+++ b/pkg/agent/clean/active_directory.go
@@ -303,15 +303,19 @@ func UnmigrateAdGUIDUsersOnce(sc *config.ScaledContext) error {
 return nil
 }
 }
- return UnmigrateAdGUIDUsers(&sc.RESTConfig, false)
+ return UnmigrateAdGUIDUsers(&sc.RESTConfig, false, false)
 }
 
 // UnmigrateAdGUIDUsers will cycle through all users, ctrb, ptrb, tokens and migrate them to an
 // appropriate DN-based PrincipalID.
-func UnmigrateAdGUIDUsers(clientConfig *restclient.Config, dryRun bool) error {
+func UnmigrateAdGUIDUsers(clientConfig *restclient.Config, dryRun bool, deleteMissingUsers bool) error {
 if dryRun || os.Getenv("DRY_RUN") == "true" {
 logrus.Infof("[%v] DRY_RUN is true, no objects will be deleted/modified", listAdUsersOperation)
 dryRun = true
+ deleteMissingUsers = false
+ } else if deleteMissingUsers || os.Getenv("AD_DELETE_MISSING_GUID_USERS") == "true" {
+ logrus.Infof("[%v] AD_DELETE_MISSING_GUID_USERS is true, GUID-based users not present in Active Directory will be deleted", listAdUsersOperation)
+ deleteMissingUsers = true
 }
 
 sc, adConfig, err := prepareClientContexts(clientConfig)
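Review bot: The `false` that UnmigrateAdGUIDUsersOnce passes for deleteMissingUsers does not actually disable deletion, because the new `else if` ORs the parameter with `os.Getenv("AD_DELETE_MISSING_GUID_USERS") == "true"`; a Rancher server whose pod environment happened to carry that variable would permanently delete users at startup, contrary to the commit message's statement that startup only logs. Resolve the environment variable once in the standalone entry point (`cmd/agent/main.go`, which today passes a literal `false`) and pass the result as the argument, and have this function trust the parameter alone, e.g. `} else if deleteMissingUsers {`. Separately, `deleteMissingUsers = false` under DRY_RUN means a dry run can never report which users would be removed; keeping the flag set and gating the actual Delete call later in the function on `!dryRun` would let the dry-run log say "would be deleted" rather than "will be skipped". UnmigrateAdGUIDUsers continues past the end of this hunk.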
@@ -353,8 +357,16 @@ func UnmigrateAdGUIDUsers(clientConfig *restclient.Config, dryRun bool) error {
 for _, user := range skippedUsers {
 logrus.Errorf("[%v] Unable to migrate user %v due to a connection failure. This user will be skipped!", listAdUsersOperation, user.originalUser.Name)
 }
- for _, user := range missingUsers {
- logrus.Errorf("[%v] User %v with GUID %v does not seem to exist in Active Directory. They may have been deleted. This user will be skipped!", listAdUsersOperation, user.originalUser.Name, user.guid)
+ for _, missingUser := range missingUsers {
+ if deleteMissingUsers {
+ logrus.Infof("[%v] User %v with GUID %v does not seem to exist in Active Directory, and deleteMissingUsers is true. Proceeding to delete this user permanently.", listAdUsersOperation, missingUser.originalUser.Name, missingUser.guid)
+ err = sc.Management.Users("").Delete(missingUser.originalUser.Name, &metav1.DeleteOptions{})
+ if err != nil {
+ logrus.Errorf("[%v] failed to delete missing user '%v' with: %v", listAdUsersOperation, missingUser.originalUser.Name, err)
+ }
+ } else {
+ logrus.Errorf("[%v] User %v with GUID %v does not seem to exist in Active Directory. They may have been deleted. This user will be skipped!", listAdUsersOperation, missingUser.originalUser.Name, missingUser.guid)
+ }
 }
 for _, userToMigrate := range usersToMigrate {