fix: ignore Keycloak groups which are not Lagoon groups

If the Keycloak Group ID doesn't appear in the Lagoon groups-projects mapping table then there's no way to know which regex to use for the role generation, so there's no way to create an Opensearch role.
uselagoon · May 6, 2024 · 174bb66 · 174bb66
1 parent ad0f049
commit 174bb66
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 12 deletions.
diff --git a/internal/sync/indexpatterns.go b/internal/sync/indexpatterns.go
@@ -179,7 +179,7 @@ func generateIndexPatterns(
 	var patterns []string
 	var err error
 	for _, group := range groups {
-		if isProjectGroup(log, group) {
+		if !isLagoonGroup(group, groupProjectsMap) || isProjectGroup(log, group) {
 			continue
 		}
 		patterns, err = generateIndexPatternsForGroup(log, group, projectNames,

diff --git a/internal/sync/roles.go b/internal/sync/roles.go
@@ -58,6 +58,17 @@ func isProjectGroup(log *zap.Logger, group keycloak.Group) bool {
 	return true
 }
 
+// isLagoonGroup inspects the given group to determine if it is a Lagoon group.
+//
+// It checks if the group ID appears in the groupProjectsMap.
+func isLagoonGroup(
+	group keycloak.Group,
+	groupProjectsMap map[string][]int,
+) bool {
+	_, ok := groupProjectsMap[group.ID]
+	return ok
+}
+
 // projectGroupRoleName generates the name of a project group role from the
 // ID of the group's project.
 func projectGroupRoleName(
@@ -175,8 +186,8 @@ func generateRegularGroupRole(
 // generateRoles returns a slice of roles generated from the given slice of
 // keycloak Groups.
 //
-// Any groups which are not recognized as project groups are assumed to be
-// Lagoon groups.
+// Any groups which are not recognized as either project groups or regular
+// Lagoon groups are ignored.
 func generateRoles(
 	log *zap.Logger,
 	groups []keycloak.Group,
@@ -195,7 +206,7 @@ func generateRoles(
 					zap.String("group name", group.Name), zap.Error(err))
 				continue
 			}
-		} else {
+		} else if isLagoonGroup(group, groupProjectsMap) {
 			name, role, err =
 				generateRegularGroupRole(log, group, projectNames, groupProjectsMap)
 			if err != nil {

diff --git a/internal/sync/rolesmapping.go b/internal/sync/rolesmapping.go
@@ -57,8 +57,8 @@ func calculateRoleMappingDiff(
 // generateRolesMapping returns a slice of rolesmapping generated from the
 // given slice of keycloak Groups.
 //
-// Any groups which are not recognized as project groups are assumed to be
-// Lagoon groups.
+// Any groups which are not recognized as either project groups or regular
+// Lagoon groups are ignored.
 func generateRolesMapping(
 	log *zap.Logger,
 	groups []keycloak.Group,
@@ -82,7 +82,7 @@ func generateRolesMapping(
 					Users:           []string{},
 				},
 			}
-		} else {
+		} else if isLagoonGroup(group, groupProjectsMap) {
 			rolesmapping[group.Name] = opensearch.RoleMapping{
 				RoleMappingPermissions: opensearch.RoleMappingPermissions{
 					BackendRoles:    []string{group.Name},

diff --git a/internal/sync/sync.go b/internal/sync/sync.go
@@ -108,7 +108,7 @@ func Sync(ctx context.Context, log *zap.Logger, l LagoonDBService,
 	for _, object := range objects {
 		switch object {
 		case "tenants":
-			syncTenants(ctx, log, groupsSansGlobal, o, dryRun)
+			syncTenants(ctx, log, groupsSansGlobal, groupProjectsMap, o, dryRun)
 		case "roles":
 			syncRoles(ctx, log, groups, projectNames, roles, groupProjectsMap, o, dryRun)
 		case "rolesmapping":

diff --git a/internal/sync/tenants.go b/internal/sync/tenants.go
@@ -57,10 +57,11 @@ func calculateTenantDiff(existing, required map[string]opensearch.Tenant) (
 func generateTenants(
 	log *zap.Logger,
 	groups []keycloak.Group,
+	groupProjectsMap map[string][]int,
 ) map[string]opensearch.Tenant {
 	tenants := map[string]opensearch.Tenant{}
 	for _, group := range groups {
-		if isProjectGroup(log, group) {
+		if !isLagoonGroup(group, groupProjectsMap) || isProjectGroup(log, group) {
 			continue
 		}
 		tenants[group.Name] = opensearch.Tenant{
@@ -90,8 +91,14 @@ func filterTenants(
 }
 
 // syncTenants reconciles Opensearch tenants with Lagoon keycloak groups.
-func syncTenants(ctx context.Context, log *zap.Logger, groups []keycloak.Group,
-	o OpensearchService, dryRun bool) {
+func syncTenants(
+	ctx context.Context,
+	log *zap.Logger,
+	groups []keycloak.Group,
+	groupProjectsMap map[string][]int,
+	o OpensearchService,
+	dryRun bool,
+) {
 	// get tenants from Opensearch
 	existing, err := o.Tenants(ctx)
 	if err != nil {
@@ -101,7 +108,7 @@ func syncTenants(ctx context.Context, log *zap.Logger, groups []keycloak.Group,
 	// ignore non-lagoon tenants
 	existing = filterTenants(existing)
 	// generate the tenants required by Lagoon
-	required := generateTenants(log, groups)
+	required := generateTenants(log, groups, groupProjectsMap)
 	// calculate tenants to add/remove
 	toCreate, toDelete := calculateTenantDiff(existing, required)
 	for _, name := range toDelete {