diff --git a/internal/sync/indexpatterns.go b/internal/sync/indexpatterns.go index 7db8fa6..345c722 100644 --- a/internal/sync/indexpatterns.go +++ b/internal/sync/indexpatterns.go @@ -179,7 +179,7 @@ func generateIndexPatterns( var patterns []string var err error for _, group := range groups { - if isProjectGroup(log, group) { + if !isLagoonGroup(group, groupProjectsMap) || isProjectGroup(log, group) { continue } patterns, err = generateIndexPatternsForGroup(log, group, projectNames, diff --git a/internal/sync/roles.go b/internal/sync/roles.go index e7af613..a1162fb 100644 --- a/internal/sync/roles.go +++ b/internal/sync/roles.go @@ -58,6 +58,17 @@ func isProjectGroup(log *zap.Logger, group keycloak.Group) bool { return true } +// isLagoonGroup inspects the given group to determine if it is a Lagoon group. +// +// It checks if the group ID appears in the groupProjectsMap. +func isLagoonGroup( + group keycloak.Group, + groupProjectsMap map[string][]int, +) bool { + _, ok := groupProjectsMap[group.ID] + return ok +} + // projectGroupRoleName generates the name of a project group role from the // ID of the group's project. func projectGroupRoleName( @@ -175,8 +186,8 @@ func generateRegularGroupRole( // generateRoles returns a slice of roles generated from the given slice of // keycloak Groups. // -// Any groups which are not recognized as project groups are assumed to be -// Lagoon groups. +// Any groups which are not recognized as either project groups or regular +// Lagoon groups are ignored. func generateRoles( log *zap.Logger, groups []keycloak.Group, @@ -195,7 +206,7 @@ func generateRoles( zap.String("group name", group.Name), zap.Error(err)) continue } - } else { + } else if isLagoonGroup(group, groupProjectsMap) { name, role, err = generateRegularGroupRole(log, group, projectNames, groupProjectsMap) if err != nil { diff --git a/internal/sync/rolesmapping.go b/internal/sync/rolesmapping.go index a216dc6..cebcf6f 100644 --- a/internal/sync/rolesmapping.go 
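Review bot: The regular-Lagoon-group test in generateIndexPatterns is now spelled `if !isLagoonGroup(group, groupProjectsMap) || isProjectGroup(log, group) { continue }`, the same expression generateTenants uses, while generateRoles and generateRolesMapping express it as an if/else-if chain; four hand-written copies of one access classification are easy to let drift. A single helper next to isLagoonGroup, e.g. `func isRegularLagoonGroup(log *zap.Logger, group keycloak.Group, groupProjectsMap map[string][]int) bool { return isLagoonGroup(group, groupProjectsMap) && !isProjectGroup(log, group) }`, would let all four call sites share it. Note also that the order here skips isProjectGroup for groups absent from the map, whereas generateRoles still calls isProjectGroup on every group; if isProjectGroup emits diagnostics for malformed groups, that difference is visible to operators. generateIndexPatterns starts and ends outside this hunk.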
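Review bot: The doc comment on isLagoonGroup says it "inspects the given group", but the body is a pure key lookup on group.ID, and the contract the other hunks rely on is that any Keycloak group without an entry in groupProjectsMap is treated as foreign and dropped from every sync. Suggested comment: `// isLagoonGroup reports whether group is known to Lagoon, i.e. whether its Keycloak ID is a key of groupProjectsMap (group ID -> project IDs). Groups absent from the map are ignored by the sync even if they exist in Keycloak.` One consequence to confirm: if groupProjectsMap is built from group-to-project associations (it is produced outside this diff), a legitimate Lagoon group that currently has no projects has no entry and would lose its role, role mapping and tenant on the next run instead of, as before, receiving empty ones.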
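Review bot: With the new `} else if isLagoonGroup(group, groupProjectsMap) {` branch there is now a path through the loop body where neither branch runs, and because the assignments use `=` rather than `:=`, name and role are declared earlier; whatever follows the chain (outside this hunk, presumably the store into the roles map) then sees either zero values or the previous iteration's values for an ignored group. Unless that tail already guards against it, add an explicit final branch that skips the group, `} else { continue }`, ideally preceded by `log.Debug("ignoring group not known to Lagoon", zap.String("group name", group.Name))` so operators can see why a group received no role. generateRoles' body continues past the hunk.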
+++ b/internal/sync/rolesmapping.go @@ -57,8 +57,8 @@ func calculateRoleMappingDiff( // generateRolesMapping returns a slice of rolesmapping generated from the // given slice of keycloak Groups. // -// Any groups which are not recognized as project groups are assumed to be -// Lagoon groups. +// Any groups which are not recognized as either project groups or regular +// Lagoon groups are ignored. func generateRolesMapping( log *zap.Logger, groups []keycloak.Group, @@ -82,7 +82,7 @@ func generateRolesMapping( Users: []string{}, }, } - } else { + } else if isLagoonGroup(group, groupProjectsMap) { rolesmapping[group.Name] = opensearch.RoleMapping{ RoleMappingPermissions: opensearch.RoleMappingPermissions{ BackendRoles: []string{group.Name}, diff --git a/internal/sync/sync.go b/internal/sync/sync.go index 9e37325..667ef92 100644 --- a/internal/sync/sync.go +++ b/internal/sync/sync.go @@ -108,7 +108,7 @@ func Sync(ctx context.Context, log *zap.Logger, l LagoonDBService, for _, object := range objects { switch object { case "tenants": - syncTenants(ctx, log, groupsSansGlobal, o, dryRun) + syncTenants(ctx, log, groupsSansGlobal, groupProjectsMap, o, dryRun) case "roles": syncRoles(ctx, log, groups, projectNames, roles, groupProjectsMap, o, dryRun) case "rolesmapping": diff --git a/internal/sync/tenants.go b/internal/sync/tenants.go index 82466ff..a50a4bb 100644 --- a/internal/sync/tenants.go +++ b/internal/sync/tenants.go @@ -57,10 +57,11 @@ func calculateTenantDiff(existing, required map[string]opensearch.Tenant) ( func generateTenants( log *zap.Logger, groups []keycloak.Group, + groupProjectsMap map[string][]int, ) map[string]opensearch.Tenant { tenants := map[string]opensearch.Tenant{} for _, group := range groups { - if isProjectGroup(log, group) { + if !isLagoonGroup(group, groupProjectsMap) || isProjectGroup(log, group) { continue } tenants[group.Name] = opensearch.Tenant{ 
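Review bot: The new `} else if isLagoonGroup(group, groupProjectsMap) {` branch drops unknown groups from the required map without any trace, and if calculateRoleMappingDiff (declared near line 57 of this file, outside the hunk) derives deletions from what is missing in required, any mapping an earlier version of this tool created for such a group is revoked on the next run. That is presumably the intended tightening, but it changes who can reach OpenSearch, so a final `else` with `log.Info("ignoring group not known to Lagoon", zap.String("group name", group.Name))` would give operators a line to correlate with the removal, and the behaviour change belongs in the release notes. generateRolesMapping continues outside the hunk.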
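Review bot: Every sync object now reconciles against groupProjectsMap, so an empty or partial map (the call that produces it is outside this hunk) no longer degrades into roles without index permissions but turns every regular group into a deletion of its role, role mapping, tenant and index patterns in a single run. Before the `for _, object := range objects` loop, refuse to proceed when nothing was loaded, e.g. `if len(groupProjectsMap) == 0 { log.Error("no group/project associations loaded, refusing to sync"); return }`, so a transient Lagoon DB problem fails closed rather than destructively. Whether Sync already validates the map elsewhere cannot be seen from this hunk.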
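Review bot: generateTenants now silently skips groups absent from groupProjectsMap, but its doc comment sits just above the hunk and, unlike the generateRoles and generateRolesMapping comments updated in this same change, is not adjusted; a reader of the signature sees the new `groupProjectsMap map[string][]int` parameter with no stated meaning. Suggested addition to that comment: `// Only groups whose ID appears in groupProjectsMap are given a tenant; project groups and groups unknown to Lagoon are skipped. The map's values are not consulted here.` generateTenants' body continues outside the hunk.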
@@ -90,8 +91,14 @@ func filterTenants( } // syncTenants reconciles Opensearch tenants with Lagoon keycloak groups. -func syncTenants(ctx context.Context, log *zap.Logger, groups []keycloak.Group, - o OpensearchService, dryRun bool) { +func syncTenants( + ctx context.Context, + log *zap.Logger, + groups []keycloak.Group, + groupProjectsMap map[string][]int, + o OpensearchService, + dryRun bool, +) { // get tenants from Opensearch existing, err := o.Tenants(ctx) if err != nil { @@ -101,7 +108,7 @@ func syncTenants(ctx context.Context, log *zap.Logger, groups []keycloak.Group, // ignore non-lagoon tenants existing = filterTenants(existing) // generate the tenants required by Lagoon - required := generateTenants(log, groups) + required := generateTenants(log, groups, groupProjectsMap) // calculate tenants to add/remove toCreate, toDelete := calculateTenantDiff(existing, required) for _, name := range toDelete {
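Review bot: With `required := generateTenants(log, groups, groupProjectsMap)` excluding groups unknown to Lagoon, any tenant those groups received from a previous version of the sync now lands in toDelete, and the only thing standing between an unrelated tenant and deletion is filterTenants, which is outside the hunk. Deleting a tenant is destructive from the user's point of view and is not undone by a later run, so the `for _, name := range toDelete` loop should log each name at Warn together with the reason, and the upgrade notes should recommend a `dryRun` pass first to review the list. The loop body is outside this hunk.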