looks... good I guess?

appuio · Aug 31, 2023 · 280aad9 · 280aad9
1 parent f354592
commit 280aad9
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 1 deletion.
diff --git a/pkg/keycloakClient.go b/pkg/keycloakClient.go
@@ -70,6 +70,13 @@ func (this *KeycloakGroup) IsSameOrganization(other *KeycloakGroup) bool {
 	return this.GetPathElements()[0] == other.GetPathElements()[0] && this.GetPathElements()[1] == other.GetPathElements()[1]
 }
 
+func (this *KeycloakGroup) GetOrganizationName() string {
+	if len(this.GetPathElements()) < 2 {
+		return ""
+	}
+	return this.GetPathElements()[1]
+}
+
 func (this *KeycloakUser) GetDisplayName() string {
 	if this.FirstName == "" && this.LastName == "" {
 		return this.Email
@@ -196,6 +203,8 @@ func (this *KeycloakClient) GetGroups(token string) ([]*KeycloakGroup, error) {
 	return keycloakGroups, nil
 }
 
+// This returns all Keycloak groups with two-level path "/organizations/[ORGNAME]", but not "/organizations/[ORGNAME]/[TEAMNAME]"
+// The returned groups may have subgroups (teams), but the subgroups themselves are not part of the list.
 func (this *KeycloakClient) GetOrganizations(token string) ([]*KeycloakGroup, error) {
 	allGroups, err := this.GetGroups(token)
 	if err != nil {

diff --git a/pkg/reconcile.go b/pkg/reconcile.go
@@ -137,7 +137,8 @@ func getGrafanaPermissionsMap(keycloakUserGroups map[*KeycloakUser][]*KeycloakGr
 			}
 			for _, group := range groups {
 				if keycloakOrganization.IsSameOrganization(group) {
-					permissionsMap[keycloakOrganization.Name] = append(permissionsMap[keycloakOrganization.Name], GrafanaPermissionSpec{Uid: keycloakUser.Username, PermittedRoles: []string{"Editor", "Viewer"}})
+					permissionsMap[keycloakOrganization.GetOrganizationName()] = append(permissionsMap[keycloakOrganization.GetOrganizationName()], GrafanaPermissionSpec{Uid: keycloakUser.Username, PermittedRoles: []string{"Editor", "Viewer"}})
+					continue userLoop // don't try to find further permissions, otherwise we may get more than one permission for the same user on the same org
 				}
 			}
 		}

diff --git a/pkg/reconcilePermissions.go b/pkg/reconcilePermissions.go
@@ -3,6 +3,7 @@ package controller
 import (
 	"context"
 	"errors"
+	"fmt"
 	grafana "github.com/grafana/grafana-api-golang-client"
 	"k8s.io/klog/v2"
 	"k8s.io/utils/strings/slices"
@@ -21,6 +22,12 @@ func reconcilePermissions(ctx context.Context, grafanaPermissionsMap map[string]
 
 		for _, permission := range permissions {
 			var desiredOrgUser *grafana.OrgUser
+
+			x := ""
+			for _, u := range initialOrgUsers {
+				x = x + u.Login + "|"
+			}
+
 			for i, ou := range initialOrgUsers {
 				if ou.Login == permission.Uid {
 					desiredOrgUser = &ou
@@ -31,6 +38,17 @@ func reconcilePermissions(ctx context.Context, grafanaPermissionsMap map[string]
 				}
 			}
 
+			if desiredOrgUser == nil {
+				fmt.Printf("searching for %s in %s...not found\n", permission.Uid, x)
+				fmt.Printf("permissions exist for users: ")
+				for _, p := range permissions {
+					fmt.Printf("%s|", p.Uid)
+				}
+				fmt.Printf("\n")
+			} else {
+				//fmt.Print("found\n")
+			}
+
 			if desiredOrgUser == nil {
 				klog.Infof("User '%s' should have access to org '%s' (%d), adding", permission.Uid, grafanaOrg.Name, grafanaOrg.ID)
 				err := grafanaClient.AddOrgUser(grafanaOrg.ID, permission.Uid, permission.PermittedRoles[0])