From 280aad961876fa8a4eb5768b4700aa700c170349 Mon Sep 17 00:00:00 2001
From: David Gubler
Date: Thu, 31 Aug 2023 10:49:39 +0200
Subject: [PATCH] looks... good I guess?
---
 pkg/keycloakClient.go | 9 +++++++++
 pkg/reconcile.go | 3 ++-
 pkg/reconcilePermissions.go | 18 ++++++++++++++++++
 3 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/pkg/keycloakClient.go b/pkg/keycloakClient.go
index 1b1c102..5155873 100644
--- a/pkg/keycloakClient.go
+++ b/pkg/keycloakClient.go
@@ -70,6 +70,13 @@ func (this *KeycloakGroup) IsSameOrganization(other *KeycloakGroup) bool {
 return this.GetPathElements()[0] == other.GetPathElements()[0] && this.GetPathElements()[1] == other.GetPathElements()[1]
 }
+func (this *KeycloakGroup) GetOrganizationName() string {
+ if len(this.GetPathElements()) < 2 {
+ return ""
+ }
+ return this.GetPathElements()[1]
+}
+
 func (this *KeycloakUser) GetDisplayName() string {
 if this.FirstName == "" && this.LastName == "" {
 return this.Email
@@ -196,6 +203,8 @@ func (this *KeycloakClient) GetGroups(token string) ([]*KeycloakGroup, error) {
 return keycloakGroups, nil
 }
+// This returns all Keycloak groups with two-level path "/organizations/[ORGNAME]", but not "/organizations/[ORGNAME]/[TEAMNAME]"
+// The returned groups may have subgroups (teams), but the subgroups themselves are not part of the list.
 func (this *KeycloakClient) GetOrganizations(token string) ([]*KeycloakGroup, error) {
 allGroups, err := this.GetGroups(token)
 if err != nil {
diff --git a/pkg/reconcile.go b/pkg/reconcile.go
index 2e66e01..e75a04a 100644
--- a/pkg/reconcile.go
+++ b/pkg/reconcile.go
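Review bot: In the first hunk, `GetOrganizationName` returns the second path element of any group that has at least two elements and never checks that the first element is the organizations root described in the comment added to `GetOrganizations`, so a group outside that subtree would still yield a name; for shorter paths it returns `""`. The new caller in pkg/reconcile.go uses the result as the key of the permissions map, so the method should carry a doc comment stating both cases, for example `// GetOrganizationName returns the second path element of the group, or "" if the path has fewer than two elements; it does not verify the first element.` Reading the path once into a local, `elements := this.GetPathElements()`, would also avoid computing it twice. The neighbouring `IsSameOrganization` indexes `[0]` and `[1]` with no length check, so the two methods currently disagree on how a short path is treated.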
@@ -137,7 +137,8 @@ func getGrafanaPermissionsMap(keycloakUserGroups map[*KeycloakUser][]*KeycloakGr
 }
 for _, group := range groups {
 if keycloakOrganization.IsSameOrganization(group) {
- permissionsMap[keycloakOrganization.Name] = append(permissionsMap[keycloakOrganization.Name], GrafanaPermissionSpec{Uid: keycloakUser.Username, PermittedRoles: []string{"Editor", "Viewer"}})
+ permissionsMap[keycloakOrganization.GetOrganizationName()] = append(permissionsMap[keycloakOrganization.GetOrganizationName()], GrafanaPermissionSpec{Uid: keycloakUser.Username, PermittedRoles: []string{"Editor", "Viewer"}})
+ continue userLoop // don't try to find further permissions, otherwise we may get more than one permission for the same user on the same org
 }
 }
 }
diff --git a/pkg/reconcilePermissions.go b/pkg/reconcilePermissions.go
index b9792e2..8626918 100644
--- a/pkg/reconcilePermissions.go
+++ b/pkg/reconcilePermissions.go
@@ -3,6 +3,7 @@ package controller
 import (
 "context"
 "errors"
+ "fmt"
 grafana "github.com/grafana/grafana-api-golang-client"
 "k8s.io/klog/v2"
 "k8s.io/utils/strings/slices"
@@ -21,6 +22,12 @@ func reconcilePermissions(ctx context.Context, grafanaPermissionsMap map[string]
 for _, permission := range permissions {
 var desiredOrgUser *grafana.OrgUser
+
+ x := ""
+ for _, u := range initialOrgUsers {
+ x = x + u.Login + "|"
+ }
+
 for i, ou := range initialOrgUsers {
 if ou.Login == permission.Uid {
 desiredOrgUser = &ou
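Review bot: `continue userLoop` in the pkg/reconcile.go hunk jumps to a label declared outside the hunk, so the visible lines do not show which loop it resumes. If `userLoop` labels a loop over users nested inside the loop over organizations, the change does what its comment says; if the nesting is the other way round, a user who belongs to several organizations would get a permission entry only for the first one matched, so this should be confirmed and stated in the comment. The append line also calls `GetOrganizationName()` twice; a local such as `orgName := keycloakOrganization.GetOrganizationName()` before it would make the map key explicit. getGrafanaPermissionsMap starts and ends outside the hunk.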
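Review bot: The string `x` built in the `@@ -21,6 +22,12 @@` hunk and the `fmt.Printf` block in the following `@@ -31,6 +38,17 @@` hunk read as leftover debugging: for each user not yet in the org they write every Grafana org user login and every permitted Uid to stdout, bypassing the `klog` logger used by the surrounding code. `x` is rebuilt by `+` concatenation on every iteration of the `permissions` loop although it is only read in the not-found branch, and the `else` branch holds nothing but a commented-out print. I would drop both additions, or keep one line inside the existing `if desiredOrgUser == nil` block, such as `klog.V(4).Infof("user %q not found among %d org users", permission.Uid, len(initialOrgUsers))`. Using `%q` rather than `%s` for identity-provider strings also keeps control characters in them from splitting log lines. reconcilePermissions begins and ends outside both hunks.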
@@ -31,6 +38,17 @@ func reconcilePermissions(ctx context.Context, grafanaPermissionsMap map[string]
 }
 }
+ if desiredOrgUser == nil {
+ fmt.Printf("searching for %s in %s...not found\n", permission.Uid, x)
+ fmt.Printf("permissions exist for users: ")
+ for _, p := range permissions {
+ fmt.Printf("%s|", p.Uid)
+ }
+ fmt.Printf("\n")
+ } else {
+ //fmt.Print("found\n")
+ }
+
 if desiredOrgUser == nil {
 klog.Infof("User '%s' should have access to org '%s' (%d), adding", permission.Uid, grafanaOrg.Name, grafanaOrg.ID)
 err := grafanaClient.AddOrgUser(grafanaOrg.ID, permission.Uid, permission.PermittedRoles[0])