feat: Add ability to remove all permissions on auto_assign_org (#12)

appuio · Feb 12, 2024 · cf98a43 · cf98a43
1 parent 31d98b9
commit cf98a43
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 47 deletions.
diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml
@@ -19,6 +19,7 @@ services:
       - GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://id.test.vshn.net/auth/realms/VSHN-main-dev-realm/protocol/openid-connect/token
       - GF_SERVER_DOMAIN=operator-dev-grafana.apps.cloudscale-lpg-2.appuio.cloud
       - GF_SERVER_ROOT_URL=https://operator-dev-grafana.apps.cloudscale-lpg-2.appuio.cloud
+      - GF_USERS_AUTO_ASSIGN_ORG_ID=83
     ports:
       - "3000:3000"
     labels:

diff --git a/main.go b/main.go
@@ -40,6 +40,7 @@ func main() {
 	if config.GrafanaDatasourcePassword != "" {
 		grafanaDatasourcePasswordHidden = "***hidden***"
 	}
+	config.GrafanaClearAutoAssignOrg = os.Getenv("GRAFANA_CLEAR_AUTO_ASSIGN_ORG") == "true"
 
 	keycloakUrl := os.Getenv("KEYCLOAK_URL")
 	keycloakRealm := os.Getenv("KEYCLOAK_REALM")
@@ -51,23 +52,22 @@ func main() {
 		keycloakPasswordHidden = "***hidden***"
 	}
 	keycloakAdminGroupPath := os.Getenv("KEYCLOAK_ADMIN_GROUP_PATH")
-	keycloakAutoAssignOrgGroupPath := os.Getenv("KEYCLOAK_AUTO_ASSIGN_ORG_GROUP_PATH")
 
 	klog.Infof("GRAFANA_URL:                         %s\n", grafanaUrl)
 	klog.Infof("GRAFANA_USERNAME:                    %s\n", grafanaUsername)
 	klog.Infof("GRAFANA_PASSWORD:                    %s\n", grafanaPasswordHidden)
 	klog.Infof("GRAFANA_DATASOURCE_URL:              %s\n", config.GrafanaDatasourceUrl)
 	klog.Infof("GRAFANA_DATASOURCE_USERNAME:         %s\n", config.GrafanaDatasourceUsername)
 	klog.Infof("GRAFANA_DATASOURCE_PASSWORD:         %s\n", grafanaDatasourcePasswordHidden)
+	klog.Infof("GRAFANA_CLEAR_AUTO_ASSIGN_ORG:       %t\n", config.GrafanaClearAutoAssignOrg)
 	klog.Infof("KEYCLOAK_URL:                        %s\n", keycloakUrl)
 	klog.Infof("KEYCLOAK_REALM:                      %s\n", keycloakRealm)
 	klog.Infof("KEYCLOAK_USERNAME:                   %s\n", keycloakUsername)
 	klog.Infof("KEYCLOAK_PASSWORD:                   %s\n", keycloakPasswordHidden)
 	klog.Infof("KEYCLOAK_CLIENT_ID:                  %s\n", keycloakClientId)
 	klog.Infof("KEYCLOAK_ADMIN_GROUP_PATH:           %s\n", keycloakAdminGroupPath)
-	klog.Infof("KEYCLOAK_AUTO_ASSIGN_ORG_GROUP_PATH: %s\n", keycloakAutoAssignOrgGroupPath)
 
-	keycloakClient, err := controller.NewKeycloakClient(keycloakUrl, keycloakRealm, keycloakUsername, keycloakPassword, keycloakClientId, keycloakAdminGroupPath, keycloakAutoAssignOrgGroupPath)
+	keycloakClient, err := controller.NewKeycloakClient(keycloakUrl, keycloakRealm, keycloakUsername, keycloakPassword, keycloakClientId, keycloakAdminGroupPath)
 	if err != nil {
 		klog.Errorf("Could not create keycloakClient client: %v\n", err)
 		os.Exit(1)

diff --git a/pkg/keycloakClient.go b/pkg/keycloakClient.go
@@ -14,16 +14,15 @@ import (
 )
 
 type KeycloakClient struct {
-	baseURL                url.URL
-	username               string
-	password               string
-	clientId               string
-	realm                  string
-	adminGroupPath         string
-	autoAssignOrgGroupPath string
-	country                string
-	adminGroup             *KeycloakGroup
-	client                 *http.Client
+	baseURL        url.URL
+	username       string
+	password       string
+	clientId       string
+	realm          string
+	adminGroupPath string
+	country        string
+	adminGroup     *KeycloakGroup
+	client         *http.Client
 }
 
 type KeycloakUser struct {
@@ -91,7 +90,7 @@ func (this *KeycloakUser) GetDisplayName() string {
 	return this.FirstName + " " + this.LastName
 }
 
-func NewKeycloakClient(baseURL string, realm string, username string, password string, clientId string, adminGroupPath string, autoAssignOrgGroupPath string) (*KeycloakClient, error) {
+func NewKeycloakClient(baseURL string, realm string, username string, password string, clientId string, adminGroupPath string) (*KeycloakClient, error) {
 	u, err := url.Parse(baseURL)
 	if err != nil {
 		return nil, err
@@ -104,14 +103,13 @@ func NewKeycloakClient(baseURL string, realm string, username string, password s
 	}
 
 	return &KeycloakClient{
-		baseURL:                *u,
-		client:                 cli,
-		realm:                  realm,
-		username:               username,
-		password:               password,
-		clientId:               clientId,
-		adminGroupPath:         adminGroupPath,
-		autoAssignOrgGroupPath: autoAssignOrgGroupPath,
+		baseURL:        *u,
+		client:         cli,
+		realm:          realm,
+		username:       username,
+		password:       password,
+		clientId:       clientId,
+		adminGroupPath: adminGroupPath,
 	}, nil
 }
 

diff --git a/pkg/reconcile.go b/pkg/reconcile.go
@@ -10,6 +10,7 @@ type Config struct {
 	GrafanaDatasourceUrl      string
 	GrafanaDatasourceUsername string
 	GrafanaDatasourcePassword string
+	GrafanaClearAutoAssignOrg bool
 }
 
 var (
@@ -67,39 +68,25 @@ outAdmins:
 	}
 	klog.Infof("Found %d admin users", len(keycloakAdmins))
 
-	klog.Infof("Extracting auto_assign_org users...")
-	var keycloakAutoAssignOrgUsers []*KeycloakUser
-outAutoAssignOrgUsers:
-	for _, user := range keycloakUsers {
-		for _, group := range keycloakUserGroups[user] {
-			if group.Path == keycloakClient.autoAssignOrgGroupPath {
-				keycloakAutoAssignOrgUsers = append(keycloakAutoAssignOrgUsers, user)
-				continue outAutoAssignOrgUsers
-			}
+	if config.GrafanaClearAutoAssignOrg {
+		klog.Infof("Fetching auto_assign_org_id...")
+		autoAssignOrgId, err := grafanaClient.GetAutoAssignOrgId()
+		if err != nil {
+			return err
+		}
+		klog.Infof("Removing members of auto_assign_org %d", autoAssignOrgId)
+		var permissions []GrafanaPermissionSpec
+		err = reconcileSingleOrgPermissions(ctx, permissions, autoAssignOrgId, grafanaClient)
+		if err != nil {
+			return err
 		}
 	}
-	klog.Infof("Found %d auto_assign_org users", len(keycloakAutoAssignOrgUsers))
 
 	grafanaOrgsMap, err := reconcileAllOrgs(ctx, config, keycloakOrganizations, grafanaClient, dashboards)
 	if err != nil {
 		return err
 	}
 
-	klog.Infof("Fetching auto_assign_org_id...")
-	autoAssignOrgId, err := grafanaClient.GetAutoAssignOrgId()
-	if err != nil {
-		return err
-	}
-	klog.Infof("Checking permissions of auto_assign_org %d", autoAssignOrgId)
-	var permissions []GrafanaPermissionSpec
-	for _, keycloakAutoAssignOrgUser := range keycloakAutoAssignOrgUsers {
-		permissions = append(permissions, GrafanaPermissionSpec{Uid: keycloakAutoAssignOrgUser.Username, PermittedRoles: []string{"Viewer", "Editor", "Admin"}})
-	}
-	err = reconcileSingleOrgPermissions(ctx, permissions, autoAssignOrgId, grafanaClient)
-	if err != nil {
-		return err
-	}
-
 	klog.Infof("Checking permissions of normal orgs...")
 	grafanaPermissionsMap := getGrafanaPermissionsMap(keycloakUserGroups, keycloakAdmins, keycloakOrganizations)
 	err = reconcilePermissions(ctx, grafanaPermissionsMap, grafanaOrgsMap, grafanaClient)