From cf98a437d41a8f74ebd9bb15bca631b6573caf64 Mon Sep 17 00:00:00 2001
From: David Gubler
Date: Mon, 12 Feb 2024 16:10:07 +0100
Subject: [PATCH] feat: Add ability to remove all permissions on auto_assign_org (#12)
---
 docker-compose-dev.yml | 1 +
 main.go | 6 +++---
 pkg/keycloakClient.go | 36 +++++++++++++++++------------------
 pkg/reconcile.go | 37 ++++++++++++------------------------
 4 files changed, 33 insertions(+), 47 deletions(-)
diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml
index 8f89114..fff507e 100644
--- a/docker-compose-dev.yml
+++ b/docker-compose-dev.yml
@@ -19,6 +19,7 @@ services:
 - GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://id.test.vshn.net/auth/realms/VSHN-main-dev-realm/protocol/openid-connect/token
 - GF_SERVER_DOMAIN=operator-dev-grafana.apps.cloudscale-lpg-2.appuio.cloud
 - GF_SERVER_ROOT_URL=https://operator-dev-grafana.apps.cloudscale-lpg-2.appuio.cloud
+ - GF_USERS_AUTO_ASSIGN_ORG_ID=83
 ports:
 - "3000:3000"
 labels:
diff --git a/main.go b/main.go
index 6114557..3be12d8 100644
--- a/main.go
+++ b/main.go
@@ -40,6 +40,7 @@ func main() {
 if config.GrafanaDatasourcePassword != "" {
 grafanaDatasourcePasswordHidden = "***hidden***"
 }
+ config.GrafanaClearAutoAssignOrg = os.Getenv("GRAFANA_CLEAR_AUTO_ASSIGN_ORG") == "true"
 keycloakUrl := os.Getenv("KEYCLOAK_URL")
 keycloakRealm := os.Getenv("KEYCLOAK_REALM")
@@ -51,7 +52,6 @@ func main() {
 keycloakPasswordHidden = "***hidden***"
 }
 keycloakAdminGroupPath := os.Getenv("KEYCLOAK_ADMIN_GROUP_PATH")
- keycloakAutoAssignOrgGroupPath := os.Getenv("KEYCLOAK_AUTO_ASSIGN_ORG_GROUP_PATH")
 klog.Infof("GRAFANA_URL: %s\n", grafanaUrl)
 klog.Infof("GRAFANA_USERNAME: %s\n", grafanaUsername)
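Review bot: `os.Getenv("GRAFANA_CLEAR_AUTO_ASSIGN_ORG") == "true"` silently treats `True`, `1` or a mistyped value as off, which is a quiet failure mode for a switch that, per the commit title, wipes all permissions on the auto-assign org. Parse it instead, e.g. `v := os.Getenv("GRAFANA_CLEAR_AUTO_ASSIGN_ORG")` followed by `config.GrafanaClearAutoAssignOrg, err = strconv.ParseBool(v)` when `v != ""`, and exit on a parse error the same way the Keycloak client error is handled later in `main` (this needs a `strconv` import and an `err` in scope at that point, neither of which the hunk shows). `main` begins and ends outside this hunk.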
@@ -59,15 +59,15 @@ func main() {
 klog.Infof("GRAFANA_DATASOURCE_URL: %s\n", config.GrafanaDatasourceUrl)
 klog.Infof("GRAFANA_DATASOURCE_USERNAME: %s\n", config.GrafanaDatasourceUsername)
 klog.Infof("GRAFANA_DATASOURCE_PASSWORD: %s\n", grafanaDatasourcePasswordHidden)
+ klog.Infof("GRAFANA_CLEAR_AUTO_ASSIGN_ORG: %t\n", config.GrafanaClearAutoAssignOrg)
 klog.Infof("KEYCLOAK_URL: %s\n", keycloakUrl)
 klog.Infof("KEYCLOAK_REALM: %s\n", keycloakRealm)
 klog.Infof("KEYCLOAK_USERNAME: %s\n", keycloakUsername)
 klog.Infof("KEYCLOAK_PASSWORD: %s\n", keycloakPasswordHidden)
 klog.Infof("KEYCLOAK_CLIENT_ID: %s\n", keycloakClientId)
 klog.Infof("KEYCLOAK_ADMIN_GROUP_PATH: %s\n", keycloakAdminGroupPath)
- klog.Infof("KEYCLOAK_AUTO_ASSIGN_ORG_GROUP_PATH: %s\n", keycloakAutoAssignOrgGroupPath)
- keycloakClient, err := controller.NewKeycloakClient(keycloakUrl, keycloakRealm, keycloakUsername, keycloakPassword, keycloakClientId, keycloakAdminGroupPath, keycloakAutoAssignOrgGroupPath)
+ keycloakClient, err := controller.NewKeycloakClient(keycloakUrl, keycloakRealm, keycloakUsername, keycloakPassword, keycloakClientId, keycloakAdminGroupPath)
 if err != nil {
 klog.Errorf("Could not create keycloakClient client: %v\n", err)
 os.Exit(1)
diff --git a/pkg/keycloakClient.go b/pkg/keycloakClient.go
index 8e57e3b..bef5bf8 100644
--- a/pkg/keycloakClient.go
+++ b/pkg/keycloakClient.go
@@ -14,16 +14,15 @@ import (
 )
 type KeycloakClient struct {
- baseURL url.URL
- username string
- password string
- clientId string
- realm string
- adminGroupPath string
- autoAssignOrgGroupPath string
- country string
- adminGroup *KeycloakGroup
- client *http.Client
+ baseURL url.URL
+ username string
+ password string
+ clientId string
+ realm string
+ adminGroupPath string
+ country string
+ adminGroup *KeycloakGroup
+ client *http.Client
 }
 type KeycloakUser struct {
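Review bot: A louder signal is missing for the case where `config.GrafanaClearAutoAssignOrg` is true: the new `klog.Infof` line prints it at the same level as every other setting, yet the reconcile.go change in this commit uses that flag to remove all members of the auto-assign org, so an accidentally enabled flag reads like routine config. Add a warning next to it, e.g. `if config.GrafanaClearAutoAssignOrg { klog.Warning("GRAFANA_CLEAR_AUTO_ASSIGN_ORG is enabled: all members will be removed from the auto-assign org on each reconcile") }`. The `%t` verb is the right one for the bool. `main` begins and ends outside this hunk.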
@@ -91,7 +90,7 @@ func (this *KeycloakUser) GetDisplayName() string {
 return this.FirstName + " " + this.LastName
 }
-func NewKeycloakClient(baseURL string, realm string, username string, password string, clientId string, adminGroupPath string, autoAssignOrgGroupPath string) (*KeycloakClient, error) {
+func NewKeycloakClient(baseURL string, realm string, username string, password string, clientId string, adminGroupPath string) (*KeycloakClient, error) {
 u, err := url.Parse(baseURL)
 if err != nil {
 return nil, err
@@ -104,14 +103,13 @@ func NewKeycloakClient(baseURL string, realm string, username string, password s
 }
 return &KeycloakClient{
- baseURL: *u,
- client: cli,
- realm: realm,
- username: username,
- password: password,
- clientId: clientId,
- adminGroupPath: adminGroupPath,
- autoAssignOrgGroupPath: autoAssignOrgGroupPath,
+ baseURL: *u,
+ client: cli,
+ realm: realm,
+ username: username,
+ password: password,
+ clientId: clientId,
+ adminGroupPath: adminGroupPath,
 }, nil
 }
diff --git a/pkg/reconcile.go b/pkg/reconcile.go
index bcc631c..40a32b8 100644
--- a/pkg/reconcile.go
+++ b/pkg/reconcile.go
@@ -10,6 +10,7 @@ type Config struct {
 GrafanaDatasourceUrl string
 GrafanaDatasourceUsername string
 GrafanaDatasourcePassword string
+ GrafanaClearAutoAssignOrg bool
 }
 var (
@@ -67,39 +68,25 @@ outAdmins:
 }
 klog.Infof("Found %d admin users", len(keycloakAdmins))
- klog.Infof("Extracting auto_assign_org users...")
- var keycloakAutoAssignOrgUsers []*KeycloakUser
-outAutoAssignOrgUsers:
- for _, user := range keycloakUsers {
- for _, group := range keycloakUserGroups[user] {
- if group.Path == keycloakClient.autoAssignOrgGroupPath {
- keycloakAutoAssignOrgUsers = append(keycloakAutoAssignOrgUsers, user)
- continue outAutoAssignOrgUsers
- }
+ if config.GrafanaClearAutoAssignOrg {
+ klog.Infof("Fetching auto_assign_org_id...")
+ autoAssignOrgId, err := grafanaClient.GetAutoAssignOrgId()
+ if err != nil {
+ return err
+ }
+ klog.Infof("Removing members of auto_assign_org %d", autoAssignOrgId)
+ var permissions []GrafanaPermissionSpec
+ err = reconcileSingleOrgPermissions(ctx, permissions, autoAssignOrgId, grafanaClient)
+ if err != nil {
+ return err
 }
 }
- klog.Infof("Found %d auto_assign_org users", len(keycloakAutoAssignOrgUsers))
 grafanaOrgsMap, err := reconcileAllOrgs(ctx, config, keycloakOrganizations, grafanaClient, dashboards)
 if err != nil {
 return err
 }
- klog.Infof("Fetching auto_assign_org_id...")
- autoAssignOrgId, err := grafanaClient.GetAutoAssignOrgId()
- if err != nil {
- return err
- }
- klog.Infof("Checking permissions of auto_assign_org %d", autoAssignOrgId)
- var permissions []GrafanaPermissionSpec
- for _, keycloakAutoAssignOrgUser := range keycloakAutoAssignOrgUsers {
- permissions = append(permissions, GrafanaPermissionSpec{Uid: keycloakAutoAssignOrgUser.Username, PermittedRoles: []string{"Viewer", "Editor", "Admin"}})
- }
- err = reconcileSingleOrgPermissions(ctx, permissions, autoAssignOrgId, grafanaClient)
- if err != nil {
- return err
- }
 klog.Infof("Checking permissions of normal orgs...")
 grafanaPermissionsMap := getGrafanaPermissionsMap(keycloakUserGroups, keycloakAdmins, keycloakOrganizations)
 err = reconcilePermissions(ctx, grafanaPermissionsMap, grafanaOrgsMap, grafanaClient)
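Review bot: The nil `permissions` spec handed to `reconcileSingleOrgPermissions` removes every member of the auto-assign org, and nothing in the hunk exempts the operator's own Grafana login; if that account belongs to the auto-assign org (commonly org 1, where the built-in admin lives), the operator can revoke its own membership, and as far as I recall Grafana also refuses to drop the last Admin of an org, so the wipe may end in an error on that member — confirm the helper handles both, or seed the spec with the operator account instead of leaving it nil. With the flag off the auto-assign org is now not reconciled at all, since the old group-based sync is gone, which deserves a comment on the `if`, e.g. `// Without GRAFANA_CLEAR_AUTO_ASSIGN_ORG the auto-assign org is left untouched.` The enclosing reconcile function begins and ends outside this hunk.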