fixing defect with SAML origin users not being properly mapped for op…

…timized user role mapping

organization/orgs.go

@@ -200,8 +200,6 @@ func (m *DefaultOrgManager) updateOrgUsers(config *ldap.Config, input *InputUpda
 		return err
 	}
 
-	lo.G.Info("User sync for org : ", org.Entity.Name)
-
 	err = m.UserMgr.UpdateOrgUsers(
 		config, uaacUsers, UpdateUsersInput{
 			OrgName:       org.Entity.Name,

organization/users.go

@@ -59,13 +59,9 @@ func (m *UserManager) UpdateOrgUsers(config *ldap.Config, uaacUsers map[string]s
 			return err
 		}
 		for _, user := range ldapUsers {
-			if _, ok := orgUsers[strings.ToLower(user.UserID)]; !ok {
-				err = m.updateLdapUser(config, updateUsersInput.OrgGUID, updateUsersInput.Role, updateUsersInput.OrgName, uaacUsers, user)
-				if err != nil {
-					return err
-				}
-			} else {
-				delete(orgUsers, strings.ToLower(user.UserID))
+			err = m.updateLdapUser(config, updateUsersInput.OrgGUID, updateUsersInput.Role, updateUsersInput.OrgName, uaacUsers, user, orgUsers)
+			if err != nil {
+				return err
 			}
 		}
 	} else {
@@ -102,7 +98,7 @@ func (m *UserManager) UpdateOrgUsers(config *ldap.Config, uaacUsers map[string]s
 
 func (m *UserManager) updateLdapUser(config *ldap.Config, orgGUID string,
 	role string, orgName string, uaacUsers map[string]string,
-	user ldap.User) error {
+	user ldap.User, orgUsers map[string]string) error {
 
 	userID := user.UserID
 	externalID := user.UserDN
@@ -112,24 +108,27 @@ func (m *UserManager) updateLdapUser(config *ldap.Config, orgGUID string,
 	}
 	userID = strings.ToLower(userID)
 
-	if _, userExists := uaacUsers[userID]; !userExists {
-		lo.G.Info("User", userID, "doesn't exist in cloud foundry, so creating user")
-		if err := m.UAACMgr.CreateExternalUser(userID, user.Email, externalID, config.Origin); err != nil {
-			lo.G.Info("Unable to create user", userID)
+	if _, ok := orgUsers[userID]; !ok {
+		if _, userExists := uaacUsers[userID]; !userExists {
+			lo.G.Info("User", userID, "doesn't exist in cloud foundry, so creating user")
+			if err := m.UAACMgr.CreateExternalUser(userID, user.Email, externalID, config.Origin); err != nil {
+				lo.G.Info("Unable to create user", userID)
+			} else {
+				uaacUsers[userID] = userID
+				if err := m.addUserToOrgAndRole(userID, orgGUID, role, orgName); err != nil {
+					lo.G.Error(err)
+					return err
+				}
+			}
 		} else {
-			uaacUsers[userID] = userID
 			if err := m.addUserToOrgAndRole(userID, orgGUID, role, orgName); err != nil {
 				lo.G.Error(err)
 				return err
 			}
 		}
 	} else {
-		if err := m.addUserToOrgAndRole(userID, orgGUID, role, orgName); err != nil {
-			lo.G.Error(err)
-			return err
-		}
+		delete(orgUsers, strings.ToLower(user.UserID))
 	}
-
 	return nil
 }
 

space/spaces.go

@@ -189,7 +189,6 @@ func (m *DefaultSpaceManager) UpdateSpaceUsers(configDir, ldapBindPassword strin
 
 func (m *DefaultSpaceManager) updateSpaceUsers(config *ldap.Config, input *InputUpdateSpaces, uaacUsers map[string]string) error {
 	if space, err := m.FindSpace(input.Org, input.Space); err == nil {
-		lo.G.Info("User sync for space", space.Entity.Name)
 		if err = m.UserMgr.UpdateSpaceUsers(config, uaacUsers, UpdateUsersInput{
 			SpaceName:     space.Entity.Name,
 			SpaceGUID:     space.MetaData.GUID,

space/users.go

@@ -49,24 +49,22 @@ type UpdateUsersInput struct {
 func (m *UserManager) UpdateSpaceUsers(config *ldap.Config, uaacUsers map[string]string, updateUsersInput UpdateUsersInput) error {
 
 	spaceUsers, err := m.cloudController.GetCFUsers(updateUsersInput.SpaceGUID, SPACES, updateUsersInput.Role)
-
 	if err != nil {
 		return err
 	}
+
+	lo.G.Debug(fmt.Sprintf("SpaceUsers before: %v", spaceUsers))
 	if config.Enabled {
 		var ldapUsers []ldap.User
 		ldapUsers, err = m.getLdapUsers(config, updateUsersInput.LdapGroupName, updateUsersInput.LdapUsers)
 		if err != nil {
 			return err
 		}
+		lo.G.Debug(fmt.Sprintf("LdapUsers: %v", ldapUsers))
 		for _, user := range ldapUsers {
-			if _, ok := spaceUsers[strings.ToLower(user.UserID)]; !ok {
-				err = m.updateLdapUser(config, updateUsersInput.SpaceGUID, updateUsersInput.OrgGUID, updateUsersInput.Role, updateUsersInput.OrgName, updateUsersInput.SpaceName, uaacUsers, user)
-				if err != nil {
-					return err
-				}
-			} else {
-				delete(spaceUsers, strings.ToLower(user.UserID))
+			err = m.updateLdapUser(config, updateUsersInput.SpaceGUID, updateUsersInput.OrgGUID, updateUsersInput.Role, updateUsersInput.OrgName, updateUsersInput.SpaceName, uaacUsers, user, spaceUsers)
+			if err != nil {
+				return err
 			}
 		}
 	} else {
@@ -98,12 +96,14 @@ func (m *UserManager) UpdateSpaceUsers(config *ldap.Config, uaacUsers map[string
 	} else {
 		lo.G.Info(fmt.Sprintf("not removing users add enable-remove-users: true to spaceConfig for org/space: %s/%s", updateUsersInput.OrgName, updateUsersInput.SpaceName))
 	}
+
+	lo.G.Debug(fmt.Sprintf("SpaceUsers after: %v", spaceUsers))
 	return nil
 }
 
 func (m *UserManager) updateLdapUser(config *ldap.Config, spaceGUID, orgGUID string,
 	role string, orgName, spaceName string, uaacUsers map[string]string,
-	user ldap.User) error {
+	user ldap.User, spaceUsers map[string]string) error {
 
 	userID := user.UserID
 	externalID := user.UserDN
@@ -113,20 +113,25 @@ func (m *UserManager) updateLdapUser(config *ldap.Config, spaceGUID, orgGUID str
 	}
 	userID = strings.ToLower(userID)
 
-	if _, userExists := uaacUsers[userID]; !userExists {
-		lo.G.Info("User", userID, "doesn't exist in cloud foundry, so creating user")
-		if err := m.UAACMgr.CreateExternalUser(userID, user.Email, externalID, config.Origin); err != nil {
-			lo.G.Info("Unable to create user", userID)
+	if _, ok := spaceUsers[userID]; !ok {
+		lo.G.Debug(fmt.Sprintf("User[%s] not found in: %v", userID, spaceUsers))
+		if _, userExists := uaacUsers[userID]; !userExists {
+			lo.G.Info("User", userID, "doesn't exist in cloud foundry, so creating user")
+			if err := m.UAACMgr.CreateExternalUser(userID, user.Email, externalID, config.Origin); err != nil {
+				lo.G.Info("Unable to create user", userID)
+			} else {
+				uaacUsers[userID] = userID
+				if err := m.addUserToOrgAndRole(userID, orgGUID, spaceGUID, role, orgName, spaceName); err != nil {
+					return err
+				}
+			}
 		} else {
-			uaacUsers[userID] = userID
 			if err := m.addUserToOrgAndRole(userID, orgGUID, spaceGUID, role, orgName, spaceName); err != nil {
 				return err
 			}
 		}
 	} else {
-		if err := m.addUserToOrgAndRole(userID, orgGUID, spaceGUID, role, orgName, spaceName); err != nil {
-			return err
-		}
+		delete(spaceUsers, strings.ToLower(user.UserID))
 	}
 	return nil
 }

space/users_test.go

@@ -140,6 +140,38 @@ var _ = Describe("given SpaceManager", func() {
 			Ω(ok).Should(BeTrue())
 		})
 
+		It("update other origin users where users are in uaac and already in space", func() {
+			config := &l.Config{
+				Enabled: true,
+				Origin:  "other",
+			}
+			uaacUsers := make(map[string]string)
+			uaacUsers["[email protected]"] = "[email protected]"
+			spaceUsers := make(map[string]string)
+			spaceUsers["[email protected]"] = "[email protected]"
+			updateUsersInput := UpdateUsersInput{
+				SpaceGUID:     "my-space-guid",
+				OrgGUID:       "my-org-guid",
+				Role:          "my-role",
+				LdapGroupName: "ldap-group-name",
+			}
+
+			ldapGroupUsers := []l.User{l.User{
+				UserDN: "user-dn",
+				UserID: "user-id",
+				Email:  "[email protected]",
+			}}
+
+			mockCloudController.EXPECT().GetCFUsers("my-space-guid", "spaces", "my-role").Return(spaceUsers, nil)
+			mockLdap.EXPECT().GetUserIDs(config, "ldap-group-name").Return(ldapGroupUsers, nil)
+
+			err := userManager.UpdateSpaceUsers(config, uaacUsers, updateUsersInput)
+			Ω(err).Should(BeNil())
+			Ω(len(uaacUsers)).Should(BeEquivalentTo(1))
+			_, ok := uaacUsers["[email protected]"]
+			Ω(ok).Should(BeTrue())
+		})
+
 		It("update ldap users where users are not in uaac", func() {
 			config := &l.Config{
 				Enabled: true,
@@ -269,8 +301,8 @@ var _ = Describe("given SpaceManager", func() {
 			uaacUsers["user-1"] = "user-1"
 			uaacUsers["user-2"] = "user-2"
 			spaceUsers := make(map[string]string)
-			spaceUsers["user-1"] = "user-1"
-			spaceUsers["user-2"] = "user-2"
+			spaceUsers["user-1"] = "asfdsdf-1"
+			spaceUsers["user-2"] = "asdfsaf-2"
 			updateUsersInput := UpdateUsersInput{
 				SpaceGUID: "my-space-guid",
 				OrgGUID:   "my-org-guid",