Merge pull request #161 from uselagoon/multi-project-project-default-groups

Update roles and rolesmapping handling to match Lagoon permission logic

Author: smlx

internal/sync/roles.go

@@ -3,7 +3,6 @@ package sync
 import (
 	"context"
 	"fmt"
-	"strings"
 
 	"github.com/uselagoon/lagoon-opensearch-sync/internal/keycloak"
 	"github.com/uselagoon/lagoon-opensearch-sync/internal/opensearch"
@@ -69,40 +68,13 @@ func isLagoonGroup(
 	return ok
 }
 
-// projectGroupRoleName generates the name of a project group role from the
-// ID of the group's project.
-func projectGroupRoleName(
-	group keycloak.Group,
-	groupProjectsMap map[string][]int,
-) (string, error) {
-	projectIDs, ok := groupProjectsMap[group.ID]
-	if !ok {
-		return "", fmt.Errorf("missing project group ID %s in groupProjectsMap",
-			group.ID)
-	}
-	if len(projectIDs) != 1 {
-		return "", fmt.Errorf("too many projects in group ID %s: %d", group.ID,
-			len(projectIDs))
-	}
-	if projectIDs[0] < 0 {
-		return "", fmt.Errorf("invalid project ID in group ID %s: %d", group.ID,
-			projectIDs[0])
-	}
-	return fmt.Sprintf("p%d", projectIDs[0]), nil
-}
-
-// generateProjectGroupRole constructs an opensearch.Role from the given
-// keycloak group corresponding to a Lagoon project group.
-func generateProjectGroupRole(
-	group keycloak.Group,
-	groupProjectsMap map[string][]int,
-) (string, *opensearch.Role, error) {
-	name, err := projectGroupRoleName(group, groupProjectsMap)
-	if err != nil {
-		return "", nil,
-			fmt.Errorf("couldn't generate project group role name: %v", err)
-	}
-	return name, &opensearch.Role{
+// generateProjectRole constructs an opensearch.Role from the given
+// project ID and project name.
+func generateProjectRole(
+	id int,
+	name string,
+) (string, *opensearch.Role) {
+	return fmt.Sprintf("p%d", id), &opensearch.Role{
 		RolePermissions: opensearch.RolePermissions{
 			// use an empty slice instead of omitting this entirely because the
 			// Opensearch API errors if this field is omitted.
@@ -115,8 +87,7 @@ func generateProjectGroupRole(
 					},
 					IndexPatterns: []string{
 						fmt.Sprintf(
-							`/^(application|container|lagoon|router)-logs-%s-_-.+/`,
-							strings.TrimPrefix(group.Name, "project-")),
+							`/^(application|container|lagoon|router)-logs-%s-_-.+/`, name),
 					},
 				},
 			},
@@ -127,7 +98,7 @@ func generateProjectGroupRole(
 				},
 			},
 		},
-	}, nil
+	}
 }
 
 // generateRegularGroupRole constructs an opensearch.Role from the given
@@ -184,10 +155,12 @@ func generateRegularGroupRole(
 }
 
 // generateRoles returns a slice of roles generated from the given slice of
-// keycloak Groups.
+// keycloak Groups, and the projectNames map.
 //
 // Any groups which are not recognized as either project groups or regular
 // Lagoon groups are ignored.
+//
+// All projectNames map entries generate a single role.
 func generateRoles(
 	log *zap.Logger,
 	groups []keycloak.Group,
@@ -199,14 +172,7 @@ func generateRoles(
 	var role *opensearch.Role
 	var err error
 	for _, group := range groups {
-		if isProjectGroup(log, group) {
-			name, role, err = generateProjectGroupRole(group, groupProjectsMap)
-			if err != nil {
-				log.Warn("couldn't generate role for project group",
-					zap.String("group name", group.Name), zap.Error(err))
-				continue
-			}
-		} else if isLagoonGroup(group, groupProjectsMap) {
+		if isLagoonGroup(group, groupProjectsMap) && !isProjectGroup(log, group) {
 			name, role, err =
 				generateRegularGroupRole(log, group, projectNames, groupProjectsMap)
 			if err != nil {
@@ -219,6 +185,10 @@ func generateRoles(
 			roles[name] = *role
 		}
 	}
+	for pid, pname := range projectNames {
+		name, role = generateProjectRole(pid, pname)
+		roles[name] = *role
+	}
 	return roles
 }
 

internal/sync/roles_test.go

@@ -70,7 +70,7 @@ func TestGenerateRoles(t *testing.T) {
 		input  generateRolesInput
 		expect generateRolesOutput
 	}{
-		"generate roles for regular group": {
+		"generate roles for regular group and projects": {
 			input: generateRolesInput{
 				groups: []keycloak.Group{
 					{
@@ -121,10 +121,98 @@ func TestGenerateRoles(t *testing.T) {
 							},
 						},
 					},
+					"p31": {
+						RolePermissions: opensearch.RolePermissions{
+							ClusterPermissions: []string{},
+							IndexPermissions: []opensearch.IndexPermission{
+								{
+									AllowedActions: []string{
+										"read",
+										"indices:monitor/settings/get",
+									},
+									IndexPatterns: []string{
+										"/^(application|container|lagoon|router)-logs-drupal9-base-_-.+/",
+									},
+								},
+							},
+							TenantPermissions: []opensearch.TenantPermission{
+								{
+									AllowedActions: []string{"kibana_all_read"},
+									TenantPatterns: []string{"global_tenant"},
+								},
+							},
+						},
+					},
+					"p34": {
+						RolePermissions: opensearch.RolePermissions{
+							ClusterPermissions: []string{},
+							IndexPermissions: []opensearch.IndexPermission{
+								{
+									AllowedActions: []string{
+										"read",
+										"indices:monitor/settings/get",
+									},
+									IndexPatterns: []string{
+										"/^(application|container|lagoon|router)-logs-somelongerprojectname-_-.+/",
+									},
+								},
+							},
+							TenantPermissions: []opensearch.TenantPermission{
+								{
+									AllowedActions: []string{"kibana_all_read"},
+									TenantPatterns: []string{"global_tenant"},
+								},
+							},
+						},
+					},
+					"p35": {
+						RolePermissions: opensearch.RolePermissions{
+							ClusterPermissions: []string{},
+							IndexPermissions: []opensearch.IndexPermission{
+								{
+									AllowedActions: []string{
+										"read",
+										"indices:monitor/settings/get",
+									},
+									IndexPatterns: []string{
+										"/^(application|container|lagoon|router)-logs-drupal10-prerelease-_-.+/",
+									},
+								},
+							},
+							TenantPermissions: []opensearch.TenantPermission{
+								{
+									AllowedActions: []string{"kibana_all_read"},
+									TenantPatterns: []string{"global_tenant"},
+								},
+							},
+						},
+					},
+					"p36": {
+						RolePermissions: opensearch.RolePermissions{
+							ClusterPermissions: []string{},
+							IndexPermissions: []opensearch.IndexPermission{
+								{
+									AllowedActions: []string{
+										"read",
+										"indices:monitor/settings/get",
+									},
+									IndexPatterns: []string{
+										"/^(application|container|lagoon|router)-logs-delta-backend-_-.+/",
+									},
+								},
+							},
+							TenantPermissions: []opensearch.TenantPermission{
+								{
+									AllowedActions: []string{"kibana_all_read"},
+									TenantPatterns: []string{"global_tenant"},
+								},
+							},
+						},
+					},
 				},
 			},
 		},
-		"generate roles for project group": {
+		"generate roles for projects ignoring project group": {
 			input: generateRolesInput{
 				groups: []keycloak.Group{
 					{
@@ -148,6 +236,28 @@ func TestGenerateRoles(t *testing.T) {
 			},
 			expect: generateRolesOutput{
 				roles: map[string]opensearch.Role{
+					"p26": {
+						RolePermissions: opensearch.RolePermissions{
+							ClusterPermissions: []string{},
+							IndexPermissions: []opensearch.IndexPermission{
+								{
+									AllowedActions: []string{
+										"read",
+										"indices:monitor/settings/get",
+									},
+									IndexPatterns: []string{
+										"/^(application|container|lagoon|router)-logs-abc-_-.+/",
+									},
+								},
+							},
+							TenantPermissions: []opensearch.TenantPermission{
+								{
+									AllowedActions: []string{"kibana_all_read"},
+									TenantPatterns: []string{"global_tenant"},
+								},
+							},
+						},
+					},
 					"p27": {
 						RolePermissions: opensearch.RolePermissions{
 							ClusterPermissions: []string{},
@@ -170,6 +280,121 @@ func TestGenerateRoles(t *testing.T) {
 							},
 						},
 					},
+					"p48": {
+						RolePermissions: opensearch.RolePermissions{
+							ClusterPermissions: []string{},
+							IndexPermissions: []opensearch.IndexPermission{
+								{
+									AllowedActions: []string{
+										"read",
+										"indices:monitor/settings/get",
+									},
+									IndexPatterns: []string{
+										"/^(application|container|lagoon|router)-logs-somelongprojectname-_-.+/",
+									},
+								},
+							},
+							TenantPermissions: []opensearch.TenantPermission{
+								{
+									AllowedActions: []string{"kibana_all_read"},
+									TenantPatterns: []string{"global_tenant"},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		"generate roles for multi-project project group": {
+			input: generateRolesInput{
+				groups: []keycloak.Group{
+					{
+						ID: "3fc60c90-b72d-4704-8a57-80438adac98d",
+						GroupUpdateRepresentation: keycloak.GroupUpdateRepresentation{
+							Name: "project-beta-ui",
+							Attributes: map[string][]string{
+								"type": {`project-default-group`},
+							},
+						},
+					},
+				},
+				projectNames: map[int]string{
+					26: "abc",
+					27: "beta-ui",
+					48: "somelongprojectname",
+				},
+				groupProjectsMap: map[string][]int{
+					"3fc60c90-b72d-4704-8a57-80438adac98d": {48, 27, 26},
+				},
+			},
+			expect: generateRolesOutput{
+				roles: map[string]opensearch.Role{
+					"p26": {
+						RolePermissions: opensearch.RolePermissions{
+							ClusterPermissions: []string{},
+							IndexPermissions: []opensearch.IndexPermission{
+								{
+									AllowedActions: []string{
+										"read",
+										"indices:monitor/settings/get",
+									},
+									IndexPatterns: []string{
+										"/^(application|container|lagoon|router)-logs-abc-_-.+/",
+									},
+								},
+							},
+							TenantPermissions: []opensearch.TenantPermission{
+								{
+									AllowedActions: []string{"kibana_all_read"},
+									TenantPatterns: []string{"global_tenant"},
+								},
+							},
+						},
+					},
+					"p27": {
+						RolePermissions: opensearch.RolePermissions{
+							ClusterPermissions: []string{},
+							IndexPermissions: []opensearch.IndexPermission{
+								{
+									AllowedActions: []string{
+										"read",
+										"indices:monitor/settings/get",
+									},
+									IndexPatterns: []string{
+										"/^(application|container|lagoon|router)-logs-beta-ui-_-.+/",
+									},
+								},
+							},
+							TenantPermissions: []opensearch.TenantPermission{
+								{
+									AllowedActions: []string{"kibana_all_read"},
+									TenantPatterns: []string{"global_tenant"},
+								},
+							},
+						},
+					},
+					"p48": {
+						RolePermissions: opensearch.RolePermissions{
+							ClusterPermissions: []string{},
+							IndexPermissions: []opensearch.IndexPermission{
+								{
+									AllowedActions: []string{
+										"read",
+										"indices:monitor/settings/get",
+									},
+									IndexPatterns: []string{
+										"/^(application|container|lagoon|router)-logs-somelongprojectname-_-.+/",
+									},
+								},
+							},
+							TenantPermissions: []opensearch.TenantPermission{
+								{
+									AllowedActions: []string{"kibana_all_read"},
+									TenantPatterns: []string{"global_tenant"},
+								},
+							},
+						},
+					},
 				},
 			},
 		},