Skip to content

Commit

Permalink
feat: Add ability to remove all permissions on auto_assign_org
Browse files Browse the repository at this point in the history
  • Loading branch information
davidgubler committed Feb 12, 2024
1 parent 31d98b9 commit b23ddf2
Show file tree
Hide file tree
Showing 4 changed files with 33 additions and 47 deletions.
1 change: 1 addition & 0 deletions docker-compose-dev.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ services:
- GF_AUTH_GENERIC_OAUTH_TOKEN_URL=https://id.test.vshn.net/auth/realms/VSHN-main-dev-realm/protocol/openid-connect/token
- GF_SERVER_DOMAIN=operator-dev-grafana.apps.cloudscale-lpg-2.appuio.cloud
- GF_SERVER_ROOT_URL=https://operator-dev-grafana.apps.cloudscale-lpg-2.appuio.cloud
- GF_USERS_AUTO_ASSIGN_ORG_ID=83
ports:
- "3000:3000"
labels:
Expand Down
6 changes: 3 additions & 3 deletions main.go
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ func main() {
if config.GrafanaDatasourcePassword != "" {
grafanaDatasourcePasswordHidden = "***hidden***"
}
config.GrafanaClearAutoAssignOrg = os.Getenv("GRAFANA_CLEAR_AUTO_ASSIGN_ORG") == "true"

keycloakUrl := os.Getenv("KEYCLOAK_URL")
keycloakRealm := os.Getenv("KEYCLOAK_REALM")
Expand All @@ -51,23 +52,22 @@ func main() {
keycloakPasswordHidden = "***hidden***"
}
keycloakAdminGroupPath := os.Getenv("KEYCLOAK_ADMIN_GROUP_PATH")
keycloakAutoAssignOrgGroupPath := os.Getenv("KEYCLOAK_AUTO_ASSIGN_ORG_GROUP_PATH")

klog.Infof("GRAFANA_URL: %s\n", grafanaUrl)
klog.Infof("GRAFANA_USERNAME: %s\n", grafanaUsername)
klog.Infof("GRAFANA_PASSWORD: %s\n", grafanaPasswordHidden)
klog.Infof("GRAFANA_DATASOURCE_URL: %s\n", config.GrafanaDatasourceUrl)
klog.Infof("GRAFANA_DATASOURCE_USERNAME: %s\n", config.GrafanaDatasourceUsername)
klog.Infof("GRAFANA_DATASOURCE_PASSWORD: %s\n", grafanaDatasourcePasswordHidden)
klog.Infof("GRAFANA_CLEAR_AUTO_ASSIGN_ORG: %t\n", config.GrafanaClearAutoAssignOrg)
klog.Infof("KEYCLOAK_URL: %s\n", keycloakUrl)
klog.Infof("KEYCLOAK_REALM: %s\n", keycloakRealm)
klog.Infof("KEYCLOAK_USERNAME: %s\n", keycloakUsername)
klog.Infof("KEYCLOAK_PASSWORD: %s\n", keycloakPasswordHidden)
klog.Infof("KEYCLOAK_CLIENT_ID: %s\n", keycloakClientId)
klog.Infof("KEYCLOAK_ADMIN_GROUP_PATH: %s\n", keycloakAdminGroupPath)
klog.Infof("KEYCLOAK_AUTO_ASSIGN_ORG_GROUP_PATH: %s\n", keycloakAutoAssignOrgGroupPath)

keycloakClient, err := controller.NewKeycloakClient(keycloakUrl, keycloakRealm, keycloakUsername, keycloakPassword, keycloakClientId, keycloakAdminGroupPath, keycloakAutoAssignOrgGroupPath)
keycloakClient, err := controller.NewKeycloakClient(keycloakUrl, keycloakRealm, keycloakUsername, keycloakPassword, keycloakClientId, keycloakAdminGroupPath)
if err != nil {
klog.Errorf("Could not create keycloakClient client: %v\n", err)
os.Exit(1)
Expand Down
36 changes: 17 additions & 19 deletions pkg/keycloakClient.go
Original file line number Diff line number Diff line change
Expand Up @@ -14,16 +14,15 @@ import (
)

type KeycloakClient struct {
baseURL url.URL
username string
password string
clientId string
realm string
adminGroupPath string
autoAssignOrgGroupPath string
country string
adminGroup *KeycloakGroup
client *http.Client
baseURL url.URL
username string
password string
clientId string
realm string
adminGroupPath string
country string
adminGroup *KeycloakGroup
client *http.Client
}

type KeycloakUser struct {
Expand Down Expand Up @@ -91,7 +90,7 @@ func (this *KeycloakUser) GetDisplayName() string {
return this.FirstName + " " + this.LastName
}

func NewKeycloakClient(baseURL string, realm string, username string, password string, clientId string, adminGroupPath string, autoAssignOrgGroupPath string) (*KeycloakClient, error) {
func NewKeycloakClient(baseURL string, realm string, username string, password string, clientId string, adminGroupPath string) (*KeycloakClient, error) {
u, err := url.Parse(baseURL)
if err != nil {
return nil, err
Expand All @@ -104,14 +103,13 @@ func NewKeycloakClient(baseURL string, realm string, username string, password s
}

return &KeycloakClient{
baseURL: *u,
client: cli,
realm: realm,
username: username,
password: password,
clientId: clientId,
adminGroupPath: adminGroupPath,
autoAssignOrgGroupPath: autoAssignOrgGroupPath,
baseURL: *u,
client: cli,
realm: realm,
username: username,
password: password,
clientId: clientId,
adminGroupPath: adminGroupPath,
}, nil
}

Expand Down
37 changes: 12 additions & 25 deletions pkg/reconcile.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ type Config struct {
GrafanaDatasourceUrl string
GrafanaDatasourceUsername string
GrafanaDatasourcePassword string
GrafanaClearAutoAssignOrg bool
}

var (
Expand Down Expand Up @@ -67,39 +68,25 @@ outAdmins:
}
klog.Infof("Found %d admin users", len(keycloakAdmins))

klog.Infof("Extracting auto_assign_org users...")
var keycloakAutoAssignOrgUsers []*KeycloakUser
outAutoAssignOrgUsers:
for _, user := range keycloakUsers {
for _, group := range keycloakUserGroups[user] {
if group.Path == keycloakClient.autoAssignOrgGroupPath {
keycloakAutoAssignOrgUsers = append(keycloakAutoAssignOrgUsers, user)
continue outAutoAssignOrgUsers
}
if config.GrafanaClearAutoAssignOrg {
klog.Infof("Fetching auto_assign_org_id...")
autoAssignOrgId, err := grafanaClient.GetAutoAssignOrgId()
if err != nil {
return err
}
klog.Infof("Removing members of auto_assign_org %d", autoAssignOrgId)
var permissions []GrafanaPermissionSpec
err = reconcileSingleOrgPermissions(ctx, permissions, autoAssignOrgId, grafanaClient)
if err != nil {
return err
}
}
klog.Infof("Found %d auto_assign_org users", len(keycloakAutoAssignOrgUsers))

grafanaOrgsMap, err := reconcileAllOrgs(ctx, config, keycloakOrganizations, grafanaClient, dashboards)
if err != nil {
return err
}

klog.Infof("Fetching auto_assign_org_id...")
autoAssignOrgId, err := grafanaClient.GetAutoAssignOrgId()
if err != nil {
return err
}
klog.Infof("Checking permissions of auto_assign_org %d", autoAssignOrgId)
var permissions []GrafanaPermissionSpec
for _, keycloakAutoAssignOrgUser := range keycloakAutoAssignOrgUsers {
permissions = append(permissions, GrafanaPermissionSpec{Uid: keycloakAutoAssignOrgUser.Username, PermittedRoles: []string{"Viewer", "Editor", "Admin"}})
}
err = reconcileSingleOrgPermissions(ctx, permissions, autoAssignOrgId, grafanaClient)
if err != nil {
return err
}

klog.Infof("Checking permissions of normal orgs...")
grafanaPermissionsMap := getGrafanaPermissionsMap(keycloakUserGroups, keycloakAdmins, keycloakOrganizations)
err = reconcilePermissions(ctx, grafanaPermissionsMap, grafanaOrgsMap, grafanaClient)
Expand Down

0 comments on commit b23ddf2

Please sign in to comment.