From 82efbbb8c6ad336b0106d278ed2ec867cc244201 Mon Sep 17 00:00:00 2001
From: Renan Campos
Date: Mon, 16 Sep 2024 15:43:44 -0400
Subject: [PATCH] updating wif logic for determining role updates

The prior check was lead to custom roles being updated during every wif creation call if the permission set provided was not in the exact order that is returned by GCP- emperically found to be alphabetical. With this change, this assumption is no longer necassary.
---
 cmd/ocm/gcp/gcp-client-shim.go | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/cmd/ocm/gcp/gcp-client-shim.go b/cmd/ocm/gcp/gcp-client-shim.go
index cc90f9e7..b9f35d05 100644
--- a/cmd/ocm/gcp/gcp-client-shim.go
+++ b/cmd/ocm/gcp/gcp-client-shim.go
@@ -4,7 +4,6 @@ import (
 "context"
 "fmt"
 "log"
- "reflect"
 "strings"
 "time"
@@ -252,7 +251,7 @@ func (c *shim) createOrUpdateRoles(
 }
 // Update role if permissions have changed
- if !reflect.DeepEqual(existingRole.IncludedPermissions, permissions) {
+ if c.roleRequiresUpdate(permissions, existingRole.IncludedPermissions) {
 existingRole.IncludedPermissions = permissions
 _, err := c.updateRole(ctx, existingRole, c.fmtRoleResourceId(role))
 if err != nil {
@@ -264,6 +263,25 @@ func (c *shim) createOrUpdateRoles(
 return nil
 }
+func (c *shim) roleRequiresUpdate(
+ newPermissions []string,
+ existingPermissions []string,
+) bool {
+ permissionMap := map[string]bool{}
+ for _, permission := range existingPermissions {
+ permissionMap[permission] = true
+ }
+ if len(permissionMap) != len(newPermissions) {
+ return true
+ }
+ for _, permission := range newPermissions {
+ if !permissionMap[permission] {
+ return true
+ }
+ }
+ return false
+}
+
 func (c *shim) bindRolesToServiceAccount(
 ctx context.Context,
 serviceAccount *cmv1.WifServiceAccount,
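Review bot: In `roleRequiresUpdate`, only the existing side is deduplicated, so a repeated entry in `newPermissions` can cancel out a permission that is on the role but no longer requested: with existing `[a, b]` and new `[a, a]` (constructed example) the lengths match, every lookup succeeds, and the function returns false. The custom role then keeps `b`, which is the direction that matters for least privilege on a WIF role. Whether a caller can ever pass duplicates is not visible from this patch, but comparing two sets removes the dependency, as in the version below. The diffstat lists only this one file, so a table-driven test covering reordered, duplicated and empty inputs would be worth adding alongside it.

```go
// … unchanged: roleRequiresUpdate signature …
) bool {
	existing := make(map[string]struct{}, len(existingPermissions))
	for _, permission := range existingPermissions {
		existing[permission] = struct{}{}
	}
	// Deduplicate the requested side as well, so a repeated entry cannot
	// offset a permission that is on the role but was not requested.
	requested := make(map[string]struct{}, len(newPermissions))
	for _, permission := range newPermissions {
		if _, ok := existing[permission]; !ok {
			return true
		}
		requested[permission] = struct{}{}
	}
	return len(requested) != len(existing)
}
```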