Support mapping team-members to SCIM id's in order to align with user…

…Ids used in auth (#125) * initial commit * cleanup * put configuration into api * cosmetics * consistent use of context * cleanup * use latest release, no need for the scim stuff in go-github * take v4 apiurl as this varies between gh-server and .com * use patched version of go-githubapp api * check in regenerated code * move to v39 of api, which aligns with current branch of go-githubapp * Update README.md Co-authored-by: Andrew Block <[email protected]> Co-authored-by: Andrew Block <[email protected]>
redhat-cop · Sep 20, 2021 · 30f6e97 · 30f6e97
1 parent 68097b3
commit 30f6e97
Show file tree

Hide file tree

Showing 7 changed files with 148 additions and 35 deletions.
diff --git a/README.md b/README.md
@@ -178,7 +178,7 @@ When authenticating as a Github App, the following keys are required:
 In GitHub, go to developer-settings -> github apps.
 * Create a new app, it does not need webhook callbacks.
 * Generate a private-key and download it
-* Under "permissions and events" the app will need read-only access to the "Members" permission in the "Organization" section.
+* Under "permissions and events", the app will need read-only access to the "Members" permission in the "Organization" section. NOTE: If you enable `mapByScimId`, this permissions needs to be _Read & Write_, though the operator only does read-only operations. The reason for this is the use of the v4 graphql api-endpoint.
 * Take note of the "App ID" as you need it for later.
 * Install the app to your organization.
 

diff --git a/api/v1alpha1/groupsync_types.go b/api/v1alpha1/groupsync_types.go
@@ -205,11 +205,22 @@ type GitHubProvider struct {
 	// +kubebuilder:validation:Optional
 	Teams []string `json:"teams,omitempty"`
 
+	// Map users by SCIM Id. This will usually match your IDP id, like UPN when using AAD.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Map users by SCIM-ID",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:text"}
+	// +kubebuilder:validation:Optional
+	MapByScimId bool `json:"mapByScimId,omitempty"`
+
 	// URL is the location of the GitHub server
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="GitHub URL",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:text"}
 	// +kubebuilder:validation:Required
 	// +kubebuilder:default="https://api.github.com/"
 	URL *string `json:"url,omitempty"`
+
+	// V4URL is the location of the GitHub server graphql endpoint.
+	// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="GitHub v4URL (graphql)",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:text"}
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default="https://api.github.com/graphql"
+	V4URL *string `json:"v4url,omitempty"`
 }
 
 // GitLabProvider represents integration with GitLab

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/redhatcop.redhat.io_groupsyncs.yaml b/config/crd/bases/redhatcop.redhat.io_groupsyncs.yaml
@@ -119,6 +119,9 @@ spec:
                           insecure:
                             description: Insecure specifies whether to allow for unverified certificates to be used when communicating to GitHab
                             type: boolean
+                          mapByScimId:
+                            description: Map users by SCIM Id. This will usually match your IDP id, like UPN when using AAD.
+                            type: boolean
                           organization:
                             description: Organization represents the location to source teams to synchronize
                             type: string
@@ -131,6 +134,10 @@ spec:
                             default: https://api.github.com/
                             description: URL is the location of the GitHub server
                             type: string
+                          v4url:
+                            default: https://api.github.com/graphql
+                            description: V4URL is the location of the GitHub server graphql endpoint.
+                            type: string
                         required:
                           - credentialsSecret
                         type: object

diff --git a/go.mod b/go.mod
@@ -6,20 +6,21 @@ require (
 	github.com/Nerzal/gocloak/v5 v5.1.0
 	github.com/go-logr/logr v0.4.0
 	github.com/go-openapi/spec v0.19.3
-	github.com/google/go-github/v38 v38.1.0
+	github.com/google/go-github/v39 v39.0.0
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79
 	github.com/hashicorp/go-cleanhttp v0.5.1
 	github.com/okta/okta-sdk-golang/v2 v2.3.0
 	github.com/onsi/ginkgo v1.16.4
 	github.com/onsi/gomega v1.13.0
 	github.com/openshift/api v3.9.1-0.20190924102528-32369d4db2ad+incompatible
 	github.com/openshift/library-go v0.0.0-20200527213645-a9b77f5402e3
-	github.com/palantir/go-githubapp v0.9.2-0.20210830144646-08ca97a77f90
+	github.com/palantir/go-githubapp v0.9.2-0.20210913152418-062be9630ea5
 	github.com/prometheus/client_golang v1.7.1
 	github.com/prometheus/common v0.10.0
 	github.com/redhat-cop/operator-utils v1.1.4
 	github.com/robfig/cron v0.0.0-20170526150127-736158dc09e1
 	github.com/robfig/cron/v3 v3.0.1
+	github.com/shurcooL/githubv4 v0.0.0-20210725200734-83ba7b4c9228
 	github.com/xanzy/go-gitlab v0.38.2
 	github.com/yaegashi/msgraph.go v0.1.4
 	golang.org/x/oauth2 v0.0.0-20210113205817-d3ed898aa8a3