Skip to content

Commit

Permalink
Merge pull request #58 from ConductorOne/ggreer/faster-group-membership
Browse files Browse the repository at this point in the history 
Get group membership faster.
  • Loading branch information
@ggreer
ggreer authored Aug 19, 2024
2 parents a33b148 + debe0f3 commit d29dfb0
Showing 1 changed file with 34 additions and 39 deletions.
73 changes: 34 additions & 39 deletions pkg/connector/group.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -129,6 +129,23 @@ func (g *groupResourceType) Entitlements(ctx context.Context, resource *v2.Resou
return rv, "", nil, nil
}

// newGrantFromDN - create a `Grant` from a given group and user distinguished name.
func newGrantFromDN(resource *v2.Resource, userDN string) *v2.Grant {
g := grant.NewGrant(
// remove group profile from grant so we're not saving all group memberships in every grant
&v2.Resource{
Id: resource.Id,
},
groupMemberEntitlement,
// remove user profile from grant so we're not saving repetitive user info in every grant
&v2.ResourceId{
ResourceType: resourceTypeUser.Id,
Resource: userDN,
},
)
return g
}

func (g *groupResourceType) Grants(ctx context.Context, resource *v2.Resource, token *pagination.Token) ([]*v2.Grant, string, annotations.Annotations, error) {
l := ctxzap.Extract(ctx)

Expand Down Expand Up @@ -197,52 +214,30 @@ func (g *groupResourceType) Grants(ctx context.Context, resource *v2.Resource, t
var memberEntry []*ldap.Entry

if parsedDN, err := ldap3.ParseDN(memberId); err == nil {
memberEntry, _, err = g.client.LdapSearch(
ctx,
"",
nil,
"",
1,
parsedDN.String(),
)
if err != nil {
// TODO: collect errors
l.Error("ldap-connector: failed to get user", zap.String("member_id", memberId), zap.String("parseDN", parsedDN.String()), zap.Error(err))
}
} else {
// Group member doesn't look like it is a DN, search for it as a UID
memberEntry, _, err = g.client.LdapSearch(
ctx,
fmt.Sprintf(groupMemberFilter, memberId),
nil,
"",
1,
"",
)
if err != nil {
// TODO: collect errors
l.Error("ldap-connector: failed to get user", zap.String("member_id", memberId), zap.Error(err))
}
g := newGrantFromDN(resource, parsedDN.String())
rv = append(rv, g)
continue
}

// Group member doesn't look like it is a DN, search for it as a UID
memberEntry, _, err = g.client.LdapSearch(
ctx,
fmt.Sprintf(groupMemberFilter, memberId),
nil,
"",
1,
"",
)
if err != nil {
// TODO: collect errors
l.Error("ldap-connector: failed to get user", zap.String("member_id", memberId), zap.Error(err))
}
if len(memberEntry) == 0 {
l.Error("ldap-connector: failed to find user with dn or UID", zap.String("member_id", memberId))
}

for _, e := range memberEntry {
g := grant.NewGrant(
// remove group profile from grant so we're not saving all group memberships in every grant
&v2.Resource{
Id: resource.Id,
},
groupMemberEntitlement,
// remove user profile from grant so we're not saving repetitive user info in every grant
&v2.ResourceId{
ResourceType: resourceTypeUser.Id,
Resource: e.DN,
},
)

g := newGrantFromDN(resource, e.DN)
rv = append(rv, g)
}
}
Expand Down

0 comments on commit d29dfb0

Please sign in to comment.