(ctx context.Context, db database.Store, user database.User, params RoleParams)
| 72 | } |
| 73 | |
| 74 | func (s AGPLIDPSync) SyncRoles(ctx context.Context, db database.Store, user database.User, params RoleParams) error { |
| 75 | // Nothing happens if sync is not enabled |
| 76 | if !params.SyncEntitled { |
| 77 | return nil |
| 78 | } |
| 79 | |
| 80 | // nolint:gocritic // all syncing is done as a system user |
| 81 | ctx = dbauthz.AsSystemRestricted(ctx) |
| 82 | |
| 83 | err := db.InTx(func(tx database.Store) error { |
| 84 | if params.SyncSiteWide { |
| 85 | if err := s.syncSiteWideRoles(ctx, tx, user, params); err != nil { |
| 86 | return err |
| 87 | } |
| 88 | } |
| 89 | |
| 90 | // sync roles per organization |
| 91 | orgMemberships, err := tx.OrganizationMembers(ctx, database.OrganizationMembersParams{ |
| 92 | OrganizationID: uuid.Nil, |
| 93 | UserID: user.ID, |
| 94 | IncludeSystem: false, |
| 95 | GithubUserID: 0, |
| 96 | }) |
| 97 | if err != nil { |
| 98 | return xerrors.Errorf("get organizations by user id: %w", err) |
| 99 | } |
| 100 | |
| 101 | // Sync for each organization |
| 102 | // If a key for a given org exists in the map, the user's roles will be |
| 103 | // updated to the value of that key. |
| 104 | expectedRoles := make(map[uuid.UUID][]rbac.RoleIdentifier) |
| 105 | existingRoles := make(map[uuid.UUID][]string) |
| 106 | allExpected := make([]rbac.RoleIdentifier, 0) |
| 107 | for _, member := range orgMemberships { |
| 108 | orgID := member.OrganizationMember.OrganizationID |
| 109 | settings, err := s.RoleSyncSettings(ctx, orgID, tx) |
| 110 | if err != nil { |
| 111 | // No entry means no role syncing for this organization |
| 112 | continue |
| 113 | } |
| 114 | |
| 115 | if settings.Field == "" { |
| 116 | // Explicitly disabled role sync for this organization |
| 117 | continue |
| 118 | } |
| 119 | |
| 120 | existingRoles[orgID] = member.OrganizationMember.Roles |
| 121 | orgRoleClaims, err := s.RolesFromClaim(settings.Field, params.MergedClaims) |
| 122 | if err != nil { |
| 123 | s.Logger.Error(ctx, "failed to parse roles from claim", |
| 124 | slog.F("field", settings.Field), |
| 125 | slog.F("organization_id", orgID), |
| 126 | slog.F("user_id", user.ID), |
| 127 | slog.F("username", user.Username), |
| 128 | slog.Error(err), |
| 129 | ) |
| 130 | |
| 131 | // TODO: If rolesync fails, we might want to reset a user's |