Add logic to migrate list of allowed users

rancher · Aug 15, 2023 · 80ea848 · 80ea848
1 parent c12dcef
commit 80ea848
Show file tree

Hide file tree

Showing 2 changed files with 65 additions and 2 deletions.
diff --git a/pkg/agent/clean/ad_unmigration/ldap.go b/pkg/agent/clean/ad_unmigration/ldap.go
@@ -286,3 +286,52 @@ func updateADConfigMigrationStatus(status map[string]string, sc *config.ScaledCo
 
 	return nil
 }
+
+func migrateAllowedUserPrincipals(workunits *[]migrateUserWorkUnit, sc *config.ScaledContext, dryRun bool) error {
+	authConfigObj, err := sc.Management.AuthConfigs("").ObjectClient().UnstructuredClient().Get("activedirectory", metav1.GetOptions{})
+	if err != nil {
+		logrus.Errorf("[%v] failed to obtain activedirecotry authConfigObj: %v", migrateAdUserOperation, err)
+		return err
+	}
+
+	// Create an empty unstructured object to hold the decoded JSON
+	storedADConfig := &unstructured.Unstructured{}
+	storedADConfig, ok := authConfigObj.(*unstructured.Unstructured)
+	if !ok {
+		return fmt.Errorf("[%v] expected unstructured authconfig, got %T", migrateAdUserOperation, authConfigObj)
+	}
+
+	unstructuredMaybeList := storedADConfig.UnstructuredContent()["allowedPrincipalIds"]
+	listOfMaybeStrings, ok := unstructuredMaybeList.([]interface{})
+	if !ok {
+		return fmt.Errorf("[%v] expected list for allowed principal ids, got %T", migrateAdUserOperation, unstructuredMaybeList)
+	}
+
+	adWorkUnitsByPrincipal := map[string]int{}
+	for i, workunit := range *workunits {
+		adWorkUnitsByPrincipal[activeDirectoryPrefix+workunit.guid] = i
+	}
+
+	for i, item := range listOfMaybeStrings {
+		principalId, ok := item.(string)
+		if !ok {
+			return fmt.Errorf("[%v] expected string for allowed principal id, found instead %T", migrateAdUserOperation, item)
+		}
+		if j, exists := adWorkUnitsByPrincipal[principalId]; exists {
+			newPrincipalId := activeDirectoryPrefix + (*workunits)[j].distinguishedName
+			if dryRun {
+				logrus.Infof("[%v] DRY RUN: would migrate allowed user %v to %v", migrateAdUserOperation,
+					principalId, newPrincipalId)
+			} else {
+				listOfMaybeStrings[i] = newPrincipalId
+			}
+		}
+	}
+
+	if !dryRun {
+		storedADConfig.UnstructuredContent()["allowedPrincipalIds"] = listOfMaybeStrings
+	}
+
+	_, err = sc.Management.AuthConfigs("").ObjectClient().UnstructuredClient().Update("activedirectory", storedADConfig)
+	return err
+}
diff --git a/pkg/agent/clean/ad_unmigration/migrate.go b/pkg/agent/clean/ad_unmigration/migrate.go
@@ -95,7 +95,12 @@ func scaledContext(restConfig *restclient.Config) (*config.ScaledContext, error)
 // UnmigrateAdGUIDUsersOnce will ensure that the migration script will run only once.  cycle through all users, ctrb, ptrb, tokens and migrate them to an
 // appropriate DN-based PrincipalID.
 func UnmigrateAdGUIDUsersOnce(sc *config.ScaledContext) error {
-	migrationConfigMap, _ := sc.Core.ConfigMaps(activedirectory.StatusConfigMapNamespace).GetNamespaced(activedirectory.StatusConfigMapNamespace, activedirectory.StatusConfigMapName, metav1.GetOptions{})
+	migrationConfigMap, err := sc.Core.ConfigMaps(activedirectory.StatusConfigMapNamespace).GetNamespaced(activedirectory.StatusConfigMapNamespace, activedirectory.StatusConfigMapName, metav1.GetOptions{})
+	if err != nil {
+		logrus.Errorf("[%v] unable to check unmigration configmap: %v", migrateAdUserOperation, err)
+		logrus.Errorf("[%v] cannot determine if it is safe to proceed. refusing to run", migrateAdUserOperation)
+		return nil
+	}
 	if migrationConfigMap != nil {
 		migrationStatus := migrationConfigMap.Data[activedirectory.StatusMigrationField]
 		switch migrationStatus {
@@ -129,7 +134,12 @@ func UnmigrateAdGUIDUsers(clientConfig *restclient.Config, dryRun bool, deleteMi
 		return err
 	}
 
-	migrationConfigMap, _ := sc.Core.ConfigMaps(activedirectory.StatusConfigMapNamespace).GetNamespaced(activedirectory.StatusConfigMapNamespace, activedirectory.StatusConfigMapName, metav1.GetOptions{})
+	migrationConfigMap, err := sc.Core.ConfigMaps(activedirectory.StatusConfigMapNamespace).GetNamespaced(activedirectory.StatusConfigMapNamespace, activedirectory.StatusConfigMapName, metav1.GetOptions{})
+	if err != nil {
+		logrus.Errorf("[%v] unable to check unmigration configmap: %v", migrateAdUserOperation, err)
+		logrus.Errorf("[%v] cannot determine if it is safe to proceed. refusing to run", migrateAdUserOperation)
+		return nil
+	}
 	if migrationConfigMap != nil {
 		migrationStatus := migrationConfigMap.Data[activedirectory.StatusMigrationField]
 		switch migrationStatus {
@@ -176,6 +186,10 @@ func UnmigrateAdGUIDUsers(clientConfig *restclient.Config, dryRun bool, deleteMi
 	if err != nil {
 		return err
 	}
+	err = migrateAllowedUserPrincipals(&usersToMigrate, sc, dryRun)
+	if err != nil {
+		return err
+	}
 
 	for _, user := range skippedUsers {
 		logrus.Errorf("[%v] unable to migrate user '%v' due to a connection failure; this user will be skipped", migrateAdUserOperation, user.originalUser.Name)