@@ -65,13 +65,17 @@ func (s AGPLIDPSync) SyncGroups(ctx context.Context, db database.Store, user dat
6565}
6666
6767// Figure out which organizations the user is a member of.
68+ // The "Everyone" group is always included, so we can infer organization
69+ // membership via the groups the user is in.
6870userOrgs := make (map [uuid.UUID ][]database.GetGroupsRow )
6971for _ ,g := range userGroups {
7072g := g
7173userOrgs [g .Group .OrganizationID ]= append (userOrgs [g .Group .OrganizationID ],g )
7274}
7375
7476// For each org, we need to fetch the sync settings
77+ // This loop also handles any legacy settings for the default
78+ // organization.
7579orgSettings := make (map [uuid.UUID ]GroupSyncSettings )
7680for orgID := range userOrgs {
7781orgResolver := s .Manager .OrganizationResolver (tx ,orgID )
@@ -97,16 +101,23 @@ func (s AGPLIDPSync) SyncGroups(ctx context.Context, db database.Store, user dat
97101orgSettings [orgID ]= * settings
98102}
99103
100- // collect all diffs to do 1 sql update for all orgs
104+ // groupIDsToAdd & groupIDsToRemove are the final group differences
105+ // needed to be applied to user. The loop below will iterate over all
106+ // organizations the user is in, and determine the diffs.
107+ // The diffs are applied as a batch sql query, rather than each
108+ // organization having to execute a query.
101109groupIDsToAdd := make ([]uuid.UUID ,0 )
102110groupIDsToRemove := make ([]uuid.UUID ,0 )
103111// For each org, determine which groups the user should land in
104112for orgID ,settings := range orgSettings {
105113if settings .Field == "" {
106114// No group sync enabled for this org, so do nothing.
115+ // The user can remain in their groups for this org.
107116continue
108117}
109118
119+ // expectedGroups is the set of groups the IDP expects the
120+ // user to be a member of.
110121expectedGroups ,err := settings .ParseClaims (orgID ,params .MergedClaims )
111122if err != nil {
112123s .Logger .Debug (ctx ,"failed to parse claims for groups" ,
@@ -117,7 +128,7 @@ func (s AGPLIDPSync) SyncGroups(ctx context.Context, db database.Store, user dat
117128// Unsure where to raise this error on the UI or database.
118129continue
119130}
120- // Everyone group is always implied.
131+ // Everyone group is always implied, so include it .
121132expectedGroups = append (expectedGroups ,ExpectedGroup {
122133OrganizationID :orgID ,
123134GroupID :& orgID ,
@@ -134,6 +145,7 @@ func (s AGPLIDPSync) SyncGroups(ctx context.Context, db database.Store, user dat
134145GroupName :& f .Group .Name ,
135146}
136147})
148+
137149add ,remove := slice .SymmetricDifferenceFunc (existingGroupsTyped ,expectedGroups ,func (a ,b ExpectedGroup )bool {
138150// Must match
139151if a .OrganizationID != b .OrganizationID {
@@ -150,10 +162,10 @@ func (s AGPLIDPSync) SyncGroups(ctx context.Context, db database.Store, user dat
150162})
151163
152164for _ ,r := range remove {
153- // This should never happen. All group removals come from the
154- // existing set, which come from the db. All groups from the
155- // database have IDs. This code is purely defensive.
156165if r .GroupID == nil {
166+ // This should never happen. All group removals come from the
167+ // existing set, which come from the db. All groups from the
168+ // database have IDs. This code is purely defensive.
157169detail := "user:" + user .Username
158170if r .GroupName != nil {
159171detail += fmt .Sprintf (" from group %s" ,* r .GroupName )
@@ -166,6 +178,11 @@ func (s AGPLIDPSync) SyncGroups(ctx context.Context, db database.Store, user dat
166178// HandleMissingGroups will add the new groups to the org if
167179// the settings specify. It will convert all group names into uuids
168180// for easier assignment.
181+ // TODO: This code should be batched at the end of the for loop.
182+ // Optimizing this is being pushed because if AutoCreate is disabled,
183+ // this code will only add cost on the first login for each user.
184+ // AutoCreate is usually disabled for large deployments.
185+ // For small deployments, this is less of a problem.
169186assignGroups ,err := settings .HandleMissingGroups (ctx ,tx ,orgID ,add )
170187if err != nil {
171188return xerrors .Errorf ("handle missing groups: %w" ,err )
@@ -174,6 +191,8 @@ func (s AGPLIDPSync) SyncGroups(ctx context.Context, db database.Store, user dat
174191groupIDsToAdd = append (groupIDsToAdd ,assignGroups ... )
175192}
176193
194+ // ApplyGroupDifference will take the total adds and removes, and apply
195+ // them.
177196err = s .ApplyGroupDifference (ctx ,tx ,user ,groupIDsToAdd ,groupIDsToRemove )
178197if err != nil {
179198return xerrors .Errorf ("apply group difference: %w" ,err )
@@ -190,8 +209,6 @@ func (s AGPLIDPSync) SyncGroups(ctx context.Context, db database.Store, user dat
190209
191210// ApplyGroupDifference will add and remove the user from the specified groups.
192211func (s AGPLIDPSync )ApplyGroupDifference (ctx context.Context ,tx database.Store ,user database.User ,add []uuid.UUID ,removeIDs []uuid.UUID )error {
193- // Always do group removal before group add. This way if there is an error,
194- // we error on the underprivileged side.
195212if len (removeIDs )> 0 {
196213removedGroupIDs ,err := tx .RemoveUserFromGroups (ctx , database.RemoveUserFromGroupsParams {
197214UserID :user .ID ,