adds sync org middleware

timbastin · timbastin · commit 519b51cd7687 · 2025-08-04T13:40:35.000+02:00
diff --git a/cmd/devguard/api/api.go b/cmd/devguard/api/api.go
@@ -253,6 +253,26 @@ func neededScope(neededScopes []string) core.MiddlewareFunc {
 	}
 }
 
+func externalEntityProviderOrgSyncMiddleware(externalEntityProviderService core.ExternalEntityProviderService) core.MiddlewareFunc {
+	limiter := map[string]time.Time{}
+	return func(next echo.HandlerFunc) echo.HandlerFunc {
+		return func(ctx core.Context) error {
+
+			key := core.GetSession(ctx).GetUserID()
+			if _, ok := limiter[key]; !ok || time.Now().After(limiter[key]) {
+				slog.Info("syncing external entity provider orgs", "userID", key)
+				limiter[key] = time.Now().Add(15 * time.Minute)
+				go func() {
+					if err := externalEntityProviderService.SyncOrgs(ctx); err != nil {
+						slog.Error("could not sync external entity provider orgs", "err", err, "userID", key)
+					}
+				}()
+			}
+			return next(ctx)
+		}
+	}
+}
+
 func externalEntityProviderRefreshMiddleware(externalEntityProviderService core.ExternalEntityProviderService) core.MiddlewareFunc {
 	limiter := map[string]time.Time{}
 
@@ -521,7 +541,7 @@ func BuildRouter(db core.DB) *echo.Echo {
 	apiV1Router.GET("/lookup/", assetController.HandleLookup)
 
 	// everything below this line is protected by the session middleware
-	sessionRouter := apiV1Router.Group("", auth.SessionMiddleware(core.NewAdminClient(ory), patService))
+	sessionRouter := apiV1Router.Group("", auth.SessionMiddleware(core.NewAdminClient(ory), patService), externalEntityProviderOrgSyncMiddleware(externalEntityProviderService))
 	sessionRouter.GET("/oauth2/gitlab/:integrationName/", integrationController.GitLabOauth2Login)
 	sessionRouter.GET("/oauth2/gitlab/callback/:integrationName/", integrationController.GitLabOauth2Callback)
 
diff --git a/internal/core/common_interfaces.go b/internal/core/common_interfaces.go
@@ -223,6 +223,7 @@ type InvitationRepository interface {
 
 type ExternalEntityProviderService interface {
 	RefreshExternalEntityProviderProjects(ctx Context, org models.Org, user string) error
+	SyncOrgs(c echo.Context) error
 }
 
 type ProjectService interface {
diff --git a/internal/core/integrations/external_entity_provider_service.go b/internal/core/integrations/external_entity_provider_service.go
@@ -52,28 +52,40 @@ func (s externalEntityProviderService) TriggerSync(c echo.Context) error {
 	return echo.NewHTTPError(400, "organization is not an external entity provider")
 }
 
-func (s externalEntityProviderService) syncOrgs(c echo.Context) error {
+func (s externalEntityProviderService) SyncOrgs(c echo.Context) error {
 	// return the enabled git providers as well
 	thirdPartyIntegration := core.GetThirdPartyIntegration(c)
-	orgs, err := thirdPartyIntegration.ListOrgs(c)
-	if err != nil {
-		return fmt.Errorf("could not list organizations: %w", err)
-	}
-	// make sure, that the third party organizations exists inside the database
-	if err := s.organizationRepository.Upsert(utils.Ptr(utils.Map(orgs, utils.Ptr)), []clause.Column{
-		{Name: "external_entity_provider_id"},
-	}, nil); err != nil {
-		return fmt.Errorf("could not upsert organizations: %w", err)
-	}
-	return nil
+	userID := core.GetSession(c).GetUserID()
+	_, err, _ := s.singleFlightGroup.Do("syncOrgs/"+userID, func() (any, error) {
+		orgs, err := thirdPartyIntegration.ListOrgs(c)
+		if err != nil {
+			return nil, fmt.Errorf("could not list organizations: %w", err)
+		}
+
+		orgsPtr := utils.Map(orgs, utils.Ptr)
+
+		// make sure, that the third party organizations exists inside the database
+		if err := s.organizationRepository.Upsert(&orgsPtr, []clause.Column{
+			{Name: "external_entity_provider_id"},
+		}, nil); err != nil {
+			return nil, fmt.Errorf("could not upsert organizations: %w", err)
+		}
+
+		// make sure the user is a member of the organizations
+		for _, org := range orgsPtr {
+			if err := s.rbacProvider.GetDomainRBAC(org.GetID().String()).GrantRole(userID, core.RoleMember); err != nil {
+				slog.Warn("could not grant role for user in organization", "user", userID, "orgID", org.GetID(), "err", err)
+			}
+		}
+
+		return nil, nil
+	})
+
+	return err
 }
 
 func (s externalEntityProviderService) RefreshExternalEntityProviderProjects(ctx core.Context, org models.Org, user string) error {
-	err := s.syncOrgs(ctx)
-	if err != nil {
-		slog.Warn("could not sync organizations", "orgID", org.GetID(), "user", user, "err", err)
-		return err
-	}
+
 	_, err, shared := s.singleFlightGroup.Do(org.ID.String()+"/"+user, func() (any, error) {
 		if org.ExternalEntityProviderID == nil {
 			return nil, fmt.Errorf("organization %s does not have an external entity provider configured", org.GetID())
diff --git a/internal/core/integrations/gitlabint/gitlab_integration.go b/internal/core/integrations/gitlabint/gitlab_integration.go
@@ -245,7 +245,7 @@ func (g *GitlabIntegration) HasAccessToExternalEntityProvider(ctx core.Context,
 
 func (g *GitlabIntegration) checkIfTokenIsValid(ctx core.Context, token models.GitLabOauth2Token) bool {
 	// create a new gitlab batch client
-	gitlabClient, err := g.clientFactory.FromOauth2Token(token, true)
+	gitlabClient, err := g.clientFactory.FromOauth2Token(token, false)
 	if err != nil {
 		slog.Error("failed to create gitlab batch client", "err", err)
 		return false

Original file line number	Diff line number	Diff line change
`@@ -223,6 +223,7 @@ type InvitationRepository interface {`
`223`	`223`
`224`	`224`	`type ExternalEntityProviderService interface {`
`225`	`225`	`RefreshExternalEntityProviderProjects(ctx Context, org models.Org, user string) error`
	`226`	`+ SyncOrgs(c echo.Context) error`
`226`	`227`	`}`
`227`	`228`
`228`	`229`	`type ProjectService interface {`