Add mechanism for synchronizing group membership to Okta

Author: the-maldridge

go.sum

@@ -38,6 +38,7 @@ github.com/cznic/strutil v0.0.0-20181122101858-275e90344537/go.mod h1:AHHPPPXTw0
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/edsrzf/mmap-go v1.0.0/go.mod h1:YO35OhQPt3KJa3ryjFM5Bs14WD66h8eGKpfaBNrHW5M=
 github.com/facebookgo/ensure v0.0.0-20160127193407-b4ab57deab51/go.mod h1:Yg+htXGokKKdzcwhuNDwVvN+uBxDGXJ7G/VN1d8fa64=

impl/groupsync.go

@@ -0,0 +1,95 @@
+package impl
+
+import (
+	"time"
+
+	"github.com/NetAuth/NetAuth/pkg/client"
+
+	pb "github.com/NetAuth/Protocol"
+)
+
+func (o OktaPlugin) groupSyncTimer() {
+	ticker := time.NewTicker(cfg.GetDuration("interval"))
+
+	for range ticker.C {
+		o.syncGroups()
+	}
+}
+
+func (o OktaPlugin) syncGroups() {
+	c, err := client.New()
+	groups, err := c.SearchGroups("*")
+	if err != nil {
+		appLogger.Warn("Not running syncGroups()", "error", err)
+		return
+	}
+
+	// Filter on manageable groups
+	oktaGroups := make(map[string]pb.Group)
+	for _, g := range groups.GetGroups() {
+		oktaID := getGroupOktaID(*g)
+		if oktaID != "" {
+			oktaGroups[oktaID] = *g
+		}
+	}
+
+	// Compute what we want the groups to look like
+	want := make(map[string]map[string]struct{})
+	for gid, g := range oktaGroups {
+		want[gid] = make(map[string]struct{})
+
+		members, err := c.ListGroupMembers(g.GetName())
+		if err != nil {
+			appLogger.Warn("Failed to get memberships", "group", g.GetName(), "error", err)
+			continue
+		}
+		for _, e := range members {
+			if id := getEntityOktaID(*e); id != "" {
+				want[gid][id] = struct{}{}
+			}
+		}
+	}
+
+	// Get existing memberships
+	for gid := range oktaGroups {
+		users, _, err := o.c.Group.ListGroupUsers(gid, nil)
+		if err != nil {
+			appLogger.Warn("Not updating membership for group",
+				"group", oktaGroups[gid].Name,
+				"error", err)
+			continue
+		}
+		for i := range users {
+			if _, ok := want[gid][users[i].Id]; ok {
+				// User is already there, drop it from
+				// the want list
+				delete(want[gid], users[i].Id)
+			} else {
+				// User is there and shouldn't be, get
+				// rid of them.
+				_, err := o.c.Group.RemoveGroupUser(gid, users[i].Id)
+				if err != nil {
+					appLogger.Warn("Failed to remove user from group",
+						"group", gid,
+						"user", users[i].Id,
+						"error", err)
+				}
+				appLogger.Trace("Removing okta user",
+					"group", gid,
+					"user", users[i].Id)
+			}
+		}
+	}
+
+	// Add the remaining users
+	for gid := range oktaGroups {
+		for user := range want[gid] {
+			if _, err := o.c.Group.AddUserToGroup(gid, user); err != nil {
+				appLogger.Warn("Failed to add user to group",
+					"group", gid,
+					"user", user,
+					"error", err)
+			}
+		}
+	}
+}

impl/main.go

@@ -3,6 +3,7 @@ package impl
 import (
 	"context"
 	"os"
+	"time"
 
 	"github.com/hashicorp/go-hclog"
 	"github.com/okta/okta-sdk-golang/okta"
@@ -38,6 +39,9 @@ func init() {
 	viper.SetDefault("plugin.okta.orgurl", "")
 	viper.SetDefault("plugin.okta.tokan", "")
 	viper.SetDefault("plugin.okta.domain", "")
+	viper.SetDefault("plugin.okta.interval", time.Minute*20)
+
+	viper.Set("client.ServiceName", "okta-groupsync")
 
 	cfg = viper.Sub("plugin.okta")
 }
@@ -54,8 +58,13 @@ func New() tree.Plugin {
 		appLogger.Error("Okta Error during initailization", "error", err)
 	}
 
-	return OktaPlugin{
+	x := OktaPlugin{
 		NullPlugin: tree.NullPlugin{},
 		c:          client,
 	}
+
+	x.syncGroups()
+	go x.groupSyncTimer()
+
+	return x
 }