Fetching group members from groups rather than memberships of each pr…
…incipal
mvbrock committed Jan 11, 2025
1 parent acf1415 commit 3c90b4d
Showing 2 changed files with 16 additions and 11 deletions.
8 changes: 0 additions & 8 deletions lib/msgraph/paginated.go
Expand Up @@ -109,14 +109,6 @@ func (c *Client) IterateServicePrincipals(ctx context.Context, f func(principal
return iterateSimple(c, ctx, "servicePrincipals", f)
}

// IterateUserMemberships lists all group memberships for a given user ID as directory objects.
// `f` will be called for each directory object in the result set.
// if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop).
// Ref: [https://learn.microsoft.com/en-us/graph/api/group-list-memberof].
func (c *Client) IterateUserMemberships(ctx context.Context, userID string, f func(object *DirectoryObject) bool) error {
return iterateSimple(c, ctx, path.Join("users", userID, "memberOf"), f)
}

// IterateGroupMembers lists all members for the given Entra ID group using pagination.
// `f` will be called for each object in the result set.
// if `f` returns `false`, the iteration is stopped (equivalent to `break` in a normal loop).
19 changes: 16 additions & 3 deletions lib/srv/discovery/fetchers/azure-sync/memberships.go
Expand Up @@ -20,25 +20,38 @@ package azuresync

import (
"context"

"github.com/gravitational/trace"
"golang.org/x/sync/errgroup"

accessgraphv1alpha "github.com/gravitational/teleport/gen/proto/go/accessgraph/v1alpha"
"github.com/gravitational/teleport/lib/msgraph"
)

const groupType = "group"

const parallelism = 10 //nolint:unused // invoked in a dependent PR

// expandMemberships adds membership data to AzurePrincipal objects by querying the Graph API for group memberships
func expandMemberships(ctx context.Context, cli *msgraph.Client, principals []*accessgraphv1alpha.AzurePrincipal) ([]*accessgraphv1alpha.AzurePrincipal, error) { //nolint:unused // invoked in a dependent PR
// Map principals by ID
var principalsMap = make(map[string]*accessgraphv1alpha.AzurePrincipal)
for _, principal := range principals {
principalsMap[principal.Id] = principal
}
// Iterate through the Azure groups and add the group ID as a membership for its corresponding principal
eg, _ := errgroup.WithContext(ctx)
eg.SetLimit(parallelism)
errCh := make(chan error, len(principals))
for _, principal := range principals {
if principal.ObjectType != "group" {
continue
}
group := principal
eg.Go(func() error {
err := cli.IterateUserMemberships(ctx, principal.Id, func(obj *msgraph.DirectoryObject) bool {
principal.MemberOf = append(principal.MemberOf, *obj.ID)
err := cli.IterateGroupMembers(ctx, group.Id, func(member msgraph.GroupMember) bool {
if memberPrincipal, ok := principalsMap[*member.GetID()]; ok {
memberPrincipal.MemberOf = append(memberPrincipal.MemberOf, group.Id)
}
return true
})
if err != nil {
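Review bot: The callback passed to `cli.IterateGroupMembers` appends to `memberPrincipal.MemberOf` from up to `parallelism` goroutines with no synchronization, so a principal that is a member of more than one group is written concurrently from different goroutines — a data race that `go test -race` would flag and that can lose or corrupt memberships; a `sync.Mutex` around the append (with `sync` added to the import block) closes it. Separately, `eg, _ := errgroup.WithContext(ctx)` discards the derived context while the closure hands the outer `ctx` to `IterateGroupMembers`, so a failure in one goroutine does not cancel the remaining Graph calls; the derived context should be used instead. The `*member.GetID()` dereference assumes `GetID` never returns nil, which I cannot confirm from this hunk. The body of `expandMemberships` continues past the end of the hunk, so the handling of `err` and `errCh` is not visible here.
```go
	eg, egCtx := errgroup.WithContext(ctx)
	eg.SetLimit(parallelism)
	errCh := make(chan error, len(principals))
	var mu sync.Mutex // guards MemberOf appends shared across the per-group goroutines
	// … unchanged: loop over principals, skip non-groups, capture group …
		eg.Go(func() error {
			err := cli.IterateGroupMembers(egCtx, group.Id, func(member msgraph.GroupMember) bool {
				if memberPrincipal, ok := principalsMap[*member.GetID()]; ok {
					mu.Lock()
					memberPrincipal.MemberOf = append(memberPrincipal.MemberOf, group.Id)
					mu.Unlock()
				}
				return true
			})
			// … unchanged: error handling …
```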
