feat(sonarqube): make admin group path configurable though console

Co-authered-by: William Phetsinorath <william.phetsinorath@shikanime.studio>
Signed-off-by: William Phetsinorath <william.phetsinorath-open@interieur.gouv.fr>

Author: shikanime

packages/shared/src/utils/const.ts

@@ -1,4 +1,3 @@
-export const adminGroupPath = '/admin'
 export const deleteValidationInput = 'DELETE'
 export const forbiddenRepoNames = ['mirror', 'infra-apps', 'infra-observability']
 

plugins/sonarqube/src/functions.ts

@@ -1,22 +1,12 @@
-import { adminGroupPath } from '@cpn-console/shared'
-import type { Project, StepCall } from '@cpn-console/hooks'
-import { generateProjectKey, parseError } from '@cpn-console/hooks'
+import type { AdminRole, Project, StepCall } from '@cpn-console/hooks'
+import { generateProjectKey, parseError, specificallyEnabled } from '@cpn-console/hooks'
 import type { VaultProjectApi } from '@cpn-console/vault-plugin/types/vault-project-api.js'
-import { ensureGroupExists, findGroupByName } from './group.js'
+import { addUserToGroup, ensureGroupExists, getGroupMembers, removeUserFromGroup } from './group.js'
 import type { VaultSonarSecret } from './tech.js'
 import { getAxiosInstance } from './tech.js'
-import type { SonarUser } from './user.js'
-import { ensureUserExists } from './user.js'
-import type { SonarPaging } from './project.js'
+import { ensureUserExists, getUser } from './user.js'
 import { createDsoRepository, deleteDsoRepository, ensureRepositoryConfiguration, files, findSonarProjectsForDsoProjects } from './project.js'
-
-const globalPermissions = [
-  'admin',
-  'profileadmin',
-  'gateadmin',
-  'scan',
-  'provisioning',
-]
+import { DEFAULT_ADMIN_GROUP_PATH, DEFAULT_READONLY_GROUP_PATH } from './infos.js'
 
 const projectPermissions = [
   'admin',
@@ -25,75 +15,163 @@ const projectPermissions = [
   'securityhotspotadmin',
   'scan',
   'user',
-]
+] as const
 
-export async function initSonar() {
-  await setTemplatePermisions()
-  await createAdminGroup()
-  await setAdminPermisions()
-}
+const readonlyProjectPermissions = [
+  'codeviewer',
+  'user',
+  'scan',
+  'issueadmin',
+  'securityhotspotadmin',
+] as const
 
-async function createAdminGroup() {
-  const axiosInstance = getAxiosInstance()
-  const adminGroup = await findGroupByName(adminGroupPath)
-  if (!adminGroup) {
-    await axiosInstance({
-      method: 'post',
-      params: {
-        name: adminGroupPath,
-        description: 'DSO platform admins',
+export const upsertAdminRole: StepCall<AdminRole> = async (payload) => {
+  try {
+    const role = payload.args
+    const adminGroupPath = payload.config.sonarqube?.adminGroupPath ?? DEFAULT_ADMIN_GROUP_PATH
+    const readonlyGroupPath = payload.config.sonarqube?.readonlyGroupPath ?? DEFAULT_READONLY_GROUP_PATH
+    if (!readonlyGroupPath) {
+      throw new Error('readonlyGroupPath is required')
+    }
+    const purge = payload.config.sonarqube?.purge
+    if (!adminGroupPath) {
+      throw new Error('adminGroupPath is required')
+    }
+
+    let managedGroupPath: string | undefined
+
+    if (role.oidcGroup === adminGroupPath) {
+      managedGroupPath = adminGroupPath
+      await ensureAdminTemplateExists(adminGroupPath)
+      await ensureGroupExists(adminGroupPath)
+      await setTemplateGroupPermissions(adminGroupPath, projectPermissions, adminGroupPath)
+    } else if (role.oidcGroup === readonlyGroupPath) {
+      managedGroupPath = readonlyGroupPath
+      await ensureReadonlyTemplateExists(readonlyGroupPath)
+      await ensureGroupExists(readonlyGroupPath)
+      await setTemplateGroupPermissions(readonlyGroupPath, readonlyProjectPermissions, readonlyGroupPath)
+    }
+
+    if (!managedGroupPath) {
+      return {
+        status: {
+          result: 'OK',
+          message: 'Not a managed role for SonarQube plugin',
+        },
+      }
+    }
+
+    const groupMembers = await getGroupMembers(managedGroupPath)
+
+    await Promise.all([
+      ...role.members.map((member) => {
+        if (!groupMembers.includes(member.email)) {
+          return addUserToGroup(managedGroupPath, member.email)
+            .catch((error) => {
+              console.warn(`Failed to add user ${member.email} to group ${managedGroupPath}`, error)
+            })
+        }
+        return undefined
+      }),
+      ...groupMembers.map((memberEmail) => {
+        if (!role.members.some(m => m.email === memberEmail)) {
+          if (specificallyEnabled(purge)) {
+            return removeUserFromGroup(managedGroupPath, memberEmail)
+              .catch((error) => {
+                console.warn(`Failed to remove user ${memberEmail} from group ${managedGroupPath}`, error)
+              })
+          }
+        }
+        return undefined
+      }),
+    ])
+
+    return {
+      status: {
+        result: 'OK',
+        message: 'Admin role synced',
       },
-      url: 'user_groups/create',
-    })
+    }
+  } catch (error) {
+    return {
+      error: parseError(error),
+      status: {
+        result: 'KO',
+        message: 'An error occured while syncing admin role',
+      },
+    }
   }
 }
 
-async function setAdminPermisions() {
+async function setTemplateGroupPermissions(groupName: string, permissions: readonly string[], templateName: string) {
   const axiosInstance = getAxiosInstance()
-  for (const permission of globalPermissions) {
-    await axiosInstance({
+  await Promise.all(permissions.map(permission =>
+    axiosInstance({
       method: 'post',
       params: {
-        groupName: adminGroupPath,
+        groupName,
+        templateName,
         permission,
       },
-      url: 'permissions/add_group',
-    })
-  }
+      url: 'permissions/add_group_to_template',
+    }),
+  ))
 }
 
-async function setTemplatePermisions() {
+async function ensureAdminTemplateExists(adminTemplateName: string) {
   const axiosInstance = getAxiosInstance()
+
+  // Create Admin Template
   await axiosInstance({
     method: 'post',
-    params: { name: 'Forge Default' },
+    params: { name: adminTemplateName },
     url: 'permissions/create_template',
     validateStatus: code => [200, 400].includes(code),
   })
-  for (const permission of projectPermissions) {
-    await axiosInstance({
+
+  // Add Project Creator and sonar-administrators to Admin Template
+  await Promise.all(projectPermissions.map(permission =>
+    axiosInstance({
       method: 'post',
       params: {
-        templateName: 'Forge Default',
+        templateName: adminTemplateName,
         permission,
       },
       url: 'permissions/add_project_creator_to_template',
-    })
-    await axiosInstance({
+    }),
+  ))
+  await setTemplateGroupPermissions('sonar-administrators', projectPermissions, adminTemplateName)
+}
+
+async function ensureReadonlyTemplateExists(readonlyTemplateName: string) {
+  const axiosInstance = getAxiosInstance()
+
+  // Create Readonly Template
+  await axiosInstance({
+    method: 'post',
+    params: { name: readonlyTemplateName },
+    url: 'permissions/create_template',
+    validateStatus: code => [200, 400].includes(code),
+  })
 
+  // Add Project Creator and sonar-administrators to Readonly Template
+  await Promise.all(projectPermissions.map(permission =>
+    axiosInstance({
       method: 'post',
       params: {
-        groupName: 'sonar-administrators',
-        templateName: 'Forge Default',
+        templateName: readonlyTemplateName,
         permission,
       },
-      url: 'permissions/add_group_to_template',
-    })
-  }
+      url: 'permissions/add_project_creator_to_template',
+    }),
+  ))
+  await setTemplateGroupPermissions('sonar-administrators', projectPermissions, readonlyTemplateName)
+
+  // Set Readonly Template as Default
   await axiosInstance({
     method: 'post',
     params: {
-      templateName: 'Forge Default',
+      templateName: readonlyTemplateName,
     },
     url: 'permissions/set_default_template',
   })
@@ -166,7 +244,9 @@ export const setVariables: StepCall<Project> = async (payload) => {
       ...project.repositories.map(async (repo) => {
         const projectKey = generateProjectKey(projectSlug, repo.internalRepoName)
         const repoId = await payload.apis.gitlab.getProjectId(repo.internalRepoName)
-        if (!repoId) return
+        if (!repoId) {
+          throw new Error(`Unable to find GitLab project for repository ${repo.internalRepoName}`)
+        }
         const listVars = await gitlabApi.getGitlabRepoVariables(repoId)
         return [
           await gitlabApi.setGitlabRepoVariable(repoId, listVars, {
@@ -231,13 +311,7 @@ export const deleteProject: StepCall<Project> = async (payload) => {
   try {
     const sonarRepositories = await findSonarProjectsForDsoProjects(projectSlug)
     await Promise.all(sonarRepositories.map(repo => deleteRepo(repo.key)))
-    const users: { paging: SonarPaging, users: SonarUser[] } = (await axiosInstance({
-      url: 'users/search',
-      params: {
-        q: username,
-      },
-    }))?.data
-    const user = users.users.find(u => u.login === username)
+    const user = await getUser(username)
     if (!user) {
       return {
         status: {

plugins/sonarqube/src/group.ts

@@ -1,6 +1,26 @@
 import { getAxiosInstance } from './tech.js'
 import type { SonarPaging } from './project.js'
+import { find, getAll, iter } from './utils.js'
 
+export async function getGroupMembers(groupName: string): Promise<string[]> {
+  const axiosInstance = getAxiosInstance()
+  const users = await getAll<{ login: string }>(iter(async (page, pageSize) => {
+    const response = await axiosInstance({
+      url: 'user_groups/users',
+      params: {
+        name: groupName,
+        p: page,
+        ps: pageSize,
+      },
+    })
+    const data: { paging: SonarPaging, users: { login: string }[] } = response.data
+    return {
+      items: data.users,
+      paging: data.paging,
+    }
+  }))
+  return users.map(u => u.login)
+}
 export interface SonarGroup {
   id: string
   name: string
@@ -9,15 +29,23 @@ export interface SonarGroup {
   default: boolean
 }
 
-export async function findGroupByName(name: string): Promise<void | SonarGroup> {
+export async function findGroupByName(name: string): Promise<SonarGroup | undefined> {
   const axiosInstance = getAxiosInstance()
-  const groupsSearch: { paging: SonarPaging, groups: SonarGroup[] } = (await axiosInstance({
-    url: 'user_groups/search',
-    params: {
-      q: name,
-    },
-  }))?.data
-  return groupsSearch.groups.find(g => g.name === name)
+  return find<SonarGroup>(iter(async (page, pageSize) => {
+    const response = await axiosInstance({
+      url: 'user_groups/search',
+      params: {
+        q: name,
+        p: page,
+        ps: pageSize,
+      },
+    })
+    const data: { paging: SonarPaging, groups: SonarGroup[] } = response.data
+    return {
+      items: data.groups,
+      paging: data.paging,
+    }
+  }), group => group.name === name)
 }
 
 export async function ensureGroupExists(groupName: string) {
@@ -33,3 +61,27 @@ export async function ensureGroupExists(groupName: string) {
     })
   }
 }
+
+export async function addUserToGroup(groupName: string, login: string) {
+  const axiosInstance = getAxiosInstance()
+  await axiosInstance({
+    url: 'user_groups/add_user',
+    method: 'post',
+    params: {
+      name: groupName,
+      login,
+    },
+  })
+}
+
+export async function removeUserFromGroup(groupName: string, login: string) {
+  const axiosInstance = getAxiosInstance()
+  await axiosInstance({
+    url: 'user_groups/remove_user',
+    method: 'post',
+    params: {
+      name: groupName,
+      login,
+    },
+  })
+}

plugins/sonarqube/src/index.ts

@@ -1,19 +1,23 @@
-import type { HookStepsNames, Plugin } from '@cpn-console/hooks'
+import type { DeclareModuleGenerator, HookStepsNames, Plugin } from '@cpn-console/hooks'
 import { getStatus } from './check.js'
-import { deleteProject, initSonar, setVariables, upsertProject } from './functions.js'
+import { deleteProject, setVariables, upsertAdminRole, upsertProject } from './functions.js'
 import infos from './infos.js'
 import monitor from './monitor.js'
 
-function start(_options: unknown) {
+function start() {
   try {
-    initSonar()
     getStatus()
   } catch (_error) {}
 }
 
 export const plugin: Plugin = {
   infos,
   subscribedHooks: {
+    upsertAdminRole: {
+      steps: {
+        main: upsertAdminRole,
+      },
+    },
     upsertProject: {
       steps: {
         main: upsertProject,
@@ -34,4 +38,5 @@ declare module '@cpn-console/hooks' {
   interface PluginResult {
     errors?: Partial<Record<HookStepsNames, unknown>>
   }
+  interface Config extends DeclareModuleGenerator<typeof infos, 'global'> {}
 }