diff --git a/README.md b/README.md
index 1b0a87b9..a8598fb2 100644
--- a/README.md
+++ b/README.md
@@ -112,6 +112,8 @@ Flags:
   -u, --google-admin string Google Admin Email
   -c, --google-credentials string set the path to find credentials for Google (default "credentials.json")
   -h, --help help for ssosync
+ --ignore-groups strings ignores these groups
+ --ignore-users strings ignores these users
  --log-format string log format (default "text")
  --log-level string log level (default "warn")
  -v, --version version for ssosync
@@ -129,6 +131,8 @@ The output of the command when run without 'debug' turned on looks like this:
 2020-05-26T12:08:15.703+0100 INFO internal/sync.go:183 Done sync groups
 ```
+You can ignore users to be synced by setting `--ignore-users user1@example.com,user2@example.com` or `SSOSYNC_IGNORE_USERS=user1@example.com,user2@example.com`. Groups are ignored by setting `--ignore-groups group1@example.com,group1@example.com` or `SSOSYNC_IGNORE_GROUPS=group1@example.com,group1@example.com`.
+
 ## AWS Lambda Usage
 NOTE: Using Lambda may incur costs in your AWS account. Please make sure you have checked
diff --git a/cmd/root.go b/cmd/root.go
index f657d590..3728d48d 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -95,7 +95,7 @@ func initConfig() {
 	viper.SetEnvPrefix("ssosync")
 	viper.AutomaticEnv()
-	for _, e := range []string{"google_admin", "google_credentials", "scim_access_token", "scim_endpoint", "log_level", "log_format"} {
+	for _, e := range []string{"google_admin", "google_credentials", "scim_access_token", "scim_endpoint", "log_level", "log_format", "ignore_users", "ignore_groups"} {
 		if err := viper.BindEnv(e); err != nil {
 			log.Fatalf(errors.Wrap(err, "cannot bind environment variable").Error())
 		}
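Review bot: Binding `ignore_users` and `ignore_groups` with viper.BindEnv only produces a list if whatever later decodes viper into config.Config splits the comma-separated `SSOSYNC_IGNORE_USERS` value the README documents; that decode step is outside this hunk, so it should be confirmed with a test that sets the variable to two addresses and asserts `len(cfg.IgnoreUsers) == 2`. If it is not split, the whole string becomes a single entry that matches nothing and the exclusion list silently has no effect, which is the failure mode to avoid for a setting that gates provisioning. initConfig continues outside the hunk.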
@@ -152,6 +152,8 @@ func addFlags(cmd *cobra.Command, cfg *config.Config) {
 	rootCmd.Flags().StringVarP(&cfg.SCIMEndpoint, "endpoint", "e", "", "SCIM Endpoint")
 	rootCmd.Flags().StringVarP(&cfg.GoogleCredentials, "google-credentials", "c", config.DefaultGoogleCredentials, "set the path to find credentials for Google")
 	rootCmd.Flags().StringVarP(&cfg.GoogleAdmin, "google-admin", "u", "", "Google Admin Email")
+	rootCmd.Flags().StringSliceVar(&cfg.IgnoreUsers, "ignore-users", []string{}, "ignores these users")
+	rootCmd.Flags().StringSliceVar(&cfg.IgnoreGroups, "ignore-groups", []string{}, "ignores these groups")
 }
 func logConfig(cfg *config.Config) {
diff --git a/internal/config/config.go b/internal/config/config.go
index 4a3e9de8..e464435c 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -18,6 +18,10 @@ type Config struct {
 	SCIMAccessToken string `mapstructure:"scim_access_token"`
 	// IsLambda ...
 	IsLambda bool
+	// Ignore users ...
+	IgnoreUsers []string `mapstructure:"ignore_users"`
+	// Ignore groups ...
+	IgnoreGroups []string `mapstructure:"ignore_groups"`
 }
 const (
diff --git a/internal/sync.go b/internal/sync.go
index 50f9b889..d636bc2a 100644
--- a/internal/sync.go
+++ b/internal/sync.go
@@ -37,15 +37,17 @@ type SyncGSuite interface {
 type syncGSuite struct {
 	aws aws.Client
 	google google.Client
+	cfg *config.Config
 	users map[string]*aws.User
 }
 // New will create a new SyncGSuite object
-func New(a aws.Client, g google.Client) SyncGSuite {
+func New(cfg *config.Config, a aws.Client, g google.Client) SyncGSuite {
 	return &syncGSuite{
 		aws: a,
 		google: g,
+		cfg: cfg,
 		users: make(map[string]*aws.User),
 	}
 }
@@ -84,6 +86,10 @@ func (s *syncGSuite) SyncUsers() error {
 	}
 	for _, u := range googleUsers {
+		if s.ignoreUser(u.PrimaryEmail) {
+			continue
+		}
+
 		ll := log.WithFields(log.Fields{
 			"email": u.PrimaryEmail,
 		})
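Review bot: The help strings `ignores these users` and `ignores these groups` on the two new StringSliceVar lines do not tell the operator what an entry looks like, and since ignoreUser/ignoreGroup in internal/sync.go compare against e-mail addresses the form matters. Suggest `"comma-separated list of user e-mail addresses to skip during sync"` and `"comma-separated list of group e-mail addresses to skip during sync"`, which also lines the flag text up with the README paragraph added in this commit. addFlags starts outside the hunk.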
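Review bot: The new field comments `// Ignore users ...` and `// Ignore groups ...` in config.go are placeholders, and as the fields are exported the Go convention is a sentence starting with the field name. Suggest `// IgnoreUsers lists primary e-mail addresses of Google users that are skipped during sync (env SSOSYNC_IGNORE_USERS).` and `// IgnoreGroups lists e-mail addresses of Google groups that are skipped during sync (env SSOSYNC_IGNORE_GROUPS).`, so the semantics of the exclusion list are recorded where the type is defined. Config starts outside the hunk.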
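Review bot: In the SyncUsers hunk the `continue` for an ignored user runs before anything is recorded about that user, so if `s.users` is populated later in this loop (the rest of SyncUsers is outside the hunk) an ignored user who is a member of a synced Google group will not be resolvable when SyncGroups adds members; that case should be handled deliberately rather than left to whatever the lookup does on a miss. The hunk also shows nothing about a user who was provisioned earlier and is then added to the ignore list — as written they are simply left untouched, and the README should state whether ignoring means "never create" or "never touch". A `log.WithFields(log.Fields{"email": u.PrimaryEmail}).Debug("user in ignore list, skipping")` before the continue would make the exclusion visible in the run output, which matters for auditing who was not provisioned and why.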
@@ -136,8 +142,12 @@ func (s *syncGSuite) SyncGroups() error {
 	correlatedGroups := make(map[string]*aws.Group)
 	for _, g := range googleGroups {
+		if s.ignoreGroup(g.Email) {
+			continue
+		}
+
 		log := log.WithFields(log.Fields{
-			"group": g.Name,
+			"group": g.Email,
 		})
 		log.Debug("Check group")
@@ -205,17 +215,6 @@ func (s *syncGSuite) SyncGroups() error {
 		}
 	}
-	// log.Info("Clean up AWS groups")
-	// for _, g := range awsGroups {
-	// 	if _, ok := correlatedGroups[g.DisplayName]; !ok {
-	// 		log.Info("Delete Group in AWS", zap.String("group", g.DisplayName))
-	// 		err := s.aws.DeleteGroup(&g)
-	// 		if err != nil {
-	// 			return err
-	// 		}
-	// 	}
-	// }
-
 	return nil
 }
@@ -249,7 +248,7 @@ func DoSync(ctx context.Context, cfg *config.Config) error {
 		return err
 	}
-	c := New(awsClient, googleClient)
+	c := New(cfg, awsClient, googleClient)
 	err = c.SyncUsers()
 	if err != nil {
 		return err
@@ -262,3 +261,23 @@ func DoSync(ctx context.Context, cfg *config.Config) error {
 	return nil
 }
+
+func (s *syncGSuite) ignoreUser(name string) bool {
+	for _, u := range s.cfg.IgnoreUsers {
+		if u == name {
+			return true
+		}
+	}
+
+	return false
+}
+
+func (s *syncGSuite) ignoreGroup(name string) bool {
+	for _, g := range s.cfg.IgnoreGroups {
+		if g == name {
+			return true
+		}
+	}
+
+	return false
+}
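Review bot: ignoreUser and ignoreGroup compare with `==`, so an ignore-list entry that differs from the address Google returns only by letter case or by surrounding whitespace (easy to get when the list comes from a comma-separated env var) silently fails to match and the account or group is synced anyway; suggest `if strings.EqualFold(strings.TrimSpace(u), name) {` in both loops, adding `strings` to the imports if it is not already there. Both helpers also dereference `s.cfg` without a nil check, so `New(nil, a, g)` panics on the first Google user — either guard in New or state in its doc comment that cfg must be non-nil. Normalising both lists once in New (trim, lowercase, into a `map[string]struct{}`) would remove the repeated linear scans and keep the two helpers, which are otherwise duplicates, behaving identically.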