diff --git a/.github/workflows/release-deploy.yml b/.github/workflows/release-deploy.yml new file mode 100644 index 0000000..22815ec --- /dev/null +++ b/.github/workflows/release-deploy.yml @@ -0,0 +1,42 @@ +name: 'Release: Deploy PR' + +on: + pull_request: + branches: [ master ] + types: [ closed ] + +jobs: + release-deploy: + if: github.event.pull_request.merged == true # only run on PR merge + runs-on: ubuntu-latest + steps: + + - name: Configure release + run: | + PR_TITLE=$(jq -r ".pull_request.title" $GITHUB_EVENT_PATH) + PR_BODY=$(jq -r ".pull_request.body" $GITHUB_EVENT_PATH) + RELEASE_TAG=$(echo "${PR_TITLE}" | grep -oP "(?<=^Release: )v\d+\.\d+\.\d+(-rc\.\d+)?$") + + if [[ "${RELEASE_TAG}" =~ -rc\.[0-9]+$ ]]; then + RELEASE_PRERELEASE=true + else + RELEASE_PRERELEASE=false + fi + + echo "PR_TITLE=${PR_TITLE}" >> $GITHUB_ENV + echo "RELEASE_TAG=${RELEASE_TAG}" >> $GITHUB_ENV + echo "RELEASE_PRERELEASE=${RELEASE_PRERELEASE}" >> $GITHUB_ENV + + echo 'PR_BODY<> $GITHUB_ENV + echo "${PR_BODY}" >> $GITHUB_ENV + echo 'END_OF_PR_BODY' >> $GITHUB_ENV + + - name: Create release + uses: ncipollo/release-action@v1 + with: + token: ${{ secrets.BOT_GITHUB_TOKEN }} + commit: '${{ github.sha }}' + tag: '${{ env.RELEASE_TAG }}' + body: '${{ env.PR_BODY }}' + draft: false + prerelease: ${{ env.RELEASE_PRERELEASE }} diff --git a/.github/workflows/release-prepare.yml b/.github/workflows/release-prepare.yml new file mode 100644 index 0000000..303087f --- /dev/null +++ b/.github/workflows/release-prepare.yml @@ -0,0 +1,113 @@ +name: 'Release: Prepare PR' + +on: + push: + branches: [ develop ] + +env: + GITHUB_USERNAME: jarvus-bot + GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }} + RELEASE_BRANCH: master + +jobs: + release-prepare: + runs-on: ubuntu-latest + steps: + + - uses: actions/checkout@v2 + with: + fetch-depth: 0 + + # - uses: mxschmitt/action-tmate@v3 + + - name: Create/update pull request + run: | + # get latest release tag + latest_release=$(git describe --tags --abbrev=0 "origin/${RELEASE_BRANCH}") + latest_release_bumped=$(echo $latest_release | awk -F. -v OFS=. '{$NF++;print}') + + + # create or update PR + pr_body="$(cat < /tmp/pr.json + pr_number=$(hub pr list -h develop -f '%I') + echo "Opened PR #${pr_number}" + fi + + + # build changelog + commits=$( + git log \ + --first-parent \ + --reverse \ + --format="%H" \ + "origin/${RELEASE_BRANCH}..develop" + ) + + changelog=() + + while read -r commit; do + subject="$(git show -s --format=%s "${commit}")" + line="" + + if [[ "${subject}" =~ Merge\ pull\ request\ \#([0-9]+) ]]; then + line="$(hub pr show -f '%t [%i] @%au' "${BASH_REMATCH[1]}" || true)" + fi + + if [ -z "${line}" ]; then + author="$(hub api "/repos/${GITHUB_REPOSITORY}/commits/${commit}" -H Accept:application/vnd.github.v3+json | jq -r '.author.login')" + if [ -n "${author}" ]; then + author="@${author}" + else + author="$(git show -s --format=%ae "${commit}")" + fi + + line="${subject} ${author}" + fi + + # move ticket number prefix into to existing square brackets at end + line="$(echo "${line}" | perl -pe 's/^([A-Z]+-[0-9]+):?\s*(.*?)\s*\[([^]]+)\]\s*(\S+)$/\2 [\3, \1] \4/')" + + # move ticket number prefix into to new square brackets at end + line="$(echo "${line}" | perl -pe 's/^([A-Z]+-[0-9]+):?\s*(.*?)\s*(\S+)$/\2 [\1] \3/')" + + # combine doubled square brackets at the end + line="$(echo "${line}" | perl -pe 's/^\s*(.*?)\s*\[([A-Z]+-[0-9]+)\]\s*\[([^]]+)\]\s*(\S+)$/\1 [\3, \2] \4/')" + + changelog+=("- ${line}") + done <<< "${commits}" + + + # create or update comment + comment_body="$(cat <> $GITHUB_ENV + else + echo 'PR title must match format "Release: vX.Y.Z(-rc.#)?"' + exit 1 + fi + + # check that tag doesn't exist + if git ls-remote --exit-code "https://${GITHUB_ACTOR}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}" "refs/tags/${RELEASE_TAG}"; then + echo "The PR title's version exists already" + exit 1 + fi diff --git a/README.md b/README.md index e77945c..3d7ada1 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,20 @@ # slate-connector-looker Synchronize users from Slate to Looker + +## What gets pushed + +### Permissions & Roles + +We are currently adding the following groups/roles/custom attributes in Looker: + +- Role: `Admin` -- Network hub users that have been manually promoted to Administrator or Developer in the hub. This is currently being done directly in the DB. +- Role: `Staff(explore)` -- Slate network site users that are Administrator or Developer's in their respective slate site. +- Role: `Staff(view)` -- Slate network site users that have Staff account level in their respective slate site. This likely needs to be expanded to include Teacher account level slate accounts. +- Group: `[School] Administrators` -- Slate network site users that are Admin/Dev in their respective slate sites. +- Group: `[School] Staff` -- Slate network site users that are Staff/Teacher in their respective slate sites. +- Group: `[School] Students` -- Slate network site users that are Students in their respective slate sites. + +### Custom Attributes + +- `school`: Set from Slate Network School record config. This is currently only editable directly from the DB. It is also currently only set during the sync workflow when the user has only one school association. This seems fine, however we will likely need to create another workflow for updating this value via a multi-school hub user workflow. +- `student_id`: Set from the slate network users StudentNumber in their respective slate instance. diff --git a/html-templates/connectors/looker/createJob.tpl b/html-templates/connectors/looker/createJob.tpl index 7564f71..d72a9e4 100644 --- a/html-templates/connectors/looker/createJob.tpl +++ b/html-templates/connectors/looker/createJob.tpl @@ -1,9 +1,9 @@ {extends designs/site.tpl} -{block title}Push to Canvas — {$dwoo.parent}{/block} +{block title}Push to Looker — {$dwoo.parent}{/block} {block content} -

Push to Canvas

+

Push to Looker

Input

Run from template

@@ -56,6 +56,18 @@

+
+ Network Schools + {foreach from=\Slate\NetworkHub\School::getAll() item=School} +

+ +

+ {/foreach} +
+
User Accounts

diff --git a/php-classes/Slate/Connectors/Looker/Connector.php b/php-classes/Slate/Connectors/Looker/Connector.php index 8b5f9c9..6172e88 100644 --- a/php-classes/Slate/Connectors/Looker/Connector.php +++ b/php-classes/Slate/Connectors/Looker/Connector.php @@ -22,6 +22,8 @@ use Emergence\People\ContactPoint\Email AS EmailContactPoint; use Emergence\Util\Data AS DataUtil; +use Slate\NetworkHub\SchoolUser; + class Connector extends SAML2Connector implements ISynchronize { public static $title = 'Looker'; @@ -53,6 +55,7 @@ protected static function _getJobConfig(array $requestData) $config['clientId'] = $requestData['clientId']; $config['clientSecret'] = $requestData['clientSecret']; $config['pushUsers'] = !empty($requestData['pushUsers']); + $config['pushSchools'] = $requestData['schools']; return $config; } @@ -119,18 +122,8 @@ public static function pushUser(IPerson $User, LoggerInterface $logger = null, $ { $logger = static::getLogger($logger); - // get mapping - $mappingData = [ - 'ContextClass' => $User->getRootClass(), - 'ContextID' => $User->ID, - 'Connector' => static::getConnectorId(), - 'ExternalKey' => 'user[id]' - ]; - - $Mapping = Mapping::getByWhere($mappingData); - // sync account - if ($Mapping) { + if ($Mapping = static::getUserMapping($User)) { $logger->debug( 'Found mapping to Looker user {lookerUserId}, checking for updates...', [ @@ -141,6 +134,10 @@ public static function pushUser(IPerson $User, LoggerInterface $logger = null, $ // check for any changes $lookerUser = LookerAPI::getUserById($Mapping->ExternalIdentifier, ['fields' => 'id,first_name,last_name,email,group_ids,role_ids']); + if (isset($lookerUser['message']) && $lookerUser['message'] === 'Not found') { + throw new SyncException('Failed to find Looker User with ID '. $Mapping->ExternalIdentifier); + } + $lookerUserChanges = []; if ($lookerUser['first_name'] != $User->FirstName) { @@ -267,14 +264,13 @@ public static function pushUser(IPerson $User, LoggerInterface $logger = null, $ ); } - $mappingData['ExternalIdentifier'] = $lookerResponse['id']; - $Mapping = Mapping::create($mappingData, true); + $Mapping = static::createUserMapping($User, $lookerResponse['id']); $credentialsResponse = LookerAPI::createUserEmailCredentials($Mapping->ExternalIdentifier, [ 'email' => $User->Email ]); - $logger->notice( + $logger->debug( 'Created Looker user credentials for {slateEmail}', [ 'slateEmail' => $User->Email, @@ -335,6 +331,29 @@ public static function pushUser(IPerson $User, LoggerInterface $logger = null, $ } } + protected static function getUserMappingData(IPerson $User) + { + return [ + 'ContextClass' => $User->getRootClass(), + 'ContextID' => $User->ID, + 'Connector' => static::getConnectorId(), + 'ExternalKey' => 'user[id]' + ]; + } + + protected static function getUserMapping(IPerson $User) + { + return Mapping::getByWhere(static::getUserMappingData($User)); + } + + protected static function createUserMapping(IPerson $User, $externalIdentifier) + { + $mappingData = static::getUserMappingData($User); + $mappingData['ExternalIdentifier'] = $externalIdentifier; + + return Mapping::create($mappingData, true); + } + protected static function getUserRoles(IPerson $User) { $roleIds = []; @@ -376,18 +395,23 @@ protected static function syncUserRoles(IPerson $User, array $lookerUser, Logger if (!$pretend) { $lookerResponse = LookerAPI::updateUserRoles($lookerUser['id'], $rolesToAdd); - if (empty($lookerResponse) || !is_array($lookerResponse)) { + if ( + empty($lookerResponse) || + !is_array($lookerResponse) || + (!empty($lookerResponse['message']) && $lookerResponse['message'] == 'Not found') + ) { $logger->error('Unexpected response syncing user roles', [ 'lookerResponse' => $lookerResponse ]); - return new SyncException( + throw new SyncException( 'Unable to sync user roles.', [ 'lookerResponse' => $lookerResponse ] ); } + $userRoleIds = []; foreach ($lookerResponse as $userRoleData) { $userRoleIds[] = $userRoleData['id']; @@ -399,7 +423,7 @@ protected static function syncUserRoles(IPerson $User, array $lookerUser, Logger 'rolesToAdd' => $rolesToAdd ]); - return new SyncException( + throw new SyncException( 'Unable to sync user roles.', [ 'lookerResponse' => $lookerResponse @@ -538,7 +562,7 @@ protected static function getUserCustomAttributes(IPerson $User) } if (isset(static::$customAttributesByUser) && is_callable(static::$customAttributesByUser)) { - $customAttributes = array_merge($customAttributes, call_user_func(static::$customAttributesByUser, $User)); + $customAttributes = array_merge($customAttributes, call_user_func(static::$customAttributesByUser, $User, $School)); } return $customAttributes; @@ -549,15 +573,16 @@ protected static function syncUserCustomAttributes(IPerson $User, array $lookerU $userCustomAttributes = static::getUserCustomAttributes($User); $customAttributesToAdd = []; - if (!empty($lookerUser)) { - $currentUserCustomAttributes = LookerAPI::getUserCustomAttributes($lookerUser['id']); + + if ($UserMapping = static::getUserMapping($User)) { + $currentUserCustomAttributes = LookerAPI::getUserCustomAttributes($UserMapping->ExternalIdentifier); } else { $currentUserCustomAttributes = []; } if (!empty($currentUserCustomAttributes)) { foreach ($currentUserCustomAttributes as $lookerCustomAttribute) { - if (!array_key_exists($lookerCustomAttribute['name'], $userCustomAttributes)) { + if (!isset($lookerCustomAttribute['name']) || !array_key_exists($lookerCustomAttribute['name'], $userCustomAttributes)) { continue; } @@ -572,10 +597,9 @@ protected static function syncUserCustomAttributes(IPerson $User, array $lookerU if (empty($customAttributesToAdd)) { $logger->debug( - 'User Custom Attributes verified', + 'User Custom Attributes verified. ({remote})', [ - 'local' => $customAttributesToAdd, - 'remote' => $userCustomAttributes + 'remote' => !empty($currentUserCustomAttributes) ? join(' | ', array_map(function($c) { return "$c[name]: $c[value]"; }, $currentUserCustomAttributes)) : [] ] ); return new SyncResult( @@ -596,7 +620,6 @@ protected static function syncUserCustomAttributes(IPerson $User, array $lookerU if (!$pretend) { $lookerResponse = LookerAPI::updateUserCustomAttribute($lookerUser['id'], $customAttributeId, $customAttributeToAdd); if ($lookerResponse['value'] != $customAttributeToAdd['value']) { - \MICS::dump($lookerResponse, 'looker response'); $logger->error( 'Error updating user Custom Attribute {customAttributeName} => {customAttributeValue}', [ @@ -631,6 +654,33 @@ protected static function syncUserCustomAttributes(IPerson $User, array $lookerU } } + protected static function getUsersFromJob(IJob $Job) + { + $userConditions = []; + if (!empty($Job->Config['pushSchools'])) { + $userConditions['ID'] = [ + 'values' => array_keys( + SchoolUser::getAllByWhere([ + 'SchoolID' => [ + 'values' => $Job->Config['pushSchools'], + 'operator' => 'IN' + ] + ], [ + 'indexField' => 'PersonID' + ]) + ), + 'operator' => 'IN' + ]; + } + + return User::getAllByWhere(array_merge([ + 'AccountLevel' => [ + 'value' => 'Disabled', + 'operator' => '!=' + ] + ], $userConditions)); + } + // task handlers public static function pushUsers(IJob $Job, $pretend = true) { @@ -645,7 +695,7 @@ public static function pushUsers(IJob $Job, $pretend = true) ]; // iterate over Slate users - $UsersToSync = User::getAllByWhere('Username IS NOT NULL AND AccountLevel != "Disabled"'); + $UsersToSync = static::getUsersFromJob($Job); foreach ($UsersToSync AS $User) { $Job->debug(