get group counts and store on profile, skip work if counts are 0

laurenleach · laurenleach · commit e95c2686767f · 2025-08-20T21:01:41.000-07:00
diff --git a/pkg/connector/client/client.go b/pkg/connector/client/client.go
@@ -17,6 +17,19 @@ import (
 	"google.golang.org/grpc/status"
 )
 
+const graphQLApiPath = "https://gitlab.com/api/graphql"
+
+const groupCountQuery = `query GetGroupsWithMemberCount($groupIds: [ID!]!) {
+  groups(ids: $groupIds) {
+    nodes {
+      id
+      groupMembersCount
+      descendantGroupsCount
+      projectsCount
+    }
+  }
+}`
+
 type GitlabClient struct {
 	httpClient            *uhttp.BaseHttpClient
 	baseURL               string
@@ -160,6 +173,51 @@ func (c *GitlabClient) ListGroups(ctx context.Context, nextLink string) ([]*Grou
 	return groups, newNextLink, rateLimitDesc, nil
 }
 
+func (c *GitlabClient) ListGroupsWithCounts(ctx context.Context, groupIds []string) ([]GroupWithCount, *v2.RateLimitDescription, error) {
+	variables := map[string]interface{}{
+		"groupIds": groupIds,
+	}
+
+	payload := map[string]interface{}{
+		"query":     groupCountQuery,
+		"variables": variables,
+	}
+
+	options := []uhttp.RequestOption{
+		uhttp.WithAcceptJSONHeader(),
+		uhttp.WithJSONBody(payload),
+		uhttp.WithBearerToken(c.accessToken),
+	}
+
+	graphQLURL, err := url.Parse(graphQLApiPath)
+	if err != nil {
+		return nil, nil, fmt.Errorf("gitlab-connector: failed to parse graphql url: %w", err)
+	}
+
+	var rateLimitData v2.RateLimitDescription
+	var errorResponse GitlabError
+	res := &GroupCountsListResponse{}
+	doOptions := []uhttp.DoOption{
+		uhttp.WithRatelimitData(&rateLimitData),
+		uhttp.WithErrorResponse(&errorResponse),
+		uhttp.WithJSONResponse(&res),
+	}
+
+	req, err := c.httpClient.NewRequest(ctx, http.MethodPost, graphQLURL, options...)
+	if err != nil {
+		return nil, &rateLimitData, err
+	}
+	resp, err := c.httpClient.Do(
+		req,
+		doOptions...,
+	)
+	if err != nil {
+		return nil, &rateLimitData, fmt.Errorf("gitlab-connector: failed to list group with counts: %w", err)
+	}
+	defer resp.Body.Close()
+	return res.Data.Groups.Nodes, &rateLimitData, nil
+}
+
 // GetGroup retrieves a specific group by ID.
 func (c *GitlabClient) GetGroup(ctx context.Context, groupID string) (*Group, *v2.RateLimitDescription, error) {
 	var group Group
diff --git a/pkg/connector/client/models.go b/pkg/connector/client/models.go
@@ -103,6 +103,21 @@ type AddProjectMemberRequest struct {
 	AccessLevel AccessLevelValue `json:"access_level"`
 }
 
+type GroupWithCount struct {
+	Id                    string `json:"id"`
+	GroupMembersCount     int    `json:"groupMembersCount"`
+	DescendantGroupsCount int    `json:"descendantGroupsCount"`
+	ProjectsCount         int    `json:"projectsCount"`
+}
+
+type GroupCountsListResponse struct {
+	Data struct {
+		Groups struct {
+			Nodes []GroupWithCount `json:"nodes"`
+		} `json:"groups"`
+	} `json:"data"`
+}
+
 type ISOTime time.Time
 
 // ISO 8601 date format.
diff --git a/pkg/connector/groups.go b/pkg/connector/groups.go
@@ -23,6 +23,10 @@ import (
 	"google.golang.org/protobuf/proto"
 )
 
+const projectsCountProfileKey = "projects_count"
+const groupMembersCountProfileKey = "group_members_count"
+const descendantGroupsCountProfileKey = "descendant_groups_count"
+
 type groupBuilder struct {
 	client *client.GitlabClient
 }
@@ -61,12 +65,31 @@ func (o *groupBuilder) List(ctx context.Context, parentResourceID *v2.ResourceId
 	if err != nil {
 		return nil, "", outputAnnotations, err
 	}
+	groupIds := make([]string, 0)
+	for _, g := range groups {
+		gId := gitlabFullGroupID(g.ID)
+		groupIds = append(groupIds, gId)
+	}
+
+	groupsWithCounts, rateLimitDesc, err := o.client.ListGroupsWithCounts(ctx, groupIds)
+	if rateLimitDesc != nil {
+		outputAnnotations.WithRateLimiting(rateLimitDesc)
+	}
+	if err != nil {
+		return nil, "", outputAnnotations, err
+	}
+
+	groupCountMap := make(map[string]*client.GroupWithCount)
+	for _, gc := range groupsWithCounts {
+		groupCountMap[gc.Id] = &gc
+	}
 
 	outResources := make([]*v2.Resource, 0, len(groups))
 	for _, group := range groups {
 		parentResourceID = getParentGroup(group.ParentID)
-
-		resource, err := groupResource(group, parentResourceID, o.client.IsOnPremise)
+		fullGroupID := gitlabFullGroupID(group.ID)
+		groupCounts := groupCountMap[fullGroupID]
+		resource, err := groupResource(ctx, group, parentResourceID, o.client.IsOnPremise, groupCounts)
 		if err != nil {
 			return nil, "", outputAnnotations, err
 		}
@@ -116,6 +139,16 @@ func (o *groupBuilder) Entitlements(_ context.Context, resource *v2.Resource, _
 }
 
 func (o *groupBuilder) Grants(ctx context.Context, resource *v2.Resource, pToken *pagination.Token) ([]*v2.Grant, string, annotations.Annotations, error) {
+	groupTrait, err := resourceSdk.GetGroupTrait(resource)
+	if err != nil {
+		return nil, "", nil, fmt.Errorf("okta-connectorv2: failed to get group trait: %w", err)
+	}
+	groupMembersCount, ok := resourceSdk.GetProfileInt64Value(groupTrait.Profile, groupMembersCountProfileKey)
+
+	if ok && groupMembersCount == 0 {
+		return nil, "", nil, nil
+	}
+
 	var outGrants []*v2.Grant
 	var outputAnnotations = annotations.New()
 	var users []*client.GroupMember
@@ -270,7 +303,7 @@ func (o *groupBuilder) Revoke(ctx context.Context, grant *v2.Grant) (annotations
 	return outputAnnotations, nil
 }
 
-func groupResource(group *client.Group, parentResourceID *v2.ResourceId, isOnPremise bool) (*v2.Resource, error) {
+func groupResource(ctx context.Context, group *client.Group, parentResourceID *v2.ResourceId, isOnPremise bool, groupCounts *client.GroupWithCount) (*v2.Resource, error) {
 	profile := map[string]interface{}{
 		"id":          group.ID,
 		"name":        group.Name,
@@ -288,8 +321,16 @@ func groupResource(group *client.Group, parentResourceID *v2.ResourceId, isOnPre
 		profile["parent_group_id"] = group.ParentID
 	}
 
+	hasProjects := true
+	if groupCounts != nil {
+		hasProjects = groupCounts.ProjectsCount > 0
+		profile["projects_count"] = groupCounts.ProjectsCount
+		profile["group_members_count"] = groupCounts.GroupMembersCount
+		profile["descendant_groups_count"] = groupCounts.DescendantGroupsCount
+	}
+
 	annos := make([]proto.Message, 0)
-	if parentResourceID == nil {
+	if parentResourceID == nil && hasProjects {
 		annos = append(annos, &v2.ChildResourceType{ResourceTypeId: projectResourceType.Id})
 	}
 
diff --git a/pkg/connector/helpers.go b/pkg/connector/helpers.go
@@ -32,3 +32,7 @@ func parseAccessLevelFromEntitlementID(entitlementID string) (int, error) {
 	}
 	return int(levelValue), nil
 }
+
+func gitlabFullGroupID(groupId int) string {
+	return fmt.Sprintf("gid://gitlab/Group/%d", groupId)
+}

Original file line number	Diff line number	Diff line change
`@@ -32,3 +32,7 @@ func parseAccessLevelFromEntitlementID(entitlementID string) (int, error) {`
`32`	`32`	`}`
`33`	`33`	`return int(levelValue), nil`
`34`	`34`	`}`
	`35`	`+`
	`36`	`+func gitlabFullGroupID(groupId int) string {`
	`37`	`+ return fmt.Sprintf("gid://gitlab/Group/%d", groupId)`
	`38`	`+}`