feat: add support for external user aliases (#1847)

* feat: add support for external user aliases

* chore: fix tests + logic

* chore: remove scraper id from external user alias

* chore: update schema

* chore: fix lint

Author: yashmehrotra

chart/crds/configs.flanksource.com_scrapeconfigs.yaml

@@ -2567,6 +2567,8 @@ spec:
                           type: object
                         connection:
                           type: string
+                        depth:
+                          type: integer
                         destination:
                           description: |-
                             Destination is the full path to where the contents of the URL should be downloaded to.
@@ -7855,6 +7857,8 @@ spec:
                       properties:
                         address:
                           type: string
+                        connection:
+                          type: string
                         index:
                           type: string
                         limit:
@@ -7948,7 +7952,6 @@ spec:
                               type: object
                           type: object
                       required:
-                      - address
                       - index
                       - query
                       type: object

config/schemas/config_exec.schema.json

@@ -477,6 +477,9 @@
         "branch": {
           "type": "string"
         },
+        "depth": {
+          "type": "integer"
+        },
         "destination": {
           "type": "string"
         }

config/schemas/config_logs.schema.json

@@ -485,6 +485,9 @@
     },
     "OpenSearchConfig": {
       "properties": {
+        "connection": {
+          "type": "string"
+        },
         "address": {
           "type": "string"
         },
@@ -507,7 +510,6 @@
       "additionalProperties": false,
       "type": "object",
       "required": [
-        "address",
         "index",
         "query"
       ]

config/schemas/scrape_config.schema.json

@@ -1444,6 +1444,9 @@
         "branch": {
           "type": "string"
         },
+        "depth": {
+          "type": "integer"
+        },
         "destination": {
           "type": "string"
         }
@@ -2410,6 +2413,9 @@
     },
     "OpenSearchConfig": {
       "properties": {
+        "connection": {
+          "type": "string"
+        },
         "address": {
           "type": "string"
         },
@@ -2432,7 +2438,6 @@
       "additionalProperties": false,
       "type": "object",
       "required": [
-        "address",
         "index",
         "query"
       ]

db/update.go

@@ -397,6 +397,44 @@ func extractChanges(ctx api.ScrapeContext, result *v1.ScrapeResult, ci *models.C
 
 var OrphanCache = cache.New(60*time.Minute, 10*time.Minute)
 
+// ExternalUserCache stores alias -> external_user_id mapping
+var ExternalUserCache = cache.New(time.Hour, 10*time.Minute)
+
+// findExternalUserIDByAliases looks up an external user ID by aliases
+// It first checks the cache, then queries the DB. Returns the ID if found, uuid.Nil otherwise.
+func findExternalUserIDByAliases(ctx api.ScrapeContext, aliases []string) (uuid.UUID, error) {
+	for _, alias := range aliases {
+		if cachedID, ok := ExternalUserCache.Get(alias); ok {
+			return cachedID.(uuid.UUID), nil
+		}
+	}
+
+	// Query DB for any matching alias
+	for _, alias := range aliases {
+		var existingUser dutyModels.ExternalUser
+		err := ctx.DB().
+			Select("id").
+			Where("? = ANY(aliases)", alias).
+			Where("deleted_at IS NULL").
+			First(&existingUser).Error
+
+		if err != nil {
+			if !errors.Is(err, gorm.ErrRecordNotFound) {
+				return uuid.Nil, fmt.Errorf("failed to query external user by alias: %w", err)
+			}
+			continue
+		}
+
+		// Found in DB, populate cache for all aliases and return
+		for _, a := range aliases {
+			ExternalUserCache.Set(a, existingUser.ID, cache.DefaultExpiration)
+		}
+		return existingUser.ID, nil
+	}
+
+	return uuid.Nil, nil
+}
+
 func upsertAnalysis(ctx api.ScrapeContext, result *v1.ScrapeResult) error {
 	var ci *models.ConfigItem
 	var err error
@@ -624,9 +662,25 @@ func saveResults(ctx api.ScrapeContext, results []v1.ScrapeResult) (v1.ScrapeSum
 
 	for _, externalUser := range extractResult.externalUsers {
 		externalUser.ScraperID = lo.Ternary(externalUser.ScraperID == uuid.Nil, lo.FromPtr(scraperID), externalUser.ScraperID)
+
+		if len(externalUser.Aliases) > 0 {
+			existingID, err := findExternalUserIDByAliases(ctx, externalUser.Aliases)
+			if err != nil {
+				return summary, fmt.Errorf("failed to find external user by aliases: %w", err)
+			}
+			if existingID != uuid.Nil {
+				externalUser.ID = existingID
+			}
+		}
+
 		if err := ctx.DB().Save(&externalUser).Error; err != nil {
 			return summary, fmt.Errorf("failed to save external user: %w", err)
 		}
+
+		// Update cache for all aliases
+		for _, alias := range externalUser.Aliases {
+			ExternalUserCache.Set(alias, externalUser.ID, cache.DefaultExpiration)
+		}
 	}
 
 	for _, externalGroup := range extractResult.externalGroups {

fixtures/data/external_users_test.json

@@ -2,17 +2,17 @@
   "id": "test-org-1",
   "external_users": [
     {
-      "id": "018e4c6a-1111-7000-8000-000000000001",
       "name": "John Doe",
       "account_id": "org-123",
       "user_type": "human",
-      "email": "[email protected]"
+      "email": "[email protected]",
+      "aliases": ["john-doe", "[email protected]"]
     },
     {
-      "id": "018e4c6a-1111-7000-8000-000000000002",
       "name": "Service Bot",
       "account_id": "org-123",
-      "user_type": "service"
+      "user_type": "service",
+      "aliases": ["service-bot", "bot-001"]
     }
   ],
   "external_groups": [
@@ -44,15 +44,5 @@
       "role_type": "custom",
       "description": "Read-only access"
     }
-  ],
-  "external_user_groups": [
-    {
-      "external_user_id": "018e4c6a-1111-7000-8000-000000000001",
-      "external_group_id": "018e4c6a-2222-7000-8000-000000000001"
-    },
-    {
-      "external_user_id": "018e4c6a-1111-7000-8000-000000000002",
-      "external_group_id": "018e4c6a-2222-7000-8000-000000000002"
-    }
   ]
 }

scrapers/aws/cloudtrail.go

@@ -51,7 +51,7 @@ var LastEventTime = sync.Map{}
 type CloudTrailEvent struct {
 	AWSRegion          string `json:"awsRegion"`
 	RecipientAccountID string `json:"recipientAccountId"`
-	UserIdentity struct {
+	UserIdentity       struct {
 		Type           string `json:"type"`
 		Arn            string `json:"arn"`
 		Username       string `json:"userName"`

scrapers/run_test.go

@@ -723,16 +723,8 @@ var _ = Describe("External users e2e test", Ordered, func() {
 	})
 
 	AfterAll(func() {
-		// Clean up external_user_groups first (foreign key constraint)
-		err := DefaultContext.DB().Where("external_user_id IN (?)",
-			[]string{
-				"018e4c6a-1111-7000-8000-000000000001",
-				"018e4c6a-1111-7000-8000-000000000002",
-			}).Delete(&dutymodels.ExternalUserGroup{}).Error
-		Expect(err).NotTo(HaveOccurred(), "failed to delete external user groups")
-
 		// Clean up external users
-		err = DefaultContext.DB().Where("scraper_id = ?", scraperModel.ID).Delete(&dutymodels.ExternalUser{}).Error
+		err := DefaultContext.DB().Where("scraper_id = ?", scraperModel.ID).Delete(&dutymodels.ExternalUser{}).Error
 		Expect(err).NotTo(HaveOccurred(), "failed to delete external users")
 
 		// Clean up external groups
@@ -748,19 +740,29 @@ var _ = Describe("External users e2e test", Ordered, func() {
 		Expect(err).NotTo(HaveOccurred(), "failed to delete scrape config")
 	})
 
-	It("should scrape and save external users, groups, roles, and user-group mappings", func() {
+	It("should scrape and save external users, groups, and roles", func() {
 		_, err := RunScraper(scraperCtx)
 		Expect(err).To(BeNil())
 	})
 
-	It("should have saved external users to the database", func() {
+	It("should have saved external users to the database with aliases", func() {
 		var users []dutymodels.ExternalUser
 		err := DefaultContext.DB().Where("scraper_id = ?", scraperModel.ID).Find(&users).Error
 		Expect(err).NotTo(HaveOccurred())
 		Expect(users).To(HaveLen(2))
 
 		userNames := lo.Map(users, func(u dutymodels.ExternalUser, _ int) string { return u.Name })
 		Expect(userNames).To(ContainElements("John Doe", "Service Bot"))
+
+		// Verify aliases are saved
+		for _, user := range users {
+			switch user.Name {
+			case "John Doe":
+				Expect(user.Aliases).To(ContainElements("john-doe", "[email protected]"))
+			case "Service Bot":
+				Expect(user.Aliases).To(ContainElements("service-bot", "bot-001"))
+			}
+		}
 	})
 
 	It("should have saved external groups to the database", func() {
@@ -783,14 +785,56 @@ var _ = Describe("External users e2e test", Ordered, func() {
 		Expect(roleNames).To(ContainElements("Admin", "Reader"))
 	})
 
-	It("should have saved external user groups to the database", func() {
-		var userGroups []dutymodels.ExternalUserGroup
-		err := DefaultContext.DB().Where("external_user_id IN (?)",
-			[]string{
-				"018e4c6a-1111-7000-8000-000000000001",
-				"018e4c6a-1111-7000-8000-000000000002",
-			}).Find(&userGroups).Error
+	It("should upsert external users by alias on second scrape (not create duplicates)", func() {
+		// Get existing user IDs before second scrape
+		var usersBefore []dutymodels.ExternalUser
+		err := DefaultContext.DB().Where("scraper_id = ?", scraperModel.ID).Find(&usersBefore).Error
+		Expect(err).NotTo(HaveOccurred())
+		Expect(usersBefore).To(HaveLen(2))
+
+		userIDsBefore := lo.Map(usersBefore, func(u dutymodels.ExternalUser, _ int) uuid.UUID { return u.ID })
+
+		// Clear cache to ensure we test DB lookup path
+		db.ExternalUserCache.Flush()
+
+		// Run scraper again
+		_, err = RunScraper(scraperCtx)
+		Expect(err).To(BeNil())
+
+		// Verify same number of users (no duplicates)
+		var usersAfter []dutymodels.ExternalUser
+		err = DefaultContext.DB().Where("scraper_id = ?", scraperModel.ID).Find(&usersAfter).Error
 		Expect(err).NotTo(HaveOccurred())
-		Expect(userGroups).To(HaveLen(2))
+		Expect(usersAfter).To(HaveLen(2))
+
+		// Verify same IDs were used (upsert, not insert)
+		userIDsAfter := lo.Map(usersAfter, func(u dutymodels.ExternalUser, _ int) uuid.UUID { return u.ID })
+		Expect(userIDsAfter).To(ConsistOf(userIDsBefore))
+	})
+
+	It("should use cache for external user lookup on subsequent scrapes", func() {
+		// Clear cache first
+		db.ExternalUserCache.Flush()
+
+		// Run scraper to populate cache
+		_, err := RunScraper(scraperCtx)
+		Expect(err).To(BeNil())
+
+		// Verify cache is populated for all aliases (key is just the alias)
+		johnDoeID, found := db.ExternalUserCache.Get("john-doe")
+		Expect(found).To(BeTrue())
+		Expect(johnDoeID).NotTo(Equal(uuid.Nil))
+
+		jdoeID, found := db.ExternalUserCache.Get("[email protected]")
+		Expect(found).To(BeTrue())
+		Expect(jdoeID).To(Equal(johnDoeID)) // Same user, same ID
+
+		serviceBotID, found := db.ExternalUserCache.Get("service-bot")
+		Expect(found).To(BeTrue())
+		Expect(serviceBotID).NotTo(Equal(uuid.Nil))
+
+		bot001ID, found := db.ExternalUserCache.Get("bot-001")
+		Expect(found).To(BeTrue())
+		Expect(bot001ID).To(Equal(serviceBotID)) // Same user, same ID
 	})
 })