Merge pull request #10 from linuxfoundation/misc-fixes

Optimize User Service lookups

Author: emsearcy

charts/lfx-v1-sync-helper/Chart.yaml

@@ -5,4 +5,4 @@ apiVersion: v2
 name: lfx-v1-sync-helper
 description: LFX Platform v1 Sync Helper chart
 type: application
-version: 0.2.1
+version: 0.2.2

charts/lfx-v1-sync-helper/values.yaml

@@ -19,9 +19,6 @@ app:
     # NATS_URL is required
     NATS_URL:
       value: nats://lfx-platform-nats.lfx.svc.cluster.local:4222
-    # DEBUG is optional
-    DEBUG:
-      value: "false"
     # PORT is optional
     PORT:
       value: "8080"

v1-sync-helper/client_committees.go

@@ -9,11 +9,12 @@ import (
 	"fmt"
 
 	committeeservice "github.com/linuxfoundation/lfx-v2-committee-service/gen/committee_service"
+	"github.com/nats-io/nats.go/jetstream"
 )
 
 // fetchCommitteeBase fetches an existing committee base from the Committee Service API.
 func fetchCommitteeBase(ctx context.Context, committeeUID string) (*committeeservice.CommitteeBaseWithReadonlyAttributes, string, error) {
-	token, err := generateCachedJWTToken(committeeServiceAudience, UserInfo{})
+	token, err := generateCachedJWTToken(committeeServiceAudience, "", nil)
 	if err != nil {
 		return nil, "", err
 	}
@@ -35,8 +36,8 @@ func fetchCommitteeBase(ctx context.Context, committeeUID string) (*committeeser
 }
 
 // createCommittee creates a new committee via the Committee Service API.
-func createCommittee(ctx context.Context, payload *committeeservice.CreateCommitteePayload, userInfo UserInfo) (*committeeservice.CommitteeFullWithReadonlyAttributes, error) {
-	token, err := generateCachedJWTToken(committeeServiceAudience, userInfo)
+func createCommittee(ctx context.Context, payload *committeeservice.CreateCommitteePayload, v1Principal string, mappingsKV jetstream.KeyValue) (*committeeservice.CommitteeFullWithReadonlyAttributes, error) {
+	token, err := generateCachedJWTToken(committeeServiceAudience, v1Principal, mappingsKV)
 	if err != nil {
 		return nil, err
 	}
@@ -52,7 +53,7 @@ func createCommittee(ctx context.Context, payload *committeeservice.CreateCommit
 }
 
 // updateCommittee updates a committee by separately handling base and settings if there are changes.
-func updateCommittee(ctx context.Context, payload *committeeservice.UpdateCommitteeBasePayload, userInfo UserInfo) error {
+func updateCommittee(ctx context.Context, payload *committeeservice.UpdateCommitteeBasePayload, v1Principal string, mappingsKV jetstream.KeyValue) error {
 	// Fetch current committee base.
 	currentBase, baseETag, err := fetchCommitteeBase(ctx, *payload.UID)
 	if err != nil {
@@ -73,7 +74,7 @@ func updateCommittee(ctx context.Context, payload *committeeservice.UpdateCommit
 	baseChanged := !committeeBasesEqual(currentBase, updatedBase)
 
 	if baseChanged {
-		token, err := generateCachedJWTToken(committeeServiceAudience, userInfo)
+		token, err := generateCachedJWTToken(committeeServiceAudience, v1Principal, mappingsKV)
 		if err != nil {
 			return fmt.Errorf("failed to generate token for committee base update: %w", err)
 		}
@@ -103,8 +104,8 @@ func committeeBasesEqual(a, b *committeeservice.CommitteeBaseWithReadonlyAttribu
 }
 
 // createCommitteeMember creates a new committee member via the Committee Service API.
-func createCommitteeMember(ctx context.Context, payload *committeeservice.CreateCommitteeMemberPayload, userInfo UserInfo) (*committeeservice.CommitteeMemberFullWithReadonlyAttributes, error) {
-	token, err := generateCachedJWTToken(committeeServiceAudience, userInfo)
+func createCommitteeMember(ctx context.Context, payload *committeeservice.CreateCommitteeMemberPayload, v1Principal string, mappingsKV jetstream.KeyValue) (*committeeservice.CommitteeMemberFullWithReadonlyAttributes, error) {
+	token, err := generateCachedJWTToken(committeeServiceAudience, v1Principal, mappingsKV)
 	if err != nil {
 		return nil, err
 	}
@@ -121,7 +122,7 @@ func createCommitteeMember(ctx context.Context, payload *committeeservice.Create
 
 // fetchCommitteeMember fetches an existing committee member from the Committee Service API.
 func fetchCommitteeMember(ctx context.Context, committeeUID, memberUID string) (*committeeservice.CommitteeMemberFullWithReadonlyAttributes, string, error) {
-	token, err := generateCachedJWTToken(committeeServiceAudience, UserInfo{})
+	token, err := generateCachedJWTToken(committeeServiceAudience, "", nil)
 	if err != nil {
 		return nil, "", err
 	}
@@ -145,7 +146,7 @@ func fetchCommitteeMember(ctx context.Context, committeeUID, memberUID string) (
 }
 
 // updateCommitteeMember updates an existing committee member via the Committee Service API.
-func updateCommitteeMember(ctx context.Context, payload *committeeservice.UpdateCommitteeMemberPayload, userInfo UserInfo) error {
+func updateCommitteeMember(ctx context.Context, payload *committeeservice.UpdateCommitteeMemberPayload, v1Principal string, mappingsKV jetstream.KeyValue) error {
 	// Fetch current committee member for comparison.
 	currentMember, etag, err := fetchCommitteeMember(ctx, payload.UID, payload.MemberUID)
 	if err != nil {
@@ -156,7 +157,7 @@ func updateCommitteeMember(ctx context.Context, payload *committeeservice.Update
 	memberChanged := !committeeMembersEqual(currentMember, payload)
 
 	if memberChanged {
-		token, err := generateCachedJWTToken(committeeServiceAudience, userInfo)
+		token, err := generateCachedJWTToken(committeeServiceAudience, v1Principal, mappingsKV)
 		if err != nil {
 			return fmt.Errorf("failed to generate token for committee member update: %w", err)
 		}

v1-sync-helper/client_projects.go

@@ -9,11 +9,12 @@ import (
 	"fmt"
 
 	projectservice "github.com/linuxfoundation/lfx-v2-project-service/api/project/v1/gen/project_service"
+	"github.com/nats-io/nats.go/jetstream"
 )
 
 // fetchProjectBase fetches an existing project base from the Project Service API.
 var fetchProjectBase = func(ctx context.Context, projectUID string) (*projectservice.ProjectBase, string, error) {
-	token, err := generateCachedJWTToken(projectServiceAudience, UserInfo{})
+	token, err := generateCachedJWTToken(projectServiceAudience, "", nil)
 	if err != nil {
 		return nil, "", err
 	}
@@ -36,7 +37,7 @@ var fetchProjectBase = func(ctx context.Context, projectUID string) (*projectser
 
 // fetchProjectSettings fetches an existing project settings from the Project Service API.
 func fetchProjectSettings(ctx context.Context, projectUID string) (*projectservice.ProjectSettings, string, error) {
-	token, err := generateCachedJWTToken(projectServiceAudience, UserInfo{})
+	token, err := generateCachedJWTToken(projectServiceAudience, "", nil)
 	if err != nil {
 		return nil, "", err
 	}
@@ -58,8 +59,8 @@ func fetchProjectSettings(ctx context.Context, projectUID string) (*projectservi
 }
 
 // createProject creates a new project via the Project Service API.
-func createProject(ctx context.Context, payload *projectservice.CreateProjectPayload, userInfo UserInfo) (*projectservice.ProjectFull, error) {
-	token, err := generateCachedJWTToken(projectServiceAudience, userInfo)
+func createProject(ctx context.Context, payload *projectservice.CreateProjectPayload, v1Principal string, mappingsKV jetstream.KeyValue) (*projectservice.ProjectFull, error) {
+	token, err := generateCachedJWTToken(projectServiceAudience, v1Principal, mappingsKV)
 	if err != nil {
 		return nil, err
 	}
@@ -75,7 +76,7 @@ func createProject(ctx context.Context, payload *projectservice.CreateProjectPay
 }
 
 // updateProject updates a project by separately handling base and settings if there are changes.
-func updateProject(ctx context.Context, basePayload *projectservice.UpdateProjectBasePayload, settingsPayload *projectservice.UpdateProjectSettingsPayload, userInfo UserInfo) error {
+func updateProject(ctx context.Context, basePayload *projectservice.UpdateProjectBasePayload, settingsPayload *projectservice.UpdateProjectSettingsPayload, v1Principal string, mappingsKV jetstream.KeyValue) error {
 	// Fetch current project base.
 	currentBase, baseETag, err := fetchProjectBase(ctx, *basePayload.UID)
 	if err != nil {
@@ -113,7 +114,7 @@ func updateProject(ctx context.Context, basePayload *projectservice.UpdateProjec
 	baseChanged := !projectBasesEqual(currentBase, updatedBase)
 
 	if baseChanged {
-		token, err := generateCachedJWTToken(projectServiceAudience, userInfo)
+		token, err := generateCachedJWTToken(projectServiceAudience, v1Principal, mappingsKV)
 		if err != nil {
 			return fmt.Errorf("failed to generate token for base update: %w", err)
 		}
@@ -156,7 +157,7 @@ func updateProject(ctx context.Context, basePayload *projectservice.UpdateProjec
 		}
 
 		if settingsChanged {
-			token, err := generateCachedJWTToken(projectServiceAudience, userInfo)
+			token, err := generateCachedJWTToken(projectServiceAudience, v1Principal, mappingsKV)
 			if err != nil {
 				return fmt.Errorf("failed to generate token for settings update: %w", err)
 			}

v1-sync-helper/config.go

@@ -23,7 +23,7 @@ var projectAllowlist = []string{
 	// "lfenergy",
 }
 
-// ProjectFamilyAllowlist contains the list of projects slugs that are allowed
+// projectFamilyAllowlist contains the list of project slugs that are allowed
 // to be synced along with their child projects. *All entries must be
 // lowercase* (lookups downcase for case-insensitive matching).
 var projectFamilyAllowlist = []string{

v1-sync-helper/handlers.go

@@ -27,32 +27,6 @@ func shouldSkipSync(ctx context.Context, v1Data map[string]any) bool {
 	return false
 }
 
-// extractUserInfo extracts user information from v1 data for API calls and JWT impersonation.
-func extractUserInfo(ctx context.Context, v1Data map[string]any, mappingsKV jetstream.KeyValue) UserInfo {
-	// Extract platform ID from lastmodifiedbyid
-	if lastModifiedBy, ok := v1Data["lastmodifiedbyid"].(string); ok && lastModifiedBy != "" {
-		// Check if this is a machine user with @clients suffix
-		if strings.HasSuffix(lastModifiedBy, "@clients") {
-			// Machine user - pass through with @clients only on principal
-			return UserInfo{
-				Username:  strings.TrimSuffix(lastModifiedBy, "@clients"), // Subject without @clients
-				Email:     "",                                             // No email for machine users
-				Principal: lastModifiedBy,                                 // Principal includes @clients
-			}
-		}
-
-		// Regular platform ID - look up via v1 API
-		userInfo, err := getUserInfoFromV1(ctx, lastModifiedBy, mappingsKV)
-		if err != nil || userInfo.Username == "" {
-			logger.With(errKey, err, "platform_id", lastModifiedBy).WarnContext(ctx, "failed to get user info from v1 API, falling back to service account")
-			return UserInfo{} // Empty UserInfo triggers fallback to v1_sync_helper@clients
-		}
-
-		return userInfo
-	}
-	return UserInfo{}
-}
-
 // kvHandler processes KV bucket updates from Meltano
 func kvHandler(entry jetstream.KeyValueEntry, v1KV jetstream.KeyValue, mappingsKV jetstream.KeyValue) {
 	ctx := context.Background()
@@ -89,16 +63,13 @@ func handleKVPut(ctx context.Context, entry jetstream.KeyValueEntry, _ jetstream
 		return
 	}
 
-	// Extract user information for API calls and JWT impersonation
-	userInfo := extractUserInfo(ctx, v1Data, mappingsKV)
-
 	// Determine the object type based on the key pattern
 	if strings.HasPrefix(key, "salesforce-project__c.") {
-		handleProjectUpdate(ctx, key, v1Data, userInfo, mappingsKV)
+		handleProjectUpdate(ctx, key, v1Data, mappingsKV)
 	} else if strings.HasPrefix(key, "platform-collaboration__c.") {
-		handleCommitteeUpdate(ctx, key, v1Data, userInfo, mappingsKV)
+		handleCommitteeUpdate(ctx, key, v1Data, mappingsKV)
 	} else if strings.HasPrefix(key, "platform-community__c.") {
-		handleCommitteeMemberUpdate(ctx, key, v1Data, userInfo, mappingsKV)
+		handleCommitteeMemberUpdate(ctx, key, v1Data, mappingsKV)
 	} else {
 		logger.With("key", key).DebugContext(ctx, "unknown object type, ignoring")
 	}

v1-sync-helper/handlers_committees.go

@@ -133,12 +133,18 @@ func mapTypeToCategory(ctx context.Context, typeVal, committeeName string) *stri
 }
 
 // handleCommitteeUpdate processes a committee update from the KV bucket.
-func handleCommitteeUpdate(ctx context.Context, key string, v1Data map[string]any, userInfo UserInfo, mappingsKV jetstream.KeyValue) {
+func handleCommitteeUpdate(ctx context.Context, key string, v1Data map[string]any, mappingsKV jetstream.KeyValue) {
 	// Check if we should skip this sync operation.
 	if shouldSkipSync(ctx, v1Data) {
 		return
 	}
 
+	// Extract v1Principal from lastmodifiedbyid for JWT generation.
+	v1Principal := ""
+	if lastModifiedBy, ok := v1Data["lastmodifiedbyid"].(string); ok && lastModifiedBy != "" {
+		v1Principal = lastModifiedBy
+	}
+
 	// Extract committee SFID.
 	sfid, ok := v1Data["sfid"].(string)
 	if !ok || sfid == "" {
@@ -169,7 +175,7 @@ func handleCommitteeUpdate(ctx context.Context, key string, v1Data map[string]an
 			return
 		}
 
-		err = updateCommittee(ctx, payload, userInfo)
+		err = updateCommittee(ctx, payload, v1Principal, mappingsKV)
 		uid = existingUID
 	} else {
 		// Check if parent project exists in mappings before creating new committee.
@@ -193,7 +199,7 @@ func handleCommitteeUpdate(ctx context.Context, key string, v1Data map[string]an
 		}
 
 		var response *committeeservice.CommitteeFullWithReadonlyAttributes
-		response, err = createCommittee(ctx, payload, userInfo)
+		response, err = createCommittee(ctx, payload, v1Principal, mappingsKV)
 		if response != nil && response.UID != nil {
 			uid = *response.UID
 		}
@@ -353,12 +359,18 @@ func mapV1DataToCommitteeUpdateBasePayload(ctx context.Context, committeeUID str
 }
 
 // handleCommitteeMemberUpdate processes a committee member update from platform-community__c records.
-func handleCommitteeMemberUpdate(ctx context.Context, key string, v1Data map[string]any, userInfo UserInfo, mappingsKV jetstream.KeyValue) {
+func handleCommitteeMemberUpdate(ctx context.Context, key string, v1Data map[string]any, mappingsKV jetstream.KeyValue) {
 	// Check if we should skip this sync operation.
 	if shouldSkipSync(ctx, v1Data) {
 		return
 	}
 
+	// Extract v1Principal from lastmodifiedbyid for JWT generation.
+	v1Principal := ""
+	if lastModifiedBy, ok := v1Data["lastmodifiedbyid"].(string); ok && lastModifiedBy != "" {
+		v1Principal = lastModifiedBy
+	}
+
 	// Extract committee member SFID.
 	sfid, ok := v1Data["sfid"].(string)
 	if !ok || sfid == "" {
@@ -419,7 +431,7 @@ func handleCommitteeMemberUpdate(ctx context.Context, key string, v1Data map[str
 			return
 		}
 
-		err = updateCommitteeMember(ctx, payload, userInfo)
+		err = updateCommitteeMember(ctx, payload, v1Principal, mappingsKV)
 		memberUID = existingMemberUID
 	} else {
 		// Create new committee member.
@@ -434,7 +446,7 @@ func handleCommitteeMemberUpdate(ctx context.Context, key string, v1Data map[str
 		}
 
 		var response *committeeservice.CommitteeMemberFullWithReadonlyAttributes
-		response, err = createCommitteeMember(ctx, payload, userInfo)
+		response, err = createCommitteeMember(ctx, payload, v1Principal, mappingsKV)
 		if response != nil && response.UID != nil {
 			memberUID = *response.UID
 		}

v1-sync-helper/handlers_projects.go

@@ -125,12 +125,18 @@ func mapAdminCategoryToCategory(adminCategory string) *string {
 }
 
 // handleProjectUpdate processes a project update from the KV bucket.
-func handleProjectUpdate(ctx context.Context, key string, v1Data map[string]any, userInfo UserInfo, mappingsKV jetstream.KeyValue) {
+func handleProjectUpdate(ctx context.Context, key string, v1Data map[string]any, mappingsKV jetstream.KeyValue) {
 	// Check if we should skip this sync operation.
 	if shouldSkipSync(ctx, v1Data) {
 		return
 	}
 
+	// Extract v1Principal from lastmodifiedbyid for JWT generation.
+	v1Principal := ""
+	if lastModifiedBy, ok := v1Data["lastmodifiedbyid"].(string); ok && lastModifiedBy != "" {
+		v1Principal = lastModifiedBy
+	}
+
 	// Extract project SFID (primary key).
 	sfid, ok := v1Data["sfid"].(string)
 	if !ok || sfid == "" {
@@ -172,7 +178,7 @@ func handleProjectUpdate(ctx context.Context, key string, v1Data map[string]any,
 			return
 		}
 
-		err = updateProject(ctx, payload, settingsPayload, userInfo)
+		err = updateProject(ctx, payload, settingsPayload, v1Principal, mappingsKV)
 		uid = existingUID
 	} else {
 		// Check allowlist before creating new project.
@@ -194,7 +200,7 @@ func handleProjectUpdate(ctx context.Context, key string, v1Data map[string]any,
 		}
 
 		var response *projectservice.ProjectFull
-		response, err = createProject(ctx, payload, userInfo)
+		response, err = createProject(ctx, payload, v1Principal, mappingsKV)
 		if response != nil && response.UID != nil {
 			uid = *response.UID
 		}

v1-sync-helper/lfx_v1_client.go

@@ -643,28 +643,40 @@ func parseWebsiteURL(website string) string {
 }
 
 // getUserInfoFromV1 converts a Platform ID to LFX username and email using v1 API with caching
-func getUserInfoFromV1(ctx context.Context, platformID string, mappingsKV jetstream.KeyValue) (UserInfo, error) {
+func getUserInfoFromV1(ctx context.Context, platformID string, mappingsKV jetstream.KeyValue) UserInfo {
 	if platformID == "" {
-		return UserInfo{}, nil
+		return UserInfo{}
+	}
+
+	if platformID == "platform" {
+		return UserInfo{}
+	}
+
+	// Check if this is a machine user with @clients suffix.
+	if strings.HasSuffix(platformID, "@clients") {
+		// Machine user - pass through with @clients only on principal.
+		return UserInfo{
+			Username:  strings.TrimSuffix(platformID, "@clients"), // Subject without @clients.
+			Email:     "",                                         // No email for machine users.
+			Principal: platformID,                                 // Principal includes @clients.
+		}
 	}
 
 	user, err := lookupUser(ctx, platformID, mappingsKV)
 	if err != nil {
 		logger.With(errKey, err, "platform_id", platformID).WarnContext(ctx, "failed to lookup user from v1 API, falling back to service account")
-		return UserInfo{}, nil // Return empty to trigger fallback
+		return UserInfo{} // Return empty to trigger fallback
 	}
 
 	// Check for cached error/invalid states
 	if user.Username == "" {
 		logger.With("platform_id", platformID).WarnContext(ctx, "user has empty username, falling back to service account")
-		return UserInfo{}, nil // Return empty to trigger fallback
+		return UserInfo{} // Return empty to trigger fallback
 	}
 
 	// Return user info for JWT impersonation
-	userInfo := UserInfo{
+	return UserInfo{
 		Username: user.Username,
 		Email:    user.Email,
 	}
-
-	return userInfo, nil
 }