awslabs · ChrisPates · Jun 21, 2024 · Jun 20, 2024 · Jun 20, 2024 · Jun 20, 2024
diff --git a/internal/google/client.go b/internal/google/client.go
@@ -113,7 +113,6 @@ func (c *client) GetUsers(query string) ([]*admin.User, error) {
                         u = append(u, users.Users...)
                         return nil
                 })
-		return u, err
         } else {
 
 	        // The Google api doesn't support multi-part queries, but we do so we need to split into an array of query strings
@@ -128,6 +127,16 @@ func (c *client) GetUsers(query string) ([]*admin.User, error) {
 		}
 	}
 
+	// some people prefer to go by a mononym
+	// Google directory will accept a 'zero width space' for an empty name but will not accept a 'space'
+	// but
+	// Identity Store will accept and a 'space' for an empty name but not a 'zero width space'
+	// So we need to replace any 'zero width space' strings with a single 'space' to allow comparison and sync
+	for _, user := range u {
+		user.Name.GivenName = strings.Replace(user.Name.GivenName, string('\u200B'), " ", -1)
+        	user.Name.FamilyName = strings.Replace(user.Name.FamilyName, string('\u200B'), " ", -1)
+	}
+
 	// Check we've got some users otherwise something is wrong.
         if len(u) == 0 {
                 return u, errors.New("google api returned 0 users?")

diff --git a/internal/sync.go b/internal/sync.go
@@ -294,6 +294,8 @@
 	if err != nil {
 		return err
 	}
+	log.WithField("googleGroups", googleGroups).Debug("Groups to sync")
+	log.WithField("googleUsers", googleUsers).Debug("Users to sync")
 
 	log.Info("get existing aws groups")
 	awsGroups, err := s.GetGroups()
@@ -352,7 +354,7 @@
 			&identitystore.DeleteUserInput{IdentityStoreId: &s.cfg.IdentityStoreID, UserId: &awsUserFull.ID},
 		)
 		if err != nil {
-			log.Error("error deleting user")
+			log.WithField("user", awsUser).Error("error deleting user")
 			return err
 		}
 	}
@@ -377,7 +379,7 @@
 			awsUser.Username,
 			awsUser.Active))
 		if err != nil {
-			log.Error("error updating user")
+		 	log.WithField("user", awsUser).Error("error updating user")
 			return err
 		}
 	}
@@ -391,12 +393,12 @@
 		log.Info("creating user")
 		_, err := s.aws.CreateUser(awsUser)
 		if err != nil {
 			errHttp := new(aws.ErrHttpNotOK)
 			if errors.As(err, &errHttp) && errHttp.StatusCode == 409 {
 				log.WithField("user", awsUser.Username).Warn("user already exists")
 				continue
 			}
-			log.Error("error creating user")
+			log.WithField("user", awsUser).Error("error creating user")
 			return err
 		}
 	}
@@ -531,6 +533,7 @@
                 return nil, nil, nil, err
         }
         for _, u := range googleUsers {
+		log.WithField("email", u).Debug("processing member of gUserDetailCache")
                 gUserDetailCache[u.PrimaryEmail] = u
         }
 
@@ -552,7 +555,7 @@
 
         log.Debug("process users from google, filtering as required")
 	for _, u := range googleUsers {
-		log.WithField("email", u.PrimaryEmail).Debug("processing member")
+		log.WithField("email", u).Debug("processing userMatch")
 
                 // Remove any users that should be ignored
 		if s.ignoreUser(u.PrimaryEmail) {
@@ -627,6 +630,7 @@
 // getGroupOperations returns the groups of AWS that must be added, deleted and are equals
 func getGroupOperations(awsGroups []*aws.Group, googleGroups []*admin.Group) (add []*aws.Group, delete []*aws.Group, equals []*aws.Group) {
 
+ 	log.Debug("getGroupOperations()")
 	awsMap := make(map[string]*aws.Group)
 	googleMap := make(map[string]struct{})
 
@@ -640,16 +644,19 @@
 
 	// AWS Groups found and not found in google
 	for _, gGroup := range googleGroups {
-		if _, found := awsMap[gGroup.Name]; found {
+		if _, found := awsMap[gGroup.Name]; found {	
+		 	log.WithField("gGroup", gGroup).Debug("equals")
 			equals = append(equals, awsMap[gGroup.Name])
 		} else {
+		 	log.WithField("gGroup", gGroup).Debug("add")
 			add = append(add, aws.NewGroup(gGroup.Name))
 		}
 	}
 
 	// Google Groups founds and not in aws
 	for _, awsGroup := range awsGroups {
 		if _, found := googleMap[awsGroup.DisplayName]; !found {
+		 	log.WithField("awsGroup", awsGroup).Debug("delete")
 			delete = append(delete, aws.NewGroup(awsGroup.DisplayName))
 		}
 	}
@@ -660,6 +667,7 @@
 // getUserOperations returns the users of AWS that must be added, deleted, updated and are equals
 func getUserOperations(awsUsers []*aws.User, googleUsers []*admin.User) (add []*aws.User, delete []*aws.User, update []*aws.User, equals []*aws.User) {
 
+	log.Debug("getUserOperations()")
 	awsMap := make(map[string]*aws.User)
 	googleMap := make(map[string]struct{})
 
@@ -677,18 +685,24 @@
 			if awsUser.Active == gUser.Suspended ||
 				awsUser.Name.GivenName != gUser.Name.GivenName ||
 				awsUser.Name.FamilyName != gUser.Name.FamilyName {
+				log.WithField("gUser", gUser).Debug("update")
+				log.WithField("awsUser", awsUser).Debug("update")
 				update = append(update, aws.NewUser(gUser.Name.GivenName, gUser.Name.FamilyName, gUser.PrimaryEmail, !gUser.Suspended))
+
 			} else {
+			        log.WithField("awsUser", awsUser).Debug("equals")
 				equals = append(equals, awsUser)
 			}
 		} else {
+		        log.WithField("gUser", gUser).Debug("add")
 			add = append(add, aws.NewUser(gUser.Name.GivenName, gUser.Name.FamilyName, gUser.PrimaryEmail, !gUser.Suspended))
 		}
 	}
 
 	// Google Users founds and not in aws
 	for _, awsUser := range awsUsers {
 		if _, found := googleMap[awsUser.Username]; !found {
+			log.WithField("awsUser", awsUser).Debug("delete")
 			delete = append(delete, aws.NewUser(awsUser.Name.GivenName, awsUser.Name.FamilyName, awsUser.Username, awsUser.Active))
 		}
 	}
@@ -699,6 +713,7 @@
 // groupUsersOperations returns the groups and its users of AWS that must be delete from these groups and what are equals
 func getGroupUsersOperations(gGroupsUsers map[string][]*admin.User, awsGroupsUsers map[string][]*aws.User) (delete map[string][]*aws.User, equals map[string][]*aws.User) {
 
+ 	log.Debug("getGroupUsersOperations()")
 	mbG := make(map[string]map[string]struct{})
 
 	// get user in google groups that are in aws groups and
@@ -790,7 +805,7 @@
 	if err != nil {
 	        log.WithField("error", err).Warn("Problem performing test query against Identity Store")
 		return err
 	} else {
 	        log.WithField("Groups", response).Info("Test call for groups successful")

        }
@@ -869,7 +884,7 @@
 	return awsGroups, nil
 }

 func ListGroupsPagesCallbackFn(page *identitystore.ListGroupsOutput, lastPage bool) bool {
 	// Loop through each Group returned
 	for _, group := range page.Groups {
 		// Convert to native Group object
@@ -901,7 +916,7 @@
 	return awsUsers, nil
 }

 func ListUsersPagesCallbackFn(page *identitystore.ListUsersOutput, lastPage bool) bool {
 	// Loop through each User in ListUsersOutput and convert to native User object
 	for _, user := range page.Users {
 		awsUsers = append(awsUsers, ConvertSdkUserObjToNative(user))
@@ -909,7 +924,7 @@
 	return !lastPage
 }

 func ConvertSdkUserObjToNative(user *identitystore.User) *aws.User {
 	// Convert emails into native Email object
 	userEmails := make([]aws.UserEmail, 0)

@@ -953,7 +968,7 @@
 	}
 }

 func CreateUserIDtoUserObjMap(awsUsers []*aws.User) map[string]*aws.User {
 	awsUsersMap := make(map[string]*aws.User)

 	for _, awsUser := range awsUsers {
@@ -963,7 +978,7 @@
 	return awsUsersMap
 }

 var ListGroupMembershipPagesCallbackFn func(page *identitystore.ListGroupMembershipsOutput, lastPage bool) bool

 func (s *syncGSuite) GetGroupMembershipsLists(awsGroups []*aws.Group, awsUsersMap map[string]*aws.User) (map[string][]*aws.User, error) {
 	awsGroupsUsers := make(map[string][]*aws.User)