qontract-reconcile 0.10.1rc1037__py3-none-any.whl → 0.10.1rc1039__py3-none-any.whl

{qontract_reconcile-0.10.1rc1037.dist-info → qontract_reconcile-0.10.1rc1039.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: qontract-reconcile
-Version: 0.10.1rc1037
+Version: 0.10.1rc1039
 Summary: Collection of tools to reconcile services with their desired state as defined in the app-interface DB.
 Home-page: https://github.com/app-sre/qontract-reconcile
 Author: Red Hat App-SRE Team

{qontract_reconcile-0.10.1rc1037.dist-info → qontract_reconcile-0.10.1rc1039.dist-info}/RECORD

@@ -35,7 +35,7 @@ reconcile/gitlab_labeler.py,sha256=4xJHmVX155fclrHqkR926sL1GH6RTN5XfZ8PnqNXbRA,4
 reconcile/gitlab_members.py,sha256=PrJE9OhDRdGG_gHM_77nQojLb4B18jtUu8DxgLsRS88,8417
 reconcile/gitlab_mr_sqs_consumer.py,sha256=O46mdziPgGOndbU-0_UJKJVUaiEoVzJPEgKm4_UvYoI,2571
 reconcile/gitlab_owners.py,sha256=sn9njaKOtqcvnhi2qtm-faAfAR4zNqflbSuusA9RUuI,13456
-reconcile/gitlab_permissions.py,sha256=wq0jbWWPN5iOWnRLuZeemCgKh4a_iGy2d4Iq3WFJykM,3636
+reconcile/gitlab_permissions.py,sha256=tEjbpr-QH03vZ4L6CuVJhkgA3oaB_gyJ7d58MTR4JJQ,7389
 reconcile/gitlab_projects.py,sha256=K3tFf_aD1W4Ijp5q-9Qek3kwFGEWPcZ1kd7tzFJ4GyQ,1781
 reconcile/integrations_manager.py,sha256=gvOhVklJDeMPURxLjV30Q4hnLET3BZ-NeEEtQBoo_E0,9500
 reconcile/jenkins_base.py,sha256=0Gocu3fU2YTltaxBlbDQOUvP-7CP2OSQV1ZRwtWeVXw,875
@@ -181,8 +181,8 @@ reconcile/cna/assets/asset_factory.py,sha256=7T7X_J6xIsoGETqBRI45_EyIKEdQcnRPt_G
 reconcile/cna/assets/null.py,sha256=85mVh97atCoC0aLuX47poTZiyOthmziJeBsUw0c924w,1658
 reconcile/dynatrace_token_provider/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 reconcile/dynatrace_token_provider/dependencies.py,sha256=FuRUnK18EyJIIgFwQBZSskIG08mN2VQAcAcaJFTf8zc,2812
-reconcile/dynatrace_token_provider/integration.py,sha256=OaRX5B8KiBvXQ57U8dLchlY2pqep5OM1p8HUNJGKGkc,23196
-reconcile/dynatrace_token_provider/metrics.py,sha256=xiKkl8fTEBQaXJelGCPNTZhHAWdO1M3pCXNr_Tei63c,1285
+reconcile/dynatrace_token_provider/integration.py,sha256=kECEWCIU_rTX7BeFm85Hjpx76GRm3Y54BFUwxQcLW7E,24682
+reconcile/dynatrace_token_provider/metrics.py,sha256=oP-6NTZENFdvWiS0krnmX6tq3xyOzQ8e6vS0CZWYUuw,1496
 reconcile/dynatrace_token_provider/model.py,sha256=gkpqo5rRRueBXnIMjp4EEHqBUBuU65TRI8zpdb8GJ0A,241
 reconcile/dynatrace_token_provider/ocm.py,sha256=iHMsgbsLs-dlrB9UXmWNDF7E4UDe49JOsLa9rnowKfo,4282
 reconcile/dynatrace_token_provider/validate.py,sha256=40_9QmHoB3-KBc0k_0D4QO00PpNNPS-gU9Z6cIcWga8,1920
@@ -519,7 +519,7 @@ reconcile/test/test_github_repo_invites.py,sha256=WrPn5ROAoJYK0ihzlZcFR0V9Pu2HcM
 reconcile/test/test_gitlab_housekeeping.py,sha256=ScD9Tgf9OOgGfAFfTy6Kn2222l2wH_A3gMRKdpvoWe0,10053
 reconcile/test/test_gitlab_labeler.py,sha256=PmYXiU2g0_O5OTdMGPzdeqBAfat92U9bhjjfeyiGSmQ,4336
 reconcile/test/test_gitlab_members.py,sha256=yjfQRUFG_F0kLYegax4_ec5VIBAnCPrvAgqMcN1GXzc,9985
-reconcile/test/test_gitlab_permissions.py,sha256=vPFEsdjyP-lO8pc2rN6acMns3Sjz9YJs16msbBR8DZc,2736
+reconcile/test/test_gitlab_permissions.py,sha256=aMf5SUeVp-aQ1bWGQPQLYa85auzRlyfZVTWqyybJ6mo,5850
 reconcile/test/test_instrumented_wrappers.py,sha256=CZzhnQH0c4i7-Rxjg7-0dfFMvVPegLHL46z5NHOOCwo,608
 reconcile/test/test_integrations_manager.py,sha256=xpyQAVz57wAbovrcQzAeuyq8VzdItUyW2d2kp1WW_5c,38184
 reconcile/test/test_jenkins_worker_fleets.py,sha256=o1jlT7OBBSgu0M3iI4xMdz_x6SciF7yhNBpLk5gTJfg,2361
@@ -676,7 +676,7 @@ reconcile/utils/filtering.py,sha256=S4PbMHuFr3ED0P2Q_ea5CAaB7FimI62B-F5YTaKrphA,
 reconcile/utils/git.py,sha256=JkpbUO10oBTtNHZ1IhjyG6dTOUizc7I5H0vm7NvDVNw,1409
 reconcile/utils/git_secrets.py,sha256=y1rEhwA8DyDpBSAEuhMS7Y2X3mpxT2zQ4zyDFkhLe_g,1936
 reconcile/utils/github_api.py,sha256=R8OvqyPdnRqvP-Efnv9RvIcbBlb4M0KC4RlbnJMD0Tg,2426
-reconcile/utils/gitlab_api.py,sha256=WfhLhOp3-cOwgptiCNPhWja74Lo41ZIlJ6HFSWaIDRw,30512
+reconcile/utils/gitlab_api.py,sha256=C1nsHQKKybsmFdaG9vsItBjJm69ym4VWbqbKfAEf7oY,29305
 reconcile/utils/gpg.py,sha256=EKG7_fdMv8BMlV5yUdPiqoTx-KrzmVSEAl2sLkaKwWI,1123
 reconcile/utils/gql.py,sha256=C0thIm_k9MBldfqwHzyqtYZk9sIvMdm9IbbnXLGwjD8,14158
 reconcile/utils/grouping.py,sha256=vr9SFHZ7bqmHYrvYcEZt-Er3-yQYfAAdq5sHLZVmXPY,456
@@ -867,8 +867,8 @@ tools/test/test_qontract_cli.py,sha256=_D61RFGAN5x44CY1tYbouhlGXXABwYfxKSWSQx3Jr
 tools/test/test_saas_promotion_state.py,sha256=dy4kkSSAQ7bC0Xp2CociETGN-2aABEfL6FU5D9Jl00Y,6056
 tools/test/test_sd_app_sre_alert_report.py,sha256=v363r9zM7__0kR5K6mvJoGFcM9BvE33fWAayrqkpojA,2116
 tools/test/test_sre_checkpoints.py,sha256=SKqPPTl9ua0RFdSSofnoQX-JZE6dFLO3LRhfQzqtfh8,2607
-qontract_reconcile-0.10.1rc1037.dist-info/METADATA,sha256=6F_72A6-bCXEcMeL8AmkvcyhzIc8L2tYbszCURoyl8w,2213
-qontract_reconcile-0.10.1rc1037.dist-info/WHEEL,sha256=eOLhNAGa2EW3wWl_TU484h7q1UNgy0JXjjoqKoxAAQc,92
-qontract_reconcile-0.10.1rc1037.dist-info/entry_points.txt,sha256=GKQqCl2j2X1BJQ69een6rHcR26PmnxnONLNOQB-nRjY,491
-qontract_reconcile-0.10.1rc1037.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
-qontract_reconcile-0.10.1rc1037.dist-info/RECORD,,
+qontract_reconcile-0.10.1rc1039.dist-info/METADATA,sha256=Lg9_6kfW_Ccmxbo_ROXjegslf_Ji5aZZwd8RHgra-Xc,2213
+qontract_reconcile-0.10.1rc1039.dist-info/WHEEL,sha256=eOLhNAGa2EW3wWl_TU484h7q1UNgy0JXjjoqKoxAAQc,92
+qontract_reconcile-0.10.1rc1039.dist-info/entry_points.txt,sha256=GKQqCl2j2X1BJQ69een6rHcR26PmnxnONLNOQB-nRjY,491
+qontract_reconcile-0.10.1rc1039.dist-info/top_level.txt,sha256=l5ISPoXzt0SdR4jVdkfa7RPSKNc8zAHYWAnR-Dw8Ey8,24
+qontract_reconcile-0.10.1rc1039.dist-info/RECORD,,

reconcile/dynatrace_token_provider/integration.py

@@ -1,14 +1,17 @@
 import base64
 import hashlib
 import logging
+from collections import Counter, defaultdict
 from collections.abc import Iterable, Mapping, MutableMapping
 from datetime import timedelta
+from threading import Lock
 from typing import Any
 
 from reconcile.dynatrace_token_provider.dependencies import Dependencies
 from reconcile.dynatrace_token_provider.metrics import (
     DTPClustersManagedGauge,
     DTPOrganizationErrorRate,
+    DTPTokensManagedGauge,
 )
 from reconcile.dynatrace_token_provider.model import DynatraceAPIToken, K8sSecret
 from reconcile.dynatrace_token_provider.ocm import (
@@ -56,6 +59,11 @@ class ReconcileErrorSummary(Exception):
 class DynatraceTokenProviderIntegration(
     QontractReconcileIntegration[DynatraceTokenProviderIntegrationParams]
 ):
+    def __init__(self, params: DynatraceTokenProviderIntegrationParams) -> None:
+        super().__init__(params=params)
+        self._lock = Lock()
+        self._managed_tokens_cnt: dict[str, Counter[str]] = defaultdict(Counter)
+
     @property
     def name(self) -> str:
         return QONTRACT_INTEGRATION
@@ -70,6 +78,22 @@ class DynatraceTokenProviderIntegration(
         dependencies.populate_all()
         self.reconcile(dry_run=dry_run, dependencies=dependencies)
 
+    def _token_cnt(self, dt_tenant_id: str, ocm_env_name: str) -> None:
+        with self._lock:
+            self._managed_tokens_cnt[ocm_env_name][dt_tenant_id] += 1
+
+    def _expose_token_metrics(self) -> None:
+        for ocm_env_name, counter_by_tenant_id in self._managed_tokens_cnt.items():
+            for dt_tenant_id, cnt in counter_by_tenant_id.items():
+                metrics.set_gauge(
+                    DTPTokensManagedGauge(
+                        integration=self.name,
+                        ocm_env=ocm_env_name,
+                        dt_tenant_id=dt_tenant_id,
+                    ),
+                    cnt,
+                )
+
     def reconcile(self, dry_run: bool, dependencies: Dependencies) -> None:
         token_specs = list(dependencies.token_spec_by_name.values())
         validate_token_specs(specs=token_specs)
@@ -86,13 +110,6 @@ class DynatraceTokenProviderIntegration(
                     )
                 except Exception as e:
                     unhandled_exceptions.append(f"{ocm_env_name}: {e}")
-                metrics.set_gauge(
-                    DTPClustersManagedGauge(
-                        integration=self.name,
-                        ocm_env=ocm_env_name,
-                    ),
-                    len(clusters),
-                )
                 if not clusters:
                     continue
                 if self.params.ocm_organization_ids:
@@ -101,8 +118,16 @@ class DynatraceTokenProviderIntegration(
                         for cluster in clusters
                         if cluster.organization_id in self.params.ocm_organization_ids
                     ]
+
                 existing_dtp_tokens: dict[str, dict[str, str]] = {}
 
+                metrics.set_gauge(
+                    DTPClustersManagedGauge(
+                        integration=self.name,
+                        ocm_env=ocm_env_name,
+                    ),
+                    len(clusters),
+                )
                 for cluster in clusters:
                     try:
                         with DTPOrganizationErrorRate(
@@ -162,11 +187,13 @@ class DynatraceTokenProviderIntegration(
                                 existing_dtp_tokens=existing_dtp_tokens[tenant_id],
                                 tenant_id=tenant_id,
                                 token_spec=token_spec,
+                                ocm_env_name=ocm_env_name,
                             )
                     except Exception as e:
                         unhandled_exceptions.append(
                             f"{ocm_env_name}/{cluster.organization_id}/{cluster.external_id}: {e}"
                         )
+                self._expose_token_metrics()
 
         if unhandled_exceptions:
             raise ReconcileErrorSummary(unhandled_exceptions)
@@ -180,6 +207,7 @@ class DynatraceTokenProviderIntegration(
         existing_dtp_tokens: MutableMapping[str, str],
         tenant_id: str,
         token_spec: DynatraceTokenProviderTokenSpecV1,
+        ocm_env_name: str,
     ) -> None:
         if cluster.organization_id not in token_spec.ocm_org_ids:
             logging.info(
@@ -247,6 +275,8 @@ class DynatraceTokenProviderIntegration(
                 existing_dtp_tokens=existing_dtp_tokens,
                 dt_client=dt_client,
                 cluster_uuid=cluster.external_id,
+                dt_tenant_id=tenant_id,
+                ocm_env_name=ocm_env_name,
             )
             if has_diff:
                 if not dry_run:
@@ -302,6 +332,8 @@ class DynatraceTokenProviderIntegration(
         cluster_uuid: str,
         dt_client: DynatraceClient,
         token_name_in_dt_api: str,
+        ocm_env_name: str,
+        dt_tenant_id: str,
         dry_run: bool,
     ) -> None:
         """
@@ -311,6 +343,7 @@ class DynatraceTokenProviderIntegration(
         A list query on the tokens does not return each tokens configuration.
         We encode the token configuration in the token name to save API calls.
         """
+        self._token_cnt(dt_tenant_id=dt_tenant_id, ocm_env_name=ocm_env_name)
         expected_name = self.dynatrace_token_name(spec=spec, cluster_uuid=cluster_uuid)
         if token_name_in_dt_api != expected_name:
             logging.info(
@@ -329,6 +362,8 @@ class DynatraceTokenProviderIntegration(
         existing_dtp_tokens: MutableMapping[str, str],
         dt_client: DynatraceClient,
         cluster_uuid: str,
+        ocm_env_name: str,
+        dt_tenant_id: str,
     ) -> tuple[bool, Iterable[K8sSecret]]:
         has_diff = False
         desired: list[K8sSecret] = []
@@ -362,6 +397,8 @@ class DynatraceTokenProviderIntegration(
                         dt_client=dt_client,
                         dry_run=dry_run,
                         token_name_in_dt_api=existing_dtp_tokens[cur_token.id],
+                        dt_tenant_id=dt_tenant_id,
+                        ocm_env_name=ocm_env_name,
                     )
                     desired_tokens.append(cur_token)
             desired.append(

reconcile/dynatrace_token_provider/metrics.py

@@ -50,3 +50,13 @@ class DTPClustersManagedGauge(DTPBaseMetric, GaugeMetric):
     @classmethod
     def name(cls) -> str:
         return "dtp_clusters_managed"
+
+
+class DTPTokensManagedGauge(DTPBaseMetric, GaugeMetric):
+    "Gauge for the number of tokens DTP manages"
+
+    dt_tenant_id: str
+
+    @classmethod
+    def name(cls) -> str:
+        return "dtp_tokens_managed"

reconcile/gitlab_permissions.py

@@ -1,21 +1,146 @@
 import itertools
 import logging
+from dataclasses import dataclass
 from typing import Any
 
-from gitlab.const import MAINTAINER_ACCESS
+from gitlab.v4.objects import (
+    GroupProject,
+    Project,
+)
 from sretoolbox.utils import threaded
 
 from reconcile import queries
 from reconcile.utils import batches
 from reconcile.utils.defer import defer
+from reconcile.utils.differ import diff_mappings
 from reconcile.utils.gitlab_api import GitLabApi
 from reconcile.utils.unleash import get_feature_toggle_state
 
 QONTRACT_INTEGRATION = "gitlab-permissions"
 APP_SRE_GROUP_NAME = "app-sre"
+GROUP_ACCESS = "maintainer"
 PAGE_SIZE = 100
 
 
+@dataclass
+class GroupSpec:
+    group_name: str
+    group_access_level: int
+
+
+class GroupAccessLevelError(Exception):
+    pass
+
+
+class GroupPermissionHandler:
+    def __init__(
+        self, gl: GitLabApi, group_name: str, access: str, dry_run: bool
+    ) -> None:
+        self.gl = gl
+        self.dry_run = dry_run
+        self.access_level_string = access
+        self.access_level = self.gl.get_access_level(access)
+        self.group = self.gl.get_group(group_name)
+
+    def run(self, repos: list[str]) -> None:
+        # filter projects belonging to the same group and remove it from the state data
+        filtered_project_repos = self.filter_group_owned_projects(repos)
+        desired_state = {
+            project_repo_url: GroupSpec(self.group.name, self.access_level)
+            for project_repo_url in filtered_project_repos
+        }
+        # get all projects shared with group
+        shared_projects = self.gl.get_items(self.group.shared_projects.list)
+        current_state = {
+            project.web_url: self.extract_group_spec(project)
+            for project in shared_projects
+        }
+        self.reconcile(desired_state, current_state)
+
+    def filter_group_owned_projects(self, repos: list[str]) -> set[str]:
+        # get only the projects that are owned by  group and its sub groups
+        query = {"with_shared": False, "include_subgroups": True}
+        group_owned_projects = self.gl.get_items(
+            self.group.projects.list, query_parameters=query
+        )
+        group_owned_repo_list = {project.web_url for project in group_owned_projects}
+        return set(repos) - group_owned_repo_list
+
+    def extract_group_spec(self, project: GroupProject) -> GroupSpec:
+        return next(
+            GroupSpec(
+                group_name=self.group.name,
+                group_access_level=group["group_access_level"],
+            )
+            for group in project.shared_with_groups
+            if group["group_id"] == self.group.id
+        )
+
+    def can_share_project(self, project: Project) -> bool:
+        # check if user have access greater or equal access to be shared with the group
+        user = project.members_all.get(id=self.gl.user.id)
+        return user.access_level >= self.access_level
+
+    def reconcile(
+        self,
+        desired_state: dict[str, GroupSpec],
+        current_state: dict[str, GroupSpec],
+    ) -> None:
+        # get the diff data
+        diff_data = diff_mappings(
+            current=current_state,
+            desired=desired_state,
+            equal=lambda current, desired: current.group_access_level
+            == desired.group_access_level,
+        )
+        errors: list[Exception] = []
+        for repo in diff_data.add:
+            project = self.gl.get_project(repo)
+            if not self.can_share_project(project):
+                errors.append(
+                    GroupAccessLevelError(
+                        f"{repo} is not shared with {self.gl.user.username} as {self.access_level_string}"
+                    )
+                )
+                continue
+            logging.info([
+                "share",
+                repo,
+                self.group.name,
+                self.access_level_string,
+            ])
+            if not self.dry_run:
+                self.gl.share_project_with_group(
+                    project=project,
+                    group_id=self.group.id,
+                    access_level=self.access_level,
+                )
+        for repo in diff_data.change:
+            project = self.gl.get_project(repo)
+            if not self.can_share_project(project):
+                errors.append(
+                    GroupAccessLevelError(
+                        f"{repo} is not shared with {self.gl.user.username} as {self.access_level_string}"
+                    )
+                )
+                continue
+            logging.info([
+                "reshare",
+                repo,
+                self.group.name,
+                self.access_level_string,
+            ])
+            if not self.dry_run:
+                self.gl.share_project_with_group(
+                    project=project,
+                    group_id=self.group.id,
+                    access_level=self.access_level,
+                    reshare=True,
+                )
+        if errors:
+            raise ExceptionGroup("Reconcile errors occurred", errors)
+
+
 def get_members_to_add(repo, gl, app_sre):
     maintainers = get_all_app_sre_maintainers(repo, gl, app_sre)
     if maintainers is None:
@@ -56,7 +181,10 @@ def run(dry_run, thread_pool_size=10, defer=None):
         default=False,
     )
     if share_with_group_enabled:
-        share_project_with_group(gl, repos, dry_run)
+        group_permission_handler = GroupPermissionHandler(
+            gl=gl, group_name=APP_SRE_GROUP_NAME, access=GROUP_ACCESS, dry_run=dry_run
+        )
+        group_permission_handler.run(repos=repos)
     else:
         share_project_with_group_members(gl, repos, thread_pool_size, dry_run)
 
@@ -75,26 +203,6 @@ def share_project_with_group_members(
             gl.add_project_member(m["repo"], m["user"])
 
 
-def share_project_with_group(gl: GitLabApi, repos: list[str], dry_run: bool) -> None:
-    # get repos not owned by app-sre
-    non_app_sre_project_repos = {repo for repo in repos if "/app-sre/" not in repo}
-    group_id, shared_projects = gl.get_group_id_and_shared_projects(APP_SRE_GROUP_NAME)
-    shared_project_repos = shared_projects.keys()
-    repos_to_share = non_app_sre_project_repos - shared_project_repos
-    repos_to_reshare = {
-        repo
-        for repo in non_app_sre_project_repos
-        if (group_data := shared_projects.get(repo))
-        and group_data["group_access_level"] < MAINTAINER_ACCESS
-    }
-    for repo in repos_to_share:
-        gl.share_project_with_group(repo_url=repo, group_id=group_id, dry_run=dry_run)
-    for repo in repos_to_reshare:
-        gl.share_project_with_group(
-            repo_url=repo, group_id=group_id, dry_run=dry_run, reshare=True
-        )
-
-
 def early_exit_desired_state(*args, **kwargs) -> dict[str, Any]:
     instance = queries.get_gitlab_instance()
     return {

reconcile/test/test_gitlab_permissions.py

@@ -1,7 +1,17 @@
 from unittest.mock import MagicMock, create_autospec
 
 import pytest
-from gitlab.v4.objects import CurrentUser, GroupMember
+from gitlab.v4.objects import (
+    CurrentUser,
+    Group,
+    GroupMember,
+    GroupProjectManager,
+    Project,
+    ProjectMember,
+    ProjectMemberAllManager,
+    SharedProject,
+    SharedProjectManager,
+)
 from pytest_mock import MockerFixture
 
 from reconcile import gitlab_permissions
@@ -23,6 +33,7 @@ def mocked_gl() -> MagicMock:
     gl.server = "test_server"
     gl.user = create_autospec(CurrentUser)
     gl.user.username = "test_name"
+    gl.user.id = 1234
     return gl
 
 
@@ -49,13 +60,25 @@ def test_run_share_with_group(
     mocker.patch(
         "reconcile.gitlab_permissions.get_feature_toggle_state"
     ).return_value = True
-    mocked_gl.get_group_id_and_shared_projects.return_value = (
-        1234,
-        {"https://test.com": {"group_access_level": 30}},
+    group = create_autospec(Group, id=1234)
+    group.name = "app-sre"
+    group.projects = create_autospec(GroupProjectManager)
+    group.shared_projects = create_autospec(SharedProjectManager)
+    mocked_gl.get_items.side_effect = [
+        [],
+        [],
+    ]
+    mocked_gl.get_group.return_value = group
+    mocked_gl.get_access_level.return_value = 40
+    project = create_autospec(Project, web_url="https://test.com")
+    project.members_all = create_autospec(ProjectMemberAllManager)
+    project.members_all.get.return_value = create_autospec(
+        ProjectMember, id=mocked_gl.user.id, access_level=40
     )
+    mocked_gl.get_project.return_value = project
     gitlab_permissions.run(False, thread_pool_size=1)
     mocked_gl.share_project_with_group.assert_called_once_with(
-        repo_url="https://test-gitlab.com", group_id=1234, dry_run=False
+        project, group_id=1234, access_level=40
     )
 
 
@@ -66,11 +89,76 @@ def test_run_reshare_with_group(
     mocker.patch(
         "reconcile.gitlab_permissions.get_feature_toggle_state"
     ).return_value = True
-    mocked_gl.get_group_id_and_shared_projects.return_value = (
-        1234,
-        {"https://test-gitlab.com": {"group_access_level": 30}},
+    group = create_autospec(Group, id=1234)
+    group.name = "app-sre"
+    group.projects = create_autospec(GroupProjectManager)
+    group.shared_projects = create_autospec(SharedProjectManager)
+    mocked_gl.get_items.side_effect = [
+        [],
+        [
+            create_autospec(
+                SharedProject,
+                web_url="https://test-gitlab.com",
+                shared_with_groups=[
+                    {
+                        "group_access_level": 30,
+                        "group_name": "app-sre",
+                        "group_id": 1234,
+                    }
+                ],
+            )
+        ],
+    ]
+    mocked_gl.get_group.return_value = group
+    mocked_gl.get_access_level.return_value = 40
+    project = create_autospec(Project, web_url="https://test-gitlab.com")
+    project.members_all = create_autospec(ProjectMemberAllManager)
+    project.members_all.get.return_value = create_autospec(
+        ProjectMember, id=mocked_gl.user.id, access_level=40
     )
+    mocked_gl.get_project.return_value = project
     gitlab_permissions.run(False, thread_pool_size=1)
     mocked_gl.share_project_with_group.assert_called_once_with(
-        repo_url="https://test-gitlab.com", group_id=1234, dry_run=False, reshare=True
+        project=project, group_id=1234, access_level=40, reshare=True
+    )
+
+
+def test_run_share_with_group_failed(
+    mocked_queries: MagicMock, mocker: MockerFixture, mocked_gl: MagicMock
+) -> None:
+    mocker.patch("reconcile.gitlab_permissions.GitLabApi").return_value = mocked_gl
+    mocker.patch(
+        "reconcile.gitlab_permissions.get_feature_toggle_state"
+    ).return_value = True
+    group = create_autospec(Group, id=1234)
+    group.name = "app-sre"
+    group.projects = create_autospec(GroupProjectManager)
+    group.shared_projects = create_autospec(SharedProjectManager)
+    group.projects = create_autospec(GroupProjectManager)
+    group.shared_projects = create_autospec(SharedProjectManager)
+    mocked_gl.get_items.side_effect = [
+        [],
+        [
+            create_autospec(
+                SharedProject,
+                web_url="https://test-gitlab.com",
+                shared_with_groups=[
+                    {
+                        "group_access_level": 30,
+                        "group_name": "app-sre",
+                        "group_id": 134,
+                    }
+                ],
+            )
+        ],
+    ]
+    mocked_gl.get_group.return_value = group
+    mocked_gl.get_access_level.return_value = 40
+    project = create_autospec(Project)
+    project.members_all = create_autospec(ProjectMemberAllManager)
+    project.members_all.get.return_value = create_autospec(
+        ProjectMember, id=mocked_gl.user.id, access_level=10
     )
+    mocked_gl.get_project.return_value = project
+    with pytest.raises(Exception):
+        gitlab_permissions.run(False, thread_pool_size=1)

reconcile/utils/gitlab_api.py

@@ -262,51 +262,16 @@ class GitLabApi:  # pylint: disable=too-many-public-methods
 
     def share_project_with_group(
         self,
-        repo_url: str,
+        project: Project,
         group_id: int,
-        dry_run: bool,
-        access: str = "maintainer",
+        access_level: int,
         reshare: bool = False,
     ) -> None:
-        project = self.get_project(repo_url)
-        if project is None:
-            return None
-        access_level = self.get_access_level(access)
-        # check if we have 'access_level' access so we can  add the group with same role.
-        members = self.get_items(
-            project.members_all.list, query_parameters={"user_ids": self.user.id}
-        )
-        if not any(
-            self.user.id == member.id and member.access_level >= access_level
-            for member in members
-        ):
-            logging.error(
-                "%s is not shared with %s as %s",
-                repo_url,
-                self.user.username,
-                access,
-            )
-            return None
-        logging.info(["add_group_as_maintainer", repo_url, group_id])
-        if not dry_run:
-            if reshare:
-                gitlab_request.labels(integration=INTEGRATION_NAME).inc()
-                project.unshare(group_id)
+        if reshare:
             gitlab_request.labels(integration=INTEGRATION_NAME).inc()
-            project.share(group_id, access_level)
-
-    def get_group_id_and_shared_projects(
-        self, group_name: str
-    ) -> tuple[int, dict[str, Any]]:
+            project.unshare(group_id)
         gitlab_request.labels(integration=INTEGRATION_NAME).inc()
-        group = self.gl.groups.get(group_name)
-        shared_projects = self.get_items(group.projects.list)
-        return group.id, {
-            project.web_url: shared_group
-            for project in shared_projects
-            for shared_group in project.shared_with_groups
-            if shared_group["group_id"] == group.id
-        }
+        project.share(group_id, access_level)
 
     @staticmethod
     def _is_bot_username(username: str) -> bool:
@@ -419,6 +384,10 @@ class GitLabApi:  # pylint: disable=too-many-public-methods
         group = self.gl.groups.get(group_name)
         return group.id, [p.name for p in self.get_items(group.projects.list)]
 
+    def get_group(self, group_name: str) -> Group:
+        gitlab_request.labels(integration=INTEGRATION_NAME).inc()
+        return self.gl.groups.get(group_name)
+
     def create_project(self, group_id, project):
         gitlab_request.labels(integration=INTEGRATION_NAME).inc()
         self.gl.projects.create({"name": project, "namespace_id": group_id})