src-auth-perms-sync 0.3.0__tar.gz → 0.3.1__tar.gz

{src_auth_perms_sync-0.3.0 → src_auth_perms_sync-0.3.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: src-auth-perms-sync
-Version: 0.3.0
+Version: 0.3.1
 Summary: Set Sourcegraph permissions from authentication provider data
 Project-URL: Homepage, https://github.com/sourcegraph/src-auth-perms-sync
 Project-URL: Issues, https://github.com/sourcegraph/src-auth-perms-sync/issues

{src_auth_perms_sync-0.3.0 → src_auth_perms_sync-0.3.1}/dev/TODO.md

@@ -1,21 +1,5 @@
 # TODO
 
-## High priority: Sync modes
-
-### Fast
-
-- Additive modes, to add new users’ perms quickly,
-  without the extraneous load on the database of a full sync
-- Take a list of usernames and/or email addresses as input,
-  query users on the instance for these,
-  then trigger a perms sync for found users
-- Query the instance for all new users, which do not yet have explicit perms
-- Query the instance for all new repos, which do not yet have explicit perms
-
-### Full: Overwrite all perms
-
-- Separate full sync mode with an arg
-
 ## High priority: Remote trigger on demand
 
 - Sourcegraph webhook for new user coming in v7.4.0

{src_auth_perms_sync-0.3.0 → src_auth_perms_sync-0.3.1}/dev/memory-efficiency-generate.py

@@ -551,7 +551,7 @@ def list_external_services(client: src.SourcegraphClient) -> list[ExternalServic
             )
         )
     if not services:
-        raise SystemExit("No external services found on the Sourcegraph instance")
+        raise SystemExit("No code hosts found on the Sourcegraph instance")
     return services
 
 

{src_auth_perms_sync-0.3.0 → src_auth_perms_sync-0.3.1}/dev/memory-efficiency.md

@@ -298,6 +298,39 @@ Important requirements:
 Expected benefit: replace hundreds or thousands of per-repo resolver SQL spans
 per request with one indexed `user_repo_permissions` join per user batch.
 
+The `get --users-without-explicit-perms` path also needs a cheaper presence
+check. Today it has to ask
+`User.permissionsInfo.repositories(source: API, first: 1)` for every candidate
+user, in aliased batches. Recent test runs show the client can parallelize
+those batches, but the Sourcegraph frontend / load balancer can still return
+502/503s under that resolver load. Add one or both direct APIs:
+
+```graphql
+type ExplicitRepositoryPermissionPresence {
+  userID: ID!
+  hasExplicitRepositoryPermissions: Boolean!
+}
+
+extend type Query {
+  explicitRepositoryPermissionPresenceForUsers(
+    userIDs: [ID!]!
+    source: PermissionSource = API
+  ): [ExplicitRepositoryPermissionPresence!]!
+
+  usersWithoutExplicitRepositoryPermissions(
+    createdAt: DateTimeFilter
+    source: PermissionSource = API
+    first: Int
+    after: String
+  ): UserConnection!
+}
+```
+
+Expected benefit: `src-auth-perms-sync get --users-without-explicit-perms`
+can either check explicit-permission presence for candidate users in one indexed
+batch query, or ask Sourcegraph for the filtered user set directly instead of
+probing every user through the expensive permissions connection resolver.
+
 The stress profile also needs attention on the write path. A purpose-built
 bulk overwrite API that accepts many repo/user edges at once, streams or stages
 the input server-side, and avoids repeated per-repo permission reconciliation
@@ -324,7 +357,10 @@ Request: add a bulk explicit-permissions read API that accepts many user IDs and
 returns compact permission edges (`userID`, `repositoryID`, `repositoryName`,
 `updatedAt`) for `source: API`, without resolving full `Repository` GraphQL
 objects. A single indexed query over `user_repo_permissions` joined to `repo`
-should be enough for each user batch.
+should be enough for each user batch. Also add a cheaper presence/filter path
+for `get --users-without-explicit-perms`: either `userID -> has explicit API
+repo permissions` for many users, or a direct query for users without explicit
+API repo permissions, optionally filtered by `createdAt`.
 
 Acceptance criteria:
 
@@ -336,6 +372,9 @@ Acceptance criteria:
   latency visible.
 - `src-auth-perms-sync` can replace its aliased
   `User.permissionsInfo.repositories(source: API)` calls with this API.
+- `src-auth-perms-sync get --users-without-explicit-perms` can stop probing
+  every candidate user through `User.permissionsInfo.repositories(source: API,
+  first: 1)`.
 - Follow-up: evaluate a bulk overwrite API for large full-set applies. The
   stress run planned roughly 10 million grants and observed
   `permsStore.upsertUserRepoPermissions-range1` averaging about 2.5s per call.

{src_auth_perms_sync-0.3.0 → src_auth_perms_sync-0.3.1}/dev/test-end-to-end.py

@@ -1575,6 +1575,12 @@ def invalid_configuration_cases(config: EndToEndConfig) -> list[CommandCase]:
                 expected_exit_code=2,
                 must_contain=("choose at most one",),
             ),
+            CommandCase(
+                name="invalid-set-full-and-created-after",
+                arguments=("set", "--full", "--created-after", config.future_date),
+                expected_exit_code=2,
+                must_contain=("--full cannot be combined with --created-after",),
+            ),
             CommandCase(
                 name="invalid-user-filter-conflict",
                 arguments=("get", "--users", config.user, "--users-without-explicit-perms"),
@@ -1682,10 +1688,9 @@ def read_only_cases(config: EndToEndConfig) -> list[CommandCase]:
 def run_safe_set_cases(config: EndToEndConfig, runner: CommandPermutationRunner) -> None:
     runner.run(
         CommandCase(
-            name="set-explicit-full-no-op-apply",
+            name="set-created-after-no-op-apply",
             arguments=(
                 "set",
-                "--full",
                 "--created-after",
                 config.future_date,
                 "--apply",
@@ -1693,8 +1698,8 @@ def run_safe_set_cases(config: EndToEndConfig, runner: CommandPermutationRunner)
                 "--parallelism",
                 str(config.parallelism),
             ),
-            expected_log_command="set_full",
-            must_contain=("No repos resolved across any mapping",),
+            expected_log_command="set_created_after",
+            must_contain=("No users selected",),
         )
     )
 

{src_auth_perms_sync-0.3.0 → src_auth_perms_sync-0.3.1}/src/src_auth_perms_sync/cli.py

@@ -47,6 +47,10 @@ GET_CONFIG_FIELDS = src.config_field_names(
     "users",
     "users_without_explicit_perms",
     "created_after",
+    "repos",
+    "repos_without_explicit_perms",
+    "repos_created_after",
+    "no_backup",
     "explicit_permissions_batch_size",
     *COMMON_CONFIG_FIELDS,
 )
@@ -56,6 +60,9 @@ SET_CONFIG_FIELDS = src.config_field_names(
     "users",
     "users_without_explicit_perms",
     "created_after",
+    "repos",
+    "repos_without_explicit_perms",
+    "repos_created_after",
     "sync_saml_organizations",
     "apply",
     "no_backup",
@@ -79,27 +86,47 @@ LogCommandName: TypeAlias = Literal[
     "set_full",
     "set_users",
     "set_users_without_explicit_perms",
+    "set_created_after",
+    "set_repos",
+    "set_repos_without_explicit_perms",
+    "set_repos_created_after",
     "restore",
     "sync_saml_orgs",
     "set_full_sync_saml_orgs",
     "set_users_sync_saml_orgs",
     "set_users_without_explicit_perms_sync_saml_orgs",
+    "set_created_after_sync_saml_orgs",
+    "set_repos_sync_saml_orgs",
+    "set_repos_without_explicit_perms_sync_saml_orgs",
+    "set_repos_created_after_sync_saml_orgs",
 ]
 
 SET_COMMAND_LOG_NAMES: dict[permission_types.SetCommandMode, LogCommandName] = {
     "full": "set_full",
     "users": "set_users",
     "users_without_explicit_perms": "set_users_without_explicit_perms",
+    "created_after": "set_created_after",
+    "repos": "set_repos",
+    "repos_without_explicit_perms": "set_repos_without_explicit_perms",
+    "repos_created_after": "set_repos_created_after",
 }
 SET_COMMAND_ARTIFACT_NAMES: dict[permission_types.SetCommandMode, str] = {
     "full": "set-{run_mode}",
     "users": "set-add-users-{run_mode}",
     "users_without_explicit_perms": "set-add-users-without-explicit-perms-{run_mode}",
+    "created_after": "set-add-users-created-after-{run_mode}",
+    "repos": "set-repos-{run_mode}",
+    "repos_without_explicit_perms": "set-repos-without-explicit-perms-{run_mode}",
+    "repos_created_after": "set-repos-created-after-{run_mode}",
 }
 SYNC_SET_COMMAND_LOG_NAMES: dict[permission_types.SetCommandMode, LogCommandName] = {
     "full": "set_full_sync_saml_orgs",
     "users": "set_users_sync_saml_orgs",
     "users_without_explicit_perms": "set_users_without_explicit_perms_sync_saml_orgs",
+    "created_after": "set_created_after_sync_saml_orgs",
+    "repos": "set_repos_sync_saml_orgs",
+    "repos_without_explicit_perms": "set_repos_without_explicit_perms_sync_saml_orgs",
+    "repos_created_after": "set_repos_created_after_sync_saml_orgs",
 }
 SYNC_SET_COMMAND_ARTIFACT_NAMES: dict[permission_types.SetCommandMode, str] = {
     "full": "set-sync-saml-orgs-{run_mode}",
@@ -107,6 +134,10 @@ SYNC_SET_COMMAND_ARTIFACT_NAMES: dict[permission_types.SetCommandMode, str] = {
     "users_without_explicit_perms": (
         "set-add-users-without-explicit-perms-sync-saml-orgs-{run_mode}"
     ),
+    "created_after": "set-add-users-created-after-sync-saml-orgs-{run_mode}",
+    "repos": "set-repos-sync-saml-orgs-{run_mode}",
+    "repos_without_explicit_perms": ("set-repos-without-explicit-perms-sync-saml-orgs-{run_mode}"),
+    "repos_created_after": "set-repos-created-after-sync-saml-orgs-{run_mode}",
 }
 
 
@@ -178,7 +209,10 @@ class Config(src.SourcegraphClientConfig, src.LoggingConfig, src.OpenTelemetryCo
         env_var="SRC_AUTH_PERMS_SYNC_FULL",
         cli_flag="--full",
         cli_action="store_true",
-        help="With the set command: run the full overwrite reconciliation mode (default)",
+        help=(
+            "With the set command: run full overwrite reconciliation "
+            "(default only when no user filter is set)"
+        ),
         help_group="Permission sync",
     )
     users: tuple[str, ...] = src.config_field(
@@ -206,6 +240,31 @@ class Config(src.SourcegraphClientConfig, src.LoggingConfig, src.OpenTelemetryCo
         help="Process Sourcegraph users created on or after this date",
         help_group="User filters",
     )
+    repos: tuple[str, ...] = src.config_field(
+        default=(),
+        env_var="SRC_AUTH_PERMS_SYNC_REPOS",
+        cli_flag="--repos",
+        metavar="REPOS",
+        help="Process comma-delimited Sourcegraph repository names",
+        help_group="Repo filters",
+    )
+    repos_without_explicit_perms: bool = src.config_field(
+        default=False,
+        env_var="SRC_AUTH_PERMS_SYNC_REPOS_WITHOUT_EXPLICIT_PERMS",
+        cli_flag="--repos-without-explicit-perms",
+        cli_action="store_true",
+        help="Process Sourcegraph repositories without explicit permissions",
+        help_group="Repo filters",
+    )
+    repos_created_after: str | None = src.config_field(
+        default=None,
+        env_var="SRC_AUTH_PERMS_SYNC_REPOS_CREATED_AFTER",
+        cli_flag="--repos-created-after",
+        metavar="YYYY-MM-DD",
+        pattern=r"^\d{4}-\d{2}-\d{2}$",
+        help="Process Sourcegraph repositories created on or after this date",
+        help_group="Repo filters",
+    )
     sync_saml_organizations: bool = src.config_field(
         default=False,
         env_var="SRC_AUTH_PERMS_SYNC_SYNC_SAML_ORGS",
@@ -227,7 +286,7 @@ class Config(src.SourcegraphClientConfig, src.LoggingConfig, src.OpenTelemetryCo
         env_var="SRC_AUTH_PERMS_SYNC_NO_BACKUP",
         cli_flag="--no-backup",
         cli_action="store_true",
-        help="With mutating commands: skip before/after snapshots and validation",
+        help="Skip before/after snapshot artifacts and validation where supported",
         help_group="Mutation",
     )
     parallelism: int = src.config_field(
@@ -329,6 +388,7 @@ def validate_config(command_name: CommandName, config: Config) -> None:
     """Validate cross-field CLI/config constraints."""
     validate_command_options(command_name, config)
     validate_user_filter_selection(command_name, config)
+    validate_repository_filter_selection(command_name, config)
     validate_set_mode_selection(command_name, config)
 
 
@@ -336,8 +396,6 @@ def validate_command_options(command_name: CommandName, config: Config) -> None:
     """Validate options that only make sense with specific commands."""
     if command_name == "get" and config.apply:
         config_error("--apply cannot be used with the read-only get command")
-    if command_name == "get" and config.no_backup:
-        config_error("--no-backup cannot be used with the read-only get command")
     if config.sync_saml_organizations and command_name != "set":
         config_error("--sync-saml-orgs can only be combined with set")
     if command_name == "restore" and config.restore_path is None:
@@ -360,6 +418,34 @@ def validate_user_filter_selection(command_name: CommandName, config: Config) ->
         )
 
 
+def validate_repository_filter_selection(command_name: CommandName, config: Config) -> None:
+    """Validate repo-scope filters and their compatible commands."""
+    repository_filter_count = sum(
+        (
+            bool(config.repos),
+            config.repos_without_explicit_perms,
+            config.repos_created_after is not None,
+        )
+    )
+    if repository_filter_count > 1:
+        config_error(
+            "choose only one of --repos, --repos-without-explicit-perms, or --repos-created-after"
+        )
+
+    repository_filter_selected = repository_filter_count > 0
+    repository_filter_allowed = command_name in {"get", "set"}
+    if repository_filter_selected and not repository_filter_allowed:
+        config_error(
+            "--repos, --repos-without-explicit-perms, and --repos-created-after require get or set"
+        )
+
+    user_filter_selected = any(
+        (bool(config.users), config.users_without_explicit_perms, config.created_after is not None)
+    )
+    if repository_filter_selected and user_filter_selected:
+        config_error("choose either user filters or repo filters, not both")
+
+
 def validate_set_mode_selection(command_name: CommandName, config: Config) -> None:
     """Validate set command mode flags."""
     if config.full and command_name != "set":
@@ -368,9 +454,29 @@ def validate_set_mode_selection(command_name: CommandName, config: Config) -> No
     if command_name != "set":
         return
 
-    if sum((config.full, bool(config.users), config.users_without_explicit_perms)) > 1:
+    if config.full and config.created_after is not None:
+        config_error(
+            "--full cannot be combined with --created-after because full mode "
+            "overwrites mapped repos; omit --full to add grants for new users"
+        )
+
+    if (
+        sum(
+            (
+                config.full,
+                bool(config.users),
+                config.users_without_explicit_perms,
+                bool(config.repos),
+                config.repos_without_explicit_perms,
+                config.repos_created_after is not None,
+            )
+        )
+        > 1
+    ):
         config_error(
-            "with set, choose at most one of --full, --users, or --users-without-explicit-perms"
+            "with set, choose at most one of --full, --users, "
+            "--users-without-explicit-perms, --repos, "
+            "--repos-without-explicit-perms, or --repos-created-after"
         )
 
 
@@ -387,9 +493,27 @@ def set_command_options(config: Config) -> permission_types.SetCommandOptions:
             mode="users_without_explicit_perms",
             user_created_after=config.created_after,
         )
+    if config.created_after is not None:
+        return permission_types.SetCommandOptions(
+            mode="created_after",
+            user_created_after=config.created_after,
+        )
+    if config.repos:
+        return permission_types.SetCommandOptions(
+            mode="repos",
+            repository_names=config.repos,
+        )
+    if config.repos_without_explicit_perms:
+        return permission_types.SetCommandOptions(
+            mode="repos_without_explicit_perms",
+        )
+    if config.repos_created_after is not None:
+        return permission_types.SetCommandOptions(
+            mode="repos_created_after",
+            repository_created_after=config.repos_created_after,
+        )
     return permission_types.SetCommandOptions(
         mode="full",
-        user_created_after=config.created_after,
     )
 
 
@@ -507,12 +631,7 @@ def require_set_input_file(maps_path: Path) -> None:
 
 def run_fields(config: Config, command: ResolvedCommand, endpoint: str) -> dict[str, object]:
     """Return run-level fields for structured logging."""
-    return {
-        "cli_cmd": command.log_name,
-        "base_cmd": command.name,
-        "set_mode": command.set_mode,
-        "sync_saml_orgs_flag": command.sync_saml_organizations,
-        "apply_flag": config.apply,
+    fields: dict[str, object] = {
         "endpoint": endpoint,
         "parallelism": config.parallelism,
         "explicit_permissions_batch_size": config.explicit_permissions_batch_size,
@@ -520,13 +639,28 @@ def run_fields(config: Config, command: ResolvedCommand, endpoint: str) -> dict[
         "open_telemetry": config.open_telemetry,
         "max_attempts": config.max_attempts,
         "http_timeout_seconds": config.http_timeout_seconds,
-        "no_backup": config.no_backup,
         "sample_interval": config.sample_interval,
-        "user_created_after": config.created_after,
         "artifacts_dir": str(backups.endpoint_artifacts_directory(endpoint)),
         "python_version": sys.version.split()[0],
         "pid": os.getpid(),
     }
+    if command.name != "get":
+        fields["apply"] = config.apply
+    if config.no_backup:
+        fields["no_backup"] = True
+    if command.set_mode is not None:
+        fields["set_mode"] = command.set_mode
+    if command.sync_saml_organizations:
+        fields["sync_saml_orgs"] = True
+    if config.created_after is not None:
+        fields["created_after"] = config.created_after
+    if config.repos:
+        fields["repos"] = config.repos
+    if config.repos_without_explicit_perms:
+        fields["repos_without_explicit_perms"] = True
+    if config.repos_created_after is not None:
+        fields["repos_created_after"] = config.repos_created_after
+    return fields
 
 
 def run_with_client(
@@ -683,6 +817,9 @@ def run_get(
         user_identifiers=config.users,
         users_without_explicit_perms=config.users_without_explicit_perms,
         user_created_after=config.created_after,
+        repository_names=config.repos,
+        repositories_without_explicit_perms=config.repos_without_explicit_perms,
+        repository_created_after=config.repos_created_after,
         parallelism=config.parallelism,
         explicit_permissions_batch_size=config.explicit_permissions_batch_size,
         bind_id_mode=sourcegraph_site_config.bind_id_mode,
@@ -690,6 +827,7 @@ def run_get(
             sourcegraph_site_config.saml_groups_attribute_name_by_config_id
         ),
         auth_providers_by_config_id=sourcegraph_site_config.auth_providers_by_config_id,
+        do_backup=not config.no_backup,
         retain_saml_group_users=False,
         worker_pool=worker_pool,
     )
@@ -767,7 +905,7 @@ def _run_or_raise(command_name: CommandName, config: Config) -> None:
         backups.run_artifacts_context(run_directory, run_timestamp),
         src.logging(
             config,
-            command=command.log_name,
+            command=command.name,
             git_cwd=__file__,
             logging_config=logging_settings,
             run_fields=run_fields(config, command, endpoint),