From b35702e0d86bc6e9fa789045fa455ba836886b52 Mon Sep 17 00:00:00 2001
From: Chad Roberts
Date: Tue, 1 Oct 2024 06:29:29 -0400
Subject: [PATCH] Use the userClient instead of userCache when cleaning up auth provider users. (#47311)
---
 pkg/auth/cleanup/service.go | 8 +++-----
 pkg/auth/cleanup/service_test.go | 33 ++++++++++++++++++++-------------
 2 files changed, 23 insertions(+), 18 deletions(-)
diff --git a/pkg/auth/cleanup/service.go b/pkg/auth/cleanup/service.go
index ea8d3058956..0b6ece2caf3 100644
--- a/pkg/auth/cleanup/service.go
+++ b/pkg/auth/cleanup/service.go
@@ -21,7 +21,6 @@ var errAuthConfigNil = errors.New("cannot get auth provider if its config is nil
 type Service struct {
 secretsInterface corev1.SecretInterface
- userCache controllers.UserCache
 userClient controllers.UserClient
 clusterRoleTemplateBindingsCache controllers.ClusterRoleTemplateBindingCache
@@ -39,7 +38,6 @@ func NewCleanupService(secretsInterface corev1.SecretInterface, c controllers.In
 return &Service{
 secretsInterface: secretsInterface,
- userCache: c.User().Cache(),
 userClient: c.User(),
 clusterRoleTemplateBindingsCache: c.ClusterRoleTemplateBinding().Cache(),
@@ -156,12 +154,12 @@ func (s *Service) deleteUsers(config *v3.AuthConfig) error {
 if config == nil {
 return errAuthConfigNil
 }
- users, err := s.userCache.List(labels.Everything())
+ users, err := s.userClient.List(v1.ListOptions{})
 if err != nil {
 return fmt.Errorf("failed to list users: %w", err)
 }
- for _, u := range users {
+ for _, u := range users.Items {
 providerName := getProviderNameFromPrincipalNames(u.PrincipalIDs...)
 if providerName == config.Name {
 // A fully external user (who was never local) has no password.
@@ -171,7 +169,7 @@ func (s *Service) deleteUsers(config *v3.AuthConfig) error {
 return err
 }
 } else {
- if err := s.resetLocalUser(u); err != nil {
+ if err := s.resetLocalUser(&u); err != nil {
 return fmt.Errorf("failed to reset local user: %w", err)
 }
 }
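Review bot: The new `s.userClient.List(v1.ListOptions{})` call in deleteUsers has no comment saying why the cache is bypassed, so a later refactor could quietly switch it back. If the motive is that cleanup must act on current User objects rather than a possibly stale informer view (presumed, the patch does not say), record it above the call, for example `// List through the client, not the cache, so cleanup sees current User objects.` The empty options also fetch every User in one unpaginated request; on installations with many users, paging with the `Limit` and `Continue` fields of ListOptions would bound the response size.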
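Review bot: `s.resetLocalUser(&u)` passes the address of the range variable declared by `for _, u := range users.Items` in the preceding hunk, so under pre-1.22 loop semantics every call receives the same pointer and anything that retains it sees later iterations overwrite the value. The Update stub in service_test.go keeps the pointer it is handed (`userStore[user.Name] = user`), which is that pattern; whether resetLocalUser or the real client retains it, and which Go version the module targets, are not visible here. Indexing removes both the aliasing and the per-iteration struct copy: `for i := range users.Items {` followed by `u := &users.Items[i]`, with the call going back to `s.resetLocalUser(u)`. The delete branch sits between the two hunks and is not shown, so its argument would need the same adjustment.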
diff --git a/pkg/auth/cleanup/service_test.go b/pkg/auth/cleanup/service_test.go
index a73e5b4c6cc..5295baee3a6 100644
--- a/pkg/auth/cleanup/service_test.go
+++ b/pkg/auth/cleanup/service_test.go
@@ -73,6 +73,12 @@ func TestRunCleanup(t *testing.T) {
 PrincipalIDs: []string{"azuread_group://rick", "local://rick"},
 Password: "secret",
 },
+ "boss": {
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "boss",
+ Labels: map[string]string{"authz.management.cattle.io/bootstrapping": "admin-user"}},
+ PrincipalIDs: []string{"local://boss", "azuread_user://authprincipal"},
+ },
 }
 var secretStore = map[string]*v1.Secret{
@@ -196,17 +202,6 @@ func newMockCleanupService(t *testing.T,
 return nil
 }).AnyTimes()
- userCache := fake.NewMockNonNamespacedCacheInterface[*v3.User](ctrl)
- userCache.EXPECT().List(gomock.Any()).DoAndReturn(func(_ labels.Selector) ([]*v3.User, error) {
- var lst []*v3.User
- for _, v := range userStore {
- lst = append(lst, v)
- }
- return lst, nil
- }).AnyTimes()
- userCache.EXPECT().Get(gomock.Any()).DoAndReturn(func(name string) (*v3.User, error) {
- return userStore[name], nil
- }).AnyTimes()
 userClient := fake.NewMockNonNamespacedClientInterface[*v3.User, *v3.UserList](ctrl)
 userClient.EXPECT().Delete(gomock.Any(), gomock.Any()).DoAndReturn(func(name string, _ *metav1.DeleteOptions) error {
 delete(userStore, name)
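Review bot: Nothing added to this file asserts what cleanup should do with the new "boss" fixture; every added line in service_test.go is fixture or mock code. The entry combines the bootstrapping admin label, a `local://` principal, an `azuread_user://` principal and no Password, while the comment visible in deleteUsers says a user without a password is fully external, so whether this account is reset or deleted is the case worth pinning. A comment on the fixture such as `// bootstrap admin with an external principal and no password` and an explicit check of `userStore["boss"]` after the run would make the intent readable; assertions outside this diff may already cover it.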
@@ -215,7 +210,20 @@ func newMockCleanupService(t *testing.T,
 userClient.EXPECT().Update(gomock.Any()).DoAndReturn(func(user *v3.User) (*v3.User, error) {
 userStore[user.Name] = user
 return user, nil
- })
+ }).AnyTimes()
+ userClient.EXPECT().List(gomock.Any()).DoAndReturn(func(opts metav1.ListOptions) (*v3.UserList, error) {
+ var lst v3.UserList
+ for _, v := range userStore {
+ selector, err := labels.Parse(opts.LabelSelector)
+ if err != nil {
+ return nil, err
+ }
+ if selector.Matches(labels.Set(v.Labels)) {
+ lst.Items = append(lst.Items, *v)
+ }
+ }
+ return &lst, nil
+ }).AnyTimes()
 return Service{
 secretsInterface: getSecretInterfaceMock(secretStore),
@@ -225,7 +233,6 @@ func newMockCleanupService(t *testing.T,
 projectRoleTemplateBindingsClient: prtbClient,
 clusterRoleTemplateBindingsCache: crtbCache,
 clusterRoleTemplateBindingsClient: crtbClient,
- userCache: userCache,
 userClient: userClient,
 }
 }
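Review bot: Changing the Update expectation to `.AnyTimes()` means the mock no longer fails when Update is never called or is called more often than intended, so the reset path is verified only if the test body checks `userStore` afterwards, which this hunk does not show. In the List stub, `labels.Parse(opts.LabelSelector)` runs once per stored user and is skipped entirely when `userStore` is empty, so a malformed selector would then go unreported; parsing once above the loop with `selector, err := labels.Parse(opts.LabelSelector)` fixes both. newMockCleanupService begins outside this hunk.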