CH-220 separate groups and organizations from Keycloak

Author: filippomc

infrastructure/common-images/cloudharness-django/libraries/cloudharness-django/cloudharness_django/admin.py

@@ -4,7 +4,7 @@
 from django.contrib.auth.models import User, Group
 
 from admin_extra_buttons.api import ExtraButtonsMixin, button
-from .models import Member
+from .models import Member, Organization, OrganizationMember
 
 
 # Register your models here.
@@ -13,6 +13,46 @@
 admin.site.unregister(Group)
 
 
+class OrganizationMemberInline(admin.TabularInline):
+    model = OrganizationMember
+    extra = 0
+    autocomplete_fields = ['user']
+    readonly_fields = []
+
+
+@admin.register(Organization)
+class OrganizationAdmin(ExtraButtonsMixin, admin.ModelAdmin):
+    list_display = ['name', 'kc_id', 'members_count']
+    search_fields = ['name', 'kc_id']
+    list_filter = [('kc_id', admin.EmptyFieldListFilter)]
+    readonly_fields = ['kc_id']
+    inlines = [OrganizationMemberInline]
+
+    def get_readonly_fields(self, request, obj=None):
+        """Make kc_id readonly only for existing objects."""
+        if obj:
+            return ['kc_id']
+        return []
+
+    @admin.display(description='Members')
+    def members_count(self, obj):
+        return obj.members.count()
+
+    @button()
+    def sync_keycloak(self, request):
+        from cloudharness_django.services import get_user_service
+        get_user_service().sync_kc_users_groups()
+        self.message_user(request, 'Keycloak organizations synced.')
+
+
+@admin.register(OrganizationMember)
+class OrganizationMemberAdmin(admin.ModelAdmin):
+    list_display = ['user', 'organization']
+    search_fields = ['user__username', 'user__email', 'organization__name']
+    list_filter = ['organization']
+    autocomplete_fields = ['user', 'organization']
+
+
 class MemberAdmin(admin.StackedInline):
     model = Member
 
@@ -38,7 +78,6 @@ def sync_keycloak(self, request):
 
 
 class CHGroupAdmin(ExtraButtonsMixin, GroupAdmin):
-
     def has_add_permission(self, request):
         return settings.DEBUG
 

infrastructure/common-images/cloudharness-django/libraries/cloudharness-django/cloudharness_django/migrations/0002_organization_organizationmember.py

@@ -0,0 +1,40 @@
+# Generated by Django 3.2.11 on 2026-01-28 00:00
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('auth', '0012_alter_user_first_name_max_length'),
+        ('cloudharness_django', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Organization',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('name', models.CharField(max_length=256, unique=True)),
+                ('kc_id', models.CharField(db_index=True, max_length=100, null=True, blank=True, unique=True)),
+            ],
+            options={
+                'verbose_name': 'Organization',
+                'verbose_name_plural': 'Organizations',
+            },
+        ),
+        migrations.CreateModel(
+            name='OrganizationMember',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('user', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='organization_memberships', to='auth.user')),
+                ('organization', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='members', to='cloudharness_django.organization')),
+            ],
+            options={
+                'verbose_name': 'Organization Member',
+                'verbose_name_plural': 'Organization Members',
+                'unique_together': {('user', 'organization')},
+            },
+        ),
+    ]

infrastructure/common-images/cloudharness-django/libraries/cloudharness-django/cloudharness_django/models.py

@@ -19,3 +19,39 @@ class Member(models.Model):
 
     def __str__(self):
         return f"{self.user.first_name} {self.user.last_name}"
+
+
+class Organization(models.Model):
+    """
+    Represents a Keycloak organization synced to Django.
+    This is the base organization model - applications can extend it with
+    additional fields by creating a OneToOne relationship.
+    Organizations can be created without kc_id and will be synced by name
+    when a matching Keycloak organization is found.
+    """
+    name = models.CharField(max_length=256, unique=True)
+    kc_id = models.CharField(max_length=100, db_index=True, null=True, blank=True, unique=True)
+
+    class Meta:
+        verbose_name = "Organization"
+        verbose_name_plural = "Organizations"
+
+    def __str__(self):
+        return self.name
+
+
+class OrganizationMember(models.Model):
+    """
+    Represents membership of a User in a Keycloak Organization.
+    A user can belong to multiple organizations.
+    """
+    user = models.ForeignKey(User, on_delete=models.CASCADE, related_name='organization_memberships')
+    organization = models.ForeignKey(Organization, on_delete=models.CASCADE, related_name='members')
+
+    class Meta:
+        verbose_name = "Organization Member"
+        verbose_name_plural = "Organization Members"
+        unique_together = ('user', 'organization')
+
+    def __str__(self):
+        return f"{self.user.username} - {self.organization.name}"

infrastructure/common-images/cloudharness-django/libraries/cloudharness-django/cloudharness_django/services/user.py

@@ -1,7 +1,7 @@
 from django.contrib.auth.models import User, Group
 from django.db import transaction
 
-from cloudharness_django.models import Team, Member
+from cloudharness_django.models import Team, Member, Organization, OrganizationMember
 from cloudharness_django.services.auth import AuthService, AuthorizationLevel
 from cloudharness import models as ch_models
 
@@ -141,19 +141,23 @@ def sync_kc_user(self, kc_user: ch_models.User, is_superuser=False, delete=False
         return user
 
     def sync_kc_user_groups(self, kc_user: ch_models.User):
-        # Sync the user usergroups and memberships using kc_id for reliable lookups
+        # Sync the user usergroups (not organizations) using kc_id for reliable lookups
         user = get_user_by_kc_id(kc_user.id)
 
         if user is None:
             raise ValueError(f"Django user not found for Keycloak user {kc_user.id}")
 
         user_groups = []
-        for kc_group in [*kc_user.user_groups, *kc_user.organizations]:
+        # Only sync user_groups, not organizations (organizations are handled separately)
+        for kc_group in kc_user.user_groups or []:
             group, _ = Group.objects.get_or_create(name=kc_group.name)
             user_groups.append(group)
         user.groups.set(user_groups)
         user.save()
 
+        # Sync organization memberships separately
+        self.sync_kc_user_organizations(kc_user)
+
         # Ensure the member relationship exists and is correct
         try:
             member = user.member
@@ -164,6 +168,70 @@ def sync_kc_user_groups(self, kc_user: ch_models.User):
             member = Member(user=user, kc_id=kc_user.id)
             member.save()
 
+    def sync_kc_organization(self, kc_org: ch_models.Organization) -> Organization:
+        """
+        Sync a single Keycloak organization to Django.
+        First tries to find by kc_id, then by name (for organizations created without kc_id).
+        Updates the kc_id if found by name.
+
+        :param kc_org: Keycloak organization object
+        :return: Django Organization instance
+        """
+        org = None
+
+        # First try to find by kc_id
+        try:
+            org = Organization.objects.get(kc_id=kc_org.id)
+            # Update name if changed
+            if org.name != kc_org.name:
+                org.name = kc_org.name
+                org.save()
+        except Organization.DoesNotExist:
+            # Try to find by name (for organizations created without kc_id)
+            try:
+                org = Organization.objects.get(name=kc_org.name, kc_id__isnull=True)
+                # Update with kc_id from Keycloak
+                org.kc_id = kc_org.id
+                org.save()
+            except Organization.DoesNotExist:
+                # Create new organization
+                org = Organization.objects.create(
+                    kc_id=kc_org.id,
+                    name=kc_org.name
+                )
+        return org
+
+    def sync_kc_user_organizations(self, kc_user: ch_models.User):
+        """
+        Sync the user's organization memberships from Keycloak to Django.
+        Creates Organization records if they don't exist and manages OrganizationMember relationships.
+
+        :param kc_user: Keycloak user object with organizations attribute
+        """
+        user = get_user_by_kc_id(kc_user.id)
+
+        if user is None:
+            raise ValueError(f"Django user not found for Keycloak user {kc_user.id}")
+
+        # Get current organization memberships
+        current_org_ids = set()
+
+        # Sync each organization the user belongs to
+        for kc_org in kc_user.organizations or []:
+            org = self.sync_kc_organization(kc_org)
+            current_org_ids.add(org.id)
+
+            # Create membership if it doesn't exist
+            OrganizationMember.objects.get_or_create(
+                user=user,
+                organization=org
+            )
+
+        # Remove memberships that no longer exist in Keycloak
+        OrganizationMember.objects.filter(user=user).exclude(
+            organization_id__in=current_org_ids
+        ).delete()
+
     def sync_kc_users_groups(self):
         # cache all admin users to minimize KC rest api calls
         all_admin_users = self.auth_client.get_client_role_members(