From 7f11772b05458b56b1c222aa68ff562d4202bf37 Mon Sep 17 00:00:00 2001
From: Andrew Dryga
Date: Thu, 19 Sep 2024 11:35:42 -0600
Subject: [PATCH] fix(portal): Fallback to the user token if service account token is not available (#6764)
---
 .../google_workspace/jobs/sync_directory.ex | 11 +++++++
 .../jobs/sync_directory_test.exs | 32 ++++++++++++++++++-
 2 files changed, 42 insertions(+), 1 deletion(-)
diff --git a/elixir/apps/domain/lib/domain/auth/adapters/google_workspace/jobs/sync_directory.ex b/elixir/apps/domain/lib/domain/auth/adapters/google_workspace/jobs/sync_directory.ex
index e0980efaf..c51015347 100644
--- a/elixir/apps/domain/lib/domain/auth/adapters/google_workspace/jobs/sync_directory.ex
+++ b/elixir/apps/domain/lib/domain/auth/adapters/google_workspace/jobs/sync_directory.ex
@@ -30,6 +30,17 @@ defmodule Domain.Auth.Adapters.GoogleWorkspace.Jobs.SyncDirectory do
 {:error, :missing_service_account_key} ->
 provider.adapter_state["access_token"]
 
+ {:error, {401, _response} = reason} ->
+ Logger.warning("Failed to fetch service account token",
+ account_id: provider.account_id,
+ account_slug: provider.account.slug,
+ provider_id: provider.id,
+ provider_adapter: provider.adapter,
+ reason: inspect(reason)
+ )
+
+ provider.adapter_state["access_token"]
+
 {:error, reason} ->
 Logger.error("Failed to fetch service account token",
 reason: inspect(reason),
diff --git a/elixir/apps/domain/test/domain/auth/adapters/google_workspace/jobs/sync_directory_test.exs b/elixir/apps/domain/test/domain/auth/adapters/google_workspace/jobs/sync_directory_test.exs
index cb9959996..2f86546e7 100644
--- a/elixir/apps/domain/test/domain/auth/adapters/google_workspace/jobs/sync_directory_test.exs
+++ b/elixir/apps/domain/test/domain/auth/adapters/google_workspace/jobs/sync_directory_test.exs
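Review bot: In `sync_directory.ex`, the new `{:error, {401, _response} = reason}` clause discards the response body, so every 401 from the token endpoint now switches the sync to `provider.adapter_state["access_token"]`, not only the `unauthorized_client` case that the new test stubs. A provider whose service account key is present but rejected would then keep syncing under the admin user's token, with only a warning-level log entry to show for it. If the decoded body is available at this point (its shape is not visible in the hunk), consider narrowing the match, e.g. `{:error, {401, %{"error" => "unauthorized_client"}} = reason} ->`, so other 401s still reach the existing `{:error, reason}` clause. At minimum, add a comment above the clause such as `# The service account is not authorized to retrieve tokens; fall back to the admin user's OAuth token.` The enclosing `case` starts and ends outside the hunk.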
@@ -48,7 +48,37 @@ defmodule Domain.Auth.Adapters.GoogleWorkspace.Jobs.SyncDirectoryTest do
 %{req_headers: [{"authorization", "Bearer GOOGLE_0AUTH_ACCESS_TOKEN"} | _]}}
 end
 
- test "uses admin user token as a fallback", %{provider: provider} do
+ test "uses admin user token as a fallback when service account is not configured" do
+ bypass = Bypass.open()
+ GoogleWorkspaceDirectory.override_token_endpoint("http://localhost:#{bypass.port}/")
+
+ Bypass.stub(bypass, "POST", "/token", fn conn ->
+ Plug.Conn.send_resp(
+ conn,
+ 401,
+ Jason.encode!(%{
+ "error" => "unauthorized_client",
+ "error_description" =>
+ "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
+ })
+ )
+ end)
+
+ GoogleWorkspaceDirectory.override_endpoint_url("http://localhost:#{bypass.port}/")
+ GoogleWorkspaceDirectory.mock_groups_list_endpoint(bypass, [])
+ GoogleWorkspaceDirectory.mock_organization_units_list_endpoint(bypass, [])
+ GoogleWorkspaceDirectory.mock_users_list_endpoint(bypass, [])
+
+ {:ok, pid} = Task.Supervisor.start_link()
+ assert execute(%{task_supervisor: pid}) == :ok
+
+ assert_receive {:bypass_request,
+ %{req_headers: [{"authorization", "Bearer OIDC_ACCESS_TOKEN"} | _]}}
+ end
+
+ test "uses admin user token as a fallback when service account token is not set", %{
+ provider: provider
+ } do
 bypass = Bypass.open()
 GoogleWorkspaceDirectory.override_endpoint_url("http://localhost:#{bypass.port}/")
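Review bot: The `Bypass.stub(bypass, "POST", "/token", ...)` call in the new "service account is not configured" test never verifies that the token endpoint was requested, so the test would still pass if the job reached the fallback through the `:missing_service_account_key` branch rather than the new 401 clause. Whether the default provider from setup carries a service account key is not visible in this hunk. Replacing the stub with `Bypass.expect(bypass, "POST", "/token", fn conn -> ... end)` would pin the 401 path. The test name says "not configured" while the stub models a configured but unauthorized client; a name such as `"uses admin user token as a fallback when service account is unauthorized"` would match what is exercised.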