feat: add additional patch routes for group and role idp sync (#16351)

2025-07-18 14:17:22 +00:00 · 2025-01-31 12:14:24 -07:00
parent e37b7fc481
commit 0e2ae10b47
13 changed files with 1749 additions and 75 deletions
--- a/enterprise/coderd/idpsync.go
+++ b/enterprise/coderd/idpsync.go
@ -61,7 +61,6 @@ func (api *API) patchGroupIDPSyncSettings(rw http.ResponseWriter, r *http.Reques
 	ctx := r.Context()
 	org := httpmw.OrganizationParam(r)
 	auditor := *api.AGPL.Auditor.Load()
-
 	aReq, commitAudit := audit.InitRequest[idpsync.GroupSyncSettings](rw, &audit.RequestParams{
 		Audit:          auditor,
 		Log:            api.Logger,
@ -104,7 +103,7 @@ func (api *API) patchGroupIDPSyncSettings(rw http.ResponseWriter, r *http.Reques
 	}
 	aReq.Old = *existing

-	err = api.IDPSync.UpdateGroupSettings(sysCtx, org.ID, api.Database, idpsync.GroupSyncSettings{
+	err = api.IDPSync.UpdateGroupSyncSettings(sysCtx, org.ID, api.Database, idpsync.GroupSyncSettings{
 		Field:             req.Field,
 		Mapping:           req.Mapping,
 		RegexFilter:       req.RegexFilter,
@ -132,6 +131,153 @@ func (api *API) patchGroupIDPSyncSettings(rw http.ResponseWriter, r *http.Reques
 	})
 }

+// @Summary Update group IdP Sync config
+// @ID update-group-idp-sync-config
+// @Security CoderSessionToken
+// @Produce json
+// @Accept json
+// @Tags Enterprise
+// @Success 200 {object} codersdk.GroupSyncSettings
+// @Param organization path string true "Organization ID or name" format(uuid)
+// @Param request body codersdk.PatchGroupIDPSyncConfigRequest true "New config values"
+// @Router /organizations/{organization}/settings/idpsync/groups/config [patch]
+func (api *API) patchGroupIDPSyncConfig(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	org := httpmw.OrganizationParam(r)
+	auditor := *api.AGPL.Auditor.Load()
+	aReq, commitAudit := audit.InitRequest[idpsync.GroupSyncSettings](rw, &audit.RequestParams{
+		Audit:          auditor,
+		Log:            api.Logger,
+		Request:        r,
+		Action:         database.AuditActionWrite,
+		OrganizationID: org.ID,
+	})
+	defer commitAudit()
+
+	if !api.Authorize(r, policy.ActionUpdate, rbac.ResourceIdpsyncSettings.InOrg(org.ID)) {
+		httpapi.Forbidden(rw)
+		return
+	}
+
+	var req codersdk.PatchGroupIDPSyncConfigRequest
+	if !httpapi.Read(ctx, rw, r, &req) {
+		return
+	}
+
+	var settings idpsync.GroupSyncSettings
+	//nolint:gocritic // Requires system context to update runtime config
+	sysCtx := dbauthz.AsSystemRestricted(ctx)
+	err := database.ReadModifyUpdate(api.Database, func(tx database.Store) error {
+		existing, err := api.IDPSync.GroupSyncSettings(sysCtx, org.ID, tx)
+		if err != nil {
+			return err
+		}
+		aReq.Old = *existing
+
+		settings = idpsync.GroupSyncSettings{
+			Field:             req.Field,
+			RegexFilter:       req.RegexFilter,
+			AutoCreateMissing: req.AutoCreateMissing,
+			LegacyNameMapping: existing.LegacyNameMapping,
+			Mapping:           existing.Mapping,
+		}
+
+		err = api.IDPSync.UpdateGroupSyncSettings(sysCtx, org.ID, tx, settings)
+		if err != nil {
+			return err
+		}
+
+		return nil
+	})
+	if err != nil {
+		httpapi.InternalServerError(rw, err)
+		return
+	}
+
+	aReq.New = settings
+	httpapi.Write(ctx, rw, http.StatusOK, codersdk.GroupSyncSettings{
+		Field:             settings.Field,
+		RegexFilter:       settings.RegexFilter,
+		AutoCreateMissing: settings.AutoCreateMissing,
+		LegacyNameMapping: settings.LegacyNameMapping,
+		Mapping:           settings.Mapping,
+	})
+}
+
+// @Summary Update group IdP Sync mapping
+// @ID update-group-idp-sync-mapping
+// @Security CoderSessionToken
+// @Produce json
+// @Accept json
+// @Tags Enterprise
+// @Success 200 {object} codersdk.GroupSyncSettings
+// @Param organization path string true "Organization ID or name" format(uuid)
+// @Param request body codersdk.PatchGroupIDPSyncMappingRequest true "Description of the mappings to add and remove"
+// @Router /organizations/{organization}/settings/idpsync/groups/mapping [patch]
+func (api *API) patchGroupIDPSyncMapping(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	org := httpmw.OrganizationParam(r)
+	auditor := *api.AGPL.Auditor.Load()
+	aReq, commitAudit := audit.InitRequest[idpsync.GroupSyncSettings](rw, &audit.RequestParams{
+		Audit:          auditor,
+		Log:            api.Logger,
+		Request:        r,
+		Action:         database.AuditActionWrite,
+		OrganizationID: org.ID,
+	})
+	defer commitAudit()
+
+	if !api.Authorize(r, policy.ActionUpdate, rbac.ResourceIdpsyncSettings.InOrg(org.ID)) {
+		httpapi.Forbidden(rw)
+		return
+	}
+
+	var req codersdk.PatchGroupIDPSyncMappingRequest
+	if !httpapi.Read(ctx, rw, r, &req) {
+		return
+	}
+
+	var settings idpsync.GroupSyncSettings
+	//nolint:gocritic // Requires system context to update runtime config
+	sysCtx := dbauthz.AsSystemRestricted(ctx)
+	err := database.ReadModifyUpdate(api.Database, func(tx database.Store) error {
+		existing, err := api.IDPSync.GroupSyncSettings(sysCtx, org.ID, tx)
+		if err != nil {
+			return err
+		}
+		aReq.Old = *existing
+
+		newMapping := applyIDPSyncMappingDiff(existing.Mapping, req.Add, req.Remove)
+		settings = idpsync.GroupSyncSettings{
+			Field:             existing.Field,
+			RegexFilter:       existing.RegexFilter,
+			AutoCreateMissing: existing.AutoCreateMissing,
+			LegacyNameMapping: existing.LegacyNameMapping,
+			Mapping:           newMapping,
+		}
+
+		err = api.IDPSync.UpdateGroupSyncSettings(sysCtx, org.ID, tx, settings)
+		if err != nil {
+			return err
+		}
+
+		return nil
+	})
+	if err != nil {
+		httpapi.InternalServerError(rw, err)
+		return
+	}
+
+	aReq.New = settings
+	httpapi.Write(ctx, rw, http.StatusOK, codersdk.GroupSyncSettings{
+		Field:             settings.Field,
+		RegexFilter:       settings.RegexFilter,
+		AutoCreateMissing: settings.AutoCreateMissing,
+		LegacyNameMapping: settings.LegacyNameMapping,
+		Mapping:           settings.Mapping,
+	})
+}
+
 // @Summary Get role IdP Sync settings by organization
 // @ID get-role-idp-sync-settings-by-organization
 // @Security CoderSessionToken
@ -203,7 +349,7 @@ func (api *API) patchRoleIDPSyncSettings(rw http.ResponseWriter, r *http.Request
 	}
 	aReq.Old = *existing

-	err = api.IDPSync.UpdateRoleSettings(sysCtx, org.ID, api.Database, idpsync.RoleSyncSettings{
+	err = api.IDPSync.UpdateRoleSyncSettings(sysCtx, org.ID, api.Database, idpsync.RoleSyncSettings{
 		Field:   req.Field,
 		Mapping: req.Mapping,
 	})
@ -225,6 +371,141 @@ func (api *API) patchRoleIDPSyncSettings(rw http.ResponseWriter, r *http.Request
 	})
 }

+// @Summary Update role IdP Sync config
+// @ID update-role-idp-sync-config
+// @Security CoderSessionToken
+// @Produce json
+// @Accept json
+// @Tags Enterprise
+// @Success 200 {object} codersdk.RoleSyncSettings
+// @Param organization path string true "Organization ID or name" format(uuid)
+// @Param request body codersdk.PatchRoleIDPSyncConfigRequest true "New config values"
+// @Router /organizations/{organization}/settings/idpsync/roles/config [patch]
+func (api *API) patchRoleIDPSyncConfig(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	org := httpmw.OrganizationParam(r)
+	auditor := *api.AGPL.Auditor.Load()
+	aReq, commitAudit := audit.InitRequest[idpsync.RoleSyncSettings](rw, &audit.RequestParams{
+		Audit:          auditor,
+		Log:            api.Logger,
+		Request:        r,
+		Action:         database.AuditActionWrite,
+		OrganizationID: org.ID,
+	})
+	defer commitAudit()
+
+	if !api.Authorize(r, policy.ActionUpdate, rbac.ResourceIdpsyncSettings.InOrg(org.ID)) {
+		httpapi.Forbidden(rw)
+		return
+	}
+
+	var req codersdk.PatchRoleIDPSyncConfigRequest
+	if !httpapi.Read(ctx, rw, r, &req) {
+		return
+	}
+
+	var settings idpsync.RoleSyncSettings
+	//nolint:gocritic // Requires system context to update runtime config
+	sysCtx := dbauthz.AsSystemRestricted(ctx)
+	err := database.ReadModifyUpdate(api.Database, func(tx database.Store) error {
+		existing, err := api.IDPSync.RoleSyncSettings(sysCtx, org.ID, tx)
+		if err != nil {
+			return err
+		}
+		aReq.Old = *existing
+
+		settings = idpsync.RoleSyncSettings{
+			Field:   req.Field,
+			Mapping: existing.Mapping,
+		}
+
+		err = api.IDPSync.UpdateRoleSyncSettings(sysCtx, org.ID, tx, settings)
+		if err != nil {
+			return err
+		}
+
+		return nil
+	})
+	if err != nil {
+		httpapi.InternalServerError(rw, err)
+		return
+	}
+
+	aReq.New = settings
+	httpapi.Write(ctx, rw, http.StatusOK, codersdk.RoleSyncSettings{
+		Field:   settings.Field,
+		Mapping: settings.Mapping,
+	})
+}
+
+// @Summary Update role IdP Sync mapping
+// @ID update-role-idp-sync-mapping
+// @Security CoderSessionToken
+// @Produce json
+// @Accept json
+// @Tags Enterprise
+// @Success 200 {object} codersdk.RoleSyncSettings
+// @Param organization path string true "Organization ID or name" format(uuid)
+// @Param request body codersdk.PatchRoleIDPSyncMappingRequest true "Description of the mappings to add and remove"
+// @Router /organizations/{organization}/settings/idpsync/roles/mapping [patch]
+func (api *API) patchRoleIDPSyncMapping(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	org := httpmw.OrganizationParam(r)
+	auditor := *api.AGPL.Auditor.Load()
+	aReq, commitAudit := audit.InitRequest[idpsync.RoleSyncSettings](rw, &audit.RequestParams{
+		Audit:          auditor,
+		Log:            api.Logger,
+		Request:        r,
+		Action:         database.AuditActionWrite,
+		OrganizationID: org.ID,
+	})
+	defer commitAudit()
+
+	if !api.Authorize(r, policy.ActionUpdate, rbac.ResourceIdpsyncSettings.InOrg(org.ID)) {
+		httpapi.Forbidden(rw)
+		return
+	}
+
+	var req codersdk.PatchRoleIDPSyncMappingRequest
+	if !httpapi.Read(ctx, rw, r, &req) {
+		return
+	}
+
+	var settings idpsync.RoleSyncSettings
+	//nolint:gocritic // Requires system context to update runtime config
+	sysCtx := dbauthz.AsSystemRestricted(ctx)
+	err := database.ReadModifyUpdate(api.Database, func(tx database.Store) error {
+		existing, err := api.IDPSync.RoleSyncSettings(sysCtx, org.ID, tx)
+		if err != nil {
+			return err
+		}
+		aReq.Old = *existing
+
+		newMapping := applyIDPSyncMappingDiff(existing.Mapping, req.Add, req.Remove)
+		settings = idpsync.RoleSyncSettings{
+			Field:   existing.Field,
+			Mapping: newMapping,
+		}
+
+		err = api.IDPSync.UpdateRoleSyncSettings(sysCtx, org.ID, tx, settings)
+		if err != nil {
+			return err
+		}
+
+		return nil
+	})
+	if err != nil {
+		httpapi.InternalServerError(rw, err)
+		return
+	}
+
+	aReq.New = settings
+	httpapi.Write(ctx, rw, http.StatusOK, codersdk.RoleSyncSettings{
+		Field:   settings.Field,
+		Mapping: settings.Mapping,
+	})
+}
+
 // @Summary Get organization IdP Sync settings
 // @ID get-organization-idp-sync-settings
 // @Security CoderSessionToken
@ -349,7 +630,7 @@ func (api *API) patchOrganizationIDPSyncConfig(rw http.ResponseWriter, r *http.R
 		return
 	}

-	var settings *idpsync.OrganizationSyncSettings
+	var settings idpsync.OrganizationSyncSettings
 	//nolint:gocritic // Requires system context to update runtime config
 	sysCtx := dbauthz.AsSystemRestricted(ctx)
 	err := database.ReadModifyUpdate(api.Database, func(tx database.Store) error {
@ -359,16 +640,13 @@ func (api *API) patchOrganizationIDPSyncConfig(rw http.ResponseWriter, r *http.R
 		}
 		aReq.Old = *existing

-		err = api.IDPSync.UpdateOrganizationSyncSettings(sysCtx, tx, idpsync.OrganizationSyncSettings{
+		settings = idpsync.OrganizationSyncSettings{
 			Field:         req.Field,
 			AssignDefault: req.AssignDefault,
 			Mapping:       existing.Mapping,
-		})
-		if err != nil {
-			return err
 		}

-		settings, err = api.IDPSync.OrganizationSyncSettings(sysCtx, tx)
+		err = api.IDPSync.UpdateOrganizationSyncSettings(sysCtx, tx, settings)
 		if err != nil {
 			return err
 		}
@ -380,7 +658,7 @@ func (api *API) patchOrganizationIDPSyncConfig(rw http.ResponseWriter, r *http.R
 		return
 	}

-	aReq.New = *settings
+	aReq.New = settings
 	httpapi.Write(ctx, rw, http.StatusOK, codersdk.OrganizationSyncSettings{
 		Field:         settings.Field,
 		Mapping:       settings.Mapping,
@ -428,27 +706,7 @@ func (api *API) patchOrganizationIDPSyncMapping(rw http.ResponseWriter, r *http.
 		}
 		aReq.Old = *existing

-		newMapping := make(map[string][]uuid.UUID)
-
-		// Copy existing mapping
-		for key, ids := range existing.Mapping {
-			newMapping[key] = append(newMapping[key], ids...)
-		}
-
-		// Add unique entries
-		for _, mapping := range req.Add {
-			if !slice.Contains(newMapping[mapping.Given], mapping.Gets) {
-				newMapping[mapping.Given] = append(newMapping[mapping.Given], mapping.Gets)
-			}
-		}
-
-		// Remove entries
-		for _, mapping := range req.Remove {
-			newMapping[mapping.Given] = slices.DeleteFunc(newMapping[mapping.Given], func(u uuid.UUID) bool {
-				return u == mapping.Gets
-			})
-		}
-
+		newMapping := applyIDPSyncMappingDiff(existing.Mapping, req.Add, req.Remove)
 		settings = idpsync.OrganizationSyncSettings{
 			Field:         existing.Field,
 			Mapping:       newMapping,
@ -581,3 +839,31 @@ func (api *API) idpSyncClaimFieldValues(orgID uuid.UUID, rw http.ResponseWriter,

 	httpapi.Write(ctx, rw, http.StatusOK, fieldValues)
 }
+
+func applyIDPSyncMappingDiff[IDType uuid.UUID | string](
+	previous map[string][]IDType,
+	add, remove []codersdk.IDPSyncMapping[IDType],
+) map[string][]IDType {
+	next := make(map[string][]IDType)
+
+	// Copy existing mapping
+	for key, ids := range previous {
+		next[key] = append(next[key], ids...)
+	}
+
+	// Add unique entries
+	for _, mapping := range add {
+		if !slice.Contains(next[mapping.Given], mapping.Gets) {
+			next[mapping.Given] = append(next[mapping.Given], mapping.Gets)
+		}
+	}
+
+	// Remove entries
+	for _, mapping := range remove {
+		next[mapping.Given] = slices.DeleteFunc(next[mapping.Given], func(u IDType) bool {
+			return u == mapping.Gets
+		})
+	}
+
+	return next
+}