feat: add additional patch routes for group and role idp sync (#16351)

2025-07-09 11:45:56 +00:00 · 2025-01-31 12:14:24 -07:00
parent e37b7fc481
commit 0e2ae10b47
13 changed files with 1749 additions and 75 deletions
--- a/enterprise/coderd/idpsync_test.go
+++ b/enterprise/coderd/idpsync_test.go
@ -141,6 +141,171 @@ func TestPatchGroupSyncSettings(t *testing.T) {
 	})
 }

+func TestPatchGroupSyncConfig(t *testing.T) {
+	t.Parallel()
+
+	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
+
+		owner, user := coderdenttest.New(t, &coderdenttest.Options{
+			LicenseOptions: &coderdenttest.LicenseOptions{
+				Features: license.Features{
+					codersdk.FeatureCustomRoles:           1,
+					codersdk.FeatureMultipleOrganizations: 1,
+				},
+			},
+		})
+
+		orgID := user.OrganizationID
+		orgAdmin, _ := coderdtest.CreateAnotherUser(t, owner, orgID, rbac.ScopedRoleOrgAdmin(user.OrganizationID))
+
+		mapping := map[string][]uuid.UUID{"wibble": {uuid.New()}}
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		_, err := orgAdmin.PatchGroupIDPSyncSettings(ctx, orgID.String(), codersdk.GroupSyncSettings{
+			Field:             "wibble",
+			RegexFilter:       regexp.MustCompile("wib{2,}le"),
+			AutoCreateMissing: false,
+			Mapping:           mapping,
+		})
+
+		require.NoError(t, err)
+
+		fetchedSettings, err := orgAdmin.GroupIDPSyncSettings(ctx, orgID.String())
+		require.NoError(t, err)
+		require.Equal(t, "wibble", fetchedSettings.Field)
+		require.Equal(t, "wib{2,}le", fetchedSettings.RegexFilter.String())
+		require.Equal(t, false, fetchedSettings.AutoCreateMissing)
+		require.Equal(t, mapping, fetchedSettings.Mapping)
+
+		ctx = testutil.Context(t, testutil.WaitShort)
+		settings, err := orgAdmin.PatchGroupIDPSyncConfig(ctx, orgID.String(), codersdk.PatchGroupIDPSyncConfigRequest{
+			Field:             "wobble",
+			RegexFilter:       regexp.MustCompile("wob{2,}le"),
+			AutoCreateMissing: true,
+		})
+
+		require.NoError(t, err)
+		require.Equal(t, "wobble", settings.Field)
+		require.Equal(t, "wob{2,}le", settings.RegexFilter.String())
+		require.Equal(t, true, settings.AutoCreateMissing)
+		require.Equal(t, mapping, settings.Mapping)
+
+		fetchedSettings, err = orgAdmin.GroupIDPSyncSettings(ctx, orgID.String())
+		require.NoError(t, err)
+		require.Equal(t, "wobble", fetchedSettings.Field)
+		require.Equal(t, "wob{2,}le", fetchedSettings.RegexFilter.String())
+		require.Equal(t, true, fetchedSettings.AutoCreateMissing)
+		require.Equal(t, mapping, fetchedSettings.Mapping)
+	})
+
+	t.Run("NotAuthorized", func(t *testing.T) {
+		t.Parallel()
+
+		owner, user := coderdenttest.New(t, &coderdenttest.Options{
+			LicenseOptions: &coderdenttest.LicenseOptions{
+				Features: license.Features{
+					codersdk.FeatureCustomRoles:           1,
+					codersdk.FeatureMultipleOrganizations: 1,
+				},
+			},
+		})
+
+		member, _ := coderdtest.CreateAnotherUser(t, owner, user.OrganizationID)
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		_, err := member.PatchGroupIDPSyncConfig(ctx, user.OrganizationID.String(), codersdk.PatchGroupIDPSyncConfigRequest{})
+		var apiError *codersdk.Error
+		require.ErrorAs(t, err, &apiError)
+		require.Equal(t, http.StatusForbidden, apiError.StatusCode())
+	})
+}
+
+func TestPatchGroupSyncMapping(t *testing.T) {
+	t.Parallel()
+
+	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
+
+		owner, user := coderdenttest.New(t, &coderdenttest.Options{
+			LicenseOptions: &coderdenttest.LicenseOptions{
+				Features: license.Features{
+					codersdk.FeatureCustomRoles:           1,
+					codersdk.FeatureMultipleOrganizations: 1,
+				},
+			},
+		})
+
+		orgID := user.OrganizationID
+		orgAdmin, _ := coderdtest.CreateAnotherUser(t, owner, orgID, rbac.ScopedRoleOrgAdmin(user.OrganizationID))
+		// These IDs are easier to visually diff if the test fails than truly random
+		// ones.
+		orgs := []uuid.UUID{
+			uuid.MustParse("00000000-b8bd-46bb-bb6c-6c2b2c0dd2ea"),
+			uuid.MustParse("01000000-fbe8-464c-9429-fe01a03f3644"),
+			uuid.MustParse("02000000-0926-407b-9998-39af62e3d0c5"),
+		}
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		_, err := orgAdmin.PatchGroupIDPSyncSettings(ctx, orgID.String(), codersdk.GroupSyncSettings{
+			Field:             "wibble",
+			RegexFilter:       regexp.MustCompile("wib{2,}le"),
+			AutoCreateMissing: true,
+			Mapping:           map[string][]uuid.UUID{"wobble": {orgs[0]}},
+		})
+		require.NoError(t, err)
+
+		ctx = testutil.Context(t, testutil.WaitShort)
+		settings, err := orgAdmin.PatchGroupIDPSyncMapping(ctx, orgID.String(), codersdk.PatchGroupIDPSyncMappingRequest{
+			Add: []codersdk.IDPSyncMapping[uuid.UUID]{
+				{Given: "wibble", Gets: orgs[0]},
+				{Given: "wobble", Gets: orgs[1]},
+				{Given: "wobble", Gets: orgs[2]},
+			},
+			// Remove takes priority over Add, so "3" should not actually be added to wooble.
+			Remove: []codersdk.IDPSyncMapping[uuid.UUID]{
+				{Given: "wobble", Gets: orgs[1]},
+			},
+		})
+
+		expected := map[string][]uuid.UUID{
+			"wibble": {orgs[0]},
+			"wobble": {orgs[0], orgs[2]},
+		}
+
+		require.NoError(t, err)
+		require.Equal(t, expected, settings.Mapping)
+
+		fetchedSettings, err := orgAdmin.GroupIDPSyncSettings(ctx, orgID.String())
+		require.NoError(t, err)
+		require.Equal(t, "wibble", fetchedSettings.Field)
+		require.Equal(t, "wib{2,}le", fetchedSettings.RegexFilter.String())
+		require.Equal(t, true, fetchedSettings.AutoCreateMissing)
+		require.Equal(t, expected, fetchedSettings.Mapping)
+	})
+
+	t.Run("NotAuthorized", func(t *testing.T) {
+		t.Parallel()
+
+		owner, user := coderdenttest.New(t, &coderdenttest.Options{
+			LicenseOptions: &coderdenttest.LicenseOptions{
+				Features: license.Features{
+					codersdk.FeatureCustomRoles:           1,
+					codersdk.FeatureMultipleOrganizations: 1,
+				},
+			},
+		})
+
+		member, _ := coderdtest.CreateAnotherUser(t, owner, user.OrganizationID)
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		_, err := member.PatchGroupIDPSyncMapping(ctx, user.OrganizationID.String(), codersdk.PatchGroupIDPSyncMappingRequest{})
+		var apiError *codersdk.Error
+		require.ErrorAs(t, err, &apiError)
+		require.Equal(t, http.StatusForbidden, apiError.StatusCode())
+	})
+}
+
 func TestGetRoleSyncSettings(t *testing.T) {
 	t.Parallel()

@ -233,6 +398,150 @@ func TestPatchRoleSyncSettings(t *testing.T) {
 	})
 }

+func TestPatchRoleSyncConfig(t *testing.T) {
+	t.Parallel()
+
+	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
+
+		owner, user := coderdenttest.New(t, &coderdenttest.Options{
+			LicenseOptions: &coderdenttest.LicenseOptions{
+				Features: license.Features{
+					codersdk.FeatureCustomRoles:           1,
+					codersdk.FeatureMultipleOrganizations: 1,
+				},
+			},
+		})
+
+		orgID := user.OrganizationID
+		orgAdmin, _ := coderdtest.CreateAnotherUser(t, owner, orgID, rbac.ScopedRoleOrgAdmin(user.OrganizationID))
+
+		mapping := map[string][]string{"wibble": {"group-01"}}
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		_, err := orgAdmin.PatchRoleIDPSyncSettings(ctx, orgID.String(), codersdk.RoleSyncSettings{
+			Field:   "wibble",
+			Mapping: mapping,
+		})
+
+		require.NoError(t, err)
+
+		fetchedSettings, err := orgAdmin.RoleIDPSyncSettings(ctx, orgID.String())
+		require.NoError(t, err)
+		require.Equal(t, "wibble", fetchedSettings.Field)
+		require.Equal(t, mapping, fetchedSettings.Mapping)
+
+		ctx = testutil.Context(t, testutil.WaitShort)
+		settings, err := orgAdmin.PatchRoleIDPSyncConfig(ctx, orgID.String(), codersdk.PatchRoleIDPSyncConfigRequest{
+			Field: "wobble",
+		})
+
+		require.NoError(t, err)
+		require.Equal(t, "wobble", settings.Field)
+		require.Equal(t, mapping, settings.Mapping)
+
+		fetchedSettings, err = orgAdmin.RoleIDPSyncSettings(ctx, orgID.String())
+		require.NoError(t, err)
+		require.Equal(t, "wobble", fetchedSettings.Field)
+		require.Equal(t, mapping, fetchedSettings.Mapping)
+	})
+
+	t.Run("NotAuthorized", func(t *testing.T) {
+		t.Parallel()
+
+		owner, user := coderdenttest.New(t, &coderdenttest.Options{
+			LicenseOptions: &coderdenttest.LicenseOptions{
+				Features: license.Features{
+					codersdk.FeatureCustomRoles:           1,
+					codersdk.FeatureMultipleOrganizations: 1,
+				},
+			},
+		})
+
+		member, _ := coderdtest.CreateAnotherUser(t, owner, user.OrganizationID)
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		_, err := member.PatchGroupIDPSyncConfig(ctx, user.OrganizationID.String(), codersdk.PatchGroupIDPSyncConfigRequest{})
+		var apiError *codersdk.Error
+		require.ErrorAs(t, err, &apiError)
+		require.Equal(t, http.StatusForbidden, apiError.StatusCode())
+	})
+}
+
+func TestPatchRoleSyncMapping(t *testing.T) {
+	t.Parallel()
+
+	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
+
+		owner, user := coderdenttest.New(t, &coderdenttest.Options{
+			LicenseOptions: &coderdenttest.LicenseOptions{
+				Features: license.Features{
+					codersdk.FeatureCustomRoles:           1,
+					codersdk.FeatureMultipleOrganizations: 1,
+				},
+			},
+		})
+
+		orgID := user.OrganizationID
+		orgAdmin, _ := coderdtest.CreateAnotherUser(t, owner, orgID, rbac.ScopedRoleOrgAdmin(user.OrganizationID))
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		_, err := orgAdmin.PatchRoleIDPSyncSettings(ctx, orgID.String(), codersdk.RoleSyncSettings{
+			Field:   "wibble",
+			Mapping: map[string][]string{"wobble": {"group-00"}},
+		})
+		require.NoError(t, err)
+
+		ctx = testutil.Context(t, testutil.WaitShort)
+		settings, err := orgAdmin.PatchRoleIDPSyncMapping(ctx, orgID.String(), codersdk.PatchRoleIDPSyncMappingRequest{
+			Add: []codersdk.IDPSyncMapping[string]{
+				{Given: "wibble", Gets: "group-00"},
+				{Given: "wobble", Gets: "group-01"},
+				{Given: "wobble", Gets: "group-02"},
+			},
+			// Remove takes priority over Add, so "3" should not actually be added to wooble.
+			Remove: []codersdk.IDPSyncMapping[string]{
+				{Given: "wobble", Gets: "group-01"},
+			},
+		})
+
+		expected := map[string][]string{
+			"wibble": {"group-00"},
+			"wobble": {"group-00", "group-02"},
+		}
+
+		require.NoError(t, err)
+		require.Equal(t, expected, settings.Mapping)
+
+		fetchedSettings, err := orgAdmin.RoleIDPSyncSettings(ctx, orgID.String())
+		require.NoError(t, err)
+		require.Equal(t, "wibble", fetchedSettings.Field)
+		require.Equal(t, expected, fetchedSettings.Mapping)
+	})
+
+	t.Run("NotAuthorized", func(t *testing.T) {
+		t.Parallel()
+
+		owner, user := coderdenttest.New(t, &coderdenttest.Options{
+			LicenseOptions: &coderdenttest.LicenseOptions{
+				Features: license.Features{
+					codersdk.FeatureCustomRoles:           1,
+					codersdk.FeatureMultipleOrganizations: 1,
+				},
+			},
+		})
+
+		member, _ := coderdtest.CreateAnotherUser(t, owner, user.OrganizationID)
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		_, err := member.PatchGroupIDPSyncMapping(ctx, user.OrganizationID.String(), codersdk.PatchGroupIDPSyncMappingRequest{})
+		var apiError *codersdk.Error
+		require.ErrorAs(t, err, &apiError)
+		require.Equal(t, http.StatusForbidden, apiError.StatusCode())
+	})
+}
+
 func TestGetOrganizationSyncSettings(t *testing.T) {
 	t.Parallel()

@ -416,11 +725,6 @@ func TestPatchOrganizationSyncMapping(t *testing.T) {
 			uuid.MustParse("00000000-b8bd-46bb-bb6c-6c2b2c0dd2ea"),
 			uuid.MustParse("01000000-fbe8-464c-9429-fe01a03f3644"),
 			uuid.MustParse("02000000-0926-407b-9998-39af62e3d0c5"),
-			uuid.MustParse("03000000-92f6-4bfd-bba6-0f54667b131c"),
-			uuid.MustParse("04000000-b9d0-46fe-910f-6e2ea0c62caa"),
-			uuid.MustParse("05000000-67c0-4c19-a52d-0dc3f65abee0"),
-			uuid.MustParse("06000000-a8a8-4a2c-bdd0-b59aa6882b55"),
-			uuid.MustParse("07000000-5390-4cc7-a9c8-e4330a683ae7"),
 		}

 		ctx := testutil.Context(t, testutil.WaitShort)
@ -428,23 +732,18 @@ func TestPatchOrganizationSyncMapping(t *testing.T) {
 		settings, err := owner.PatchOrganizationIDPSyncMapping(ctx, codersdk.PatchOrganizationIDPSyncMappingRequest{
 			Add: []codersdk.IDPSyncMapping[uuid.UUID]{
 				{Given: "wibble", Gets: orgs[0]},
-				{Given: "wibble", Gets: orgs[1]},
 				{Given: "wobble", Gets: orgs[0]},
 				{Given: "wobble", Gets: orgs[1]},
 				{Given: "wobble", Gets: orgs[2]},
-				{Given: "wobble", Gets: orgs[3]},
-				{Given: "wooble", Gets: orgs[0]},
 			},
-			// Remove takes priority over Add, so "3" should not actually be added to wooble.
 			Remove: []codersdk.IDPSyncMapping[uuid.UUID]{
-				{Given: "wobble", Gets: orgs[3]},
+				{Given: "wobble", Gets: orgs[1]},
 			},
 		})

 		expected := map[string][]uuid.UUID{
-			"wibble": {orgs[0], orgs[1]},
-			"wobble": {orgs[0], orgs[1], orgs[2]},
-			"wooble": {orgs[0]},
+			"wibble": {orgs[0]},
+			"wobble": {orgs[0], orgs[2]},
 		}

 		require.NoError(t, err)
@ -453,33 +752,6 @@ func TestPatchOrganizationSyncMapping(t *testing.T) {
 		fetchedSettings, err := owner.OrganizationIDPSyncSettings(ctx)
 		require.NoError(t, err)
 		require.Equal(t, expected, fetchedSettings.Mapping)
-
-		ctx = testutil.Context(t, testutil.WaitShort)
-		settings, err = owner.PatchOrganizationIDPSyncMapping(ctx, codersdk.PatchOrganizationIDPSyncMappingRequest{
-			Add: []codersdk.IDPSyncMapping[uuid.UUID]{
-				{Given: "wibble", Gets: orgs[2]},
-				{Given: "wobble", Gets: orgs[3]},
-				{Given: "wooble", Gets: orgs[0]},
-			},
-			// Remove takes priority over Add, so `f` should not actually be added.
-			Remove: []codersdk.IDPSyncMapping[uuid.UUID]{
-				{Given: "wibble", Gets: orgs[0]},
-				{Given: "wobble", Gets: orgs[1]},
-			},
-		})
-
-		expected = map[string][]uuid.UUID{
-			"wibble": {orgs[1], orgs[2]},
-			"wobble": {orgs[0], orgs[2], orgs[3]},
-			"wooble": {orgs[0]},
-		}
-
-		require.NoError(t, err)
-		require.Equal(t, expected, settings.Mapping)
-
-		fetchedSettings, err = owner.OrganizationIDPSyncSettings(ctx)
-		require.NoError(t, err)
-		require.Equal(t, expected, fetchedSettings.Mapping)
 	})

 	t.Run("NotAuthorized", func(t *testing.T) {