chore: implement organization sync and create idpsync package (#14432)
* chore: implement filters for the organizations query * chore: implement organization sync and create idpsync package Organization sync can now be configured to assign users to an org based on oidc claims.
This commit is contained in:
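--- a/enterprise/coderd/enidpsync/enidpsync.go
+++ b/enterprise/coderd/enidpsync/enidpsync.go
@@ -0,0 +1,25 @@
+package enidpsync
+
+import (
+"cdr.dev/slog"
+
+"github.com/coder/coder/v2/coderd/entitlements"
+"github.com/coder/coder/v2/coderd/idpsync"
+)
+
+// EnterpriseIDPSync enabled syncing user information from an external IDP.
+// The sync is an enterprise feature, so this struct wraps the AGPL implementation
+// and extends it with enterprise capabilities. These capabilities can entirely
+// be changed in the Parsing, and leaving the "syncing" part (which holds the
+// more complex logic) to the shared AGPL implementation.
+type EnterpriseIDPSync struct {
+entitlements *entitlements.Set
+*idpsync.AGPLIDPSync
+}
+
+func NewSync(logger slog.Logger, set *entitlements.Set, settings idpsync.SyncSettings) *EnterpriseIDPSync {
+return &EnterpriseIDPSync{
+entitlements: set,
+AGPLIDPSync: idpsync.NewAGPLSync(logger.With(slog.F("enterprise_capable", "true")), settings),
+}
+}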
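Review bot: The doc comment on EnterpriseIDPSync has a verb-tense slip (`enabled syncing`) and NewSync, an exported constructor, has no doc comment at all. Suggest `// EnterpriseIDPSync enables syncing user information from an external IDP.` for the type, and for the constructor `// NewSync wraps the AGPL sync with the given entitlements; enterprise parsing only takes effect when the relevant feature is enabled in set.` The `enterprise_capable` logger field is given the string "true" rather than a boolean, which is harmless but inconsistent if the field is ever filtered on; `slog.F("enterprise_capable", true)` would be the natural form.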
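--- a/enterprise/coderd/enidpsync/organizations.go
+++ b/enterprise/coderd/enidpsync/organizations.go
@@ -0,0 +1,73 @@
+package enidpsync
+
+import (
+"context"
+"net/http"
+
+"github.com/golang-jwt/jwt/v4"
+"github.com/google/uuid"
+
+"cdr.dev/slog"
+"github.com/coder/coder/v2/coderd/database/dbauthz"
+"github.com/coder/coder/v2/coderd/idpsync"
+"github.com/coder/coder/v2/coderd/util/slice"
+"github.com/coder/coder/v2/codersdk"
+)
+
+func (e EnterpriseIDPSync) OrganizationSyncEnabled() bool {
+return e.entitlements.Enabled(codersdk.FeatureMultipleOrganizations) && e.OrganizationField != ""
+}
+
+func (e EnterpriseIDPSync) ParseOrganizationClaims(ctx context.Context, mergedClaims jwt.MapClaims) (idpsync.OrganizationParams, *idpsync.HTTPError) {
+if !e.OrganizationSyncEnabled() {
+// Default to agpl if multi-org is not enabled
+return e.AGPLIDPSync.ParseOrganizationClaims(ctx, mergedClaims)
+}
+
+// nolint:gocritic // all syncing is done as a system user
+ctx = dbauthz.AsSystemRestricted(ctx)
+userOrganizations := make([]uuid.UUID, 0)
+
+// Pull extra organizations from the claims.
+if e.OrganizationField != "" {
+organizationRaw, ok := mergedClaims[e.OrganizationField]
+if ok {
+parsedOrganizations, err := idpsync.ParseStringSliceClaim(organizationRaw)
+if err != nil {
+return idpsync.OrganizationParams{}, &idpsync.HTTPError{
+Code: http.StatusBadRequest,
+Msg: "Failed to sync organizations from the OIDC claims",
+Detail: err.Error(),
+RenderStaticPage: false,
+RenderDetailMarkdown: false,
+}
+}
+
+// Keep track of which claims are not mapped for debugging purposes.
+var ignored []string
+for _, parsedOrg := range parsedOrganizations {
+if mappedOrganization, ok := e.OrganizationMapping[parsedOrg]; ok {
+// parsedOrg is in the mapping, so add the mapped organizations to the
+// user's organizations.
+userOrganizations = append(userOrganizations, mappedOrganization...)
+} else {
+ignored = append(ignored, parsedOrg)
+}
+}
+
+e.Logger.Debug(ctx, "parsed organizations from claim",
+slog.F("len", len(parsedOrganizations)),
+slog.F("ignored", ignored),
+slog.F("organizations", parsedOrganizations),
+)
+}
+}
+
+return idpsync.OrganizationParams{
+// If the field is not set, then sync is not enabled.
+SyncEnabled: e.OrganizationField != "",
+IncludeDefault: e.OrganizationAssignDefault,
+// Do not return duplicates
+Organizations: slice.Unique(userOrganizations),
+}, nil
+}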
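Review bot: ParseOrganizationClaims elevates ctx with dbauthz.AsSystemRestricted, yet the only use of ctx after that point is the e.Logger.Debug call; nothing in this function touches the database, so the elevation and its nolint can be dropped and the system-restricted context kept confined to whichever code actually syncs memberships (presumably the AGPL SyncOrganizations path, which is not in this diff). The inner `if e.OrganizationField != ""` and the `SyncEnabled: e.OrganizationField != ""` are both always true once OrganizationSyncEnabled() has passed, so `SyncEnabled: true` with the inner guard removed reads more honestly. The method also deserves a doc comment stating that a claim set lacking the configured field is not an error but yields an empty organization list with SyncEnabled true, which, judging from the NoOrganizations expectation in organizations_test.go, leaves the user in only the default organization; e.g. `// ParseOrganizationClaims maps the configured claim through OrganizationMapping; an absent claim is treated as "no organizations", not as a parse failure.`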
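--- a/enterprise/coderd/enidpsync/organizations_test.go
+++ b/enterprise/coderd/enidpsync/organizations_test.go
@@ -0,0 +1,272 @@
+package enidpsync_test
+
+import (
+"context"
+"testing"
+
+"github.com/golang-jwt/jwt/v4"
+"github.com/google/uuid"
+"github.com/prometheus/client_golang/prometheus"
+"github.com/stretchr/testify/require"
+
+"cdr.dev/slog/sloggers/slogtest"
+"github.com/coder/coder/v2/coderd/coderdtest"
+"github.com/coder/coder/v2/coderd/database"
+"github.com/coder/coder/v2/coderd/database/db2sdk"
+"github.com/coder/coder/v2/coderd/database/dbauthz"
+"github.com/coder/coder/v2/coderd/database/dbgen"
+"github.com/coder/coder/v2/coderd/database/dbtestutil"
+"github.com/coder/coder/v2/coderd/entitlements"
+"github.com/coder/coder/v2/coderd/idpsync"
+"github.com/coder/coder/v2/coderd/rbac"
+"github.com/coder/coder/v2/codersdk"
+"github.com/coder/coder/v2/enterprise/coderd/enidpsync"
+"github.com/coder/coder/v2/testutil"
+)
+
+type ExpectedUser struct {
+SyncError bool
+Organizations []uuid.UUID
+}
+
+type Expectations struct {
+Name string
+Claims jwt.MapClaims
+// Parse
+ParseError func(t *testing.T, httpErr *idpsync.HTTPError)
+ExpectedParams idpsync.OrganizationParams
+// Mutate allows mutating the user before syncing
+Mutate func(t *testing.T, db database.Store, user database.User)
+Sync ExpectedUser
+}
+
+type OrganizationSyncTestCase struct {
+Settings idpsync.SyncSettings
+Entitlements *entitlements.Set
+Exps []Expectations
+}
+
+func TestOrganizationSync(t *testing.T) {
+t.Parallel()
+
+if dbtestutil.WillUsePostgres() {
+t.Skip("Skipping test because it populates a lot of db entries, which is slow on postgres")
+}
+
+requireUserOrgs := func(t *testing.T, db database.Store, user database.User, expected []uuid.UUID) {
+t.Helper()
+
+// nolint:gocritic // in testing
+members, err := db.OrganizationMembers(dbauthz.AsSystemRestricted(context.Background()), database.OrganizationMembersParams{
+UserID: user.ID,
+})
+require.NoError(t, err)
+
+foundIDs := db2sdk.List(members, func(m database.OrganizationMembersRow) uuid.UUID {
+return m.OrganizationMember.OrganizationID
+})
+require.ElementsMatch(t, expected, foundIDs, "match user organizations")
+}
+
+entitled := entitlements.New()
+entitled.Update(func(entitlements *codersdk.Entitlements) {
+entitlements.Features[codersdk.FeatureMultipleOrganizations] = codersdk.Feature{
+Entitlement: codersdk.EntitlementEntitled,
+Enabled: true,
+Limit: nil,
+Actual: nil,
+}
+})
+
+testCases := []struct {
+Name string
+Case func(t *testing.T, db database.Store) OrganizationSyncTestCase
+}{
+{
+Name: "SingleOrgDeployment",
+Case: func(t *testing.T, db database.Store) OrganizationSyncTestCase {
+def, _ := db.GetDefaultOrganization(context.Background())
+other := dbgen.Organization(t, db, database.Organization{})
+return OrganizationSyncTestCase{
+Entitlements: entitled,
+Settings: idpsync.SyncSettings{
+OrganizationField: "",
+OrganizationMapping: nil,
+OrganizationAssignDefault: true,
+},
+Exps: []Expectations{
+{
+Name: "NoOrganizations",
+Claims: jwt.MapClaims{},
+ExpectedParams: idpsync.OrganizationParams{
+SyncEnabled: false,
+IncludeDefault: true,
+Organizations: []uuid.UUID{},
+},
+Sync: ExpectedUser{
+Organizations: []uuid.UUID{},
+},
+},
+{
+Name: "AlreadyInOrgs",
+Claims: jwt.MapClaims{},
+ExpectedParams: idpsync.OrganizationParams{
+SyncEnabled: false,
+IncludeDefault: true,
+Organizations: []uuid.UUID{},
+},
+Mutate: func(t *testing.T, db database.Store, user database.User) {
+dbgen.OrganizationMember(t, db, database.OrganizationMember{
+UserID: user.ID,
+OrganizationID: def.ID,
+})
+dbgen.OrganizationMember(t, db, database.OrganizationMember{
+UserID: user.ID,
+OrganizationID: other.ID,
+})
+},
+Sync: ExpectedUser{
+Organizations: []uuid.UUID{def.ID, other.ID},
+},
+},
+},
+}
+},
+},
+{
+Name: "MultiOrgWithDefault",
+Case: func(t *testing.T, db database.Store) OrganizationSyncTestCase {
+def, _ := db.GetDefaultOrganization(context.Background())
+one := dbgen.Organization(t, db, database.Organization{})
+two := dbgen.Organization(t, db, database.Organization{})
+three := dbgen.Organization(t, db, database.Organization{})
+return OrganizationSyncTestCase{
+Entitlements: entitled,
+Settings: idpsync.SyncSettings{
+OrganizationField: "organizations",
+OrganizationMapping: map[string][]uuid.UUID{
+"first": {one.ID},
+"second": {two.ID},
+"third": {three.ID},
+},
+OrganizationAssignDefault: true,
+},
+Exps: []Expectations{
+{
+Name: "NoOrganizations",
+Claims: jwt.MapClaims{},
+ExpectedParams: idpsync.OrganizationParams{
+SyncEnabled: true,
+IncludeDefault: true,
+Organizations: []uuid.UUID{},
+},
+Sync: ExpectedUser{
+Organizations: []uuid.UUID{def.ID},
+},
+},
+{
+Name: "AlreadyInOrgs",
+Claims: jwt.MapClaims{
+"organizations": []string{"second", "extra"},
+},
+ExpectedParams: idpsync.OrganizationParams{
+SyncEnabled: true,
+IncludeDefault: true,
+Organizations: []uuid.UUID{two.ID},
+},
+Mutate: func(t *testing.T, db database.Store, user database.User) {
+dbgen.OrganizationMember(t, db, database.OrganizationMember{
+UserID: user.ID,
+OrganizationID: def.ID,
+})
+dbgen.OrganizationMember(t, db, database.OrganizationMember{
+UserID: user.ID,
+OrganizationID: one.ID,
+})
+},
+Sync: ExpectedUser{
+Organizations: []uuid.UUID{def.ID, two.ID},
+},
+},
+{
+Name: "ManyClaims",
+Claims: jwt.MapClaims{
+// Add some repeats
+"organizations": []string{"second", "extra", "first", "third", "second", "second"},
+},
+ExpectedParams: idpsync.OrganizationParams{
+SyncEnabled: true,
+IncludeDefault: true,
+Organizations: []uuid.UUID{
+two.ID, one.ID, three.ID,
+},
+},
+Mutate: func(t *testing.T, db database.Store, user database.User) {
+dbgen.OrganizationMember(t, db, database.OrganizationMember{
+UserID: user.ID,
+OrganizationID: def.ID,
+})
+dbgen.OrganizationMember(t, db, database.OrganizationMember{
+UserID: user.ID,
+OrganizationID: one.ID,
+})
+},
+Sync: ExpectedUser{
+Organizations: []uuid.UUID{def.ID, one.ID, two.ID, three.ID},
+},
+},
+},
+}
+},
+},
+}
+
+for _, tc := range testCases {
+tc := tc
+t.Run(tc.Name, func(t *testing.T) {
+t.Parallel()
+ctx := testutil.Context(t, testutil.WaitMedium)
+logger := slogtest.Make(t, &slogtest.Options{})
+
+rdb, _ := dbtestutil.NewDB(t)
+db := dbauthz.New(rdb, rbac.NewAuthorizer(prometheus.NewRegistry()), logger, coderdtest.AccessControlStorePointer())
+caseData := tc.Case(t, rdb)
+if caseData.Entitlements == nil {
+caseData.Entitlements = entitlements.New()
+}
+
+// Create a new sync object
+sync := enidpsync.NewSync(logger, caseData.Entitlements, caseData.Settings)
+for _, exp := range caseData.Exps {
+t.Run(exp.Name, func(t *testing.T) {
+params, httpErr := sync.ParseOrganizationClaims(ctx, exp.Claims)
+if exp.ParseError != nil {
+exp.ParseError(t, httpErr)
+return
+}
+require.Nil(t, httpErr, "no parse error")
+
+require.Equal(t, exp.ExpectedParams.SyncEnabled, params.SyncEnabled, "match enabled")
+require.Equal(t, exp.ExpectedParams.IncludeDefault, params.IncludeDefault, "match include default")
+if exp.ExpectedParams.Organizations == nil {
+exp.ExpectedParams.Organizations = []uuid.UUID{}
+}
+require.ElementsMatch(t, exp.ExpectedParams.Organizations, params.Organizations, "match organizations")
+
+user := dbgen.User(t, db, database.User{})
+if exp.Mutate != nil {
+exp.Mutate(t, rdb, user)
+}
+
+err := sync.SyncOrganizations(ctx, rdb, user, params)
+if exp.Sync.SyncError {
+require.Error(t, err)
+return
+}
+require.NoError(t, err)
+requireUserOrgs(t, db, user, exp.Sync.Organizations)
+})
+}
+})
+}
+}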
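Review bot: `def, _ := db.GetDefaultOrganization(context.Background())` in both Case functions discards the lookup error, so a failure would surface later only as a confusing uuid.Nil membership mismatch; use `def, err := db.GetDefaultOrganization(context.Background())` followed by `require.NoError(t, err)`. The harness declares ParseError and Sync.SyncError, but no expectation sets either, so the malformed-claim path (a value under the organizations field that ParseStringSliceClaim rejects, returning the 400 HTTPError) and a sync failure are both unexercised. There is also no case whose entitlements set lacks FeatureMultipleOrganizations, so the fallback to the AGPL ParseOrganizationClaims, which is the enterprise/AGPL boundary this commit introduces, is not pinned; one expectation for each would close those gaps.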