feat: get and update group IdP Sync settings (#14647)

--------- Co-authored-by: Steven Masley <stevenmasley@gmail.com>
2025-07-15 22:20:27 +00:00 · 2024-09-16 11:01:37 -06:00
parent 2df9a3e554
commit 5ed065d88d
18 changed files with 797 additions and 67 deletions
--- a/enterprise/coderd/coderd.go
+++ b/enterprise/coderd/coderd.go
@ -287,6 +287,10 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 			r.Post("/organizations/{organization}/members/roles", api.postOrgRoles)
 			r.Put("/organizations/{organization}/members/roles", api.putOrgRoles)
 			r.Delete("/organizations/{organization}/members/roles/{roleName}", api.deleteOrgRole)
+			r.Route("/organizations/{organization}/settings", func(r chi.Router) {
+				r.Get("/idpsync/groups", api.groupIDPSyncSettings)
+				r.Patch("/idpsync/groups", api.patchGroupIDPSyncSettings)
+			})
 		})

 		r.Group(func(r chi.Router) {
--- a/enterprise/coderd/idpsync.go
+++ b/enterprise/coderd/idpsync.go
@ -0,0 +1,79 @@
+package coderd
+
+import (
+	"net/http"
+
+	"github.com/coder/coder/v2/coderd/database/dbauthz"
+	"github.com/coder/coder/v2/coderd/httpapi"
+	"github.com/coder/coder/v2/coderd/httpmw"
+	"github.com/coder/coder/v2/coderd/idpsync"
+	"github.com/coder/coder/v2/coderd/rbac"
+	"github.com/coder/coder/v2/coderd/rbac/policy"
+)
+
+// @Summary Get group IdP Sync settings by organization
+// @ID get-group-idp-sync-settings-by-organization
+// @Security CoderSessionToken
+// @Produce json
+// @Tags Enterprise
+// @Param organization path string true "Organization ID" format(uuid)
+// @Success 200 {object} idpsync.GroupSyncSettings
+// @Router /organizations/{organization}/settings/idpsync/groups [get]
+func (api *API) groupIDPSyncSettings(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	org := httpmw.OrganizationParam(r)
+
+	if !api.Authorize(r, policy.ActionRead, rbac.ResourceIdpsyncSettings.InOrg(org.ID)) {
+		httpapi.Forbidden(rw)
+		return
+	}
+
+	//nolint:gocritic // Requires system context to read runtime config
+	sysCtx := dbauthz.AsSystemRestricted(ctx)
+	settings, err := api.IDPSync.GroupSyncSettings(sysCtx, org.ID, api.Database)
+	if err != nil {
+		httpapi.InternalServerError(rw, err)
+		return
+	}
+
+	httpapi.Write(ctx, rw, http.StatusOK, settings)
+}
+
+// @Summary Update group IdP Sync settings by organization
+// @ID update-group-idp-sync-settings-by-organization
+// @Security CoderSessionToken
+// @Produce json
+// @Tags Enterprise
+// @Param organization path string true "Organization ID" format(uuid)
+// @Success 200 {object} idpsync.GroupSyncSettings
+// @Router /organizations/{organization}/settings/idpsync/groups [patch]
+func (api *API) patchGroupIDPSyncSettings(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	org := httpmw.OrganizationParam(r)
+
+	if !api.Authorize(r, policy.ActionUpdate, rbac.ResourceIdpsyncSettings.InOrg(org.ID)) {
+		httpapi.Forbidden(rw)
+		return
+	}
+
+	var req idpsync.GroupSyncSettings
+	if !httpapi.Read(ctx, rw, r, &req) {
+		return
+	}
+
+	//nolint:gocritic // Requires system context to update runtime config
+	sysCtx := dbauthz.AsSystemRestricted(ctx)
+	err := api.IDPSync.UpdateGroupSettings(sysCtx, org.ID, api.Database, req)
+	if err != nil {
+		httpapi.InternalServerError(rw, err)
+		return
+	}
+
+	settings, err := api.IDPSync.GroupSyncSettings(sysCtx, org.ID, api.Database)
+	if err != nil {
+		httpapi.InternalServerError(rw, err)
+		return
+	}
+
+	httpapi.Write(ctx, rw, http.StatusOK, settings)
+}
--- a/enterprise/coderd/idpsync_test.go
+++ b/enterprise/coderd/idpsync_test.go
@ -0,0 +1,172 @@
+package coderd_test
+
+import (
+	"net/http"
+	"regexp"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/v2/coderd/coderdtest"
+	"github.com/coder/coder/v2/coderd/database/dbauthz"
+	"github.com/coder/coder/v2/coderd/idpsync"
+	"github.com/coder/coder/v2/coderd/rbac"
+	"github.com/coder/coder/v2/coderd/runtimeconfig"
+	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/enterprise/coderd/coderdenttest"
+	"github.com/coder/coder/v2/enterprise/coderd/license"
+	"github.com/coder/coder/v2/testutil"
+	"github.com/coder/serpent"
+)
+
+func TestGetGroupSyncConfig(t *testing.T) {
+	t.Parallel()
+
+	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
+
+		dv := coderdtest.DeploymentValues(t)
+		dv.Experiments = []string{
+			string(codersdk.ExperimentCustomRoles),
+			string(codersdk.ExperimentMultiOrganization),
+		}
+
+		owner, db, user := coderdenttest.NewWithDatabase(t, &coderdenttest.Options{
+			Options: &coderdtest.Options{
+				DeploymentValues: dv,
+			},
+			LicenseOptions: &coderdenttest.LicenseOptions{
+				Features: license.Features{
+					codersdk.FeatureCustomRoles:           1,
+					codersdk.FeatureMultipleOrganizations: 1,
+				},
+			},
+		})
+		orgAdmin, _ := coderdtest.CreateAnotherUser(t, owner, user.OrganizationID, rbac.ScopedRoleOrgAdmin(user.OrganizationID))
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		dbresv := runtimeconfig.OrganizationResolver(user.OrganizationID, runtimeconfig.NewStoreResolver(db))
+		entry := runtimeconfig.MustNew[*idpsync.GroupSyncSettings]("group-sync-settings")
+		//nolint:gocritic // Requires system context to set runtime config
+		err := entry.SetRuntimeValue(dbauthz.AsSystemRestricted(ctx), dbresv, &idpsync.GroupSyncSettings{Field: "august"})
+		require.NoError(t, err)
+
+		settings, err := orgAdmin.GroupIDPSyncSettings(ctx, user.OrganizationID.String())
+		require.NoError(t, err)
+		require.Equal(t, "august", settings.Field)
+	})
+
+	t.Run("Legacy", func(t *testing.T) {
+		t.Parallel()
+
+		dv := coderdtest.DeploymentValues(t)
+		dv.Experiments = []string{
+			string(codersdk.ExperimentCustomRoles),
+			string(codersdk.ExperimentMultiOrganization),
+		}
+		dv.OIDC.GroupField = "legacy-group"
+		dv.OIDC.GroupRegexFilter = serpent.Regexp(*regexp.MustCompile("legacy-filter"))
+		dv.OIDC.GroupMapping = serpent.Struct[map[string]string]{
+			Value: map[string]string{
+				"foo": "bar",
+			},
+		}
+
+		owner, user := coderdenttest.New(t, &coderdenttest.Options{
+			Options: &coderdtest.Options{
+				DeploymentValues: dv,
+			},
+			LicenseOptions: &coderdenttest.LicenseOptions{
+				Features: license.Features{
+					codersdk.FeatureCustomRoles:           1,
+					codersdk.FeatureMultipleOrganizations: 1,
+				},
+			},
+		})
+		orgAdmin, _ := coderdtest.CreateAnotherUser(t, owner, user.OrganizationID, rbac.ScopedRoleOrgAdmin(user.OrganizationID))
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+
+		settings, err := orgAdmin.GroupIDPSyncSettings(ctx, user.OrganizationID.String())
+		require.NoError(t, err)
+		require.Equal(t, dv.OIDC.GroupField.Value(), settings.Field)
+		require.Equal(t, dv.OIDC.GroupRegexFilter.String(), settings.RegexFilter.String())
+		require.Equal(t, dv.OIDC.GroupMapping.Value, settings.LegacyNameMapping)
+	})
+}
+
+func TestPostGroupSyncConfig(t *testing.T) {
+	t.Parallel()
+
+	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
+
+		dv := coderdtest.DeploymentValues(t)
+		dv.Experiments = []string{
+			string(codersdk.ExperimentCustomRoles),
+			string(codersdk.ExperimentMultiOrganization),
+		}
+
+		owner, user := coderdenttest.New(t, &coderdenttest.Options{
+			Options: &coderdtest.Options{
+				DeploymentValues: dv,
+			},
+			LicenseOptions: &coderdenttest.LicenseOptions{
+				Features: license.Features{
+					codersdk.FeatureCustomRoles:           1,
+					codersdk.FeatureMultipleOrganizations: 1,
+				},
+			},
+		})
+
+		orgAdmin, _ := coderdtest.CreateAnotherUser(t, owner, user.OrganizationID, rbac.ScopedRoleOrgAdmin(user.OrganizationID))
+
+		// Test as org admin
+		ctx := testutil.Context(t, testutil.WaitShort)
+		settings, err := orgAdmin.PatchGroupIDPSyncSettings(ctx, user.OrganizationID.String(), codersdk.GroupSyncSettings{
+			Field: "august",
+		})
+		require.NoError(t, err)
+		require.Equal(t, "august", settings.Field)
+
+		fetchedSettings, err := orgAdmin.GroupIDPSyncSettings(ctx, user.OrganizationID.String())
+		require.NoError(t, err)
+		require.Equal(t, "august", fetchedSettings.Field)
+	})
+
+	t.Run("NotAuthorized", func(t *testing.T) {
+		t.Parallel()
+
+		dv := coderdtest.DeploymentValues(t)
+		dv.Experiments = []string{
+			string(codersdk.ExperimentCustomRoles),
+			string(codersdk.ExperimentMultiOrganization),
+		}
+
+		owner, user := coderdenttest.New(t, &coderdenttest.Options{
+			Options: &coderdtest.Options{
+				DeploymentValues: dv,
+			},
+			LicenseOptions: &coderdenttest.LicenseOptions{
+				Features: license.Features{
+					codersdk.FeatureCustomRoles:           1,
+					codersdk.FeatureMultipleOrganizations: 1,
+				},
+			},
+		})
+
+		member, _ := coderdtest.CreateAnotherUser(t, owner, user.OrganizationID)
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		_, err := member.PatchGroupIDPSyncSettings(ctx, user.OrganizationID.String(), codersdk.GroupSyncSettings{
+			Field: "august",
+		})
+		var apiError *codersdk.Error
+		require.ErrorAs(t, err, &apiError)
+		require.Equal(t, http.StatusForbidden, apiError.StatusCode())
+
+		_, err = member.GroupIDPSyncSettings(ctx, user.OrganizationID.String())
+		require.ErrorAs(t, err, &apiError)
+		require.Equal(t, http.StatusForbidden, apiError.StatusCode())
+	})
+}