chore: move organizatinon sync to runtime configuration (#15431)

Moves the configuration from environment to database backed, to allow
configuring organization sync at runtime.

enterprise/coderd/idpsync.go

@@ -44,8 +44,10 @@ func (api *API) groupIDPSyncSettings(rw http.ResponseWriter, r *http.Request) {
 // @ID update-group-idp-sync-settings-by-organization
 // @Security CoderSessionToken
 // @Produce json
+// @Accept json
 // @Tags Enterprise
 // @Param organization path string true "Organization ID" format(uuid)
+// @Param request body codersdk.GroupSyncSettings true "New settings"
 // @Success 200 {object} codersdk.GroupSyncSettings
 // @Router /organizations/{organization}/settings/idpsync/groups [patch]
 func (api *API) patchGroupIDPSyncSettings(rw http.ResponseWriter, r *http.Request) {
@@ -57,7 +59,7 @@ func (api *API) patchGroupIDPSyncSettings(rw http.ResponseWriter, r *http.Reques
 		return
 	}
 
-	var req idpsync.GroupSyncSettings
+	var req codersdk.GroupSyncSettings
 	if !httpapi.Read(ctx, rw, r, &req) {
 		return
 	}
@@ -78,7 +80,13 @@ func (api *API) patchGroupIDPSyncSettings(rw http.ResponseWriter, r *http.Reques
 
 	//nolint:gocritic // Requires system context to update runtime config
 	sysCtx := dbauthz.AsSystemRestricted(ctx)
-	err := api.IDPSync.UpdateGroupSettings(sysCtx, org.ID, api.Database, req)
+	err := api.IDPSync.UpdateGroupSettings(sysCtx, org.ID, api.Database, idpsync.GroupSyncSettings{
+		Field:             req.Field,
+		Mapping:           req.Mapping,
+		RegexFilter:       req.RegexFilter,
+		AutoCreateMissing: req.AutoCreateMissing,
+		LegacyNameMapping: req.LegacyNameMapping,
+	})
 	if err != nil {
 		httpapi.InternalServerError(rw, err)
 		return
@@ -90,7 +98,13 @@ func (api *API) patchGroupIDPSyncSettings(rw http.ResponseWriter, r *http.Reques
 		return
 	}
 
-	httpapi.Write(ctx, rw, http.StatusOK, settings)
+	httpapi.Write(ctx, rw, http.StatusOK, codersdk.GroupSyncSettings{
+		Field:             settings.Field,
+		Mapping:           settings.Mapping,
+		RegexFilter:       settings.RegexFilter,
+		AutoCreateMissing: settings.AutoCreateMissing,
+		LegacyNameMapping: settings.LegacyNameMapping,
+	})
 }
 
 // @Summary Get role IdP Sync settings by organization
@@ -125,8 +139,10 @@ func (api *API) roleIDPSyncSettings(rw http.ResponseWriter, r *http.Request) {
 // @ID update-role-idp-sync-settings-by-organization
 // @Security CoderSessionToken
 // @Produce json
+// @Accept json
 // @Tags Enterprise
 // @Param organization path string true "Organization ID" format(uuid)
+// @Param request body codersdk.RoleSyncSettings true "New settings"
 // @Success 200 {object} codersdk.RoleSyncSettings
 // @Router /organizations/{organization}/settings/idpsync/roles [patch]
 func (api *API) patchRoleIDPSyncSettings(rw http.ResponseWriter, r *http.Request) {
@@ -138,14 +154,17 @@ func (api *API) patchRoleIDPSyncSettings(rw http.ResponseWriter, r *http.Request
 		return
 	}
 
-	var req idpsync.RoleSyncSettings
+	var req codersdk.RoleSyncSettings
 	if !httpapi.Read(ctx, rw, r, &req) {
 		return
 	}
 
 	//nolint:gocritic // Requires system context to update runtime config
 	sysCtx := dbauthz.AsSystemRestricted(ctx)
-	err := api.IDPSync.UpdateRoleSettings(sysCtx, org.ID, api.Database, req)
+	err := api.IDPSync.UpdateRoleSettings(sysCtx, org.ID, api.Database, idpsync.RoleSyncSettings{
+		Field:   req.Field,
+		Mapping: req.Mapping,
+	})
 	if err != nil {
 		httpapi.InternalServerError(rw, err)
 		return
@@ -157,5 +176,82 @@ func (api *API) patchRoleIDPSyncSettings(rw http.ResponseWriter, r *http.Request
 		return
 	}
 
+	httpapi.Write(ctx, rw, http.StatusOK, codersdk.RoleSyncSettings{
+		Field:   settings.Field,
+		Mapping: settings.Mapping,
+	})
+}
+
+// @Summary Get organization IdP Sync settings
+// @ID get-organization-idp-sync-settings
+// @Security CoderSessionToken
+// @Produce json
+// @Tags Enterprise
+// @Success 200 {object} codersdk.OrganizationSyncSettings
+// @Router /settings/idpsync/organization [get]
+func (api *API) organizationIDPSyncSettings(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	if !api.Authorize(r, policy.ActionRead, rbac.ResourceIdpsyncSettings) {
+		httpapi.Forbidden(rw)
+		return
+	}
+
+	//nolint:gocritic // Requires system context to read runtime config
+	sysCtx := dbauthz.AsSystemRestricted(ctx)
+	settings, err := api.IDPSync.OrganizationSyncSettings(sysCtx, api.Database)
+	if err != nil {
+		httpapi.InternalServerError(rw, err)
+		return
+	}
+
 	httpapi.Write(ctx, rw, http.StatusOK, settings)
 }
+
+// @Summary Update organization IdP Sync settings
+// @ID update-organization-idp-sync-settings
+// @Security CoderSessionToken
+// @Produce json
+// @Accept json
+// @Tags Enterprise
+// @Success 200 {object} codersdk.OrganizationSyncSettings
+// @Param request body codersdk.OrganizationSyncSettings true "New settings"
+// @Router /settings/idpsync/organization [patch]
+func (api *API) patchOrganizationIDPSyncSettings(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	if !api.Authorize(r, policy.ActionUpdate, rbac.ResourceIdpsyncSettings) {
+		httpapi.Forbidden(rw)
+		return
+	}
+
+	var req codersdk.OrganizationSyncSettings
+	if !httpapi.Read(ctx, rw, r, &req) {
+		return
+	}
+
+	//nolint:gocritic // Requires system context to update runtime config
+	sysCtx := dbauthz.AsSystemRestricted(ctx)
+	err := api.IDPSync.UpdateOrganizationSettings(sysCtx, api.Database, idpsync.OrganizationSyncSettings{
+		Field: req.Field,
+		// We do not check if the mappings point to actual organizations.
+		Mapping:       req.Mapping,
+		AssignDefault: req.AssignDefault,
+	})
+	if err != nil {
+		httpapi.InternalServerError(rw, err)
+		return
+	}
+
+	settings, err := api.IDPSync.OrganizationSyncSettings(sysCtx, api.Database)
+	if err != nil {
+		httpapi.InternalServerError(rw, err)
+		return
+	}
+
+	httpapi.Write(ctx, rw, http.StatusOK, codersdk.OrganizationSyncSettings{
+		Field:         settings.Field,
+		Mapping:       settings.Mapping,
+		AssignDefault: settings.AssignDefault,
+	})
+}