feat: implement patch and get api methods for role sync (#14692)

* feat: implement patch and get api methods for role sync

enterprise/coderd/coderd.go

@@ -286,9 +286,18 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 			r.Post("/organizations/{organization}/members/roles", api.postOrgRoles)
 			r.Put("/organizations/{organization}/members/roles", api.putOrgRoles)
 			r.Delete("/organizations/{organization}/members/roles/{roleName}", api.deleteOrgRole)
+		})
+
+		r.Group(func(r chi.Router) {
+			r.Use(
+				apiKeyMiddleware,
+				httpmw.ExtractOrganizationParam(api.Database),
+			)
 			r.Route("/organizations/{organization}/settings", func(r chi.Router) {
 				r.Get("/idpsync/groups", api.groupIDPSyncSettings)
 				r.Patch("/idpsync/groups", api.patchGroupIDPSyncSettings)
+				r.Get("/idpsync/roles", api.roleIDPSyncSettings)
+				r.Patch("/idpsync/roles", api.patchRoleIDPSyncSettings)
 			})
 		})
 

enterprise/coderd/idpsync.go

@@ -17,7 +17,7 @@ import (
 // @Produce json
 // @Tags Enterprise
 // @Param organization path string true "Organization ID" format(uuid)
-// @Success 200 {object} idpsync.GroupSyncSettings
+// @Success 200 {object} codersdk.GroupSyncSettings
 // @Router /organizations/{organization}/settings/idpsync/groups [get]
 func (api *API) groupIDPSyncSettings(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
@@ -45,7 +45,7 @@ func (api *API) groupIDPSyncSettings(rw http.ResponseWriter, r *http.Request) {
 // @Produce json
 // @Tags Enterprise
 // @Param organization path string true "Organization ID" format(uuid)
-// @Success 200 {object} idpsync.GroupSyncSettings
+// @Success 200 {object} codersdk.GroupSyncSettings
 // @Router /organizations/{organization}/settings/idpsync/groups [patch]
 func (api *API) patchGroupIDPSyncSettings(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
@@ -77,3 +77,70 @@ func (api *API) patchGroupIDPSyncSettings(rw http.ResponseWriter, r *http.Reques
 
 	httpapi.Write(ctx, rw, http.StatusOK, settings)
 }
+
+// @Summary Get role IdP Sync settings by organization
+// @ID get-role-idp-sync-settings-by-organization
+// @Security CoderSessionToken
+// @Produce json
+// @Tags Enterprise
+// @Param organization path string true "Organization ID" format(uuid)
+// @Success 200 {object} codersdk.RoleSyncSettings
+// @Router /organizations/{organization}/settings/idpsync/roles [get]
+func (api *API) roleIDPSyncSettings(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	org := httpmw.OrganizationParam(r)
+
+	if !api.Authorize(r, policy.ActionRead, rbac.ResourceIdpsyncSettings.InOrg(org.ID)) {
+		httpapi.Forbidden(rw)
+		return
+	}
+
+	//nolint:gocritic // Requires system context to read runtime config
+	sysCtx := dbauthz.AsSystemRestricted(ctx)
+	settings, err := api.IDPSync.RoleSyncSettings(sysCtx, org.ID, api.Database)
+	if err != nil {
+		httpapi.InternalServerError(rw, err)
+		return
+	}
+
+	httpapi.Write(ctx, rw, http.StatusOK, settings)
+}
+
+// @Summary Update role IdP Sync settings by organization
+// @ID update-role-idp-sync-settings-by-organization
+// @Security CoderSessionToken
+// @Produce json
+// @Tags Enterprise
+// @Param organization path string true "Organization ID" format(uuid)
+// @Success 200 {object} codersdk.RoleSyncSettings
+// @Router /organizations/{organization}/settings/idpsync/roles [patch]
+func (api *API) patchRoleIDPSyncSettings(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	org := httpmw.OrganizationParam(r)
+
+	if !api.Authorize(r, policy.ActionUpdate, rbac.ResourceIdpsyncSettings.InOrg(org.ID)) {
+		httpapi.Forbidden(rw)
+		return
+	}
+
+	var req idpsync.RoleSyncSettings
+	if !httpapi.Read(ctx, rw, r, &req) {
+		return
+	}
+
+	//nolint:gocritic // Requires system context to update runtime config
+	sysCtx := dbauthz.AsSystemRestricted(ctx)
+	err := api.IDPSync.UpdateRoleSettings(sysCtx, org.ID, api.Database, req)
+	if err != nil {
+		httpapi.InternalServerError(rw, err)
+		return
+	}
+
+	settings, err := api.IDPSync.RoleSyncSettings(sysCtx, org.ID, api.Database)
+	if err != nil {
+		httpapi.InternalServerError(rw, err)
+		return
+	}
+
+	httpapi.Write(ctx, rw, http.StatusOK, settings)
+}

enterprise/coderd/idpsync_test.go

@@ -170,3 +170,122 @@ func TestPostGroupSyncConfig(t *testing.T) {
 		require.Equal(t, http.StatusForbidden, apiError.StatusCode())
 	})
 }
+
+func TestGetRoleSyncConfig(t *testing.T) {
+	t.Parallel()
+
+	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
+
+		dv := coderdtest.DeploymentValues(t)
+		dv.Experiments = []string{
+			string(codersdk.ExperimentCustomRoles),
+			string(codersdk.ExperimentMultiOrganization),
+		}
+
+		owner, _, _, user := coderdenttest.NewWithAPI(t, &coderdenttest.Options{
+			Options: &coderdtest.Options{
+				DeploymentValues: dv,
+			},
+			LicenseOptions: &coderdenttest.LicenseOptions{
+				Features: license.Features{
+					codersdk.FeatureCustomRoles:           1,
+					codersdk.FeatureMultipleOrganizations: 1,
+				},
+			},
+		})
+		orgAdmin, _ := coderdtest.CreateAnotherUser(t, owner, user.OrganizationID, rbac.ScopedRoleOrgAdmin(user.OrganizationID))
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		settings, err := orgAdmin.PatchRoleIDPSyncSettings(ctx, user.OrganizationID.String(), codersdk.RoleSyncSettings{
+			Field: "august",
+			Mapping: map[string][]string{
+				"foo": {"bar"},
+			},
+		})
+		require.NoError(t, err)
+		require.Equal(t, "august", settings.Field)
+		require.Equal(t, map[string][]string{"foo": {"bar"}}, settings.Mapping)
+
+		settings, err = orgAdmin.RoleIDPSyncSettings(ctx, user.OrganizationID.String())
+		require.NoError(t, err)
+		require.Equal(t, "august", settings.Field)
+		require.Equal(t, map[string][]string{"foo": {"bar"}}, settings.Mapping)
+	})
+}
+
+func TestPostRoleSyncConfig(t *testing.T) {
+	t.Parallel()
+
+	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
+
+		dv := coderdtest.DeploymentValues(t)
+		dv.Experiments = []string{
+			string(codersdk.ExperimentCustomRoles),
+			string(codersdk.ExperimentMultiOrganization),
+		}
+
+		owner, user := coderdenttest.New(t, &coderdenttest.Options{
+			Options: &coderdtest.Options{
+				DeploymentValues: dv,
+			},
+			LicenseOptions: &coderdenttest.LicenseOptions{
+				Features: license.Features{
+					codersdk.FeatureCustomRoles:           1,
+					codersdk.FeatureMultipleOrganizations: 1,
+				},
+			},
+		})
+
+		orgAdmin, _ := coderdtest.CreateAnotherUser(t, owner, user.OrganizationID, rbac.ScopedRoleOrgAdmin(user.OrganizationID))
+
+		// Test as org admin
+		ctx := testutil.Context(t, testutil.WaitShort)
+		settings, err := orgAdmin.PatchRoleIDPSyncSettings(ctx, user.OrganizationID.String(), codersdk.RoleSyncSettings{
+			Field: "august",
+		})
+		require.NoError(t, err)
+		require.Equal(t, "august", settings.Field)
+
+		fetchedSettings, err := orgAdmin.RoleIDPSyncSettings(ctx, user.OrganizationID.String())
+		require.NoError(t, err)
+		require.Equal(t, "august", fetchedSettings.Field)
+	})
+
+	t.Run("NotAuthorized", func(t *testing.T) {
+		t.Parallel()
+
+		dv := coderdtest.DeploymentValues(t)
+		dv.Experiments = []string{
+			string(codersdk.ExperimentCustomRoles),
+			string(codersdk.ExperimentMultiOrganization),
+		}
+
+		owner, user := coderdenttest.New(t, &coderdenttest.Options{
+			Options: &coderdtest.Options{
+				DeploymentValues: dv,
+			},
+			LicenseOptions: &coderdenttest.LicenseOptions{
+				Features: license.Features{
+					codersdk.FeatureCustomRoles:           1,
+					codersdk.FeatureMultipleOrganizations: 1,
+				},
+			},
+		})
+
+		member, _ := coderdtest.CreateAnotherUser(t, owner, user.OrganizationID)
+
+		ctx := testutil.Context(t, testutil.WaitShort)
+		_, err := member.PatchRoleIDPSyncSettings(ctx, user.OrganizationID.String(), codersdk.RoleSyncSettings{
+			Field: "august",
+		})
+		var apiError *codersdk.Error
+		require.ErrorAs(t, err, &apiError)
+		require.Equal(t, http.StatusForbidden, apiError.StatusCode())
+
+		_, err = member.RoleIDPSyncSettings(ctx, user.OrganizationID.String())
+		require.ErrorAs(t, err, &apiError)
+		require.Equal(t, http.StatusForbidden, apiError.StatusCode())
+	})
+}