MostUsing
diff --git a/‎coderd/database/dbmetrics/dbmetrics.go
Lines changed: 2 additions & 2 deletions b/‎coderd/database/dbmetrics/dbmetrics.go
Lines changed: 2 additions & 2 deletions
diff --git a/‎coderd/database/models.go
Lines changed: 1 addition & 1 deletion b/‎coderd/database/models.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/database/querier.go
Lines changed: 1 addition & 1 deletion b/‎coderd/database/querier.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/idpsync/idpsync.go
Lines changed: 125 additions & 0 deletions b/‎coderd/idpsync/idpsync.go
Lines changed: 125 additions & 0 deletions
diff --git a/‎coderd/userauth_internal_test.go renamed to ‎coderd/idpsync/idpsync_test.go
Lines changed: 4 additions & 2 deletions b/‎coderd/userauth_internal_test.go renamed to ‎coderd/idpsync/idpsync_test.go
Lines changed: 4 additions & 2 deletions
diff --git a/‎coderd/idpsync/organization.go
Lines changed: 127 additions & 0 deletions b/‎coderd/idpsync/organization.go
Lines changed: 127 additions & 0 deletions
@@ -0,0 +1,125 @@
+package idpsync
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/google/uuid"
+	"golang.org/x/xerrors"
+
+	"cdr.dev/slog"
+	"github.com/coder/coder/v2/coderd/entitlements"
+	"github.com/coder/coder/v2/coderd/httpapi"
+	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/site"
+)
+
+// IDPSync is the configuration for syncing user information from an external
+// IDP. All related code to syncing user information should be in this package.
+type IDPSync struct {
+	logger       slog.Logger
+	entitlements *entitlements.Set
+
+	// OrganizationField selects the claim field to be used as the created user's
+	// organizations. If the field is the empty string, then no organization updates
+	// will ever come from the OIDC provider.
+	OrganizationField string
+	// OrganizationMapping controls how organizations returned by the OIDC provider get mapped
+	OrganizationMapping map[string][]uuid.UUID
+	// OrganizationAlwaysAssign will ensure all users that authenticate will be
+	// placed into the specified organizations.
+	OrganizationAlwaysAssign []uuid.UUID
+}
+
+func NewSync(logger slog.Logger, set *entitlements.Set) *IDPSync {
+	return &IDPSync{
+		logger:       logger.Named("idp-sync"),
+		entitlements: set,
+	}
+}
+
+// ParseStringSliceClaim parses the claim for groups and roles, expected []string.
+//
+// Some providers like ADFS return a single string instead of an array if there
+// is only 1 element. So this function handles the edge cases.
+func ParseStringSliceClaim(claim interface{}) ([]string, error) {
+	groups := make([]string, 0)
+	if claim == nil {
+		return groups, nil
+	}
+
+	// The simple case is the type is exactly what we expected
+	asStringArray, ok := claim.([]string)
+	if ok {
+		return asStringArray, nil
+	}
+
+	asArray, ok := claim.([]interface{})
+	if ok {
+		for i, item := range asArray {
+			asString, ok := item.(string)
+			if !ok {
+				return nil, xerrors.Errorf("invalid claim type. Element %d expected a string, got: %T", i, item)
+			}
+			groups = append(groups, asString)
+		}
+		return groups, nil
+	}
+
+	asString, ok := claim.(string)
+	if ok {
+		if asString == "" {
+			// Empty string should be 0 groups.
+			return []string{}, nil
+		}
+		// If it is a single string, first check if it is a csv.
+		// If a user hits this, it is likely a misconfiguration and they need
+		// to reconfigure their IDP to send an array instead.
+		if strings.Contains(asString, ",") {
+			return nil, xerrors.Errorf("invalid claim type. Got a csv string (%q), change this claim to return an array of strings instead.", asString)
+		}
+		return []string{asString}, nil
+	}
+
+	// Not sure what the user gave us.
+	return nil, xerrors.Errorf("invalid claim type. Expected an array of strings, got: %T", claim)
+}
+
+// HttpError is a helper struct for returning errors from the IDP sync process.
+// A regular error is not sufficient because many of these errors are surfaced
+// to a user logging in, and the errors should be descriptive.
+type HttpError struct {
+	Code                 int
+	Msg                  string
+	Detail               string
+	RenderStaticPage     bool
+	RenderDetailMarkdown bool
+}
+
+func (e HttpError) Write(rw http.ResponseWriter, r *http.Request) {
+	if e.RenderStaticPage {
+		site.RenderStaticErrorPage(rw, r, site.ErrorPageData{
+			Status:       e.Code,
+			HideStatus:   true,
+			Title:        e.Msg,
+			Description:  e.Detail,
+			RetryEnabled: false,
+			DashboardURL: "/login",
+
+			RenderDescriptionMarkdown: e.RenderDetailMarkdown,
+		})
+		return
+	}
+	httpapi.Write(r.Context(), rw, e.Code, codersdk.Response{
+		Message: e.Msg,
+		Detail:  e.Detail,
+	})
+}
+
+func (e HttpError) Error() string {
+	if e.Detail != "" {
+		return e.Detail
+	}
+
+	return e.Msg
+}
@@ -1,10 +1,12 @@
-package coderd
+package idpsync_test
 
 import (
 	"encoding/json"
 	"testing"
 
 	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/v2/coderd/idpsync"
 )
 
 func TestParseStringSliceClaim(t *testing.T) {
@@ -123,7 +125,7 @@ func TestParseStringSliceClaim(t *testing.T) {
 				require.NoError(t, err, "unmarshal json claim")
 			}
 
-			found, err := parseStringSliceClaim(c.GoClaim)
+			found, err := idpsync.ParseStringSliceClaim(c.GoClaim)
 			if c.ErrorExpected {
 				require.Error(t, err)
 			} else {
 
@@ -0,0 +1,127 @@
+package idpsync
+
+import (
+	"context"
+	"database/sql"
+	"net/http"
+
+	"github.com/google/uuid"
+	"golang.org/x/xerrors"
+
+	"cdr.dev/slog"
+	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/db2sdk"
+	"github.com/coder/coder/v2/coderd/database/dbauthz"
+	"github.com/coder/coder/v2/coderd/database/dbtime"
+	"github.com/coder/coder/v2/coderd/util/slice"
+)
+
+func (s IDPSync) ParseOrganizationClaims(ctx context.Context, mergedClaims map[string]interface{}) (OrganizationParams, *HttpError) {
+	// nolint:gocritic // all syncing is done as a system user
+	ctx = dbauthz.AsSystemRestricted(ctx)
+
+	// Copy in the always included static set of organizations.
+	userOrganizations := make([]uuid.UUID, len(s.OrganizationAlwaysAssign))
+	copy(userOrganizations, s.OrganizationAlwaysAssign)
+
+	// Pull extra organizations from the claims.
+	if s.OrganizationField != "" {
+		organizationRaw, ok := mergedClaims[s.OrganizationField]
+		if ok {
+			parsedOrganizations, err := ParseStringSliceClaim(organizationRaw)
+			if err != nil {
+				return OrganizationParams{}, &HttpError{
+					Code:                 http.StatusBadRequest,
+					Msg:                  "Failed to sync organizations from the OIDC claims",
+					Detail:               err.Error(),
+					RenderStaticPage:     false,
+					RenderDetailMarkdown: false,
+				}
+			}
+
+			// Keep track of which claims are not mapped for debugging purposes.
+			var ignored []string
+			for _, parsedOrg := range parsedOrganizations {
+				if mappedOrganization, ok := s.OrganizationMapping[parsedOrg]; ok {
+					// parsedOrg is in the mapping, so add the mapped organizations to the
+					// user's organizations.
+					userOrganizations = append(userOrganizations, mappedOrganization...)
+				} else {
+					ignored = append(ignored, parsedOrg)
+				}
+			}
+
+			s.logger.Debug(ctx, "parsed organizations from claim",
+				slog.F("len", len(parsedOrganizations)),
+				slog.F("ignored", ignored),
+				slog.F("organizations", parsedOrganizations),
+			)
+		}
+	}
+
+	return OrganizationParams{
+		Organizations: userOrganizations,
+	}, nil
+}
+
+type OrganizationParams struct {
+	// Organizations is the list of organizations the user should be a member of
+	// assuming syncing is turned on.
+	Organizations []uuid.UUID
+}
+
+func (s IDPSync) SyncOrganizations(ctx context.Context, tx database.Store, user database.User, params OrganizationParams) error {
+	// nolint:gocritic // all syncing is done as a system user
+	ctx = dbauthz.AsSystemRestricted(ctx)
+
+	existingOrgs, err := tx.GetOrganizationsByUserID(ctx, user.ID)
+	if err != nil {
+		return xerrors.Errorf("failed to get user organizations: %w", err)
+	}
+
+	existingOrgIDs := db2sdk.List(existingOrgs, func(org database.Organization) uuid.UUID {
+		return org.ID
+	})
+
+	// Find the difference in the expected and the existing orgs, and
+	// correct the set of orgs the user is a member of.
+	add, remove := slice.SymmetricDifference(existingOrgIDs, params.Organizations)
+	notExists := make([]uuid.UUID, 0)
+	for _, orgID := range add {
+		//nolint:gocritic // System actor being used to assign orgs
+		_, err := tx.InsertOrganizationMember(dbauthz.AsSystemRestricted(ctx), database.InsertOrganizationMemberParams{
+			OrganizationID: orgID,
+			UserID:         user.ID,
+			CreatedAt:      dbtime.Now(),
+			UpdatedAt:      dbtime.Now(),
+			Roles:          []string{},
+		})
+		if err != nil {
+			if xerrors.Is(err, sql.ErrNoRows) {
+				notExists = append(notExists, orgID)
+				continue
+			}
+			return xerrors.Errorf("add user to organization: %w", err)
+		}
+	}
+
+	for _, orgID := range remove {
+		//nolint:gocritic // System actor being used to assign orgs
+		err := tx.DeleteOrganizationMember(dbauthz.AsSystemRestricted(ctx), database.DeleteOrganizationMemberParams{
+			OrganizationID: orgID,
+			UserID:         user.ID,
+		})
+		if err != nil {
+			return xerrors.Errorf("remove user from organization: %w", err)
+		}
+	}
+
+	if len(notExists) > 0 {
+		s.logger.Debug(ctx, "organizations do not exist but attempted to use in org sync",
+			slog.F("not_found", notExists),
+			slog.F("user_id", user.ID),
+			slog.F("username", user.Username),
+		)
+	}
+	return nil
+}