@@ -1217,8 +1217,10 @@ type oauthLoginParams struct {
12171217 // to the Groups provided.
12181218 UsingGroups bool
12191219 CreateMissingGroups bool
1220- Groups map [uuid.UUID ][]string
1221- GroupFilter * regexp.Regexp
1220+ // These are the group names from the IDP. Internally, they will map to
1221+ // some organization groups.
1222+ Groups []string
1223+ GroupFilter * regexp.Regexp
12221224 // Is UsingRoles is true, then the user will be assigned
12231225 // the roles provided.
12241226 UsingRoles bool
@@ -1301,7 +1303,6 @@ func (api *API) oauthLogin(r *http.Request, params *oauthLoginParams) ([]*http.C
13011303 link database.UserLink
13021304 err error
13031305 )
1304-
13051306 user = params .User
13061307 link = params .Link
13071308
@@ -1457,23 +1458,50 @@ func (api *API) oauthLogin(r *http.Request, params *oauthLoginParams) ([]*http.C
14571458 }
14581459
14591460 // Ensure groups are correct.
1461+ // This places all groups into the default organization.
1462+ // To go multi-org, we need to add a mapping feature here to know which
1463+ // groups go to which orgs.
14601464 if params .UsingGroups {
14611465 filtered := params .Groups
14621466 if params .GroupFilter != nil {
1463- // For each org, filter the groups.
1464- for orgID , groups := range filtered {
1465- filteredList := make ([]string , 0 , len (groups ))
1466- for _ , group := range groups {
1467- if params .GroupFilter .MatchString (group ) {
1468- filteredList = append (filteredList , group )
1469- }
1467+ filtered = make ([]string , 0 , len (params .Groups ))
1468+ for _ , group := range params .Groups {
1469+ if params .GroupFilter .MatchString (group ) {
1470+ filtered = append (filtered , group )
14701471 }
1471- filtered [orgID ] = filteredList
14721472 }
14731473 }
14741474
1475+ //nolint:gocritic // No user present in the context.
1476+ defaultOrganization , err := tx .GetDefaultOrganization (dbauthz .AsSystemRestricted (ctx ))
1477+ if err != nil {
1478+ // If there is no default org, then we can't assign groups.
1479+ // By default, we assume all groups belong to the default org.
1480+ return xerrors .Errorf ("get default organization: %w" , err )
1481+ }
1482+
1483+ //nolint:gocritic // No user present in the context.
1484+ memberships , err := tx .GetOrganizationMembershipsByUserID (dbauthz .AsSystemRestricted (ctx ), user .ID )
1485+ if err != nil {
1486+ return xerrors .Errorf ("get organization memberships: %w" , err )
1487+ }
1488+
1489+ inDefault := false
1490+ for _ , membership := range memberships {
1491+ if membership .OrganizationID == defaultOrganization .ID {
1492+ inDefault = true
1493+ break
1494+ }
1495+ }
1496+
1497+ if ! inDefault {
1498+ return xerrors .Errorf ("user %s is not a member of the default organization, cannot assign to groups in the org" , user .ID )
1499+ }
1500+
14751501 //nolint:gocritic
1476- err := api .Options .SetUserGroups (dbauthz .AsSystemRestricted (ctx ), logger , tx , user .ID , filtered , params .CreateMissingGroups )
1502+ err = api .Options .SetUserGroups (dbauthz .AsSystemRestricted (ctx ), logger , tx , user .ID , map [uuid.UUID ][]string {
1503+ defaultOrganization .ID : filtered ,
1504+ }, params .CreateMissingGroups )
14771505 if err != nil {
14781506 return xerrors .Errorf ("set user groups: %w" , err )
14791507 }
0 commit comments