Add new entitlement to control this feature

Emyrk · Emyrk · commit 5e3b6f88cf71 · 2023-07-20T08:41:34.000-04:00
diff --git a/codersdk/deployment.go b/codersdk/deployment.go
@@ -40,6 +40,7 @@ const (
 	FeatureBrowserOnly                FeatureName = "browser_only"
 	FeatureSCIM                       FeatureName = "scim"
 	FeatureTemplateRBAC               FeatureName = "template_rbac"
+	FeatureUserRoleManagement         FeatureName = "user_role_management"
 	FeatureHighAvailability           FeatureName = "high_availability"
 	FeatureMultipleGitAuth            FeatureName = "multiple_git_auth"
 	FeatureExternalProvisionerDaemons FeatureName = "external_provisioner_daemons"
@@ -61,6 +62,7 @@ var FeatureNames = []FeatureName{
 	FeatureAppearance,
 	FeatureAdvancedTemplateScheduling,
 	FeatureWorkspaceProxy,
+	FeatureUserRoleManagement,
 }
 
 // Humanize returns the feature name in a human-readable format.
diff --git a/enterprise/coderd/userauth.go b/enterprise/coderd/userauth.go
@@ -6,6 +6,7 @@ import (
 	"github.com/google/uuid"
 	"golang.org/x/xerrors"
 
+	"cdr.dev/slog"
 	"github.com/coder/coder/coderd"
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/codersdk"
@@ -53,6 +54,17 @@ func (api *API) setUserGroups(ctx context.Context, db database.Store, userID uui
 }
 
 func (api *API) setUserSiteRoles(ctx context.Context, db database.Store, userID uuid.UUID, roles []string) error {
+	api.entitlementsMu.RLock()
+	enabled := api.entitlements.Features[codersdk.FeatureUserRoleManagement].Enabled
+	api.entitlementsMu.RUnlock()
+
+	if !enabled {
+		api.Logger.Warn(ctx, "attempted to assign OIDC user roles without enterprise entitlement, roles left unchanged.",
+			slog.F("user_id", userID), slog.F("roles", roles),
+		)
+		return nil
+	}
+
 	// Should this be feature protected?
 	return db.InTx(func(tx database.Store) error {
 		_, err := coderd.UpdateSiteUserRoles(ctx, db, database.UpdateUserRolesParams{
