handle allow list

Emyrk · Emyrk · commit 7d4977ee7fb9 · 2024-09-05T12:25:35.000-05:00
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -312,11 +312,7 @@ func New(options *Options) *API {
 	)
 
 	if options.IDPSync == nil {
-		options.IDPSync = idpsync.NewAGPLSync(options.Logger, idpsync.DeploymentSyncSettings{
-			OrganizationField:         options.DeploymentValues.OIDC.OrganizationField.Value(),
-			OrganizationMapping:       options.DeploymentValues.OIDC.OrganizationMapping.Value,
-			OrganizationAssignDefault: options.DeploymentValues.OIDC.OrganizationAssignDefault.Value(),
-		})
+		options.IDPSync = idpsync.NewAGPLSync(options.Logger, options.RuntimeConfig, idpsync.FromDeploymentValues(options.DeploymentValues))
 	}
 
 	experiments := ReadExperiments(
diff --git a/coderd/idpsync/group.go b/coderd/idpsync/group.go
@@ -266,3 +266,11 @@ func (s GroupSyncSettings) HandleMissingGroups(ctx context.Context, tx database.
 
 	return addIDs, nil
 }
+
+func ConvertAllowList(allowList []string) map[string]struct{} {
+	allowMap := make(map[string]struct{}, len(allowList))
+	for _, group := range allowList {
+		allowMap[group] = struct{}{}
+	}
+	return allowMap
+}
diff --git a/coderd/idpsync/idpsync.go b/coderd/idpsync/idpsync.go
@@ -63,6 +63,29 @@ type DeploymentSyncSettings struct {
 	// placed into the default organization. This is mostly a hack to support
 	// legacy deployments.
 	OrganizationAssignDefault bool
+
+	// GroupField at the deployment level is used for deployment level group claim
+	// settings.
+	GroupField string
+	// GroupAllowList (if set) will restrict authentication to only users who
+	// have at least one group in this list.
+	// A map representation is used for easier lookup.
+	GroupAllowList map[string]struct{}
+}
+
+func FromDeploymentValues(dv *codersdk.DeploymentValues) DeploymentSyncSettings {
+	if dv == nil {
+		panic("Developer error: DeploymentValues should not be nil")
+	}
+	return DeploymentSyncSettings{
+		OrganizationField:         dv.OIDC.OrganizationField.Value(),
+		OrganizationMapping:       dv.OIDC.OrganizationMapping.Value,
+		OrganizationAssignDefault: dv.OIDC.OrganizationAssignDefault.Value(),
+
+		GroupField:     dv.OIDC.GroupField.Value(),
+		GroupAllowList: ConvertAllowList(dv.OIDC.GroupAllowList.Value()),
+	}
+
 }
 
 type SyncSettings struct {
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -1142,7 +1142,7 @@ func (api *API) oidcGroups(ctx context.Context, mergedClaims map[string]interfac
 				slog.F("allow_list_count", len(api.OIDCConfig.GroupAllowList)),
 				slog.F("user_group_count", len(groups)),
 			)
-			detail := "Ask an administrator to add one of your groups to the whitelist"
+			detail := "Ask an administrator to add one of your groups to the allow list"
 			if len(groups) == 0 {
 				detail = "You are currently not a member of any groups! Ask an administrator to add you to an authorized group to login."
 			}
diff --git a/enterprise/coderd/coderd.go b/enterprise/coderd/coderd.go
@@ -113,11 +113,7 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 	options.Database = cryptDB
 
 	if options.IDPSync == nil {
-		options.IDPSync = enidpsync.NewSync(options.Logger, options.Entitlements, idpsync.SyncSettings{
-			OrganizationField:         options.DeploymentValues.OIDC.OrganizationField.Value(),
-			OrganizationMapping:       options.DeploymentValues.OIDC.OrganizationMapping.Value,
-			OrganizationAssignDefault: options.DeploymentValues.OIDC.OrganizationAssignDefault.Value(),
-		})
+		options.IDPSync = enidpsync.NewSync(options.Logger, options.RuntimeConfig, options.Entitlements, idpsync.FromDeploymentValues(options.DeploymentValues))
 	}
 
 	api := &API{
diff --git a/enterprise/coderd/enidpsync/groups.go b/enterprise/coderd/enidpsync/groups.go
@@ -2,6 +2,7 @@ package enidpsync
 
 import (
 	"context"
+	"net/http"
 
 	"github.com/golang-jwt/jwt/v4"
 
@@ -11,7 +12,6 @@ import (
 
 func (e EnterpriseIDPSync) GroupSyncEnabled() bool {
 	return e.entitlements.Enabled(codersdk.FeatureTemplateRBAC)
-
 }
 
 // ParseGroupClaims parses the user claims and handles deployment wide group behavior.
@@ -23,6 +23,46 @@ func (e EnterpriseIDPSync) ParseGroupClaims(ctx context.Context, mergedClaims jw
 		return e.AGPLIDPSync.ParseGroupClaims(ctx, mergedClaims)
 	}
 
+	if e.GroupField != "" && len(e.GroupAllowList) > 0 {
+		groupsRaw, ok := mergedClaims[e.GroupField]
+		if !ok {
+			return idpsync.GroupParams{}, &idpsync.HTTPError{
+				Code:             http.StatusForbidden,
+				Msg:              "Not a member of an allowed group",
+				Detail:           "You have no groups in your claims!",
+				RenderStaticPage: true,
+			}
+		}
+		parsedGroups, err := idpsync.ParseStringSliceClaim(groupsRaw)
+		if err != nil {
+			return idpsync.GroupParams{}, &idpsync.HTTPError{
+				Code:             http.StatusBadRequest,
+				Msg:              "Failed read groups from claims for allow list check. Ask an administrator for help.",
+				Detail:           err.Error(),
+				RenderStaticPage: true,
+			}
+		}
+
+		inAllowList := false
+	AllowListCheckLoop:
+		for _, group := range parsedGroups {
+			if _, ok := e.GroupAllowList[group]; ok {
+				inAllowList = true
+				break AllowListCheckLoop
+			}
+		}
+
+		if !inAllowList {
+			return idpsync.GroupParams{}, &idpsync.HTTPError{
+				Code:             http.StatusForbidden,
+				Msg:              "Not a member of an allowed group",
+				Detail:           "Ask an administrator to add one of your groups to the allow list.",
+				RenderStaticPage: true,
+			}
+		}
+
+	}
+
 	return idpsync.GroupParams{
 		SyncEnabled:  e.OrganizationSyncEnabled(),
 		MergedClaims: mergedClaims,
diff --git a/enterprise/coderd/enidpsync/groups_test.go b/enterprise/coderd/enidpsync/groups_test.go
@@ -0,0 +1,35 @@
+package enidpsync_test
+
+import (
+	"testing"
+
+	"github.com/golang-jwt/jwt/v4"
+	"github.com/stretchr/testify/require"
+
+	"cdr.dev/slog/sloggers/slogtest"
+	"github.com/coder/coder/v2/coderd/entitlements"
+	"github.com/coder/coder/v2/coderd/idpsync"
+	"github.com/coder/coder/v2/coderd/runtimeconfig"
+	"github.com/coder/coder/v2/enterprise/coderd/enidpsync"
+	"github.com/coder/coder/v2/testutil"
+)
+
+func TestEnterpriseParseGroupClaims(t *testing.T) {
+	t.Parallel()
+
+	t.Run("NoEntitlements", func(t *testing.T) {
+		t.Parallel()
+
+		s := enidpsync.NewSync(slogtest.Make(t, &slogtest.Options{}),
+			runtimeconfig.NewNoopManager(),
+			entitlements.New(),
+			idpsync.DeploymentSyncSettings{})
+
+		ctx := testutil.Context(t, testutil.WaitMedium)
+
+		params, err := s.ParseGroupClaims(ctx, jwt.MapClaims{})
+		require.Nil(t, err)
+
+		require.False(t, params.SyncEnabled)
+	})
+}

Original file line number	Diff line number	Diff line change
`@@ -312,11 +312,7 @@ func New(options Options) API {`
`312`	`312`	`)`
`313`	`313`
`314`	`314`	`if options.IDPSync == nil {`
`315`		`- options.IDPSync = idpsync.NewAGPLSync(options.Logger, idpsync.DeploymentSyncSettings{`
`316`		`- OrganizationField: options.DeploymentValues.OIDC.OrganizationField.Value(),`
`317`		`- OrganizationMapping: options.DeploymentValues.OIDC.OrganizationMapping.Value,`
`318`		`- OrganizationAssignDefault: options.DeploymentValues.OIDC.OrganizationAssignDefault.Value(),`
`319`		`- })`
	`315`	`+ options.IDPSync = idpsync.NewAGPLSync(options.Logger, options.RuntimeConfig, idpsync.FromDeploymentValues(options.DeploymentValues))`
`320`	`316`	`}`
`321`	`317`
`322`	`318`	`experiments := ReadExperiments(`
Original file line number	Diff line number	Diff line change
`@@ -1142,7 +1142,7 @@ func (api *API) oidcGroups(ctx context.Context, mergedClaims map[string]interfac`
`1142`	`1142`	`slog.F("allow_list_count", len(api.OIDCConfig.GroupAllowList)),`
`1143`	`1143`	`slog.F("user_group_count", len(groups)),`
`1144`	`1144`	`)`
`1145`		`- detail := "Ask an administrator to add one of your groups to the whitelist"`
	`1145`	`+ detail := "Ask an administrator to add one of your groups to the allow list"`
`1146`	`1146`	`if len(groups) == 0 {`
`1147`	`1147`	`detail = "You are currently not a member of any groups! Ask an administrator to add you to an authorized group to login."`
`1148`	`1148`	`}`