wip

Emyrk · Emyrk · commit 99c97c215e63 · 2024-09-09T16:31:05.000-05:00
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -276,13 +276,6 @@ func New(options *Options) *API {
 	if options.Entitlements == nil {
 		options.Entitlements = entitlements.New()
 	}
-	if options.IDPSync == nil {
-		options.IDPSync = idpsync.NewAGPLSync(options.Logger, idpsync.SyncSettings{
-			OrganizationField:         options.DeploymentValues.OIDC.OrganizationField.Value(),
-			OrganizationMapping:       options.DeploymentValues.OIDC.OrganizationMapping.Value,
-			OrganizationAssignDefault: options.DeploymentValues.OIDC.OrganizationAssignDefault.Value(),
-		})
-	}
 	if options.NewTicker == nil {
 		options.NewTicker = func(duration time.Duration) (tick <-chan time.Time, done func()) {
 			ticker := time.NewTicker(duration)
@@ -318,6 +311,14 @@ func New(options *Options) *API {
 		options.AccessControlStore,
 	)
 
+	if options.IDPSync == nil {
+		options.IDPSync = idpsync.NewAGPLSync(options.Logger, idpsync.SyncSettings{
+			OrganizationField:         options.DeploymentValues.OIDC.OrganizationField.Value(),
+			OrganizationMapping:       options.DeploymentValues.OIDC.OrganizationMapping.Value,
+			OrganizationAssignDefault: options.DeploymentValues.OIDC.OrganizationAssignDefault.Value(),
+		})
+	}
+
 	experiments := ReadExperiments(
 		options.Logger, options.DeploymentValues.Experiments.Value(),
 	)
diff --git a/coderd/idpsync/group.go b/coderd/idpsync/group.go
@@ -0,0 +1,79 @@
+package idpsync
+
+import (
+	"context"
+
+	"github.com/golang-jwt/jwt/v4"
+	"github.com/google/uuid"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/dbauthz"
+)
+
+type GroupParams struct {
+	// SyncEnabled if false will skip syncing the user's groups
+	SyncEnabled  bool
+	MergedClaims jwt.MapClaims
+}
+
+func (AGPLIDPSync) GroupSyncEnabled() bool {
+	// AGPL does not support syncing groups.
+	return false
+}
+
+func (s AGPLIDPSync) ParseGroupClaims(_ context.Context, _ jwt.MapClaims) (GroupParams, *HTTPError) {
+	return GroupParams{
+		SyncEnabled: s.GroupSyncEnabled(),
+	}, nil
+}
+
+// TODO: Group allowlist behavior should probably happen at this step.
+func (s AGPLIDPSync) SyncGroups(ctx context.Context, db database.Store, user database.User, params GroupParams) error {
+	// Nothing happens if sync is not enabled
+	if !params.SyncEnabled {
+		return nil
+	}
+
+	// nolint:gocritic // all syncing is done as a system user
+	ctx = dbauthz.AsSystemRestricted(ctx)
+
+	db.InTx(func(tx database.Store) error {
+		userGroups, err := db.GetGroups(ctx, database.GetGroupsParams{
+			HasMemberID: user.ID,
+		})
+		if err != nil {
+			return xerrors.Errorf("get user groups: %w", err)
+		}
+
+		// Figure out which organizations the user is a member of.
+		userOrgs := make(map[uuid.UUID][]database.GetGroupsRow)
+		for _, g := range userGroups {
+			g := g
+			userOrgs[g.Group.OrganizationID] = append(userOrgs[g.Group.OrganizationID], g)
+		}
+
+		// Force each organization, we sync the groups.
+		db.RemoveUserFromAllGroups(ctx, user.ID)
+
+		return nil
+	}, nil)
+
+	//
+	//tx.InTx(func(tx database.Store) error {
+	//	// When setting the user's groups, it's easier to just clear their groups and re-add them.
+	//	// This ensures that the user's groups are always in sync with the auth provider.
+	//	 err := tx.RemoveUserFromAllGroups(ctx, user.ID)
+	//	if err != nil {
+	//		return err
+	//	}
+	//
+	//	for _, org := range userOrgs {
+	//
+	//	}
+	//
+	//	return nil
+	//}, nil)
+
+	return nil
+}
diff --git a/coderd/idpsync/idpsync.go b/coderd/idpsync/idpsync.go
@@ -3,6 +3,7 @@ package idpsync
 import (
 	"context"
 	"net/http"
+	"regexp"
 	"strings"
 
 	"github.com/golang-jwt/jwt/v4"
@@ -29,6 +30,11 @@ type IDPSync interface {
 	// SyncOrganizations assigns and removed users from organizations based on the
 	// provided params.
 	SyncOrganizations(ctx context.Context, tx database.Store, user database.User, params OrganizationParams) error
+
+	GroupSyncEnabled() bool
+	// ParseGroupClaims takes claims from an OIDC provider, and returns the
+	// group sync params for assigning users into groups.
+	ParseGroupClaims(ctx context.Context, _ jwt.MapClaims) (GroupParams, *HTTPError)
 }
 
 // AGPLIDPSync is the configuration for syncing user information from an external
@@ -50,17 +56,13 @@ type SyncSettings struct {
 	// placed into the default organization. This is mostly a hack to support
 	// legacy deployments.
 	OrganizationAssignDefault bool
-}
 
-type OrganizationParams struct {
-	// SyncEnabled if false will skip syncing the user's organizations.
-	SyncEnabled bool
-	// IncludeDefault is primarily for single org deployments. It will ensure
-	// a user is always inserted into the default org.
-	IncludeDefault bool
-	// Organizations is the list of organizations the user should be a member of
-	// assuming syncing is turned on.
-	Organizations []uuid.UUID
+	// Group options here are set by the deployment config and only apply to
+	// the default organization.
+	GroupField          string
+	CreateMissingGroups bool
+	GroupMapping        map[string]string
+	GroupFilter         *regexp.Regexp
 }
 
 func NewAGPLSync(logger slog.Logger, settings SyncSettings) *AGPLIDPSync {
diff --git a/coderd/idpsync/organization.go b/coderd/idpsync/organization.go
@@ -16,6 +16,17 @@ import (
 	"github.com/coder/coder/v2/coderd/util/slice"
 )
 
+type OrganizationParams struct {
+	// SyncEnabled if false will skip syncing the user's organizations.
+	SyncEnabled bool
+	// IncludeDefault is primarily for single org deployments. It will ensure
+	// a user is always inserted into the default org.
+	IncludeDefault bool
+	// Organizations is the list of organizations the user should be a member of
+	// assuming syncing is turned on.
+	Organizations []uuid.UUID
+}
+
 func (AGPLIDPSync) OrganizationSyncEnabled() bool {
 	// AGPL does not support syncing organizations.
 	return false
diff --git a/enterprise/coderd/coderd.go b/enterprise/coderd/coderd.go
@@ -80,13 +80,6 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 	if options.Entitlements == nil {
 		options.Entitlements = entitlements.New()
 	}
-	if options.IDPSync == nil {
-		options.IDPSync = enidpsync.NewSync(options.Logger, options.Entitlements, idpsync.SyncSettings{
-			OrganizationField:         options.DeploymentValues.OIDC.OrganizationField.Value(),
-			OrganizationMapping:       options.DeploymentValues.OIDC.OrganizationMapping.Value,
-			OrganizationAssignDefault: options.DeploymentValues.OIDC.OrganizationAssignDefault.Value(),
-		})
-	}
 
 	ctx, cancelFunc := context.WithCancel(ctx)
 
@@ -118,6 +111,15 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 	}
 
 	options.Database = cryptDB
+
+	if options.IDPSync == nil {
+		options.IDPSync = enidpsync.NewSync(options.Logger, options.Entitlements, idpsync.SyncSettings{
+			OrganizationField:         options.DeploymentValues.OIDC.OrganizationField.Value(),
+			OrganizationMapping:       options.DeploymentValues.OIDC.OrganizationMapping.Value,
+			OrganizationAssignDefault: options.DeploymentValues.OIDC.OrganizationAssignDefault.Value(),
+		})
+	}
+
 	api := &API{
 		ctx:     ctx,
 		cancel:  cancelFunc,
diff --git a/enterprise/coderd/enidpsync/enidpsync.go b/enterprise/coderd/enidpsync/enidpsync.go
@@ -2,7 +2,6 @@ package enidpsync
 
 import (
 	"cdr.dev/slog"
-
 	"github.com/coder/coder/v2/coderd/entitlements"
 	"github.com/coder/coder/v2/coderd/idpsync"
 )
diff --git a/enterprise/coderd/enidpsync/groups.go b/enterprise/coderd/enidpsync/groups.go
@@ -0,0 +1,28 @@
+package enidpsync
+
+import (
+	"context"
+
+	"github.com/golang-jwt/jwt/v4"
+
+	"github.com/coder/coder/v2/coderd/idpsync"
+	"github.com/coder/coder/v2/codersdk"
+)
+
+func (e EnterpriseIDPSync) GroupSyncEnabled() bool {
+	return e.entitlements.Enabled(codersdk.FeatureTemplateRBAC)
+
+}
+
+// ParseGroupClaims returns the groups from the external IDP.
+// TODO: Implement group allow_list behavior here since that is deployment wide.
+func (e EnterpriseIDPSync) ParseGroupClaims(ctx context.Context, mergedClaims jwt.MapClaims) (idpsync.GroupParams, *idpsync.HTTPError) {
+	if !e.GroupSyncEnabled() {
+		return e.AGPLIDPSync.ParseGroupClaims(ctx, mergedClaims)
+	}
+
+	return idpsync.GroupParams{
+		SyncEnabled:  e.OrganizationSyncEnabled(),
+		MergedClaims: mergedClaims,
+	}, nil
+}

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,6 @@ package enidpsync`
`2`	`2`
`3`	`3`	`import (`
`4`	`4`	`"cdr.dev/slog"`
`5`		`-`
`6`	`5`	`"github.com/coder/coder/v2/coderd/entitlements"`
`7`	`6`	`"github.com/coder/coder/v2/coderd/idpsync"`
`8`	`7`	`)`