chore: implement change set operation for org sync

Emyrk · Emyrk · commit a89f76b60570 · 2024-08-22T12:31:38.000-05:00
add/remove users to/from orgs based on expected set
diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go
@@ -764,29 +764,9 @@ func SiteRoles() []Role {
 // RBAC checks can be applied using "ActionCreate" and "ActionDelete" for
 // "added" and "removed" roles respectively.
 func ChangeRoleSet(from []RoleIdentifier, to []RoleIdentifier) (added []RoleIdentifier, removed []RoleIdentifier) {
-	has := make(map[RoleIdentifier]struct{})
-	for _, exists := range from {
-		has[exists] = struct{}{}
-	}
-
-	for _, roleName := range to {
-		// If the user already has the role assigned, we don't need to check the permission
-		// to reassign it. Only run permission checks on the difference in the set of
-		// roles.
-		if _, ok := has[roleName]; ok {
-			delete(has, roleName)
-			continue
-		}
-
-		added = append(added, roleName)
-	}
-
-	// Remaining roles are the ones removed/deleted.
-	for roleName := range has {
-		removed = append(removed, roleName)
-	}
-
-	return added, removed
+	return slice.SymmetricDifferenceFunc(from, to, func(a, b RoleIdentifier) bool {
+		return a.Name == b.Name && a.OrganizationID == b.OrganizationID
+	})
 }
 
 // Permissions is just a helper function to make building roles that list out resources
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -25,6 +25,8 @@ import (
 	"golang.org/x/xerrors"
 
 	"cdr.dev/slog"
+	"github.com/coder/coder/v2/coderd/database/db2sdk"
+	"github.com/coder/coder/v2/coderd/util/slice"
 
 	"github.com/coder/coder/v2/coderd/apikey"
 	"github.com/coder/coder/v2/coderd/audit"
@@ -1430,6 +1432,7 @@ func (api *API) oauthLogin(r *http.Request, params *oauthLoginParams) ([]*http.C
 		// This can happen if a user is a built-in user but is signing in
 		// with OIDC for the first time.
 		if user.ID == uuid.Nil {
+			// TODO: Remove this, and only use params
 			// Until proper multi-org support, all users will be added to the default organization.
 			// The default organization should always be present.
 			//nolint:gocritic
@@ -1540,6 +1543,74 @@ func (api *API) oauthLogin(r *http.Request, params *oauthLoginParams) ([]*http.C
 			}
 		}
 
+		if params.UsingOrganizations {
+			var expected []uuid.UUID
+			// ignored keeps track of which configured organization syncs were
+			// ignored. Ignored options are no-ops.
+			ignored := make([]string, 0)
+			for _, orgSearch := range params.Organizations {
+				orgID, err := uuid.Parse(orgSearch)
+				if err == nil {
+					expected = append(expected, orgID)
+					continue
+				}
+				//nolint:gocritic // System actor being used to assign orgs
+				org, err := tx.GetOrganizationByName(dbauthz.AsSystemRestricted(ctx), orgSearch)
+				if err == nil {
+					expected = append(expected, org.ID)
+					continue
+				}
+				ignored = append(ignored, orgSearch)
+			}
+
+			if params.AssignDefaultOrganization {
+				//nolint:gocritic // System actor being used to assign orgs
+				defaultOrg, err := tx.GetDefaultOrganization(dbauthz.AsSystemRestricted(ctx))
+				if err != nil {
+					return xerrors.Errorf("get default organization: %w", err)
+				}
+				expected = append(expected, defaultOrg.ID)
+			}
+
+			// Sync the user's organizations to the ones provided.
+			//nolint:gocritic // Using to system to ensure all memberships are returned
+			existingOrgs, err := tx.GetOrganizationsByUserID(dbauthz.AsSystemRestricted(ctx), user.ID)
+			if err != nil {
+				return xerrors.Errorf("get user organizations: %w", err)
+			}
+
+			have := db2sdk.List(existingOrgs, func(org database.Organization) uuid.UUID {
+				return org.ID
+			})
+			// Find the difference in the expected and the existing orgs, and
+			// correct the set of orgs the user is a member of.
+			add, remove := slice.SymmetricDifference(have, expected)
+			for _, orgID := range add {
+				//nolint:gocritic // System actor being used to assign orgs
+				_, err := tx.InsertOrganizationMember(dbauthz.AsSystemRestricted(ctx), database.InsertOrganizationMemberParams{
+					OrganizationID: orgID,
+					UserID:         user.ID,
+					CreatedAt:      dbtime.Now(),
+					UpdatedAt:      dbtime.Now(),
+					Roles:          []string{},
+				})
+				if err != nil {
+					return xerrors.Errorf("add user to organization: %w", err)
+				}
+			}
+
+			for _, orgID := range remove {
+				//nolint:gocritic // System actor being used to assign orgs
+				err := tx.DeleteOrganizationMember(dbauthz.AsSystemRestricted(ctx), database.DeleteOrganizationMemberParams{
+					OrganizationID: orgID,
+					UserID:         user.ID,
+				})
+				if err != nil {
+					return xerrors.Errorf("remove user from organization: %w", err)
+				}
+			}
+		}
+
 		// Ensure groups are correct.
 		// This places all groups into the default organization.
 		// To go multi-org, we need to add a mapping feature here to know which
diff --git a/coderd/util/slice/slice.go b/coderd/util/slice/slice.go
@@ -4,6 +4,43 @@ import (
 	"golang.org/x/exp/constraints"
 )
 
+// SymmetricDifference returns the elements that need to be added and removed
+// to get from set 'a' to set 'b'.
+// In classical set theory notation, SymmetricDifference returns
+// all elements of {add} and {remove} together. It is more useful to
+// return them as their own slices.
+// Example:
+//
+//	a := []int{1, 3, 4}
+//	b := []int{1, 2}
+//	add, remove := SymmetricDifference(a, b)
+//	fmt.Println(add)    // [2]
+//	fmt.Println(remove) // [3, 4]
+func SymmetricDifference[T comparable](a, b []T) (add []T, remove []T) {
+	return Difference(b, a), Difference(a, b)
+}
+
+// Difference returns the elements in 'a' that are not in 'b'.
+func Difference[T comparable](a []T, b []T) []T {
+	return DifferenceFunc(a, b, func(a, b T) bool {
+		return a == b
+	})
+}
+
+func SymmetricDifferenceFunc[T any](a, b []T, equal func(a, b T) bool) (add []T, remove []T) {
+	return DifferenceFunc(a, b, equal), DifferenceFunc(b, a, equal)
+}
+
+func DifferenceFunc[T any](a []T, b []T, equal func(a, b T) bool) []T {
+	tmp := make([]T, 0, len(a))
+	for _, v := range a {
+		if !ContainsCompare(b, v, equal) {
+			tmp = append(tmp, v)
+		}
+	}
+	return tmp
+}
+
 // ToStrings works for any type where the base type is a string.
 func ToStrings[T ~string](a []T) []string {
 	tmp := make([]string, 0, len(a))
diff --git a/coderd/util/slice/slice_test.go b/coderd/util/slice/slice_test.go
@@ -11,6 +11,52 @@ import (
 	"github.com/coder/coder/v2/coderd/util/slice"
 )
 
+func TestSymmetricDifference(t *testing.T) {
+	t.Parallel()
+
+	t.Run("Simple", func(t *testing.T) {
+		add, remove := slice.SymmetricDifference([]int{1, 3, 4}, []int{1, 2})
+		require.ElementsMatch(t, []int{2}, add)
+		require.ElementsMatch(t, []int{3, 4}, remove)
+	})
+
+	t.Run("Large", func(t *testing.T) {
+		add, remove := slice.SymmetricDifference(
+			[]int{1, 2, 3, 4, 5, 10, 11, 12, 13, 14, 15},
+			[]int{1, 3, 7, 9, 11, 13, 17},
+		)
+		require.ElementsMatch(t, []int{7, 9, 17}, add)
+		require.ElementsMatch(t, []int{2, 4, 5, 10, 12, 14, 15}, remove)
+	})
+
+	t.Run("AddOnly", func(t *testing.T) {
+		add, remove := slice.SymmetricDifference(
+			[]int{1, 2},
+			[]int{1, 2, 3, 4, 5, 6, 7, 8, 9},
+		)
+		require.ElementsMatch(t, []int{3, 4, 5, 6, 7, 8, 9}, add)
+		require.ElementsMatch(t, []int{}, remove)
+	})
+
+	t.Run("RemoveOnly", func(t *testing.T) {
+		add, remove := slice.SymmetricDifference(
+			[]int{1, 2, 3, 4, 5, 6, 7, 8, 9},
+			[]int{1, 2},
+		)
+		require.ElementsMatch(t, []int{}, add)
+		require.ElementsMatch(t, []int{3, 4, 5, 6, 7, 8, 9}, remove)
+	})
+
+	t.Run("Equal", func(t *testing.T) {
+		add, remove := slice.SymmetricDifference(
+			[]int{1, 2, 3, 4, 5, 6, 7, 8, 9},
+			[]int{1, 2, 3, 4, 5, 6, 7, 8, 9},
+		)
+		require.ElementsMatch(t, []int{}, add)
+		require.ElementsMatch(t, []int{}, remove)
+	})
+}
+
 func TestSameElements(t *testing.T) {
 	t.Parallel()
 
