|
| 1 | +package idpsync |
| 2 | + |
| 3 | +import ( |
| 4 | + "context" |
| 5 | + |
| 6 | + "github.com/golang-jwt/jwt/v4" |
| 7 | + |
| 8 | + "github.com/coder/coder/v2/coderd/database" |
| 9 | + "github.com/coder/coder/v2/coderd/database/dbauthz" |
| 10 | + "github.com/coder/coder/v2/coderd/runtimeconfig" |
| 11 | +) |
| 12 | + |
| 13 | +type RoleParams struct { |
| 14 | + // SyncEnabled if false will skip syncing the user's roles |
| 15 | + SyncEnabled bool |
| 16 | + MergedClaims jwt.MapClaims |
| 17 | +} |
| 18 | + |
| 19 | +func (AGPLIDPSync) RoleSyncEnabled() bool { |
| 20 | + // AGPL does not support syncing groups. |
| 21 | + return false |
| 22 | +} |
| 23 | +func (s AGPLIDPSync) RoleSyncSettings() runtimeconfig.RuntimeEntry[*RoleSyncSettings] { |
| 24 | + return s.Role |
| 25 | +} |
| 26 | + |
| 27 | +func (s AGPLIDPSync) ParseRoleClaims(_ context.Context, _ jwt.MapClaims) (RoleParams, *HTTPError) { |
| 28 | + return RoleParams{ |
| 29 | + SyncEnabled: s.RoleSyncEnabled(), |
| 30 | + }, nil |
| 31 | +} |
| 32 | + |
| 33 | +func (s AGPLIDPSync) SyncRoles(ctx context.Context, db database.Store, user database.User, params RoleParams) error { |
| 34 | + // Nothing happens if sync is not enabled |
| 35 | + if !params.SyncEnabled { |
| 36 | + return nil |
| 37 | + } |
| 38 | + |
| 39 | + // nolint:gocritic // all syncing is done as a system user |
| 40 | + ctx = dbauthz.AsSystemRestricted(ctx) |
| 41 | + |
| 42 | + return nil |
| 43 | +} |
| 44 | + |
| 45 | +type RoleSyncSettings struct { |
| 46 | + // Field selects the claim field to be used as the created user's |
| 47 | + // groups. If the group field is the empty string, then no group updates |
| 48 | + // will ever come from the OIDC provider. |
| 49 | + Field string `json:"field"` |
| 50 | + // Mapping maps from an OIDC group --> Coder organization role |
| 51 | + Mapping map[string][]string `json:"mapping"` |
| 52 | +} |
0 commit comments