feat(enterprise/scim): add support for multi-organization

coadler · coadler · commit b49ea6f76d6d · 2024-09-16T17:33:56.000Z
diff --git a/codersdk/deployment.go b/codersdk/deployment.go
@@ -366,6 +366,7 @@ type DeploymentValues struct {
 	AgentFallbackTroubleshootingURL serpent.URL                          `json:"agent_fallback_troubleshooting_url,omitempty" typescript:",notnull"`
 	BrowserOnly                     serpent.Bool                         `json:"browser_only,omitempty" typescript:",notnull"`
 	SCIMAPIKey                      serpent.String                       `json:"scim_api_key,omitempty" typescript:",notnull"`
+	SCIMOrganization                serpent.String                       `json:"scim_organization,omitempty" typescript:",notnull"`
 	ExternalTokenEncryptionKeys     serpent.StringArray                  `json:"external_token_encryption_keys,omitempty" typescript:",notnull"`
 	Provisioner                     ProvisionerConfig                    `json:"provisioner,omitempty" typescript:",notnull"`
 	RateLimit                       RateLimitConfig                      `json:"rate_limit,omitempty" typescript:",notnull"`
@@ -2162,6 +2163,15 @@ when required by your organization's security policy.`,
 			Annotations: serpent.Annotations{}.Mark(annotationEnterpriseKey, "true").Mark(annotationSecretKey, "true"),
 			Value:       &c.SCIMAPIKey,
 		},
+		{
+			Name:        "SCIM Organization",
+			Description: "Enables SCIM and sets the authentication header for the built-in SCIM server. New users are automatically created with OIDC authentication.",
+			Flag:        "scim-auth-header",
+			Env:         "CODER_SCIM_AUTH_HEADER",
+			Annotations: serpent.Annotations{}.Mark(annotationEnterpriseKey, "true").Mark(annotationSecretKey, "true"),
+			Value:       &c.SCIMOrganization,
+			Default:     "default",
+		},
 		{
 			Name:        "External Token Encryption Keys",
 			Description: "Encrypt OIDC and Git authentication tokens with AES-256-GCM in the database. The value must be a comma-separated list of base64-encoded keys. Each key, when base64-decoded, must be exactly 32 bytes in length. The first key will be used to encrypt new values. Subsequent keys will be used as a fallback when decrypting. During normal operation it is recommended to only set one key unless you are in the process of rotating keys with the `coder server dbcrypt rotate` command.",
diff --git a/enterprise/cli/server.go b/enterprise/cli/server.go
@@ -88,6 +88,7 @@ func (r *RootCmd) Server(_ func()) *serpent.Command {
 			AuditLogging:              true,
 			BrowserOnly:               options.DeploymentValues.BrowserOnly.Value(),
 			SCIMAPIKey:                []byte(options.DeploymentValues.SCIMAPIKey.Value()),
+			SCIMOrganizationName:      options.DeploymentValues.SCIMOrganization.Value(),
 			RBAC:                      true,
 			DERPServerRelayAddress:    options.DeploymentValues.DERP.Server.RelayURL.String(),
 			DERPServerRegionID:        int(options.DeploymentValues.DERP.Server.RegionID.Value()),
diff --git a/enterprise/coderd/coderd.go b/enterprise/coderd/coderd.go
@@ -527,8 +527,9 @@ type Options struct {
 	RBAC         bool
 	AuditLogging bool
 	// Whether to block non-browser connections.
-	BrowserOnly bool
-	SCIMAPIKey  []byte
+	BrowserOnly          bool
+	SCIMAPIKey           []byte
+	SCIMOrganizationName string
 
 	ExternalTokenEncryption []dbcrypt.Cipher
 
diff --git a/enterprise/coderd/coderdenttest/coderdenttest.go b/enterprise/coderd/coderdenttest/coderdenttest.go
@@ -65,6 +65,7 @@ type Options struct {
 	BrowserOnly                bool
 	EntitlementsUpdateInterval time.Duration
 	SCIMAPIKey                 []byte
+	SCIMOrganizationName       string
 	UserWorkspaceQuota         int
 	ProxyHealthInterval        time.Duration
 	LicenseOptions             *LicenseOptions
@@ -105,6 +106,7 @@ func NewWithAPI(t *testing.T, options *Options) (
 		AuditLogging:               options.AuditLogging,
 		BrowserOnly:                options.BrowserOnly,
 		SCIMAPIKey:                 options.SCIMAPIKey,
+		SCIMOrganizationName:       options.SCIMOrganizationName,
 		DERPServerRelayAddress:     oop.AccessURL.String(),
 		DERPServerRegionID:         oop.BaseDERPMap.RegionIDs()[0],
 		ReplicaSyncUpdateInterval:  options.ReplicaSyncUpdateInterval,
diff --git a/enterprise/coderd/scim.go b/enterprise/coderd/scim.go
@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"net/http"
 
+	"cdr.dev/slog"
 	"github.com/go-chi/chi/v5"
 	"github.com/google/uuid"
 	"github.com/imulab/go-scim/pkg/v2/handlerutil"
@@ -217,22 +218,36 @@ func (api *API) scimPostUser(rw http.ResponseWriter, r *http.Request) {
 		sUser.UserName = codersdk.UsernameFrom(sUser.UserName)
 	}
 
-	// TODO: This is a temporary solution that does not support multi-org
-	// 	deployments. This assumption places all new SCIM users into the
-	//	default organization.
-	//nolint:gocritic
-	defaultOrganization, err := api.Database.GetDefaultOrganization(dbauthz.AsSystemRestricted(ctx))
-	if err != nil {
-		_ = handlerutil.WriteError(rw, err)
-		return
+	var org database.Organization
+	switch api.SCIMOrganizationName {
+	case "", "default":
+		//nolint:gocritic
+		org, err = api.Database.GetDefaultOrganization(dbauthz.AsSystemRestricted(ctx))
+		if err != nil {
+			_ = handlerutil.WriteError(rw, err)
+			return
+		}
+
+	default:
+		//nolint:gocritic
+		org, err = api.Database.GetOrganizationByName(dbauthz.AsSystemRestricted(ctx), api.SCIMOrganizationName)
+		if err != nil {
+			if xerrors.Is(err, sql.ErrNoRows) {
+				api.Logger.Error(ctx, "unknown organization set for CODER_SCIM_ORGANIZATION", slog.Error(err), slog.F("organization_name", api.SCIMOrganizationName))
+				_ = handlerutil.WriteError(rw, xerrors.Errorf("SCIM is configured with an organization that does not exist: %q", api.SCIMOrganizationName))
+				return
+			}
+			_ = handlerutil.WriteError(rw, err)
+			return
+		}
 	}
 
 	//nolint:gocritic // needed for SCIM
 	dbUser, err = api.AGPL.CreateUser(dbauthz.AsSystemRestricted(ctx), api.Database, agpl.CreateUserRequest{
 		CreateUserRequestWithOrgs: codersdk.CreateUserRequestWithOrgs{
 			Username:        sUser.UserName,
 			Email:           email,
-			OrganizationIDs: []uuid.UUID{defaultOrganization.ID},
+			OrganizationIDs: []uuid.UUID{org.ID},
 		},
 		LoginType: database.LoginTypeOIDC,
 		// Do not send notifications to user admins as SCIM endpoint might be called sequentially to all users.
diff --git a/enterprise/coderd/scim_test.go b/enterprise/coderd/scim_test.go
@@ -1,6 +1,7 @@
 package coderd_test
 
 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"fmt"
@@ -157,11 +158,125 @@ func TestScim(t *testing.T) {
 			require.Len(t, userRes.Users, 1)
 			assert.Equal(t, sUser.Emails[0].Value, userRes.Users[0].Email)
 			assert.Equal(t, sUser.UserName, userRes.Users[0].Username)
+			require.Len(t, userRes.Users[0].OrganizationIDs, 1)
 
 			// Expect zero notifications (SkipNotifications = true)
 			require.Empty(t, notifyEnq.Sent)
 		})
 
+		t.Run("OK_Organization", func(t *testing.T) {
+			t.Parallel()
+
+			ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+			defer cancel()
+			orgName := "coolin-org"
+
+			// given
+			dv := coderdtest.DeploymentValues(t)
+			dv.Experiments = []string{string(codersdk.ExperimentMultiOrganization)}
+			scimAPIKey := []byte("hi")
+			mockAudit := audit.NewMock()
+			notifyEnq := &testutil.FakeNotificationsEnqueuer{}
+			client, _ := coderdenttest.New(t, &coderdenttest.Options{
+				Options: &coderdtest.Options{
+					Auditor:               mockAudit,
+					NotificationsEnqueuer: notifyEnq,
+					DeploymentValues:      dv,
+				},
+				SCIMAPIKey:           scimAPIKey,
+				SCIMOrganizationName: orgName,
+				AuditLogging:         true,
+				LicenseOptions: &coderdenttest.LicenseOptions{
+					AccountID:  "coolin",
+					FeatureSet: codersdk.FeatureSetPremium,
+					// Features: license.Features{
+					// 	codersdk.FeatureSCIM:     1,
+					// 	codersdk.FeatureAuditLog: 1,
+					// },
+				},
+			})
+
+			org, err := client.CreateOrganization(ctx, codersdk.CreateOrganizationRequest{
+				Name: orgName,
+			})
+			require.NoError(t, err)
+			mockAudit.ResetLogs()
+
+			// when
+			sUser := makeScimUser(t)
+			res, err := client.Request(ctx, "POST", "/scim/v2/Users", sUser, setScimAuth(scimAPIKey))
+			require.NoError(t, err)
+			defer res.Body.Close()
+			require.Equal(t, http.StatusOK, res.StatusCode)
+
+			// then
+			// Expect audit logs
+			aLogs := mockAudit.AuditLogs()
+			require.Len(t, aLogs, 1)
+			af := map[string]string{}
+			err = json.Unmarshal([]byte(aLogs[0].AdditionalFields), &af)
+			require.NoError(t, err)
+			assert.Equal(t, coderd.SCIMAuditAdditionalFields, af)
+			assert.Equal(t, database.AuditActionCreate, aLogs[0].Action)
+
+			// Expect users exposed over API
+			userRes, err := client.Users(ctx, codersdk.UsersRequest{Search: sUser.Emails[0].Value})
+			require.NoError(t, err)
+			require.Len(t, userRes.Users, 1)
+			assert.Equal(t, sUser.Emails[0].Value, userRes.Users[0].Email)
+			assert.Equal(t, sUser.UserName, userRes.Users[0].Username)
+			assert.Len(t, userRes.Users[0].OrganizationIDs, 1)
+			assert.Equal(t, org.ID, userRes.Users[0].OrganizationIDs[0])
+
+			// Expect zero notifications (SkipNotifications = true)
+			require.Empty(t, notifyEnq.Sent)
+		})
+
+		t.Run("UnknownOrganization", func(t *testing.T) {
+			t.Parallel()
+
+			ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+			defer cancel()
+			orgName := "coolin-org"
+
+			// given
+			dv := coderdtest.DeploymentValues(t)
+			dv.Experiments = []string{string(codersdk.ExperimentMultiOrganization)}
+			scimAPIKey := []byte("hi")
+			mockAudit := audit.NewMock()
+			notifyEnq := &testutil.FakeNotificationsEnqueuer{}
+			client, _ := coderdenttest.New(t, &coderdenttest.Options{
+				Options: &coderdtest.Options{
+					Auditor:               mockAudit,
+					NotificationsEnqueuer: notifyEnq,
+					DeploymentValues:      dv,
+				},
+				SCIMAPIKey:           scimAPIKey,
+				SCIMOrganizationName: "org-that-doesnt-exist",
+				AuditLogging:         true,
+				LicenseOptions: &coderdenttest.LicenseOptions{
+					AccountID:  "coolin",
+					FeatureSet: codersdk.FeatureSetPremium,
+				},
+			})
+
+			_, err := client.CreateOrganization(ctx, codersdk.CreateOrganizationRequest{
+				Name: orgName,
+			})
+			require.NoError(t, err)
+			mockAudit.ResetLogs()
+
+			// when
+			sUser := makeScimUser(t)
+			res, err := client.Request(ctx, "POST", "/scim/v2/Users", sUser, setScimAuth(scimAPIKey))
+			require.NoError(t, err)
+			defer res.Body.Close()
+			require.Equal(t, http.StatusInternalServerError, res.StatusCode)
+			body := bytes.NewBuffer(nil)
+			_, _ = io.Copy(body, res.Body)
+			require.Contains(t, body.String(), "org-that-doesnt-exist")
+		})
+
 		t.Run("Duplicate", func(t *testing.T) {
 			t.Parallel()
 
