add api endpoints

Emyrk · Emyrk · commit f0832f18da8a · 2024-11-14T13:48:52.000-06:00
diff --git a/coderd/database/oidcclaims_test.go b/coderd/database/oidcclaims_test.go
@@ -109,13 +109,15 @@ func TestOIDCClaims(t *testing.T) {
 			charlie,
 		)...,
 	).Do()
+	orgC := dbfake.Organization(t, db).Members().Do()
 
 	// Verify the OIDC claim fields
 	always := []string{"array", "map", "nil", "number"}
 	expectA := append([]string{"sub", "alice-id", "bob-id", "bob-info"}, always...)
 	expectB := append([]string{"sub", "bob-id", "bob-info", "charlie-id", "charlie-info"}, always...)
 	requireClaims(t, db, orgA.Org.ID, expectA)
 	requireClaims(t, db, orgB.Org.ID, expectB)
+	requireClaims(t, db, orgC.Org.ID, []string{})
 	requireClaims(t, db, uuid.Nil, slice.Unique(append(expectA, expectB...)))
 }
 
diff --git a/codersdk/idpsync.go b/codersdk/idpsync.go
@@ -137,3 +137,31 @@ func (c *Client) PatchOrganizationIDPSyncSettings(ctx context.Context, req Organ
 	var resp OrganizationSyncSettings
 	return resp, json.NewDecoder(res.Body).Decode(&resp)
 }
+
+func (c *Client) GetAvailableIDPSyncFields(ctx context.Context) ([]string, error) {
+	res, err := c.Request(ctx, http.MethodGet, "/api/v2/settings/idpsync/available-fields", nil)
+	if err != nil {
+		return nil, xerrors.Errorf("make request: %w", err)
+	}
+	defer res.Body.Close()
+
+	if res.StatusCode != http.StatusOK {
+		return nil, ReadBodyAsError(res)
+	}
+	var resp []string
+	return resp, json.NewDecoder(res.Body).Decode(&resp)
+}
+
+func (c *Client) GetOrganizationAvailableIDPSyncFields(ctx context.Context, orgID string) ([]string, error) {
+	res, err := c.Request(ctx, http.MethodGet, fmt.Sprintf("/api/v2/organizations/%s/settings/idpsync/available-fields", orgID), nil)
+	if err != nil {
+		return nil, xerrors.Errorf("make request: %w", err)
+	}
+	defer res.Body.Close()
+
+	if res.StatusCode != http.StatusOK {
+		return nil, ReadBodyAsError(res)
+	}
+	var resp []string
+	return resp, json.NewDecoder(res.Body).Decode(&resp)
+}
diff --git a/enterprise/coderd/coderd.go b/enterprise/coderd/coderd.go
@@ -291,9 +291,12 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 			r.Use(
 				apiKeyMiddleware,
 			)
-			r.Route("/settings/idpsync/organization", func(r chi.Router) {
-				r.Get("/", api.organizationIDPSyncSettings)
-				r.Patch("/", api.patchOrganizationIDPSyncSettings)
+			r.Route("/settings/idpsync", func(r chi.Router) {
+				r.Route("/organization", func(r chi.Router) {
+					r.Get("/", api.organizationIDPSyncSettings)
+					r.Patch("/", api.patchOrganizationIDPSyncSettings)
+				})
+				r.Get("/available-fields", api.deploymentIDPSyncClaimFields)
 			})
 		})
 
@@ -303,6 +306,7 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 				httpmw.ExtractOrganizationParam(api.Database),
 			)
 			r.Route("/organizations/{organization}/settings", func(r chi.Router) {
+				r.Get("/idpsync/available-fields", api.organizationIDPSyncClaimFields)
 				r.Get("/idpsync/groups", api.groupIDPSyncSettings)
 				r.Patch("/idpsync/groups", api.patchGroupIDPSyncSettings)
 				r.Get("/idpsync/roles", api.roleIDPSyncSettings)
diff --git a/enterprise/coderd/idpsync.go b/enterprise/coderd/idpsync.go
@@ -1,8 +1,11 @@
 package coderd
 
 import (
+	"fmt"
 	"net/http"
 
+	"github.com/google/uuid"
+
 	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/httpmw"
@@ -255,3 +258,50 @@ func (api *API) patchOrganizationIDPSyncSettings(rw http.ResponseWriter, r *http
 		AssignDefault: settings.AssignDefault,
 	})
 }
+
+// @Summary Get the available idp sync claim fields
+// @ID get-the-available-idp-sync-claim-fields
+// @Security CoderSessionToken
+// @Produce json
+// @Tags Enterprise
+// @Param organization path string true "Organization ID" format(uuid)
+// @Success 200 {array} string
+// @Router /organizations/{organization}/settings/idpsync/available-fields [get]
+func (api *API) organizationIDPSyncClaimFields(rw http.ResponseWriter, r *http.Request) {
+	org := httpmw.OrganizationParam(r)
+	api.idpSyncClaimFields(org.ID, rw, r)
+}
+
+// @Summary Get the available idp sync claim fields
+// @ID get-the-available-idp-sync-claim-fields
+// @Security CoderSessionToken
+// @Produce json
+// @Tags Enterprise
+// @Param organization path string true "Organization ID" format(uuid)
+// @Success 200 {array} string
+// @Router /settings/idpsync/available-fields [get]
+func (api *API) deploymentIDPSyncClaimFields(rw http.ResponseWriter, r *http.Request) {
+	// nil uuid implies all organizations
+	api.idpSyncClaimFields(uuid.Nil, rw, r)
+}
+
+func (api *API) idpSyncClaimFields(orgID uuid.UUID, rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	fields, err := api.Database.OIDCClaimFields(ctx, orgID)
+	if httpapi.IsUnauthorizedError(err) {
+		// Give a helpful error. The user could read the org, so this does not
+		// leak anything.
+		httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
+			Message: "You do not have permission to view the available IDP fields",
+			Detail:  fmt.Sprintf("%s.read permission is required", rbac.ResourceIdpsyncSettings.Type),
+		})
+		return
+	}
+	if err != nil {
+		httpapi.InternalServerError(rw, err)
+		return
+	}
+
+	httpapi.Write(ctx, rw, http.StatusOK, fields)
+}
diff --git a/enterprise/coderd/userauth_test.go b/enterprise/coderd/userauth_test.go
@@ -165,6 +165,19 @@ func TestUserOIDC(t *testing.T) {
 			user, err := userClient.User(ctx, codersdk.Me)
 			require.NoError(t, err)
 
+			// Then: the available sync fields should be "email" and "organization"
+			fields, err := runner.AdminClient.GetAvailableIDPSyncFields(ctx)
+			require.NoError(t, err)
+			require.ElementsMatch(t, []string{
+				"aud", "exp", "iss", // Always included from jwt
+				"email", "organization",
+			}, fields)
+
+			// This should be the same as above
+			orgFields, err := runner.AdminClient.GetOrganizationAvailableIDPSyncFields(ctx, orgOne.ID.String())
+			require.NoError(t, err)
+			require.ElementsMatch(t, fields, orgFields)
+
 			// When: they are manually added to the fourth organization, a new sync
 			// should remove them.
 			_, err = runner.AdminClient.PostOrganizationMember(ctx, orgThree.ID, "alice")
