Skip to content

chore: support multi-org group sync with runtime configuration #14578

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 38 commits into from
Sep 11, 2024
Merged

chore: support multi-org group sync with runtime configuration #14578

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
38 commits
Select commit Hold shift + click to select a range
99c97c2
wip
Emyrk Sep 3, 2024
bfddeb6
begin group sync main work
Emyrk Sep 3, 2024
f2857c6
initial implementation of group sync
Emyrk Sep 3, 2024
791a059
work on moving to the manager
Emyrk Sep 4, 2024
4326e9d
fixup compile issues
Emyrk Sep 4, 2024
6d3ed2e
fixup some tests
Emyrk Sep 4, 2024
0803619
handle allow list
Emyrk Sep 4, 2024
596e7b4
WIP unit test for group sync
Emyrk Sep 4, 2024
b9476ac
fixup tests, account for existing groups
Emyrk Sep 4, 2024
ee8e4e4
fix compile issues
Emyrk Sep 5, 2024
d5ff0f7
add comment for test helper
Emyrk Sep 5, 2024
86c0f6f
handle legacy params
Emyrk Sep 5, 2024
2f03e18
make gen
Emyrk Sep 5, 2024
ec8092d
cleanup
Emyrk Sep 5, 2024
d63727d
add unit test for legacy behavior
Emyrk Sep 5, 2024
2a1769c
work on batching removal by name or id
Emyrk Sep 5, 2024
640e86e
group sync adjustments
Emyrk Sep 5, 2024
c544a29
test legacy params
Emyrk Sep 5, 2024
476be45
add unit test for ApplyGroupDifference
Emyrk Sep 5, 2024
164aeac
chore: remove old group sync code
Emyrk Sep 5, 2024
986498d
switch oidc test config to deployment values
Emyrk Sep 5, 2024
290cfa5
fix err name
Emyrk Sep 6, 2024
c563b10
some linting cleanup
Emyrk Sep 6, 2024
d2c247f
dbauthz test for new query
Emyrk Sep 6, 2024
12685bd
fixup comments
Emyrk Sep 6, 2024
bf0d4ed
fixup compile issues from rebase
Emyrk Sep 6, 2024
f95128e
add test for disabled sync
Emyrk Sep 6, 2024
88b0ad9
linting
Emyrk Sep 6, 2024
6491f6a
chore: handle db conflicts gracefully
Emyrk Sep 6, 2024
bd23288
test expected group equality
Emyrk Sep 6, 2024
a390ec4
cleanup comments
Emyrk Sep 6, 2024
a0a1c53
spelling mistake
Emyrk Sep 6, 2024
a86ba83
linting:
Emyrk Sep 6, 2024
0df7f28
add interface method to allow api crud
Emyrk Sep 9, 2024
7a802a9
Remove testable example
Emyrk Sep 11, 2024
611f1e3
fix formatting of sql, add a comment
Emyrk Sep 11, 2024
7f28a53
remove function only used in 1 place
Emyrk Sep 11, 2024
41994d2
make fmt
Emyrk Sep 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
handle allow list
  • Loading branch information
@Emyrk
Emyrk committed Sep 9, 2024
commit 0803619e8c65eb1bb584abae3137e403bf07f8fe
6 changes: 1 addition & 5 deletions coderd/coderd.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -312,11 +312,7 @@ func New(options *Options) *API {
)

if options.IDPSync == nil {
options.IDPSync = idpsync.NewAGPLSync(options.Logger, idpsync.DeploymentSyncSettings{
OrganizationField: options.DeploymentValues.OIDC.OrganizationField.Value(),
OrganizationMapping: options.DeploymentValues.OIDC.OrganizationMapping.Value,
OrganizationAssignDefault: options.DeploymentValues.OIDC.OrganizationAssignDefault.Value(),
})
options.IDPSync = idpsync.NewAGPLSync(options.Logger, options.RuntimeConfig, idpsync.FromDeploymentValues(options.DeploymentValues))
}

experiments := ReadExperiments(
Expand Down
8 changes: 8 additions & 0 deletions coderd/idpsync/group.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -266,3 +266,11 @@ func (s GroupSyncSettings) HandleMissingGroups(ctx context.Context, tx database.

return addIDs, nil
}

func ConvertAllowList(allowList []string) map[string]struct{} {
allowMap := make(map[string]struct{}, len(allowList))
for _, group := range allowList {
allowMap[group] = struct{}{}
}
return allowMap
}
23 changes: 23 additions & 0 deletions coderd/idpsync/idpsync.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,29 @@ type DeploymentSyncSettings struct {
// placed into the default organization. This is mostly a hack to support
// legacy deployments.
OrganizationAssignDefault bool

// GroupField at the deployment level is used for deployment level group claim
// settings.
GroupField string
// GroupAllowList (if set) will restrict authentication to only users who
// have at least one group in this list.
// A map representation is used for easier lookup.
GroupAllowList map[string]struct{}
Comment on lines +71 to +75
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At some point we should disconnect these from the default org. Might need to move the existing config env and flags, and deprecate the old.

}

func FromDeploymentValues(dv *codersdk.DeploymentValues) DeploymentSyncSettings {
if dv == nil {
panic("Developer error: DeploymentValues should not be nil")
}
return DeploymentSyncSettings{
OrganizationField: dv.OIDC.OrganizationField.Value(),
OrganizationMapping: dv.OIDC.OrganizationMapping.Value,
OrganizationAssignDefault: dv.OIDC.OrganizationAssignDefault.Value(),

GroupField: dv.OIDC.GroupField.Value(),
GroupAllowList: ConvertAllowList(dv.OIDC.GroupAllowList.Value()),
}

}

type SyncSettings struct {
Expand Down
2 changes: 1 addition & 1 deletion coderd/userauth.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1142,7 +1142,7 @@ func (api *API) oidcGroups(ctx context.Context, mergedClaims map[string]interfac
slog.F("allow_list_count", len(api.OIDCConfig.GroupAllowList)),
slog.F("user_group_count", len(groups)),
)
detail := "Ask an administrator to add one of your groups to the whitelist"
detail := "Ask an administrator to add one of your groups to the allow list"
if len(groups) == 0 {
detail = "You are currently not a member of any groups! Ask an administrator to add you to an authorized group to login."
}
Expand Down
6 changes: 1 addition & 5 deletions enterprise/coderd/coderd.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,11 +113,7 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
options.Database = cryptDB

if options.IDPSync == nil {
options.IDPSync = enidpsync.NewSync(options.Logger, options.Entitlements, idpsync.SyncSettings{
OrganizationField: options.DeploymentValues.OIDC.OrganizationField.Value(),
OrganizationMapping: options.DeploymentValues.OIDC.OrganizationMapping.Value,
OrganizationAssignDefault: options.DeploymentValues.OIDC.OrganizationAssignDefault.Value(),
})
options.IDPSync = enidpsync.NewSync(options.Logger, options.RuntimeConfig, options.Entitlements, idpsync.FromDeploymentValues(options.DeploymentValues))
}

api := &API{
Expand Down
42 changes: 41 additions & 1 deletion enterprise/coderd/enidpsync/groups.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ package enidpsync

import (
"context"
"net/http"

"github.com/golang-jwt/jwt/v4"

Expand All @@ -11,7 +12,6 @@ import (

func (e EnterpriseIDPSync) GroupSyncEnabled() bool {
return e.entitlements.Enabled(codersdk.FeatureTemplateRBAC)

}

// ParseGroupClaims parses the user claims and handles deployment wide group behavior.
Expand All @@ -23,6 +23,46 @@ func (e EnterpriseIDPSync) ParseGroupClaims(ctx context.Context, mergedClaims jw
return e.AGPLIDPSync.ParseGroupClaims(ctx, mergedClaims)
}

if e.GroupField != "" && len(e.GroupAllowList) > 0 {
groupsRaw, ok := mergedClaims[e.GroupField]
if !ok {
return idpsync.GroupParams{}, &idpsync.HTTPError{
Code: http.StatusForbidden,
Msg: "Not a member of an allowed group",
Detail: "You have no groups in your claims!",
RenderStaticPage: true,
}
}
parsedGroups, err := idpsync.ParseStringSliceClaim(groupsRaw)
if err != nil {
return idpsync.GroupParams{}, &idpsync.HTTPError{
Code: http.StatusBadRequest,
Msg: "Failed read groups from claims for allow list check. Ask an administrator for help.",
Detail: err.Error(),
RenderStaticPage: true,
}
}

inAllowList := false
AllowListCheckLoop:
for _, group := range parsedGroups {
if _, ok := e.GroupAllowList[group]; ok {
inAllowList = true
break AllowListCheckLoop
}
}

if !inAllowList {
return idpsync.GroupParams{}, &idpsync.HTTPError{
Code: http.StatusForbidden,
Msg: "Not a member of an allowed group",
Detail: "Ask an administrator to add one of your groups to the allow list.",
RenderStaticPage: true,
}
}

}

return idpsync.GroupParams{
SyncEnabled: e.OrganizationSyncEnabled(),
MergedClaims: mergedClaims,
Expand Down
35 changes: 35 additions & 0 deletions enterprise/coderd/enidpsync/groups_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
package enidpsync_test

import (
"testing"

"github.com/golang-jwt/jwt/v4"
"github.com/stretchr/testify/require"

"cdr.dev/slog/sloggers/slogtest"
"github.com/coder/coder/v2/coderd/entitlements"
"github.com/coder/coder/v2/coderd/idpsync"
"github.com/coder/coder/v2/coderd/runtimeconfig"
"github.com/coder/coder/v2/enterprise/coderd/enidpsync"
"github.com/coder/coder/v2/testutil"
)

func TestEnterpriseParseGroupClaims(t *testing.T) {
t.Parallel()

t.Run("NoEntitlements", func(t *testing.T) {
t.Parallel()

s := enidpsync.NewSync(slogtest.Make(t, &slogtest.Options{}),
runtimeconfig.NewNoopManager(),
entitlements.New(),
idpsync.DeploymentSyncSettings{})

ctx := testutil.Context(t, testutil.WaitMedium)

params, err := s.ParseGroupClaims(ctx, jwt.MapClaims{})
require.Nil(t, err)

require.False(t, params.SyncEnabled)
})
}