Skip to content

chore: support multi-org group sync with runtime configuration #14578

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 38 commits into from
Sep 11, 2024
Merged

chore: support multi-org group sync with runtime configuration #14578

Show file tree
Hide file tree
Changes from 34 commits
Commits
Show all changes
38 commits
Select commit Hold shift + click to select a range
99c97c2
wip
Emyrk Sep 3, 2024
bfddeb6
begin group sync main work
Emyrk Sep 3, 2024
f2857c6
initial implementation of group sync
Emyrk Sep 3, 2024
791a059
work on moving to the manager
Emyrk Sep 4, 2024
4326e9d
fixup compile issues
Emyrk Sep 4, 2024
6d3ed2e
fixup some tests
Emyrk Sep 4, 2024
0803619
handle allow list
Emyrk Sep 4, 2024
596e7b4
WIP unit test for group sync
Emyrk Sep 4, 2024
b9476ac
fixup tests, account for existing groups
Emyrk Sep 4, 2024
ee8e4e4
fix compile issues
Emyrk Sep 5, 2024
d5ff0f7
add comment for test helper
Emyrk Sep 5, 2024
86c0f6f
handle legacy params
Emyrk Sep 5, 2024
2f03e18
make gen
Emyrk Sep 5, 2024
ec8092d
cleanup
Emyrk Sep 5, 2024
d63727d
add unit test for legacy behavior
Emyrk Sep 5, 2024
2a1769c
work on batching removal by name or id
Emyrk Sep 5, 2024
640e86e
group sync adjustments
Emyrk Sep 5, 2024
c544a29
test legacy params
Emyrk Sep 5, 2024
476be45
add unit test for ApplyGroupDifference
Emyrk Sep 5, 2024
164aeac
chore: remove old group sync code
Emyrk Sep 5, 2024
986498d
switch oidc test config to deployment values
Emyrk Sep 5, 2024
290cfa5
fix err name
Emyrk Sep 6, 2024
c563b10
some linting cleanup
Emyrk Sep 6, 2024
d2c247f
dbauthz test for new query
Emyrk Sep 6, 2024
12685bd
fixup comments
Emyrk Sep 6, 2024
bf0d4ed
fixup compile issues from rebase
Emyrk Sep 6, 2024
f95128e
add test for disabled sync
Emyrk Sep 6, 2024
88b0ad9
linting
Emyrk Sep 6, 2024
6491f6a
chore: handle db conflicts gracefully
Emyrk Sep 6, 2024
bd23288
test expected group equality
Emyrk Sep 6, 2024
a390ec4
cleanup comments
Emyrk Sep 6, 2024
a0a1c53
spelling mistake
Emyrk Sep 6, 2024
a86ba83
linting:
Emyrk Sep 6, 2024
0df7f28
add interface method to allow api crud
Emyrk Sep 9, 2024
7a802a9
Remove testable example
Emyrk Sep 11, 2024
611f1e3
fix formatting of sql, add a comment
Emyrk Sep 11, 2024
7f28a53
remove function only used in 1 place
Emyrk Sep 11, 2024
41994d2
make fmt
Emyrk Sep 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 0 additions & 5 deletions cli/server.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -187,11 +187,6 @@ func createOIDCConfig(ctx context.Context, logger slog.Logger, vals *codersdk.De
EmailField: vals.OIDC.EmailField.String(),
AuthURLParams: vals.OIDC.AuthURLParams.Value,
IgnoreUserInfo: vals.OIDC.IgnoreUserInfo.Value(),
GroupField: vals.OIDC.GroupField.String(),
GroupFilter: vals.OIDC.GroupRegexFilter.Value(),
GroupAllowList: groupAllowList,
CreateMissingGroups: vals.OIDC.GroupAutoCreate.Value(),
GroupMapping: vals.OIDC.GroupMapping.Value,
UserRoleField: vals.OIDC.UserRoleField.String(),
UserRoleMapping: vals.OIDC.UserRoleMapping.Value,
UserRolesDefault: vals.OIDC.UserRolesDefault.GetSlice(),
Expand Down
22 changes: 4 additions & 18 deletions coderd/coderd.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -181,7 +181,6 @@ type Options struct {
NetworkTelemetryBatchFrequency time.Duration
NetworkTelemetryBatchMaxSize int
SwaggerEndpoint bool
SetUserGroups func(ctx context.Context, logger slog.Logger, tx database.Store, userID uuid.UUID, orgGroupNames map[uuid.UUID][]string, createMissingGroups bool) error
SetUserSiteRoles func(ctx context.Context, logger slog.Logger, tx database.Store, userID uuid.UUID, roles []string) error
TemplateScheduleStore *atomic.Pointer[schedule.TemplateScheduleStore]
UserQuietHoursScheduleStore *atomic.Pointer[schedule.UserQuietHoursScheduleStore]
Expand Down Expand Up @@ -276,13 +275,6 @@ func New(options *Options) *API {
if options.Entitlements == nil {
options.Entitlements = entitlements.New()
}
if options.IDPSync == nil {
options.IDPSync = idpsync.NewAGPLSync(options.Logger, idpsync.SyncSettings{
OrganizationField: options.DeploymentValues.OIDC.OrganizationField.Value(),
OrganizationMapping: options.DeploymentValues.OIDC.OrganizationMapping.Value,
OrganizationAssignDefault: options.DeploymentValues.OIDC.OrganizationAssignDefault.Value(),
})
}
if options.NewTicker == nil {
options.NewTicker = func(duration time.Duration) (tick <-chan time.Time, done func()) {
ticker := time.NewTicker(duration)
Expand Down Expand Up @@ -318,6 +310,10 @@ func New(options *Options) *API {
options.AccessControlStore,
)

if options.IDPSync == nil {
options.IDPSync = idpsync.NewAGPLSync(options.Logger, options.RuntimeConfig, idpsync.FromDeploymentValues(options.DeploymentValues))
}

experiments := ReadExperiments(
options.Logger, options.DeploymentValues.Experiments.Value(),
)
Expand Down Expand Up @@ -377,16 +373,6 @@ func New(options *Options) *API {
if options.TracerProvider == nil {
options.TracerProvider = trace.NewNoopTracerProvider()
}
if options.SetUserGroups == nil {
options.SetUserGroups = func(ctx context.Context, logger slog.Logger, _ database.Store, userID uuid.UUID, orgGroupNames map[uuid.UUID][]string, createMissingGroups bool) error {
logger.Warn(ctx, "attempted to assign OIDC groups without enterprise license",
slog.F("user_id", userID),
slog.F("groups", orgGroupNames),
slog.F("create_missing_groups", createMissingGroups),
)
return nil
}
}
if options.SetUserSiteRoles == nil {
options.SetUserSiteRoles = func(ctx context.Context, logger slog.Logger, _ database.Store, userID uuid.UUID, roles []string) error {
logger.Warn(ctx, "attempted to assign OIDC user roles without enterprise license",
Expand Down
25 changes: 25 additions & 0 deletions coderd/coderdtest/uuids.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
package coderdtest

import "github.com/google/uuid"

// DeterministicUUIDGenerator allows "naming" uuids for unit tests.
// An example of where this is useful, is when a tabled test references
// a UUID that is not yet known. An alternative to this would be to
// hard code some UUID strings, but these strings are not human friendly.
type DeterministicUUIDGenerator struct {
Named map[string]uuid.UUID
}

func NewDeterministicUUIDGenerator() *DeterministicUUIDGenerator {
return &DeterministicUUIDGenerator{
Named: make(map[string]uuid.UUID),
}
}

func (d *DeterministicUUIDGenerator) ID(name string) uuid.UUID {
if v, ok := d.Named[name]; ok {
return v
}
d.Named[name] = uuid.New()
return d.Named[name]
}
33 changes: 33 additions & 0 deletions coderd/coderdtest/uuids_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
package coderdtest_test

import (
"github.com/google/uuid"

"github.com/coder/coder/v2/coderd/coderdtest"
)

func ExampleNewDeterministicUUIDGenerator() {
det := coderdtest.NewDeterministicUUIDGenerator()
testCases := []struct {
CreateUsers []uuid.UUID
ExpectedIDs []uuid.UUID
}{
{
CreateUsers: []uuid.UUID{
det.ID("player1"),
det.ID("player2"),
},
ExpectedIDs: []uuid.UUID{
det.ID("player1"),
det.ID("player2"),
},
},
}

for _, tc := range testCases {
tc := tc
_ = tc
// Do the test with CreateUsers as the setup, and the expected IDs
// will match.
}
}
16 changes: 16 additions & 0 deletions coderd/database/dbauthz/dbauthz.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2892,6 +2892,14 @@ func (q *querier) InsertUser(ctx context.Context, arg database.InsertUserParams)
return insert(q.log, q.auth, obj, q.db.InsertUser)(ctx, arg)
}

func (q *querier) InsertUserGroupsByID(ctx context.Context, arg database.InsertUserGroupsByIDParams) ([]uuid.UUID, error) {
// This is used by OIDC sync. So only used by a system user.
if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceSystem); err != nil {
return nil, err
}
return q.db.InsertUserGroupsByID(ctx, arg)
}

func (q *querier) InsertUserGroupsByName(ctx context.Context, arg database.InsertUserGroupsByNameParams) error {
// This will add the user to all named groups. This counts as updating a group.
// NOTE: instead of checking if the user has permission to update each group, we instead
Expand Down Expand Up @@ -3100,6 +3108,14 @@ func (q *querier) RemoveUserFromAllGroups(ctx context.Context, userID uuid.UUID)
return q.db.RemoveUserFromAllGroups(ctx, userID)
}

func (q *querier) RemoveUserFromGroups(ctx context.Context, arg database.RemoveUserFromGroupsParams) ([]uuid.UUID, error) {
// This is a system function to clear user groups in group sync.
if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceSystem); err != nil {
return nil, err
}
return q.db.RemoveUserFromGroups(ctx, arg)
}

func (q *querier) RevokeDBCryptKey(ctx context.Context, activeKeyDigest string) error {
if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceSystem); err != nil {
return err
Expand Down
23 changes: 23 additions & 0 deletions coderd/database/dbauthz/dbauthz_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -388,6 +388,17 @@ func (s *MethodTestSuite) TestGroup() {
GroupNames: slice.New(g1.Name, g2.Name),
}).Asserts(rbac.ResourceGroup.InOrg(o.ID), policy.ActionUpdate).Returns()
}))
s.Run("InsertUserGroupsByID", s.Subtest(func(db database.Store, check *expects) {
o := dbgen.Organization(s.T(), db, database.Organization{})
u1 := dbgen.User(s.T(), db, database.User{})
g1 := dbgen.Group(s.T(), db, database.Group{OrganizationID: o.ID})
g2 := dbgen.Group(s.T(), db, database.Group{OrganizationID: o.ID})
_ = dbgen.GroupMember(s.T(), db, database.GroupMemberTable{GroupID: g1.ID, UserID: u1.ID})
check.Args(database.InsertUserGroupsByIDParams{
UserID: u1.ID,
GroupIds: slice.New(g1.ID, g2.ID),
}).Asserts(rbac.ResourceSystem, policy.ActionUpdate).Returns(slice.New(g1.ID, g2.ID))
}))
s.Run("RemoveUserFromAllGroups", s.Subtest(func(db database.Store, check *expects) {
o := dbgen.Organization(s.T(), db, database.Organization{})
u1 := dbgen.User(s.T(), db, database.User{})
Expand All @@ -397,6 +408,18 @@ func (s *MethodTestSuite) TestGroup() {
_ = dbgen.GroupMember(s.T(), db, database.GroupMemberTable{GroupID: g2.ID, UserID: u1.ID})
check.Args(u1.ID).Asserts(rbac.ResourceSystem, policy.ActionUpdate).Returns()
}))
s.Run("RemoveUserFromGroups", s.Subtest(func(db database.Store, check *expects) {
o := dbgen.Organization(s.T(), db, database.Organization{})
u1 := dbgen.User(s.T(), db, database.User{})
g1 := dbgen.Group(s.T(), db, database.Group{OrganizationID: o.ID})
g2 := dbgen.Group(s.T(), db, database.Group{OrganizationID: o.ID})
_ = dbgen.GroupMember(s.T(), db, database.GroupMemberTable{GroupID: g1.ID, UserID: u1.ID})
_ = dbgen.GroupMember(s.T(), db, database.GroupMemberTable{GroupID: g2.ID, UserID: u1.ID})
check.Args(database.RemoveUserFromGroupsParams{
UserID: u1.ID,
GroupIds: []uuid.UUID{g1.ID, g2.ID},
}).Asserts(rbac.ResourceSystem, policy.ActionUpdate).Returns(slice.New(g1.ID, g2.ID))
}))
s.Run("UpdateGroupByID", s.Subtest(func(db database.Store, check *expects) {
g := dbgen.Group(s.T(), db, database.Group{})
check.Args(database.UpdateGroupByIDParams{
Expand Down
93 changes: 81 additions & 12 deletions coderd/database/dbmem/dbmem.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -682,6 +682,17 @@ func (q *FakeQuerier) getWorkspaceResourcesByJobIDNoLock(_ context.Context, jobI
return resources, nil
}

func (q *FakeQuerier) getGroupByNameNoLock(arg database.NameOrganizationPair) (database.Group, error) {
for _, group := range q.groups {
if group.OrganizationID == arg.OrganizationID &&
group.Name == arg.Name {
return group, nil
}
}

return database.Group{}, sql.ErrNoRows
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm very curious what this is necessary for

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, I originally was using it in another query. Wanted to reuse the same code. Now it's not necessary to extract to it's own function 🤷‍♂️. I'll put it back.


func (q *FakeQuerier) getGroupByIDNoLock(_ context.Context, id uuid.UUID) (database.Group, error) {
for _, group := range q.groups {
if group.ID == id {
Expand Down Expand Up @@ -2613,14 +2624,10 @@ func (q *FakeQuerier) GetGroupByOrgAndName(_ context.Context, arg database.GetGr
q.mutex.RLock()
defer q.mutex.RUnlock()

for _, group := range q.groups {
if group.OrganizationID == arg.OrganizationID &&
group.Name == arg.Name {
return group, nil
}
}

return database.Group{}, sql.ErrNoRows
return q.getGroupByNameNoLock(database.NameOrganizationPair{
Name: arg.Name,
OrganizationID: arg.OrganizationID,
})
}

func (q *FakeQuerier) GetGroupMembers(ctx context.Context) ([]database.GroupMember, error) {
Expand Down Expand Up @@ -2695,18 +2702,18 @@ func (q *FakeQuerier) GetGroups(_ context.Context, arg database.GetGroupsParams)
q.mutex.RLock()
defer q.mutex.RUnlock()

groupIDs := make(map[uuid.UUID]struct{})
userGroupIDs := make(map[uuid.UUID]struct{})
if arg.HasMemberID != uuid.Nil {
for _, member := range q.groupMembers {
if member.UserID == arg.HasMemberID {
groupIDs[member.GroupID] = struct{}{}
userGroupIDs[member.GroupID] = struct{}{}
}
}

// Handle the everyone group
for _, orgMember := range q.organizationMembers {
if orgMember.UserID == arg.HasMemberID {
groupIDs[orgMember.OrganizationID] = struct{}{}
userGroupIDs[orgMember.OrganizationID] = struct{}{}
}
}
}
Expand All @@ -2718,11 +2725,15 @@ func (q *FakeQuerier) GetGroups(_ context.Context, arg database.GetGroupsParams)
continue
}

_, ok := groupIDs[group.ID]
_, ok := userGroupIDs[group.ID]
if arg.HasMemberID != uuid.Nil && !ok {
continue
}

if len(arg.GroupNames) > 0 && !slices.Contains(arg.GroupNames, group.Name) {
continue
}

orgDetails, ok := orgDetailsCache[group.ID]
if !ok {
for _, org := range q.organizations {
Expand Down Expand Up @@ -7015,7 +7026,37 @@ func (q *FakeQuerier) InsertUser(_ context.Context, arg database.InsertUserParam
return user, nil
}

func (q *FakeQuerier) InsertUserGroupsByID(_ context.Context, arg database.InsertUserGroupsByIDParams) ([]uuid.UUID, error) {
err := validateDatabaseType(arg)
if err != nil {
return nil, err
}

q.mutex.Lock()
defer q.mutex.Unlock()

var groupIDs []uuid.UUID
for _, group := range q.groups {
for _, groupID := range arg.GroupIds {
if group.ID == groupID {
q.groupMembers = append(q.groupMembers, database.GroupMemberTable{
UserID: arg.UserID,
GroupID: groupID,
})
groupIDs = append(groupIDs, group.ID)
}
}
}

return groupIDs, nil
}

func (q *FakeQuerier) InsertUserGroupsByName(_ context.Context, arg database.InsertUserGroupsByNameParams) error {
err := validateDatabaseType(arg)
if err != nil {
return err
}

q.mutex.Lock()
defer q.mutex.Unlock()

Expand Down Expand Up @@ -7607,6 +7648,34 @@ func (q *FakeQuerier) RemoveUserFromAllGroups(_ context.Context, userID uuid.UUI
return nil
}

func (q *FakeQuerier) RemoveUserFromGroups(_ context.Context, arg database.RemoveUserFromGroupsParams) ([]uuid.UUID, error) {
err := validateDatabaseType(arg)
if err != nil {
return nil, err
}

q.mutex.Lock()
defer q.mutex.Unlock()

removed := make([]uuid.UUID, 0)
q.data.groupMembers = slices.DeleteFunc(q.data.groupMembers, func(groupMember database.GroupMemberTable) bool {
// Delete all group members that match the arguments.
if groupMember.UserID != arg.UserID {
// Not the right user, ignore.
return false
}

if !slices.Contains(arg.GroupIds, groupMember.GroupID) {
return false
}

removed = append(removed, groupMember.GroupID)
return true
})

return removed, nil
}

func (q *FakeQuerier) RevokeDBCryptKey(_ context.Context, activeKeyDigest string) error {
q.mutex.Lock()
defer q.mutex.Unlock()
Expand Down
14 changes: 14 additions & 0 deletions coderd/database/dbmetrics/dbmetrics.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading