Skip to content

chore: include merged claims into the database #15570

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Nov 18, 2024
Merged

chore: include merged claims into the database #15570

merged 2 commits into from
Nov 18, 2024

Conversation

Emyrk
Copy link
Member

@Emyrk Emyrk commented Nov 18, 2024
edited
Loading

Merging happens before IDP sync. Storing this will make some SQL queries much simplier.

Currently the SQL queries look like this:

coder/coderd/database/queries/user_links.sql

Lines 65 to 97 in 664e734

SELECT
DISTINCT jsonb_object_keys(claims->'id_token_claims')
FROM
user_links
WHERE
-- Only return rows where the top level key exists
claims ? 'id_token_claims' AND
-- 'null' is the default value for the id_token_claims field
-- jsonb 'null' is not the same as SQL NULL. Strip these out.
jsonb_typeof(claims->'id_token_claims') != 'null' AND
login_type = 'oidc'
AND CASE WHEN @organization_id :: uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN
user_links.user_id = ANY(SELECT organization_members.user_id FROM organization_members WHERE organization_id = @organization_id)
ELSE true
END
-- Merge with user_info claims.
UNION
-- This query is identical to the one above, except for 'user_info_claims'.
-- There might be some way to do this more concisely at a cost of readability.
SELECT
DISTINCT jsonb_object_keys(claims->'user_info_claims')
FROM
user_links
WHERE
claims ? 'user_info_claims' AND
jsonb_typeof(claims->'user_info_claims') != 'null' AND
login_type = 'oidc'
AND CASE WHEN @organization_id :: uuid != '00000000-0000-0000-0000-000000000000'::uuid THEN
user_links.user_id = ANY(SELECT organization_members.user_id FROM organization_members WHERE organization_id = @organization_id)
ELSE true
END

Query is duplicated over both fields with a union. This query is also incorrect, as merged claims do not properly merge arrays of duplicated fields.

@Emyrk
chore: include merged claims into the database
d1fb4eb 
Merging happens before IDP sync. Storing this will make
some SQL queries much simplier
johnstcn
johnstcn reviewed Nov 18, 2024
View reviewed changes
Copy link
Member

@johnstcn johnstcn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this not also require updated tests also in coderd/idpsync?

@Emyrk
Copy link
Member Author

Emyrk commented Nov 18, 2024
edited
Loading

The real tests are in this PR: #15525

There is only a debug endpoint that returns this information today, and I did not want to add tests for a debug endpoint. So it requires more effort than it's worth imo to fully test this feature outside of the PRs I have in flight.

Writing the queries to use this data, I realized merging the fields simplifies a lot and makes claims more correct.

johnstcn
johnstcn approved these changes Nov 18, 2024
View reviewed changes
Copy link
Member

@johnstcn johnstcn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Stamp 👍 in combination with test improoooovements in #15525

@Emyrk Emyrk merged commit 4fedc7c into main Nov 18, 2024
32 checks passed
@Emyrk Emyrk deleted the stevenmasley/idp_field_include_merged branch November 18, 2024 17:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@johnstcn johnstcn johnstcn approved these changes

Assignees

@Emyrk Emyrk

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Emyrk @johnstcn