coder · Emyrk · Jul 24, 2023 · Jul 19, 2023 · Jul 19, 2023 · Jul 19, 2023
diff --git a/.gitattributes b/.gitattributes
@@ -1,5 +1,7 @@
 # Generated files
 coderd/apidoc/docs.go linguist-generated=true
+docs/api/*.md linguist-generated=true
+docs/cli/*.md linguist-generated=true
 coderd/apidoc/swagger.json linguist-generated=true
 coderd/database/dump.sql linguist-generated=true
 peerbroker/proto/*.go linguist-generated=true
@@ -9,3 +11,4 @@ provisionersdk/proto/*.go linguist-generated=true
 *.tfstate.json linguist-generated=true
 *.tfstate.dot linguist-generated=true
 *.tfplan.dot linguist-generated=true
+
diff --git a/cli/server.go b/cli/server.go
@@ -596,6 +596,9 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 					IgnoreUserInfo:      cfg.OIDC.IgnoreUserInfo.Value(),
 					GroupField:          cfg.OIDC.GroupField.String(),
 					GroupMapping:        cfg.OIDC.GroupMapping.Value,
+					UserRoleField:       cfg.OIDC.UserRoleField.String(),
+					UserRoleMapping:     cfg.OIDC.UserRoleMapping.Value,
+					UserRolesDefault:    cfg.OIDC.UserRolesDefault.GetSlice(),
 					SignInText:          cfg.OIDC.SignInText.String(),
 					IconURL:             cfg.OIDC.IconURL.String(),
 					IgnoreEmailVerified: cfg.OIDC.IgnoreEmailVerified.Value(),

diff --git a/cli/server_test.go b/cli/server_test.go
@@ -1095,6 +1095,8 @@ func TestServer(t *testing.T) {
 			require.False(t, deploymentConfig.Values.OIDC.IgnoreUserInfo.Value())
 			require.Empty(t, deploymentConfig.Values.OIDC.GroupField.Value())
 			require.Empty(t, deploymentConfig.Values.OIDC.GroupMapping.Value)
+			require.Empty(t, deploymentConfig.Values.OIDC.UserRoleField.Value())
+			require.Empty(t, deploymentConfig.Values.OIDC.UserRoleMapping.Value)
 			require.Equal(t, "OpenID Connect", deploymentConfig.Values.OIDC.SignInText.Value())
 			require.Empty(t, deploymentConfig.Values.OIDC.IconURL.Value())
 		})

diff --git a/cli/testdata/coder_server_--help.golden b/cli/testdata/coder_server_--help.golden
@@ -337,6 +337,20 @@ can safely ignore these settings.
       --oidc-scopes string-array, $CODER_OIDC_SCOPES (default: openid,profile,email)
           Scopes to grant when authenticating with OIDC.
 
+      --oidc-user-role-default string-array, $CODER_OIDC_USER_ROLE_DEFAULT
+          If user role sync is enabled, these roles are always included for all
+          authenticated users. The 'member' role is always assigned.
+
+      --oidc-user-role-field string, $CODER_OIDC_USER_ROLE_FIELD
+          This field must be set if using the user roles sync feature. Set this
+          to the name of the claim used to store the user's role. The roles
+          should be sent as an array of strings.
+
+      --oidc-user-role-mapping struct[map[string][]string], $CODER_OIDC_USER_ROLE_MAPPING (default: {})
+          A map of the OIDC passed in user roles and the groups in Coder it
+          should map to. This is useful if the group names do not match. If
+          mapped to the empty string, the role will ignored.
+
       --oidc-username-field string, $CODER_OIDC_USERNAME_FIELD (default: preferred_username)
           OIDC claim field to use as the username.
 

diff --git a/cli/testdata/coder_users_list_--output_json.golden b/cli/testdata/coder_users_list_--output_json.golden
@@ -15,7 +15,8 @@
         "display_name": "Owner"
       }
     ],
-    "avatar_url": ""
+    "avatar_url": "",
+    "login_type": "password"
   },
   {
     "id": "[second user ID]",
@@ -28,6 +29,7 @@
       "[first org ID]"
     ],
     "roles": [],
-    "avatar_url": ""
+    "avatar_url": "",
+    "login_type": "password"
   }
 ]
diff --git a/cli/testdata/server-config.yaml.golden b/cli/testdata/server-config.yaml.golden
@@ -268,6 +268,20 @@ oidc:
   # for when OIDC providers only return group IDs.
   # (default: {}, type: struct[map[string]string])
   groupMapping: {}
+  # This field must be set if using the user roles sync feature. Set this to the
+  # name of the claim used to store the user's role. The roles should be sent as an
+  # array of strings.
+  # (default: <unset>, type: string)
+  userRoleField: ""
+  # A map of the OIDC passed in user roles and the groups in Coder it should map to.
+  # This is useful if the group names do not match. If mapped to the empty string,
+  # the role will ignored.
+  # (default: {}, type: struct[map[string][]string])
+  userRoleMapping: {}
+  # If user role sync is enabled, these roles are always included for all
+  # authenticated users. The 'member' role is always assigned.
+  # (default: <unset>, type: string-array)
+  userRoleDefault: []
   # The text to show on the OpenID Connect sign in button.
   # (default: OpenID Connect, type: string)
   signInText: OpenID Connect

diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go
diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -124,6 +124,7 @@ type Options struct {
 	DERPMap                     *tailcfg.DERPMap
 	SwaggerEndpoint             bool
 	SetUserGroups               func(ctx context.Context, tx database.Store, userID uuid.UUID, groupNames []string) error
+	SetUserSiteRoles            func(ctx context.Context, tx database.Store, userID uuid.UUID, roles []string) error
 	TemplateScheduleStore       *atomic.Pointer[schedule.TemplateScheduleStore]
 	UserQuietHoursScheduleStore *atomic.Pointer[schedule.UserQuietHoursScheduleStore]
 	// AppSecurityKey is the crypto key used to sign and encrypt tokens related to
@@ -258,6 +259,14 @@ func New(options *Options) *API {
 			return nil
 		}
 	}
+	if options.SetUserSiteRoles == nil {
+		options.SetUserSiteRoles = func(ctx context.Context, _ database.Store, userID uuid.UUID, roles []string) error {
+			options.Logger.Warn(ctx, "attempted to assign OIDC user roles without enterprise license",
+				slog.F("user_id", userID), slog.F("roles", roles),
+			)
+			return nil
+		}
+	}
 	if options.TemplateScheduleStore == nil {
 		options.TemplateScheduleStore = &atomic.Pointer[schedule.TemplateScheduleStore]{}
 	}

diff --git a/coderd/database/db2sdk/db2sdk.go b/coderd/database/db2sdk/db2sdk.go
@@ -115,6 +115,7 @@ func User(user database.User, organizationIDs []uuid.UUID) codersdk.User {
 		OrganizationIDs: organizationIDs,
 		Roles:           make([]codersdk.Role, 0, len(user.RBACRoles)),
 		AvatarURL:       user.AvatarURL.String,
+		LoginType:       codersdk.LoginType(user.LoginType),
 	}
 
 	for _, roleName := range user.RBACRoles {

diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -207,7 +207,7 @@ var (
 					rbac.ResourceWildcard.Type:           {rbac.ActionRead},
 					rbac.ResourceAPIKey.Type:             {rbac.ActionCreate, rbac.ActionUpdate, rbac.ActionDelete},
 					rbac.ResourceGroup.Type:              {rbac.ActionCreate, rbac.ActionUpdate},
-					rbac.ResourceRoleAssignment.Type:     {rbac.ActionCreate},
+					rbac.ResourceRoleAssignment.Type:     {rbac.ActionCreate, rbac.ActionDelete},
 					rbac.ResourceSystem.Type:             {rbac.WildcardSymbol},
 					rbac.ResourceOrganization.Type:       {rbac.ActionCreate},
 					rbac.ResourceOrganizationMember.Type: {rbac.ActionCreate},

diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go
@@ -283,10 +283,13 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 //	map[actor_role][assign_role]<can_assign>
 var assignRoles = map[string]map[string]bool{
 	"system": {
-		owner:     true,
-		member:    true,
-		orgAdmin:  true,
-		orgMember: true,
+		owner:         true,
+		auditor:       true,
+		member:        true,
+		orgAdmin:      true,
+		orgMember:     true,
+		templateAdmin: true,
+		userAdmin:     true,
 	},
 	owner: {
 		owner:         true,

diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -684,12 +684,27 @@ type OIDCConfig struct {
 	// to groups within Coder.
 	// map[oidcGroupName]coderGroupName
 	GroupMapping map[string]string
+	// UserRoleField selects the claim field to be used as the created user's
+	// roles. If the field is the empty string, then no role updates
+	// will ever come from the OIDC provider.
+	UserRoleField string
+	// UserRoleMapping controls how groups returned by the OIDC provider get mapped
+	// to roles within Coder.
+	// map[oidcRoleName]coderRoleName
+	UserRoleMapping map[string][]string
+	// UserRolesDefault is the default set of roles to assign to a user if role sync
+	// is enabled.
+	UserRolesDefault []string
 	// SignInText is the text to display on the OIDC login button
 	SignInText string
 	// IconURL points to the URL of an icon to display on the OIDC login button
 	IconURL string
 }
 
+func (cfg OIDCConfig) RoleSyncEnabled() bool {
+	return cfg.UserRoleField != ""
+}
+
 // @Summary OpenID Connect Callback
 // @ID openid-connect-callback
 // @Security CoderSessionToken
@@ -942,6 +957,62 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	roles := api.OIDCConfig.UserRolesDefault
+	if api.OIDCConfig.RoleSyncEnabled() {
+		rolesRow, ok := claims[api.OIDCConfig.UserRoleField]
+		if !ok {
+			// If no claim is provided than we can assume the user is just
+			// a member. This is because there is no way to tell the difference
+			// between []string{} and nil for OIDC claims. IDPs omit claims
+			// if they are empty ([]string{}).
+			rolesRow = []string{}
+		}
+
+		rolesInterface, ok := rolesRow.([]interface{})
+		if !ok {
+			api.Logger.Error(ctx, "oidc claim user roles field was an unknown type",
+				slog.F("type", fmt.Sprintf("%T", rolesRow)),
+			)
+			site.RenderStaticErrorPage(rw, r, site.ErrorPageData{
+				Status:       http.StatusInternalServerError,
+				HideStatus:   true,
+				Title:        "Login disabled until OIDC config is fixed",
+				Description:  fmt.Sprintf("Roles claim must be an array of strings, type found: %T. Disabling role sync will allow login to proceed.", rolesRow),
+				RetryEnabled: false,
+				DashboardURL: "/login",
+			})
+			return
+		}
+
+		api.Logger.Debug(ctx, "roles returned in oidc claims",
+			slog.F("len", len(rolesInterface)),
+			slog.F("roles", rolesInterface),
+		)
+		for _, roleInterface := range rolesInterface {
+			role, ok := roleInterface.(string)
+			if !ok {
+				api.Logger.Error(ctx, "invalid oidc user role type",
+					slog.F("type", fmt.Sprintf("%T", rolesRow)),
+				)
+				httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+					Message: fmt.Sprintf("Invalid user role type. Expected string, got: %T", roleInterface),
+				})
+				return
+			}
+
+			if mappedRoles, ok := api.OIDCConfig.UserRoleMapping[role]; ok {
+				if len(mappedRoles) == 0 {
+					continue
+				}
+				// Mapped roles are added to the list of roles
+				roles = append(roles, mappedRoles...)
+				continue
+			}
+
+			roles = append(roles, role)
+		}
+	}
+
 	// If a new user is authenticating for the first time
 	// the audit action is 'register', not 'login'
 	if user.ID == uuid.Nil {
@@ -959,6 +1030,8 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 		Username:     username,
 		AvatarURL:    picture,
 		UsingGroups:  usingGroups,
+		UsingRoles:   api.OIDCConfig.RoleSyncEnabled(),
+		Roles:        roles,
 		Groups:       groups,
 	}).SetInitAuditRequest(func(params *audit.RequestParams) (*audit.Request[database.User], func()) {
 		return audit.InitRequest[database.User](rw, params)
@@ -1045,6 +1118,10 @@ type oauthLoginParams struct {
 	// to the Groups provided.
 	UsingGroups bool
 	Groups      []string
+	// Is UsingRoles is true, then the user will be assigned
+	// the roles provided.
+	UsingRoles bool
+	Roles      []string
 
 	commitLock       sync.Mutex
 	initAuditRequest func(params *audit.RequestParams) *audit.Request[database.User]
@@ -1108,6 +1185,7 @@ func (api *API) oauthLogin(r *http.Request, params *oauthLoginParams) ([]*http.C
 		ctx     = r.Context()
 		user    database.User
 		cookies []*http.Cookie
+		logger  = api.Logger.Named(userAuthLoggerName)
 	)
 
 	var isConvertLoginType bool
@@ -1248,6 +1326,37 @@ func (api *API) oauthLogin(r *http.Request, params *oauthLoginParams) ([]*http.C
 			}
 		}
 
+		// Ensure roles are correct.
+		if params.UsingRoles {
+			ignored := make([]string, 0)
+			filtered := make([]string, 0, len(params.Roles))
+			for _, role := range params.Roles {
+				if _, err := rbac.RoleByName(role); err == nil {
+					filtered = append(filtered, role)
+				} else {
+					ignored = append(ignored, role)
+				}
+			}
+
+			//nolint:gocritic
+			err := api.Options.SetUserSiteRoles(dbauthz.AsSystemRestricted(ctx), tx, user.ID, filtered)
+			if err != nil {
+				return httpError{
+					code:             http.StatusBadRequest,
+					msg:              "Invalid roles through OIDC claim",
+					detail:           fmt.Sprintf("Error from role assignment attempt: %s", err.Error()),
+					renderStaticPage: true,
+				}
+			}
+			if len(ignored) > 0 {
+				logger.Debug(ctx, "OIDC roles ignored in assignment",
+					slog.F("ignored", ignored),
+					slog.F("assigned", filtered),
+					slog.F("user_id", user.ID),
+				)
+			}
+		}
+
 		needsUpdate := false
 		if user.AvatarURL.String != params.AvatarURL {
 			user.AvatarURL = sql.NullString{