chore: refactor into agpl and enterprise

Emyrk · Emyrk · commit 1667624f5f56 · 2024-08-28T09:39:25.000-05:00
diff --git a/cli/server.go b/cli/server.go
@@ -55,6 +55,7 @@ import (
 
 	"cdr.dev/slog"
 	"cdr.dev/slog/sloggers/sloghuman"
+	"github.com/coder/coder/v2/coderd/idpsync"
 	"github.com/coder/pretty"
 	"github.com/coder/quartz"
 	"github.com/coder/retry"
@@ -197,6 +198,11 @@ func createOIDCConfig(ctx context.Context, logger slog.Logger, vals *codersdk.De
 		SignupsDisabledText: vals.OIDC.SignupsDisabledText.String(),
 		IconURL:             vals.OIDC.IconURL.String(),
 		IgnoreEmailVerified: vals.OIDC.IgnoreEmailVerified.Value(),
+		IDPSync: idpsync.NewSync(logger, idpsync.SyncSettings{
+			OrganizationField:         vals.OIDC.OrganizationField.Value(),
+			OrganizationMapping:       vals.OIDC.OrganizationMapping.Value,
+			OrganizationAssignDefault: vals.OIDC.OrganizationAssignDefault.Value,
+		}),
 	}, nil
 }
 
diff --git a/coderd/idpsync/idpsync.go b/coderd/idpsync/idpsync.go
@@ -1,40 +1,54 @@
 package idpsync
 
 import (
+	"context"
 	"net/http"
 	"strings"
 
 	"github.com/google/uuid"
 	"golang.org/x/xerrors"
 
 	"cdr.dev/slog"
-	"github.com/coder/coder/v2/coderd/entitlements"
+	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/site"
 )
 
-// IDPSync is the configuration for syncing user information from an external
+type IDPSync interface {
+	// ParseOrganizationClaims takes claims from an OIDC provider, and returns the
+	// organization sync params for assigning users into organizations.
+	ParseOrganizationClaims(ctx context.Context, _ map[string]interface{}) (OrganizationParams, *HttpError)
+	// SyncOrganizations assigns and removed users from organizations based on the
+	// provided params.
+	SyncOrganizations(ctx context.Context, tx database.Store, user database.User, params OrganizationParams) error
+}
+
+// AGPLIDPSync is the configuration for syncing user information from an external
 // IDP. All related code to syncing user information should be in this package.
-type IDPSync struct {
-	logger       slog.Logger
-	entitlements *entitlements.Set
+type AGPLIDPSync struct {
+	Logger slog.Logger
+
+	SyncSettings
+}
 
+type SyncSettings struct {
 	// OrganizationField selects the claim field to be used as the created user's
 	// organizations. If the field is the empty string, then no organization updates
 	// will ever come from the OIDC provider.
 	OrganizationField string
 	// OrganizationMapping controls how organizations returned by the OIDC provider get mapped
 	OrganizationMapping map[string][]uuid.UUID
-	// OrganizationAlwaysAssign will ensure all users that authenticate will be
-	// placed into the specified organizations.
-	OrganizationAlwaysAssign []uuid.UUID
+	// OrganizationAssignDefault will ensure all users that authenticate will be
+	// placed into the default organization. This is mostly a hack to support
+	// legacy deployments.
+	OrganizationAssignDefault bool
 }
 
-func NewSync(logger slog.Logger, set *entitlements.Set) *IDPSync {
-	return &IDPSync{
-		logger:       logger.Named("idp-sync"),
-		entitlements: set,
+func NewSync(logger slog.Logger, settings SyncSettings) *AGPLIDPSync {
+	return &AGPLIDPSync{
+		Logger:       logger.Named("idp-sync"),
+		SyncSettings: settings,
 	}
 }
 
diff --git a/coderd/idpsync/organization.go b/coderd/idpsync/organization.go
@@ -3,7 +3,6 @@ package idpsync
 import (
 	"context"
 	"database/sql"
-	"net/http"
 
 	"github.com/google/uuid"
 	"golang.org/x/xerrors"
@@ -16,64 +15,46 @@ import (
 	"github.com/coder/coder/v2/coderd/util/slice"
 )
 
-func (s IDPSync) ParseOrganizationClaims(ctx context.Context, mergedClaims map[string]interface{}) (OrganizationParams, *HttpError) {
+func (s AGPLIDPSync) ParseOrganizationClaims(ctx context.Context, _ map[string]interface{}) (OrganizationParams, *HttpError) {
 	// nolint:gocritic // all syncing is done as a system user
 	ctx = dbauthz.AsSystemRestricted(ctx)
 
-	// Copy in the always included static set of organizations.
-	userOrganizations := make([]uuid.UUID, len(s.OrganizationAlwaysAssign))
-	copy(userOrganizations, s.OrganizationAlwaysAssign)
-
-	// Pull extra organizations from the claims.
-	if s.OrganizationField != "" {
-		organizationRaw, ok := mergedClaims[s.OrganizationField]
-		if ok {
-			parsedOrganizations, err := ParseStringSliceClaim(organizationRaw)
-			if err != nil {
-				return OrganizationParams{}, &HttpError{
-					Code:                 http.StatusBadRequest,
-					Msg:                  "Failed to sync organizations from the OIDC claims",
-					Detail:               err.Error(),
-					RenderStaticPage:     false,
-					RenderDetailMarkdown: false,
-				}
-			}
-
-			// Keep track of which claims are not mapped for debugging purposes.
-			var ignored []string
-			for _, parsedOrg := range parsedOrganizations {
-				if mappedOrganization, ok := s.OrganizationMapping[parsedOrg]; ok {
-					// parsedOrg is in the mapping, so add the mapped organizations to the
-					// user's organizations.
-					userOrganizations = append(userOrganizations, mappedOrganization...)
-				} else {
-					ignored = append(ignored, parsedOrg)
-				}
-			}
-
-			s.logger.Debug(ctx, "parsed organizations from claim",
-				slog.F("len", len(parsedOrganizations)),
-				slog.F("ignored", ignored),
-				slog.F("organizations", parsedOrganizations),
-			)
-		}
-	}
-
+	// For AGPL we only rely on 'OrganizationAlwaysAssign'
 	return OrganizationParams{
-		Organizations: userOrganizations,
+		SyncEnabled:    false,
+		IncludeDefault: s.OrganizationAssignDefault,
+		Organizations:  []uuid.UUID{},
 	}, nil
 }
 
 type OrganizationParams struct {
+	// SyncEnabled if false will skip syncing the user's organizations.
+	SyncEnabled    bool
+	IncludeDefault bool
 	// Organizations is the list of organizations the user should be a member of
 	// assuming syncing is turned on.
 	Organizations []uuid.UUID
 }
 
-func (s IDPSync) SyncOrganizations(ctx context.Context, tx database.Store, user database.User, params OrganizationParams) error {
+func (s AGPLIDPSync) SyncOrganizations(ctx context.Context, tx database.Store, user database.User, params OrganizationParams) error {
+	// Nothing happens if sync is not enabled
+	if !params.SyncEnabled {
+		return nil
+	}
+
 	// nolint:gocritic // all syncing is done as a system user
 	ctx = dbauthz.AsSystemRestricted(ctx)
 
+	// This is a bit hacky, but if AssignDefault is included, then always
+	// make sure to include the default org in the list of expected.
+	if s.OrganizationAssignDefault {
+		defaultOrg, err := tx.GetDefaultOrganization(ctx)
+		if err != nil {
+			return xerrors.Errorf("failed to get default organization: %w", err)
+		}
+		params.Organizations = append(params.Organizations, defaultOrg.ID)
+	}
+
 	existingOrgs, err := tx.GetOrganizationsByUserID(ctx, user.ID)
 	if err != nil {
 		return xerrors.Errorf("failed to get user organizations: %w", err)
@@ -117,7 +98,7 @@ func (s IDPSync) SyncOrganizations(ctx context.Context, tx database.Store, user
 	}
 
 	if len(notExists) > 0 {
-		s.logger.Debug(ctx, "organizations do not exist but attempted to use in org sync",
+		s.Logger.Debug(ctx, "organizations do not exist but attempted to use in org sync",
 			slog.F("not_found", notExists),
 			slog.F("user_id", user.ID),
 			slog.F("username", user.Username),
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -738,6 +738,11 @@ type OIDCConfig struct {
 	// support the userinfo endpoint, or if the userinfo endpoint causes
 	// undesirable behavior.
 	IgnoreUserInfo bool
+	// IDPSync contains all the configuration for syncing user information
+	// from the external IDP.
+	IDPSync idpsync.IDPSync
+
+	// TODO: Move all idp fields into the IDPSync struct
 	// GroupField selects the claim field to be used as the created user's
 	// groups. If the group field is the empty string, then no group updates
 	// will ever come from the OIDC provider.
@@ -768,16 +773,6 @@ type OIDCConfig struct {
 	// UserRolesDefault is the default set of roles to assign to a user if role sync
 	// is enabled.
 	UserRolesDefault []string
-	// OrganizationField selects the claim field to be used as the created user's
-	// organizations. If the field is the empty string, then no organization updates
-	// will ever come from the OIDC provider.
-	OrganizationField string
-	// OrganizationMapping controls how organizations returned by the OIDC provider get mapped
-	OrganizationMapping map[string][]string
-	// OrganizationAlwaysAssign will ensure all users that authenticate will be
-	// placed into the specified organizations. 'default' is a special keyword
-	// that will use the `IsDefault` organization.
-	OrganizationAlwaysAssign []string
 	// SignInText is the text to display on the OIDC login button
 	SignInText string
 	// IconURL points to the URL of an icon to display on the OIDC login button
diff --git a/coderd/util/slice/example_test.go b/coderd/util/slice/example_test.go
@@ -10,8 +10,8 @@ import (
 func ExampleSymmetricDifference() {
 	// The goal of this function is to find the elements to add & remove from
 	// set 'a' to make it equal to set 'b'.
-	a := []int{1, 2, 5, 6}
-	b := []int{2, 3, 4, 5}
+	a := []int{1, 2, 5, 6, 6, 6}
+	b := []int{2, 3, 3, 3, 4, 5}
 	add, remove := slice.SymmetricDifference(a, b)
 	fmt.Println("Elements to add:", add)
 	fmt.Println("Elements to remove:", remove)
diff --git a/coderd/util/slice/slice.go b/coderd/util/slice/slice.go
@@ -62,6 +62,20 @@ func Overlap[T comparable](a []T, b []T) bool {
 	})
 }
 
+func UniqueFunc[T any](a []T, equal func(a, b T) bool) []T {
+	cpy := make([]T, 0, len(a))
+
+	for _, v := range a {
+		if ContainsCompare(cpy, v, equal) {
+			continue
+		}
+
+		cpy = append(cpy, v)
+	}
+
+	return cpy
+}
+
 // Unique returns a new slice with all duplicate elements removed.
 func Unique[T comparable](a []T) []T {
 	cpy := make([]T, 0, len(a))
@@ -109,15 +123,15 @@ func Descending[T constraints.Ordered](a, b T) int {
 }
 
 // SymmetricDifference returns the elements that need to be added and removed
-// to get from set 'a' to set 'b'.
+// to get from set 'a' to set 'b'. Note that duplicates are ignored in sets.
 // In classical set theory notation, SymmetricDifference returns
 // all elements of {add} and {remove} together. It is more useful to
 // return them as their own slices.
 // Notation: A Δ B = (A\B) ∪ (B\A)
 // Example:
 //
 //	a := []int{1, 3, 4}
-//	b := []int{1, 2}
+//	b := []int{1, 2, 2, 2}
 //	add, remove := SymmetricDifference(a, b)
 //	fmt.Println(add)    // [2]
 //	fmt.Println(remove) // [3, 4]
@@ -127,6 +141,8 @@ func SymmetricDifference[T comparable](a, b []T) (add []T, remove []T) {
 }
 
 func SymmetricDifferenceFunc[T any](a, b []T, equal func(a, b T) bool) (add []T, remove []T) {
+	// Ignore all duplicates
+	a, b = UniqueFunc(a, equal), UniqueFunc(b, equal)
 	return DifferenceFunc(b, a, equal), DifferenceFunc(a, b, equal)
 }
 
diff --git a/coderd/util/slice/slice_test.go b/coderd/util/slice/slice_test.go
@@ -52,6 +52,22 @@ func TestUnique(t *testing.T) {
 		slice.Unique([]string{
 			"a", "a", "a",
 		}))
+
+	require.ElementsMatch(t,
+		[]int{1, 2, 3, 4, 5},
+		slice.UniqueFunc([]int{
+			1, 2, 3, 4, 5, 1, 2, 3, 4, 5,
+		}, func(a, b int) bool {
+			return a == b
+		}))
+
+	require.ElementsMatch(t,
+		[]string{"a"},
+		slice.UniqueFunc([]string{
+			"a", "a", "a",
+		}, func(a, b string) bool {
+			return a == b
+		}))
 }
 
 func TestContains(t *testing.T) {
@@ -230,4 +246,15 @@ func TestSymmetricDifference(t *testing.T) {
 		require.ElementsMatch(t, []int{1, 2, 3}, add)
 		require.ElementsMatch(t, []int{}, remove)
 	})
+
+	t.Run("Duplicates", func(t *testing.T) {
+		t.Parallel()
+
+		add, remove := slice.SymmetricDifference(
+			[]int{5, 5, 5, 1, 1, 1, 3, 3, 3, 5, 5, 5},
+			[]int{2, 2, 2, 1, 1, 1, 2, 4, 4, 4, 5, 5, 5, 1, 1},
+		)
+		require.ElementsMatch(t, []int{2, 4}, add)
+		require.ElementsMatch(t, []int{3}, remove)
+	})
 }
diff --git a/codersdk/deployment.go b/codersdk/deployment.go
@@ -14,6 +14,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/google/uuid"
 	"golang.org/x/mod/semver"
 	"golang.org/x/xerrors"
 
@@ -512,29 +513,32 @@ type OIDCConfig struct {
 	ClientID     serpent.String `json:"client_id" typescript:",notnull"`
 	ClientSecret serpent.String `json:"client_secret" typescript:",notnull"`
 	// ClientKeyFile & ClientCertFile are used in place of ClientSecret for PKI auth.
-	ClientKeyFile       serpent.String                      `json:"client_key_file" typescript:",notnull"`
-	ClientCertFile      serpent.String                      `json:"client_cert_file" typescript:",notnull"`
-	EmailDomain         serpent.StringArray                 `json:"email_domain" typescript:",notnull"`
-	IssuerURL           serpent.String                      `json:"issuer_url" typescript:",notnull"`
-	Scopes              serpent.StringArray                 `json:"scopes" typescript:",notnull"`
-	IgnoreEmailVerified serpent.Bool                        `json:"ignore_email_verified" typescript:",notnull"`
-	UsernameField       serpent.String                      `json:"username_field" typescript:",notnull"`
-	NameField           serpent.String                      `json:"name_field" typescript:",notnull"`
-	EmailField          serpent.String                      `json:"email_field" typescript:",notnull"`
-	AuthURLParams       serpent.Struct[map[string]string]   `json:"auth_url_params" typescript:",notnull"`
-	IgnoreUserInfo      serpent.Bool                        `json:"ignore_user_info" typescript:",notnull"`
-	GroupAutoCreate     serpent.Bool                        `json:"group_auto_create" typescript:",notnull"`
-	GroupRegexFilter    serpent.Regexp                      `json:"group_regex_filter" typescript:",notnull"`
-	GroupAllowList      serpent.StringArray                 `json:"group_allow_list" typescript:",notnull"`
-	GroupField          serpent.String                      `json:"groups_field" typescript:",notnull"`
-	GroupMapping        serpent.Struct[map[string]string]   `json:"group_mapping" typescript:",notnull"`
-	UserRoleField       serpent.String                      `json:"user_role_field" typescript:",notnull"`
-	UserRoleMapping     serpent.Struct[map[string][]string] `json:"user_role_mapping" typescript:",notnull"`
-	UserRolesDefault    serpent.StringArray                 `json:"user_roles_default" typescript:",notnull"`
-	SignInText          serpent.String                      `json:"sign_in_text" typescript:",notnull"`
-	IconURL             serpent.URL                         `json:"icon_url" typescript:",notnull"`
-	SignupsDisabledText serpent.String                      `json:"signups_disabled_text" typescript:",notnull"`
-	SkipIssuerChecks    serpent.Bool                        `json:"skip_issuer_checks" typescript:",notnull"`
+	ClientKeyFile             serpent.String                         `json:"client_key_file" typescript:",notnull"`
+	ClientCertFile            serpent.String                         `json:"client_cert_file" typescript:",notnull"`
+	EmailDomain               serpent.StringArray                    `json:"email_domain" typescript:",notnull"`
+	IssuerURL                 serpent.String                         `json:"issuer_url" typescript:",notnull"`
+	Scopes                    serpent.StringArray                    `json:"scopes" typescript:",notnull"`
+	IgnoreEmailVerified       serpent.Bool                           `json:"ignore_email_verified" typescript:",notnull"`
+	UsernameField             serpent.String                         `json:"username_field" typescript:",notnull"`
+	NameField                 serpent.String                         `json:"name_field" typescript:",notnull"`
+	EmailField                serpent.String                         `json:"email_field" typescript:",notnull"`
+	AuthURLParams             serpent.Struct[map[string]string]      `json:"auth_url_params" typescript:",notnull"`
+	IgnoreUserInfo            serpent.Bool                           `json:"ignore_user_info" typescript:",notnull"`
+	OrganizationField         serpent.String                         `json:"organization_field" typescript:",notnull"`
+	OrganizationMapping       serpent.Struct[map[string][]uuid.UUID] `json:"organization_mapping" typescript:",notnull"`
+	OrganizationAssignDefault serpent.Bool                           `json:"organization_assign_default" typescript:",notnull"`
+	GroupAutoCreate           serpent.Bool                           `json:"group_auto_create" typescript:",notnull"`
+	GroupRegexFilter          serpent.Regexp                         `json:"group_regex_filter" typescript:",notnull"`
+	GroupAllowList            serpent.StringArray                    `json:"group_allow_list" typescript:",notnull"`
+	GroupField                serpent.String                         `json:"groups_field" typescript:",notnull"`
+	GroupMapping              serpent.Struct[map[string]string]      `json:"group_mapping" typescript:",notnull"`
+	UserRoleField             serpent.String                         `json:"user_role_field" typescript:",notnull"`
+	UserRoleMapping           serpent.Struct[map[string][]string]    `json:"user_role_mapping" typescript:",notnull"`
+	UserRolesDefault          serpent.StringArray                    `json:"user_roles_default" typescript:",notnull"`
+	SignInText                serpent.String                         `json:"sign_in_text" typescript:",notnull"`
+	IconURL                   serpent.URL                            `json:"icon_url" typescript:",notnull"`
+	SignupsDisabledText       serpent.String                         `json:"signups_disabled_text" typescript:",notnull"`
+	SkipIssuerChecks          serpent.Bool                           `json:"skip_issuer_checks" typescript:",notnull"`
 }
 
 type TelemetryConfig struct {
diff --git a/enterprise/coderd/enidpsync/enidpsync.go b/enterprise/coderd/enidpsync/enidpsync.go
diff --git a/enterprise/coderd/enidpsync/organizations.go b/enterprise/coderd/enidpsync/organizations.go
