NotificationsYou must be signed in to change notification settings
Fork913
Star10.1k

Commit0abd55e

committed

fix(scim): ensure scim users aren't created with their own org

1 parent0b15b1b commit0abd55eCopy full SHA for 0abd55e

File tree

8 files changed

+91

-22

lines changed

coderd
- apidoc
  - docs.go
  - swagger.json
- userauth.go
- users.go
- users_test.go
codersdk
- users.go
docs/api
- schemas.md
enterprise/coderd
- scim.go

8 files changed

+91

-22

lines changed

`‎coderd/apidoc/docs.go`

Lines changed: 0 additions & 1 deletion

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apidoc/swagger.json`

Lines changed: 1 addition & 1 deletion

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/userauth.go`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -921,7 +921,8 @@ func (api API) oauthLogin(r http.Request, params oauthLoginParams) (*http.Cook`
`921`	`921`	`Username:params.Username,`
`922`	`922`	`OrganizationID:organizationID,`
`923`	`923`	`},`
`924`		`-LoginType:params.LoginType,`
	`924`	`+CreateOrganization:len(organizations)==0,`
	`925`	`+LoginType:params.LoginType,`
`925`	`926`	`})`
`926`	`927`	`iferr!=nil {`
`927`	`928`	`returnxerrors.Errorf("create user: %w",err)`

`‎coderd/users.go`

Lines changed: 43 additions & 15 deletions

Original file line number	Diff line number	Diff line change
`@@ -128,7 +128,8 @@ func (api API) postFirstUser(rw http.ResponseWriter, r http.Request) {`
`128`	`128`	`// Create an org for the first user.`
`129`	`129`	`OrganizationID:uuid.Nil,`
`130`	`130`	`},`
`131`		`-LoginType:database.LoginTypePassword,`
	`131`	`+CreateOrganization:true,`
	`132`	`+LoginType:database.LoginTypePassword,`
`132`	`133`	`})`
`133`	`134`	`iferr!=nil {`
`134`	`135`	`httpapi.Write(ctx,rw,http.StatusInternalServerError, codersdk.Response{`
`@@ -313,19 +314,41 @@ func (api API) postUser(rw http.ResponseWriter, r http.Request) {`
`313`	`314`	`return`
`314`	`315`	`}`
`315`	`316`
`316`		`-_,err=api.Database.GetOrganizationByID(ctx,req.OrganizationID)`
`317`		`-ifhttpapi.Is404Error(err) {`
`318`		`-httpapi.Write(ctx,rw,http.StatusNotFound, codersdk.Response{`
`319`		`-Message:fmt.Sprintf("Organization does not exist with the provided id %q.",req.OrganizationID),`
`320`		`-})`
`321`		`-return`
`322`		`-}`
`323`		`-iferr!=nil {`
`324`		`-httpapi.Write(ctx,rw,http.StatusInternalServerError, codersdk.Response{`
`325`		`-Message:"Internal error fetching organization.",`
`326`		`-Detail:err.Error(),`
`327`		`-})`
`328`		`-return`
	`317`	`+ifreq.OrganizationID!=uuid.Nil {`
	`318`	`+// If an organization was provided, make sure it exists.`
	`319`	`+_,err:=api.Database.GetOrganizationByID(ctx,req.OrganizationID)`
	`320`	`+iferr!=nil {`
	`321`	`+ifhttpapi.Is404Error(err) {`
	`322`	`+httpapi.Write(ctx,rw,http.StatusNotFound, codersdk.Response{`
	`323`	`+Message:fmt.Sprintf("Organization does not exist with the provided id %q.",req.OrganizationID),`
	`324`	`+})`
	`325`	`+return`
	`326`	`+}`
	`327`	`+`
	`328`	`+httpapi.Write(ctx,rw,http.StatusInternalServerError, codersdk.Response{`
	`329`	`+Message:"Internal error fetching organization.",`
	`330`	`+Detail:err.Error(),`
	`331`	`+})`
	`332`	`+return`
	`333`	`+}`
	`334`	`+}else {`
	`335`	`+// If no organization is provided, add the user to the first`
	`336`	`+// organization.`
	`337`	`+organizations,err:=api.Database.GetOrganizations(ctx)`
	`338`	`+iferr!=nil {`
	`339`	`+httpapi.Write(ctx,rw,http.StatusInternalServerError, codersdk.Response{`
	`340`	`+Message:"Internal error fetching user.",`
	`341`	`+Detail:err.Error(),`
	`342`	`+})`
	`343`	`+return`
	`344`	`+}`
	`345`	`+`
	`346`	`+iflen(organizations)>0 {`
	`347`	`+// Add the user to the first organization. Once multi-organization`
	`348`	`+// support is added, we should enable a configuration map of user`
	`349`	`+// email to organization.`
	`350`	`+req.OrganizationID=organizations[0].ID`
	`351`	`+}`
`329`	`352`	`}`
`330`	`353`
`331`	`354`	`err=userpassword.Validate(req.Password)`
`@@ -955,7 +978,8 @@ func (api API) organizationByUserAndName(rw http.ResponseWriter, r http.Reques`
`955`	`978`
`956`	`979`	`typeCreateUserRequeststruct {`
`957`	`980`	`codersdk.CreateUserRequest`
`958`		`-LoginType database.LoginType`
	`981`	`+CreateOrganizationbool`
	`982`	`+LoginType database.LoginType`
`959`	`983`	`}`
`960`	`984`
`961`	`985`	`func (api*API)CreateUser(ctx context.Context,store database.Store,reqCreateUserRequest) (database.User, uuid.UUID,error) {`
`@@ -964,6 +988,10 @@ func (api *API) CreateUser(ctx context.Context, store database.Store, req Create`
`964`	`988`	`orgRoles:=make([]string,0)`
`965`	`989`	`// If no organization is provided, create a new one for the user.`
`966`	`990`	`ifreq.OrganizationID==uuid.Nil {`
	`991`	`+if!req.CreateOrganization {`
	`992`	`+returnxerrors.Errorf("organization ID must be provided")`
	`993`	`+}`
	`994`	`+`
`967`	`995`	`organization,err:=tx.InsertOrganization(ctx, database.InsertOrganizationParams{`
`968`	`996`	`ID:uuid.New(),`
`969`	`997`	`Name:req.Username,`

`‎coderd/users_test.go`

Lines changed: 25 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -478,6 +478,31 @@ func TestPostUsers(t *testing.T) {`
`478`	`478`	`require.Equal(t,http.StatusNotFound,apiErr.StatusCode())`
`479`	`479`	`})`
`480`	`480`
	`481`	`+t.Run("CreateWithoutOrg",func(t*testing.T) {`
	`482`	`+t.Parallel()`
	`483`	`+auditor:=audit.NewMock()`
	`484`	`+client:=coderdtest.New(t,&coderdtest.Options{Auditor:auditor})`
	`485`	`+numLogs:=len(auditor.AuditLogs())`
	`486`	`+`
	`487`	`+_=coderdtest.CreateFirstUser(t,client)`
	`488`	`+numLogs++// add an audit log for user create`
	`489`	`+numLogs++// add an audit log for login`
	`490`	`+`
	`491`	`+ctx,cancel:=context.WithTimeout(context.Background(),testutil.WaitLong)`
	`492`	`+defercancel()`
	`493`	`+`
	`494`	`+_,err:=client.CreateUser(ctx, codersdk.CreateUserRequest{`
	`495`	`+Email:"another@user.org",`
	`496`	`+Username:"someone-else",`
	`497`	`+Password:"SomeSecurePassword!",`
	`498`	`+})`
	`499`	`+require.NoError(t,err)`
	`500`	`+`
	`501`	`+require.Len(t,auditor.AuditLogs(),numLogs)`
	`502`	`+require.Equal(t,database.AuditActionCreate,auditor.AuditLogs()[numLogs-1].Action)`
	`503`	`+require.Equal(t,database.AuditActionLogin,auditor.AuditLogs()[numLogs-2].Action)`
	`504`	`+})`
	`505`	`+`
`481`	`506`	`t.Run("Create",func(t*testing.T) {`
`482`	`507`	`t.Parallel()`
`483`	`508`	`auditor:=audit.NewMock()`

`‎codersdk/users.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,7 @@ type CreateUserRequest struct {`
`69`	`69`	Emailstring`json:"email" validate:"required,email" format:"email"`
`70`	`70`	Usernamestring`json:"username" validate:"required,username"`
`71`	`71`	Passwordstring`json:"password" validate:"required"`
`72`		-OrganizationID uuid.UUID`json:"organization_id" validate:"required" format:"uuid"`
	`72`	+OrganizationID uuid.UUID`json:"organization_id" validate:"" format:"uuid"`
`73`	`73`	`}`
`74`	`74`
`75`	`75`	`typeUpdateUserProfileRequeststruct {`

`‎docs/api/schemas.md`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1564,7 +1564,7 @@ CreateParameterRequest is a structure used to create a new parameter value for a`
`1564`	`1564`	`\| Name\| Type\| Required\| Restrictions\| Description\|`
`1565`	`1565`	`\| -----------------\| ------\| --------\| ------------\| -----------\|`
`1566`	`1566`	\|`email`\| string\| true\|\|\|
`1567`		-\|`organization_id`\| string\|true\|\|\|
	`1567`	+\|`organization_id`\| string\|false\|\|\|
`1568`	`1568`	\|`password`\| string\| true\|\|\|
`1569`	`1569`	\|`username`\| string\| true\|\|\|
`1570`	`1570`

`‎enterprise/coderd/scim.go`

Lines changed: 18 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -156,11 +156,27 @@ func (api API) scimPostUser(rw http.ResponseWriter, r http.Request) {`
`156`	`156`	`return`
`157`	`157`	`}`
`158`	`158`
	`159`	`+varorganizationID uuid.UUID`
	`160`	`+//nolint:gocritic`
	`161`	`+organizations,err:=api.Database.GetOrganizations(dbauthz.AsSystemRestricted(ctx))`
	`162`	`+iferr!=nil {`
	`163`	`+_=handlerutil.WriteError(rw,err)`
	`164`	`+return`
	`165`	`+}`
	`166`	`+`
	`167`	`+iflen(organizations)>0 {`
	`168`	`+// Add the user to the first organization. Once multi-organization`
	`169`	`+// support is added, we should enable a configuration map of user`
	`170`	`+// email to organization.`
	`171`	`+organizationID=organizations[0].ID`
	`172`	`+}`
	`173`	`+`
`159`	`174`	`//nolint:gocritic // needed for SCIM`
`160`	`175`	`user,_,err:=api.AGPL.CreateUser(dbauthz.AsSystemRestricted(ctx),api.Database, agpl.CreateUserRequest{`
`161`	`176`	`CreateUserRequest: codersdk.CreateUserRequest{`
`162`		`-Username:sUser.UserName,`
`163`		`-Email:email,`
	`177`	`+Username:sUser.UserName,`
	`178`	`+Email:email,`
	`179`	`+OrganizationID:organizationID,`
`164`	`180`	`},`
`165`	`181`	`LoginType:database.LoginTypeOIDC,`
`166`	`182`	`})`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit0abd55e

File tree

8 files changed

8 files changed

`‎coderd/apidoc/docs.go`

`‎coderd/apidoc/swagger.json`

`‎coderd/userauth.go`

`‎coderd/users.go`

`‎coderd/users_test.go`

`‎codersdk/users.go`

`‎docs/api/schemas.md`

`‎enterprise/coderd/scim.go`

0 commit comments