coder/coderPublic

NotificationsYou must be signed in to change notification settings
Fork928
Star10.1k

Commit5e2efb6

coadler

and

bpmct

authored

feat: add SCIM provisioning via Okta (#4132)

Co-authored-by: Ben Potter <ben@coder.com>

1 parent50321ba commit5e2efb6Copy full SHA for 5e2efb6

File tree

16 files changed

+467

-13

lines changed

cli
- server_test.go
coderd
- coderd.go
- httpapi
  - httpapi.go
- userauth.go
- users.go
codersdk
- features.go
docs/admin
- auth.md
enterprise
- cli
  - server.go
- coderd
  - coderd.go
  - coderdenttest
    - coderdenttest.go
  - licenses.go
  - licenses_test.go
  - scim.go
  - scim_test.go
go.mod
go.sum

16 files changed

+467

-13

lines changed

`‎cli/server_test.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ import (`
`24`	`24`	`"testing"`
`25`	`25`	`"time"`
`26`	`26`
`27`		`-"github.com/go-chi/chi"`
	`27`	`+"github.com/go-chi/chi/v5"`
`28`	`28`	`"github.com/stretchr/testify/assert"`
`29`	`29`	`"github.com/stretchr/testify/require"`
`30`	`30`	`"go.uber.org/goleak"`

`‎coderd/coderd.go`

Lines changed: 1 addition & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -222,11 +222,7 @@ func New(options Options) API {`
`222`	`222`	`r.Route("/api/v2",func(r chi.Router) {`
`223`	`223`	`api.APIHandler=r`
`224`	`224`
`225`		`-r.NotFound(func(rw http.ResponseWriter,r*http.Request) {`
`226`		`-httpapi.Write(rw,http.StatusNotFound, codersdk.Response{`
`227`		`-Message:"Route not found.",`
`228`		`-})`
`229`		`-})`
	`225`	`+r.NotFound(func(rw http.ResponseWriter,r*http.Request) {httpapi.RouteNotFound(rw) })`
`230`	`226`	`r.Use(`
`231`	`227`	`tracing.Middleware(api.TracerProvider),`
`232`	`228`	`// Specific routes can specify smaller limits.`

`‎coderd/httpapi/httpapi.go`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -75,6 +75,12 @@ func InternalServerError(rw http.ResponseWriter, err error) {`
`75`	`75`	`})`
`76`	`76`	`}`
`77`	`77`
	`78`	`+funcRouteNotFound(rw http.ResponseWriter) {`
	`79`	`+Write(rw,http.StatusNotFound, codersdk.Response{`
	`80`	`+Message:"Route not found.",`
	`81`	`+})`
	`82`	`+}`
	`83`	`+`
`78`	`84`	`// Write outputs a standardized format to an HTTP response body.`
`79`	`85`	`funcWrite(rw http.ResponseWriter,statusint,responseinterface{}) {`
`80`	`86`	`buf:=&bytes.Buffer{}`

`‎coderd/userauth.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -378,7 +378,7 @@ func (api API) oauthLogin(r http.Request, params oauthLoginParams) (*http.Cook`
`378`	`378`	`organizationID=organizations[0].ID`
`379`	`379`	`}`
`380`	`380`
`381`		`-user,_,err=api.createUser(ctx,tx,createUserRequest{`
	`381`	`+user,_,err=api.CreateUser(ctx,tx,CreateUserRequest{`
`382`	`382`	`CreateUserRequest: codersdk.CreateUserRequest{`
`383`	`383`	`Email:params.Email,`
`384`	`384`	`Username:params.Username,`

`‎coderd/users.go`

Lines changed: 4 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -83,7 +83,7 @@ func (api API) postFirstUser(rw http.ResponseWriter, r http.Request) {`
`83`	`83`	`return`
`84`	`84`	`}`
`85`	`85`
`86`		`-user,organizationID,err:=api.createUser(r.Context(),api.Database,createUserRequest{`
	`86`	`+user,organizationID,err:=api.CreateUser(r.Context(),api.Database,CreateUserRequest{`
`87`	`87`	`CreateUserRequest: codersdk.CreateUserRequest{`
`88`	`88`	`Email:createUser.Email,`
`89`	`89`	`Username:createUser.Username,`
`@@ -317,7 +317,7 @@ func (api API) postUser(rw http.ResponseWriter, r http.Request) {`
`317`	`317`	`return`
`318`	`318`	`}`
`319`	`319`
`320`		`-user,_,err:=api.createUser(r.Context(),api.Database,createUserRequest{`
	`320`	`+user,_,err:=api.CreateUser(r.Context(),api.Database,CreateUserRequest{`
`321`	`321`	`CreateUserRequest:req,`
`322`	`322`	`LoginType:database.LoginTypePassword,`
`323`	`323`	`})`
`@@ -1101,12 +1101,12 @@ func (api API) createAPIKey(r http.Request, params createAPIKeyParams) (*http.`
`1101`	`1101`	`},nil`
`1102`	`1102`	`}`
`1103`	`1103`
`1104`		`-typecreateUserRequeststruct {`
	`1104`	`+typeCreateUserRequeststruct {`
`1105`	`1105`	`codersdk.CreateUserRequest`
`1106`	`1106`	`LoginType database.LoginType`
`1107`	`1107`	`}`
`1108`	`1108`
`1109`		`-func (api*API)createUser(ctx context.Context,store database.Store,reqcreateUserRequest) (database.User, uuid.UUID,error) {`
	`1109`	`+func (api*API)CreateUser(ctx context.Context,store database.Store,reqCreateUserRequest) (database.User, uuid.UUID,error) {`
`1110`	`1110`	`varuser database.User`
`1111`	`1111`	`returnuser,req.OrganizationID,store.InTx(func(tx database.Store)error {`
`1112`	`1112`	`orgRoles:=make([]string,0)`

`‎codersdk/features.go`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -17,9 +17,10 @@ const (`
`17`	`17`	`const (`
`18`	`18`	`FeatureUserLimit="user_limit"`
`19`	`19`	`FeatureAuditLog="audit_log"`
	`20`	`+FeatureSCIM="scim"`
`20`	`21`	`)`
`21`	`22`
`22`		`-varFeatureNames= []string{FeatureUserLimit,FeatureAuditLog}`
	`23`	`+varFeatureNames= []string{FeatureUserLimit,FeatureAuditLog,FeatureSCIM}`
`23`	`24`
`24`	`25`	`typeFeaturestruct {`
`25`	`26`	EntitlementEntitlement`json:"entitlement"`

`‎docs/admin/auth.md`

Lines changed: 11 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -74,3 +74,14 @@ CODER_OIDC_CLIENT_SECRET="G0CSP...7qSM"`
`74`	`74`	Once complete, run`sudo service coder restart` to reboot Coder.
`75`	`75`
`76`	`76`	>When a new user is created, the`preferred_username` claim becomes the username. If this claim is empty, the email address will be stripped of the domain, and become the username (e.g.`example@coder.com` becomes`example`).
	`77`	`+`
	`78`	`+##SCIM`
	`79`	`+`
	`80`	`+Coder supports user provisioning and deprovisioning via SCIM 2.0 with header`
	`81`	`+authentication. Upon deactivation, users are[suspended](userd.md#suspend-a-user)`
	`82`	`+and are not deleted.[Configure](./configure.md) your SCIM application with an`
	`83`	`+auth key and supply it the Coder server.`
	`84`	`+`
	`85`	+```console
	`86`	`+CODER_SCIM_API_KEY="your-api-key"`
	`87`	+```

`‎enterprise/cli/server.go`

Lines changed: 4 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -14,11 +14,13 @@ import (`
`14`	`14`
`15`	`15`	`funcserver()*cobra.Command {`
`16`	`16`	`var (`
`17`		`-auditLoggingbool`
	`17`	`+auditLoggingbool`
	`18`	`+scimAuthHeaderstring`
`18`	`19`	`)`
`19`	`20`	`cmd:=agpl.Server(func(ctx context.Context,optionsagplcoderd.Options) (agplcoderd.API,error) {`
`20`	`21`	`api,err:=coderd.New(ctx,&coderd.Options{`
`21`	`22`	`AuditLogging:auditLogging,`
	`23`	`+SCIMAPIKey: []byte(scimAuthHeader),`
`22`	`24`	`Options:options,`
`23`	`25`	`})`
`24`	`26`	`iferr!=nil {`
`@@ -28,6 +30,7 @@ func server() *cobra.Command {`
`28`	`30`	`})`
`29`	`31`	`cliflag.BoolVarP(cmd.Flags(),&auditLogging,"audit-logging","","CODER_AUDIT_LOGGING",true,`
`30`	`32`	`"Specifies whether audit logging is enabled.")`
	`33`	`+cliflag.StringVarP(cmd.Flags(),&scimAuthHeader,"scim-auth-header","","CODER_SCIM_API_KEY","","Enables SCIM and sets the authentication header for the built-in SCIM server. New users are automatically created with OIDC authentication.")`
`31`	`34`
`32`	`35`	`returncmd`
`33`	`36`	`}`

`‎enterprise/coderd/coderd.go`

Lines changed: 19 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,19 @@ func New(ctx context.Context, options Options) (API, error) {`
`63`	`63`	`})`
`64`	`64`	`})`
`65`	`65`
	`66`	`+iflen(options.SCIMAPIKey)!=0 {`
	`67`	`+api.AGPL.RootHandler.Route("/scim/v2",func(r chi.Router) {`
	`68`	`+r.Use(api.scimEnabledMW)`
	`69`	`+r.Post("/Users",api.scimPostUser)`
	`70`	`+r.Route("/Users",func(r chi.Router) {`
	`71`	`+r.Get("/",api.scimGetUsers)`
	`72`	`+r.Post("/",api.scimPostUser)`
	`73`	`+r.Get("/{id}",api.scimGetUser)`
	`74`	`+r.Patch("/{id}",api.scimPatchUser)`
	`75`	`+})`
	`76`	`+})`
	`77`	`+}`
	`78`	`+`
`66`	`79`	`err:=api.updateEntitlements(ctx)`
`67`	`80`	`iferr!=nil {`
`68`	`81`	`returnnil,xerrors.Errorf("update entitlements: %w",err)`
`@@ -76,6 +89,7 @@ type Options struct {`
`76`	`89`	`*coderd.Options`
`77`	`90`
`78`	`91`	`AuditLoggingbool`
	`92`	`+SCIMAPIKey []byte`
`79`	`93`	`EntitlementsUpdateInterval time.Duration`
`80`	`94`	`Keysmap[string]ed25519.PublicKey`
`81`	`95`	`}`
`@@ -93,6 +107,7 @@ type entitlements struct {`
`93`	`107`	`hasLicensebool`
`94`	`108`	`activeUsers codersdk.Feature`
`95`	`109`	`auditLogs codersdk.Entitlement`
	`110`	`+scim codersdk.Entitlement`
`96`	`111`	`}`
`97`	`112`
`98`	`113`	`func (api*API)Close()error {`
`@@ -117,6 +132,7 @@ func (api *API) updateEntitlements(ctx context.Context) error {`
`117`	`132`	`Entitlement:codersdk.EntitlementNotEntitled,`
`118`	`133`	`},`
`119`	`134`	`auditLogs:codersdk.EntitlementNotEntitled,`
	`135`	`+scim:codersdk.EntitlementNotEntitled,`
`120`	`136`	`}`
`121`	`137`
`122`	`138`	`// Here we loop through licenses to detect enabled features.`
`@@ -149,6 +165,9 @@ func (api *API) updateEntitlements(ctx context.Context) error {`
`149`	`165`	`ifclaims.Features.AuditLog>0 {`
`150`	`166`	`entitlements.auditLogs=entitlement`
`151`	`167`	`}`
	`168`	`+ifclaims.Features.SCIM>0 {`
	`169`	`+entitlements.scim=entitlement`
	`170`	`+}`
`152`	`171`	`}`
`153`	`172`
`154`	`173`	`ifentitlements.auditLogs!=api.entitlements.auditLogs {`

`‎enterprise/coderd/coderdenttest/coderdenttest.go`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -37,6 +37,7 @@ func init() {`
`37`	`37`	`typeOptionsstruct {`
`38`	`38`	`*coderdtest.Options`
`39`	`39`	`EntitlementsUpdateInterval time.Duration`
	`40`	`+SCIMAPIKey []byte`
`40`	`41`	`}`
`41`	`42`
`42`	`43`	`// New constructs a codersdk client connected to an in-memory Enterprise API instance.`
`@@ -55,6 +56,7 @@ func NewWithAPI(t testing.T, options Options) (codersdk.Client, io.Closer, c`
`55`	`56`	`srv,cancelFunc,oop:=coderdtest.NewOptions(t,options.Options)`
`56`	`57`	`coderAPI,err:=coderd.New(context.Background(),&coderd.Options{`
`57`	`58`	`AuditLogging:true,`
	`59`	`+SCIMAPIKey:options.SCIMAPIKey,`
`58`	`60`	`Options:oop,`
`59`	`61`	`EntitlementsUpdateInterval:options.EntitlementsUpdateInterval,`
`60`	`62`	`Keys:map[string]ed25519.PublicKey{`
`@@ -82,6 +84,7 @@ type LicenseOptions struct {`
`82`	`84`	`ExpiresAt time.Time`
`83`	`85`	`UserLimitint64`
`84`	`86`	`AuditLogbool`
	`87`	`+SCIMbool`
`85`	`88`	`}`
`86`	`89`
`87`	`90`	`// AddLicense generates a new license with the options provided and inserts it.`
`@@ -105,6 +108,11 @@ func GenerateLicense(t *testing.T, options LicenseOptions) string {`
`105`	`108`	`ifoptions.AuditLog {`
`106`	`109`	`auditLog=1`
`107`	`110`	`}`
	`111`	`+scim:=int64(0)`
	`112`	`+ifoptions.SCIM {`
	`113`	`+scim=1`
	`114`	`+}`
	`115`	`+`
`108`	`116`	`c:=&coderd.Claims{`
`109`	`117`	`RegisteredClaims: jwt.RegisteredClaims{`
`110`	`118`	`Issuer:"test@testing.test",`
`@@ -119,6 +127,7 @@ func GenerateLicense(t *testing.T, options LicenseOptions) string {`
`119`	`127`	`Features: coderd.Features{`
`120`	`128`	`UserLimit:options.UserLimit,`
`121`	`129`	`AuditLog:auditLog,`
	`130`	`+SCIM:scim,`
`122`	`131`	`},`
`123`	`132`	`}`
`124`	`133`	`tok:=jwt.NewWithClaims(jwt.SigningMethodEdDSA,c)`

`‎enterprise/coderd/licenses.go`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,7 @@ var Keys = map[string]ed25519.PublicKey{"2022-08-12": ed25519.PublicKey(key20220`
`47`	`47`	`typeFeaturesstruct {`
`48`	`48`	UserLimitint64`json:"user_limit"`
`49`	`49`	AuditLogint64`json:"audit_log"`
	`50`	+SCIMint64`json:"scim"`
`50`	`51`	`}`
`51`	`52`
`52`	`53`	`typeClaimsstruct {`

`‎enterprise/coderd/licenses_test.go`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -80,11 +80,13 @@ func TestGetLicense(t *testing.T) {`
`80`	`80`	`coderdenttest.AddLicense(t,client, coderdenttest.LicenseOptions{`
`81`	`81`	`AccountID:"testing",`
`82`	`82`	`AuditLog:true,`
	`83`	`+SCIM:true,`
`83`	`84`	`})`
`84`	`85`
`85`	`86`	`coderdenttest.AddLicense(t,client, coderdenttest.LicenseOptions{`
`86`	`87`	`AccountID:"testing2",`
`87`	`88`	`AuditLog:true,`
	`89`	`+SCIM:true,`
`88`	`90`	`UserLimit:200,`
`89`	`91`	`})`
`90`	`92`
`@@ -96,12 +98,14 @@ func TestGetLicense(t *testing.T) {`
`96`	`98`	`assert.Equal(t,map[string]interface{}{`
`97`	`99`	`codersdk.FeatureUserLimit:json.Number("0"),`
`98`	`100`	`codersdk.FeatureAuditLog:json.Number("1"),`
	`101`	`+codersdk.FeatureSCIM:json.Number("1"),`
`99`	`102`	`},licenses[0].Claims["features"])`
`100`	`103`	`assert.Equal(t,int32(2),licenses[1].ID)`
`101`	`104`	`assert.Equal(t,"testing2",licenses[1].Claims["account_id"])`
`102`	`105`	`assert.Equal(t,map[string]interface{}{`
`103`	`106`	`codersdk.FeatureUserLimit:json.Number("200"),`
`104`	`107`	`codersdk.FeatureAuditLog:json.Number("1"),`
	`108`	`+codersdk.FeatureSCIM:json.Number("1"),`
`105`	`109`	`},licenses[1].Claims["features"])`
`106`	`110`	`})`
`107`	`111`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit5e2efb6

File tree

16 files changed

16 files changed

`‎cli/server_test.go`

`‎coderd/coderd.go`

`‎coderd/httpapi/httpapi.go`

`‎coderd/userauth.go`

`‎coderd/users.go`

`‎codersdk/features.go`

`‎docs/admin/auth.md`

`‎enterprise/cli/server.go`

`‎enterprise/coderd/coderd.go`

`‎enterprise/coderd/coderdenttest/coderdenttest.go`

`‎enterprise/coderd/licenses.go`

`‎enterprise/coderd/licenses_test.go`

0 commit comments