Commit5e4d617

committed
switch oidc test config to deployment values
1 parent633fe1c commit5e4d617


5 files changed

+100
-100
lines changed


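--- a/cli/server.go
+++ b/cli/server.go
@@ -187,11 +187,6 @@ func createOIDCConfig(ctx context.Context, logger slog.Logger, vals *codersdk.De
 EmailField:vals.OIDC.EmailField.String(),
 AuthURLParams:vals.OIDC.AuthURLParams.Value,
 IgnoreUserInfo:vals.OIDC.IgnoreUserInfo.Value(),
-GroupField:vals.OIDC.GroupField.String(),
-GroupFilter:vals.OIDC.GroupRegexFilter.Value(),
-GroupAllowList:groupAllowList,
-CreateMissingGroups:vals.OIDC.GroupAutoCreate.Value(),
-GroupMapping:vals.OIDC.GroupMapping.Value,
 UserRoleField:vals.OIDC.UserRoleField.String(),
 UserRoleMapping:vals.OIDC.UserRoleMapping.Value,
 UserRolesDefault:vals.OIDC.UserRolesDefault.GetSlice(),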

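--- a/coderd/idpsync/group.go
+++ b/coderd/idpsync/group.go
@@ -41,6 +41,9 @@ func (s AGPLIDPSync) SyncGroups(ctx context.Context, db database.Store, user dat
 returnnil
 }
 
+// nolint:gocritic // all syncing is done as a system user
+ctx=dbauthz.AsSystemRestricted(ctx)
+
 // Only care about the default org for deployment settings if the
 // legacy deployment settings exist.
 defaultOrgID:=uuid.Nil
@@ -53,9 +56,6 @@ func (s AGPLIDPSync) SyncGroups(ctx context.Context, db database.Store, user dat
 defaultOrgID=defaultOrganization.ID
 }
 
-// nolint:gocritic // all syncing is done as a system user
-ctx=dbauthz.AsSystemRestricted(ctx)
-
 err:=db.InTx(func(tx database.Store)error {
 userGroups,err:=tx.GetGroups(ctx, database.GetGroupsParams{
 HasMemberID:user.ID,
@@ -86,12 +86,12 @@ func (s AGPLIDPSync) SyncGroups(ctx context.Context, db database.Store, user dat
 }
 
 // Legacy deployment settings will override empty settings.
-iforgID==defaultOrgID&&settings.GroupField=="" {
+iforgID==defaultOrgID&&settings.Field=="" {
 settings=&GroupSyncSettings{
-GroupField:s.Legacy.GroupField,
-LegacyGroupNameMapping:s.Legacy.GroupMapping,
-RegexFilter:s.Legacy.GroupFilter,
-AutoCreateMissingGroups:s.Legacy.CreateMissingGroups,
+Field:s.Legacy.GroupField,
+LegacyNameMapping:s.Legacy.GroupMapping,
+RegexFilter:s.Legacy.GroupFilter,
+AutoCreateMissing:s.Legacy.CreateMissingGroups,
 }
 }
 orgSettings[orgID]=*settings
@@ -102,7 +102,7 @@ func (s AGPLIDPSync) SyncGroups(ctx context.Context, db database.Store, user dat
 groupIDsToRemove:=make([]uuid.UUID,0)
 // For each org, determine which groups the user should land in
 fororgID,settings:=rangeorgSettings {
-ifsettings.GroupField=="" {
+ifsettings.Field=="" {
 // No group sync enabled for this org, so do nothing.
 continue
 }
@@ -231,17 +231,25 @@ func (s AGPLIDPSync) ApplyGroupDifference(ctx context.Context, tx database.Store
 }
 
 typeGroupSyncSettingsstruct {
-GroupFieldstring`json:"field"`
-// GroupMapping maps from an OIDC group --> Coder group ID
-GroupMappingmap[string][]uuid.UUID`json:"mapping"`
-RegexFilter*regexp.Regexp`json:"regex_filter"`
-AutoCreateMissingGroupsbool`json:"auto_create_missing_groups"`
-// LegacyGroupNameMapping is deprecated. It remaps an IDP group name to
+// Field selects the claim field to be used as the created user's
+// groups. If the group field is the empty string, then no group updates
+// will ever come from the OIDC provider.
+Fieldstring`json:"field"`
+// Mapping maps from an OIDC group --> Coder group ID
+Mappingmap[string][]uuid.UUID`json:"mapping"`
+// RegexFilter is a regular expression that filters the groups returned by
+// the OIDC provider. Any group not matched by this regex will be ignored.
+// If the group filter is nil, then no group filtering will occur.
+RegexFilter*regexp.Regexp`json:"regex_filter"`
+// AutoCreateMissing controls whether groups returned by the OIDC provider
+// are automatically created in Coder if they are missing.
+AutoCreateMissingbool`json:"auto_create_missing_groups"`
+// LegacyNameMapping is deprecated. It remaps an IDP group name to
 // a Coder group name. Since configuration is now done at runtime,
 // group IDs are used to account for group renames.
 // For legacy configurations, this config option has to remain.
-// Deprecated: UseGroupMapping instead.
-LegacyGroupNameMappingmap[string]string`json:"legacy_group_name_mapping,omitempty"`
+// Deprecated: UseMapping instead.
+LegacyNameMappingmap[string]string`json:"legacy_group_name_mapping,omitempty"`
 }
 
 func (s*GroupSyncSettings)Set(vstring)error {
@@ -275,7 +283,7 @@ type ExpectedGroup struct {
 // We have to keep names because group sync supports syncing groups by name if
 // the external IDP group name matches the Coder one.
 func (sGroupSyncSettings)ParseClaims(orgID uuid.UUID,mergedClaims jwt.MapClaims) ([]ExpectedGroup,error) {
-groupsRaw,ok:=mergedClaims[s.GroupField]
+groupsRaw,ok:=mergedClaims[s.Field]
 if!ok {
 return []ExpectedGroup{},nil
 }
@@ -290,7 +298,7 @@ func (s GroupSyncSettings) ParseClaims(orgID uuid.UUID, mergedClaims jwt.MapClai
 group:=group
 
 // Legacy group mappings happen before the regex filter.
-mappedGroupName,ok:=s.LegacyGroupNameMapping[group]
+mappedGroupName,ok:=s.LegacyNameMapping[group]
 ifok {
 group=mappedGroupName
 }
@@ -302,7 +310,7 @@ func (s GroupSyncSettings) ParseClaims(orgID uuid.UUID, mergedClaims jwt.MapClai
 }
 }
 
-mappedGroupIDs,ok:=s.GroupMapping[group]
+mappedGroupIDs,ok:=s.Mapping[group]
 ifok {
 for_,gid:=rangemappedGroupIDs {
 gid:=gid
@@ -338,7 +346,7 @@ func (s GroupSyncSettings) HandleMissingGroups(ctx context.Context, tx database.
 }
 }
 
-ifs.AutoCreateMissingGroups&&len(missingGroups)>0 {
+ifs.AutoCreateMissing&&len(missingGroups)>0 {
 // Insert any missing groups. If the groups already exist, this is a noop.
 _,err:=tx.InsertMissingGroups(ctx, database.InsertMissingGroupsParams{
 OrganizationID:orgID,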

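--- a/coderd/idpsync/group_test.go
+++ b/coderd/idpsync/group_test.go
@@ -81,8 +81,8 @@ func TestGroupSyncTable(t *testing.T) {
 {
 Name:"SwitchGroups",
 Settings:&idpsync.GroupSyncSettings{
-GroupField:"groups",
-GroupMapping:map[string][]uuid.UUID{
+Field:"groups",
+Mapping:map[string][]uuid.UUID{
 "foo": {ids.ID("sg-foo"),ids.ID("sg-foo-2")},
 "bar": {ids.ID("sg-bar")},
 "baz": {ids.ID("sg-baz")},
@@ -107,10 +107,10 @@ func TestGroupSyncTable(t *testing.T) {
 {
 Name:"StayInGroup",
 Settings:&idpsync.GroupSyncSettings{
-GroupField:"groups",
+Field:"groups",
 // Only match foo, so bar does not map
 RegexFilter:regexp.MustCompile("^foo$"),
-GroupMapping:map[string][]uuid.UUID{
+Mapping:map[string][]uuid.UUID{
 "foo": {ids.ID("gg-foo"),uuid.New()},
 "bar": {ids.ID("gg-bar")},
 "baz": {ids.ID("gg-baz")},
@@ -127,8 +127,8 @@ func TestGroupSyncTable(t *testing.T) {
 {
 Name:"UserJoinsGroups",
 Settings:&idpsync.GroupSyncSettings{
-GroupField:"groups",
-GroupMapping:map[string][]uuid.UUID{
+Field:"groups",
+Mapping:map[string][]uuid.UUID{
 "foo": {ids.ID("ng-foo"),uuid.New()},
 "bar": {ids.ID("ng-bar"),ids.ID("ng-bar-2")},
 "baz": {ids.ID("ng-baz")},
@@ -150,9 +150,9 @@ func TestGroupSyncTable(t *testing.T) {
 {
 Name:"CreateGroups",
 Settings:&idpsync.GroupSyncSettings{
-GroupField:"groups",
-RegexFilter:regexp.MustCompile("^create"),
-AutoCreateMissingGroups:true,
+Field:"groups",
+RegexFilter:regexp.MustCompile("^create"),
+AutoCreateMissing:true,
 },
 Groups:map[uuid.UUID]bool{},
 ExpectedGroupNames: []string{
@@ -163,9 +163,9 @@ func TestGroupSyncTable(t *testing.T) {
 {
 Name:"GroupNamesNoMapping",
 Settings:&idpsync.GroupSyncSettings{
-GroupField:"groups",
-RegexFilter:regexp.MustCompile(".*"),
-AutoCreateMissingGroups:false,
+Field:"groups",
+RegexFilter:regexp.MustCompile(".*"),
+AutoCreateMissing:false,
 },
 GroupNames:map[string]bool{
 "foo":false,
@@ -180,13 +180,13 @@ func TestGroupSyncTable(t *testing.T) {
 {
 Name:"NoUser",
 Settings:&idpsync.GroupSyncSettings{
-GroupField:"groups",
-GroupMapping:map[string][]uuid.UUID{
+Field:"groups",
+Mapping:map[string][]uuid.UUID{
 // Extra ID that does not map to a group
 "foo": {ids.ID("ow-foo"),uuid.New()},
 },
-RegexFilter:nil,
-AutoCreateMissingGroups:false,
+RegexFilter:nil,
+AutoCreateMissing:false,
 },
 NotMember:true,
 Groups:map[uuid.UUID]bool{
@@ -202,14 +202,14 @@ func TestGroupSyncTable(t *testing.T) {
 {
 Name:"LegacyMapping",
 Settings:&idpsync.GroupSyncSettings{
-GroupField:"groups",
+Field:"groups",
 RegexFilter:regexp.MustCompile("^legacy"),
-LegacyGroupNameMapping:map[string]string{
+LegacyNameMapping:map[string]string{
 "create-bar":"legacy-bar",
 "foo":"legacy-foo",
 "bop":"legacy-bop",
 },
-AutoCreateMissingGroups:true,
+AutoCreateMissing:true,
 },
 Groups:map[uuid.UUID]bool{
 ids.ID("lg-foo"):true,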

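--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@@ -8,7 +8,6 @@ import (
 "fmt"
 "net/http"
 "net/mail"
-"regexp"
 "sort"
 "strconv"
 "strings"
@@ -659,7 +658,7 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 Name:normName,
 DebugContext:OauthDebugContext{},
 GroupSync: idpsync.GroupParams{
-SyncEnabled:false,
+SyncEnabled:false,
 },
 OrganizationSync: idpsync.OrganizationParams{
 SyncEnabled:false,
@@ -743,27 +742,6 @@ type OIDCConfig struct {
 // support the userinfo endpoint, or if the userinfo endpoint causes
 // undesirable behavior.
 IgnoreUserInfobool
-
-// TODO: Move all idp fields into the IDPSync struct
-// GroupField selects the claim field to be used as the created user's
-// groups. If the group field is the empty string, then no group updates
-// will ever come from the OIDC provider.
-GroupFieldstring
-// CreateMissingGroups controls whether groups returned by the OIDC provider
-// are automatically created in Coder if they are missing.
-CreateMissingGroupsbool
-// GroupFilter is a regular expression that filters the groups returned by
-// the OIDC provider. Any group not matched by this regex will be ignored.
-// If the group filter is nil, then no group filtering will occur.
-GroupFilter*regexp.Regexp
-// GroupAllowList is a list of groups that are allowed to log in.
-// If the list length is 0, then the allow list will not be applied and
-// this feature is disabled.
-GroupAllowListmap[string]bool
-// GroupMapping controls how groups returned by the OIDC provider get mapped
-// to groups within Coder.
-// map[oidcGroupName]coderGroupName
-GroupMappingmap[string]string
 // UserRoleField selects the claim field to be used as the created user's
 // roles. If the field is the empty string, then no role updates
 // will ever come from the OIDC provider.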
