Commitb03cb00

committed
chore: reference legacy assign default option for legacy behavior
AssignDefault is a boolean flag intended mainly for single-org and legacy deployments. Use this flag to determine SCIM behavior.
1 parent126a560 commitb03cb00

4 files changed

+81
-5
lines changed


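--- a/coderd/idpsync/idpsync.go
+++ b/coderd/idpsync/idpsync.go
@@ -24,6 +24,7 @@ import (
 // claims to the internal representation of a user in Coder.
 // TODO: Move group + role sync into this interface.
 type IDPSync interface {
+	AssignDefaultOrganization() bool
 	OrganizationSyncEnabled() bool
 	// ParseOrganizationClaims takes claims from an OIDC provider, and returns the
 	// organization sync params for assigning users into organizations.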
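Review bot: `AssignDefaultOrganization() bool` joins the exported `IDPSync` interface without a doc comment, while the neighbouring `ParseOrganizationClaims` documents its contract; the only implementer in this commit returns the `OrganizationAssignDefault` deployment flag, so the comment should state what a true value commits callers to. Suggest `// AssignDefaultOrganization reports whether newly created users should be placed in the deployment's default organization at creation time (single-org / legacy behaviour), independent of whether organization sync later reconciles membership on login.` The interface declaration continues past the end of the hunk.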
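--- a/coderd/idpsync/organization.go
+++ b/coderd/idpsync/organization.go
@@ -32,6 +32,10 @@ func (AGPLIDPSync) OrganizationSyncEnabled() bool {
 	return false
 }
 
+func (s AGPLIDPSync) AssignDefaultOrganization() bool {
+	return s.OrganizationAssignDefault
+}
+
 func (s AGPLIDPSync) ParseOrganizationClaims(_ context.Context, _ jwt.MapClaims) (OrganizationParams, *HTTPError) {
 	// For AGPL we only sync the default organization.
 	return OrganizationParams{
</function>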
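Review bot: `AssignDefaultOrganization` returns `s.OrganizationAssignDefault` with no doc comment, and the adjacent `ParseOrganizationClaims` comment says AGPL only syncs the default organization; nothing in this file says how the two relate, in particular whether a deployment that sets the flag to false leaves a freshly provisioned user with no organization until first login. Suggest a comment on the method: `// AssignDefaultOrganization mirrors the OIDC OrganizationAssignDefault deployment value; when false, callers must not assume a newly created user belongs to any organization before sync runs.` Whether the enterprise implementation overrides this method is not visible in the commit.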
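--- a/enterprise/coderd/scim.go
+++ b/enterprise/coderd/scim.go
@@ -217,14 +217,26 @@ func (api *API) scimPostUser(rw http.ResponseWriter, r *http.Request) {
 		sUser.UserName = codersdk.UsernameFrom(sUser.UserName)
 	}
 
+	// If organization sync is enabled, the user's organizations will be
+	// corrected on login. If including the default org, then always assign
+	// the default org, regardless if sync is enabled or not.
+	// This is to preserve single org deployment behavior.
+	organizations := []uuid.UUID{}
+	if api.IDPSync.AssignDefaultOrganization() {
+		defaultOrganization, err := api.Database.GetDefaultOrganization(dbauthz.AsSystemRestricted(ctx))
+		if err != nil {
+			_ = handlerutil.WriteError(rw, err)
+			return
+		}
+		organizations = append(organizations, defaultOrganization.ID)
+	}
+
 	//nolint:gocritic // needed for SCIM
 	dbUser, err = api.AGPL.CreateUser(dbauthz.AsSystemRestricted(ctx), api.Database, agpl.CreateUserRequest{
 		CreateUserRequestWithOrgs: codersdk.CreateUserRequestWithOrgs{
-			Username: sUser.UserName,
-			Email:    email,
-			// In the multi-org world, SCIM does not assign any orgs. Users will
-			// be automatically sync'd with the correct organization on login.
-			OrganizationIDs: []uuid.UUID{},
+			Username:        sUser.UserName,
+			Email:           email,
+			OrganizationIDs: organizations,
 		},
 		LoginType: database.LoginTypeOIDC,
 		// Do not send notifications to user admins as SCIM endpoint might be called sequentially to all users.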
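Review bot: The comment above `organizations := []uuid.UUID{}` says the default org is assigned "regardless if sync is enabled or not", but the branch assigns it only when `api.IDPSync.AssignDefaultOrganization()` is true, and the sentence before it says organization sync "corrects" membership on login, so a reader cannot tell whether a SCIM-provisioned user who has never authenticated holds default-org membership permanently or only until sync runs. Suggest replacing the four comment lines with `// Assign the default org at creation time only when AssignDefaultOrganization() is set (single-org / legacy deployments). If organization sync is enabled, membership is reconciled on the user's first login and may differ from what is assigned here; until then the user is visible as a default-org member.` Separately, the `GetDefaultOrganization` failure is passed straight to `handlerutil.WriteError`; if that helper echoes the underlying database error text to the SCIM client, consider wrapping it in a generic message as the surrounding handler presumably does elsewhere. `scimPostUser` begins and ends outside the hunk.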
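--- a/enterprise/coderd/scim_test.go
+++ b/enterprise/coderd/scim_test.go
@@ -151,6 +151,65 @@ func TestScim(t *testing.T) {
 		assert.Equal(t, coderd.SCIMAuditAdditionalFields, af)
 		assert.Equal(t, database.AuditActionCreate, aLogs[0].Action)
 
+		// Expect users exposed over API
+		userRes, err := client.Users(ctx, codersdk.UsersRequest{Search: sUser.Emails[0].Value})
+		require.NoError(t, err)
+		require.Len(t, userRes.Users, 1)
+		assert.Equal(t, sUser.Emails[0].Value, userRes.Users[0].Email)
+		assert.Equal(t, sUser.UserName, userRes.Users[0].Username)
+		assert.Len(t, userRes.Users[0].OrganizationIDs, 1)
+
+		// Expect zero notifications (SkipNotifications = true)
+		require.Empty(t, notifyEnq.Sent)
+	})
+
+	t.Run("OKNoDefault", func(t *testing.T) {
+		t.Parallel()
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		// given
+		scimAPIKey := []byte("hi")
+		mockAudit := audit.NewMock()
+		notifyEnq := &testutil.FakeNotificationsEnqueuer{}
+		dv := coderdtest.DeploymentValues(t)
+		dv.OIDC.OrganizationAssignDefault = false
+		client, _ := coderdenttest.New(t, &coderdenttest.Options{
+			Options: &coderdtest.Options{
+				Auditor:               mockAudit,
+				NotificationsEnqueuer: notifyEnq,
+				DeploymentValues:      dv,
+			},
+			SCIMAPIKey:   scimAPIKey,
+			AuditLogging: true,
+			LicenseOptions: &coderdenttest.LicenseOptions{
+				AccountID: "coolin",
+				Features: license.Features{
+					codersdk.FeatureSCIM:     1,
+					codersdk.FeatureAuditLog: 1,
+				},
+			},
+		})
+		mockAudit.ResetLogs()
+
+		// when
+		sUser := makeScimUser(t)
+		res, err := client.Request(ctx, "POST", "/scim/v2/Users", sUser, setScimAuth(scimAPIKey))
+		require.NoError(t, err)
+		defer res.Body.Close()
+		require.Equal(t, http.StatusOK, res.StatusCode)
+
+		// then
+		// Expect audit logs
+		aLogs := mockAudit.AuditLogs()
+		require.Len(t, aLogs, 1)
+		af := map[string]string{}
+		err = json.Unmarshal([]byte(aLogs[0].AdditionalFields), &af)
+		require.NoError(t, err)
+		assert.Equal(t, coderd.SCIMAuditAdditionalFields, af)
+		assert.Equal(t, database.AuditActionCreate, aLogs[0].Action)
+
 		// Expect users exposed over API
 		userRes, err := client.Users(ctx, codersdk.UsersRequest{Search: sUser.Emails[0].Value})
 		require.NoError(t, err)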
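Review bot: The `OK` subtest's new `assert.Len(t, userRes.Users[0].OrganizationIDs, 1)` pins only the count, not that the membership is the default organization, so a regression that assigns some other org would still pass; if the `coderdenttest.New` setup in the `OK` subtest exposes the first user, compare against its organization, e.g. `require.Equal(t, firstUser.OrganizationID, userRes.Users[0].OrganizationIDs[0])`. The `OKNoDefault` subtest repeats the entire client and licence setup of `OK` with only `dv.OIDC.OrganizationAssignDefault = false` changed; a small helper taking the flag would keep the two cases from drifting apart. The assertions that actually distinguish the no-default path, and the rest of `TestScim`, lie past the end of the hunk.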