NotificationsYou must be signed in to change notification settings
Fork1.1k
Star11.4k

Commitb1ece73

committed

chore: remove resetting user's roles on misconfigured

1 parentca8e9b9 commitb1ece73Copy full SHA for b1ece73

File tree

3 files changed

+88

-35

lines changed

coderd/idpsync

3 files changed

+88

-35

lines changed

`‎coderd/idpsync/group_test.go‎`

Lines changed: 24 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -756,6 +756,7 @@ func SetupOrganization(t testing.T, s idpsync.AGPLIDPSync, db database.Store,`
`756`	`756`	`OrganizationID:org.ID,`
`757`	`757`	`})`
`758`	`758`	`}`
	`759`	`+`
`759`	`760`	`iflen(def.OrganizationRoles)>0 {`
`760`	`761`	`_,err:=db.UpdateMemberRoles(context.Background(), database.UpdateMemberRolesParams{`
`761`	`762`	`GrantedRoles:def.OrganizationRoles,`
`@@ -764,6 +765,24 @@ func SetupOrganization(t testing.T, s idpsync.AGPLIDPSync, db database.Store,`
`764`	`765`	`})`
`765`	`766`	`require.NoError(t,err)`
`766`	`767`	`}`
	`768`	`+`
	`769`	`+iflen(def.CustomRoles)>0 {`
	`770`	`+for_,cr:=rangedef.CustomRoles {`
	`771`	`+_,err:=db.InsertCustomRole(context.Background(), database.InsertCustomRoleParams{`
	`772`	`+Name:cr,`
	`773`	`+DisplayName:cr,`
	`774`	`+OrganizationID: uuid.NullUUID{`
	`775`	`+UUID:org.ID,`
	`776`	`+Valid:true,`
	`777`	`+},`
	`778`	`+SitePermissions:nil,`
	`779`	`+OrgPermissions:nil,`
	`780`	`+UserPermissions:nil,`
	`781`	`+})`
	`782`	`+require.NoError(t,err)`
	`783`	`+}`
	`784`	`+}`
	`785`	`+`
`767`	`786`	`forgroupID,in:=rangedef.Groups {`
`768`	`787`	`dbgen.Group(t,db, database.Group{`
`769`	`788`	`ID:groupID,`
`@@ -793,10 +812,10 @@ func SetupOrganization(t testing.T, s idpsync.AGPLIDPSync, db database.Store,`
`793`	`812`	`typeorgSetupDefinitionstruct {`
`794`	`813`	`Namestring`
`795`	`814`	`// True if the user is a member of the group`
`796`		`-Groupsmap[uuid.UUID]bool`
`797`		`-GroupNamesmap[string]bool`
`798`		`-`
	`815`	`+Groupsmap[uuid.UUID]bool`
	`816`	`+GroupNamesmap[string]bool`
`799`	`817`	`OrganizationRoles []string`
	`818`	`+CustomRoles []string`
`800`	`819`	`// NotMember if true will ensure the user is not a member of the organization.`
`801`	`820`	`NotMemberbool`
`802`	`821`
`@@ -839,7 +858,8 @@ func (o orgSetupDefinition) Assert(t *testing.T, orgID uuid.UUID, db database.St`
`839`	`858`	`o.assertRoles.Assert(t,orgID,db,o.NotMember,user)`
`840`	`859`	`}`
`841`	`860`
`842`		`-ifo.assertGroups==nil&&o.assertRoles==nil {`
	`861`	`+// If the user is not a member, there is nothing to really assert in the org`
	`862`	`+ifo.assertGroups==nil&&o.assertRoles==nil&&!o.NotMember {`
`843`	`863`	`t.Errorf("no group or role asserts present, must have at least one")`
`844`	`864`	`t.FailNow()`
`845`	`865`	`}`

`‎coderd/idpsync/role.go‎`

Lines changed: 10 additions & 24 deletions

Original file line number	Diff line number	Diff line change
`@@ -98,8 +98,16 @@ func (s AGPLIDPSync) SyncRoles(ctx context.Context, db database.Store, user data`
`98`	`98`	`slog.Error(err),`
`99`	`99`	`)`
`100`	`100`
`101`		`-// Failing role sync should reset a user's roles.`
`102`		`-expectedRoles[orgID]= []rbac.RoleIdentifier{}`
	`101`	`+// TODO: If rolesync fails, we might want to reset a user's`
	`102`	`+// roles to prevent stale roles from existing.`
	`103`	+// Eg: `expectedRoles[orgID] = []rbac.RoleIdentifier{}`
	`104`	`+// However, implementing this could lock an org admin out`
	`105`	`+// of fixing their configuration.`
	`106`	`+// There is also no current method to notify an org admin of`
	`107`	`+// a configuration issue.`
	`108`	`+// So until org admins can be notified of configuration issues,`
	`109`	`+// and they will not be locked out, this code will do nothing to`
	`110`	`+// the user's roles.`
`103`	`111`
`104`	`112`	`// Do not return an error, because that would prevent a user`
`105`	`113`	`// from logging in. A misconfigured organization should not`
`@@ -172,28 +180,6 @@ func (s AGPLIDPSync) SyncRoles(ctx context.Context, db database.Store, user data`
`172`	`180`	`returnnil`
`173`	`181`	`}`
`174`	`182`
`175`		`-// resetUserOrgRoles will reset the user's roles for a specific organization.`
`176`		`-// It does not remove them as a member from the organization.`
`177`		`-func (sAGPLIDPSync)resetUserOrgRoles(ctx context.Context,tx database.Store,member database.OrganizationMembersRow,orgID uuid.UUID)error {`
`178`		`-withoutMember:=slices.DeleteFunc(member.OrganizationMember.Roles,func(sstring)bool {`
`179`		`-returns==rbac.RoleOrgMember()`
`180`		`-})`
`181`		`-// If the user has no roles, then skip doing any database request.`
`182`		`-iflen(withoutMember)==0 {`
`183`		`-returnnil`
`184`		`-}`
`185`		`-`
`186`		`-_,err:=tx.UpdateMemberRoles(ctx, database.UpdateMemberRolesParams{`
`187`		`-GrantedRoles: []string{},`
`188`		`-UserID:member.OrganizationMember.UserID,`
`189`		`-OrgID:orgID,`
`190`		`-})`
`191`		`-iferr!=nil {`
`192`		`-returnxerrors.Errorf("zero out member roles(%s): %w",member.OrganizationMember.UserID.String(),err)`
`193`		`-}`
`194`		`-returnnil`
`195`		`-}`
`196`		`-`
`197`	`183`	`func (sAGPLIDPSync)syncSiteWideRoles(ctx context.Context,tx database.Store,user database.User,paramsRoleParams)error {`
`198`	`184`	`// Apply site wide roles to a user.`
`199`	`185`	`// ignored is the list of roles that are not valid Coder roles and will`

`‎coderd/idpsync/role_test.go‎`

Lines changed: 54 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,8 @@ func TestRoleSyncTable(t *testing.T) {`
`31`	`31`	`"create-bar","create-baz",`
`32`	`32`	`"legacy-bar",rbac.RoleOrgAuditor(),`
`33`	`33`	`},`
	`34`	`+// bad-claim is a number, and will fail any role sync`
	`35`	`+"bad-claim":100,`
`34`	`36`	`}`
`35`	`37`
`36`	`38`	`//ids := coderdtest.NewDeterministicUUIDGenerator()`
`@@ -43,41 +45,83 @@ func TestRoleSyncTable(t *testing.T) {`
`43`	`45`	`},`
`44`	`46`	`},`
`45`	`47`	`{`
`46`		`-Name:"NoSyncNoChange",`
	`48`	`+Name:"SyncDisabled",`
`47`	`49`	`OrganizationRoles: []string{`
`48`	`50`	`rbac.RoleOrgAdmin(),`
`49`	`51`	`},`
	`52`	`+RoleSettings:&idpsync.RoleSyncSettings{},`
`50`	`53`	`assertRoles:&orgRoleAssert{`
`51`	`54`	`ExpectedOrgRoles: []string{`
`52`	`55`	`rbac.RoleOrgAdmin(),`
`53`	`56`	`},`
`54`	`57`	`},`
`55`	`58`	`},`
`56`	`59`	`{`
`57`		`-Name:"NoChange",`
	`60`	`+// Audit role from claim`
	`61`	`+Name:"RawAudit",`
`58`	`62`	`OrganizationRoles: []string{`
`59`	`63`	`rbac.RoleOrgAdmin(),`
`60`	`64`	`},`
`61`		`-RoleSettings:&idpsync.RoleSyncSettings{},`
	`65`	`+RoleSettings:&idpsync.RoleSyncSettings{`
	`66`	`+Field:"roles",`
	`67`	`+Mapping:map[string][]string{},`
	`68`	`+},`
`62`	`69`	`assertRoles:&orgRoleAssert{`
`63`	`70`	`ExpectedOrgRoles: []string{`
`64`		`-rbac.RoleOrgAdmin(),`
	`71`	`+rbac.RoleOrgAuditor(),`
`65`	`72`	`},`
`66`	`73`	`},`
`67`	`74`	`},`
`68`	`75`	`{`
`69`		`-// Audit role from claim`
`70`		`-Name:"RawAudit",`
	`76`	`+Name:"CustomRole",`
`71`	`77`	`OrganizationRoles: []string{`
`72`	`78`	`rbac.RoleOrgAdmin(),`
`73`	`79`	`},`
	`80`	`+CustomRoles: []string{"foo"},`
`74`	`81`	`RoleSettings:&idpsync.RoleSyncSettings{`
`75`	`82`	`Field:"roles",`
`76`	`83`	`Mapping:map[string][]string{},`
`77`	`84`	`},`
`78`	`85`	`assertRoles:&orgRoleAssert{`
`79`	`86`	`ExpectedOrgRoles: []string{`
`80`	`87`	`rbac.RoleOrgAuditor(),`
	`88`	`+"foo",`
	`89`	`+},`
	`90`	`+},`
	`91`	`+},`
	`92`	`+{`
	`93`	`+Name:"RoleMapping",`
	`94`	`+OrganizationRoles: []string{`
	`95`	`+rbac.RoleOrgAdmin(),`
	`96`	`+"invalid",// Throw in an extra invalid role that will be removed`
	`97`	`+},`
	`98`	`+CustomRoles: []string{"custom"},`
	`99`	`+RoleSettings:&idpsync.RoleSyncSettings{`
	`100`	`+Field:"roles",`
	`101`	`+Mapping:map[string][]string{`
	`102`	`+"foo": {"custom",rbac.RoleOrgTemplateAdmin()},`
	`103`	`+},`
	`104`	`+},`
	`105`	`+assertRoles:&orgRoleAssert{`
	`106`	`+ExpectedOrgRoles: []string{`
	`107`	`+rbac.RoleOrgAuditor(),`
	`108`	`+rbac.RoleOrgTemplateAdmin(),`
	`109`	`+"custom",`
	`110`	`+},`
	`111`	`+},`
	`112`	`+},`
	`113`	`+{`
	`114`	`+// InvalidClaims will log an error, but do not block authentication.`
	`115`	`+// This is to prevent a misconfigured organization from blocking`
	`116`	`+// a user from authenticating.`
	`117`	`+Name:"InvalidClaim",`
	`118`	`+OrganizationRoles: []string{rbac.RoleOrgAdmin()},`
	`119`	`+RoleSettings:&idpsync.RoleSyncSettings{`
	`120`	`+Field:"bad-claim",`
	`121`	`+},`
	`122`	`+assertRoles:&orgRoleAssert{`
	`123`	`+ExpectedOrgRoles: []string{`
	`124`	`+rbac.RoleOrgAdmin(),`
`81`	`125`	`},`
`82`	`126`	`},`
`83`	`127`	`},`
`@@ -90,7 +134,9 @@ func TestRoleSyncTable(t *testing.T) {`
`90`	`134`
`91`	`135`	`db,_:=dbtestutil.NewDB(t)`
`92`	`136`	`manager:=runtimeconfig.NewManager()`
`93`		`-s:=idpsync.NewAGPLSync(slogtest.Make(t,&slogtest.Options{}),`
	`137`	`+s:=idpsync.NewAGPLSync(slogtest.Make(t,&slogtest.Options{`
	`138`	`+IgnoreErrors:true,`
	`139`	`+}),`
`94`	`140`	`manager,`
`95`	`141`	`idpsync.DeploymentSyncSettings{`
`96`	`142`	`SiteRoleField:"roles",`
`@@ -105,6 +151,7 @@ func TestRoleSyncTable(t *testing.T) {`
`105`	`151`	`// Do the group sync!`
`106`	`152`	`err:=s.SyncRoles(ctx,db,user, idpsync.RoleParams{`
`107`	`153`	`SyncEnabled:true,`
	`154`	`+SyncSiteWide:false,`
`108`	`155`	`MergedClaims:userClaims,`
`109`	`156`	`})`
`110`	`157`	`require.NoError(t,err)`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitb1ece73

File tree

3 files changed

3 files changed

`‎coderd/idpsync/group_test.go‎`

`‎coderd/idpsync/role.go‎`

`‎coderd/idpsync/role_test.go‎`

0 commit comments