Commitced4905

committed
feat: set groupsync to use default org
1 parent872f4a2 commitced4905


11 files changed

+139
-123
lines changed


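--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@@ -134,7 +134,7 @@ type Options struct {
 BaseDERPMap*tailcfg.DERPMap
 DERPMapUpdateFrequency time.Duration
 SwaggerEndpointbool
-SetUserGroupsfunc(ctx context.Context,logger slog.Logger,tx database.Store,userID uuid.UUID,groupNames[]string,createMissingGroupsbool)error
+SetUserGroupsfunc(ctx context.Context,logger slog.Logger,tx database.Store,userID uuid.UUID,orgGroupNamesmap[uuid.UUID][]string,createMissingGroupsbool)error
 SetUserSiteRolesfunc(ctx context.Context,logger slog.Logger,tx database.Store,userID uuid.UUID,roles []string)error
 TemplateScheduleStore*atomic.Pointer[schedule.TemplateScheduleStore]
 UserQuietHoursScheduleStore*atomic.Pointer[schedule.UserQuietHoursScheduleStore]
@@ -301,9 +301,11 @@ func New(options *Options) *API {
 options.TracerProvider=trace.NewNoopTracerProvider()
 }
 ifoptions.SetUserGroups==nil {
-options.SetUserGroups=func(ctx context.Context,logger slog.Logger,_ database.Store,userID uuid.UUID,groups[]string,createMissingGroupsbool)error {
+options.SetUserGroups=func(ctx context.Context,logger slog.Logger,_ database.Store,userID uuid.UUID,orgGroupNamesmap[uuid.UUID][]string,createMissingGroupsbool)error {
 logger.Warn(ctx,"attempted to assign OIDC groups without enterprise license",
-slog.F("user_id",userID),slog.F("groups",groups),slog.F("create_missing_groups",createMissingGroups),
+slog.F("user_id",userID),
+slog.F("groups",orgGroupNames),
+slog.F("create_missing_groups",createMissingGroups),
 )
 returnnil
 }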
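Review bot: The new SetUserGroups field in the first hunk changes its contract (a map keyed by organization ID instead of a flat group list) but still carries no doc comment, so the meaning of the map key is only discoverable from the caller in userauth.go, which passes `defaultOrganization.ID: filtered`. A one-line comment on the Options field would pin that down: `// SetUserGroups reconciles the user's group membership per organization; orgGroupNames maps an organization ID to the group names the user should hold in that organization.` The Options struct and New both extend outside the hunks shown.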

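--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -793,16 +793,6 @@ func (q *querier) DeleteGroupMemberFromGroup(ctx context.Context, arg database.D
 returnupdate(q.log,q.auth,fetch,q.db.DeleteGroupMemberFromGroup)(ctx,arg)
 }
 
-func (q*querier)DeleteGroupMembersByOrgAndUser(ctx context.Context,arg database.DeleteGroupMembersByOrgAndUserParams)error {
-// This will remove the user from all groups in the org. This counts as updating a group.
-// NOTE: instead of fetching all groups in the org with arg.UserID as a member, we instead
-// check if the caller has permission to update any group in the org.
-fetch:=func(ctx context.Context,arg database.DeleteGroupMembersByOrgAndUserParams) (rbac.Objecter,error) {
-returnrbac.ResourceGroup.InOrg(arg.OrganizationID),nil
-}
-returnupdate(q.log,q.auth,fetch,q.db.DeleteGroupMembersByOrgAndUser)(ctx,arg)
-}
-
 func (q*querier)DeleteLicense(ctx context.Context,idint32) (int32,error) {
 err:=deleteQ(q.log,q.auth,q.db.GetLicenseByID,func(ctx context.Context,idint32)error {
 _,err:=q.db.DeleteLicense(ctx,id)
@@ -2555,6 +2545,14 @@ func (q *querier) RegisterWorkspaceProxy(ctx context.Context, arg database.Regis
 returnupdateWithReturn(q.log,q.auth,fetch,q.db.RegisterWorkspaceProxy)(ctx,arg)
 }
 
+func (q*querier)RemoveUserFromAllGroups(ctx context.Context,userID uuid.UUID)error {
+// This is a system function to clear user groups in group sync.
+iferr:=q.authorizeContext(ctx,rbac.ActionUpdate,rbac.ResourceSystem);err!=nil {
+returnerr
+}
+returnq.db.RemoveUserFromAllGroups(ctx,userID)
+}
+
 func (q*querier)RevokeDBCryptKey(ctx context.Context,activeKeyDigeststring)error {
 iferr:=q.authorizeContext(ctx,rbac.ActionUpdate,rbac.ResourceSystem);err!=nil {
 returnerr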
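Review bot: RemoveUserFromAllGroups in the second hunk replaces a per-organization group-update check (the removed DeleteGroupMembersByOrgAndUser authorized against `rbac.ResourceGroup.InOrg`) with a blanket `rbac.ResourceSystem` update check, and the backing query in coderd/database/queries/groupmembers.sql now deletes the user's rows in every organization's groups, not only the default organization that userauth.go repopulates. That widening is acceptable for a system-only sync path, but the one-line comment does not say that it is org-unscoped or that only system-restricted contexts may reach it, so a future user-scoped caller could clear memberships it was never authorized to touch. Suggest replacing the comment with `// RemoveUserFromAllGroups removes the user from every group in every organization. It is only for group sync under a system-restricted context; user-facing callers must go through the per-org group methods.` The same caveat applies to the SQL query comment and to the dbmem fake; if multi-org group sync is added later, the delete-all step will presumably also drop memberships in organizations the sync map does not cover, which is worth confirming.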

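--- a/coderd/database/dbauthz/dbauthz_test.go
+++ b/coderd/database/dbauthz/dbauthz_test.go
@@ -344,17 +344,14 @@ func (s *MethodTestSuite) TestGroup() {
 GroupNames:slice.New(g1.Name,g2.Name),
 }).Asserts(rbac.ResourceGroup.InOrg(o.ID),rbac.ActionUpdate).Returns()
 }))
-s.Run("DeleteGroupMembersByOrgAndUser",s.Subtest(func(db database.Store,check*expects) {
+s.Run("RemoveUserFromAllGroups",s.Subtest(func(db database.Store,check*expects) {
 o:=dbgen.Organization(s.T(),db, database.Organization{})
 u1:=dbgen.User(s.T(),db, database.User{})
 g1:=dbgen.Group(s.T(),db, database.Group{OrganizationID:o.ID})
 g2:=dbgen.Group(s.T(),db, database.Group{OrganizationID:o.ID})
 _=dbgen.GroupMember(s.T(),db, database.GroupMember{GroupID:g1.ID,UserID:u1.ID})
 _=dbgen.GroupMember(s.T(),db, database.GroupMember{GroupID:g2.ID,UserID:u1.ID})
-check.Args(database.DeleteGroupMembersByOrgAndUserParams{
-OrganizationID:o.ID,
-UserID:u1.ID,
-}).Asserts(rbac.ResourceGroup.InOrg(o.ID),rbac.ActionUpdate).Returns()
+check.Args(u1.ID).Asserts(rbac.ResourceSystem,rbac.ActionUpdate).Returns()
 }))
 s.Run("UpdateGroupByID",s.Subtest(func(db database.Store,check*expects) {
 g:=dbgen.Group(s.T(),db, database.Group{})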

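--- a/coderd/database/dbmem/dbmem.go
+++ b/coderd/database/dbmem/dbmem.go
@@ -1135,36 +1135,6 @@ func (q *FakeQuerier) DeleteGroupMemberFromGroup(_ context.Context, arg database
 returnnil
 }
 
-func (q*FakeQuerier)DeleteGroupMembersByOrgAndUser(_ context.Context,arg database.DeleteGroupMembersByOrgAndUserParams)error {
-q.mutex.Lock()
-deferq.mutex.Unlock()
-
-newMembers:=q.groupMembers[:0]
-for_,member:=rangeq.groupMembers {
-ifmember.UserID!=arg.UserID {
-// Do not delete the other members
-newMembers=append(newMembers,member)
-}elseifmember.UserID==arg.UserID {
-// We only want to delete from groups in the organization in the args.
-for_,group:=rangeq.groups {
-// Find the group that the member is apartof.
-ifgroup.ID==member.GroupID {
-// Only add back the member if the organization ID does not match
-// the arg organization ID. Since the arg is saying which
-// org to delete.
-ifgroup.OrganizationID!=arg.OrganizationID {
-newMembers=append(newMembers,member)
-}
-break
-}
-}
-}
-}
-q.groupMembers=newMembers
-
-returnnil
-}
-
 func (q*FakeQuerier)DeleteLicense(_ context.Context,idint32) (int32,error) {
 q.mutex.Lock()
 deferq.mutex.Unlock()
@@ -6096,6 +6066,22 @@ func (q *FakeQuerier) RegisterWorkspaceProxy(_ context.Context, arg database.Reg
 return database.WorkspaceProxy{},sql.ErrNoRows
 }
 
+func (q*FakeQuerier)RemoveUserFromAllGroups(_ context.Context,userID uuid.UUID)error {
+q.mutex.Lock()
+deferq.mutex.Unlock()
+
+newMembers:=q.groupMembers[:0]
+for_,member:=rangeq.groupMembers {
+ifmember.UserID==userID {
+continue
+}
+newMembers=append(newMembers,member)
+}
+q.groupMembers=newMembers
+
+returnnil
+}
+
 func (q*FakeQuerier)RevokeDBCryptKey(_ context.Context,activeKeyDigeststring)error {
 q.mutex.Lock()
 deferq.mutex.Unlock()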

‎coderd/database/dbmetrics/dbmetrics.go

Lines changed: 7 additions & 7 deletions

‎coderd/database/dbmock/dbmock.go

Lines changed: 14 additions & 14 deletions

‎coderd/database/querier.go

Lines changed: 1 addition & 1 deletion

‎coderd/database/queries.sql.go

Lines changed: 12 additions & 18 deletions

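--- a/coderd/database/queries/groupmembers.sql
+++ b/coderd/database/queries/groupmembers.sql
@@ -42,12 +42,11 @@ SELECT
 FROM
 groups;
 
--- name:DeleteGroupMembersByOrgAndUser :exec
+-- name:RemoveUserFromAllGroups :exec
 DELETEFROM
 group_members
 WHERE
-group_members.user_id= @user_id
-AND group_id= ANY(SELECT idFROM groupsWHERE organization_id= @organization_id);
+user_id= @user_id;
 
 -- name: InsertGroupMember :exec
 INSERT INTO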

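--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@@ -1217,8 +1217,10 @@ type oauthLoginParams struct {
 // to the Groups provided.
 UsingGroupsbool
 CreateMissingGroupsbool
-Groups []string
-GroupFilter*regexp.Regexp
+// These are the group names from the IDP. Internally, they will map to
+// some organization groups.
+Groups []string
+GroupFilter*regexp.Regexp
 // Is UsingRoles is true, then the user will be assigned
 // the roles provided.
 UsingRolesbool
@@ -1301,7 +1303,6 @@ func (api *API) oauthLogin(r *http.Request, params *oauthLoginParams) ([]*http.C
 link database.UserLink
 errerror
 )
-
 user=params.User
 link=params.Link
 
@@ -1457,6 +1458,9 @@ func (api *API) oauthLogin(r *http.Request, params *oauthLoginParams) ([]*http.C
 }
 
 // Ensure groups are correct.
+// This places all groups into the default organization.
+// To go multi-org, we need to add a mapping feature here to know which
+// groups go to which orgs.
 ifparams.UsingGroups {
 filtered:=params.Groups
 ifparams.GroupFilter!=nil {
@@ -1468,8 +1472,36 @@ func (api *API) oauthLogin(r *http.Request, params *oauthLoginParams) ([]*http.C
 }
 }
 
+//nolint:gocritic // No user present in the context.
+defaultOrganization,err:=tx.GetDefaultOrganization(dbauthz.AsSystemRestricted(ctx))
+iferr!=nil {
+// If there is no default org, then we can't assign groups.
+// By default, we assume all groups belong to the default org.
+returnxerrors.Errorf("get default organization: %w",err)
+}
+
+//nolint:gocritic // No user present in the context.
+memberships,err:=tx.GetOrganizationMembershipsByUserID(dbauthz.AsSystemRestricted(ctx),user.ID)
+iferr!=nil {
+returnxerrors.Errorf("get organization memberships: %w",err)
+}
+
+inDefault:=false
+for_,membership:=rangememberships {
+ifmembership.OrganizationID==defaultOrganization.ID {
+inDefault=true
+break
+}
+}
+
+if!inDefault {
+returnxerrors.Errorf("user %s is not a member of the default organization, cannot assign to groups in the org",user.ID)
+}
+
 //nolint:gocritic
-err:=api.Options.SetUserGroups(dbauthz.AsSystemRestricted(ctx),logger,tx,user.ID,filtered,params.CreateMissingGroups)
+err=api.Options.SetUserGroups(dbauthz.AsSystemRestricted(ctx),logger,tx,user.ID,map[uuid.UUID][]string{
+defaultOrganization.ID:filtered,
+},params.CreateMissingGroups)
 iferr!=nil {
 returnxerrors.Errorf("set user groups: %w",err)
 }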
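Review bot: In the last hunk, a user who is not a member of the default organization now makes the whole login fail with `user %s is not a member of the default organization, cannot assign to groups in the org`, whereas before this commit group sync for such a user would simply have run against the supplied group list. That membership check is the only guard between the system-restricted context used for every call in this block and writing group membership into an organization the user does not belong to, so it is the right check to have; what is missing is a comment saying that failing closed here is deliberate, because a reader could otherwise "fix" it into a skip. Suggest `// Fail closed: group sync runs as system, so refuse rather than create memberships in an org the user is not part of.` above the `if!inDefault` check, and a note in the error or log that this is reachable by any user in a non-default org when UsingGroups is set. The enclosing oauthLogin body, including where the returned error is mapped to a response, starts and ends outside the hunk.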
