Commitff1eabe

coadler

and

Emyrk

authored

feat: add SCIM support for multi-organization (#14691)

* chore: use legacy "AssignDefault" option for legacy behavior in SCIM (#14696)* chore: reference legacy assign default option for legacy behaviorAssignDefault is a boolean flag mainly for single org and legacydeployments. Use this flag to determine SCIM behavior.---------Co-authored-by: Steven Masley <Emyrk@users.noreply.github.com>

1 parent7139374 commitff1eabeCopy full SHA for ff1eabe

File tree

4 files changed

+79

-9

lines changed

coderd/idpsync
- idpsync.go
- organization.go
enterprise/coderd
- scim.go
- scim_test.go

4 files changed

+79

-9

lines changed

`‎coderd/idpsync/idpsync.go`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@ import (`
`24`	`24`	`// claims to the internal representation of a user in Coder.`
`25`	`25`	`// TODO: Move group + role sync into this interface.`
`26`	`26`	`typeIDPSyncinterface {`
	`27`	`+AssignDefaultOrganization()bool`
`27`	`28`	`OrganizationSyncEnabled()bool`
`28`	`29`	`// ParseOrganizationClaims takes claims from an OIDC provider, and returns the`
`29`	`30`	`// organization sync params for assigning users into organizations.`

`‎coderd/idpsync/organization.go`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,10 @@ func (AGPLIDPSync) OrganizationSyncEnabled() bool {`
`32`	`32`	`returnfalse`
`33`	`33`	`}`
`34`	`34`
	`35`	`+func (sAGPLIDPSync)AssignDefaultOrganization()bool {`
	`36`	`+returns.OrganizationAssignDefault`
	`37`	`+}`
	`38`	`+`
`35`	`39`	`func (sAGPLIDPSync)ParseOrganizationClaims(_ context.Context,_ jwt.MapClaims) (OrganizationParams,*HTTPError) {`
`36`	`40`	`// For AGPL we only sync the default organization.`
`37`	`41`	`returnOrganizationParams{`

`‎enterprise/coderd/scim.go`

Lines changed: 14 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -217,22 +217,27 @@ func (api API) scimPostUser(rw http.ResponseWriter, r http.Request) {`
`217`	`217`	`sUser.UserName=codersdk.UsernameFrom(sUser.UserName)`
`218`	`218`	`}`
`219`	`219`
`220`		`-// TODO: This is a temporary solution that does not support multi-org`
`221`		`-// deployments. This assumption places all new SCIM users into the`
`222`		`-//default organization.`
`223`		`-//nolint:gocritic`
`224`		`-defaultOrganization,err:=api.Database.GetDefaultOrganization(dbauthz.AsSystemRestricted(ctx))`
`225`		`-iferr!=nil {`
`226`		`-_=handlerutil.WriteError(rw,err)`
`227`		`-return`
	`220`	`+// If organization sync is enabled, the user's organizations will be`
	`221`	`+// corrected on login. If including the default org, then always assign`
	`222`	`+// the default org, regardless if sync is enabled or not.`
	`223`	`+// This is to preserve single org deployment behavior.`
	`224`	`+organizations:= []uuid.UUID{}`
	`225`	`+ifapi.IDPSync.AssignDefaultOrganization() {`
	`226`	`+//nolint:gocritic // SCIM operations are a system user`
	`227`	`+defaultOrganization,err:=api.Database.GetDefaultOrganization(dbauthz.AsSystemRestricted(ctx))`
	`228`	`+iferr!=nil {`
	`229`	`+_=handlerutil.WriteError(rw,err)`
	`230`	`+return`
	`231`	`+}`
	`232`	`+organizations=append(organizations,defaultOrganization.ID)`
`228`	`233`	`}`
`229`	`234`
`230`	`235`	`//nolint:gocritic // needed for SCIM`
`231`	`236`	`dbUser,err=api.AGPL.CreateUser(dbauthz.AsSystemRestricted(ctx),api.Database, agpl.CreateUserRequest{`
`232`	`237`	`CreateUserRequestWithOrgs: codersdk.CreateUserRequestWithOrgs{`
`233`	`238`	`Username:sUser.UserName,`
`234`	`239`	`Email:email,`
`235`		`-OrganizationIDs:[]uuid.UUID{defaultOrganization.ID},`
	`240`	`+OrganizationIDs:organizations,`
`236`	`241`	`},`
`237`	`242`	`LoginType:database.LoginTypeOIDC,`
`238`	`243`	`// Do not send notifications to user admins as SCIM endpoint might be called sequentially to all users.`

`‎enterprise/coderd/scim_test.go`

Lines changed: 60 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -157,6 +157,66 @@ func TestScim(t *testing.T) {`
`157`	`157`	`require.Len(t,userRes.Users,1)`
`158`	`158`	`assert.Equal(t,sUser.Emails[0].Value,userRes.Users[0].Email)`
`159`	`159`	`assert.Equal(t,sUser.UserName,userRes.Users[0].Username)`
	`160`	`+assert.Len(t,userRes.Users[0].OrganizationIDs,1)`
	`161`	`+`
	`162`	`+// Expect zero notifications (SkipNotifications = true)`
	`163`	`+require.Empty(t,notifyEnq.Sent)`
	`164`	`+})`
	`165`	`+`
	`166`	`+t.Run("OKNoDefault",func(t*testing.T) {`
	`167`	`+t.Parallel()`
	`168`	`+`
	`169`	`+ctx,cancel:=context.WithTimeout(context.Background(),testutil.WaitLong)`
	`170`	`+defercancel()`
	`171`	`+`
	`172`	`+// given`
	`173`	`+scimAPIKey:= []byte("hi")`
	`174`	`+mockAudit:=audit.NewMock()`
	`175`	`+notifyEnq:=&testutil.FakeNotificationsEnqueuer{}`
	`176`	`+dv:=coderdtest.DeploymentValues(t)`
	`177`	`+dv.OIDC.OrganizationAssignDefault=false`
	`178`	`+client,_:=coderdenttest.New(t,&coderdenttest.Options{`
	`179`	`+Options:&coderdtest.Options{`
	`180`	`+Auditor:mockAudit,`
	`181`	`+NotificationsEnqueuer:notifyEnq,`
	`182`	`+DeploymentValues:dv,`
	`183`	`+},`
	`184`	`+SCIMAPIKey:scimAPIKey,`
	`185`	`+AuditLogging:true,`
	`186`	`+LicenseOptions:&coderdenttest.LicenseOptions{`
	`187`	`+AccountID:"coolin",`
	`188`	`+Features: license.Features{`
	`189`	`+codersdk.FeatureSCIM:1,`
	`190`	`+codersdk.FeatureAuditLog:1,`
	`191`	`+},`
	`192`	`+},`
	`193`	`+})`
	`194`	`+mockAudit.ResetLogs()`
	`195`	`+`
	`196`	`+// when`
	`197`	`+sUser:=makeScimUser(t)`
	`198`	`+res,err:=client.Request(ctx,"POST","/scim/v2/Users",sUser,setScimAuth(scimAPIKey))`
	`199`	`+require.NoError(t,err)`
	`200`	`+deferres.Body.Close()`
	`201`	`+require.Equal(t,http.StatusOK,res.StatusCode)`
	`202`	`+`
	`203`	`+// then`
	`204`	`+// Expect audit logs`
	`205`	`+aLogs:=mockAudit.AuditLogs()`
	`206`	`+require.Len(t,aLogs,1)`
	`207`	`+af:=map[string]string{}`
	`208`	`+err=json.Unmarshal([]byte(aLogs[0].AdditionalFields),&af)`
	`209`	`+require.NoError(t,err)`
	`210`	`+assert.Equal(t,coderd.SCIMAuditAdditionalFields,af)`
	`211`	`+assert.Equal(t,database.AuditActionCreate,aLogs[0].Action)`
	`212`	`+`
	`213`	`+// Expect users exposed over API`
	`214`	`+userRes,err:=client.Users(ctx, codersdk.UsersRequest{Search:sUser.Emails[0].Value})`
	`215`	`+require.NoError(t,err)`
	`216`	`+require.Len(t,userRes.Users,1)`
	`217`	`+assert.Equal(t,sUser.Emails[0].Value,userRes.Users[0].Email)`
	`218`	`+assert.Equal(t,sUser.UserName,userRes.Users[0].Username)`
	`219`	`+assert.Len(t,userRes.Users[0].OrganizationIDs,0)`
`160`	`220`
`161`	`221`	`// Expect zero notifications (SkipNotifications = true)`
`162`	`222`	`require.Empty(t,notifyEnq.Sent)`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitff1eabe

File tree

4 files changed

4 files changed

`‎coderd/idpsync/idpsync.go`

`‎coderd/idpsync/organization.go`

`‎enterprise/coderd/scim.go`

`‎enterprise/coderd/scim_test.go`

0 commit comments