Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

chore: support multi-org group sync with runtime configuration#14578

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
Emyrk merged 38 commits intomainfromstevenmasley/org_group_sync
Sep 11, 2024
Merged
Show file tree
Hide file tree
Changes fromall commits
Commits
Show all changes
38 commits
Select commitHold shift + click to select a range
99c97c2
wip
EmyrkSep 3, 2024
bfddeb6
begin group sync main work
EmyrkSep 3, 2024
f2857c6
initial implementation of group sync
EmyrkSep 3, 2024
791a059
work on moving to the manager
EmyrkSep 4, 2024
4326e9d
fixup compile issues
EmyrkSep 4, 2024
6d3ed2e
fixup some tests
EmyrkSep 4, 2024
0803619
handle allow list
EmyrkSep 4, 2024
596e7b4
WIP unit test for group sync
EmyrkSep 4, 2024
b9476ac
fixup tests, account for existing groups
EmyrkSep 4, 2024
ee8e4e4
fix compile issues
EmyrkSep 5, 2024
d5ff0f7
add comment for test helper
EmyrkSep 5, 2024
86c0f6f
handle legacy params
EmyrkSep 5, 2024
2f03e18
make gen
EmyrkSep 5, 2024
ec8092d
cleanup
EmyrkSep 5, 2024
d63727d
add unit test for legacy behavior
EmyrkSep 5, 2024
2a1769c
work on batching removal by name or id
EmyrkSep 5, 2024
640e86e
group sync adjustments
EmyrkSep 5, 2024
c544a29
test legacy params
EmyrkSep 5, 2024
476be45
add unit test for ApplyGroupDifference
EmyrkSep 5, 2024
164aeac
chore: remove old group sync code
EmyrkSep 5, 2024
986498d
switch oidc test config to deployment values
EmyrkSep 5, 2024
290cfa5
fix err name
EmyrkSep 6, 2024
c563b10
some linting cleanup
EmyrkSep 6, 2024
d2c247f
dbauthz test for new query
EmyrkSep 6, 2024
12685bd
fixup comments
EmyrkSep 6, 2024
bf0d4ed
fixup compile issues from rebase
EmyrkSep 6, 2024
f95128e
add test for disabled sync
EmyrkSep 6, 2024
88b0ad9
linting
EmyrkSep 6, 2024
6491f6a
chore: handle db conflicts gracefully
EmyrkSep 6, 2024
bd23288
test expected group equality
EmyrkSep 6, 2024
a390ec4
cleanup comments
EmyrkSep 6, 2024
a0a1c53
spelling mistake
EmyrkSep 6, 2024
a86ba83
linting:
EmyrkSep 6, 2024
0df7f28
add interface method to allow api crud
EmyrkSep 9, 2024
7a802a9
Remove testable example
EmyrkSep 11, 2024
611f1e3
fix formatting of sql, add a comment
EmyrkSep 11, 2024
7f28a53
remove function only used in 1 place
EmyrkSep 11, 2024
41994d2
make fmt
EmyrkSep 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 0 additions & 5 deletionscli/server.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -187,11 +187,6 @@ func createOIDCConfig(ctx context.Context, logger slog.Logger, vals *codersdk.De
EmailField: vals.OIDC.EmailField.String(),
AuthURLParams: vals.OIDC.AuthURLParams.Value,
IgnoreUserInfo: vals.OIDC.IgnoreUserInfo.Value(),
GroupField: vals.OIDC.GroupField.String(),
GroupFilter: vals.OIDC.GroupRegexFilter.Value(),
GroupAllowList: groupAllowList,
CreateMissingGroups: vals.OIDC.GroupAutoCreate.Value(),
GroupMapping: vals.OIDC.GroupMapping.Value,
UserRoleField: vals.OIDC.UserRoleField.String(),
UserRoleMapping: vals.OIDC.UserRoleMapping.Value,
UserRolesDefault: vals.OIDC.UserRolesDefault.GetSlice(),
Expand Down
22 changes: 4 additions & 18 deletionscoderd/coderd.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -181,7 +181,6 @@ type Options struct {
NetworkTelemetryBatchFrequency time.Duration
NetworkTelemetryBatchMaxSize int
SwaggerEndpoint bool
SetUserGroups func(ctx context.Context, logger slog.Logger, tx database.Store, userID uuid.UUID, orgGroupNames map[uuid.UUID][]string, createMissingGroups bool) error
SetUserSiteRoles func(ctx context.Context, logger slog.Logger, tx database.Store, userID uuid.UUID, roles []string) error
TemplateScheduleStore *atomic.Pointer[schedule.TemplateScheduleStore]
UserQuietHoursScheduleStore *atomic.Pointer[schedule.UserQuietHoursScheduleStore]
Expand DownExpand Up@@ -276,13 +275,6 @@ func New(options *Options) *API {
if options.Entitlements == nil {
options.Entitlements = entitlements.New()
}
if options.IDPSync == nil {
options.IDPSync = idpsync.NewAGPLSync(options.Logger, idpsync.SyncSettings{
OrganizationField: options.DeploymentValues.OIDC.OrganizationField.Value(),
OrganizationMapping: options.DeploymentValues.OIDC.OrganizationMapping.Value,
OrganizationAssignDefault: options.DeploymentValues.OIDC.OrganizationAssignDefault.Value(),
})
}
if options.NewTicker == nil {
options.NewTicker = func(duration time.Duration) (tick <-chan time.Time, done func()) {
ticker := time.NewTicker(duration)
Expand DownExpand Up@@ -318,6 +310,10 @@ func New(options *Options) *API {
options.AccessControlStore,
)

if options.IDPSync == nil {
options.IDPSync = idpsync.NewAGPLSync(options.Logger, options.RuntimeConfig, idpsync.FromDeploymentValues(options.DeploymentValues))
}

experiments := ReadExperiments(
options.Logger, options.DeploymentValues.Experiments.Value(),
)
Expand DownExpand Up@@ -377,16 +373,6 @@ func New(options *Options) *API {
if options.TracerProvider == nil {
options.TracerProvider = trace.NewNoopTracerProvider()
}
if options.SetUserGroups == nil {
options.SetUserGroups = func(ctx context.Context, logger slog.Logger, _ database.Store, userID uuid.UUID, orgGroupNames map[uuid.UUID][]string, createMissingGroups bool) error {
logger.Warn(ctx, "attempted to assign OIDC groups without enterprise license",
slog.F("user_id", userID),
slog.F("groups", orgGroupNames),
slog.F("create_missing_groups", createMissingGroups),
)
return nil
}
}
if options.SetUserSiteRoles == nil {
options.SetUserSiteRoles = func(ctx context.Context, logger slog.Logger, _ database.Store, userID uuid.UUID, roles []string) error {
logger.Warn(ctx, "attempted to assign OIDC user roles without enterprise license",
Expand Down
25 changes: 25 additions & 0 deletionscoderd/coderdtest/uuids.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,25 @@
package coderdtest

import "github.com/google/uuid"

// DeterministicUUIDGenerator allows "naming" uuids for unit tests.
// An example of where this is useful, is when a tabled test references
// a UUID that is not yet known. An alternative to this would be to
// hard code some UUID strings, but these strings are not human friendly.
type DeterministicUUIDGenerator struct {
Named map[string]uuid.UUID
}

func NewDeterministicUUIDGenerator() *DeterministicUUIDGenerator {
return &DeterministicUUIDGenerator{
Named: make(map[string]uuid.UUID),
}
}

func (d *DeterministicUUIDGenerator) ID(name string) uuid.UUID {
if v, ok := d.Named[name]; ok {
return v
}
d.Named[name] = uuid.New()
return d.Named[name]
}
17 changes: 17 additions & 0 deletionscoderd/coderdtest/uuids_test.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,17 @@
package coderdtest_test

import (
"testing"

"github.com/stretchr/testify/require"

"github.com/coder/coder/v2/coderd/coderdtest"
)

func TestDeterministicUUIDGenerator(t *testing.T) {
t.Parallel()

ids := coderdtest.NewDeterministicUUIDGenerator()
require.Equal(t, ids.ID("g1"), ids.ID("g1"))
require.NotEqual(t, ids.ID("g1"), ids.ID("g2"))
}
16 changes: 16 additions & 0 deletionscoderd/database/dbauthz/dbauthz.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -2892,6 +2892,14 @@ func (q *querier) InsertUser(ctx context.Context, arg database.InsertUserParams)
return insert(q.log, q.auth, obj, q.db.InsertUser)(ctx, arg)
}

func (q *querier) InsertUserGroupsByID(ctx context.Context, arg database.InsertUserGroupsByIDParams) ([]uuid.UUID, error) {
// This is used by OIDC sync. So only used by a system user.
if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceSystem); err != nil {
return nil, err
}
return q.db.InsertUserGroupsByID(ctx, arg)
}

func (q *querier) InsertUserGroupsByName(ctx context.Context, arg database.InsertUserGroupsByNameParams) error {
// This will add the user to all named groups. This counts as updating a group.
// NOTE: instead of checking if the user has permission to update each group, we instead
Expand DownExpand Up@@ -3100,6 +3108,14 @@ func (q *querier) RemoveUserFromAllGroups(ctx context.Context, userID uuid.UUID)
return q.db.RemoveUserFromAllGroups(ctx, userID)
}

func (q *querier) RemoveUserFromGroups(ctx context.Context, arg database.RemoveUserFromGroupsParams) ([]uuid.UUID, error) {
// This is a system function to clear user groups in group sync.
if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceSystem); err != nil {
return nil, err
}
return q.db.RemoveUserFromGroups(ctx, arg)
}

func (q *querier) RevokeDBCryptKey(ctx context.Context, activeKeyDigest string) error {
if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceSystem); err != nil {
return err
Expand Down
23 changes: 23 additions & 0 deletionscoderd/database/dbauthz/dbauthz_test.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -388,6 +388,17 @@ func (s *MethodTestSuite) TestGroup() {
GroupNames: slice.New(g1.Name, g2.Name),
}).Asserts(rbac.ResourceGroup.InOrg(o.ID), policy.ActionUpdate).Returns()
}))
s.Run("InsertUserGroupsByID", s.Subtest(func(db database.Store, check *expects) {
o := dbgen.Organization(s.T(), db, database.Organization{})
u1 := dbgen.User(s.T(), db, database.User{})
g1 := dbgen.Group(s.T(), db, database.Group{OrganizationID: o.ID})
g2 := dbgen.Group(s.T(), db, database.Group{OrganizationID: o.ID})
_ = dbgen.GroupMember(s.T(), db, database.GroupMemberTable{GroupID: g1.ID, UserID: u1.ID})
check.Args(database.InsertUserGroupsByIDParams{
UserID: u1.ID,
GroupIds: slice.New(g1.ID, g2.ID),
}).Asserts(rbac.ResourceSystem, policy.ActionUpdate).Returns(slice.New(g1.ID, g2.ID))
}))
s.Run("RemoveUserFromAllGroups", s.Subtest(func(db database.Store, check *expects) {
o := dbgen.Organization(s.T(), db, database.Organization{})
u1 := dbgen.User(s.T(), db, database.User{})
Expand All@@ -397,6 +408,18 @@ func (s *MethodTestSuite) TestGroup() {
_ = dbgen.GroupMember(s.T(), db, database.GroupMemberTable{GroupID: g2.ID, UserID: u1.ID})
check.Args(u1.ID).Asserts(rbac.ResourceSystem, policy.ActionUpdate).Returns()
}))
s.Run("RemoveUserFromGroups", s.Subtest(func(db database.Store, check *expects) {
o := dbgen.Organization(s.T(), db, database.Organization{})
u1 := dbgen.User(s.T(), db, database.User{})
g1 := dbgen.Group(s.T(), db, database.Group{OrganizationID: o.ID})
g2 := dbgen.Group(s.T(), db, database.Group{OrganizationID: o.ID})
_ = dbgen.GroupMember(s.T(), db, database.GroupMemberTable{GroupID: g1.ID, UserID: u1.ID})
_ = dbgen.GroupMember(s.T(), db, database.GroupMemberTable{GroupID: g2.ID, UserID: u1.ID})
check.Args(database.RemoveUserFromGroupsParams{
UserID: u1.ID,
GroupIds: []uuid.UUID{g1.ID, g2.ID},
}).Asserts(rbac.ResourceSystem, policy.ActionUpdate).Returns(slice.New(g1.ID, g2.ID))
}))
s.Run("UpdateGroupByID", s.Subtest(func(db database.Store, check *expects) {
g := dbgen.Group(s.T(), db, database.Group{})
check.Args(database.UpdateGroupByIDParams{
Expand Down
70 changes: 66 additions & 4 deletionscoderd/database/dbmem/dbmem.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -2695,18 +2695,18 @@ func (q *FakeQuerier) GetGroups(_ context.Context, arg database.GetGroupsParams)
q.mutex.RLock()
defer q.mutex.RUnlock()

groupIDs := make(map[uuid.UUID]struct{})
userGroupIDs := make(map[uuid.UUID]struct{})
if arg.HasMemberID != uuid.Nil {
for _, member := range q.groupMembers {
if member.UserID == arg.HasMemberID {
groupIDs[member.GroupID] = struct{}{}
userGroupIDs[member.GroupID] = struct{}{}
}
}

// Handle the everyone group
for _, orgMember := range q.organizationMembers {
if orgMember.UserID == arg.HasMemberID {
groupIDs[orgMember.OrganizationID] = struct{}{}
userGroupIDs[orgMember.OrganizationID] = struct{}{}
}
}
}
Expand All@@ -2718,11 +2718,15 @@ func (q *FakeQuerier) GetGroups(_ context.Context, arg database.GetGroupsParams)
continue
}

_, ok :=groupIDs[group.ID]
_, ok :=userGroupIDs[group.ID]
if arg.HasMemberID != uuid.Nil && !ok {
continue
}

if len(arg.GroupNames) > 0 && !slices.Contains(arg.GroupNames, group.Name) {
continue
}

orgDetails, ok := orgDetailsCache[group.ID]
if !ok {
for _, org := range q.organizations {
Expand DownExpand Up@@ -7015,7 +7019,37 @@ func (q *FakeQuerier) InsertUser(_ context.Context, arg database.InsertUserParam
return user, nil
}

func (q *FakeQuerier) InsertUserGroupsByID(_ context.Context, arg database.InsertUserGroupsByIDParams) ([]uuid.UUID, error) {
err := validateDatabaseType(arg)
if err != nil {
return nil, err
}

q.mutex.Lock()
defer q.mutex.Unlock()

var groupIDs []uuid.UUID
for _, group := range q.groups {
for _, groupID := range arg.GroupIds {
if group.ID == groupID {
q.groupMembers = append(q.groupMembers, database.GroupMemberTable{
UserID: arg.UserID,
GroupID: groupID,
})
groupIDs = append(groupIDs, group.ID)
}
}
}

return groupIDs, nil
}

func (q *FakeQuerier) InsertUserGroupsByName(_ context.Context, arg database.InsertUserGroupsByNameParams) error {
err := validateDatabaseType(arg)
if err != nil {
return err
}

q.mutex.Lock()
defer q.mutex.Unlock()

Expand DownExpand Up@@ -7607,6 +7641,34 @@ func (q *FakeQuerier) RemoveUserFromAllGroups(_ context.Context, userID uuid.UUI
return nil
}

func (q *FakeQuerier) RemoveUserFromGroups(_ context.Context, arg database.RemoveUserFromGroupsParams) ([]uuid.UUID, error) {
err := validateDatabaseType(arg)
if err != nil {
return nil, err
}

q.mutex.Lock()
defer q.mutex.Unlock()

removed := make([]uuid.UUID, 0)
q.data.groupMembers = slices.DeleteFunc(q.data.groupMembers, func(groupMember database.GroupMemberTable) bool {
// Delete all group members that match the arguments.
if groupMember.UserID != arg.UserID {
// Not the right user, ignore.
return false
}

if !slices.Contains(arg.GroupIds, groupMember.GroupID) {
return false
}

removed = append(removed, groupMember.GroupID)
return true
})

return removed, nil
}

func (q *FakeQuerier) RevokeDBCryptKey(_ context.Context, activeKeyDigest string) error {
q.mutex.Lock()
defer q.mutex.Unlock()
Expand Down
14 changes: 14 additions & 0 deletionscoderd/database/dbmetrics/dbmetrics.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more abouthow customized files appear on GitHub.

30 changes: 30 additions & 0 deletionscoderd/database/dbmock/dbmock.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more abouthow customized files appear on GitHub.

4 changes: 4 additions & 0 deletionscoderd/database/querier.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more abouthow customized files appear on GitHub.

Loading
Loading
[8]ページ先頭
©2009-2025 Movatter.jp