idpsync

package
Published: Jun 3, 2025 License:AGPL-3.0Imports:24Imported by:0

Details

Repository

github.com/coder/coder

Links

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ConvertAllowList (added in v2.16.0)

func ConvertAllowList(allowList []string) map[string]struct{}

func ParseStringSliceClaim

func ParseStringSliceClaim(claim interface{}) ([]string,error)

ParseStringSliceClaim parses the claim for groups and roles, expected []string.

Some providers like ADFS return a single string instead of an array if there is only 1 element. So this function handles the edge cases.

Types

type AGPLIDPSync

// AGPLIDPSync is the configuration for syncing user information from an
// external IDP. All code related to syncing user information should be in
// this package.
type AGPLIDPSync struct {
	Logger slog.Logger
	// NOTE(review): whitespace was lost when this page was extracted; the
	// original may be `Manager *runtimeconfig.Manager` followed by an embedded
	// SyncSettings field rather than a single pointer field — confirm against
	// the source file.
	Manager *runtimeconfig.ManagerSyncSettings
}

AGPLIDPSync is the configuration for syncing user information from an external IDP. All code related to syncing user information should be in this package.

func NewAGPLSync

func NewAGPLSync(loggerslog.Logger, manager *runtimeconfig.Manager, settingsDeploymentSyncSettings) *AGPLIDPSync

func (AGPLIDPSync) ApplyGroupDifference (added in v2.16.0)

func (sAGPLIDPSync) ApplyGroupDifference(ctxcontext.Context, txdatabase.Store, userdatabase.User, add []uuid.UUID, removeIDs []uuid.UUID)error

ApplyGroupDifference will add and remove the user from the specified groups.

func (AGPLIDPSync) GroupSyncEntitled (added in v2.18.0)

func (AGPLIDPSync) GroupSyncEntitled()bool

func (AGPLIDPSync) GroupSyncSettings (added in v2.16.0)

func (sAGPLIDPSync) GroupSyncSettings(ctxcontext.Context, orgIDuuid.UUID, dbdatabase.Store) (*GroupSyncSettings,error)

func (AGPLIDPSync) OrganizationRoleSyncEnabled (added in v2.16.0)

func (AGPLIDPSync) OrganizationRoleSyncEnabled(_context.Context, _database.Store, _uuid.UUID) (bool,error)

func (AGPLIDPSync) OrganizationSyncEnabled

func (AGPLIDPSync) OrganizationSyncEnabled(_context.Context, _database.Store)bool

func (AGPLIDPSync) OrganizationSyncEntitled (added in v2.18.0)

func (AGPLIDPSync) OrganizationSyncEntitled()bool

func (AGPLIDPSync) OrganizationSyncSettings (added in v2.18.0)

func (sAGPLIDPSync) OrganizationSyncSettings(ctxcontext.Context, dbdatabase.Store) (*OrganizationSyncSettings,error)

func (AGPLIDPSync) ParseGroupClaims (added in v2.16.0)

func (sAGPLIDPSync) ParseGroupClaims(_context.Context, _ jwt.MapClaims) (GroupParams, *HTTPError)

func (AGPLIDPSync) ParseOrganizationClaims

func (sAGPLIDPSync) ParseOrganizationClaims(_context.Context, claims jwt.MapClaims) (OrganizationParams, *HTTPError)

func (AGPLIDPSync) ParseRoleClaims (added in v2.16.0)

func (sAGPLIDPSync) ParseRoleClaims(_context.Context, _ jwt.MapClaims) (RoleParams, *HTTPError)

func (AGPLIDPSync) RoleSyncEntitled (added in v2.16.0)

func (AGPLIDPSync) RoleSyncEntitled()bool

func (AGPLIDPSync) RoleSyncSettings (added in v2.16.0)

func (sAGPLIDPSync) RoleSyncSettings(ctxcontext.Context, orgIDuuid.UUID, dbdatabase.Store) (*RoleSyncSettings,error)

func (AGPLIDPSync) RolesFromClaim (added in v2.16.0)

func (AGPLIDPSync) RolesFromClaim(fieldstring, claims jwt.MapClaims) ([]string,error)

func (AGPLIDPSync) SiteRoleSyncEnabled (added in v2.16.0)

func (AGPLIDPSync) SiteRoleSyncEnabled()bool

func (AGPLIDPSync) SyncGroups (added in v2.16.0)

func (sAGPLIDPSync) SyncGroups(ctxcontext.Context, dbdatabase.Store, userdatabase.User, paramsGroupParams)error

func (AGPLIDPSync) SyncOrganizations

func (sAGPLIDPSync) SyncOrganizations(ctxcontext.Context, txdatabase.Store, userdatabase.User, paramsOrganizationParams)error

SyncOrganizations, if enabled, ensures the user is a member of the provided organizations. It adds and removes their memberships to match the expected set.

func (AGPLIDPSync) SyncRoles (added in v2.16.0)

func (sAGPLIDPSync) SyncRoles(ctxcontext.Context, dbdatabase.Store, userdatabase.User, paramsRoleParams)error

func (AGPLIDPSync) UpdateGroupSyncSettings (added in v2.19.0)

func (sAGPLIDPSync) UpdateGroupSyncSettings(ctxcontext.Context, orgIDuuid.UUID, dbdatabase.Store, settingsGroupSyncSettings)error

func (AGPLIDPSync) UpdateOrganizationSyncSettings (added in v2.19.0)

func (sAGPLIDPSync) UpdateOrganizationSyncSettings(ctxcontext.Context, dbdatabase.Store, settingsOrganizationSyncSettings)error

func (AGPLIDPSync) UpdateRoleSyncSettings (added in v2.19.0)

func (sAGPLIDPSync) UpdateRoleSyncSettings(ctxcontext.Context, orgIDuuid.UUID, dbdatabase.Store, settingsRoleSyncSettings)error

type DefaultOrgLegacySettings (added in v2.16.0)

// DefaultOrgLegacySettings holds the legacy group-sync settings that only apply
// to the default organization (carried as DeploymentSyncSettings.Legacy).
type DefaultOrgLegacySettings struct {
	// GroupField is the claim field read for the user's groups.
	GroupField string
	// GroupMapping maps IDP group names to Coder group names.
	GroupMapping map[string]string
	// GroupFilter, when set, is matched against group names; NOTE(review):
	// whether it filters IDP names before or after mapping is not visible here —
	// confirm against the source.
	GroupFilter *regexp.Regexp
	// CreateMissingGroups controls whether groups absent from Coder are created
	// during sync.
	CreateMissingGroups bool
}

type DeploymentSyncSettings (added in v2.16.0)

// DeploymentSyncSettings are static and are sourced from the deployment config
// (see FromDeploymentValues).
type DeploymentSyncSettings struct {
	// OrganizationField selects the claim field to be used as the created user's
	// organizations. If the field is the empty string, then no organization updates
	// will ever come from the OIDC provider.
	OrganizationField string
	// OrganizationMapping controls how organizations returned by the OIDC provider get mapped.
	OrganizationMapping map[string][]uuid.UUID
	// OrganizationAssignDefault will ensure all users that authenticate will be
	// placed into the default organization. This is mostly a hack to support
	// legacy deployments.
	OrganizationAssignDefault bool

	// GroupField at the deployment level is used for deployment level group claim
	// settings.
	GroupField string
	// GroupAllowList (if set) will restrict authentication to only users who
	// have at least one group in this list.
	// A map representation is used for easier lookup; ConvertAllowList builds
	// it from the configured []string.
	GroupAllowList map[string]struct{}
	// Legacy deployment settings that only apply to the default org.
	Legacy DefaultOrgLegacySettings

	// SiteRoleField selects the claim field to be used as the created user's
	// roles. If the field is the empty string, then no site role updates
	// will ever come from the OIDC provider.
	SiteRoleField string
	// SiteRoleMapping controls how groups returned by the OIDC provider get mapped
	// to site roles within Coder.
	// map[oidcRoleName][]coderRoleName
	SiteRoleMapping map[string][]string
	// SiteDefaultRoles is the default set of site roles to assign to a user if role sync
	// is enabled.
	SiteDefaultRoles []string
}

DeploymentSyncSettings are static and are sourced from the deployment config.

func FromDeploymentValues (added in v2.16.0)

func FromDeploymentValues(dv *codersdk.DeploymentValues)DeploymentSyncSettings

type ExpectedGroup (added in v2.16.0)

// ExpectedGroup identifies a group within OrganizationID that the user is
// expected to belong to, referenced either by GroupID or by GroupName. See
// Equal for how the two forms are compared and HandleMissingGroups for how
// names are resolved to IDs.
type ExpectedGroup struct {
	OrganizationID uuid.UUID
	// GroupID, when set, takes priority over GroupName.
	GroupID *uuid.UUID
	// GroupName is used when the group is referenced by name (legacy params or
	// IDP group names).
	GroupName *string
}

func (ExpectedGroup) Equal (added in v2.16.0)

Equal compares two ExpectedGroups. The org ID must be the same. If the group ID is set, it is compared and takes priority, ignoring the name value. So two groups with the same ID but different names will be considered equal.

type GroupParams (added in v2.16.0)

// GroupParams is returned by ParseGroupClaims and consumed by SyncGroups.
type GroupParams struct {
	// SyncEntitled if false will skip syncing the user's groups.
	SyncEntitled bool
	// MergedClaims are the claims received from the IDP that group sync reads.
	MergedClaims jwt.MapClaims
}

type GroupSyncSettings (added in v2.16.0)

type GroupSyncSettingscodersdk.GroupSyncSettings

func (GroupSyncSettings) HandleMissingGroups (added in v2.16.0)

func (sGroupSyncSettings) HandleMissingGroups(ctxcontext.Context, txdatabase.Store, orgIDuuid.UUID, add []ExpectedGroup) ([]uuid.UUID,error)

HandleMissingGroups ensures all ExpectedGroups convert to UUIDs. Groups can be referenced by name via legacy params or IDP group names. These group names are converted to IDs for easier assignment. Missing groups are created if AutoCreate is enabled. TODO: Batching this would be better, as this is 1 or 2 db calls per organization.

func (GroupSyncSettings) ParseClaims (added in v2.16.0)

func (sGroupSyncSettings) ParseClaims(orgIDuuid.UUID, mergedClaims jwt.MapClaims) ([]ExpectedGroup,error)

ParseClaims will take the merged claims from the IDP and return the groups the user is expected to be a member of. The expected group can either be a name or an ID. It is unfortunate we cannot use exclusively names or exclusively IDs. When configuring though, if a group is mapped from "A" -> "UUID 1234", and the group "UUID 1234" is renamed, we want to maintain the mapping. We have to keep names because group sync supports syncing groups by name if the external IDP group name matches the Coder one.

func (*GroupSyncSettings) Set (added in v2.16.0)

func (*GroupSyncSettings) String (added in v2.16.0)

func (s *GroupSyncSettings) String()string

type HTTPError

// HTTPError is a helper struct for returning errors from the IDP sync process.
// A regular error is not sufficient because many of these errors are surfaced
// to a user logging in, and the errors should be descriptive.
type HTTPError struct {
	// Code is the HTTP status code to respond with.
	Code int
	// Msg is the short, user-facing message; Detail carries the longer
	// explanation.
	Msg    string
	Detail string
	// RenderStaticPage and RenderDetailMarkdown presumably control how Write
	// renders the error to the user — confirm against Write.
	RenderStaticPage     bool
	RenderDetailMarkdown bool
}

HTTPError is a helper struct for returning errors from the IDP sync process. A regular error is not sufficient because many of these errors are surfaced to a user logging in, and the errors should be descriptive.

func IsHTTPError

func IsHTTPError(errerror) *HTTPError

IsHTTPError handles us being inconsistent with returning errors as values or pointers.

func (HTTPError) Error

func (eHTTPError) Error()string

func (HTTPError) Write

type IDPSync

// IDPSync is an interface, so we can implement this as AGPL and as enterprise,
// and just swap the underlying implementation.
// IDPSync exists to contain all the logic for mapping a user's external IDP
// claims to the internal representation of a user in Coder.
// TODO: Move group + role sync into this interface.
type IDPSync interface {
	OrganizationSyncEntitled() bool

	OrganizationSyncSettings(ctx context.Context, db database.Store) (*OrganizationSyncSettings, error)
	UpdateOrganizationSyncSettings(ctx context.Context, db database.Store, settings OrganizationSyncSettings) error
	// OrganizationSyncEnabled returns true if all OIDC users are assigned
	// to organizations via org sync settings.
	// This is used to know when to disable manual org membership assignment.
	OrganizationSyncEnabled(ctx context.Context, db database.Store) bool
	// ParseOrganizationClaims takes claims from an OIDC provider, and returns the
	// organization sync params for assigning users into organizations.
	ParseOrganizationClaims(ctx context.Context, mergedClaims jwt.MapClaims) (OrganizationParams, *HTTPError)
	// SyncOrganizations assigns and removes users from organizations based on the
	// provided params.
	SyncOrganizations(ctx context.Context, tx database.Store, user database.User, params OrganizationParams) error

	GroupSyncEntitled() bool
	// ParseGroupClaims takes claims from an OIDC provider, and returns the params
	// for group syncing. Most of the logic happens in SyncGroups.
	ParseGroupClaims(ctx context.Context, mergedClaims jwt.MapClaims) (GroupParams, *HTTPError)
	// SyncGroups assigns and removes users from groups based on the provided params.
	SyncGroups(ctx context.Context, db database.Store, user database.User, params GroupParams) error
	// GroupSyncSettings is exposed for the API to implement CRUD operations
	// on the settings used by IDPSync. This entry is thread safe and can be
	// accessed concurrently. The settings are stored in the database.
	GroupSyncSettings(ctx context.Context, orgID uuid.UUID, db database.Store) (*GroupSyncSettings, error)
	UpdateGroupSyncSettings(ctx context.Context, orgID uuid.UUID, db database.Store, settings GroupSyncSettings) error

	// RoleSyncEntitled returns true if the deployment is entitled to role syncing.
	RoleSyncEntitled() bool
	// OrganizationRoleSyncEnabled returns true if the organization has role sync
	// enabled.
	OrganizationRoleSyncEnabled(ctx context.Context, db database.Store, org uuid.UUID) (bool, error)
	// SiteRoleSyncEnabled returns true if the deployment has role sync enabled
	// at the site level.
	SiteRoleSyncEnabled() bool
	// RoleSyncSettings is similar to GroupSyncSettings. See GroupSyncSettings for
	// rationale.
	RoleSyncSettings(ctx context.Context, orgID uuid.UUID, db database.Store) (*RoleSyncSettings, error)
	UpdateRoleSyncSettings(ctx context.Context, orgID uuid.UUID, db database.Store, settings RoleSyncSettings) error
	// ParseRoleClaims takes claims from an OIDC provider, and returns the params
	// for role syncing. Most of the logic happens in SyncRoles.
	ParseRoleClaims(ctx context.Context, mergedClaims jwt.MapClaims) (RoleParams, *HTTPError)
	// SyncRoles assigns and removes users from roles based on the provided params.
	// Site & org roles are handled in this method.
	SyncRoles(ctx context.Context, db database.Store, user database.User, params RoleParams) error
}

IDPSync is an interface, so we can implement this as AGPL and as enterprise, and just swap the underlying implementation. IDPSync exists to contain all the logic for mapping a user's external IDP claims to the internal representation of a user in Coder. TODO: Move group + role sync into this interface.

type OrganizationParams

// OrganizationParams is returned by ParseOrganizationClaims and consumed by
// SyncOrganizations.
type OrganizationParams struct {
	// SyncEntitled if false will skip syncing the user's organizations.
	SyncEntitled bool
	// MergedClaims are passed to the organization level for syncing.
	MergedClaims jwt.MapClaims
}

type OrganizationSyncSettings (added in v2.18.0)

// OrganizationSyncSettings is the organization sync configuration read and
// written through IDPSync.OrganizationSyncSettings and
// IDPSync.UpdateOrganizationSyncSettings. The json tags define its wire form.
type OrganizationSyncSettings struct {
	// Field selects the claim field to be used as the created user's
	// organizations. If the field is the empty string, then no organization updates
	// will ever come from the OIDC provider.
	Field string `json:"field"`
	// Mapping controls how organizations returned by the OIDC provider get mapped.
	Mapping map[string][]uuid.UUID `json:"mapping"`
	// AssignDefault will ensure all users that authenticate will be
	// placed into the default organization. This is mostly a hack to support
	// legacy deployments.
	AssignDefault bool `json:"assign_default"`
}

func (*OrganizationSyncSettings) ParseClaims (added in v2.18.0)

func (s *OrganizationSyncSettings) ParseClaims(ctxcontext.Context, dbdatabase.Store, mergedClaims jwt.MapClaims) ([]uuid.UUID,error)

ParseClaims will parse the claims and return the list of organizations the user should sync to.

func (*OrganizationSyncSettings) Set (added in v2.18.0)

func (*OrganizationSyncSettings) String (added in v2.18.0)

type RoleParams (added in v2.16.0)

// RoleParams is returned by ParseRoleClaims and consumed by SyncRoles, which
// handles both site and organization roles.
type RoleParams struct {
	// SyncEntitled if false will skip syncing the user's roles at
	// all levels.
	SyncEntitled bool

	// SyncSiteWide and SiteWideRoles cover the site-level roles; org-level
	// roles are derived from MergedClaims.
	SyncSiteWide  bool
	SiteWideRoles []string

	// MergedClaims are passed to the organization level for syncing.
	MergedClaims jwt.MapClaims
}

type RoleSyncSettings (added in v2.16.0)

type RoleSyncSettingscodersdk.RoleSyncSettings

func (*RoleSyncSettings) Set (added in v2.16.0)

func (*RoleSyncSettings) String (added in v2.16.0)

func (s *RoleSyncSettings) String()string
