fix: handle omitted role sync claim (#8697)

Emyrk · web-flow · commit ac559f101e49 · 2023-07-24T15:50:23.000-04:00
* fix: handle omitted role sync claim
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -965,7 +965,8 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 			// a member. This is because there is no way to tell the difference
 			// between []string{} and nil for OIDC claims. IDPs omit claims
 			// if they are empty ([]string{}).
-			rolesRow = []string{}
+			// Use []interface{}{} so the next typecast works.
+			rolesRow = []interface{}{}
 		}
 
 		rolesInterface, ok := rolesRow.([]interface{})
diff --git a/enterprise/coderd/userauth_test.go b/enterprise/coderd/userauth_test.go
@@ -28,6 +28,45 @@ func TestUserOIDC(t *testing.T) {
 	t.Run("RoleSync", func(t *testing.T) {
 		t.Parallel()
 
+		t.Run("NoRoles", func(t *testing.T) {
+			t.Parallel()
+
+			ctx := testutil.Context(t, testutil.WaitMedium)
+			conf := coderdtest.NewOIDCConfig(t, "")
+
+			oidcRoleName := "TemplateAuthor"
+
+			config := conf.OIDCConfig(t, jwt.MapClaims{}, func(cfg *coderd.OIDCConfig) {
+				cfg.UserRoleMapping = map[string][]string{oidcRoleName: {rbac.RoleTemplateAdmin(), rbac.RoleUserAdmin()}}
+			})
+			config.AllowSignups = true
+			config.UserRoleField = "roles"
+
+			client, _ := coderdenttest.New(t, &coderdenttest.Options{
+				Options: &coderdtest.Options{
+					OIDCConfig: config,
+				},
+				LicenseOptions: &coderdenttest.LicenseOptions{
+					Features: license.Features{codersdk.FeatureUserRoleManagement: 1},
+				},
+			})
+
+			admin, err := client.User(ctx, "me")
+			require.NoError(t, err)
+			require.Len(t, admin.OrganizationIDs, 1)
+
+			resp := oidcCallback(t, client, conf.EncodeClaims(t, jwt.MapClaims{
+				"email": "alice@coder.com",
+			}))
+			require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
+			user, err := client.User(ctx, "alice")
+			require.NoError(t, err)
+
+			require.Len(t, user.Roles, 0)
+			roleNames := []string{}
+			require.ElementsMatch(t, roleNames, []string{})
+		})
+
 		t.Run("NewUserAndRemoveRoles", func(t *testing.T) {
 			t.Parallel()
 

Original file line number	Diff line number	Diff line change
`@@ -965,7 +965,8 @@ func (api API) userOIDC(rw http.ResponseWriter, r http.Request) {`
`965`	`965`	`// a member. This is because there is no way to tell the difference`
`966`	`966`	`// between []string{} and nil for OIDC claims. IDPs omit claims`
`967`	`967`	`// if they are empty ([]string{}).`
`968`		`- rolesRow = []string{}`
	`968`	`+ // Use []interface{}{} so the next typecast works.`
	`969`	`+ rolesRow = []interface{}{}`
`969`	`970`	`}`
`970`	`971`
`971`	`972`	`rolesInterface, ok := rolesRow.([]interface{})`