chore: implement organization sync and create idpsync package

IDP sync code should be refactored to be contained in it's own package. This will make it easier to maintain and test moving forward.
coder · Emyrk · Aug 30, 2024 · Aug 28, 2024 · Aug 26, 2024 · Aug 26, 2024
commit d788be77e2d09a01fd2b36c772b1db1326091d60
diff --git a/coderd/database/models.go b/coderd/database/models.go
diff --git a/coderd/database/querier.go b/coderd/database/querier.go
diff --git a/coderd/idpsync/idpsync.go b/coderd/idpsync/idpsync.go
@@ -0,0 +1,125 @@
+package idpsync
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/google/uuid"
+	"golang.org/x/xerrors"
+
+	"cdr.dev/slog"
+	"github.com/coder/coder/v2/coderd/entitlements"
+	"github.com/coder/coder/v2/coderd/httpapi"
+	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/site"
+)
+
+// IDPSync is the configuration for syncing user information from an external
+// IDP. All related code to syncing user information should be in this package.
+type IDPSync struct {
+	logger       slog.Logger
+	entitlements *entitlements.Set
+
+	// OrganizationField selects the claim field to be used as the created user's
+	// organizations. If the field is the empty string, then no organization updates
+	// will ever come from the OIDC provider.
+	OrganizationField string
+	// OrganizationMapping controls how organizations returned by the OIDC provider get mapped
+	OrganizationMapping map[string][]uuid.UUID
+	// OrganizationAlwaysAssign will ensure all users that authenticate will be
+	// placed into the specified organizations.
+	OrganizationAlwaysAssign []uuid.UUID
+}
+
+func NewSync(logger slog.Logger, set *entitlements.Set) *IDPSync {
+	return &IDPSync{
+		logger:       logger.Named("idp-sync"),
+		entitlements: set,
+	}
+}
+
+// ParseStringSliceClaim parses the claim for groups and roles, expected []string.
+//
+// Some providers like ADFS return a single string instead of an array if there
+// is only 1 element. So this function handles the edge cases.
+func ParseStringSliceClaim(claim interface{}) ([]string, error) {
+	groups := make([]string, 0)
+	if claim == nil {
+		return groups, nil
+	}
+
+	// The simple case is the type is exactly what we expected
+	asStringArray, ok := claim.([]string)
+	if ok {
+		return asStringArray, nil
+	}
+
+	asArray, ok := claim.([]interface{})
+	if ok {
+		for i, item := range asArray {
 			asString, ok := item.(string)
+			if !ok {
+				return nil, xerrors.Errorf("invalid claim type. Element %d expected a string, got: %T", i, item)
+			}
+			groups = append(groups, asString)
+		}
+		return groups, nil
+	}
+
+	asString, ok := claim.(string)
+	if ok {
+		if asString == "" {
+			// Empty string should be 0 groups.
+			return []string{}, nil
+		}
+		// If it is a single string, first check if it is a csv.
+		// If a user hits this, it is likely a misconfiguration and they need
+		// to reconfigure their IDP to send an array instead.
+		if strings.Contains(asString, ",") {
+			return nil, xerrors.Errorf("invalid claim type. Got a csv string (%q), change this claim to return an array of strings instead.", asString)
+		}
+		return []string{asString}, nil
+	}
+
+	// Not sure what the user gave us.
+	return nil, xerrors.Errorf("invalid claim type. Expected an array of strings, got: %T", claim)
+}
+
+// HttpError is a helper struct for returning errors from the IDP sync process.
+// A regular error is not sufficient because many of these errors are surfaced
+// to a user logging in, and the errors should be descriptive.
+type HttpError struct {
+	Code                 int
+	Msg                  string
+	Detail               string
+	RenderStaticPage     bool
+	RenderDetailMarkdown bool
+}
+
+func (e HttpError) Write(rw http.ResponseWriter, r *http.Request) {
+	if e.RenderStaticPage {
+		site.RenderStaticErrorPage(rw, r, site.ErrorPageData{
+			Status:       e.Code,
+			HideStatus:   true,
+			Title:        e.Msg,
+			Description:  e.Detail,
+			RetryEnabled: false,
+			DashboardURL: "/login",
+
+			RenderDescriptionMarkdown: e.RenderDetailMarkdown,
+		})
+		return
+	}
+	httpapi.Write(r.Context(), rw, e.Code, codersdk.Response{
+		Message: e.Msg,
+		Detail:  e.Detail,
+	})
+}
+
+func (e HttpError) Error() string {
+	if e.Detail != "" {
+		return e.Detail
+	}
+
+	return e.Msg
+}
diff --git a/coderd/userauth_internal_test.go → coderd/idpsync/idpsync_test.go b/coderd/userauth_internal_test.go → coderd/idpsync/idpsync_test.go
@@ -1,10 +1,12 @@
-package coderd
+package idpsync_test
 
 import (
 	"encoding/json"
 	"testing"
 
 	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/v2/coderd/idpsync"
 )
 
 func TestParseStringSliceClaim(t *testing.T) {
@@ -123,7 +125,7 @@ func TestParseStringSliceClaim(t *testing.T) {
 				require.NoError(t, err, "unmarshal json claim")
 			}
 
-			found, err := parseStringSliceClaim(c.GoClaim)
+			found, err := idpsync.ParseStringSliceClaim(c.GoClaim)
 			if c.ErrorExpected {
 				require.Error(t, err)
 			} else {

diff --git a/coderd/idpsync/organization.go b/coderd/idpsync/organization.go
@@ -0,0 +1,127 @@
+package idpsync
+
+import (
+	"context"
+	"database/sql"
+	"net/http"
+
+	"github.com/google/uuid"
+	"golang.org/x/xerrors"
+
+	"cdr.dev/slog"
+	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/db2sdk"
+	"github.com/coder/coder/v2/coderd/database/dbauthz"
+	"github.com/coder/coder/v2/coderd/database/dbtime"
+	"github.com/coder/coder/v2/coderd/util/slice"
+)
+
+func (s IDPSync) ParseOrganizationClaims(ctx context.Context, mergedClaims map[string]interface{}) (OrganizationParams, *HttpError) {
+	// nolint:gocritic // all syncing is done as a system user
+	ctx = dbauthz.AsSystemRestricted(ctx)
+
+	// Copy in the always included static set of organizations.
+	userOrganizations := make([]uuid.UUID, len(s.OrganizationAlwaysAssign))
+	copy(userOrganizations, s.OrganizationAlwaysAssign)
+
+	// Pull extra organizations from the claims.
+	if s.OrganizationField != "" {
+		organizationRaw, ok := mergedClaims[s.OrganizationField]
+		if ok {
+			parsedOrganizations, err := ParseStringSliceClaim(organizationRaw)
+			if err != nil {
+				return OrganizationParams{}, &HttpError{
+					Code:                 http.StatusBadRequest,
+					Msg:                  "Failed to sync organizations from the OIDC claims",
+					Detail:               err.Error(),
+					RenderStaticPage:     false,
+					RenderDetailMarkdown: false,
+				}
+			}
+
+			// Keep track of which claims are not mapped for debugging purposes.
+			var ignored []string
+			for _, parsedOrg := range parsedOrganizations {
+				if mappedOrganization, ok := s.OrganizationMapping[parsedOrg]; ok {
+					// parsedOrg is in the mapping, so add the mapped organizations to the
+					// user's organizations.
+					userOrganizations = append(userOrganizations, mappedOrganization...)
+				} else {
+					ignored = append(ignored, parsedOrg)
+				}
+			}
+
+			s.logger.Debug(ctx, "parsed organizations from claim",
+				slog.F("len", len(parsedOrganizations)),
+				slog.F("ignored", ignored),
+				slog.F("organizations", parsedOrganizations),
+			)
+		}
+	}
+
+	return OrganizationParams{
+		Organizations: userOrganizations,
+	}, nil
+}
+
+type OrganizationParams struct {
+	// Organizations is the list of organizations the user should be a member of
+	// assuming syncing is turned on.
+	Organizations []uuid.UUID
+}
+
+func (s IDPSync) SyncOrganizations(ctx context.Context, tx database.Store, user database.User, params OrganizationParams) error {
+	// nolint:gocritic // all syncing is done as a system user
+	ctx = dbauthz.AsSystemRestricted(ctx)
+
+	existingOrgs, err := tx.GetOrganizationsByUserID(ctx, user.ID)
+	if err != nil {
+		return xerrors.Errorf("failed to get user organizations: %w", err)
+	}
+
+	existingOrgIDs := db2sdk.List(existingOrgs, func(org database.Organization) uuid.UUID {
+		return org.ID
+	})
+
+	// Find the difference in the expected and the existing orgs, and
+	// correct the set of orgs the user is a member of.
+	add, remove := slice.SymmetricDifference(existingOrgIDs, params.Organizations)
+	notExists := make([]uuid.UUID, 0)
+	for _, orgID := range add {
+		//nolint:gocritic // System actor being used to assign orgs
+		_, err := tx.InsertOrganizationMember(dbauthz.AsSystemRestricted(ctx), database.InsertOrganizationMemberParams{
+			OrganizationID: orgID,
+			UserID:         user.ID,
+			CreatedAt:      dbtime.Now(),
+			UpdatedAt:      dbtime.Now(),
+			Roles:          []string{},
+		})
+		if err != nil {
+			if xerrors.Is(err, sql.ErrNoRows) {
+				notExists = append(notExists, orgID)
+				continue
+			}
+			return xerrors.Errorf("add user to organization: %w", err)
+		}
+	}
+
+	for _, orgID := range remove {
+		//nolint:gocritic // System actor being used to assign orgs
+		err := tx.DeleteOrganizationMember(dbauthz.AsSystemRestricted(ctx), database.DeleteOrganizationMemberParams{
+			OrganizationID: orgID,
+			UserID:         user.ID,
+		})
+		if err != nil {
+			return xerrors.Errorf("remove user from organization: %w", err)
+		}
+	}
+
+	if len(notExists) > 0 {
+		s.logger.Debug(ctx, "organizations do not exist but attempted to use in org sync",
+			slog.F("not_found", notExists),
+			slog.F("user_id", user.ID),
+			slog.F("username", user.Username),
+		)
+	}
+	return nil
+}