8000 feat: implement organization role sync by Emyrk · Pull Request #14649 · coder/coder · GitHub


feat: implement organization role sync #14649


Merged
merged 13 commits into from
Sep 17, 2024
extract method into its own function
Emyrk committed Sep 16, 2024
commit 88576606c62f9c0ce4f7301e21b3150119ffd860
57 changes: 32 additions & 25 deletions coderd/members.go
Expand Up @@ -216,31 +216,9 @@
aReq.Old = member.OrganizationMember.Auditable(member.Username)
defer commitAudit()

// Keep this block scoping to prevent accidental use of the user variable.
{
// nolint:gocritic // The caller could be an org admin without this perm.
// We need to disable manual role assignment if role sync is enabled for
// the given organization.
user, err := api.Database.GetUserByID(dbauthz.AsSystemRestricted(ctx), member.UserID)
if err != nil {
httpapi.InternalServerError(rw, err)
return
}
if user.LoginType == database.LoginTypeOIDC {
// nolint:gocritic // fetching settings
orgSync, err := api.IDPSync.OrganizationRoleSyncEnabled(dbauthz.AsSystemRestricted(ctx), api.Database, organization.ID)
if err != nil {
httpapi.InternalServerError(rw, err)
return
}
if orgSync {
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
Message: "Cannot modify roles for OIDC users when role sync is enabled. This organization member's roles are managed by the identity provider.",
Detail: "'User Role Field' is set in the organization settings. Ask an administrator to adjust or disable these settings.",
})
return
}
}
// Check if changing roles is allowed
if !api.allowChangingMemberRoles(rw, ctx, member, organization) {
return
}

if apiKey.UserID == member.OrganizationMember.UserID {
Expand Down Expand Up @@ -287,6 +265,35 @@
httpapi.Write(ctx, rw, http.StatusOK, resp[0])
}

func (api *API) allowChangingMemberRoles(rw http.ResponseWriter, ctx context.Context, member httpmw.OrganizationMember, organization database.Organization) bool {

Check failure on line 268 in coderd/members.go


GitHub Actions / lint

context-as-argument: context.Context should be the first parameter of a function (revive)
// nolint:gocritic // The caller could be an org admin without this perm.
// We need to disable manual role assignment if role sync is enabled for
// the given organization.
user, err := api.Database.GetUserByID(dbauthz.AsSystemRestricted(ctx), member.UserID)
if err != nil {
httpapi.InternalServerError(rw, err)
return false
}

if user.LoginType == database.LoginTypeOIDC {
// nolint:gocritic // fetching settings
orgSync, err := api.IDPSync.OrganizationRoleSyncEnabled(dbauthz.AsSystemRestricted(ctx), api.Database, organization.ID)
if err != nil {
httpapi.InternalServerError(rw, err)
return false
}
if orgSync {
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
Message: "Cannot modify roles for OIDC users when role sync is enabled. This organization member's roles are managed by the identity provider.",
Detail: "'User Role Field' is set in the organization settings. Ask an administrator to adjust or disable these settings.",
})
return false
}
}

return true
}

// convertOrganizationMembers batches the role lookup to make only 1 sql call
// We
func convertOrganizationMembers(ctx context.Context, db database.Store, mems []database.OrganizationMember) ([]codersdk.OrganizationMember, error) {
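Review bot: allowChangingMemberRoles has no doc comment, and its contract is not what the name suggests: when it returns false it has already written the HTTP response (the 500 from httpapi.InternalServerError or the 400 "Cannot modify roles" body), so the caller must return without writing anything further, as the call site at the top of the section does. Add above the signature: `// allowChangingMemberRoles reports whether the member's roles may be edited manually. It writes the error response itself and returns false when a lookup fails or when role sync manages this OIDC user's roles, so callers must return immediately on false.` The two dbauthz.AsSystemRestricted lookups are justified by the existing nolint comments, and the doc comment is also the right place to state that the check deliberately runs with system privileges only for these two reads, so a later change does not widen that scope to other queries. The enclosing handler that calls this function starts before the first hunk.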