
idpsync

package
Published: Apr 29, 2025 License: AGPL-3.0 Imports: 24 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ConvertAllowList added in v2.16.0

func ConvertAllowList(allowList []string) map[string]struct{}

func ParseStringSliceClaim

func ParseStringSliceClaim(claim interface{}) ([]string, error)

ParseStringSliceClaim parses the claim for groups and roles, expected []string.

Some providers, such as ADFS, return a single string instead of an array when there is only one element, so this function handles that edge case.

Types

type AGPLIDPSync

// AGPLIDPSync is the configuration for syncing user information from an
// external IDP. All code related to syncing user information lives in this
// package.
type AGPLIDPSync struct {
	// Logger is the logger used by the sync methods. NOTE(review): the sync
	// bodies are not visible here; confirm that raw claim values are not
	// logged verbatim.
	Logger  slog.Logger
	// Manager is presumably the runtime-config manager through which the
	// per-organization sync settings are read and written (the IDPSync docs
	// say those settings are stored in the database) — confirm against the
	// *SyncSettings / Update*SyncSettings implementations.
	Manager *runtimeconfig.Manager

	// SyncSettings is embedded, so its fields and methods are promoted onto
	// AGPLIDPSync. NOTE(review): the SyncSettings type is not shown on this
	// page — check its definition before relying on promoted members.
	SyncSettings
}

AGPLIDPSync is the configuration for syncing user information from an external IDP. All related code to syncing user information should be in this package.

func NewAGPLSync

func NewAGPLSync(logger slog.Logger, manager *runtimeconfig.Manager, settings DeploymentSyncSettings) *AGPLIDPSync

func (AGPLIDPSync) ApplyGroupDifference added in v2.16.0

func (s AGPLIDPSync) ApplyGroupDifference(ctx context.Context, tx database.Store, user database.User, add []uuid.UUID, removeIDs []uuid.UUID) error

ApplyGroupDifference will add and remove the user from the specified groups.

func (AGPLIDPSync) GroupSyncEntitled added in v2.18.0

func (AGPLIDPSync) GroupSyncEntitled() bool

func (AGPLIDPSync) GroupSyncSettings added in v2.16.0

func (s AGPLIDPSync) GroupSyncSettings(ctx context.Context, orgID uuid.UUID, db database.Store) (*GroupSyncSettings, error)

func (AGPLIDPSync) OrganizationRoleSyncEnabled added in v2.16.0

func (AGPLIDPSync) OrganizationRoleSyncEnabled(_ context.Context, _ database.Store, _ uuid.UUID) (bool, error)

func (AGPLIDPSync) OrganizationSyncEnabled

func (AGPLIDPSync) OrganizationSyncEnabled(_ context.Context, _ database.Store) bool

func (AGPLIDPSync) OrganizationSyncEntitled added in v2.18.0

func (AGPLIDPSync) OrganizationSyncEntitled() bool

func (AGPLIDPSync) OrganizationSyncSettings added in v2.18.0

func (s AGPLIDPSync) OrganizationSyncSettings(ctx context.Context, db database.Store) (*OrganizationSyncSettings, error)

func (AGPLIDPSync) ParseGroupClaims added in v2.16.0

func (s AGPLIDPSync) ParseGroupClaims(_ context.Context, _ jwt.MapClaims) (GroupParams, *HTTPError)

func (AGPLIDPSync) ParseOrganizationClaims

func (s AGPLIDPSync) ParseOrganizationClaims(_ context.Context, claims jwt.MapClaims) (OrganizationParams, *HTTPError)

func (AGPLIDPSync) ParseRoleClaims added in v2.16.0

func (s AGPLIDPSync) ParseRoleClaims(_ context.Context, _ jwt.MapClaims) (RoleParams, *HTTPError)

func (AGPLIDPSync) RoleSyncEntitled added in v2.16.0

func (AGPLIDPSync) RoleSyncEntitled() bool

func (AGPLIDPSync) RoleSyncSettings added in v2.16.0

func (s AGPLIDPSync) RoleSyncSettings(ctx context.Context, orgID uuid.UUID, db database.Store) (*RoleSyncSettings, error)

func (AGPLIDPSync) RolesFromClaim added in v2.16.0

func (AGPLIDPSync) RolesFromClaim(field string, claims jwt.MapClaims) ([]string, error)

func (AGPLIDPSync) SiteRoleSyncEnabled added in v2.16.0

func (AGPLIDPSync) SiteRoleSyncEnabled() bool

func (AGPLIDPSync) SyncGroups added in v2.16.0

func (s AGPLIDPSync) SyncGroups(ctx context.Context, db database.Store, user database.User, params GroupParams) error

func (AGPLIDPSync) SyncOrganizations

func (s AGPLIDPSync) SyncOrganizations(ctx context.Context, tx database.Store, user database.User, params OrganizationParams) error

SyncOrganizations if enabled will ensure the user is a member of the provided organizations. It will add and remove their membership to match the expected set.

func (AGPLIDPSync) SyncRoles added in v2.16.0

func (s AGPLIDPSync) SyncRoles(ctx context.Context, db database.Store, user database.User, params RoleParams) error

func (AGPLIDPSync) UpdateGroupSyncSettings added in v2.19.0

func (s AGPLIDPSync) UpdateGroupSyncSettings(ctx context.Context, orgID uuid.UUID, db database.Store, settings GroupSyncSettings) error

func (AGPLIDPSync) UpdateOrganizationSyncSettings added in v2.19.0

func (s AGPLIDPSync) UpdateOrganizationSyncSettings(ctx context.Context, db database.Store, settings OrganizationSyncSettings) error

func (AGPLIDPSync) UpdateRoleSyncSettings added in v2.19.0

func (s AGPLIDPSync) UpdateRoleSyncSettings(ctx context.Context, orgID uuid.UUID, db database.Store, settings RoleSyncSettings) error

type DefaultOrgLegacySettings added in v2.16.0

// DefaultOrgLegacySettings holds the legacy deployment settings that apply
// only to the default organization (see DeploymentSyncSettings.Legacy).
type DefaultOrgLegacySettings struct {
	// GroupField is the claim field read for group membership in the default
	// org — presumably the legacy counterpart of
	// DeploymentSyncSettings.GroupField; confirm.
	GroupField          string
	// GroupMapping maps an IDP group name to a Coder group name — assumed from
	// the field type; verify against the legacy sync code.
	GroupMapping        map[string]string
	// GroupFilter, when non-nil, is a regular expression applied to IDP group
	// names; presumably groups that do not match are ignored — confirm.
	GroupFilter         *regexp.Regexp
	// CreateMissingGroups enables creation of groups that do not yet exist —
	// presumably the legacy form of the AutoCreate behavior described on
	// GroupSyncSettings.HandleMissingGroups; confirm.
	CreateMissingGroups bool
}

type DeploymentSyncSettings added in v2.16.0

// DeploymentSyncSettings are static and are sourced from the deployment
// config (see FromDeploymentValues). Unlike the per-organization
// *SyncSettings types, they are not stored in the database.
type DeploymentSyncSettings struct {
	// OrganizationField selects the claim field to be used as the created user's
	// organizations. If the field is the empty string, then no organization updates
	// will ever come from the OIDC provider.
	OrganizationField string
	// OrganizationMapping controls how organizations returned by the OIDC
	// provider get mapped: map[oidcOrgName][]coderOrgID.
	OrganizationMapping map[string][]uuid.UUID
	// OrganizationAssignDefault will ensure all users that authenticate will be
	// placed into the default organization. This is mostly a hack to support
	// legacy deployments.
	OrganizationAssignDefault bool

	// GroupField at the deployment level is used for deployment level group claim
	// settings.
	GroupField string
	// GroupAllowList (if set) will restrict authentication to only users who
	// have at least one group in this list.
	// A map representation is used for easier lookup (see ConvertAllowList).
	// NOTE(review): this is an authentication gate driven by IDP-supplied
	// claims; the membership check itself is not visible on this page.
	GroupAllowList map[string]struct{}
	// Legacy deployment settings that only apply to the default org.
	Legacy DefaultOrgLegacySettings

	// SiteRoleField selects the claim field to be used as the created user's
	// roles. If the field is the empty string, then no site role updates
	// will ever come from the OIDC provider.
	SiteRoleField string
	// SiteRoleMapping controls how groups returned by the OIDC provider get mapped
	// to site roles within Coder.
	// map[oidcRoleName][]coderRoleName
	SiteRoleMapping map[string][]string
	// SiteDefaultRoles is the default set of site roles to assign to a user if role sync
	// is enabled.
	SiteDefaultRoles []string
}

DeploymentSyncSettings are static and are sourced from the deployment config.

func FromDeploymentValues added in v2.16.0

func FromDeploymentValues(dv *codersdk.DeploymentValues) DeploymentSyncSettings

type ExpectedGroup added in v2.16.0

// ExpectedGroup identifies a group the user is expected to be a member of
// after sync. A group may be referenced by ID or by name (see
// GroupSyncSettings.ParseClaims for why both are needed).
type ExpectedGroup struct {
	// OrganizationID is the organization the group belongs to. Equal requires
	// it to match.
	OrganizationID uuid.UUID
	// GroupID, when set, identifies the group and takes priority over
	// GroupName in Equal.
	GroupID        *uuid.UUID
	// GroupName identifies the group by name when GroupID is nil. Names are
	// resolved to IDs by GroupSyncSettings.HandleMissingGroups.
	GroupName      *string
}

func (ExpectedGroup) Equal added in v2.16.0

func (a ExpectedGroup) Equal(b ExpectedGroup) bool

Equal compares two ExpectedGroups. The org id must be the same. If the group ID is set, it will be compared and take priority, ignoring the name value. So 2 groups with the same ID but different names will be considered equal.

type GroupParams added in v2.16.0

// GroupParams are the inputs to SyncGroups, produced by ParseGroupClaims.
type GroupParams struct {
	// SyncEntitled if false will skip syncing the user's groups.
	SyncEntitled bool
	// MergedClaims are the claims from the OIDC provider. Group membership is
	// derived from them in SyncGroups (per the IDPSync docs, most of the
	// logic happens there), so treat their contents as IDP-controlled input.
	MergedClaims jwt.MapClaims
}

type GroupSyncSettings added in v2.16.0

// GroupSyncSettings is a named type over codersdk.GroupSyncSettings so that the
// sync methods below (ParseClaims, HandleMissingGroups, Set, String) can be
// declared in this package. It is stored in the database per organization.
type GroupSyncSettings codersdk.GroupSyncSettings

func (GroupSyncSettings) HandleMissingGroups added in v2.16.0

func (s GroupSyncSettings) HandleMissingGroups(ctx context.Context, tx database.Store, orgID uuid.UUID, add []ExpectedGroup) ([]uuid.UUID, error)

HandleMissingGroups ensures all ExpectedGroups are converted to UUIDs. Groups can be referenced by name via legacy params or IDP group names. These group names are converted to IDs for easier assignment. Missing groups are created if AutoCreate is enabled. TODO: Batching this would be better, as this is 1 or 2 db calls per organization.

func (GroupSyncSettings) ParseClaims added in v2.16.0

func (s GroupSyncSettings) ParseClaims(orgID uuid.UUID, mergedClaims jwt.MapClaims) ([]ExpectedGroup, error)

ParseClaims will take the merged claims from the IDP and return the groups the user is expected to be a member of. The expected group can either be a name or an ID. It is unfortunate we cannot use exclusively names or exclusively IDs. When configuring though, if a group is mapped from "A" -> "UUID 1234", and the group "UUID 1234" is renamed, we want to maintain the mapping. We have to keep names because group sync supports syncing groups by name if the external IDP group name matches the Coder one.

func (*GroupSyncSettings) Set added in v2.16.0

func (s *GroupSyncSettings) Set(v string) error

func (*GroupSyncSettings) String added in v2.16.0

func (s *GroupSyncSettings) String() string

type HTTPError

// HTTPError is a helper struct for returning errors from the IDP sync process.
// A regular error is not sufficient because many of these errors are surfaced
// to a user logging in, and they should be descriptive.
type HTTPError struct {
	// Code is presumably the HTTP status code emitted by Write — confirm.
	Code                 int
	// Msg is the short message shown to the user.
	Msg                  string
	// Detail is additional text shown to the user. NOTE(review): since it is
	// rendered to the login page, avoid echoing raw IDP claim values into it.
	Detail               string
	// RenderStaticPage, when true, presumably renders the error as a full
	// static page rather than an API response — confirm in Write.
	RenderStaticPage     bool
	// RenderDetailMarkdown, when true, presumably renders Detail as markdown —
	// confirm in Write; Detail should then come only from trusted configuration.
	RenderDetailMarkdown bool
}

HTTPError is a helper struct for returning errors from the IDP sync process. A regular error is not sufficient because many of these errors are surfaced to a user logging in, and the errors should be descriptive.

func IsHTTPError

func IsHTTPError(err error) *HTTPError

IsHTTPError handles the package's inconsistency in returning HTTPError as a value or as a pointer: it returns the underlying *HTTPError in either case.

func (HTTPError) Error

func (e HTTPError) Error() string

func (HTTPError) Write

func (e HTTPError) Write(rw http.ResponseWriter, r *http.Request)

type IDPSync

// IDPSync is an interface so that it can be implemented both in AGPL and in
// enterprise code, with the underlying implementation swapped as needed. It
// exists to contain all the logic for mapping a user's external IDP claims to
// the internal representation of a user in Coder. Every Parse* method takes
// claims supplied by the external provider and should treat them as untrusted
// input. TODO: Move group + role sync into this interface.
type IDPSync interface {
	// OrganizationSyncEntitled returns true if the deployment is entitled to
	// organization syncing (mirrors RoleSyncEntitled; confirm in the
	// enterprise implementation).
	OrganizationSyncEntitled() bool
	// OrganizationSyncSettings returns the deployment-wide organization sync
	// settings. Presumably backed by the database like GroupSyncSettings — confirm.
	OrganizationSyncSettings(ctx context.Context, db database.Store) (*OrganizationSyncSettings, error)
	// UpdateOrganizationSyncSettings persists new organization sync settings.
	UpdateOrganizationSyncSettings(ctx context.Context, db database.Store, settings OrganizationSyncSettings) error
	// OrganizationSyncEnabled returns true if all OIDC users are assigned
	// to organizations via org sync settings.
	// This is used to know when to disable manual org membership assignment.
	OrganizationSyncEnabled(ctx context.Context, db database.Store) bool
	// ParseOrganizationClaims takes claims from an OIDC provider, and returns the
	// organization sync params for assigning users into organizations.
	ParseOrganizationClaims(ctx context.Context, mergedClaims jwt.MapClaims) (OrganizationParams, *HTTPError)
	// SyncOrganizations assigns and removes users from organizations based on the
	// provided params.
	SyncOrganizations(ctx context.Context, tx database.Store, user database.User, params OrganizationParams) error

	// GroupSyncEntitled returns true if the deployment is entitled to group
	// syncing (mirrors RoleSyncEntitled; confirm in the enterprise implementation).
	GroupSyncEntitled() bool
	// ParseGroupClaims takes claims from an OIDC provider, and returns the params
	// for group syncing. Most of the logic happens in SyncGroups.
	ParseGroupClaims(ctx context.Context, mergedClaims jwt.MapClaims) (GroupParams, *HTTPError)
	// SyncGroups assigns and removes users from groups based on the provided params.
	SyncGroups(ctx context.Context, db database.Store, user database.User, params GroupParams) error
	// GroupSyncSettings is exposed for the API to implement CRUD operations
	// on the settings used by IDPSync. This entry is thread safe and can be
	// accessed concurrently. The settings are stored in the database.
	GroupSyncSettings(ctx context.Context, orgID uuid.UUID, db database.Store) (*GroupSyncSettings, error)
	// UpdateGroupSyncSettings persists new group sync settings for orgID.
	UpdateGroupSyncSettings(ctx context.Context, orgID uuid.UUID, db database.Store, settings GroupSyncSettings) error

	// RoleSyncEntitled returns true if the deployment is entitled to role syncing.
	RoleSyncEntitled() bool
	// OrganizationRoleSyncEnabled returns true if the organization has role sync
	// enabled.
	OrganizationRoleSyncEnabled(ctx context.Context, db database.Store, org uuid.UUID) (bool, error)
	// SiteRoleSyncEnabled returns true if the deployment has role sync enabled
	// at the site level.
	SiteRoleSyncEnabled() bool
	// RoleSyncSettings is similar to GroupSyncSettings. See GroupSyncSettings for
	// rationale.
	RoleSyncSettings(ctx context.Context, orgID uuid.UUID, db database.Store) (*RoleSyncSettings, error)
	// UpdateRoleSyncSettings persists new role sync settings for orgID.
	UpdateRoleSyncSettings(ctx context.Context, orgID uuid.UUID, db database.Store, settings RoleSyncSettings) error
	// ParseRoleClaims takes claims from an OIDC provider, and returns the params
	// for role syncing. Most of the logic happens in SyncRoles.
	ParseRoleClaims(ctx context.Context, mergedClaims jwt.MapClaims) (RoleParams, *HTTPError)
	// SyncRoles assigns and removes users from roles based on the provided params.
	// Site & org roles are handled in this method.
	SyncRoles(ctx context.Context, db database.Store, user database.User, params RoleParams) error
}

IDPSync is an interface so that it can be implemented both in AGPL and in enterprise code, with the underlying implementation swapped as needed. IDPSync exists to contain all the logic for mapping a user's external IDP claims to the internal representation of a user in Coder. TODO: Move group + role sync into this interface.

type OrganizationParams

// OrganizationParams are the inputs to SyncOrganizations, produced by
// ParseOrganizationClaims.
type OrganizationParams struct {
	// SyncEntitled if false will skip syncing the user's organizations.
	SyncEntitled bool
	// MergedClaims are passed to the organization level for syncing. They
	// originate from the OIDC provider and should be treated as IDP-controlled
	// input.
	MergedClaims jwt.MapClaims
}

type OrganizationSyncSettings added in v2.18.0

// OrganizationSyncSettings control how OIDC claims map a user into
// organizations. The JSON tags show the type is serialized; it also
// implements Set/String for flag-style parsing.
type OrganizationSyncSettings struct {
	// Field selects the claim field to be used as the created user's
	// organizations. If the field is the empty string, then no organization updates
	// will ever come from the OIDC provider.
	Field string `json:"field"`
	// Mapping controls how organizations returned by the OIDC provider get
	// mapped: map[oidcOrgName][]coderOrgID.
	Mapping map[string][]uuid.UUID `json:"mapping"`
	// AssignDefault will ensure all users that authenticate will be
	// placed into the default organization. This is mostly a hack to support
	// legacy deployments.
	AssignDefault bool `json:"assign_default"`
}

func (*OrganizationSyncSettings) ParseClaims added in v2.18.0

func (s *OrganizationSyncSettings) ParseClaims(ctx context.Context, db database.Store, mergedClaims jwt.MapClaims) ([]uuid.UUID, error)

ParseClaims will parse the claims and return the list of organizations the user should sync to.

func (*OrganizationSyncSettings) Set added in v2.18.0

func (*OrganizationSyncSettings) String added in v2.18.0

func (s *OrganizationSyncSettings) String() string

type RoleParams added in v2.16.0

// RoleParams are the inputs to SyncRoles, produced by ParseRoleClaims. Site
// and organization roles are both handled by SyncRoles.
type RoleParams struct {
	// SyncEntitled if false will skip syncing the user's roles at
	// all levels.
	SyncEntitled  bool
	// SyncSiteWide, when true, presumably enables site-level role sync (see
	// SiteRoleSyncEnabled); confirm in ParseRoleClaims.
	SyncSiteWide  bool
	// SiteWideRoles are the site roles to assign — presumably already resolved
	// through DeploymentSyncSettings.SiteRoleMapping; confirm.
	SiteWideRoles []string
	// MergedClaims are passed to the organization level for syncing.
	MergedClaims jwt.MapClaims
}

type RoleSyncSettings added in v2.16.0

// RoleSyncSettings is a named type over codersdk.RoleSyncSettings so that Set
// and String can be declared in this package. It is stored in the database per
// organization, like GroupSyncSettings.
type RoleSyncSettings codersdk.RoleSyncSettings

func (*RoleSyncSettings) Set added in v2.16.0

func (s *RoleSyncSettings) Set(v string) error

func (*RoleSyncSettings) String added in v2.16.0

func (s *RoleSyncSettings) String() string
