mirror of
https://github.com/coder/coder.git
synced 2026-06-02 20:48:20 +00:00
Spike Curtis
bddb808b25
Fixes all our Go file imports to match the preferred spec that we've _mostly_ been using. For example: ``` import ( "context" "time" "github.com/prometheus/client_golang/prometheus" "golang.org/x/xerrors" "gopkg.in/natefinch/lumberjack.v2" "cdr.dev/slog/v3" "github.com/coder/coder/v2/codersdk/agentsdk" "github.com/coder/serpent" ) ``` 3 groups: standard library, 3rd partly libs, Coder libs. This PR makes the change across the codebase. The PR in the stack above modifies our formatting to maintain this state of affairs, and is a separate PR so it's possible to review that one in detail.
94 lines
2.8 KiB
Go
94 lines
2.8 KiB
Go
package enidpsync
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"net/http"
|
|
|
|
"github.com/golang-jwt/jwt/v4"
|
|
"github.com/google/uuid"
|
|
"golang.org/x/xerrors"
|
|
|
|
"cdr.dev/slog/v3"
|
|
"github.com/coder/coder/v2/coderd/database"
|
|
"github.com/coder/coder/v2/coderd/idpsync"
|
|
"github.com/coder/coder/v2/coderd/runtimeconfig"
|
|
"github.com/coder/coder/v2/coderd/util/slice"
|
|
"github.com/coder/coder/v2/codersdk"
|
|
)
|
|
|
|
func (e EnterpriseIDPSync) RoleSyncEntitled() bool {
|
|
return e.entitlements.Enabled(codersdk.FeatureUserRoleManagement)
|
|
}
|
|
|
|
func (e EnterpriseIDPSync) OrganizationRoleSyncEnabled(ctx context.Context, db database.Store, orgID uuid.UUID) (bool, error) {
|
|
if !e.RoleSyncEntitled() {
|
|
return false, nil
|
|
}
|
|
roleSyncSettings, err := e.Role.Resolve(ctx, e.Manager.OrganizationResolver(db, orgID))
|
|
if err != nil {
|
|
if xerrors.Is(err, runtimeconfig.ErrEntryNotFound) {
|
|
return false, nil
|
|
}
|
|
return false, err
|
|
}
|
|
return roleSyncSettings.Field != "", nil
|
|
}
|
|
|
|
func (e EnterpriseIDPSync) SiteRoleSyncEnabled() bool {
|
|
if !e.RoleSyncEntitled() {
|
|
return false
|
|
}
|
|
return e.AGPLIDPSync.SiteRoleField != ""
|
|
}
|
|
|
|
func (e EnterpriseIDPSync) ParseRoleClaims(ctx context.Context, mergedClaims jwt.MapClaims) (idpsync.RoleParams, *idpsync.HTTPError) {
|
|
if !e.RoleSyncEntitled() {
|
|
return e.AGPLIDPSync.ParseRoleClaims(ctx, mergedClaims)
|
|
}
|
|
|
|
var claimRoles []string
|
|
if e.AGPLIDPSync.SiteRoleField != "" {
|
|
var err error
|
|
// TODO: Smoke test this error for org and site
|
|
claimRoles, err = e.AGPLIDPSync.RolesFromClaim(e.AGPLIDPSync.SiteRoleField, mergedClaims)
|
|
if err != nil {
|
|
rawType := mergedClaims[e.AGPLIDPSync.SiteRoleField]
|
|
e.Logger.Error(ctx, "oidc claims user roles field was an unknown type",
|
|
slog.F("type", fmt.Sprintf("%T", rawType)),
|
|
slog.F("field", e.AGPLIDPSync.SiteRoleField),
|
|
slog.F("raw_value", rawType),
|
|
slog.Error(err),
|
|
)
|
|
// TODO: Determine a static page or not
|
|
return idpsync.RoleParams{}, &idpsync.HTTPError{
|
|
Code: http.StatusInternalServerError,
|
|
Msg: "Login disabled until site wide OIDC config is fixed",
|
|
Detail: fmt.Sprintf("Roles claim must be an array of strings, type found: %T. Disabling role sync will allow login to proceed.", rawType),
|
|
RenderStaticPage: false,
|
|
}
|
|
}
|
|
}
|
|
|
|
siteRoles := append([]string{}, e.SiteDefaultRoles...)
|
|
for _, role := range claimRoles {
|
|
if mappedRoles, ok := e.SiteRoleMapping[role]; ok {
|
|
if len(mappedRoles) == 0 {
|
|
continue
|
|
}
|
|
// Mapped roles are added to the list of roles
|
|
siteRoles = append(siteRoles, mappedRoles...)
|
|
continue
|
|
}
|
|
// Append as is.
|
|
siteRoles = append(siteRoles, role)
|
|
}
|
|
|
|
return idpsync.RoleParams{
|
|
SyncEntitled: e.RoleSyncEntitled(),
|
|
SyncSiteWide: e.SiteRoleSyncEnabled(),
|
|
SiteWideRoles: slice.Unique(siteRoles),
|
|
MergedClaims: mergedClaims,
|
|
}, nil
|
|
}
|