test: add full org sync tests

Emyrk · Emyrk · commit 3ead01640200 · 2024-08-28T11:29:19.000-05:00
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -243,7 +243,7 @@ var (
 					rbac.ResourceAssignOrgRole.Type:          rbac.ResourceAssignOrgRole.AvailableActions(),
 					rbac.ResourceSystem.Type:                 {policy.WildcardSymbol},
 					rbac.ResourceOrganization.Type:           {policy.ActionCreate, policy.ActionRead},
-					rbac.ResourceOrganizationMember.Type:     {policy.ActionCreate},
+					rbac.ResourceOrganizationMember.Type:     {policy.ActionCreate, policy.ActionDelete, policy.ActionRead},
 					rbac.ResourceProvisionerDaemon.Type:      {policy.ActionCreate, policy.ActionUpdate},
 					rbac.ResourceProvisionerKeys.Type:        {policy.ActionCreate, policy.ActionRead, policy.ActionDelete},
 					rbac.ResourceUser.Type:                   rbac.ResourceUser.AvailableActions(),
diff --git a/coderd/idpsync/idpsync.go b/coderd/idpsync/idpsync.go
@@ -22,6 +22,7 @@ import (
 // claims to the internal representation of a user in Coder.
 // TODO: Move group + role sync into this interface.
 type IDPSync interface {
+	OrganizationSyncEnabled() bool
 	// ParseOrganizationClaims takes claims from an OIDC provider, and returns the
 	// organization sync params for assigning users into organizations.
 	ParseOrganizationClaims(ctx context.Context, _ jwt.MapClaims) (OrganizationParams, *HTTPError)
@@ -105,6 +106,21 @@ func ParseStringSliceClaim(claim interface{}) ([]string, error) {
 	return nil, xerrors.Errorf("invalid claim type. Expected an array of strings, got: %T", claim)
 }
 
+// IsHTTPError handles us being inconsistent with returning errors as values or
+// pointers.
+func IsHTTPError(err error) *HTTPError {
+	var httpErr HTTPError
+	if xerrors.As(err, &httpErr) {
+		return &httpErr
+	}
+
+	var httpErrPtr *HTTPError
+	if xerrors.As(err, &httpErrPtr) {
+		return httpErrPtr
+	}
+	return nil
+}
+
 // HTTPError is a helper struct for returning errors from the IDP sync process.
 // A regular error is not sufficient because many of these errors are surfaced
 // to a user logging in, and the errors should be descriptive.
diff --git a/coderd/idpsync/idpsync_test.go b/coderd/idpsync/idpsync_test.go
@@ -135,3 +135,11 @@ func TestParseStringSliceClaim(t *testing.T) {
 		})
 	}
 }
+
+func TestIsHTTPError(t *testing.T) {
+	herr := idpsync.HTTPError{}
+	require.NotNil(t, idpsync.IsHTTPError(herr))
+	require.NotNil(t, idpsync.IsHTTPError(&herr))
+
+	require.Nil(t, error(nil))
+}
diff --git a/coderd/idpsync/organization.go b/coderd/idpsync/organization.go
@@ -16,10 +16,15 @@ import (
 	"github.com/coder/coder/v2/coderd/util/slice"
 )
 
+func (s AGPLIDPSync) OrganizationSyncEnabled() bool {
+	// AGPL does not support syncing organizations.
+	return false
+}
+
 func (s AGPLIDPSync) ParseOrganizationClaims(_ context.Context, _ jwt.MapClaims) (OrganizationParams, *HTTPError) {
 	// For AGPL we only sync the default organization.
 	return OrganizationParams{
-		SyncEnabled:    false,
+		SyncEnabled:    s.OrganizationSyncEnabled(),
 		IncludeDefault: s.OrganizationAssignDefault,
 		Organizations:  []uuid.UUID{},
 	}, nil
diff --git a/coderd/members.go b/coderd/members.go
@@ -2,6 +2,7 @@ package coderd
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 
 	"github.com/google/uuid"
@@ -43,6 +44,14 @@ func (api *API) postOrganizationMember(rw http.ResponseWriter, r *http.Request)
 	aReq.Old = database.AuditableOrganizationMember{}
 	defer commitAudit()
 
+	if user.LoginType == database.LoginTypeOIDC && api.IDPSync.OrganizationSyncEnabled() {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: "Organization sync is enabled for OIDC users, meaning manual organization assignment is not allowed for this user.",
+			Detail:  fmt.Sprintf("User %s is an OIDC user and organization sync is enabled. Ask an administrator to resolve this in your external IDP.", user.ID),
+		})
+		return
+	}
+
 	member, err := api.Database.InsertOrganizationMember(ctx, database.InsertOrganizationMemberParams{
 		OrganizationID: organization.ID,
 		UserID:         user.ID,
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -669,12 +669,11 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 	})
 	cookies, user, key, err := api.oauthLogin(r, params)
 	defer params.CommitAuditLogs()
-	var httpErr idpsync.HTTPError
-	if xerrors.As(err, &httpErr) {
-		httpErr.Write(rw, r)
-		return
-	}
 	if err != nil {
+		if httpErr := idpsync.IsHTTPError(err); httpErr != nil {
+			httpErr.Write(rw, r)
+			return
+		}
 		logger.Error(ctx, "oauth2: login failed", slog.F("user", user.Username), slog.Error(err))
 		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 			Message: "Failed to process OAuth login.",
@@ -1066,12 +1065,11 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 	})
 	cookies, user, key, err := api.oauthLogin(r, params)
 	defer params.CommitAuditLogs()
-	var httpErr idpsync.HTTPError
-	if xerrors.As(err, &httpErr) {
-		httpErr.Write(rw, r)
-		return
-	}
 	if err != nil {
+		if hErr := idpsync.IsHTTPError(err); hErr != nil {
+			hErr.Write(rw, r)
+			return
+		}
 		logger.Error(ctx, "oauth2: login failed", slog.F("user", user.Username), slog.Error(err))
 		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 			Message: "Failed to process OAuth login.",
diff --git a/coderd/userauth_test.go b/coderd/userauth_test.go
@@ -366,6 +366,7 @@ func TestUserOAuth2Github(t *testing.T) {
 		require.Equal(t, "kyle", user.Username)
 		require.Equal(t, "Kylium Carbonate", user.Name)
 		require.Equal(t, "/hello-world", user.AvatarURL)
+		require.Equal(t, 1, len(user.OrganizationIDs), "in the default org")
 
 		require.Len(t, auditor.AuditLogs(), numLogs)
 		require.NotEqual(t, auditor.AuditLogs()[numLogs-1].UserID, uuid.Nil)
@@ -419,6 +420,7 @@ func TestUserOAuth2Github(t *testing.T) {
 		require.Equal(t, "kyle", user.Username)
 		require.Equal(t, strings.Repeat("a", 128), user.Name)
 		require.Equal(t, "/hello-world", user.AvatarURL)
+		require.Equal(t, 1, len(user.OrganizationIDs), "in the default org")
 
 		require.Len(t, auditor.AuditLogs(), numLogs)
 		require.NotEqual(t, auditor.AuditLogs()[numLogs-1].UserID, uuid.Nil)
@@ -474,6 +476,7 @@ func TestUserOAuth2Github(t *testing.T) {
 		require.Equal(t, "kyle", user.Username)
 		require.Equal(t, "Kylium Carbonate", user.Name)
 		require.Equal(t, "/hello-world", user.AvatarURL)
+		require.Equal(t, 1, len(user.OrganizationIDs), "in the default org")
 
 		require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
 		require.Len(t, auditor.AuditLogs(), numLogs)
@@ -536,6 +539,7 @@ func TestUserOAuth2Github(t *testing.T) {
 		require.Equal(t, "mathias@coder.com", user.Email)
 		require.Equal(t, "mathias", user.Username)
 		require.Equal(t, "Mathias Mathias", user.Name)
+		require.Equal(t, 1, len(user.OrganizationIDs), "in the default org")
 
 		require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
 		require.Len(t, auditor.AuditLogs(), numLogs)
@@ -598,6 +602,7 @@ func TestUserOAuth2Github(t *testing.T) {
 		require.Equal(t, "mathias@coder.com", user.Email)
 		require.Equal(t, "mathias", user.Username)
 		require.Equal(t, "Mathias Mathias", user.Name)
+		require.Equal(t, 1, len(user.OrganizationIDs), "in the default org")
 
 		require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
 		require.Len(t, auditor.AuditLogs(), numLogs)
@@ -1270,6 +1275,7 @@ func TestUserOIDC(t *testing.T) {
 				require.Len(t, auditor.AuditLogs(), numLogs)
 				require.NotEqual(t, uuid.Nil, auditor.AuditLogs()[numLogs-1].UserID)
 				require.Equal(t, database.AuditActionRegister, auditor.AuditLogs()[numLogs-1].Action)
+				require.Equal(t, 1, len(user.OrganizationIDs), "in the default org")
 			}
 		})
 	}
diff --git a/coderd/users.go b/coderd/users.go
@@ -1294,10 +1294,6 @@ func (api *API) CreateUser(ctx context.Context, store database.Store, req Create
 	var user database.User
 	err := store.InTx(func(tx database.Store) error {
 		orgRoles := make([]string, 0)
-		// Organization is required to know where to allocate the user.
-		if len(req.OrganizationIDs) == 0 {
-			return xerrors.Errorf("organization ID must be provided")
-		}
 
 		params := database.InsertUserParams{
 			ID:             uuid.New(),
diff --git a/enterprise/coderd/enidpsync/enidpsync.go b/enterprise/coderd/enidpsync/enidpsync.go
@@ -7,12 +7,6 @@ import (
 	"github.com/coder/coder/v2/coderd/idpsync"
 )
 
-func init() {
-	idpsync.NewSync = func(logger slog.Logger, entitlements *entitlements.Set, settings idpsync.SyncSettings) idpsync.IDPSync {
-		return NewSync(logger, entitlements, settings)
-	}
-}
-
 type EnterpriseIDPSync struct {
 	entitlements *entitlements.Set
 	*idpsync.AGPLIDPSync
@@ -21,6 +15,6 @@ type EnterpriseIDPSync struct {
 func NewSync(logger slog.Logger, set *entitlements.Set, settings idpsync.SyncSettings) *EnterpriseIDPSync {
 	return &EnterpriseIDPSync{
 		entitlements: set,
-		AGPLIDPSync:  idpsync.NewAGPLSync(logger.With(slog.F("enterprise_capable", "true")), set, settings),
+		AGPLIDPSync:  idpsync.NewAGPLSync(logger.With(slog.F("enterprise_capable", "true")), settings),
 	}
 }
diff --git a/enterprise/coderd/enidpsync/organizations.go b/enterprise/coderd/enidpsync/organizations.go
@@ -14,8 +14,12 @@ import (
 	"github.com/coder/coder/v2/codersdk"
 )
 
+func (e EnterpriseIDPSync) OrganizationSyncEnabled() bool {
+	return e.entitlements.Enabled(codersdk.FeatureMultipleOrganizations) && e.OrganizationField != ""
+}
+
 func (e EnterpriseIDPSync) ParseOrganizationClaims(ctx context.Context, mergedClaims jwt.MapClaims) (idpsync.OrganizationParams, *idpsync.HTTPError) {
-	if !e.entitlements.Enabled(codersdk.FeatureMultipleOrganizations) {
+	if !e.OrganizationSyncEnabled() {
 		// Default to agpl if multi-org is not enabled
 		return e.AGPLIDPSync.ParseOrganizationClaims(ctx, mergedClaims)
 	}
diff --git a/enterprise/coderd/userauth_test.go b/enterprise/coderd/userauth_test.go

Original file line number	Diff line number	Diff line change
`@@ -135,3 +135,11 @@ func TestParseStringSliceClaim(t *testing.T) {`
`135`	`135`	`})`
`136`	`136`	`}`
`137`	`137`	`}`
	`138`	`+`
	`139`	`+func TestIsHTTPError(t *testing.T) {`
	`140`	`+ herr := idpsync.HTTPError{}`
	`141`	`+ require.NotNil(t, idpsync.IsHTTPError(herr))`
	`142`	`+ require.NotNil(t, idpsync.IsHTTPError(&herr))`
	`143`	`+`
	`144`	`+ require.Nil(t, error(nil))`
	`145`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -7,12 +7,6 @@ import (`
`7`	`7`	`"github.com/coder/coder/v2/coderd/idpsync"`
`8`	`8`	`)`
`9`	`9`
`10`		`-func init() {`
`11`		`- idpsync.NewSync = func(logger slog.Logger, entitlements *entitlements.Set, settings idpsync.SyncSettings) idpsync.IDPSync {`
`12`		`- return NewSync(logger, entitlements, settings)`
`13`		`- }`
`14`		`-}`
`15`		`-`
`16`	`10`	`type EnterpriseIDPSync struct {`
`17`	`11`	`entitlements *entitlements.Set`
`18`	`12`	`*idpsync.AGPLIDPSync`
`@@ -21,6 +15,6 @@ type EnterpriseIDPSync struct {`
`21`	`15`	`func NewSync(logger slog.Logger, set entitlements.Set, settings idpsync.SyncSettings) EnterpriseIDPSync {`
`22`	`16`	`return &EnterpriseIDPSync{`
`23`	`17`	`entitlements: set,`
`24`		`- AGPLIDPSync: idpsync.NewAGPLSync(logger.With(slog.F("enterprise_capable", "true")), set, settings),`
	`18`	`+ AGPLIDPSync: idpsync.NewAGPLSync(logger.With(slog.F("enterprise_capable", "true")), settings),`
`25`	`19`	`}`
`26`	`20`	`}`
Original file line number	Diff line number	Diff line change
`@@ -14,8 +14,12 @@ import (`
`14`	`14`	`"github.com/coder/coder/v2/codersdk"`
`15`	`15`	`)`
`16`	`16`
	`17`	`+func (e EnterpriseIDPSync) OrganizationSyncEnabled() bool {`
	`18`	`+ return e.entitlements.Enabled(codersdk.FeatureMultipleOrganizations) && e.OrganizationField != ""`
	`19`	`+}`
	`20`	`+`
`17`	`21`	`func (e EnterpriseIDPSync) ParseOrganizationClaims(ctx context.Context, mergedClaims jwt.MapClaims) (idpsync.OrganizationParams, *idpsync.HTTPError) {`
`18`		`- if !e.entitlements.Enabled(codersdk.FeatureMultipleOrganizations) {`
	`22`	`+ if !e.OrganizationSyncEnabled() {`
`19`	`23`	`// Default to agpl if multi-org is not enabled`
`20`	`24`	`return e.AGPLIDPSync.ParseOrganizationClaims(ctx, mergedClaims)`
`21`	`25`	`}`