mirror of https://github.com/coder/coder.git
109 lines
3.4 KiB
Go
109 lines
3.4 KiB
Go
package coderd
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/google/uuid"
|
|
"golang.org/x/xerrors"
|
|
|
|
"cdr.dev/slog"
|
|
"github.com/coder/coder/v2/coderd/database"
|
|
"github.com/coder/coder/v2/coderd/database/dbauthz"
|
|
"github.com/coder/coder/v2/codersdk"
|
|
)
|
|
|
|
// nolint: revive
|
|
func (api *API) setUserGroups(ctx context.Context, logger slog.Logger, db database.Store, userID uuid.UUID, orgGroupNames map[uuid.UUID][]string, createMissingGroups bool) error {
|
|
api.entitlementsMu.RLock()
|
|
enabled := api.entitlements.Features[codersdk.FeatureTemplateRBAC].Enabled
|
|
api.entitlementsMu.RUnlock()
|
|
|
|
if !enabled {
|
|
return nil
|
|
}
|
|
|
|
return db.InTx(func(tx database.Store) error {
|
|
// When setting the user's groups, it's easier to just clear their groups and re-add them.
|
|
// This ensures that the user's groups are always in sync with the auth provider.
|
|
orgs, err := tx.GetOrganizationsByUserID(ctx, userID)
|
|
if err != nil {
|
|
return xerrors.Errorf("get user orgs: %w", err)
|
|
}
|
|
if len(orgs) != 1 {
|
|
return xerrors.Errorf("expected 1 org, got %d", len(orgs))
|
|
}
|
|
|
|
// Delete all groups the user belongs to.
|
|
// nolint:gocritic // Requires system context to remove user from all groups.
|
|
err = tx.RemoveUserFromAllGroups(dbauthz.AsSystemRestricted(ctx), userID)
|
|
if err != nil {
|
|
return xerrors.Errorf("delete user groups: %w", err)
|
|
}
|
|
|
|
// TODO: This could likely be improved by making these single queries.
|
|
// Either by batching or some other means. This for loop could be really
|
|
// inefficient if there are a lot of organizations. There was deployments
|
|
// on v1 with >100 orgs.
|
|
for orgID, groupNames := range orgGroupNames {
|
|
// Create the missing groups for each organization.
|
|
if createMissingGroups {
|
|
// This is the system creating these additional groups, so we use the system restricted context.
|
|
// nolint:gocritic
|
|
created, err := tx.InsertMissingGroups(dbauthz.AsSystemRestricted(ctx), database.InsertMissingGroupsParams{
|
|
OrganizationID: orgID,
|
|
GroupNames: groupNames,
|
|
Source: database.GroupSourceOidc,
|
|
})
|
|
if err != nil {
|
|
return xerrors.Errorf("insert missing groups: %w", err)
|
|
}
|
|
if len(created) > 0 {
|
|
logger.Debug(ctx, "auto created missing groups",
|
|
slog.F("org_id", orgID.ID),
|
|
slog.F("created", created),
|
|
slog.F("num", len(created)),
|
|
)
|
|
}
|
|
}
|
|
|
|
// Re-add the user to all groups returned by the auth provider.
|
|
err = tx.InsertUserGroupsByName(ctx, database.InsertUserGroupsByNameParams{
|
|
UserID: userID,
|
|
OrganizationID: orgID,
|
|
GroupNames: groupNames,
|
|
})
|
|
if err != nil {
|
|
return xerrors.Errorf("insert user groups: %w", err)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}, nil)
|
|
}
|
|
|
|
func (api *API) setUserSiteRoles(ctx context.Context, logger slog.Logger, db database.Store, userID uuid.UUID, roles []string) error {
|
|
api.entitlementsMu.RLock()
|
|
enabled := api.entitlements.Features[codersdk.FeatureUserRoleManagement].Enabled
|
|
api.entitlementsMu.RUnlock()
|
|
|
|
if !enabled {
|
|
logger.Warn(ctx, "attempted to assign OIDC user roles without enterprise entitlement, roles left unchanged",
|
|
slog.F("user_id", userID), slog.F("roles", roles),
|
|
)
|
|
return nil
|
|
}
|
|
|
|
// Should this be feature protected?
|
|
return db.InTx(func(tx database.Store) error {
|
|
_, err := db.UpdateUserRoles(ctx, database.UpdateUserRolesParams{
|
|
GrantedRoles: roles,
|
|
ID: userID,
|
|
})
|
|
if err != nil {
|
|
return xerrors.Errorf("set user roles(%s): %w", userID.String(), err)
|
|
}
|
|
|
|
return nil
|
|
}, nil)
|
|
}
|