Documentation
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ParseStringSliceClaim ¶
ParseStringSliceClaim parses a claim that is expected to be a []string, such as the groups and roles claims.
Some providers, ADFS among them, return a bare string instead of an array when there is only one element, so this function handles those edge cases rather than rejecting the claim.
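The parsing described above, as an added example that is not the idpsync package's own code (the page does not show ParseStringSliceClaim's signature; parseStringSliceClaim, claimFromToken and the sample payloads below are this example's own). It shows the shapes a decoded JWT claim actually arrives in: a JSON array becomes []any, ADFS sends a bare string, and a mixed array is refused rather than partially honoured, since a group list that cannot be fully read must not be acted on.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// parseStringSliceClaim is an illustrative re-implementation of the lenient
// parsing the documentation describes; it is not the package's own function.
func parseStringSliceClaim(claim any) ([]string, error) {
	switch v := claim.(type) {
	case nil:
		// Claim absent from the token: no groups/roles, but not an error.
		return []string{}, nil
	case string:
		// ADFS-style single value. An empty string is treated as no values
		// (this example's choice) rather than as one empty group name.
		if v == "" {
			return []string{}, nil
		}
		return []string{v}, nil
	case []string:
		// Already the expected shape (claims built in code rather than decoded).
		return v, nil
	case []any:
		// The shape encoding/json produces for a JSON array.
		out := make([]string, 0, len(v))
		for i, elem := range v {
			s, ok := elem.(string)
			if !ok {
				return nil, fmt.Errorf("claim element %d has type %T, expected string", i, elem)
			}
			out = append(out, s)
		}
		return out, nil
	default:
		return nil, fmt.Errorf("claim has type %T, expected []string or string", claim)
	}
}

// claimFromToken decodes a JWT payload (constructed here, not a real token)
// and parses one claim from it, exposing the []any shape JSON decoding yields.
func claimFromToken(payloadJSON, field string) ([]string, error) {
	var claims map[string]any
	if err := json.Unmarshal([]byte(payloadJSON), &claims); err != nil {
		return nil, fmt.Errorf("decode claims: %w", err)
	}
	return parseStringSliceClaim(claims[field])
}

func main() {
	// Constructed sample payloads covering the documented edge cases.
	samples := []string{
		`{"sub":"alice","groups":["admins","developers"]}`, // normal array
		`{"sub":"bob","groups":"admins"}`,                  // ADFS single value
		`{"sub":"carol"}`,                                  // claim absent
		`{"sub":"dave","groups":["admins",42]}`,            // malformed: rejected
	}
	for _, s := range samples {
		groups, err := claimFromToken(s, "groups")
		fmt.Printf("%-50s -> %q err=%v\n", s, groups, err)
	}
}
```

Note that JSON numbers decode to float64, so the malformed sample fails on the 42 element; treating it as a partial success would let a provider misconfiguration silently shrink or grow a user's group set.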
Types ¶
type AGPLIDPSync ¶
type AGPLIDPSync struct {
	Logger slog.Logger
	SyncSettings
}
AGPLIDPSync is the configuration for syncing user information from an external IDP. All code related to syncing user information should live in this package.
func NewAGPLSync ¶
func NewAGPLSync(logger slog.Logger, settings SyncSettings) *AGPLIDPSync
func (AGPLIDPSync) OrganizationSyncEnabled ¶
func (AGPLIDPSync) OrganizationSyncEnabled() bool
func (AGPLIDPSync) ParseOrganizationClaims ¶
func (s AGPLIDPSync) ParseOrganizationClaims(_ context.Context, _ jwt.MapClaims) (OrganizationParams, *HTTPError)
func (AGPLIDPSync) SyncOrganizations ¶
func (s AGPLIDPSync) SyncOrganizations(ctx context.Context, tx database.Store, user database.User, params OrganizationParams) error
SyncOrganizations, if syncing is enabled, ensures the user is a member of exactly the provided organizations: it adds and removes memberships so the user's actual set matches the expected set.
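The reconciliation contract described above, as an added example that is not the package's own SyncOrganizations. OrgID stands in for uuid.UUID, memberStore is a hypothetical in-memory stand-in for the slice of database.Store the sync touches, and defaultOrg is an assumed default-organization ID; none of these are Coder names. The point worth seeing is that the sync is a set difference in both directions and is idempotent: the second run changes nothing.

```go
package main

import (
	"fmt"
	"sort"
)

// OrgID stands in for uuid.UUID so the example needs nothing outside the
// standard library (assumption of this example).
type OrgID string

// defaultOrg is the hypothetical ID of the deployment's default organization.
const defaultOrg OrgID = "org-default"

// OrganizationParams mirrors the package's struct, with OrgID for uuid.UUID.
type OrganizationParams struct {
	SyncEnabled    bool
	IncludeDefault bool
	Organizations  []OrgID
}

// memberStore is a hypothetical in-memory stand-in for the part of
// database.Store the sync needs; it is not Coder's interface.
type memberStore struct {
	members map[string]map[OrgID]bool // user ID -> set of org IDs
}

func newMemberStore() *memberStore {
	return &memberStore{members: map[string]map[OrgID]bool{}}
}

func (s *memberStore) addMember(user string, org OrgID) {
	if s.members[user] == nil {
		s.members[user] = map[OrgID]bool{}
	}
	s.members[user][org] = true
}

func (s *memberStore) removeMember(user string, org OrgID) {
	delete(s.members[user], org)
}

// memberships returns a copy, so callers may mutate the store while ranging over it.
func (s *memberStore) memberships(user string) []OrgID {
	var out []OrgID
	for org := range s.members[user] {
		out = append(out, org)
	}
	return out
}

// syncOrganizations reconciles the stored membership set with the expected
// set, adding and removing only the differences. It returns what it changed
// so a caller can log it; running it twice with the same params is a no-op.
func syncOrganizations(store *memberStore, user string, params OrganizationParams) (added, removed []OrgID) {
	if !params.SyncEnabled {
		// Sync off: skip entirely, as SyncEnabled's doc comment says.
		return nil, nil
	}
	expected := map[OrgID]bool{}
	for _, org := range params.Organizations {
		expected[org] = true
	}
	if params.IncludeDefault {
		expected[defaultOrg] = true
	}
	current := map[OrgID]bool{}
	for _, org := range store.memberships(user) {
		current[org] = true
		if !expected[org] {
			store.removeMember(user, org) // membership the IdP no longer grants
			removed = append(removed, org)
		}
	}
	for org := range expected {
		if !current[org] {
			store.addMember(user, org)
			added = append(added, org)
		}
	}
	// Map iteration order is random; sort so output and tests are stable.
	sort.Slice(added, func(i, j int) bool { return added[i] < added[j] })
	sort.Slice(removed, func(i, j int) bool { return removed[i] < removed[j] })
	return added, removed
}

func main() {
	store := newMemberStore()
	store.addMember("alice", "org-stale") // constructed starting state
	store.addMember("alice", "org-keep")
	params := OrganizationParams{
		SyncEnabled:    true,
		IncludeDefault: true,
		Organizations:  []OrgID{"org-keep", "org-new"},
	}
	added, removed := syncOrganizations(store, "alice", params)
	fmt.Println("first run  added:", added, "removed:", removed)
	added, removed = syncOrganizations(store, "alice", params)
	fmt.Println("second run added:", added, "removed:", removed)
}
```

Because removals are driven by whatever is absent from the expected set, the caller must only pass SyncEnabled=true when the claim was actually present and parsed; an empty expected set strips every non-default membership.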
type HTTPError ¶
type HTTPError struct {
	Code                 int
	Msg                  string
	Detail               string
	RenderStaticPage     bool
	RenderDetailMarkdown bool
}
HTTPError is a helper struct for returning errors from the IDP sync process. A plain error is not sufficient because many of these errors are surfaced to the user who is logging in, so they need to be descriptive and carry an HTTP status code.
func IsHTTPError ¶
IsHTTPError handles our inconsistency in returning *HTTPError sometimes as a value and sometimes as a pointer.
type IDPSync ¶
type IDPSync interface {
	OrganizationSyncEnabled() bool
	// ParseOrganizationClaims takes claims from an OIDC provider, and returns the
	// organization sync params for assigning users into organizations.
	ParseOrganizationClaims(ctx context.Context, _ jwt.MapClaims) (OrganizationParams, *HTTPError)
	// SyncOrganizations adds and removes the user from organizations based on the
	// provided params.
	SyncOrganizations(ctx context.Context, tx database.Store, user database.User, params OrganizationParams) error
}
IDPSync is an interface so that it can be implemented once for AGPL and once for enterprise, with the underlying implementation swapped in. IDPSync exists to contain all the logic for mapping a user's external IDP claims to the internal representation of a user in Coder. TODO: Move group + role sync into this interface.
type OrganizationParams ¶
type OrganizationParams struct {
	// SyncEnabled, if false, skips syncing the user's organizations entirely.
	SyncEnabled bool
	// IncludeDefault is primarily for single org deployments. It ensures
	// a user is always inserted into the default org.
	IncludeDefault bool
	// Organizations is the list of organizations the user should be a member of,
	// assuming syncing is turned on.
	Organizations []uuid.UUID
}
type SyncSettings ¶
type SyncSettings struct {
	// OrganizationField selects the claim field to be used as the created user's
	// organizations. If the field is the empty string, then no organization updates
	// will ever come from the OIDC provider.
	OrganizationField string
	// OrganizationMapping controls how organization values returned by the OIDC
	// provider are mapped to Coder organization IDs.
	OrganizationMapping map[string][]uuid.UUID
	// OrganizationAssignDefault ensures all users that authenticate are
	// placed into the default organization. This is mostly a hack to support
	// legacy deployments.
	OrganizationAssignDefault bool
}
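How the three settings combine into OrganizationParams, as an added example that is not Coder's implementation of ParseOrganizationClaims. OrgID stands in for uuid.UUID, organizationParamsFromClaims is this example's own function, and claims are modelled as values already normalised to []string (ParseStringSliceClaim's job, not repeated here). The example also returns claim values that matched nothing in OrganizationMapping so they can be logged: an unmapped value grants nothing and must never fall through to some organization.

```go
package main

import (
	"fmt"
	"sort"
)

// OrgID stands in for uuid.UUID (assumption of this example, to avoid a
// dependency outside the standard library).
type OrgID string

// SyncSettings and OrganizationParams mirror the package's structs above,
// with OrgID in place of uuid.UUID.
type SyncSettings struct {
	OrganizationField         string
	OrganizationMapping       map[string][]OrgID
	OrganizationAssignDefault bool
}

type OrganizationParams struct {
	SyncEnabled    bool
	IncludeDefault bool
	Organizations  []OrgID
}

// organizationParamsFromClaims turns settings plus the user's claims into sync
// params (illustrative, not Coder's code). claims maps claim names to values
// already normalised to []string. The second result lists claim values that
// matched nothing in the mapping; they grant nothing and are returned so
// callers can log them.
func organizationParamsFromClaims(settings SyncSettings, claims map[string][]string) (OrganizationParams, []string) {
	// This example carries OrganizationAssignDefault straight into IncludeDefault.
	params := OrganizationParams{IncludeDefault: settings.OrganizationAssignDefault}
	if settings.OrganizationField == "" {
		// Unset field: the IdP never drives membership, so SyncEnabled stays
		// false and existing memberships are left alone.
		return params, nil
	}
	params.SyncEnabled = true
	// An absent or empty claim yields an empty set. With sync enabled, that is
	// what SyncOrganizations reconciles against, so the user loses every
	// membership not in it (the default org excepted when IncludeDefault is
	// set). OrganizationField should therefore only be set when the IdP
	// reliably sends the claim.
	values := claims[settings.OrganizationField]
	seen := map[OrgID]bool{}
	var unmapped []string
	for _, v := range values {
		orgs, ok := settings.OrganizationMapping[v]
		if !ok {
			unmapped = append(unmapped, v)
			continue
		}
		for _, org := range orgs {
			if !seen[org] { // two claim values may map to the same org
				seen[org] = true
				params.Organizations = append(params.Organizations, org)
			}
		}
	}
	sort.Slice(params.Organizations, func(i, j int) bool {
		return params.Organizations[i] < params.Organizations[j]
	})
	return params, unmapped
}

func main() {
	// Constructed settings and claims, not from a real deployment.
	settings := SyncSettings{
		OrganizationField: "organizations",
		OrganizationMapping: map[string][]OrgID{
			"engineering": {"org-platform", "org-tools"},
			"security":    {"org-tools", "org-appsec"},
		},
		OrganizationAssignDefault: true,
	}
	claims := map[string][]string{
		"organizations": {"engineering", "security", "finance"}, // finance is unmapped
	}
	params, unmapped := organizationParamsFromClaims(settings, claims)
	fmt.Printf("sync=%v default=%v orgs=%v unmapped=%v\n",
		params.SyncEnabled, params.IncludeDefault, params.Organizations, unmapped)

	params, _ = organizationParamsFromClaims(SyncSettings{OrganizationAssignDefault: true}, claims)
	fmt.Printf("no field configured: sync=%v default=%v orgs=%v\n",
		params.SyncEnabled, params.IncludeDefault, params.Organizations)
}
```

The mapping is a whitelist: membership can only come from keys an administrator wrote into OrganizationMapping, so a provider that starts emitting new values cannot expand access until the mapping is updated, which is the behaviour to want from an external identity source.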