Merge branch 'coder:main' into main

coderd/audit/diff.go

@@ -2,6 +2,7 @@ package audit
 
 import (
 	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/idpsync"
 )
 
 // Auditable is mostly a marker interface. It contains a definitive list of all
@@ -26,7 +27,10 @@ type Auditable interface {
 		database.CustomRole |
 		database.AuditableOrganizationMember |
 		database.Organization |
-		database.NotificationTemplate
+		database.NotificationTemplate |
+		idpsync.OrganizationSyncSettings |
+		idpsync.GroupSyncSettings |
+		idpsync.RoleSyncSettings
 }
 
 // Map is a map of changed fields in an audited resource. It maps field names to

coderd/audit/request.go

@@ -20,6 +20,7 @@ import (
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/httpmw"
+	"github.com/coder/coder/v2/coderd/idpsync"
 	"github.com/coder/coder/v2/coderd/tracing"
 )
 
@@ -121,11 +122,22 @@ func ResourceTarget[T Auditable](tgt T) string {
 		return typed.Name
 	case database.NotificationTemplate:
 		return typed.Name
+	case idpsync.OrganizationSyncSettings:
+		return "Organization Sync"
+	case idpsync.GroupSyncSettings:
+		return "Organization Group Sync"
+	case idpsync.RoleSyncSettings:
+		return "Organization Role Sync"
 	default:
 		panic(fmt.Sprintf("unknown resource %T for ResourceTarget", tgt))
 	}
 }
 
+// noID can be used for resources that do not have an uuid.
+// An example is singleton configuration resources.
+// 51A51C = "Static"
+var noID = uuid.MustParse("51A51C00-0000-0000-0000-000000000000")
+
 func ResourceID[T Auditable](tgt T) uuid.UUID {
 	switch typed := any(tgt).(type) {
 	case database.Template:
@@ -169,6 +181,12 @@ func ResourceID[T Auditable](tgt T) uuid.UUID {
 		return typed.ID
 	case database.NotificationTemplate:
 		return typed.ID
+	case idpsync.OrganizationSyncSettings:
+		return noID // Deployment all uses the same org sync settings
+	case idpsync.GroupSyncSettings:
+		return noID // Org field on audit log has org id
+	case idpsync.RoleSyncSettings:
+		return noID // Org field on audit log has org id
 	default:
 		panic(fmt.Sprintf("unknown resource %T for ResourceID", tgt))
 	}
@@ -214,6 +232,12 @@ func ResourceType[T Auditable](tgt T) database.ResourceType {
 		return database.ResourceTypeOrganization
 	case database.NotificationTemplate:
 		return database.ResourceTypeNotificationTemplate
+	case idpsync.OrganizationSyncSettings:
+		return database.ResourceTypeIdpSyncSettingsOrganization
+	case idpsync.RoleSyncSettings:
+		return database.ResourceTypeIdpSyncSettingsRole
+	case idpsync.GroupSyncSettings:
+		return database.ResourceTypeIdpSyncSettingsGroup
 	default:
 		panic(fmt.Sprintf("unknown resource %T for ResourceType", typed))
 	}
@@ -261,6 +285,12 @@ func ResourceRequiresOrgID[T Auditable]() bool {
 		return true
 	case database.NotificationTemplate:
 		return false
+	case idpsync.OrganizationSyncSettings:
+		return false
+	case idpsync.GroupSyncSettings:
+		return true
+	case idpsync.RoleSyncSettings:
+		return true
 	default:
 		panic(fmt.Sprintf("unknown resource %T for ResourceRequiresOrgID", tgt))
 	}

coderd/database/migrations/000281_idpsync_settings.down.sql

@@ -0,0 +1 @@
+-- Nothing to do

coderd/database/migrations/000281_idpsync_settings.up.sql

@@ -0,0 +1,4 @@
+-- Allow modifications to notification templates to be audited.
+ALTER TYPE resource_type ADD VALUE IF NOT EXISTS 'idp_sync_settings_organization';
+ALTER TYPE resource_type ADD VALUE IF NOT EXISTS 'idp_sync_settings_group';
+ALTER TYPE resource_type ADD VALUE IF NOT EXISTS 'idp_sync_settings_role';

coderd/idpsync/organization.go

@@ -149,13 +149,13 @@ type OrganizationSyncSettings struct {
 	// Field selects the claim field to be used as the created user's
 	// organizations. If the field is the empty string, then no organization updates
 	// will ever come from the OIDC provider.
-	Field string
+	Field string `json:"field"`
 	// Mapping controls how organizations returned by the OIDC provider get mapped
-	Mapping map[string][]uuid.UUID
+	Mapping map[string][]uuid.UUID `json:"mapping"`
 	// AssignDefault will ensure all users that authenticate will be
 	// placed into the default organization. This is mostly a hack to support
 	// legacy deployments.
-	AssignDefault bool
+	AssignDefault bool `json:"assign_default"`
 }
 
 func (s *OrganizationSyncSettings) Set(v string) error {

codersdk/audit.go

@@ -30,10 +30,13 @@ const (
 	ResourceTypeOrganization          ResourceType = "organization"
 	ResourceTypeOAuth2ProviderApp     ResourceType = "oauth2_provider_app"
 	// nolint:gosec // This is not a secret.
-	ResourceTypeOAuth2ProviderAppSecret ResourceType = "oauth2_provider_app_secret"
-	ResourceTypeCustomRole              ResourceType = "custom_role"
-	ResourceTypeOrganizationMember                   = "organization_member"
-	ResourceTypeNotificationTemplate                 = "notification_template"
+	ResourceTypeOAuth2ProviderAppSecret     ResourceType = "oauth2_provider_app_secret"
+	ResourceTypeCustomRole                  ResourceType = "custom_role"
+	ResourceTypeOrganizationMember          ResourceType = "organization_member"
+	ResourceTypeNotificationTemplate        ResourceType = "notification_template"
+	ResourceTypeIdpSyncSettingsOrganization ResourceType = "idp_sync_settings_organization"
+	ResourceTypeIdpSyncSettingsGroup        ResourceType = "idp_sync_settings_group"
+	ResourceTypeIdpSyncSettingsRole         ResourceType = "idp_sync_settings_role"
 )
 
 func (r ResourceType) FriendlyString() string {
@@ -78,6 +81,12 @@ func (r ResourceType) FriendlyString() string {
 		return "organization member"
 	case ResourceTypeNotificationTemplate:
 		return "notification template"
+	case ResourceTypeIdpSyncSettingsOrganization:
+		return "settings"
+	case ResourceTypeIdpSyncSettingsGroup:
+		return "settings"
+	case ResourceTypeIdpSyncSettingsRole:
+		return "settings"
 	default:
 		return "unknown"
 	}