
Method SyncRoles

coderd/idpsync/role.go:74–218 (listing below is truncated at line 131; the remainder of the method, including the role update and the handling after the claim-parse failure, is not shown)
(ctx context.Context, db database.Store, user database.User, params RoleParams)


72}
73
74func (s AGPLIDPSync) SyncRoles(ctx context.Context, db database.Store, user database.User, params RoleParams) error {
75 // Nothing happens if sync is not enabled
76 if !params.SyncEntitled {
77 return nil
78 }
79
80 // nolint:gocritic // all syncing is done as a system user
81 ctx = dbauthz.AsSystemRestricted(ctx)
82
83 err := db.InTx(func(tx database.Store) error {
84 if params.SyncSiteWide {
85 if err := s.syncSiteWideRoles(ctx, tx, user, params); err != nil {
86 return err
87 }
88 }
89
90 // sync roles per organization
91 orgMemberships, err := tx.OrganizationMembers(ctx, database.OrganizationMembersParams{
92 OrganizationID: uuid.Nil,
93 UserID: user.ID,
94 IncludeSystem: false,
95 GithubUserID: 0,
96 })
97 if err != nil {
98 return xerrors.Errorf("get organizations by user id: %w", err)
99 }
100
101 // Sync for each organization
102 // If a key for a given org exists in the map, the user's roles will be
103 // updated to the value of that key.
104 expectedRoles := make(map[uuid.UUID][]rbac.RoleIdentifier)
105 existingRoles := make(map[uuid.UUID][]string)
106 allExpected := make([]rbac.RoleIdentifier, 0)
107 for _, member := range orgMemberships {
108 orgID := member.OrganizationMember.OrganizationID
109 settings, err := s.RoleSyncSettings(ctx, orgID, tx)
110 if err != nil {
111 // No entry means no role syncing for this organization
112 continue
113 }
114
115 if settings.Field == "" {
116 // Explicitly disabled role sync for this organization
117 continue
118 }
119
120 existingRoles[orgID] = member.OrganizationMember.Roles
121 orgRoleClaims, err := s.RolesFromClaim(settings.Field, params.MergedClaims)
122 if err != nil {
123 s.Logger.Error(ctx, "failed to parse roles from claim",
124 slog.F("field", settings.Field),
125 slog.F("organization_id", orgID),
126 slog.F("user_id", user.ID),
127 slog.F("username", user.Username),
128 slog.Error(err),
129 )
130
131 // TODO: If rolesync fails, we might want to reset a user's
