feat: assign users to teams via OIDC claims (#1393)

This change adds the ability to sync teams via a custom openid claim. Vikunja will automatically create and delete teams as necessary, it will also add and remove users when they log in. These teams are fully managed by Vikunja and cannot be updated by a user. Co-authored-by: kolaente <k@knt.li> Reviewed-on: https://kolaente.dev/vikunja/vikunja/pulls/1393 Resolves https://kolaente.dev/vikunja/vikunja/issues/1279 Resolves https://github.com/go-vikunja/vikunja/issues/42 Resolves https://kolaente.dev/vikunja/vikunja/issues/950 Co-authored-by: viehlieb <pf@pragma-shift.net> Co-committed-by: viehlieb <pf@pragma-shift.net>
2024-03-02 08:47:10 +00:00
parent f18cde269b
commit ed4da96ab1
26 changed files with 686 additions and 32 deletions
--- a/pkg/models/error.go
+++ b/pkg/models/error.go
@ -1059,7 +1059,6 @@ func (err ErrTeamNameCannotBeEmpty) HTTPError() web.HTTPError {
 	return web.HTTPError{HTTPCode: http.StatusBadRequest, Code: ErrCodeTeamNameCannotBeEmpty, Message: "The team name cannot be empty"}
 }

-// ErrTeamDoesNotExist represents an error where a team does not exist
 type ErrTeamDoesNotExist struct {
 	TeamID int64
 }
@ -1178,6 +1177,54 @@ func (err ErrTeamDoesNotHaveAccessToProject) HTTPError() web.HTTPError {
 	return web.HTTPError{HTTPCode: http.StatusForbidden, Code: ErrCodeTeamDoesNotHaveAccessToProject, Message: "This team does not have access to the project."}
 }

+// ErrOIDCTeamDoesNotExist represents an error where a team with specified name and specified oidcId property does not exist
+type ErrOIDCTeamDoesNotExist struct {
+	OidcID string
+	Name   string
+}
+
+// IsErrOIDCTeamDoesNotExist checks if an error is ErrOIDCTeamDoesNotExist.
+func IsErrOIDCTeamDoesNotExist(err error) bool {
+	_, ok := err.(ErrOIDCTeamDoesNotExist)
+	return ok
+}
+
+// ErrTeamDoesNotExist represents an error where a team does not exist
+func (err ErrOIDCTeamDoesNotExist) Error() string {
+	return fmt.Sprintf("No team with that name and valid oidcId could be found. [Team Name: %v] [OidcID : %v] ", err.Name, err.OidcID)
+}
+
+// ErrCodeTeamDoesNotExist holds the unique world-error code of this error
+const ErrCodeOIDCTeamDoesNotExist = 6008
+
+// HTTPError holds the http error description
+func (err ErrOIDCTeamDoesNotExist) HTTPError() web.HTTPError {
+	return web.HTTPError{HTTPCode: http.StatusNotFound, Code: ErrCodeTeamDoesNotExist, Message: "No team with that name and valid oidcId could be found."}
+}
+
+// ErrOIDCTeamsDoNotExistForUser represents an error where an oidcTeam does not exist for the user
+type ErrOIDCTeamsDoNotExistForUser struct {
+	UserID int64
+}
+
+// IsErrOIDCTeamsDoNotExistForUser checks if an error is ErrOIDCTeamsDoNotExistForUser.
+func IsErrOIDCTeamsDoNotExistForUser(err error) bool {
+	_, ok := err.(ErrOIDCTeamsDoNotExistForUser)
+	return ok
+}
+
+func (err ErrOIDCTeamsDoNotExistForUser) Error() string {
+	return fmt.Sprintf("No teams with property oidcId could be found for user [User ID: %d]", err.UserID)
+}
+
+// ErrCodeTeamDoesNotExist holds the unique world-error code of this error
+const ErrCodeOIDCTeamsDoNotExistForUser = 6009
+
+// HTTPError holds the http error description
+func (err ErrOIDCTeamsDoNotExistForUser) HTTPError() web.HTTPError {
+	return web.HTTPError{HTTPCode: http.StatusNotFound, Code: ErrCodeTeamDoesNotExist, Message: "No Teams with property oidcId could be found for User."}
+}
+
 // ====================
 // User <-> Project errors
 // ====================
--- a/pkg/models/team_members.go
+++ b/pkg/models/team_members.go
@ -44,7 +44,6 @@ func (tm *TeamMember) Create(s *xorm.Session, a web.Auth) (err error) {
 	if err != nil {
 		return err
 	}
-
 	// Check if the user exists
 	member, err := user2.GetUserByUsername(s, tm.Username)
 	if err != nil {
@ -109,6 +108,12 @@ func (tm *TeamMember) Delete(s *xorm.Session, _ web.Auth) (err error) {
 	return
 }

+func (tm *TeamMember) MembershipExists(s *xorm.Session) (exists bool, err error) {
+	return s.
+		Where("team_id = ? AND user_id = ?", tm.TeamID, tm.UserID).
+		Exist(&TeamMember{})
+}
+
 // Update toggles a team member's admin status
 // @Summary Toggle a team member's admin status
 // @Description If a user is team admin, this will make them member and vise-versa.
--- a/pkg/models/teams.go
+++ b/pkg/models/teams.go
@ -38,6 +38,8 @@ type Team struct {
 	// The team's description.
 	Description string `xorm:"longtext null" json:"description"`
 	CreatedByID int64  `xorm:"bigint not null INDEX" json:"-"`
+	// The team's oidc id delivered by the oidc provider
+	OidcID string `xorm:"varchar(250) null" maxLength:"250" json:"oidc_id"`

 	// The user who created this team.
 	CreatedBy *user.User `xorm:"-" json:"created_by"`
@ -91,6 +93,13 @@ type TeamUser struct {
 	TeamID int64 `json:"-"`
 }

+// OIDCTeamData is the relevant data for a team and is delivered by oidc token
+type OIDCTeamData struct {
+	TeamName    string
+	OidcID      string
+	Description string
+}
+
 // GetTeamByID gets a team by its ID
 func GetTeamByID(s *xorm.Session, id int64) (team *Team, err error) {
 	if id < 1 {
@ -120,6 +129,34 @@ func GetTeamByID(s *xorm.Session, id int64) (team *Team, err error) {
 	return
 }

+// GetTeamByOidcIDAndName gets teams where oidc_id and name match parameters
+// For oidc team creation oidcID and Name need to be set
+func GetTeamByOidcIDAndName(s *xorm.Session, oidcID string, teamName string) (*Team, error) {
+	team := &Team{}
+	has, err := s.
+		Table("teams").
+		Where("oidc_id = ? AND name = ?", oidcID, teamName).
+		Get(team)
+	if !has || err != nil {
+		return nil, ErrOIDCTeamDoesNotExist{teamName, oidcID}
+	}
+	return team, nil
+}
+
+func FindAllOidcTeamIDsForUser(s *xorm.Session, userID int64) (ts []int64, err error) {
+	err = s.
+		Table("team_members").
+		Where("user_id = ? ", userID).
+		Join("RIGHT", "teams", "teams.id = team_members.team_id").
+		Where("teams.oidc_id != ? AND teams.oidc_id IS NOT NULL", "").
+		Cols("teams.id").
+		Find(&ts)
+	if ts == nil || err != nil {
+		return ts, err
+	}
+	return ts, nil
+}
+
 func addMoreInfoToTeams(s *xorm.Session, teams []*Team) (err error) {

 	if len(teams) == 0 {
@ -270,7 +307,6 @@ func (t *Team) Create(s *xorm.Session, a web.Auth) (err error) {
 		return
 	}

-	// Insert the current user as member and admin
 	tm := TeamMember{TeamID: t.ID, Username: doer.Username, Admin: true}
 	if err = tm.Create(s, doer); err != nil {
 		return err