feat: assign users to teams via OIDC claims (#1393)

This change adds the ability to sync teams via a custom openid claim. Vikunja will automatically create and delete teams as necessary, it will also add and remove users when they log in. These teams are fully managed by Vikunja and cannot be updated by a user.

Co-authored-by: kolaente <k@knt.li>
Reviewed-on: https://kolaente.dev/vikunja/vikunja/pulls/1393
Resolves https://kolaente.dev/vikunja/vikunja/issues/1279
Resolves https://github.com/go-vikunja/vikunja/issues/42
Resolves https://kolaente.dev/vikunja/vikunja/issues/950
Co-authored-by: viehlieb <pf@pragma-shift.net>
Co-committed-by: viehlieb <pf@pragma-shift.net>

pkg/modules/auth/openid/openid_test.go

@@ -20,7 +20,9 @@ import (
 	"testing"
 
 	"code.vikunja.io/api/pkg/db"
-
+	"code.vikunja.io/api/pkg/models"
+	"code.vikunja.io/api/pkg/user"
+	"code.vikunja.io/api/pkg/utils"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -95,4 +97,145 @@ func TestGetOrCreateUser(t *testing.T) {
 			"email": cl.Email,
 		}, false)
 	})
+	t.Run("existing user, non existing team", func(t *testing.T) {
+		db.LoadAndAssertFixtures(t)
+		s := db.NewSession()
+		defer s.Close()
+
+		team := "new sso team"
+		oidcID := "47404"
+		cl := &claims{
+			Email: "other-email-address@some.service.com",
+			VikunjaGroups: []map[string]interface{}{
+				{"name": team, "oidcID": oidcID},
+			},
+		}
+
+		u, err := getOrCreateUser(s, cl, "https://some.service.com", "12345")
+		require.NoError(t, err)
+		teamData, errs := getTeamDataFromToken(cl.VikunjaGroups, nil)
+		for _, err := range errs {
+			require.NoError(t, err)
+		}
+		require.NoError(t, err)
+		oidcTeams, err := AssignOrCreateUserToTeams(s, u, teamData)
+		require.NoError(t, err)
+		err = s.Commit()
+		require.NoError(t, err)
+
+		db.AssertExists(t, "users", map[string]interface{}{
+			"id":    u.ID,
+			"email": cl.Email,
+		}, false)
+		db.AssertExists(t, "teams", map[string]interface{}{
+			"id":   oidcTeams,
+			"name": team,
+		}, false)
+	})
+
+	t.Run("existing user, assign to existing team", func(t *testing.T) {
+		db.LoadAndAssertFixtures(t)
+		s := db.NewSession()
+		defer s.Close()
+
+		team := "testteam14"
+		oidcID := "14"
+		cl := &claims{
+			Email: "other-email-address@some.service.com",
+			VikunjaGroups: []map[string]interface{}{
+				{"name": team, "oidcID": oidcID},
+			},
+		}
+
+		u := &user.User{ID: 10}
+		teamData, errs := getTeamDataFromToken(cl.VikunjaGroups, nil)
+		for _, err := range errs {
+			require.NoError(t, err)
+		}
+		oidcTeams, err := AssignOrCreateUserToTeams(s, u, teamData)
+		require.NoError(t, err)
+		err = s.Commit()
+		require.NoError(t, err)
+
+		db.AssertExists(t, "team_members", map[string]interface{}{
+			"team_id": oidcTeams,
+			"user_id": u.ID,
+		}, false)
+	})
+	t.Run("existing user, remove from existing team", func(t *testing.T) {
+		db.LoadAndAssertFixtures(t)
+		s := db.NewSession()
+		defer s.Close()
+
+		cl := &claims{
+			Email:         "other-email-address@some.service.com",
+			VikunjaGroups: []map[string]interface{}{},
+		}
+
+		u := &user.User{ID: 10}
+		teamData, errs := getTeamDataFromToken(cl.VikunjaGroups, nil)
+		if len(errs) > 0 {
+			for _, err := range errs {
+				require.NoError(t, err)
+			}
+		}
+		oldOidcTeams, err := models.FindAllOidcTeamIDsForUser(s, u.ID)
+		require.NoError(t, err)
+		oidcTeams, err := AssignOrCreateUserToTeams(s, u, teamData)
+		require.NoError(t, err)
+		teamIDsToLeave := utils.NotIn(oldOidcTeams, oidcTeams)
+		require.NoError(t, err)
+		err = RemoveUserFromTeamsByIds(s, u, teamIDsToLeave)
+		require.NoError(t, err)
+		errs = RemoveEmptySSOTeams(s, teamIDsToLeave)
+		for _, err = range errs {
+			require.NoError(t, err)
+		}
+		errs = RemoveEmptySSOTeams(s, teamIDsToLeave)
+		for _, err = range errs {
+			require.NoError(t, err)
+		}
+		err = s.Commit()
+		require.NoError(t, err)
+
+		db.AssertMissing(t, "team_members", map[string]interface{}{
+			"team_id": oidcTeams,
+			"user_id": u.ID,
+		})
+	})
+	t.Run("existing user, remove from existing team and delete team", func(t *testing.T) {
+		db.LoadAndAssertFixtures(t)
+		s := db.NewSession()
+		defer s.Close()
+
+		cl := &claims{
+			Email:         "other-email-address@some.service.com",
+			VikunjaGroups: []map[string]interface{}{},
+		}
+
+		u := &user.User{ID: 10}
+		teamData, errs := getTeamDataFromToken(cl.VikunjaGroups, nil)
+		if len(errs) > 0 {
+			for _, err := range errs {
+				require.NoError(t, err)
+			}
+		}
+		oldOidcTeams, err := models.FindAllOidcTeamIDsForUser(s, u.ID)
+		require.NoError(t, err)
+		oidcTeams, err := AssignOrCreateUserToTeams(s, u, teamData)
+		require.NoError(t, err)
+		teamIDsToLeave := utils.NotIn(oldOidcTeams, oidcTeams)
+		require.NoError(t, err)
+		err = RemoveUserFromTeamsByIds(s, u, teamIDsToLeave)
+		require.NoError(t, err)
+		errs = RemoveEmptySSOTeams(s, teamIDsToLeave)
+		for _, err := range errs {
+			require.NoError(t, err)
+		}
+		err = s.Commit()
+		require.NoError(t, err)
+		db.AssertMissing(t, "teams", map[string]interface{}{
+			"id": oidcTeams,
+		})
+	})
 }