allow importing existing users when the localpart matches in upstream OAuth 2.0 logins

Author: mcalinghee

crates/cli/src/sync.rs

@@ -37,6 +37,19 @@ fn map_import_action(
     }
 }
 
+fn map_import_on_conflict(
+    config: mas_config::UpstreamOAuth2OnConflict,
+) -> mas_data_model::UpstreamOAuthProviderOnConflict {
+    match config {
+        mas_config::UpstreamOAuth2OnConflict::Add => {
+            mas_data_model::UpstreamOAuthProviderOnConflict::Add
+        }
+        mas_config::UpstreamOAuth2OnConflict::Fail => {
+            mas_data_model::UpstreamOAuthProviderOnConflict::Fail
+        }
+    }
+}
+
 fn map_claims_imports(
     config: &mas_config::UpstreamOAuth2ClaimsImports,
 ) -> mas_data_model::UpstreamOAuthProviderClaimsImports {
@@ -47,14 +60,17 @@ fn map_claims_imports(
         localpart: mas_data_model::UpstreamOAuthProviderImportPreference {
             action: map_import_action(config.localpart.action),
             template: config.localpart.template.clone(),
+            on_conflict: map_import_on_conflict(config.localpart.on_conflict),
         },
         displayname: mas_data_model::UpstreamOAuthProviderImportPreference {
             action: map_import_action(config.displayname.action),
             template: config.displayname.template.clone(),
+            on_conflict: mas_data_model::UpstreamOAuthProviderOnConflict::default(),
         },
         email: mas_data_model::UpstreamOAuthProviderImportPreference {
             action: map_import_action(config.email.action),
             template: config.email.template.clone(),
+            on_conflict: mas_data_model::UpstreamOAuthProviderOnConflict::default(),
         },
         account_name: mas_data_model::UpstreamOAuthProviderSubjectPreference {
             template: config.account_name.template.clone(),

crates/config/src/sections/mod.rs

@@ -52,7 +52,7 @@ pub use self::{
     upstream_oauth2::{
         ClaimsImports as UpstreamOAuth2ClaimsImports, DiscoveryMode as UpstreamOAuth2DiscoveryMode,
         EmailImportPreference as UpstreamOAuth2EmailImportPreference,
-        ImportAction as UpstreamOAuth2ImportAction,
+        ImportAction as UpstreamOAuth2ImportAction, OnConflict as UpstreamOAuth2OnConflict,
         OnBackchannelLogout as UpstreamOAuth2OnBackchannelLogout,
         PkceMethod as UpstreamOAuth2PkceMethod, Provider as UpstreamOAuth2Provider,
         ResponseMode as UpstreamOAuth2ResponseMode,

crates/config/src/sections/upstream_oauth2.rs

@@ -110,6 +110,20 @@ impl ConfigurationSection for UpstreamOAuth2Config {
                     }
                 }
             }
+
+            if !provider.claims_imports.localpart.on_conflict.is_default()
+                && !matches!(
+                    provider.claims_imports.localpart.action,
+                    ImportAction::Force | ImportAction::Require
+                )
+            {
+                return annotate(figment::Error::custom(
+                    "The field `action` must be either `force` or `require` when `on_conflict` is set to `add`",
+                ));
+            }
+
+            //TODO : check that claims imports use on_conflict where it is not
+            // supported?
         }
 
         Ok(())
@@ -183,6 +197,26 @@ impl ImportAction {
     }
 }
 
+/// How to handle an existing localpart claim
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default, JsonSchema)]
+#[serde(rename_all = "lowercase")]
+pub enum OnConflict {
+    /// Fails the sso login on conflict
+    #[default]
+    Fail,
+
+    /// Adds the oauth identity link, regardless of whether there is an existing
+    /// link or not
+    Add,
+}
+
+impl OnConflict {
+    #[allow(clippy::trivially_copy_pass_by_ref)]
+    const fn is_default(&self) -> bool {
+        matches!(self, OnConflict::Fail)
+    }
+}
+
 /// What should be done for the subject attribute
 #[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, Default, JsonSchema)]
 pub struct SubjectImportPreference {
@@ -211,6 +245,10 @@ pub struct LocalpartImportPreference {
     /// If not provided, the default template is `{{ user.preferred_username }}`
     #[serde(default, skip_serializing_if = "Option::is_none")]
     pub template: Option<String>,
+
+    /// How to handle conflicts on the claim, default value is `Fail`
+    #[serde(default, skip_serializing_if = "OnConflict::is_default")]
+    pub on_conflict: OnConflict,
 }
 
 impl LocalpartImportPreference {

crates/data-model/src/lib.rs

@@ -42,7 +42,7 @@ pub use self::{
         UpstreamOAuthAuthorizationSession, UpstreamOAuthAuthorizationSessionState,
         UpstreamOAuthLink, UpstreamOAuthProvider, UpstreamOAuthProviderClaimsImports,
         UpstreamOAuthProviderDiscoveryMode, UpstreamOAuthProviderImportAction,
-        UpstreamOAuthProviderImportPreference, UpstreamOAuthProviderOnBackchannelLogout,
+        UpstreamOAuthProviderImportPreference, UpstreamOAuthProviderOnConflict, UpstreamOAuthProviderOnBackchannelLogout,
         UpstreamOAuthProviderPkceMode, UpstreamOAuthProviderResponseMode,
         UpstreamOAuthProviderSubjectPreference, UpstreamOAuthProviderTokenAuthMethod,
     },

crates/data-model/src/upstream_oauth2/mod.rs

@@ -16,7 +16,7 @@ pub use self::{
         ImportAction as UpstreamOAuthProviderImportAction,
         ImportPreference as UpstreamOAuthProviderImportPreference,
         OnBackchannelLogout as UpstreamOAuthProviderOnBackchannelLogout,
-        PkceMode as UpstreamOAuthProviderPkceMode,
+        OnConflict as UpstreamOAuthProviderOnConflict, PkceMode as UpstreamOAuthProviderPkceMode,
         ResponseMode as UpstreamOAuthProviderResponseMode,
         SubjectPreference as UpstreamOAuthProviderSubjectPreference,
         TokenAuthMethod as UpstreamOAuthProviderTokenAuthMethod, UpstreamOAuthProvider,

crates/data-model/src/upstream_oauth2/provider.rs

@@ -339,6 +339,9 @@ pub struct ImportPreference {
 
     #[serde(default)]
     pub template: Option<String>,
+
+    #[serde(default)]
+    pub on_conflict: OnConflict,
 }
 
 impl std::ops::Deref for ImportPreference {
@@ -391,3 +394,22 @@ impl ImportAction {
         }
     }
 }
+
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, Default)]
+#[serde(rename_all = "lowercase")]
+pub enum OnConflict {
+    /// Fails the upstream OAuth 2.0 login
+    #[default]
+    Fail,
+
+    /// Adds the upstream account link, regardless of whether there is an
+    /// existing link or not
+    Add,
+}
+
+impl OnConflict {
+    #[must_use]
+    pub fn is_add(&self) -> bool {
+        matches!(self, Self::Add)
+    }
+}