feat(rbac): enable okta login when creating integration (#416)

## 📝 Description

renderedtext/tasks#8169

## ✅ Checklist
- [x] I have tested this change
- [ ] This change requires documentation update

Author: VeljkoMaksimovic

ee/rbac/lib/rbac/api/organization.ex

@@ -4,6 +4,15 @@ defmodule Rbac.Api.Organization do
 
   def find_by_username(username) do
     req = %Organization.DescribeRequest{org_username: username}
+    describe_organization(req)
+  end
+
+  def find_by_id(org_id) do
+    req = %Organization.DescribeRequest{org_id: org_id}
+    describe_organization(req)
+  end
+
+  defp describe_organization(req) do
     {:ok, channel} = GRPC.Stub.connect(Application.fetch_env!(:rbac, :organization_grpc_endpoint))
 
     Logger.info("Sending Organization describe request: #{inspect(req)}")
@@ -20,4 +29,20 @@ defmodule Rbac.Api.Organization do
         {:error, :not_found}
     end
   end
+
+  def update(organization) do
+    req = %Organization.UpdateRequest{organization: organization}
+    {:ok, channel} = GRPC.Stub.connect(Application.fetch_env!(:rbac, :organization_grpc_endpoint))
+
+    Logger.info("Sending Organization update request: #{inspect(req)}")
+
+    grpc_result = Organization.OrganizationService.Stub.update(channel, req, timeout: 30_000)
+
+    Logger.info("Received Organization update response: #{inspect(grpc_result)}")
+
+    case grpc_result do
+      {:ok, res} -> {:ok, res.organization}
+      {:error, error} -> {:error, error}
+    end
+  end
 end

ee/rbac/lib/rbac/okta/integrations.ex

@@ -4,6 +4,8 @@ defmodule Rbac.Okta.Integration do
   """
 
   require Ecto.Query
+  require Logger
+
   alias Ecto.Query
   alias Rbac.Repo
   alias Rbac.Okta.Saml.Certificate
@@ -21,23 +23,82 @@ defmodule Rbac.Okta.Integration do
         jit_provisioning_enabled,
         idempotency_token \\ Ecto.UUID.generate()
       ) do
-    with {:ok, fingerprint} <- Certificate.fingerprint(certificate),
-         {:ok, integration} <-
-           Rbac.Repo.OktaIntegration.insert_or_update(
-             org_id: org_id,
-             creator_id: creator_id,
-             sso_url: sso_url,
-             saml_issuer: saml_issuer,
-             saml_certificate_fingerprint: Base.encode64(fingerprint),
-             jit_provisioning_enabled: jit_provisioning_enabled,
-             idempotency_token: idempotency_token
-           ) do
-      {:ok, integration}
+    Ecto.Multi.new()
+    |> Ecto.Multi.run(:fingerprint, fn _repo, _changes ->
+      Certificate.fingerprint(certificate)
+    end)
+    |> Ecto.Multi.run(:integration, fn _repo, %{fingerprint: fingerprint} ->
+      Rbac.Repo.OktaIntegration.insert_or_update(
+        org_id: org_id,
+        creator_id: creator_id,
+        sso_url: sso_url,
+        saml_issuer: saml_issuer,
+        saml_certificate_fingerprint: Base.encode64(fingerprint),
+        jit_provisioning_enabled: jit_provisioning_enabled,
+        idempotency_token: idempotency_token
+      )
+    end)
+    |> Ecto.Multi.run(:allowed_id_providers, fn _repo, _changes ->
+      add_okta_to_allowed_id_providers(org_id)
+    end)
+    |> Rbac.Repo.transaction()
+    |> case do
+      {:ok, %{integration: integration}} ->
+        {:ok, integration}
+
+      {:error, :fingerprint, reason, _changes} ->
+        Logger.error("Failed to decode certificate for org #{org_id}: #{inspect(reason)}.")
+        {:error, :cert_decode_error}
+
+      {:error, :integration, reason, _changes} ->
+        Logger.error(
+          "Failed to create/update Okta integration for org #{org_id}: #{inspect(reason)}"
+        )
+
+        {:error, {:integration_failed, reason}}
+
+      {:error, :allowed_id_providers, reason, _changes} ->
+        Logger.error(
+          "Failed to add Okta to allowed ID providers for org #{org_id}: #{inspect(reason)}"
+        )
+
+        {:error, {:allowed_id_providers_failed, reason}}
+
+      {:error, operation, reason, _changes} ->
+        Logger.error(
+          "Unknown operation #{inspect(operation)} failed for org #{org_id}: #{inspect(reason)}"
+        )
+
+        {:error, reason}
+    end
+  end
+
+  defp update_id_providers(org_id, operation, action) do
+    with {:ok, org} <- Rbac.Api.Organization.find_by_id(org_id),
+         updated_providers <- operation.(org.allowed_id_providers || []),
+         updated_org <- Map.put(org, :allowed_id_providers, updated_providers),
+         {:ok, updated} <- Rbac.Api.Organization.update(updated_org) do
+      {:ok, updated}
     else
-      e -> e
+      {:error, :not_found} ->
+        Logger.error("Failed to #{action} okta provider: Org #{org_id} not found")
+        {:error, :organization_not_found}
+
+      {:error, reason} ->
+        Logger.error("Failed to #{action} okta provider for org #{org_id}: #{inspect(reason)}")
+
+        {:error, :update_failed}
     end
   end
 
+  defp add_okta_to_allowed_id_providers(org_id) do
+    update_id_providers(org_id, &Enum.uniq(&1 ++ ["okta"]), "add")
+  end
+
+  defp remove_okta_from_allowed_id_providers(org_id) do
+    update_id_providers(org_id, &Enum.reject(&1, fn provider -> provider == "okta" end), "remove")
+  end
+
   def generate_scim_token(integration) do
     token = Rbac.Okta.Scim.Token.generate()
     token_hash = Rbac.Okta.Scim.Token.hash(token)
@@ -96,10 +157,13 @@ defmodule Rbac.Okta.Integration do
         Rbac.RoleManagement.retract_roles(rbi, :okta)
         {:ok, :retracted_roles}
       end)
-      |> Ecto.Multi.run(:delete_okta_users, fn _repo, _cahnges ->
+      |> Ecto.Multi.run(:delete_okta_users, fn _repo, _changes ->
         OktaUser.delete_all(id)
         {:ok, :okta_users_deleted}
       end)
+      |> Ecto.Multi.run(:remove_okta_from_allowed_id_providers, fn _repo, _changes ->
+        remove_okta_from_allowed_id_providers(integration.org_id)
+      end)
       |> Ecto.Multi.delete(:delete_okta_integration, integration)
       |> Rbac.Repo.transaction(timeout: 60_000)