feat(rbac): jit saml group membership (#142)

VeljkoMaksimovic · web-flow · commit b9df3ed16e40 · 2025-03-24T16:47:33.000Z
## 📝 Description Handle group membership for jit saml users based on saml attributes renderedtext/tasks#7653 ## ✅ Checklist - [x] I have tested this change - [ ] This change requires documentation update
diff --git a/ee/rbac/lib/rbac/grpc_servers/groups_server.ex b/ee/rbac/lib/rbac/grpc_servers/groups_server.ex
@@ -27,7 +27,7 @@ defmodule Rbac.GrpcServers.GroupsServer do
         Rbac.TempSync.assign_org_member_role(created_group.id, org_id)
 
         Enum.each(group.member_ids, fn member_id ->
-          Rbac.Repo.GroupManagementRequest.create_new_request(member_id, created_group.id, "add")
+          Rbac.Repo.GroupManagementRequest.create_new_request(member_id, created_group.id, :add)
         end)
 
         %Groups.CreateGroupResponse{group: construct_grpc_group(created_group)}
@@ -73,8 +73,8 @@ defmodule Rbac.GrpcServers.GroupsServer do
     with {:ok, _} <- Group.fetch_group(req.group.id),
          {:ok, group} <-
            Group.modify_metadata(req.group.id, req.group.name, req.group.description) do
-      GroupManagementRequest.create_new_request(req.members_to_remove, group.id, "remove")
-      GroupManagementRequest.create_new_request(req.members_to_add, group.id, "add")
+      GroupManagementRequest.create_new_request(req.members_to_remove, group.id, :remove)
+      GroupManagementRequest.create_new_request(req.members_to_add, group.id, :add)
       %Groups.ModifyGroupResponse{group: construct_grpc_group(group)}
     else
       {:error, :not_found} ->
diff --git a/ee/rbac/lib/rbac/okta/saml/jit_provisioner/add_user.ex b/ee/rbac/lib/rbac/okta/saml/jit_provisioner/add_user.ex
@@ -40,6 +40,8 @@ defmodule Rbac.Okta.Saml.JitProvisioner.AddUser do
       {:ok, saml_jit_user} <- SamlJitUser.connect_user(saml_jit_user, user.id),
       {:ok, role_id} <- fetch_role_to_be_assigned(saml_jit_user),
       :ok <- assign_role(user.id, saml_jit_user.org_id, role_id),
+      {:ok, group_ids} <- fetch_groups_to_be_assigned(saml_jit_user),
+      :ok <- assign_groups(user.id, group_ids),
       {:ok, saml_jit_user} <- SamlJitUser.mark_as_processed(saml_jit_user)
     ) do
       info("Provisioning #{saml_jit_user.id} done.")
@@ -125,6 +127,29 @@ defmodule Rbac.Okta.Saml.JitProvisioner.AddUser do
     end
   end
 
+  defp fetch_groups_to_be_assigned(jit_user) do
+    member_of = jit_user.attributes["member"] || []
+    info("[Saml JIT Provisioner] User member groups: #{inspect(member_of)}")
+
+    case Rbac.Okta.IdpGroupMapping.map_groups(jit_user.org_id, member_of) do
+      {:ok, groups, _default_role_id} when is_list(groups) ->
+        info("[Saml JIT Provisioner] Mapped Semaphore groups: #{inspect(groups)}")
+        {:ok, groups}
+
+      e ->
+        info("[Saml JIT Provisioner] Response from IdpGroupMapping.map_groups #{inspect(e)}")
+        {:ok, []}
+    end
+  end
+
+  defp assign_groups(user_id, group_ids) when is_list(group_ids) do
+    Enum.each(group_ids, fn group_id ->
+      Rbac.Repo.GroupManagementRequest.create_new_request(user_id, group_id, :add)
+    end)
+
+    :ok
+  end
+
   defp log_provisioning_error(okta_user, err) do
     inspects = "okta user: #{inspect(okta_user)} error: #{inspect(err)}"
 
diff --git a/ee/rbac/lib/rbac/okta/saml/payload_parser.ex b/ee/rbac/lib/rbac/okta/saml/payload_parser.ex
@@ -44,14 +44,17 @@ defmodule Rbac.Okta.Saml.PayloadParser do
 
   defp construct_attributes_map(attributes) do
     Enum.reduce(attributes, %{}, fn {name, value}, acc ->
-      <<first::utf8, rest::binary>> = name |> Atom.to_string() |> String.trim("/")
-      name = <<String.downcase(<<first::utf8>>)::binary, rest::binary>>
-
-      value = to_string(value)
+      name = name |> Atom.to_string() |> sanitize_string()
+      value = to_string(value) |> sanitize_string()
       Map.update(acc, name, [value], &(&1 ++ [value]))
     end)
   end
 
+  defp sanitize_string(string) do
+    <<first::utf8, rest::binary>> = string |> String.trim("/")
+    <<String.downcase(<<first::utf8>>)::binary, rest::binary>>
+  end
+
   defp validate_assertion(saml, sp) do
     :esaml_sp.validate_assertion(saml, sp)
   end
diff --git a/ee/rbac/lib/rbac/repo/group_management_request.ex b/ee/rbac/lib/rbac/repo/group_management_request.ex
@@ -8,7 +8,7 @@ defmodule Rbac.Repo.GroupManagementRequest do
     field(:state, Ecto.Enum, values: [:pending, :processing, :done, :failed], default: :pending)
     field(:user_id, :binary_id)
     field(:group_id, :binary_id)
-    field(:action, :string)
+    field(:action, Ecto.Enum, values: [:add, :remove])
     field(:retries, :integer, default: 0)
 
     timestamps()
diff --git a/ee/rbac/lib/rbac/repo/okta_user.ex b/ee/rbac/lib/rbac/repo/okta_user.ex
@@ -71,6 +71,12 @@ defmodule Rbac.Repo.OktaUser do
     end
   end
 
+  def find_by_user_id(user_id) do
+    __MODULE__
+    |> where([u], u.user_id == ^user_id)
+    |> Repo.all()
+  end
+
   @spec list(Rbac.Repo.OktaIntegration.t(), integer(), integer(), [Rbac.Okta.SCIM.Filter.t()]) ::
           any()
   def list(integration, start_index, count, filters) do
@@ -157,6 +163,10 @@ defmodule Rbac.Repo.OktaUser do
     changeset(okta_user, %{user_id: user_id}) |> Repo.update()
   end
 
+  def disconnect_user(okta_user) do
+    changeset(okta_user, %{user_id: nil}) |> Repo.update()
+  end
+
   def reload_with_lock_and_transaction(okta_user_id, fun) do
     Rbac.Repo.transaction(
       fn ->
diff --git a/ee/rbac/lib/rbac/repo/saml_jit_user.ex b/ee/rbac/lib/rbac/repo/saml_jit_user.ex
@@ -49,8 +49,18 @@ defmodule Rbac.Repo.SamlJitUser do
     end
   end
 
-  def connect_user(%__MODULE__{} = user, user_id) do
-    changeset(user, %{user_id: user_id}) |> Repo.update()
+  def find_by_user_id(user_id) do
+    __MODULE__
+    |> where([u], u.user_id == ^user_id)
+    |> Repo.all()
+  end
+
+  def delete(%__MODULE__{} = saml_jit_user) do
+    Repo.delete(saml_jit_user)
+  end
+
+  def connect_user(%__MODULE__{} = saml_jit_user, user_id) do
+    changeset(saml_jit_user, %{user_id: user_id}) |> Repo.update()
   end
 
   def construct_name(%__MODULE__{} = user) do
diff --git a/ee/rbac/lib/rbac/services/user_deleted.ex b/ee/rbac/lib/rbac/services/user_deleted.ex
@@ -13,17 +13,17 @@ defmodule Rbac.Services.UserDeleted do
 
       log(event.user_id, "Processing started")
 
-      if Rbac.OIDC.enabled?() do
-        handle_oidc_sync(event.user_id)
-      end
+      delete_oidc_user(event.user_id)
+      disconnect_okta_user(event.user_id)
+      delete_saml_jit_user(event.user_id)
 
       Rbac.Store.RbacUser.delete(event.user_id)
 
       log(event.user_id, "Processing finished")
     end)
   end
 
-  defp handle_oidc_sync(user_id) do
+  defp delete_oidc_user(user_id) do
     case Rbac.Store.OIDCUser.fetch_by_user_id(user_id) do
       {:ok, oidc_user} ->
         log(user_id, "OIDC user exists, deleting")
@@ -35,6 +35,30 @@ defmodule Rbac.Services.UserDeleted do
     end
   end
 
+  defp disconnect_okta_user(user_id) do
+    okta_users = Rbac.Repo.OktaUser.find_by_user_id(user_id)
+
+    if Enum.empty?(okta_users) do
+      log(user_id, "No Okta users found, not syncing")
+    else
+      log(user_id, "Found #{length(okta_users)} Okta users, disconnecting")
+
+      Enum.each(okta_users, fn okta_user ->
+        Rbac.Repo.OktaUser.disconnect_user(okta_user)
+      end)
+    end
+  end
+
+  defp delete_saml_jit_user(user_id) do
+    saml_users = Rbac.Repo.SamlJitUser.find_by_user_id(user_id)
+
+    log(user_id, "Found #{length(saml_users)} SAML JIT users, deleting")
+
+    Enum.each(saml_users, fn saml_user ->
+      Rbac.Repo.SamlJitUser.delete(saml_user)
+    end)
+  end
+
   defp log(level \\ :info, user_id, message) do
     message = "[User Deleted] #{user_id}: #{message}"
 
diff --git a/ee/rbac/lib/rbac/store/group.ex b/ee/rbac/lib/rbac/store/group.ex
@@ -115,7 +115,7 @@ defmodule Rbac.Store.Group do
     |> where([_, g], g.org_id == ^org_id)
     |> select([ugb, _], ugb.group_id)
     |> Rbac.Repo.all()
-    |> Enum.each(&Rbac.Repo.GroupManagementRequest.create_new_request(member_id, &1, "remove"))
+    |> Enum.each(&Rbac.Repo.GroupManagementRequest.create_new_request(member_id, &1, :remove))
   end
 
   def modify_metadata(group_id, "", ""), do: fetch_group(group_id)
diff --git a/ee/rbac/lib/rbac/workers/group_management.ex b/ee/rbac/lib/rbac/workers/group_management.ex
@@ -26,10 +26,10 @@ defmodule Rbac.Workers.GroupManagement do
         {:ok, group} = Rbac.Store.Group.fetch_group(req.group_id)
 
         case req.action do
-          "add" ->
+          :add ->
             :ok = Rbac.Store.Group.add_to_group(group, req.user_id)
 
-          "remove" ->
+          :remove ->
             :ok = Rbac.Store.Group.remove_from_group(group, req.user_id)
 
           other ->
diff --git a/ee/rbac/test/rbac/grpc_servers/groups_server_test.exs b/ee/rbac/test/rbac/grpc_servers/groups_server_test.exs
@@ -248,9 +248,9 @@ defmodule Rbac.GrpcServers.GroupsServer.Test do
       }
 
       {:ok, _} = state.grpc_channel |> Stub.modify_group(request)
-      assert_request_created(user1.id, state.group.id, "add")
-      assert_request_created(user2.id, state.group.id, "add")
-      assert_request_created(user3.id, state.group.id, "remove")
+      assert_request_created(user1.id, state.group.id, :add)
+      assert_request_created(user2.id, state.group.id, :add)
+      assert_request_created(user3.id, state.group.id, :remove)
       assert Rbac.Repo.GroupManagementRequest |> Rbac.Repo.aggregate(:count, :id) == 3
     end
   end
diff --git a/ee/rbac/test/rbac/okta/saml/payload_parser_test.exs b/ee/rbac/test/rbac/okta/saml/payload_parser_test.exs
@@ -57,9 +57,9 @@ defmodule Rbac.Okta.Saml.PayloadParser.Test do
   test "valid SAML XML with attributes => returns a parsed SamlPayload" do
     # When processing assertions, '/' should be trimmerd, and first character should always be lowercase
     attributes = [
-      {"memberOf", "group1"},
-      {"memberOf", "group2"},
-      {"/Role/", "user"}
+      {"member", "group1/"},
+      {"member", "/group2"},
+      {"/Role/", "User"}
     ]
 
     payload =
@@ -74,7 +74,7 @@ defmodule Rbac.Okta.Saml.PayloadParser.Test do
         :jump_cloud
       )
 
-    assert {:ok, @email, %{"role" => ["user"], "memberOf" => ["group2", "group1"]}} =
+    assert {:ok, @email, %{"role" => ["user"], "member" => ["group2", "group1"]}} =
              Parser.parse(
                integration(@jump_cloud_issuer),
                URI.decode_query(payload),
diff --git a/ee/rbac/test/rbac/okta/saml/provisioner/add_user_test.exs b/ee/rbac/test/rbac/okta/saml/provisioner/add_user_test.exs
@@ -2,6 +2,7 @@ defmodule Rbac.Okta.Saml.Provisioner.AddUser.Test do
   use Rbac.RepoCase, async: true
   alias Rbac.Okta.Saml.JitProvisioner.AddUser
   alias Rbac.{Repo, FrontRepo}
+  alias Support.Factories
 
   @org_id Ecto.UUID.generate()
 
@@ -23,7 +24,7 @@ defmodule Rbac.Okta.Saml.Provisioner.AddUser.Test do
     test "When the org has custom mapping but w/o any role mappings", ctx do
       {:ok, role} = Repo.RbacRole.get_role_by_name("Admin", "org_scope", ctx.jit_user.org_id)
 
-      Support.Factories.IdpGroupMapping.insert(
+      Factories.IdpGroupMapping.insert(
         organization_id: ctx.jit_user.org_id,
         default_role_id: role.id
       )
@@ -36,15 +37,15 @@ defmodule Rbac.Okta.Saml.Provisioner.AddUser.Test do
 
     test "When the org has custom role mappings" do
       {:ok, jit_user} =
-        Support.Factories.SamlJitUser.insert(
+        Factories.SamlJitUser.insert(
           org_id: @org_id,
           attributes: %{"role" => ["role_1", "test_role"]}
         )
 
       {:ok, admin} = Repo.RbacRole.get_role_by_name("Admin", "org_scope", jit_user.org_id)
       {:ok, owner} = Repo.RbacRole.get_role_by_name("Owner", "org_scope", jit_user.org_id)
 
-      Support.Factories.IdpGroupMapping.insert(
+      Factories.IdpGroupMapping.insert(
         organization_id: jit_user.org_id,
         default_role_id: admin.id,
         role_mapping: [%{idp_role_id: "test_role", semaphore_role_id: owner.id}]
@@ -55,6 +56,36 @@ defmodule Rbac.Okta.Saml.Provisioner.AddUser.Test do
       assert_user_created(jit_user)
       assert_role_assigned(jit_user, "Owner")
     end
+
+    test "When the org has custom group mappings" do
+      {:ok, jit_user} =
+        Factories.SamlJitUser.insert(
+          org_id: @org_id,
+          attributes: %{"member" => ["g1", "g2", "unmapped_group"]}
+        )
+
+      {:ok, group1} = Factories.Group.insert(organization_id: @org_id)
+      {:ok, group2} = Factories.Group.insert(organization_id: @org_id)
+      {:ok, member} = Repo.RbacRole.get_role_by_name("Member", "org_scope", jit_user.org_id)
+
+      Factories.IdpGroupMapping.insert(
+        organization_id: jit_user.org_id,
+        default_role_id: member.id,
+        group_mapping: [
+          %{idp_group_id: "g1", semaphore_group_id: group1.id},
+          %{idp_group_id: "g2", semaphore_group_id: group2.id}
+        ]
+      )
+
+      {:ok, jit_user} = AddUser.run(jit_user)
+
+      assert_user_created(jit_user)
+      assert_role_assigned(jit_user, "Member")
+      assert_group_request(jit_user.user_id, group1.id)
+      assert_group_request(jit_user.user_id, group2.id)
+
+      assert Repo.GroupManagementRequest |> Repo.aggregate(:count) == 2
+    end
   end
 
   defp assert_user_created(jit_user) do
@@ -78,4 +109,12 @@ defmodule Rbac.Okta.Saml.Provisioner.AddUser.Test do
            )
            |> Repo.exists?()
   end
+
+  defp assert_group_request(user_id, group_id) do
+    import Ecto.Query
+
+    assert Repo.GroupManagementRequest
+           |> where([r], r.user_id == ^user_id and r.group_id == ^group_id and r.action == :add)
+           |> Repo.exists?()
+  end
 end
diff --git a/ee/rbac/test/rbac/services/user_deleted_test.exs b/ee/rbac/test/rbac/services/user_deleted_test.exs
@@ -14,6 +14,33 @@ defmodule Rbac.Services.UserDeletedTest do
         assert_called_exactly(Rbac.Store.RbacUser.delete(user_id), 1)
       end
     end
+
+    test "make sure okta user is disconnected" do
+      {:ok, user} = Support.Factories.RbacUser.insert()
+      {:ok, okta_user} = Support.Factories.OktaUser.insert(user_id: user.id)
+
+      publish_event(user.id)
+      :timer.sleep(300)
+
+      refute Rbac.Store.RbacUser.fetch(user.id)
+
+      # Reload the okta user to see its current state
+      okta_user_after_deletion = Rbac.Repo.get(Rbac.Repo.OktaUser, okta_user.id)
+
+      assert okta_user_after_deletion != nil
+      assert okta_user_after_deletion.user_id == nil
+    end
+
+    test "make sure saml_jit user is disconnected" do
+      {:ok, user} = Support.Factories.RbacUser.insert()
+      {:ok, saml_jit_user} = Support.Factories.SamlJitUser.insert(user_id: user.id)
+
+      publish_event(user.id)
+      :timer.sleep(300)
+
+      refute Rbac.Store.RbacUser.fetch(user.id)
+      refute Rbac.Repo.get(Rbac.Repo.SamlJitUser, saml_jit_user.id)
+    end
   end
 
   #
diff --git a/ee/rbac/test/support/factories/okta_user_factory.ex b/ee/rbac/test/support/factories/okta_user_factory.ex
@@ -13,7 +13,7 @@ defmodule Support.Factories.OktaUser do
   def insert(options \\ []) do
     %OktaUser{
       org_id: get_id(options[:org_id]),
-      integration_id: get_id(options[:integration_id]),
+      integration_id: get_integration_id(options[:integration_id]),
       payload: get_payload(options[:payload]),
       state: get_state(options[:state]),
       user_id: get_id(options[:user_id]),
@@ -25,6 +25,11 @@ defmodule Support.Factories.OktaUser do
   defp get_id(nil), do: UUID.generate()
   defp get_id(id), do: id
 
+  defp get_integration_id(nil),
+    do: Support.Factories.OktaIntegration.insert() |> elem(1) |> Map.get(:id)
+
+  defp get_integration_id(id), do: id
+
   defp get_string(nil), do: for(_ <- 1..10, into: "", do: <<Enum.random(~c"abcdefghijk")>>)
   defp get_string(string), do: string
 
diff --git a/ee/rbac/test/support/factories/saml_jit_user_factory.ex b/ee/rbac/test/support/factories/saml_jit_user_factory.ex
@@ -13,6 +13,7 @@ defmodule Support.Factories.SamlJitUser do
   def insert(options \\ []) do
     %SamlJitUser{
       org_id: get_id(options[:org_id]),
+      user_id: get_id(options[:user_id]),
       integration_id: get_integration_id(options[:integration_id]),
       attributes: get_attributes(options[:attributes]),
       state: get_state(options[:state]),
