Auth: Allow admins to manually change oauth user role if oauth_skip_org_role_update_sync is enabled (#55182)

* Auth: Allow admins to change oauth user info it it's not synced. Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> * Update public/app/features/admin/UserAdminPage.tsx Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> * Add missing import * Simplify init Co-authored-by: Josh Hunt <joshhunt@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> * SAML: Add option to skip org role sync (#55230) * SAML: Add option to skip org role sync * Modify frontend accordingly * Remove update from config option name Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Remove update from config option name Co-authored-by: Jguer <joao.guerreiro@grafana.com> * Fix typo Co-authored-by: Jguer <joao.guerreiro@grafana.com> Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com> Co-authored-by: Alex Khomenko <Clarity-89@users.noreply.github.com> Co-authored-by: gamab <gabi.mabs@gmail.com> Co-authored-by: Josh Hunt <joshhunt@users.noreply.github.com>
2025-02-25 18:55:37 -06:00 · 2022-09-15 18:06:09 +02:00
parent ebcbb66548
commit 3e2e9f93b9
7 changed files with 39 additions and 6 deletions
--- a/public/app/features/admin/UserAdminPage.tsx
+++ b/public/app/features/admin/UserAdminPage.tsx
@@ -4,6 +4,7 @@ import { connect, ConnectedProps } from 'react-redux';
 import { NavModelItem } from '@grafana/data';
 import { featureEnabled } from '@grafana/runtime';
 import { Page } from 'app/core/components/Page/Page';
+import config from 'app/core/config';
 import { contextSrv } from 'app/core/core';
 import { GrafanaRouteComponentProps } from 'app/core/navigation/types';
 import { StoreState, UserDTO, UserOrg, UserSession, SyncInfo, UserAdminError, AccessControlAction } from 'app/types';
@@ -38,6 +39,8 @@ interface OwnProps extends GrafanaRouteComponentProps<{ id: string }> {
  error?: UserAdminError;
 }

+const SyncedOAuthLabels: string[] = ['GitHub', 'GitLab', 'AzureAD', 'OAuth'];
+
 export class UserAdminPage extends PureComponent<Props> {
  async componentDidMount() {
    const { match, loadAdminUserPage } = this.props;
@@ -105,6 +108,13 @@ export class UserAdminPage extends PureComponent<Props> {
    const isLDAPUser = user && user.isExternal && user.authLabels && user.authLabels.includes('LDAP');
    const canReadSessions = contextSrv.hasPermission(AccessControlAction.UsersAuthTokenList);
    const canReadLDAPStatus = contextSrv.hasPermission(AccessControlAction.LDAPStatusRead);
+    const isOAuthUserWithSkippableSync =
+      user?.isExternal && user?.authLabels?.some((r) => SyncedOAuthLabels.includes(r));
+    const isSAMLUser = user?.isExternal && user?.authLabels?.includes('SAML');
+    const isUserSynced =
+      (user?.isExternal && !(isOAuthUserWithSkippableSync || isSAMLUser)) ||
+      (!config.auth.OAuthSkipOrgRoleUpdateSync && isOAuthUserWithSkippableSync) ||
+      (!config.auth.SAMLSkipOrgRoleSync && isSAMLUser);

    const pageNav: NavModelItem = {
      text: user?.login ?? '',
@@ -137,7 +147,7 @@ export class UserAdminPage extends PureComponent<Props> {
            <UserOrgs
              user={user}
              orgs={orgs}
-              isExternalUser={user?.isExternal}
+              isExternalUser={isUserSynced}
              onOrgRemove={this.onOrgRemove}
              onOrgRoleChange={this.onOrgRoleChange}
              onOrgAdd={this.onOrgAdd}