Skip to content

Commit 8c349d7

Browse files
committed
refactor(dashboard-api): port the issuer registry into provisioning
Carries the base branch's identity.Registry design through the extraction: provisioning.Service takes the issuer-keyed registry instead of a bare issuer URL, BootstrapOIDCUser resolves the identity provider for the request's issuer (unknown issuer -> 400), and the SSO guards resolve a user's organization through the registry, which checks every identity deterministically.
1 parent b99e2e6 commit 8c349d7

9 files changed

Lines changed: 63 additions & 59 deletions

File tree

packages/dashboard-api/internal/handlers/admin_teams_bootstrap_test.go

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -34,7 +34,7 @@ func TestPostAdminTeamsBootstrapCreatesTeam(t *testing.T) {
3434
ginCtx.Request.Header.Set("Content-Type", "application/json")
3535

3636
store := &APIStore{
37-
provisioning: provisioning.New(testDB.AuthDB, nil, sink, ""),
37+
provisioning: provisioning.New(testDB.AuthDB, nil, sink, nil),
3838
}
3939
store.PostAdminTeamsBootstrap(ginCtx)
4040

@@ -109,7 +109,7 @@ func TestPostAdminTeamsBootstrapRollsBackOnProvisioningFailure(t *testing.T) {
109109
ginCtx.Request.Header.Set("Content-Type", "application/json")
110110

111111
store := &APIStore{
112-
provisioning: provisioning.New(testDB.AuthDB, nil, sink, ""),
112+
provisioning: provisioning.New(testDB.AuthDB, nil, sink, nil),
113113
}
114114
store.PostAdminTeamsBootstrap(ginCtx)
115115

@@ -148,7 +148,7 @@ func TestPostAdminTeamsBootstrapRejectsMissingFields(t *testing.T) {
148148
ginCtx.Request.Header.Set("Content-Type", "application/json")
149149

150150
store := &APIStore{
151-
provisioning: provisioning.New(testDB.AuthDB, nil, &fakeTeamProvisionSink{err: errors.New("should not provision")}, ""),
151+
provisioning: provisioning.New(testDB.AuthDB, nil, &fakeTeamProvisionSink{err: errors.New("should not provision")}, nil),
152152
}
153153
store.PostAdminTeamsBootstrap(ginCtx)
154154

packages/dashboard-api/internal/handlers/store.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -48,7 +48,7 @@ func NewAPIStore(
4848
clickhouse: ch,
4949
authService: authService,
5050
idp: idp,
51-
provisioning: provisioning.New(authDB, idp, teamProvisionSink, config.OryIssuerURL),
51+
provisioning: provisioning.New(authDB, idp, teamProvisionSink, identity.Registry{config.OryIssuerURL: idp}),
5252
}
5353
}
5454

packages/dashboard-api/internal/handlers/team_handlers_test.go

Lines changed: 8 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -219,7 +219,7 @@ func TestPostTeamsTeamIDMembers_RejectsInviteOutsideSSOOrg(t *testing.T) {
219219
// invitee belongs to no org (orgByUser empty) → outside the team's org.
220220
store := &APIStore{
221221
idp: ssoIdentityProvider{},
222-
provisioning: provisioning.New(nil, ssoIdentityProvider{}, nil, ""),
222+
provisioning: provisioning.New(nil, ssoIdentityProvider{}, nil, identity.Registry{"": ssoIdentityProvider{}}),
223223
}
224224
store.PostTeamsTeamIDMembers(ginCtx, teamID)
225225

@@ -255,7 +255,7 @@ func TestPostTeamsTeamIDMembers_AllowsInviteFromSSOOrg(t *testing.T) {
255255
authDB: testDB.AuthDB,
256256
authService: noopAuthService{},
257257
idp: profiles,
258-
provisioning: provisioning.New(testDB.AuthDB, profiles, nil, ""),
258+
provisioning: provisioning.New(testDB.AuthDB, profiles, nil, identity.Registry{"": profiles}),
259259
}
260260
store.PostTeamsTeamIDMembers(ginCtx, teamID)
261261

@@ -565,7 +565,7 @@ func TestPostTeams_LocalPolicyDeniedReturnsBadRequestWithoutCreatingTeam(t *test
565565
store := &APIStore{
566566
db: testDB.SqlcClient,
567567
authDB: testDB.AuthDB,
568-
provisioning: provisioning.New(testDB.AuthDB, handlerTestIdentityProvider{}, sink, ""),
568+
provisioning: provisioning.New(testDB.AuthDB, handlerTestIdentityProvider{}, sink, identity.Registry{"": handlerTestIdentityProvider{}}),
569569
}
570570
store.PostTeams(ginCtx)
571571

@@ -603,7 +603,7 @@ func TestPostTeams_InvalidNameReturnsBadRequest(t *testing.T) {
603603
store := &APIStore{
604604
db: testDB.SqlcClient,
605605
authDB: testDB.AuthDB,
606-
provisioning: provisioning.New(testDB.AuthDB, handlerTestIdentityProvider{}, sink, ""),
606+
provisioning: provisioning.New(testDB.AuthDB, handlerTestIdentityProvider{}, sink, identity.Registry{"": handlerTestIdentityProvider{}}),
607607
}
608608
store.PostTeams(ginCtx)
609609

@@ -633,7 +633,7 @@ func TestPostTeams_InvalidRequestBodyReturnsBadRequest(t *testing.T) {
633633
store := &APIStore{
634634
db: testDB.SqlcClient,
635635
authDB: testDB.AuthDB,
636-
provisioning: provisioning.New(testDB.AuthDB, handlerTestIdentityProvider{}, sink, ""),
636+
provisioning: provisioning.New(testDB.AuthDB, handlerTestIdentityProvider{}, sink, identity.Registry{"": handlerTestIdentityProvider{}}),
637637
}
638638
store.PostTeams(ginCtx)
639639

@@ -665,7 +665,7 @@ func TestPostTeams_TrimsNameBeforeCreate(t *testing.T) {
665665
store := &APIStore{
666666
db: testDB.SqlcClient,
667667
authDB: testDB.AuthDB,
668-
provisioning: provisioning.New(testDB.AuthDB, handlerTestIdentityProvider{}, sink, ""),
668+
provisioning: provisioning.New(testDB.AuthDB, handlerTestIdentityProvider{}, sink, identity.Registry{"": handlerTestIdentityProvider{}}),
669669
}
670670
store.PostTeams(ginCtx)
671671

@@ -716,7 +716,7 @@ func TestPostTeams_ProvisioningFailureRollsBackCreatedTeam(t *testing.T) {
716716
store := &APIStore{
717717
db: testDB.SqlcClient,
718718
authDB: testDB.AuthDB,
719-
provisioning: provisioning.New(testDB.AuthDB, handlerTestIdentityProvider{}, sink, ""),
719+
provisioning: provisioning.New(testDB.AuthDB, handlerTestIdentityProvider{}, sink, identity.Registry{"": handlerTestIdentityProvider{}}),
720720
}
721721
store.PostTeams(ginCtx)
722722

@@ -774,7 +774,7 @@ func TestPostTeams_ProvisioningFailurePreservesProvisionErrorStatus(t *testing.T
774774
store := &APIStore{
775775
db: testDB.SqlcClient,
776776
authDB: testDB.AuthDB,
777-
provisioning: provisioning.New(testDB.AuthDB, handlerTestIdentityProvider{}, sink, ""),
777+
provisioning: provisioning.New(testDB.AuthDB, handlerTestIdentityProvider{}, sink, identity.Registry{"": handlerTestIdentityProvider{}}),
778778
}
779779
store.PostTeams(ginCtx)
780780

packages/dashboard-api/internal/provisioning/bootstrap.go

Lines changed: 23 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -9,14 +9,16 @@ import (
99

1010
"github.com/google/uuid"
1111

12+
"github.com/e2b-dev/infra/packages/dashboard-api/internal/identity"
1213
internalteamprovision "github.com/e2b-dev/infra/packages/dashboard-api/internal/teamprovision"
1314
authqueries "github.com/e2b-dev/infra/packages/db/pkg/auth/queries"
1415
"github.com/e2b-dev/infra/packages/db/pkg/dberrors"
1516
"github.com/e2b-dev/infra/packages/shared/pkg/teamprovision"
1617
)
1718

1819
func (s *Service) BootstrapOIDCUser(ctx context.Context, input OIDCUserBootstrapInput) (ProvisionedTeam, error) {
19-
if err := s.requireConfiguredOIDCIssuer(input.OIDCIssuer); err != nil {
20+
idp, err := s.providerForIssuer(input.OIDCIssuer)
21+
if err != nil {
2022
return ProvisionedTeam{}, err
2123
}
2224

@@ -31,31 +33,30 @@ func (s *Service) BootstrapOIDCUser(ctx context.Context, input OIDCUserBootstrap
3133
}),
3234
}
3335

34-
return s.bootstrapUser(ctx, profile, bootstrapUserIdentity{
36+
return s.bootstrapUser(ctx, idp, profile, bootstrapUserIdentity{
3537
Issuer: input.OIDCIssuer,
3638
Subject: input.OIDCUserID,
3739
})
3840
}
3941

40-
// requireConfiguredOIDCIssuer rejects bootstrap requests whose issuer is not the
41-
// configured Ory issuer.
42-
func (s *Service) requireConfiguredOIDCIssuer(issuer string) error {
43-
oryIssuer := strings.TrimSpace(s.issuerURL)
44-
45-
if oryIssuer != "" && oryIssuer == issuer {
46-
return nil
42+
// providerForIssuer resolves the identity provider responsible for the issuer,
43+
// rejecting bootstrap requests from issuers no provider is registered for.
44+
func (s *Service) providerForIssuer(issuer string) (identity.Provider, error) {
45+
idp, ok := s.idps.ForIssuer(strings.TrimSpace(issuer))
46+
if !ok {
47+
return nil, &internalteamprovision.ProvisionError{
48+
StatusCode: http.StatusBadRequest,
49+
Message: "oidc_issuer does not match a configured identity provider",
50+
}
4751
}
4852

49-
return &internalteamprovision.ProvisionError{
50-
StatusCode: http.StatusBadRequest,
51-
Message: "oidc_issuer must equal the configured ORY_ISSUER_URL",
52-
}
53+
return idp, nil
5354
}
5455

55-
func (s *Service) bootstrapUser(ctx context.Context, profile bootstrapUserProfile, identity bootstrapUserIdentity) (ProvisionedTeam, error) {
56+
func (s *Service) bootstrapUser(ctx context.Context, idp identity.Provider, profile bootstrapUserProfile, oidcIdentity bootstrapUserIdentity) (ProvisionedTeam, error) {
5657
// Resolve the identity's SSO organization before opening the transaction: the
5758
// Kratos lookup is a network call that must not run under the per-user lock.
58-
ssoOrgID, err := s.idp.GetIdentityOrganizationID(ctx, identity.Subject)
59+
ssoOrgID, err := idp.GetIdentityOrganizationID(ctx, oidcIdentity.Subject)
5960
if err != nil {
6061
return ProvisionedTeam{}, fmt.Errorf("resolve sso organization: %w", err)
6162
}
@@ -69,8 +70,8 @@ func (s *Service) bootstrapUser(ctx context.Context, profile bootstrapUserProfil
6970
}()
7071

7172
existing, err := authTxDB.GetUserIdentity(ctx, authqueries.GetUserIdentityParams{
72-
OidcIss: identity.Issuer,
73-
OidcSub: identity.Subject,
73+
OidcIss: oidcIdentity.Issuer,
74+
OidcSub: oidcIdentity.Subject,
7475
})
7576
switch {
7677
case err == nil:
@@ -84,8 +85,8 @@ func (s *Service) bootstrapUser(ctx context.Context, profile bootstrapUserProfil
8485
return ProvisionedTeam{}, fmt.Errorf("upsert public user: %w", err)
8586
}
8687
canonicalUserID, err := authTxDB.UpsertPublicIdentity(ctx, authqueries.UpsertPublicIdentityParams{
87-
OidcIss: identity.Issuer,
88-
OidcSub: identity.Subject,
88+
OidcIss: oidcIdentity.Issuer,
89+
OidcSub: oidcIdentity.Subject,
8990
UserID: candidateUserID,
9091
})
9192
if err != nil {
@@ -127,7 +128,7 @@ func (s *Service) bootstrapUser(ctx context.Context, profile bootstrapUserProfil
127128
// transaction. This is also the recovery path: a user whose external_id was
128129
// never set (e.g. a prior bootstrap whose PATCH failed after commit) re-runs
129130
// here and the idempotent PATCH is re-asserted.
130-
if err := s.idp.SetIdentityExternalID(ctx, identity.Subject, profile.UserID); err != nil {
131+
if err := idp.SetIdentityExternalID(ctx, oidcIdentity.Subject, profile.UserID); err != nil {
131132
return ProvisionedTeam{}, fmt.Errorf("set ory identity external id: %w", err)
132133
}
133134

@@ -156,7 +157,7 @@ func (s *Service) bootstrapUser(ctx context.Context, profile bootstrapUserProfil
156157
}
157158

158159
// No billing: SSO teams are provisioned out of band.
159-
if err := s.idp.SetIdentityExternalID(ctx, identity.Subject, profile.UserID); err != nil {
160+
if err := idp.SetIdentityExternalID(ctx, oidcIdentity.Subject, profile.UserID); err != nil {
160161
return ProvisionedTeam{}, fmt.Errorf("set ory identity external id: %w", err)
161162
}
162163

@@ -206,7 +207,7 @@ func (s *Service) bootstrapUser(ctx context.Context, profile bootstrapUserProfil
206207
// A PATCH failure here is recoverable: external_id stays unset, the dashboard
207208
// re-runs bootstrap on the next login and re-asserts it via the existing-team
208209
// path above.
209-
if err := s.idp.SetIdentityExternalID(ctx, identity.Subject, profile.UserID); err != nil {
210+
if err := idp.SetIdentityExternalID(ctx, oidcIdentity.Subject, profile.UserID); err != nil {
210211
return ProvisionedTeam{}, fmt.Errorf("set ory identity external id: %w", err)
211212
}
212213

packages/dashboard-api/internal/provisioning/bootstrap_test.go

Lines changed: 9 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,7 @@ import (
1010
"github.com/google/uuid"
1111
"github.com/jackc/pgx/v5"
1212

13+
"github.com/e2b-dev/infra/packages/dashboard-api/internal/identity"
1314
internalteamprovision "github.com/e2b-dev/infra/packages/dashboard-api/internal/teamprovision"
1415
authqueries "github.com/e2b-dev/infra/packages/db/pkg/auth/queries"
1516
"github.com/e2b-dev/infra/packages/db/pkg/testutils"
@@ -23,7 +24,7 @@ func TestBootstrapAuthProviderUser_CreatesIdentityAndDefaultTeam(t *testing.T) {
2324
ctx := t.Context()
2425
sink := &fakeTeamProvisionSink{}
2526

26-
svc := New(testDB.AuthDB, testIdentityProvider{}, sink, testIssuer)
27+
svc := New(testDB.AuthDB, testIdentityProvider{}, sink, identity.Registry{testIssuer: testIdentityProvider{}})
2728

2829
input := OIDCUserBootstrapInput{
2930
OIDCIssuer: testIssuer,
@@ -105,7 +106,7 @@ func TestBootstrapOIDCUser_PopulatesOryExternalID(t *testing.T) {
105106
sink := &fakeTeamProvisionSink{}
106107
profiles := &recordingIdentityProvider{}
107108

108-
svc := New(testDB.AuthDB, profiles, sink, testIssuer)
109+
svc := New(testDB.AuthDB, profiles, sink, identity.Registry{testIssuer: profiles})
109110

110111
input := OIDCUserBootstrapInput{
111112
OIDCIssuer: testIssuer,
@@ -161,7 +162,7 @@ func TestBootstrapOIDCUser_ExternalIDFailureKeepsUserProvisioned(t *testing.T) {
161162
sink := &fakeTeamProvisionSink{}
162163
profiles := &failingIdentityProvider{}
163164

164-
svc := New(testDB.AuthDB, profiles, sink, testIssuer)
165+
svc := New(testDB.AuthDB, profiles, sink, identity.Registry{testIssuer: profiles})
165166

166167
input := OIDCUserBootstrapInput{
167168
OIDCIssuer: testIssuer,
@@ -204,7 +205,7 @@ func TestBootstrapOIDCUser_ReRunBackfillsExternalID(t *testing.T) {
204205
ctx := t.Context()
205206
sink := &fakeTeamProvisionSink{}
206207

207-
svc := New(testDB.AuthDB, &failingIdentityProvider{}, sink, testIssuer)
208+
svc := New(testDB.AuthDB, &failingIdentityProvider{}, sink, identity.Registry{testIssuer: &failingIdentityProvider{}})
208209

209210
input := OIDCUserBootstrapInput{
210211
OIDCIssuer: testIssuer,
@@ -229,7 +230,7 @@ func TestBootstrapOIDCUser_ReRunBackfillsExternalID(t *testing.T) {
229230
}
230231

231232
recording := &recordingIdentityProvider{}
232-
svc = New(testDB.AuthDB, recording, sink, testIssuer)
233+
svc = New(testDB.AuthDB, recording, sink, identity.Registry{testIssuer: recording})
233234

234235
secondTeam, err := svc.BootstrapOIDCUser(ctx, input)
235236
if err != nil {
@@ -253,7 +254,7 @@ func TestBootstrapOIDCUser_ConcurrentRequestsSingleIdentityAndTeam(t *testing.T)
253254
ctx := t.Context()
254255
sink := &fakeTeamProvisionSink{}
255256

256-
svc := New(testDB.AuthDB, testIdentityProvider{}, sink, testIssuer)
257+
svc := New(testDB.AuthDB, testIdentityProvider{}, sink, identity.Registry{testIssuer: testIdentityProvider{}})
257258

258259
input := OIDCUserBootstrapInput{
259260
OIDCIssuer: testIssuer,
@@ -340,7 +341,7 @@ func TestBootstrapOIDCUser_AcceptsConfiguredIssuer(t *testing.T) {
340341
ctx := t.Context()
341342
sink := &fakeTeamProvisionSink{}
342343

343-
svc := New(testDB.AuthDB, testIdentityProvider{}, sink, testIssuer)
344+
svc := New(testDB.AuthDB, testIdentityProvider{}, sink, identity.Registry{testIssuer: testIdentityProvider{}})
344345

345346
team, err := svc.BootstrapOIDCUser(ctx, OIDCUserBootstrapInput{
346347
OIDCIssuer: testIssuer,
@@ -363,7 +364,7 @@ func TestBootstrapOIDCUser_UnknownIssuerReturnsBadRequest(t *testing.T) {
363364
ctx := t.Context()
364365
sink := &fakeTeamProvisionSink{}
365366

366-
svc := New(testDB.AuthDB, testIdentityProvider{}, sink, testIssuer)
367+
svc := New(testDB.AuthDB, testIdentityProvider{}, sink, identity.Registry{testIssuer: testIdentityProvider{}})
367368

368369
_, err := svc.BootstrapOIDCUser(ctx, OIDCUserBootstrapInput{
369370
OIDCIssuer: "https://attacker.example.test",

packages/dashboard-api/internal/provisioning/service.go

Lines changed: 9 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -30,18 +30,18 @@ const (
3030
)
3131

3232
type Service struct {
33-
authDB *authdb.Client
34-
idp identity.Provider
35-
billing internalteamprovision.TeamProvisionSink
36-
issuerURL string
33+
authDB *authdb.Client
34+
idp identity.Provider
35+
billing internalteamprovision.TeamProvisionSink
36+
idps identity.Registry
3737
}
3838

39-
func New(authDB *authdb.Client, idp identity.Provider, billing internalteamprovision.TeamProvisionSink, issuerURL string) *Service {
39+
func New(authDB *authdb.Client, idp identity.Provider, billing internalteamprovision.TeamProvisionSink, idps identity.Registry) *Service {
4040
return &Service{
41-
authDB: authDB,
42-
idp: idp,
43-
billing: billing,
44-
issuerURL: issuerURL,
41+
authDB: authDB,
42+
idp: idp,
43+
billing: billing,
44+
idps: idps,
4545
}
4646
}
4747

packages/dashboard-api/internal/provisioning/sso.go

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -55,7 +55,7 @@ func (s *Service) enrollSSOMember(ctx context.Context, authTxDB *authqueries.Que
5555
// ensureNotSSOManaged blocks team creation for SSO-managed users; their team
5656
// membership is driven entirely by their identity provider.
5757
func (s *Service) ensureNotSSOManaged(ctx context.Context, userID uuid.UUID) error {
58-
orgID, err := s.idp.GetUserOrganizationID(ctx, userID)
58+
orgID, err := s.idps.GetUserOrganizationID(ctx, userID)
5959
if err != nil {
6060
return fmt.Errorf("resolve sso organization: %w", err)
6161
}
@@ -72,7 +72,7 @@ func (s *Service) ensureNotSSOManaged(ctx context.Context, userID uuid.UUID) err
7272
// ValidateInviteeOrganization rejects adding a user to an SSO-managed team when
7373
// the invitee's Ory identity belongs to a different organization.
7474
func (s *Service) ValidateInviteeOrganization(ctx context.Context, teamOrgID, inviteeUserID uuid.UUID) error {
75-
inviteeOrgID, err := s.idp.GetUserOrganizationID(ctx, inviteeUserID)
75+
inviteeOrgID, err := s.idps.GetUserOrganizationID(ctx, inviteeUserID)
7676
if err != nil {
7777
return fmt.Errorf("resolve invitee organization: %w", err)
7878
}

packages/dashboard-api/internal/provisioning/sso_test.go

Lines changed: 5 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,7 @@ import (
99

1010
"github.com/google/uuid"
1111

12+
"github.com/e2b-dev/infra/packages/dashboard-api/internal/identity"
1213
internalteamprovision "github.com/e2b-dev/infra/packages/dashboard-api/internal/teamprovision"
1314
authqueries "github.com/e2b-dev/infra/packages/db/pkg/auth/queries"
1415
"github.com/e2b-dev/infra/packages/db/pkg/testutils"
@@ -58,7 +59,7 @@ func TestBootstrapOIDCUser_SSOJoinsMappedTeams(t *testing.T) {
5859
setTeamSSOOrg(t, testDB, teamNewer, orgID, true, time.Now().Add(-1*time.Hour))
5960
setTeamSSOOrg(t, testDB, teamOlder, orgID, true, time.Now().Add(-2*time.Hour))
6061

61-
svc := New(testDB.AuthDB, ssoIdentityProvider{orgBySubject: map[string]uuid.UUID{subject: orgID}}, sink, testIssuer)
62+
svc := New(testDB.AuthDB, ssoIdentityProvider{orgBySubject: map[string]uuid.UUID{subject: orgID}}, sink, identity.Registry{testIssuer: ssoIdentityProvider{orgBySubject: map[string]uuid.UUID{subject: orgID}}})
6263

6364
input := OIDCUserBootstrapInput{
6465
OIDCIssuer: testIssuer,
@@ -120,7 +121,7 @@ func TestBootstrapOIDCUser_SSOFailsClosedWhenNoTeamMapped(t *testing.T) {
120121
orgID := uuid.New()
121122
subject := uuid.NewString()
122123

123-
svc := New(testDB.AuthDB, ssoIdentityProvider{orgBySubject: map[string]uuid.UUID{subject: orgID}}, sink, testIssuer)
124+
svc := New(testDB.AuthDB, ssoIdentityProvider{orgBySubject: map[string]uuid.UUID{subject: orgID}}, sink, identity.Registry{testIssuer: ssoIdentityProvider{orgBySubject: map[string]uuid.UUID{subject: orgID}}})
124125

125126
input := OIDCUserBootstrapInput{
126127
OIDCIssuer: testIssuer,
@@ -166,7 +167,7 @@ func TestBootstrapOIDCUser_SSOSkipsManualTeams(t *testing.T) {
166167
manualTeam := testutils.CreateTestTeam(t, testDB)
167168
setTeamSSOOrg(t, testDB, manualTeam, orgID, false, time.Now().Add(-1*time.Hour))
168169

169-
svc := New(testDB.AuthDB, ssoIdentityProvider{orgBySubject: map[string]uuid.UUID{subject: orgID}}, sink, testIssuer)
170+
svc := New(testDB.AuthDB, ssoIdentityProvider{orgBySubject: map[string]uuid.UUID{subject: orgID}}, sink, identity.Registry{testIssuer: ssoIdentityProvider{orgBySubject: map[string]uuid.UUID{subject: orgID}}})
170171

171172
input := OIDCUserBootstrapInput{
172173
OIDCIssuer: testIssuer,
@@ -187,7 +188,7 @@ func TestCreateTeam_SSOUserRejected(t *testing.T) {
187188
ctx := t.Context()
188189
userID := uuid.New()
189190

190-
svc := New(nil, ssoIdentityProvider{orgByUser: map[uuid.UUID]uuid.UUID{userID: uuid.New()}}, nil, testIssuer)
191+
svc := New(nil, ssoIdentityProvider{orgByUser: map[uuid.UUID]uuid.UUID{userID: uuid.New()}}, nil, identity.Registry{testIssuer: ssoIdentityProvider{orgByUser: map[uuid.UUID]uuid.UUID{userID: uuid.New()}}})
191192

192193
_, err := svc.CreateTeam(ctx, userID, "My Team")
193194
if err == nil {

0 commit comments

Comments
 (0)