Add Onboarding Tweaks (#229)

Add in some late-to-the-party requests to improve the interface and complete the specification.
unikorn-cloud · Mar 4, 2025 · 8384270 · 8384270
1 parent db24662
commit 8384270
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 3 deletions.
diff --git a/charts/identity/templates/identity/deployment.yaml b/charts/identity/templates/identity/deployment.yaml
@@ -59,7 +59,10 @@ spec:
         - --account-creation-enabled
           {{- end }}
           {{- with $webhook := $onboarding.webhook }}
-        - --account-creation-webhook-uri=[{ $webhook.uri }}
+        - --account-creation-webhook-uri={{ $webhook.uri }}
+            {{- if $webhook.token }}
+        - --account-creation-webhook-token={{ $webhook.token }}
+            {{- end }}
           {{- end }}
         {{- end }}
         ports:

diff --git a/charts/identity/values.yaml b/charts/identity/values.yaml
@@ -43,7 +43,10 @@ onboarding:
   enabled: false
   # Webhook to invoke when a signup occurs.
   # webhook:
+  #   # URI to POST account creation data to.
   #   uri: https://onboard.namespace/some/path
+  #   # An optional bearer token for authentication.
+  #   token: f9b0c034-2316-4cda-918e-5d96dbaa8d82
 
 # Issuer related configuration.
 issuer:

diff --git a/pkg/oauth2/oauth2.go b/pkg/oauth2/oauth2.go
@@ -106,6 +106,10 @@ type Options struct {
 	// AccountCreationWebhookURI is used to notify an external service of an organization/user
 	// creation event.
 	AccountCreationWebhookURI string
+
+	// AccountCreationWebhookToken is used in conjunction with the URI for authentication.
+	// Must be used over TLS or it's useless.
+	AccountCreationWebhookToken string
 }
 
 func (o *Options) AddFlags(f *pflag.FlagSet) {
@@ -118,6 +122,7 @@ func (o *Options) AddFlags(f *pflag.FlagSet) {
 	f.BoolVar(&o.AccountCreationEnabled, "account-creation-enabled", false, "Whether to allow accounts to be created.")
 	f.StringSliceVar(&o.AccountCreationDefaultRoles, "account-creation-default-roles", []string{"administrator"}, "Default role names to grant a account creators user.")
 	f.StringVar(&o.AccountCreationWebhookURI, "account-creation-webhook-uri", "", "URI to post user signup data.")
+	f.StringVar(&o.AccountCreationWebhookToken, "account-creation-webhook-token", "", "Bearer token for authenticating singup data.")
 }
 
 // Authenticator provides Keystone authentication functionality.
@@ -1028,13 +1033,14 @@ type OnboardWebhookData struct {
 	// TODO: we can't get at this via the API...
 	// UserID string `json:"userID"`
 	OrganizationID     string `json:"organizationID"`
+	OrganizationName   string `json:"organizationName"`
 	OrganizationUserID string `json:"organizationUserID"`
 }
 
 // Onboard creates a user's initial account and organization under guidance
 // from the client.
 //
-//nolint:cyclop
+//nolint:cyclop,gocognit,maintidx
 func (a *Authenticator) Onboard(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 
@@ -1132,6 +1138,24 @@ func (a *Authenticator) Onboard(w http.ResponseWriter, r *http.Request) {
 		organizationRequest.Metadata.Description = ptr.To(r.Form.Get("organization_description"))
 	}
 
+	if r.Form.Has("organization_tags") {
+		fields := strings.Split(r.Form.Get("organization_tags"), " ")
+
+		tags := make(coreapi.TagList, len(fields))
+
+		for i := range fields {
+			kv := strings.Split(fields[i], ":")
+			if len(kv) != 2 {
+				continue
+			}
+
+			tags[i].Name = kv[0]
+			tags[i].Value = kv[1]
+		}
+
+		organizationRequest.Metadata.Tags = &tags
+	}
+
 	organization, err := organizations.New(a.client, a.namespace).Create(ctx, organizationRequest)
 	if err != nil {
 		redirector.raise(ErrorServerError, "failed to create organization")
@@ -1236,6 +1260,7 @@ func (a *Authenticator) notifyAccountCreation(ctx context.Context, redirector *r
 		Forename:           idToken.Profile.GivenName,
 		Surname:            idToken.Profile.FamilyName,
 		OrganizationID:     organization.Metadata.Id,
+		OrganizationName:   organization.Metadata.Name,
 		OrganizationUserID: user.Metadata.Id,
 	}
 
@@ -1251,7 +1276,11 @@ func (a *Authenticator) notifyAccountCreation(ctx context.Context, redirector *r
 		return false
 	}
 
-	request.Header.Set("Contenttype", "application/json")
+	request.Header.Set("Content-Type", "application/json")
+
+	if a.options.AccountCreationWebhookToken != "" {
+		request.Header.Set("Authorization", "Bearer "+a.options.AccountCreationWebhookToken)
+	}
 
 	hc := &http.Client{}