feat(oidc): cy oidc group-mapping + org-settings commands#452
Merged
Conversation
Contributor
Author
|
Paired Terraform PR: cycloidio/terraform-provider-cycloid#102 — consumes the |
fhacloid
added a commit
to cycloidio/terraform-provider-cycloid
that referenced
this pull request
Jun 2, 2026
…dleware) Add the cycloid_oidc_integration resource managing an org's AuthenticationOIDC SSO integration through the cycloid-cli GetOIDCIntegration / UpdateOIDCIntegration middleware methods. - Full config schema: issuer, client_id, client_secret, discovery_url, session_ttl_seconds, groups_claim_name, ca_cert, and the TLS/discovery toggles. - client_secret and ca_cert are Sensitive + write-only: Read never overwrites them from the API (which never returns them), avoiding perpetual drift; has_secret / has_ca_certificate computed flags reflect server presence. - Create/Update send the full config (secret only when set); Delete disables the integration (enabled=false), since the API has no delete, then drops state. Synced with cycloidio/cycloid-cli#452 (consumes its OIDC middleware via the go.mod replace).
fhacloid
force-pushed
the
feat/beta-oidc-group-mappings
branch
from
June 8, 2026 08:26
6790cf5 to
cf40abf
Compare
fhacloid
added a commit
to cycloidio/terraform-provider-cycloid
that referenced
this pull request
Jun 10, 2026
Rework the OIDC group-mapping and organization-settings resources to call the named cycloid-cli Middleware methods (CreateOIDCGroupMapping, ListOIDCGroupMappings, DeleteOIDCGroupMapping, GetOIDCOrganizationSettings, UpdateOIDCOrganizationSettings) instead of issuing raw GenericRequest calls with hand-rolled structs. - Drops the duplicated local wire structs; uses the middleware OIDC types. - Guards against a nil Team in the mapping response (avoids a provider panic). - go.mod: temporary replace => ../cycloid-cli so the provider builds against the branch that adds these methods (cycloidio/cycloid-cli#452). Un-draft checklist is in the go.mod comment. Synced with cycloidio/cycloid-cli#452.
fhacloid
added a commit
to cycloidio/terraform-provider-cycloid
that referenced
this pull request
Jun 10, 2026
…dleware) Add the cycloid_oidc_integration resource managing an org's AuthenticationOIDC SSO integration through the cycloid-cli GetOIDCIntegration / UpdateOIDCIntegration middleware methods. - Full config schema: issuer, client_id, client_secret, discovery_url, session_ttl_seconds, groups_claim_name, ca_cert, and the TLS/discovery toggles. - client_secret and ca_cert are Sensitive + write-only: Read never overwrites them from the API (which never returns them), avoiding perpetual drift; has_secret / has_ca_certificate computed flags reflect server presence. - Create/Update send the full config (secret only when set); Delete disables the integration (enabled=false), since the API has no delete, then drops state. Synced with cycloidio/cycloid-cli#452 (consumes its OIDC middleware via the go.mod replace).
Add OIDC group->team mapping CRUD and per-organization OIDC reconciliation
settings under the `cy beta oidc` command group, plus the middleware methods
that back them.
Middleware (cmd/cycloid/middleware/organization_oidc.go):
ListOIDCGroupMappings, CreateOIDCGroupMapping, DeleteOIDCGroupMapping,
GetOIDCOrganizationSettings, UpdateOIDCOrganizationSettings. The OIDC types
live in the middleware package because these endpoints are not in the
published swagger spec yet (no client/models regen needed).
Commands:
cy beta oidc mappings {list,create,delete}
cy beta oidc settings {get,set}
settings set is read-merge-write (only the flags you pass change), so an
unset flag never silently resets live state on the full-replace PUT.
Tests: full mappings CRUD + settings round-trip in e2e/oidc_test.go.
Backs the PROD-303 OIDC group-mapping feature; the matching
terraform-provider-cycloid resources consume these middleware methods.
…action
Add `cy beta oidc integration {get,set}` to configure an org's AuthenticationOIDC
SSO integration (issuer, client_id/secret, discovery_url, session TTL, groups
claim, CA cert, TLS/discovery toggles), backed by new GetOIDCIntegration /
UpdateOIDCIntegration middleware methods.
- set is read-merge-write: sends type+enabled+only-changed keys; the backend
preserves untouched config and the stored secret (an absent/empty secret is
never blanked). Secret via --client-secret or CY_OIDC_CLIENT_SECRET (env form
preferred, keeps it out of shell history); CA cert via --ca-cert / CY_OIDC_CA_CERT.
- get never exposes the secret (API returns has_secret / has_ca_certificate only).
- Harden the debug/error body sanitizer: redact oidc_client_secret / oidc_ca_cert
and any *_secret / *_ca_cert field (wired isSensitiveKey into sanitizeValue) so
secrets never reach DEBUG-verbosity logs. Covered by sanitize_test.go.
e2e/oidc_test.go gains an integration get/set round-trip.
Move the OIDC group-mapping command tree out of the `beta` namespace so
the commands are `cy oidc {mappings,settings,integration}` instead of
`cy beta oidc ...`. Drop the "(beta)"/experimental wording from the
command help, update e2e invocations and the sanitize-test comment to
the new path, and add a changelog entry.
No behaviour, flag, or output changes — only the command namespace.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
fhacloid
force-pushed
the
feat/beta-oidc-group-mappings
branch
from
June 17, 2026 12:03
cf40abf to
7e8fcb9
Compare
When enabled on an OIDC integration, manually-invited members who log in via OIDC have their membership source flipped from 'manual' to 'oidc', making them fully managed by group mapping from that point. Changes: - New flag --adopt-manual-members in cyargs/oidc.go - Wired into oidc integration set command - Added OidcAdoptManualMembers field to OIDCIntegration struct
talset
marked this pull request as ready for review
June 18, 2026 19:15
talset
previously approved these changes
Jun 19, 2026
gaelL
previously approved these changes
Jun 19, 2026
- Remove compiled binaries (cy-darwin-*, cy-linux-*, cy-windows-*) from git tracking and add cy-* to .gitignore - Remove stale (beta) annotation from middleware interface comment - Consistent error wrapping across all OIDC middleware methods - Clarify --enabled flag help text (toggle, not just enable) - Add comment on secret env var behavior (sent when set, intentional) - Add comment that keep_membership default must stay in sync with server - Add mappingID guards in e2e tests to prevent nil panics - Add comment explaining defer t.Run cleanup pattern - Move OIDCAdoptManualMembersFlagName into the main constants block
gaelL
approved these changes
Jun 19, 2026
xescugc
pushed a commit
to cycloidio/terraform-provider-cycloid
that referenced
this pull request
Jun 19, 2026
Rework the OIDC group-mapping and organization-settings resources to call the named cycloid-cli Middleware methods (CreateOIDCGroupMapping, ListOIDCGroupMappings, DeleteOIDCGroupMapping, GetOIDCOrganizationSettings, UpdateOIDCOrganizationSettings) instead of issuing raw GenericRequest calls with hand-rolled structs. - Drops the duplicated local wire structs; uses the middleware OIDC types. - Guards against a nil Team in the mapping response (avoids a provider panic). - go.mod: temporary replace => ../cycloid-cli so the provider builds against the branch that adds these methods (cycloidio/cycloid-cli#452). Un-draft checklist is in the go.mod comment. Synced with cycloidio/cycloid-cli#452.
xescugc
pushed a commit
to cycloidio/terraform-provider-cycloid
that referenced
this pull request
Jun 19, 2026
…dleware) Add the cycloid_oidc_integration resource managing an org's AuthenticationOIDC SSO integration through the cycloid-cli GetOIDCIntegration / UpdateOIDCIntegration middleware methods. - Full config schema: issuer, client_id, client_secret, discovery_url, session_ttl_seconds, groups_claim_name, ca_cert, and the TLS/discovery toggles. - client_secret and ca_cert are Sensitive + write-only: Read never overwrites them from the API (which never returns them), avoiding perpetual drift; has_secret / has_ca_certificate computed flags reflect server presence. - Create/Update send the full config (secret only when set); Delete disables the integration (enabled=false), since the API has no delete, then drops state. Synced with cycloidio/cycloid-cli#452 (consumes its OIDC middleware via the go.mod replace).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds OIDC group→team mapping CRUD and per-organization OIDC reconciliation settings to the CLI, under a new
cy beta oidccommand group, plus the middleware methods that back them.This is the CLI half of a synced pair with
terraform-provider-cycloid— the TF provider consumes these middleware methods (see the paired PR). Goal: make the PROD-303 OIDC group-mapping feature scriptable for end-to-end testing / automation.Commands
settings setis read-merge-write: only the flags you pass are changed, so an unset flag never silently resets live state (the backend endpoint is a full-replace PUT). A not-yet-configured org (404 on read) starts from defaults.Middleware
New methods on the
Middlewareinterface (cmd/cycloid/middleware/organization_oidc.go), all viaGenericRequest:ListOIDCGroupMappings,CreateOIDCGroupMapping,DeleteOIDCGroupMappingGetOIDCOrganizationSettings,UpdateOIDCOrganizationSettingsThe OIDC request/response types live in the
middlewarepackage (notclient/models) because these endpoints are not in the published swagger spec yet — so noclient/modelsregen and no network codegen.models.Roleis reused for the mapped team's roles.Backend contract
Targets
/organizations/{org}/oidc-group-mappingsand/organizations/{org}/oidc-organization-settings(PROD-303 backend, currently on themeta-gm-rescopebranch). A mapping is one(group_name, team_canonical)pair (a group granting several teams = several mappings).oidc_no_match_policy=ejectrequiresoidc_managed=true(API returns 422 otherwise).Tests
e2e/oidc_test.go— full mappings CRUD + settings round-trip, following the existingteams_test.gopattern (requires a live backend; runs in CI /make test).Verification (offline, on this branch)
go build ./...— ✓go vet ./cmd/... ./internal/... ./e2e/...— ✓golangci-lint run ./cmd/cycloid/beta/oidc/...— 0 issuesgofmt— cleanStatus
Draft — beta command group; lands alongside the PROD-303 backend endpoints. Paired with the
terraform-provider-cycloidOIDC PR, which depends on theMiddlewaremethods added here.Update —
cy beta oidc integration(SSO config) + secret-redaction hardeningAdded a third subcommand group:
cy beta oidc integration {get,set}to configure the org's AuthenticationOIDC SSO integration — issuer, client_id/secret,discovery_url(split-network), session TTL, groups claim, CA cert, TLS/discovery toggles (full config parity). Backed by newGetOIDCIntegration/UpdateOIDCIntegrationmiddleware methods.setis read-merge-write: sendstype+enabled+only-the-changed keys; the backend merge preserves untouched config and the stored secret (an absent/empty secret is never blanked — secret rotation requires a non-empty value).--client-secretorCY_OIDC_CLIENT_SECRET(env form is the documented default — keeps it out of shell history); CA cert via--ca-cert/CY_OIDC_CA_CERT.getnever exposes the secret (has_secret/has_ca_certificatebooleans only).oidc_client_secret/oidc_ca_certand any*_secret/*_ca_certfield, so secrets never reach DEBUG-verbosity (CY_TEST_VERBOSITY=debug) logs. New cases insanitize_test.go. (A security pass caught that the suffix safety-net wasn't wired intosanitizeValue— fixed.)Verified offline: build + vet +
golangci-lint ./cmd/cycloid/middleware/... ./cmd/cycloid/beta/oidc/...= 0 issues + gofmt clean.