Add more options to deal with localpart conflicts on upstream OAuth 2.0 logins (#5295)

Author: sandhose

crates/cli/src/sync.rs

@@ -45,6 +45,12 @@ fn map_import_on_conflict(
         mas_config::UpstreamOAuth2OnConflict::Add => {
             mas_data_model::UpstreamOAuthProviderOnConflict::Add
         }
+        mas_config::UpstreamOAuth2OnConflict::Replace => {
+            mas_data_model::UpstreamOAuthProviderOnConflict::Replace
+        }
+        mas_config::UpstreamOAuth2OnConflict::Set => {
+            mas_data_model::UpstreamOAuthProviderOnConflict::Set
+        }
         mas_config::UpstreamOAuth2OnConflict::Fail => {
             mas_data_model::UpstreamOAuthProviderOnConflict::Fail
         }

crates/config/src/sections/upstream_oauth2.rs

@@ -120,14 +120,14 @@ impl ConfigurationSection for UpstreamOAuth2Config {
 
             if matches!(
                 provider.claims_imports.localpart.on_conflict,
-                OnConflict::Add
+                OnConflict::Add | OnConflict::Replace | OnConflict::Set
             ) && !matches!(
                 provider.claims_imports.localpart.action,
                 ImportAction::Force | ImportAction::Require
             ) {
                 return Err(annotate(figment::Error::custom(
-                    "The field `action` must be either `force` or `require` when `on_conflict` is set to `add`",
-                )).into());
+                    "The field `action` must be either `force` or `require` when `on_conflict` is set to `add`, `replace` or `set`",
+                )).with_path("claims_imports.localpart").into());
             }
         }
 
@@ -206,13 +206,20 @@ impl ImportAction {
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default, JsonSchema)]
 #[serde(rename_all = "lowercase")]
 pub enum OnConflict {
-    /// Fails the sso login on conflict
+    /// Fails the upstream OAuth 2.0 login on conflict
     #[default]
     Fail,
 
-    /// Adds the oauth identity link, regardless of whether there is an existing
-    /// link or not
+    /// Adds the upstream OAuth 2.0 identity link, regardless of whether there
+    /// is an existing link or not
     Add,
+
+    /// Replace any existing upstream OAuth 2.0 identity link
+    Replace,
+
+    /// Adds the upstream OAuth 2.0 identity link *only* if there is no existing
+    /// link for this provider on the matching user
+    Set,
 }
 
 impl OnConflict {

crates/data-model/src/upstream_oauth2/provider.rs

@@ -415,11 +415,18 @@ impl ImportAction {
 #[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, Default)]
 #[serde(rename_all = "lowercase")]
 pub enum OnConflict {
-    /// Fails the upstream OAuth 2.0 login
+    /// Fails the upstream OAuth 2.0 login on conflict
     #[default]
     Fail,
 
-    /// Adds the upstream account link, regardless of whether there is an
-    /// existing link or not
+    /// Adds the upstream OAuth 2.0 identity link, regardless of whether there
+    /// is an existing link or not
     Add,
+
+    /// Replace any existing upstream OAuth 2.0 identity link
+    Replace,
+
+    /// Adds the upstream OAuth 2.0 identity link *only* if there is no existing
+    /// link for this provider on the matching user
+    Set,
 }