From faebc73dc566cb4a8b64e6fba34b9da0a59280d6 Mon Sep 17 00:00:00 2001
From: Alex Tugarev
Date: Tue, 9 Apr 2024 09:10:48 +0200
Subject: [PATCH] Lift the SCM identity restriction for org owned accounts (#19606)

The restriction of SCM identities doesn't apply to organization owned accounts which were created through OIDC SSO, because this identity is not used to create/find the account of a user.

Hint: with this restriction lifted, the subsequent call to `#updateUserOnLogin` would always add/update the SCM identity for the given `currentUser` if it's owned by an organization.
---
 components/server/src/auth/generic-auth-provider.ts | 2 +-
 components/server/src/user/user-authentication.ts | 12 +++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/components/server/src/auth/generic-auth-provider.ts b/components/server/src/auth/generic-auth-provider.ts
index f152d5e44a1856..1a85dde4249f5b 100644
--- a/components/server/src/auth/generic-auth-provider.ts
+++ b/components/server/src/auth/generic-auth-provider.ts
@@ -587,7 +587,7 @@ export abstract class GenericAuthProvider implements AuthProvider {
 // we need to check current provider authorizations first...
 try {
- await this.userAuthentication.asserNoTwinAccount(
+ await this.userAuthentication.assertNoTwinAccount(
 currentGitpodUser,
 this.host,
 this.authProviderId,
diff --git a/components/server/src/user/user-authentication.ts b/components/server/src/user/user-authentication.ts
index b55261af3fcb15..40250e7bffde40 100644
--- a/components/server/src/user/user-authentication.ts
+++ b/components/server/src/user/user-authentication.ts
@@ -117,7 +117,17 @@ export class UserAuthentication {
 await this.userDb.storeUser(user);
 }
- async asserNoTwinAccount(currentUser: User, authHost: string, authProviderId: string, candidate: Identity) {
+ async assertNoTwinAccount(currentUser: User, authHost: string, authProviderId: string, candidate: Identity) {
+ if (User.isOrganizationOwned(currentUser)) {
+ /**
+ * The restriction of SCM identities doesn't apply to organization owned accounts which were
+ * created through OIDC SSO because this identity is not used to create/find the account of a user.
+ *
+ * Hint: with this restriction lifted, the subsequent call to `#updateUserOnLogin` would always add/update
+ * the SCM identity for the given `currentUser` if it's owned by an organization.
+ */
+ return;
+ }
 if (currentUser.identities.some((i) => Identity.equals(i, candidate))) {
 return; // same user => OK
 }
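Review bot: The early return added at the top of `assertNoTwinAccount` skips the twin-account lookup for every candidate identity, keyed only on `currentUser` being organization-owned rather than on who else holds the candidate; if `#updateUserOnLogin` then attaches an SCM identity that a regular, non-org account already holds, a later lookup by that identity would have two owners — whether that lookup path exists is outside this hunk and worth confirming before merging. A narrower relaxation would keep the existing lookup and only tolerate a conflict whose other account is itself organization-owned, and the skipped check is worth recording through whatever logger this file already uses so the bypass is visible in audit trails. Separately, the rationale is written as a `/** */` JSDoc block inside the method body, where a `//` line comment is the conventional form, and the renamed signature could carry an explicit return type, `async assertNoTwinAccount(currentUser: User, authHost: string, authProviderId: string, candidate: Identity): Promise<void> {`. The method body continues past the end of the hunk.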