Add settings to enable/disable user/group sync

lukegb · lukegb · commit 2bb3d5042e02 · 2025-09-21T12:13:59.000+01:00
diff --git a/plugin.json b/plugin.json
@@ -22,6 +22,20 @@
         "header": "",
         "footer": "",
         "settings": [
+		{
+			"key": "EnableUserSync",
+			"display_name": "Whether or not user sync is enabled",
+			"type": "bool",
+			"help_text": "If enabled, new users will be created and removed users will be disabled. If disabled, user information will not be synced. Disabling this may lead to users that log in via OIDC SSO to end up with incorrect or surprising information in their profile.",
+			"default": true
+		},
+		{
+			"key": "EnableGroupSync",
+			"display_name": "Whether or not group sync is enabled",
+			"type": "bool",
+			"help_text": "If enabled, users will be added/removed from teams, channels, and system roles according to their group membership. Note that if user sync is disabled, users will be synced according to their group membership as of the last time user sync was enabled.",
+			"default": true
+		},
 		{
 			"key": "EnabledGroup",
 			"display_name": "Name of group that gates access to Mattermost in uffd",
diff --git a/server/configuration.go b/server/configuration.go
@@ -39,6 +39,12 @@ func (c *configurationDuration) UnmarshalJSON(data []byte) error {
 // If you add non-reference types to your configuration struct, be sure to rewrite Clone as a deep
 // copy appropriate for your types.
 type configuration struct {
+	// Whether or not user sync is enabled.
+	EnableUserSync bool
+
+	// Whether or not group sync is enabled.
+	EnableGroupSync bool
+
 	// EnabledGroup defines the name of a group that, if a user is present in it,
 	// causes the user to be enabled for Mattermost.
 	// This should usually match how the OIDC service is configured in uffd.
diff --git a/server/job.go b/server/job.go
@@ -29,50 +29,58 @@ func (p *Plugin) runSync(ctx context.Context, trigger string) error {
 
 	cfg := p.getConfiguration()
 
-	l.Info("Performing UFFD group sync")
+	if cfg.EnableUserSync {
+		l.Info("Performing UFFD sync")
 
-	var additionalGroups []string
-	if cfg.SystemAdminGroup != "" {
-		additionalGroups = append(additionalGroups, cfg.SystemAdminGroup)
+		var additionalGroups []string
+		if cfg.SystemAdminGroup != "" {
+			additionalGroups = append(additionalGroups, cfg.SystemAdminGroup)
+		}
+		se := &syncengine.SyncEngine{
+			IDP: &syncengine.UffdIDP{
+				API:          p.uffd,
+				EnabledGroup: cfg.EnabledGroup,
+			},
+			Service: &syncengine.MattermostService{
+				API: p.API,
+			},
+			GroupStore: &datastore.MattermostDataStore{
+				API: p.API,
+			},
+			AdditionalGroups: additionalGroups,
+		}
+		out, err := se.FullSync(ctx)
+		if err != nil {
+			l.WithError(err).Error("UFFD sync failed")
+			return err
+		}
+		l.WithFields(log.Fields{"outcome": out}).Info("UFFD sync complete")
+	} else {
+		l.Info("UFFD sync disabled in settings")
 	}
-	se := &syncengine.SyncEngine{
-		IDP: &syncengine.UffdIDP{
-			API:          p.uffd,
-			EnabledGroup: cfg.EnabledGroup,
-		},
-		Service: &syncengine.MattermostService{
-			API: p.API,
-		},
-		GroupStore: &datastore.MattermostDataStore{
-			API: p.API,
-		},
-		AdditionalGroups: additionalGroups,
-	}
-	out, err := se.FullSync(ctx)
-	if err != nil {
-		l.WithError(err).Error("UFFD group sync failed")
-		return err
-	}
-	l.WithFields(log.Fields{"outcome": out}).Info("UFFD group sync complete")
 
-	l.Info("Performing syncables sync")
-	siteURL := p.API.GetConfig().ServiceSettings.SiteURL
-	if siteURL == nil {
-		return fmt.Errorf("site url setting is missing")
-	}
-	ss := &syncablesync.Engine{
-		API: &syncablesync.Mattermost{
-			API:              p.API,
-			REST:             model.NewAPIv4Client(*siteURL),
-			GroupStore:       p.datastore(),
-			SystemAdminGroup: cfg.SystemAdminGroup,
-			ManagedTeam:      cfg.ManagedTeam,
-		},
-	}
-	if err := ss.FullSync(ctx); err != nil {
-		l.WithError(err).Error("Syncables sync failed")
+	if cfg.EnableGroupSync {
+		l.Info("Performing syncables sync")
+		siteURL := p.API.GetConfig().ServiceSettings.SiteURL
+		if siteURL == nil {
+			return fmt.Errorf("site url setting is missing")
+		}
+		ss := &syncablesync.Engine{
+			API: &syncablesync.Mattermost{
+				API:              p.API,
+				REST:             model.NewAPIv4Client(*siteURL),
+				GroupStore:       p.datastore(),
+				SystemAdminGroup: cfg.SystemAdminGroup,
+				ManagedTeam:      cfg.ManagedTeam,
+			},
+		}
+		if err := ss.FullSync(ctx); err != nil {
+			l.WithError(err).Error("Syncables sync failed")
+		}
+		l.Info("Syncables sync complete")
+	} else {
+		l.Info("Syncable sync disabled in settings")
 	}
-	l.Info("Syncables sync complete")
 
 	return nil
 }
