Pass the claims import preferences on the storage layer

crates/cli/src/commands/manage.rs

@@ -15,7 +15,7 @@
 use anyhow::Context;
 use clap::{Parser, ValueEnum};
 use mas_config::{DatabaseConfig, PasswordsConfig, RootConfig};
-use mas_data_model::{Device, TokenType};
+use mas_data_model::{Device, TokenType, UpstreamOAuthProviderClaimsImports};
 use mas_iana::{jose::JsonWebSignatureAlg, oauth::OAuthClientAuthenticationMethod};
 use mas_router::UrlBuilder;
 use mas_storage::{
@@ -375,6 +375,7 @@ impl Options {
                         token_endpoint_signing_alg,
                         client_id.clone(),
                         encrypted_client_secret,
+                        UpstreamOAuthProviderClaimsImports::default(),
                     )
                     .await?;
 

crates/data-model/src/upstream_oauth2/mod.rs

@@ -20,6 +20,7 @@ pub use self::{
     link::UpstreamOAuthLink,
     provider::{
         ClaimsImports as UpstreamOAuthProviderClaimsImports,
+        ImportAction as UpstreamOAuthProviderImportAction,
         ImportPreference as UpstreamOAuthProviderImportPreference, UpstreamOAuthProvider,
     },
     session::{UpstreamOAuthAuthorizationSession, UpstreamOAuthAuthorizationSessionState},

crates/handlers/src/upstream_oauth2/link.rs

@@ -124,7 +124,7 @@ fn import_claim(
     name: &'static str,
     value: Option<String>,
     preference: &UpstreamOAuthProviderImportPreference,
-    mut run: impl FnMut(String, bool) -> (),
+    mut run: impl FnMut(String, bool),
 ) -> Result<(), RouteError> {
     // If this claim is ignored, we don't need to do anything.
     if preference.ignore() {

crates/handlers/src/views/login.rs

@@ -284,6 +284,7 @@ mod test {
         header::{CONTENT_TYPE, LOCATION},
         Request, StatusCode,
     };
+    use mas_data_model::UpstreamOAuthProviderClaimsImports;
     use mas_iana::oauth::OAuthClientAuthenticationMethod;
     use mas_router::Route;
     use mas_storage::{upstream_oauth2::UpstreamOAuthProviderRepository, RepositoryAccess};
@@ -326,6 +327,7 @@ mod test {
                 None,
                 "first_client".into(),
                 None,
+                UpstreamOAuthProviderClaimsImports::default(),
             )
             .await
             .unwrap();
@@ -350,6 +352,7 @@ mod test {
                 None,
                 "second_client".into(),
                 None,
+                UpstreamOAuthProviderClaimsImports::default(),
             )
             .await
             .unwrap();

crates/storage-pg/src/upstream_oauth2/mod.rs

@@ -27,6 +27,7 @@ pub use self::{
 #[cfg(test)]
 mod tests {
     use chrono::Duration;
+    use mas_data_model::UpstreamOAuthProviderClaimsImports;
     use mas_storage::{
         clock::MockClock,
         upstream_oauth2::{
@@ -64,6 +65,7 @@ mod tests {
                 None,
                 "client-id".to_owned(),
                 None,
+                UpstreamOAuthProviderClaimsImports::default(),
             )
             .await
             .unwrap();
@@ -207,6 +209,7 @@ mod tests {
                     None,
                     client_id,
                     None,
+                    UpstreamOAuthProviderClaimsImports::default(),
                 )
                 .await
                 .unwrap();

crates/storage-pg/src/upstream_oauth2/provider.rs

@@ -163,13 +163,12 @@ impl<'c> UpstreamOAuthProviderRepository for PgUpstreamOAuthProviderRepository<'
         token_endpoint_signing_alg: Option<JsonWebSignatureAlg>,
         client_id: String,
         encrypted_client_secret: Option<String>,
+        claims_imports: UpstreamOAuthProviderClaimsImports,
     ) -> Result<UpstreamOAuthProvider, Self::Error> {
         let created_at = clock.now();
         let id = Ulid::from_datetime_with_source(created_at.into(), rng);
         tracing::Span::current().record("upstream_oauth_provider.id", tracing::field::display(id));
 
-        let claims_imports = UpstreamOAuthProviderClaimsImports::default();
-
         sqlx::query!(
             r#"
             INSERT INTO upstream_oauth_providers (

crates/storage/src/upstream_oauth2/provider.rs

@@ -13,7 +13,7 @@
 // limitations under the License.
 
 use async_trait::async_trait;
-use mas_data_model::UpstreamOAuthProvider;
+use mas_data_model::{UpstreamOAuthProvider, UpstreamOAuthProviderClaimsImports};
 use mas_iana::{jose::JsonWebSignatureAlg, oauth::OAuthClientAuthenticationMethod};
 use oauth2_types::scope::Scope;
 use rand_core::RngCore;
@@ -58,6 +58,8 @@ pub trait UpstreamOAuthProviderRepository: Send + Sync {
     /// * `client_id`: The client ID to use when authenticating to the upstream
     /// * `encrypted_client_secret`: The encrypted client secret to use when
     ///   authenticating to the upstream
+    /// * `claims_imports`: How claims should be imported from the upstream
+    ///   provider
     ///
     /// # Errors
     ///
@@ -73,6 +75,7 @@ pub trait UpstreamOAuthProviderRepository: Send + Sync {
         token_endpoint_signing_alg: Option<JsonWebSignatureAlg>,
         client_id: String,
         encrypted_client_secret: Option<String>,
+        claims_imports: UpstreamOAuthProviderClaimsImports,
     ) -> Result<UpstreamOAuthProvider, Self::Error>;
 
     /// Get a paginated list of upstream OAuth providers
@@ -109,7 +112,8 @@ repository_impl!(UpstreamOAuthProviderRepository:
         token_endpoint_auth_method: OAuthClientAuthenticationMethod,
         token_endpoint_signing_alg: Option<JsonWebSignatureAlg>,
         client_id: String,
-        encrypted_client_secret: Option<String>
+        encrypted_client_secret: Option<String>,
+        claims_imports: UpstreamOAuthProviderClaimsImports
     ) -> Result<UpstreamOAuthProvider, Self::Error>;
 
     async fn list_paginated(