element-hq
diff --git a/‎crates/cli/src/sync.rs
Lines changed: 15 additions & 1 deletion b/‎crates/cli/src/sync.rs
Lines changed: 15 additions & 1 deletion
diff --git a/‎crates/config/src/sections/mod.rs
Lines changed: 2 additions & 2 deletions b/‎crates/config/src/sections/mod.rs
Lines changed: 2 additions & 2 deletions
diff --git a/‎crates/config/src/sections/upstream_oauth2.rs
Lines changed: 36 additions & 0 deletions b/‎crates/config/src/sections/upstream_oauth2.rs
Lines changed: 36 additions & 0 deletions
diff --git a/‎crates/data-model/src/lib.rs
Lines changed: 2 additions & 1 deletion b/‎crates/data-model/src/lib.rs
Lines changed: 2 additions & 1 deletion
diff --git a/‎crates/data-model/src/upstream_oauth2/mod.rs
Lines changed: 2 additions & 1 deletion b/‎crates/data-model/src/upstream_oauth2/mod.rs
Lines changed: 2 additions & 1 deletion
diff --git a/‎crates/data-model/src/upstream_oauth2/provider.rs
Lines changed: 34 additions & 2 deletions b/‎crates/data-model/src/upstream_oauth2/provider.rs
Lines changed: 34 additions & 2 deletions
@@ -37,16 +37,30 @@ fn map_import_action(
     }
 }
 
+fn map_import_on_conflict(
+    config: mas_config::UpstreamOAuth2OnConflict,
+) -> mas_data_model::UpstreamOAuthProviderOnConflict {
+    match config {
+        mas_config::UpstreamOAuth2OnConflict::Add => {
+            mas_data_model::UpstreamOAuthProviderOnConflict::Add
+        }
+        mas_config::UpstreamOAuth2OnConflict::Fail => {
+            mas_data_model::UpstreamOAuthProviderOnConflict::Fail
+        }
+    }
+}
+
 fn map_claims_imports(
     config: &mas_config::UpstreamOAuth2ClaimsImports,
 ) -> mas_data_model::UpstreamOAuthProviderClaimsImports {
     mas_data_model::UpstreamOAuthProviderClaimsImports {
         subject: mas_data_model::UpstreamOAuthProviderSubjectPreference {
             template: config.subject.template.clone(),
         },
-        localpart: mas_data_model::UpstreamOAuthProviderImportPreference {
+        localpart: mas_data_model::UpstreamOAuthProviderLocalpartPreference {
             action: map_import_action(config.localpart.action),
             template: config.localpart.template.clone(),
+            on_conflict: map_import_on_conflict(config.localpart.on_conflict),
         },
         displayname: mas_data_model::UpstreamOAuthProviderImportPreference {
             action: map_import_action(config.displayname.action),
 
@@ -54,8 +54,8 @@ pub use self::{
         EmailImportPreference as UpstreamOAuth2EmailImportPreference,
         ImportAction as UpstreamOAuth2ImportAction,
         OnBackchannelLogout as UpstreamOAuth2OnBackchannelLogout,
-        PkceMethod as UpstreamOAuth2PkceMethod, Provider as UpstreamOAuth2Provider,
-        ResponseMode as UpstreamOAuth2ResponseMode,
+        OnConflict as UpstreamOAuth2OnConflict, PkceMethod as UpstreamOAuth2PkceMethod,
+        Provider as UpstreamOAuth2Provider, ResponseMode as UpstreamOAuth2ResponseMode,
         TokenAuthMethod as UpstreamOAuth2TokenAuthMethod, UpstreamOAuth2Config,
     },
 };
 
@@ -117,6 +117,18 @@ impl ConfigurationSection for UpstreamOAuth2Config {
                     }
                 }
             }
+
+            if matches!(
+                provider.claims_imports.localpart.on_conflict,
+                OnConflict::Add
+            ) && !matches!(
+                provider.claims_imports.localpart.action,
+                ImportAction::Force | ImportAction::Require
+            ) {
+                return Err(annotate(figment::Error::custom(
+                    "The field `action` must be either `force` or `require` when `on_conflict` is set to `add`",
+                )).into());
+            }
         }
 
         Ok(())
@@ -190,6 +202,26 @@ impl ImportAction {
     }
 }
 
+/// How to handle an existing localpart claim
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize, Default, JsonSchema)]
+#[serde(rename_all = "lowercase")]
+pub enum OnConflict {
+    /// Fails the sso login on conflict
+    #[default]
+    Fail,
+
+    /// Adds the oauth identity link, regardless of whether there is an existing
+    /// link or not
+    Add,
+}
+
+impl OnConflict {
+    #[allow(clippy::trivially_copy_pass_by_ref)]
+    const fn is_default(&self) -> bool {
+        matches!(self, OnConflict::Fail)
+    }
+}
+
 /// What should be done for the subject attribute
 #[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, Default, JsonSchema)]
 pub struct SubjectImportPreference {
@@ -218,6 +250,10 @@ pub struct LocalpartImportPreference {
     /// If not provided, the default template is `{{ user.preferred_username }}`
     #[serde(default, skip_serializing_if = "Option::is_none")]
     pub template: Option<String>,
+
+    /// How to handle conflicts on the claim, default value is `Fail`
+    #[serde(default, skip_serializing_if = "OnConflict::is_default")]
+    pub on_conflict: OnConflict,
 }
 
 impl LocalpartImportPreference {
 
@@ -42,7 +42,8 @@ pub use self::{
         UpstreamOAuthAuthorizationSession, UpstreamOAuthAuthorizationSessionState,
         UpstreamOAuthLink, UpstreamOAuthProvider, UpstreamOAuthProviderClaimsImports,
         UpstreamOAuthProviderDiscoveryMode, UpstreamOAuthProviderImportAction,
-        UpstreamOAuthProviderImportPreference, UpstreamOAuthProviderOnBackchannelLogout,
+        UpstreamOAuthProviderImportPreference, UpstreamOAuthProviderLocalpartPreference,
+        UpstreamOAuthProviderOnBackchannelLogout, UpstreamOAuthProviderOnConflict,
         UpstreamOAuthProviderPkceMode, UpstreamOAuthProviderResponseMode,
         UpstreamOAuthProviderSubjectPreference, UpstreamOAuthProviderTokenAuthMethod,
     },
 
@@ -15,8 +15,9 @@ pub use self::{
         DiscoveryMode as UpstreamOAuthProviderDiscoveryMode,
         ImportAction as UpstreamOAuthProviderImportAction,
         ImportPreference as UpstreamOAuthProviderImportPreference,
+        LocalpartPreference as UpstreamOAuthProviderLocalpartPreference,
         OnBackchannelLogout as UpstreamOAuthProviderOnBackchannelLogout,
-        PkceMode as UpstreamOAuthProviderPkceMode,
+        OnConflict as UpstreamOAuthProviderOnConflict, PkceMode as UpstreamOAuthProviderPkceMode,
         ResponseMode as UpstreamOAuthProviderResponseMode,
         SubjectPreference as UpstreamOAuthProviderSubjectPreference,
         TokenAuthMethod as UpstreamOAuthProviderTokenAuthMethod, UpstreamOAuthProvider,
 
@@ -313,7 +313,7 @@ pub struct ClaimsImports {
     pub subject: SubjectPreference,
 
     #[serde(default)]
-    pub localpart: ImportPreference,
+    pub localpart: LocalpartPreference,
 
     #[serde(default)]
     pub displayname: ImportPreference,
@@ -332,6 +332,26 @@ pub struct SubjectPreference {
     pub template: Option<String>,
 }
 
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, Default)]
+pub struct LocalpartPreference {
+    #[serde(default)]
+    pub action: ImportAction,
+
+    #[serde(default)]
+    pub template: Option<String>,
+
+    #[serde(default)]
+    pub on_conflict: OnConflict,
+}
+
+impl std::ops::Deref for LocalpartPreference {
+    type Target = ImportAction;
+
+    fn deref(&self) -> &Self::Target {
+        &self.action
+    }
+}
+
 #[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, Default)]
 pub struct ImportPreference {
     #[serde(default)]
@@ -368,7 +388,7 @@ pub enum ImportAction {
 
 impl ImportAction {
     #[must_use]
-    pub fn is_forced(&self) -> bool {
+    pub fn is_forced_or_required(&self) -> bool {
         matches!(self, Self::Force | Self::Require)
     }
 
@@ -391,3 +411,15 @@ impl ImportAction {
         }
     }
 }
+
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, Default)]
+#[serde(rename_all = "lowercase")]
+pub enum OnConflict {
+    /// Fails the upstream OAuth 2.0 login
+    #[default]
+    Fail,
+
+    /// Adds the upstream account link, regardless of whether there is an
+    /// existing link or not
+    Add,
+}