NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commit1131772

authored

feat(coderd): set full name from IDP name claim (#13468)

* Updates OIDC and GitHub OAuth login to fetch set name from relevant claim fields* Adds CODER_OIDC_NAME_FIELD as configurable source of user name claim* Adds httpapi function to normalize a username such that it will pass validation* Adds firstName / lastName fields to dev OIDC setup

1 parente743588 commit1131772Copy full SHA for 1131772

File tree

16 files changed

+301

-42

lines changed

cli
- server.go
- testdata
  - coder_server_--help.golden
  - server-config.yaml.golden
coderd
- apidoc
  - docs.go
  - swagger.json
- httpapi
  - name.go
  - name_test.go
- userauth.go
- userauth_test.go
codersdk
- deployment.go
docs
- api
  - general.md
  - schemas.md
- cli
  - server.md
enterprise/cli/testdata
- coder_server_--help.golden
scripts
- dev-oidc.sh
site/src/api
- typesGenerated.ts

16 files changed

+301

-42

lines changed

`‎cli/server.go‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -169,6 +169,7 @@ func createOIDCConfig(ctx context.Context, vals codersdk.DeploymentValues) (co`
`169`	`169`	`EmailDomain:vals.OIDC.EmailDomain,`
`170`	`170`	`AllowSignups:vals.OIDC.AllowSignups.Value(),`
`171`	`171`	`UsernameField:vals.OIDC.UsernameField.String(),`
	`172`	`+NameField:vals.OIDC.NameField.String(),`
`172`	`173`	`EmailField:vals.OIDC.EmailField.String(),`
`173`	`174`	`AuthURLParams:vals.OIDC.AuthURLParams.Value,`
`174`	`175`	`IgnoreUserInfo:vals.OIDC.IgnoreUserInfo.Value(),`

`‎cli/testdata/coder_server_--help.golden‎`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -407,6 +407,9 @@ OIDC OPTIONS:`
`407`	`407`	`--oidc-issuer-url string, $CODER_OIDC_ISSUER_URL`
`408`	`408`	`Issuer URL to use for Login with OIDC.`
`409`	`409`
	`410`	`+ --oidc-name-field string, $CODER_OIDC_NAME_FIELD (default: name)`
	`411`	`+ OIDC claim field to use as the name.`
	`412`	`+`
`410`	`413`	`--oidc-group-regex-filter regexp, $CODER_OIDC_GROUP_REGEX_FILTER (default: .*)`
`411`	`414`	`If provided any group name not matching the regex is ignored. This`
`412`	`415`	`allows for filtering out groups that are not needed. This filter is`

`‎cli/testdata/server-config.yaml.golden‎`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -306,6 +306,9 @@ oidc:`
`306`	`306`	`# OIDC claim field to use as the username.`
`307`	`307`	`# (default: preferred_username, type: string)`
`308`	`308`	`usernameField: preferred_username`
	`309`	`+ # OIDC claim field to use as the name.`
	`310`	`+ # (default: name, type: string)`
	`311`	`+ nameField: name`
`309`	`312`	`# OIDC claim field to use as the email.`
`310`	`313`	`# (default: email, type: string)`
`311`	`314`	`emailField: email`

`‎coderd/apidoc/docs.go‎`

Lines changed: 3 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apidoc/swagger.json‎`

Lines changed: 3 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/httpapi/name.go‎`

Lines changed: 11 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -91,3 +91,14 @@ func UserRealNameValid(str string) error {`
`91`	`91`	`}`
`92`	`92`	`returnnil`
`93`	`93`	`}`
	`94`	`+`
	`95`	`+// NormalizeUserRealName normalizes a user name such that it will pass`
	`96`	`+// validation by UserRealNameValid. This is done to avoid blocking`
	`97`	`+// little Bobby Whitespace from using Coder.`
	`98`	`+funcNormalizeRealUsername(strstring)string {`
	`99`	`+s:=strings.TrimSpace(str)`
	`100`	`+iflen(s)>128 {`
	`101`	`+s=s[:128]`
	`102`	`+}`
	`103`	`+returns`
	`104`	`+}`

`‎coderd/httpapi/name_test.go‎`

Lines changed: 14 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,9 +1,11 @@`
`1`	`1`	`package httpapi_test`
`2`	`2`
`3`	`3`	`import (`
	`4`	`+"strings"`
`4`	`5`	`"testing"`
`5`	`6`
`6`	`7`	`"github.com/moby/moby/pkg/namesgenerator"`
	`8`	`+"github.com/stretchr/testify/assert"`
`7`	`9`	`"github.com/stretchr/testify/require"`
`8`	`10`
`9`	`11`	`"github.com/coder/coder/v2/coderd/httpapi"`
`@@ -217,6 +219,10 @@ func TestUserRealNameValid(t *testing.T) {`
`217`	`219`	`Namestring`
`218`	`220`	`Validbool`
`219`	`221`	`}{`
	`222`	`+{"",true},`
	`223`	`+{" a",false},`
	`224`	`+{"a ",false},`
	`225`	`+{" a ",false},`
`220`	`226`	`{"1",true},`
`221`	`227`	`{"A",true},`
`222`	`228`	`{"A1",true},`
`@@ -229,17 +235,22 @@ func TestUserRealNameValid(t *testing.T) {`
`229`	`235`	`{"Małgorzata Kalinowska-Iszkowska",true},`
`230`	`236`	`{"成龍",true},`
`231`	`237`	`{". .",true},`
`232`		`-`
`233`	`238`	`{"Lord Voldemort ",false},`
`234`	`239`	`{" Bellatrix Lestrange",false},`
`235`	`240`	`{" ",false},`
	`241`	`+{strings.Repeat("a",128),true},`
	`242`	`+{strings.Repeat("a",129),false},`
`236`	`243`	`}`
`237`	`244`	`for_,testCase:=rangetestCases {`
`238`	`245`	`testCase:=testCase`
`239`	`246`	`t.Run(testCase.Name,func(t*testing.T) {`
`240`	`247`	`t.Parallel()`
`241`		`-valid:=httpapi.UserRealNameValid(testCase.Name)`
`242`		`-require.Equal(t,testCase.Valid,valid==nil)`
	`248`	`+err:=httpapi.UserRealNameValid(testCase.Name)`
	`249`	`+norm:=httpapi.NormalizeRealUsername(testCase.Name)`
	`250`	`+normErr:=httpapi.UserRealNameValid(norm)`
	`251`	`+assert.NoError(t,normErr)`
	`252`	`+assert.Equal(t,testCase.Valid,err==nil)`
	`253`	`+assert.Equal(t,testCase.Valid,norm==testCase.Name,"invalid name should be different after normalization")`
`243`	`254`	`})`
`244`	`255`	`}`
`245`	`256`	`}`

`‎coderd/userauth.go‎`

Lines changed: 23 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -607,6 +607,9 @@ func (api API) userOAuth2Github(rw http.ResponseWriter, r http.Request) {`
`607`	`607`	`return`
`608`	`608`	`}`
`609`	`609`
	`610`	`+ghName:=ghUser.GetName()`
	`611`	`+normName:=httpapi.NormalizeRealUsername(ghName)`
	`612`	`+`
`610`	`613`	`// If we have a nil GitHub ID, that is a big problem. That would mean we link`
`611`	`614`	`// this user and all other users with this bug to the same uuid.`
`612`	`615`	`// We should instead throw an error. This should never occur in production.`
`@@ -652,6 +655,7 @@ func (api API) userOAuth2Github(rw http.ResponseWriter, r http.Request) {`
`652`	`655`	`Email:verifiedEmail.GetEmail(),`
`653`	`656`	`Username:ghUser.GetLogin(),`
`654`	`657`	`AvatarURL:ghUser.GetAvatarURL(),`
	`658`	`+Name:normName,`
`655`	`659`	`DebugContext:OauthDebugContext{},`
`656`	`660`	`}).SetInitAuditRequest(func(paramsaudit.RequestParams) (audit.Request[database.User],func()) {`
`657`	`661`	`returnaudit.InitRequest[database.User](rw,params)`
`@@ -701,6 +705,9 @@ type OIDCConfig struct {`
`701`	`705`	`// EmailField selects the claim field to be used as the created user's`
`702`	`706`	`// email.`
`703`	`707`	`EmailFieldstring`
	`708`	`+// NameField selects the claim field to be used as the created user's`
	`709`	`+// full / given name.`
	`710`	`+NameFieldstring`
`704`	`711`	`// AuthURLParams are additional parameters to be passed to the OIDC provider`
`705`	`712`	`// when requesting an access token.`
`706`	`713`	`AuthURLParamsmap[string]string`
`@@ -952,13 +959,22 @@ func (api API) userOIDC(rw http.ResponseWriter, r http.Request) {`
`952`	`959`	`}`
`953`	`960`	`}`
`954`	`961`
	`962`	`+// The 'name' is an optional property in Coder. If not specified,`
	`963`	`+// it will be left blank.`
	`964`	`+varnamestring`
	`965`	`+nameRaw,ok:=mergedClaims[api.OIDCConfig.NameField]`
	`966`	`+ifok {`
	`967`	`+name,_=nameRaw.(string)`
	`968`	`+name=httpapi.NormalizeRealUsername(name)`
	`969`	`+}`
	`970`	`+`
`955`	`971`	`varpicturestring`
`956`	`972`	`pictureRaw,ok:=mergedClaims["picture"]`
`957`	`973`	`ifok {`
`958`	`974`	`picture,_=pictureRaw.(string)`
`959`	`975`	`}`
`960`	`976`
`961`		`-ctx=slog.With(ctx,slog.F("email",email),slog.F("username",username))`
	`977`	`+ctx=slog.With(ctx,slog.F("email",email),slog.F("username",username),slog.F("name",name))`
`962`	`978`	`usingGroups,groups,groupErr:=api.oidcGroups(ctx,mergedClaims)`
`963`	`979`	`ifgroupErr!=nil {`
`964`	`980`	`groupErr.Write(rw,r)`
`@@ -996,6 +1012,7 @@ func (api API) userOIDC(rw http.ResponseWriter, r http.Request) {`
`996`	`1012`	`AllowSignups:api.OIDCConfig.AllowSignups,`
`997`	`1013`	`Email:email,`
`998`	`1014`	`Username:username,`
	`1015`	`+Name:name,`
`999`	`1016`	`AvatarURL:picture,`
`1000`	`1017`	`UsingRoles:api.OIDCConfig.RoleSyncEnabled(),`
`1001`	`1018`	`Roles:roles,`
`@@ -1222,6 +1239,7 @@ type oauthLoginParams struct {`
`1222`	`1239`	`AllowSignupsbool`
`1223`	`1240`	`Emailstring`
`1224`	`1241`	`Usernamestring`
	`1242`	`+Namestring`
`1225`	`1243`	`AvatarURLstring`
`1226`	`1244`	`// Is UsingGroups is true, then the user will be assigned`
`1227`	`1245`	`// to the Groups provided.`
`@@ -1544,6 +1562,10 @@ func (api API) oauthLogin(r http.Request, params oauthLoginParams) ([]http.C`
`1544`	`1562`	`user.AvatarURL=params.AvatarURL`
`1545`	`1563`	`needsUpdate=true`
`1546`	`1564`	`}`
	`1565`	`+ifuser.Name!=params.Name {`
	`1566`	`+user.Name=params.Name`
	`1567`	`+needsUpdate=true`
	`1568`	`+}`
`1547`	`1569`
`1548`	`1570`	`// If the upstream email or username has changed we should mirror`
`1549`	`1571`	`// that in Coder. Many enterprises use a user's email/username as`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit1131772

File tree

16 files changed

16 files changed

`‎cli/server.go‎`

`‎cli/testdata/coder_server_--help.golden‎`

`‎cli/testdata/server-config.yaml.golden‎`

`‎coderd/apidoc/docs.go‎`

`‎coderd/apidoc/swagger.json‎`

`‎coderd/httpapi/name.go‎`

`‎coderd/httpapi/name_test.go‎`

`‎coderd/userauth.go‎`

0 commit comments