NotificationsYou must be signed in to change notification settings
Fork928
Star10.1k

Commit16ade98

authored

chore: make scim auth header case insensitive for 'bearer' (#15538)

Fixes status codes to return more than 500. The way we were using thepackage, it always returned a status code 500

1 parent4cb8076 commit16ade98Copy full SHA for 16ade98

File tree

3 files changed

+91

-22

lines changed

enterprise/coderd
- scim
  - scimtypes.go
- scim.go
- scim_test.go

3 files changed

+91

-22

lines changed

`‎enterprise/coderd/scim.go`

Lines changed: 24 additions & 18 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`package coderd`
`2`	`2`
`3`	`3`	`import (`
	`4`	`+"bytes"`
`4`	`5`	`"crypto/subtle"`
`5`	`6`	`"database/sql"`
`6`	`7`	`"encoding/json"`
`@@ -26,16 +27,21 @@ import (`
`26`	`27`	`)`
`27`	`28`
`28`	`29`	`func (apiAPI)scimVerifyAuthHeader(rhttp.Request)bool {`
`29`		`-bearer:= []byte("Bearer ")`
	`30`	`+bearer:= []byte("bearer ")`
`30`	`31`	`hdr:= []byte(r.Header.Get("Authorization"))`
`31`	`32`
`32`		`-iflen(hdr)>=len(bearer)&&subtle.ConstantTimeCompare(hdr[:len(bearer)],bearer)==1 {`
	`33`	`+// Use toLower to make the comparison case-insensitive.`
	`34`	`+iflen(hdr)>=len(bearer)&&subtle.ConstantTimeCompare(bytes.ToLower(hdr[:len(bearer)]),bearer)==1 {`
`33`	`35`	`hdr=hdr[len(bearer):]`
`34`	`36`	`}`
`35`	`37`
`36`	`38`	`returnlen(api.SCIMAPIKey)!=0&&subtle.ConstantTimeCompare(hdr,api.SCIMAPIKey)==1`
`37`	`39`	`}`
`38`	`40`
	`41`	`+funcscimUnauthorized(rw http.ResponseWriter) {`
	`42`	`+_=handlerutil.WriteError(rw,scim.NewHTTPError(http.StatusUnauthorized,"invalidAuthorization",xerrors.New("invalid authorization")))`
	`43`	`+}`
	`44`	`+`
`39`	`45`	`// scimServiceProviderConfig returns a static SCIM service provider configuration.`
`40`	`46`	`//`
`41`	`47`	`// @Summary SCIM 2.0: Service Provider Config`
`@@ -114,7 +120,7 @@ func (api API) scimServiceProviderConfig(rw http.ResponseWriter, _ http.Reques`
`114`	`120`	`//nolint:revive`
`115`	`121`	`func (apiAPI)scimGetUsers(rw http.ResponseWriter,rhttp.Request) {`
`116`	`122`	`if!api.scimVerifyAuthHeader(r) {`
`117`		`-_=handlerutil.WriteError(rw, spec.Error{Status:http.StatusUnauthorized,Type:"invalidAuthorization"})`
	`123`	`+scimUnauthorized(rw)`
`118`	`124`	`return`
`119`	`125`	`}`
`120`	`126`
`@@ -142,11 +148,11 @@ func (api API) scimGetUsers(rw http.ResponseWriter, r http.Request) {`
`142`	`148`	`//nolint:revive`
`143`	`149`	`func (apiAPI)scimGetUser(rw http.ResponseWriter,rhttp.Request) {`
`144`	`150`	`if!api.scimVerifyAuthHeader(r) {`
`145`		`-_=handlerutil.WriteError(rw, spec.Error{Status:http.StatusUnauthorized,Type:"invalidAuthorization"})`
	`151`	`+scimUnauthorized(rw)`
`146`	`152`	`return`
`147`	`153`	`}`
`148`	`154`
`149`		`-_=handlerutil.WriteError(rw,spec.ErrNotFound)`
	`155`	`+_=handlerutil.WriteError(rw,scim.NewHTTPError(http.StatusNotFound,spec.ErrNotFound.Type,xerrors.New("endpoint will always return 404")))`
`150`	`156`	`}`
`151`	`157`
`152`	`158`	`// We currently use our own struct instead of using the SCIM package. This was`
`@@ -192,7 +198,7 @@ var SCIMAuditAdditionalFields = map[string]string{`
`192`	`198`	`func (apiAPI)scimPostUser(rw http.ResponseWriter,rhttp.Request) {`
`193`	`199`	`ctx:=r.Context()`
`194`	`200`	`if!api.scimVerifyAuthHeader(r) {`
`195`		`-_=handlerutil.WriteError(rw, spec.Error{Status:http.StatusUnauthorized,Type:"invalidAuthorization"})`
	`201`	`+scimUnauthorized(rw)`
`196`	`202`	`return`
`197`	`203`	`}`
`198`	`204`
`@@ -209,7 +215,7 @@ func (api API) scimPostUser(rw http.ResponseWriter, r http.Request) {`
`209`	`215`	`varsUserSCIMUser`
`210`	`216`	`err:=json.NewDecoder(r.Body).Decode(&sUser)`
`211`	`217`	`iferr!=nil {`
`212`		`-_=handlerutil.WriteError(rw,err)`
	`218`	`+_=handlerutil.WriteError(rw,scim.NewHTTPError(http.StatusBadRequest,"invalidRequest",err))`
`213`	`219`	`return`
`214`	`220`	`}`
`215`	`221`
`@@ -222,7 +228,7 @@ func (api API) scimPostUser(rw http.ResponseWriter, r http.Request) {`
`222`	`228`	`}`
`223`	`229`
`224`	`230`	`ifemail=="" {`
`225`		`-_=handlerutil.WriteError(rw,spec.Error{Status:http.StatusBadRequest,Type:"invalidEmail"})`
	`231`	`+_=handlerutil.WriteError(rw,scim.NewHTTPError(http.StatusBadRequest,"invalidEmail",xerrors.New("no primary email provided")))`
`226`	`232`	`return`
`227`	`233`	`}`
`228`	`234`
`@@ -232,7 +238,7 @@ func (api API) scimPostUser(rw http.ResponseWriter, r http.Request) {`
`232`	`238`	`Username:sUser.UserName,`
`233`	`239`	`})`
`234`	`240`	`iferr!=nil&&!xerrors.Is(err,sql.ErrNoRows) {`
`235`		`-_=handlerutil.WriteError(rw,err)`
	`241`	`+_=handlerutil.WriteError(rw,err)// internal error`
`236`	`242`	`return`
`237`	`243`	`}`
`238`	`244`	`iferr==nil {`
`@@ -248,7 +254,7 @@ func (api API) scimPostUser(rw http.ResponseWriter, r http.Request) {`
`248`	`254`	`UpdatedAt:dbtime.Now(),`
`249`	`255`	`})`
`250`	`256`	`iferr!=nil {`
`251`		`-_=handlerutil.WriteError(rw,err)`
	`257`	`+_=handlerutil.WriteError(rw,err)// internal error`
`252`	`258`	`return`
`253`	`259`	`}`
`254`	`260`	`aReq.New=newUser`
`@@ -284,14 +290,14 @@ func (api API) scimPostUser(rw http.ResponseWriter, r http.Request) {`
`284`	`290`	`//nolint:gocritic // SCIM operations are a system user`
`285`	`291`	`orgSync,err:=api.IDPSync.OrganizationSyncSettings(dbauthz.AsSystemRestricted(ctx),api.Database)`
`286`	`292`	`iferr!=nil {`
`287`		`-_=handlerutil.WriteError(rw,xerrors.Errorf("failed to get organization sync settings: %w",err))`
	`293`	`+_=handlerutil.WriteError(rw,scim.NewHTTPError(http.StatusInternalServerError,"internalError",xerrors.Errorf("failed to get organization sync settings: %w",err)))`
`288`	`294`	`return`
`289`	`295`	`}`
`290`	`296`	`iforgSync.AssignDefault {`
`291`	`297`	`//nolint:gocritic // SCIM operations are a system user`
`292`	`298`	`defaultOrganization,err:=api.Database.GetDefaultOrganization(dbauthz.AsSystemRestricted(ctx))`
`293`	`299`	`iferr!=nil {`
`294`		`-_=handlerutil.WriteError(rw,err)`
	`300`	`+_=handlerutil.WriteError(rw,scim.NewHTTPError(http.StatusInternalServerError,"internalError",xerrors.Errorf("failed to get default organization: %w",err)))`
`295`	`301`	`return`
`296`	`302`	`}`
`297`	`303`	`organizations=append(organizations,defaultOrganization.ID)`
`@@ -309,7 +315,7 @@ func (api API) scimPostUser(rw http.ResponseWriter, r http.Request) {`
`309`	`315`	`SkipNotifications:true,`
`310`	`316`	`})`
`311`	`317`	`iferr!=nil {`
`312`		`-_=handlerutil.WriteError(rw,err)`
	`318`	`+_=handlerutil.WriteError(rw,scim.NewHTTPError(http.StatusInternalServerError,"internalError",xerrors.Errorf("failed to create user: %w",err)))`
`313`	`319`	`return`
`314`	`320`	`}`
`315`	`321`	`aReq.New=dbUser`
`@@ -335,7 +341,7 @@ func (api API) scimPostUser(rw http.ResponseWriter, r http.Request) {`
`335`	`341`	`func (apiAPI)scimPatchUser(rw http.ResponseWriter,rhttp.Request) {`
`336`	`342`	`ctx:=r.Context()`
`337`	`343`	`if!api.scimVerifyAuthHeader(r) {`
`338`		`-_=handlerutil.WriteError(rw, spec.Error{Status:http.StatusUnauthorized,Type:"invalidAuthorization"})`
	`344`	`+scimUnauthorized(rw)`
`339`	`345`	`return`
`340`	`346`	`}`
`341`	`347`
`@@ -354,21 +360,21 @@ func (api API) scimPatchUser(rw http.ResponseWriter, r http.Request) {`
`354`	`360`	`varsUserSCIMUser`
`355`	`361`	`err:=json.NewDecoder(r.Body).Decode(&sUser)`
`356`	`362`	`iferr!=nil {`
`357`		`-_=handlerutil.WriteError(rw,err)`
	`363`	`+_=handlerutil.WriteError(rw,scim.NewHTTPError(http.StatusBadRequest,"invalidRequest",err))`
`358`	`364`	`return`
`359`	`365`	`}`
`360`	`366`	`sUser.ID=id`
`361`	`367`
`362`	`368`	`uid,err:=uuid.Parse(id)`
`363`	`369`	`iferr!=nil {`
`364`		`-_=handlerutil.WriteError(rw,spec.Error{Status:http.StatusBadRequest,Type:"invalidId"})`
	`370`	`+_=handlerutil.WriteError(rw,scim.NewHTTPError(http.StatusBadRequest,"invalidId",xerrors.Errorf("id must be a uuid: %w",err)))`
`365`	`371`	`return`
`366`	`372`	`}`
`367`	`373`
`368`	`374`	`//nolint:gocritic // needed for SCIM`
`369`	`375`	`dbUser,err:=api.Database.GetUserByID(dbauthz.AsSystemRestricted(ctx),uid)`
`370`	`376`	`iferr!=nil {`
`371`		`-_=handlerutil.WriteError(rw,err)`
	`377`	`+_=handlerutil.WriteError(rw,err)// internal error`
`372`	`378`	`return`
`373`	`379`	`}`
`374`	`380`	`aReq.Old=dbUser`
`@@ -400,7 +406,7 @@ func (api API) scimPatchUser(rw http.ResponseWriter, r http.Request) {`
`400`	`406`	`UpdatedAt:dbtime.Now(),`
`401`	`407`	`})`
`402`	`408`	`iferr!=nil {`
`403`		`-_=handlerutil.WriteError(rw,err)`
	`409`	`+_=handlerutil.WriteError(rw,err)// internal error`
`404`	`410`	`return`
`405`	`411`	`}`
`406`	`412`	`dbUser=userNew`

`‎enterprise/coderd/scim/scimtypes.go`

Lines changed: 40 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,11 @@`
`1`	`1`	`package scim`
`2`	`2`
`3`		`-import"time"`
	`3`	`+import (`
	`4`	`+"encoding/json"`
	`5`	`+"time"`
	`6`	`+`
	`7`	`+"github.com/imulab/go-scim/pkg/v2/spec"`
	`8`	`+)`
`4`	`9`
`5`	`10`	`typeServiceProviderConfigstruct {`
`6`	`11`	Schemas []string`json:"schemas"`
`@@ -44,3 +49,37 @@ type AuthenticationScheme struct {`
`44`	`49`	SpecURIstring`json:"specUri"`
`45`	`50`	DocURIstring`json:"documentationUri"`
`46`	`51`	`}`
	`52`	`+`
	`53`	`+// HTTPError wraps a *spec.Error for correct usage with`
	`54`	`+// 'handlerutil.WriteError'. This error type is cursed to be`
	`55`	`+// absolutely strange and specific to the SCIM library we use.`
	`56`	`+//`
	`57`	`+// The library expects *spec.Error to be returned on unwrap, and the`
	`58`	`+// internal error description to be returned by a json.Marshal of the`
	`59`	`+// top level error.`
	`60`	`+typeHTTPErrorstruct {`
	`61`	`+scim*spec.Error`
	`62`	`+internalerror`
	`63`	`+}`
	`64`	`+`
	`65`	`+funcNewHTTPError(statusint,eTypestring,errerror)*HTTPError {`
	`66`	`+return&HTTPError{`
	`67`	`+scim:&spec.Error{`
	`68`	`+Status:status,`
	`69`	`+Type:eType,`
	`70`	`+},`
	`71`	`+internal:err,`
	`72`	`+}`
	`73`	`+}`
	`74`	`+`
	`75`	`+func (eHTTPError)Error()string {`
	`76`	`+returne.internal.Error()`
	`77`	`+}`
	`78`	`+`
	`79`	`+func (eHTTPError)MarshalJSON() ([]byte,error) {`
	`80`	`+returnjson.Marshal(e.internal)`
	`81`	`+}`
	`82`	`+`
	`83`	`+func (eHTTPError)Unwrap()error {`
	`84`	`+returne.scim`
	`85`	`+}`

`‎enterprise/coderd/scim_test.go`

Lines changed: 27 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -6,11 +6,15 @@ import (`
`6`	`6`	`"fmt"`
`7`	`7`	`"io"`
`8`	`8`	`"net/http"`
	`9`	`+"net/http/httptest"`
`9`	`10`	`"testing"`
`10`	`11`
`11`	`12`	`"github.com/golang-jwt/jwt/v4"`
	`13`	`+"github.com/imulab/go-scim/pkg/v2/handlerutil"`
	`14`	`+"github.com/imulab/go-scim/pkg/v2/spec"`
`12`	`15`	`"github.com/stretchr/testify/assert"`
`13`	`16`	`"github.com/stretchr/testify/require"`
	`17`	`+"golang.org/x/xerrors"`
`14`	`18`
`15`	`19`	`"github.com/coder/coder/v2/coderd/audit"`
`16`	`20`	`"github.com/coder/coder/v2/coderd/coderdtest"`
`@@ -22,6 +26,7 @@ import (`
`22`	`26`	`"github.com/coder/coder/v2/enterprise/coderd"`
`23`	`27`	`"github.com/coder/coder/v2/enterprise/coderd/coderdenttest"`
`24`	`28`	`"github.com/coder/coder/v2/enterprise/coderd/license"`
	`29`	`+"github.com/coder/coder/v2/enterprise/coderd/scim"`
`25`	`30`	`"github.com/coder/coder/v2/testutil"`
`26`	`31`	`)`
`27`	`32`
`@@ -59,7 +64,8 @@ func setScimAuth(key []byte) func(*http.Request) {`
`59`	`64`
`60`	`65`	`funcsetScimAuthBearer(key []byte)func(*http.Request) {`
`61`	`66`	`returnfunc(r*http.Request) {`
`62`		`-r.Header.Set("Authorization","Bearer "+string(key))`
	`67`	`+// Do strange casing to ensure it's case-insensitive`
	`68`	`+r.Header.Set("Authorization","beAreR "+string(key))`
`63`	`69`	`}`
`64`	`70`	`}`
`65`	`71`
`@@ -111,7 +117,7 @@ func TestScim(t *testing.T) {`
`111`	`117`	`res,err:=client.Request(ctx,"POST","/scim/v2/Users",struct{}{})`
`112`	`118`	`require.NoError(t,err)`
`113`	`119`	`deferres.Body.Close()`
`114`		`-assert.Equal(t,http.StatusInternalServerError,res.StatusCode)`
	`120`	`+assert.Equal(t,http.StatusUnauthorized,res.StatusCode)`
`115`	`121`	`})`
`116`	`122`
`117`	`123`	`t.Run("OK",func(t*testing.T) {`
`@@ -454,7 +460,7 @@ func TestScim(t *testing.T) {`
`454`	`460`	`require.NoError(t,err)`
`455`	`461`	`_,_=io.Copy(io.Discard,res.Body)`
`456`	`462`	`_=res.Body.Close()`
`457`		`-assert.Equal(t,http.StatusInternalServerError,res.StatusCode)`
	`463`	`+assert.Equal(t,http.StatusUnauthorized,res.StatusCode)`
`458`	`464`	`})`
`459`	`465`
`460`	`466`	`t.Run("OK",func(t*testing.T) {`
`@@ -585,3 +591,21 @@ func TestScim(t *testing.T) {`
`585`	`591`	`})`
`586`	`592`	`})`
`587`	`593`	`}`
	`594`	`+`
	`595`	`+funcTestScimError(t*testing.T) {`
	`596`	`+t.Parallel()`
	`597`	`+`
	`598`	`+// Demonstrates that we cannot use the standard errors`
	`599`	`+rw:=httptest.NewRecorder()`
	`600`	`+_=handlerutil.WriteError(rw,spec.ErrNotFound)`
	`601`	`+resp:=rw.Result()`
	`602`	`+deferresp.Body.Close()`
	`603`	`+require.Equal(t,http.StatusInternalServerError,resp.StatusCode)`
	`604`	`+`
	`605`	`+// Our error wrapper works`
	`606`	`+rw=httptest.NewRecorder()`
	`607`	`+_=handlerutil.WriteError(rw,scim.NewHTTPError(http.StatusNotFound,spec.ErrNotFound.Type,xerrors.New("not found")))`
	`608`	`+resp=rw.Result()`
	`609`	`+deferresp.Body.Close()`
	`610`	`+require.Equal(t,http.StatusNotFound,resp.StatusCode)`
	`611`	`+}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit16ade98

File tree

3 files changed

3 files changed

`‎enterprise/coderd/scim.go`

`‎enterprise/coderd/scim/scimtypes.go`

`‎enterprise/coderd/scim_test.go`

0 commit comments