NotificationsYou must be signed in to change notification settings
Fork927
Star10.1k

Commit24ba819

authored

chore: return failed refresh errors on external auth as string (was boolean) (#13402)

* chore: return failed refresh errors on external authFailed refreshes should return errors. These errors are capturedas validate errors.

1 parentbf98b0d commit24ba819Copy full SHA for 24ba819

File tree

6 files changed

+68

-52

lines changed

coderd
- externalauth
  - externalauth.go
  - externalauth_test.go
- externalauth.go
- provisionerdserver
  - provisionerdserver.go
- templateversions.go
- workspaceagents.go

6 files changed

+68

-52

lines changed

`‎coderd/externalauth.go`

Lines changed: 5 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -351,15 +351,17 @@ func (api API) listUserExternalAuths(rw http.ResponseWriter, r http.Request) {`
`351`	`351`	`iflink.OAuthAccessToken!="" {`
`352`	`352`	`cfg,ok:=configs[link.ProviderID]`
`353`	`353`	`ifok {`
`354`		`-newLink,valid,err:=cfg.RefreshToken(ctx,api.Database,link)`
	`354`	`+newLink,err:=cfg.RefreshToken(ctx,api.Database,link)`
`355`	`355`	`meta:= db2sdk.ExternalAuthMeta{`
`356`		`-Authenticated:valid,`
	`356`	`+Authenticated:err==nil,`
`357`	`357`	`}`
`358`	`358`	`iferr!=nil {`
`359`	`359`	`meta.ValidateError=err.Error()`
`360`	`360`	`}`
	`361`	`+linkMeta[link.ProviderID]=meta`
	`362`	`+`
`361`	`363`	`// Update the link if it was potentially refreshed.`
`362`		`-iferr==nil&&valid{`
	`364`	`+iferr==nil {`
`363`	`365`	`links[i]=newLink`
`364`	`366`	`}`
`365`	`367`	`}`

`‎coderd/externalauth/externalauth.go`

Lines changed: 27 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -95,17 +95,31 @@ func (c Config) GenerateTokenExtra(token oauth2.Token) (pqtype.NullRawMessage,`
`95`	`95`	`},nil`
`96`	`96`	`}`
`97`	`97`
	`98`	`+// InvalidTokenError is a case where the "RefreshToken" failed to complete`
	`99`	`+// as a result of invalid credentials. Error contains the reason of the failure.`
	`100`	`+typeInvalidTokenErrorstring`
	`101`	`+`
	`102`	`+func (eInvalidTokenError)Error()string {`
	`103`	`+returnstring(e)`
	`104`	`+}`
	`105`	`+`
	`106`	`+funcIsInvalidTokenError(errerror)bool {`
	`107`	`+varinvalidTokenErrorInvalidTokenError`
	`108`	`+returnxerrors.As(err,&invalidTokenError)`
	`109`	`+}`
	`110`	`+`
`98`	`111`	`// RefreshToken automatically refreshes the token if expired and permitted.`
`99`		`-// It returns the token and a bool indicating if the token is valid.`
`100`		`-func (c*Config)RefreshToken(ctx context.Context,db database.Store,externalAuthLink database.ExternalAuthLink) (database.ExternalAuthLink,bool,error) {`
	`112`	`+// If an error is returned, the token is either invalid, or an error occurred.`
	`113`	`+// Use 'IsInvalidTokenError(err)' to determine the difference.`
	`114`	`+func (c*Config)RefreshToken(ctx context.Context,db database.Store,externalAuthLink database.ExternalAuthLink) (database.ExternalAuthLink,error) {`
`101`	`115`	`// If the token is expired and refresh is disabled, we prompt`
`102`	`116`	`// the user to authenticate again.`
`103`	`117`	`ifc.NoRefresh&&`
`104`	`118`	`// If the time is set to 0, then it should never expire.`
`105`	`119`	`// This is true for github, which has no expiry.`
`106`	`120`	`!externalAuthLink.OAuthExpiry.IsZero()&&`
`107`	`121`	`externalAuthLink.OAuthExpiry.Before(dbtime.Now()) {`
`108`		`-returnexternalAuthLink,false,nil`
	`122`	`+returnexternalAuthLink,InvalidTokenError("token expired, refreshing is disabled")`
`109`	`123`	`}`
`110`	`124`
`111`	`125`	`// This is additional defensive programming. Because TokenSource is an interface,`
`@@ -123,14 +137,16 @@ func (c *Config) RefreshToken(ctx context.Context, db database.Store, externalAu`
`123`	`137`	`Expiry:externalAuthLink.OAuthExpiry,`
`124`	`138`	`}).Token()`
`125`	`139`	`iferr!=nil {`
`126`		`-// Even if the token fails to be obtained, we still return false because`
`127`		`-// we aren't trying to surface an error, we're just trying to obtain a valid token.`
`128`		`-returnexternalAuthLink,false,nil`
	`140`	`+// Even if the token fails to be obtained, do not return the error as an error.`
	`141`	`+// TokenSource(...).Token() will always return the current token if the token is not expired.`
	`142`	`+// If it is expired, it will attempt to refresh the token, and if it cannot, it will fail with`
	`143`	`+// an error. This error is a reason the token is invalid.`
	`144`	`+returnexternalAuthLink,InvalidTokenError(fmt.Sprintf("refresh token: %s",err.Error()))`
`129`	`145`	`}`
`130`	`146`
`131`	`147`	`extra,err:=c.GenerateTokenExtra(token)`
`132`	`148`	`iferr!=nil {`
`133`		`-returnexternalAuthLink,false,xerrors.Errorf("generate token extra: %w",err)`
	`149`	`+returnexternalAuthLink,xerrors.Errorf("generate token extra: %w",err)`
`134`	`150`	`}`
`135`	`151`
`136`	`152`	`r:=retry.New(50time.Millisecond,200time.Millisecond)`
`@@ -140,7 +156,7 @@ func (c *Config) RefreshToken(ctx context.Context, db database.Store, externalAu`
`140`	`156`	`validate:`
`141`	`157`	`valid,_,err:=c.ValidateToken(ctx,token)`
`142`	`158`	`iferr!=nil {`
`143`		`-returnexternalAuthLink,false,xerrors.Errorf("validate external auth token: %w",err)`
	`159`	`+returnexternalAuthLink,xerrors.Errorf("validate external auth token: %w",err)`
`144`	`160`	`}`
`145`	`161`	`if!valid {`
`146`	`162`	`// A customer using GitHub in Australia reported that validating immediately`
`@@ -154,7 +170,7 @@ validate:`
`154`	`170`	`goto validate`
`155`	`171`	`}`
`156`	`172`	`// The token is no longer valid!`
`157`		`-returnexternalAuthLink,false,nil`
	`173`	`+returnexternalAuthLink,InvalidTokenError("token failed to validate")`
`158`	`174`	`}`
`159`	`175`
`160`	`176`	`iftoken.AccessToken!=externalAuthLink.OAuthAccessToken {`
`@@ -170,11 +186,11 @@ validate:`
`170`	`186`	`OAuthExtra:extra,`
`171`	`187`	`})`
`172`	`188`	`iferr!=nil {`
`173`		`-returnupdatedAuthLink,false,xerrors.Errorf("update external auth link: %w",err)`
	`189`	`+returnupdatedAuthLink,xerrors.Errorf("update external auth link: %w",err)`
`174`	`190`	`}`
`175`	`191`	`externalAuthLink=updatedAuthLink`
`176`	`192`	`}`
`177`		`-returnexternalAuthLink,true,nil`
	`193`	`+returnexternalAuthLink,nil`
`178`	`194`	`}`
`179`	`195`
`180`	`196`	`// ValidateToken ensures the Git token provided is valid!`

`‎coderd/externalauth/externalauth_test.go`

Lines changed: 22 additions & 20 deletions

Original file line number	Diff line number	Diff line change
`@@ -59,9 +59,10 @@ func TestRefreshToken(t *testing.T) {`
`59`	`59`	`// Expire the link`
`60`	`60`	`link.OAuthExpiry=expired`
`61`	`61`
`62`		`-_,refreshed,err:=config.RefreshToken(ctx,nil,link)`
`63`		`-require.NoError(t,err)`
`64`		`-require.False(t,refreshed)`
	`62`	`+_,err:=config.RefreshToken(ctx,nil,link)`
	`63`	`+require.Error(t,err)`
	`64`	`+require.True(t,externalauth.IsInvalidTokenError(err))`
	`65`	`+require.Contains(t,err.Error(),"refreshing is disabled")`
`65`	`66`	`})`
`66`	`67`
`67`	`68`	`// NoRefreshNoExpiry tests that an oauth token without an expiry is always valid.`
`@@ -90,9 +91,8 @@ func TestRefreshToken(t *testing.T) {`
`90`	`91`
`91`	`92`	`// Zero time used`
`92`	`93`	`link.OAuthExpiry= time.Time{}`
`93`		`-_,refreshed,err:=config.RefreshToken(ctx,nil,link)`
	`94`	`+_,err:=config.RefreshToken(ctx,nil,link)`
`94`	`95`	`require.NoError(t,err)`
`95`		`-require.True(t,refreshed,"token without expiry is always valid")`
`96`	`96`	`require.True(t,validated,"token should have been validated")`
`97`	`97`	`})`
`98`	`98`
`@@ -105,11 +105,12 @@ func TestRefreshToken(t *testing.T) {`
`105`	`105`	`},`
`106`	`106`	`},`
`107`	`107`	`}`
`108`		`-_,refreshed,err:=config.RefreshToken(context.Background(),nil, database.ExternalAuthLink{`
	`108`	`+_,err:=config.RefreshToken(context.Background(),nil, database.ExternalAuthLink{`
`109`	`109`	`OAuthExpiry:expired,`
`110`	`110`	`})`
`111`		`-require.NoError(t,err)`
`112`		`-require.False(t,refreshed)`
	`111`	`+require.Error(t,err)`
	`112`	`+require.True(t,externalauth.IsInvalidTokenError(err))`
	`113`	`+require.Contains(t,err.Error(),"failure")`
`113`	`114`	`})`
`114`	`115`
`115`	`116`	`t.Run("ValidateServerError",func(t*testing.T) {`
`@@ -131,8 +132,12 @@ func TestRefreshToken(t *testing.T) {`
`131`	`132`	`ctx:=oidc.ClientContext(context.Background(),fake.HTTPClient(nil))`
`132`	`133`	`link.OAuthExpiry=expired`
`133`	`134`
`134`		`-_,_,err:=config.RefreshToken(ctx,nil,link)`
	`135`	`+_,err:=config.RefreshToken(ctx,nil,link)`
`135`	`136`	`require.ErrorContains(t,err,staticError)`
	`137`	`+// Unsure if this should be the correct behavior. It's an invalid token because`
	`138`	`+// 'ValidateToken()' failed with a runtime error. This was the previous behavior,`
	`139`	`+// so not going to change it.`
	`140`	`+require.False(t,externalauth.IsInvalidTokenError(err))`
`136`	`141`	`require.True(t,validated,"token should have been attempted to be validated")`
`137`	`142`	`})`
`138`	`143`
`@@ -156,9 +161,9 @@ func TestRefreshToken(t *testing.T) {`
`156`	`161`	`ctx:=oidc.ClientContext(context.Background(),fake.HTTPClient(nil))`
`157`	`162`	`link.OAuthExpiry=expired`
`158`	`163`
`159`		`-_,refreshed,err:=config.RefreshToken(ctx,nil,link)`
`160`		`-require.NoError(t,err,staticError)`
`161`		`-require.False(t,refreshed)`
	`164`	`+_,err:=config.RefreshToken(ctx,nil,link)`
	`165`	`+require.ErrorContains(t,err,"token failed to validate")`
	`166`	`+require.True(t,externalauth.IsInvalidTokenError(err))`
`162`	`167`	`require.True(t,validated,"token should have been attempted to be validated")`
`163`	`168`	`})`
`164`	`169`
`@@ -191,9 +196,8 @@ func TestRefreshToken(t *testing.T) {`
`191`	`196`	`// Unlimited lifetime, this is what GitHub returns tokens as`
`192`	`197`	`link.OAuthExpiry= time.Time{}`
`193`	`198`
`194`		`-_,ok,err:=config.RefreshToken(ctx,nil,link)`
	`199`	`+_,err:=config.RefreshToken(ctx,nil,link)`
`195`	`200`	`require.NoError(t,err)`
`196`		`-require.True(t,ok)`
`197`	`201`	`require.Equal(t,2,validateCalls,"token should have been attempted to be validated more than once")`
`198`	`202`	`})`
`199`	`203`
`@@ -219,9 +223,8 @@ func TestRefreshToken(t *testing.T) {`
`219`	`223`
`220`	`224`	`ctx:=oidc.ClientContext(context.Background(),fake.HTTPClient(nil))`
`221`	`225`
`222`		`-_,ok,err:=config.RefreshToken(ctx,nil,link)`
	`226`	`+_,err:=config.RefreshToken(ctx,nil,link)`
`223`	`227`	`require.NoError(t,err)`
`224`		`-require.True(t,ok)`
`225`	`228`	`require.Equal(t,1,validateCalls,"token is validated")`
`226`	`229`	`})`
`227`	`230`
`@@ -253,9 +256,8 @@ func TestRefreshToken(t *testing.T) {`
`253`	`256`	`// Force a refresh`
`254`	`257`	`link.OAuthExpiry=expired`
`255`	`258`
`256`		`-updated,ok,err:=config.RefreshToken(ctx,db,link)`
	`259`	`+updated,err:=config.RefreshToken(ctx,db,link)`
`257`	`260`	`require.NoError(t,err)`
`258`		`-require.True(t,ok)`
`259`	`261`	`require.Equal(t,1,validateCalls,"token is validated")`
`260`	`262`	`require.Equal(t,1,refreshCalls,"token is refreshed")`
`261`	`263`	`require.NotEqualf(t,link.OAuthAccessToken,updated.OAuthAccessToken,"token is updated")`
`@@ -292,9 +294,9 @@ func TestRefreshToken(t *testing.T) {`
`292`	`294`	`// Force a refresh`
`293`	`295`	`link.OAuthExpiry=expired`
`294`	`296`
`295`		`-updated,ok,err:=config.RefreshToken(ctx,db,link)`
	`297`	`+updated,err:=config.RefreshToken(ctx,db,link)`
`296`	`298`	`require.NoError(t,err)`
`297`		`-require.True(t,ok)`
	`299`	`+`
`298`	`300`	`require.True(t,updated.OAuthExtra.Valid)`
`299`	`301`	`extra:=map[string]interface{}{}`
`300`	`302`	`require.NoError(t,json.Unmarshal(updated.OAuthExtra.RawMessage,&extra))`

`‎coderd/provisionerdserver/provisionerdserver.go`

Lines changed: 5 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -559,16 +559,17 @@ func (s *server) acquireProtoJob(ctx context.Context, job database.ProvisionerJo`
`559`	`559`	`continue`
`560`	`560`	`}`
`561`	`561`
`562`		`-link,valid,err:=config.RefreshToken(ctx,s.Database,link)`
`563`		`-iferr!=nil {`
	`562`	`+refreshed,err:=config.RefreshToken(ctx,s.Database,link)`
	`563`	`+iferr!=nil&&!externalauth.IsInvalidTokenError(err){`
`564`	`564`	`returnnil,failJob(fmt.Sprintf("refresh external auth link %q: %s",p.ID,err))`
`565`	`565`	`}`
`566`		`-if!valid {`
	`566`	`+iferr!=nil {`
	`567`	`+// Invalid tokens are skipped`
`567`	`568`	`continue`
`568`	`569`	`}`
`569`	`570`	`externalAuthProviders=append(externalAuthProviders,&sdkproto.ExternalAuthProvider{`
`570`	`571`	`Id:p.ID,`
`571`		`-AccessToken:link.OAuthAccessToken,`
	`572`	`+AccessToken:refreshed.OAuthAccessToken,`
`572`	`573`	`})`
`573`	`574`	`}`
`574`	`575`

`‎coderd/templateversions.go`

Lines changed: 4 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -353,21 +353,16 @@ func (api API) templateVersionExternalAuth(rw http.ResponseWriter, r http.Requ`
`353`	`353`	`return`
`354`	`354`	`}`
`355`	`355`
`356`		`-_,updated,err:=config.RefreshToken(ctx,api.Database,authLink)`
`357`		`-iferr!=nil {`
	`356`	`+_,err=config.RefreshToken(ctx,api.Database,authLink)`
	`357`	`+iferr!=nil&&!externalauth.IsInvalidTokenError(err){`
`358`	`358`	`httpapi.Write(ctx,rw,http.StatusInternalServerError, codersdk.Response{`
`359`	`359`	`Message:"Failed to refresh external auth token.",`
`360`	`360`	`Detail:err.Error(),`
`361`	`361`	`})`
`362`	`362`	`return`
`363`	`363`	`}`
`364`		`-// If the token couldn't be validated, then we assume the user isn't`
`365`		`-// authenticated and return early.`
`366`		`-if!updated {`
`367`		`-providers=append(providers,provider)`
`368`		`-continue`
`369`		`-}`
`370`		`-provider.Authenticated=true`
	`364`	`+`
	`365`	`+provider.Authenticated=err==nil`
`371`	`366`	`providers=append(providers,provider)`
`372`	`367`	`}`
`373`	`368`

`‎coderd/workspaceagents.go`

Lines changed: 5 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -1912,25 +1912,25 @@ func (api API) workspaceAgentsExternalAuth(rw http.ResponseWriter, r http.Requ`
`1912`	`1912`	`return`
`1913`	`1913`	`}`
`1914`	`1914`
`1915`		`-externalAuthLink,valid,err:=externalAuthConfig.RefreshToken(ctx,api.Database,externalAuthLink)`
`1916`		`-iferr!=nil {`
	`1915`	`+refreshedLink,err:=externalAuthConfig.RefreshToken(ctx,api.Database,externalAuthLink)`
	`1916`	`+iferr!=nil&&!externalauth.IsInvalidTokenError(err){`
`1917`	`1917`	`handleRetrying(http.StatusInternalServerError, codersdk.Response{`
`1918`	`1918`	`Message:"Failed to refresh external auth token.",`
`1919`	`1919`	`Detail:err.Error(),`
`1920`	`1920`	`})`
`1921`	`1921`	`return`
`1922`	`1922`	`}`
`1923`		`-if!valid {`
	`1923`	`+iferr!=nil {`
`1924`	`1924`	`// Set the previous token so the retry logic will skip validating the`
`1925`	`1925`	`// same token again. This should only be set if the token is invalid and there`
`1926`	`1926`	`// was no error. If it is invalid because of an error, then we should recheck.`
`1927`		`-previousToken=&externalAuthLink`
	`1927`	`+previousToken=&refreshedLink`
`1928`	`1928`	`handleRetrying(http.StatusOK, agentsdk.ExternalAuthResponse{`
`1929`	`1929`	`URL:redirectURL.String(),`
`1930`	`1930`	`})`
`1931`	`1931`	`return`
`1932`	`1932`	`}`
`1933`		`-resp,err:=createExternalAuthResponse(externalAuthConfig.Type,externalAuthLink.OAuthAccessToken,externalAuthLink.OAuthExtra)`
	`1933`	`+resp,err:=createExternalAuthResponse(externalAuthConfig.Type,refreshedLink.OAuthAccessToken,refreshedLink.OAuthExtra)`
`1934`	`1934`	`iferr!=nil {`
`1935`	`1935`	`handleRetrying(http.StatusInternalServerError, codersdk.Response{`
`1936`	`1936`	`Message:"Failed to create external auth response.",`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit24ba819

File tree

6 files changed

6 files changed

`‎coderd/externalauth.go`

`‎coderd/externalauth/externalauth.go`

`‎coderd/externalauth/externalauth_test.go`

`‎coderd/provisionerdserver/provisionerdserver.go`

`‎coderd/templateversions.go`

`‎coderd/workspaceagents.go`

0 commit comments