NotificationsYou must be signed in to change notification settings
Fork1.1k
Star11.7k

Commit27f2691

authored

chore: external auth validate response "Forbidden" should return invalid, not an error (#13446)

* chore: add unit test to delete workspace from suspended user* chore: account for forbidden as well as unauthorized response codes

1 parent0b019ca commit27f2691Copy full SHA for 27f2691

File tree

4 files changed

+98

-9

lines changed

coderd
- coderdtest/oidctest
  - idp.go
- externalauth_test.go
- externalauth
  - externalauth.go
- workspacebuilds_test.go

4 files changed

+98

-9

lines changed

`‎coderd/coderdtest/oidctest/idp.go‎`

Lines changed: 17 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -1255,7 +1255,9 @@ type ExternalAuthConfigOptions struct {`
`1255`	`1255`	`// ValidatePayload is the payload that is used when the user calls the`
`1256`	`1256`	`// equivalent of "userinfo" for oauth2. This is not standardized, so is`
`1257`	`1257`	`// different for each provider type.`
`1258`		`-ValidatePayloadfunc(emailstring)interface{}`
	`1258`	`+//`
	`1259`	`+// The int,error payload can control the response if set.`
	`1260`	`+ValidatePayloadfunc(emailstring) (interface{},int,error)`
`1259`	`1261`
`1260`	`1262`	`// routes is more advanced usage. This allows the caller to`
`1261`	`1263`	`// completely customize the response. It captures all routes under the /external-auth-validate/*`
`@@ -1292,7 +1294,20 @@ func (f FakeIDP) ExternalAuthConfig(t testing.TB, id string, custom ExternalAu`
`1292`	`1294`	`case"/user","/","":`
`1293`	`1295`	`varpayloadinterface{}="OK"`
`1294`	`1296`	`ifcustom.ValidatePayload!=nil {`
`1295`		`-payload=custom.ValidatePayload(email)`
	`1297`	`+varerrerror`
	`1298`	`+varcodeint`
	`1299`	`+payload,code,err=custom.ValidatePayload(email)`
	`1300`	`+ifcode==0&&err==nil {`
	`1301`	`+code=http.StatusOK`
	`1302`	`+}`
	`1303`	`+ifcode==0&&err!=nil {`
	`1304`	`+code=http.StatusUnauthorized`
	`1305`	`+}`
	`1306`	`+iferr!=nil {`
	`1307`	`+http.Error(rw,fmt.Sprintf("failed validation via custom method: %s",err.Error()),code)`
	`1308`	`+return`
	`1309`	`+}`
	`1310`	`+rw.WriteHeader(code)`
`1296`	`1311`	`}`
`1297`	`1312`	`_=json.NewEncoder(rw).Encode(payload)`
`1298`	`1313`	`default:`

`‎coderd/externalauth/externalauth.go‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -218,7 +218,7 @@ func (c Config) ValidateToken(ctx context.Context, link oauth2.Token) (bool, *`
`218`	`218`	`returnfalse,nil,err`
`219`	`219`	`}`
`220`	`220`	`deferres.Body.Close()`
`221`		`-ifres.StatusCode==http.StatusUnauthorized {`
	`221`	`+ifres.StatusCode==http.StatusUnauthorized\|\|res.StatusCode==http.StatusForbidden{`
`222`	`222`	`// The token is no longer valid!`
`223`	`223`	`returnfalse,nil,nil`
`224`	`224`	`}`

`‎coderd/externalauth_test.go‎`

Lines changed: 6 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -79,11 +79,11 @@ func TestExternalAuthByID(t *testing.T) {`
`79`	`79`	`client:=coderdtest.New(t,&coderdtest.Options{`
`80`	`80`	`ExternalAuthConfigs: []*externalauth.Config{`
`81`	`81`	`fake.ExternalAuthConfig(t,providerID,&oidctest.ExternalAuthConfigOptions{`
`82`		`-ValidatePayload:func(_string)interface{} {`
	`82`	`+ValidatePayload:func(_string)(interface{},int,error) {`
`83`	`83`	`return github.User{`
`84`	`84`	`Login:github.String("kyle"),`
`85`	`85`	`AvatarURL:github.String("https://avatars.githubusercontent.com/u/12345678?v=4"),`
`86`		`-}`
	`86`	`+},0,nil`
`87`	`87`	`},`
`88`	`88`	`},func(cfg*externalauth.Config) {`
`89`	`89`	`cfg.Type=codersdk.EnhancedExternalAuthProviderGitHub.String()`
`@@ -108,11 +108,11 @@ func TestExternalAuthByID(t *testing.T) {`
`108`	`108`
`109`	`109`	`// routes includes a route for /install that returns a list of installations`
`110`	`110`	`routes:= (&oidctest.ExternalAuthConfigOptions{`
`111`		`-ValidatePayload:func(_string)interface{} {`
	`111`	`+ValidatePayload:func(_string)(interface{},int,error) {`
`112`	`112`	`return github.User{`
`113`	`113`	`Login:github.String("kyle"),`
`114`	`114`	`AvatarURL:github.String("https://avatars.githubusercontent.com/u/12345678?v=4"),`
`115`		`-}`
	`115`	`+},0,nil`
`116`	`116`	`},`
`117`	`117`	`}).AddRoute("/installs",func(_string,rw http.ResponseWriter,r*http.Request) {`
`118`	`118`	`httpapi.Write(r.Context(),rw,http.StatusOK,struct {`
`@@ -556,7 +556,7 @@ func TestExternalAuthCallback(t *testing.T) {`
`556`	`556`	`// If the validation URL gives a non-OK status code, this`
`557`	`557`	`// should be treated as an internal server error.`
`558`	`558`	`srv.Config.Handler=http.HandlerFunc(func(w http.ResponseWriter,r*http.Request) {`
`559`		`-w.WriteHeader(http.StatusForbidden)`
	`559`	`+w.WriteHeader(http.StatusBadRequest)`
`560`	`560`	`w.Write([]byte("Something went wrong!"))`
`561`	`561`	`})`
`562`	`562`	`_,err=agentClient.ExternalAuth(ctx, agentsdk.ExternalAuthRequest{`
`@@ -565,7 +565,7 @@ func TestExternalAuthCallback(t *testing.T) {`
`565`	`565`	`varapiError*codersdk.Error`
`566`	`566`	`require.ErrorAs(t,err,&apiError)`
`567`	`567`	`require.Equal(t,http.StatusInternalServerError,apiError.StatusCode())`
`568`		`-require.Equal(t,"validate external auth token: status403: body: Something went wrong!",apiError.Detail)`
	`568`	`+require.Equal(t,"validate external auth token: status400: body: Something went wrong!",apiError.Detail)`
`569`	`569`	`})`
`570`	`570`
`571`	`571`	`t.Run("ExpiredNoRefresh",func(t*testing.T) {`

`‎coderd/workspacebuilds_test.go‎`

Lines changed: 74 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -20,9 +20,11 @@ import (`
`20`	`20`	`"cdr.dev/slog/sloggers/slogtest"`
`21`	`21`	`"github.com/coder/coder/v2/coderd/audit"`
`22`	`22`	`"github.com/coder/coder/v2/coderd/coderdtest"`
	`23`	`+"github.com/coder/coder/v2/coderd/coderdtest/oidctest"`
`23`	`24`	`"github.com/coder/coder/v2/coderd/database"`
`24`	`25`	`"github.com/coder/coder/v2/coderd/database/dbauthz"`
`25`	`26`	`"github.com/coder/coder/v2/coderd/database/dbtime"`
	`27`	`+"github.com/coder/coder/v2/coderd/externalauth"`
`26`	`28`	`"github.com/coder/coder/v2/coderd/rbac"`
`27`	`29`	`"github.com/coder/coder/v2/codersdk"`
`28`	`30`	`"github.com/coder/coder/v2/provisioner/echo"`
`@@ -711,6 +713,78 @@ func TestWorkspaceBuildStatus(t *testing.T) {`
`711`	`713`	`require.EqualValues(t,codersdk.WorkspaceStatusDeleted,workspace.LatestBuild.Status)`
`712`	`714`	`}`
`713`	`715`
	`716`	`+funcTestWorkspaceDeleteSuspendedUser(t*testing.T) {`
	`717`	`+t.Parallel()`
	`718`	`+constproviderID="fake-github"`
	`719`	`+fake:=oidctest.NewFakeIDP(t,oidctest.WithServing())`
	`720`	`+`
	`721`	`+validateCalls:=0`
	`722`	`+userSuspended:=false`
	`723`	`+owner:=coderdtest.New(t,&coderdtest.Options{`
	`724`	`+IncludeProvisionerDaemon:true,`
	`725`	`+ExternalAuthConfigs: []*externalauth.Config{`
	`726`	`+fake.ExternalAuthConfig(t,providerID,&oidctest.ExternalAuthConfigOptions{`
	`727`	`+ValidatePayload:func(emailstring) (interface{},int,error) {`
	`728`	`+validateCalls++`
	`729`	`+ifuserSuspended {`
	`730`	`+// Simulate the user being suspended from the IDP too.`
	`731`	`+return"",http.StatusForbidden,fmt.Errorf("user is suspended")`
	`732`	`+}`
	`733`	`+return"OK",0,nil`
	`734`	`+},`
	`735`	`+}),`
	`736`	`+},`
	`737`	`+})`
	`738`	`+`
	`739`	`+first:=coderdtest.CreateFirstUser(t,owner)`
	`740`	`+`
	`741`	`+// New user that we will suspend when we try to delete the workspace.`
	`742`	`+client,user:=coderdtest.CreateAnotherUser(t,owner,first.OrganizationID,rbac.RoleTemplateAdmin())`
	`743`	`+fake.ExternalLogin(t,client)`
	`744`	`+`
	`745`	`+version:=coderdtest.CreateTemplateVersion(t,client,first.OrganizationID,&echo.Responses{`
	`746`	`+Parse:echo.ParseComplete,`
	`747`	`+ProvisionApply:echo.ApplyComplete,`
	`748`	`+ProvisionPlan: []*proto.Response{{`
	`749`	`+Type:&proto.Response_Plan{`
	`750`	`+Plan:&proto.PlanComplete{`
	`751`	`+Error:"",`
	`752`	`+Resources:nil,`
	`753`	`+Parameters:nil,`
	`754`	`+ExternalAuthProviders: []*proto.ExternalAuthProviderResource{`
	`755`	`+{`
	`756`	`+Id:providerID,`
	`757`	`+Optional:false,`
	`758`	`+},`
	`759`	`+},`
	`760`	`+},`
	`761`	`+},`
	`762`	`+}},`
	`763`	`+})`
	`764`	`+`
	`765`	`+validateCalls=0// Reset`
	`766`	`+coderdtest.AwaitTemplateVersionJobCompleted(t,client,version.ID)`
	`767`	`+template:=coderdtest.CreateTemplate(t,client,first.OrganizationID,version.ID)`
	`768`	`+workspace:=coderdtest.CreateWorkspace(t,client,first.OrganizationID,template.ID)`
	`769`	`+coderdtest.AwaitWorkspaceBuildJobCompleted(t,client,workspace.LatestBuild.ID)`
	`770`	`+require.Equal(t,1,validateCalls)// Ensure the external link is working`
	`771`	`+`
	`772`	`+// Suspend the user`
	`773`	`+ctx:=testutil.Context(t,testutil.WaitLong)`
	`774`	`+_,err:=owner.UpdateUserStatus(ctx,user.ID.String(),codersdk.UserStatusSuspended)`
	`775`	`+require.NoError(t,err,"suspend user")`
	`776`	`+`
	`777`	`+// Now delete the workspace build`
	`778`	`+userSuspended=true`
	`779`	`+build,err:=owner.CreateWorkspaceBuild(ctx,workspace.ID, codersdk.CreateWorkspaceBuildRequest{`
	`780`	`+Transition:codersdk.WorkspaceTransitionDelete,`
	`781`	`+})`
	`782`	`+require.NoError(t,err)`
	`783`	`+build=coderdtest.AwaitWorkspaceBuildJobCompleted(t,owner,build.ID)`
	`784`	`+require.Equal(t,2,validateCalls)`
	`785`	`+require.Equal(t,codersdk.WorkspaceStatusDeleted,build.Status)`
	`786`	`+}`
	`787`	`+`
`714`	`788`	`funcTestWorkspaceBuildDebugMode(t*testing.T) {`
`715`	`789`	`t.Parallel()`
`716`	`790`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit27f2691

File tree

4 files changed

4 files changed

`‎coderd/coderdtest/oidctest/idp.go‎`

`‎coderd/externalauth/externalauth.go‎`

`‎coderd/externalauth_test.go‎`

`‎coderd/workspacebuilds_test.go‎`

0 commit comments