Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit386d77d

Browse files
committed
chore: add OAuth2 device flow test scripts
Change-Id: Ic232851727e683ab3d8b7ce970c505588da2f827Signed-off-by: Thomas Kosiewski <tk@coder.com>
1 parent18c8ebf commit386d77d

File tree

24 files changed

+794
-104
lines changed

24 files changed

+794
-104
lines changed

‎.claude/scripts/format.sh‎

Lines changed: 16 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -101,30 +101,36 @@ fi
101101
# Get the file extension to determine the appropriate formatter
102102
file_ext="${file_path##*.}"
103103

104+
# Helper function to run formatter and handle errors
105+
run_formatter() {
106+
local target="$1"
107+
local file_type="$2"
108+
109+
if! make FILE="$file_path""$target";then
110+
echo"Error: Failed to format$file_type file:$file_path">&2
111+
exit 2
112+
fi
113+
echo"✓ Formatted$file_type file:$file_path"
114+
}
104115
# Change to the project root directory (where the Makefile is located)
105116
cd"$(dirname"$0")/../.."
106117

107118
# Call the appropriate Makefile target based on file extension
108119
case"$file_ext"in
109120
go)
110-
make fmt/go FILE="$file_path"
111-
echo"✓ Formatted Go file:$file_path"
121+
run_formatter"fmt/go""Go"
112122
;;
113123
js | jsx | ts | tsx)
114-
make fmt/ts FILE="$file_path"
115-
echo"✓ Formatted TypeScript/JavaScript file:$file_path"
124+
run_formatter"fmt/ts""TypeScript/JavaScript"
116125
;;
117126
tf | tfvars)
118-
make fmt/terraform FILE="$file_path"
119-
echo"✓ Formatted Terraform file:$file_path"
127+
run_formatter"fmt/terraform""Terraform"
120128
;;
121129
sh)
122-
make fmt/shfmt FILE="$file_path"
123-
echo"✓ Formatted shell script:$file_path"
130+
run_formatter"fmt/shfmt""shell script"
124131
;;
125132
md)
126-
make fmt/markdown FILE="$file_path"
127-
echo"✓ Formatted Markdown file:$file_path"
133+
run_formatter"fmt/markdown""Markdown"
128134
;;
129135
*)
130136
echo"No formatter available for file extension:$file_ext"

‎coderd/coderd.go‎

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -974,7 +974,7 @@ func New(options *Options) *API {
974974
r.Route("/device",func(r chi.Router) {
975975
r.Post("/",api.postOAuth2DeviceAuthorization())// RFC 8628 compliant endpoint
976976
r.Route("/verify",func(r chi.Router) {
977-
r.Use(apiKeyMiddleware)
977+
r.Use(apiKeyMiddlewareRedirect)
978978
r.Get("/",api.getOAuth2DeviceVerification())
979979
r.Post("/",api.postOAuth2DeviceVerification())
980980
})

‎coderd/database/dbauthz/dbauthz.go‎

Lines changed: 16 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -399,6 +399,7 @@ var (
399399
rbac.ResourceProvisionerJobs.Type: {policy.ActionRead,policy.ActionUpdate,policy.ActionCreate},
400400
rbac.ResourceOauth2App.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},
401401
rbac.ResourceOauth2AppSecret.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},
402+
rbac.ResourceOauth2AppCodeToken.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},
402403
}),
403404
Org:map[string][]rbac.Permission{},
404405
User: []rbac.Permission{},
@@ -1324,6 +1325,14 @@ func (q *querier) CleanTailnetTunnels(ctx context.Context) error {
13241325
returnq.db.CleanTailnetTunnels(ctx)
13251326
}
13261327

1328+
func (q*querier)ConsumeOAuth2ProviderAppCodeByPrefix(ctx context.Context,secretPrefix []byte) (database.OAuth2ProviderAppCode,error) {
1329+
returnupdateWithReturn(q.log,q.auth,q.db.GetOAuth2ProviderAppCodeByPrefix,q.db.ConsumeOAuth2ProviderAppCodeByPrefix)(ctx,secretPrefix)
1330+
}
1331+
1332+
func (q*querier)ConsumeOAuth2ProviderDeviceCodeByPrefix(ctx context.Context,deviceCodePrefixstring) (database.OAuth2ProviderDeviceCode,error) {
1333+
returnupdateWithReturn(q.log,q.auth,q.db.GetOAuth2ProviderDeviceCodeByPrefix,q.db.ConsumeOAuth2ProviderDeviceCodeByPrefix)(ctx,deviceCodePrefix)
1334+
}
1335+
13271336
func (q*querier)CountAuditLogs(ctx context.Context,arg database.CountAuditLogsParams) (int64,error) {
13281337
// Shortcut if the user is an owner. The SQL filter is noticeable,
13291338
// and this is an easy win for owners. Which is the common case.
@@ -2301,8 +2310,8 @@ func (q *querier) GetOAuth2ProviderDeviceCodeByUserCode(ctx context.Context, use
23012310
}
23022311

23032312
func (q*querier)GetOAuth2ProviderDeviceCodesByClientID(ctx context.Context,clientID uuid.UUID) ([]database.OAuth2ProviderDeviceCode,error) {
2304-
// This requires access to readtheOAuth2 app
2305-
iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceOauth2App);err!=nil {
2313+
// This requires access to read OAuth2 app code tokens
2314+
iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceOauth2AppCodeToken);err!=nil {
23062315
return []database.OAuth2ProviderDeviceCode{},err
23072316
}
23082317
returnq.db.GetOAuth2ProviderDeviceCodesByClientID(ctx,clientID)
@@ -3752,8 +3761,8 @@ func (q *querier) InsertOAuth2ProviderAppToken(ctx context.Context, arg database
37523761
}
37533762

37543763
func (q*querier)InsertOAuth2ProviderDeviceCode(ctx context.Context,arg database.InsertOAuth2ProviderDeviceCodeParams) (database.OAuth2ProviderDeviceCode,error) {
3755-
// Creating device codes requires OAuth2 app access
3756-
iferr:=q.authorizeContext(ctx,policy.ActionCreate,rbac.ResourceOauth2App);err!=nil {
3764+
// Creating device codes requires OAuth2 appcode token creationaccess
3765+
iferr:=q.authorizeContext(ctx,policy.ActionCreate,rbac.ResourceOauth2AppCodeToken);err!=nil {
37573766
return database.OAuth2ProviderDeviceCode{},err
37583767
}
37593768
returnq.db.InsertOAuth2ProviderDeviceCode(ctx,arg)
@@ -4432,13 +4441,10 @@ func (q *querier) UpdateOAuth2ProviderAppSecretByID(ctx context.Context, arg dat
44324441
}
44334442

44344443
func (q*querier)UpdateOAuth2ProviderDeviceCodeAuthorization(ctx context.Context,arg database.UpdateOAuth2ProviderDeviceCodeAuthorizationParams) (database.OAuth2ProviderDeviceCode,error) {
4435-
// Verify the user is authenticated for device code authorization
4436-
_,ok:=ActorFromContext(ctx)
4437-
if!ok {
4438-
return database.OAuth2ProviderDeviceCode{},ErrNoActor
4444+
fetch:=func(ctx context.Context,arg database.UpdateOAuth2ProviderDeviceCodeAuthorizationParams) (database.OAuth2ProviderDeviceCode,error) {
4445+
returnq.db.GetOAuth2ProviderDeviceCodeByID(ctx,arg.ID)
44394446
}
4440-
4441-
returnq.db.UpdateOAuth2ProviderDeviceCodeAuthorization(ctx,arg)
4447+
returnupdateWithReturn(q.log,q.auth,fetch,q.db.UpdateOAuth2ProviderDeviceCodeAuthorization)(ctx,arg)
44424448
}
44434449

44444450
func (q*querier)UpdateOrganization(ctx context.Context,arg database.UpdateOrganizationParams) (database.Organization,error) {

‎coderd/database/dbauthz/dbauthz_test.go‎

Lines changed: 122 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5423,6 +5423,19 @@ func (s *MethodTestSuite) TestOAuth2ProviderAppCodes() {
54235423
UserID:user.ID,
54245424
}).Asserts(rbac.ResourceOauth2AppCodeToken.WithOwner(user.ID.String()),policy.ActionDelete)
54255425
}))
5426+
s.Run("ConsumeOAuth2ProviderAppCodeByPrefix",s.Subtest(func(db database.Store,check*expects) {
5427+
user:=dbgen.User(s.T(),db, database.User{})
5428+
app:=dbgen.OAuth2ProviderApp(s.T(),db, database.OAuth2ProviderApp{})
5429+
// Use unique prefix to avoid test isolation issues
5430+
uniquePrefix:=fmt.Sprintf("prefix-%s-%d",s.T().Name(),time.Now().UnixNano())
5431+
code:=dbgen.OAuth2ProviderAppCode(s.T(),db, database.OAuth2ProviderAppCode{
5432+
SecretPrefix: []byte(uniquePrefix),
5433+
UserID:user.ID,
5434+
AppID:app.ID,
5435+
ExpiresAt:time.Now().Add(24*time.Hour),// Extended expiry for test stability
5436+
})
5437+
check.Args(code.SecretPrefix).Asserts(code,policy.ActionUpdate).Returns(code)
5438+
}))
54265439
}
54275440

54285441
func (s*MethodTestSuite)TestOAuth2ProviderAppTokens() {
@@ -5498,6 +5511,115 @@ func (s *MethodTestSuite) TestOAuth2ProviderAppTokens() {
54985511
}))
54995512
}
55005513

5514+
func (s*MethodTestSuite)TestOAuth2ProviderDeviceCodes() {
5515+
s.Run("InsertOAuth2ProviderDeviceCode",s.Subtest(func(db database.Store,check*expects) {
5516+
app:=dbgen.OAuth2ProviderApp(s.T(),db, database.OAuth2ProviderApp{})
5517+
check.Args(database.InsertOAuth2ProviderDeviceCodeParams{
5518+
ClientID:app.ID,
5519+
DeviceCodePrefix:"testpref",
5520+
DeviceCodeHash: []byte("hash"),
5521+
UserCode:"TEST1234",
5522+
VerificationUri:"http://example.com/device",
5523+
}).Asserts(rbac.ResourceOauth2AppCodeToken,policy.ActionCreate)
5524+
}))
5525+
s.Run("GetOAuth2ProviderDeviceCodeByID",s.Subtest(func(db database.Store,check*expects) {
5526+
app:=dbgen.OAuth2ProviderApp(s.T(),db, database.OAuth2ProviderApp{})
5527+
deviceCode,err:=db.InsertOAuth2ProviderDeviceCode(context.Background(), database.InsertOAuth2ProviderDeviceCodeParams{
5528+
ClientID:app.ID,
5529+
DeviceCodePrefix:"testpref",
5530+
UserCode:"TEST1234",
5531+
VerificationUri:"http://example.com/device",
5532+
})
5533+
require.NoError(s.T(),err)
5534+
check.Args(deviceCode.ID).Asserts(deviceCode,policy.ActionRead).Returns(deviceCode)
5535+
}))
5536+
s.Run("GetOAuth2ProviderDeviceCodeByPrefix",s.Subtest(func(db database.Store,check*expects) {
5537+
app:=dbgen.OAuth2ProviderApp(s.T(),db, database.OAuth2ProviderApp{})
5538+
deviceCode,err:=db.InsertOAuth2ProviderDeviceCode(context.Background(), database.InsertOAuth2ProviderDeviceCodeParams{
5539+
ClientID:app.ID,
5540+
DeviceCodePrefix:"testpref",
5541+
UserCode:"TEST1234",
5542+
VerificationUri:"http://example.com/device",
5543+
})
5544+
require.NoError(s.T(),err)
5545+
check.Args(deviceCode.DeviceCodePrefix).Asserts(deviceCode,policy.ActionRead).Returns(deviceCode)
5546+
}))
5547+
s.Run("GetOAuth2ProviderDeviceCodeByUserCode",s.Subtest(func(db database.Store,check*expects) {
5548+
app:=dbgen.OAuth2ProviderApp(s.T(),db, database.OAuth2ProviderApp{})
5549+
deviceCode,err:=db.InsertOAuth2ProviderDeviceCode(context.Background(), database.InsertOAuth2ProviderDeviceCodeParams{
5550+
ClientID:app.ID,
5551+
DeviceCodePrefix:"testpref",
5552+
UserCode:"TEST1234",
5553+
VerificationUri:"http://example.com/device",
5554+
})
5555+
require.NoError(s.T(),err)
5556+
check.Args(deviceCode.UserCode).Asserts(deviceCode,policy.ActionRead).Returns(deviceCode)
5557+
}))
5558+
s.Run("GetOAuth2ProviderDeviceCodesByClientID",s.Subtest(func(db database.Store,check*expects) {
5559+
app:=dbgen.OAuth2ProviderApp(s.T(),db, database.OAuth2ProviderApp{})
5560+
deviceCode,err:=db.InsertOAuth2ProviderDeviceCode(context.Background(), database.InsertOAuth2ProviderDeviceCodeParams{
5561+
ClientID:app.ID,
5562+
DeviceCodePrefix:"testpref",
5563+
UserCode:"TEST1234",
5564+
VerificationUri:"http://example.com/device",
5565+
})
5566+
require.NoError(s.T(),err)
5567+
check.Args(app.ID).Asserts(rbac.ResourceOauth2AppCodeToken,policy.ActionRead).Returns([]database.OAuth2ProviderDeviceCode{deviceCode})
5568+
}))
5569+
s.Run("ConsumeOAuth2ProviderDeviceCodeByPrefix",s.Subtest(func(db database.Store,check*expects) {
5570+
app:=dbgen.OAuth2ProviderApp(s.T(),db, database.OAuth2ProviderApp{})
5571+
user:=dbgen.User(s.T(),db, database.User{})
5572+
// Use unique identifiers to avoid test isolation issues
5573+
// Device code prefix must be exactly 8 characters
5574+
uniquePrefix:=fmt.Sprintf("t%07d",time.Now().UnixNano()%10000000)
5575+
uniqueUserCode:=fmt.Sprintf("USER%04d",time.Now().UnixNano()%10000)
5576+
// Create device code using dbgen (now available!)
5577+
deviceCode:=dbgen.OAuth2ProviderDeviceCode(s.T(),db, database.OAuth2ProviderDeviceCode{
5578+
DeviceCodePrefix:uniquePrefix,
5579+
UserCode:uniqueUserCode,
5580+
ClientID:app.ID,
5581+
ExpiresAt:time.Now().Add(24*time.Hour),// Extended expiry for test stability
5582+
})
5583+
// Authorize the device code so it can be consumed
5584+
deviceCode,err:=db.UpdateOAuth2ProviderDeviceCodeAuthorization(s.T().Context(), database.UpdateOAuth2ProviderDeviceCodeAuthorizationParams{
5585+
ID:deviceCode.ID,
5586+
UserID: uuid.NullUUID{UUID:user.ID,Valid:true},
5587+
Status:database.OAuth2DeviceStatusAuthorized,
5588+
})
5589+
require.NoError(s.T(),err)
5590+
require.Equal(s.T(),database.OAuth2DeviceStatusAuthorized,deviceCode.Status)
5591+
check.Args(uniquePrefix).Asserts(deviceCode,policy.ActionUpdate).Returns(deviceCode)
5592+
}))
5593+
s.Run("UpdateOAuth2ProviderDeviceCodeAuthorization",s.Subtest(func(db database.Store,check*expects) {
5594+
app:=dbgen.OAuth2ProviderApp(s.T(),db, database.OAuth2ProviderApp{})
5595+
user:=dbgen.User(s.T(),db, database.User{})
5596+
// Create device code using dbgen
5597+
deviceCode:=dbgen.OAuth2ProviderDeviceCode(s.T(),db, database.OAuth2ProviderDeviceCode{
5598+
ClientID:app.ID,
5599+
})
5600+
require.Equal(s.T(),database.OAuth2DeviceStatusPending,deviceCode.Status)
5601+
check.Args(database.UpdateOAuth2ProviderDeviceCodeAuthorizationParams{
5602+
ID:deviceCode.ID,
5603+
UserID: uuid.NullUUID{UUID:user.ID,Valid:true},
5604+
Status:database.OAuth2DeviceStatusAuthorized,
5605+
}).Asserts(deviceCode,policy.ActionUpdate)
5606+
}))
5607+
s.Run("DeleteOAuth2ProviderDeviceCodeByID",s.Subtest(func(db database.Store,check*expects) {
5608+
app:=dbgen.OAuth2ProviderApp(s.T(),db, database.OAuth2ProviderApp{})
5609+
deviceCode,err:=db.InsertOAuth2ProviderDeviceCode(context.Background(), database.InsertOAuth2ProviderDeviceCodeParams{
5610+
ClientID:app.ID,
5611+
DeviceCodePrefix:"testpref",
5612+
UserCode:"TEST1234",
5613+
VerificationUri:"http://example.com/device",
5614+
})
5615+
require.NoError(s.T(),err)
5616+
check.Args(deviceCode.ID).Asserts(deviceCode,policy.ActionDelete)
5617+
}))
5618+
s.Run("DeleteExpiredOAuth2ProviderDeviceCodes",s.Subtest(func(db database.Store,check*expects) {
5619+
check.Args().Asserts(rbac.ResourceSystem,policy.ActionDelete)
5620+
}))
5621+
}
5622+
55015623
func (s*MethodTestSuite)TestResourcesMonitor() {
55025624
createAgent:=func(t*testing.T,db database.Store) (database.WorkspaceAgent, database.WorkspaceTable) {
55035625
t.Helper()

‎coderd/database/dbgen/dbgen.go‎

Lines changed: 21 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1199,7 +1199,7 @@ func OAuth2ProviderAppCode(t testing.TB, db database.Store, seed database.OAuth2
11991199
code,err:=db.InsertOAuth2ProviderAppCode(genCtx, database.InsertOAuth2ProviderAppCodeParams{
12001200
ID:takeFirst(seed.ID,uuid.New()),
12011201
CreatedAt:takeFirst(seed.CreatedAt,dbtime.Now()),
1202-
ExpiresAt:takeFirst(seed.CreatedAt,dbtime.Now()),
1202+
ExpiresAt:takeFirst(seed.ExpiresAt,dbtime.Now().Add(24*time.Hour)),
12031203
SecretPrefix:takeFirstSlice(seed.SecretPrefix, []byte("prefix")),
12041204
HashedSecret:takeFirstSlice(seed.HashedSecret, []byte("hashed-secret")),
12051205
AppID:takeFirst(seed.AppID,uuid.New()),
@@ -1216,7 +1216,7 @@ func OAuth2ProviderAppToken(t testing.TB, db database.Store, seed database.OAuth
12161216
token,err:=db.InsertOAuth2ProviderAppToken(genCtx, database.InsertOAuth2ProviderAppTokenParams{
12171217
ID:takeFirst(seed.ID,uuid.New()),
12181218
CreatedAt:takeFirst(seed.CreatedAt,dbtime.Now()),
1219-
ExpiresAt:takeFirst(seed.CreatedAt,dbtime.Now()),
1219+
ExpiresAt:takeFirst(seed.ExpiresAt,dbtime.Now().Add(24*time.Hour)),
12201220
HashPrefix:takeFirstSlice(seed.HashPrefix, []byte("prefix")),
12211221
RefreshHash:takeFirstSlice(seed.RefreshHash, []byte("hashed-secret")),
12221222
AppSecretID:takeFirst(seed.AppSecretID,uuid.New()),
@@ -1228,6 +1228,25 @@ func OAuth2ProviderAppToken(t testing.TB, db database.Store, seed database.OAuth
12281228
returntoken
12291229
}
12301230

1231+
funcOAuth2ProviderDeviceCode(t testing.TB,db database.Store,seed database.OAuth2ProviderDeviceCode) database.OAuth2ProviderDeviceCode {
1232+
deviceCode,err:=db.InsertOAuth2ProviderDeviceCode(genCtx, database.InsertOAuth2ProviderDeviceCodeParams{
1233+
ID:takeFirst(seed.ID,uuid.New()),
1234+
CreatedAt:takeFirst(seed.CreatedAt,dbtime.Now()),
1235+
ExpiresAt:takeFirst(seed.ExpiresAt,dbtime.Now().Add(24*time.Hour)),
1236+
DeviceCodeHash:takeFirstSlice(seed.DeviceCodeHash, []byte("device-hash")),
1237+
DeviceCodePrefix:takeFirst(seed.DeviceCodePrefix,testutil.GetRandomName(t)[:8]),
1238+
UserCode:takeFirst(seed.UserCode,testutil.GetRandomName(t)),
1239+
ClientID:takeFirst(seed.ClientID,uuid.New()),
1240+
VerificationUri:takeFirst(seed.VerificationUri,"https://example.com/device"),
1241+
VerificationUriComplete:seed.VerificationUriComplete,
1242+
Scope:seed.Scope,
1243+
ResourceUri:seed.ResourceUri,
1244+
PollingInterval:takeFirst(seed.PollingInterval,5),
1245+
})
1246+
require.NoError(t,err,"insert oauth2 device code")
1247+
returndeviceCode
1248+
}
1249+
12311250
funcWorkspaceAgentMemoryResourceMonitor(t testing.TB,db database.Store,seed database.WorkspaceAgentMemoryResourceMonitor) database.WorkspaceAgentMemoryResourceMonitor {
12321251
monitor,err:=db.InsertMemoryResourceMonitor(genCtx, database.InsertMemoryResourceMonitorParams{
12331252
AgentID:takeFirst(seed.AgentID,uuid.New()),

‎coderd/database/dbmetrics/querymetrics.go‎

Lines changed: 14 additions & 0 deletions
Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

‎coderd/database/dbmock/dbmock.go‎

Lines changed: 30 additions & 0 deletions
Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

‎coderd/database/dump.sql‎

Lines changed: 3 additions & 2 deletions
Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp