coder/coderPublic

NotificationsYou must be signed in to change notification settings
Fork928
Star10.1k

Commit3d0febd

kylecarbs

and

ammario

authored

feat: Add OIDC authentication (#3314)

* feat: Add OIDC authentication* Extract username into a separate package and add OIDC tests* Add test case for invalid tokens* Add test case for username as email* Add OIDC to the frontend* Improve comments from self-review* Add authentication docs* Add telemetry* Update docs/install/auth.mdCo-authored-by: Ammar Bandukwala <ammar@ammar.io>* Update docs/install/auth.mdCo-authored-by: Ammar Bandukwala <ammar@ammar.io>* Remove username packageCo-authored-by: Ammar Bandukwala <ammar@ammar.io>

1 parent8b17bf9 commit3d0febdCopy full SHA for 3d0febd

File tree

28 files changed

+733

-137

lines changed

.vscode
- settings.json
cli
- server.go
coderd
- coderd.go
- coderd_test.go
- coderdtest
  - coderdtest.go
- database
  - dump
    - main.go
  - dump.sql
  - migrations
    - 000032_oidc.down.sql
    - 000032_oidc.up.sql
  - models.go
- httpapi
- httpmw
  - apikey.go
- telemetry
  - telemetry.go
- userauth.go
- userauth_test.go
codersdk
- users.go
docs
- install
  - auth.md
  - oauth.md
- manifest.json
go.mod
go.sum
site/src
- api
  - typesGenerated.ts
- components/SignInForm
  - SignInForm.stories.tsx
  - SignInForm.tsx
- testHelpers
  - entities.ts

28 files changed

+733

-137

lines changed

`‎.vscode/settings.json`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,7 @@`
`42`	`42`	`"mattn",`
`43`	`43`	`"mitchellh",`
`44`	`44`	`"moby",`
	`45`	`+"namesgenerator",`
`45`	`46`	`"nfpms",`
`46`	`47`	`"nhooyr",`
`47`	`48`	`"nolint",`

`‎cli/server.go`

Lines changed: 53 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,7 @@ import (`
`23`	`23`	`"sync"`
`24`	`24`	`"time"`
`25`	`25`
	`26`	`+"github.com/coreos/go-oidc/v3/oidc"`
`26`	`27`	`"github.com/coreos/go-systemd/daemon"`
`27`	`28`	`embeddedpostgres"github.com/fergusstrange/embedded-postgres"`
`28`	`29`	`"github.com/google/go-github/v43/github"`
`@@ -84,6 +85,12 @@ func server() *cobra.Command {`
`84`	`85`	`oauth2GithubAllowedOrganizations []string`
`85`	`86`	`oauth2GithubAllowedTeams []string`
`86`	`87`	`oauth2GithubAllowSignupsbool`
	`88`	`+oidcAllowSignupsbool`
	`89`	`+oidcClientIDstring`
	`90`	`+oidcClientSecretstring`
	`91`	`+oidcEmailDomainstring`
	`92`	`+oidcIssuerURLstring`
	`93`	`+oidcScopes []string`
`87`	`94`	`telemetryEnablebool`
`88`	`95`	`telemetryURLstring`
`89`	`96`	`tlsCertFilestring`
`@@ -283,6 +290,38 @@ func server() *cobra.Command {`
`283`	`290`	`}`
`284`	`291`	`}`
`285`	`292`
	`293`	`+ifoidcClientSecret!="" {`
	`294`	`+ifoidcClientID=="" {`
	`295`	`+returnxerrors.Errorf("OIDC client ID be set!")`
	`296`	`+}`
	`297`	`+ifoidcIssuerURL=="" {`
	`298`	`+returnxerrors.Errorf("OIDC issuer URL must be set!")`
	`299`	`+}`
	`300`	`+`
	`301`	`+oidcProvider,err:=oidc.NewProvider(ctx,oidcIssuerURL)`
	`302`	`+iferr!=nil {`
	`303`	`+returnxerrors.Errorf("configure oidc provider: %w",err)`
	`304`	`+}`
	`305`	`+redirectURL,err:=accessURLParsed.Parse("/api/v2/users/oidc/callback")`
	`306`	`+iferr!=nil {`
	`307`	`+returnxerrors.Errorf("parse oidc oauth callback url: %w",err)`
	`308`	`+}`
	`309`	`+options.OIDCConfig=&coderd.OIDCConfig{`
	`310`	`+OAuth2Config:&oauth2.Config{`
	`311`	`+ClientID:oidcClientID,`
	`312`	`+ClientSecret:oidcClientSecret,`
	`313`	`+RedirectURL:redirectURL.String(),`
	`314`	`+Endpoint:oidcProvider.Endpoint(),`
	`315`	`+Scopes:oidcScopes,`
	`316`	`+},`
	`317`	`+Verifier:oidcProvider.Verifier(&oidc.Config{`
	`318`	`+ClientID:oidcClientID,`
	`319`	`+}),`
	`320`	`+EmailDomain:oidcEmailDomain,`
	`321`	`+AllowSignups:oidcAllowSignups,`
	`322`	`+}`
	`323`	`+}`
	`324`	`+`
`286`	`325`	`ifinMemoryDatabase {`
`287`	`326`	`options.Database=databasefake.New()`
`288`	`327`	`options.Pubsub=database.NewPubsubInMemory()`
`@@ -341,6 +380,8 @@ func server() *cobra.Command {`
`341`	`380`	`Logger:logger.Named("telemetry"),`
`342`	`381`	`URL:telemetryURL,`
`343`	`382`	`GitHubOAuth:oauth2GithubClientID!="",`
	`383`	`+OIDCAuth:oidcClientID!="",`
	`384`	`+OIDCIssuerURL:oidcIssuerURL,`
`344`	`385`	`Prometheus:promEnabled,`
`345`	`386`	`STUN:len(stunServers)!=0,`
`346`	`387`	`Tunnel:tunnel,`
`@@ -637,6 +678,18 @@ func server() *cobra.Command {`
`637`	`678`	`"Specifies teams inside organizations the user must be a member of to authenticate with GitHub. Formatted as: <organization-name>/<team-slug>.")`
`638`	`679`	`cliflag.BoolVarP(root.Flags(),&oauth2GithubAllowSignups,"oauth2-github-allow-signups","","CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS",false,`
`639`	`680`	`"Specifies whether new users can sign up with GitHub.")`
	`681`	`+cliflag.BoolVarP(root.Flags(),&oidcAllowSignups,"oidc-allow-signups","","CODER_OIDC_ALLOW_SIGNUPS",true,`
	`682`	`+"Specifies whether new users can sign up with OIDC.")`
	`683`	`+cliflag.StringVarP(root.Flags(),&oidcClientID,"oidc-client-id","","CODER_OIDC_CLIENT_ID","",`
	`684`	`+"Specifies a client ID to use for OIDC.")`
	`685`	`+cliflag.StringVarP(root.Flags(),&oidcClientSecret,"oidc-client-secret","","CODER_OIDC_CLIENT_SECRET","",`
	`686`	`+"Specifies a client secret to use for OIDC.")`
	`687`	`+cliflag.StringVarP(root.Flags(),&oidcEmailDomain,"oidc-email-domain","","CODER_OIDC_EMAIL_DOMAIN","",`
	`688`	`+"Specifies an email domain that clients authenticating with OIDC must match.")`
	`689`	`+cliflag.StringVarP(root.Flags(),&oidcIssuerURL,"oidc-issuer-url","","CODER_OIDC_ISSUER_URL","",`
	`690`	`+"Specifies an issuer URL to use for OIDC.")`
	`691`	`+cliflag.StringArrayVarP(root.Flags(),&oidcScopes,"oidc-scopes","","CODER_OIDC_SCOPES", []string{oidc.ScopeOpenID,"profile","email"},`
	`692`	`+"Specifies scopes to grant when authenticating with OIDC.")`
`640`	`693`	`enableTelemetryByDefault:=!isTest()`
`641`	`694`	`cliflag.BoolVarP(root.Flags(),&telemetryEnable,"telemetry","","CODER_TELEMETRY",enableTelemetryByDefault,"Specifies whether telemetry is enabled or not. Coder collects anonymized usage data to help improve our product.")`
`642`	`695`	`cliflag.StringVarP(root.Flags(),&telemetryURL,"telemetry-url","","CODER_TELEMETRY_URL","https://telemetry.coder.com","Specifies a URL to send telemetry to.")`

`‎coderd/coderd.go`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -57,6 +57,7 @@ type Options struct {`
`57`	`57`	`AzureCertificates x509.VerifyOptions`
`58`	`58`	`GoogleTokenValidator*idtoken.Validator`
`59`	`59`	`GithubOAuth2Config*GithubOAuth2Config`
	`60`	`+OIDCConfig*OIDCConfig`
`60`	`61`	`ICEServers []webrtc.ICEServer`
`61`	`62`	`SecureAuthCookiebool`
`62`	`63`	`SSHKeygenAlgorithm gitsshkey.Algorithm`
`@@ -105,6 +106,7 @@ func New(options Options) API {`
`105`	`106`	`api.workspaceAgentCache=wsconncache.New(api.dialWorkspaceAgent,0)`
`106`	`107`	`oauthConfigs:=&httpmw.OAuth2Configs{`
`107`	`108`	`Github:options.GithubOAuth2Config,`
	`109`	`+OIDC:options.OIDCConfig,`
`108`	`110`	`}`
`109`	`111`	`apiKeyMiddleware:=httpmw.ExtractAPIKey(options.Database,oauthConfigs,false)`
`110`	`112`
`@@ -259,6 +261,10 @@ func New(options Options) API {`
`259`	`261`	`r.Get("/callback",api.userOAuth2Github)`
`260`	`262`	`})`
`261`	`263`	`})`
	`264`	`+r.Route("/oidc/callback",func(r chi.Router) {`
	`265`	`+r.Use(httpmw.ExtractOAuth2(options.OIDCConfig))`
	`266`	`+r.Get("/",api.userOIDC)`
	`267`	`+})`
`262`	`268`	`r.Group(func(r chi.Router) {`
`263`	`269`	`r.Use(`
`264`	`270`	`apiKeyMiddleware,`

`‎coderd/coderd_test.go`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -248,6 +248,7 @@ func TestAuthorizeAllEndpoints(t *testing.T) {`
`248`	`248`
`249`	`249`	`// Has it's own auth`
`250`	`250`	`"GET:/api/v2/users/oauth2/github/callback": {NoAuthorize:true},`
	`251`	`+"GET:/api/v2/users/oidc/callback": {NoAuthorize:true},`
`251`	`252`
`252`	`253`	`// All workspaceagents endpoints do not use rbac`
`253`	`254`	`"POST:/api/v2/workspaceagents/aws-instance-identity": {NoAuthorize:true},`

`‎coderd/coderdtest/coderdtest.go`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -63,6 +63,7 @@ type Options struct {`
`63`	`63`	`Authorizer rbac.Authorizer`
`64`	`64`	`AzureCertificates x509.VerifyOptions`
`65`	`65`	`GithubOAuth2Config*coderd.GithubOAuth2Config`
	`66`	`+OIDCConfig*coderd.OIDCConfig`
`66`	`67`	`GoogleTokenValidator*idtoken.Validator`
`67`	`68`	`SSHKeygenAlgorithm gitsshkey.Algorithm`
`68`	`69`	`APIRateLimitint`
`@@ -189,6 +190,7 @@ func newWithCloser(t testing.T, options Options) (*codersdk.Client, io.Closer)`
`189`	`190`	`AWSCertificates:options.AWSCertificates,`
`190`	`191`	`AzureCertificates:options.AzureCertificates,`
`191`	`192`	`GithubOAuth2Config:options.GithubOAuth2Config,`
	`193`	`+OIDCConfig:options.OIDCConfig,`
`192`	`194`	`GoogleTokenValidator:options.GoogleTokenValidator,`
`193`	`195`	`SSHKeygenAlgorithm:options.SSHKeygenAlgorithm,`
`194`	`196`	`TURNServer:turnServer,`

`‎coderd/database/dump.sql`

Lines changed: 2 additions & 1 deletion

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/dump/main.go`

Lines changed: 5 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,11 @@ func main() {`
`31`	`31`	`}`
`32`	`32`
`33`	`33`	`cmd:=exec.Command(`
	`34`	`+"docker",`
	`35`	`+"run",`
	`36`	`+"--rm",`
	`37`	`+"--network=host",`
	`38`	`+"postgres:13",`
`34`	`39`	`"pg_dump",`
`35`	`40`	`"--schema-only",`
`36`	`41`	`connection,`

`‎coderd/database/migrations/000032_oidc.down.sql`

Lines changed: 7 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,7 @@`
	`1`	`+CREATETYPEold_login_typeAS ENUM (`
	`2`	`+'password',`
	`3`	`+'github'`
	`4`	`+);`
	`5`	`+ALTERTABLE api_keys ALTER COLUMN login_type TYPE old_login_type USING (login_type::text::old_login_type);`
	`6`	`+DROPTYPE login_type;`
	`7`	`+ALTERTYPE old_login_type RENAME TO login_type;`

`‎coderd/database/migrations/000032_oidc.up.sql`

Lines changed: 8 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,8 @@`
	`1`	`+CREATETYPEnew_login_typeAS ENUM (`
	`2`	`+'password',`
	`3`	`+'github',`
	`4`	`+'oidc'`
	`5`	`+);`
	`6`	`+ALTERTABLE api_keys ALTER COLUMN login_type TYPE new_login_type USING (login_type::text::new_login_type);`
	`7`	`+DROPTYPE login_type;`
	`8`	`+ALTERTYPE new_login_type RENAME TO login_type;`

`‎coderd/database/models.go`

Lines changed: 1 addition & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/httpapi/httpapi.go`

Lines changed: 2 additions & 10 deletions

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,6 @@ import (`
`7`	`7`	`"fmt"`
`8`	`8`	`"net/http"`
`9`	`9`	`"reflect"`
`10`		`-"regexp"`
`11`	`10`	`"strings"`
`12`	`11`
`13`	`12`	`"github.com/go-playground/validator/v10"`
`@@ -16,8 +15,7 @@ import (`
`16`	`15`	`)`
`17`	`16`
`18`	`17`	`var (`
`19`		`-validate*validator.Validate`
`20`		`-usernameRegex=regexp.MustCompile("^[a-zA-Z0-9]+(?:-[a-zA-Z0-9]+)*$")`
	`18`	`+validate*validator.Validate`
`21`	`19`	`)`
`22`	`20`
`23`	`21`	`// This init is used to create a validator and register validation-specific`
`@@ -39,13 +37,7 @@ func init() {`
`39`	`37`	`if!ok {`
`40`	`38`	`returnfalse`
`41`	`39`	`}`
`42`		`-iflen(str)>32 {`
`43`		`-returnfalse`
`44`		`-}`
`45`		`-iflen(str)<1 {`
`46`		`-returnfalse`
`47`		`-}`
`48`		`-returnusernameRegex.MatchString(str)`
	`40`	`+returnUsernameValid(str)`
`49`	`41`	`})`
`50`	`42`	`iferr!=nil {`
`51`	`43`	`panic(err)`

`‎coderd/httpapi/httpapi_test.go`

Lines changed: 0 additions & 65 deletions

Original file line number	Diff line number	Diff line change
`@@ -81,71 +81,6 @@ func TestRead(t *testing.T) {`
`81`	`81`	`})`
`82`	`82`	`}`
`83`	`83`
`84`		`-funcTestReadUsername(t*testing.T) {`
`85`		`-t.Parallel()`
`86`		`-// Tests whether usernames are valid or not.`
`87`		`-testCases:= []struct {`
`88`		`-Usernamestring`
`89`		`-Validbool`
`90`		`-}{`
`91`		`-{"1",true},`
`92`		`-{"12",true},`
`93`		`-{"123",true},`
`94`		`-{"12345678901234567890",true},`
`95`		`-{"123456789012345678901",true},`
`96`		`-{"a",true},`
`97`		`-{"a1",true},`
`98`		`-{"a1b2",true},`
`99`		`-{"a1b2c3d4e5f6g7h8i9j0",true},`
`100`		`-{"a1b2c3d4e5f6g7h8i9j0k",true},`
`101`		`-{"aa",true},`
`102`		`-{"abc",true},`
`103`		`-{"abcdefghijklmnopqrst",true},`
`104`		`-{"abcdefghijklmnopqrstu",true},`
`105`		`-{"wow-test",true},`
`106`		`-`
`107`		`-{"",false},`
`108`		`-{" ",false},`
`109`		`-{" a",false},`
`110`		`-{" a ",false},`
`111`		`-{" 1",false},`
`112`		`-{"1 ",false},`
`113`		`-{" aa",false},`
`114`		`-{"aa ",false},`
`115`		`-{" 12",false},`
`116`		`-{"12 ",false},`
`117`		`-{" a1",false},`
`118`		`-{"a1 ",false},`
`119`		`-{" abcdefghijklmnopqrstu",false},`
`120`		`-{"abcdefghijklmnopqrstu ",false},`
`121`		`-{" 123456789012345678901",false},`
`122`		`-{" a1b2c3d4e5f6g7h8i9j0k",false},`
`123`		`-{"a1b2c3d4e5f6g7h8i9j0k ",false},`
`124`		`-{"bananas_wow",false},`
`125`		`-{"test--now",false},`
`126`		`-`
`127`		`-{"123456789012345678901234567890123",false},`
`128`		`-{"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",false},`
`129`		`-{"123456789012345678901234567890123123456789012345678901234567890123",false},`
`130`		`-}`
`131`		`-typetoValidatestruct {`
`132`		-Usernamestring`json:"username" validate:"username"`
`133`		`-}`
`134`		`-for_,testCase:=rangetestCases {`
`135`		`-testCase:=testCase`
`136`		`-t.Run(testCase.Username,func(t*testing.T) {`
`137`		`-t.Parallel()`
`138`		`-rw:=httptest.NewRecorder()`
`139`		`-data,err:=json.Marshal(toValidate{testCase.Username})`
`140`		`-require.NoError(t,err)`
`141`		`-r:=httptest.NewRequest("POST","/",bytes.NewBuffer(data))`
`142`		`-`
`143`		`-varvalidatetoValidate`
`144`		`-require.Equal(t,testCase.Valid,httpapi.Read(rw,r,&validate))`
`145`		`-})`
`146`		`-}`
`147`		`-}`
`148`		`-`
`149`	`84`	`funcWebsocketCloseMsg(t*testing.T) {`
`150`	`85`	`t.Parallel()`
`151`	`86`

`‎coderd/httpapi/username.go`

Lines changed: 45 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,45 @@`
	`1`	`+package httpapi`
	`2`	`+`
	`3`	`+import (`
	`4`	`+"regexp"`
	`5`	`+"strings"`
	`6`	`+`
	`7`	`+"github.com/moby/moby/pkg/namesgenerator"`
	`8`	`+)`
	`9`	`+`
	`10`	`+var (`
	`11`	`+usernameValid=regexp.MustCompile("^[a-zA-Z0-9]+(?:-[a-zA-Z0-9]+)*$")`
	`12`	`+usernameReplace=regexp.MustCompile("[^a-zA-Z0-9-]*")`
	`13`	`+)`
	`14`	`+`
	`15`	`+// UsernameValid returns whether the input string is a valid username.`
	`16`	`+funcUsernameValid(strstring)bool {`
	`17`	`+iflen(str)>32 {`
	`18`	`+returnfalse`
	`19`	`+}`
	`20`	`+iflen(str)<1 {`
	`21`	`+returnfalse`
	`22`	`+}`
	`23`	`+returnusernameValid.MatchString(str)`
	`24`	`+}`
	`25`	`+`
	`26`	`+// UsernameFrom returns a best-effort username from the provided string.`
	`27`	`+//`
	`28`	`+// It first attempts to validate the incoming string, which will`
	`29`	`+// be returned if it is valid. It then will attempt to extract`
	`30`	`+// the username from an email address. If no success happens during`
	`31`	`+// these steps, a random username will be returned.`
	`32`	`+funcUsernameFrom(strstring)string {`
	`33`	`+ifUsernameValid(str) {`
	`34`	`+returnstr`
	`35`	`+}`
	`36`	`+emailAt:=strings.LastIndex(str,"@")`
	`37`	`+ifemailAt>=0 {`
	`38`	`+str=str[:emailAt]`
	`39`	`+}`
	`40`	`+str=usernameReplace.ReplaceAllString(str,"")`
	`41`	`+ifUsernameValid(str) {`
	`42`	`+returnstr`
	`43`	`+}`
	`44`	`+returnstrings.ReplaceAll(namesgenerator.GetRandomName(1),"_","-")`
	`45`	`+}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit3d0febd

File tree

28 files changed

28 files changed

`‎.vscode/settings.json`

`‎cli/server.go`

`‎coderd/coderd.go`

`‎coderd/coderd_test.go`

`‎coderd/coderdtest/coderdtest.go`

`‎coderd/database/dump.sql`

`‎coderd/database/dump/main.go`

`‎coderd/database/migrations/000032_oidc.down.sql`

`‎coderd/database/migrations/000032_oidc.up.sql`

`‎coderd/database/models.go`

`‎coderd/httpapi/httpapi.go`

`‎coderd/httpapi/httpapi_test.go`

`‎coderd/httpapi/username.go`

0 commit comments