NotificationsYou must be signed in to change notification settings
Fork1k
Star11.2k

Commit50b78e3

authored

chore: instrument external oauth2 requests (#11519)

* chore: instrument external oauth2 requestsExternal requests made by oauth2 configs are now instrumented into prometheus metrics.

1 parentaa7fe07 commit50b78e3Copy full SHA for 50b78e3

File tree

17 files changed

+425

-98

lines changed

cli
- create_test.go
- server.go
coderd
- coderdtest/oidctest
  - idp.go
- externalauth_test.go
- externalauth
  - externalauth.go
  - externalauth_test.go
- httpmw
  - apikey.go
  - oauth2.go
- oauthpki
  - oidcpki.go
- promoauth
- provisionerdserver
  - provisionerdserver.go
  - provisionerdserver_test.go
- templateversions_test.go
- userauth.go
testutil
- oauth2.go

17 files changed

+425

-98

lines changed

`‎cli/create_test.go‎`

Lines changed: 5 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -767,11 +767,11 @@ func TestCreateWithGitAuth(t *testing.T) {`
`767`	`767`
`768`	`768`	`client:=coderdtest.New(t,&coderdtest.Options{`
`769`	`769`	`ExternalAuthConfigs: []*externalauth.Config{{`
`770`		`-OAuth2Config:&testutil.OAuth2Config{},`
`771`		`-ID:"github",`
`772`		-Regex:regexp.MustCompile(`github\.com`),
`773`		`-Type:codersdk.EnhancedExternalAuthProviderGitHub.String(),`
`774`		`-DisplayName:"GitHub",`
	`770`	`+InstrumentedOAuth2Config:&testutil.OAuth2Config{},`
	`771`	`+ID:"github",`
	`772`	+Regex:regexp.MustCompile(`github\.com`),
	`773`	`+Type:codersdk.EnhancedExternalAuthProviderGitHub.String(),`
	`774`	`+DisplayName:"GitHub",`
`775`	`775`	`}},`
`776`	`776`	`IncludeProvisionerDaemon:true,`
`777`	`777`	`})`

`‎cli/server.go‎`

Lines changed: 18 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -80,6 +80,7 @@ import (`
`80`	`80`	`"github.com/coder/coder/v2/coderd/oauthpki"`
`81`	`81`	`"github.com/coder/coder/v2/coderd/prometheusmetrics"`
`82`	`82`	`"github.com/coder/coder/v2/coderd/prometheusmetrics/insights"`
	`83`	`+"github.com/coder/coder/v2/coderd/promoauth"`
`83`	`84`	`"github.com/coder/coder/v2/coderd/schedule"`
`84`	`85`	`"github.com/coder/coder/v2/coderd/telemetry"`
`85`	`86`	`"github.com/coder/coder/v2/coderd/tracing"`
`@@ -133,7 +134,7 @@ func createOIDCConfig(ctx context.Context, vals codersdk.DeploymentValues) (co`
`133`	`134`	`Scopes:vals.OIDC.Scopes,`
`134`	`135`	`}`
`135`	`136`
`136`		`-varuseCfghttpmw.OAuth2Config=oauthCfg`
	`137`	`+varuseCfgpromoauth.OAuth2Config=oauthCfg`
`137`	`138`	`ifvals.OIDC.ClientKeyFile!="" {`
`138`	`139`	`// PKI authentication is done in the params. If a`
`139`	`140`	`// counter example is found, we can add a config option to`
`@@ -523,8 +524,11 @@ func (r RootCmd) Server(newAPI func(context.Context, coderd.Options) (*coderd.`
`523`	`524`	`returnxerrors.Errorf("read external auth providers from env: %w",err)`
`524`	`525`	`}`
`525`	`526`
	`527`	`+promRegistry:=prometheus.NewRegistry()`
	`528`	`+oauthInstrument:=promoauth.NewFactory(promRegistry)`
`526`	`529`	`vals.ExternalAuthConfigs.Value=append(vals.ExternalAuthConfigs.Value,extAuthEnv...)`
`527`	`530`	`externalAuthConfigs,err:=externalauth.ConvertConfig(`
	`531`	`+oauthInstrument,`
`528`	`532`	`vals.ExternalAuthConfigs.Value,`
`529`	`533`	`vals.AccessURL.Value(),`
`530`	`534`	`)`
`@@ -571,7 +575,7 @@ func (r RootCmd) Server(newAPI func(context.Context, coderd.Options) (*coderd.`
`571`	`575`	`// the DeploymentValues instead, this just serves to indicate the source of each`
`572`	`576`	`// option. This is just defensive to prevent accidentally leaking.`
`573`	`577`	`DeploymentOptions:codersdk.DeploymentOptionsWithoutSecrets(opts),`
`574`		`-PrometheusRegistry:prometheus.NewRegistry(),`
	`578`	`+PrometheusRegistry:promRegistry,`
`575`	`579`	`APIRateLimit:int(vals.RateLimit.API.Value()),`
`576`	`580`	`LoginRateLimit:loginRateLimit,`
`577`	`581`	`FilesRateLimit:filesRateLimit,`
`@@ -617,7 +621,9 @@ func (r RootCmd) Server(newAPI func(context.Context, coderd.Options) (*coderd.`
`617`	`621`	`}`
`618`	`622`
`619`	`623`	`ifvals.OAuth2.Github.ClientSecret!="" {`
`620`		`-options.GithubOAuth2Config,err=configureGithubOAuth2(vals.AccessURL.Value(),`
	`624`	`+options.GithubOAuth2Config,err=configureGithubOAuth2(`
	`625`	`+oauthInstrument,`
	`626`	`+vals.AccessURL.Value(),`
`621`	`627`	`vals.OAuth2.Github.ClientID.String(),`
`622`	`628`	`vals.OAuth2.Github.ClientSecret.String(),`
`623`	`629`	`vals.OAuth2.Github.AllowSignups.Value(),`
`@@ -636,6 +642,12 @@ func (r RootCmd) Server(newAPI func(context.Context, coderd.Options) (*coderd.`
`636`	`642`	`logger.Warn(ctx,"coder will not check email_verified for OIDC logins")`
`637`	`643`	`}`
`638`	`644`
	`645`	`+// This OIDC config is not being instrumented with the`
	`646`	`+// oauth2 instrument wrapper. If we implement the missing`
	`647`	`+// oidc methods, then we can instrument it.`
	`648`	`+// Missing:`
	`649`	`+//- Userinfo`
	`650`	`+//- Verify`
`639`	`651`	`oc,err:=createOIDCConfig(ctx,vals)`
`640`	`652`	`iferr!=nil {`
`641`	`653`	`returnxerrors.Errorf("create oidc config: %w",err)`
`@@ -1737,7 +1749,7 @@ func configureCAPool(tlsClientCAFile string, tlsConfig *tls.Config) error {`
`1737`	`1749`	`}`
`1738`	`1750`
`1739`	`1751`	`//nolint:revive // Ignore flag-parameter: parameter 'allowEveryone' seems to be a control flag, avoid control coupling (revive)`
`1740`		`-funcconfigureGithubOAuth2(accessURLurl.URL,clientID,clientSecretstring,allowSignups,allowEveryonebool,allowOrgs []string,rawTeams []string,enterpriseBaseURLstring) (coderd.GithubOAuth2Config,error) {`
	`1752`	`+funcconfigureGithubOAuth2(instrumentpromoauth.Factory,accessURLurl.URL,clientID,clientSecretstring,allowSignups,allowEveryonebool,allowOrgs []string,rawTeams []string,enterpriseBaseURLstring) (*coderd.GithubOAuth2Config,error) {`
`1741`	`1753`	`redirectURL,err:=accessURL.Parse("/api/v2/users/oauth2/github/callback")`
`1742`	`1754`	`iferr!=nil {`
`1743`	`1755`	`returnnil,xerrors.Errorf("parse github oauth callback url: %w",err)`
`@@ -1790,7 +1802,7 @@ func configureGithubOAuth2(accessURL *url.URL, clientID, clientSecret string, al`
`1790`	`1802`	`}`
`1791`	`1803`
`1792`	`1804`	`return&coderd.GithubOAuth2Config{`
`1793`		`-OAuth2Config:&oauth2.Config{`
	`1805`	`+OAuth2Config:instrument.New("github-login",&oauth2.Config{`
`1794`	`1806`	`ClientID:clientID,`
`1795`	`1807`	`ClientSecret:clientSecret,`
`1796`	`1808`	`Endpoint:endpoint,`
`@@ -1800,7 +1812,7 @@ func configureGithubOAuth2(accessURL *url.URL, clientID, clientSecret string, al`
`1800`	`1812`	`"read:org",`
`1801`	`1813`	`"user:email",`
`1802`	`1814`	`},`
`1803`		`-},`
	`1815`	`+}),`
`1804`	`1816`	`AllowSignups:allowSignups,`
`1805`	`1817`	`AllowEveryone:allowEveryone,`
`1806`	`1818`	`AllowOrganizations:allowOrgs,`

`‎coderd/coderdtest/oidctest/idp.go‎`

Lines changed: 48 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@ import (`
`24`	`24`	`"github.com/go-jose/go-jose/v3"`
`25`	`25`	`"github.com/golang-jwt/jwt/v4"`
`26`	`26`	`"github.com/google/uuid"`
	`27`	`+"github.com/prometheus/client_golang/prometheus"`
`27`	`28`	`"github.com/stretchr/testify/assert"`
`28`	`29`	`"github.com/stretchr/testify/require"`
`29`	`30`	`"golang.org/x/oauth2"`
`@@ -33,6 +34,7 @@ import (`
`33`	`34`	`"cdr.dev/slog/sloggers/slogtest"`
`34`	`35`	`"github.com/coder/coder/v2/coderd"`
`35`	`36`	`"github.com/coder/coder/v2/coderd/externalauth"`
	`37`	`+"github.com/coder/coder/v2/coderd/promoauth"`
`36`	`38`	`"github.com/coder/coder/v2/coderd/util/syncmap"`
`37`	`39`	`"github.com/coder/coder/v2/codersdk"`
`38`	`40`	`)`
`@@ -223,6 +225,10 @@ func (f *FakeIDP) WellknownConfig() ProviderJSON {`
`223`	`225`	`returnf.provider`
`224`	`226`	`}`
`225`	`227`
	`228`	`+func (fFakeIDP)IssuerURL()url.URL {`
	`229`	`+returnf.issuerURL`
	`230`	`+}`
	`231`	`+`
`226`	`232`	`func (f*FakeIDP)updateIssuerURL(t testing.TB,issuerstring) {`
`227`	`233`	`t.Helper()`
`228`	`234`
`@@ -397,6 +403,44 @@ func (f FakeIDP) ExternalLogin(t testing.TB, client codersdk.Client, opts ...f`
`397`	`403`	`_=res.Body.Close()`
`398`	`404`	`}`
`399`	`405`
	`406`	`+// CreateAuthCode emulates a user clicking "allow" on the IDP page. When doing`
	`407`	`+// unit tests, it's easier to skip this step sometimes. It does make an actual`
	`408`	`+// request to the IDP, so it should be equivalent to doing this "manually" with`
	`409`	`+// actual requests.`
	`410`	`+func (fFakeIDP)CreateAuthCode(t testing.TB,statestring,opts...func(rhttp.Request))string {`
	`411`	`+// We need to store some claims, because this is also an OIDC provider, and`
	`412`	`+// it expects some claims to be present.`
	`413`	`+f.stateToIDTokenClaims.Store(state, jwt.MapClaims{})`
	`414`	`+`
	`415`	`+u:=f.cfg.AuthCodeURL(state)`
	`416`	`+r,err:=http.NewRequestWithContext(context.Background(),http.MethodPost,u,nil)`
	`417`	`+require.NoError(t,err,"failed to create auth request")`
	`418`	`+`
	`419`	`+for_,opt:=rangeopts {`
	`420`	`+opt(r)`
	`421`	`+}`
	`422`	`+`
	`423`	`+rw:=httptest.NewRecorder()`
	`424`	`+f.handler.ServeHTTP(rw,r)`
	`425`	`+resp:=rw.Result()`
	`426`	`+deferresp.Body.Close()`
	`427`	`+`
	`428`	`+require.Equal(t,http.StatusTemporaryRedirect,resp.StatusCode,"expected redirect")`
	`429`	`+to:=resp.Header.Get("Location")`
	`430`	`+require.NotEmpty(t,to,"expected redirect location")`
	`431`	`+`
	`432`	`+toURL,err:=url.Parse(to)`
	`433`	`+require.NoError(t,err,"failed to parse redirect location")`
	`434`	`+`
	`435`	`+code:=toURL.Query().Get("code")`
	`436`	`+require.NotEmpty(t,code,"expected code in redirect location")`
	`437`	`+`
	`438`	`+newState:=toURL.Query().Get("state")`
	`439`	`+require.Equal(t,state,newState,"expected state to match")`
	`440`	`+`
	`441`	`+returncode`
	`442`	`+}`
	`443`	`+`
`400`	`444`	`// OIDCCallback will emulate the IDP redirecting back to the Coder callback.`
`401`	`445`	`// This is helpful if no Coderd exists because the IDP needs to redirect to`
`402`	`446`	`// something.`
`@@ -901,9 +945,10 @@ func (f FakeIDP) ExternalAuthConfig(t testing.TB, id string, custom ExternalAu`
`901`	`945`	`handle(email,rw,r)`
`902`	`946`	`}`
`903`	`947`	`}`
	`948`	`+instrumentF:=promoauth.NewFactory(prometheus.NewRegistry())`
`904`	`949`	`cfg:=&externalauth.Config{`
`905`		`-OAuth2Config:f.OIDCConfig(t,nil),`
`906`		`-ID:id,`
	`950`	`+InstrumentedOAuth2Config:instrumentF.New(f.clientID,f.OIDCConfig(t,nil)),`
	`951`	`+ID:id,`
`907`	`952`	`// No defaults for these fields by omitting the type`
`908`	`953`	`Type:"",`
`909`	`954`	`DisplayIcon:f.WellknownConfig().UserInfoURL,`
`@@ -920,10 +965,10 @@ func (f FakeIDP) ExternalAuthConfig(t testing.TB, id string, custom ExternalAu`
`920`	`965`	`// OIDCConfig returns the OIDC config to use for Coderd.`
`921`	`966`	`func (fFakeIDP)OIDCConfig(t testing.TB,scopes []string,opts...func(cfgcoderd.OIDCConfig))*coderd.OIDCConfig {`
`922`	`967`	`t.Helper()`
	`968`	`+`
`923`	`969`	`iflen(scopes)==0 {`
`924`	`970`	`scopes= []string{"openid","email","profile"}`
`925`	`971`	`}`
`926`		`-`
`927`	`972`	`oauthCfg:=&oauth2.Config{`
`928`	`973`	`ClientID:f.clientID,`
`929`	`974`	`ClientSecret:f.clientSecret,`
`@@ -966,7 +1011,6 @@ func (f FakeIDP) OIDCConfig(t testing.TB, scopes []string, opts ...func(cfg co`
`966`	`1011`	`}`
`967`	`1012`
`968`	`1013`	`f.cfg=oauthCfg`
`969`		`-`
`970`	`1014`	`returncfg`
`971`	`1015`	`}`
`972`	`1016`

`‎coderd/externalauth/externalauth.go‎`

Lines changed: 30 additions & 27 deletions

Original file line number	Diff line number	Diff line change
`@@ -22,19 +22,14 @@ import (`
`22`	`22`	`"github.com/coder/coder/v2/coderd/database"`
`23`	`23`	`"github.com/coder/coder/v2/coderd/database/dbtime"`
`24`	`24`	`"github.com/coder/coder/v2/coderd/httpapi"`
	`25`	`+"github.com/coder/coder/v2/coderd/promoauth"`
`25`	`26`	`"github.com/coder/coder/v2/codersdk"`
`26`	`27`	`"github.com/coder/retry"`
`27`	`28`	`)`
`28`	`29`
`29`		`-typeOAuth2Configinterface {`
`30`		`-AuthCodeURL(statestring,opts...oauth2.AuthCodeOption)string`
`31`		`-Exchange(ctx context.Context,codestring,opts...oauth2.AuthCodeOption) (*oauth2.Token,error)`
`32`		`-TokenSource(context.Context,*oauth2.Token) oauth2.TokenSource`
`33`		`-}`
`34`		`-`
`35`	`30`	`// Config is used for authentication for Git operations.`
`36`	`31`	`typeConfigstruct {`
`37`		`-OAuth2Config`
	`32`	`+promoauth.InstrumentedOAuth2Config`
`38`	`33`	`// ID is a unique identifier for the authenticator.`
`39`	`34`	`IDstring`
`40`	`35`	`// Type is the type of provider.`
`@@ -192,12 +187,8 @@ func (c Config) ValidateToken(ctx context.Context, token string) (bool, coders`
`192`	`187`	`returnfalse,nil,err`
`193`	`188`	`}`
`194`	`189`
`195`		`-cli:=http.DefaultClient`
`196`		`-ifv,ok:=ctx.Value(oauth2.HTTPClient).(*http.Client);ok {`
`197`		`-cli=v`
`198`		`-}`
`199`	`190`	`req.Header.Set("Authorization",fmt.Sprintf("Bearer %s",token))`
`200`		`-res,err:=cli.Do(req)`
	`191`	`+res,err:=c.InstrumentedOAuth2Config.Do(ctx,promoauth.SourceValidateToken,req)`
`201`	`192`	`iferr!=nil {`
`202`	`193`	`returnfalse,nil,err`
`203`	`194`	`}`
`@@ -247,7 +238,7 @@ func (c *Config) AppInstallations(ctx context.Context, token string) ([]codersdk`
`247`	`238`	`returnnil,false,err`
`248`	`239`	`}`
`249`	`240`	`req.Header.Set("Authorization",fmt.Sprintf("Bearer %s",token))`
`250`		`-res,err:=http.DefaultClient.Do(req)`
	`241`	`+res,err:=c.InstrumentedOAuth2Config.Do(ctx,promoauth.SourceAppInstallations,req)`
`251`	`242`	`iferr!=nil {`
`252`	`243`	`returnnil,false,err`
`253`	`244`	`}`
`@@ -287,6 +278,8 @@ func (c *Config) AppInstallations(ctx context.Context, token string) ([]codersdk`
`287`	`278`	`}`
`288`	`279`
`289`	`280`	`typeDeviceAuthstruct {`
	`281`	`+// Config is provided for the http client method.`
	`282`	`+Config promoauth.InstrumentedOAuth2Config`
`290`	`283`	`ClientIDstring`
`291`	`284`	`TokenURLstring`
`292`	`285`	`Scopes []string`
`@@ -307,8 +300,17 @@ func (c DeviceAuth) AuthorizeDevice(ctx context.Context) (codersdk.ExternalAut`
`307`	`300`	`iferr!=nil {`
`308`	`301`	`returnnil,err`
`309`	`302`	`}`
	`303`	`+`
	`304`	`+do:=http.DefaultClient.Do`
	`305`	`+ifc.Config!=nil {`
	`306`	`+// The cfg can be nil in unit tests.`
	`307`	`+do=func(reqhttp.Request) (http.Response,error) {`
	`308`	`+returnc.Config.Do(ctx,promoauth.SourceAuthorizeDevice,req)`
	`309`	`+}`
	`310`	`+}`
	`311`	`+`
	`312`	`+resp,err:=do(req)`
`310`	`313`	`req.Header.Set("Accept","application/json")`
`311`		`-resp,err:=http.DefaultClient.Do(req)`
`312`	`314`	`iferr!=nil {`
`313`	`315`	`returnnil,err`
`314`	`316`	`}`
`@@ -401,7 +403,7 @@ func (c *DeviceAuth) formatDeviceCodeURL() (string, error) {`
`401`	`403`
`402`	`404`	`// ConvertConfig converts the SDK configuration entry format`
`403`	`405`	`// to the parsed and ready-to-consume in coderd provider type.`
`404`		`-funcConvertConfig(entries []codersdk.ExternalAuthConfig,accessURLurl.URL) ([]Config,error) {`
	`406`	`+funcConvertConfig(instrumentpromoauth.Factory,entries []codersdk.ExternalAuthConfig,accessURLurl.URL) ([]*Config,error) {`
`405`	`407`	`ids:=map[string]struct{}{}`
`406`	`408`	`configs:= []*Config{}`
`407`	`409`	`for_,entry:=rangeentries {`
`@@ -453,7 +455,7 @@ func ConvertConfig(entries []codersdk.ExternalAuthConfig, accessURL *url.URL) ([`
`453`	`455`	`Scopes:entry.Scopes,`
`454`	`456`	`}`
`455`	`457`
`456`		`-varoauthConfigOAuth2Config=oc`
	`458`	`+varoauthConfigpromoauth.OAuth2Config=oc`
`457`	`459`	`// Azure DevOps uses JWT token authentication!`
`458`	`460`	`ifentry.Type==string(codersdk.EnhancedExternalAuthProviderAzureDevops) {`
`459`	`461`	`oauthConfig=&jwtConfig{oc}`
`@@ -463,24 +465,25 @@ func ConvertConfig(entries []codersdk.ExternalAuthConfig, accessURL *url.URL) ([`
`463`	`465`	`}`
`464`	`466`
`465`	`467`	`cfg:=&Config{`
`466`		`-OAuth2Config:oauthConfig,`
`467`		`-ID:entry.ID,`
`468`		`-Regex:regex,`
`469`		`-Type:entry.Type,`
`470`		`-NoRefresh:entry.NoRefresh,`
`471`		`-ValidateURL:entry.ValidateURL,`
`472`		`-AppInstallationsURL:entry.AppInstallationsURL,`
`473`		`-AppInstallURL:entry.AppInstallURL,`
`474`		`-DisplayName:entry.DisplayName,`
`475`		`-DisplayIcon:entry.DisplayIcon,`
`476`		`-ExtraTokenKeys:entry.ExtraTokenKeys,`
	`468`	`+InstrumentedOAuth2Config:instrument.New(entry.ID,oauthConfig),`
	`469`	`+ID:entry.ID,`
	`470`	`+Regex:regex,`
	`471`	`+Type:entry.Type,`
	`472`	`+NoRefresh:entry.NoRefresh,`
	`473`	`+ValidateURL:entry.ValidateURL,`
	`474`	`+AppInstallationsURL:entry.AppInstallationsURL,`
	`475`	`+AppInstallURL:entry.AppInstallURL,`
	`476`	`+DisplayName:entry.DisplayName,`
	`477`	`+DisplayIcon:entry.DisplayIcon,`
	`478`	`+ExtraTokenKeys:entry.ExtraTokenKeys,`
`477`	`479`	`}`
`478`	`480`
`479`	`481`	`ifentry.DeviceFlow {`
`480`	`482`	`ifentry.DeviceCodeURL=="" {`
`481`	`483`	`returnnil,xerrors.Errorf("external auth provider %q: device auth url must be provided",entry.ID)`
`482`	`484`	`}`
`483`	`485`	`cfg.DeviceAuth=&DeviceAuth{`
	`486`	`+Config:cfg,`
`484`	`487`	`ClientID:entry.ClientID,`
`485`	`488`	`TokenURL:oc.Endpoint.TokenURL,`
`486`	`489`	`Scopes:entry.Scopes,`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit50b78e3

File tree

17 files changed

17 files changed

`‎cli/create_test.go‎`

`‎cli/server.go‎`

`‎coderd/coderdtest/oidctest/idp.go‎`

`‎coderd/externalauth/externalauth.go‎`

0 commit comments