NotificationsYou must be signed in to change notification settings
Fork927
Star10.1k

Commit58f7071

authored

fix: make 'NoRefresh' honor unlimited tokens in gitauth (#9472)

* chore: fix NoRefresh to honor unlimited tokens* improve testing coverage of gitauth* refactor rest of gitauth tests

1 parentda0ef92 commit58f7071Copy full SHA for 58f7071

File tree

5 files changed

+354

-112

lines changed

coderd
- coderdtest/oidctest
  - idp.go
- gitauth
  - config.go
  - config_test.go
- userauth_test.go
enterprise/coderd
- userauth_test.go

5 files changed

+354

-112

lines changed

`‎coderd/coderdtest/oidctest/idp.go`

Lines changed: 64 additions & 15 deletions

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ import (`
`7`	`7`	`"crypto/x509"`
`8`	`8`	`"encoding/json"`
`9`	`9`	`"encoding/pem"`
	`10`	`+"errors"`
`10`	`11`	`"fmt"`
`11`	`12`	`"io"`
`12`	`13`	`"net"`
`@@ -41,7 +42,7 @@ import (`
`41`	`42`	`typeFakeIDPstruct {`
`42`	`43`	`issuerstring`
`43`	`44`	`key*rsa.PrivateKey`
`44`		`-providerproviderJSON`
	`45`	`+providerProviderJSON`
`45`	`46`	`handler http.Handler`
`46`	`47`	`cfg*oauth2.Config`
`47`	`48`
`@@ -66,7 +67,7 @@ type FakeIDP struct {`
`66`	`67`	`// IDP -> Application. Almost all IDPs have the concept of`
`67`	`68`	`// "Authorized Redirect URLs". This can be used to emulate that.`
`68`	`69`	`hookValidRedirectURLfunc(redirectURLstring)error`
`69`		`-hookUserInfofunc(emailstring) jwt.MapClaims`
	`70`	`+hookUserInfofunc(emailstring)(jwt.MapClaims,error)`
`70`	`71`	`fakeCoderdfunc(reqhttp.Request) (http.Response,error)`
`71`	`72`	`hookOnRefreshfunc(emailstring)error`
`72`	`73`	`// Custom authentication for the client. This is useful if you want`
`@@ -75,6 +76,26 @@ type FakeIDP struct {`
`75`	`76`	`servebool`
`76`	`77`	`}`
`77`	`78`
	`79`	`+funcStatusError(codeint,errerror)error {`
	`80`	`+returnstatusHookError{`
	`81`	`+Err:err,`
	`82`	`+HTTPStatusCode:code,`
	`83`	`+}`
	`84`	`+}`
	`85`	`+`
	`86`	`+// statusHookError allows a hook to change the returned http status code.`
	`87`	`+typestatusHookErrorstruct {`
	`88`	`+Errerror`
	`89`	`+HTTPStatusCodeint`
	`90`	`+}`
	`91`	`+`
	`92`	`+func (sstatusHookError)Error()string {`
	`93`	`+ifs.Err==nil {`
	`94`	`+return""`
	`95`	`+}`
	`96`	`+returns.Err.Error()`
	`97`	`+}`
	`98`	`+`
`78`	`99`	`typeFakeIDPOptfunc(idp*FakeIDP)`
`79`	`100`
`80`	`101`	`funcWithAuthorizedRedirectURL(hookfunc(redirectURLstring)error)func(*FakeIDP) {`
`@@ -83,9 +104,9 @@ func WithAuthorizedRedirectURL(hook func(redirectURL string) error) func(*FakeID`
`83`	`104`	`}`
`84`	`105`	`}`
`85`	`106`
`86`		`-//WithRefreshHook is called when a refresh token is used. The email is`
	`107`	`+//WithRefresh is called when a refresh token is used. The email is`
`87`	`108`	`// the email of the user that is being refreshed assuming the claims are correct.`
`88`		`-funcWithRefreshHook(hookfunc(emailstring)error)func(*FakeIDP) {`
	`109`	`+funcWithRefresh(hookfunc(emailstring)error)func(*FakeIDP) {`
`89`	`110`	`returnfunc(f*FakeIDP) {`
`90`	`111`	`f.hookOnRefresh=hook`
`91`	`112`	`}`
`@@ -108,13 +129,13 @@ func WithLogging(t testing.TB, options slogtest.Options) func(FakeIDP) {`
`108`	`129`	`// every user on the /userinfo endpoint.`
`109`	`130`	`funcWithStaticUserInfo(info jwt.MapClaims)func(*FakeIDP) {`
`110`	`131`	`returnfunc(f*FakeIDP) {`
`111`		`-f.hookUserInfo=func(_string) jwt.MapClaims {`
`112`		`-returninfo`
	`132`	`+f.hookUserInfo=func(_string)(jwt.MapClaims,error) {`
	`133`	`+returninfo,nil`
`113`	`134`	`}`
`114`	`135`	`}`
`115`	`136`	`}`
`116`	`137`
`117`		`-funcWithDynamicUserInfo(userInfoFuncfunc(emailstring) jwt.MapClaims)func(*FakeIDP) {`
	`138`	`+funcWithDynamicUserInfo(userInfoFuncfunc(emailstring)(jwt.MapClaims,error))func(*FakeIDP) {`
`118`	`139`	`returnfunc(f*FakeIDP) {`
`119`	`140`	`f.hookUserInfo=userInfoFunc`
`120`	`141`	`}`
`@@ -160,7 +181,7 @@ func NewFakeIDP(t testing.TB, opts ...FakeIDPOpt) *FakeIDP {`
`160`	`181`	`stateToIDTokenClaims:syncmap.New[string, jwt.MapClaims](),`
`161`	`182`	`refreshIDTokenClaims:syncmap.New[string, jwt.MapClaims](),`
`162`	`183`	`hookOnRefresh:func(_string)error {returnnil },`
`163`		`-hookUserInfo:func(emailstring) jwt.MapClaims{return jwt.MapClaims{} },`
	`184`	`+hookUserInfo:func(emailstring)(jwt.MapClaims,error){return jwt.MapClaims{},nil },`
`164`	`185`	`hookValidRedirectURL:func(redirectURLstring)error {returnnil },`
`165`	`186`	`}`
`166`	`187`
`@@ -181,16 +202,20 @@ func NewFakeIDP(t testing.TB, opts ...FakeIDPOpt) *FakeIDP {`
`181`	`202`	`returnidp`
`182`	`203`	`}`
`183`	`204`
	`205`	`+func (f*FakeIDP)WellknownConfig()ProviderJSON {`
	`206`	`+returnf.provider`
	`207`	`+}`
	`208`	`+`
`184`	`209`	`func (f*FakeIDP)updateIssuerURL(t testing.TB,issuerstring) {`
`185`	`210`	`t.Helper()`
`186`	`211`
`187`	`212`	`u,err:=url.Parse(issuer)`
`188`	`213`	`require.NoError(t,err,"invalid issuer URL")`
`189`	`214`
`190`	`215`	`f.issuer=issuer`
`191`		`-//providerJSON is the JSON representation of the OpenID Connect provider`
	`216`	`+//ProviderJSON is the JSON representation of the OpenID Connect provider`
`192`	`217`	`// These are all the urls that the IDP will respond to.`
`193`		`-f.provider=providerJSON{`
	`218`	`+f.provider=ProviderJSON{`
`194`	`219`	`Issuer:issuer,`
`195`	`220`	`AuthURL:u.ResolveReference(&url.URL{Path:authorizePath}).String(),`
`196`	`221`	`TokenURL:u.ResolveReference(&url.URL{Path:tokenPath}).String(),`
`@@ -220,6 +245,15 @@ func (f FakeIDP) realServer(t testing.TB) httptest.Server {`
`220`	`245`	`returnsrv`
`221`	`246`	`}`
`222`	`247`
	`248`	`+// GenerateAuthenticatedToken skips all oauth2 flows, and just generates a`
	`249`	`+// valid token for some given claims.`
	`250`	`+func (fFakeIDP)GenerateAuthenticatedToken(claims jwt.MapClaims) (oauth2.Token,error) {`
	`251`	`+state:=uuid.NewString()`
	`252`	`+f.stateToIDTokenClaims.Store(state,claims)`
	`253`	`+code:=f.newCode(state)`
	`254`	`+returnf.cfg.Exchange(oidc.ClientContext(context.Background(),f.HTTPClient(nil)),code)`
	`255`	`+}`
	`256`	`+`
`223`	`257`	`// Login does the full OIDC flow starting at the "LoginButton".`
`224`	`258`	`// The client argument is just to get the URL of the Coder instance.`
`225`	`259`	`//`
`@@ -333,7 +367,8 @@ func (f *FakeIDP) OIDCCallback(t testing.TB, state string, idTokenClaims jwt.Map`
`333`	`367`	`returnresp,nil`
`334`	`368`	`}`
`335`	`369`
`336`		`-typeproviderJSONstruct {`
	`370`	`+// ProviderJSON is the .well-known/configuration JSON`
	`371`	`+typeProviderJSONstruct {`
`337`	`372`	Issuerstring`json:"issuer"`
`338`	`373`	AuthURLstring`json:"authorization_endpoint"`
`339`	`374`	TokenURLstring`json:"token_endpoint"`
`@@ -475,7 +510,7 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {`
`475`	`510`	`err:=f.hookValidRedirectURL(redirectURI)`
`476`	`511`	`iferr!=nil {`
`477`	`512`	`t.Errorf("not authorized redirect_uri by custom hook %q: %s",redirectURI,err.Error())`
`478`		`-http.Error(rw,fmt.Sprintf("invalid redirect_uri: %s",err.Error()),http.StatusBadRequest)`
	`513`	`+http.Error(rw,fmt.Sprintf("invalid redirect_uri: %s",err.Error()),httpErrorCode(http.StatusBadRequest,err))`
`479`	`514`	`return`
`480`	`515`	`}`
`481`	`516`
`@@ -501,7 +536,7 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {`
`501`	`536`	`slog.F("values",values.Encode()),`
`502`	`537`	`)`
`503`	`538`	`iferr!=nil {`
`504`		`-http.Error(rw,fmt.Sprintf("invalid token request: %s",err.Error()),http.StatusBadRequest)`
	`539`	`+http.Error(rw,fmt.Sprintf("invalid token request: %s",err.Error()),httpErrorCode(http.StatusBadRequest,err))`
`505`	`540`	`return`
`506`	`541`	`}`
`507`	`542`	`getEmail:=func(claims jwt.MapClaims)string {`
`@@ -562,7 +597,7 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {`
`562`	`597`	`claims=idTokenClaims`
`563`	`598`	`err:=f.hookOnRefresh(getEmail(claims))`
`564`	`599`	`iferr!=nil {`
`565`		`-http.Error(rw,fmt.Sprintf("refresh hook blocked refresh: %s",err.Error()),http.StatusBadRequest)`
	`600`	`+http.Error(rw,fmt.Sprintf("refresh hook blocked refresh: %s",err.Error()),httpErrorCode(http.StatusBadRequest,err))`
`566`	`601`	`return`
`567`	`602`	`}`
`568`	`603`
`@@ -610,7 +645,12 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {`
`610`	`645`	`http.Error(rw,"invalid access token, missing user info",http.StatusBadRequest)`
`611`	`646`	`return`
`612`	`647`	`}`
`613`		`-_=json.NewEncoder(rw).Encode(f.hookUserInfo(email))`
	`648`	`+claims,err:=f.hookUserInfo(email)`
	`649`	`+iferr!=nil {`
	`650`	`+http.Error(rw,fmt.Sprintf("user info hook returned error: %s",err.Error()),httpErrorCode(http.StatusBadRequest,err))`
	`651`	`+return`
	`652`	`+}`
	`653`	`+_=json.NewEncoder(rw).Encode(claims)`
`614`	`654`	`}))`
`615`	`655`
`616`	`656`	`mux.Handle(keysPath,http.HandlerFunc(func(rw http.ResponseWriter,r*http.Request) {`
`@@ -768,6 +808,15 @@ func (f FakeIDP) OIDCConfig(t testing.TB, scopes []string, opts ...func(cfg co`
`768`	`808`	`returncfg`
`769`	`809`	`}`
`770`	`810`
	`811`	`+funchttpErrorCode(defaultCodeint,errerror)int {`
	`812`	`+varstautsErrstatusHookError`
	`813`	`+status:=defaultCode`
	`814`	`+iferrors.As(err,&stautsErr) {`
	`815`	`+status=stautsErr.HTTPStatusCode`
	`816`	`+}`
	`817`	`+returnstatus`
	`818`	`+}`
	`819`	`+`
`771`	`820`	`typefakeRoundTripperstruct {`
`772`	`821`	`roundTripfunc(reqhttp.Request) (http.Response,error)`
`773`	`822`	`}`

`‎coderd/gitauth/config.go`

Lines changed: 22 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -60,17 +60,30 @@ type Config struct {`
`60`	`60`	`}`
`61`	`61`
`62`	`62`	`// RefreshToken automatically refreshes the token if expired and permitted.`
`63`		`-// It returns the token and a bool indicating if the tokenwas refreshed.`
	`63`	`+// It returns the token and a bool indicating if the tokenis valid.`
`64`	`64`	`func (c*Config)RefreshToken(ctx context.Context,db database.Store,gitAuthLink database.GitAuthLink) (database.GitAuthLink,bool,error) {`
`65`	`65`	`// If the token is expired and refresh is disabled, we prompt`
`66`	`66`	`// the user to authenticate again.`
`67`		`-ifc.NoRefresh&&gitAuthLink.OAuthExpiry.Before(dbtime.Now()) {`
	`67`	`+ifc.NoRefresh&&`
	`68`	`+// If the time is set to 0, then it should never expire.`
	`69`	`+// This is true for github, which has no expiry.`
	`70`	`+!gitAuthLink.OAuthExpiry.IsZero()&&`
	`71`	`+gitAuthLink.OAuthExpiry.Before(dbtime.Now()) {`
`68`	`72`	`returngitAuthLink,false,nil`
`69`	`73`	`}`
`70`	`74`
	`75`	`+// This is additional defensive programming. Because TokenSource is an interface,`
	`76`	`+// we cannot be sure that the implementation will treat an 'IsZero' time`
	`77`	`+// as "not-expired". The default implementation does, but a custom implementation`
	`78`	`+// might not. Removing the refreshToken will guarantee a refresh will fail.`
	`79`	`+refreshToken:=gitAuthLink.OAuthRefreshToken`
	`80`	`+ifc.NoRefresh {`
	`81`	`+refreshToken=""`
	`82`	`+}`
	`83`	`+`
`71`	`84`	`token,err:=c.TokenSource(ctx,&oauth2.Token{`
`72`	`85`	`AccessToken:gitAuthLink.OAuthAccessToken,`
`73`		`-RefreshToken:gitAuthLink.OAuthRefreshToken,`
	`86`	`+RefreshToken:refreshToken,`
`74`	`87`	`Expiry:gitAuthLink.OAuthExpiry,`
`75`	`88`	`}).Token()`
`76`	`89`	`iferr!=nil {`
`@@ -130,8 +143,13 @@ func (c Config) ValidateToken(ctx context.Context, token string) (bool, coders`
`130`	`143`	`iferr!=nil {`
`131`	`144`	`returnfalse,nil,err`
`132`	`145`	`}`
	`146`	`+`
	`147`	`+cli:=http.DefaultClient`
	`148`	`+ifv,ok:=ctx.Value(oauth2.HTTPClient).(*http.Client);ok {`
	`149`	`+cli=v`
	`150`	`+}`
`133`	`151`	`req.Header.Set("Authorization",fmt.Sprintf("Bearer %s",token))`
`134`		`-res,err:=http.DefaultClient.Do(req)`
	`152`	`+res,err:=cli.Do(req)`
`135`	`153`	`iferr!=nil {`
`136`	`154`	`returnfalse,nil,err`
`137`	`155`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit58f7071

File tree

5 files changed

5 files changed

`‎coderd/coderdtest/oidctest/idp.go`

`‎coderd/gitauth/config.go`

0 commit comments