NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commit78554eb

committed

feat: add best effort attempt to revoke oauth access token in provider

1 parent38d3d06 commit78554ebCopy full SHA for 78554eb

File tree

19 files changed

+482

-69

lines changed

coderd
- apidoc
  - docs.go
  - swagger.json
- coderdtest/oidctest
  - idp.go
- externalauth.go
- externalauth_test.go
- externalauth
  - externalauth.go
  - externalauth_test.go
codersdk
- deployment.go
- deployment_test.go
- externalauth.go
- testdata
  - githubcfg.yaml
docs
- admin/external-auth
  - index.md
- reference/api
site/src
- api
  - typesGenerated.ts
- pages
  - DeploymentSettingsPage/ExternalAuthSettingsPage
    - ExternalAuthSettingsPageView.stories.tsx
  - UserSettingsPage/ExternalAuthPage
    - ExternalAuthPage.tsx
    - ExternalAuthPageView.tsx

19 files changed

+482

-69

lines changed

`‎coderd/apidoc/docs.go‎`

Lines changed: 19 additions & 1 deletion

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apidoc/swagger.json‎`

Lines changed: 19 additions & 1 deletion

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/coderdtest/oidctest/idp.go‎`

Lines changed: 59 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,8 @@ import (`
`46`	`46`	`"github.com/coder/coder/v2/testutil"`
`47`	`47`	`)`
`48`	`48`
	`49`	`+typeHookRevokeTokenFnfunc() (httpStatusint,errerror)`
	`50`	`+`
`49`	`51`	`typetokenstruct {`
`50`	`52`	`issued time.Time`
`51`	`53`	`emailstring`
`@@ -196,9 +198,11 @@ type FakeIDP struct {`
`196`	`198`	`// hookValidRedirectURL can be used to reject a redirect url from the`
`197`	`199`	`// IDP -> Application. Almost all IDPs have the concept of`
`198`	`200`	`// "Authorized Redirect URLs". This can be used to emulate that.`
`199`		`-hookValidRedirectURLfunc(redirectURLstring)error`
`200`		`-hookUserInfofunc(emailstring) (jwt.MapClaims,error)`
`201`		`-hookAccessTokenJWTfunc(emailstring,exp time.Time) jwt.MapClaims`
	`201`	`+hookValidRedirectURLfunc(redirectURLstring)error`
	`202`	`+hookUserInfofunc(emailstring) (jwt.MapClaims,error)`
	`203`	`+hookRevokeTokenHookRevokeTokenFn`
	`204`	`+revokeTokenGitHubFormatbool// GitHub doesn't follow token revocation RFC spec`
	`205`	`+hookAccessTokenJWTfunc(emailstring,exp time.Time) jwt.MapClaims`
`202`	`206`	`// defaultIDClaims is if a new client connects and we didn't preset`
`203`	`207`	`// some claims.`
`204`	`208`	`defaultIDClaims jwt.MapClaims`
`@@ -327,6 +331,19 @@ func WithStaticUserInfo(info jwt.MapClaims) func(*FakeIDP) {`
`327`	`331`	`}`
`328`	`332`	`}`
`329`	`333`
	`334`	`+funcWithRevokeTokenRFC(revokeFuncHookRevokeTokenFn)func(*FakeIDP) {`
	`335`	`+returnfunc(f*FakeIDP) {`
	`336`	`+f.hookRevokeToken=revokeFunc`
	`337`	`+}`
	`338`	`+}`
	`339`	`+`
	`340`	`+funcWithRevokeTokenGitHub(revokeFuncHookRevokeTokenFn)func(*FakeIDP) {`
	`341`	`+returnfunc(f*FakeIDP) {`
	`342`	`+f.hookRevokeToken=revokeFunc`
	`343`	`+f.revokeTokenGitHubFormat=true`
	`344`	`+}`
	`345`	`+}`
	`346`	`+`
`330`	`347`	`funcWithDefaultIDClaims(claims jwt.MapClaims)func(*FakeIDP) {`
`331`	`348`	`returnfunc(f*FakeIDP) {`
`332`	`349`	`f.defaultIDClaims=claims`
`@@ -358,6 +375,7 @@ type With429Arguments struct {`
`358`	`375`	`AuthorizePathbool`
`359`	`376`	`KeysPathbool`
`360`	`377`	`UserInfoPathbool`
	`378`	`+RevokePathbool`
`361`	`379`	`DeviceAuthbool`
`362`	`380`	`DeviceVerifybool`
`363`	`381`	`}`
`@@ -387,6 +405,10 @@ func With429(params With429Arguments) func(*FakeIDP) {`
`387`	`405`	`http.Error(rw,"429, being manually blocked (userinfo)",http.StatusTooManyRequests)`
`388`	`406`	`return`
`389`	`407`	`}`
	`408`	`+ifparams.RevokePath&&strings.Contains(r.URL.Path,revokeTokenPath) {`
	`409`	`+http.Error(rw,"429, being manually blocked (revoke)",http.StatusTooManyRequests)`
	`410`	`+return`
	`411`	`+}`
`390`	`412`	`ifparams.DeviceAuth&&strings.Contains(r.URL.Path,deviceAuth) {`
`391`	`413`	`http.Error(rw,"429, being manually blocked (device-auth)",http.StatusTooManyRequests)`
`392`	`414`	`return`
`@@ -408,8 +430,10 @@ const (`
`408`	`430`	`authorizePath="/oauth2/authorize"`
`409`	`431`	`keysPath="/oauth2/keys"`
`410`	`432`	`userInfoPath="/oauth2/userinfo"`
`411`		`-deviceAuth="/login/device/code"`
`412`		`-deviceVerify="/login/device"`
	`433`	`+// nolint:gosec // It also thinks this is a secret lol`
	`434`	`+revokeTokenPath="/oauth2/revoke"`
	`435`	`+deviceAuth="/login/device/code"`
	`436`	`+deviceVerify="/login/device"`
`413`	`437`	`)`
`414`	`438`
`415`	`439`	`funcNewFakeIDP(t testing.TB,opts...FakeIDPOpt)*FakeIDP {`
`@@ -486,6 +510,7 @@ func (f *FakeIDP) updateIssuerURL(t testing.TB, issuer string) {`
`486`	`510`	`TokenURL:u.ResolveReference(&url.URL{Path:tokenPath}).String(),`
`487`	`511`	`JWKSURL:u.ResolveReference(&url.URL{Path:keysPath}).String(),`
`488`	`512`	`UserInfoURL:u.ResolveReference(&url.URL{Path:userInfoPath}).String(),`
	`513`	`+RevokeURL:u.ResolveReference(&url.URL{Path:revokeTokenPath}).String(),`
`489`	`514`	`DeviceCodeURL:u.ResolveReference(&url.URL{Path:deviceAuth}).String(),`
`490`	`515`	`Algorithms: []string{`
`491`	`516`	`"RS256",`
`@@ -756,6 +781,7 @@ type ProviderJSON struct {`
`756`	`781`	TokenURLstring`json:"token_endpoint"`
`757`	`782`	JWKSURLstring`json:"jwks_uri"`
`758`	`783`	UserInfoURLstring`json:"userinfo_endpoint"`
	`784`	+RevokeURLstring`json:"revocation_endpoint"`
`759`	`785`	DeviceCodeURLstring`json:"device_authorization_endpoint"`
`760`	`786`	Algorithms []string`json:"id_token_signing_alg_values_supported"`
`761`	`787`	`// This is custom`
`@@ -1146,6 +1172,29 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {`
`1146`	`1172`	`_=json.NewEncoder(rw).Encode(claims)`
`1147`	`1173`	`}))`
`1148`	`1174`
	`1175`	`+mux.Handle(revokeTokenPath,http.HandlerFunc(func(rw http.ResponseWriter,r*http.Request) {`
	`1176`	`+iff.revokeTokenGitHubFormat {`
	`1177`	`+u,p,ok:=r.BasicAuth()`
	`1178`	`+if!ok\|\|!(u==f.clientID&&p==f.clientSecret) {`
	`1179`	`+httpError(rw,http.StatusForbidden,xerrors.Errorf("basic auth failed"))`
	`1180`	`+return`
	`1181`	`+}`
	`1182`	`+}else {`
	`1183`	`+_,ok:=validateMW(rw,r)`
	`1184`	`+if!ok {`
	`1185`	`+httpError(rw,http.StatusForbidden,xerrors.Errorf("token validation failed"))`
	`1186`	`+return`
	`1187`	`+}`
	`1188`	`+}`
	`1189`	`+`
	`1190`	`+code,err:=f.hookRevokeToken()`
	`1191`	`+iferr!=nil {`
	`1192`	`+httpError(rw,code,xerrors.Errorf("hook err: %w",err))`
	`1193`	`+return`
	`1194`	`+}`
	`1195`	`+httpapi.Write(r.Context(),rw,code,"")`
	`1196`	`+}))`
	`1197`	`+`
`1149`	`1198`	`// There is almost no difference between this and /userinfo.`
`1150`	`1199`	`// The main tweak is that this route is "mounted" vs "handle" because "/userinfo"`
`1151`	`1200`	`// should be strict, and this one needs to handle sub routes.`
`@@ -1474,12 +1523,16 @@ func (f FakeIDP) ExternalAuthConfig(t testing.TB, id string, custom ExternalAu`
`1474`	`1523`	`DisplayName:id,`
`1475`	`1524`	`InstrumentedOAuth2Config:oauthCfg,`
`1476`	`1525`	`ID:id,`
	`1526`	`+ClientID:f.clientID,`
	`1527`	`+ClientSecret:f.clientSecret,`
`1477`	`1528`	`// No defaults for these fields by omitting the type`
`1478`	`1529`	`Type:"",`
`1479`	`1530`	`DisplayIcon:f.WellknownConfig().UserInfoURL,`
`1480`	`1531`	`// Omit the /user for the validate so we can easily append to it when modifying`
`1481`	`1532`	`// the cfg for advanced tests.`
`1482`		`-ValidateURL:f.locked.IssuerURL().ResolveReference(&url.URL{Path:"/external-auth-validate/"}).String(),`
	`1533`	`+ValidateURL:f.locked.IssuerURL().ResolveReference(&url.URL{Path:"/external-auth-validate/"}).String(),`
	`1534`	`+RevokeURL:f.locked.IssuerURL().ResolveReference(&url.URL{Path:revokeTokenPath}).String(),`
	`1535`	`+RevokeTimeout:1*time.Second,`
`1483`	`1536`	`DeviceAuth:&externalauth.DeviceAuth{`
`1484`	`1537`	`Config:oauthCfg,`
`1485`	`1538`	`ClientID:f.clientID,`

`‎coderd/externalauth.go‎`

Lines changed: 6 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -87,7 +87,7 @@ func (api API) externalAuthByID(w http.ResponseWriter, r http.Request) {`
`87`	`87`	`// @Tags Git`
`88`	`88`	`// @Produce json`
`89`	`89`	`// @Param externalauth path string true "Git Provider ID" format(string)`
`90`		`-// @Success 200`
	`90`	`+// @Success 200 {object} codersdk.DeleteExternalAuthByIDResponse`
`91`	`91`	`// @Router /external-auth/{externalauth} [delete]`
`92`	`92`	`func (apiAPI)deleteExternalAuthByID(w http.ResponseWriter,rhttp.Request) {`
`93`	`93`	`config:=httpmw.ExternalAuthParam(r)`
`@@ -98,7 +98,6 @@ func (api API) deleteExternalAuthByID(w http.ResponseWriter, r http.Request) {`
`98`	`98`	`ProviderID:config.ID,`
`99`	`99`	`UserID:apiKey.UserID,`
`100`	`100`	`})`
`101`		`-`
`102`	`101`	`iferr!=nil {`
`103`	`102`	`iferrors.Is(err,sql.ErrNoRows) {`
`104`	`103`	`httpapi.ResourceNotFound(w)`
`@@ -128,12 +127,12 @@ func (api API) deleteExternalAuthByID(w http.ResponseWriter, r http.Request) {`
`128`	`127`	`}`
`129`	`128`
`130`	`129`	`ok,err:=config.RevokeToken(ctx,link)`
`131`		`-iferr!=nil\|\|!ok {`
`132`		`-httpapi.Write(ctx,w,http.StatusOK, codersdk.DeleteExternalAuthByIDResponse{TokenRevocationSuccessful:false})`
`133`		`-return`
`134`		`-}`
	`130`	`+resp:= codersdk.DeleteExternalAuthByIDResponse{TokenRevoked:ok}`
`135`	`131`
`136`		`-httpapi.Write(ctx,w,http.StatusOK, codersdk.DeleteExternalAuthByIDResponse{TokenRevocationSuccessful:true})`
	`132`	`+iferr!=nil {`
	`133`	`+resp.TokenRevocationError=err.Error()`
	`134`	`+}`
	`135`	`+httpapi.Write(ctx,w,http.StatusOK,resp)`
`137`	`136`	`}`
`138`	`137`
`139`	`138`	`// @Summary Post external auth device by ID`

`‎coderd/externalauth/externalauth.go‎`

Lines changed: 46 additions & 19 deletions

Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,9 @@ const (`
`34`	`34`	`// database for a failed refresh token. In rare cases, the error could be a large`
`35`	`35`	`// HTML payload.`
`36`	`36`	`failureReasonLimit=400`
	`37`	`+`
	`38`	`+// tokenRevocationTimeout timeout for requests to external oauth provider.`
	`39`	`+tokenRevocationTimeout=10*time.Second`
`37`	`40`	`)`
`38`	`41`
`39`	`42`	`// Config is used for authentication for Git operations.`
`@@ -44,7 +47,7 @@ type Config struct {`
`44`	`47`	`// Type is the type of provider.`
`45`	`48`	`Typestring`
`46`	`49`
`47`		`-ClientIdstring`
	`50`	`+ClientIDstring`
`48`	`51`	`ClientSecretstring`
`49`	`52`	`// DeviceAuth is set if the provider uses the device flow.`
`50`	`53`	`DeviceAuth*DeviceAuth`
`@@ -72,7 +75,8 @@ type Config struct {`
`72`	`75`	`// not be validated before being returned.`
`73`	`76`	`ValidateURLstring`
`74`	`77`
`75`		`-RevokeURLstring`
	`78`	`+RevokeURLstring`
	`79`	`+RevokeTimeout time.Duration`
`76`	`80`
`77`	`81`	`// Regex is a Regexp matched against URLs for`
`78`	`82`	`// a Git clone. e.g. "Username for 'https://github.com':"`
`@@ -395,13 +399,9 @@ func (c *Config) RevokeToken(ctx context.Context, link database.ExternalAuthLink`
`395`	`399`	`returnfalse,nil`
`396`	`400`	`}`
`397`	`401`
`398`		`-varerrerror`
`399`		`-varreq*http.Request`
`400`		`-ifc.Type==codersdk.EnhancedExternalAuthProviderGitHub.String() {`
`401`		`-req,err=c.tokenRevocationRequestGitHub(ctx,link)`
`402`		`-}else {`
`403`		`-req,err=c.tokenRevocationRequestRFC7009(ctx,link)`
`404`		`-}`
	`402`	`+reqCtx,cancel:=context.WithTimeout(ctx,c.RevokeTimeout)`
	`403`	`+defercancel()`
	`404`	`+req,err:=c.TokenRevocationRequest(reqCtx,link)`
`405`	`405`	`iferr!=nil {`
`406`	`406`	`returnfalse,err`
`407`	`407`	`}`
`@@ -411,34 +411,60 @@ func (c *Config) RevokeToken(ctx context.Context, link database.ExternalAuthLink`
`411`	`411`	`returnfalse,err`
`412`	`412`	`}`
`413`	`413`	`deferres.Body.Close()`
	`414`	`+body,err:=io.ReadAll(res.Body)`
	`415`	`+iferr!=nil {`
	`416`	`+returnfalse,err`
	`417`	`+}`
`414`	`418`
`415`		`-returnres.StatusCode==http.StatusOK,nil`
	`419`	`+ifc.TokenRevocationResponseOk(res) {`
	`420`	`+returntrue,nil`
	`421`	`+}`
	`422`	`+returnfalse,xerrors.Errorf("failed to revoke token: %d %s",res.StatusCode,string(body))`
`416`	`423`	`}`
`417`	`424`
`418`		`-func (cConfig)tokenRevocationRequestRFC7009(ctx context.Context,link database.ExternalAuthLink) (http.Request,error) {`
	`425`	`+func (cConfig)TokenRevocationRequest(ctx context.Context,link database.ExternalAuthLink) (http.Request,error) {`
	`426`	`+ifc.Type==codersdk.EnhancedExternalAuthProviderGitHub.String() {`
	`427`	`+returnc.TokenRevocationRequestGitHub(ctx,link)`
	`428`	`+}`
	`429`	`+returnc.TokenRevocationRequestRFC7009(ctx,link)`
	`430`	`+}`
	`431`	`+`
	`432`	`+func (cConfig)TokenRevocationRequestRFC7009(ctx context.Context,link database.ExternalAuthLink) (http.Request,error) {`
`419`	`433`	`p:= url.Values{}`
`420`		`-p.Add("client_id",c.ClientId)`
	`434`	`+p.Add("client_id",c.ClientID)`
`421`	`435`	`p.Add("client_secret",c.ClientSecret)`
`422`	`436`	`p.Add("token_type_hint","refresh_token")`
`423`	`437`	`p.Add("token",link.OAuthRefreshToken)`
`424`		`-body:=p.Encode()`
`425`		`-returnhttp.NewRequestWithContext(ctx,http.MethodPost,c.RevokeURL,strings.NewReader(body))`
	`438`	`+req,err:=http.NewRequestWithContext(ctx,http.MethodPost,c.RevokeURL,strings.NewReader(p.Encode()))`
	`439`	`+iferr!=nil {`
	`440`	`+returnnil,err`
	`441`	`+}`
	`442`	`+req.Header.Set("Authorization",fmt.Sprintf("Bearer %s",link.OAuthAccessToken))`
	`443`	`+returnreq,nil`
`426`	`444`	`}`
`427`	`445`
`428`		`-func (cConfig)tokenRevocationRequestGitHub(ctx context.Context,link database.ExternalAuthLink) (http.Request,error) {`
`429`		`-// GitHub doesn't follow RFC spec, GitHub specific request is needed`
	`446`	`+func (cConfig)TokenRevocationRequestGitHub(ctx context.Context,link database.ExternalAuthLink) (http.Request,error) {`
	`447`	`+// GitHub doesn't follow RFC spec`
`430`	`448`	`// https://docs.github.com/en/rest/apps/oauth-applications?apiVersion=2022-11-28#delete-an-app-authorization`
`431`		`-body:=fmt.Sprintf("{\"access_token\":\"%s\"}",link.OAuthAccessToken)`
	`449`	`+body:=fmt.Sprintf("{\"access_token\":%q}",link.OAuthAccessToken)`
`432`	`450`	`req,err:=http.NewRequestWithContext(ctx,http.MethodDelete,c.RevokeURL,strings.NewReader(body))`
`433`	`451`	`iferr!=nil {`
`434`	`452`	`returnnil,err`
`435`	`453`	`}`
`436`	`454`	`req.Header.Add("Accept","application/vnd.github+json")`
`437`	`455`	`req.Header.Add("X-GitHub-Api-Version","2022-11-28")`
`438`		`-req.SetBasicAuth(c.ClientId,c.ClientSecret)`
	`456`	`+req.SetBasicAuth(c.ClientID,c.ClientSecret)`
`439`	`457`	`returnreq,nil`
`440`	`458`	`}`
`441`	`459`
	`460`	`+func (cConfig)TokenRevocationResponseOk(reshttp.Response)bool {`
	`461`	`+// RFC spec on successful revocation returns 200, GitHub 204`
	`462`	`+ifc.Type==codersdk.EnhancedExternalAuthProviderGitHub.String() {`
	`463`	`+returnres.StatusCode==http.StatusNoContent`
	`464`	`+}`
	`465`	`+returnres.StatusCode==http.StatusOK`
	`466`	`+}`
	`467`	`+`
`442`	`468`	`typeDeviceAuthstruct {`
`443`	`469`	`// Config is provided for the http client method.`
`444`	`470`	`Config promoauth.InstrumentedOAuth2Config`
`@@ -665,13 +691,14 @@ func ConvertConfig(instrument *promoauth.Factory, entries []codersdk.ExternalAut`
`665`	`691`	`cfg:=&Config{`
`666`	`692`	`InstrumentedOAuth2Config:instrumented,`
`667`	`693`	`ID:entry.ID,`
`668`		`-ClientId:entry.ClientID,`
	`694`	`+ClientID:entry.ClientID,`
`669`	`695`	`ClientSecret:entry.ClientSecret,`
`670`	`696`	`Regex:regex,`
`671`	`697`	`Type:entry.Type,`
`672`	`698`	`NoRefresh:entry.NoRefresh,`
`673`	`699`	`ValidateURL:entry.ValidateURL,`
`674`	`700`	`RevokeURL:entry.RevokeURL,`
	`701`	`+RevokeTimeout:tokenRevocationTimeout,`
`675`	`702`	`AppInstallationsURL:entry.AppInstallationsURL,`
`676`	`703`	`AppInstallURL:entry.AppInstallURL,`
`677`	`704`	`DisplayName:entry.DisplayName,`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit78554eb

File tree

19 files changed

19 files changed

`‎coderd/apidoc/docs.go‎`

`‎coderd/apidoc/swagger.json‎`

`‎coderd/coderdtest/oidctest/idp.go‎`

`‎coderd/externalauth.go‎`

`‎coderd/externalauth/externalauth.go‎`

0 commit comments