coder/coderPublic

NotificationsYou must be signed in to change notification settings
Fork1k
Star11.2k

Commit7bed916

kylecarbs

authored and

pull[bot]

committed

fix: allow disabling all password auth even if owner (#6193)

* fix: allow disabling all password auth even if ownerRemoves any and all ability to auth with a password.* Hide create user if password auth is disabled

1 parentcb991bf commit7bed916Copy full SHA for 7bed916

File tree

7 files changed

+116

-42

lines changed

coderd
site/src
- components
  - SignInForm
    - SignInForm.stories.tsx
    - SignInForm.tsx
  - UsersLayout
    - UsersLayout.tsx
- xServices/auth
  - authMethodsXService.ts

7 files changed

+116

-42

lines changed

`‎coderd/userauth.go‎`

Lines changed: 4 additions & 14 deletions

Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,6 @@ import (`
`23`	`23`	`"github.com/coder/coder/coderd/database/dbauthz"`
`24`	`24`	`"github.com/coder/coder/coderd/httpapi"`
`25`	`25`	`"github.com/coder/coder/coderd/httpmw"`
`26`		`-"github.com/coder/coder/coderd/rbac"`
`27`	`26`	`"github.com/coder/coder/coderd/userpassword"`
`28`	`27`	`"github.com/coder/coder/codersdk"`
`29`	`28`	`)`
`@@ -90,19 +89,10 @@ func (api API) postLogin(rw http.ResponseWriter, r http.Request) {`
`90`	`89`	`// If password authentication is disabled and the user does not have the`
`91`	`90`	`// owner role, block the request.`
`92`	`91`	`ifapi.DeploymentConfig.DisablePasswordAuth.Value {`
`93`		`-permitted:=false`
`94`		`-for_,role:=rangeuser.RBACRoles {`
`95`		`-ifrole==rbac.RoleOwner() {`
`96`		`-permitted=true`
`97`		`-break`
`98`		`-}`
`99`		`-}`
`100`		`-if!permitted {`
`101`		`-httpapi.Write(ctx,rw,http.StatusForbidden, codersdk.Response{`
`102`		`-Message:"Password authentication is disabled. Only administrators can sign in with password authentication.",`
`103`		`-})`
`104`		`-return`
`105`		`-}`
	`92`	`+httpapi.Write(ctx,rw,http.StatusForbidden, codersdk.Response{`
	`93`	`+Message:"Password authentication is disabled.",`
	`94`	`+})`
	`95`	`+return`
`106`	`96`	`}`
`107`	`97`
`108`	`98`	`ifuser.LoginType!=database.LoginTypePassword {`

`‎coderd/users.go‎`

Lines changed: 9 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -299,6 +299,15 @@ func (api API) postUser(rw http.ResponseWriter, r http.Request) {`
`299`	`299`	`return`
`300`	`300`	`}`
`301`	`301`
	`302`	`+// If password auth is disabled, don't allow new users to be`
	`303`	`+// created with a password!`
	`304`	`+ifapi.DeploymentConfig.DisablePasswordAuth.Value {`
	`305`	`+httpapi.Write(ctx,rw,http.StatusForbidden, codersdk.Response{`
	`306`	`+Message:"You cannot manually provision new users with password authentication disabled!",`
	`307`	`+})`
	`308`	`+return`
	`309`	`+}`
	`310`	`+`
`302`	`311`	`// TODO: @emyrk Authorize the organization create if the createUser will do that.`
`303`	`312`
`304`	`313`	`_,err:=api.Database.GetUserByEmailOrUsername(ctx, database.GetUserByEmailOrUsernameParams{`

`‎coderd/users_test.go‎`

Lines changed: 2 additions & 15 deletions

Original file line number	Diff line number	Diff line change
`@@ -187,7 +187,6 @@ func TestPostLogin(t *testing.T) {`
`187`	`187`	`t.Parallel()`
`188`	`188`
`189`	`189`	`dc:=coderdtest.DeploymentConfig(t)`
`190`		`-dc.DisablePasswordAuth.Value=true`
`191`	`190`	`client:=coderdtest.New(t,&coderdtest.Options{`
`192`	`191`	`DeploymentConfig:dc,`
`193`	`192`	`})`
`@@ -207,6 +206,8 @@ func TestPostLogin(t *testing.T) {`
`207`	`206`	`})`
`208`	`207`	`require.NoError(t,err)`
`209`	`208`
	`209`	`+dc.DisablePasswordAuth.Value=true`
	`210`	`+`
`210`	`211`	`userClient:=codersdk.New(client.URL)`
`211`	`212`	`_,err=userClient.LoginWithPassword(ctx, codersdk.LoginWithPasswordRequest{`
`212`	`213`	`Email:user.Email,`
`@@ -217,20 +218,6 @@ func TestPostLogin(t *testing.T) {`
`217`	`218`	`require.ErrorAs(t,err,&apiErr)`
`218`	`219`	`require.Equal(t,http.StatusForbidden,apiErr.StatusCode())`
`219`	`220`	`require.Contains(t,apiErr.Message,"Password authentication is disabled")`
`220`		`-`
`221`		`-// Promote the user account to an owner.`
`222`		`-_,err=client.UpdateUserRoles(ctx,user.ID.String(), codersdk.UpdateRoles{`
`223`		`-Roles: []string{rbac.RoleOwner(),rbac.RoleMember()},`
`224`		`-})`
`225`		`-require.NoError(t,err)`
`226`		`-`
`227`		`-// Login with the user account.`
`228`		`-res,err:=userClient.LoginWithPassword(ctx, codersdk.LoginWithPasswordRequest{`
`229`		`-Email:user.Email,`
`230`		`-Password:password,`
`231`		`-})`
`232`		`-require.NoError(t,err)`
`233`		`-require.NotEmpty(t,res.SessionToken)`
`234`	`221`	`})`
`235`	`222`
`236`	`223`	`t.Run("Success",func(t*testing.T) {`

`‎site/src/components/SignInForm/SignInForm.stories.tsx‎`

Lines changed: 20 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -116,6 +116,26 @@ WithOIDC.args = {`
`116`	`116`	`},`
`117`	`117`	`}`
`118`	`118`
	`119`	`+exportconstWithOIDCWithoutPassword=Template.bind({})`
	`120`	`+WithOIDCWithoutPassword.args={`
	`121`	`+ ...SignedOut.args,`
	`122`	`+authMethods:{`
	`123`	`+password:{enabled:false},`
	`124`	`+github:{enabled:false},`
	`125`	`+oidc:{enabled:true,signInText:"",iconUrl:""},`
	`126`	`+},`
	`127`	`+}`
	`128`	`+`
	`129`	`+exportconstWithoutAny=Template.bind({})`
	`130`	`+WithoutAny.args={`
	`131`	`+ ...SignedOut.args,`
	`132`	`+authMethods:{`
	`133`	`+password:{enabled:false},`
	`134`	`+github:{enabled:false},`
	`135`	`+oidc:{enabled:false,signInText:"",iconUrl:""},`
	`136`	`+},`
	`137`	`+}`
	`138`	`+`
`119`	`139`	`exportconstWithGithubAndOIDC=Template.bind({})`
`120`	`140`	`WithGithubAndOIDC.args={`
`121`	`141`	`...SignedOut.args,`

`‎site/src/components/SignInForm/SignInForm.tsx‎`

Lines changed: 12 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@ import { OAuthSignInForm } from "./OAuthSignInForm"`
`9`	`9`	`import{BuiltInAuthFormValues}from"./SignInForm.types"`
`10`	`10`	`importButtonfrom"@material-ui/core/Button"`
`11`	`11`	`importEmailIconfrom"@material-ui/icons/EmailOutlined"`
	`12`	`+import{AlertBanner}from"components/AlertBanner/AlertBanner"`
`12`	`13`
`13`	`14`	`exportenumLoginErrors{`
`14`	`15`	`AUTH_ERROR="authError",`
`@@ -94,6 +95,7 @@ export const SignInForm: FC<React.PropsWithChildren<SignInFormProps>> = ({`
`94`	`95`	`constoAuthEnabled=Boolean(`
`95`	`96`	`authMethods?.github.enabled\|\|authMethods?.oidc.enabled,`
`96`	`97`	`)`
	`98`	`+constpasswordEnabled=authMethods?.password.enabled??true`
`97`	`99`
`98`	`100`	`// Hide password auth by default if any OAuth method is enabled`
`99`	`101`	`const[showPasswordAuth,setShowPasswordAuth]=useState(!oAuthEnabled)`
`@@ -108,15 +110,15 @@ export const SignInForm: FC<React.PropsWithChildren<SignInFormProps>> = ({`
`108`	`110`	`{loginPageTranslation.t("signInTo")}{" "}`
`109`	`111`	`<strong>{commonTranslation.t("coder")}</strong>`
`110`	`112`	`</h1>`
`111`		`-<Maybecondition={showPasswordAuth}>`
	`113`	`+<Maybecondition={passwordEnabled&&showPasswordAuth}>`
`112`	`114`	`<PasswordSignInForm`
`113`	`115`	`loginErrors={loginErrors}`
`114`	`116`	`onSubmit={onSubmit}`
`115`	`117`	`initialTouched={initialTouched}`
`116`	`118`	`isLoading={isLoading}`
`117`	`119`	`/>`
`118`	`120`	`</Maybe>`
`119`		`-<Maybecondition={showPasswordAuth&&oAuthEnabled}>`
	`121`	`+<Maybecondition={passwordEnabled&&showPasswordAuth&&oAuthEnabled}>`
`120`	`122`	`<divclassName={styles.divider}>`
`121`	`123`	`<divclassName={styles.dividerLine}/>`
`122`	`124`	`<divclassName={styles.dividerLabel}>Or</div>`
`@@ -131,7 +133,14 @@ export const SignInForm: FC<React.PropsWithChildren<SignInFormProps>> = ({`
`131`	`133`	`/>`
`132`	`134`	`</Maybe>`
`133`	`135`
`134`		`-<Maybecondition={!showPasswordAuth}>`
	`136`	`+<Maybecondition={!passwordEnabled&&!oAuthEnabled}>`
	`137`	`+<AlertBanner`
	`138`	`+severity="error"`
	`139`	`+text="No authentication methods configured!"`
	`140`	`+/>`
	`141`	`+</Maybe>`
	`142`	`+`
	`143`	`+<Maybecondition={passwordEnabled&&!showPasswordAuth}>`
`135`	`144`	`<divclassName={styles.divider}>`
`136`	`145`	`<divclassName={styles.dividerLine}/>`
`137`	`146`	`<divclassName={styles.dividerLabel}>Or</div>`

`‎site/src/components/UsersLayout/UsersLayout.tsx‎`

Lines changed: 14 additions & 10 deletions

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@ import Link from "@material-ui/core/Link"`
`3`	`3`	`import{makeStyles}from"@material-ui/core/styles"`
`4`	`4`	`importGroupAddfrom"@material-ui/icons/GroupAddOutlined"`
`5`	`5`	`importPersonAddfrom"@material-ui/icons/PersonAddOutlined"`
	`6`	`+import{useMachine}from"@xstate/react"`
`6`	`7`	`import{USERS_LINK}from"components/NavbarView/NavbarView"`
`7`	`8`	`import{PageHeader,PageHeaderTitle}from"components/PageHeader/PageHeader"`
`8`	`9`	`import{useFeatureVisibility}from"hooks/useFeatureVisibility"`
`@@ -15,13 +16,15 @@ import {`
`15`	`16`	`useNavigate,`
`16`	`17`	`}from"react-router-dom"`
`17`	`18`	`import{combineClasses}from"util/combineClasses"`
	`19`	`+import{authMethodsXService}from"xServices/auth/authMethodsXService"`
`18`	`20`	`import{Margins}from"../../components/Margins/Margins"`
`19`	`21`	`import{Stack}from"../../components/Stack/Stack"`
`20`	`22`
`21`	`23`	`exportconstUsersLayout:FC=()=>{`
`22`	`24`	`conststyles=useStyles()`
`23`	`25`	`const{createUser:canCreateUser,createGroup:canCreateGroup}=`
`24`	`26`	`usePermissions()`
	`27`	`+const[authMethods]=useMachine(authMethodsXService)`
`25`	`28`	`constnavigate=useNavigate()`
`26`	`29`	`const{template_rbac:isTemplateRBACEnabled}=useFeatureVisibility()`
`27`	`30`
`@@ -31,16 +34,17 @@ export const UsersLayout: FC = () => {`
`31`	`34`	`<PageHeader`
`32`	`35`	`actions={`
`33`	`36`	`<>`
`34`		`-{canCreateUser&&(`
`35`		`-<Button`
`36`		`-onClick={()=>{`
`37`		`-navigate("/users/create")`
`38`		`-}}`
`39`		`-startIcon={<PersonAdd/>}`
`40`		`->`
`41`		`- Create user`
`42`		`-</Button>`
`43`		`-)}`
	`37`	`+{canCreateUser&&`
	`38`	`+authMethods.context.authMethods?.password.enabled&&(`
	`39`	`+<Button`
	`40`	`+onClick={()=>{`
	`41`	`+navigate("/users/create")`
	`42`	`+}}`
	`43`	`+startIcon={<PersonAdd/>}`
	`44`	`+>`
	`45`	`+ Create user`
	`46`	`+</Button>`
	`47`	`+)}`
`44`	`48`	`{canCreateGroup&&isTemplateRBACEnabled&&(`
`45`	`49`	`<Link`
`46`	`50`	`underline="none"`

`‎site/src/xServices/auth/authMethodsXService.ts‎`

Lines changed: 55 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,55 @@`
	`1`	`+import{assign,createMachine}from"xstate"`
	`2`	`+import*asTypeGenfrom"api/typesGenerated"`
	`3`	`+import*asAPIfrom"api/api"`
	`4`	`+`
	`5`	`+exportinterfaceAuthMethodsContext{`
	`6`	`+authMethods?:TypeGen.AuthMethods`
	`7`	`+error?:Error\|unknown`
	`8`	`+}`
	`9`	`+`
	`10`	`+exportconstauthMethodsXService=createMachine(`
	`11`	`+{`
	`12`	`+id:"authMethods",`
	`13`	`+predictableActionArguments:true,`
	`14`	`+tsTypes:{}asimport("./authMethodsXService.typegen").Typegen0,`
	`15`	`+schema:{`
	`16`	`+context:{}asAuthMethodsContext,`
	`17`	`+services:{}as{`
	`18`	`+getAuthMethods:{`
	`19`	`+data:TypeGen.AuthMethods`
	`20`	`+}`
	`21`	`+},`
	`22`	`+},`
	`23`	`+context:{},`
	`24`	`+initial:"gettingAuthMethods",`
	`25`	`+states:{`
	`26`	`+gettingAuthMethods:{`
	`27`	`+invoke:{`
	`28`	`+src:"getAuthMethods",`
	`29`	`+onDone:{`
	`30`	`+target:"idle",`
	`31`	`+actions:["assignAuthMethods"],`
	`32`	`+},`
	`33`	`+onError:{`
	`34`	`+target:"idle",`
	`35`	`+actions:["setError"],`
	`36`	`+},`
	`37`	`+},`
	`38`	`+},`
	`39`	`+idle:{},`
	`40`	`+},`
	`41`	`+},`
	`42`	`+{`
	`43`	`+actions:{`
	`44`	`+assignAuthMethods:assign({`
	`45`	`+authMethods:(_,event)=>event.data,`
	`46`	`+}),`
	`47`	`+setError:assign({`
	`48`	`+error:(_,event)=>event.data,`
	`49`	`+}),`
	`50`	`+},`
	`51`	`+services:{`
	`52`	`+getAuthMethods:()=>API.getAuthMethods(),`
	`53`	`+},`
	`54`	`+},`
	`55`	`+)`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit7bed916

File tree

7 files changed

7 files changed

`‎coderd/userauth.go‎`

`‎coderd/users.go‎`

`‎coderd/users_test.go‎`

`‎site/src/components/SignInForm/SignInForm.stories.tsx‎`

`‎site/src/components/SignInForm/SignInForm.tsx‎`

`‎site/src/components/UsersLayout/UsersLayout.tsx‎`

`‎site/src/xServices/auth/authMethodsXService.ts‎`

0 commit comments