NotificationsYou must be signed in to change notification settings
Fork909
Star10k

Commit95347b2

authored

fix: allow orgs with default github provider (#16755)

This PR fixes 2 bugs:## Problem 1The server would fail to start when the default github provider wasconfigured and the flag `--oauth2-github-allowed-orgs` was set. Theerror was```error: configure github oauth2: allow everyone and allowed orgs cannot be used together```This PR fixes it by enabling "allow everone" with the default provideronly if "allowed orgs" isn't set.## Problem 2The default github provider uses the device flow to authorize users, andthat's handled differently by our web UI than the standard oauth flow.In particular, the web UI only handles JSON responses rather than HTTPredirects. There were 2 code paths that returned redirects, and the PRchanges them to return JSON messages instead if the device flow isconfigured.

1 parentb85ba58 commit95347b2Copy full SHA for 95347b2

File tree

3 files changed

+35

-4

lines changed

cli
- server.go
- server_test.go
coderd
- userauth.go

3 files changed

+35

-4

lines changed

`‎cli/server.go`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1911,8 +1911,10 @@ func getGithubOAuth2ConfigParams(ctx context.Context, db database.Store, vals *c`
`1911`	`1911`	`}`
`1912`	`1912`
`1913`	`1913`	`params.clientID=GithubOAuth2DefaultProviderClientID`
`1914`		`-params.allowEveryone=GithubOAuth2DefaultProviderAllowEveryone`
`1915`	`1914`	`params.deviceFlow=GithubOAuth2DefaultProviderDeviceFlow`
	`1915`	`+iflen(params.allowOrgs)==0 {`
	`1916`	`+params.allowEveryone=GithubOAuth2DefaultProviderAllowEveryone`
	`1917`	`+}`
`1916`	`1918`
`1917`	`1919`	`return&params,nil`
`1918`	`1920`	`}`

`‎cli/server_test.go`

Lines changed: 10 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -314,6 +314,7 @@ func TestServer(t *testing.T) {`
`314`	`314`	`githubDefaultProviderEnabledstring`
`315`	`315`	`githubClientIDstring`
`316`	`316`	`githubClientSecretstring`
	`317`	`+allowedOrgstring`
`317`	`318`	`expectGithubEnabledbool`
`318`	`319`	`expectGithubDefaultProviderConfiguredbool`
`319`	`320`	`createUserPreStartbool`
`@@ -355,7 +356,9 @@ func TestServer(t *testing.T) {`
`355`	`356`	`iftc.githubDefaultProviderEnabled!="" {`
`356`	`357`	`args=append(args,fmt.Sprintf("--oauth2-github-default-provider-enable=%s",tc.githubDefaultProviderEnabled))`
`357`	`358`	`}`
`358`		`-`
	`359`	`+iftc.allowedOrg!="" {`
	`360`	`+args=append(args,fmt.Sprintf("--oauth2-github-allowed-orgs=%s",tc.allowedOrg))`
	`361`	`+}`
`359`	`362`	`inv,cfg:=clitest.New(t,args...)`
`360`	`363`	`errChan:=make(chanerror,1)`
`361`	`364`	`gofunc() {`
`@@ -439,6 +442,12 @@ func TestServer(t *testing.T) {`
`439`	`442`	`expectGithubEnabled:true,`
`440`	`443`	`expectGithubDefaultProviderConfigured:false,`
`441`	`444`	`},`
	`445`	`+{`
	`446`	`+name:"AllowedOrg",`
	`447`	`+allowedOrg:"coder",`
	`448`	`+expectGithubEnabled:true,`
	`449`	`+expectGithubDefaultProviderConfigured:true,`
	`450`	`+},`
`442`	`451`	`} {`
`443`	`452`	`tc:=tc`
`444`	`453`	`t.Run(tc.name,func(t*testing.T) {`

`‎coderd/userauth.go`

Lines changed: 22 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -922,7 +922,17 @@ func (api API) userOAuth2Github(rw http.ResponseWriter, r http.Request) {`
`922`	`922`	`}`
`923`	`923`	`}`
`924`	`924`	`iflen(selectedMemberships)==0 {`
`925`		`-httpmw.CustomRedirectToLogin(rw,r,redirect,"You aren't a member of the authorized Github organizations!",http.StatusUnauthorized)`
	`925`	`+status:=http.StatusUnauthorized`
	`926`	`+msg:="You aren't a member of the authorized Github organizations!"`
	`927`	`+ifapi.GithubOAuth2Config.DeviceFlowEnabled {`
	`928`	`+// In the device flow, the error is rendered client-side.`
	`929`	`+httpapi.Write(ctx,rw,status, codersdk.Response{`
	`930`	`+Message:"Unauthorized",`
	`931`	`+Detail:msg,`
	`932`	`+})`
	`933`	`+}else {`
	`934`	`+httpmw.CustomRedirectToLogin(rw,r,redirect,msg,status)`
	`935`	`+}`
`926`	`936`	`return`
`927`	`937`	`}`
`928`	`938`	`}`
`@@ -959,7 +969,17 @@ func (api API) userOAuth2Github(rw http.ResponseWriter, r http.Request) {`
`959`	`969`	`}`
`960`	`970`	`}`
`961`	`971`	`ifallowedTeam==nil {`
`962`		`-httpmw.CustomRedirectToLogin(rw,r,redirect,fmt.Sprintf("You aren't a member of an authorized team in the %v Github organization(s)!",organizationNames),http.StatusUnauthorized)`
	`972`	`+msg:=fmt.Sprintf("You aren't a member of an authorized team in the %v Github organization(s)!",organizationNames)`
	`973`	`+status:=http.StatusUnauthorized`
	`974`	`+ifapi.GithubOAuth2Config.DeviceFlowEnabled {`
	`975`	`+// In the device flow, the error is rendered client-side.`
	`976`	`+httpapi.Write(ctx,rw,status, codersdk.Response{`
	`977`	`+Message:"Unauthorized",`
	`978`	`+Detail:msg,`
	`979`	`+})`
	`980`	`+}else {`
	`981`	`+httpmw.CustomRedirectToLogin(rw,r,redirect,msg,status)`
	`982`	`+}`
`963`	`983`	`return`
`964`	`984`	`}`
`965`	`985`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit95347b2

File tree

3 files changed

3 files changed

`‎cli/server.go`

`‎cli/server_test.go`

`‎coderd/userauth.go`

0 commit comments