NotificationsYou must be signed in to change notification settings
Fork928
Star10.1k

Commit9578ce9

authored

OAuth now uses client TLS certs (if configured) (#5042)

* OAuth now uses client TLS certs (if configured)* Update docs* Cleaning* Fix lint errors and generate static files* Fix lint error and regenerate more static files* Suppress lint error

1 parent49c7648 commit9578ce9Copy full SHA for 9578ce9

File tree

9 files changed

+61

-10

lines changed

cli
- deployment
  - config.go
- server.go
- testdata
  - coder_server_--help.golden
codersdk
- deploymentconfig.go
docs/admin
- auth.md
scripts/apitypings
- main.go
- testdata
  - enums
    - enums.ts
  - generics
    - generics.ts
site/src/api
- typesGenerated.ts

9 files changed

+61

-10

lines changed

`‎cli/deployment/config.go`

Lines changed: 10 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -282,6 +282,16 @@ func newConfig() *codersdk.DeploymentConfig {`
`282`	`282`	`Flag:"tls-min-version",`
`283`	`283`	`Default:"tls12",`
`284`	`284`	`},`
	`285`	`+ClientCertFile:&codersdk.DeploymentConfigField[string]{`
	`286`	`+Name:"TLS Client Cert File",`
	`287`	`+Usage:"Path to certificate for client TLS authentication. It requires a PEM-encoded file.",`
	`288`	`+Flag:"tls-client-cert-file",`
	`289`	`+},`
	`290`	`+ClientKeyFile:&codersdk.DeploymentConfigField[string]{`
	`291`	`+Name:"TLS Client Key File",`
	`292`	`+Usage:"Path to key for client TLS authentication. It requires a PEM-encoded file.",`
	`293`	`+Flag:"tls-client-key-file",`
	`294`	`+},`
`285`	`295`	`},`
`286`	`296`	`Trace:&codersdk.TraceConfig{`
`287`	`297`	`Enable:&codersdk.DeploymentConfigField[bool]{`

`‎cli/server.go`

Lines changed: 23 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -392,6 +392,11 @@ func Server(vip viper.Viper, newAPI func(context.Context, coderd.Options) (*co`
`392`	`392`	`returnxerrors.Errorf("OIDC issuer URL must be set!")`
`393`	`393`	`}`
`394`	`394`
	`395`	`+ctx,err:=handleOauth2ClientCertificates(ctx,cfg)`
	`396`	`+iferr!=nil {`
	`397`	`+returnxerrors.Errorf("configure oidc client certificates: %w",err)`
	`398`	`+}`
	`399`	`+`
`395`	`400`	`oidcProvider,err:=oidc.NewProvider(ctx,cfg.OIDC.IssuerURL.Value)`
`396`	`401`	`iferr!=nil {`
`397`	`402`	`returnxerrors.Errorf("configure oidc provider: %w",err)`
`@@ -1249,3 +1254,21 @@ func startBuiltinPostgres(ctx context.Context, cfg config.Root, logger slog.Logg`
`1249`	`1254`	`}`
`1250`	`1255`	`returnconnectionURL,ep.Stop,nil`
`1251`	`1256`	`}`
	`1257`	`+`
	`1258`	`+funchandleOauth2ClientCertificates(ctx context.Context,cfg*codersdk.DeploymentConfig) (context.Context,error) {`
	`1259`	`+ifcfg.TLS.ClientCertFile.Value!=""&&cfg.TLS.ClientKeyFile.Value!="" {`
	`1260`	`+certificates,err:=loadCertificates([]string{cfg.TLS.ClientCertFile.Value}, []string{cfg.TLS.ClientKeyFile.Value})`
	`1261`	`+iferr!=nil {`
	`1262`	`+returnnil,err`
	`1263`	`+}`
	`1264`	`+`
	`1265`	`+returncontext.WithValue(ctx,oauth2.HTTPClient,&http.Client{`
	`1266`	`+Transport:&http.Transport{`
	`1267`	`+TLSClientConfig:&tls.Config{//nolint:gosec`
	`1268`	`+Certificates:certificates,`
	`1269`	`+},`
	`1270`	`+},`
	`1271`	`+}),nil`
	`1272`	`+}`
	`1273`	`+returnctx,nil`
	`1274`	`+}`

`‎cli/testdata/coder_server_--help.golden`

Lines changed: 8 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -177,6 +177,14 @@ Flags:`
`177`	`177`	`used for checking the authenticity of`
`178`	`178`	`client`
`179`	`179`	`Consumes $CODER_TLS_CLIENT_CA_FILE`
	`180`	`+ --tls-client-cert-file string Path to certificate for client TLS`
	`181`	`+ authentication. It requires a PEM-encoded`
	`182`	`+ file.`
	`183`	`+ Consumes $CODER_TLS_CLIENT_CERT_FILE`
	`184`	`+ --tls-client-key-file string Path to key for client TLS`
	`185`	`+ authentication. It requires a PEM-encoded`
	`186`	`+ file.`
	`187`	`+ Consumes $CODER_TLS_CLIENT_KEY_FILE`
`180`	`188`	`--tls-enable Whether TLS will be enabled.`
`181`	`189`	`Consumes $CODER_TLS_ENABLE`
`182`	`190`	`--tls-key-file strings Paths to the private keys for each of the`

`‎codersdk/deploymentconfig.go`

Lines changed: 8 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -101,12 +101,14 @@ type TelemetryConfig struct {`
`101`	`101`	`}`
`102`	`102`
`103`	`103`	`typeTLSConfigstruct {`
`104`		-Enable*DeploymentConfigField[bool]`json:"enable" typescript:",notnull"`
`105`		-CertFiles*DeploymentConfigField[[]string]`json:"cert_file" typescript:",notnull"`
`106`		-ClientAuth*DeploymentConfigField[string]`json:"client_auth" typescript:",notnull"`
`107`		-ClientCAFile*DeploymentConfigField[string]`json:"client_ca_file" typescript:",notnull"`
`108`		-KeyFiles*DeploymentConfigField[[]string]`json:"key_file" typescript:",notnull"`
`109`		-MinVersion*DeploymentConfigField[string]`json:"min_version" typescript:",notnull"`
	`104`	+Enable*DeploymentConfigField[bool]`json:"enable" typescript:",notnull"`
	`105`	+CertFiles*DeploymentConfigField[[]string]`json:"cert_file" typescript:",notnull"`
	`106`	+ClientAuth*DeploymentConfigField[string]`json:"client_auth" typescript:",notnull"`
	`107`	+ClientCAFile*DeploymentConfigField[string]`json:"client_ca_file" typescript:",notnull"`
	`108`	+KeyFiles*DeploymentConfigField[[]string]`json:"key_file" typescript:",notnull"`
	`109`	+MinVersion*DeploymentConfigField[string]`json:"min_version" typescript:",notnull"`
	`110`	+ClientCertFile*DeploymentConfigField[string]`json:"client_cert_file" typescript:",notnull"`
	`111`	+ClientKeyFile*DeploymentConfigField[string]`json:"client_key_file" typescript:",notnull"`
`110`	`112`	`}`
`111`	`113`
`112`	`114`	`typeTraceConfigstruct {`

`‎docs/admin/auth.md`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
@@ -75,6 +75,12 @@ Once complete, run `sudo service coder restart` to reboot Coder.
`75`	`75`
`76`	`76`	>When a new user is created, the`preferred_username` claim becomes the username. If this claim is empty, the email address will be stripped of the domain, and become the username (e.g.`example@coder.com` becomes`example`).
`77`	`77`
	`78`	`+If your OpenID Connect provider requires client TLS certificates for authentication, you can configure them like so:`
	`79`	+```console
	`80`	`+CODER_TLS_CLIENT_CERT_FILE=/path/to/cert.pem`
	`81`	`+CODER_TLS_CLIENT_KEY_FILE=/path/to/key.pem`
	`82`	+```
	`83`	`+`
`78`	`84`	`##SCIM (enterprise)`
`79`	`85`
`80`	`86`	`Coder supports user provisioning and deprovisioning via SCIM 2.0 with header`

`‎scripts/apitypings/main.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ type TypescriptTypes struct {`
`63`	`63`	`// String just combines all the codeblocks.`
`64`	`64`	`func (tTypescriptTypes)String()string {`
`65`	`65`	`vars strings.Builder`
`66`		`-_,_=s.WriteString("// Code generated by 'makecoder/scripts/apitypings/main.go'. DO NOT EDIT.\n\n")`
	`66`	`+_,_=s.WriteString("// Code generated by 'makesite/src/api/typesGenerated.ts'. DO NOT EDIT.\n\n")`
`67`	`67`
`68`	`68`	`sortedTypes:=make([]string,0,len(t.Types))`
`69`	`69`	`sortedEnums:=make([]string,0,len(t.Enums))`

`‎scripts/apitypings/testdata/enums/enums.ts`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-// Code generated by 'makecoder/scripts/apitypings/main.go'. DO NOT EDIT.`
	`1`	`+// Code generated by 'makesite/src/api/typesGenerated.ts'. DO NOT EDIT.`
`2`	`2`
`3`	`3`	`// From codersdk/enums.go`
`4`	`4`	`exporttypeEnum="bar"\|"baz"\|"foo"\|"qux"`

`‎scripts/apitypings/testdata/generics/generics.ts`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-// Code generated by 'makecoder/scripts/apitypings/main.go'. DO NOT EDIT.`
	`1`	`+// Code generated by 'makesite/src/api/typesGenerated.ts'. DO NOT EDIT.`
`2`	`2`
`3`	`3`	`// From codersdk/generics.go`
`4`	`4`	`exportinterfaceComplexGeneric<Cextendscomparable,SextendsSingle,TextendsCustom>{`

`‎site/src/api/typesGenerated.ts`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-// Code generated by 'makecoder/scripts/apitypings/main.go'. DO NOT EDIT.`
	`1`	`+// Code generated by 'makesite/src/api/typesGenerated.ts'. DO NOT EDIT.`
`2`	`2`
`3`	`3`	`// From codersdk/apikey.go`
`4`	`4`	`exportinterfaceAPIKey{`
`@@ -598,6 +598,8 @@ export interface TLSConfig {`
`598`	`598`	`readonlyclient_ca_file:DeploymentConfigField<string>`
`599`	`599`	`readonlykey_file:DeploymentConfigField<string[]>`
`600`	`600`	`readonlymin_version:DeploymentConfigField<string>`
	`601`	`+readonlyclient_cert_file:DeploymentConfigField<string>`
	`602`	`+readonlyclient_key_file:DeploymentConfigField<string>`
`601`	`603`	`}`
`602`	`604`
`603`	`605`	`// From codersdk/deploymentconfig.go`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit9578ce9

File tree

9 files changed

9 files changed

`‎cli/deployment/config.go`

`‎cli/server.go`

`‎cli/testdata/coder_server_--help.golden`

`‎codersdk/deploymentconfig.go`

`‎docs/admin/auth.md`

`‎scripts/apitypings/main.go`

`‎scripts/apitypings/testdata/enums/enums.ts`

`‎scripts/apitypings/testdata/generics/generics.ts`

`‎site/src/api/typesGenerated.ts`

0 commit comments