NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commita14d39f

committed

feat: add best effort revocation of access tokens in OAuth provider

1 parente6b04d1 commita14d39fCopy full SHA for a14d39f

File tree

24 files changed

+635

-65

lines changed

cli
- server.go
- server_test.go
coderd
- apidoc
  - docs.go
  - swagger.json
- coderdtest/oidctest
  - idp.go
- externalauth.go
- externalauth_test.go
- externalauth
  - externalauth.go
  - externalauth_test.go
- promoauth
  - oauth2.go
codersdk
- deployment.go
- deployment_test.go
- externalauth.go
- testdata
  - githubcfg.yaml
docs
- admin/external-auth
  - index.md
- reference/api
site/src
- api
  - api.ts
  - typesGenerated.ts
- pages
  - DeploymentSettingsPage/ExternalAuthSettingsPage
    - ExternalAuthSettingsPageView.stories.tsx
  - UserSettingsPage/ExternalAuthPage
    - ExternalAuthPage.tsx
    - ExternalAuthPageView.tsx
- testHelpers
  - entities.ts

24 files changed

+635

-65

lines changed

`‎cli/server.go‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2692,6 +2692,8 @@ func parseExternalAuthProvidersFromEnv(prefix string, environ []string) ([]coder`
`2692`	`2692`	`provider.AuthURL=v.Value`
`2693`	`2693`	`case"TOKEN_URL":`
`2694`	`2694`	`provider.TokenURL=v.Value`
	`2695`	`+case"REVOKE_URL":`
	`2696`	`+provider.RevokeURL=v.Value`
`2695`	`2697`	`case"VALIDATE_URL":`
`2696`	`2698`	`provider.ValidateURL=v.Value`
`2697`	`2699`	`case"REGEX":`

`‎cli/server_test.go‎`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -76,6 +76,7 @@ func TestReadExternalAuthProvidersFromEnv(t *testing.T) {`
`76`	`76`	`"CODER_EXTERNAL_AUTH_1_CLIENT_SECRET=hunter12",`
`77`	`77`	`"CODER_EXTERNAL_AUTH_1_TOKEN_URL=google.com",`
`78`	`78`	`"CODER_EXTERNAL_AUTH_1_VALIDATE_URL=bing.com",`
	`79`	`+"CODER_EXTERNAL_AUTH_1_REVOKE_URL=revoke.url",`
`79`	`80`	`"CODER_EXTERNAL_AUTH_1_SCOPES=repo:read repo:write",`
`80`	`81`	`"CODER_EXTERNAL_AUTH_1_NO_REFRESH=true",`
`81`	`82`	`"CODER_EXTERNAL_AUTH_1_DISPLAY_NAME=Google",`
`@@ -87,13 +88,15 @@ func TestReadExternalAuthProvidersFromEnv(t *testing.T) {`
`87`	`88`	`// Validate the first provider.`
`88`	`89`	`assert.Equal(t,"1",providers[0].ID)`
`89`	`90`	`assert.Equal(t,"gitlab",providers[0].Type)`
	`91`	`+assert.Equal(t,"",providers[0].RevokeURL)`
`90`	`92`
`91`	`93`	`// Validate the second provider.`
`92`	`94`	`assert.Equal(t,"2",providers[1].ID)`
`93`	`95`	`assert.Equal(t,"sid",providers[1].ClientID)`
`94`	`96`	`assert.Equal(t,"hunter12",providers[1].ClientSecret)`
`95`	`97`	`assert.Equal(t,"google.com",providers[1].TokenURL)`
`96`	`98`	`assert.Equal(t,"bing.com",providers[1].ValidateURL)`
	`99`	`+assert.Equal(t,"revoke.url",providers[1].RevokeURL)`
`97`	`100`	`assert.Equal(t, []string{"repo:read","repo:write"},providers[1].Scopes)`
`98`	`101`	`assert.Equal(t,true,providers[1].NoRefresh)`
`99`	`102`	`assert.Equal(t,"Google",providers[1].DisplayName)`

`‎coderd/apidoc/docs.go‎`

Lines changed: 25 additions & 1 deletion

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apidoc/swagger.json‎`

Lines changed: 23 additions & 1 deletion

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/coderdtest/oidctest/idp.go‎`

Lines changed: 59 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,8 @@ import (`
`46`	`46`	`"github.com/coder/coder/v2/testutil"`
`47`	`47`	`)`
`48`	`48`
	`49`	`+typeHookRevokeTokenFnfunc() (httpStatusint,errerror)`
	`50`	`+`
`49`	`51`	`typetokenstruct {`
`50`	`52`	`issued time.Time`
`51`	`53`	`emailstring`
`@@ -196,9 +198,11 @@ type FakeIDP struct {`
`196`	`198`	`// hookValidRedirectURL can be used to reject a redirect url from the`
`197`	`199`	`// IDP -> Application. Almost all IDPs have the concept of`
`198`	`200`	`// "Authorized Redirect URLs". This can be used to emulate that.`
`199`		`-hookValidRedirectURLfunc(redirectURLstring)error`
`200`		`-hookUserInfofunc(emailstring) (jwt.MapClaims,error)`
`201`		`-hookAccessTokenJWTfunc(emailstring,exp time.Time) jwt.MapClaims`
	`201`	`+hookValidRedirectURLfunc(redirectURLstring)error`
	`202`	`+hookUserInfofunc(emailstring) (jwt.MapClaims,error)`
	`203`	`+hookRevokeTokenHookRevokeTokenFn`
	`204`	`+revokeTokenGitHubFormatbool// GitHub doesn't follow token revocation RFC spec`
	`205`	`+hookAccessTokenJWTfunc(emailstring,exp time.Time) jwt.MapClaims`
`202`	`206`	`// defaultIDClaims is if a new client connects and we didn't preset`
`203`	`207`	`// some claims.`
`204`	`208`	`defaultIDClaims jwt.MapClaims`
`@@ -327,6 +331,19 @@ func WithStaticUserInfo(info jwt.MapClaims) func(*FakeIDP) {`
`327`	`331`	`}`
`328`	`332`	`}`
`329`	`333`
	`334`	`+funcWithRevokeTokenRFC(revokeFuncHookRevokeTokenFn)func(*FakeIDP) {`
	`335`	`+returnfunc(f*FakeIDP) {`
	`336`	`+f.hookRevokeToken=revokeFunc`
	`337`	`+}`
	`338`	`+}`
	`339`	`+`
	`340`	`+funcWithRevokeTokenGitHub(revokeFuncHookRevokeTokenFn)func(*FakeIDP) {`
	`341`	`+returnfunc(f*FakeIDP) {`
	`342`	`+f.hookRevokeToken=revokeFunc`
	`343`	`+f.revokeTokenGitHubFormat=true`
	`344`	`+}`
	`345`	`+}`
	`346`	`+`
`330`	`347`	`funcWithDefaultIDClaims(claims jwt.MapClaims)func(*FakeIDP) {`
`331`	`348`	`returnfunc(f*FakeIDP) {`
`332`	`349`	`f.defaultIDClaims=claims`
`@@ -358,6 +375,7 @@ type With429Arguments struct {`
`358`	`375`	`AuthorizePathbool`
`359`	`376`	`KeysPathbool`
`360`	`377`	`UserInfoPathbool`
	`378`	`+RevokePathbool`
`361`	`379`	`DeviceAuthbool`
`362`	`380`	`DeviceVerifybool`
`363`	`381`	`}`
`@@ -387,6 +405,10 @@ func With429(params With429Arguments) func(*FakeIDP) {`
`387`	`405`	`http.Error(rw,"429, being manually blocked (userinfo)",http.StatusTooManyRequests)`
`388`	`406`	`return`
`389`	`407`	`}`
	`408`	`+ifparams.RevokePath&&strings.Contains(r.URL.Path,revokeTokenPath) {`
	`409`	`+http.Error(rw,"429, being manually blocked (revoke)",http.StatusTooManyRequests)`
	`410`	`+return`
	`411`	`+}`
`390`	`412`	`ifparams.DeviceAuth&&strings.Contains(r.URL.Path,deviceAuth) {`
`391`	`413`	`http.Error(rw,"429, being manually blocked (device-auth)",http.StatusTooManyRequests)`
`392`	`414`	`return`
`@@ -408,8 +430,10 @@ const (`
`408`	`430`	`authorizePath="/oauth2/authorize"`
`409`	`431`	`keysPath="/oauth2/keys"`
`410`	`432`	`userInfoPath="/oauth2/userinfo"`
`411`		`-deviceAuth="/login/device/code"`
`412`		`-deviceVerify="/login/device"`
	`433`	`+// nolint:gosec // It also thinks this is a secret lol`
	`434`	`+revokeTokenPath="/oauth2/revoke"`
	`435`	`+deviceAuth="/login/device/code"`
	`436`	`+deviceVerify="/login/device"`
`413`	`437`	`)`
`414`	`438`
`415`	`439`	`funcNewFakeIDP(t testing.TB,opts...FakeIDPOpt)*FakeIDP {`
`@@ -486,6 +510,7 @@ func (f *FakeIDP) updateIssuerURL(t testing.TB, issuer string) {`
`486`	`510`	`TokenURL:u.ResolveReference(&url.URL{Path:tokenPath}).String(),`
`487`	`511`	`JWKSURL:u.ResolveReference(&url.URL{Path:keysPath}).String(),`
`488`	`512`	`UserInfoURL:u.ResolveReference(&url.URL{Path:userInfoPath}).String(),`
	`513`	`+RevokeURL:u.ResolveReference(&url.URL{Path:revokeTokenPath}).String(),`
`489`	`514`	`DeviceCodeURL:u.ResolveReference(&url.URL{Path:deviceAuth}).String(),`
`490`	`515`	`Algorithms: []string{`
`491`	`516`	`"RS256",`
`@@ -756,6 +781,7 @@ type ProviderJSON struct {`
`756`	`781`	TokenURLstring`json:"token_endpoint"`
`757`	`782`	JWKSURLstring`json:"jwks_uri"`
`758`	`783`	UserInfoURLstring`json:"userinfo_endpoint"`
	`784`	+RevokeURLstring`json:"revocation_endpoint"`
`759`	`785`	DeviceCodeURLstring`json:"device_authorization_endpoint"`
`760`	`786`	Algorithms []string`json:"id_token_signing_alg_values_supported"`
`761`	`787`	`// This is custom`
`@@ -1146,6 +1172,29 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {`
`1146`	`1172`	`_=json.NewEncoder(rw).Encode(claims)`
`1147`	`1173`	`}))`
`1148`	`1174`
	`1175`	`+mux.Handle(revokeTokenPath,http.HandlerFunc(func(rw http.ResponseWriter,r*http.Request) {`
	`1176`	`+iff.revokeTokenGitHubFormat {`
	`1177`	`+u,p,ok:=r.BasicAuth()`
	`1178`	`+if!ok\|\|!(u==f.clientID&&p==f.clientSecret) {`
	`1179`	`+httpError(rw,http.StatusForbidden,xerrors.Errorf("basic auth failed"))`
	`1180`	`+return`
	`1181`	`+}`
	`1182`	`+}else {`
	`1183`	`+_,ok:=validateMW(rw,r)`
	`1184`	`+if!ok {`
	`1185`	`+httpError(rw,http.StatusForbidden,xerrors.Errorf("token validation failed"))`
	`1186`	`+return`
	`1187`	`+}`
	`1188`	`+}`
	`1189`	`+`
	`1190`	`+code,err:=f.hookRevokeToken()`
	`1191`	`+iferr!=nil {`
	`1192`	`+httpError(rw,code,xerrors.Errorf("hook err: %w",err))`
	`1193`	`+return`
	`1194`	`+}`
	`1195`	`+httpapi.Write(r.Context(),rw,code,"")`
	`1196`	`+}))`
	`1197`	`+`
`1149`	`1198`	`// There is almost no difference between this and /userinfo.`
`1150`	`1199`	`// The main tweak is that this route is "mounted" vs "handle" because "/userinfo"`
`1151`	`1200`	`// should be strict, and this one needs to handle sub routes.`
`@@ -1474,12 +1523,16 @@ func (f FakeIDP) ExternalAuthConfig(t testing.TB, id string, custom ExternalAu`
`1474`	`1523`	`DisplayName:id,`
`1475`	`1524`	`InstrumentedOAuth2Config:oauthCfg,`
`1476`	`1525`	`ID:id,`
	`1526`	`+ClientID:f.clientID,`
	`1527`	`+ClientSecret:f.clientSecret,`
`1477`	`1528`	`// No defaults for these fields by omitting the type`
`1478`	`1529`	`Type:"",`
`1479`	`1530`	`DisplayIcon:f.WellknownConfig().UserInfoURL,`
`1480`	`1531`	`// Omit the /user for the validate so we can easily append to it when modifying`
`1481`	`1532`	`// the cfg for advanced tests.`
`1482`		`-ValidateURL:f.locked.IssuerURL().ResolveReference(&url.URL{Path:"/external-auth-validate/"}).String(),`
	`1533`	`+ValidateURL:f.locked.IssuerURL().ResolveReference(&url.URL{Path:"/external-auth-validate/"}).String(),`
	`1534`	`+RevokeURL:f.locked.IssuerURL().ResolveReference(&url.URL{Path:revokeTokenPath}).String(),`
	`1535`	`+RevokeTimeout:1*time.Second,`
`1483`	`1536`	`DeviceAuth:&externalauth.DeviceAuth{`
`1484`	`1537`	`Config:oauthCfg,`
`1485`	`1538`	`ClientID:f.clientID,`

`‎coderd/externalauth.go‎`

Lines changed: 35 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -85,20 +85,37 @@ func (api API) externalAuthByID(w http.ResponseWriter, r http.Request) {`
`85`	`85`	`// @ID delete-external-auth-user-link-by-id`
`86`	`86`	`// @Security CoderSessionToken`
`87`	`87`	`// @Tags Git`
`88`		`-// @Success 200`
	`88`	`+// @Produce json`
`89`	`89`	`// @Param externalauth path string true "Git Provider ID" format(string)`
	`90`	`+// @Success 200 {object} codersdk.DeleteExternalAuthByIDResponse`
`90`	`91`	`// @Router /external-auth/{externalauth} [delete]`
`91`	`92`	`func (apiAPI)deleteExternalAuthByID(w http.ResponseWriter,rhttp.Request) {`
`92`	`93`	`config:=httpmw.ExternalAuthParam(r)`
`93`	`94`	`apiKey:=httpmw.APIKey(r)`
`94`	`95`	`ctx:=r.Context()`
`95`	`96`
`96`		`-err:=api.Database.DeleteExternalAuthLink(ctx, database.DeleteExternalAuthLinkParams{`
	`97`	`+link,err:=api.Database.GetExternalAuthLink(ctx, database.GetExternalAuthLinkParams{`
`97`	`98`	`ProviderID:config.ID,`
`98`	`99`	`UserID:apiKey.UserID,`
`99`	`100`	`})`
`100`	`101`	`iferr!=nil {`
`101`		`-if!errors.Is(err,sql.ErrNoRows) {`
	`102`	`+iferrors.Is(err,sql.ErrNoRows) {`
	`103`	`+httpapi.ResourceNotFound(w)`
	`104`	`+return`
	`105`	`+}`
	`106`	`+httpapi.Write(ctx,w,http.StatusInternalServerError, codersdk.Response{`
	`107`	`+Message:"Failed to get external auth link during deletion.",`
	`108`	`+Detail:err.Error(),`
	`109`	`+})`
	`110`	`+return`
	`111`	`+}`
	`112`	`+`
	`113`	`+err=api.Database.DeleteExternalAuthLink(ctx, database.DeleteExternalAuthLinkParams{`
	`114`	`+ProviderID:config.ID,`
	`115`	`+UserID:apiKey.UserID,`
	`116`	`+})`
	`117`	`+iferr!=nil {`
	`118`	`+iferrors.Is(err,sql.ErrNoRows) {`
`102`	`119`	`httpapi.ResourceNotFound(w)`
`103`	`120`	`return`
`104`	`121`	`}`
`@@ -109,7 +126,13 @@ func (api API) deleteExternalAuthByID(w http.ResponseWriter, r http.Request) {`
`109`	`126`	`return`
`110`	`127`	`}`
`111`	`128`
`112`		`-httpapi.Write(ctx,w,http.StatusOK,"OK")`
	`129`	`+ok,err:=config.RevokeToken(ctx,link)`
	`130`	`+resp:= codersdk.DeleteExternalAuthByIDResponse{TokenRevoked:ok}`
	`131`	`+`
	`132`	`+iferr!=nil {`
	`133`	`+resp.TokenRevocationError=err.Error()`
	`134`	`+}`
	`135`	`+httpapi.Write(ctx,w,http.StatusOK,resp)`
`113`	`136`	`}`
`114`	`137`
`115`	`138`	`// @Summary Post external auth device by ID`
`@@ -394,13 +417,14 @@ func ExternalAuthConfigs(auths []*externalauth.Config) []codersdk.ExternalAuthLi`
`394`	`417`
`395`	`418`	`funcExternalAuthConfig(cfg*externalauth.Config) codersdk.ExternalAuthLinkProvider {`
`396`	`419`	`return codersdk.ExternalAuthLinkProvider{`
`397`		`-ID:cfg.ID,`
`398`		`-Type:cfg.Type,`
`399`		`-Device:cfg.DeviceAuth!=nil,`
`400`		`-DisplayName:cfg.DisplayName,`
`401`		`-DisplayIcon:cfg.DisplayIcon,`
`402`		`-AllowRefresh:!cfg.NoRefresh,`
`403`		`-AllowValidate:cfg.ValidateURL!="",`
	`420`	`+ID:cfg.ID,`
	`421`	`+Type:cfg.Type,`
	`422`	`+Device:cfg.DeviceAuth!=nil,`
	`423`	`+DisplayName:cfg.DisplayName,`
	`424`	`+DisplayIcon:cfg.DisplayIcon,`
	`425`	`+AllowRefresh:!cfg.NoRefresh,`
	`426`	`+AllowValidate:cfg.ValidateURL!="",`
	`427`	`+SupportsRevocation:cfg.RevokeURL!="",`
`404`	`428`	`}`
`405`	`429`	`}`
`406`	`430`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commita14d39f

File tree

24 files changed

24 files changed

`‎cli/server.go‎`

`‎cli/server_test.go‎`

`‎coderd/apidoc/docs.go‎`

`‎coderd/apidoc/swagger.json‎`

`‎coderd/coderdtest/oidctest/idp.go‎`

`‎coderd/externalauth.go‎`

0 commit comments