Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commita8f6869

Browse files
committed
server
1 parente26e6cb commita8f6869

File tree

2 files changed

+120
-42
lines changed

2 files changed

+120
-42
lines changed

‎cli/server.go‎

Lines changed: 114 additions & 41 deletions
Original file line numberDiff line numberDiff line change
@@ -677,24 +677,6 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
677677
}
678678
}
679679

680-
ifvals.OAuth2.Github.ClientSecret!=""||vals.OAuth2.Github.DeviceFlow.Value() {
681-
options.GithubOAuth2Config,err=configureGithubOAuth2(
682-
oauthInstrument,
683-
vals.AccessURL.Value(),
684-
vals.OAuth2.Github.ClientID.String(),
685-
vals.OAuth2.Github.ClientSecret.String(),
686-
vals.OAuth2.Github.DeviceFlow.Value(),
687-
vals.OAuth2.Github.AllowSignups.Value(),
688-
vals.OAuth2.Github.AllowEveryone.Value(),
689-
vals.OAuth2.Github.AllowedOrgs,
690-
vals.OAuth2.Github.AllowedTeams,
691-
vals.OAuth2.Github.EnterpriseBaseURL.String(),
692-
)
693-
iferr!=nil {
694-
returnxerrors.Errorf("configure github oauth2: %w",err)
695-
}
696-
}
697-
698680
// As OIDC clients can be confidential or public,
699681
// we should only check for a client id being set.
700682
// The underlying library handles the case of no
@@ -782,6 +764,20 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
782764
returnxerrors.Errorf("set deployment id: %w",err)
783765
}
784766

767+
githubOAuth2ConfigParams,err:=getGithubOAuth2ConfigParams(ctx,options.Database,vals)
768+
iferr!=nil {
769+
returnxerrors.Errorf("get github oauth2 config params: %w",err)
770+
}
771+
ifgithubOAuth2ConfigParams!=nil {
772+
options.GithubOAuth2Config,err=configureGithubOAuth2(
773+
oauthInstrument,
774+
githubOAuth2ConfigParams,
775+
)
776+
iferr!=nil {
777+
returnxerrors.Errorf("configure github oauth2: %w",err)
778+
}
779+
}
780+
785781
options.RuntimeConfig=runtimeconfig.NewManager()
786782

787783
// This should be output before the logs start streaming.
@@ -1832,25 +1828,101 @@ func configureCAPool(tlsClientCAFile string, tlsConfig *tls.Config) error {
18321828
returnnil
18331829
}
18341830

1835-
// TODO: convert the argument list to a struct, it's easy to mix up the order of the arguments
1836-
//
1831+
const (
1832+
// Client ID for https://github.com/apps/coder
1833+
GithubOAuth2DefaultProviderClientID="Iv1.6a2b4b4aec4f4fe7"
1834+
GithubOAuth2DefaultProviderAllowEveryone=true
1835+
GithubOAuth2DefaultProviderDeviceFlow=true
1836+
)
1837+
1838+
typegithubOAuth2ConfigParamsstruct {
1839+
accessURL*url.URL
1840+
clientIDstring
1841+
clientSecretstring
1842+
deviceFlowbool
1843+
allowSignupsbool
1844+
allowEveryonebool
1845+
allowOrgs []string
1846+
rawTeams []string
1847+
enterpriseBaseURLstring
1848+
}
1849+
1850+
funcgetGithubOAuth2ConfigParams(ctx context.Context,db database.Store,vals*codersdk.DeploymentValues) (*githubOAuth2ConfigParams,error) {
1851+
params:=githubOAuth2ConfigParams{
1852+
accessURL:vals.AccessURL.Value(),
1853+
clientID:vals.OAuth2.Github.ClientID.String(),
1854+
clientSecret:vals.OAuth2.Github.ClientSecret.String(),
1855+
deviceFlow:vals.OAuth2.Github.DeviceFlow.Value(),
1856+
allowSignups:vals.OAuth2.Github.AllowSignups.Value(),
1857+
allowEveryone:vals.OAuth2.Github.AllowEveryone.Value(),
1858+
allowOrgs:vals.OAuth2.Github.AllowedOrgs.Value(),
1859+
rawTeams:vals.OAuth2.Github.AllowedTeams.Value(),
1860+
enterpriseBaseURL:vals.OAuth2.Github.EnterpriseBaseURL.String(),
1861+
}
1862+
1863+
// If the user manually configured the GitHub OAuth2 provider,
1864+
// we won't add the default configuration.
1865+
ifparams.clientID!=""||params.clientSecret!=""||params.enterpriseBaseURL!="" {
1866+
return&params,nil
1867+
}
1868+
1869+
// Check if the user manually disabled the default GitHub OAuth2 provider.
1870+
if!vals.OAuth2.Github.DefaultProviderEnable.Value() {
1871+
returnnil,nil//nolint:nilnil
1872+
}
1873+
1874+
// Check if the deployment is eligible for the default GitHub OAuth2 provider.
1875+
// We want to enable it only for new deployments, and avoid enabling it
1876+
// if a deployment was upgraded from an older version.
1877+
// nolint:gocritic // Requires system privileges
1878+
defaultEligible,err:=db.GetOAuth2GithubDefaultEligible(dbauthz.AsSystemRestricted(ctx))
1879+
iferr!=nil&&!errors.Is(err,sql.ErrNoRows) {
1880+
returnnil,xerrors.Errorf("get github default eligible: %w",err)
1881+
}
1882+
defaultEligibleNotSet:=errors.Is(err,sql.ErrNoRows)
1883+
1884+
ifdefaultEligibleNotSet {
1885+
// nolint:gocritic // User count requires system privileges
1886+
userCount,err:=db.GetUserCount(dbauthz.AsSystemRestricted(ctx))
1887+
iferr!=nil {
1888+
returnnil,xerrors.Errorf("get user count: %w",err)
1889+
}
1890+
// We check if a deployment is new by checking if it has any users.
1891+
defaultEligible=userCount==0
1892+
// nolint:gocritic // Requires system privileges
1893+
iferr:=db.UpsertOAuth2GithubDefaultEligible(dbauthz.AsSystemRestricted(ctx),defaultEligible);err!=nil {
1894+
returnnil,xerrors.Errorf("upsert github default eligible: %w",err)
1895+
}
1896+
}
1897+
1898+
if!defaultEligible {
1899+
returnnil,nil//nolint:nilnil
1900+
}
1901+
1902+
params.clientID=GithubOAuth2DefaultProviderClientID
1903+
params.allowEveryone=GithubOAuth2DefaultProviderAllowEveryone
1904+
params.deviceFlow=GithubOAuth2DefaultProviderDeviceFlow
1905+
1906+
return&params,nil
1907+
}
1908+
18371909
//nolint:revive // Ignore flag-parameter: parameter 'allowEveryone' seems to be a control flag, avoid control coupling (revive)
1838-
funcconfigureGithubOAuth2(instrument*promoauth.Factory,accessURL*url.URL,clientID,clientSecretstring,deviceFlow,allowSignups,allowEveryonebool,allowOrgs []string,rawTeams []string,enterpriseBaseURLstring) (*coderd.GithubOAuth2Config,error) {
1839-
redirectURL,err:=accessURL.Parse("/api/v2/users/oauth2/github/callback")
1910+
funcconfigureGithubOAuth2(instrument*promoauth.Factory,params*githubOAuth2ConfigParams) (*coderd.GithubOAuth2Config,error) {
1911+
redirectURL,err:=params.accessURL.Parse("/api/v2/users/oauth2/github/callback")
18401912
iferr!=nil {
18411913
returnnil,xerrors.Errorf("parse github oauth callback url: %w",err)
18421914
}
1843-
ifallowEveryone&&len(allowOrgs)>0 {
1915+
ifparams.allowEveryone&&len(params.allowOrgs)>0 {
18441916
returnnil,xerrors.New("allow everyone and allowed orgs cannot be used together")
18451917
}
1846-
ifallowEveryone&&len(rawTeams)>0 {
1918+
ifparams.allowEveryone&&len(params.rawTeams)>0 {
18471919
returnnil,xerrors.New("allow everyone and allowed teams cannot be used together")
18481920
}
1849-
if!allowEveryone&&len(allowOrgs)==0 {
1921+
if!params.allowEveryone&&len(params.allowOrgs)==0 {
18501922
returnnil,xerrors.New("allowed orgs is empty: must specify at least one org or allow everyone")
18511923
}
1852-
allowTeams:=make([]coderd.GithubOAuth2Team,0,len(rawTeams))
1853-
for_,rawTeam:=rangerawTeams {
1924+
allowTeams:=make([]coderd.GithubOAuth2Team,0,len(params.rawTeams))
1925+
for_,rawTeam:=rangeparams.rawTeams {
18541926
parts:=strings.SplitN(rawTeam,"/",2)
18551927
iflen(parts)!=2 {
18561928
returnnil,xerrors.Errorf("github team allowlist is formatted incorrectly. got %s; wanted <organization>/<team>",rawTeam)
@@ -1862,8 +1934,8 @@ func configureGithubOAuth2(instrument *promoauth.Factory, accessURL *url.URL, cl
18621934
}
18631935

18641936
endpoint:=xgithub.Endpoint
1865-
ifenterpriseBaseURL!="" {
1866-
enterpriseURL,err:=url.Parse(enterpriseBaseURL)
1937+
ifparams.enterpriseBaseURL!="" {
1938+
enterpriseURL,err:=url.Parse(params.enterpriseBaseURL)
18671939
iferr!=nil {
18681940
returnnil,xerrors.Errorf("parse enterprise base url: %w",err)
18691941
}
@@ -1882,8 +1954,8 @@ func configureGithubOAuth2(instrument *promoauth.Factory, accessURL *url.URL, cl
18821954
}
18831955

18841956
instrumentedOauth:=instrument.NewGithub("github-login",&oauth2.Config{
1885-
ClientID:clientID,
1886-
ClientSecret:clientSecret,
1957+
ClientID:params.clientID,
1958+
ClientSecret:params.clientSecret,
18871959
Endpoint:endpoint,
18881960
RedirectURL:redirectURL.String(),
18891961
Scopes: []string{
@@ -1895,17 +1967,17 @@ func configureGithubOAuth2(instrument *promoauth.Factory, accessURL *url.URL, cl
18951967

18961968
createClient:=func(client*http.Client,source promoauth.Oauth2Source) (*github.Client,error) {
18971969
client=instrumentedOauth.InstrumentHTTPClient(client,source)
1898-
ifenterpriseBaseURL!="" {
1899-
returngithub.NewEnterpriseClient(enterpriseBaseURL,"",client)
1970+
ifparams.enterpriseBaseURL!="" {
1971+
returngithub.NewEnterpriseClient(params.enterpriseBaseURL,"",client)
19001972
}
19011973
returngithub.NewClient(client),nil
19021974
}
19031975

19041976
vardeviceAuth*externalauth.DeviceAuth
1905-
ifdeviceFlow {
1977+
ifparams.deviceFlow {
19061978
deviceAuth=&externalauth.DeviceAuth{
19071979
Config:instrumentedOauth,
1908-
ClientID:clientID,
1980+
ClientID:params.clientID,
19091981
TokenURL:endpoint.TokenURL,
19101982
Scopes: []string{"read:user","read:org","user:email"},
19111983
CodeURL:endpoint.DeviceAuthURL,
@@ -1914,9 +1986,9 @@ func configureGithubOAuth2(instrument *promoauth.Factory, accessURL *url.URL, cl
19141986

19151987
return&coderd.GithubOAuth2Config{
19161988
OAuth2Config:instrumentedOauth,
1917-
AllowSignups:allowSignups,
1918-
AllowEveryone:allowEveryone,
1919-
AllowOrganizations:allowOrgs,
1989+
AllowSignups:params.allowSignups,
1990+
AllowEveryone:params.allowEveryone,
1991+
AllowOrganizations:params.allowOrgs,
19201992
AllowTeams:allowTeams,
19211993
AuthenticatedUser:func(ctx context.Context,client*http.Client) (*github.User,error) {
19221994
api,err:=createClient(client,promoauth.SourceGitAPIAuthUser)
@@ -1955,19 +2027,20 @@ func configureGithubOAuth2(instrument *promoauth.Factory, accessURL *url.URL, cl
19552027
team,_,err:=api.Teams.GetTeamMembershipBySlug(ctx,org,teamSlug,username)
19562028
returnteam,err
19572029
},
1958-
DeviceFlowEnabled:deviceFlow,
2030+
DeviceFlowEnabled:params.deviceFlow,
19592031
ExchangeDeviceCode:func(ctx context.Context,deviceCodestring) (*oauth2.Token,error) {
1960-
if!deviceFlow {
2032+
if!params.deviceFlow {
19612033
returnnil,xerrors.New("device flow is not enabled")
19622034
}
19632035
returndeviceAuth.ExchangeDeviceCode(ctx,deviceCode)
19642036
},
19652037
AuthorizeDevice:func(ctx context.Context) (*codersdk.ExternalAuthDevice,error) {
1966-
if!deviceFlow {
2038+
if!params.deviceFlow {
19672039
returnnil,xerrors.New("device flow is not enabled")
19682040
}
19692041
returndeviceAuth.AuthorizeDevice(ctx)
19702042
},
2043+
DefaultProviderConfigured:params.clientID==GithubOAuth2DefaultProviderClientID,
19712044
},nil
19722045
}
19732046

‎coderd/userauth.go‎

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -757,6 +757,8 @@ type GithubOAuth2Config struct {
757757
AllowEveryonebool
758758
AllowOrganizations []string
759759
AllowTeams []GithubOAuth2Team
760+
761+
DefaultProviderConfiguredbool
760762
}
761763

762764
func (c*GithubOAuth2Config)Exchange(ctx context.Context,codestring,opts...oauth2.AuthCodeOption) (*oauth2.Token,error) {
@@ -798,7 +800,10 @@ func (api *API) userAuthMethods(rw http.ResponseWriter, r *http.Request) {
798800
Password: codersdk.AuthMethod{
799801
Enabled:!api.DeploymentValues.DisablePasswordAuth.Value(),
800802
},
801-
Github: codersdk.AuthMethod{Enabled:api.GithubOAuth2Config!=nil},
803+
Github: codersdk.GithubAuthMethod{
804+
Enabled:api.GithubOAuth2Config!=nil,
805+
DefaultProviderConfigured:api.GithubOAuth2Config!=nil&&api.GithubOAuth2Config.DefaultProviderConfigured,
806+
},
802807
OIDC: codersdk.OIDCAuthMethod{
803808
AuthMethod: codersdk.AuthMethod{Enabled:api.OIDCConfig!=nil},
804809
SignInText:signInText,

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp