NotificationsYou must be signed in to change notification settings
Fork928
Star10.1k

Commitbe40fa8

committed

feat: Add allowlist of GitHub teams for OAuth

1 parent4f1e9da commitbe40fa8Copy full SHA for be40fa8

File tree

4 files changed

+123

-3

lines changed

cli
- cliflag
  - cliflag.go
- server.go
coderd
- userauth.go
- userauth_test.go

4 files changed

+123

-3

lines changed

`‎cli/cliflag/cliflag.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ func StringArrayVarP(flagset pflag.FlagSet, ptr []string, name string, shortha`
`47`	`47`	`def=strings.Split(val,",")`
`48`	`48`	`}`
`49`	`49`	`}`
`50`		`-flagset.StringArrayVarP(ptr,name,shorthand,def,usage)`
	`50`	`+flagset.StringArrayVarP(ptr,name,shorthand,def,fmtUsage(usage,env))`
`51`	`51`	`}`
`52`	`52`
`53`	`53`	`// Uint8VarP sets a uint8 flag on the given flag set.`

`‎cli/server.go`

Lines changed: 15 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -82,6 +82,7 @@ func server() *cobra.Command {`
`82`	`82`	`oauth2GithubClientIDstring`
`83`	`83`	`oauth2GithubClientSecretstring`
`84`	`84`	`oauth2GithubAllowedOrganizations []string`
	`85`	`+oauth2GithubAllowedTeams []string`
`85`	`86`	`oauth2GithubAllowSignupsbool`
`86`	`87`	`telemetryEnablebool`
`87`	`88`	`telemetryURLstring`
`@@ -264,7 +265,7 @@ func server() *cobra.Command {`
`264`	`265`	`}`
`265`	`266`
`266`	`267`	`ifoauth2GithubClientSecret!="" {`
`267`		`-options.GithubOAuth2Config,err=configureGithubOAuth2(accessURLParsed,oauth2GithubClientID,oauth2GithubClientSecret,oauth2GithubAllowSignups,oauth2GithubAllowedOrganizations)`
	`268`	`+options.GithubOAuth2Config,err=configureGithubOAuth2(accessURLParsed,oauth2GithubClientID,oauth2GithubClientSecret,oauth2GithubAllowSignups,oauth2GithubAllowedOrganizations,oauth2GithubAllowedTeams)`
`268`	`269`	`iferr!=nil {`
`269`	`270`	`returnxerrors.Errorf("configure github oauth2: %w",err)`
`270`	`271`	`}`
`@@ -535,6 +536,8 @@ func server() *cobra.Command {`
`535`	`536`	`"Specifies a client secret to use for oauth2 with GitHub.")`
`536`	`537`	`cliflag.StringArrayVarP(root.Flags(),&oauth2GithubAllowedOrganizations,"oauth2-github-allowed-orgs","","CODER_OAUTH2_GITHUB_ALLOWED_ORGS",nil,`
`537`	`538`	`"Specifies organizations the user must be a member of to authenticate with GitHub.")`
	`539`	`+cliflag.StringArrayVarP(root.Flags(),&oauth2GithubAllowedTeams,"oauth2-github-allowed-teams","","CODER_OAUTH2_GITHUB_ALLOWED_TEAMS",nil,`
	`540`	`+"Specifies teams inside organizations the user must be a member of to authenticate with GitHub. Formatted as: <organization-name>/<team-slug>.")`
`538`	`541`	`cliflag.BoolVarP(root.Flags(),&oauth2GithubAllowSignups,"oauth2-github-allow-signups","","CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS",false,`
`539`	`542`	`"Specifies whether new users can sign up with GitHub.")`
`540`	`543`	`cliflag.BoolVarP(root.Flags(),&telemetryEnable,"telemetry","","CODER_TELEMETRY",true,"Specifies whether telemetry is enabled or not. Coder collects anonymized usage data to help improve our product.")`
`@@ -719,7 +722,7 @@ func configureTLS(listener net.Listener, tlsMinVersion, tlsClientAuth, tlsCertFi`
`719`	`722`	`returntls.NewListener(listener,tlsConfig),nil`
`720`	`723`	`}`
`721`	`724`
`722`		`-funcconfigureGithubOAuth2(accessURLurl.URL,clientID,clientSecretstring,allowSignupsbool,allowOrgs []string) (coderd.GithubOAuth2Config,error) {`
	`725`	`+funcconfigureGithubOAuth2(accessURLurl.URL,clientID,clientSecretstring,allowSignupsbool,allowOrgs []string,allowTeams []string) (coderd.GithubOAuth2Config,error) {`
`723`	`726`	`redirectURL,err:=accessURL.Parse("/api/v2/users/oauth2/github/callback")`
`724`	`727`	`iferr!=nil {`
`725`	`728`	`returnnil,xerrors.Errorf("parse github oauth callback url: %w",err)`
`@@ -738,6 +741,7 @@ func configureGithubOAuth2(accessURL *url.URL, clientID, clientSecret string, al`
`738`	`741`	`},`
`739`	`742`	`AllowSignups:allowSignups,`
`740`	`743`	`AllowOrganizations:allowOrgs,`
	`744`	`+AllowTeams:allowTeams,`
`741`	`745`	`AuthenticatedUser:func(ctx context.Context,clienthttp.Client) (github.User,error) {`
`742`	`746`	`user,_,err:=github.NewClient(client).Users.Get(ctx,"")`
`743`	`747`	`returnuser,err`
`@@ -749,9 +753,18 @@ func configureGithubOAuth2(accessURL *url.URL, clientID, clientSecret string, al`
`749`	`753`	`ListOrganizationMemberships:func(ctx context.Context,clienthttp.Client) ([]github.Membership,error) {`
`750`	`754`	`memberships,_,err:=github.NewClient(client).Organizations.ListOrgMemberships(ctx,&github.ListOrgMembershipsOptions{`
`751`	`755`	`State:"active",`
	`756`	`+ListOptions: github.ListOptions{`
	`757`	`+PerPage:100,`
	`758`	`+},`
`752`	`759`	`})`
`753`	`760`	`returnmemberships,err`
`754`	`761`	`},`
	`762`	`+ListTeams:func(ctx context.Context,clienthttp.Client,orgstring) ([]github.Team,error) {`
	`763`	`+teams,_,err:=github.NewClient(client).Teams.ListTeams(ctx,org,&github.ListOptions{`
	`764`	`+PerPage:100,`
	`765`	`+})`
	`766`	`+returnteams,err`
	`767`	`+},`
`755`	`768`	`},nil`
`756`	`769`	`}`
`757`	`770`

`‎coderd/userauth.go`

Lines changed: 46 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@ import (`
`6`	`6`	`"errors"`
`7`	`7`	`"fmt"`
`8`	`8`	`"net/http"`
	`9`	`+"strings"`
`9`	`10`
`10`	`11`	`"github.com/google/go-github/v43/github"`
`11`	`12`	`"github.com/google/uuid"`
`@@ -23,9 +24,11 @@ type GithubOAuth2Config struct {`
`23`	`24`	`AuthenticatedUserfunc(ctx context.Context,clienthttp.Client) (github.User,error)`
`24`	`25`	`ListEmailsfunc(ctx context.Context,clienthttp.Client) ([]github.UserEmail,error)`
`25`	`26`	`ListOrganizationMembershipsfunc(ctx context.Context,clienthttp.Client) ([]github.Membership,error)`
	`27`	`+ListTeamsfunc(ctx context.Context,clienthttp.Client,orgstring) ([]github.Team,error)`
`26`	`28`
`27`	`29`	`AllowSignupsbool`
`28`	`30`	`AllowOrganizations []string`
	`31`	`+AllowTeams []string`
`29`	`32`	`}`
`30`	`33`
`31`	`34`	`func (apiAPI)userAuthMethods(rw http.ResponseWriter,_http.Request) {`
`@@ -64,6 +67,49 @@ func (api API) userOAuth2Github(rw http.ResponseWriter, r http.Request) {`
`64`	`67`	`return`
`65`	`68`	`}`
`66`	`69`
	`70`	`+// The default if no teams are specified is to allow all.`
	`71`	`+iflen(api.GithubOAuth2Config.AllowTeams)>0 {`
	`72`	`+teams,err:=api.GithubOAuth2Config.ListTeams(r.Context(),oauthClient,*selectedMembership.Organization.Login)`
	`73`	`+iferr!=nil {`
	`74`	`+httpapi.Write(rw,http.StatusInternalServerError, httpapi.Response{`
	`75`	`+Message:"Failed to fetch teams from GitHub.",`
	`76`	`+Detail:err.Error(),`
	`77`	`+})`
	`78`	`+return`
	`79`	`+}`
	`80`	`+`
	`81`	`+varallowedTeam*github.Team`
	`82`	`+for_,team:=rangeteams {`
	`83`	`+for_,organizationAndTeam:=rangeapi.GithubOAuth2Config.AllowTeams {`
	`84`	`+parts:=strings.SplitN(organizationAndTeam,"/",2)`
	`85`	`+iflen(parts)!=2 {`
	`86`	`+httpapi.Write(rw,http.StatusInternalServerError, httpapi.Response{`
	`87`	`+Message:"Team allowlist isn't formatted correctly.",`
	`88`	`+Detail:fmt.Sprintf("Got %s, wanted <organization>/<team>",organizationAndTeam),`
	`89`	`+})`
	`90`	`+return`
	`91`	`+}`
	`92`	`+ifparts[0]!=*selectedMembership.Organization.Login {`
	`93`	`+// This needs to continue because multiple organizations`
	`94`	`+// could exist in the allow/team listings.`
	`95`	`+continue`
	`96`	`+}`
	`97`	`+ifparts[1]!=*team.Slug {`
	`98`	`+continue`
	`99`	`+}`
	`100`	`+allowedTeam=team`
	`101`	`+break`
	`102`	`+}`
	`103`	`+}`
	`104`	`+`
	`105`	`+ifallowedTeam==nil {`
	`106`	`+httpapi.Write(rw,http.StatusUnauthorized, httpapi.Response{`
	`107`	`+Message:fmt.Sprintf("You aren't a member of an authorized team in the %s Github organization!",*selectedMembership.Organization.Login),`
	`108`	`+})`
	`109`	`+return`
	`110`	`+}`
	`111`	`+}`
	`112`	`+`
`67`	`113`	`emails,err:=api.GithubOAuth2Config.ListEmails(r.Context(),oauthClient)`
`68`	`114`	`iferr!=nil {`
`69`	`115`	`httpapi.Write(rw,http.StatusInternalServerError, httpapi.Response{`

`‎coderd/userauth_test.go`

Lines changed: 61 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -73,6 +73,30 @@ func TestUserOAuth2Github(t *testing.T) {`
`73`	`73`	`resp:=oauth2Callback(t,client)`
`74`	`74`	`require.Equal(t,http.StatusUnauthorized,resp.StatusCode)`
`75`	`75`	`})`
	`76`	`+t.Run("NotInAllowedTeam",func(t*testing.T) {`
	`77`	`+t.Parallel()`
	`78`	`+client:=coderdtest.New(t,&coderdtest.Options{`
	`79`	`+GithubOAuth2Config:&coderd.GithubOAuth2Config{`
	`80`	`+AllowOrganizations: []string{"coder"},`
	`81`	`+AllowTeams: []string{"another/something","coder/frontend"},`
	`82`	`+OAuth2Config:&oauth2Config{},`
	`83`	`+ListOrganizationMemberships:func(ctx context.Context,clienthttp.Client) ([]github.Membership,error) {`
	`84`	`+return []*github.Membership{{`
	`85`	`+Organization:&github.Organization{`
	`86`	`+Login:github.String("coder"),`
	`87`	`+},`
	`88`	`+}},nil`
	`89`	`+},`
	`90`	`+ListTeams:func(ctx context.Context,clienthttp.Client,orgstring) ([]github.Team,error) {`
	`91`	`+return []*github.Team{{`
	`92`	`+Slug:github.String("nope"),`
	`93`	`+}},nil`
	`94`	`+},`
	`95`	`+},`
	`96`	`+})`
	`97`	`+resp:=oauth2Callback(t,client)`
	`98`	`+require.Equal(t,http.StatusUnauthorized,resp.StatusCode)`
	`99`	`+})`
`76`	`100`	`t.Run("UnverifiedEmail",func(t*testing.T) {`
`77`	`101`	`t.Parallel()`
`78`	`102`	`client:=coderdtest.New(t,&coderdtest.Options{`
`@@ -184,6 +208,43 @@ func TestUserOAuth2Github(t *testing.T) {`
`184`	`208`	`resp:=oauth2Callback(t,client)`
`185`	`209`	`require.Equal(t,http.StatusTemporaryRedirect,resp.StatusCode)`
`186`	`210`	`})`
	`211`	`+t.Run("SignupAllowedTeam",func(t*testing.T) {`
	`212`	`+t.Parallel()`
	`213`	`+client:=coderdtest.New(t,&coderdtest.Options{`
	`214`	`+GithubOAuth2Config:&coderd.GithubOAuth2Config{`
	`215`	`+AllowSignups:true,`
	`216`	`+AllowOrganizations: []string{"coder"},`
	`217`	`+AllowTeams: []string{"coder/frontend"},`
	`218`	`+OAuth2Config:&oauth2Config{},`
	`219`	`+ListOrganizationMemberships:func(ctx context.Context,clienthttp.Client) ([]github.Membership,error) {`
	`220`	`+return []*github.Membership{{`
	`221`	`+Organization:&github.Organization{`
	`222`	`+Login:github.String("coder"),`
	`223`	`+},`
	`224`	`+}},nil`
	`225`	`+},`
	`226`	`+ListTeams:func(ctx context.Context,clienthttp.Client,orgstring) ([]github.Team,error) {`
	`227`	`+return []*github.Team{{`
	`228`	`+Slug:github.String("frontend"),`
	`229`	`+}},nil`
	`230`	`+},`
	`231`	`+AuthenticatedUser:func(ctx context.Context,clienthttp.Client) (github.User,error) {`
	`232`	`+return&github.User{`
	`233`	`+Login:github.String("kyle"),`
	`234`	`+},nil`
	`235`	`+},`
	`236`	`+ListEmails:func(ctx context.Context,clienthttp.Client) ([]github.UserEmail,error) {`
	`237`	`+return []*github.UserEmail{{`
	`238`	`+Email:github.String("kyle@coder.com"),`
	`239`	`+Verified:github.Bool(true),`
	`240`	`+Primary:github.Bool(true),`
	`241`	`+}},nil`
	`242`	`+},`
	`243`	`+},`
	`244`	`+})`
	`245`	`+resp:=oauth2Callback(t,client)`
	`246`	`+require.Equal(t,http.StatusTemporaryRedirect,resp.StatusCode)`
	`247`	`+})`
`187`	`248`	`}`
`188`	`249`
`189`	`250`	`funcoauth2Callback(ttesting.T,clientcodersdk.Client)*http.Response {`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitbe40fa8

File tree

4 files changed

4 files changed

`‎cli/cliflag/cliflag.go`

`‎cli/server.go`

`‎coderd/userauth.go`

`‎coderd/userauth_test.go`

0 commit comments