Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitc59f6f8

Browse files
committed
backend changes
1 parentbe8cca1 commitc59f6f8

File tree

2 files changed

+50
-22
lines changed

2 files changed

+50
-22
lines changed

‎coderd/userauth.go

Lines changed: 32 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -27,6 +27,7 @@ import (
2727
"github.com/coder/coder/v2/coderd/cryptokeys"
2828
"github.com/coder/coder/v2/coderd/idpsync"
2929
"github.com/coder/coder/v2/coderd/jwtutils"
30+
"github.com/coder/coder/v2/coderd/telemetry"
3031
"github.com/coder/coder/v2/coderd/util/ptr"
3132

3233
"github.com/coder/coder/v2/coderd/apikey"
@@ -1046,6 +1047,10 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
10461047
deferparams.CommitAuditLogs()
10471048
iferr!=nil {
10481049
ifhttpErr:=idpsync.IsHTTPError(err);httpErr!=nil {
1050+
// In the device flow, the error page is rendered client-side.
1051+
ifapi.GithubOAuth2Config.DeviceFlowEnabled&&httpErr.RenderStaticPage {
1052+
httpErr.RenderStaticPage=false
1053+
}
10491054
httpErr.Write(rw,r)
10501055
return
10511056
}
@@ -1573,7 +1578,17 @@ func (api *API) oauthLogin(r *http.Request, params *oauthLoginParams) ([]*http.C
15731578
isConvertLoginType=true
15741579
}
15751580

1576-
ifuser.ID==uuid.Nil&&!params.AllowSignups {
1581+
// nolint:gocritic // Getting user count is a system function.
1582+
userCount,err:=tx.GetUserCount(dbauthz.AsSystemRestricted(ctx))
1583+
iferr!=nil {
1584+
returnxerrors.Errorf("unable to fetch user count: %w",err)
1585+
}
1586+
1587+
// Allow the first user to sign up with OIDC, regardless of
1588+
// whether signups are enabled or not.
1589+
allowSignup:=userCount==0||params.AllowSignups
1590+
1591+
ifuser.ID==uuid.Nil&&!allowSignup {
15771592
signupsDisabledText:="Please contact your Coder administrator to request access."
15781593
ifapi.OIDCConfig!=nil&&api.OIDCConfig.SignupsDisabledText!="" {
15791594
signupsDisabledText=render.HTMLFromMarkdown(api.OIDCConfig.SignupsDisabledText)
@@ -1634,6 +1649,12 @@ func (api *API) oauthLogin(r *http.Request, params *oauthLoginParams) ([]*http.C
16341649
returnxerrors.Errorf("unable to fetch default organization: %w",err)
16351650
}
16361651

1652+
rbacRoles:= []string{}
1653+
// If this is the first user, add the owner role.
1654+
ifuserCount==0 {
1655+
rbacRoles=append(rbacRoles,rbac.RoleOwner().String())
1656+
}
1657+
16371658
//nolint:gocritic
16381659
user,err=api.CreateUser(dbauthz.AsSystemRestricted(ctx),tx,CreateUserRequest{
16391660
CreateUserRequestWithOrgs: codersdk.CreateUserRequestWithOrgs{
@@ -1648,10 +1669,20 @@ func (api *API) oauthLogin(r *http.Request, params *oauthLoginParams) ([]*http.C
16481669
},
16491670
LoginType:params.LoginType,
16501671
accountCreatorName:"oauth",
1672+
RBACRoles:rbacRoles,
16511673
})
16521674
iferr!=nil {
16531675
returnxerrors.Errorf("create user: %w",err)
16541676
}
1677+
1678+
ifuserCount==0 {
1679+
telemetryUser:=telemetry.ConvertUser(user)
1680+
// The email is not anonymized for the first user.
1681+
telemetryUser.Email=&user.Email
1682+
api.Telemetry.Report(&telemetry.Snapshot{
1683+
Users: []telemetry.User{telemetryUser},
1684+
})
1685+
}
16551686
}
16561687

16571688
// Activate dormant user on sign-in

‎coderd/users.go

Lines changed: 18 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -118,6 +118,8 @@ func (api *API) firstUser(rw http.ResponseWriter, r *http.Request) {
118118
// @Success 201 {object} codersdk.CreateFirstUserResponse
119119
// @Router /users/first [post]
120120
func (api*API)postFirstUser(rw http.ResponseWriter,r*http.Request) {
121+
// The first user can also be created via oidc, so if making changes to the flow,
122+
// ensure that the oidc flow is also updated.
121123
ctx:=r.Context()
122124
varcreateUser codersdk.CreateFirstUserRequest
123125
if!httpapi.Read(ctx,rw,r,&createUser) {
@@ -198,6 +200,7 @@ func (api *API) postFirstUser(rw http.ResponseWriter, r *http.Request) {
198200
OrganizationIDs: []uuid.UUID{defaultOrg.ID},
199201
},
200202
LoginType:database.LoginTypePassword,
203+
RBACRoles: []string{rbac.RoleOwner().String()},
201204
accountCreatorName:"coder",
202205
})
203206
iferr!=nil {
@@ -225,23 +228,6 @@ func (api *API) postFirstUser(rw http.ResponseWriter, r *http.Request) {
225228
Users: []telemetry.User{telemetryUser},
226229
})
227230

228-
// TODO: @emyrk this currently happens outside the database tx used to create
229-
// the user. Maybe I add this ability to grant roles in the createUser api
230-
//and add some rbac bypass when calling api functions this way??
231-
// Add the admin role to this first user.
232-
//nolint:gocritic // needed to create first user
233-
_,err=api.Database.UpdateUserRoles(dbauthz.AsSystemRestricted(ctx), database.UpdateUserRolesParams{
234-
GrantedRoles: []string{rbac.RoleOwner().String()},
235-
ID:user.ID,
236-
})
237-
iferr!=nil {
238-
httpapi.Write(ctx,rw,http.StatusInternalServerError, codersdk.Response{
239-
Message:"Internal error updating user's roles.",
240-
Detail:err.Error(),
241-
})
242-
return
243-
}
244-
245231
httpapi.Write(ctx,rw,http.StatusCreated, codersdk.CreateFirstUserResponse{
246232
UserID:user.ID,
247233
OrganizationID:defaultOrg.ID,
@@ -1345,6 +1331,7 @@ type CreateUserRequest struct {
13451331
LoginType database.LoginType
13461332
SkipNotificationsbool
13471333
accountCreatorNamestring
1334+
RBACRoles []string
13481335
}
13491336

13501337
func (api*API)CreateUser(ctx context.Context,store database.Store,reqCreateUserRequest) (database.User,error) {
@@ -1354,6 +1341,13 @@ func (api *API) CreateUser(ctx context.Context, store database.Store, req Create
13541341
return database.User{},xerrors.Errorf("invalid username %q: %w",req.Username,usernameValid)
13551342
}
13561343

1344+
// If the caller didn't specify rbac roles, default to
1345+
// a member of the site.
1346+
rbacRoles:= []string{}
1347+
ifreq.RBACRoles!=nil {
1348+
rbacRoles=req.RBACRoles
1349+
}
1350+
13571351
varuser database.User
13581352
err:=store.InTx(func(tx database.Store)error {
13591353
orgRoles:=make([]string,0)
@@ -1370,10 +1364,9 @@ func (api *API) CreateUser(ctx context.Context, store database.Store, req Create
13701364
CreatedAt:dbtime.Now(),
13711365
UpdatedAt:dbtime.Now(),
13721366
HashedPassword: []byte{},
1373-
// All new users are defaulted to members of the site.
1374-
RBACRoles: []string{},
1375-
LoginType:req.LoginType,
1376-
Status:status,
1367+
RBACRoles:rbacRoles,
1368+
LoginType:req.LoginType,
1369+
Status:status,
13771370
}
13781371
// If a user signs up with OAuth, they can have no password!
13791372
ifreq.Password!="" {
@@ -1431,6 +1424,10 @@ func (api *API) CreateUser(ctx context.Context, store database.Store, req Create
14311424
}
14321425

14331426
for_,u:=rangeuserAdmins {
1427+
ifu.ID==user.ID {
1428+
// If the new user is an admin, don't notify them about themselves.
1429+
continue
1430+
}
14341431
if_,err:=api.NotificationsEnqueuer.EnqueueWithData(
14351432
// nolint:gocritic // Need notifier actor to enqueue notifications
14361433
dbauthz.AsNotifier(ctx),

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp