NotificationsYou must be signed in to change notification settings
Fork928
Star10.1k

Commitfd4954b

authored

fix: Use membership endpoint to ensure user exists in team (#3129)

This was using the incorrect GitHub endpoint prior, which fetched a teamby slug. Any user in a GitHub organization can view all teams, so thisdidn't block signups like intended.I've verified this API returns an error when the calling user is not amember of the team requested.Fixes#3105.

1 parent471564d commitfd4954bCopy full SHA for fd4954b

File tree

3 files changed

+22

-16

lines changed

cli
- server.go
coderd
- userauth.go
- userauth_test.go

3 files changed

+22

-16

lines changed

`‎cli/server.go`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -796,8 +796,8 @@ func configureGithubOAuth2(accessURL *url.URL, clientID, clientSecret string, al`
`796`	`796`	`})`
`797`	`797`	`returnmemberships,err`
`798`	`798`	`},`
`799`		`-Team:func(ctx context.Context,clienthttp.Client,org,teamSlugstring) (github.Team,error) {`
`800`		`-team,_,err:=github.NewClient(client).Teams.GetTeamBySlug(ctx,org,teamSlug)`
	`799`	`+TeamMembership:func(ctx context.Context,clienthttp.Client,org,teamSlug,usernamestring) (github.Membership,error) {`
	`800`	`+team,_,err:=github.NewClient(client).Teams.GetTeamMembershipBySlug(ctx,org,teamSlug,username)`
`801`	`801`	`returnteam,err`
`802`	`802`	`},`
`803`	`803`	`},nil`

`‎coderd/userauth.go`

Lines changed: 12 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@ type GithubOAuth2Config struct {`
`29`	`29`	`AuthenticatedUserfunc(ctx context.Context,clienthttp.Client) (github.User,error)`
`30`	`30`	`ListEmailsfunc(ctx context.Context,clienthttp.Client) ([]github.UserEmail,error)`
`31`	`31`	`ListOrganizationMembershipsfunc(ctx context.Context,clienthttp.Client) ([]github.Membership,error)`
`32`		`-Teamfunc(ctx context.Context,clienthttp.Client,org,teamstring) (github.Team,error)`
	`32`	`+TeamMembershipfunc(ctx context.Context,clienthttp.Client,org,team,usernamestring) (github.Membership,error)`
`33`	`33`
`34`	`34`	`AllowSignupsbool`
`35`	`35`	`AllowOrganizations []string`
`@@ -72,17 +72,26 @@ func (api API) userOAuth2Github(rw http.ResponseWriter, r http.Request) {`
`72`	`72`	`return`
`73`	`73`	`}`
`74`	`74`
	`75`	`+ghUser,err:=api.GithubOAuth2Config.AuthenticatedUser(r.Context(),oauthClient)`
	`76`	`+iferr!=nil {`
	`77`	`+httpapi.Write(rw,http.StatusInternalServerError, codersdk.Response{`
	`78`	`+Message:"Internal error fetching authenticated Github user.",`
	`79`	`+Detail:err.Error(),`
	`80`	`+})`
	`81`	`+return`
	`82`	`+}`
	`83`	`+`
`75`	`84`	`// The default if no teams are specified is to allow all.`
`76`	`85`	`iflen(api.GithubOAuth2Config.AllowTeams)>0 {`
`77`		`-varallowedTeam*github.Team`
	`86`	`+varallowedTeam*github.Membership`
`78`	`87`	`for_,allowTeam:=rangeapi.GithubOAuth2Config.AllowTeams {`
`79`	`88`	`ifallowTeam.Organization!=*selectedMembership.Organization.Login {`
`80`	`89`	`// This needs to continue because multiple organizations`
`81`	`90`	`// could exist in the allow/team listings.`
`82`	`91`	`continue`
`83`	`92`	`}`
`84`	`93`
`85`		`-allowedTeam,err=api.GithubOAuth2Config.Team(r.Context(),oauthClient,allowTeam.Organization,allowTeam.Slug)`
	`94`	`+allowedTeam,err=api.GithubOAuth2Config.TeamMembership(r.Context(),oauthClient,allowTeam.Organization,allowTeam.Slug,*ghUser.Login)`
`86`	`95`	`// The calling user may not have permission to the requested team!`
`87`	`96`	`iferr!=nil {`
`88`	`97`	`continue`
`@@ -151,14 +160,6 @@ func (api API) userOAuth2Github(rw http.ResponseWriter, r http.Request) {`
`151`	`160`	`// email to organization.`
`152`	`161`	`organizationID=organizations[0].ID`
`153`	`162`	`}`
`154`		`-ghUser,err:=api.GithubOAuth2Config.AuthenticatedUser(r.Context(),oauthClient)`
`155`		`-iferr!=nil {`
`156`		`-httpapi.Write(rw,http.StatusInternalServerError, codersdk.Response{`
`157`		`-Message:"Internal error fetching authenticated Github user.",`
`158`		`-Detail:err.Error(),`
`159`		`-})`
`160`		`-return`
`161`		`-}`
`162`	`163`	`varverifiedEmail*github.UserEmail`
`163`	`164`	`for_,email:=rangeemails {`
`164`	`165`	`if!email.GetPrimary()\|\|!email.GetVerified() {`

`‎coderd/userauth_test.go`

Lines changed: 8 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -88,7 +88,12 @@ func TestUserOAuth2Github(t *testing.T) {`
`88`	`88`	`},`
`89`	`89`	`}},nil`
`90`	`90`	`},`
`91`		`-Team:func(ctx context.Context,clienthttp.Client,org,teamstring) (github.Team,error) {`
	`91`	`+AuthenticatedUser:func(ctx context.Context,clienthttp.Client) (github.User,error) {`
	`92`	`+return&github.User{`
	`93`	`+Login:github.String("kyle"),`
	`94`	`+},nil`
	`95`	`+},`
	`96`	`+TeamMembership:func(ctx context.Context,clienthttp.Client,org,team,usernamestring) (github.Membership,error) {`
`92`	`97`	`returnnil,xerrors.New("no perms")`
`93`	`98`	`},`
`94`	`99`	`},`
`@@ -222,8 +227,8 @@ func TestUserOAuth2Github(t *testing.T) {`
`222`	`227`	`},`
`223`	`228`	`}},nil`
`224`	`229`	`},`
`225`		`-Team:func(ctx context.Context,clienthttp.Client,org,teamstring) (github.Team,error) {`
`226`		`-return&github.Team{},nil`
	`230`	`+TeamMembership:func(ctx context.Context,clienthttp.Client,org,team,usernamestring) (github.Membership,error) {`
	`231`	`+return&github.Membership{},nil`
`227`	`232`	`},`
`228`	`233`	`AuthenticatedUser:func(ctx context.Context,clienthttp.Client) (github.User,error) {`
`229`	`234`	`return&github.User{`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitfd4954b

File tree

3 files changed

3 files changed

`‎cli/server.go`

`‎coderd/userauth.go`

`‎coderd/userauth_test.go`

0 commit comments