Jan 11, 2024 · Jan 10, 2024 · Jan 10, 2024 · Jan 10, 2024 · Jan 10, 2024 · Jan 10, 2024
diff --git a/coderd/coderdtest/oidctest/idp.go b/coderd/coderdtest/oidctest/idp.go
 // "Authorized Redirect URLs". This can be used to emulate that.
 hookValidRedirectURL func(redirectURL string) error
 hookUserInfo         func(email string) (jwt.MapClaims, error)
 hookMutateToken      func(token map[string]interface{})
 fakeCoderd           func(req *http.Request) (*http.Response, error)
 hookOnRefresh        func(email string) error
 // defaultIDClaims is if a new client connects and we didn't preset
 // some claims.
 defaultIDClaims jwt.MapClaims
 hookMutateToken func(token map[string]interface{})
 fakeCoderd      func(req *http.Request) (*http.Response, error)
 hookOnRefresh   func(email string) error
 // Custom authentication for the client. This is useful if you want
 // to test something like PKI auth vs a client_secret.
 hookAuthenticateClient func(t testing.TB, req *http.Request) (url.Values, error)
 }
 }

 func WithDefaultIDClaims(claims jwt.MapClaims) func(*FakeIDP) {
 return func(f *FakeIDP) {
 f.defaultIDClaims = claims
 }
 }

 func WithDynamicUserInfo(userInfoFunc func(email string) (jwt.MapClaims, error)) func(*FakeIDP) {
 return func(f *FakeIDP) {
 f.hookUserInfo = userInfoFunc
 // Always invalidate the code after it is used.
 f.codeToStateMap.Delete(code)

 idTokenClaims, ok := f.stateToIDTokenClaims.Load(stateStr)
 idTokenClaims, ok := f.getClaims(f.stateToIDTokenClaims,stateStr)
 if !ok {
 t.Errorf("missing id token claims")
 http.Error(rw, "missing id token claims", http.StatusBadRequest)
 return
 }

 idTokenClaims, ok := f.refreshIDTokenClaims.Load(refreshToken)
 idTokenClaims, ok := f.getClaims(f.refreshIDTokenClaims,refreshToken)
 if !ok {
 t.Errorf("missing id token claims in refresh")
 http.Error(rw, "missing id token claims in refresh", http.StatusBadRequest)
 return cfg
 }

 func (f *FakeIDP) AppCredentials() (string, string) {
 return f.clientID, f.clientSecret
 }

 // OIDCConfig returns the OIDC config to use for Coderd.
 func (f *FakeIDP) OIDCConfig(t testing.TB, scopes []string, opts ...func(cfg *coderd.OIDCConfig)) *coderd.OIDCConfig {
 t.Helper()
 return cfg
 }

 func (f *FakeIDP) getClaims(m *syncmap.Map[string, jwt.MapClaims], key string) (jwt.MapClaims, bool) {
 v, ok := m.Load(key)
 if !ok {
 if f.defaultIDClaims != nil {
 return f.defaultIDClaims, true
 }
 return nil, false
 }
 return v, true
 }

 func httpErrorCode(defaultCode int, err error) int {
 var stautsErr statusHookError
 status := defaultCode
diff --git a/coderd/coderdtest/oidctest/testidp/main.go b/coderd/coderdtest/oidctest/testidp/main.go
 package main

 import (
 "flag"
 "log"
 "os"
 "os/signal"
 "testing"

 "github.com/golang-jwt/jwt/v4"

 "github.com/coder/coder/v2/coderd/coderdtest/oidctest"
 )

 func main() {
 testing.Init()
 _ = flag.Set("test.timeout", "0")

 flag.Parse()

 // This is just a way to run tests outside go test
 testing.Main(func(pat, str string) (bool, error) {
 return true, nil
 }, []testing.InternalTest{
 {
 Name: "Run Fake IDP",
 F:    RunIDP(),
 },
 }, nil, nil)
 }

 // RunIDP needs the testing.T because our oidctest package requires the
 // testing.T.
 func RunIDP() func(t *testing.T) {
 return func(t *testing.T) {
 idp := oidctest.NewFakeIDP(t,
 oidctest.WithServing(),
 oidctest.WithStaticUserInfo(jwt.MapClaims{}),
 oidctest.WithDefaultIDClaims(jwt.MapClaims{}),
 )
 id, sec := idp.AppCredentials()
 prov := idp.WellknownConfig()

 log.Println("IDP Issuer URL", idp.IssuerURL())
 log.Println("Coderd Flags")
 log.Printf(`--external-auth-providers='[{"type":"fake","client_id":"%s","client_secret":"%s","auth_url":"%s","token_url":"%s","validate_url":"%s","scopes":["openid","email","profile"]}]'`,
 id, sec, prov.AuthURL, prov.TokenURL, prov.UserInfoURL,
 )

 log.Println("Press Ctrl+C to exit")
 c := make(chan os.Signal, 1)
 signal.Notify(c, os.Interrupt)
 select {
 case <-c:
 log.Println("Closing")
 }
 }
 }
diff --git a/codersdk/deployment.go b/codersdk/deployment.go
 // Env handling is done in cli.ReadGitAuthFromEnvironment
 Name:        "External Auth Providers",
 Description: "External Authentication providers.",
 // We need extra scrutiny to ensure this works, is documented, and
 // tested before enabling.
 YAML:   "externalAuthProviders",
 Value:  &c.ExternalAuthConfigs,
 Hidden: true,
 YAML:        "externalAuthProviders",
 Flag:        "external-auth-providers",
 Value:       &c.ExternalAuthConfigs,
 Hidden:      true,
 },
 {
 Name:        "Custom wgtunnel Host",
Original file line number	Diff line number	Diff line change
Expand Up		@@ -78,9 +78,12 @@ type FakeIDP struct {
		// "Authorized Redirect URLs". This can be used to emulate that.
		hookValidRedirectURL func(redirectURL string) error
		hookUserInfo func(email string) (jwt.MapClaims, error)
		hookMutateToken func(token map[string]interface{})
		fakeCoderd func(req http.Request) (http.Response, error)
		hookOnRefresh func(email string) error
		// defaultIDClaims is if a new client connects and we didn't preset
		// some claims.
		defaultIDClaims jwt.MapClaims
		hookMutateToken func(token map[string]interface{})
		fakeCoderd func(req http.Request) (http.Response, error)
		hookOnRefresh func(email string) error
		// Custom authentication for the client. This is useful if you want
		// to test something like PKI auth vs a client_secret.
		hookAuthenticateClient func(t testing.TB, req *http.Request) (url.Values, error)
Expand DownExpand Up		@@ -162,6 +165,12 @@ func WithStaticUserInfo(info jwt.MapClaims) func(*FakeIDP) {
		}
		}

		func WithDefaultIDClaims(claims jwt.MapClaims) func(*FakeIDP) {
		return func(f *FakeIDP) {
		f.defaultIDClaims = claims
		}
		}

		func WithDynamicUserInfo(userInfoFunc func(email string) (jwt.MapClaims, error)) func(*FakeIDP) {
		return func(f *FakeIDP) {
		f.hookUserInfo = userInfoFunc
Expand DownExpand Up		@@ -679,7 +688,7 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
		// Always invalidate the code after it is used.
		f.codeToStateMap.Delete(code)

		idTokenClaims, ok := f.stateToIDTokenClaims.Load(stateStr)
		idTokenClaims, ok := f.getClaims(f.stateToIDTokenClaims,stateStr)
		if !ok {
		t.Errorf("missing id token claims")
		http.Error(rw, "missing id token claims", http.StatusBadRequest)
Expand All		@@ -699,7 +708,7 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
		return
		}

		idTokenClaims, ok := f.refreshIDTokenClaims.Load(refreshToken)
		idTokenClaims, ok := f.getClaims(f.refreshIDTokenClaims,refreshToken)
		if !ok {
		t.Errorf("missing id token claims in refresh")
		http.Error(rw, "missing id token claims in refresh", http.StatusBadRequest)
Expand DownExpand Up		@@ -971,6 +980,10 @@ func (f FakeIDP) ExternalAuthConfig(t testing.TB, id string, custom ExternalAu
		return cfg
		}

		func (f *FakeIDP) AppCredentials() (string, string) {
		return f.clientID, f.clientSecret
		}

		// OIDCConfig returns the OIDC config to use for Coderd.
		func (f FakeIDP) OIDCConfig(t testing.TB, scopes []string, opts ...func(cfg coderd.OIDCConfig)) *coderd.OIDCConfig {
		t.Helper()
Expand DownExpand Up		@@ -1023,6 +1036,17 @@ func (f FakeIDP) OIDCConfig(t testing.TB, scopes []string, opts ...func(cfg co
		return cfg
		}

		func (f FakeIDP) getClaims(m syncmap.Map[string, jwt.MapClaims], key string) (jwt.MapClaims, bool) {
		v, ok := m.Load(key)
		if !ok {
		if f.defaultIDClaims != nil {
		return f.defaultIDClaims, true
		}
		return nil, false
		}
		return v, true
		}

		func httpErrorCode(defaultCode int, err error) int {
		var stautsErr statusHookError
		status := defaultCode
Expand Down
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,58 @@
		package main
Copy link Member mafredriJan 10, 2024 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. This could be moved to`cmd/testidp`. I think it would be confusing to have packages that can be built sprinkled within the source tree. Copy link MemberAuthor EmyrkJan 10, 2024 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. Good call 👍

		import (
		"flag"
		"log"
		"os"
		"os/signal"
		"testing"

		"github.com/golang-jwt/jwt/v4"

		"github.com/coder/coder/v2/coderd/coderdtest/oidctest"
		)

		func main() {
		testing.Init()
		_ = flag.Set("test.timeout", "0")

		flag.Parse()

		// This is just a way to run tests outside go test
		testing.Main(func(pat, str string) (bool, error) {
		return true, nil
		}, []testing.InternalTest{
		{
		Name: "Run Fake IDP",
		F: RunIDP(),
		},
		}, nil, nil)
Copy link Member mafredriJan 10, 2024 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. This feels weird, but I understand you did it to use the`oidctest` package 😄, it's also possible to build a test package, typically I'd suggest to implement this that way, but it wouldn't be as easily discoverable as this is (esp. if put in`cmd/`). Copy link MemberAuthor EmyrkJan 10, 2024 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. I felt werid saying`run go test -run="TestRealIDP"` or something. Another idea I had was to just implement the`testing.TB` struct myself and just throw log messages on the Fails(). It's not as trivial as I'd hope though, they have this:https://github.com/golang/go/blob/master/src/testing/testing.go#L899-L902 So I'd have to embed an actual testing.T struct? It just also has it's "jankiness", so just went with this for now.
		}

		// RunIDP needs the testing.T because our oidctest package requires the
		// testing.T.
		func RunIDP() func(t *testing.T) {
		return func(t *testing.T) {
		idp := oidctest.NewFakeIDP(t,
		oidctest.WithServing(),
		oidctest.WithStaticUserInfo(jwt.MapClaims{}),
		oidctest.WithDefaultIDClaims(jwt.MapClaims{}),
		)
		id, sec := idp.AppCredentials()
		prov := idp.WellknownConfig()

		log.Println("IDP Issuer URL", idp.IssuerURL())
		log.Println("Coderd Flags")
		log.Printf(`--external-auth-providers='[{"type":"fake","client_id":"%s","client_secret":"%s","auth_url":"%s","token_url":"%s","validate_url":"%s","scopes":["openid","email","profile"]}]'`,
		id, sec, prov.AuthURL, prov.TokenURL, prov.UserInfoURL,
		)

		log.Println("Press Ctrl+C to exit")
		c := make(chan os.Signal, 1)
		signal.Notify(c, os.Interrupt)
		select {
		case <-c:
		log.Println("Closing")
		}
		}
		}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -1790,11 +1790,10 @@ Write out the current server config as YAML to stdout.`,
		// Env handling is done in cli.ReadGitAuthFromEnvironment
		Name: "External Auth Providers",
		Description: "External Authentication providers.",
		// We need extra scrutiny to ensure this works, is documented, and
		// tested before enabling.
		YAML: "externalAuthProviders",
		Value: &c.ExternalAuthConfigs,
		Hidden: true,
		YAML: "externalAuthProviders",
		Flag: "external-auth-providers",
		Value: &c.ExternalAuthConfigs,
		Hidden: true,
		},
		{
		Name: "Custom wgtunnel Host",
Expand Down