feat: Add allowlist of GitHub teams for OAuth#2849

Merged
kylecarbs merged 3 commits intomainfromgithubteams
Jul 9, 2022
Merged
2 changes: 1 addition & 1 deletioncli/cliflag/cliflag.go
Expand Up@@ -47,7 +47,7 @@ func StringArrayVarP(flagset *pflag.FlagSet, ptr *[]string, name string, shortha
def=strings.Split(val,",")
}
}
flagset.StringArrayVarP(ptr,name,shorthand,def,usage)
flagset.StringArrayVarP(ptr,name,shorthand,def,fmtUsage(usage,env))
}

// Uint8VarP sets a uint8 flag on the given flag set.
28 changes: 26 additions & 2 deletionscli/server.go
Expand Up@@ -82,6 +82,7 @@ func server() *cobra.Command {
oauth2GithubClientIDstring
oauth2GithubClientSecretstring
oauth2GithubAllowedOrganizations []string
oauth2GithubAllowedTeams []string
oauth2GithubAllowSignupsbool
telemetryEnablebool
telemetryURLstring
Expand DownExpand Up@@ -264,7 +265,7 @@ func server() *cobra.Command {
}

ifoauth2GithubClientSecret!="" {
options.GithubOAuth2Config,err=configureGithubOAuth2(accessURLParsed,oauth2GithubClientID,oauth2GithubClientSecret,oauth2GithubAllowSignups,oauth2GithubAllowedOrganizations)
options.GithubOAuth2Config,err=configureGithubOAuth2(accessURLParsed,oauth2GithubClientID,oauth2GithubClientSecret,oauth2GithubAllowSignups,oauth2GithubAllowedOrganizations,oauth2GithubAllowedTeams)
iferr!=nil {
returnxerrors.Errorf("configure github oauth2: %w",err)
}
Expand DownExpand Up@@ -535,6 +536,8 @@ func server() *cobra.Command {
"Specifies a client secret to use for oauth2 with GitHub.")
cliflag.StringArrayVarP(root.Flags(),&oauth2GithubAllowedOrganizations,"oauth2-github-allowed-orgs","","CODER_OAUTH2_GITHUB_ALLOWED_ORGS",nil,
"Specifies organizations the user must be a member of to authenticate with GitHub.")
cliflag.StringArrayVarP(root.Flags(),&oauth2GithubAllowedTeams,"oauth2-github-allowed-teams","","CODER_OAUTH2_GITHUB_ALLOWED_TEAMS",nil,
"Specifies teams inside organizations the user must be a member of to authenticate with GitHub. Formatted as: <organization-name>/<team-slug>.")
cliflag.BoolVarP(root.Flags(),&oauth2GithubAllowSignups,"oauth2-github-allow-signups","","CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS",false,
"Specifies whether new users can sign up with GitHub.")
cliflag.BoolVarP(root.Flags(),&telemetryEnable,"telemetry","","CODER_TELEMETRY",true,"Specifies whether telemetry is enabled or not. Coder collects anonymized usage data to help improve our product.")
Expand DownExpand Up@@ -719,11 +722,22 @@ func configureTLS(listener net.Listener, tlsMinVersion, tlsClientAuth, tlsCertFi
returntls.NewListener(listener,tlsConfig),nil
}

funcconfigureGithubOAuth2(accessURL*url.URL,clientID,clientSecretstring,allowSignupsbool,allowOrgs []string) (*coderd.GithubOAuth2Config,error) {
funcconfigureGithubOAuth2(accessURL*url.URL,clientID,clientSecretstring,allowSignupsbool,allowOrgs []string,rawTeams []string) (*coderd.GithubOAuth2Config,error) {
redirectURL,err:=accessURL.Parse("/api/v2/users/oauth2/github/callback")
iferr!=nil {
returnnil,xerrors.Errorf("parse github oauth callback url: %w",err)
}
allowTeams:=make([]coderd.GithubOAuth2Team,0,len(rawTeams))
for_,rawTeam:=rangerawTeams {
parts:=strings.SplitN(rawTeam,"/",2)
iflen(parts)!=2 {
returnnil,xerrors.Errorf("github team allowlist is formatted incorrectly. got %s; wanted <organization>/<team>",rawTeam)
}
allowTeams=append(allowTeams, coderd.GithubOAuth2Team{
Organization:parts[0],
Slug:parts[1],
})
}
return&coderd.GithubOAuth2Config{
OAuth2Config:&oauth2.Config{
ClientID:clientID,
Expand All@@ -738,6 +752,7 @@ func configureGithubOAuth2(accessURL *url.URL, clientID, clientSecret string, al
},
AllowSignups:allowSignups,
AllowOrganizations:allowOrgs,
AllowTeams:allowTeams,
AuthenticatedUser:func(ctx context.Context,client*http.Client) (*github.User,error) {
user,_,err:=github.NewClient(client).Users.Get(ctx,"")
returnuser,err
Expand All@@ -749,9 +764,18 @@ func configureGithubOAuth2(accessURL *url.URL, clientID, clientSecret string, al
ListOrganizationMemberships:func(ctx context.Context,client*http.Client) ([]*github.Membership,error) {
memberships,_,err:=github.NewClient(client).Organizations.ListOrgMemberships(ctx,&github.ListOrgMembershipsOptions{
State:"active",
ListOptions: github.ListOptions{
PerPage:100,
},
})
returnmemberships,err
},
ListTeams:func(ctx context.Context,client*http.Client,orgstring) ([]*github.Team,error) {
teams,_,err:=github.NewClient(client).Teams.ListTeams(ctx,org,&github.ListOptions{
PerPage:100,
})
returnteams,err
},
},nil
}

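Review bot: The `ListTeams` hook in the last hunk of this file calls `Teams.ListTeams(ctx, org, …)`, which in go-github wraps `GET /orgs/{org}/teams` and returns the teams that exist in the organization (as visible to the caller), not the teams the authenticated user belongs to; since coderd/userauth.go in this PR treats the result as the user's memberships, the allowlist only establishes that a team with that slug exists in the org, so membership in the allowlisted team is not actually enforced. `Teams.ListUserTeams` (`GET /user/teams`) returns the caller's own teams and can be filtered to `org`, or `Teams.GetTeamMembershipBySlug` can check a single (org, slug) pair directly. Both `ListTeams` and the `ListOrgMemberships` call above it also read only the first page of 100 results; without following `resp.NextPage`, a membership that sits past the first page is treated as absent and the user is denied. Separately, the `strings.SplitN` guard in `configureGithubOAuth2` accepts `"/frontend"` and `"coder/"`, so extend it to `if len(parts) != 2 || parts[0] == "" || parts[1] == "" {`. A sketch of the hook follows; it assumes the `Organization` field on `github.Team` is populated by that endpoint, which should be confirmed.
```go
ListTeams: func(ctx context.Context, client *http.Client, org string) ([]*github.Team, error) {
	// Teams the authenticated user is a member of, restricted to org.
	// Follows pagination so memberships beyond the first page are seen.
	gh := github.NewClient(client)
	opts := &github.ListOptions{PerPage: 100}
	var teams []*github.Team
	for {
		page, resp, err := gh.Teams.ListUserTeams(ctx, opts)
		if err != nil {
			return nil, err
		}
		for _, team := range page {
			if team.GetOrganization().GetLogin() == org {
				teams = append(teams, team)
			}
		}
		if resp == nil || resp.NextPage == 0 {
			break
		}
		opts.Page = resp.NextPage
	}
	return teams, nil
},
```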
3 changes: 3 additions & 0 deletionscoderd/database/db_test.go
Expand Up@@ -14,6 +14,9 @@ import (

funcTestNestedInTx(t*testing.T) {
t.Parallel()
iftesting.Short() {
t.SkipNow()
}

uid:=uuid.New()
sqlDB:=testSQLDB(t)
43 changes: 43 additions & 0 deletionscoderd/userauth.go
Expand Up@@ -17,15 +17,23 @@ import (
"github.com/coder/coder/codersdk"
)

// GithubOAuth2Team represents a team scoped to an organization.
typeGithubOAuth2Teamstruct {
Organizationstring
Slugstring
}

// GithubOAuth2Provider exposes required functions for the Github authentication flow.
typeGithubOAuth2Configstruct {
httpmw.OAuth2Config
AuthenticatedUserfunc(ctx context.Context,client*http.Client) (*github.User,error)
ListEmailsfunc(ctx context.Context,client*http.Client) ([]*github.UserEmail,error)
ListOrganizationMembershipsfunc(ctx context.Context,client*http.Client) ([]*github.Membership,error)
ListTeamsfunc(ctx context.Context,client*http.Client,orgstring) ([]*github.Team,error)

AllowSignupsbool
AllowOrganizations []string
AllowTeams []GithubOAuth2Team
}

func (api*API)userAuthMethods(rw http.ResponseWriter,_*http.Request) {
Expand DownExpand Up@@ -64,6 +72,41 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
return
}

// The default if no teams are specified is to allow all.
iflen(api.GithubOAuth2Config.AllowTeams)>0 {
teams,err:=api.GithubOAuth2Config.ListTeams(r.Context(),oauthClient,*selectedMembership.Organization.Login)
iferr!=nil {
httpapi.Write(rw,http.StatusInternalServerError, httpapi.Response{
Message:"Failed to fetch teams from GitHub.",
Detail:err.Error(),
})
return
}

varallowedTeam*github.Team
for_,team:=rangeteams {
for_,allowTeam:=rangeapi.GithubOAuth2Config.AllowTeams {
ifallowTeam.Organization!=*selectedMembership.Organization.Login {
// This needs to continue because multiple organizations
// could exist in the allow/team listings.
continue
}
ifallowTeam.Slug!=*team.Slug {
continue
}
allowedTeam=team
break
}
}

ifallowedTeam==nil {
httpapi.Write(rw,http.StatusUnauthorized, httpapi.Response{
Message:fmt.Sprintf("You aren't a member of an authorized team in the %s Github organization!",*selectedMembership.Organization.Login),
})
return
}
}

emails,err:=api.GithubOAuth2Config.ListEmails(r.Context(),oauthClient)
iferr!=nil {
httpapi.Write(rw,http.StatusInternalServerError, httpapi.Response{
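Review bot: In the team loop of `userOAuth2Github` (second hunk), `*team.Slug` dereferences a go-github pointer field with no nil check, and the `break` after `allowedTeam = team` only leaves the inner loop, so the outer loop keeps scanning after a match; use the nil-safe accessor, `if allowTeam.Slug != team.GetSlug() {`, and either a labeled `break` or a return once a match is found. The comparison against `*selectedMembership.Organization.Login` does not depend on `team`, so the allowlist could be filtered to the selected organization once before the team loop instead of on every inner iteration. The new `GithubOAuth2Team` fields in the first hunk carry no doc comments; suggest `// Organization is the login of the GitHub organization that owns the team.` and `// Slug is the team's URL slug, not its display name.` `userOAuth2Github` starts and ends outside the hunk.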
61 changes: 61 additions & 0 deletionscoderd/userauth_test.go
Expand Up@@ -73,6 +73,30 @@ func TestUserOAuth2Github(t *testing.T) {
resp:=oauth2Callback(t,client)
require.Equal(t,http.StatusUnauthorized,resp.StatusCode)
})
t.Run("NotInAllowedTeam",func(t*testing.T) {
t.Parallel()
client:=coderdtest.New(t,&coderdtest.Options{
GithubOAuth2Config:&coderd.GithubOAuth2Config{
AllowOrganizations: []string{"coder"},
AllowTeams: []coderd.GithubOAuth2Team{{"another","something"}, {"coder","frontend"}},
OAuth2Config:&oauth2Config{},
ListOrganizationMemberships:func(ctx context.Context,client*http.Client) ([]*github.Membership,error) {
return []*github.Membership{{
Organization:&github.Organization{
Login:github.String("coder"),
},
}},nil
},
ListTeams:func(ctx context.Context,client*http.Client,orgstring) ([]*github.Team,error) {
return []*github.Team{{
Slug:github.String("nope"),
}},nil
},
},
})
resp:=oauth2Callback(t,client)
require.Equal(t,http.StatusUnauthorized,resp.StatusCode)
})
t.Run("UnverifiedEmail",func(t*testing.T) {
t.Parallel()
client:=coderdtest.New(t,&coderdtest.Options{
Expand DownExpand Up@@ -184,6 +208,43 @@ func TestUserOAuth2Github(t *testing.T) {
resp:=oauth2Callback(t,client)
require.Equal(t,http.StatusTemporaryRedirect,resp.StatusCode)
})
t.Run("SignupAllowedTeam",func(t*testing.T) {
t.Parallel()
client:=coderdtest.New(t,&coderdtest.Options{
GithubOAuth2Config:&coderd.GithubOAuth2Config{
AllowSignups:true,
AllowOrganizations: []string{"coder"},
AllowTeams: []coderd.GithubOAuth2Team{{"coder","frontend"}},
OAuth2Config:&oauth2Config{},
ListOrganizationMemberships:func(ctx context.Context,client*http.Client) ([]*github.Membership,error) {
return []*github.Membership{{
Organization:&github.Organization{
Login:github.String("coder"),
},
}},nil
},
ListTeams:func(ctx context.Context,client*http.Client,orgstring) ([]*github.Team,error) {
return []*github.Team{{
Slug:github.String("frontend"),
}},nil
},
AuthenticatedUser:func(ctx context.Context,client*http.Client) (*github.User,error) {
return&github.User{
Login:github.String("kyle"),
},nil
},
ListEmails:func(ctx context.Context,client*http.Client) ([]*github.UserEmail,error) {
return []*github.UserEmail{{
Email:github.String("kyle@coder.com"),
Verified:github.Bool(true),
Primary:github.Bool(true),
}},nil
},
},
})
resp:=oauth2Callback(t,client)
require.Equal(t,http.StatusTemporaryRedirect,resp.StatusCode)
})
}

funcoauth2Callback(t*testing.T,client*codersdk.Client)*http.Response {
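Review bot: Neither new subtest exercises the organization half of the allowlist: `NotInAllowedTeam` fails on the slug (`nope`) and `SignupAllowedTeam` matches on both fields, so a case with `AllowTeams: []coderd.GithubOAuth2Team{{Organization: "another", Slug: "frontend"}}` while `ListTeams` returns slug `frontend` and the selected membership is `coder` would pin that a matching slug in a different organization is still rejected. The `ListTeams` stubs ignore their `org` argument; asserting inside the stub that it equals `"coder"` would also check that the handler passes the selected membership's organization through. The literals `{"another","something"}` and `{"coder","frontend"}` use positional fields for a type from another package, which `go vet`'s composites check may flag; keyed fields (`{Organization: "coder", Slug: "frontend"}`) also read more clearly. `TestUserOAuth2Github` begins outside the hunk.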
