Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

fix: allow disabling all password auth even if owner#6193

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
kylecarbs merged 2 commits intomainfromdisablepassauth
Feb 14, 2023
Merged
Show file tree
Hide file tree
Changes fromall commits
Commits
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 4 additions & 14 deletionscoderd/userauth.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -23,7 +23,6 @@ import (
"github.com/coder/coder/coderd/database"
"github.com/coder/coder/coderd/httpapi"
"github.com/coder/coder/coderd/httpmw"
"github.com/coder/coder/coderd/rbac"
"github.com/coder/coder/coderd/userpassword"
"github.com/coder/coder/codersdk"
)
Expand DownExpand Up@@ -89,19 +88,10 @@ func (api *API) postLogin(rw http.ResponseWriter, r *http.Request) {
// If password authentication is disabled and the user does not have the
// owner role, block the request.
if api.DeploymentConfig.DisablePasswordAuth.Value {
permitted := false
for _, role := range user.RBACRoles {
if role == rbac.RoleOwner() {
permitted = true
break
}
}
if !permitted {
httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
Message: "Password authentication is disabled. Only administrators can sign in with password authentication.",
})
return
}
httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
Message: "Password authentication is disabled.",
})
return
}

if user.LoginType != database.LoginTypePassword {
Expand Down
9 changes: 9 additions & 0 deletionscoderd/users.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -293,6 +293,15 @@ func (api *API) postUser(rw http.ResponseWriter, r *http.Request) {
return
}

// If password auth is disabled, don't allow new users to be
// created with a password!
ifapi.DeploymentConfig.DisablePasswordAuth.Value {
httpapi.Write(ctx,rw,http.StatusForbidden, codersdk.Response{
Message:"You cannot manually provision new users with password authentication disabled!",
})
return
}

// TODO: @emyrk Authorize the organization create if the createUser will do that.

_,err:=api.Database.GetUserByEmailOrUsername(ctx, database.GetUserByEmailOrUsernameParams{
Expand Down
17 changes: 2 additions & 15 deletionscoderd/users_test.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -187,7 +187,6 @@ func TestPostLogin(t *testing.T) {
t.Parallel()

dc:=coderdtest.DeploymentConfig(t)
dc.DisablePasswordAuth.Value=true
client:=coderdtest.New(t,&coderdtest.Options{
DeploymentConfig:dc,
})
Expand All@@ -207,6 +206,8 @@ func TestPostLogin(t *testing.T) {
})
require.NoError(t,err)

dc.DisablePasswordAuth.Value=true

userClient:=codersdk.New(client.URL)
_,err=userClient.LoginWithPassword(ctx, codersdk.LoginWithPasswordRequest{
Email:user.Email,
Expand All@@ -217,20 +218,6 @@ func TestPostLogin(t *testing.T) {
require.ErrorAs(t,err,&apiErr)
require.Equal(t,http.StatusForbidden,apiErr.StatusCode())
require.Contains(t,apiErr.Message,"Password authentication is disabled")

// Promote the user account to an owner.
_,err=client.UpdateUserRoles(ctx,user.ID.String(), codersdk.UpdateRoles{
Roles: []string{rbac.RoleOwner(),rbac.RoleMember()},
})
require.NoError(t,err)

// Login with the user account.
res,err:=userClient.LoginWithPassword(ctx, codersdk.LoginWithPasswordRequest{
Email:user.Email,
Password:password,
})
require.NoError(t,err)
require.NotEmpty(t,res.SessionToken)
})

t.Run("Success",func(t*testing.T) {
Expand Down
20 changes: 20 additions & 0 deletionssite/src/components/SignInForm/SignInForm.stories.tsx
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -116,6 +116,26 @@ WithOIDC.args = {
},
}

exportconstWithOIDCWithoutPassword=Template.bind({})
WithOIDCWithoutPassword.args={
...SignedOut.args,
authMethods:{
password:{enabled:false},
github:{enabled:false},
oidc:{enabled:true,signInText:"",iconUrl:""},
},
}

exportconstWithoutAny=Template.bind({})
WithoutAny.args={
...SignedOut.args,
authMethods:{
password:{enabled:false},
github:{enabled:false},
oidc:{enabled:false,signInText:"",iconUrl:""},
},
}

exportconstWithGithubAndOIDC=Template.bind({})
WithGithubAndOIDC.args={
...SignedOut.args,
Expand Down
15 changes: 12 additions & 3 deletionssite/src/components/SignInForm/SignInForm.tsx
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -9,6 +9,7 @@ import { OAuthSignInForm } from "./OAuthSignInForm"
import{BuiltInAuthFormValues}from"./SignInForm.types"
importButtonfrom"@material-ui/core/Button"
importEmailIconfrom"@material-ui/icons/EmailOutlined"
import{AlertBanner}from"components/AlertBanner/AlertBanner"

exportenumLoginErrors{
AUTH_ERROR="authError",
Expand DownExpand Up@@ -94,6 +95,7 @@ export const SignInForm: FC<React.PropsWithChildren<SignInFormProps>> = ({
constoAuthEnabled=Boolean(
authMethods?.github.enabled||authMethods?.oidc.enabled,
)
constpasswordEnabled=authMethods?.password.enabled??true

// Hide password auth by default if any OAuth method is enabled
const[showPasswordAuth,setShowPasswordAuth]=useState(!oAuthEnabled)
Expand All@@ -108,15 +110,15 @@ export const SignInForm: FC<React.PropsWithChildren<SignInFormProps>> = ({
{loginPageTranslation.t("signInTo")}{" "}
<strong>{commonTranslation.t("coder")}</strong>
</h1>
<Maybecondition={showPasswordAuth}>
<Maybecondition={passwordEnabled&&showPasswordAuth}>
<PasswordSignInForm
loginErrors={loginErrors}
onSubmit={onSubmit}
initialTouched={initialTouched}
isLoading={isLoading}
/>
</Maybe>
<Maybecondition={showPasswordAuth&&oAuthEnabled}>
<Maybecondition={passwordEnabled&&showPasswordAuth&&oAuthEnabled}>
<divclassName={styles.divider}>
<divclassName={styles.dividerLine}/>
<divclassName={styles.dividerLabel}>Or</div>
Expand All@@ -131,7 +133,14 @@ export const SignInForm: FC<React.PropsWithChildren<SignInFormProps>> = ({
/>
</Maybe>

<Maybecondition={!showPasswordAuth}>
<Maybecondition={!passwordEnabled&&!oAuthEnabled}>
<AlertBanner
severity="error"
text="No authentication methods configured!"
/>
</Maybe>

<Maybecondition={passwordEnabled&&!showPasswordAuth}>
<divclassName={styles.divider}>
<divclassName={styles.dividerLine}/>
<divclassName={styles.dividerLabel}>Or</div>
Expand Down
24 changes: 14 additions & 10 deletionssite/src/components/UsersLayout/UsersLayout.tsx
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -3,6 +3,7 @@ import Link from "@material-ui/core/Link"
import { makeStyles } from "@material-ui/core/styles"
import GroupAdd from "@material-ui/icons/GroupAddOutlined"
import PersonAdd from "@material-ui/icons/PersonAddOutlined"
import { useMachine } from "@xstate/react"
import { USERS_LINK } from "components/NavbarView/NavbarView"
import { PageHeader, PageHeaderTitle } from "components/PageHeader/PageHeader"
import { useFeatureVisibility } from "hooks/useFeatureVisibility"
Expand All@@ -15,13 +16,15 @@ import {
useNavigate,
} from "react-router-dom"
import { combineClasses } from "util/combineClasses"
import { authMethodsXService } from "xServices/auth/authMethodsXService"
import { Margins } from "../../components/Margins/Margins"
import { Stack } from "../../components/Stack/Stack"

export const UsersLayout: FC = () => {
const styles = useStyles()
const { createUser: canCreateUser, createGroup: canCreateGroup } =
usePermissions()
const [authMethods] = useMachine(authMethodsXService)
const navigate = useNavigate()
const { template_rbac: isTemplateRBACEnabled } = useFeatureVisibility()

Expand All@@ -31,16 +34,17 @@ export const UsersLayout: FC = () => {
<PageHeader
actions={
<>
{canCreateUser && (
<Button
onClick={() => {
navigate("/users/create")
}}
startIcon={<PersonAdd />}
>
Create user
</Button>
)}
{canCreateUser &&
authMethods.context.authMethods?.password.enabled && (
<Button
onClick={() => {
navigate("/users/create")
}}
startIcon={<PersonAdd />}
>
Create user
</Button>
)}
{canCreateGroup && isTemplateRBACEnabled && (
<Link
underline="none"
Expand Down
55 changes: 55 additions & 0 deletionssite/src/xServices/auth/authMethodsXService.ts
View file
Open in desktop
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,55 @@
import { assign, createMachine } from "xstate"
import * as TypeGen from "api/typesGenerated"
import * as API from "api/api"

export interface AuthMethodsContext {
authMethods?: TypeGen.AuthMethods
error?: Error | unknown
}

export const authMethodsXService = createMachine(
{
id: "authMethods",
predictableActionArguments: true,
tsTypes: {} as import("./authMethodsXService.typegen").Typegen0,
schema: {
context: {} as AuthMethodsContext,
services: {} as {
getAuthMethods: {
data: TypeGen.AuthMethods
}
},
},
context: {},
initial: "gettingAuthMethods",
states: {
gettingAuthMethods: {
invoke: {
src: "getAuthMethods",
onDone: {
target: "idle",
actions: ["assignAuthMethods"],
},
onError: {
target: "idle",
actions: ["setError"],
},
},
},
idle: {},
},
},
{
actions: {
assignAuthMethods: assign({
authMethods: (_, event) => event.data,
}),
setError: assign({
error: (_, event) => event.data,
}),
},
services: {
getAuthMethods: () => API.getAuthMethods(),
},
},
)
[8]ページ先頭
©2009-2025 Movatter.jp