Merge branch 'stevenmasley/merge_oidc_account' into bq/oidc-ui

BrunoQuaresma · BrunoQuaresma · commit 134f152ed900 · 2023-06-23T13:15:55.000Z
diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go
diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -32,6 +32,8 @@ import (
 	"github.com/coder/coder/cryptorand"
 )
 
+const mergeStateStringPrefix = "convert-"
+
 // postConvertLoginType replies with an oauth state token capable of converting
 // the user to an oauth user.
 //
@@ -105,6 +107,9 @@ func (api *API) postConvertLoginType(rw http.ResponseWriter, r *http.Request) {
 		})
 		return
 	}
+	// The prefix is used to identify this state string as a conversion state
+	// without needing to hit the database. The random string is the CSRF protection.
+	stateString = fmt.Sprintf("%s%s", mergeStateStringPrefix, stateString)
 
 	now := time.Now()
 	var mergeState database.OauthMergeState
@@ -406,6 +411,7 @@ func (api *API) userAuthMethods(rw http.ResponseWriter, r *http.Request) {
 
 	httpapi.Write(r.Context(), rw, http.StatusOK, codersdk.AuthMethods{
 		UserAuthenticationType: currentUserLoginType,
+		ConvertToOIDCEnabled:   api.Options.DeploymentValues.EnableOauthAccountConversion.Value(),
 		Password: codersdk.AuthMethod{
 			Enabled: !api.DeploymentValues.DisablePasswordAuth.Value(),
 		},
@@ -1024,74 +1030,12 @@ func (api *API) oauthLogin(r *http.Request, params oauthLoginParams) (*http.Cook
 			}
 		}
 
-		// If this is not a new user and the login type is different,
-		// we need to check if the user is trying to change their login type.
-		if user.ID != uuid.Nil && user.LoginType != params.LoginType {
-			wrongLoginTypeErr := httpError{
-				code: http.StatusForbidden,
-				msg: fmt.Sprintf("Incorrect login type, attempting to use %q but user is of login type %q",
-					params.LoginType,
-					user.LoginType,
-				),
-			}
-			// If we do not allow converting to oauth, return an error.
-			if !params.OauthConversionEnabled {
-				return wrongLoginTypeErr
-			}
-
-			// At this point, this request could be an attempt to convert from
-			// password auth to oauth auth.
-			var (
-				auditor                                    = *api.Auditor.Load()
-				oauthConvertAudit, commitOauthConvertAudit = params.InitAuditRequest(&audit.RequestParams{
-					Audit:   auditor,
-					Log:     api.Logger,
-					Request: r,
-					Action:  database.AuditActionLogin,
-				})
-			)
-			defer commitOauthConvertAudit()
-
-			// nolint:gocritic // Required to auth the oidc convert
-			mergeState, err := tx.GetUserOauthMergeState(dbauthz.AsSystemRestricted(ctx), database.GetUserOauthMergeStateParams{
-				UserID:      user.ID,
-				StateString: params.State.StateString,
-			})
-			if xerrors.Is(err, sql.ErrNoRows) {
-				return wrongLoginTypeErr
-			}
-
-			failedMsg := fmt.Sprintf("Request to convert login type from %s to %s failed", user.LoginType, params.LoginType)
+		// If you do a convert to OIDC and your email does not match, we need to
+		// catch this and not make a new account.
+		if isMergeStateString(params.State.StateString) {
+			err := api.convertUserToOauth(ctx, r, tx, params)
 			if err != nil {
-				return httpError{
-					code: http.StatusForbidden,
-					msg:  failedMsg,
-				}
-			}
-			oauthConvertAudit.Old = mergeState
-			// Make sure the merge state generated matches this OIDC login request.
-			// It needs to have the correct login type information for this
-			// user.
-			if user.ID != mergeState.UserID || user.LoginType != mergeState.FromLoginType || params.LoginType != mergeState.ToLoginType {
-				return httpError{
-					code: http.StatusForbidden,
-					msg:  failedMsg,
-				}
-			}
-
-			// Convert the user and default to the normal login flow.
-			// If the login succeeds, this transaction will commit and the user
-			// will be converted.
-			// nolint:gocritic // system query to update user login type
-			user, err = tx.UpdateUserLoginType(dbauthz.AsSystemRestricted(ctx), database.UpdateUserLoginTypeParams{
-				LoginType: params.LoginType,
-				UserID:    user.ID,
-			})
-			if err != nil {
-				return httpError{
-					code: http.StatusInternalServerError,
-					msg:  "Failed to convert user to new login type",
-				}
+				return err
 			}
 		}
 
@@ -1258,6 +1202,91 @@ func (api *API) oauthLogin(r *http.Request, params oauthLoginParams) (*http.Cook
 	return cookie, *key, nil
 }
 
+// convertUserToOauth will convert a user from password base loginType to
+// an oauth login type. If it fails, it will return a httpError
+func (api *API) convertUserToOauth(ctx context.Context, r *http.Request, db database.Store, params oauthLoginParams) error {
+	user := params.User
+
+	// Trying to convert to OIDC, but the email does not match.
+	// So do not make a new user, just block the request.
+	if user.ID == uuid.Nil {
+		return httpError{
+			code: http.StatusBadRequest,
+			msg:  fmt.Sprintf("The oidc account with the email %q does not match the email of the account you are trying to convert. Contact your administrator to resolve this issue.", params.Email),
+		}
+	}
+
+	// nolint:gocritic // Required to auth the oidc convert
+	mergeState, err := db.GetUserOauthMergeState(dbauthz.AsSystemRestricted(ctx), database.GetUserOauthMergeStateParams{
+		UserID:      user.ID,
+		StateString: params.State.StateString,
+	})
+	if xerrors.Is(err, sql.ErrNoRows) {
+		return httpError{
+			code: http.StatusBadRequest,
+			msg:  "No convert login request found with given state. Restart the convert process and try again.",
+		}
+	}
+	if err != nil {
+		return httpError{
+			code: http.StatusInternalServerError,
+			msg:  err.Error(),
+		}
+	}
+
+	// At this point, this request could be an attempt to convert from
+	// password auth to oauth auth. Always log these attempts.
+	var (
+		auditor                                    = *api.Auditor.Load()
+		oauthConvertAudit, commitOauthConvertAudit = params.InitAuditRequest(&audit.RequestParams{
+			Audit:   auditor,
+			Log:     api.Logger,
+			Request: r,
+			Action:  database.AuditActionLogin,
+		})
+	)
+	oauthConvertAudit.Old = mergeState
+	defer commitOauthConvertAudit()
+
+	// If we do not allow converting to oauth, return an error.
+	if !params.OauthConversionEnabled {
+		return httpError{
+			code: http.StatusForbidden,
+			msg: fmt.Sprintf("Incorrect login type, attempting to use %q but user is of login type %q",
+				params.LoginType,
+				user.LoginType,
+			),
+		}
+	}
+
+	// Make sure the merge state generated matches this OIDC login request.
+	// It needs to have the correct login type information for this
+	// user.
+	if user.ID != mergeState.UserID || user.LoginType != mergeState.FromLoginType || params.LoginType != mergeState.ToLoginType {
+		return httpError{
+			code: http.StatusForbidden,
+			msg:  fmt.Sprintf("Request to convert login type from %s to %s failed", user.LoginType, params.LoginType),
+		}
+	}
+
+	// Convert the user and default to the normal login flow.
+	// If the login succeeds, this transaction will commit and the user
+	// will be converted.
+	// nolint:gocritic // system query to update user login type
+	user, err = db.UpdateUserLoginType(dbauthz.AsSystemRestricted(ctx), database.UpdateUserLoginTypeParams{
+		LoginType: params.LoginType,
+		UserID:    user.ID,
+	})
+	if err != nil {
+		return httpError{
+			code: http.StatusInternalServerError,
+			msg:  "Failed to convert user to new login type",
+		}
+	}
+	return nil
+
+}
+
 // githubLinkedID returns the unique ID for a GitHub user.
 func githubLinkedID(u *github.User) string {
 	return strconv.FormatInt(u.GetID(), 10)
@@ -1324,3 +1353,10 @@ func findLinkedUser(ctx context.Context, db database.Store, linkedID string, ema
 
 	return user, link, nil
 }
+
+func isMergeStateString(state string) bool {
+	if strings.HasPrefix(state, mergeStateStringPrefix) {
+		return true
+	}
+	return false
+}
diff --git a/codersdk/users.go b/codersdk/users.go
@@ -126,6 +126,7 @@ type AuthMethods struct {
 	// UserAuthenticationType returns the authentication method for the given
 	// caller if the request is an authenticated request. Otherwise it is empty.
 	UserAuthenticationType LoginType      `json:"me_login_type,omitempty"`
+	ConvertToOIDCEnabled   bool           `json:"convert_to_oidc_enabled"`
 	Password               AuthMethod     `json:"password"`
 	Github                 AuthMethod     `json:"github"`
 	OIDC                   OIDCAuthMethod `json:"oidc"`
diff --git a/docs/api/schemas.md b/docs/api/schemas.md
@@ -1107,6 +1107,7 @@
 
 ```json
 {
+  "convert_to_oidc_enabled": true,
   "github": {
     "enabled": true
   },
@@ -1124,12 +1125,13 @@
 
 ### Properties
 
-| Name            | Type                                               | Required | Restrictions | Description                                                                                                                             |
-| --------------- | -------------------------------------------------- | -------- | ------------ | --------------------------------------------------------------------------------------------------------------------------------------- |
-| `github`        | [codersdk.AuthMethod](#codersdkauthmethod)         | false    |              |                                                                                                                                         |
-| `me_login_type` | [codersdk.LoginType](#codersdklogintype)           | false    |              | Me login type returns the authentication method for the given caller if the request is an authenticated request. Otherwise it is empty. |
-| `oidc`          | [codersdk.OIDCAuthMethod](#codersdkoidcauthmethod) | false    |              |                                                                                                                                         |
-| `password`      | [codersdk.AuthMethod](#codersdkauthmethod)         | false    |              |                                                                                                                                         |
+| Name                      | Type                                               | Required | Restrictions | Description                                                                                                                             |
+| ------------------------- | -------------------------------------------------- | -------- | ------------ | --------------------------------------------------------------------------------------------------------------------------------------- |
+| `convert_to_oidc_enabled` | boolean                                            | false    |              |                                                                                                                                         |
+| `github`                  | [codersdk.AuthMethod](#codersdkauthmethod)         | false    |              |                                                                                                                                         |
+| `me_login_type`           | [codersdk.LoginType](#codersdklogintype)           | false    |              | Me login type returns the authentication method for the given caller if the request is an authenticated request. Otherwise it is empty. |
+| `oidc`                    | [codersdk.OIDCAuthMethod](#codersdkoidcauthmethod) | false    |              |                                                                                                                                         |
+| `password`                | [codersdk.AuthMethod](#codersdkauthmethod)         | false    |              |                                                                                                                                         |
 
 ## codersdk.AuthorizationCheck
 
diff --git a/docs/api/users.md b/docs/api/users.md
@@ -140,6 +140,7 @@ curl -X GET http://coder-server:8080/api/v2/users/authmethods \
 
 ```json
 {
+  "convert_to_oidc_enabled": true,
   "github": {
     "enabled": true
   },
diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts
@@ -105,6 +105,7 @@ export interface AuthMethod {
 // From codersdk/users.go
 export interface AuthMethods {
   readonly me_login_type?: LoginType
+  readonly convert_to_oidc_enabled: boolean
   readonly password: AuthMethod
   readonly github: AuthMethod
   readonly oidc: OIDCAuthMethod

Original file line number	Diff line number	Diff line change
`@@ -140,6 +140,7 @@ curl -X GET http://coder-server:8080/api/v2/users/authmethods \`
`140`	`140`
`141`	`141`	```json
`142`	`142`	`{`
	`143`	`+ "convert_to_oidc_enabled": true,`
`143`	`144`	`"github": {`
`144`	`145`	`"enabled": true`
`145`	`146`	`},`