add test for oidc jwt

sreya · sreya · commit 6b9a3e4efd34 · 2024-10-21T21:42:30.000Z
diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go
@@ -161,6 +161,7 @@ type Options struct {
 	WorkspaceUsageTrackerTick          chan time.Time
 	NotificationsEnqueuer              notifications.Enqueuer
 	APIKeyEncryptionCache              cryptokeys.EncryptionKeycache
+	OIDCConvertKeyCache                cryptokeys.SigningKeycache
 	Clock                              quartz.Clock
 }
 
@@ -538,6 +539,7 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 			OneTimePasscodeValidityPeriod:      options.OneTimePasscodeValidityPeriod,
 			Clock:                              options.Clock,
 			AppEncryptionKeyCache:              options.APIKeyEncryptionCache,
+			OIDCConvertKeyCache:                options.OIDCConvertKeyCache,
 		}
 }
 
diff --git a/coderd/jwtutils/jwe.go b/coderd/jwtutils/jwe.go
@@ -106,7 +106,7 @@ func Decrypt(ctx context.Context, d DecryptKeyProvider, token string, claims Cla
 
 	kid := object.Header.KeyID
 	if kid == "" {
-		return xerrors.Errorf("expected %q header to be a string", keyIDHeaderKey)
+		return ErrMissingKeyID
 	}
 
 	key, err := d.DecryptingKey(ctx, kid)
diff --git a/coderd/jwtutils/jws.go b/coderd/jwtutils/jws.go
@@ -10,6 +10,8 @@ import (
 	"golang.org/x/xerrors"
 )
 
+var ErrMissingKeyID = xerrors.New("missing key ID")
+
 const (
 	keyIDHeaderKey = "kid"
 )
@@ -126,7 +128,7 @@ func Verify(ctx context.Context, v VerifyKeyProvider, token string, claims Claim
 
 	kid := signature.Header.KeyID
 	if kid == "" {
-		return xerrors.Errorf("expected %q header to be a string", keyIDHeaderKey)
+		return ErrMissingKeyID
 	}
 
 	key, err := v.VerifyingKey(ctx, kid)
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -52,7 +52,7 @@ const (
 )
 
 type OAuthConvertStateClaims struct {
-	jwt.Claims
+	jwtutils.RegisteredClaims
 
 	UserID        uuid.UUID          `json:"user_id"`
 	State         string             `json:"state"`
@@ -61,7 +61,7 @@ type OAuthConvertStateClaims struct {
 }
 
 func (o *OAuthConvertStateClaims) Validate(e jwt.Expected) error {
-	return o.Claims.Validate(e)
+	return o.RegisteredClaims.Validate(e)
 }
 
 // postConvertLoginType replies with an oauth state token capable of converting
@@ -156,7 +156,7 @@ func (api *API) postConvertLoginType(rw http.ResponseWriter, r *http.Request) {
 	// Eg: Developers with more than 1 deployment.
 	now := time.Now()
 	claims := &OAuthConvertStateClaims{
-		Claims: jwt.Claims{
+		RegisteredClaims: jwtutils.RegisteredClaims{
 			Issuer:    api.DeploymentID,
 			Subject:   stateString,
 			Audience:  []string{user.ID.String()},
@@ -1682,7 +1682,7 @@ func (api *API) convertUserToOauth(ctx context.Context, r *http.Request, db data
 	var claims OAuthConvertStateClaims
 
 	err = jwtutils.Verify(ctx, api.OIDCConvertKeyCache, jwtCookie.Value, &claims)
-	if xerrors.Is(err, cryptokeys.ErrKeyNotFound) || xerrors.Is(err, cryptokeys.ErrKeyInvalid) || xerrors.Is(err, jose.ErrCryptoFailure) {
+	if xerrors.Is(err, cryptokeys.ErrKeyNotFound) || xerrors.Is(err, cryptokeys.ErrKeyInvalid) || xerrors.Is(err, jose.ErrCryptoFailure) || xerrors.Is(err, jwtutils.ErrMissingKeyID) {
 		// These errors are probably because the user is mixing 2 coder deployments.
 		return database.User{}, idpsync.HTTPError{
 			Code: http.StatusBadRequest,
diff --git a/coderd/userauth_test.go b/coderd/userauth_test.go
@@ -3,6 +3,8 @@ package coderd_test
 import (
 	"context"
 	"crypto"
+	"crypto/rand"
+	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
@@ -13,6 +15,7 @@ import (
 	"time"
 
 	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/go-jose/go-jose/v4"
 	"github.com/golang-jwt/jwt/v4"
 	"github.com/google/go-github/v43/github"
 	"github.com/google/uuid"
@@ -27,10 +30,12 @@ import (
 	"github.com/coder/coder/v2/coderd/audit"
 	"github.com/coder/coder/v2/coderd/coderdtest"
 	"github.com/coder/coder/v2/coderd/coderdtest/oidctest"
+	"github.com/coder/coder/v2/coderd/cryptokeys"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/coderd/database/dbgen"
 	"github.com/coder/coder/v2/coderd/database/dbtestutil"
+	"github.com/coder/coder/v2/coderd/jwtutils"
 	"github.com/coder/coder/v2/coderd/notifications"
 	"github.com/coder/coder/v2/coderd/promoauth"
 	"github.com/coder/coder/v2/codersdk"
@@ -1316,22 +1321,25 @@ func TestUserOIDC(t *testing.T) {
 
 		owner := coderdtest.CreateFirstUser(t, client)
 		user, userData := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
+		require.Equal(t, codersdk.LoginTypePassword, userData.LoginType)
 
 		claims := jwt.MapClaims{
 			"email": userData.Email,
 		}
 		var err error
 		user.HTTPClient.Jar, err = cookiejar.New(nil)
 		require.NoError(t, err)
+		user.HTTPClient.Transport = http.DefaultTransport.(*http.Transport).Clone()
 
 		ctx := testutil.Context(t, testutil.WaitShort)
+
 		convertResponse, err := user.ConvertLoginType(ctx, codersdk.ConvertLoginRequest{
 			ToType:   codersdk.LoginTypeOIDC,
 			Password: "SomeSecurePassword!",
 		})
 		require.NoError(t, err)
 
-		fake.LoginWithClient(t, user, claims, func(r *http.Request) {
+		_, _ = fake.LoginWithClient(t, user, claims, func(r *http.Request) {
 			r.URL.RawQuery = url.Values{
 				"oidc_merge_state": {convertResponse.StateString},
 			}.Encode()
@@ -1341,6 +1349,99 @@ func TestUserOIDC(t *testing.T) {
 				r.AddCookie(cookie)
 			}
 		})
+
+		info, err := client.User(ctx, userData.ID.String())
+		require.NoError(t, err)
+		require.Equal(t, codersdk.LoginTypeOIDC, info.LoginType)
+	})
+
+	t.Run("BadJWT", func(t *testing.T) {
+		t.Parallel()
+
+		var (
+			ctx    = testutil.Context(t, testutil.WaitMedium)
+			logger = slogtest.Make(t, nil)
+		)
+
+		auditor := audit.NewMock()
+		fake := oidctest.NewFakeIDP(t,
+			oidctest.WithRefresh(func(_ string) error {
+				return xerrors.New("refreshing token should never occur")
+			}),
+			oidctest.WithServing(),
+		)
+		cfg := fake.OIDCConfig(t, nil, func(cfg *coderd.OIDCConfig) {
+			cfg.AllowSignups = true
+		})
+
+		db, ps := dbtestutil.NewDB(t)
+		fetcher := &cryptokeys.DBFetcher{
+			DB: db,
+		}
+
+		kc, err := cryptokeys.NewSigningCache(ctx, logger, fetcher, codersdk.CryptoKeyFeatureOIDCConvert)
+		require.NoError(t, err)
+
+		client := coderdtest.New(t, &coderdtest.Options{
+			Auditor:             auditor,
+			OIDCConfig:          cfg,
+			Database:            db,
+			Pubsub:              ps,
+			OIDCConvertKeyCache: kc,
+		})
+
+		owner := coderdtest.CreateFirstUser(t, client)
+		user, userData := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
+
+		claims := jwt.MapClaims{
+			"email": userData.Email,
+		}
+		user.HTTPClient.Jar, err = cookiejar.New(nil)
+		require.NoError(t, err)
+		user.HTTPClient.Transport = http.DefaultTransport.(*http.Transport).Clone()
+
+		convertResponse, err := user.ConvertLoginType(ctx, codersdk.ConvertLoginRequest{
+			ToType:   codersdk.LoginTypeOIDC,
+			Password: "SomeSecurePassword!",
+		})
+		require.NoError(t, err)
+
+		// Update the cookie to use a bad signing key. We're asserting the behavior of the scenario
+		// where a JWT gets minted on an old version of Coder but gets verified on a new version.
+		_, resp := fake.AttemptLogin(t, user, claims, func(r *http.Request) {
+			r.URL.RawQuery = url.Values{
+				"oidc_merge_state": {convertResponse.StateString},
+			}.Encode()
+			r.Header.Set(codersdk.SessionTokenHeader, user.SessionToken())
+
+			cookies := user.HTTPClient.Jar.Cookies(user.URL)
+			for i, cookie := range cookies {
+				if cookie.Name != coderd.OAuthConvertCookieValue {
+					continue
+				}
+
+				jwt := cookie.Value
+				var claims coderd.OAuthConvertStateClaims
+				err := jwtutils.Verify(ctx, kc, jwt, &claims)
+				require.NoError(t, err)
+				badJWT := generateBadJWT(t, claims)
+				cookie.Value = badJWT
+				cookies[i] = cookie
+			}
+
+			user.HTTPClient.Jar.SetCookies(user.URL, cookies)
+
+			for _, cookie := range cookies {
+				fmt.Printf("cookie: %+v\n", cookie)
+				r.AddCookie(cookie)
+			}
+		})
+		defer resp.Body.Close()
+		require.Equal(t, http.StatusBadRequest, resp.StatusCode)
+		var respErr codersdk.Response
+		err = json.NewDecoder(resp.Body).Decode(&respErr)
+		require.NoError(t, err)
+		require.Contains(t, respErr.Message, "Using an invalid jwt to authorize this action.")
 	})
 
 	t.Run("AlternateUsername", func(t *testing.T) {
@@ -2022,3 +2123,24 @@ func inflateClaims(t testing.TB, seed jwt.MapClaims, size int) jwt.MapClaims {
 	seed["random_data"] = junk
 	return seed
 }
+
+// generateBadJWT generates a JWT with a random key. It's intended to emulate the old-style JWT's we generated.
+func generateBadJWT(t *testing.T, claims interface{}) string {
+	t.Helper()
+
+	var buf [64]byte
+	_, err := rand.Read(buf[:])
+	require.NoError(t, err)
+	signer, err := jose.NewSigner(jose.SigningKey{
+		Algorithm: jose.HS512,
+		Key:       buf[:],
+	}, nil)
+	require.NoError(t, err)
+	payload, err := json.Marshal(claims)
+	require.NoError(t, err)
+	signed, err := signer.Sign(payload)
+	require.NoError(t, err)
+	compact, err := signed.CompactSerialize()
+	require.NoError(t, err)
+	return compact
+}

Original file line number	Diff line number	Diff line change
`@@ -161,6 +161,7 @@ type Options struct {`
`161`	`161`	`WorkspaceUsageTrackerTick chan time.Time`
`162`	`162`	`NotificationsEnqueuer notifications.Enqueuer`
`163`	`163`	`APIKeyEncryptionCache cryptokeys.EncryptionKeycache`
	`164`	`+ OIDCConvertKeyCache cryptokeys.SigningKeycache`
`164`	`165`	`Clock quartz.Clock`
`165`	`166`	`}`
`166`	`167`
`@@ -538,6 +539,7 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can`
`538`	`539`	`OneTimePasscodeValidityPeriod: options.OneTimePasscodeValidityPeriod,`
`539`	`540`	`Clock: options.Clock,`
`540`	`541`	`AppEncryptionKeyCache: options.APIKeyEncryptionCache,`
	`542`	`+ OIDCConvertKeyCache: options.OIDCConvertKeyCache,`
`541`	`543`	`}`
`542`	`544`	`}`
`543`	`545`
Original file line number	Diff line number	Diff line change
`@@ -106,7 +106,7 @@ func Decrypt(ctx context.Context, d DecryptKeyProvider, token string, claims Cla`
`106`	`106`
`107`	`107`	`kid := object.Header.KeyID`
`108`	`108`	`if kid == "" {`
`109`		`- return xerrors.Errorf("expected %q header to be a string", keyIDHeaderKey)`
	`109`	`+ return ErrMissingKeyID`
`110`	`110`	`}`
`111`	`111`
`112`	`112`	`key, err := d.DecryptingKey(ctx, kid)`
Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,8 @@ import (`
`10`	`10`	`"golang.org/x/xerrors"`
`11`	`11`	`)`
`12`	`12`
	`13`	`+var ErrMissingKeyID = xerrors.New("missing key ID")`
	`14`	`+`
`13`	`15`	`const (`
`14`	`16`	`keyIDHeaderKey = "kid"`
`15`	`17`	`)`
`@@ -126,7 +128,7 @@ func Verify(ctx context.Context, v VerifyKeyProvider, token string, claims Claim`
`126`	`128`
`127`	`129`	`kid := signature.Header.KeyID`
`128`	`130`	`if kid == "" {`
`129`		`- return xerrors.Errorf("expected %q header to be a string", keyIDHeaderKey)`
	`131`	`+ return ErrMissingKeyID`
`130`	`132`	`}`
`131`	`133`
`132`	`134`	`key, err := v.VerifyingKey(ctx, kid)`