Add flag to enable this feature

Emyrk · Emyrk · commit 6d6a46e5675b · 2023-06-20T11:22:24.000-05:00
diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go
diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -398,6 +398,8 @@ func New(options *Options) *API {
 		Optional:                    true,
 	})
 
+	allowOauthConversion := options.DeploymentValues.EnableOauthAccountConversion.Value()
+
 	// API rate limit middleware. The counter is local and not shared between
 	// replicas or instances of this middleware.
 	apiRateLimiter := httpmw.RateLimit(options.APIRateLimit, time.Minute)
@@ -620,7 +622,13 @@ func New(options *Options) *API {
 					r.Use(
 						apiKeyMiddleware,
 					)
-					r.Post("/", api.postConvertLoginType)
+					if allowOauthConversion {
+						r.Post("/", api.postConvertLoginType)
+					} else {
+						r.Post("/", func(rw http.ResponseWriter, r *http.Request) {
+							http.Error(rw, "Oauth conversion is not allowed, contact an administrator to turn on this feature.", http.StatusForbidden)
+						})
+					}
 				})
 			})
 			r.Group(func(r chi.Router) {
diff --git a/coderd/database/migrations/000127_merge_oidc_account.down.sql b/coderd/database/migrations/000127_merge_oidc_account.down.sql
@@ -0,0 +1,5 @@
+BEGIN;
+
+DROP TABLE oauth_merge_state;
+
+COMMIT;
diff --git a/coderd/httpmw/oauth2.go b/coderd/httpmw/oauth2.go
@@ -99,13 +99,6 @@ func ExtractOAuth2(config OAuth2Config, client *http.Client, authURLOpts map[str
 				// their password again.
 				oidcMergeState := r.URL.Query().Get("oidc_merge_state")
 				if oidcMergeState != "" {
-					_, ok := APIKeyOptional(r)
-					if !ok {
-						httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
-							Message: "Must be logged in to merge account.",
-						})
-						return
-					}
 					state = oidcMergeState
 				} else {
 					var err error
@@ -185,3 +178,12 @@ func ExtractOAuth2(config OAuth2Config, client *http.Client, authURLOpts map[str
 		})
 	}
 }
+
+func RemoveOauthStateCookie(rw http.ResponseWriter) {
+	http.SetCookie(rw, &http.Cookie{
+		Name:   codersdk.OAuth2StateCookie,
+		Value:  "",
+		Path:   "/",
+		MaxAge: -1,
+	})
+}
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -101,7 +101,8 @@ func (api *API) postConvertLoginType(rw http.ResponseWriter, r *http.Request) {
 	err = api.Database.InTx(func(store database.Store) error {
 		// We should only ever have 1 oauth merge state per user. So delete
 		// any existing if they exist.
-		err := api.Database.DeleteUserOauthMergeStates(ctx, user.ID)
+		//nolint:gocritic // Keeping the table clean
+		err := api.Database.DeleteUserOauthMergeStates(dbauthz.AsSystemRestricted(ctx), user.ID)
 		if err != nil && !xerrors.Is(err, sql.ErrNoRows) {
 			return err
 		}
@@ -521,15 +522,16 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 	}
 
 	cookie, key, err := api.oauthLogin(r, oauthLoginParams{
-		User:         user,
-		Link:         link,
-		State:        state,
-		LinkedID:     githubLinkedID(ghUser),
-		LoginType:    database.LoginTypeGithub,
-		AllowSignups: api.GithubOAuth2Config.AllowSignups,
-		Email:        verifiedEmail.GetEmail(),
-		Username:     ghUser.GetLogin(),
-		AvatarURL:    ghUser.GetAvatarURL(),
+		User:                   user,
+		Link:                   link,
+		State:                  state,
+		LinkedID:               githubLinkedID(ghUser),
+		LoginType:              database.LoginTypeGithub,
+		AllowSignups:           api.GithubOAuth2Config.AllowSignups,
+		Email:                  verifiedEmail.GetEmail(),
+		Username:               ghUser.GetLogin(),
+		AvatarURL:              ghUser.GetAvatarURL(),
+		OauthConversionEnabled: api.DeploymentValues.EnableOauthAccountConversion.Value(),
 	})
 	var httpErr httpError
 	if xerrors.As(err, &httpErr) {
@@ -850,17 +852,18 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 	}
 
 	cookie, key, err := api.oauthLogin(r, oauthLoginParams{
-		User:         user,
-		Link:         link,
-		State:        state,
-		LinkedID:     oidcLinkedID(idToken),
-		LoginType:    database.LoginTypeOIDC,
-		AllowSignups: api.OIDCConfig.AllowSignups,
-		Email:        email,
-		Username:     username,
-		AvatarURL:    picture,
-		UsingGroups:  usingGroups,
-		Groups:       groups,
+		User:                   user,
+		Link:                   link,
+		State:                  state,
+		LinkedID:               oidcLinkedID(idToken),
+		LoginType:              database.LoginTypeOIDC,
+		AllowSignups:           api.OIDCConfig.AllowSignups,
+		Email:                  email,
+		Username:               username,
+		AvatarURL:              picture,
+		UsingGroups:            usingGroups,
+		Groups:                 groups,
+		OauthConversionEnabled: api.DeploymentValues.EnableOauthAccountConversion.Value(),
 	})
 	var httpErr httpError
 	if xerrors.As(err, &httpErr) {
@@ -940,8 +943,9 @@ type oauthLoginParams struct {
 	AvatarURL    string
 	// Is UsingGroups is true, then the user will be assigned
 	// to the Groups provided.
-	UsingGroups bool
-	Groups      []string
+	UsingGroups            bool
+	Groups                 []string
+	OauthConversionEnabled bool
 }
 
 type httpError struct {
@@ -980,11 +984,26 @@ func (api *API) oauthLogin(r *http.Request, params oauthLoginParams) (*http.Cook
 			}
 		}
 
+		// If this is not a new user and the login type is different,
+		// we need to check if the user is trying to change their login type.
 		if user.ID != uuid.Nil && user.LoginType != params.LoginType {
+			wrongLoginTypeErr := httpError{
+				code: http.StatusForbidden,
+				msg: fmt.Sprintf("Incorrect login type, attempting to use %q but user is of login type %q",
+					params.LoginType,
+					user.LoginType,
+				),
+			}
+			if !params.OauthConversionEnabled {
+				return wrongLoginTypeErr
+			}
 			mergeState, err := api.Database.GetUserOauthMergeState(dbauthz.AsSystemRestricted(ctx), database.GetUserOauthMergeStateParams{
 				UserID:      user.ID,
 				StateString: params.State.StateString,
 			})
+			if xerrors.Is(err, sql.ErrNoRows) {
+				return wrongLoginTypeErr
+			}
 			failedMsg := fmt.Sprintf("Request to convert login type from %s to %s failed", user.LoginType, params.LoginType)
 			if err != nil {
 				return httpError{
diff --git a/codersdk/deployment.go b/codersdk/deployment.go
@@ -158,6 +158,7 @@ type DeploymentValues struct {
 	SessionDuration                 clibase.Duration                `json:"max_session_expiry,omitempty" typescript:",notnull"`
 	DisableSessionExpiryRefresh     clibase.Bool                    `json:"disable_session_expiry_refresh,omitempty" typescript:",notnull"`
 	DisablePasswordAuth             clibase.Bool                    `json:"disable_password_auth,omitempty" typescript:",notnull"`
+	EnableOauthAccountConversion    clibase.Bool                    `json:"enable_oauth_account_conversion,omitempty" typescript:",notnull"`
 	Support                         SupportConfig                   `json:"support,omitempty" typescript:",notnull"`
 	GitAuthProviders                clibase.Struct[[]GitAuthConfig] `json:"git_auth,omitempty" typescript:",notnull"`
 	SSHConfig                       SSHConfig                       `json:"config_ssh,omitempty" typescript:",notnull"`
@@ -1426,6 +1427,15 @@ when required by your organization's security policy.`,
 			Group: &deploymentGroupNetworkingHTTP,
 			YAML:  "disablePasswordAuth",
 		},
+		{
+			Name:        "Enable Oauth account conversion",
+			Description: "If enabled, users can switch from password based authentication to oauth based authentication by logging into an oidc account with the same email address.",
+			Flag:        "enable-oauth-auth-conversion",
+			Env:         "CODER_ENABLE_OAUTH_AUTH_CONVERSION",
+			Value:       &c.EnableOauthAccountConversion,
+			Group:       &deploymentGroupNetworkingHTTP,
+			YAML:        "enableOauthAuthConversion",
+		},
 		{
 			Name:          "Config Path",
 			Description:   `Specify a YAML file to load configuration from.`,
diff --git a/docs/api/general.md b/docs/api/general.md
@@ -195,6 +195,7 @@ curl -X GET http://coder-server:8080/api/v2/deployment/config \
     "disable_password_auth": true,
     "disable_path_apps": true,
     "disable_session_expiry_refresh": true,
+    "enable_oauth_account_conversion": true,
     "experiments": ["string"],
     "git_auth": {
       "value": [
diff --git a/docs/api/schemas.md b/docs/api/schemas.md
@@ -1863,6 +1863,7 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in
     "disable_password_auth": true,
     "disable_path_apps": true,
     "disable_session_expiry_refresh": true,
+    "enable_oauth_account_conversion": true,
     "experiments": ["string"],
     "git_auth": {
       "value": [
@@ -2190,6 +2191,7 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in
   "disable_password_auth": true,
   "disable_path_apps": true,
   "disable_session_expiry_refresh": true,
+  "enable_oauth_account_conversion": true,
   "experiments": ["string"],
   "git_auth": {
     "value": [
@@ -2381,6 +2383,7 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in
 | `disable_password_auth`              | boolean                                                                                    | false    |              |                                                                    |
 | `disable_path_apps`                  | boolean                                                                                    | false    |              |                                                                    |
 | `disable_session_expiry_refresh`     | boolean                                                                                    | false    |              |                                                                    |
+| `enable_oauth_account_conversion`    | boolean                                                                                    | false    |              |                                                                    |
 | `experiments`                        | array of string                                                                            | false    |              |                                                                    |
 | `git_auth`                           | [clibase.Struct-array_codersdk_GitAuthConfig](#clibasestruct-array_codersdk_gitauthconfig) | false    |              |                                                                    |
 | `http_address`                       | string                                                                                     | false    |              | Http address is a string because it may be set to zero to disable. |
diff --git a/docs/cli/server.md b/docs/cli/server.md
@@ -213,6 +213,16 @@ Disable workspace apps that are not served from subdomains. Path-based apps can
 
 Disable automatic session expiry bumping due to activity. This forces all sessions to become invalid after the session expiry duration has been reached.
 
+### --enable-oauth-auth-conversion
+
+|             |                                                        |
+| ----------- | ------------------------------------------------------ |
+| Type        | <code>bool</code>                                      |
+| Environment | <code>$CODER_ENABLE_OAUTH_AUTH_CONVERSION</code>       |
+| YAML        | <code>networking.http.enableOauthAuthConversion</code> |
+
+If enabled, users can switch from password based authentication to oauth based authentication by logging into an oidc account with the same email address.
+
 ### --swagger-enable
 
 |             |                                    |
diff --git a/site/src/api/api.ts b/site/src/api/api.ts
@@ -110,16 +110,16 @@ export const login = async (
 export const convertToOauth = async (
   email: string,
   password: string,
-  oauth_provider: string,
+  to_login_type: string,
 ): Promise<TypesGen.OauthConversionResponse | undefined> => {
   const payload = JSON.stringify({
     email,
     password,
-    oauth_provider,
+    to_login_type,
   })
 
   try {
-    const response = await axios.post<TypesGen.OauthConversionResponse>("/api/v2/users/upgrade-to-oidc",
+    const response = await axios.post<TypesGen.OauthConversionResponse>("/api/v2/users/convert-login",
     payload,
     {
       headers: { ...CONTENT_TYPE_JSON },
diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts
@@ -368,6 +368,7 @@ export interface DeploymentValues {
   readonly max_session_expiry?: number
   readonly disable_session_expiry_refresh?: boolean
   readonly disable_password_auth?: boolean
+  readonly enable_oauth_account_conversion?: boolean
   readonly support?: SupportConfig
   // Named type "github.com/coder/coder/cli/clibase.Struct[[]github.com/coder/coder/codersdk.GitAuthConfig]" unknown, using "any"
   // eslint-disable-next-line @typescript-eslint/no-explicit-any -- External type

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +BEGIN;
++
 +DROP TABLE oauth_merge_state;
++
 +COMMIT;