feat: add owner_oidc_access_token to coder_workspace data source

kylecarbs · kylecarbs · commit 760c4a84505b · 2023-02-05T21:49:25.000Z
See the discussion in Discord here: https://discord.com/channels/747933592273027093/1071182088490987542/1071182088490987542 Related provider PR: coder/terraform-provider-coder#91
diff --git a/coderd/provisionerdserver/provisionerdserver.go b/coderd/provisionerdserver/provisionerdserver.go
@@ -18,13 +18,15 @@ import (
 	"github.com/tabbed/pqtype"
 	"golang.org/x/exp/maps"
 	"golang.org/x/exp/slices"
+	"golang.org/x/oauth2"
 	"golang.org/x/xerrors"
 	protobuf "google.golang.org/protobuf/proto"
 
 	"cdr.dev/slog"
 
 	"github.com/coder/coder/coderd/audit"
 	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/httpmw"
 	"github.com/coder/coder/coderd/parameter"
 	"github.com/coder/coder/coderd/telemetry"
 	"github.com/coder/coder/codersdk"
@@ -52,6 +54,7 @@ type Server struct {
 	Auditor        *atomic.Pointer[audit.Auditor]
 
 	AcquireJobDebounce time.Duration
+	OIDCConfig         httpmw.OAuth2Config
 }
 
 // AcquireJob queries the database to lock a job.
@@ -155,6 +158,14 @@ func (server *Server) AcquireJob(ctx context.Context, _ *proto.Empty) (*proto.Ac
 			return nil, failJob(fmt.Sprintf("publish workspace update: %s", err))
 		}
 
+		var workspaceOwnerOIDCAccessToken string
+		if server.OIDCConfig != nil {
+			workspaceOwnerOIDCAccessToken, err = obtainOIDCAccessToken(ctx, server.Database, server.OIDCConfig, owner.ID)
+			if err != nil {
+				return nil, failJob(fmt.Sprintf("obtain OIDC access token: %s", err))
+			}
+		}
+
 		// Compute parameters for the workspace to consume.
 		parameters, err := parameter.Compute(ctx, server.Database, parameter.ComputeScope{
 			TemplateImportJobID: templateVersion.JobID,
@@ -194,13 +205,14 @@ func (server *Server) AcquireJob(ctx context.Context, _ *proto.Empty) (*proto.Ac
 				ParameterValues:     protoParameters,
 				RichParameterValues: convertRichParameterValues(workspaceBuildParameters),
 				Metadata: &sdkproto.Provision_Metadata{
-					CoderUrl:            server.AccessURL.String(),
-					WorkspaceTransition: transition,
-					WorkspaceName:       workspace.Name,
-					WorkspaceOwner:      owner.Username,
-					WorkspaceOwnerEmail: owner.Email,
-					WorkspaceId:         workspace.ID.String(),
-					WorkspaceOwnerId:    owner.ID.String(),
+					CoderUrl:                      server.AccessURL.String(),
+					WorkspaceTransition:           transition,
+					WorkspaceName:                 workspace.Name,
+					WorkspaceOwner:                owner.Username,
+					WorkspaceOwnerEmail:           owner.Email,
+					WorkspaceOwnerOidcAccessToken: workspaceOwnerOIDCAccessToken,
+					WorkspaceId:                   workspace.ID.String(),
+					WorkspaceOwnerId:              owner.ID.String(),
 				},
 			},
 		}
@@ -1062,6 +1074,51 @@ func InsertWorkspaceResource(ctx context.Context, db database.Store, jobID uuid.
 	return nil
 }
 
+// obtainOIDCAccessToken returns a valid OpenID Connect access token
+// for the user if it's able to obtain one, otherwise it returns an empty string.
+func obtainOIDCAccessToken(ctx context.Context, db database.Store, oidcConfig httpmw.OAuth2Config, userID uuid.UUID) (string, error) {
+	link, err := db.GetUserLinkByUserIDLoginType(ctx, database.GetUserLinkByUserIDLoginTypeParams{
+		UserID:    userID,
+		LoginType: database.LoginTypeOIDC,
+	})
+	if errors.Is(err, sql.ErrNoRows) {
+		err = nil
+	}
+	if err != nil {
+		return "", xerrors.Errorf("get owner oidc link: %w", err)
+	}
+
+	if link.OAuthExpiry.Before(database.Now()) && !link.OAuthExpiry.IsZero() && link.OAuthRefreshToken != "" {
+		token, err := oidcConfig.TokenSource(ctx, &oauth2.Token{
+			AccessToken:  link.OAuthAccessToken,
+			RefreshToken: link.OAuthRefreshToken,
+			Expiry:       link.OAuthExpiry,
+		}).Token()
+		if err != nil {
+			// If OIDC fails to refresh, we return an empty string and don't fail.
+			// There isn't a way to hard-opt in to OIDC from a template, so we don't
+			// want to fail builds if users haven't authenticated for a while or something.
+			return "", nil
+		}
+		link.OAuthAccessToken = token.AccessToken
+		link.OAuthRefreshToken = token.RefreshToken
+		link.OAuthExpiry = token.Expiry
+
+		link, err = db.UpdateUserLink(ctx, database.UpdateUserLinkParams{
+			UserID:            userID,
+			LoginType:         database.LoginTypeOIDC,
+			OAuthAccessToken:  link.OAuthAccessToken,
+			OAuthRefreshToken: link.OAuthRefreshToken,
+			OAuthExpiry:       link.OAuthExpiry,
+		})
+		if err != nil {
+			return "", xerrors.Errorf("update user link: %w", err)
+		}
+	}
+
+	return link.OAuthAccessToken, nil
+}
+
 func convertValidationTypeSystem(typeSystem sdkproto.ParameterSchema_TypeSystem) (database.ParameterTypeSystem, error) {
 	switch typeSystem {
 	case sdkproto.ParameterSchema_None:
diff --git a/coderd/provisionerdserver/provisionerdserver_internal_test.go b/coderd/provisionerdserver/provisionerdserver_internal_test.go
@@ -0,0 +1,84 @@
+package provisionerdserver
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/database/dbfake"
+	"github.com/coder/coder/coderd/database/dbgen"
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/oauth2"
+)
+
+func TestObtainOIDCAccessToken(t *testing.T) {
+	t.Parallel()
+	ctx := context.Background()
+	t.Run("NoToken", func(t *testing.T) {
+		t.Parallel()
+		db := dbfake.New()
+		_, err := obtainOIDCAccessToken(ctx, db, nil, uuid.Nil)
+		require.NoError(t, err)
+	})
+	t.Run("InvalidConfig", func(t *testing.T) {
+		// We still want OIDC to succeed even if exchanging the token fails.
+		t.Parallel()
+		db := dbfake.New()
+		user := dbgen.User(t, db, database.User{})
+		dbgen.UserLink(t, db, database.UserLink{
+			UserID:      user.ID,
+			LoginType:   database.LoginTypeOIDC,
+			OAuthExpiry: database.Now().Add(-time.Hour),
+		})
+		_, err := obtainOIDCAccessToken(ctx, db, &oauth2.Config{}, user.ID)
+		require.NoError(t, err)
+	})
+	t.Run("Exchange", func(t *testing.T) {
+		t.Parallel()
+		db := dbfake.New()
+		user := dbgen.User(t, db, database.User{})
+		dbgen.UserLink(t, db, database.UserLink{
+			UserID:      user.ID,
+			LoginType:   database.LoginTypeOIDC,
+			OAuthExpiry: database.Now().Add(-time.Hour),
+		})
+		_, err := obtainOIDCAccessToken(ctx, db, &oauth2Config{
+			tokenSource: func() (*oauth2.Token, error) {
+				return &oauth2.Token{
+					AccessToken: "token",
+				}, nil
+			},
+		}, user.ID)
+		require.NoError(t, err)
+		link, err := db.GetUserLinkByUserIDLoginType(ctx, database.GetUserLinkByUserIDLoginTypeParams{
+			UserID:    user.ID,
+			LoginType: database.LoginTypeOIDC,
+		})
+		require.NoError(t, err)
+		require.Equal(t, "token", link.OAuthAccessToken)
+	})
+}
+
+type oauth2Config struct {
+	tokenSource oauth2TokenSource
+}
+
+func (o *oauth2Config) TokenSource(context.Context, *oauth2.Token) oauth2.TokenSource {
+	return o.tokenSource
+}
+
+func (*oauth2Config) AuthCodeURL(string, ...oauth2.AuthCodeOption) string {
+	return ""
+}
+
+func (*oauth2Config) Exchange(context.Context, string, ...oauth2.AuthCodeOption) (*oauth2.Token, error) {
+	return &oauth2.Token{}, nil
+}
+
+type oauth2TokenSource func() (*oauth2.Token, error)
+
+func (o oauth2TokenSource) Token() (*oauth2.Token, error) {
+	return o()
+}
diff --git a/coderd/provisionerdserver/provisionerdserver_test.go b/coderd/provisionerdserver/provisionerdserver_test.go
@@ -11,6 +11,7 @@ import (
 
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/require"
+	"golang.org/x/oauth2"
 
 	"cdr.dev/slog/sloggers/slogtest"
 	"github.com/coder/coder/coderd/audit"
@@ -90,6 +91,12 @@ func TestAcquireJob(t *testing.T) {
 		ctx := context.Background()
 
 		user := dbgen.User(t, srv.Database, database.User{})
+		link := dbgen.UserLink(t, srv.Database, database.UserLink{
+			LoginType:        database.LoginTypeOIDC,
+			UserID:           user.ID,
+			OAuthExpiry:      database.Now().Add(time.Hour),
+			OAuthAccessToken: "access-token",
+		})
 		template := dbgen.Template(t, srv.Database, database.Template{
 			Name:        "template",
 			Provisioner: database.ProvisionerTypeEcho,
@@ -169,13 +176,14 @@ func TestAcquireJob(t *testing.T) {
 				WorkspaceName:    workspace.Name,
 				ParameterValues:  []*sdkproto.ParameterValue{},
 				Metadata: &sdkproto.Provision_Metadata{
-					CoderUrl:            srv.AccessURL.String(),
-					WorkspaceTransition: sdkproto.WorkspaceTransition_START,
-					WorkspaceName:       workspace.Name,
-					WorkspaceOwner:      user.Username,
-					WorkspaceOwnerEmail: user.Email,
-					WorkspaceId:         workspace.ID.String(),
-					WorkspaceOwnerId:    user.ID.String(),
+					CoderUrl:                      srv.AccessURL.String(),
+					WorkspaceTransition:           sdkproto.WorkspaceTransition_START,
+					WorkspaceName:                 workspace.Name,
+					WorkspaceOwner:                user.Username,
+					WorkspaceOwnerEmail:           user.Email,
+					WorkspaceId:                   workspace.ID.String(),
+					WorkspaceOwnerId:              user.ID.String(),
+					WorkspaceOwnerOidcAccessToken: link.OAuthAccessToken,
 				},
 			},
 		})
@@ -804,6 +812,7 @@ func setup(t *testing.T, ignoreLogErrors bool) *provisionerdserver.Server {
 	return &provisionerdserver.Server{
 		ID:           uuid.New(),
 		Logger:       slogtest.Make(t, &slogtest.Options{IgnoreErrors: ignoreLogErrors}),
+		OIDCConfig:   &oauth2.Config{},
 		AccessURL:    &url.URL{},
 		Provisioners: []database.ProvisionerType{database.ProvisionerTypeEcho},
 		Database:     db,
diff --git a/provisioner/terraform/provision.go b/provisioner/terraform/provision.go
@@ -213,6 +213,7 @@ func provisionEnv(config *proto.Provision_Config, params []*proto.ParameterValue
 		"CODER_WORKSPACE_NAME="+config.Metadata.WorkspaceName,
 		"CODER_WORKSPACE_OWNER="+config.Metadata.WorkspaceOwner,
 		"CODER_WORKSPACE_OWNER_EMAIL="+config.Metadata.WorkspaceOwnerEmail,
+		"CODER_WORKSPACE_OWNER_OIDC_ACCESS_TOKEN="+config.Metadata.WorkspaceOwnerOidcAccessToken,
 		"CODER_WORKSPACE_ID="+config.Metadata.WorkspaceId,
 		"CODER_WORKSPACE_OWNER_ID="+config.Metadata.WorkspaceOwnerId,
 	)
diff --git a/provisionersdk/proto/provisioner.pb.go b/provisionersdk/proto/provisioner.pb.go
diff --git a/provisionersdk/proto/provisioner.proto b/provisionersdk/proto/provisioner.proto

Original file line number	Diff line number	Diff line change
`@@ -213,6 +213,7 @@ func provisionEnv(config proto.Provision_Config, params []proto.ParameterValue`
`213`	`213`	`"CODER_WORKSPACE_NAME="+config.Metadata.WorkspaceName,`
`214`	`214`	`"CODER_WORKSPACE_OWNER="+config.Metadata.WorkspaceOwner,`
`215`	`215`	`"CODER_WORKSPACE_OWNER_EMAIL="+config.Metadata.WorkspaceOwnerEmail,`
	`216`	`+ "CODER_WORKSPACE_OWNER_OIDC_ACCESS_TOKEN="+config.Metadata.WorkspaceOwnerOidcAccessToken,`
`216`	`217`	`"CODER_WORKSPACE_ID="+config.Metadata.WorkspaceId,`
`217`	`218`	`"CODER_WORKSPACE_OWNER_ID="+config.Metadata.WorkspaceOwnerId,`
`218`	`219`	`)`