feat: update to plural and lowercase domain

Daniel Carrion · Daniel Carrion · commit 865710a79913 · 2022-12-01T23:51:46.000+11:00
diff --git a/cli/deployment/config.go b/cli/deployment/config.go
@@ -215,9 +215,9 @@ func newConfig() *codersdk.DeploymentConfig {
 				Flag:   "oidc-client-secret",
 				Secret: true,
 			},
-			EmailDomain: &codersdk.DeploymentConfigField[string]{
-				Name:  "OIDC Email Domain",
-				Usage: "Email domain that clients logging in with OIDC must match.",
+			EmailDomains: &codersdk.DeploymentConfigField[[]string]{
+				Name:  "OIDC Email Domains",
+				Usage: "Email domains that clients logging in with OIDC must match.",
 				Flag:  "oidc-email-domain",
 			},
 			IssuerURL: &codersdk.DeploymentConfigField[string]{
diff --git a/cli/deployment/config_test.go b/cli/deployment/config_test.go
@@ -127,7 +127,7 @@ func TestConfig(t *testing.T) {
 		Env:  map[string]string{},
 		Valid: func(config *codersdk.DeploymentConfig) {
 			require.Empty(t, config.OIDC.IssuerURL.Value)
-			require.Empty(t, config.OIDC.EmailDomain.Value)
+			require.Empty(t, config.OIDC.EmailDomains.Value)
 			require.Empty(t, config.OIDC.ClientID.Value)
 			require.Empty(t, config.OIDC.ClientSecret.Value)
 			require.True(t, config.OIDC.AllowSignups.Value)
@@ -147,7 +147,7 @@ func TestConfig(t *testing.T) {
 		},
 		Valid: func(config *codersdk.DeploymentConfig) {
 			require.Equal(t, config.OIDC.IssuerURL.Value, "https://accounts.google.com")
-			require.Equal(t, config.OIDC.EmailDomain.Value, "coder.com")
+			require.Equal(t, config.OIDC.EmailDomains.Value, "coder.com")
 			require.Equal(t, config.OIDC.ClientID.Value, "client")
 			require.Equal(t, config.OIDC.ClientSecret.Value, "secret")
 			require.False(t, config.OIDC.AllowSignups.Value)
diff --git a/cli/server.go b/cli/server.go
@@ -424,7 +424,7 @@ func Server(vip *viper.Viper, newAPI func(context.Context, *coderd.Options) (*co
 					Verifier: oidcProvider.Verifier(&oidc.Config{
 						ClientID: cfg.OIDC.ClientID.Value,
 					}),
-					EmailDomain:  cfg.OIDC.EmailDomain.Value,
+					EmailDomains: cfg.OIDC.EmailDomains.Value,
 					AllowSignups: cfg.OIDC.AllowSignups.Value,
 				}
 			}
diff --git a/cli/testdata/coder_server_--help.golden b/cli/testdata/coder_server_--help.golden
@@ -95,7 +95,7 @@ Flags:
                                                      Consumes $CODER_OIDC_CLIENT_ID
       --oidc-client-secret string                    Client secret to use for Login with OIDC.
                                                      Consumes $CODER_OIDC_CLIENT_SECRET
-      --oidc-email-domain string                     Email domain that clients logging in with
+      --oidc-email-domain string                     Email domains that clients logging in with
                                                      OIDC must match.
                                                      Consumes $CODER_OIDC_EMAIL_DOMAIN
       --oidc-ignore-email-verified                   Ignore the email_verified claim from the
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -192,8 +192,8 @@ type OIDCConfig struct {
 	httpmw.OAuth2Config
 
 	Verifier *oidc.IDTokenVerifier
-	// EmailDomain is the domain to enforce when a user authenticates.
-	EmailDomain  string
+	// EmailDomains is the domain to enforce when a user authenticates.
+	EmailDomains []string
 	AllowSignups bool
 	// IgnoreEmailVerified allows ignoring the email_verified claim
 	// from an upstream OIDC provider. See #5065 for context.
@@ -291,17 +291,17 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 	}
 	// Check if one or comma delimited list of allowed domains is provided.
 	// If a suffix matches, break and continue, otherwise error.
-	if api.OIDCConfig.EmailDomain != "" {
+	if len(api.OIDCConfig.EmailDomains) != 0 {
 		ok = false
-		for _, domain := range strings.Split(api.OIDCConfig.EmailDomain, ",") {
-			if strings.HasSuffix(strings.ToLower(email), domain) {
+		for _, domain := range api.OIDCConfig.EmailDomains {
+			if strings.HasSuffix(strings.ToLower(email), strings.ToLower(domain)) {
 				ok = true
 				break
 			}
 		}
 		if !ok {
 			httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
-				Message: fmt.Sprintf("Your email %q is not a part of the %q domain!", email, api.OIDCConfig.EmailDomain),
+				Message: fmt.Sprintf("Your email %q is not in domains %q !", email, api.OIDCConfig.EmailDomains),
 			})
 			return
 		}
diff --git a/coderd/userauth_test.go b/coderd/userauth_test.go
@@ -482,7 +482,7 @@ func TestUserOIDC(t *testing.T) {
 		Name                string
 		Claims              jwt.MapClaims
 		AllowSignups        bool
-		EmailDomain         string
+		EmailDomains        []string
 		Username            string
 		AvatarURL           string
 		StatusCode          int
@@ -528,17 +528,21 @@ func TestUserOIDC(t *testing.T) {
 			"email_verified": true,
 		},
 		AllowSignups: true,
-		EmailDomain:  "coder.com",
-		StatusCode:   http.StatusForbidden,
+		EmailDomains: []string{
+			"coder.com",
+		},
+		StatusCode: http.StatusForbidden,
 	}, {
 		Name: "EmailDomainCaseInsensitive",
 		Claims: jwt.MapClaims{
 			"email":          "kyle@KWC.io",
 			"email_verified": true,
 		},
 		AllowSignups: true,
-		EmailDomain:  "kwc.io",
-		StatusCode:   http.StatusTemporaryRedirect,
+		EmailDomains: []string{
+			"kwc.io",
+		},
+		StatusCode: http.StatusTemporaryRedirect,
 	}, {
 		Name:         "EmptyClaims",
 		Claims:       jwt.MapClaims{},
@@ -611,7 +615,7 @@ func TestUserOIDC(t *testing.T) {
 
 			config := conf.OIDCConfig()
 			config.AllowSignups = tc.AllowSignups
-			config.EmailDomain = tc.EmailDomain
+			config.EmailDomains = tc.EmailDomains
 			config.IgnoreEmailVerified = tc.IgnoreEmailVerified
 
 			client := coderdtest.New(t, &coderdtest.Options{
diff --git a/codersdk/deploymentconfig.go b/codersdk/deploymentconfig.go
@@ -90,7 +90,7 @@ type OIDCConfig struct {
 	AllowSignups        *DeploymentConfigField[bool]     `json:"allow_signups" typescript:",notnull"`
 	ClientID            *DeploymentConfigField[string]   `json:"client_id" typescript:",notnull"`
 	ClientSecret        *DeploymentConfigField[string]   `json:"client_secret" typescript:",notnull"`
-	EmailDomain         *DeploymentConfigField[string]   `json:"email_domain" typescript:",notnull"`
+	EmailDomains        *DeploymentConfigField[[]string] `json:"email_domain" typescript:",notnull"`
 	IssuerURL           *DeploymentConfigField[string]   `json:"issuer_url" typescript:",notnull"`
 	Scopes              *DeploymentConfigField[[]string] `json:"scopes" typescript:",notnull"`
 	IgnoreEmailVerified *DeploymentConfigField[bool]     `json:"ignore_email_verified" typescript:",notnull"`

Original file line number	Diff line number	Diff line change
`@@ -424,7 +424,7 @@ func Server(vip viper.Viper, newAPI func(context.Context, coderd.Options) (*co`
`424`	`424`	`Verifier: oidcProvider.Verifier(&oidc.Config{`
`425`	`425`	`ClientID: cfg.OIDC.ClientID.Value,`
`426`	`426`	`}),`
`427`		`- EmailDomain: cfg.OIDC.EmailDomain.Value,`
	`427`	`+ EmailDomains: cfg.OIDC.EmailDomains.Value,`
`428`	`428`	`AllowSignups: cfg.OIDC.AllowSignups.Value,`
`429`	`429`	`}`
`430`	`430`	`}`