@@ -10,11 +10,14 @@ import (
1010 "errors"
1111 "fmt"
1212 "io"
13+ "math/rand"
14+ "mime"
1315 "net"
1416 "net/http"
1517 "net/http/cookiejar"
1618 "net/http/httptest"
1719 "net/url"
20+ "strconv"
1821 "strings"
1922 "testing"
2023 "time"
@@ -34,9 +37,11 @@ import (
3437 "cdr.dev/slog/sloggers/slogtest"
3538 "github.com/coder/coder/v2/coderd"
3639 "github.com/coder/coder/v2/coderd/externalauth"
40+ "github.com/coder/coder/v2/coderd/httpapi"
3741 "github.com/coder/coder/v2/coderd/promoauth"
3842 "github.com/coder/coder/v2/coderd/util/syncmap"
3943 "github.com/coder/coder/v2/codersdk"
44+ "github.com/coder/coder/v2/testutil"
4045)
4146
4247type token struct {
@@ -45,6 +50,13 @@ type token struct {
4550 exp time.Time
4651}
4752
53+ type deviceFlow struct {
54+ // userInput is the expected input to authenticate the device flow.
55+ userInput string
56+ exp time.Time
57+ granted bool
58+ }
59+
4860// FakeIDP is a functional OIDC provider.
4961// It only supports 1 OIDC client.
5062type FakeIDP struct {
@@ -77,6 +89,8 @@ type FakeIDP struct {
7789 refreshTokens * syncmap.Map [string , string ]
7890 stateToIDTokenClaims * syncmap.Map [string , jwt.MapClaims ]
7991 refreshIDTokenClaims * syncmap.Map [string , jwt.MapClaims ]
92+ // Device flow
93+ deviceCode * syncmap.Map [string , deviceFlow ]
8094
8195 // hooks
8296 // hookValidRedirectURL can be used to reject a redirect url from the
@@ -226,6 +240,8 @@ const (
226240 authorizePath = "/oauth2/authorize"
227241 keysPath = "/oauth2/keys"
228242 userInfoPath = "/oauth2/userinfo"
243+ deviceAuth = "/login/device/code"
244+ deviceVerify = "/login/device"
229245)
230246
231247func NewFakeIDP (t testing.TB , opts ... FakeIDPOpt ) * FakeIDP {
@@ -246,6 +262,7 @@ func NewFakeIDP(t testing.TB, opts ...FakeIDPOpt) *FakeIDP {
246262 refreshTokensUsed : syncmap .New [string , bool ](),
247263 stateToIDTokenClaims : syncmap .New [string , jwt.MapClaims ](),
248264 refreshIDTokenClaims : syncmap .New [string , jwt.MapClaims ](),
265+ deviceCode : syncmap .New [string , deviceFlow ](),
249266 hookOnRefresh : func (_ string ) error { return nil },
250267 hookUserInfo : func (email string ) (jwt.MapClaims , error ) { return jwt.MapClaims {}, nil },
251268 hookValidRedirectURL : func (redirectURL string ) error { return nil },
@@ -288,11 +305,12 @@ func (f *FakeIDP) updateIssuerURL(t testing.TB, issuer string) {
288305 // ProviderJSON is the JSON representation of the OpenID Connect provider
289306 // These are all the urls that the IDP will respond to.
290307 f .provider = ProviderJSON {
291- Issuer : issuer ,
292- AuthURL : u .ResolveReference (& url.URL {Path : authorizePath }).String (),
293- TokenURL : u .ResolveReference (& url.URL {Path : tokenPath }).String (),
294- JWKSURL : u .ResolveReference (& url.URL {Path : keysPath }).String (),
295- UserInfoURL : u .ResolveReference (& url.URL {Path : userInfoPath }).String (),
308+ Issuer : issuer ,
309+ AuthURL : u .ResolveReference (& url.URL {Path : authorizePath }).String (),
310+ TokenURL : u .ResolveReference (& url.URL {Path : tokenPath }).String (),
311+ JWKSURL : u .ResolveReference (& url.URL {Path : keysPath }).String (),
312+ UserInfoURL : u .ResolveReference (& url.URL {Path : userInfoPath }).String (),
313+ DeviceCodeURL : u .ResolveReference (& url.URL {Path : deviceAuth }).String (),
296314 Algorithms : []string {
297315 "RS256" ,
298316 },
@@ -467,6 +485,31 @@ func (f *FakeIDP) ExternalLogin(t testing.TB, client *codersdk.Client, opts ...f
467485 _ = res .Body .Close ()
468486}
469487
488+ // DeviceLogin does the oauth2 device flow for external auth providers.
489+ func (* FakeIDP ) DeviceLogin (t testing.TB , client * codersdk.Client , externalAuthID string ) {
490+ // First we need to initiate the device flow. This will have Coder hit the
491+ // fake IDP and get a device code.
492+ device , err := client .ExternalAuthDeviceByID (context .Background (), externalAuthID )
493+ require .NoError (t , err )
494+
495+ // Now the user needs to go to the fake IDP page and click "allow" and enter
496+ // the device code input. For our purposes, we just send an http request to
497+ // the verification url. No additional user input is needed.
498+ ctx , cancel := context .WithTimeout (context .Background (), testutil .WaitShort )
499+ defer cancel ()
500+ resp , err := client .Request (ctx , http .MethodPost , device .VerificationURI , nil )
501+ require .NoError (t , err )
502+ defer resp .Body .Close ()
503+
504+ // Now we need to exchange the device code for an access token. We do this
505+ // in this method because it is the user that does the polling for the device
506+ // auth flow, not the backend.
507+ err = client .ExternalAuthDeviceExchange (context .Background (), externalAuthID , codersdk.ExternalAuthDeviceExchange {
508+ DeviceCode : device .DeviceCode ,
509+ })
510+ require .NoError (t , err )
511+ }
512+
470513// CreateAuthCode emulates a user clicking "allow" on the IDP page. When doing
471514// unit tests, it's easier to skip this step sometimes. It does make an actual
472515// request to the IDP, so it should be equivalent to doing this "manually" with
@@ -536,12 +579,13 @@ func (f *FakeIDP) OIDCCallback(t testing.TB, state string, idTokenClaims jwt.Map
536579
537580// ProviderJSON is the .well-known/configuration JSON
538581type ProviderJSON struct {
539- Issuer string `json:"issuer"`
540- AuthURL string `json:"authorization_endpoint"`
541- TokenURL string `json:"token_endpoint"`
542- JWKSURL string `json:"jwks_uri"`
543- UserInfoURL string `json:"userinfo_endpoint"`
544- Algorithms []string `json:"id_token_signing_alg_values_supported"`
582+ Issuer string `json:"issuer"`
583+ AuthURL string `json:"authorization_endpoint"`
584+ TokenURL string `json:"token_endpoint"`
585+ JWKSURL string `json:"jwks_uri"`
586+ UserInfoURL string `json:"userinfo_endpoint"`
587+ DeviceCodeURL string `json:"device_authorization_endpoint"`
588+ Algorithms []string `json:"id_token_signing_alg_values_supported"`
545589 // This is custom
546590 ExternalAuthURL string `json:"external_auth_url"`
547591}
@@ -709,8 +753,15 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
709753 }))
710754
711755 mux .Handle (tokenPath , http .HandlerFunc (func (rw http.ResponseWriter , r * http.Request ) {
712- values , err := f .authenticateOIDCClientRequest (t , r )
756+ var values url.Values
757+ var err error
758+ if r .URL .Query ().Get ("grant_type" ) == "urn:ietf:params:oauth:grant-type:device_code" {
759+ values = r .URL .Query ()
760+ } else {
761+ values , err = f .authenticateOIDCClientRequest (t , r )
762+ }
713763 f .logger .Info (r .Context (), "http idp call token" ,
764+ slog .F ("url" , r .URL .String ()),
714765 slog .F ("valid" , err == nil ),
715766 slog .F ("grant_type" , values .Get ("grant_type" )),
716767 slog .F ("values" , values .Encode ()),
@@ -784,6 +835,37 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
784835 f .refreshTokensUsed .Store (refreshToken , true )
785836 // Always invalidate the refresh token after it is used.
786837 f .refreshTokens .Delete (refreshToken )
838+ case "urn:ietf:params:oauth:grant-type:device_code" :
839+ // Device flow
840+ var resp externalauth.ExchangeDeviceCodeResponse
841+ deviceCode := values .Get ("device_code" )
842+ if deviceCode == "" {
843+ resp .Error = "invalid_request"
844+ resp .ErrorDescription = "missing device_code"
845+ httpapi .Write (r .Context (), rw , http .StatusBadRequest , resp )
846+ return
847+ }
848+
849+ deviceFlow , ok := f .deviceCode .Load (deviceCode )
850+ if ! ok {
851+ resp .Error = "invalid_request"
852+ resp .ErrorDescription = "device_code provided not found"
853+ httpapi .Write (r .Context (), rw , http .StatusBadRequest , resp )
854+ return
855+ }
856+
857+ if ! deviceFlow .granted {
858+ // Status code ok with the error as pending.
859+ resp .Error = "authorization_pending"
860+ resp .ErrorDescription = ""
861+ httpapi .Write (r .Context (), rw , http .StatusOK , resp )
862+ return
863+ }
864+
865+ // Would be nice to get an actual email here.
866+ claims = jwt.MapClaims {
867+ "email" : "unknown-dev-auth" ,
868+ }
787869 default :
788870 t .Errorf ("unexpected grant_type %q" , values .Get ("grant_type" ))
789871 http .Error (rw , "invalid grant_type" , http .StatusBadRequest )
@@ -807,8 +889,30 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
807889 // Store the claims for the next refresh
808890 f .refreshIDTokenClaims .Store (refreshToken , claims )
809891
810- rw .Header ().Set ("Content-Type" , "application/json" )
811- _ = json .NewEncoder (rw ).Encode (token )
892+ mediaType , _ , _ := mime .ParseMediaType (r .Header .Get ("Accept" ))
893+ if mediaType == "application/x-www-form-urlencoded" {
894+ // This val encode might not work for some data structures.
895+ // It's good enough for now...
896+ rw .Header ().Set ("Content-Type" , "application/x-www-form-urlencoded" )
897+ vals := url.Values {}
898+ for k , v := range token {
899+ vals .Set (k , fmt .Sprintf ("%v" , v ))
900+ }
901+ _ , _ = rw .Write ([]byte (vals .Encode ()))
902+ return
903+ }
904+ // Default to json since the oauth2 package doesn't use Accept headers.
905+ if mediaType == "application/json" || mediaType == "" {
906+ rw .Header ().Set ("Content-Type" , "application/json" )
907+ _ = json .NewEncoder (rw ).Encode (token )
908+ return
909+ }
910+
911+ // If we get something we don't support, throw an error.
912+ httpapi .Write (r .Context (), rw , http .StatusBadRequest , codersdk.Response {
913+ Message : "'Accept' header contains unsupported media type" ,
914+ Detail : fmt .Sprintf ("Found %q" , mediaType ),
915+ })
812916 }))
813917
814918 validateMW := func (rw http.ResponseWriter , r * http.Request ) (email string , ok bool ) {
@@ -886,6 +990,125 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
886990 _ = json .NewEncoder (rw ).Encode (set )
887991 }))
888992
993+ mux .Handle (deviceVerify , http .HandlerFunc (func (rw http.ResponseWriter , r * http.Request ) {
994+ f .logger .Info (r .Context (), "http call device verify" )
995+
996+ inputParam := "user_input"
997+ userInput := r .URL .Query ().Get (inputParam )
998+ if userInput == "" {
999+ httpapi .Write (r .Context (), rw , http .StatusBadRequest , codersdk.Response {
1000+ Message : "Invalid user input" ,
1001+ Detail : fmt .Sprintf ("Hit this url again with ?%s=<user_code>" , inputParam ),
1002+ })
1003+ return
1004+ }
1005+
1006+ deviceCode := r .URL .Query ().Get ("device_code" )
1007+ if deviceCode == "" {
1008+ httpapi .Write (r .Context (), rw , http .StatusBadRequest , codersdk.Response {
1009+ Message : "Invalid device code" ,
1010+ Detail : "Hit this url again with ?device_code=<device_code>" ,
1011+ })
1012+ return
1013+ }
1014+
1015+ flow , ok := f .deviceCode .Load (deviceCode )
1016+ if ! ok {
1017+ httpapi .Write (r .Context (), rw , http .StatusBadRequest , codersdk.Response {
1018+ Message : "Invalid device code" ,
1019+ Detail : "Device code not found." ,
1020+ })
1021+ return
1022+ }
1023+
1024+ if time .Now ().After (flow .exp ) {
1025+ httpapi .Write (r .Context (), rw , http .StatusBadRequest , codersdk.Response {
1026+ Message : "Invalid device code" ,
1027+ Detail : "Device code expired." ,
1028+ })
1029+ return
1030+ }
1031+
1032+ if strings .TrimSpace (flow .userInput ) != strings .TrimSpace (userInput ) {
1033+ httpapi .Write (r .Context (), rw , http .StatusBadRequest , codersdk.Response {
1034+ Message : "Invalid device code" ,
1035+ Detail : "user code does not match" ,
1036+ })
1037+ return
1038+ }
1039+
1040+ f .deviceCode .Store (deviceCode , deviceFlow {
1041+ userInput : flow .userInput ,
1042+ exp : flow .exp ,
1043+ granted : true ,
1044+ })
1045+ httpapi .Write (r .Context (), rw , http .StatusOK , codersdk.Response {
1046+ Message : "Device authenticated!" ,
1047+ })
1048+ }))
1049+
1050+ mux .Handle (deviceAuth , http .HandlerFunc (func (rw http.ResponseWriter , r * http.Request ) {
1051+ f .logger .Info (r .Context (), "http call device auth" )
1052+
1053+ p := httpapi .NewQueryParamParser ()
1054+ p .Required ("client_id" )
1055+ clientID := p .String (r .URL .Query (), "" , "client_id" )
1056+ _ = p .String (r .URL .Query (), "" , "scopes" )
1057+ if len (p .Errors ) > 0 {
1058+ httpapi .Write (r .Context (), rw , http .StatusBadRequest , codersdk.Response {
1059+ Message : "Invalid query params" ,
1060+ Validations : p .Errors ,
1061+ })
1062+ return
1063+ }
1064+
1065+ if clientID != f .clientID {
1066+ httpapi .Write (r .Context (), rw , http .StatusBadRequest , codersdk.Response {
1067+ Message : "Invalid client id" ,
1068+ })
1069+ return
1070+ }
1071+
1072+ deviceCode := uuid .NewString ()
1073+ lifetime := time .Second * 900
1074+ flow := deviceFlow {
1075+ //nolint:gosec
1076+ userInput : fmt .Sprintf ("%d" , rand .Intn (9999999 )+ 1e8 ),
1077+ }
1078+ f .deviceCode .Store (deviceCode , deviceFlow {
1079+ userInput : flow .userInput ,
1080+ exp : time .Now ().Add (lifetime ),
1081+ })
1082+
1083+ verifyURL := f .issuerURL .ResolveReference (& url.URL {
1084+ Path : deviceVerify ,
1085+ RawQuery : url.Values {
1086+ "device_code" : {deviceCode },
1087+ "user_input" : {flow .userInput },
1088+ }.Encode (),
1089+ }).String ()
1090+
1091+ if mediaType , _ , _ := mime .ParseMediaType (r .Header .Get ("Accept" )); mediaType == "application/json" {
1092+ httpapi .Write (r .Context (), rw , http .StatusOK , map [string ]any {
1093+ "device_code" : deviceCode ,
1094+ "user_code" : flow .userInput ,
1095+ "verification_uri" : verifyURL ,
1096+ "expires_in" : int (lifetime .Seconds ()),
1097+ "interval" : 3 ,
1098+ })
1099+ return
1100+ }
1101+
1102+ // By default, GitHub form encodes these.
1103+ _ , _ = fmt .Fprint (rw , url.Values {
1104+ "device_code" : {deviceCode },
1105+ "user_code" : {flow .userInput },
1106+ "verification_uri" : {verifyURL },
1107+ "expires_in" : {strconv .Itoa (int (lifetime .Seconds ()))},
1108+ "interval" : {"3" },
1109+ }.Encode ())
1110+ }))
1111+
8891112 mux .NotFound (func (rw http.ResponseWriter , r * http.Request ) {
8901113 f .logger .Error (r .Context (), "http call not found" , slog .F ("path" , r .URL .Path ))
8911114 t .Errorf ("unexpected request to IDP at path %q. Not supported" , r .URL .Path )
@@ -987,6 +1210,8 @@ type ExternalAuthConfigOptions struct {
9871210 // completely customize the response. It captures all routes under the /external-auth-validate/*
9881211 // so the caller can do whatever they want and even add routes.
9891212 routes map [string ]func (email string , rw http.ResponseWriter , r * http.Request )
1213+
1214+ UseDeviceAuth bool
9901215}
9911216
9921217func (o * ExternalAuthConfigOptions ) AddRoute (route string , handle func (email string , rw http.ResponseWriter , r * http.Request )) * ExternalAuthConfigOptions {
@@ -1033,17 +1258,30 @@ func (f *FakeIDP) ExternalAuthConfig(t testing.TB, id string, custom *ExternalAu
10331258 }
10341259 }
10351260 instrumentF := promoauth .NewFactory (prometheus .NewRegistry ())
1261+ oauthCfg := instrumentF .New (f .clientID , f .OIDCConfig (t , nil ))
10361262 cfg := & externalauth.Config {
10371263 DisplayName : id ,
1038- InstrumentedOAuth2Config : instrumentF . New ( f . clientID , f . OIDCConfig ( t , nil )) ,
1264+ InstrumentedOAuth2Config : oauthCfg ,
10391265 ID : id ,
10401266 // No defaults for these fields by omitting the type
10411267 Type : "" ,
10421268 DisplayIcon : f .WellknownConfig ().UserInfoURL ,
10431269 // Omit the /user for the validate so we can easily append to it when modifying
10441270 // the cfg for advanced tests.
10451271 ValidateURL : f .issuerURL .ResolveReference (& url.URL {Path : "/external-auth-validate/" }).String (),
1272+ DeviceAuth : & externalauth.DeviceAuth {
1273+ Config : oauthCfg ,
1274+ ClientID : f .clientID ,
1275+ TokenURL : f .provider .TokenURL ,
1276+ Scopes : []string {},
1277+ CodeURL : f .provider .DeviceCodeURL ,
1278+ },
1279+ }
1280+
1281+ if ! custom .UseDeviceAuth {
1282+ cfg .DeviceAuth = nil
10461283 }
1284+
10471285 for _ , opt := range opts {
10481286 opt (cfg )
10491287 }
0 commit comments