
Commit abb2c76

authored
chore: add claims to oauth link in db for debug (#10827)
* chore: add claims to oauth link in db for debug
1 parent 0534f8f commit abb2c76


19 files changed

+216
-43
lines changed


coderd/apidoc/docs.go

Lines changed: 31 additions & 0 deletions

coderd/apidoc/swagger.json

Lines changed: 29 additions & 0 deletions

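--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@@ -972,6 +972,10 @@ func New(options *Options) *API {
 r.Get("/tailnet", api.debugTailnet)
 r.Get("/health", api.debugDeploymentHealth)
 r.Get("/ws", (&healthcheck.WebsocketEchoServer{}).ServeHTTP)
+r.Route("/{user}", func(r chi.Router) {
+r.Use(httpmw.ExtractUserParam(options.Database))
+r.Get("/debug-link", api.userDebugOIDC)
+})
 })
 })
 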
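Review bot: The new `/{user}/debug-link` route applies `httpmw.ExtractUserParam` but no authorization middleware is visible in the hunk, and the debug route group it sits in starts outside the hunk, so whether that group is already restricted to owners/admins cannot be confirmed from here. Per the migration in this commit, the data served by `api.userDebugOIDC` is the stored id_token and userinfo claims, which typically carry email and group membership, so the handler itself should perform an explicit RBAC read check on the target user's link (dbauthz) rather than rely solely on the router. The handler is not part of this page, so that check cannot be verified either way. A route-level comment would help future readers, e.g. `// Serves the stored OIDC claims for a user; must stay behind the debug/admin authorization.` The enclosing `New` function continues outside the hunk.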
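--- a/coderd/coderdtest/oidctest/helper.go
+++ b/coderd/coderdtest/oidctest/helper.go
@@ -2,6 +2,7 @@ package oidctest
 
 import (
 "database/sql"
+"encoding/json"
 "net/http"
 "testing"
 "time"
@@ -77,6 +78,7 @@ func (*LoginHelper) ExpireOauthToken(t *testing.T, db database.Store, user *code
 OAuthExpiry: time.Now().Add(time.Hour * -1),
 UserID: link.UserID,
 LoginType: link.LoginType,
+DebugContext: json.RawMessage("{}"),
 })
 require.NoError(t, err, "expire user link")
 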
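--- a/coderd/database/dbauthz/dbauthz_test.go
+++ b/coderd/database/dbauthz/dbauthz_test.go
@@ -1022,6 +1022,7 @@ func (s *MethodTestSuite) TestUser() {
 OAuthExpiry: link.OAuthExpiry,
 UserID: link.UserID,
 LoginType: link.LoginType,
+DebugContext: json.RawMessage("{}"),
 }).Asserts(link, rbac.ActionUpdate).Returns(link)
 }))
 s.Run("UpdateUserRoles", s.Subtest(func(db database.Store, check *expects) {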

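--- a/coderd/database/dbgen/dbgen.go
+++ b/coderd/database/dbgen/dbgen.go
@@ -513,6 +513,7 @@ func UserLink(t testing.TB, db database.Store, orig database.UserLink) database.
 OAuthRefreshToken: takeFirst(orig.OAuthRefreshToken, uuid.NewString()),
 OAuthRefreshTokenKeyID: takeFirst(orig.OAuthRefreshTokenKeyID, sql.NullString{}),
 OAuthExpiry: takeFirst(orig.OAuthExpiry, dbtime.Now().Add(time.Hour*24)),
+DebugContext: takeFirstSlice(orig.DebugContext, json.RawMessage("{}")),
 })
 
 require.NoError(t, err, "insert link")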

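--- a/coderd/database/dbmem/dbmem.go
+++ b/coderd/database/dbmem/dbmem.go
@@ -5106,6 +5106,7 @@ func (q *FakeQuerier) InsertUserLink(_ context.Context, args database.InsertUser
 OAuthRefreshToken: args.OAuthRefreshToken,
 OAuthRefreshTokenKeyID: args.OAuthRefreshTokenKeyID,
 OAuthExpiry: args.OAuthExpiry,
+DebugContext: args.DebugContext,
 }
 
 q.userLinks = append(q.userLinks, link)
@@ -6188,6 +6189,7 @@ func (q *FakeQuerier) UpdateUserLink(_ context.Context, params database.UpdateUs
 link.OAuthRefreshToken = params.OAuthRefreshToken
 link.OAuthRefreshTokenKeyID = params.OAuthRefreshTokenKeyID
 link.OAuthExpiry = params.OAuthExpiry
+link.DebugContext = params.DebugContext
 
 q.userLinks[i] = link
 return link, nil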
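Review bot: Both new assignments store the caller's `json.RawMessage` slice by reference, so the in-memory fake aliases the caller's buffer while the real database copies the bytes; a test that mutates or reuses that buffer after InsertUserLink/UpdateUserLink would see the fake's stored link change, which Postgres would not do. The other copied fields are strings or structs, so this is the only field in these two hunks with that difference. Suggest cloning on both writes, `DebugContext: slices.Clone(args.DebugContext),` and `link.DebugContext = slices.Clone(params.DebugContext)` (or `append(json.RawMessage(nil), ...)` if `slices` is not already imported in this file, which is not visible here). Both enclosing methods extend beyond the hunks shown.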

coderd/database/dump.sql

Lines changed: 4 additions & 1 deletion
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
BEGIN;
2+
3+
ALTER TABLE user_links DROP COLUMN debug_context;
4+
5+
COMMIT;
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
BEGIN;
2+
3+
ALTER TABLE user_links ADD COLUMN debug_context jsonb DEFAULT '{}' NOT NULL;
4+
COMMENT ON COLUMN user_links.debug_context IS 'Debug information includes information like id_token and userinfo claims.';
5+
6+
COMMIT;
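Review bot: `debug_context` stores id_token and userinfo claims as plain `jsonb`, whereas the neighbouring token columns on `user_links` (seen in the user_links.sql hunks as `oauth_access_token_key_id` and `oauth_refresh_token_key_id`) carry a key-id companion that lets dbcrypt encrypt them at rest; this column has no such companion, so the claims — which for most providers include email and group membership — will sit in cleartext in the database, in backups and in dump.sql-based fixtures. The apikey.go hunk in this commit also says these claims are reused for group/role sync on refresh, which makes the column authorization-relevant rather than purely diagnostic. At minimum the column comment should say so, e.g. `COMMENT ON COLUMN user_links.debug_context IS 'Debug information includes information like id_token and userinfo claims. Stored unencrypted and may contain PII; reused for group/role sync on token refresh.';`, and a later change could add a dbcrypt key-id column for it. The migration file names are not rendered on this page, so the down migration at the preceding section is assumed to be this file's counterpart.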

coderd/database/models.go

Lines changed: 2 additions & 0 deletions

coderd/database/queries.sql.go

Lines changed: 35 additions & 23 deletions

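--- a/coderd/database/queries/user_links.sql
+++ b/coderd/database/queries/user_links.sql
@@ -27,10 +27,11 @@ INSERT INTO
 oauth_access_token_key_id,
 oauth_refresh_token,
 oauth_refresh_token_key_id,
-oauth_expiry
+oauth_expiry,
+debug_context
 )
 VALUES
-( $1, $2, $3, $4, $5, $6, $7, $8 ) RETURNING *;
+( $1, $2, $3, $4, $5, $6, $7, $8, $9 ) RETURNING *;
 
 -- name: UpdateUserLinkedID :one
 UPDATE
@@ -48,6 +49,7 @@ SET
 oauth_access_token_key_id = $2,
 oauth_refresh_token = $3,
 oauth_refresh_token_key_id = $4,
-oauth_expiry = $5
+oauth_expiry = $5,
+debug_context = $6
 WHERE
-user_id = $6 AND login_type = $7 RETURNING *;
+user_id = $7 AND login_type = $8 RETURNING *;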

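--- a/coderd/httpmw/apikey.go
+++ b/coderd/httpmw/apikey.go
@@ -378,6 +378,9 @@ func ExtractAPIKey(rw http.ResponseWriter, r *http.Request, cfg ExtractAPIKeyCon
 OAuthRefreshToken: link.OAuthRefreshToken,
 OAuthRefreshTokenKeyID: sql.NullString{}, // dbcrypt will update as required
 OAuthExpiry: link.OAuthExpiry,
+// Refresh should keep the same debug context because we use
+// the original claims for the group/role sync.
+DebugContext: link.DebugContext,
 })
 if err != nil {
 return write(http.StatusInternalServerError, codersdk.Response{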
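Review bot: The added comment states that the stored claims feed group/role sync on refresh, which means `DebugContext` is consumed for authorization decisions and not only for debugging as the column name and the migration's column comment suggest; that mismatch is worth making explicit here, since a future reader may treat the field as safe to drop or truncate. The same carry-over appears in the provisionerdserver.go hunk without any comment. Suggest extending the comment, e.g. `// NOTE: despite the name, debug_context is read by group/role sync; clearing it here would change the user's effective groups/roles.` The enclosing ExtractAPIKey function continues outside the hunk, so whether the refreshed id_token is ever used to rewrite the stored claims cannot be checked from here.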

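--- a/coderd/provisionerdserver/provisionerdserver.go
+++ b/coderd/provisionerdserver/provisionerdserver.go
@@ -1674,6 +1674,7 @@ func obtainOIDCAccessToken(ctx context.Context, db database.Store, oidcConfig ht
 OAuthRefreshToken: link.OAuthRefreshToken,
 OAuthRefreshTokenKeyID: sql.NullString{}, // set by dbcrypt if required
 OAuthExpiry: link.OAuthExpiry,
+DebugContext: link.DebugContext,
 })
 if err != nil {
 return "", xerrors.Errorf("update user link: %w", err)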
