Skip to content

chore: allow running fake idp with coderd dev #11555

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Jan 11, 2024
Merged

chore: allow running fake idp with coderd dev #11555

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
9117f1f
chore: allow running fake idp with coderd dev
Emyrk Jan 10, 2024
27d1787
wording
Emyrk Jan 10, 2024
7cd28ae
Linter
Emyrk Jan 10, 2024
1a19b1c
Linter
Emyrk Jan 10, 2024
f23d4e7
add short usage doc
Emyrk Jan 10, 2024
eab1a1a
fmt
Emyrk Jan 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
chore: allow running fake idp with coderd dev
  • Loading branch information
@Emyrk
Emyrk committed Jan 10, 2024
commit 9117f1fc72fe0b6b69a358333e0f93aa166330e5
34 changes: 29 additions & 5 deletions coderd/coderdtest/oidctest/idp.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -78,9 +78,12 @@ type FakeIDP struct {
// "Authorized Redirect URLs". This can be used to emulate that.
hookValidRedirectURL func(redirectURL string) error
hookUserInfo func(email string) (jwt.MapClaims, error)
hookMutateToken func(token map[string]interface{})
fakeCoderd func(req *http.Request) (*http.Response, error)
hookOnRefresh func(email string) error
// defaultIDClaims is if a new client connects and we didn't preset
// some claims.
defaultIDClaims jwt.MapClaims
hookMutateToken func(token map[string]interface{})
fakeCoderd func(req *http.Request) (*http.Response, error)
hookOnRefresh func(email string) error
// Custom authentication for the client. This is useful if you want
// to test something like PKI auth vs a client_secret.
hookAuthenticateClient func(t testing.TB, req *http.Request) (url.Values, error)
Expand Down Expand Up @@ -162,6 +165,12 @@ func WithStaticUserInfo(info jwt.MapClaims) func(*FakeIDP) {
}
}

func WithDefaultIDClaims(claims jwt.MapClaims) func(*FakeIDP) {
return func(f *FakeIDP) {
f.defaultIDClaims = claims
}
}

func WithDynamicUserInfo(userInfoFunc func(email string) (jwt.MapClaims, error)) func(*FakeIDP) {
return func(f *FakeIDP) {
f.hookUserInfo = userInfoFunc
Expand Down Expand Up @@ -679,7 +688,7 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
// Always invalidate the code after it is used.
f.codeToStateMap.Delete(code)

idTokenClaims, ok := f.stateToIDTokenClaims.Load(stateStr)
idTokenClaims, ok := f.getClaims(f.stateToIDTokenClaims, stateStr)
if !ok {
t.Errorf("missing id token claims")
http.Error(rw, "missing id token claims", http.StatusBadRequest)
Expand All @@ -699,7 +708,7 @@ func (f *FakeIDP) httpHandler(t testing.TB) http.Handler {
return
}

idTokenClaims, ok := f.refreshIDTokenClaims.Load(refreshToken)
idTokenClaims, ok := f.getClaims(f.refreshIDTokenClaims, refreshToken)
if !ok {
t.Errorf("missing id token claims in refresh")
http.Error(rw, "missing id token claims in refresh", http.StatusBadRequest)
Expand Down Expand Up @@ -971,6 +980,10 @@ func (f *FakeIDP) ExternalAuthConfig(t testing.TB, id string, custom *ExternalAu
return cfg
}

func (f *FakeIDP) AppCredentials() (string, string) {
return f.clientID, f.clientSecret
}

// OIDCConfig returns the OIDC config to use for Coderd.
func (f *FakeIDP) OIDCConfig(t testing.TB, scopes []string, opts ...func(cfg *coderd.OIDCConfig)) *coderd.OIDCConfig {
t.Helper()
Expand Down Expand Up @@ -1023,6 +1036,17 @@ func (f *FakeIDP) OIDCConfig(t testing.TB, scopes []string, opts ...func(cfg *co
return cfg
}

func (f *FakeIDP) getClaims(m *syncmap.Map[string, jwt.MapClaims], key string) (jwt.MapClaims, bool) {
v, ok := m.Load(key)
if !ok {
if f.defaultIDClaims != nil {
return f.defaultIDClaims, true
}
return nil, false
}
return v, true
}

func httpErrorCode(defaultCode int, err error) int {
var stautsErr statusHookError
status := defaultCode
Expand Down
58 changes: 58 additions & 0 deletions coderd/coderdtest/oidctest/testidp/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
package main
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This could be moved to cmd/testidp. I think it would be confusing to have packages that can be built sprinkled within the source tree.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good call 👍


import (
"flag"
"log"
"os"
"os/signal"
"testing"

"github.com/golang-jwt/jwt/v4"

"github.com/coder/coder/v2/coderd/coderdtest/oidctest"
)

func main() {
testing.Init()
_ = flag.Set("test.timeout", "0")

flag.Parse()

// This is just a way to run tests outside go test
testing.Main(func(pat, str string) (bool, error) {
return true, nil
}, []testing.InternalTest{
{
Name: "Run Fake IDP",
F: RunIDP(),
},
}, nil, nil)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This feels weird, but I understand you did it to use the oidctest package 😄, it's also possible to build a test package, typically I'd suggest to implement this that way, but it wouldn't be as easily discoverable as this is (esp. if put in cmd/).

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I felt werid saying run go test -run="TestRealIDP" or something.

Another idea I had was to just implement the testing.TB struct myself and just throw log messages on the Fails(). It's not as trivial as I'd hope though, they have this: https://github.com/golang/go/blob/master/src/testing/testing.go#L899-L902

So I'd have to embed an actual testing.T struct? It just also has it's "jankiness", so just went with this for now.

}

// RunIDP needs the testing.T because our oidctest package requires the
// testing.T.
func RunIDP() func(t *testing.T) {
return func(t *testing.T) {
idp := oidctest.NewFakeIDP(t,
oidctest.WithServing(),
oidctest.WithStaticUserInfo(jwt.MapClaims{}),
oidctest.WithDefaultIDClaims(jwt.MapClaims{}),
)
id, sec := idp.AppCredentials()
prov := idp.WellknownConfig()

log.Println("IDP Issuer URL", idp.IssuerURL())
log.Println("Oauth Flags")
log.Printf(`--external-auth-providers='[{"type":"fake","client_id":"%s","client_secret":"%s","auth_url":"%s","token_url":"%s","validate_url":"%s","scopes":["openid","email","profile"]}]'`,
id, sec, prov.AuthURL, prov.TokenURL, prov.UserInfoURL,
)

log.Println("Press Ctrl+C to exit")
c := make(chan os.Signal, 1)
signal.Notify(c, os.Interrupt)
select {
case <-c:
log.Println("Closing")
}
}
}
9 changes: 4 additions & 5 deletions codersdk/deployment.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1790,11 +1790,10 @@ Write out the current server config as YAML to stdout.`,
// Env handling is done in cli.ReadGitAuthFromEnvironment
Name: "External Auth Providers",
Description: "External Authentication providers.",
// We need extra scrutiny to ensure this works, is documented, and
// tested before enabling.
YAML: "externalAuthProviders",
Value: &c.ExternalAuthConfigs,
Hidden: true,
YAML: "externalAuthProviders",
Flag: "external-auth-providers",
Value: &c.ExternalAuthConfigs,
Hidden: true,
},
{
Name: "Custom wgtunnel Host",
Expand Down