coder · kylecarbs · Aug 1, 2022 · Jul 29, 2022 · Jul 31, 2022 · Jul 31, 2022
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -42,6 +42,7 @@
     "mattn",
     "mitchellh",
     "moby",
+    "namesgenerator",
     "nfpms",
     "nhooyr",
     "nolint",

diff --git a/cli/server.go b/cli/server.go
@@ -23,6 +23,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/coreos/go-systemd/daemon"
 	embeddedpostgres "github.com/fergusstrange/embedded-postgres"
 	"github.com/google/go-github/v43/github"
@@ -84,6 +85,12 @@ func server() *cobra.Command {
 		oauth2GithubAllowedOrganizations []string
 		oauth2GithubAllowedTeams         []string
 		oauth2GithubAllowSignups         bool
+		oidcAllowSignups                 bool
+		oidcClientID                     string
+		oidcClientSecret                 string
+		oidcEmailDomain                  string
+		oidcIssuerURL                    string
+		oidcScopes                       []string
 		telemetryEnable                  bool
 		telemetryURL                     string
 		tlsCertFile                      string
@@ -282,6 +289,38 @@ func server() *cobra.Command {
 				}
 			}
 
+			if oidcClientSecret != "" {
+				if oidcClientID == "" {
+					return xerrors.Errorf("OIDC client ID be set!")
+				}
+				if oidcIssuerURL == "" {
+					return xerrors.Errorf("OIDC issuer URL must be set!")
+				}
+
+				oidcProvider, err := oidc.NewProvider(ctx, oidcIssuerURL)
+				if err != nil {
+					return xerrors.Errorf("configure oidc provider: %w", err)
+				}
+				redirectURL, err := accessURLParsed.Parse("/api/v2/users/oidc/callback")
+				if err != nil {
+					return xerrors.Errorf("parse oidc oauth callback url: %w", err)
+				}
+				options.OIDCConfig = &coderd.OIDCConfig{
+					OAuth2Config: &oauth2.Config{
+						ClientID:     oidcClientID,
+						ClientSecret: oidcClientSecret,
+						RedirectURL:  redirectURL.String(),
+						Endpoint:     oidcProvider.Endpoint(),
+						Scopes:       oidcScopes,
+					},
+					Verifier: oidcProvider.Verifier(&oidc.Config{
+						ClientID: oidcClientID,
+					}),
+					EmailDomain:  oidcEmailDomain,
+					AllowSignups: oidcAllowSignups,
+				}
+			}
+
 			if inMemoryDatabase {
 				options.Database = databasefake.New()
 				options.Pubsub = database.NewPubsubInMemory()
@@ -340,6 +379,8 @@ func server() *cobra.Command {
 					Logger:          logger.Named("telemetry"),
 					URL:             telemetryURL,
 					GitHubOAuth:     oauth2GithubClientID != "",
+					OIDCAuth:        oidcClientID != "",
+					OIDCIssuerURL:   oidcIssuerURL,
 					Prometheus:      promEnabled,
 					STUN:            len(stunServers) != 0,
 					Tunnel:          tunnel,
@@ -636,6 +677,18 @@ func server() *cobra.Command {
 		"Specifies teams inside organizations the user must be a member of to authenticate with GitHub. Formatted as: <organization-name>/<team-slug>.")
 	cliflag.BoolVarP(root.Flags(), &oauth2GithubAllowSignups, "oauth2-github-allow-signups", "", "CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS", false,
 		"Specifies whether new users can sign up with GitHub.")
+	cliflag.BoolVarP(root.Flags(), &oidcAllowSignups, "oidc-allow-signups", "", "CODER_OIDC_ALLOW_SIGNUPS", true,
+		"Specifies whether new users can sign up with OIDC.")
+	cliflag.StringVarP(root.Flags(), &oidcClientID, "oidc-client-id", "", "CODER_OIDC_CLIENT_ID", "",
+		"Specifies a client ID to use for OIDC.")
+	cliflag.StringVarP(root.Flags(), &oidcClientSecret, "oidc-client-secret", "", "CODER_OIDC_CLIENT_SECRET", "",
+		"Specifies a client secret to use for OIDC.")
+	cliflag.StringVarP(root.Flags(), &oidcEmailDomain, "oidc-email-domain", "", "CODER_OIDC_EMAIL_DOMAIN", "",
+		"Specifies an email domain that clients authenticating with OIDC must match.")
+	cliflag.StringVarP(root.Flags(), &oidcIssuerURL, "oidc-issuer-url", "", "CODER_OIDC_ISSUER_URL", "",
+		"Specifies an issuer URL to use for OIDC.")
+	cliflag.StringArrayVarP(root.Flags(), &oidcScopes, "oidc-scopes", "", "CODER_OIDC_SCOPES", []string{oidc.ScopeOpenID, "profile", "email"},
+		"Specifies scopes to grant when authenticating with OIDC.")
 	enableTelemetryByDefault := !isTest()
 	cliflag.BoolVarP(root.Flags(), &telemetryEnable, "telemetry", "", "CODER_TELEMETRY", enableTelemetryByDefault, "Specifies whether telemetry is enabled or not. Coder collects anonymized usage data to help improve our product.")
 	cliflag.StringVarP(root.Flags(), &telemetryURL, "telemetry-url", "", "CODER_TELEMETRY_URL", "https://telemetry.coder.com", "Specifies a URL to send telemetry to.")

diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -57,6 +57,7 @@ type Options struct {
 	AzureCertificates    x509.VerifyOptions
 	GoogleTokenValidator *idtoken.Validator
 	GithubOAuth2Config   *GithubOAuth2Config
+	OIDCConfig           *OIDCConfig
 	ICEServers           []webrtc.ICEServer
 	SecureAuthCookie     bool
 	SSHKeygenAlgorithm   gitsshkey.Algorithm
@@ -105,6 +106,7 @@ func New(options *Options) *API {
 	api.workspaceAgentCache = wsconncache.New(api.dialWorkspaceAgent, 0)
 	oauthConfigs := &httpmw.OAuth2Configs{
 		Github: options.GithubOAuth2Config,
+		OIDC:   options.OIDCConfig,
 	}
 	apiKeyMiddleware := httpmw.ExtractAPIKey(options.Database, oauthConfigs, false)
 
@@ -259,6 +261,10 @@ func New(options *Options) *API {
 					r.Get("/callback", api.userOAuth2Github)
 				})
 			})
+			r.Route("/oidc/callback", func(r chi.Router) {
+				r.Use(httpmw.ExtractOAuth2(options.OIDCConfig))
+				r.Get("/", api.userOIDC)
+			})
 			r.Group(func(r chi.Router) {
 				r.Use(
 					apiKeyMiddleware,

diff --git a/coderd/coderd_test.go b/coderd/coderd_test.go
@@ -248,6 +248,7 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 
 		// Has it's own auth
 		"GET:/api/v2/users/oauth2/github/callback": {NoAuthorize: true},
+		"GET:/api/v2/users/oidc/callback":          {NoAuthorize: true},
 
 		// All workspaceagents endpoints do not use rbac
 		"POST:/api/v2/workspaceagents/aws-instance-identity":      {NoAuthorize: true},

diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go
@@ -63,6 +63,7 @@ type Options struct {
 	Authorizer           rbac.Authorizer
 	AzureCertificates    x509.VerifyOptions
 	GithubOAuth2Config   *coderd.GithubOAuth2Config
+	OIDCConfig           *coderd.OIDCConfig
 	GoogleTokenValidator *idtoken.Validator
 	SSHKeygenAlgorithm   gitsshkey.Algorithm
 	APIRateLimit         int
@@ -189,6 +190,7 @@ func newWithCloser(t *testing.T, options *Options) (*codersdk.Client, io.Closer)
 		AWSCertificates:      options.AWSCertificates,
 		AzureCertificates:    options.AzureCertificates,
 		GithubOAuth2Config:   options.GithubOAuth2Config,
+		OIDCConfig:           options.OIDCConfig,
 		GoogleTokenValidator: options.GoogleTokenValidator,
 		SSHKeygenAlgorithm:   options.SSHKeygenAlgorithm,
 		TURNServer:           turnServer,

diff --git a/coderd/database/dump.sql b/coderd/database/dump.sql
diff --git a/coderd/database/dump/main.go b/coderd/database/dump/main.go
@@ -31,6 +31,11 @@ func main() {
 	}
 
 	cmd := exec.Command(
+		"docker",
+		"run",
+		"--rm",
+		"--network=host",
+		"postgres:13",
 		"pg_dump",
 		"--schema-only",
 		connection,

diff --git a/coderd/database/migrations/000032_oidc.down.sql b/coderd/database/migrations/000032_oidc.down.sql
@@ -0,0 +1,7 @@
+CREATE TYPE old_login_type AS ENUM (
+    'password',
+    'github'
+);
+ALTER TABLE api_keys ALTER COLUMN login_type TYPE old_login_type USING (login_type::text::old_login_type);
+DROP TYPE login_type;
+ALTER TYPE old_login_type RENAME TO login_type;
diff --git a/coderd/database/migrations/000032_oidc.up.sql b/coderd/database/migrations/000032_oidc.up.sql
@@ -0,0 +1,8 @@
+CREATE TYPE new_login_type AS ENUM (
+    'password',
+    'github',
+    'oidc'
+);
+ALTER TABLE api_keys ALTER COLUMN login_type TYPE new_login_type USING (login_type::text::new_login_type);
+DROP TYPE login_type;
+ALTER TYPE new_login_type RENAME TO login_type;
diff --git a/coderd/database/models.go b/coderd/database/models.go
diff --git a/coderd/httpapi/httpapi.go b/coderd/httpapi/httpapi.go
@@ -7,7 +7,6 @@ import (
 	"fmt"
 	"net/http"
 	"reflect"
-	"regexp"
 	"strings"
 
 	"github.com/go-playground/validator/v10"
@@ -16,8 +15,7 @@ import (
 )
 
 var (
-	validate      *validator.Validate
-	usernameRegex = regexp.MustCompile("^[a-zA-Z0-9]+(?:-[a-zA-Z0-9]+)*$")
+	validate *validator.Validate
 )
 
 // This init is used to create a validator and register validation-specific
@@ -39,13 +37,7 @@ func init() {
 		if !ok {
 			return false
 		}
-		if len(str) > 32 {
-			return false
-		}
-		if len(str) < 1 {
-			return false
-		}
-		return usernameRegex.MatchString(str)
+		return UsernameValid(str)
 	})
 	if err != nil {
 		panic(err)

diff --git a/coderd/httpapi/httpapi_test.go b/coderd/httpapi/httpapi_test.go
@@ -81,71 +81,6 @@ func TestRead(t *testing.T) {
 	})
 }
 
-func TestReadUsername(t *testing.T) {
-	t.Parallel()
-	// Tests whether usernames are valid or not.
-	testCases := []struct {
-		Username string
-		Valid    bool
-	}{
-		{"1", true},
-		{"12", true},
-		{"123", true},
-		{"12345678901234567890", true},
-		{"123456789012345678901", true},
-		{"a", true},
-		{"a1", true},
-		{"a1b2", true},
-		{"a1b2c3d4e5f6g7h8i9j0", true},
-		{"a1b2c3d4e5f6g7h8i9j0k", true},
-		{"aa", true},
-		{"abc", true},
-		{"abcdefghijklmnopqrst", true},
-		{"abcdefghijklmnopqrstu", true},
-		{"wow-test", true},
-
-		{"", false},
-		{" ", false},
-		{" a", false},
-		{" a ", false},
-		{" 1", false},
-		{"1 ", false},
-		{" aa", false},
-		{"aa ", false},
-		{" 12", false},
-		{"12 ", false},
-		{" a1", false},
-		{"a1 ", false},
-		{" abcdefghijklmnopqrstu", false},
-		{"abcdefghijklmnopqrstu ", false},
-		{" 123456789012345678901", false},
-		{" a1b2c3d4e5f6g7h8i9j0k", false},
-		{"a1b2c3d4e5f6g7h8i9j0k ", false},
-		{"bananas_wow", false},
-		{"test--now", false},
-
-		{"123456789012345678901234567890123", false},
-		{"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", false},
-		{"123456789012345678901234567890123123456789012345678901234567890123", false},
-	}
-	type toValidate struct {
-		Username string `json:"username" validate:"username"`
-	}
-	for _, testCase := range testCases {
-		testCase := testCase
-		t.Run(testCase.Username, func(t *testing.T) {
-			t.Parallel()
-			rw := httptest.NewRecorder()
-			data, err := json.Marshal(toValidate{testCase.Username})
-			require.NoError(t, err)
-			r := httptest.NewRequest("POST", "/", bytes.NewBuffer(data))
-
-			var validate toValidate
-			require.Equal(t, testCase.Valid, httpapi.Read(rw, r, &validate))
-		})
-	}
-}
-
 func WebsocketCloseMsg(t *testing.T) {
 	t.Parallel()
 

diff --git a/coderd/httpapi/username.go b/coderd/httpapi/username.go
@@ -0,0 +1,45 @@
+package httpapi
+
+import (
+	"regexp"
+	"strings"
+
+	"github.com/moby/moby/pkg/namesgenerator"
+)
+
+var (
+	usernameValid   = regexp.MustCompile("^[a-zA-Z0-9]+(?:-[a-zA-Z0-9]+)*$")
+	usernameReplace = regexp.MustCompile("[^a-zA-Z0-9-]*")
+)
+
+// UsernameValid returns whether the input string is a valid username.
+func UsernameValid(str string) bool {
+	if len(str) > 32 {
+		return false
+	}
+	if len(str) < 1 {
+		return false
+	}
+	return usernameValid.MatchString(str)
+}
+
+// UsernameFrom returns a best-effort username from the provided string.
+//
+// It first attempts to validate the incoming string, which will
+// be returned if it is valid. It then will attempt to extract
+// the username from an email address. If no success happens during
+// these steps, a random username will be returned.
+func UsernameFrom(str string) string {
+	if UsernameValid(str) {
+		return str
+	}
+	emailAt := strings.LastIndex(str, "@")
+	if emailAt >= 0 {
+		str = str[:emailAt]
+	}
+	str = usernameReplace.ReplaceAllString(str, "")
+	if UsernameValid(str) {
+		return str
+	}
+	return strings.ReplaceAll(namesgenerator.GetRandomName(1), "_", "-")
+}