From 77bda0ceb8f7efa96611b2e93ef01f6ce3c1845b Mon Sep 17 00:00:00 2001
From: Daniel Carrion
Date: Thu, 1 Dec 2022 17:00:54 +1100
Subject: [PATCH 01/12] feat: allow multiple oidc domains using comma delimmited list

---
 coderd/userauth.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/coderd/userauth.go b/coderd/userauth.go
index add41cf291650..ab4ca8c1a8b83 100644
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@@ -289,8 +289,17 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 }
 username = httpapi.UsernameFrom(username)
 }
+ // Check if one or comma delimited list of allowed domains is provided.
+ // If a suffix matches, break and continue, otherwise error.
 if api.OIDCConfig.EmailDomain != "" {
- if !strings.HasSuffix(strings.ToLower(email), strings.ToLower(api.OIDCConfig.EmailDomain)) {
+ ok = false
+ for _, domain := range strings.Split(api.OIDCConfig.EmailDomain, ",") {
+ if strings.HasSuffix(strings.ToLower(email), domain) {
+ ok = true
+ break
+ }
+ }
+ if !ok {
 httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
 Message: fmt.Sprintf("Your email %q is not a part of the %q domain!", email, api.OIDCConfig.EmailDomain),
 })
From 865710a7991377d603539ac33eac66e1e141552c Mon Sep 17 00:00:00 2001
From: Daniel Carrion
Date: Thu, 1 Dec 2022 23:51:46 +1100
Subject: [PATCH 02/12] feat: update to plural and lowercase domain

---
 cli/deployment/config.go | 6 +++---
 cli/deployment/config_test.go | 4 ++--
 cli/server.go | 2 +-
 cli/testdata/coder_server_--help.golden | 2 +-
 coderd/userauth.go | 12 ++++++------
 coderd/userauth_test.go | 16 ++++++++++------
 codersdk/deploymentconfig.go | 2 +-
 7 files changed, 24 insertions(+), 20 deletions(-)

diff --git a/cli/deployment/config.go b/cli/deployment/config.go
index 9e1c92163192e..f70a171477d39 100644
--- a/cli/deployment/config.go
+++ b/cli/deployment/config.go
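Review bot: The new `if strings.HasSuffix(strings.ToLower(email), domain)` line has no boundary, so an allowed `coder.com` also accepts an address ending in a longer, unrelated domain (a constructed `user@notcoder.com`), and because `strings.Split` keeps empty elements, a trailing or doubled comma in the configured value yields `""`, which `HasSuffix` accepts for every address — the allow-list then fails open. The loop also compares against an un-lowercased `domain`, so a mixed-case configured value never matches (fail closed, but surprising). Compare only the part after the last `@`, lowercase and trim each element, skip empty ones, and anchor the match on a `.` boundary if subdomains are meant to stay allowed; the same suffix logic is carried unchanged into the userauth.go hunks of patches 02, 04, 11 and 12, so the fix belongs wherever this lands. `ok` is assigned with `=`, so it is presumably declared above the hunk; userOIDC continues outside it.
```go
if api.OIDCConfig.EmailDomain != "" {
	// Match only the part after the last "@", lowercased, so a configured
	// domain cannot match a longer unrelated domain that merely ends with it.
	emailDomain := ""
	if at := strings.LastIndex(email, "@"); at >= 0 {
		emailDomain = strings.ToLower(email[at+1:])
	}
	ok = false
	for _, domain := range strings.Split(api.OIDCConfig.EmailDomain, ",") {
		domain = strings.ToLower(strings.TrimSpace(domain))
		// An empty element would otherwise match every address.
		if domain != "" && (emailDomain == domain || strings.HasSuffix(emailDomain, "."+domain)) {
			ok = true
			break
		}
	}
	// … unchanged: forbidden response when !ok …
```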
@@ -215,9 +215,9 @@ func newConfig() *codersdk.DeploymentConfig { Flag: "oidc-client-secret", Secret: true, }, - EmailDomain: &codersdk.DeploymentConfigField[string]{ - Name: "OIDC Email Domain", - Usage: "Email domain that clients logging in with OIDC must match.", + EmailDomains: &codersdk.DeploymentConfigField[[]string]{ + Name: "OIDC Email Domains", + Usage: "Email domains that clients logging in with OIDC must match.", Flag: "oidc-email-domain", }, IssuerURL: &codersdk.DeploymentConfigField[string]{ diff --git a/cli/deployment/config_test.go b/cli/deployment/config_test.go index ca1ad0eeabe1e..497a35fe34fc2 100644 --- a/cli/deployment/config_test.go +++ b/cli/deployment/config_test.go @@ -127,7 +127,7 @@ func TestConfig(t *testing.T) { Env: map[string]string{}, Valid: func(config *codersdk.DeploymentConfig) { require.Empty(t, config.OIDC.IssuerURL.Value) - require.Empty(t, config.OIDC.EmailDomain.Value) + require.Empty(t, config.OIDC.EmailDomains.Value) require.Empty(t, config.OIDC.ClientID.Value) require.Empty(t, config.OIDC.ClientSecret.Value) require.True(t, config.OIDC.AllowSignups.Value) @@ -147,7 +147,7 @@ func TestConfig(t *testing.T) { }, Valid: func(config *codersdk.DeploymentConfig) { require.Equal(t, config.OIDC.IssuerURL.Value, "https://accounts.google.com") - require.Equal(t, config.OIDC.EmailDomain.Value, "coder.com") + require.Equal(t, config.OIDC.EmailDomains.Value, "coder.com") require.Equal(t, config.OIDC.ClientID.Value, "client") require.Equal(t, config.OIDC.ClientSecret.Value, "secret") require.False(t, config.OIDC.AllowSignups.Value) diff --git a/cli/server.go b/cli/server.go index ea231758ab664..9ff4a57e51da9 100644 --- a/cli/server.go +++ b/cli/server.go 
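Review bot: The new `Usage` string on the `EmailDomains` field does not say that the value is a list or how it is split, although the field type became `DeploymentConfigField[[]string]`; `Usage: "Comma-separated list of email domains that clients logging in with OIDC must match.",` tells an operator how to supply more than one. The flag stays singular (`oidc-email-domain`) while the field and display name are plural, and later patches in this series go back and forth on this; settling the flag, env and JSON names once would avoid the churn. newConfig continues outside the hunk.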
@@ -424,7 +424,7 @@ func Server(vip *viper.Viper, newAPI func(context.Context, *coderd.Options) (*co Verifier: oidcProvider.Verifier(&oidc.Config{ ClientID: cfg.OIDC.ClientID.Value, }), - EmailDomain: cfg.OIDC.EmailDomain.Value, + EmailDomains: cfg.OIDC.EmailDomains.Value, AllowSignups: cfg.OIDC.AllowSignups.Value, } } diff --git a/cli/testdata/coder_server_--help.golden b/cli/testdata/coder_server_--help.golden index 1351da7c89915..1e1d5ec7bec1c 100644 --- a/cli/testdata/coder_server_--help.golden +++ b/cli/testdata/coder_server_--help.golden @@ -95,7 +95,7 @@ Flags: Consumes $CODER_OIDC_CLIENT_ID --oidc-client-secret string Client secret to use for Login with OIDC. Consumes $CODER_OIDC_CLIENT_SECRET - --oidc-email-domain string Email domain that clients logging in with + --oidc-email-domain string Email domains that clients logging in with OIDC must match. Consumes $CODER_OIDC_EMAIL_DOMAIN --oidc-ignore-email-verified Ignore the email_verified claim from the diff --git a/coderd/userauth.go b/coderd/userauth.go index ab4ca8c1a8b83..c9995c236f10d 100644 --- a/coderd/userauth.go +++ b/coderd/userauth.go @@ -192,8 +192,8 @@ type OIDCConfig struct { httpmw.OAuth2Config Verifier *oidc.IDTokenVerifier - // EmailDomain is the domain to enforce when a user authenticates. - EmailDomain string + // EmailDomains is the domain to enforce when a user authenticates. + EmailDomains []string AllowSignups bool // IgnoreEmailVerified allows ignoring the email_verified claim // from an upstream OIDC provider. See #5065 for context. 
@@ -291,17 +291,17 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 }
 // Check if one or comma delimited list of allowed domains is provided.
 // If a suffix matches, break and continue, otherwise error.
- if api.OIDCConfig.EmailDomain != "" {
+ if len(api.OIDCConfig.EmailDomains) != 0 {
 ok = false
- for _, domain := range strings.Split(api.OIDCConfig.EmailDomain, ",") {
- if strings.HasSuffix(strings.ToLower(email), domain) {
+ for _, domain := range api.OIDCConfig.EmailDomains {
+ if strings.HasSuffix(strings.ToLower(email), strings.ToLower(domain)) {
 ok = true
 break
 }
 }
 if !ok {
 httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
- Message: fmt.Sprintf("Your email %q is not a part of the %q domain!", email, api.OIDCConfig.EmailDomain),
+ Message: fmt.Sprintf("Your email %q is not in domains %q !", email, api.OIDCConfig.EmailDomains),
 })
 return
 }
diff --git a/coderd/userauth_test.go b/coderd/userauth_test.go
index 8727bedae3d91..5eba422867ce1 100644
--- a/coderd/userauth_test.go
+++ b/coderd/userauth_test.go
@@ -482,7 +482,7 @@ func TestUserOIDC(t *testing.T) {
 Name string
 Claims jwt.MapClaims
 AllowSignups bool
- EmailDomain string
+ EmailDomains []string
 Username string
 AvatarURL string
 StatusCode int
@@ -528,8 +528,10 @@ func TestUserOIDC(t *testing.T) {
 "email_verified": true,
 },
 AllowSignups: true,
- EmailDomain: "coder.com",
- StatusCode: http.StatusForbidden,
+ EmailDomains: []string{
+ "coder.com",
+ },
+ StatusCode: http.StatusForbidden,
 }, {
 Name: "EmailDomainCaseInsensitive",
 Claims: jwt.MapClaims{
@@ -537,8 +539,10 @@ func TestUserOIDC(t *testing.T) {
 "email_verified": true,
 },
 AllowSignups: true,
- EmailDomain: "kwc.io",
- StatusCode: http.StatusTemporaryRedirect,
+ EmailDomains: []string{
+ "kwc.io",
+ },
+ StatusCode: http.StatusTemporaryRedirect,
 }, {
 Name: "EmptyClaims",
 Claims: jwt.MapClaims{},
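Review bot: The rewritten `Message` line formats a `[]string` with `%q`, which renders as `["coder.com" "kwc.io"]` in a user-facing error, and leaves a stray space before the `!`; `Message: fmt.Sprintf("Your email %q is not in the allowed domains: %s", email, strings.Join(api.OIDCConfig.EmailDomains, ", ")),` reads cleanly. Echoing the whole allow-list to an unauthenticated caller also discloses deployment configuration, so consider keeping the list in the server log and returning only the rejected address. The suffix comparison itself still has the boundary problem raised on patch 01. userOIDC continues outside the hunk.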
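Review bot: The updated table cases in the second and third hunks only ever set a single-element `EmailDomains`, so the multi-domain behaviour this series introduces is never exercised; add a case with two domains where only the second matches, and a negative case with an address whose domain merely ends in an allowed one (a constructed `user@notcoder.com` against `[]string{"coder.com"}`) expecting `http.StatusForbidden`, which pins the intended boundary semantics either way. A case with an empty element in the slice would likewise document whether an empty entry is rejected or matches everything. TestUserOIDC continues outside the hunk.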
@@ -611,7 +615,7 @@ func TestUserOIDC(t *testing.T) { config := conf.OIDCConfig() config.AllowSignups = tc.AllowSignups - config.EmailDomain = tc.EmailDomain + config.EmailDomains = tc.EmailDomains config.IgnoreEmailVerified = tc.IgnoreEmailVerified client := coderdtest.New(t, &coderdtest.Options{ diff --git a/codersdk/deploymentconfig.go b/codersdk/deploymentconfig.go index 74e0b58b91bea..d62e6d01fca71 100644 --- a/codersdk/deploymentconfig.go +++ b/codersdk/deploymentconfig.go @@ -90,7 +90,7 @@ type OIDCConfig struct { AllowSignups *DeploymentConfigField[bool] `json:"allow_signups" typescript:",notnull"` ClientID *DeploymentConfigField[string] `json:"client_id" typescript:",notnull"` ClientSecret *DeploymentConfigField[string] `json:"client_secret" typescript:",notnull"` - EmailDomain *DeploymentConfigField[string] `json:"email_domain" typescript:",notnull"` + EmailDomains *DeploymentConfigField[[]string] `json:"email_domain" typescript:",notnull"` IssuerURL *DeploymentConfigField[string] `json:"issuer_url" typescript:",notnull"` Scopes *DeploymentConfigField[[]string] `json:"scopes" typescript:",notnull"` IgnoreEmailVerified *DeploymentConfigField[bool] `json:"ignore_email_verified" typescript:",notnull"` From d0b5240db3a9bfc820e98dcd693315f9ffc6db2d Mon Sep 17 00:00:00 2001 From: Daniel Carrion Date: Thu, 1 Dec 2022 23:53:54 +1100 Subject: [PATCH 03/12] fix: plural --- coderd/userauth.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/coderd/userauth.go b/coderd/userauth.go index c9995c236f10d..190df0a936211 100644 --- a/coderd/userauth.go +++ b/coderd/userauth.go @@ -192,7 +192,7 @@ type OIDCConfig struct { httpmw.OAuth2Config Verifier *oidc.IDTokenVerifier - // EmailDomains is the domain to enforce when a user authenticates. + // EmailDomains are the domains to enforce when a user authenticates. EmailDomains []string AllowSignups bool // IgnoreEmailVerified allows ignoring the email_verified claim 
From 456c6f3654507aa939cd9962f12362f4323748b4 Mon Sep 17 00:00:00 2001
From: Daniel Carrion
Date: Fri, 2 Dec 2022 00:04:34 +1100
Subject: [PATCH 04/12] feat: update to greater

---
 coderd/userauth.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/coderd/userauth.go b/coderd/userauth.go
index 190df0a936211..7cc6d836cece0 100644
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@@ -291,7 +291,7 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 }
 // Check if one or comma delimited list of allowed domains is provided.
 // If a suffix matches, break and continue, otherwise error.
- if len(api.OIDCConfig.EmailDomains) != 0 {
+ if len(api.OIDCConfig.EmailDomains) > 0 {
 ok = false
 for _, domain := range api.OIDCConfig.EmailDomains {
 if strings.HasSuffix(strings.ToLower(email), strings.ToLower(domain)) {
From 31409cda7498d2969a8255b20bf6b7edce4dd464 Mon Sep 17 00:00:00 2001
From: Daniel Carrion
Date: Fri, 2 Dec 2022 00:38:49 +1100
Subject: [PATCH 05/12] fix: update test

---
 cli/deployment/config_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cli/deployment/config_test.go b/cli/deployment/config_test.go
index 497a35fe34fc2..09c5e08ea2f31 100644
--- a/cli/deployment/config_test.go
+++ b/cli/deployment/config_test.go
@@ -147,7 +147,7 @@ func TestConfig(t *testing.T) {
 },
 Valid: func(config *codersdk.DeploymentConfig) {
 require.Equal(t, config.OIDC.IssuerURL.Value, "https://accounts.google.com")
- require.Equal(t, config.OIDC.EmailDomains.Value, "coder.com")
+ require.Equal(t, config.OIDC.EmailDomains.Value, []string{"coder.com"})
 require.Equal(t, config.OIDC.ClientID.Value, "client")
 require.Equal(t, config.OIDC.ClientSecret.Value, "secret")
 require.False(t, config.OIDC.AllowSignups.Value)
From ba579fe03b1361aff7caacdba62f7ccea902bd29 Mon Sep 17 00:00:00 2001
From: Daniel Carrion Date: Fri, 2 Dec 2022 00:48:40 +1100 Subject: [PATCH 06/12] fix: update golden files --- cli/testdata/coder_server_--help.golden | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cli/testdata/coder_server_--help.golden b/cli/testdata/coder_server_--help.golden index 1e1d5ec7bec1c..2c63bb7be89d4 100644 --- a/cli/testdata/coder_server_--help.golden +++ b/cli/testdata/coder_server_--help.golden @@ -95,8 +95,8 @@ Flags: Consumes $CODER_OIDC_CLIENT_ID --oidc-client-secret string Client secret to use for Login with OIDC. Consumes $CODER_OIDC_CLIENT_SECRET - --oidc-email-domain string Email domains that clients logging in with - OIDC must match. + --oidc-email-domain strings Email domains that clients logging in + with OIDC must match. Consumes $CODER_OIDC_EMAIL_DOMAIN --oidc-ignore-email-verified Ignore the email_verified claim from the upstream provider. From 96278c662689e83b76875fc3f85741e678286887 Mon Sep 17 00:00:00 2001 From: Daniel Carrion Date: Fri, 2 Dec 2022 09:01:22 +1100 Subject: [PATCH 07/12] fix: plural email domains --- cli/deployment/config.go | 2 +- cli/testdata/coder_server_--help.golden | 4 ++-- codersdk/deploymentconfig.go | 2 +- docs/admin/auth.md | 2 +- site/src/api/typesGenerated.ts | 2 +- site/src/pages/DeploySettingsPage/UserAuthSettingsPage.tsx | 2 +- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/cli/deployment/config.go b/cli/deployment/config.go index f70a171477d39..b7c93caecf67d 100644 --- a/cli/deployment/config.go +++ b/cli/deployment/config.go @@ -218,7 +218,7 @@ func newConfig() *codersdk.DeploymentConfig { EmailDomains: &codersdk.DeploymentConfigField[[]string]{ Name: "OIDC Email Domains", Usage: "Email domains that clients logging in with OIDC must match.", - Flag: "oidc-email-domain", + Flag: "oidc-email-domains", }, IssuerURL: &codersdk.DeploymentConfigField[string]{ Name: "OIDC Issuer URL", 
diff --git a/cli/testdata/coder_server_--help.golden b/cli/testdata/coder_server_--help.golden index 2c63bb7be89d4..226ef0bce0343 100644 --- a/cli/testdata/coder_server_--help.golden +++ b/cli/testdata/coder_server_--help.golden @@ -95,9 +95,9 @@ Flags: Consumes $CODER_OIDC_CLIENT_ID --oidc-client-secret string Client secret to use for Login with OIDC. Consumes $CODER_OIDC_CLIENT_SECRET - --oidc-email-domain strings Email domains that clients logging in + --oidc-email-domains strings Email domains that clients logging in with OIDC must match. - Consumes $CODER_OIDC_EMAIL_DOMAIN + Consumes $CODER_OIDC_EMAIL_DOMAINS --oidc-ignore-email-verified Ignore the email_verified claim from the upstream provider. Consumes $CODER_OIDC_IGNORE_EMAIL_VERIFIED diff --git a/codersdk/deploymentconfig.go b/codersdk/deploymentconfig.go index d62e6d01fca71..3ff865e77d0e9 100644 --- a/codersdk/deploymentconfig.go +++ b/codersdk/deploymentconfig.go @@ -90,7 +90,7 @@ type OIDCConfig struct { AllowSignups *DeploymentConfigField[bool] `json:"allow_signups" typescript:",notnull"` ClientID *DeploymentConfigField[string] `json:"client_id" typescript:",notnull"` ClientSecret *DeploymentConfigField[string] `json:"client_secret" typescript:",notnull"` - EmailDomains *DeploymentConfigField[[]string] `json:"email_domain" typescript:",notnull"` + EmailDomains *DeploymentConfigField[[]string] `json:"email_domains" typescript:",notnull"` IssuerURL *DeploymentConfigField[string] `json:"issuer_url" typescript:",notnull"` Scopes *DeploymentConfigField[[]string] `json:"scopes" typescript:",notnull"` IgnoreEmailVerified *DeploymentConfigField[bool] `json:"ignore_email_verified" typescript:",notnull"` diff --git a/docs/admin/auth.md b/docs/admin/auth.md index ebef1d0af7b41..7a350fca5beea 100644 --- a/docs/admin/auth.md +++ b/docs/admin/auth.md 
@@ -72,7 +72,7 @@ to the `/etc/coder.d/coder.env` file: ```console CODER_OIDC_ISSUER_URL="https://accounts.google.com" -CODER_OIDC_EMAIL_DOMAIN="your-domain" +CODER_OIDC_EMAIL_DOMAINS="your-domain" CODER_OIDC_CLIENT_ID="533...ent.com" CODER_OIDC_CLIENT_SECRET="G0CSP...7qSM" ``` diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts index df75f2080b1c4..1e73578c445ae 100644 --- a/site/src/api/typesGenerated.ts +++ b/site/src/api/typesGenerated.ts @@ -439,7 +439,7 @@ export interface OIDCConfig { readonly allow_signups: DeploymentConfigField readonly client_id: DeploymentConfigField readonly client_secret: DeploymentConfigField - readonly email_domain: DeploymentConfigField + readonly email_domains: DeploymentConfigField readonly issuer_url: DeploymentConfigField readonly scopes: DeploymentConfigField readonly ignore_email_verified: DeploymentConfigField diff --git a/site/src/pages/DeploySettingsPage/UserAuthSettingsPage.tsx b/site/src/pages/DeploySettingsPage/UserAuthSettingsPage.tsx index 582ddd3021b55..2ec91607b8c39 100644 --- a/site/src/pages/DeploySettingsPage/UserAuthSettingsPage.tsx +++ b/site/src/pages/DeploySettingsPage/UserAuthSettingsPage.tsx @@ -43,7 +43,7 @@ const UserAuthSettingsPage: React.FC = () => { options={{ client_id: deploymentConfig.oidc.client_id, allow_signups: deploymentConfig.oidc.allow_signups, - email_domain: deploymentConfig.oidc.email_domain, + email_domains: deploymentConfig.oidc.email_domains, issuer_url: deploymentConfig.oidc.issuer_url, scopes: deploymentConfig.oidc.scopes, }} From db05d72dec80275b429d198347e451326717d737 Mon Sep 17 00:00:00 2001 From: Daniel Carrion Date: Fri, 2 Dec 2022 09:05:37 +1100 Subject: [PATCH 08/12] feat: add sample multiple domains --- docs/admin/auth.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/admin/auth.md b/docs/admin/auth.md index 7a350fca5beea..ed5f7e032ff49 100644 --- a/docs/admin/auth.md +++ b/docs/admin/auth.md 
@@ -63,7 +63,7 @@ Navigate to your Coder host and run the following command to start up the Coder server: ```console -coder server --oidc-issuer-url="https://accounts.google.com" --oidc-email-domain="your-domain" --oidc-client-id="533...ent.com" --oidc-client-secret="G0CSP...7qSM" +coder server --oidc-issuer-url="https://accounts.google.com" --oidc-email-domain="your-domain-1,your-domain-2" --oidc-client-id="533...ent.com" --oidc-client-secret="G0CSP...7qSM" ``` Alternatively, if you are running Coder as a system service, you can achieve the @@ -72,7 +72,7 @@ to the `/etc/coder.d/coder.env` file: ```console CODER_OIDC_ISSUER_URL="https://accounts.google.com" -CODER_OIDC_EMAIL_DOMAINS="your-domain" +CODER_OIDC_EMAIL_DOMAINS="your-domain-1,your-domain-2" CODER_OIDC_CLIENT_ID="533...ent.com" CODER_OIDC_CLIENT_SECRET="G0CSP...7qSM" ``` From ff6f16d62b78387c36b344ffd14116515796013b Mon Sep 17 00:00:00 2001 From: Daniel Carrion Date: Fri, 2 Dec 2022 09:15:11 +1100 Subject: [PATCH 09/12] fix: plural --- cli/deployment/config_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cli/deployment/config_test.go b/cli/deployment/config_test.go index 09c5e08ea2f31..f83be646f8eb2 100644 --- a/cli/deployment/config_test.go +++ b/cli/deployment/config_test.go @@ -138,7 +138,7 @@ func TestConfig(t *testing.T) { Name: "OIDC", Env: map[string]string{ "CODER_OIDC_ISSUER_URL": "https://accounts.google.com", - "CODER_OIDC_EMAIL_DOMAIN": "coder.com", + "CODER_OIDC_EMAIL_DOMAINS": "coder.com", "CODER_OIDC_CLIENT_ID": "client", "CODER_OIDC_CLIENT_SECRET": "secret", "CODER_OIDC_ALLOW_SIGNUPS": "false", From 9c67a5c1004f7281049afde353c8945a76942b3c Mon Sep 17 00:00:00 2001 From: Daniel Carrion Date: Sat, 3 Dec 2022 00:41:24 +1100 Subject: [PATCH 10/12] revert from plural --- cli/deployment/config.go | 4 ++-- cli/deployment/config_test.go | 2 +- cli/testdata/coder_server_--help.golden | 2 +- docs/admin/auth.md | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) 
diff --git a/cli/deployment/config.go b/cli/deployment/config.go index b7c93caecf67d..8df0e2aad8b0a 100644 --- a/cli/deployment/config.go +++ b/cli/deployment/config.go @@ -216,9 +216,9 @@ func newConfig() *codersdk.DeploymentConfig { Secret: true, }, EmailDomains: &codersdk.DeploymentConfigField[[]string]{ - Name: "OIDC Email Domains", + Name: "OIDC Email Domain", Usage: "Email domains that clients logging in with OIDC must match.", - Flag: "oidc-email-domains", + Flag: "oidc-email-domain", }, IssuerURL: &codersdk.DeploymentConfigField[string]{ Name: "OIDC Issuer URL", diff --git a/cli/deployment/config_test.go b/cli/deployment/config_test.go index f83be646f8eb2..09c5e08ea2f31 100644 --- a/cli/deployment/config_test.go +++ b/cli/deployment/config_test.go @@ -138,7 +138,7 @@ func TestConfig(t *testing.T) { Name: "OIDC", Env: map[string]string{ "CODER_OIDC_ISSUER_URL": "https://accounts.google.com", - "CODER_OIDC_EMAIL_DOMAINS": "coder.com", + "CODER_OIDC_EMAIL_DOMAIN": "coder.com", "CODER_OIDC_CLIENT_ID": "client", "CODER_OIDC_CLIENT_SECRET": "secret", "CODER_OIDC_ALLOW_SIGNUPS": "false", diff --git a/cli/testdata/coder_server_--help.golden b/cli/testdata/coder_server_--help.golden index 226ef0bce0343..05d1f1a598ae1 100644 --- a/cli/testdata/coder_server_--help.golden +++ b/cli/testdata/coder_server_--help.golden @@ -95,7 +95,7 @@ Flags: Consumes $CODER_OIDC_CLIENT_ID --oidc-client-secret string Client secret to use for Login with OIDC. Consumes $CODER_OIDC_CLIENT_SECRET - --oidc-email-domains strings Email domains that clients logging in + --oidc-email-domain strings Email domains that clients logging in with OIDC must match. Consumes $CODER_OIDC_EMAIL_DOMAINS --oidc-ignore-email-verified Ignore the email_verified claim from the diff --git a/docs/admin/auth.md b/docs/admin/auth.md index ed5f7e032ff49..99a0f0b57b08c 100644 --- a/docs/admin/auth.md +++ b/docs/admin/auth.md 
@@ -72,7 +72,7 @@ to the `/etc/coder.d/coder.env` file: ```console CODER_OIDC_ISSUER_URL="https://accounts.google.com" -CODER_OIDC_EMAIL_DOMAINS="your-domain-1,your-domain-2" +CODER_OIDC_EMAIL_DOMAIN="your-domain-1,your-domain-2" CODER_OIDC_CLIENT_ID="533...ent.com" CODER_OIDC_CLIENT_SECRET="G0CSP...7qSM" ``` From 193c000819ceb6bacafc18d70dc6ea45cd5cef8c Mon Sep 17 00:00:00 2001 From: Daniel Carrion Date: Sat, 3 Dec 2022 00:52:23 +1100 Subject: [PATCH 11/12] revert plural --- cli/deployment/config.go | 2 +- cli/deployment/config_test.go | 4 ++-- cli/server.go | 2 +- cli/testdata/coder_server_--help.golden | 2 +- coderd/userauth.go | 8 ++++---- coderd/userauth_test.go | 8 ++++---- codersdk/deploymentconfig.go | 2 +- site/src/api/typesGenerated.ts | 2 +- .../src/pages/DeploySettingsPage/UserAuthSettingsPage.tsx | 2 +- 9 files changed, 16 insertions(+), 16 deletions(-) diff --git a/cli/deployment/config.go b/cli/deployment/config.go index 8df0e2aad8b0a..decaaaf01ce72 100644 --- a/cli/deployment/config.go +++ b/cli/deployment/config.go @@ -215,7 +215,7 @@ func newConfig() *codersdk.DeploymentConfig { Flag: "oidc-client-secret", Secret: true, }, - EmailDomains: &codersdk.DeploymentConfigField[[]string]{ + EmailDomain: &codersdk.DeploymentConfigField[[]string]{ Name: "OIDC Email Domain", Usage: "Email domains that clients logging in with OIDC must match.", Flag: "oidc-email-domain", diff --git a/cli/deployment/config_test.go b/cli/deployment/config_test.go index 09c5e08ea2f31..48a2249258944 100644 --- a/cli/deployment/config_test.go +++ b/cli/deployment/config_test.go 
@@ -127,7 +127,7 @@ func TestConfig(t *testing.T) { Env: map[string]string{}, Valid: func(config *codersdk.DeploymentConfig) { require.Empty(t, config.OIDC.IssuerURL.Value) - require.Empty(t, config.OIDC.EmailDomains.Value) + require.Empty(t, config.OIDC.EmailDomain.Value) require.Empty(t, config.OIDC.ClientID.Value) require.Empty(t, config.OIDC.ClientSecret.Value) require.True(t, config.OIDC.AllowSignups.Value) @@ -147,7 +147,7 @@ func TestConfig(t *testing.T) { }, Valid: func(config *codersdk.DeploymentConfig) { require.Equal(t, config.OIDC.IssuerURL.Value, "https://accounts.google.com") - require.Equal(t, config.OIDC.EmailDomains.Value, []string{"coder.com"}) + require.Equal(t, config.OIDC.EmailDomain.Value, []string{"coder.com"}) require.Equal(t, config.OIDC.ClientID.Value, "client") require.Equal(t, config.OIDC.ClientSecret.Value, "secret") require.False(t, config.OIDC.AllowSignups.Value) diff --git a/cli/server.go b/cli/server.go index 9ff4a57e51da9..ea231758ab664 100644 --- a/cli/server.go +++ b/cli/server.go @@ -424,7 +424,7 @@ func Server(vip *viper.Viper, newAPI func(context.Context, *coderd.Options) (*co Verifier: oidcProvider.Verifier(&oidc.Config{ ClientID: cfg.OIDC.ClientID.Value, }), - EmailDomains: cfg.OIDC.EmailDomains.Value, + EmailDomain: cfg.OIDC.EmailDomain.Value, AllowSignups: cfg.OIDC.AllowSignups.Value, } } diff --git a/cli/testdata/coder_server_--help.golden b/cli/testdata/coder_server_--help.golden index 05d1f1a598ae1..2c63bb7be89d4 100644 --- a/cli/testdata/coder_server_--help.golden +++ b/cli/testdata/coder_server_--help.golden @@ -97,7 +97,7 @@ Flags: Consumes $CODER_OIDC_CLIENT_SECRET --oidc-email-domain strings Email domains that clients logging in with OIDC must match. - Consumes $CODER_OIDC_EMAIL_DOMAINS + Consumes $CODER_OIDC_EMAIL_DOMAIN --oidc-ignore-email-verified Ignore the email_verified claim from the upstream provider. Consumes $CODER_OIDC_IGNORE_EMAIL_VERIFIED 
diff --git a/coderd/userauth.go b/coderd/userauth.go
index 7cc6d836cece0..3a05ae71822cf 100644
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@@ -193,7 +193,7 @@ type OIDCConfig struct {
 Verifier *oidc.IDTokenVerifier
 // EmailDomains are the domains to enforce when a user authenticates.
- EmailDomains []string
+ EmailDomain []string
 AllowSignups bool
 // IgnoreEmailVerified allows ignoring the email_verified claim
 // from an upstream OIDC provider. See #5065 for context.
@@ -291,9 +291,9 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 }
 // Check if one or comma delimited list of allowed domains is provided.
 // If a suffix matches, break and continue, otherwise error.
- if len(api.OIDCConfig.EmailDomains) > 0 {
+ if len(api.OIDCConfig.EmailDomain) > 0 {
 ok = false
- for _, domain := range api.OIDCConfig.EmailDomains {
+ for _, domain := range api.OIDCConfig.EmailDomain {
 if strings.HasSuffix(strings.ToLower(email), strings.ToLower(domain)) {
 ok = true
 break
@@ -301,7 +301,7 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 }
 if !ok {
 httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
- Message: fmt.Sprintf("Your email %q is not in domains %q !", email, api.OIDCConfig.EmailDomains),
+ Message: fmt.Sprintf("Your email %q is not in domains %q !", email, api.OIDCConfig.EmailDomain),
 })
 return
 }
diff --git a/coderd/userauth_test.go b/coderd/userauth_test.go
index 5eba422867ce1..6bfe3e193370b 100644
--- a/coderd/userauth_test.go
+++ b/coderd/userauth_test.go
@@ -482,7 +482,7 @@ func TestUserOIDC(t *testing.T) {
 Name string
 Claims jwt.MapClaims
 AllowSignups bool
- EmailDomains []string
+ EmailDomain []string
 Username string
 AvatarURL string
 StatusCode int
@@ -528,7 +528,7 @@ func TestUserOIDC(t *testing.T) {
 "email_verified": true,
 },
 AllowSignups: true,
- EmailDomains: []string{
+ EmailDomain: []string{
 "coder.com",
 },
 StatusCode: http.StatusForbidden,
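Review bot: After the rename in the first hunk the doc comment still reads `// EmailDomains are the domains to enforce when a user authenticates.` above a field now called `EmailDomain`, so it no longer starts with the field's name; `// EmailDomain lists the email domains a user's address must end with to authenticate; empty means no restriction.` matches the `len(api.OIDCConfig.EmailDomain) > 0` guard in the second hunk. A singular name on a `[]string` is also easy to misread at call sites such as `cfg.OIDC.EmailDomain.Value`, so if the singular is kept for flag and env compatibility, the comment should say so. OIDCConfig and userOIDC continue outside their hunks.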
@@ -539,7 +539,7 @@ func TestUserOIDC(t *testing.T) { "email_verified": true, }, AllowSignups: true, - EmailDomains: []string{ + EmailDomain: []string{ "kwc.io", }, StatusCode: http.StatusTemporaryRedirect, @@ -615,7 +615,7 @@ func TestUserOIDC(t *testing.T) { config := conf.OIDCConfig() config.AllowSignups = tc.AllowSignups - config.EmailDomains = tc.EmailDomains + config.EmailDomain = tc.EmailDomain config.IgnoreEmailVerified = tc.IgnoreEmailVerified client := coderdtest.New(t, &coderdtest.Options{ diff --git a/codersdk/deploymentconfig.go b/codersdk/deploymentconfig.go index 3ff865e77d0e9..218f45cd8541d 100644 --- a/codersdk/deploymentconfig.go +++ b/codersdk/deploymentconfig.go @@ -90,7 +90,7 @@ type OIDCConfig struct { AllowSignups *DeploymentConfigField[bool] `json:"allow_signups" typescript:",notnull"` ClientID *DeploymentConfigField[string] `json:"client_id" typescript:",notnull"` ClientSecret *DeploymentConfigField[string] `json:"client_secret" typescript:",notnull"` - EmailDomains *DeploymentConfigField[[]string] `json:"email_domains" typescript:",notnull"` + EmailDomain *DeploymentConfigField[[]string] `json:"email_domain" typescript:",notnull"` IssuerURL *DeploymentConfigField[string] `json:"issuer_url" typescript:",notnull"` Scopes *DeploymentConfigField[[]string] `json:"scopes" typescript:",notnull"` IgnoreEmailVerified *DeploymentConfigField[bool] `json:"ignore_email_verified" typescript:",notnull"` diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts index 1e73578c445ae..00d0bed803ede 100644 --- a/site/src/api/typesGenerated.ts +++ b/site/src/api/typesGenerated.ts 
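Review bot: In the codersdk/deploymentconfig.go hunk the JSON key reverts to `email_domain`, but the value stays `*DeploymentConfigField[[]string]` (changed from `[string]` in patch 02 and not reverted), so a consumer that decodes `email_domain` as a string will fail or read nothing once this ships. If this struct is served over the API, which the `codersdk` package suggests but the hunk does not show, that is a wire-format change under an unchanged key and should be called out in the changelog or given a new key; the `typescript:",notnull"` tag means the generated TS type changes shape under the old name as well. OIDCConfig continues outside the hunk.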
@@ -439,7 +439,7 @@ export interface OIDCConfig {
 readonly allow_signups: DeploymentConfigField
 readonly client_id: DeploymentConfigField
 readonly client_secret: DeploymentConfigField
- readonly email_domains: DeploymentConfigField
+ readonly email_domain: DeploymentConfigField
 readonly issuer_url: DeploymentConfigField
 readonly scopes: DeploymentConfigField
 readonly ignore_email_verified: DeploymentConfigField
diff --git a/site/src/pages/DeploySettingsPage/UserAuthSettingsPage.tsx b/site/src/pages/DeploySettingsPage/UserAuthSettingsPage.tsx
index 2ec91607b8c39..582ddd3021b55 100644
--- a/site/src/pages/DeploySettingsPage/UserAuthSettingsPage.tsx
+++ b/site/src/pages/DeploySettingsPage/UserAuthSettingsPage.tsx
@@ -43,7 +43,7 @@ const UserAuthSettingsPage: React.FC = () => {
 options={{
 client_id: deploymentConfig.oidc.client_id,
 allow_signups: deploymentConfig.oidc.allow_signups,
- email_domains: deploymentConfig.oidc.email_domains,
+ email_domain: deploymentConfig.oidc.email_domain,
 issuer_url: deploymentConfig.oidc.issuer_url,
 scopes: deploymentConfig.oidc.scopes,
 }}
From f65ce981d0d4c9270335a102e2ec532e389d02b0 Mon Sep 17 00:00:00 2001
From: Mathias Fredriksson
Date: Fri, 2 Dec 2022 15:56:55 +0200
Subject: [PATCH 12/12] Update coderd/userauth.go

---
 coderd/userauth.go | 2 --
 1 file changed, 2 deletions(-)

diff --git a/coderd/userauth.go b/coderd/userauth.go
index 3a05ae71822cf..1197aa8d2cea6 100644
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@@ -289,8 +289,6 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 }
 username = httpapi.UsernameFrom(username)
 }
- // Check if one or comma delimited list of allowed domains is provided.
- // If a suffix matches, break and continue, otherwise error.
 if len(api.OIDCConfig.EmailDomain) > 0 {
 ok = false
 for _, domain := range api.OIDCConfig.EmailDomain {