Skip to content

feat: add flag to disable password auth #5991

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Feb 6, 2023
Merged

feat: add flag to disable password auth #5991

merged 9 commits into from
Feb 6, 2023

Conversation

deansheather
Copy link
Member

@deansheather deansheather commented Feb 2, 2023
edited
Loading

Adds a flag --disable-password-auth that prevents the password login endpoint from working unless the user has the "owner" (aka. site admin) role.

Adds a subcommand coder server create-admin-user which creates a user directly in the database with the "owner" role, the "admin" role in every organization, and password auth. This is to avoid lock-out situations where all accounts have the login type set to an identity provider and nobody can login.

Closes #5989

cc: @ElliotG

@deansheather
feat: add flag to disable password auth
ff2ac1e 
Adds a flag --disable-password-auth that prevents the password login
endpoint from working unless the user has the "owner" (aka. site admin)
role.

Adds a subcommand `coder server create-admin-user` which creates a user
directly in the database with the "owner" role, the "admin" role in
every organization, and password auth. This is to avoid lock-out
situations where all accounts have the login type set to an identity
provider and nobody can login.
@deansheather
fixup! feat: add flag to disable password auth
68c9a38
@deansheather deansheather marked this pull request as ready for review February 2, 2023 19:22
@ammario ammario removed their request for review February 2, 2023 19:38
mtojek
mtojek reviewed Feb 3, 2023
View reviewed changes
Copy link
Member

@mtojek mtojek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good job!

cli/server.go
@@ -1607,3 +1785,71 @@ func buildLogger(cmd *cobra.Command, cfg *codersdk.DeploymentConfig) (slog.Logge
}
}, nil
}

func connectToPostgres(ctx context.Context, logger slog.Logger, driver string, dbURL string) (*sql.DB, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Maybe extract it to a separate file too?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I'll leave it here for now since it's mostly only used for server.go and makes sense to live here to me.

@deansheather deansheather requested a review from mtojek February 3, 2023 15:46
mtojek
mtojek reviewed Feb 3, 2023
View reviewed changes
Copy link
Member

@mtojek mtojek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code LGTM

@deansheather deansheather requested a review from mtojek February 4, 2023 16:47
mtojek
mtojek approved these changes Feb 6, 2023
View reviewed changes
Copy link
Member

@mtojek mtojek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes LGTM 👍

@smolinari
Copy link

smolinari commented Feb 6, 2023
edited
Loading

@deansheather - I really appreciate this.

One question. I'm not proficient in Go, and I looked over the PR and didn't see it, but when the --disable-password-auth is enabled, does that also cause the automatic redirect of users to the (single) OIDC provider? In other words, avoiding having the user click the one button to go to the provider? The button isn't necessary with a single provider and would allow Coder to have a proper SSO user experience.

That was the main goal of the user story in #4433, which this PR is supposed to close. 😀

Scott

@deansheather
Copy link
Member Author

@smolinari This PR doesn't do that intentionally as we still allow site owners to login via password auth. We could add an auto-redirect thing later on as long as we have a bypass.

@bpmct as per the above comment I'm removing #4433 from this PR.

kylecarbs
kylecarbs requested changes Feb 6, 2023
View reviewed changes
Copy link
Member

@kylecarbs kylecarbs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't disable the form on the FE, which it should.

@kylecarbs
Copy link
Member

Ahh my bad, I see the comments above.

@deansheather deansheather enabled auto-merge (squash) February 6, 2023 14:49
@deansheather deansheather merged commit 4fe221a into main Feb 6, 2023
@deansheather deansheather deleted the dean/disable-password-auth branch February 6, 2023 14:58
@github-actions github-actions bot locked and limited conversation to collaborators Feb 6, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@kylecarbs kylecarbs kylecarbs approved these changes

@mtojek mtojek mtojek approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

security: allow disabling built-in authentication
4 participants
@deansheather @smolinari @kylecarbs @mtojek