coder · Emyrk · Aug 11, 2023 · Aug 8, 2023 · Aug 9, 2023 · Aug 9, 2023
diff --git a/cli/testdata/coder_users_create_--help.golden b/cli/testdata/coder_users_create_--help.golden
@@ -1,15 +1,15 @@
 Usage: coder users create [flags]
 
 [1mOptions[0m
-      --disable-login bool
-          Disabling login for a user prevents the user from authenticating via
-          password or IdP login. Authentication requires an API key/token
-          generated by an admin. Be careful when using this flag as it can lock
-          the user out of their account.
-
   -e, --email string
           Specifies an email address for the new user.
 
+      --login-type string
+          Optionally specify the login type for the user. Valid values are:
+          password, none, github, oidc. Using 'none' prevents the user from
+          authenticating and requires an API key/token to be generated by an
+          admin.
+
   -p, --password string
           Specifies a password for the new user.
 

diff --git a/cli/usercreate.go b/cli/usercreate.go
@@ -2,6 +2,7 @@ package cli
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/go-playground/validator/v10"
 	"golang.org/x/xerrors"
@@ -18,6 +19,7 @@ func (r *RootCmd) userCreate() *clibase.Cmd {
 		username     string
 		password     string
 		disableLogin bool
+		loginType    string
 	)
 	client := new(codersdk.Client)
 	cmd := &clibase.Cmd{
@@ -54,7 +56,18 @@ func (r *RootCmd) userCreate() *clibase.Cmd {
 					return err
 				}
 			}
-			if password == "" && !disableLogin {
+			userLoginType := codersdk.LoginTypePassword
+			if disableLogin && loginType != "" {
+				return xerrors.New("You cannot specify both --disable-login and --login-type")
+			}
+			if disableLogin {
+				userLoginType = codersdk.LoginTypeNone
+			} else if loginType != "" {
+				userLoginType = codersdk.LoginType(loginType)
+			}
+
+			if password == "" && userLoginType == codersdk.LoginTypePassword {
+				// Generate a random password
 				password, err = cryptorand.StringCharset(cryptorand.Human, 20)
 				if err != nil {
 					return err
@@ -66,14 +79,22 @@ func (r *RootCmd) userCreate() *clibase.Cmd {
 				Username:       username,
 				Password:       password,
 				OrganizationID: organization.ID,
-				DisableLogin:   disableLogin,
+				UserLoginType:  userLoginType,
 			})
 			if err != nil {
 				return err
 			}
-			authenticationMethod := `Your password is: ` + cliui.DefaultStyles.Field.Render(password)
-			if disableLogin {
+
+			authenticationMethod := ""
+			switch codersdk.LoginType(strings.ToLower(string(userLoginType))) {
+			case codersdk.LoginTypePassword:
+				authenticationMethod = `Your password is: ` + cliui.DefaultStyles.Field.Render(password)
+			case codersdk.LoginTypeNone:
 				authenticationMethod = "Login has been disabled for this user. Contact your administrator to authenticate."
+			case codersdk.LoginTypeGithub:
+				authenticationMethod = `Login is authenticated through GitHub.`
+			case codersdk.LoginTypeOIDC:
+				authenticationMethod = `Login is authenticated through the configured OIDC provider.`
 			}
 
 			_, _ = fmt.Fprintln(inv.Stderr, `A new user has been created!
@@ -111,11 +132,22 @@ Create a workspace  `+cliui.DefaultStyles.Code.Render("coder create")+`!`)
 			Value:         clibase.StringOf(&password),
 		},
 		{
-			Flag: "disable-login",
-			Description: "Disabling login for a user prevents the user from authenticating via password or IdP login. Authentication requires an API key/token generated by an admin. " +
+			Flag:   "disable-login",
+			Hidden: true,
+			Description: "Deprecated: Use '--login-type=none'. \nDisabling login for a user prevents the user from authenticating via password or IdP login. Authentication requires an API key/token generated by an admin. " +
 				"Be careful when using this flag as it can lock the user out of their account.",
 			Value: clibase.BoolOf(&disableLogin),
 		},
+		{
+			Flag: "login-type",
+			Description: fmt.Sprintf("Optionally specify the login type for the user. Valid values are: %s. "+
+				"Using 'none' prevents the user from authenticating and requires an API key/token to be generated by an admin.",
+				strings.Join([]string{
+					string(codersdk.LoginTypePassword), string(codersdk.LoginTypeNone), string(codersdk.LoginTypeGithub), string(codersdk.LoginTypeOIDC),
+				}, ", ",
+				)),
+			Value: clibase.StringOf(&loginType),
+		},
 	}
 	return cmd
 }
diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go
diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json
diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go
@@ -588,14 +588,7 @@ func createAnotherUserRetry(t *testing.T, client *codersdk.Client, organizationI
 	require.NoError(t, err)
 
 	var sessionToken string
-	if !req.DisableLogin {
-		login, err := client.LoginWithPassword(context.Background(), codersdk.LoginWithPasswordRequest{
-			Email:    req.Email,
-			Password: req.Password,
-		})
-		require.NoError(t, err)
-		sessionToken = login.SessionToken
-	} else {
+	if req.DisableLogin || req.UserLoginType == codersdk.LoginTypeNone {
 		// Cannot log in with a disabled login user. So make it an api key from
 		// the client making this user.
 		token, err := client.CreateToken(context.Background(), user.ID.String(), codersdk.CreateTokenRequest{
@@ -605,6 +598,13 @@ func createAnotherUserRetry(t *testing.T, client *codersdk.Client, organizationI
 		})
 		require.NoError(t, err)
 		sessionToken = token.Key
+	} else {
+		login, err := client.LoginWithPassword(context.Background(), codersdk.LoginWithPasswordRequest{
+			Email:    req.Email,
+			Password: req.Password,
+		})
+		require.NoError(t, err)
+		sessionToken = login.SessionToken
 	}
 
 	if user.Status == codersdk.UserStatusDormant {

diff --git a/coderd/userauth_test.go b/coderd/userauth_test.go
@@ -145,7 +145,7 @@ func TestUserLogin(t *testing.T) {
 		require.Equal(t, http.StatusUnauthorized, apiErr.StatusCode())
 	})
 	// Password auth should fail if the user is made without password login.
-	t.Run("LoginTypeNone", func(t *testing.T) {
+	t.Run("DisableLoginDeprecatedField", func(t *testing.T) {
 		t.Parallel()
 		client := coderdtest.New(t, nil)
 		user := coderdtest.CreateFirstUser(t, client)
@@ -160,6 +160,22 @@ func TestUserLogin(t *testing.T) {
 		})
 		require.Error(t, err)
 	})
+
+	t.Run("LoginTypeNone", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		user := coderdtest.CreateFirstUser(t, client)
+		anotherClient, anotherUser := coderdtest.CreateAnotherUserMutators(t, client, user.OrganizationID, nil, func(r *codersdk.CreateUserRequest) {
+			r.Password = ""
+			r.UserLoginType = codersdk.LoginTypeNone
+		})
+
+		_, err := anotherClient.LoginWithPassword(context.Background(), codersdk.LoginWithPasswordRequest{
+			Email:    anotherUser.Email,
+			Password: "SomeSecurePassword!",
+		})
+		require.Error(t, err)
+	})
 }
 
 func TestUserAuthMethods(t *testing.T) {

diff --git a/coderd/users.go b/coderd/users.go
@@ -287,11 +287,27 @@ func (api *API) postUser(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if req.UserLoginType == "" && req.DisableLogin {
+		// Handle the deprecated field
+		req.UserLoginType = codersdk.LoginTypeNone
+	}
+	if req.UserLoginType == "" {
+		// Default to password auth
+		req.UserLoginType = codersdk.LoginTypePassword
+	}
+
+	if req.UserLoginType != codersdk.LoginTypePassword && req.Password != "" {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: fmt.Sprintf("Password cannot be set for non-password (%q) authentication.", req.UserLoginType),
+		})
+		return
+	}
+
 	// If password auth is disabled, don't allow new users to be
 	// created with a password!
-	if api.DeploymentValues.DisablePasswordAuth {
+	if api.DeploymentValues.DisablePasswordAuth && req.UserLoginType == codersdk.LoginTypePassword {
 		httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
-			Message: "You cannot manually provision new users with password authentication disabled!",
+			Message: "Password based authentication is disabled! Unable to provision new users with password authentication.",
 		})
 		return
 	}
@@ -353,17 +369,11 @@ func (api *API) postUser(rw http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	if req.DisableLogin && req.Password != "" {
-		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
-			Message: "Cannot set password when disabling login.",
-		})
-		return
-	}
-
 	var loginType database.LoginType
-	if req.DisableLogin {
+	switch req.UserLoginType {
+	case codersdk.LoginTypeNone:
 		loginType = database.LoginTypeNone
-	} else {
+	case codersdk.LoginTypePassword:
 		err = userpassword.Validate(req.Password)
 		if err != nil {
 			httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
@@ -376,6 +386,14 @@ func (api *API) postUser(rw http.ResponseWriter, r *http.Request) {
 			return
 		}
 		loginType = database.LoginTypePassword
+	case codersdk.LoginTypeOIDC:
+		loginType = database.LoginTypeOIDC
+	case codersdk.LoginTypeGithub:
+		loginType = database.LoginTypeGithub
+	default:
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: fmt.Sprintf("Unsupported login type %q for manually creating new users.", req.UserLoginType),
+		})
 	}
 
 	user, _, err := api.CreateUser(ctx, api.Database, CreateUserRequest{

diff --git a/coderd/users_test.go b/coderd/users_test.go
@@ -9,6 +9,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/golang-jwt/jwt"
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -565,6 +566,71 @@ func TestPostUsers(t *testing.T) {
 			}
 		}
 	})
+
+	t.Run("CreateNoneLoginType", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		first := coderdtest.CreateFirstUser(t, client)
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		user, err := client.CreateUser(ctx, codersdk.CreateUserRequest{
+			OrganizationID: first.OrganizationID,
+			Email:          "another@user.org",
+			Username:       "someone-else",
+			Password:       "",
+			UserLoginType:  codersdk.LoginTypeNone,
+		})
+		require.NoError(t, err)
+
+		found, err := client.User(ctx, user.ID.String())
+		require.NoError(t, err)
+		require.Equal(t, found.LoginType, codersdk.LoginTypeNone)
+	})
+
+	t.Run("CreateOIDCLoginType", func(t *testing.T) {
+		t.Parallel()
+		email := "another@user.org"
+		conf := coderdtest.NewOIDCConfig(t, "")
+		config := conf.OIDCConfig(t, jwt.MapClaims{
+			"email": email,
+		})
+		config.AllowSignups = false
+		config.IgnoreUserInfo = true
+
+		client := coderdtest.New(t, &coderdtest.Options{
+			OIDCConfig: config,
+		})
+		first := coderdtest.CreateFirstUser(t, client)
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		_, err := client.CreateUser(ctx, codersdk.CreateUserRequest{
+			OrganizationID: first.OrganizationID,
+			Email:          email,
+			Username:       "someone-else",
+			Password:       "",
+			UserLoginType:  codersdk.LoginTypeOIDC,
+		})
+		require.NoError(t, err)
+
+		// Try to log in with OIDC.
+		userClient := codersdk.New(client.URL)
+		resp := oidcCallback(t, userClient, conf.EncodeClaims(t, jwt.MapClaims{
+			"email": email,
+		}))
+		require.Equal(t, resp.StatusCode, http.StatusTemporaryRedirect)
+		// Set the client to use this OIDC context
+		authCookie := authCookieValue(resp.Cookies())
+		userClient.SetSessionToken(authCookie)
+		_ = resp.Body.Close()
+
+		found, err := userClient.User(ctx, "me")
+		require.NoError(t, err)
+		require.Equal(t, found.LoginType, codersdk.LoginTypeOIDC)
+	})
 }
 
 func TestUpdateUserProfile(t *testing.T) {

diff --git a/codersdk/apikey.go b/codersdk/apikey.go
@@ -28,6 +28,7 @@ type APIKey struct {
 type LoginType string
 
 const (
+	LoginTypeUnknown  LoginType = ""
 	LoginTypePassword LoginType = "password"
 	LoginTypeGithub   LoginType = "github"
 	LoginTypeOIDC     LoginType = "oidc"