Skip to content

fix: make 'NoRefresh' honor unlimited tokens in gitauth #9472

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Sep 5, 2023
Merged

fix: make 'NoRefresh' honor unlimited tokens in gitauth #9472

merged 6 commits into from
Sep 5, 2023

Conversation

Emyrk
Copy link
Member

@Emyrk Emyrk commented Aug 31, 2023
edited
Loading

What this does

This makes NoRefresh honor GitHub's unlimited lifetime tokens. Github oauth tokens have no expiry time set.

This PR mainly just refactors all the existing tests

Testing

The existing tests were not actually testing the right things. For one, the refresh tokens were always "", so no refreshing would ever happen. The NoRefresh config value would therefore always be honored no matter what in those cases, even if there was a bug.

The new tests return fully valid oauth tokens and communicate with the fake IDP all in memory. It can check the right IDP endpoints are called (validate & refresh).

@Emyrk
chore: fix NoRefresh to honor unlimited tokens
212429b 
- improve testing coverage of gitauth
Emyrk
Emyrk commented Aug 31, 2023
View reviewed changes
coderd/gitauth/config.go Outdated
Comment on lines 66 to 81
if c.NoRefresh &&
// If the time is set to 0, then it should never expire.
// This is true for github, which has no expiry.
!gitAuthLink.OAuthExpiry.IsZero() &&
gitAuthLink.OAuthExpiry.Before(database.Now()) {
return gitAuthLink, false, nil
}

// This is additional defensive programming. Because TokenSource is an interface,
// we cannot be sure that the implementation will treat an 'IsZero' time
// as "not-expired". The default implementation does, but a custom implementation
// might not. Removing the refreshToken will guarantee a refresh will fail.
refreshToken := gitAuthLink.OAuthRefreshToken
if c.NoRefresh {
refreshToken = ""
}
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kylecarbs The existing tests for this logic pass no matter what because refreshToken was always the empty string. I am refactoring all the tests with the new fake oidc IDP.

Just want to get your eyes since all this logic isn't very well solidified.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Neat

Emyrk
Emyrk commented Aug 31, 2023
View reviewed changes
coderd/gitauth/config_test.go Outdated
Comment on lines 32 to 92
t.Run("NoRefreshExpired", func(t *testing.T) {
t.Parallel()
config := &gitauth.Config{
NoRefresh: true,
}
_, refreshed, err := config.RefreshToken(context.Background(), nil, database.GitAuthLink{
OAuthExpiry: time.Time{},
fake, config, link := setupOauth2Test(t, testConfig{
FakeIDPOpts: []oidctest.FakeIDPOpt{
oidctest.WithRefreshHook(func(_ string) error {
t.Error("refresh on the IDP was called, but NoRefresh was set")
return xerrors.New("should not be called")
}),
// The IDP should not be contacted since the token is expired. An expired
// token with 'NoRefresh' should early abort.
oidctest.WithDynamicUserInfo(func(_ string) (jwt.MapClaims, error) {
t.Error("token was validated, but it was expired and this should never have happened.")
return nil, xerrors.New("should not be called")
}),
},
GitConfigOpt: func(cfg *gitauth.Config) {
cfg.NoRefresh = true
},
})

ctx := oidc.ClientContext(context.Background(), fake.HTTPClient(nil))
// Expire the link
link.OAuthExpiry = expired

_, refreshed, err := config.RefreshToken(ctx, nil, link)
require.NoError(t, err)
require.False(t, refreshed)
})

// NoRefreshNoExpiry tests that an oauth token without an expiry is always valid.
// The "validate url" should be hit, but the refresh endpoint should not.
t.Run("NoRefreshNoExpiry", func(t *testing.T) {
t.Parallel()

validated := false
fake, config, link := setupOauth2Test(t, testConfig{
FakeIDPOpts: []oidctest.FakeIDPOpt{
oidctest.WithRefreshHook(func(_ string) error {
t.Error("refresh on the IDP was called, but NoRefresh was set")
return xerrors.New("should not be called")
}),
oidctest.WithDynamicUserInfo(func(_ string) (jwt.MapClaims, error) {
validated = true
return jwt.MapClaims{}, nil
}),
},
GitConfigOpt: func(cfg *gitauth.Config) {
cfg.NoRefresh = true
},
})

ctx := oidc.ClientContext(context.Background(), fake.HTTPClient(nil))

// Zero time used
link.OAuthExpiry = time.Time{}
_, refreshed, err := config.RefreshToken(ctx, nil, link)
require.NoError(t, err)
require.True(t, refreshed, "token without expiry is always valid")
require.True(t, validated, "token should have been validated")
})

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was one test, I made it two. Testing both an expired and and a IsZero time.

@Emyrk Emyrk marked this pull request as ready for review August 31, 2023 20:58
@Emyrk Emyrk changed the title chore: fix NoRefresh to honor unlimited tokens fix: gitauth 'NoRefresh' to honor unlimited tokens Aug 31, 2023
@Emyrk Emyrk requested a review from kylecarbs September 5, 2023 13:28
kylecarbs
kylecarbs approved these changes Sep 5, 2023
View reviewed changes
Copy link
Member

@kylecarbs kylecarbs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Only a single note on naming, but this was from the oidctest PR:

WithRefreshHook could just be WithRefresh, because other funcs like WithDynamicUserInfo drop the Hook suffix, but that's a minor.

coderd/gitauth/config.go Outdated
Comment on lines 66 to 81
if c.NoRefresh &&
// If the time is set to 0, then it should never expire.
// This is true for github, which has no expiry.
!gitAuthLink.OAuthExpiry.IsZero() &&
gitAuthLink.OAuthExpiry.Before(database.Now()) {
return gitAuthLink, false, nil
}

// This is additional defensive programming. Because TokenSource is an interface,
// we cannot be sure that the implementation will treat an 'IsZero' time
// as "not-expired". The default implementation does, but a custom implementation
// might not. Removing the refreshToken will guarantee a refresh will fail.
refreshToken := gitAuthLink.OAuthRefreshToken
if c.NoRefresh {
refreshToken = ""
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Neat

@Emyrk Emyrk changed the title fix: gitauth 'NoRefresh' to honor unlimited tokens fix: make 'NoRefresh' honor unlimited tokens in gitauth Sep 5, 2023
@Emyrk Emyrk merged commit 58f7071 into main Sep 5, 2023
@Emyrk Emyrk deleted the stevenmasley/gitauth_oauth branch September 5, 2023 14:08
@github-actions github-actions bot locked and limited conversation to collaborators Sep 5, 2023
@Emyrk Emyrk restored the stevenmasley/gitauth_oauth branch September 5, 2023 14:13
@Emyrk Emyrk deleted the stevenmasley/gitauth_oauth branch January 9, 2024 20:10
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@kylecarbs kylecarbs kylecarbs approved these changes

Assignees

@Emyrk Emyrk

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Emyrk @kylecarbs