Documentation
Index
- func WithAuthorizedRedirectURL(hook func(redirectURL string) error) func(*FakeIDP)
- func WithCustomClientAuth(hook func(t testing.TB, req *http.Request) (url.Values, error)) func(*FakeIDP)
- func WithDynamicUserInfo(userInfoFunc func(email string) jwt.MapClaims) func(*FakeIDP)
- func WithIssuer(issuer string) func(*FakeIDP)
- func WithLogging(t testing.TB, options *slogtest.Options) func(*FakeIDP)
- func WithRefreshHook(hook func(email string) error) func(*FakeIDP)
- func WithServing() func(*FakeIDP)
- func WithStaticUserInfo(info jwt.MapClaims) func(*FakeIDP)
- type FakeIDP
- func (f *FakeIDP) AttemptLogin(t testing.TB, client *codersdk.Client, idTokenClaims jwt.MapClaims, ...) (*codersdk.Client, *http.Response)
- func (f *FakeIDP) HTTPClient(rest *http.Client) *http.Client
- func (f *FakeIDP) Login(t testing.TB, client *codersdk.Client, idTokenClaims jwt.MapClaims, ...) (*codersdk.Client, *http.Response)
- func (f *FakeIDP) LoginWithClient(t testing.TB, client *codersdk.Client, idTokenClaims jwt.MapClaims, ...) (*codersdk.Client, *http.Response)
- func (f *FakeIDP) OIDCCallback(t testing.TB, state string, idTokenClaims jwt.MapClaims) (*http.Response, error)
- func (f *FakeIDP) OIDCConfig(t testing.TB, scopes []string, opts ...func(cfg *coderd.OIDCConfig)) *coderd.OIDCConfig
- func (f *FakeIDP) RefreshUsed(refreshToken string) bool
- func (f *FakeIDP) SetCoderdCallback(callback func(req *http.Request) (*http.Response, error))
- func (f *FakeIDP) SetCoderdCallbackHandler(handler http.HandlerFunc)
- func (f *FakeIDP) SetRedirect(t testing.TB, u string)
- func (f *FakeIDP) UpdateRefreshClaims(refreshToken string, claims jwt.MapClaims)
- type FakeIDPOpt
- type LoginHelper
- func (*LoginHelper) ExpireOauthToken(t *testing.T, db database.Store, user *codersdk.Client) database.UserLink
- func (h *LoginHelper) ForceRefresh(t *testing.T, db database.Store, user *codersdk.Client, idToken jwt.MapClaims)
- func (h *LoginHelper) Login(t *testing.T, idTokenClaims jwt.MapClaims) (*codersdk.Client, *http.Response)
Constants
This section is empty.
Variables
This section is empty.
Functions
func WithCustomClientAuth
func WithDynamicUserInfo
func WithIssuer
func WithLogging
WithLogging is optional, but will log some HTTP calls made to the IDP.
func WithRefreshHook
WithRefreshHook sets a hook that is called when a refresh token is used. The email is the email of the user being refreshed, assuming the claims are correct.
func WithServing
func WithServing() func(*FakeIDP)
WithServing makes the IDP run an actual HTTP server.
func WithStaticUserInfo
func WithStaticUserInfo(info jwt.MapClaims) func(*FakeIDP)
WithStaticUserInfo is optional, but will return the same user info for every user on the /userinfo endpoint.
Types
type FakeIDP
type FakeIDP struct {
// contains filtered or unexported fields
}
FakeIDP is a functional OIDC provider. It only supports 1 OIDC client.
func NewFakeIDP
func NewFakeIDP(t testing.TB, opts ...FakeIDPOpt) *FakeIDP
func (*FakeIDP) AttemptLogin
func (*FakeIDP) HTTPClient
HTTPClient does nothing if IsServing is used.
If IsServing is not used, it returns a client that makes requests to the IDP entirely in memory. Requests that are not to the IDP go through the passed-in client; if no client is passed in, any regular network request will fail.
func (*FakeIDP) Login
func (f *FakeIDP) Login(t testing.TB, client *codersdk.Client, idTokenClaims jwt.MapClaims, opts ...func(r *http.Request)) (*codersdk.Client, *http.Response)
Login does the full OIDC flow starting at the "LoginButton". The client passed in is used only to get the URL of the Coder instance; the client that actually performs the login is fresh and 100% unauthenticated.
func (*FakeIDP) LoginWithClient
func (f *FakeIDP) LoginWithClient(t testing.TB, client *codersdk.Client, idTokenClaims jwt.MapClaims, opts ...func(r *http.Request)) (*codersdk.Client, *http.Response)
LoginWithClient reuses the context of the passed in client. This means the same cookies will be used. This should be an unauthenticated client in most cases.
This is a niche case, but it is needed for testing ConvertLoginType.
func (*FakeIDP) OIDCCallback
func (f *FakeIDP) OIDCCallback(t testing.TB, state string, idTokenClaims jwt.MapClaims) (*http.Response, error)
OIDCCallback will emulate the IDP redirecting back to the Coder callback. This is helpful if no Coderd exists because the IDP needs to redirect to something. Essentially this is used to fake the Coderd side of the exchange. The flow starts at the user hitting the OIDC login page.
func (*FakeIDP) OIDCConfig
func (f *FakeIDP) OIDCConfig(t testing.TB, scopes []string, opts ...func(cfg *coderd.OIDCConfig)) *coderd.OIDCConfig
OIDCConfig returns the OIDC config to use for Coderd.
func (*FakeIDP) RefreshUsed
RefreshUsed returns whether the refresh token has been used. Every refresh token can be used only once; after that it is deleted.
func (*FakeIDP) SetCoderdCallback
SetCoderdCallback is optional and only works when IsServing is not used. It sets up a fake "Coderd" for the IDP to call when the IDP redirects back after authenticating.
func (*FakeIDP) SetCoderdCallbackHandler
func (f *FakeIDP) SetCoderdCallbackHandler(handler http.HandlerFunc)
func (*FakeIDP) SetRedirect
SetRedirect is required for the IDP to know where to redirect and call Coderd.
func (*FakeIDP) UpdateRefreshClaims
UpdateRefreshClaims allows the caller to change what claims are returned for a given refresh token. By default, all refreshes use the same claims as the original IDToken issuance.
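The single-use refresh semantics described for RefreshUsed and UpdateRefreshClaims, as an added stdlib-only sketch; this is not FakeIDP's code. The names `refreshStore`, `Issue`, `Redeem`, `UpdateClaims`, `Used` and `Claims` are hypothetical, and the token names and claims are constructed sample values.

```go
package main

import "fmt"

type Claims map[string]any // stand-in for jwt.MapClaims so the example is stdlib-only

// refreshStore is a hypothetical single-use refresh-token store (not goroutine-safe).
type refreshStore struct {
	active map[string]Claims // tokens that can still be redeemed
	used   map[string]bool   // tokens that were redeemed and then deleted
}

func newRefreshStore() *refreshStore { return &refreshStore{map[string]Claims{}, map[string]bool{}} }

// Issue binds a new token to the claims of the original ID token.
func (s *refreshStore) Issue(c Claims) string {
	tok := fmt.Sprintf("rt-%d", len(s.active)+len(s.used)+1) // constructed name; real tokens must be random
	s.active[tok] = c
	return tok
}

// UpdateClaims changes what a pending token returns; spent tokens stay dead.
func (s *refreshStore) UpdateClaims(tok string, c Claims) {
	if _, ok := s.active[tok]; ok {
		s.active[tok] = c
	}
}

// Redeem consumes tok exactly once; unknown or replayed tokens are rejected.
func (s *refreshStore) Redeem(tok string) (Claims, error) {
	c, ok := s.active[tok]
	if !ok {
		return nil, fmt.Errorf("refresh token unknown or already used")
	}
	delete(s.active, tok)
	s.used[tok] = true
	return c, nil
}

// Used reports whether tok was redeemed, the question RefreshUsed is described as answering.
func (s *refreshStore) Used(tok string) bool { return s.used[tok] }

func main() {
	s := newRefreshStore()
	tok := s.Issue(Claims{"email": "alice@example.com"}) // constructed sample claims
	c, err := s.Redeem(tok)
	_, replay := s.Redeem(tok)
	fmt.Println(c, err, replay, s.Used(tok))
}
```

A test built on this pattern can assert both that the first refresh succeeded and that a replayed token is rejected, which is the property the one-time-use rule protects.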
type FakeIDPOpt
type FakeIDPOpt func(idp *FakeIDP)
type LoginHelper
type LoginHelper struct {
// contains filtered or unexported fields
}
LoginHelper helps with logging in a user and refreshing their OAuth tokens. It exists mainly because refreshing OAuth tokens is a bit tricky and requires some database manipulation.
func NewLoginHelper
func NewLoginHelper(client *codersdk.Client, fake *FakeIDP) *LoginHelper
func (*LoginHelper) ExpireOauthToken
func (*LoginHelper) ExpireOauthToken(t *testing.T, db database.Store, user *codersdk.Client) database.UserLink
ExpireOauthToken expires the oauth token for the given user.
func (*LoginHelper) ForceRefresh
func (h *LoginHelper) ForceRefresh(t *testing.T, db database.Store, user *codersdk.Client, idToken jwt.MapClaims)
ForceRefresh forces the client to refresh its oauth token. It does this by expiring the oauth token, then doing an authenticated call. This will force the API Key middleware to refresh the oauth token.
A unit test assertion makes sure the refresh token is used.