feat: add github device flow for authentication (#8232)

* feat: add github device flow for authentication

This will allow us to add a GitHub OAuth provider out-of-the-box
to reduce setup requirements.

* Improve askpass view

* Add routes to improve clarity of git auth

* Redesign the git auth page

* Refactor to add a page view

* Fix sideways layout

* Remove legacy notify

* Fix git auth redirects

* Add E2E tests

* Fix route documentation

* Fix imports

* Remove unused imports

* Fix E2E web test

* Fix friendly message appearance

* Fix layout shifting for full-screen sign-in

* Fix height going to 100%

* Fix comments

coderd/workspaceagents_test.go

@@ -6,8 +6,6 @@ import (
 	"fmt"
 	"net"
 	"net/http"
-	"net/http/httptest"
-	"regexp"
 	"runtime"
 	"strconv"
 	"strings"
@@ -17,14 +15,12 @@ import (
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"golang.org/x/oauth2"
 
 	"cdr.dev/slog"
 	"cdr.dev/slog/sloggers/slogtest"
 	"github.com/coder/coder/agent"
 	"github.com/coder/coder/coderd/coderdtest"
 	"github.com/coder/coder/coderd/database"
-	"github.com/coder/coder/coderd/gitauth"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/codersdk/agentsdk"
 	"github.com/coder/coder/provisioner/echo"
@@ -1000,270 +996,6 @@ func TestWorkspaceAgentAppHealth(t *testing.T) {
 	require.EqualValues(t, codersdk.WorkspaceAppHealthUnhealthy, manifest.Apps[1].Health)
 }
 
-// nolint:bodyclose
-func TestWorkspaceAgentsGitAuth(t *testing.T) {
-	t.Parallel()
-	t.Run("NoMatchingConfig", func(t *testing.T) {
-		t.Parallel()
-		client := coderdtest.New(t, &coderdtest.Options{
-			IncludeProvisionerDaemon: true,
-			GitAuthConfigs:           []*gitauth.Config{},
-		})
-		user := coderdtest.CreateFirstUser(t, client)
-		authToken := uuid.NewString()
-		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
-			Parse:          echo.ParseComplete,
-			ProvisionPlan:  echo.ProvisionComplete,
-			ProvisionApply: echo.ProvisionApplyWithAgent(authToken),
-		})
-		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
-		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
-
-		agentClient := agentsdk.New(client.URL)
-		agentClient.SetSessionToken(authToken)
-		_, err := agentClient.GitAuth(context.Background(), "github.com", false)
-		var apiError *codersdk.Error
-		require.ErrorAs(t, err, &apiError)
-		require.Equal(t, http.StatusNotFound, apiError.StatusCode())
-	})
-	t.Run("ReturnsURL", func(t *testing.T) {
-		t.Parallel()
-		client := coderdtest.New(t, &coderdtest.Options{
-			IncludeProvisionerDaemon: true,
-			GitAuthConfigs: []*gitauth.Config{{
-				OAuth2Config: &testutil.OAuth2Config{},
-				ID:           "github",
-				Regex:        regexp.MustCompile(`github\.com`),
-				Type:         codersdk.GitProviderGitHub,
-			}},
-		})
-		user := coderdtest.CreateFirstUser(t, client)
-		authToken := uuid.NewString()
-		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
-			Parse:         echo.ParseComplete,
-			ProvisionPlan: echo.ProvisionComplete,
-			ProvisionApply: []*proto.Provision_Response{{
-				Type: &proto.Provision_Response_Complete{
-					Complete: &proto.Provision_Complete{
-						Resources: []*proto.Resource{{
-							Name: "example",
-							Type: "aws_instance",
-							Agents: []*proto.Agent{{
-								Id: uuid.NewString(),
-								Auth: &proto.Agent_Token{
-									Token: authToken,
-								},
-							}},
-						}},
-					},
-				},
-			}},
-		})
-		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
-		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
-
-		agentClient := agentsdk.New(client.URL)
-		agentClient.SetSessionToken(authToken)
-		token, err := agentClient.GitAuth(context.Background(), "github.com/asd/asd", false)
-		require.NoError(t, err)
-		require.True(t, strings.HasSuffix(token.URL, fmt.Sprintf("/gitauth/%s", "github")))
-	})
-	t.Run("UnauthorizedCallback", func(t *testing.T) {
-		t.Parallel()
-		client := coderdtest.New(t, &coderdtest.Options{
-			IncludeProvisionerDaemon: true,
-			GitAuthConfigs: []*gitauth.Config{{
-				OAuth2Config: &testutil.OAuth2Config{},
-				ID:           "github",
-				Regex:        regexp.MustCompile(`github\.com`),
-				Type:         codersdk.GitProviderGitHub,
-			}},
-		})
-		resp := coderdtest.RequestGitAuthCallback(t, "github", client)
-		require.Equal(t, http.StatusSeeOther, resp.StatusCode)
-	})
-	t.Run("AuthorizedCallback", func(t *testing.T) {
-		t.Parallel()
-		client := coderdtest.New(t, &coderdtest.Options{
-			IncludeProvisionerDaemon: true,
-			GitAuthConfigs: []*gitauth.Config{{
-				OAuth2Config: &testutil.OAuth2Config{},
-				ID:           "github",
-				Regex:        regexp.MustCompile(`github\.com`),
-				Type:         codersdk.GitProviderGitHub,
-			}},
-		})
-		_ = coderdtest.CreateFirstUser(t, client)
-		resp := coderdtest.RequestGitAuthCallback(t, "github", client)
-		require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
-		location, err := resp.Location()
-		require.NoError(t, err)
-		require.Equal(t, "/gitauth", location.Path)
-
-		// Callback again to simulate updating the token.
-		resp = coderdtest.RequestGitAuthCallback(t, "github", client)
-		require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
-	})
-	t.Run("ValidateURL", func(t *testing.T) {
-		t.Parallel()
-		ctx := testutil.Context(t, testutil.WaitLong)
-
-		srv := httptest.NewServer(nil)
-		defer srv.Close()
-		client := coderdtest.New(t, &coderdtest.Options{
-			IncludeProvisionerDaemon: true,
-			GitAuthConfigs: []*gitauth.Config{{
-				ValidateURL:  srv.URL,
-				OAuth2Config: &testutil.OAuth2Config{},
-				ID:           "github",
-				Regex:        regexp.MustCompile(`github\.com`),
-				Type:         codersdk.GitProviderGitHub,
-			}},
-		})
-		user := coderdtest.CreateFirstUser(t, client)
-		authToken := uuid.NewString()
-		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
-			Parse:          echo.ParseComplete,
-			ProvisionPlan:  echo.ProvisionComplete,
-			ProvisionApply: echo.ProvisionApplyWithAgent(authToken),
-		})
-		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
-		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
-
-		agentClient := agentsdk.New(client.URL)
-		agentClient.SetSessionToken(authToken)
-
-		resp := coderdtest.RequestGitAuthCallback(t, "github", client)
-		require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
-
-		// If the validation URL says unauthorized, the callback
-		// URL to re-authenticate should be returned.
-		srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			w.WriteHeader(http.StatusUnauthorized)
-		})
-		res, err := agentClient.GitAuth(ctx, "github.com/asd/asd", false)
-		require.NoError(t, err)
-		require.NotEmpty(t, res.URL)
-
-		// If the validation URL gives a non-OK status code, this
-		// should be treated as an internal server error.
-		srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			w.WriteHeader(http.StatusForbidden)
-			w.Write([]byte("Something went wrong!"))
-		})
-		_, err = agentClient.GitAuth(ctx, "github.com/asd/asd", false)
-		var apiError *codersdk.Error
-		require.ErrorAs(t, err, &apiError)
-		require.Equal(t, http.StatusInternalServerError, apiError.StatusCode())
-		require.Equal(t, "validate git auth token: status 403: body: Something went wrong!", apiError.Detail)
-	})
-
-	t.Run("ExpiredNoRefresh", func(t *testing.T) {
-		t.Parallel()
-		client := coderdtest.New(t, &coderdtest.Options{
-			IncludeProvisionerDaemon: true,
-			GitAuthConfigs: []*gitauth.Config{{
-				OAuth2Config: &testutil.OAuth2Config{
-					Token: &oauth2.Token{
-						AccessToken:  "token",
-						RefreshToken: "something",
-						Expiry:       database.Now().Add(-time.Hour),
-					},
-				},
-				ID:        "github",
-				Regex:     regexp.MustCompile(`github\.com`),
-				Type:      codersdk.GitProviderGitHub,
-				NoRefresh: true,
-			}},
-		})
-		user := coderdtest.CreateFirstUser(t, client)
-		authToken := uuid.NewString()
-		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
-			Parse:          echo.ParseComplete,
-			ProvisionPlan:  echo.ProvisionComplete,
-			ProvisionApply: echo.ProvisionApplyWithAgent(authToken),
-		})
-		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
-		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
-
-		agentClient := agentsdk.New(client.URL)
-		agentClient.SetSessionToken(authToken)
-
-		token, err := agentClient.GitAuth(context.Background(), "github.com/asd/asd", false)
-		require.NoError(t, err)
-		require.NotEmpty(t, token.URL)
-
-		// In the configuration, we set our OAuth provider
-		// to return an expired token. Coder consumes this
-		// and stores it.
-		resp := coderdtest.RequestGitAuthCallback(t, "github", client)
-		require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
-
-		// Because the token is expired and `NoRefresh` is specified,
-		// a redirect URL should be returned again.
-		token, err = agentClient.GitAuth(context.Background(), "github.com/asd/asd", false)
-		require.NoError(t, err)
-		require.NotEmpty(t, token.URL)
-	})
-
-	t.Run("FullFlow", func(t *testing.T) {
-		t.Parallel()
-		client := coderdtest.New(t, &coderdtest.Options{
-			IncludeProvisionerDaemon: true,
-			GitAuthConfigs: []*gitauth.Config{{
-				OAuth2Config: &testutil.OAuth2Config{},
-				ID:           "github",
-				Regex:        regexp.MustCompile(`github\.com`),
-				Type:         codersdk.GitProviderGitHub,
-			}},
-		})
-		user := coderdtest.CreateFirstUser(t, client)
-		authToken := uuid.NewString()
-		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
-			Parse:          echo.ParseComplete,
-			ProvisionPlan:  echo.ProvisionComplete,
-			ProvisionApply: echo.ProvisionApplyWithAgent(authToken),
-		})
-		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
-		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
-
-		agentClient := agentsdk.New(client.URL)
-		agentClient.SetSessionToken(authToken)
-
-		token, err := agentClient.GitAuth(context.Background(), "github.com/asd/asd", false)
-		require.NoError(t, err)
-		require.NotEmpty(t, token.URL)
-
-		// Start waiting for the token callback...
-		tokenChan := make(chan agentsdk.GitAuthResponse, 1)
-		go func() {
-			token, err := agentClient.GitAuth(context.Background(), "github.com/asd/asd", true)
-			assert.NoError(t, err)
-			tokenChan <- token
-		}()
-
-		time.Sleep(250 * time.Millisecond)
-
-		resp := coderdtest.RequestGitAuthCallback(t, "github", client)
-		require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
-		token = <-tokenChan
-		require.Equal(t, "access_token", token.Username)
-
-		token, err = agentClient.GitAuth(context.Background(), "github.com/asd/asd", false)
-		require.NoError(t, err)
-	})
-}
-
 func TestWorkspaceAgentReportStats(t *testing.T) {
 	t.Parallel()