chore: improve fake IDP script (#11602)

* chore: testIDP using static defaults for easier reuse
2025-07-13 21:36:50 +00:00 · 2024-01-15 10:01:41 -06:00
parent f915bdf26c
commit 5087f7b5f6
5 changed files with 204 additions and 80 deletions
--- a/scripts/testidp/README.md
+++ b/scripts/testidp/README.md
@ -0,0 +1,17 @@
+# How to use
+
+Start the idp service:
+
+```bash
+$ go run main.go
+2024-01-10 16:48:01.415 [info]  stdlib: 2024/01/10 10:48:01 IDP Issuer URL http://127.0.0.1:44517
+2024-01-10 16:48:01.415 [info]  stdlib: 2024/01/10 10:48:01 Oauth Flags
+2024-01-10 16:48:01.415 [info]  stdlib: 2024/01/10 10:48:01 --external-auth-providers='[{"type":"fake","client_id":"f2df566b-a1c9-407a-8b75-480db45c6476","client_secret":"55aca4e3-7b94-44b6-9f45-ecb5e81c560d","auth_url":"http://127.0.0.1:44517/oauth2/authorize","token_url":"http://127.0.0.1:44517/oauth2/token","validate_url":"http://127.0.0.1:44517/oauth2/userinfo","scopes":["openid","email","profile"]}]'
+2024-01-10 16:48:01.415 [info]  stdlib: 2024/01/10 10:48:01 Press Ctrl+C to exit
+```
+
+Then use the flag into your coderd instance:
+
+```bash
+develop.sh -- --external-auth-providers='[{"type":"fake","client_id":"f2df566b-a1c9-407a-8b75-480db45c6476","client_secret":"55aca4e3-7b94-44b6-9f45-ecb5e81c560d","auth_url":"http://127.0.0.1:44517/oauth2/authorize","token_url":"http://127.0.0.1:44517/oauth2/token","validate_url":"http://127.0.0.1:44517/oauth2/userinfo","scopes":["openid","email","profile"]}]'
+```
--- a/scripts/testidp/main.go
+++ b/scripts/testidp/main.go
@ -0,0 +1,111 @@
+package main
+
+import (
+	"encoding/json"
+	"flag"
+	"log"
+	"os"
+	"os/signal"
+	"testing"
+	"time"
+
+	"github.com/golang-jwt/jwt/v4"
+	"github.com/stretchr/testify/require"
+
+	"cdr.dev/slog"
+	"cdr.dev/slog/sloggers/sloghuman"
+	"github.com/coder/coder/v2/coderd/coderdtest/oidctest"
+	"github.com/coder/coder/v2/codersdk"
+)
+
+// Flags
+var (
+	expiry       = flag.Duration("expiry", time.Minute*5, "Token expiry")
+	clientID     = flag.String("client-id", "static-client-id", "Client ID, set empty to be random")
+	clientSecret = flag.String("client-sec", "static-client-secret", "Client Secret, set empty to be random")
+	// By default, no regex means it will never match anything. So at least default to matching something.
+	extRegex = flag.String("ext-regex", `^(https?://)?example\.com(/.*)?$`, "External auth regex")
+)
+
+func main() {
+	testing.Init()
+	_ = flag.Set("test.timeout", "0")
+
+	flag.Parse()
+
+	// This is just a way to run tests outside go test
+	testing.Main(func(pat, str string) (bool, error) {
+		return true, nil
+	}, []testing.InternalTest{
+		{
+			Name: "Run Fake IDP",
+			F:    RunIDP(),
+		},
+	}, nil, nil)
+}
+
+type withClientSecret struct {
+	// We never unmarshal this in prod, but we need this field for testing.
+	ClientSecret string `json:"client_secret"`
+	codersdk.ExternalAuthConfig
+}
+
+// RunIDP needs the testing.T because our oidctest package requires the
+// testing.T.
+func RunIDP() func(t *testing.T) {
+	return func(t *testing.T) {
+		idp := oidctest.NewFakeIDP(t,
+			oidctest.WithServing(),
+			oidctest.WithStaticUserInfo(jwt.MapClaims{}),
+			oidctest.WithDefaultIDClaims(jwt.MapClaims{}),
+			oidctest.WithDefaultExpire(*expiry),
+			oidctest.WithStaticCredentials(*clientID, *clientSecret),
+			oidctest.WithIssuer("http://localhost:4500"),
+			oidctest.WithLogger(slog.Make(sloghuman.Sink(os.Stderr))),
+		)
+		id, sec := idp.AppCredentials()
+		prov := idp.WellknownConfig()
+		const appID = "fake"
+		coderCfg := idp.ExternalAuthConfig(t, appID, nil)
+
+		log.Println("IDP Issuer URL", idp.IssuerURL())
+		log.Println("Coderd Flags")
+		deviceCodeURL := ""
+		if coderCfg.DeviceAuth != nil {
+			deviceCodeURL = coderCfg.DeviceAuth.CodeURL
+		}
+		cfg := withClientSecret{
+			ClientSecret: sec,
+			ExternalAuthConfig: codersdk.ExternalAuthConfig{
+				Type:                appID,
+				ClientID:            id,
+				ClientSecret:        sec,
+				ID:                  appID,
+				AuthURL:             prov.AuthURL,
+				TokenURL:            prov.TokenURL,
+				ValidateURL:         prov.ExternalAuthURL,
+				AppInstallURL:       coderCfg.AppInstallURL,
+				AppInstallationsURL: coderCfg.AppInstallationsURL,
+				NoRefresh:           false,
+				Scopes:              []string{"openid", "email", "profile"},
+				ExtraTokenKeys:      coderCfg.ExtraTokenKeys,
+				DeviceFlow:          coderCfg.DeviceAuth != nil,
+				DeviceCodeURL:       deviceCodeURL,
+				Regex:               *extRegex,
+				DisplayName:         coderCfg.DisplayName,
+				DisplayIcon:         coderCfg.DisplayIcon,
+			},
+		}
+		data, err := json.Marshal([]withClientSecret{cfg})
+		require.NoError(t, err)
+		log.Printf(`--external-auth-providers='%s'`, string(data))
+
+		log.Println("Press Ctrl+C to exit")
+		c := make(chan os.Signal, 1)
+		signal.Notify(c, os.Interrupt)
+
+		// Block until ctl+c
+		<-c
+		log.Println("Closing")
+	}
+}