synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-23 21:32:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: Validate Git tokens before consuming them (#5167)

Browse Source 
* feat: Validate Git tokens before consuming them

This works the exact same way that the Git credential manager does. It ensures the user token is valid before returning it to the client.

It's been manually tested on GitHub, GitLab, and BitBucket.

* Fix requested changes
This commit is contained in:
Kyle Carberry
2022-11-29 19:08:27 +01:00
committed by GitHub
parent a8f5af1245
commit 8b73844f69
8 changed files with 149 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
coderd/gitauth/config.go
View File

@ -28,6 +28,10 @@ type Config struct {
// Some organizations have security policies that require
// re-authentication for every token.
NoRefresh bool
// ValidateURL ensures an access token is valid before
// returning it to the user. If omitted, tokens will
// not be validated before being returned.
ValidateURL string
}
// ConvertConfig converts the YAML configuration entry to the
@ -101,6 +105,9 @@ func ConvertConfig(entries []codersdk.GitAuthConfig, accessURL *url.URL) ([]*Con
if entry.Scopes != nil && len(entry.Scopes) > 0 {
oauth2Config.Scopes = entry.Scopes
}
if entry.ValidateURL == "" {
entry.ValidateURL = validateURL[typ]
}
var oauthConfig httpmw.OAuth2Config = oauth2Config
// Azure DevOps uses JWT token authentication!
@ -114,6 +121,7 @@ func ConvertConfig(entries []codersdk.GitAuthConfig, accessURL *url.URL) ([]*Con
Regex: regex,
Type: typ,
NoRefresh: entry.NoRefresh,
ValidateURL: validateURL[typ],
})
}
return configs, nil

9
coderd/gitauth/oauth.go
View File

@ -29,10 +29,17 @@ var endpoint = map[codersdk.GitProvider]oauth2.Endpoint{
codersdk.GitProviderGitHub: github.Endpoint,
}
// validateURL contains defaults for each provider.
var validateURL = map[codersdk.GitProvider]string{
codersdk.GitProviderGitHub: "https://api.github.com/user",
codersdk.GitProviderGitLab: "https://gitlab.com/oauth/token/info",
codersdk.GitProviderBitBucket: "https://api.bitbucket.org/2.0/user",
}
// scope contains defaults for each Git provider.
var scope = map[codersdk.GitProvider][]string{
codersdk.GitProviderAzureDevops: {"vso.code_write"},
codersdk.GitProviderBitBucket: {"repository:write"},
codersdk.GitProviderBitBucket: {"account", "repository:write"},
codersdk.GitProviderGitLab: {"write_repository"},
codersdk.GitProviderGitHub: {"repo"},
}