mirror of
https://github.com/coder/coder.git
synced 2025-07-06 15:41:45 +00:00
test: add full OIDC fake IDP (#9317)
* test: implement fake OIDC provider with full functionality * Refactor existing tests
This commit is contained in:
Steven Masley
GitHub
@ -1,25 +1,22 @@
|
||||
package coderd_test
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"io"
|
||||
"net/http"
|
||||
"regexp"
|
||||
"testing"
|
||||
|
||||
"github.com/golang-jwt/jwt"
|
||||
"github.com/google/uuid"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"github.com/golang-jwt/jwt/v4"
|
||||
"github.com/stretchr/testify/require"
|
||||
|
||||
"github.com/coder/coder/v2/coderd"
|
||||
"github.com/coder/coder/v2/coderd/coderdtest"
|
||||
"github.com/coder/coder/v2/coderd/coderdtest/oidctest"
|
||||
"github.com/coder/coder/v2/coderd/database"
|
||||
"github.com/coder/coder/v2/coderd/database/dbauthz"
|
||||
"github.com/coder/coder/v2/coderd/rbac"
|
||||
"github.com/coder/coder/v2/coderd/util/slice"
|
||||
"github.com/coder/coder/v2/codersdk"
|
||||
coderden "github.com/coder/coder/v2/enterprise/coderd"
|
||||
"github.com/coder/coder/v2/enterprise/coderd/coderdenttest"
|
||||
"github.com/coder/coder/v2/enterprise/coderd/license"
|
||||
"github.com/coder/coder/v2/testutil"
|
||||
@ -31,128 +28,123 @@ func TestUserOIDC(t *testing.T) {
|
||||
t.Run("RoleSync", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
// NoRoles is the "control group". It has claims with 0 roles
|
||||
// assigned, and asserts that the user has no roles.
|
||||
t.Run("NoRoles", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
ctx := testutil.Context(t, testutil.WaitMedium)
|
||||
conf := coderdtest.NewOIDCConfig(t, "")
|
||||
|
||||
oidcRoleName := "TemplateAuthor"
|
||||
|
||||
config := conf.OIDCConfig(t, jwt.MapClaims{}, func(cfg *coderd.OIDCConfig) {
|
||||
cfg.UserRoleMapping = map[string][]string{oidcRoleName: {rbac.RoleTemplateAdmin(), rbac.RoleUserAdmin()}}
|
||||
})
|
||||
config.AllowSignups = true
|
||||
config.UserRoleField = "roles"
|
||||
|
||||
client, _ := coderdenttest.New(t, &coderdenttest.Options{
|
||||
Options: &coderdtest.Options{
|
||||
OIDCConfig: config,
|
||||
},
|
||||
LicenseOptions: &coderdenttest.LicenseOptions{
|
||||
Features: license.Features{codersdk.FeatureUserRoleManagement: 1},
|
||||
runner := setupOIDCTest(t, oidcTestConfig{
|
||||
Config: func(cfg *coderd.OIDCConfig) {
|
||||
cfg.AllowSignups = true
|
||||
cfg.UserRoleField = "roles"
|
||||
},
|
||||
})
|
||||
|
||||
admin, err := client.User(ctx, "me")
|
||||
require.NoError(t, err)
|
||||
require.Len(t, admin.OrganizationIDs, 1)
|
||||
|
||||
resp := oidcCallback(t, client, conf.EncodeClaims(t, jwt.MapClaims{
|
||||
claims := jwt.MapClaims{
|
||||
"email": "alice@coder.com",
|
||||
}))
|
||||
require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
|
||||
user, err := client.User(ctx, "alice")
|
||||
require.NoError(t, err)
|
||||
|
||||
require.Len(t, user.Roles, 0)
|
||||
roleNames := []string{}
|
||||
require.ElementsMatch(t, roleNames, []string{})
|
||||
}
|
||||
// Login a new client that signs up
|
||||
client, resp := runner.Login(t, claims)
|
||||
require.Equal(t, http.StatusOK, resp.StatusCode)
|
||||
// User should be in 0 groups.
|
||||
runner.AssertRoles(t, "alice", []string{})
|
||||
// Force a refresh, and assert nothing has changes
|
||||
runner.ForceRefresh(t, client, claims)
|
||||
runner.AssertRoles(t, "alice", []string{})
|
||||
})
|
||||
|
||||
t.Run("NewUserAndRemoveRoles", func(t *testing.T) {
|
||||
// A user has some roles, then on an oauth refresh will lose said
|
||||
// roles from an updated claim.
|
||||
t.Run("NewUserAndRemoveRolesOnRefresh", func(t *testing.T) {
|
||||
// TODO: Implement new feature to update roles/groups on OIDC
|
||||
// refresh tokens. https://github.com/coder/coder/issues/9312
|
||||
t.Skip("Refreshing tokens does not update roles :(")
|
||||
t.Parallel()
|
||||
|
||||
ctx := testutil.Context(t, testutil.WaitMedium)
|
||||
conf := coderdtest.NewOIDCConfig(t, "")
|
||||
|
||||
oidcRoleName := "TemplateAuthor"
|
||||
|
||||
config := conf.OIDCConfig(t, jwt.MapClaims{}, func(cfg *coderd.OIDCConfig) {
|
||||
cfg.UserRoleMapping = map[string][]string{oidcRoleName: {rbac.RoleTemplateAdmin(), rbac.RoleUserAdmin()}}
|
||||
})
|
||||
config.AllowSignups = true
|
||||
config.UserRoleField = "roles"
|
||||
|
||||
client, _ := coderdenttest.New(t, &coderdenttest.Options{
|
||||
Options: &coderdtest.Options{
|
||||
OIDCConfig: config,
|
||||
},
|
||||
LicenseOptions: &coderdenttest.LicenseOptions{
|
||||
Features: license.Features{codersdk.FeatureUserRoleManagement: 1},
|
||||
const oidcRoleName = "TemplateAuthor"
|
||||
runner := setupOIDCTest(t, oidcTestConfig{
|
||||
Userinfo: jwt.MapClaims{oidcRoleName: []string{rbac.RoleTemplateAdmin(), rbac.RoleUserAdmin()}},
|
||||
Config: func(cfg *coderd.OIDCConfig) {
|
||||
cfg.AllowSignups = true
|
||||
cfg.UserRoleField = "roles"
|
||||
cfg.UserRoleMapping = map[string][]string{
|
||||
oidcRoleName: {rbac.RoleTemplateAdmin(), rbac.RoleUserAdmin()},
|
||||
}
|
||||
},
|
||||
})
|
||||
|
||||
admin, err := client.User(ctx, "me")
|
||||
require.NoError(t, err)
|
||||
require.Len(t, admin.OrganizationIDs, 1)
|
||||
|
||||
resp := oidcCallback(t, client, conf.EncodeClaims(t, jwt.MapClaims{
|
||||
// User starts with the owner role
|
||||
client, resp := runner.Login(t, jwt.MapClaims{
|
||||
"email": "alice@coder.com",
|
||||
"roles": []string{"random", oidcRoleName, rbac.RoleOwner()},
|
||||
}))
|
||||
require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
|
||||
_ = resp.Body.Close()
|
||||
user, err := client.User(ctx, "alice")
|
||||
require.NoError(t, err)
|
||||
})
|
||||
require.Equal(t, http.StatusOK, resp.StatusCode)
|
||||
runner.AssertRoles(t, "alice", []string{rbac.RoleTemplateAdmin(), rbac.RoleUserAdmin(), rbac.RoleOwner()})
|
||||
|
||||
require.Len(t, user.Roles, 3)
|
||||
roleNames := []string{user.Roles[0].Name, user.Roles[1].Name, user.Roles[2].Name}
|
||||
require.ElementsMatch(t, roleNames, []string{rbac.RoleTemplateAdmin(), rbac.RoleUserAdmin(), rbac.RoleOwner()})
|
||||
|
||||
// Now remove the roles with a new oidc login
|
||||
resp = oidcCallback(t, client, conf.EncodeClaims(t, jwt.MapClaims{
|
||||
// Now refresh the oauth, and check the roles are removed.
|
||||
// Force a refresh, and assert nothing has changes
|
||||
runner.ForceRefresh(t, client, jwt.MapClaims{
|
||||
"email": "alice@coder.com",
|
||||
"roles": []string{"random"},
|
||||
}))
|
||||
require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
|
||||
_ = resp.Body.Close()
|
||||
user, err = client.User(ctx, "alice")
|
||||
require.NoError(t, err)
|
||||
|
||||
require.Len(t, user.Roles, 0)
|
||||
})
|
||||
runner.AssertRoles(t, "alice", []string{})
|
||||
})
|
||||
|
||||
// A user has some roles, then on another oauth login will lose said
|
||||
// roles from an updated claim.
|
||||
t.Run("NewUserAndRemoveRolesOnReAuth", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
const oidcRoleName = "TemplateAuthor"
|
||||
runner := setupOIDCTest(t, oidcTestConfig{
|
||||
Userinfo: jwt.MapClaims{oidcRoleName: []string{rbac.RoleTemplateAdmin(), rbac.RoleUserAdmin()}},
|
||||
Config: func(cfg *coderd.OIDCConfig) {
|
||||
cfg.AllowSignups = true
|
||||
cfg.UserRoleField = "roles"
|
||||
cfg.UserRoleMapping = map[string][]string{
|
||||
oidcRoleName: {rbac.RoleTemplateAdmin(), rbac.RoleUserAdmin()},
|
||||
}
|
||||
},
|
||||
})
|
||||
|
||||
// User starts with the owner role
|
||||
_, resp := runner.Login(t, jwt.MapClaims{
|
||||
"email": "alice@coder.com",
|
||||
"roles": []string{"random", oidcRoleName, rbac.RoleOwner()},
|
||||
})
|
||||
require.Equal(t, http.StatusOK, resp.StatusCode)
|
||||
runner.AssertRoles(t, "alice", []string{rbac.RoleTemplateAdmin(), rbac.RoleUserAdmin(), rbac.RoleOwner()})
|
||||
|
||||
// Now login with oauth again, and check the roles are removed.
|
||||
_, resp = runner.Login(t, jwt.MapClaims{
|
||||
"email": "alice@coder.com",
|
||||
"roles": []string{"random"},
|
||||
})
|
||||
require.Equal(t, http.StatusOK, resp.StatusCode)
|
||||
|
||||
runner.AssertRoles(t, "alice", []string{})
|
||||
})
|
||||
|
||||
// All manual role updates should fail when role sync is enabled.
|
||||
t.Run("BlockAssignRoles", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
ctx := testutil.Context(t, testutil.WaitMedium)
|
||||
conf := coderdtest.NewOIDCConfig(t, "")
|
||||
|
||||
config := conf.OIDCConfig(t, jwt.MapClaims{})
|
||||
config.AllowSignups = true
|
||||
config.UserRoleField = "roles"
|
||||
|
||||
client, _ := coderdenttest.New(t, &coderdenttest.Options{
|
||||
Options: &coderdtest.Options{
|
||||
OIDCConfig: config,
|
||||
},
|
||||
LicenseOptions: &coderdenttest.LicenseOptions{
|
||||
Features: license.Features{codersdk.FeatureUserRoleManagement: 1},
|
||||
runner := setupOIDCTest(t, oidcTestConfig{
|
||||
Config: func(cfg *coderd.OIDCConfig) {
|
||||
cfg.AllowSignups = true
|
||||
cfg.UserRoleField = "roles"
|
||||
},
|
||||
})
|
||||
|
||||
admin, err := client.User(ctx, "me")
|
||||
require.NoError(t, err)
|
||||
require.Len(t, admin.OrganizationIDs, 1)
|
||||
|
||||
resp := oidcCallback(t, client, conf.EncodeClaims(t, jwt.MapClaims{
|
||||
_, resp := runner.Login(t, jwt.MapClaims{
|
||||
"email": "alice@coder.com",
|
||||
"roles": []string{},
|
||||
}))
|
||||
require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
|
||||
})
|
||||
require.Equal(t, http.StatusOK, resp.StatusCode)
|
||||
// Try to manually update user roles, even though controlled by oidc
|
||||
// role sync.
|
||||
_, err = client.UpdateUserRoles(ctx, "alice", codersdk.UpdateRoles{
|
||||
ctx := testutil.Context(t, testutil.WaitShort)
|
||||
_, err := runner.AdminClient.UpdateUserRoles(ctx, "alice", codersdk.UpdateRoles{
|
||||
Roles: []string{
|
||||
rbac.RoleTemplateAdmin(),
|
||||
},
|
||||
@ -164,199 +156,211 @@ func TestUserOIDC(t *testing.T) {
|
||||
|
||||
t.Run("Groups", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
// Assigns does a simple test of assigning a user to a group based
|
||||
// on the oidc claims.
|
||||
t.Run("Assigns", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
ctx := testutil.Context(t, testutil.WaitLong)
|
||||
conf := coderdtest.NewOIDCConfig(t, "")
|
||||
|
||||
const groupClaim = "custom-groups"
|
||||
config := conf.OIDCConfig(t, jwt.MapClaims{}, func(cfg *coderd.OIDCConfig) {
|
||||
cfg.GroupField = groupClaim
|
||||
})
|
||||
config.AllowSignups = true
|
||||
|
||||
client, _ := coderdenttest.New(t, &coderdenttest.Options{
|
||||
Options: &coderdtest.Options{
|
||||
OIDCConfig: config,
|
||||
},
|
||||
LicenseOptions: &coderdenttest.LicenseOptions{
|
||||
Features: license.Features{codersdk.FeatureTemplateRBAC: 1},
|
||||
const groupName = "bingbong"
|
||||
runner := setupOIDCTest(t, oidcTestConfig{
|
||||
Config: func(cfg *coderd.OIDCConfig) {
|
||||
cfg.AllowSignups = true
|
||||
cfg.GroupField = groupClaim
|
||||
},
|
||||
})
|
||||
|
||||
admin, err := client.User(ctx, "me")
|
||||
require.NoError(t, err)
|
||||
require.Len(t, admin.OrganizationIDs, 1)
|
||||
|
||||
groupName := "bingbong"
|
||||
group, err := client.CreateGroup(ctx, admin.OrganizationIDs[0], codersdk.CreateGroupRequest{
|
||||
ctx := testutil.Context(t, testutil.WaitShort)
|
||||
group, err := runner.AdminClient.CreateGroup(ctx, runner.AdminUser.OrganizationIDs[0], codersdk.CreateGroupRequest{
|
||||
Name: groupName,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
require.Len(t, group.Members, 0)
|
||||
|
||||
resp := oidcCallback(t, client, conf.EncodeClaims(t, jwt.MapClaims{
|
||||
"email": "colin@coder.com",
|
||||
_, resp := runner.Login(t, jwt.MapClaims{
|
||||
"email": "alice@coder.com",
|
||||
groupClaim: []string{groupName},
|
||||
}))
|
||||
assert.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
|
||||
|
||||
group, err = client.Group(ctx, group.ID)
|
||||
require.NoError(t, err)
|
||||
require.Len(t, group.Members, 1)
|
||||
})
|
||||
require.Equal(t, http.StatusOK, resp.StatusCode)
|
||||
runner.AssertGroups(t, "alice", []string{groupName})
|
||||
})
|
||||
|
||||
// Tests the group mapping feature.
|
||||
t.Run("AssignsMapped", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
ctx := testutil.Context(t, testutil.WaitMedium)
|
||||
conf := coderdtest.NewOIDCConfig(t, "")
|
||||
const groupClaim = "custom-groups"
|
||||
|
||||
oidcGroupName := "pingpong"
|
||||
coderGroupName := "bingbong"
|
||||
|
||||
config := conf.OIDCConfig(t, jwt.MapClaims{}, func(cfg *coderd.OIDCConfig) {
|
||||
cfg.GroupMapping = map[string]string{oidcGroupName: coderGroupName}
|
||||
})
|
||||
config.AllowSignups = true
|
||||
|
||||
client, _ := coderdenttest.New(t, &coderdenttest.Options{
|
||||
Options: &coderdtest.Options{
|
||||
OIDCConfig: config,
|
||||
},
|
||||
LicenseOptions: &coderdenttest.LicenseOptions{
|
||||
Features: license.Features{codersdk.FeatureTemplateRBAC: 1},
|
||||
const oidcGroupName = "pingpong"
|
||||
const coderGroupName = "bingbong"
|
||||
runner := setupOIDCTest(t, oidcTestConfig{
|
||||
Config: func(cfg *coderd.OIDCConfig) {
|
||||
cfg.AllowSignups = true
|
||||
cfg.GroupField = groupClaim
|
||||
cfg.GroupMapping = map[string]string{oidcGroupName: coderGroupName}
|
||||
},
|
||||
})
|
||||
|
||||
admin, err := client.User(ctx, "me")
|
||||
require.NoError(t, err)
|
||||
require.Len(t, admin.OrganizationIDs, 1)
|
||||
|
||||
group, err := client.CreateGroup(ctx, admin.OrganizationIDs[0], codersdk.CreateGroupRequest{
|
||||
ctx := testutil.Context(t, testutil.WaitShort)
|
||||
group, err := runner.AdminClient.CreateGroup(ctx, runner.AdminUser.OrganizationIDs[0], codersdk.CreateGroupRequest{
|
||||
Name: coderGroupName,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
require.Len(t, group.Members, 0)
|
||||
|
||||
resp := oidcCallback(t, client, conf.EncodeClaims(t, jwt.MapClaims{
|
||||
"email": "colin@coder.com",
|
||||
"groups": []string{oidcGroupName},
|
||||
}))
|
||||
assert.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
|
||||
|
||||
group, err = client.Group(ctx, group.ID)
|
||||
require.NoError(t, err)
|
||||
require.Len(t, group.Members, 1)
|
||||
_, resp := runner.Login(t, jwt.MapClaims{
|
||||
"email": "alice@coder.com",
|
||||
groupClaim: []string{oidcGroupName},
|
||||
})
|
||||
require.Equal(t, http.StatusOK, resp.StatusCode)
|
||||
runner.AssertGroups(t, "alice", []string{coderGroupName})
|
||||
})
|
||||
|
||||
t.Run("AddThenRemove", func(t *testing.T) {
|
||||
// User is in a group, then on an oauth refresh will lose said
|
||||
// group.
|
||||
t.Run("AddThenRemoveOnRefresh", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
ctx := testutil.Context(t, testutil.WaitLong)
|
||||
conf := coderdtest.NewOIDCConfig(t, "")
|
||||
// TODO: Implement new feature to update roles/groups on OIDC
|
||||
// refresh tokens. https://github.com/coder/coder/issues/9312
|
||||
t.Skip("Refreshing tokens does not update groups :(")
|
||||
|
||||
config := conf.OIDCConfig(t, jwt.MapClaims{})
|
||||
config.AllowSignups = true
|
||||
|
||||
client, firstUser := coderdenttest.New(t, &coderdenttest.Options{
|
||||
Options: &coderdtest.Options{
|
||||
OIDCConfig: config,
|
||||
},
|
||||
LicenseOptions: &coderdenttest.LicenseOptions{
|
||||
Features: license.Features{codersdk.FeatureTemplateRBAC: 1},
|
||||
const groupClaim = "custom-groups"
|
||||
const groupName = "bingbong"
|
||||
runner := setupOIDCTest(t, oidcTestConfig{
|
||||
Config: func(cfg *coderd.OIDCConfig) {
|
||||
cfg.AllowSignups = true
|
||||
cfg.GroupField = groupClaim
|
||||
},
|
||||
})
|
||||
|
||||
// Add some extra users/groups that should be asserted after.
|
||||
// Adding this user as there was a bug that removing 1 user removed
|
||||
// all users from the group.
|
||||
_, extra := coderdtest.CreateAnotherUser(t, client, firstUser.OrganizationID)
|
||||
groupName := "bingbong"
|
||||
group, err := client.CreateGroup(ctx, firstUser.OrganizationID, codersdk.CreateGroupRequest{
|
||||
ctx := testutil.Context(t, testutil.WaitShort)
|
||||
group, err := runner.AdminClient.CreateGroup(ctx, runner.AdminUser.OrganizationIDs[0], codersdk.CreateGroupRequest{
|
||||
Name: groupName,
|
||||
})
|
||||
require.NoError(t, err, "create group")
|
||||
require.NoError(t, err)
|
||||
require.Len(t, group.Members, 0)
|
||||
|
||||
group, err = client.PatchGroup(ctx, group.ID, codersdk.PatchGroupRequest{
|
||||
AddUsers: []string{
|
||||
firstUser.UserID.String(),
|
||||
extra.ID.String(),
|
||||
},
|
||||
client, resp := runner.Login(t, jwt.MapClaims{
|
||||
"email": "alice@coder.com",
|
||||
groupClaim: []string{groupName},
|
||||
})
|
||||
require.NoError(t, err, "patch group")
|
||||
require.Len(t, group.Members, 2, "expect both members")
|
||||
require.Equal(t, http.StatusOK, resp.StatusCode)
|
||||
runner.AssertGroups(t, "alice", []string{groupName})
|
||||
|
||||
// Now add OIDC user into the group
|
||||
resp := oidcCallback(t, client, conf.EncodeClaims(t, jwt.MapClaims{
|
||||
"email": "colin@coder.com",
|
||||
"groups": []string{groupName},
|
||||
}))
|
||||
assert.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
|
||||
|
||||
group, err = client.Group(ctx, group.ID)
|
||||
require.NoError(t, err)
|
||||
require.Len(t, group.Members, 3)
|
||||
|
||||
// Login to remove the OIDC user from the group
|
||||
resp = oidcCallback(t, client, conf.EncodeClaims(t, jwt.MapClaims{
|
||||
"email": "colin@coder.com",
|
||||
"groups": []string{},
|
||||
}))
|
||||
assert.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
|
||||
|
||||
group, err = client.Group(ctx, group.ID)
|
||||
require.NoError(t, err)
|
||||
require.Len(t, group.Members, 2)
|
||||
var expected []uuid.UUID
|
||||
for _, mem := range group.Members {
|
||||
expected = append(expected, mem.ID)
|
||||
}
|
||||
require.ElementsMatchf(t, expected, []uuid.UUID{firstUser.UserID, extra.ID}, "expected members")
|
||||
// Refresh without the group claim
|
||||
runner.ForceRefresh(t, client, jwt.MapClaims{
|
||||
"email": "alice@coder.com",
|
||||
})
|
||||
runner.AssertGroups(t, "alice", []string{})
|
||||
})
|
||||
|
||||
t.Run("AddThenRemoveOnReAuth", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
const groupClaim = "custom-groups"
|
||||
const groupName = "bingbong"
|
||||
runner := setupOIDCTest(t, oidcTestConfig{
|
||||
Config: func(cfg *coderd.OIDCConfig) {
|
||||
cfg.AllowSignups = true
|
||||
cfg.GroupField = groupClaim
|
||||
},
|
||||
})
|
||||
|
||||
ctx := testutil.Context(t, testutil.WaitShort)
|
||||
group, err := runner.AdminClient.CreateGroup(ctx, runner.AdminUser.OrganizationIDs[0], codersdk.CreateGroupRequest{
|
||||
Name: groupName,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
require.Len(t, group.Members, 0)
|
||||
|
||||
_, resp := runner.Login(t, jwt.MapClaims{
|
||||
"email": "alice@coder.com",
|
||||
groupClaim: []string{groupName},
|
||||
})
|
||||
require.Equal(t, http.StatusOK, resp.StatusCode)
|
||||
runner.AssertGroups(t, "alice", []string{groupName})
|
||||
|
||||
// Refresh without the group claim
|
||||
_, resp = runner.Login(t, jwt.MapClaims{
|
||||
"email": "alice@coder.com",
|
||||
})
|
||||
require.Equal(t, http.StatusOK, resp.StatusCode)
|
||||
runner.AssertGroups(t, "alice", []string{})
|
||||
})
|
||||
|
||||
// Updating groups where the claimed group does not exist.
|
||||
t.Run("NoneMatch", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
ctx := testutil.Context(t, testutil.WaitLong)
|
||||
conf := coderdtest.NewOIDCConfig(t, "")
|
||||
|
||||
config := conf.OIDCConfig(t, jwt.MapClaims{})
|
||||
config.AllowSignups = true
|
||||
|
||||
client, _ := coderdenttest.New(t, &coderdenttest.Options{
|
||||
Options: &coderdtest.Options{
|
||||
OIDCConfig: config,
|
||||
},
|
||||
LicenseOptions: &coderdenttest.LicenseOptions{
|
||||
Features: license.Features{codersdk.FeatureTemplateRBAC: 1},
|
||||
const groupClaim = "custom-groups"
|
||||
runner := setupOIDCTest(t, oidcTestConfig{
|
||||
Config: func(cfg *coderd.OIDCConfig) {
|
||||
cfg.AllowSignups = true
|
||||
cfg.GroupField = groupClaim
|
||||
},
|
||||
})
|
||||
|
||||
admin, err := client.User(ctx, "me")
|
||||
require.NoError(t, err)
|
||||
require.Len(t, admin.OrganizationIDs, 1)
|
||||
|
||||
groupName := "bingbong"
|
||||
group, err := client.CreateGroup(ctx, admin.OrganizationIDs[0], codersdk.CreateGroupRequest{
|
||||
Name: groupName,
|
||||
_, resp := runner.Login(t, jwt.MapClaims{
|
||||
"email": "alice@coder.com",
|
||||
groupClaim: []string{"not-exists"},
|
||||
})
|
||||
require.NoError(t, err)
|
||||
require.Len(t, group.Members, 0)
|
||||
require.Equal(t, http.StatusOK, resp.StatusCode)
|
||||
runner.AssertGroups(t, "alice", []string{})
|
||||
})
|
||||
|
||||
resp := oidcCallback(t, client, conf.EncodeClaims(t, jwt.MapClaims{
|
||||
"email": "colin@coder.com",
|
||||
"groups": []string{"coolin"},
|
||||
}))
|
||||
assert.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
|
||||
// Updating groups where the claimed group does not exist creates
|
||||
// the group.
|
||||
t.Run("AutoCreate", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
group, err = client.Group(ctx, group.ID)
|
||||
require.NoError(t, err)
|
||||
require.Len(t, group.Members, 0)
|
||||
const groupClaim = "custom-groups"
|
||||
const groupName = "make-me"
|
||||
runner := setupOIDCTest(t, oidcTestConfig{
|
||||
Config: func(cfg *coderd.OIDCConfig) {
|
||||
cfg.AllowSignups = true
|
||||
cfg.GroupField = groupClaim
|
||||
cfg.CreateMissingGroups = true
|
||||
},
|
||||
})
|
||||
|
||||
_, resp := runner.Login(t, jwt.MapClaims{
|
||||
"email": "alice@coder.com",
|
||||
groupClaim: []string{groupName},
|
||||
})
|
||||
require.Equal(t, http.StatusOK, resp.StatusCode)
|
||||
runner.AssertGroups(t, "alice", []string{groupName})
|
||||
})
|
||||
})
|
||||
|
||||
t.Run("Refresh", func(t *testing.T) {
|
||||
t.Run("RefreshTokensMultiple", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
runner := setupOIDCTest(t, oidcTestConfig{
|
||||
Config: func(cfg *coderd.OIDCConfig) {
|
||||
cfg.AllowSignups = true
|
||||
cfg.UserRoleField = "roles"
|
||||
},
|
||||
})
|
||||
|
||||
claims := jwt.MapClaims{
|
||||
"email": "alice@coder.com",
|
||||
}
|
||||
// Login a new client that signs up
|
||||
client, resp := runner.Login(t, claims)
|
||||
require.Equal(t, http.StatusOK, resp.StatusCode)
|
||||
|
||||
// Refresh multiple times.
|
||||
for i := 0; i < 3; i++ {
|
||||
runner.ForceRefresh(t, client, claims)
|
||||
}
|
||||
})
|
||||
})
|
||||
}
|
||||
|
||||
// nolint:bodyclose
|
||||
func TestGroupSync(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
@ -470,28 +474,20 @@ func TestGroupSync(t *testing.T) {
|
||||
tc := tc
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
t.Parallel()
|
||||
ctx := testutil.Context(t, testutil.WaitLong)
|
||||
conf := coderdtest.NewOIDCConfig(t, "")
|
||||
|
||||
config := conf.OIDCConfig(t, jwt.MapClaims{}, tc.modCfg)
|
||||
|
||||
client, _, api, _ := coderdenttest.NewWithAPI(t, &coderdenttest.Options{
|
||||
Options: &coderdtest.Options{
|
||||
OIDCConfig: config,
|
||||
},
|
||||
LicenseOptions: &coderdenttest.LicenseOptions{
|
||||
Features: license.Features{codersdk.FeatureTemplateRBAC: 1},
|
||||
runner := setupOIDCTest(t, oidcTestConfig{
|
||||
Config: func(cfg *coderd.OIDCConfig) {
|
||||
cfg.GroupField = "groups"
|
||||
tc.modCfg(cfg)
|
||||
},
|
||||
})
|
||||
|
||||
admin, err := client.User(ctx, "me")
|
||||
require.NoError(t, err)
|
||||
require.Len(t, admin.OrganizationIDs, 1)
|
||||
|
||||
// Setup
|
||||
ctx := testutil.Context(t, testutil.WaitLong)
|
||||
org := runner.AdminUser.OrganizationIDs[0]
|
||||
|
||||
initialGroups := make(map[string]codersdk.Group)
|
||||
for _, group := range tc.initialOrgGroups {
|
||||
newGroup, err := client.CreateGroup(ctx, admin.OrganizationIDs[0], codersdk.CreateGroupRequest{
|
||||
newGroup, err := runner.AdminClient.CreateGroup(ctx, org, codersdk.CreateGroupRequest{
|
||||
Name: group,
|
||||
})
|
||||
require.NoError(t, err)
|
||||
@ -500,16 +496,16 @@ func TestGroupSync(t *testing.T) {
|
||||
}
|
||||
|
||||
// Create the user and add them to their initial groups
|
||||
_, user := coderdtest.CreateAnotherUser(t, client, admin.OrganizationIDs[0])
|
||||
_, user := coderdtest.CreateAnotherUser(t, runner.AdminClient, org)
|
||||
for _, group := range tc.initialUserGroups {
|
||||
_, err := client.PatchGroup(ctx, initialGroups[group].ID, codersdk.PatchGroupRequest{
|
||||
_, err := runner.AdminClient.PatchGroup(ctx, initialGroups[group].ID, codersdk.PatchGroupRequest{
|
||||
AddUsers: []string{user.ID.String()},
|
||||
})
|
||||
require.NoError(t, err)
|
||||
}
|
||||
|
||||
// nolint:gocritic
|
||||
_, err = api.Database.UpdateUserLoginType(dbauthz.AsSystemRestricted(ctx), database.UpdateUserLoginTypeParams{
|
||||
_, err := runner.API.Database.UpdateUserLoginType(dbauthz.AsSystemRestricted(ctx), database.UpdateUserLoginTypeParams{
|
||||
NewLoginType: database.LoginTypeOIDC,
|
||||
UserID: user.ID,
|
||||
})
|
||||
@ -517,11 +513,11 @@ func TestGroupSync(t *testing.T) {
|
||||
|
||||
// Log in the new user
|
||||
tc.claims["email"] = user.Email
|
||||
resp := oidcCallback(t, client, conf.EncodeClaims(t, tc.claims))
|
||||
assert.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
|
||||
_ = resp.Body.Close()
|
||||
_, resp := runner.Login(t, tc.claims)
|
||||
require.Equal(t, http.StatusOK, resp.StatusCode)
|
||||
|
||||
orgGroups, err := client.GroupsByOrganization(ctx, admin.OrganizationIDs[0])
|
||||
// Check group sources
|
||||
orgGroups, err := runner.AdminClient.GroupsByOrganization(ctx, org)
|
||||
require.NoError(t, err)
|
||||
|
||||
for _, group := range orgGroups {
|
||||
@ -567,24 +563,107 @@ func TestGroupSync(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func oidcCallback(t *testing.T, client *codersdk.Client, code string) *http.Response {
|
||||
t.Helper()
|
||||
client.HTTPClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {
|
||||
return http.ErrUseLastResponse
|
||||
}
|
||||
oauthURL, err := client.URL.Parse(fmt.Sprintf("/api/v2/users/oidc/callback?code=%s&state=somestate", code))
|
||||
require.NoError(t, err)
|
||||
req, err := http.NewRequestWithContext(context.Background(), "GET", oauthURL.String(), nil)
|
||||
require.NoError(t, err)
|
||||
req.AddCookie(&http.Cookie{
|
||||
Name: codersdk.OAuth2StateCookie,
|
||||
Value: "somestate",
|
||||
})
|
||||
res, err := client.HTTPClient.Do(req)
|
||||
require.NoError(t, err)
|
||||
defer res.Body.Close()
|
||||
data, err := io.ReadAll(res.Body)
|
||||
require.NoError(t, err)
|
||||
t.Log(string(data))
|
||||
return res
|
||||
// oidcTestRunner is just a helper to setup and run oidc tests.
|
||||
// An actual Coderd instance is used to run the tests.
|
||||
type oidcTestRunner struct {
|
||||
AdminClient *codersdk.Client
|
||||
AdminUser codersdk.User
|
||||
API *coderden.API
|
||||
|
||||
// Login will call the OIDC flow with an unauthenticated client.
|
||||
// The IDP will return the idToken claims.
|
||||
Login func(t *testing.T, idToken jwt.MapClaims) (*codersdk.Client, *http.Response)
|
||||
// ForceRefresh will use an authenticated codersdk.Client, and force their
|
||||
// OIDC token to be expired and require a refresh. The refresh will use the claims provided.
|
||||
// It just calls the /users/me endpoint to trigger the refresh.
|
||||
ForceRefresh func(t *testing.T, client *codersdk.Client, idToken jwt.MapClaims)
|
||||
}
|
||||
|
||||
type oidcTestConfig struct {
|
||||
Userinfo jwt.MapClaims
|
||||
|
||||
// Config allows modifying the Coderd OIDC configuration.
|
||||
Config func(cfg *coderd.OIDCConfig)
|
||||
}
|
||||
|
||||
func (r *oidcTestRunner) AssertRoles(t *testing.T, userIdent string, roles []string) {
|
||||
t.Helper()
|
||||
|
||||
ctx := testutil.Context(t, testutil.WaitMedium)
|
||||
user, err := r.AdminClient.User(ctx, userIdent)
|
||||
require.NoError(t, err)
|
||||
|
||||
roleNames := []string{}
|
||||
for _, role := range user.Roles {
|
||||
roleNames = append(roleNames, role.Name)
|
||||
}
|
||||
require.ElementsMatch(t, roles, roleNames, "expected roles")
|
||||
}
|
||||
|
||||
func (r *oidcTestRunner) AssertGroups(t *testing.T, userIdent string, groups []string) {
|
||||
t.Helper()
|
||||
|
||||
if !slice.Contains(groups, database.EveryoneGroup) {
|
||||
var cpy []string
|
||||
cpy = append(cpy, groups...)
|
||||
// always include everyone group
|
||||
cpy = append(cpy, database.EveryoneGroup)
|
||||
groups = cpy
|
||||
}
|
||||
ctx := testutil.Context(t, testutil.WaitMedium)
|
||||
user, err := r.AdminClient.User(ctx, userIdent)
|
||||
require.NoError(t, err)
|
||||
|
||||
allGroups, err := r.AdminClient.GroupsByOrganization(ctx, user.OrganizationIDs[0])
|
||||
require.NoError(t, err)
|
||||
|
||||
userInGroups := []string{}
|
||||
for _, g := range allGroups {
|
||||
for _, mem := range g.Members {
|
||||
if mem.ID == user.ID {
|
||||
userInGroups = append(userInGroups, g.Name)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
require.ElementsMatch(t, groups, userInGroups, "expected groups")
|
||||
}
|
||||
|
||||
func setupOIDCTest(t *testing.T, settings oidcTestConfig) *oidcTestRunner {
|
||||
t.Helper()
|
||||
|
||||
fake := oidctest.NewFakeIDP(t,
|
||||
oidctest.WithStaticUserInfo(settings.Userinfo),
|
||||
oidctest.WithLogging(t, nil),
|
||||
// Run fake IDP on a real webserver
|
||||
oidctest.WithServing(),
|
||||
)
|
||||
|
||||
ctx := testutil.Context(t, testutil.WaitMedium)
|
||||
cfg := fake.OIDCConfig(t, nil, settings.Config)
|
||||
owner, _, api, _ := coderdenttest.NewWithAPI(t, &coderdenttest.Options{
|
||||
Options: &coderdtest.Options{
|
||||
OIDCConfig: cfg,
|
||||
},
|
||||
LicenseOptions: &coderdenttest.LicenseOptions{
|
||||
Features: license.Features{
|
||||
codersdk.FeatureUserRoleManagement: 1,
|
||||
codersdk.FeatureTemplateRBAC: 1,
|
||||
},
|
||||
},
|
||||
})
|
||||
admin, err := owner.User(ctx, "me")
|
||||
require.NoError(t, err)
|
||||
|
||||
helper := oidctest.NewLoginHelper(owner, fake)
|
||||
|
||||
return &oidcTestRunner{
|
||||
AdminClient: owner,
|
||||
AdminUser: admin,
|
||||
API: api,
|
||||
Login: helper.Login,
|
||||
ForceRefresh: func(t *testing.T, client *codersdk.Client, idToken jwt.MapClaims) {
|
||||
helper.ForceRefresh(t, api.Database, client, idToken)
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user