feat: Add allowlist of GitHub teams for OAuth (#2849)

Fixes #2848.
2025-07-09 11:45:56 +00:00 · 2022-07-08 21:37:18 -05:00
parent c801da45f3
commit dff6e97f83
5 changed files with 134 additions and 3 deletions
--- a/coderd/database/db_test.go
+++ b/coderd/database/db_test.go
@ -14,6 +14,9 @@ import (

 func TestNestedInTx(t *testing.T) {
 	t.Parallel()
+	if testing.Short() {
+		t.SkipNow()
+	}

 	uid := uuid.New()
 	sqlDB := testSQLDB(t)
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
@ -17,15 +17,23 @@ import (
 	"github.com/coder/coder/codersdk"
 )

+// GithubOAuth2Team represents a team scoped to an organization.
+type GithubOAuth2Team struct {
+	Organization string
+	Slug         string
+}
+
 // GithubOAuth2Provider exposes required functions for the Github authentication flow.
 type GithubOAuth2Config struct {
 	httpmw.OAuth2Config
 	AuthenticatedUser           func(ctx context.Context, client *http.Client) (*github.User, error)
 	ListEmails                  func(ctx context.Context, client *http.Client) ([]*github.UserEmail, error)
 	ListOrganizationMemberships func(ctx context.Context, client *http.Client) ([]*github.Membership, error)
+	ListTeams                   func(ctx context.Context, client *http.Client, org string) ([]*github.Team, error)

 	AllowSignups       bool
 	AllowOrganizations []string
+	AllowTeams         []GithubOAuth2Team
 }

 func (api *API) userAuthMethods(rw http.ResponseWriter, _ *http.Request) {
@ -64,6 +72,41 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 		return
 	}

+	// The default if no teams are specified is to allow all.
+	if len(api.GithubOAuth2Config.AllowTeams) > 0 {
+		teams, err := api.GithubOAuth2Config.ListTeams(r.Context(), oauthClient, *selectedMembership.Organization.Login)
+		if err != nil {
+			httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
+				Message: "Failed to fetch teams from GitHub.",
+				Detail:  err.Error(),
+			})
+			return
+		}
+
+		var allowedTeam *github.Team
+		for _, team := range teams {
+			for _, allowTeam := range api.GithubOAuth2Config.AllowTeams {
+				if allowTeam.Organization != *selectedMembership.Organization.Login {
+					// This needs to continue because multiple organizations
+					// could exist in the allow/team listings.
+					continue
+				}
+				if allowTeam.Slug != *team.Slug {
+					continue
+				}
+				allowedTeam = team
+				break
+			}
+		}
+
+		if allowedTeam == nil {
+			httpapi.Write(rw, http.StatusUnauthorized, httpapi.Response{
+				Message: fmt.Sprintf("You aren't a member of an authorized team in the %s Github organization!", *selectedMembership.Organization.Login),
+			})
+			return
+		}
+	}
+
 	emails, err := api.GithubOAuth2Config.ListEmails(r.Context(), oauthClient)
 	if err != nil {
 		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
--- a/coderd/userauth_test.go
+++ b/coderd/userauth_test.go
@ -73,6 +73,30 @@ func TestUserOAuth2Github(t *testing.T) {
 		resp := oauth2Callback(t, client)
 		require.Equal(t, http.StatusUnauthorized, resp.StatusCode)
 	})
+	t.Run("NotInAllowedTeam", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{
+			GithubOAuth2Config: &coderd.GithubOAuth2Config{
+				AllowOrganizations: []string{"coder"},
+				AllowTeams:         []coderd.GithubOAuth2Team{{"another", "something"}, {"coder", "frontend"}},
+				OAuth2Config:       &oauth2Config{},
+				ListOrganizationMemberships: func(ctx context.Context, client *http.Client) ([]*github.Membership, error) {
+					return []*github.Membership{{
+						Organization: &github.Organization{
+							Login: github.String("coder"),
+						},
+					}}, nil
+				},
+				ListTeams: func(ctx context.Context, client *http.Client, org string) ([]*github.Team, error) {
+					return []*github.Team{{
+						Slug: github.String("nope"),
+					}}, nil
+				},
+			},
+		})
+		resp := oauth2Callback(t, client)
+		require.Equal(t, http.StatusUnauthorized, resp.StatusCode)
+	})
 	t.Run("UnverifiedEmail", func(t *testing.T) {
 		t.Parallel()
 		client := coderdtest.New(t, &coderdtest.Options{
@ -184,6 +208,43 @@ func TestUserOAuth2Github(t *testing.T) {
 		resp := oauth2Callback(t, client)
 		require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
 	})
+	t.Run("SignupAllowedTeam", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{
+			GithubOAuth2Config: &coderd.GithubOAuth2Config{
+				AllowSignups:       true,
+				AllowOrganizations: []string{"coder"},
+				AllowTeams:         []coderd.GithubOAuth2Team{{"coder", "frontend"}},
+				OAuth2Config:       &oauth2Config{},
+				ListOrganizationMemberships: func(ctx context.Context, client *http.Client) ([]*github.Membership, error) {
+					return []*github.Membership{{
+						Organization: &github.Organization{
+							Login: github.String("coder"),
+						},
+					}}, nil
+				},
+				ListTeams: func(ctx context.Context, client *http.Client, org string) ([]*github.Team, error) {
+					return []*github.Team{{
+						Slug: github.String("frontend"),
+					}}, nil
+				},
+				AuthenticatedUser: func(ctx context.Context, client *http.Client) (*github.User, error) {
+					return &github.User{
+						Login: github.String("kyle"),
+					}, nil
+				},
+				ListEmails: func(ctx context.Context, client *http.Client) ([]*github.UserEmail, error) {
+					return []*github.UserEmail{{
+						Email:    github.String("kyle@coder.com"),
+						Verified: github.Bool(true),
+						Primary:  github.Bool(true),
+					}}, nil
+				},
+			},
+		})
+		resp := oauth2Callback(t, client)
+		require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
+	})
 }

 func oauth2Callback(t *testing.T, client *codersdk.Client) *http.Response {