This commit:
- Allows configuring the OIDC claim Coder uses for email addresses (by default, this is still email)
- Allows customising the parameters sent to the upstream identity provider when requesting a token. This is still access_type=offline by default.
- Updates documentation related to the above.
* feat: Allow changing the 'group' oidc claim field
* Enable empty groups support
* fix: Delete was wiping all groups, not just the single user's groups
* Update docs
* fix: Dbfake delete group member fixed
- rbac: export rbac.Permissions
- dbauthz: move GetDeploymentDAUs, GetTemplateDAUs,
GetTemplateAverageBuildTime from querier.go to system.go
and removes auth checks
- dbauthz: remove AsSystem(), add individual roles for
autostart, provisionerd, add restricted system role for
everything else
* fix: allow disabling all password auth even if owner
Removes any and all ability to auth with a password.
* Hide create user if password auth is disabled
feat: Add initial AuthzQuerier implementation
- Adds package database/dbauthz that adds a database.Store implementation where each method goes through AuthZ checks
- Implements all database.Store methods on AuthzQuerier
- Updates and fixes unit tests where required
- Updates coderd initialization to use AuthzQuerier if codersdk.ExperimentAuthzQuerier is enabled
* added migration for api key resource
* sort of working
* auditing login
* passing the correct user id
* added and fixed tests
* gen documentation
* formatting and lint
* lint
* audit Github oauth and write tests
* audit oauth and write tests
* added defer fn for login error auditing
* fixed test
* feat: audit logout (#5998)
* Update coderd/userauth.go
Co-authored-by: Steven Masley <Emyrk@users.noreply.github.com>
* fix test
* bypassing diff generation if login/logout
* lint
---------
Co-authored-by: Steven Masley <Emyrk@users.noreply.github.com>
Adds a flag --disable-password-auth that prevents the password login
endpoint from working unless the user has the "owner" (aka. site admin)
role.
Adds a subcommand `coder server create-admin-user` which creates a user
directly in the database with the "owner" role, the "admin" role in
every organization, and password auth. This is to avoid lock-out
situations where all accounts have the login type set to an identity
provider and nobody can login.
* Allow hiding password entry, changing OpenID Connect text and OpenID Connect icon
* Docs
* Cleaning
* Fix Prettier and Go test and TS compile error
* Fix LoginPage test
* Prettier
* Fix storybook
* Add query param to un-hide password auth
* Cleaning
* Hide password by default when OIDC enabled
* Ran prettier, updated goldenfiles and ran "make gen"
* Fixed and added LoginPage test
* Ran prettier
* PR Feedback and split up SignInForm.tsx
* Updated golden files
* Fix auto-genned-files
* make gen -B
* Revert provisioner files?
* Fix lint error
---------
Co-authored-by: Kyle Carberry <kyle@coder.com>
* Adds a configuration knob CODER_OIDC_IGNORE_EMAIL_VERIFIED that allows
ignoring the email_verified OIDC claim
* Adds warning message at startup if CODER_OIDC_IGNORE_EMAIL_VERIFIED=true
* Adds warning whenever an unverified OIDC email is let through
* Skips flaky test on non-linux platforms
Co-authored-by: Mathias Fredriksson <mafredri@gmail.com>
- With the support of OIDC we began processing updates to a user's
email and username to stay in sync with the upstream provider. This
can cause issues in templates that use the user's username as a stable
identifier, potentially causing the deletion of user's home volumes.
- Fix some faulty error wrapping.
- move OAuth-related fields off of api_keys into a new user_links table
- restrict users to single form of login
- process updates to user email/usernames for OIDC
- added a login_type column to users
This was using the incorrect GitHub endpoint prior, which fetched a team
by slug. Any user in a GitHub organization can view all teams, so this
didn't block signups like intended.
I've verified this API returns an error when the calling user is not a
member of the team requested.
Fixes#3105.
