OAuth now uses client TLS certs (if configured) (#5042)
* OAuth now uses client TLS certs (if configured) * Update docs * Cleaning * Fix lint errors and generate static files * Fix lint error and regenerate more static files * Suppress lint error
This commit is contained in:
parent
49c7648af5
commit
9578ce9f77
@ -282,6 +282,16 @@ func newConfig() *codersdk.DeploymentConfig {
Flag: "tls-min-version",
|
||||
Default: "tls12",
|
||||
},
|
||||
ClientCertFile: &codersdk.DeploymentConfigField[string]{
|
||||
Name: "TLS Client Cert File",
|
||||
Usage: "Path to certificate for client TLS authentication. It requires a PEM-encoded file.",
|
||||
Flag: "tls-client-cert-file",
|
||||
},
|
||||
ClientKeyFile: &codersdk.DeploymentConfigField[string]{
|
||||
Name: "TLS Client Key File",
|
||||
Usage: "Path to key for client TLS authentication. It requires a PEM-encoded file.",
|
||||
Flag: "tls-client-key-file",
|
||||
},
|
||||
},
|
||||
Trace: &codersdk.TraceConfig{
|
||||
Enable: &codersdk.DeploymentConfigField[bool]{
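Review bot: The Usage strings on the new ClientCertFile and ClientKeyFile fields say "client TLS authentication" without saying which side is the client: they sit next to `--tls-client-auth` and `--tls-client-ca-file`, which configure how this server verifies connecting clients, while these two files are the identity this server presents outbound to the OIDC provider (the only consumer visible in this diff). Suggest `Usage: "Path to the PEM-encoded certificate Coder presents to the OIDC provider for mutual TLS."` and the matching wording for the key, so an operator does not set them expecting browser client-certificate authentication. It is also worth stating in the Usage that these options take effect independently of `--tls-enable`, since the loading code in cli/server.go checks only the two file paths.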
@ -392,6 +392,11 @@ func Server(vip *viper.Viper, newAPI func(context.Context, *coderd.Options) (*co
return xerrors.Errorf("OIDC issuer URL must be set!")
|
||||
}
|
||||
|
||||
ctx, err := handleOauth2ClientCertificates(ctx, cfg)
|
||||
if err != nil {
|
||||
return xerrors.Errorf("configure oidc client certificates: %w", err)
|
||||
}
|
||||
|
||||
oidcProvider, err := oidc.NewProvider(ctx, cfg.OIDC.IssuerURL.Value)
|
||||
if err != nil {
|
||||
return xerrors.Errorf("configure oidc provider: %w", err)
@ -1249,3 +1254,21 @@ func startBuiltinPostgres(ctx context.Context, cfg config.Root, logger slog.Logg
}
|
||||
return connectionURL, ep.Stop, nil
|
||||
}
|
||||
|
||||
func handleOauth2ClientCertificates(ctx context.Context, cfg *codersdk.DeploymentConfig) (context.Context, error) {
|
||||
if cfg.TLS.ClientCertFile.Value != "" && cfg.TLS.ClientKeyFile.Value != "" {
|
||||
certificates, err := loadCertificates([]string{cfg.TLS.ClientCertFile.Value}, []string{cfg.TLS.ClientKeyFile.Value})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return context.WithValue(ctx, oauth2.HTTPClient, &http.Client{
|
||||
Transport: &http.Transport{
|
||||
TLSClientConfig: &tls.Config{ //nolint:gosec
|
||||
Certificates: certificates,
|
||||
},
|
||||
},
|
||||
}), nil
|
||||
}
|
||||
return ctx, nil
|
||||
}
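Review bot: The `//nolint:gosec` on the tls.Config inside handleOauth2ClientCertificates suppresses the missing-MinVersion finding instead of fixing it; the server side already enforces `--tls-min-version` (default tls12), so the outbound client should set `MinVersion: tls.VersionTLS12` too and the nolint can be dropped. Two related points in the same function: the `&&` guard means a deployment that sets only one of CODER_TLS_CLIENT_CERT_FILE / CODER_TLS_CLIENT_KEY_FILE silently continues without mutual TLS, where an error would surface the misconfiguration at startup; and a bare `&http.Transport{}` discards the defaults of http.DefaultTransport (proxy from environment, dial and TLS handshake timeouts), which cloning it preserves. Separately, the earlier hunk assigns the result with `ctx, err :=` inside the OIDC block, so if `ctx` is declared in the enclosing Server function this is a block-scoped copy; whether the later oauth2 token exchange receives this client is outside the diff and worth confirming, otherwise only discovery and JWKS fetches would use the client certificate.
```go
func handleOauth2ClientCertificates(ctx context.Context, cfg *codersdk.DeploymentConfig) (context.Context, error) {
	certFile, keyFile := cfg.TLS.ClientCertFile.Value, cfg.TLS.ClientKeyFile.Value
	if certFile == "" && keyFile == "" {
		return ctx, nil
	}
	// Refuse a half-configured pair instead of silently skipping mutual TLS.
	if certFile == "" || keyFile == "" {
		return nil, xerrors.New("--tls-client-cert-file and --tls-client-key-file must be set together")
	}
	certificates, err := loadCertificates([]string{certFile}, []string{keyFile})
	if err != nil {
		return nil, err
	}
	// Start from the default transport so proxy settings and dial/handshake
	// timeouts are kept; only the TLS client identity and floor are overridden.
	transport := http.DefaultTransport.(*http.Transport).Clone()
	transport.TLSClientConfig = &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: certificates,
	}
	return context.WithValue(ctx, oauth2.HTTPClient, &http.Client{Transport: transport}), nil
}
```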
@ -177,6 +177,14 @@ Flags:
used for checking the authenticity of
|
||||
client
|
||||
Consumes $CODER_TLS_CLIENT_CA_FILE
|
||||
--tls-client-cert-file string Path to certificate for client TLS
|
||||
authentication. It requires a PEM-encoded
|
||||
file.
|
||||
Consumes $CODER_TLS_CLIENT_CERT_FILE
|
||||
--tls-client-key-file string Path to key for client TLS
|
||||
authentication. It requires a PEM-encoded
|
||||
file.
|
||||
Consumes $CODER_TLS_CLIENT_KEY_FILE
|
||||
--tls-enable Whether TLS will be enabled.
|
||||
Consumes $CODER_TLS_ENABLE
|
||||
--tls-key-file strings Paths to the private keys for each of the
@ -101,12 +101,14 @@ type TelemetryConfig struct {
}
|
||||
|
||||
type TLSConfig struct {
|
||||
Enable *DeploymentConfigField[bool] `json:"enable" typescript:",notnull"`
|
||||
CertFiles *DeploymentConfigField[[]string] `json:"cert_file" typescript:",notnull"`
|
||||
ClientAuth *DeploymentConfigField[string] `json:"client_auth" typescript:",notnull"`
|
||||
ClientCAFile *DeploymentConfigField[string] `json:"client_ca_file" typescript:",notnull"`
|
||||
KeyFiles *DeploymentConfigField[[]string] `json:"key_file" typescript:",notnull"`
|
||||
MinVersion *DeploymentConfigField[string] `json:"min_version" typescript:",notnull"`
|
||||
Enable *DeploymentConfigField[bool] `json:"enable" typescript:",notnull"`
|
||||
CertFiles *DeploymentConfigField[[]string] `json:"cert_file" typescript:",notnull"`
|
||||
ClientAuth *DeploymentConfigField[string] `json:"client_auth" typescript:",notnull"`
|
||||
ClientCAFile *DeploymentConfigField[string] `json:"client_ca_file" typescript:",notnull"`
|
||||
KeyFiles *DeploymentConfigField[[]string] `json:"key_file" typescript:",notnull"`
|
||||
MinVersion *DeploymentConfigField[string] `json:"min_version" typescript:",notnull"`
|
||||
ClientCertFile *DeploymentConfigField[string] `json:"client_cert_file" typescript:",notnull"`
|
||||
ClientKeyFile *DeploymentConfigField[string] `json:"client_key_file" typescript:",notnull"`
|
||||
}
|
||||
|
||||
type TraceConfig struct {
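Review bot: The new ClientCertFile and ClientKeyFile fields at the end of TLSConfig carry no doc comments, and in a struct that already holds ClientAuth and ClientCAFile their names read as another server-side client-authentication setting; the cli/server.go hunk in this commit uses them as the certificate this server presents to the OIDC provider. Suggest a comment above the pair: `// ClientCertFile and ClientKeyFile are the PEM-encoded certificate and key Coder presents as a TLS client (mutual TLS) to the OIDC provider; they are unrelated to ClientAuth/ClientCAFile, which verify clients connecting to Coder.` The six re-listed field lines above them appear to be a gofmt realignment only, so no behaviour change is implied there.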
@ -75,6 +75,12 @@ Once complete, run `sudo service coder restart` to reboot Coder.
|
||||
> When a new user is created, the `preferred_username` claim becomes the username. If this claim is empty, the email address will be stripped of the domain, and become the username (e.g. `example@coder.com` becomes `example`).
|
||||
|
||||
If your OpenID Connect provider requires client TLS certificates for authentication, you can configure them like so:
|
||||
```console
|
||||
CODER_TLS_CLIENT_CERT_FILE=/path/to/cert.pem
|
||||
CODER_TLS_CLIENT_KEY_FILE=/path/to/key.pem
|
||||
```
|
||||
|
||||
## SCIM (enterprise)
|
||||
|
||||
Coder supports user provisioning and deprovisioning via SCIM 2.0 with header
@ -63,7 +63,7 @@ type TypescriptTypes struct {
// String just combines all the codeblocks.
|
||||
func (t TypescriptTypes) String() string {
|
||||
var s strings.Builder
|
||||
_, _ = s.WriteString("// Code generated by 'make coder/scripts/apitypings/main.go'. DO NOT EDIT.\n\n")
|
||||
_, _ = s.WriteString("// Code generated by 'make site/src/api/typesGenerated.ts'. DO NOT EDIT.\n\n")
|
||||
|
||||
sortedTypes := make([]string, 0, len(t.Types))
|
||||
sortedEnums := make([]string, 0, len(t.Enums))
@ -1,4 +1,4 @@
// Code generated by 'make coder/scripts/apitypings/main.go'. DO NOT EDIT.
|
||||
// Code generated by 'make site/src/api/typesGenerated.ts'. DO NOT EDIT.
|
||||
|
||||
// From codersdk/enums.go
|
||||
export type Enum = "bar" | "baz" | "foo" | "qux"
@ -1,4 +1,4 @@
// Code generated by 'make coder/scripts/apitypings/main.go'. DO NOT EDIT.
|
||||
// Code generated by 'make site/src/api/typesGenerated.ts'. DO NOT EDIT.
|
||||
|
||||
// From codersdk/generics.go
|
||||
export interface ComplexGeneric<C extends comparable, S extends Single, T extends Custom> {
@ -1,4 +1,4 @@
// Code generated by 'make coder/scripts/apitypings/main.go'. DO NOT EDIT.
|
||||
// Code generated by 'make site/src/api/typesGenerated.ts'. DO NOT EDIT.
|
||||
|
||||
// From codersdk/apikey.go
|
||||
export interface APIKey {
@ -598,6 +598,8 @@ export interface TLSConfig {
readonly client_ca_file: DeploymentConfigField<string>
|
||||
readonly key_file: DeploymentConfigField<string[]>
|
||||
readonly min_version: DeploymentConfigField<string>
|
||||
readonly client_cert_file: DeploymentConfigField<string>
|
||||
readonly client_key_file: DeploymentConfigField<string>
|
||||
}
|
||||
|
||||
// From codersdk/deploymentconfig.go