feat: allow all GitHub login when no org is set #4837
@starcatmeow sorry I've been slow to review! I'll get around to it this weekend. I appreciate the contribution!
Thanks for the contribution @starcatmeow!
I'm a bit worried about how easy it'll be to accidentally open up logins to the world. Let's say the server admin has a typo in their org environment variable and as a result no orgs are set. This would then allow everyone to log in with the admin being none the wiser.
We could add a new config (--oauth2-github-allow-everyone / CODER_OAUTH2_GITHUB_ALLOW_EVERYONE) and perform additional checks in cli/server.go (to exit early on config errors). Only if this config is set would we allow orgs to be empty. Thoughts @kylecarbs?
@@ -95,7 +98,7 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
	}

	// The default if no teams are specified is to allow all.
	if len(api.GithubOAuth2Config.AllowTeams) > 0 {
	if len(api.GithubOAuth2Config.AllowOrganizations) > 0 && len(api.GithubOAuth2Config.AllowTeams) > 0 {
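Review bot: the new condition on the hunk's last line skips the team check whenever AllowOrganizations is empty, even with AllowTeams populated, so a missing or mistyped organization setting would silently let any GitHub user past the team gate. Keep the original guard "if len(api.GithubOAuth2Config.AllowTeams) > 0 {", treat teams-without-organizations as a configuration error rejected at startup, and gate the allow-all behaviour behind an explicit opt-in such as the proposed CODER_OAUTH2_GITHUB_ALLOW_EVERYONE rather than on an empty list.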
This would silently allow all logins even if teams are set but organizations are not. I'd say that's a configuration error, but we shouldn't silently allow it.
We should perhaps keep this if as it was and recheck that selectedMembership is non-nil.
@mafredri I like that solution. While not being as clean as empty being all, it feels much less likely to cause a security breach.
I like where your head is at @mafredri! Another option is to use wildcards 😉 CODER_OAUTH2_GITHUB_ALLOW_ORGANIZATIONS=* Either a separate env var or wildcard makes sense to me. I agree with the security concern around the unset behavior
I love that suggestion. Just one question, how would we surface this option/possibility? I suppose it could be part of the This begs the question, if we go this route, should we turn this into a regex like we have for git auth URL matching? Would feel a bit weird having both "glob-ish" and "regex" styles. But also, regex is a nightmare for security so a simpler variant would win here.
Yeah, perhaps going with the separate boolean flag is better for those reasons. Otherwise, yeah we can just add
@starcatmeow we wanted to fast-track this so I hope it's OK I took over your PR. I would've pushed to this branch but I didn't have permissions so I opened up a new PR: #5086. Feel free to give feedback on the new approach!
Your solution is great for both functionality and security! I'm quite busy these days so I couldn't respond in time. Thanks for all you guys sharing ideas and raising PRs! I'm going to close this.
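The fail-closed shape the thread converges on (an explicit allow-everyone flag with a startup check, as proposed in the first review comment, and a team check that is never skipped when the organization list is empty, as proposed on the hunk), as an added example that is not Coder's own code; the GithubOAuth2Config fields, the Membership type and the "org/team-slug" team format are assumptions made for this example.

```go
package main

import "errors"

// Assumed config shape for this example; field names follow the thread, not Coder's real type.
type GithubOAuth2Config struct {
	AllowEveryone      bool     // proposed CODER_OAUTH2_GITHUB_ALLOW_EVERYONE
	AllowOrganizations []string // allowed org logins
	AllowTeams         []string // allowed teams written as "org/team-slug"
}

type Membership struct{ Org, Team string } // constructed stand-in for one GitHub membership

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// ValidateGithubConfig is the early exit proposed for cli/server.go: refuse to
// start instead of silently opening logins when the org setting is missing.
func ValidateGithubConfig(cfg GithubOAuth2Config) error {
	if cfg.AllowEveryone && len(cfg.AllowOrganizations)+len(cfg.AllowTeams) > 0 {
		return errors.New("allow-everyone cannot be combined with allow lists")
	}
	if !cfg.AllowEveryone && len(cfg.AllowOrganizations) == 0 {
		return errors.New("no allowed organizations; set allow-everyone for public login")
	}
	return nil
}

// AuthorizeGithubLogin applies the allow lists fail-closed: membership in an
// allowed org is required, and in an allowed team of that org when teams are set.
func AuthorizeGithubLogin(cfg GithubOAuth2Config, memberships []Membership) (bool, error) {
	if err := ValidateGithubConfig(cfg); err != nil {
		return false, err
	}
	if cfg.AllowEveryone {
		return true, nil
	}
	for _, m := range memberships {
		if contains(cfg.AllowOrganizations, m.Org) && // the hunk's selectedMembership
			(len(cfg.AllowTeams) == 0 || contains(cfg.AllowTeams, m.Org+"/"+m.Team)) {
			return true, nil
		}
	}
	return false, nil // nothing matched (the nil selectedMembership case): deny
}
```

A mistyped organization variable now fails at startup instead of turning the team list into a no-op.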
Allow all GitHub login when no organization is set. This enables users to provide public access to their coder instance.