
GitHub proxy part 5: OAuth flow to retrieve GitHub identity #49849

Merged
merged 6 commits into from
Dec 10, 2024

Conversation

greedy52
Contributor

@greedy52 greedy52 commented Dec 5, 2024

related:

GitHub OAuth flow for authenticated user overview

```mermaid
sequenceDiagram
    participant tsh
    participant client browser
    participant Proxy
    participant Auth
    participant GitHub

    tsh->>Proxy: GitServerClient().CreateGitHubAuthRequest
    Proxy->>Auth: CreateGitHubAuthRequest
    tsh->> client browser: open
    client browser->> GitHub: redirect
    GitHub<<->>Proxy: callback
    Proxy<<->>Auth: verify callback and generate new cert with GitHub user ID
    client browser->>tsh: new cert with GitHub user ID
```

tsh UX example:

```console
$ tsh status
> Profile URL:        https://teleport-test.stevexin.app:443
  Logged in as:       admin
  Cluster:            teleport-test.stevexin.app
  Roles:              access, auditor, editor
  Kubernetes:         enabled
  Valid until:        2024-12-06 07:36:28 -0500 EST [valid for 10h52m0s]
  Extensions:         login-ip, permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy

$ tsh git login --github-org goteleport-core-test --force
If browser window does not open automatically, open it by clicking on the link:
 http://127.0.0.1:61928/6481c191-f0f5-47e8-ad7e-60c7a84f53ec
Your GitHub username is greedy52.

$ tsh git ls
Type   Organization         Username URL
------ -------------------- -------- ---------------------------------------
GitHub goteleport-core-test greedy52 https://github.com/goteleport-core-test

hint: use 'tsh git clone <git-clone-ssh-url>' to clone a new repository
      use 'tsh git config update' to configure an existing repository to use Teleport
      once the repository is cloned or configured, use 'git' as normal

$ tsh status | grep -A2 GitHub
  GitHub username:    greedy52
  Valid until:        2024-12-06 07:36:28 -0500 EST [valid for 10h49m0s]
  Extensions:         login-ip, permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy
```

TODO

  • make -C integrations/operator crd

@greedy52 greedy52 added the no-changelog Indicates that a PR does not require a changelog entry label Dec 5, 2024
@greedy52 greedy52 self-assigned this Dec 5, 2024
@greedy52 greedy52 mentioned this pull request Dec 5, 2024
Comment on lines +648 to +652
// Auth was successful, return session, certificate, etc. to caller.
return a.makeGithubAuthResponse(ctx, req, userState, userResp, params.SessionTTL)
}

func (a *Server) makeGithubAuthResponse(
Contributor Author


Just some refactoring to break up the big function. Same below to split getGithubUserAndTeams.

@greedy52 greedy52 force-pushed the STeve/48762_github_oauth_flow branch from f30da58 to 7e9fd6e Compare December 6, 2024 01:48
@greedy52 greedy52 marked this pull request as ready for review December 6, 2024 01:49
@github-actions github-actions bot added size/lg tsh tsh - Teleport's command line tool for logging into nodes running Teleport. labels Dec 6, 2024
@greedy52 greedy52 force-pushed the STeve/48762_github_oauth_flow branch from 7e9fd6e to 5ab9743 Compare December 6, 2024 02:17
Contributor

@Tener Tener left a comment


First pass.

@@ -154,6 +164,13 @@ func (g *Generator) Generate(ctx context.Context, user types.User) (*userloginst
return nil, trace.Wrap(err)
}

// Preserve states like GitHub identities across logins.
// TODO(greedy52) implement a way to remove the identity or find a way to
// avoid keeping the identity forever.
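Review bot: the new comment block admits that the preserved GitHub identity is never removed, so a mapping obtained once stays on the user's login state indefinitely; rather than deferring this to a TODO, consider recording when the identity was obtained and dropping it in Generate once a configurable maximum age has passed, and state that policy in the comment instead of "avoid keeping the identity forever".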
Contributor


Should we set some kind of TTL corresponding to the TTL returned by Github for the auth request?

Contributor Author


I don't think GitHub provides any meaningful TTL for the identity itself. We might need to introduce something like role.max_external_identity_ttl = 168h

Contributor


Yes, I think we should put a limit here. A week feels like a reasonable compromise.
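The expiry this thread asks for, as an added example in Go that is not Teleport's code: a GitHub identity preserved across logins carries the time it was obtained and is dropped once the hypothetical role.max_external_identity_ttl (168h here) has elapsed, while a freshly completed OAuth flow refreshes the mapping for its connector. The type and function names are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// ExternalIdentity is an assumed stand-in for the GitHub identity the OAuth
// callback attaches to a user's login state; it is not Teleport's own type.
type ExternalIdentity struct {
	Connector  string    // e.g. "github"
	Username   string    // GitHub login returned by the callback
	ObtainedAt time.Time // when the OAuth flow completed
}

// MaxExternalIdentityTTL mirrors the hypothetical role.max_external_identity_ttl = 168h.
const MaxExternalIdentityTTL = 168 * time.Hour

// Expired reports whether the identity is older than maxTTL at time now.
// A non-positive maxTTL fails closed: every identity counts as expired.
func (id ExternalIdentity) Expired(now time.Time, maxTTL time.Duration) bool {
	return maxTTL <= 0 || !now.Before(id.ObtainedAt.Add(maxTTL))
}

// MergeIdentities builds the identities for a new login: expired entries from the
// previous state are dropped, and a fresh identity replaces the one for its connector.
func MergeIdentities(prev []ExternalIdentity, fresh *ExternalIdentity, now time.Time, maxTTL time.Duration) []ExternalIdentity {
	var kept []ExternalIdentity
	for _, id := range prev {
		if id.Expired(now, maxTTL) {
			continue // stale mapping: do not carry it into the new login
		}
		if fresh != nil && id.Connector == fresh.Connector {
			continue // superseded by the fresh identity appended below
		}
		kept = append(kept, id)
	}
	if fresh != nil && !fresh.Expired(now, maxTTL) {
		kept = append(kept, *fresh)
	}
	return kept
}

func main() {
	now := time.Now()
	// Constructed sample: a 30-day-old mapping is dropped, today's is kept.
	prev := []ExternalIdentity{{Connector: "github", Username: "old-alice", ObtainedAt: now.Add(-30 * 24 * time.Hour)}}
	fresh := &ExternalIdentity{Connector: "github", Username: "alice", ObtainedAt: now}
	fmt.Printf("%+v\n", MergeIdentities(prev, fresh, now, MaxExternalIdentityTTL))
}
```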

@greedy52 greedy52 requested a review from Tener December 9, 2024 01:59
Contributor

@Tener Tener left a comment


I did another round and I feel comfortable enough approving this. Notably I was already familiar with trickier areas of this PR but it still required above-average effort due to accumulated complexity.

Comment on lines +43 to +46
// TODO(greedy52) make "github-org" optional. Most likely there is only a
// single Git server configured anyway so do a "list" op then use the
// organization from that Git server. If more than one Git servers are
// found, prompt the user to pick one.
Contributor


A very nice idea.

@@ -537,7 +537,7 @@ func newGithubOAuth2Config(connector types.GithubConnector) oauth2.Config {

// ValidateGithubAuthCallback validates Github auth callback redirect
func (a *Server) validateGithubAuthCallback(ctx context.Context, diagCtx *SSODiagContext, q url.Values) (*authclient.GithubAuthResponse, error) {
logger := log.WithFields(logrus.Fields{teleport.ComponentKey: "github"})
logger := a.logger.With(teleport.ComponentKey, "github")
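Review bot: the doc comment above the function still reads `ValidateGithubAuthCallback` while the function itself is the unexported `validateGithubAuthCallback`, so godoc will not associate the two; rename the comment to match. The logger change on the last two lines is a straight swap of the logrus field for the same component key on a.logger and looks correct.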
Contributor


I feel like validateGithubAuthCallback and friends could benefit from refactoring. Right now is probably not the best time, but the original code didn't anticipate the use-cases that have been added with time and it shows. Possibly the opportunity for this will arrive in the future?

}

in.Request.ConnectorID = uuid
in.Request.ConnectorSpec = spec
Contributor


The ConnectorSpec is marked as "Used only in test":

GithubConnectorSpecV3 ConnectorSpec = 15 [(gogoproto.jsontag) = "connector_spec,omitempty"];

Contributor Author


I did update api/proto/teleport/legacy/types/types.proto to indicate that ConnectorSpec is for both flows (basically the spec is used when not using the "native" GitHub connector). I had a comment in the PR description that I need to run make -C integrations/operator crd before merge.

@greedy52 greedy52 force-pushed the STeve/48762_github_oauth_flow branch from 3ee441e to c20d7ef Compare December 10, 2024 03:06
@greedy52 greedy52 requested a review from smallinsky December 10, 2024 03:10

🤖 Vercel preview here: https://docs-4q81q907q-goteleport.vercel.app/docs


🤖 Vercel preview here: https://docs-ie4zozxl8-goteleport.vercel.app/docs

@greedy52 greedy52 added this pull request to the merge queue Dec 10, 2024
Merged via the queue into master with commit 80a58fc Dec 10, 2024
44 checks passed
@greedy52 greedy52 deleted the STeve/48762_github_oauth_flow branch December 10, 2024 17:50