Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GitHub proxy part 5: OAuth flow to retrieve GitHub identity #49849

Merged
merged 6 commits into from
Dec 10, 2024
Merged

GitHub proxy part 5: OAuth flow to retrieve GitHub identity #49849

merged 6 commits into from
Dec 10, 2024

Conversation

greedy52
Copy link
Contributor

@greedy52 greedy52 commented Dec 5, 2024
edited
Loading

related:

GitHub OAuth flow for authenticated user overview

sequenceDiagram
    participant tsh
    participant client browser
    participant Proxy
    participant Auth
    participant GitHub
                                
    tsh->>Proxy: GitServerClient().CreateGitHubAuthRequest
    Proxy->>Auth: CreateGitHubAuthRequest
    tsh->> client browser: open
    client browser->> GitHub: redirect
    GitHub<<->>Proxy: callback
    Proxy<<->>Auth: verify callback and generate new cert with GitHub user ID
    client browser->>tsh: new cert with GitHub user ID
Loading

tsh UX example:

$ tsh status
> Profile URL:        https://teleport-test.stevexin.app:443
  Logged in as:       admin
  Cluster:            teleport-test.stevexin.app
  Roles:              access, auditor, editor
  Kubernetes:         enabled
  Valid until:        2024-12-06 07:36:28 -0500 EST [valid for 10h52m0s]
  Extensions:         login-ip, permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy

$ tsh git login --github-org goteleport-core-test --force
If browser window does not open automatically, open it by clicking on the link:
 http://127.0.0.1:61928/6481c191-f0f5-47e8-ad7e-60c7a84f53ec
Your GitHub username is greedy52.

$ tsh git ls
Type   Organization         Username URL                                     
------ -------------------- -------- --------------------------------------- 
GitHub goteleport-core-test greedy52 https://github.com/goteleport-core-test 

hint: use 'tsh git clone <git-clone-ssh-url>' to clone a new repository
      use 'tsh git config update' to configure an existing repository to use Teleport
      once the repository is cloned or configured, use 'git' as normal

$ tsh status | grep -A2 GitHub
  GitHub username:    greedy52
  Valid until:        2024-12-06 07:36:28 -0500 EST [valid for 10h49m0s]
  Extensions:         login-ip, permit-agent-forwarding, permit-port-forwarding, permit-pty, private-key-policy

TODO

  • make -C integrations/operator crd

@greedy52 greedy52 added the no-changelog Indicates that a PR does not require a changelog entry label Dec 5, 2024
@greedy52 greedy52 self-assigned this Dec 5, 2024
@greedy52 greedy52 mentioned this pull request Dec 5, 2024
Closed
9 tasks
greedy52
greedy52 commented Dec 5, 2024
View reviewed changes
lib/auth/github.go
Comment on lines +648 to +652
// Auth was successful, return session, certificate, etc. to caller.
return a.makeGithubAuthResponse(ctx, req, userState, userResp, params.SessionTTL)
}

func (a *Server) makeGithubAuthResponse(
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just some refactoring to break the big function. same below to split getGithubUserAndTeams

@greedy52 greedy52 force-pushed the STeve/48762_github_oauth_flow branch from f30da58 to 7e9fd6e Compare December 6, 2024 01:48
@greedy52 greedy52 marked this pull request as ready for review December 6, 2024 01:49
@github-actions github-actions bot added size/lg tsh tsh - Teleport's command line tool for logging into nodes running Teleport. labels Dec 6, 2024
@greedy52 greedy52 force-pushed the STeve/48762_github_oauth_flow branch from 7e9fd6e to 5ab9743 Compare December 6, 2024 02:17
Tener
Tener reviewed Dec 6, 2024
View reviewed changes
Copy link
Contributor

@Tener Tener left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

First pass.

api/proto/teleport/legacy/types/types.proto Outdated Show resolved Hide resolved
api/proto/teleport/userloginstate/v1/userloginstate.proto Show resolved Hide resolved
api/proto/teleport/userloginstate/v1/userloginstate.proto Show resolved Hide resolved
api/types/github.go Show resolved Hide resolved
lib/auth/auth.go Show resolved Hide resolved
lib/auth/github.go Show resolved Hide resolved
lib/auth/github.go Show resolved Hide resolved
lib/auth/userloginstate/generator.go
@@ -154,6 +164,13 @@ func (g *Generator) Generate(ctx context.Context, user types.User) (*userloginst
return nil, trace.Wrap(err)
}

// Preserve states like GitHub identities across logins.
// TODO(greedy52) implement a way to remove the identity or find a way to
// avoid keeping the identity forever.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we set some kind of TTL corresponding to the TTL returned by Github for the auth request?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think Github provide any meaningful TTL for the identity itself. we might need to introduce something like role.max_external_identity_ttl = 168h

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I think we should put a limit here. A week feels like a reasonable compromise.

@greedy52 greedy52 requested a review from Tener December 9, 2024 01:59
Tener
Tener approved these changes Dec 9, 2024
View reviewed changes
Copy link
Contributor

@Tener Tener left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did another round and I feel comfortable enough approving this. Notably I was already familiar with trickier areas of this PR but it still required above-average effort due to accumulated complexity.

tool/tsh/common/git_login.go
Comment on lines +43 to +46
// TODO(greedy52) make "github-org" optional. Most likely there is only a
// single Git server configured anyway so do a "list" op then use the
// organization from that Git server. If more than one Git servers are
// found, prompt the user to pick one.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A very nice idea.

lib/auth/github.go
@@ -537,7 +537,7 @@ func newGithubOAuth2Config(connector types.GithubConnector) oauth2.Config {

// ValidateGithubAuthCallback validates Github auth callback redirect
func (a *Server) validateGithubAuthCallback(ctx context.Context, diagCtx *SSODiagContext, q url.Values) (*authclient.GithubAuthResponse, error) {
logger := log.WithFields(logrus.Fields{teleport.ComponentKey: "github"})
logger := a.logger.With(teleport.ComponentKey, "github")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel like validateGithubAuthCallback and friends could benefit from refactoring. Right now is probably not the best time, but the original code didn't anticipate the use-cases that have been added with time and it shows. Possibly the opportunity for this will arrive in the future?

smallinsky
smallinsky reviewed Dec 9, 2024
View reviewed changes
lib/client/profile.go Outdated Show resolved Hide resolved
lib/auth/gitserver/gitserverv1/github.go Show resolved Hide resolved
lib/auth/gitserver/gitserverv1/github.go
}

in.Request.ConnectorID = uuid
in.Request.ConnectorSpec = spec
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ConnectorSpec is marked as Used only in test

teleport/integrations/operator/crdgen/testdata/protofiles/teleport/legacy/types/types.proto

Line 5197 in 6995108

GithubConnectorSpecV3 ConnectorSpec = 15 [(gogoproto.jsontag) = "connector_spec,omitempty"];

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i did update api/proto/teleport/legacy/types/types.proto to indicate that ConnectorSpec is for both flows (basically the spec is used when not using "native" GitHub connector). I had a comment in PR description that i need to run make -C integrations/operator crd before merge.

lib/auth/gitserver/gitserverv1/github.go Show resolved Hide resolved
lib/auth/gitserver/gitserverv1/github.go Show resolved Hide resolved
@greedy52 greedy52 force-pushed the STeve/48762_github_oauth_flow branch from 3ee441e to c20d7ef Compare December 10, 2024 03:06
@greedy52 greedy52 requested a review from smallinsky December 10, 2024 03:10
@github-actions GitHub Actions
Copy link

🤖 Vercel preview here: https://docs-4q81q907q-goteleport.vercel.app/docs

@github-actions GitHub Actions
Copy link

🤖 Vercel preview here: https://docs-ie4zozxl8-goteleport.vercel.app/docs

@greedy52 greedy52 added this pull request to the merge queue Dec 10, 2024
Merged via the queue into master with commit 80a58fc Dec 10, 2024
44 checks passed
@greedy52 greedy52 deleted the STeve/48762_github_oauth_flow branch December 10, 2024 17:50
greedy52 added a commit that referenced this pull request Jan 15, 2025
@greedy52
GitHub proxy part 5: OAuth flow to retrieve GitHub identity (#49849)
d92503d 
* GitHub proxy part 5: OAuth flow to retrieve GitHub identity

* review comments round1

* review comments round 2 and update tsh git list

* make -C integrations/operator crd

* make -C integrations/terraform docs

* fix flaky test
greedy52 added a commit that referenced this pull request Jan 16, 2025
@greedy52
GitHub proxy part 5: OAuth flow to retrieve GitHub identity (#49849)
1ec1dd7 
* GitHub proxy part 5: OAuth flow to retrieve GitHub identity

* review comments round1

* review comments round 2 and update tsh git list

* make -C integrations/operator crd

* make -C integrations/terraform docs

* fix flaky test
github-merge-queue bot pushed a commit that referenced this pull request Jan 16, 2025
@greedy52
[v17] GitHub proxy (#51086)
7ca4e53 
* GitHub Proxy part 1: github integration resource (#48999)

* github integration resource

* fix lib/web

* revert withSecrets

* use static credentials

* address review comments

* fix ut

* GitHub Proxy part 2: git_server resource, service, and RBAC (#49393)

* git_server resource and role.allow.github_permissions

* implicit RO on KindGitServer

* review comments

* fix ut

* make -C integrations/operator crd

* fix ut again

* make crds-up-to-date and make -C integrations/terraform docs

* GitHub proxy part 1.5: integration in web ui (#49561)

* GitHub proxy part 1.5: integration in web ui

* fix lint

* GitHub Proxy part 3.5: caching PluginStaticCredentials (#49472)

* GitHub Proxy part 3.5: caching PluginStaticCredentials

* fix lint

* GitHub proxy part 2.5: git_server cache (#49564)

* GitHub proxy part 2.5: git_server cache

* revert event

* fix getAll

* review comments

* GitHub Proxy part 3: gen github user cert and export CA (#49396)

* GitHub Proxy part 3: gen github user cert and export CA

* address pr comment

* minor refactor

* use cache

* fix build and cache

* GitHub proxy part 4: `tsh git ls` with unified resource (#49596)

* GitHub proxy part 4: tsh git ls

* fix ut

* update username note

* fix

* GitHub proxy part 5: OAuth flow to retrieve GitHub identity (#49849)

* GitHub proxy part 5: OAuth flow to retrieve GitHub identity

* review comments round1

* review comments round 2 and update tsh git list

* make -C integrations/operator crd

* make -C integrations/terraform docs

* fix flaky test

* GitHub proxy part 6.5: tsh git ssh/clone/config (#50044)

* GitHub proxy part 6.5: tsh git ssh/clone/config

* review comments

* fix test

* fix ut for lookpath

* fix logger and update dependency version

* go mod tidy for integrations

* GitHub proxy part 7: audit events (#49923)

* GitHub proxy part 7: audit events

* make Git Command consistent

* fix typo

* GitHub proxy: git command recorder (#50505)

* GitHub proxy: recording git command

* address review

* review comments

* allow flags after repository for git-upload-pack

* GitHub proxy part 6: proxing Git using SSH transport (#49980)

* GitHub proxy part 6: proxing Git using SSH transport

* better command parsing and update suite

* refactor

* revert unnecearrty files

* address review comments

* ut fix

* revert localsite_test.go

* change special suffix to teleport-github-org for routing

* fix routing ut

* minor typo edit

* fix ut after sshca change

* add UT to sshutils

* minor review comments

* fix api ut because of special suffix change

* GitServerReadOnlyClient

* downgrade error to warning

* run go mod tidy. not sure why it's needed

* rename mock.go to mock_test.go

* GitHub Proxy: complete audit event flow and add an enterprise guard (#51049)

* fix lint and remove accidently checked-in binary

* Fix flaky git.TestForwardServer test (#51112)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@smallinsky smallinsky smallinsky approved these changes

@Tener Tener Tener approved these changes

Assignees

@greedy52 greedy52

Labels
no-changelog Indicates that a PR does not require a changelog entry size/lg tsh tsh - Teleport's command line tool for logging into nodes running Teleport.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@greedy52 @Tener @smallinsky