oidcAuthLinks validates and can repair any broken OIDC auth links from changes in OIDC providers. This function should avoid returning a fatal error as much as possible. If this function fails, it should just log the error and exit.
| 119 | // OIDC providers. This function should avoid returning a fatal error as much as possible. |
| 120 | // If this function fails, it should just log the error and exit. |
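func oidcAuthLinks(ctx context.Context, logger slog.Logger, cli *http.Client, vals *codersdk.DeploymentValues, db database.Store) error {
	// nolint:gocritic // Requires system privileges
	ctx = dbauthz.AsSystemRestricted(ctx)

	// The configured issuer URL is attached to every log line so an operator
	// can tie a report back to the deployment setting it came from.
	issuerURL := vals.OIDC.IssuerURL.String()

	expectedIssuer, err := authlink.ResolveIssuer(ctx, cli, issuerURL)
	if err != nil {
		// Always log if there is a failure here. Per the contract above the
		// error is logged, not returned, so an unreachable or misconfigured
		// provider does not abort the caller.
		logger.Error(ctx, "unable to resolve OIDC 'issuer'",
			slog.F("error", err.Error()),
			slog.F("url", issuerURL),
		)
		return nil
	}

	analysis, err := authlink.AnalyzeOIDCLinks(ctx, db, expectedIssuer)
	if err != nil {
		// Do not make this error fatal
		logger.Error(ctx, "unable to analyze OIDC links, OIDC user links cannot be verified as linked to this issuer",
			slog.F("error", err.Error()),
			slog.F("url", issuerURL),
			slog.F("issuer", expectedIssuer),
		)
		return nil
	}

	mismatched := analysis.MismatchedTotal()
	if mismatched == 0 {
		// Every link already points at the expected issuer; nothing to
		// repair or report.
		return nil
	}

	if !vals.OIDC.AutoRepairLinks.Value() {
		// With auto repair disabled the analysis result would otherwise be
		// discarded and an operator would never learn that user links no
		// longer match the issuer. Surface it so the mismatch can be
		// investigated and fixed by hand.
		logger.Warn(ctx, "mismatched OIDC user links found, auto repair is disabled so they were left unchanged",
			slog.F("url", issuerURL),
			slog.F("issuer", expectedIssuer),
			slog.F("count", mismatched),
		)
		return nil
	}

	// Repair any broken OIDC links
	count, err := authlink.ResetMismatchedOIDCLinks(ctx, db, expectedIssuer)
	if err != nil {
		logger.Error(ctx, "unable to reset mismatched OIDC links",
			slog.F("error", err.Error()),
			slog.F("url", issuerURL),
			slog.F("issuer", expectedIssuer),
		)
		return nil
	}

	logger.Info(ctx, "oidc users OIDC links reset",
		slog.F("url", issuerURL),
		slog.F("issuer", expectedIssuer),
		slog.F("count", count),
	)
	return nil
}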
| 169 | |
| 170 | func createOIDCConfig(ctx context.Context, logger slog.Logger, vals *codersdk.DeploymentValues) (*coderd.OIDCConfig, error) { |
| 171 | if vals.OIDC.ClientID == "" { |