| 20 | ) |
| 21 | |
| 22 | func (r *RootCmd) newFixOIDCLinksCommand() *serpent.Command { |
| 23 | var ( |
| 24 | pgURL string |
| 25 | pgAuth string |
| 26 | issuerURL string |
| 27 | dryRun bool |
| 28 | ) |
| 29 | fixOIDCLinksCmd := &serpent.Command{ |
| 30 | Use: "fix-oidc-links", |
| 31 | Short: "Reset OIDC linked IDs that do not match the expected issuer, allowing users to re-authenticate.", |
| 32 | Handler: func(inv *serpent.Invocation) error { |
| 33 | var ( |
| 34 | ctx, cancel = inv.SignalNotifyContext(inv.Context(), StopSignals...) |
| 35 | logger = inv.Logger.AppendSinks(sloghuman.Sink(inv.Stderr)) |
| 36 | ) |
| 37 | if r.verbose { |
| 38 | logger = logger.Leveled(slog.LevelDebug) |
| 39 | } |
| 40 | defer cancel() |
| 41 | |
| 42 | issuerURL = strings.TrimSpace(issuerURL) |
| 43 | if issuerURL == "" { |
| 44 | return xerrors.Errorf("the --%s flag is required, set it to the OIDC issuer URL (e.g. https://accounts.google.com)", "issuer-url") |
| 45 | } |
| 46 | // Resolve the canonical issuer from OIDC discovery. |
| 47 | cliui.Infof(inv.Stdout, "Resolving OIDC issuer from %q...", issuerURL) |
| 48 | // TODO: The default client might not be configured with the right certs to make this request. |
| 49 | issuer, err := authlink.ResolveIssuer(ctx, http.DefaultClient, issuerURL) |
| 50 | if err != nil { |
| 51 | return xerrors.Errorf("resolve issuer: %w", err) |
| 52 | } |
| 53 | _, _ = fmt.Fprintf(inv.Stdout, "Resolved OIDC issuer: %q\n\n", issuer) |
| 54 | |
| 55 | // Connect to the database. |
| 56 | if pgURL == "" { |
| 57 | return xerrors.New("the --postgres-url flag is required") |
| 58 | } |
| 59 | |
| 60 | sqlDriver := "postgres" |
| 61 | if codersdk.PostgresAuth(pgAuth) == codersdk.PostgresAuthAWSIAMRDS { |
| 62 | sqlDriver, err = awsiamrds.Register(inv.Context(), sqlDriver) |
| 63 | if err != nil { |
| 64 | return xerrors.Errorf("register aws rds iam auth: %w", err) |
| 65 | } |
| 66 | } |
| 67 | |
| 68 | sqlDB, err := ConnectToPostgres(ctx, logger, sqlDriver, pgURL, nil) |
| 69 | if err != nil { |
| 70 | return xerrors.Errorf("connect to postgres: %w", err) |
| 71 | } |
| 72 | defer func() { |
| 73 | _ = sqlDB.Close() |
| 74 | }() |
| 75 | db := database.New(sqlDB) |
| 76 | |
| 77 | // Run analysis. |
| 78 | analysis, err := authlink.AnalyzeOIDCLinks(ctx, db, issuer) |
| 79 | if err != nil { |