Oauth flow for Google, GitHub and GitLab

[Skemba]

This version:

• Needs (google, github, gitlab) apps to be turned for verification to be rolled into production
• Google parameter for allowed_domain was not included as it doesn't provide much more security but can be returned back to improve UX for GSuite users
• Includes HTML files that can be replaced with a better JS-based frontend code

[CLAassistant]

All committers have signed the CLA.

[kolesnikovae]

Awesome! I left a couple of comments, most of them are just nits – please take a look.

[kolesnikovae]

Do we actually need scopes to be configurable?

[Skemba]

At this point probably no, I left it in just in case someone could think of a use-case, would be easy to remove if you don't think there's anything useful we could offer?

[petethepig]

Yeah, I'd say let's remove them. Less flags is always better.

[kolesnikovae]

We should perform all the validation steps before creating oauth2.Config instance. Consider use of shallow copy (golang/go#41733).

URL would be authURL (url collides with the package name).

[Skemba]

I'm not sure I understand what should I use shallow copy for? Also if we were to call url.Parse before building oauth2.Config we would have to either pass some sort of identifier and the create it in a switch or remove url parsing to above function which would triple the amount of code. URL parsing should rarely fail so it won't influence performance that much that we created instance before if it fails.

Or did I misunderstand something?

[kolesnikovae]

I agree. My point is that when we create *oauth2.Config we should validate user input (fail fast).

BTW, am I right that scopes are passed as a space delimited string? I'm wondering if it works - CLI may not interpret that in the right way.

Next are just my subjective thoughts :) Given that we already have parsed URL at validation, should we do that again for every request? For oauthLoginHandler we use *oauth2.Config as a data container - instead we could introduce our own type to bear prepared data. But it's up to you ;)

[Skemba]

Removed scope as config flag so that won't be a problem :)

I really like the idea. Will include this.

[codecov]

Codecov Report

Merging #272 (8e1a01d) into main (8c4e0c2) will decrease coverage by 3.56%.
The diff coverage is 3.70%.

@@            Coverage Diff             @@
##             main     #272      +/-   ##
==========================================
- Coverage   53.77%   50.22%   -3.55%     
==========================================
  Files          89       92       +3     
  Lines        3638     3981     +343     
==========================================
+ Hits         1956     1999      +43     
- Misses       1482     1775     +293     
- Partials      200      207       +7     

Impacted Files	Coverage Δ
pkg/cli/server.go	0.00% <0.00%> (ø)
pkg/server/handler.go	0.43% <0.43%> (ø)
pkg/server/controller.go	24.56% <10.53%> (-6.35%)	⬇️
pkg/storage/tree/flamebearer.go	100.00% <0.00%> (ø)
scripts/decode-resp/decode.go	100.00% <0.00%> (ø)
scripts/decode-resp/main.go	0.00% <0.00%> (ø)
pkg/agent/session.go	66.40% <0.00%> (+2.46%)	⬆️
pkg/storage/tree/tree.go	81.40% <0.00%> (+18.61%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8c4e0c2...8e1a01d. Read the comment docs.

[kolesnikovae]

Suggested change

	ctrl.log.Errorf("Error parsing jwt token: %v", err)
	ctrl.log.WithError(err).Error("parsing jwt token")

[Skemba]

Totally forgot about logrus WithError, will add in next commit

[kolesnikovae]

Well, we either can use fmt.Sprintf, or slightly modify the signature:

func (ctrl *Controller) logAndRedirect(w http.ResponseWriter, r *http.Request, format string, args ...interface{})

I think it's okay to invalidate state cookies on error regardless of anything (even if those are missing).

[Skemba]

In general only error can be passed so I'll remove this boolean parameter, pass error when it's available and log it with WithError

[petethepig]

Can we have a way of determining this automatically from request Host header?

[petethepig]

I think ideally:

• it should still be configurable
• by default just be an empty string
• and if it's an empty string the server just guesses it from host header and current request scheme (http / https)
• and we could add something to desc mentioning that you should only set it if pyroscope is under some fancy load balancer

[Skemba]

Hm interesting idea ... In general Host header shouldn't be trusted as they can be spoofed, but in this case I can't think of a problem that would cause us. Worst case scenario I can think of is spoofing the Host header which leads to wrong redirect URL and "400" error page from google. I'll look into doing this.

[Skemba]

Gitlab calls it Application ID while others call it Client ID, but it's used in the same manner in both cases

[Skemba]

We can, we would just have to write it in some kind of persistent storage so that users don't get logged out if pyroscope is restarted. It's either that or making users explicitly generate it, which I think should be a good security practice (but it does make less of the things out-of-the-box)