Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(config): sync hook and mfa config to remote #2861

Open
wants to merge 4 commits into
base: develop
Choose a base branch
from
Open

feat(config): sync hook and mfa config to remote #2861

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
bf14b18
feat(config): sync hook config to remote
sweatybridge Nov 8, 2024
531b242
feat(config): sync mfa and sessions config to remote
sweatybridge Nov 8, 2024
a153ac2
chore: regroup auth config
sweatybridge Nov 8, 2024
6fe7019
fix: validate mfa enroll and verify config
sweatybridge Nov 8, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
124 changes: 110 additions & 14 deletions pkg/config/auth.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,25 +12,24 @@ import (

type (
auth struct {
Enabled bool `toml:"enabled"`
Image string `toml:"-"`
SiteUrl string `toml:"site_url"`
AdditionalRedirectUrls []string `toml:"additional_redirect_urls"`
Enabled bool `toml:"enabled"`
Image string `toml:"-"`

JwtExpiry uint `toml:"jwt_expiry"`
EnableRefreshTokenRotation bool `toml:"enable_refresh_token_rotation"`
RefreshTokenReuseInterval uint `toml:"refresh_token_reuse_interval"`
EnableManualLinking bool `toml:"enable_manual_linking"`
SiteUrl string `toml:"site_url"`
AdditionalRedirectUrls []string `toml:"additional_redirect_urls"`
JwtExpiry uint `toml:"jwt_expiry"`
EnableRefreshTokenRotation bool `toml:"enable_refresh_token_rotation"`
RefreshTokenReuseInterval uint `toml:"refresh_token_reuse_interval"`
EnableManualLinking bool `toml:"enable_manual_linking"`
EnableSignup bool `toml:"enable_signup"`
EnableAnonymousSignIns bool `toml:"enable_anonymous_sign_ins"`

Hook hook `toml:"hook"`
MFA mfa `toml:"mfa"`
Sessions sessions `toml:"sessions"`

EnableSignup bool `toml:"enable_signup"`
EnableAnonymousSignIns bool `toml:"enable_anonymous_sign_ins"`
Email email `toml:"email"`
Sms sms `toml:"sms"`
External external `toml:"external"`
Email email `toml:"email"`
Sms sms `toml:"sms"`
External external `toml:"external"`

// Custom secrets can be injected from .env file
JwtSecret string `toml:"-" mapstructure:"jwt_secret"`
Expand Down Expand Up @@ -192,6 +191,10 @@ func (a *auth) ToUpdateAuthConfigBody() v1API.UpdateAuthConfigBody {
DisableSignup: cast.Ptr(!a.EnableSignup),
ExternalAnonymousUsersEnabled: &a.EnableAnonymousSignIns,
}
a.Hook.toAuthConfigBody(&body)
a.MFA.toAuthConfigBody(&body)
a.Sessions.toAuthConfigBody(&body)
// TODO: email
a.Sms.toAuthConfigBody(&body)
a.External.toAuthConfigBody(&body)
return body
Expand All @@ -207,12 +210,105 @@ func (a *auth) fromRemoteAuthConfig(remoteConfig v1API.AuthConfigResponse) auth
result.EnableManualLinking = cast.Val(remoteConfig.SecurityManualLinkingEnabled, false)
result.EnableSignup = !cast.Val(remoteConfig.DisableSignup, false)
result.EnableAnonymousSignIns = cast.Val(remoteConfig.ExternalAnonymousUsersEnabled, false)
result.Hook.fromAuthConfig(remoteConfig)
result.MFA.fromAuthConfig(remoteConfig)
result.Sessions.fromAuthConfig(remoteConfig)
result.Sms.fromAuthConfig(remoteConfig)
result.External = maps.Clone(result.External)
result.External.fromAuthConfig(remoteConfig)
return result
}

func (h hook) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
if body.HookCustomAccessTokenEnabled = &h.CustomAccessToken.Enabled; *body.HookCustomAccessTokenEnabled {
body.HookCustomAccessTokenUri = &h.CustomAccessToken.URI
body.HookCustomAccessTokenSecrets = &h.CustomAccessToken.Secrets
}
if body.HookSendEmailEnabled = &h.SendEmail.Enabled; *body.HookSendEmailEnabled {
body.HookSendEmailUri = &h.SendEmail.URI
body.HookSendEmailSecrets = &h.SendEmail.Secrets
}
if body.HookSendSmsEnabled = &h.SendSMS.Enabled; *body.HookSendSmsEnabled {
body.HookSendSmsUri = &h.SendSMS.URI
body.HookSendSmsSecrets = &h.SendSMS.Secrets
}
// Enterprise and team only features
if body.HookMfaVerificationAttemptEnabled = &h.MFAVerificationAttempt.Enabled; *body.HookMfaVerificationAttemptEnabled {
body.HookMfaVerificationAttemptUri = &h.MFAVerificationAttempt.URI
body.HookMfaVerificationAttemptSecrets = &h.MFAVerificationAttempt.Secrets
}
if body.HookPasswordVerificationAttemptEnabled = &h.PasswordVerificationAttempt.Enabled; *body.HookPasswordVerificationAttemptEnabled {
body.HookPasswordVerificationAttemptUri = &h.PasswordVerificationAttempt.URI
body.HookPasswordVerificationAttemptSecrets = &h.PasswordVerificationAttempt.Secrets
}
}

func (h *hook) fromAuthConfig(remoteConfig v1API.AuthConfigResponse) {
// Ignore disabled hooks because their envs are not loaded
if h.CustomAccessToken.Enabled {
h.CustomAccessToken.URI = cast.Val(remoteConfig.HookCustomAccessTokenUri, "")
h.CustomAccessToken.Secrets = hashPrefix + cast.Val(remoteConfig.HookCustomAccessTokenSecrets, "")
}
h.CustomAccessToken.Enabled = cast.Val(remoteConfig.HookCustomAccessTokenEnabled, false)
if h.SendEmail.Enabled {
h.SendEmail.URI = cast.Val(remoteConfig.HookSendEmailUri, "")
h.SendEmail.Secrets = hashPrefix + cast.Val(remoteConfig.HookSendEmailSecrets, "")
}
h.SendEmail.Enabled = cast.Val(remoteConfig.HookSendEmailEnabled, false)
if h.SendSMS.Enabled {
h.SendSMS.URI = cast.Val(remoteConfig.HookSendSmsUri, "")
h.SendSMS.Secrets = hashPrefix + cast.Val(remoteConfig.HookSendSmsSecrets, "")
}
h.SendSMS.Enabled = cast.Val(remoteConfig.HookSendSmsEnabled, false)
// Enterprise and team only features
if h.MFAVerificationAttempt.Enabled {
h.MFAVerificationAttempt.URI = cast.Val(remoteConfig.HookMfaVerificationAttemptUri, "")
h.MFAVerificationAttempt.Secrets = hashPrefix + cast.Val(remoteConfig.HookMfaVerificationAttemptSecrets, "")
}
h.MFAVerificationAttempt.Enabled = cast.Val(remoteConfig.HookMfaVerificationAttemptEnabled, false)
if h.PasswordVerificationAttempt.Enabled {
h.PasswordVerificationAttempt.URI = cast.Val(remoteConfig.HookPasswordVerificationAttemptUri, "")
h.PasswordVerificationAttempt.Secrets = hashPrefix + cast.Val(remoteConfig.HookPasswordVerificationAttemptSecrets, "")
}
h.PasswordVerificationAttempt.Enabled = cast.Val(remoteConfig.HookPasswordVerificationAttemptEnabled, false)
}

func (m mfa) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
body.MfaMaxEnrolledFactors = cast.UintToIntPtr(&m.MaxEnrolledFactors)
body.MfaTotpEnrollEnabled = &m.TOTP.EnrollEnabled
body.MfaTotpVerifyEnabled = &m.TOTP.VerifyEnabled
body.MfaPhoneEnrollEnabled = &m.Phone.EnrollEnabled
body.MfaPhoneVerifyEnabled = &m.Phone.VerifyEnabled
body.MfaPhoneOtpLength = cast.UintToIntPtr(&m.Phone.OtpLength)
body.MfaPhoneTemplate = &m.Phone.Template
body.MfaPhoneMaxFrequency = cast.Ptr(int(m.Phone.MaxFrequency.Seconds()))
body.MfaWebAuthnEnrollEnabled = &m.WebAuthn.EnrollEnabled
body.MfaWebAuthnVerifyEnabled = &m.WebAuthn.VerifyEnabled
}

func (m *mfa) fromAuthConfig(remoteConfig v1API.AuthConfigResponse) {
m.MaxEnrolledFactors = cast.IntToUint(cast.Val(remoteConfig.MfaMaxEnrolledFactors, 0))
m.TOTP.EnrollEnabled = cast.Val(remoteConfig.MfaTotpEnrollEnabled, false)
m.TOTP.VerifyEnabled = cast.Val(remoteConfig.MfaTotpVerifyEnabled, false)
m.Phone.EnrollEnabled = cast.Val(remoteConfig.MfaPhoneEnrollEnabled, false)
m.Phone.VerifyEnabled = cast.Val(remoteConfig.MfaPhoneVerifyEnabled, false)
m.Phone.OtpLength = cast.IntToUint(remoteConfig.MfaPhoneOtpLength)
m.Phone.Template = cast.Val(remoteConfig.MfaPhoneTemplate, "")
m.Phone.MaxFrequency = time.Duration(cast.Val(remoteConfig.MfaPhoneMaxFrequency, 0)) * time.Second
m.WebAuthn.EnrollEnabled = cast.Val(remoteConfig.MfaWebAuthnEnrollEnabled, false)
m.WebAuthn.VerifyEnabled = cast.Val(remoteConfig.MfaWebAuthnVerifyEnabled, false)
}

func (s sessions) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
body.SessionsTimebox = cast.Ptr(int(s.Timebox.Seconds()))
body.SessionsInactivityTimeout = cast.Ptr(int(s.InactivityTimeout.Seconds()))
}

func (s *sessions) fromAuthConfig(remoteConfig v1API.AuthConfigResponse) {
s.Timebox = time.Duration(cast.Val(remoteConfig.SessionsTimebox, 0)) * time.Second
s.InactivityTimeout = time.Duration(cast.Val(remoteConfig.SessionsInactivityTimeout, 0)) * time.Second
}

func (s sms) toAuthConfigBody(body *v1API.UpdateAuthConfigBody) {
body.ExternalPhoneEnabled = &s.EnableSignup
body.SmsMaxFrequency = cast.Ptr(int(s.MaxFrequency.Seconds()))
Expand Down
196 changes: 196 additions & 0 deletions pkg/config/auth_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,202 @@ import (
"github.com/supabase/cli/pkg/cast"
)

func TestHookDiff(t *testing.T) {
t.Run("local and remote enabled", func(t *testing.T) {
c := auth{EnableSignup: true, Hook: hook{
CustomAccessToken: hookConfig{Enabled: true},
SendSMS: hookConfig{Enabled: true},
SendEmail: hookConfig{Enabled: true},
MFAVerificationAttempt: hookConfig{Enabled: true},
PasswordVerificationAttempt: hookConfig{Enabled: true},
}}
// Run test
diff, err := c.DiffWithRemote("", v1API.AuthConfigResponse{
HookCustomAccessTokenEnabled: cast.Ptr(true),
HookCustomAccessTokenUri: cast.Ptr(""),
HookCustomAccessTokenSecrets: cast.Ptr("b613679a0814d9ec772f95d778c35fc5ff1697c493715653c6c712144292c5ad"),
HookSendEmailEnabled: cast.Ptr(true),
HookSendEmailUri: cast.Ptr(""),
HookSendEmailSecrets: cast.Ptr("b613679a0814d9ec772f95d778c35fc5ff1697c493715653c6c712144292c5ad"),
HookSendSmsEnabled: cast.Ptr(true),
HookSendSmsUri: cast.Ptr(""),
HookSendSmsSecrets: cast.Ptr("b613679a0814d9ec772f95d778c35fc5ff1697c493715653c6c712144292c5ad"),
HookMfaVerificationAttemptEnabled: cast.Ptr(true),
HookMfaVerificationAttemptUri: cast.Ptr(""),
HookMfaVerificationAttemptSecrets: cast.Ptr("b613679a0814d9ec772f95d778c35fc5ff1697c493715653c6c712144292c5ad"),
HookPasswordVerificationAttemptEnabled: cast.Ptr(true),
HookPasswordVerificationAttemptUri: cast.Ptr(""),
HookPasswordVerificationAttemptSecrets: cast.Ptr("b613679a0814d9ec772f95d778c35fc5ff1697c493715653c6c712144292c5ad"),
})
// Check error
assert.NoError(t, err)
assert.Empty(t, string(diff))
})

t.Run("local enabled and disabled", func(t *testing.T) {
c := auth{EnableSignup: true, Hook: hook{
CustomAccessToken: hookConfig{Enabled: true},
MFAVerificationAttempt: hookConfig{Enabled: false},
}}
// Run test
diff, err := c.DiffWithRemote("", v1API.AuthConfigResponse{
HookCustomAccessTokenEnabled: cast.Ptr(false),
HookCustomAccessTokenUri: cast.Ptr(""),
HookCustomAccessTokenSecrets: cast.Ptr("b613679a0814d9ec772f95d778c35fc5ff1697c493715653c6c712144292c5ad"),
HookMfaVerificationAttemptEnabled: cast.Ptr(true),
HookMfaVerificationAttemptUri: cast.Ptr(""),
HookMfaVerificationAttemptSecrets: cast.Ptr("b613679a0814d9ec772f95d778c35fc5ff1697c493715653c6c712144292c5ad"),
})
// Check error
assert.NoError(t, err)

assert.Contains(t, string(diff), `[hook.mfa_verification_attempt]`)
assert.Contains(t, string(diff), `-enabled = true`)
assert.Contains(t, string(diff), `+enabled = false`)
assert.Contains(t, string(diff), `uri = ""`)
assert.Contains(t, string(diff), `secrets = ""`)

assert.Contains(t, string(diff), `[hook.custom_access_token]`)
assert.Contains(t, string(diff), `-enabled = false`)
assert.Contains(t, string(diff), `+enabled = true`)
assert.Contains(t, string(diff), `uri = ""`)
Comment on lines +61 to +70
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question

Is there an equivalent to toMatchInlineSnapshot in Go ? That could maybe be useful instead of repeating the contains for every line as it would also test for the lines order.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not that I'm aware of. But I'm interested as well.

A low hanging fruit is to write the expected diff output to a file under testdata for comparison.

assert.Contains(t, string(diff), `secrets = "hash:b613679a0814d9ec772f95d778c35fc5ff1697c493715653c6c712144292c5ad"`)
})

t.Run("local and remote disabled", func(t *testing.T) {
c := auth{EnableSignup: true}
// Run test
diff, err := c.DiffWithRemote("", v1API.AuthConfigResponse{
HookCustomAccessTokenEnabled: cast.Ptr(false),
HookSendEmailEnabled: cast.Ptr(false),
HookSendSmsEnabled: cast.Ptr(false),
HookMfaVerificationAttemptEnabled: cast.Ptr(false),
HookPasswordVerificationAttemptEnabled: cast.Ptr(false),
})
// Check error
assert.NoError(t, err)
assert.Empty(t, string(diff))
})
}

func TestMfaDiff(t *testing.T) {
t.Run("local and remote enabled", func(t *testing.T) {
c := auth{EnableSignup: true, MFA: mfa{
TOTP: factorTypeConfiguration{
EnrollEnabled: true,
VerifyEnabled: true,
},
Phone: phoneFactorTypeConfiguration{
factorTypeConfiguration: factorTypeConfiguration{
EnrollEnabled: true,
VerifyEnabled: true,
},
OtpLength: 6,
Template: "Your code is {{ .Code }}",
MaxFrequency: 5 * time.Second,
},
WebAuthn: factorTypeConfiguration{
EnrollEnabled: true,
VerifyEnabled: true,
},
MaxEnrolledFactors: 10,
}}
// Run test
diff, err := c.DiffWithRemote("", v1API.AuthConfigResponse{
MfaMaxEnrolledFactors: cast.Ptr(10),
MfaTotpEnrollEnabled: cast.Ptr(true),
MfaTotpVerifyEnabled: cast.Ptr(true),
MfaPhoneEnrollEnabled: cast.Ptr(true),
MfaPhoneVerifyEnabled: cast.Ptr(true),
MfaPhoneOtpLength: 6,
MfaPhoneTemplate: cast.Ptr("Your code is {{ .Code }}"),
MfaPhoneMaxFrequency: cast.Ptr(5),
MfaWebAuthnEnrollEnabled: cast.Ptr(true),
MfaWebAuthnVerifyEnabled: cast.Ptr(true),
})
// Check error
assert.NoError(t, err)
assert.Empty(t, string(diff))
})

t.Run("local enabled and disabled", func(t *testing.T) {
c := auth{EnableSignup: true, MFA: mfa{
TOTP: factorTypeConfiguration{
EnrollEnabled: false,
VerifyEnabled: false,
},
Phone: phoneFactorTypeConfiguration{
factorTypeConfiguration: factorTypeConfiguration{
EnrollEnabled: true,
VerifyEnabled: true,
},
},
}}
// Run test
diff, err := c.DiffWithRemote("", v1API.AuthConfigResponse{
MfaMaxEnrolledFactors: cast.Ptr(10),
MfaTotpEnrollEnabled: cast.Ptr(false),
MfaTotpVerifyEnabled: cast.Ptr(false),
MfaPhoneEnrollEnabled: cast.Ptr(false),
MfaPhoneVerifyEnabled: cast.Ptr(false),
MfaPhoneOtpLength: 6,
MfaPhoneTemplate: cast.Ptr("Your code is {{ .Code }}"),
MfaPhoneMaxFrequency: cast.Ptr(5),
MfaWebAuthnEnrollEnabled: cast.Ptr(false),
MfaWebAuthnVerifyEnabled: cast.Ptr(false),
})
// Check error
assert.NoError(t, err)
assert.Contains(t, string(diff), ` [mfa]`)
assert.Contains(t, string(diff), `-max_enrolled_factors = 10`)
assert.Contains(t, string(diff), `+max_enrolled_factors = 0`)
assert.Contains(t, string(diff), ` [mfa.totp]`)
assert.Contains(t, string(diff), ` enroll_enabled = false`)
assert.Contains(t, string(diff), ` verify_enabled = false`)
assert.Contains(t, string(diff), ` [mfa.phone]`)
assert.Contains(t, string(diff), `-enroll_enabled = false`)
assert.Contains(t, string(diff), `-verify_enabled = false`)
assert.Contains(t, string(diff), `-otp_length = 6`)
assert.Contains(t, string(diff), `-template = "Your code is {{ .Code }}"`)
assert.Contains(t, string(diff), `-max_frequency = "5s"`)
assert.Contains(t, string(diff), `+enroll_enabled = true`)
assert.Contains(t, string(diff), `+verify_enabled = true`)
assert.Contains(t, string(diff), `+otp_length = 0`)
assert.Contains(t, string(diff), `+template = ""`)
assert.Contains(t, string(diff), `+max_frequency = "0s"`)
assert.Contains(t, string(diff), ` [mfa.web_authn]`)
assert.Contains(t, string(diff), ` enroll_enabled = false`)
assert.Contains(t, string(diff), ` verify_enabled = false`)
})

t.Run("local and remote disabled", func(t *testing.T) {
c := auth{EnableSignup: true, MFA: mfa{
MaxEnrolledFactors: 10,
Phone: phoneFactorTypeConfiguration{
OtpLength: 6,
Template: "Your code is {{ .Code }}",
MaxFrequency: 5 * time.Second,
},
}}
// Run test
diff, err := c.DiffWithRemote("", v1API.AuthConfigResponse{
MfaMaxEnrolledFactors: cast.Ptr(10),
MfaTotpEnrollEnabled: cast.Ptr(false),
MfaTotpVerifyEnabled: cast.Ptr(false),
MfaPhoneEnrollEnabled: cast.Ptr(false),
MfaPhoneVerifyEnabled: cast.Ptr(false),
MfaPhoneOtpLength: 6,
MfaPhoneTemplate: cast.Ptr("Your code is {{ .Code }}"),
MfaPhoneMaxFrequency: cast.Ptr(5),
MfaWebAuthnEnrollEnabled: cast.Ptr(false),
MfaWebAuthnVerifyEnabled: cast.Ptr(false),
})
// Check error
assert.NoError(t, err)
assert.Empty(t, string(diff))
})
}

func TestSmsDiff(t *testing.T) {
t.Run("local enabled remote enabled", func(t *testing.T) {
c := auth{EnableSignup: true, Sms: sms{
Expand Down
Loading