feat: add --disable-direct flag to CLI (coder#8131)

deansheather · web-flow · commit 24b95e16c412 · 2023-06-21T20:22:43.000Z
diff --git a/cli/ping.go b/cli/ping.go
@@ -49,7 +49,13 @@ func (r *RootCmd) ping() *clibase.Cmd {
 				logger = slog.Make(sloghuman.Sink(inv.Stdout)).Leveled(slog.LevelDebug)
 			}
 
-			conn, err := client.DialWorkspaceAgent(ctx, workspaceAgent.ID, &codersdk.DialWorkspaceAgentOptions{Logger: logger})
+			if r.disableDirect {
+				_, _ = fmt.Fprintln(inv.Stderr, "Direct connections disabled.")
+			}
+			conn, err := client.DialWorkspaceAgent(ctx, workspaceAgent.ID, &codersdk.DialWorkspaceAgentOptions{
+				Logger:         logger,
+				BlockEndpoints: r.disableDirect,
+			})
 			if err != nil {
 				return err
 			}
diff --git a/cli/portforward.go b/cli/portforward.go
@@ -15,6 +15,9 @@ import (
 	"github.com/pion/udp"
 	"golang.org/x/xerrors"
 
+	"cdr.dev/slog"
+	"cdr.dev/slog/sloggers/sloghuman"
+
 	"github.com/coder/coder/agent/agentssh"
 	"github.com/coder/coder/cli/clibase"
 	"github.com/coder/coder/cli/cliui"
@@ -98,7 +101,18 @@ func (r *RootCmd) portForward() *clibase.Cmd {
 				return xerrors.Errorf("await agent: %w", err)
 			}
 
-			conn, err := client.DialWorkspaceAgent(ctx, workspaceAgent.ID, nil)
+			var logger slog.Logger
+			if r.verbose {
+				logger = slog.Make(sloghuman.Sink(inv.Stdout)).Leveled(slog.LevelDebug)
+			}
+
+			if r.disableDirect {
+				_, _ = fmt.Fprintln(inv.Stderr, "Direct connections disabled.")
+			}
+			conn, err := client.DialWorkspaceAgent(ctx, workspaceAgent.ID, &codersdk.DialWorkspaceAgentOptions{
+				Logger:         logger,
+				BlockEndpoints: r.disableDirect,
+			})
 			if err != nil {
 				return err
 			}
diff --git a/cli/root.go b/cli/root.go
@@ -60,6 +60,7 @@ const (
 	varNoFeatureWarning = "no-feature-warning"
 	varForceTty         = "force-tty"
 	varVerbose          = "verbose"
+	varDisableDirect    = "disable-direct-connections"
 	notLoggedInMessage  = "You are not logged in. Try logging in using 'coder login <url>'."
 
 	envNoVersionCheck   = "CODER_NO_VERSION_WARNING"
@@ -367,6 +368,13 @@ func (r *RootCmd) Command(subcommands []*clibase.Cmd) (*clibase.Cmd, error) {
 			Value:         clibase.BoolOf(&r.verbose),
 			Group:         globalGroup,
 		},
+		{
+			Flag:        varDisableDirect,
+			Env:         "CODER_DISABLE_DIRECT_CONNECTIONS",
+			Description: "Disable direct (P2P) connections to workspaces.",
+			Value:       clibase.BoolOf(&r.disableDirect),
+			Group:       globalGroup,
+		},
 		{
 			Flag:        "debug-http",
 			Description: "Debug codersdk HTTP requests.",
@@ -413,16 +421,17 @@ func isTest() bool {
 
 // RootCmd contains parameters and helpers useful to all commands.
 type RootCmd struct {
-	clientURL    *url.URL
-	token        string
-	globalConfig string
-	header       []string
-	agentToken   string
-	agentURL     *url.URL
-	forceTTY     bool
-	noOpen       bool
-	verbose      bool
-	debugHTTP    bool
+	clientURL     *url.URL
+	token         string
+	globalConfig  string
+	header        []string
+	agentToken    string
+	agentURL      *url.URL
+	forceTTY      bool
+	noOpen        bool
+	verbose       bool
+	disableDirect bool
+	debugHTTP     bool
 
 	noVersionCheck   bool
 	noFeatureWarning bool
@@ -524,6 +533,7 @@ func (r *RootCmd) InitClient(client *codersdk.Client) clibase.MiddlewareFunc {
 				client.PlainLogger = os.Stderr
 				client.LogBodies = true
 			}
+			client.DisableDirectConnections = r.disableDirect
 
 			// We send these requests in parallel to minimize latency.
 			var (
diff --git a/cli/speedtest.go b/cli/speedtest.go
@@ -50,13 +50,18 @@ func (r *RootCmd) speedtest() *clibase.Cmd {
 			if err != nil && !xerrors.Is(err, cliui.AgentStartError) {
 				return xerrors.Errorf("await agent: %w", err)
 			}
+
 			logger, ok := LoggerFromContext(ctx)
 			if !ok {
 				logger = slog.Make(sloghuman.Sink(inv.Stderr))
 			}
 			if r.verbose {
 				logger = logger.Leveled(slog.LevelDebug)
 			}
+
+			if r.disableDirect {
+				_, _ = fmt.Fprintln(inv.Stderr, "Direct connections disabled.")
+			}
 			conn, err := client.DialWorkspaceAgent(ctx, workspaceAgent.ID, &codersdk.DialWorkspaceAgentOptions{
 				Logger: logger,
 			})
diff --git a/cli/ssh.go b/cli/ssh.go
@@ -195,8 +195,12 @@ func (r *RootCmd) ssh() *clibase.Cmd {
 				// We don't print the error because cliui.Agent does that for us.
 			}
 
+			if r.disableDirect {
+				_, _ = fmt.Fprintln(inv.Stderr, "Direct connections disabled.")
+			}
 			conn, err := client.DialWorkspaceAgent(ctx, workspaceAgent.ID, &codersdk.DialWorkspaceAgentOptions{
-				Logger: logger,
+				Logger:         logger,
+				BlockEndpoints: r.disableDirect,
 			})
 			if err != nil {
 				return xerrors.Errorf("dial agent: %w", err)
diff --git a/cli/testdata/coder_--help.golden b/cli/testdata/coder_--help.golden
@@ -51,6 +51,9 @@ variables or flags.
       --debug-options bool
           Print all options, how they're set, then exit.
 
+      --disable-direct-connections bool, $CODER_DISABLE_DIRECT_CONNECTIONS
+          Disable direct (P2P) connections to workspaces.
+
       --global-config string, $CODER_CONFIG_DIR (default: ~/.config/coderv2)
           Path to the global `coder` config directory.
 
diff --git a/cli/vscodessh.go b/cli/vscodessh.go
@@ -17,6 +17,9 @@ import (
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/netlogtype"
 
+	"cdr.dev/slog"
+	"cdr.dev/slog/sloggers/sloghuman"
+
 	"github.com/coder/coder/cli/clibase"
 	"github.com/coder/coder/codersdk"
 )
@@ -126,7 +129,18 @@ func (r *RootCmd) vscodeSSH() *clibase.Cmd {
 				}
 			}
 
-			agentConn, err := client.DialWorkspaceAgent(ctx, agent.ID, &codersdk.DialWorkspaceAgentOptions{})
+			var logger slog.Logger
+			if r.verbose {
+				logger = slog.Make(sloghuman.Sink(inv.Stdout)).Leveled(slog.LevelDebug)
+			}
+
+			if r.disableDirect {
+				_, _ = fmt.Fprintln(inv.Stderr, "Direct connections disabled.")
+			}
+			agentConn, err := client.DialWorkspaceAgent(ctx, agent.ID, &codersdk.DialWorkspaceAgentOptions{
+				Logger:         logger,
+				BlockEndpoints: r.disableDirect,
+			})
 			if err != nil {
 				return xerrors.Errorf("dial workspace agent: %w", err)
 			}
diff --git a/codersdk/client.go b/codersdk/client.go
@@ -117,6 +117,11 @@ type Client struct {
 	// Trace can be enabled to propagate tracing spans to the Coder API.
 	// This is useful for tracking a request end-to-end.
 	Trace bool
+
+	// DisableDirectConnections forces any connections to workspaces to go
+	// through DERP, regardless of the BlockEndpoints setting on each
+	// connection.
+	DisableDirectConnections bool
 }
 
 // SessionToken returns the currently set token for the client.
diff --git a/codersdk/workspaceagents.go b/codersdk/workspaceagents.go
@@ -193,7 +193,8 @@ func (c *Client) WorkspaceAgentConnectionInfo(ctx context.Context) (*WorkspaceAg
 // @typescript-ignore DialWorkspaceAgentOptions
 type DialWorkspaceAgentOptions struct {
 	Logger slog.Logger
-	// BlockEndpoints forced a direct connection through DERP.
+	// BlockEndpoints forced a direct connection through DERP. The Client may
+	// have DisableDirect set which will override this value.
 	BlockEndpoints bool
 }
 
@@ -228,7 +229,7 @@ func (c *Client) DialWorkspaceAgent(ctx context.Context, agentID uuid.UUID, opti
 		DERPMap:        connInfo.DERPMap,
 		DERPHeader:     &header,
 		Logger:         options.Logger,
-		BlockEndpoints: options.BlockEndpoints,
+		BlockEndpoints: c.DisableDirectConnections || options.BlockEndpoints,
 	})
 	if err != nil {
 		return nil, xerrors.Errorf("create tailnet: %w", err)
diff --git a/docs/cli.md b/docs/cli.md
@@ -68,6 +68,15 @@ Coder — A tool for provisioning self-hosted development environments with Terr
 
 Print all options, how they're set, then exit.
 
+### --disable-direct-connections
+
+|             |                                                |
+| ----------- | ---------------------------------------------- |
+| Type        | <code>bool</code>                              |
+| Environment | <code>$CODER_DISABLE_DIRECT_CONNECTIONS</code> |
+
+Disable direct (P2P) connections to workspaces.
+
 ### --global-config
 
 |             |                                |
diff --git a/enterprise/cli/testdata/coder_--help.golden b/enterprise/cli/testdata/coder_--help.golden
@@ -23,6 +23,9 @@ variables or flags.
       --debug-options bool
           Print all options, how they're set, then exit.
 
+      --disable-direct-connections bool, $CODER_DISABLE_DIRECT_CONNECTIONS
+          Disable direct (P2P) connections to workspaces.
+
       --global-config string, $CODER_CONFIG_DIR (default: ~/.config/coderv2)
           Path to the global `coder` config directory.
 

Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,13 @@ func (r RootCmd) ping() clibase.Cmd {`
`49`	`49`	`logger = slog.Make(sloghuman.Sink(inv.Stdout)).Leveled(slog.LevelDebug)`
`50`	`50`	`}`
`51`	`51`
`52`		`- conn, err := client.DialWorkspaceAgent(ctx, workspaceAgent.ID, &codersdk.DialWorkspaceAgentOptions{Logger: logger})`
	`52`	`+ if r.disableDirect {`
	`53`	`+ _, _ = fmt.Fprintln(inv.Stderr, "Direct connections disabled.")`
	`54`	`+ }`
	`55`	`+ conn, err := client.DialWorkspaceAgent(ctx, workspaceAgent.ID, &codersdk.DialWorkspaceAgentOptions{`
	`56`	`+ Logger: logger,`
	`57`	`+ BlockEndpoints: r.disableDirect,`
	`58`	`+ })`
`53`	`59`	`if err != nil {`
`54`	`60`	`return err`
`55`	`61`	`}`
Original file line number	Diff line number	Diff line change
`@@ -50,13 +50,18 @@ func (r RootCmd) speedtest() clibase.Cmd {`
`50`	`50`	`if err != nil && !xerrors.Is(err, cliui.AgentStartError) {`
`51`	`51`	`return xerrors.Errorf("await agent: %w", err)`
`52`	`52`	`}`
	`53`	`+`
`53`	`54`	`logger, ok := LoggerFromContext(ctx)`
`54`	`55`	`if !ok {`
`55`	`56`	`logger = slog.Make(sloghuman.Sink(inv.Stderr))`
`56`	`57`	`}`
`57`	`58`	`if r.verbose {`
`58`	`59`	`logger = logger.Leveled(slog.LevelDebug)`
`59`	`60`	`}`
	`61`	`+`
	`62`	`+ if r.disableDirect {`
	`63`	`+ _, _ = fmt.Fprintln(inv.Stderr, "Direct connections disabled.")`
	`64`	`+ }`
`60`	`65`	`conn, err := client.DialWorkspaceAgent(ctx, workspaceAgent.ID, &codersdk.DialWorkspaceAgentOptions{`
`61`	`66`	`Logger: logger,`
`62`	`67`	`})`