ExternalProxy -> WorkspaceProxy

Emyrk · Emyrk · commit 06fb88b345c1 · 2023-04-17T10:21:30.000-05:00
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -671,14 +671,13 @@ func New(options *Options) *API {
 			})
 			r.Route("/{workspaceagent}", func(r chi.Router) {
 				r.Use(
-					// Allow either API key or external proxy auth and require
-					// it.
+					// Allow either API key or external workspace proxy auth and require it.
 					apiKeyMiddlewareOptional,
-					httpmw.ExtractExternalProxy(httpmw.ExtractExternalProxyConfig{
+					httpmw.ExtractWorkspaceProxy(httpmw.ExtractWorkspaceProxyConfig{
 						DB:       options.Database,
 						Optional: true,
 					}),
-					httpmw.RequireAPIKeyOrExternalProxyAuth(),
+					httpmw.RequireAPIKeyOrWorkspaceProxyAuth(),
 
 					httpmw.ExtractWorkspaceAgentParam(options.Database),
 					httpmw.ExtractWorkspaceParam(options.Database),
diff --git a/coderd/httpmw/actor.go b/coderd/httpmw/actor.go
@@ -4,28 +4,27 @@ import (
 	"net/http"
 
 	"github.com/coder/coder/coderd/httpapi"
-	"github.com/coder/coder/coderd/rbac"
 	"github.com/coder/coder/codersdk"
 )
 
-// RequireAPIKeyOrExternalProxyAuth is middleware that should be inserted after
-// optional ExtractAPIKey and ExtractExternalProxy middlewares to ensure one of
+// RequireAPIKeyOrWorkspaceProxyAuth is middleware that should be inserted after
+// optional ExtractAPIKey and ExtractWorkspaceProxy middlewares to ensure one of
 // the two authentication methods is provided.
 //
 // If both are provided, an error is returned to avoid misuse.
-func RequireAPIKeyOrExternalProxyAuth() func(http.Handler) http.Handler {
+func RequireAPIKeyOrWorkspaceProxyAuth() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			_, hasAPIKey := APIKeyOptional(r)
-			_, hasExternalProxy := ExternalProxyOptional(r)
+			_, hasWorkspaceProxy := WorkspaceProxyOptional(r)
 
-			if hasAPIKey && hasExternalProxy {
+			if hasAPIKey && hasWorkspaceProxy {
 				httpapi.Write(r.Context(), w, http.StatusBadRequest, codersdk.Response{
 					Message: "API key and external proxy authentication provided, but only one is allowed",
 				})
 				return
 			}
-			if !hasAPIKey && !hasExternalProxy {
+			if !hasAPIKey && !hasWorkspaceProxy {
 				httpapi.Write(r.Context(), w, http.StatusUnauthorized, codersdk.Response{
 					Message: "API key or external proxy authentication required, but none provided",
 				})
@@ -39,32 +38,11 @@ func RequireAPIKeyOrExternalProxyAuth() func(http.Handler) http.Handler {
 
 // Actor is a function that returns the request authorization. If the request is
 // unauthenticated, the second return value is false.
-//
-// If the request was authenticated with an API key, the actor will be the user
-// associated with the API key as well as the API key permissions.
-//
-// If the request was authenticated with an external proxy token, the actor will
-// be a fake system actor with full permissions.
 func Actor(r *http.Request) (Authorization, bool) {
 	userAuthz, ok := UserAuthorizationOptional(r)
 	if ok {
 		return userAuthz, true
 	}
 
-	proxy, ok := ExternalProxyOptional(r)
-	if ok {
-		return Authorization{
-			Actor: rbac.Subject{
-				ID: "proxy:" + proxy.ID.String(),
-				// We don't have a system role currently so just use owner for now.
-				// TODO: add a system role
-				Roles:  rbac.RoleNames{rbac.RoleOwner()},
-				Groups: []string{},
-				Scope:  rbac.ScopeAll,
-			},
-			ActorName: "proxy_" + proxy.Name,
-		}, true
-	}
-
 	return Authorization{}, false
 }
diff --git a/coderd/httpmw/workspaceproxy.go b/coderd/httpmw/workspaceproxy.go
@@ -18,36 +18,36 @@ import (
 )
 
 const (
-	// ExternalProxyAuthTokenHeader is the auth header used for requests from
+	// WorkspaceProxyAuthTokenHeader is the auth header used for requests from
 	// external workspace proxies.
 	//
 	// The format of an external proxy token is:
 	//     <proxy id>:<proxy secret>
 	//
 	//nolint:gosec
-	ExternalProxyAuthTokenHeader = "Coder-External-Proxy-Token"
+	WorkspaceProxyAuthTokenHeader = "Coder-External-Proxy-Token"
 )
 
-type externalProxyContextKey struct{}
+type workspaceProxyContextKey struct{}
 
-// ExternalProxy may return the workspace proxy from the ExtractExternalProxy
+// WorkspaceProxyOptional may return the workspace proxy from the ExtractWorkspaceProxy
 // middleware.
-func ExternalProxyOptional(r *http.Request) (database.WorkspaceProxy, bool) {
-	proxy, ok := r.Context().Value(externalProxyContextKey{}).(database.WorkspaceProxy)
+func WorkspaceProxyOptional(r *http.Request) (database.WorkspaceProxy, bool) {
+	proxy, ok := r.Context().Value(workspaceProxyContextKey{}).(database.WorkspaceProxy)
 	return proxy, ok
 }
 
-// ExternalProxy returns the workspace proxy from the ExtractExternalProxy
+// WorkspaceProxy returns the workspace proxy from the ExtractWorkspaceProxy
 // middleware.
-func ExternalProxy(r *http.Request) database.WorkspaceProxy {
-	proxy, ok := ExternalProxyOptional(r)
+func WorkspaceProxy(r *http.Request) database.WorkspaceProxy {
+	proxy, ok := WorkspaceProxyOptional(r)
 	if !ok {
-		panic("developer error: ExtractExternalProxy middleware not provided")
+		panic("developer error: ExtractWorkspaceProxy middleware not provided")
 	}
 	return proxy
 }
 
-type ExtractExternalProxyConfig struct {
+type ExtractWorkspaceProxyConfig struct {
 	DB database.Store
 	// Optional indicates whether the middleware should be optional. If true,
 	// any requests without the external proxy auth token header will be
@@ -56,14 +56,14 @@ type ExtractExternalProxyConfig struct {
 	Optional bool
 }
 
-// ExtractExternalProxy extracts the external workspace proxy from the request
+// ExtractWorkspaceProxy extracts the external workspace proxy from the request
 // using the external proxy auth token header.
-func ExtractExternalProxy(opts ExtractExternalProxyConfig) func(http.Handler) http.Handler {
+func ExtractWorkspaceProxy(opts ExtractWorkspaceProxyConfig) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			ctx := r.Context()
 
-			token := r.Header.Get(ExternalProxyAuthTokenHeader)
+			token := r.Header.Get(WorkspaceProxyAuthTokenHeader)
 			if token == "" {
 				if opts.Optional {
 					next.ServeHTTP(w, r)
@@ -134,7 +134,7 @@ func ExtractExternalProxy(opts ExtractExternalProxyConfig) func(http.Handler) ht
 			}
 
 			ctx = r.Context()
-			ctx = context.WithValue(ctx, externalProxyContextKey{}, proxy)
+			ctx = context.WithValue(ctx, workspaceProxyContextKey{}, proxy)
 			//nolint:gocritic // Workspace proxies have full permissions. The
 			// workspace proxy auth middleware is not mounted to every route, so
 			// they can still only access the routes that the middleware is
@@ -143,7 +143,7 @@ func ExtractExternalProxy(opts ExtractExternalProxyConfig) func(http.Handler) ht
 			subj, ok := dbauthz.ActorFromContext(ctx)
 			if !ok {
 				// This should never happen
-				httpapi.InternalServerError(w, xerrors.New("developer error: ExtractExternalProxy missing rbac actor"))
+				httpapi.InternalServerError(w, xerrors.New("developer error: ExtractWorkspaceProxy missing rbac actor"))
 				return
 			}
 			// Use the same subject for the userAuthKey
diff --git a/enterprise/coderd/coderd.go b/enterprise/coderd/coderd.go
@@ -90,7 +90,7 @@ func New(ctx context.Context, options *Options) (*API, error) {
 			r.Get("/", api.workspaceProxies)
 			r.Route("/me", func(r chi.Router) {
 				r.Use(
-					httpmw.ExtractExternalProxy(httpmw.ExtractExternalProxyConfig{
+					httpmw.ExtractWorkspaceProxy(httpmw.ExtractWorkspaceProxyConfig{
 						DB:       options.Database,
 						Optional: false,
 					}),
diff --git a/enterprise/wsproxy/proxy_test.go b/enterprise/wsproxy/proxy_test.go
@@ -13,7 +13,7 @@ import (
 	"github.com/coder/coder/enterprise/coderd/license"
 )
 
-func TestExternalProxyWorkspaceApps(t *testing.T) {
+func TestWorkspaceProxyWorkspaceApps(t *testing.T) {
 	t.Parallel()
 
 	apptest.Run(t, func(t *testing.T, opts *apptest.DeploymentOptions) *apptest.Deployment {
diff --git a/enterprise/wsproxy/wsproxysdk/client.go b/enterprise/wsproxy/wsproxysdk/client.go
@@ -23,13 +23,13 @@ type Client struct {
 // URL.
 func New(serverURL *url.URL) *Client {
 	coderSDKClient := codersdk.New(serverURL)
-	coderSDKClient.SessionTokenHeader = httpmw.ExternalProxyAuthTokenHeader
+	coderSDKClient.SessionTokenHeader = httpmw.WorkspaceProxyAuthTokenHeader
 
 	coderSDKClientIgnoreRedirects := codersdk.New(serverURL)
 	coderSDKClientIgnoreRedirects.HTTPClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {
 		return http.ErrUseLastResponse
 	}
-	coderSDKClientIgnoreRedirects.SessionTokenHeader = httpmw.ExternalProxyAuthTokenHeader
+	coderSDKClientIgnoreRedirects.SessionTokenHeader = httpmw.WorkspaceProxyAuthTokenHeader
 
 	return &Client{
 		CoderSDKClient:                coderSDKClient,
diff --git a/enterprise/wsproxy/wsproxysdk/proxyinternal_test.go b/enterprise/wsproxy/wsproxysdk/proxyinternal_test.go
@@ -43,7 +43,7 @@ func Test_IssueSignedAppTokenHTML(t *testing.T) {
 
 			assert.Equal(t, r.Method, http.MethodPost)
 			assert.Equal(t, r.URL.Path, "/api/v2/workspaceproxies/me/issue-signed-app-token")
-			assert.Equal(t, r.Header.Get(httpmw.ExternalProxyAuthTokenHeader), expectedProxyToken)
+			assert.Equal(t, r.Header.Get(httpmw.WorkspaceProxyAuthTokenHeader), expectedProxyToken)
 
 			var req workspaceapps.IssueTokenRequest
 			err := json.NewDecoder(r.Body).Decode(&req)
@@ -103,7 +103,7 @@ func Test_IssueSignedAppTokenHTML(t *testing.T) {
 
 			assert.Equal(t, r.Method, http.MethodPost)
 			assert.Equal(t, r.URL.Path, "/api/v2/workspaceproxies/me/issue-signed-app-token")
-			assert.Equal(t, r.Header.Get(httpmw.ExternalProxyAuthTokenHeader), expectedProxyToken)
+			assert.Equal(t, r.Header.Get(httpmw.WorkspaceProxyAuthTokenHeader), expectedProxyToken)
 
 			rw.WriteHeader(expectedResponseStatus)
 			_, _ = rw.Write([]byte(expectedResponseBody))

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@ import (`
`13`	`13`	`"github.com/coder/coder/enterprise/coderd/license"`
`14`	`14`	`)`
`15`	`15`
`16`		`-func TestExternalProxyWorkspaceApps(t *testing.T) {`
	`16`	`+func TestWorkspaceProxyWorkspaceApps(t *testing.T) {`
`17`	`17`	`t.Parallel()`
`18`	`18`
`19`	`19`	`apptest.Run(t, func(t testing.T, opts apptest.DeploymentOptions) *apptest.Deployment {`