
Commit 0a1af72

committed
chore: Handle custom workspace proxy options. Remove excess
1 parent 7271e8f commit 0a1af72


3 files changed

+107
-38
lines changed


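--- a/cli/clibase/option.go
+++ b/cli/clibase/option.go
@@ -80,6 +80,16 @@ func (s *OptionSet) Add(opts ...Option) {
 *s = append(*s, opts...)
 }
 
+func (s OptionSet) Filter(filter func(opt Option) bool) OptionSet {
+cpy := make(OptionSet, 0)
+for _, opt := range s {
+if filter(opt) {
+cpy = append(cpy, opt)
+}
+}
+return cpy
+}
+
 // FlagSet returns a pflag.FlagSet for the OptionSet.
 func (s *OptionSet) FlagSet() *pflag.FlagSet {
 if s == nil {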
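Review bot: The new exported method `Filter` (new lines 83-91) has no doc comment, and nothing states that the result is a shallow copy: each `Option` is copied by value, so pointer fields such as `Value` (set to `&c.HTTPAddress` and similar in codersdk/deployment.go) stay shared with the original set. I would add `// Filter returns a new OptionSet holding the options for which filter returns true. Options are copied by value, so pointer fields are shared with s.` A nil `filter` panics on the first element, which is worth stating in the same comment if nil is not meant to be accepted. `make(OptionSet, 0)` could be `var cpy OptionSet` unless a non-nil empty result is intended.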

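--- a/codersdk/deployment.go
+++ b/codersdk/deployment.go
@@ -333,10 +333,17 @@ type DangerousConfig struct {
 }
 
 const (
-flagEnterpriseKey = "enterprise"
-flagSecretKey = "secret"
+flagEnterpriseKey = "enterprise"
+flagSecretKey = "secret"
+flagExternalProxies = "external_workspace_proxies"
 )
 
+func IsExternalProxies(opt clibase.Option) bool {
+// If it is a bool, use the bool value.
+b, _ := strconv.ParseBool(opt.Annotations[flagExternalProxies])
+return b
+}
+
 func IsSecretDeploymentOption(opt clibase.Option) bool {
 return opt.Annotations.IsSet(flagSecretKey)
 }
@@ -470,6 +477,7 @@ when required by your organization's security policy.`,
 Value: &c.HTTPAddress,
 Group: &deploymentGroupNetworkingHTTP,
 YAML: "httpAddress",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 }
 tlsBindAddress := clibase.Option{
 Name: "TLS Address",
@@ -480,6 +488,7 @@ when required by your organization's security policy.`,
 Value: &c.TLS.Address,
 Group: &deploymentGroupNetworkingTLS,
 YAML: "address",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 }
 redirectToAccessURL := clibase.Option{
 Name: "Redirect to Access URL",
@@ -499,6 +508,7 @@ when required by your organization's security policy.`,
 Env: "CODER_ACCESS_URL",
 Group: &deploymentGroupNetworking,
 YAML: "accessURL",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Wildcard Access URL",
@@ -508,6 +518,7 @@ when required by your organization's security policy.`,
 Value: &c.WildcardAccessURL,
 Group: &deploymentGroupNetworking,
 YAML: "wildcardAccessURL",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 redirectToAccessURL,
 {
@@ -534,7 +545,8 @@ when required by your organization's security policy.`,
 httpAddress,
 tlsBindAddress,
 },
-Group: &deploymentGroupNetworking,
+Group: &deploymentGroupNetworking,
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 // TLS settings
 {
@@ -545,6 +557,7 @@ when required by your organization's security policy.`,
 Value: &c.TLS.Enable,
 Group: &deploymentGroupNetworkingTLS,
 YAML: "enable",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Redirect HTTP to HTTPS",
@@ -557,6 +570,7 @@ when required by your organization's security policy.`,
 UseInstead: clibase.OptionSet{redirectToAccessURL},
 Group: &deploymentGroupNetworkingTLS,
 YAML: "redirectHTTP",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "TLS Certificate Files",
@@ -566,6 +580,7 @@ when required by your organization's security policy.`,
 Value: &c.TLS.CertFiles,
 Group: &deploymentGroupNetworkingTLS,
 YAML: "certFiles",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "TLS Client CA Files",
@@ -575,6 +590,7 @@ when required by your organization's security policy.`,
 Value: &c.TLS.ClientCAFile,
 Group: &deploymentGroupNetworkingTLS,
 YAML: "clientCAFile",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "TLS Client Auth",
@@ -585,6 +601,7 @@ when required by your organization's security policy.`,
 Value: &c.TLS.ClientAuth,
 Group: &deploymentGroupNetworkingTLS,
 YAML: "clientAuth",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "TLS Key Files",
@@ -594,6 +611,7 @@ when required by your organization's security policy.`,
 Value: &c.TLS.KeyFiles,
 Group: &deploymentGroupNetworkingTLS,
 YAML: "keyFiles",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "TLS Minimum Version",
@@ -604,6 +622,7 @@ when required by your organization's security policy.`,
 Value: &c.TLS.MinVersion,
 Group: &deploymentGroupNetworkingTLS,
 YAML: "minVersion",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "TLS Client Cert File",
@@ -613,6 +632,7 @@ when required by your organization's security policy.`,
 Value: &c.TLS.ClientCertFile,
 Group: &deploymentGroupNetworkingTLS,
 YAML: "clientCertFile",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "TLS Client Key File",
@@ -622,6 +642,7 @@ when required by your organization's security policy.`,
 Value: &c.TLS.ClientKeyFile,
 Group: &deploymentGroupNetworkingTLS,
 YAML: "clientKeyFile",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 // Derp settings
 {
@@ -712,6 +733,7 @@ when required by your organization's security policy.`,
 Value: &c.Prometheus.Enable,
 Group: &deploymentGroupIntrospectionPrometheus,
 YAML: "enable",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Prometheus Address",
@@ -722,6 +744,7 @@ when required by your organization's security policy.`,
 Value: &c.Prometheus.Address,
 Group: &deploymentGroupIntrospectionPrometheus,
 YAML: "address",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Prometheus Collect Agent Stats",
@@ -741,6 +764,7 @@ when required by your organization's security policy.`,
 Value: &c.Pprof.Enable,
 Group: &deploymentGroupIntrospectionPPROF,
 YAML: "enable",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "pprof Address",
@@ -751,6 +775,7 @@ when required by your organization's security policy.`,
 Value: &c.Pprof.Address,
 Group: &deploymentGroupIntrospectionPPROF,
 YAML: "address",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 // oAuth settings
 {
@@ -1007,13 +1032,14 @@ when required by your organization's security policy.`,
 Value: &c.Trace.Enable,
 Group: &deploymentGroupIntrospectionTracing,
 YAML: "enable",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Trace Honeycomb API Key",
 Description: "Enables trace exporting to Honeycomb.io using the provided API Key.",
 Flag: "trace-honeycomb-api-key",
 Env: "CODER_TRACE_HONEYCOMB_API_KEY",
-Annotations: clibase.Annotations{}.Mark(flagSecretKey, "true"),
+Annotations: clibase.Annotations{}.Mark(flagSecretKey, "true").Mark(flagExternalProxies, "true"),
 Value: &c.Trace.HoneycombAPIKey,
 Group: &deploymentGroupIntrospectionTracing,
 },
@@ -1025,6 +1051,7 @@ when required by your organization's security policy.`,
 Value: &c.Trace.CaptureLogs,
 Group: &deploymentGroupIntrospectionTracing,
 YAML: "captureLogs",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 // Provisioner settings
 {
@@ -1074,19 +1101,21 @@ when required by your organization's security policy.`,
 Flag: "dangerous-disable-rate-limits",
 Env: "CODER_DANGEROUS_DISABLE_RATE_LIMITS",
 
-Value: &c.RateLimit.DisableAll,
-Hidden: true,
+Value: &c.RateLimit.DisableAll,
+Hidden: true,
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "API Rate Limit",
 Description: "Maximum number of requests per minute allowed to the API per user, or per IP address for unauthenticated users. Negative values mean no rate limit. Some API endpoints have separate strict rate limits regardless of this value to prevent denial-of-service or brute force attacks.",
 // Change the env from the auto-generated CODER_RATE_LIMIT_API to the
 // old value to avoid breaking existing deployments.
-Env: "CODER_API_RATE_LIMIT",
-Flag: "api-rate-limit",
-Default: "512",
-Value: &c.RateLimit.API,
-Hidden: true,
+Env: "CODER_API_RATE_LIMIT",
+Flag: "api-rate-limit",
+Default: "512",
+Value: &c.RateLimit.API,
+Hidden: true,
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 // Logging settings
 {
@@ -1096,9 +1125,10 @@ when required by your organization's security policy.`,
 Env: "CODER_VERBOSE",
 FlagShorthand: "v",
 
-Value: &c.Verbose,
-Group: &deploymentGroupIntrospectionLogging,
-YAML: "verbose",
+Value: &c.Verbose,
+Group: &deploymentGroupIntrospectionLogging,
+YAML: "verbose",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Human Log Location",
@@ -1109,6 +1139,7 @@ when required by your organization's security policy.`,
 Value: &c.Logging.Human,
 Group: &deploymentGroupIntrospectionLogging,
 YAML: "humanPath",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "JSON Log Location",
@@ -1119,6 +1150,7 @@ when required by your organization's security policy.`,
 Value: &c.Logging.JSON,
 Group: &deploymentGroupIntrospectionLogging,
 YAML: "jsonPath",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Stackdriver Log Location",
@@ -1129,6 +1161,7 @@ when required by your organization's security policy.`,
 Value: &c.Logging.Stackdriver,
 Group: &deploymentGroupIntrospectionLogging,
 YAML: "stackdriverPath",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 // ☢️ Dangerous settings
 {
@@ -1157,6 +1190,7 @@ when required by your organization's security policy.`,
 Env: "CODER_EXPERIMENTS",
 Value: &c.Experiments,
 YAML: "experiments",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Update Check",
@@ -1199,6 +1233,7 @@ when required by your organization's security policy.`,
 Value: &c.ProxyTrustedHeaders,
 Group: &deploymentGroupNetworking,
 YAML: "proxyTrustedHeaders",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Proxy Trusted Origins",
@@ -1208,6 +1243,7 @@ when required by your organization's security policy.`,
 Value: &c.ProxyTrustedOrigins,
 Group: &deploymentGroupNetworking,
 YAML: "proxyTrustedOrigins",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Cache Directory",
@@ -1243,28 +1279,31 @@ when required by your organization's security policy.`,
 Value: &c.SecureAuthCookie,
 Group: &deploymentGroupNetworking,
 YAML: "secureAuthCookie",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Strict-Transport-Security",
 Description: "Controls if the 'Strict-Transport-Security' header is set on all static file responses. " +
 "This header should only be set if the server is accessed via HTTPS. This value is the MaxAge in seconds of " +
 "the header.",
-Default: "0",
-Flag: "strict-transport-security",
-Env: "CODER_STRICT_TRANSPORT_SECURITY",
-Value: &c.StrictTransportSecurity,
-Group: &deploymentGroupNetworkingTLS,
-YAML: "strictTransportSecurity",
+Default: "0",
+Flag: "strict-transport-security",
+Env: "CODER_STRICT_TRANSPORT_SECURITY",
+Value: &c.StrictTransportSecurity,
+Group: &deploymentGroupNetworkingTLS,
+YAML: "strictTransportSecurity",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Strict-Transport-Security Options",
 Description: "Two optional fields can be set in the Strict-Transport-Security header; 'includeSubDomains' and 'preload'. " +
 "The 'strict-transport-security' flag must be set to a non-zero value for these options to be used.",
-Flag: "strict-transport-security-options",
-Env: "CODER_STRICT_TRANSPORT_SECURITY_OPTIONS",
-Value: &c.StrictTransportSecurityOptions,
-Group: &deploymentGroupNetworkingTLS,
-YAML: "strictTransportSecurityOptions",
+Flag: "strict-transport-security-options",
+Env: "CODER_STRICT_TRANSPORT_SECURITY_OPTIONS",
+Value: &c.StrictTransportSecurityOptions,
+Group: &deploymentGroupNetworkingTLS,
+YAML: "strictTransportSecurityOptions",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "SSH Keygen Algorithm",
@@ -1308,7 +1347,7 @@ when required by your organization's security policy.`,
 Description: "Whether Coder only allows connections to workspaces via the browser.",
 Flag: "browser-only",
 Env: "CODER_BROWSER_ONLY",
-Annotations: clibase.Annotations{}.Mark(flagEnterpriseKey, "true"),
+Annotations: clibase.Annotations{}.Mark(flagEnterpriseKey, "true").Mark(flagExternalProxies, "true"),
 Value: &c.BrowserOnly,
 Group: &deploymentGroupNetworking,
 YAML: "browserOnly",
@@ -1328,17 +1367,19 @@ when required by your organization's security policy.`,
 Flag: "disable-path-apps",
 Env: "CODER_DISABLE_PATH_APPS",
 
-Value: &c.DisablePathApps,
-YAML: "disablePathApps",
+Value: &c.DisablePathApps,
+YAML: "disablePathApps",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Disable Owner Workspace Access",
 Description: "Remove the permission for the 'owner' role to have workspace execution on all workspaces. This prevents the 'owner' from ssh, apps, and terminal access based on the 'owner' role. They still have their user permissions to access their own workspaces.",
 Flag: "disable-owner-workspace-access",
 Env: "CODER_DISABLE_OWNER_WORKSPACE_ACCESS",
 
-Value: &c.DisableOwnerWorkspaceExec,
-YAML: "disableOwnerWorkspaceAccess",
+Value: &c.DisableOwnerWorkspaceExec,
+YAML: "disableOwnerWorkspaceAccess",
+Annotations: clibase.Annotations{}.Mark(flagExternalProxies, "true"),
 },
 {
 Name: "Session Duration",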
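Review bot: `IsExternalProxies` (new lines 341-345) discards the `strconv.ParseBool` error, so a mistyped or empty annotation value silently excludes the option, whereas the neighbouring `IsSecretDeploymentOption` uses `opt.Annotations.IsSet(flagSecretKey)`. Failing closed is the safer direction for an allow-list, but it should be stated. The exported function also lacks a doc comment, so I would add `// IsExternalProxies reports whether opt is annotated as applicable to external workspace proxies. A missing or unparsable annotation value counts as false.` "Trace Honeycomb API Key" now carries both `flagSecretKey` and `flagExternalProxies`, so code that prints or serialises the filtered set presumably still needs to apply `IsSecretDeploymentOption`; that consumer is not visible in this section. The annotation is repeated by hand on about forty options, and a test pinning the expected set of flagged option names would catch an option added later without it.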
