
Commit 0f77db3

committed
pr comments
1 parent aa200ff commit 0f77db3


5 files changed

+33
-2
lines changed


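--- a/coderd/database/dbauthz/system.go
+++ b/coderd/database/dbauthz/system.go
@@ -440,7 +440,7 @@ func (q *querier) InsertParameterSchema(ctx context.Context, arg database.Insert
 }
 
 func (q *querier) GetWorkspaceProxyByHostname(ctx context.Context, params database.GetWorkspaceProxyByHostnameParams) (database.WorkspaceProxy, error) {
-if err := q.authorizeContext(ctx, rbac.ActionCreate, rbac.ResourceSystem); err != nil {
+if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceSystem); err != nil {
 return database.WorkspaceProxy{}, err
 }
 return q.db.GetWorkspaceProxyByHostname(ctx, params)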
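Review bot: The lowered requirement on new line 443 (`rbac.ActionRead` on `rbac.ResourceSystem`) is not explained in the code, and no dbauthz test appears among the five files in this commit, so nothing visible here pins the intended permission. A doc comment on the method would record the intent, for example `// GetWorkspaceProxyByHostname is a system-level lookup; the caller needs read on rbac.ResourceSystem.` If the package keeps per-method authorization assertions, the expectation for this method presumably needs the same create-to-read change. The function's closing brace is outside the hunk.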

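--- a/coderd/workspaceapps.go
+++ b/coderd/workspaceapps.go
@@ -153,7 +153,10 @@ type ValidWorkspaceAppHostnameOpts struct {
 // ValidWorkspaceAppHostname checks if the given host is a valid workspace app
 // hostname based on the provided options. It returns a scheme to force on
 // success. If the hostname is not valid or doesn't match, an empty string is
-// returned.
+// returned. Any error returned is a 500 error.
+//
+// For hosts that match a wildcard app hostname, the scheme is forced to be the
+// corresponding access URL scheme.
 func (api *API) ValidWorkspaceAppHostname(ctx context.Context, host string, opts ValidWorkspaceAppHostnameOpts) (string, error) {
 if opts.AllowPrimaryAccessURL && (host == api.AccessURL.Hostname() || host == api.AccessURL.Host) {
 // Force the redirect URI to have the same scheme as the access URL for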

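--- a/coderd/workspaceapps/apptest/apptest.go
+++ b/coderd/workspaceapps/apptest/apptest.go
@@ -111,6 +111,11 @@ func Run(t *testing.T, factory DeploymentFactory) {
 }
 
 u := *appDetails.PathAppBaseURL
+if u.Scheme == "http" {
+u.Scheme = "ws"
+} else {
+u.Scheme = "wss"
+}
 u.Path = fmt.Sprintf("/api/v2/workspaceagents/%s/pty", appDetails.Agent.ID.String())
 
 ctx := testutil.Context(t, testutil.WaitLong)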
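Review bot: The `else` branch at new lines 116-117 maps every scheme other than "http" to "wss", so an empty or unexpected scheme in `PathAppBaseURL` is silently treated as TLS and would only surface later as a dial failure. Making the second case explicit keeps the test honest about its input, for example `} else if u.Scheme == "https" {` followed by a final `else { t.Fatalf("unexpected scheme %q", u.Scheme) }`. The enclosing function starts and ends outside the hunk.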

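--- a/enterprise/coderd/workspaceproxy.go
+++ b/enterprise/coderd/workspaceproxy.go
@@ -240,6 +240,9 @@ func (api *API) reconnectingPTYSignedToken(rw http.ResponseWriter, r *http.Reque
 }
 
 u, err := url.Parse(req.URL)
+if err == nil && u.Scheme != "ws" && u.Scheme != "wss" {
+err = xerrors.Errorf("invalid URL scheme %q, expected 'ws' or 'wss'", u.Scheme)
+}
 if err != nil {
 httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
 Message: "Invalid URL.",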
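Review bot: The scheme check at new lines 243-245 carries no comment saying why only `ws` and `wss` are accepted, and it reuses the `err` from `url.Parse`, so a reader has to spot `err == nil &&` to see that a parse failure takes precedence over the scheme error. A one-line comment above it would help, such as `// A reconnecting PTY URL must be a websocket URL, so reject any scheme other than ws or wss.` Whether the host and path of `u` are also constrained cannot be confirmed from this hunk, because the handler continues past the visible lines. If they are not, the scheme check alone does not limit where the URL in the signed token request may point.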

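--- a/enterprise/coderd/workspaceproxy_test.go
+++ b/enterprise/coderd/workspaceproxy_test.go
@@ -275,6 +275,26 @@ func TestReconnectingPTYSignedToken(t *testing.T) {
 require.Contains(t, sdkErr.Response.Message, "Invalid URL")
 })
 
+t.Run("BadURL", func(t *testing.T) {
+t.Parallel()
+
+u := *u
+u.Scheme = "ftp"
+
+ctx := testutil.Context(t, testutil.WaitLong)
+res, err := client.IssueReconnectingPTYSignedToken(ctx, codersdk.IssueReconnectingPTYSignedTokenRequest{
+URL: u.String(),
+AgentID: agentID,
+})
+require.Error(t, err)
+require.Empty(t, res)
+var sdkErr *codersdk.Error
+require.ErrorAs(t, err, &sdkErr)
+require.Equal(t, http.StatusBadRequest, sdkErr.StatusCode())
+require.Contains(t, sdkErr.Response.Message, "Invalid URL")
+require.Contains(t, sdkErr.Response.Detail, "scheme")
+})
+
 t.Run("BadURLPath", func(t *testing.T) {
 t.Parallel()
 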
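Review bot: The new subtest at new line 278 is named "BadURL" although it only exercises the scheme, and the subtest after it is "BadURLPath"; `t.Run("BadURLScheme", func(t *testing.T) {` would match that pattern and avoid a clash if the preceding subtest (its name is outside the hunk) is also called "BadURL". It also covers only "ftp", while "http" and "https" are the values a client is most likely to send by mistake. Running the same assertions over `[]string{"ftp", "http", "https", ""}` would pin the rejection more tightly. The enclosing test function starts and ends outside the hunk.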
