coder
diff --git a/‎coderd/coderd.go
Lines changed: 2 additions & 7 deletions b/‎coderd/coderd.go
Lines changed: 2 additions & 7 deletions
diff --git a/‎coderd/database/dbauthz/querier.go
Lines changed: 4 additions & 0 deletions b/‎coderd/database/dbauthz/querier.go
Lines changed: 4 additions & 0 deletions
diff --git a/‎coderd/database/dbfake/databasefake.go
Lines changed: 38 additions & 0 deletions b/‎coderd/database/dbfake/databasefake.go
Lines changed: 38 additions & 0 deletions
diff --git a/‎coderd/database/dbfake/databasefake_test.go
Lines changed: 90 additions & 0 deletions b/‎coderd/database/dbfake/databasefake_test.go
Lines changed: 90 additions & 0 deletions
diff --git a/‎coderd/database/migrations/000115_workspace_proxy_token.down.sql renamed to ‎coderd/database/migrations/000117_workspace_proxy_token.down.sql b/‎coderd/database/migrations/000115_workspace_proxy_token.down.sql renamed to ‎coderd/database/migrations/000117_workspace_proxy_token.down.sql
diff --git a/‎coderd/database/migrations/000115_workspace_proxy_token.up.sql renamed to ‎coderd/database/migrations/000117_workspace_proxy_token.up.sql b/‎coderd/database/migrations/000115_workspace_proxy_token.up.sql renamed to ‎coderd/database/migrations/000117_workspace_proxy_token.up.sql
diff --git a/‎coderd/database/migrations/testdata/fixtures/000115_workspace_proxy_token.up.sql renamed to ‎coderd/database/migrations/testdata/fixtures/000117_workspace_proxy_token.up.sql b/‎coderd/database/migrations/testdata/fixtures/000115_workspace_proxy_token.up.sql renamed to ‎coderd/database/migrations/testdata/fixtures/000117_workspace_proxy_token.up.sql
diff --git a/‎coderd/database/querier.go
Lines changed: 8 additions & 0 deletions b/‎coderd/database/querier.go
Lines changed: 8 additions & 0 deletions
diff --git a/‎coderd/database/querier_test.go
Lines changed: 96 additions & 0 deletions b/‎coderd/database/querier_test.go
Lines changed: 96 additions & 0 deletions
diff --git a/‎coderd/database/queries.sql.go
Lines changed: 50 additions & 0 deletions b/‎coderd/database/queries.sql.go
Lines changed: 50 additions & 0 deletions
@@ -51,7 +51,6 @@ import (
 	"github.com/coder/coder/coderd/httpmw"
 	"github.com/coder/coder/coderd/metricscache"
 	"github.com/coder/coder/coderd/provisionerdserver"
-	"github.com/coder/coder/coderd/proxycache"
 	"github.com/coder/coder/coderd/rbac"
 	"github.com/coder/coder/coderd/schedule"
 	"github.com/coder/coder/coderd/telemetry"
@@ -279,9 +278,6 @@ func New(options *Options) *API {
 		},
 	)
 
-	ctx, cancel := context.WithCancel(context.Background())
-	proxyCache := proxycache.New(ctx, options.Logger.Named("proxy_cache"), options.Database, time.Minute*5)
-
 	staticHandler := site.Handler(site.FS(), binFS, binHashes)
 	// Static file handler must be wrapped with HSTS handler if the
 	// StrictTransportSecurityAge is set. We only need to set this header on
@@ -293,6 +289,7 @@ func New(options *Options) *API {
 		OIDC:   options.OIDCConfig,
 	}
 
+	ctx, cancel := context.WithCancel(context.Background())
 	r := chi.NewRouter()
 	api := &API{
 		ctx:    ctx,
@@ -317,7 +314,6 @@ func New(options *Options) *API {
 			options.AppSecurityKey,
 		),
 		metricsCache:          metricsCache,
-		ProxyCache:            proxyCache,
 		Auditor:               atomic.Pointer[audit.Auditor]{},
 		TemplateScheduleStore: options.TemplateScheduleStore,
 		Experiments:           experiments,
@@ -826,8 +822,7 @@ type API struct {
 	workspaceAgentCache   *wsconncache.Cache
 	updateChecker         *updatecheck.Checker
 	WorkspaceAppsProvider workspaceapps.SignedTokenProvider
-	workspaceAppServer *workspaceapps.Server
-	ProxyCache         *proxycache.Cache
+	workspaceAppServer    *workspaceapps.Server
 
 	// Experiments contains the list of experiments currently enabled.
 	// This is used to gate features that are not yet ready for production.
 
@@ -1697,6 +1697,10 @@ func (q *querier) GetWorkspaceProxyByID(ctx context.Context, id uuid.UUID) (data
 	return fetch(q.log, q.auth, q.db.GetWorkspaceProxyByID)(ctx, id)
 }
 
+func (q *querier) GetWorkspaceProxyByHostname(ctx context.Context, hostname string) (database.WorkspaceProxy, error) {
+	return fetch(q.log, q.auth, q.db.GetWorkspaceProxyByHostname)(ctx, hostname)
+}
+
 func (q *querier) InsertWorkspaceProxy(ctx context.Context, arg database.InsertWorkspaceProxyParams) (database.WorkspaceProxy, error) {
 	return insert(q.log, q.auth, rbac.ResourceWorkspaceProxy, q.db.InsertWorkspaceProxy)(ctx, arg)
 }
 
@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"reflect"
+	"regexp"
 	"sort"
 	"strings"
 	"sync"
@@ -18,10 +19,13 @@ import (
 	"golang.org/x/xerrors"
 
 	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/httpapi"
 	"github.com/coder/coder/coderd/rbac"
 	"github.com/coder/coder/coderd/util/slice"
 )
 
+var validProxyByHostnameRegex = regexp.MustCompile(`^[a-zA-Z0-9.-]+$`)
+
 // FakeDatabase is helpful for knowing if the underlying db is an in memory fake
 // database. This is only in the databasefake package, so will only be used
 // by unit tests.
@@ -5022,6 +5026,40 @@ func (q *fakeQuerier) GetWorkspaceProxyByID(_ context.Context, id uuid.UUID) (da
 	return database.WorkspaceProxy{}, sql.ErrNoRows
 }
 
+func (q *fakeQuerier) GetWorkspaceProxyByHostname(_ context.Context, hostname string) (database.WorkspaceProxy, error) {
+	q.mutex.Lock()
+	defer q.mutex.Unlock()
+
+	// Return zero rows if this is called with a non-sanitized hostname. The SQL
+	// version of this query does the same thing.
+	if !validProxyByHostnameRegex.MatchString(hostname) {
+		return database.WorkspaceProxy{}, sql.ErrNoRows
+	}
+
+	// This regex matches the SQL version.
+	accessURLRegex := regexp.MustCompile(`[^:]*://` + regexp.QuoteMeta(hostname) + `([:/]?.)*`)
+
+	for _, proxy := range q.workspaceProxies {
+		if proxy.Deleted {
+			continue
+		}
+		if accessURLRegex.MatchString(proxy.Url) {
+			return proxy, nil
+		}
+
+		// Compile the app hostname regex. This is slow sadly.
+		wildcardRegexp, err := httpapi.CompileHostnamePattern(proxy.WildcardHostname)
+		if err != nil {
+			return database.WorkspaceProxy{}, xerrors.Errorf("compile hostname pattern %q for proxy %q (%s): %w", proxy.WildcardHostname, proxy.Name, proxy.ID.String(), err)
+		}
+		if _, ok := httpapi.ExecuteHostnamePattern(wildcardRegexp, hostname); ok {
+			return proxy, nil
+		}
+	}
+
+	return database.WorkspaceProxy{}, sql.ErrNoRows
+}
+
 func (q *fakeQuerier) InsertWorkspaceProxy(_ context.Context, arg database.InsertWorkspaceProxyParams) (database.WorkspaceProxy, error) {
 	q.mutex.Lock()
 	defer q.mutex.Unlock()
 
@@ -129,6 +129,96 @@ func TestUserOrder(t *testing.T) {
 	}
 }
 
+func TestProxyByHostname(t *testing.T) {
+	t.Parallel()
+
+	db := dbfake.New()
+
+	// Insert a bunch of different proxies.
+	proxies := []struct {
+		name             string
+		accessURL        string
+		wildcardHostname string
+	}{
+		{
+			name:             "one",
+			accessURL:        "https://one.coder.com",
+			wildcardHostname: "*.wildcard.one.coder.com",
+		},
+		{
+			name:             "two",
+			accessURL:        "https://two.coder.com",
+			wildcardHostname: "*--suffix.two.coder.com",
+		},
+	}
+	for _, p := range proxies {
+		dbgen.WorkspaceProxy(t, db, database.WorkspaceProxy{
+			Name:             p.name,
+			Url:              p.accessURL,
+			WildcardHostname: p.wildcardHostname,
+		})
+	}
+
+	cases := []struct {
+		name           string
+		testHostname   string
+		matchProxyName string
+	}{
+		{
+			name:           "NoMatch",
+			testHostname:   "test.com",
+			matchProxyName: "",
+		},
+		{
+			name:           "MatchAccessURL",
+			testHostname:   "one.coder.com",
+			matchProxyName: "one",
+		},
+		{
+			name:           "MatchWildcard",
+			testHostname:   "something.wildcard.one.coder.com",
+			matchProxyName: "one",
+		},
+		{
+			name:           "MatchSuffix",
+			testHostname:   "something--suffix.two.coder.com",
+			matchProxyName: "two",
+		},
+		{
+			name:           "ValidateHostname/1",
+			testHostname:   ".*ne.coder.com",
+			matchProxyName: "",
+		},
+		{
+			name:           "ValidateHostname/2",
+			testHostname:   "https://one.coder.com",
+			matchProxyName: "",
+		},
+		{
+			name:           "ValidateHostname/3",
+			testHostname:   "one.coder.com:8080/hello",
+			matchProxyName: "",
+		},
+	}
+
+	for _, c := range cases {
+		c := c
+		t.Run(c.name, func(t *testing.T) {
+			t.Parallel()
+
+			proxy, err := db.GetWorkspaceProxyByHostname(context.Background(), c.testHostname)
+			if c.matchProxyName == "" {
+				require.ErrorIs(t, err, sql.ErrNoRows)
+				require.Empty(t, proxy)
+			} else {
+				require.NoError(t, err)
+				require.NotEmpty(t, proxy)
+				require.Equal(t, c.matchProxyName, proxy.Name)
+			}
+		})
+	}
+}
+
 func methods(rt reflect.Type) map[string]bool {
 	methods := make(map[string]bool)
 	for i := 0; i < rt.NumMethod(); i++ {
 
@@ -4,6 +4,7 @@ package database_test
 
 import (
 	"context"
+	"database/sql"
 	"testing"
 	"time"
 
@@ -127,3 +128,98 @@ func TestInsertWorkspaceAgentStartupLogs(t *testing.T) {
 	})
 	require.True(t, database.IsStartupLogsLimitError(err))
 }
+
+func TestProxyByHostname(t *testing.T) {
+	t.Parallel()
+	if testing.Short() {
+		t.SkipNow()
+	}
+	sqlDB := testSQLDB(t)
+	err := migrations.Up(sqlDB)
+	require.NoError(t, err)
+	db := database.New(sqlDB)
+
+	// Insert a bunch of different proxies.
+	proxies := []struct {
+		name             string
+		accessURL        string
+		wildcardHostname string
+	}{
+		{
+			name:             "one",
+			accessURL:        "https://one.coder.com",
+			wildcardHostname: "*.wildcard.one.coder.com",
+		},
+		{
+			name:             "two",
+			accessURL:        "https://two.coder.com",
+			wildcardHostname: "*--suffix.two.coder.com",
+		},
+	}
+	for _, p := range proxies {
+		dbgen.WorkspaceProxy(t, db, database.WorkspaceProxy{
+			Name:             p.name,
+			Url:              p.accessURL,
+			WildcardHostname: p.wildcardHostname,
+		})
+	}
+
+	cases := []struct {
+		name           string
+		testHostname   string
+		matchProxyName string
+	}{
+		{
+			name:           "NoMatch",
+			testHostname:   "test.com",
+			matchProxyName: "",
+		},
+		{
+			name:           "MatchAccessURL",
+			testHostname:   "one.coder.com",
+			matchProxyName: "one",
+		},
+		{
+			name:           "MatchWildcard",
+			testHostname:   "something.wildcard.one.coder.com",
+			matchProxyName: "one",
+		},
+		{
+			name:           "MatchSuffix",
+			testHostname:   "something--suffix.two.coder.com",
+			matchProxyName: "two",
+		},
+		{
+			name:           "ValidateHostname/1",
+			testHostname:   ".*ne.coder.com",
+			matchProxyName: "",
+		},
+		{
+			name:           "ValidateHostname/2",
+			testHostname:   "https://one.coder.com",
+			matchProxyName: "",
+		},
+		{
+			name:           "ValidateHostname/3",
+			testHostname:   "one.coder.com:8080/hello",
+			matchProxyName: "",
+		},
+	}
+
+	for _, c := range cases {
+		c := c
+		t.Run(c.name, func(t *testing.T) {
+			t.Parallel()
+
+			proxy, err := db.GetWorkspaceProxyByHostname(context.Background(), c.testHostname)
+			if c.matchProxyName == "" {
+				require.ErrorIs(t, err, sql.ErrNoRows)
+				require.Empty(t, proxy)
+			} else {
+				require.NoError(t, err)
+				require.NotEmpty(t, proxy)
+				require.Equal(t, c.matchProxyName, proxy.Name)
+			}
+		})
+	}
+}
Original file line number	Diff line number	Diff line change
`@@ -1697,6 +1697,10 @@ func (q *querier) GetWorkspaceProxyByID(ctx context.Context, id uuid.UUID) (data`
`1697`	`1697`	`return fetch(q.log, q.auth, q.db.GetWorkspaceProxyByID)(ctx, id)`
`1698`	`1698`	`}`
`1699`	`1699`
	`1700`	`+func (q *querier) GetWorkspaceProxyByHostname(ctx context.Context, hostname string) (database.WorkspaceProxy, error) {`
	`1701`	`+ return fetch(q.log, q.auth, q.db.GetWorkspaceProxyByHostname)(ctx, hostname)`
	`1702`	`+}`
	`1703`	`+`
`1700`	`1704`	`func (q *querier) InsertWorkspaceProxy(ctx context.Context, arg database.InsertWorkspaceProxyParams) (database.WorkspaceProxy, error) {`
`1701`	`1705`	`return insert(q.log, q.auth, rbac.ResourceWorkspaceProxy, q.db.InsertWorkspaceProxy)(ctx, arg)`
`1702`	`1706`	`}`