chore: refactor CLI agent auth tests as unit tests

spikecurtis · spikecurtis · commit 46dfec736d91 · 2025-08-28T10:58:32.000Z
diff --git a/cli/agent.go b/cli/agent.go
@@ -178,7 +178,7 @@ func (r *RootCmd) workspaceAgent() *serpent.Command {
 				slog.F("auth", r.agentAuth),
 				slog.F("version", version),
 			)
-			client, err := r.createAgentClient(ctx)
+			client, err := r.CreateAgentClient(ctx)
 			if err != nil {
 				return xerrors.Errorf("create agent client: %w", err)
 			}
diff --git a/cli/agent_test.go b/cli/agent_test.go
@@ -1,7 +1,6 @@
 package cli_test
 
 import (
-	"context"
 	"fmt"
 	"net/http"
 	"os"
@@ -11,7 +10,6 @@ import (
 	"sync/atomic"
 	"testing"
 
-	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
@@ -21,10 +19,7 @@ import (
 	"github.com/coder/coder/v2/coderd/coderdtest"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbfake"
-	"github.com/coder/coder/v2/coderd/database/dbtestutil"
 	"github.com/coder/coder/v2/codersdk"
-	"github.com/coder/coder/v2/codersdk/workspacesdk"
-	"github.com/coder/coder/v2/provisionersdk/proto"
 	"github.com/coder/coder/v2/testutil"
 )
 
@@ -64,158 +59,6 @@ func TestWorkspaceAgent(t *testing.T) {
 		}, testutil.WaitLong, testutil.IntervalMedium)
 	})
 
-	t.Run("Azure", func(t *testing.T) {
-		t.Parallel()
-		instanceID := "instanceidentifier"
-		certificates, metadataClient := coderdtest.NewAzureInstanceIdentity(t, instanceID)
-		db, ps := dbtestutil.NewDB(t,
-			dbtestutil.WithDumpOnFailure(),
-		)
-		client := coderdtest.New(t, &coderdtest.Options{
-			Database:          db,
-			Pubsub:            ps,
-			AzureCertificates: certificates,
-		})
-		user := coderdtest.CreateFirstUser(t, client)
-		r := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
-			OrganizationID: user.OrganizationID,
-			OwnerID:        user.UserID,
-		}).WithAgent(func(agents []*proto.Agent) []*proto.Agent {
-			agents[0].Auth = &proto.Agent_InstanceId{InstanceId: instanceID}
-			return agents
-		}).Do()
-
-		inv, _ := clitest.New(t, "agent", "--auth", "azure-instance-identity", "--agent-url", client.URL.String())
-		inv = inv.WithContext(
-			//nolint:revive,staticcheck
-			context.WithValue(inv.Context(), "azure-client", metadataClient),
-		)
-
-		ctx := inv.Context()
-		clitest.Start(t, inv)
-		coderdtest.NewWorkspaceAgentWaiter(t, client, r.Workspace.ID).
-			MatchResources(matchAgentWithVersion).Wait()
-		workspace, err := client.Workspace(ctx, r.Workspace.ID)
-		require.NoError(t, err)
-		resources := workspace.LatestBuild.Resources
-		if assert.NotEmpty(t, workspace.LatestBuild.Resources) && assert.NotEmpty(t, resources[0].Agents) {
-			assert.NotEmpty(t, resources[0].Agents[0].Version)
-		}
-		dialer, err := workspacesdk.New(client).
-			DialAgent(ctx, resources[0].Agents[0].ID, nil)
-		require.NoError(t, err)
-		defer dialer.Close()
-		require.True(t, dialer.AwaitReachable(ctx))
-	})
-
-	t.Run("AWS", func(t *testing.T) {
-		t.Parallel()
-		instanceID := "instanceidentifier"
-		certificates, metadataClient := coderdtest.NewAWSInstanceIdentity(t, instanceID)
-		db, ps := dbtestutil.NewDB(t,
-			dbtestutil.WithDumpOnFailure(),
-		)
-		client := coderdtest.New(t, &coderdtest.Options{
-			Database:        db,
-			Pubsub:          ps,
-			AWSCertificates: certificates,
-		})
-		user := coderdtest.CreateFirstUser(t, client)
-		r := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
-			OrganizationID: user.OrganizationID,
-			OwnerID:        user.UserID,
-		}).WithAgent(func(agents []*proto.Agent) []*proto.Agent {
-			agents[0].Auth = &proto.Agent_InstanceId{InstanceId: instanceID}
-			return agents
-		}).Do()
-
-		inv, _ := clitest.New(t, "agent", "--auth", "aws-instance-identity", "--agent-url", client.URL.String())
-		inv = inv.WithContext(
-			//nolint:revive,staticcheck
-			context.WithValue(inv.Context(), "aws-client", metadataClient),
-		)
-
-		clitest.Start(t, inv)
-		ctx := inv.Context()
-		coderdtest.NewWorkspaceAgentWaiter(t, client, r.Workspace.ID).
-			MatchResources(matchAgentWithVersion).
-			Wait()
-		workspace, err := client.Workspace(ctx, r.Workspace.ID)
-		require.NoError(t, err)
-		resources := workspace.LatestBuild.Resources
-		if assert.NotEmpty(t, resources) && assert.NotEmpty(t, resources[0].Agents) {
-			assert.NotEmpty(t, resources[0].Agents[0].Version)
-		}
-		dialer, err := workspacesdk.New(client).
-			DialAgent(ctx, resources[0].Agents[0].ID, nil)
-		require.NoError(t, err)
-		defer dialer.Close()
-		require.True(t, dialer.AwaitReachable(ctx))
-	})
-
-	t.Run("GoogleCloud", func(t *testing.T) {
-		t.Parallel()
-		instanceID := "instanceidentifier"
-		validator, metadataClient := coderdtest.NewGoogleInstanceIdentity(t, instanceID, false)
-		db, ps := dbtestutil.NewDB(t,
-			dbtestutil.WithDumpOnFailure(),
-		)
-		client := coderdtest.New(t, &coderdtest.Options{
-			Database:             db,
-			Pubsub:               ps,
-			GoogleTokenValidator: validator,
-		})
-		owner := coderdtest.CreateFirstUser(t, client)
-		member, memberUser := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
-		r := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
-			OrganizationID: owner.OrganizationID,
-			OwnerID:        memberUser.ID,
-		}).WithAgent(func(agents []*proto.Agent) []*proto.Agent {
-			agents[0].Auth = &proto.Agent_InstanceId{InstanceId: instanceID}
-			return agents
-		}).Do()
-
-		inv, cfg := clitest.New(t, "agent", "--auth", "google-instance-identity", "--agent-url", client.URL.String())
-		clitest.SetupConfig(t, member, cfg)
-
-		clitest.Start(t,
-			inv.WithContext(
-				//nolint:revive,staticcheck
-				context.WithValue(inv.Context(), "gcp-client", metadataClient),
-			),
-		)
-
-		ctx := inv.Context()
-		coderdtest.NewWorkspaceAgentWaiter(t, client, r.Workspace.ID).
-			MatchResources(matchAgentWithVersion).
-			Wait()
-		workspace, err := client.Workspace(ctx, r.Workspace.ID)
-		require.NoError(t, err)
-		resources := workspace.LatestBuild.Resources
-		if assert.NotEmpty(t, resources) && assert.NotEmpty(t, resources[0].Agents) {
-			assert.NotEmpty(t, resources[0].Agents[0].Version)
-		}
-		dialer, err := workspacesdk.New(client).DialAgent(ctx, resources[0].Agents[0].ID, nil)
-		require.NoError(t, err)
-		defer dialer.Close()
-		require.True(t, dialer.AwaitReachable(ctx))
-		sshClient, err := dialer.SSHClient(ctx)
-		require.NoError(t, err)
-		defer sshClient.Close()
-		session, err := sshClient.NewSession()
-		require.NoError(t, err)
-		defer session.Close()
-		key := "CODER_AGENT_TOKEN"
-		command := "sh -c 'echo $" + key + "'"
-		if runtime.GOOS == "windows" {
-			command = "cmd.exe /c echo %" + key + "%"
-		}
-		token, err := session.CombinedOutput(command)
-		require.NoError(t, err)
-		_, err = uuid.Parse(strings.TrimSpace(string(token)))
-		require.NoError(t, err)
-	})
-
 	t.Run("PostStartup", func(t *testing.T) {
 		t.Parallel()
 
diff --git a/cli/exp_mcp.go b/cli/exp_mcp.go
@@ -148,7 +148,7 @@ func (r *RootCmd) mcpConfigureClaudeCode() *serpent.Command {
 				binPath = testBinaryName
 			}
 			configureClaudeEnv := map[string]string{}
-			agentClient, err := r.createAgentClient(inv.Context())
+			agentClient, err := r.CreateAgentClient(inv.Context())
 			if err != nil {
 				cliui.Warnf(inv.Stderr, "failed to create agent client: %s", err)
 			} else {
@@ -494,7 +494,7 @@ func (r *RootCmd) mcpServer() *serpent.Command {
 			}
 
 			// Try to create an agent client for status reporting.  Not validated.
-			agentClient, err := r.createAgentClient(inv.Context())
+			agentClient, err := r.CreateAgentClient(inv.Context())
 			if err == nil {
 				cliui.Infof(inv.Stderr, "Agent URL      : %s", agentClient.SDK.URL.String())
 				srv.agentClient = agentClient
diff --git a/cli/externalauth.go b/cli/externalauth.go
@@ -75,7 +75,7 @@ fi
 				return xerrors.Errorf("agent token not found")
 			}
 
-			client, err := r.createAgentClient(ctx)
+			client, err := r.CreateAgentClient(ctx)
 			if err != nil {
 				return xerrors.Errorf("create agent client: %w", err)
 			}
diff --git a/cli/gitaskpass.go b/cli/gitaskpass.go
@@ -33,7 +33,7 @@ func (r *RootCmd) gitAskpass() *serpent.Command {
 				return xerrors.Errorf("parse host: %w", err)
 			}
 
-			client, err := r.createAgentClient(ctx)
+			client, err := r.CreateAgentClient(ctx)
 			if err != nil {
 				return xerrors.Errorf("create agent client: %w", err)
 			}
diff --git a/cli/gitssh.go b/cli/gitssh.go
@@ -38,7 +38,7 @@ func (r *RootCmd) gitssh() *serpent.Command {
 				return err
 			}
 
-			client, err := r.createAgentClient(ctx)
+			client, err := r.CreateAgentClient(ctx)
 			if err != nil {
 				return xerrors.Errorf("create agent client: %w", err)
 			}
diff --git a/cli/root.go b/cli/root.go
@@ -688,9 +688,9 @@ func (r *RootCmd) createUnauthenticatedClient(ctx context.Context, serverURL *ur
 	return &client, err
 }
 
-// createAgentClient returns a new client from the command context.  It works
+// CreateAgentClient returns a new client from the command context.  It works
 // just like InitClient, but uses the agent token and URL instead.
-func (r *RootCmd) createAgentClient(ctx context.Context) (*agentsdk.Client, error) {
+func (r *RootCmd) CreateAgentClient(ctx context.Context) (*agentsdk.Client, error) {
 	agentURL := r.agentURL
 	if agentURL == nil || agentURL.String() == "" {
 		return nil, xerrors.Errorf("%s must be set", envAgentURL)
diff --git a/cli/root_test.go b/cli/root_test.go
@@ -10,11 +10,14 @@ import (
 	"sync/atomic"
 	"testing"
 
+	"golang.org/x/xerrors"
+
 	"github.com/coder/serpent"
 
 	"github.com/coder/coder/v2/coderd"
 	"github.com/coder/coder/v2/coderd/coderdtest"
 	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/coder/v2/codersdk/agentsdk"
 	"github.com/coder/coder/v2/pty/ptytest"
 	"github.com/coder/coder/v2/testutil"
 
@@ -275,3 +278,82 @@ func TestHandlersOK(t *testing.T) {
 
 	clitest.HandlersOK(t, cmd)
 }
+
+func TestCreateAgentClient_Token(t *testing.T) {
+	t.Parallel()
+
+	client := createAgentWithFlags(t,
+		"--agent-token", "fake-token",
+		"--agent-url", "http://coder.fake")
+	require.Equal(t, "fake-token", client.GetSessionToken())
+}
+
+func TestCreateAgentClient_Google(t *testing.T) {
+	t.Parallel()
+
+	client := createAgentWithFlags(t,
+		"--auth", "google-instance-identity",
+		"--agent-url", "http://coder.fake")
+	provider, ok := client.RefreshableSessionTokenProvider.(*agentsdk.InstanceIdentitySessionTokenProvider)
+	require.True(t, ok)
+	require.NotNil(t, provider.TokenExchanger)
+	require.IsType(t, &agentsdk.GoogleSessionTokenExchanger{}, provider.TokenExchanger)
+}
+
+func TestCreateAgentClient_AWS(t *testing.T) {
+	t.Parallel()
+
+	client := createAgentWithFlags(t,
+		"--auth", "aws-instance-identity",
+		"--agent-url", "http://coder.fake")
+	provider, ok := client.RefreshableSessionTokenProvider.(*agentsdk.InstanceIdentitySessionTokenProvider)
+	require.True(t, ok)
+	require.NotNil(t, provider.TokenExchanger)
+	require.IsType(t, &agentsdk.AWSSessionTokenExchanger{}, provider.TokenExchanger)
+}
+
+func TestCreateAgentClient_Azure(t *testing.T) {
+	t.Parallel()
+
+	client := createAgentWithFlags(t,
+		"--auth", "azure-instance-identity",
+		"--agent-url", "http://coder.fake")
+	provider, ok := client.RefreshableSessionTokenProvider.(*agentsdk.InstanceIdentitySessionTokenProvider)
+	require.True(t, ok)
+	require.NotNil(t, provider.TokenExchanger)
+	require.IsType(t, &agentsdk.AzureSessionTokenExchanger{}, provider.TokenExchanger)
+}
+
+func createAgentWithFlags(t *testing.T, flags ...string) *agentsdk.Client {
+	t.Helper()
+	r := &cli.RootCmd{}
+	var client *agentsdk.Client
+	subCmd := agentClientCommand(r, &client)
+	cmd, err := r.Command([]*serpent.Command{subCmd})
+	require.NoError(t, err)
+	inv, _ := clitest.NewWithCommand(t, cmd,
+		append([]string{"agent-client"}, flags...)...)
+	err = inv.Run()
+	require.NoError(t, err)
+	require.NotNil(t, client)
+	return client
+}
+
+// agentClientCommand creates a subcommand that creates an agent client and stores it in the provided clientRef. Used to
+// test the properties of the client with various root command flags.
+func agentClientCommand(r *cli.RootCmd, clientRef **agentsdk.Client) *serpent.Command {
+	return &serpent.Command{
+		Use:   "agent-client",
+		Short: `Creates and agent client for testing.`,
+		// This command isn't useful to manually execute.
+		Hidden: true,
+		Handler: func(inv *serpent.Invocation) error {
+			client, err := r.CreateAgentClient(inv.Context())
+			if err != nil {
+				return xerrors.Errorf("create agent client: %w", err)
+			}
+			*clientRef = client
+			return nil
+		},
+	}
+}
diff --git a/codersdk/agentsdk/agentsdk.go b/codersdk/agentsdk/agentsdk.go
diff --git a/codersdk/agentsdk/aws.go b/codersdk/agentsdk/aws.go
diff --git a/codersdk/agentsdk/azure.go b/codersdk/agentsdk/azure.go
diff --git a/codersdk/agentsdk/google.go b/codersdk/agentsdk/google.go

Original file line number	Diff line number	Diff line change
`@@ -178,7 +178,7 @@ func (r RootCmd) workspaceAgent() serpent.Command {`
`178`	`178`	`slog.F("auth", r.agentAuth),`
`179`	`179`	`slog.F("version", version),`
`180`	`180`	`)`
`181`		`- client, err := r.createAgentClient(ctx)`
	`181`	`+ client, err := r.CreateAgentClient(ctx)`
`182`	`182`	`if err != nil {`
`183`	`183`	`return xerrors.Errorf("create agent client: %w", err)`
`184`	`184`	`}`
Original file line number	Diff line number	Diff line change
`@@ -75,7 +75,7 @@ fi`
`75`	`75`	`return xerrors.Errorf("agent token not found")`
`76`	`76`	`}`
`77`	`77`
`78`		`- client, err := r.createAgentClient(ctx)`
	`78`	`+ client, err := r.CreateAgentClient(ctx)`
`79`	`79`	`if err != nil {`
`80`	`80`	`return xerrors.Errorf("create agent client: %w", err)`
`81`	`81`	`}`
Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ func (r RootCmd) gitAskpass() serpent.Command {`
`33`	`33`	`return xerrors.Errorf("parse host: %w", err)`
`34`	`34`	`}`
`35`	`35`
`36`		`- client, err := r.createAgentClient(ctx)`
	`36`	`+ client, err := r.CreateAgentClient(ctx)`
`37`	`37`	`if err != nil {`
`38`	`38`	`return xerrors.Errorf("create agent client: %w", err)`
`39`	`39`	`}`
Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ func (r RootCmd) gitssh() serpent.Command {`
`38`	`38`	`return err`
`39`	`39`	`}`
`40`	`40`
`41`		`- client, err := r.createAgentClient(ctx)`
	`41`	`+ client, err := r.CreateAgentClient(ctx)`
`42`	`42`	`if err != nil {`
`43`	`43`	`return xerrors.Errorf("create agent client: %w", err)`
`44`	`44`	`}`