feat: add session token to provisioner

sreya · sreya · commit 478001a1ead2 · 2023-05-16T02:49:22.000Z
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -964,6 +964,7 @@ func (api *API) CreateInMemoryProvisionerDaemon(ctx context.Context, debounce ti
 		TemplateScheduleStore: api.TemplateScheduleStore,
 		AcquireJobDebounce:    debounce,
 		Logger:                api.Logger.Named(fmt.Sprintf("provisionerd-%s", daemon.Name)),
+		DeploymentValues:      api.DeploymentValues,
 	})
 	if err != nil {
 		return nil, err
diff --git a/coderd/provisionerdserver/provisionerdserver.go b/coderd/provisionerdserver/provisionerdserver.go
@@ -2,10 +2,12 @@ package provisionerdserver
 
 import (
 	"context"
+	"crypto/sha256"
 	"database/sql"
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net"
 	"net/http"
 	"net/url"
 	"reflect"
@@ -37,6 +39,7 @@ import (
 	"github.com/coder/coder/coderd/telemetry"
 	"github.com/coder/coder/coderd/tracing"
 	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/cryptorand"
 	"github.com/coder/coder/provisioner"
 	"github.com/coder/coder/provisionerd/proto"
 	"github.com/coder/coder/provisionersdk"
@@ -62,6 +65,7 @@ type Server struct {
 	QuotaCommitter        *atomic.Pointer[proto.QuotaCommitter]
 	Auditor               *atomic.Pointer[audit.Auditor]
 	TemplateScheduleStore *atomic.Pointer[schedule.TemplateScheduleStore]
+	DeploymentValues      *codersdk.DeploymentValues
 
 	AcquireJobDebounce time.Duration
 	OIDCConfig         httpmw.OAuth2Config
@@ -193,6 +197,11 @@ func (server *Server) AcquireJob(ctx context.Context, _ *proto.Empty) (*proto.Ac
 			}
 		}
 
+		sessionToken, err := server.regenerateSessionToken(ctx, owner, workspace)
+		if err != nil {
+			return nil, failJob(fmt.Sprintf("regenerate session token: %s", err))
+		}
+
 		// Compute parameters for the workspace to consume.
 		parameters, err := parameter.Compute(ctx, server.Database, parameter.ComputeScope{
 			TemplateImportJobID: templateVersion.JobID,
@@ -286,6 +295,7 @@ func (server *Server) AcquireJob(ctx context.Context, _ *proto.Empty) (*proto.Ac
 					WorkspaceOwnerId:              owner.ID.String(),
 					TemplateName:                  template.Name,
 					TemplateVersion:               templateVersion.Name,
+					CoderSessionToken:             sessionToken,
 				},
 				LogLevel: input.LogLevel,
 			},
@@ -1410,6 +1420,79 @@ func InsertWorkspaceResource(ctx context.Context, db database.Store, jobID uuid.
 	return nil
 }
 
+func workspaceSessionTokenName(workspace database.Workspace) string {
+	return fmt.Sprintf("%s_%s_session_token", workspace.OwnerID, workspace.ID)
+}
+
+// Generates a new ID and secret for an API key.
+// TODO put API key logic in separate package.
+func GenerateAPIKeyIDSecret() (id string, secret string, err error) {
+	// Length of an API Key ID.
+	id, err = cryptorand.String(10)
+	if err != nil {
+		return "", "", err
+	}
+	// Length of an API Key secret.
+	secret, err = cryptorand.String(22)
+	if err != nil {
+		return "", "", err
+	}
+	return id, secret, nil
+}
+
+func (server *Server) regenerateSessionToken(ctx context.Context, user database.User, workspace database.Workspace) (string, error) {
+	id, secret, err := GenerateAPIKeyIDSecret()
+	if err != nil {
+		return "", xerrors.Errorf("generate API key: %w", err)
+	}
+	hashed := sha256.Sum256([]byte(secret))
+
+	err = server.Database.InTx(
+		func(tx database.Store) error {
+			key, err := tx.GetAPIKeyByName(ctx, database.GetAPIKeyByNameParams{
+				UserID:    workspace.OwnerID,
+				TokenName: workspaceSessionTokenName(workspace),
+			})
+			if err == nil {
+				err = tx.DeleteAPIKeyByID(ctx, key.ID)
+				if err != nil {
+					return xerrors.Errorf("delete api key: %w", err)
+				}
+			}
+			if err != nil && !xerrors.Is(err, sql.ErrNoRows) {
+				return xerrors.Errorf("get api key by name: %w", err)
+			}
+
+			ip := net.IPv4(0, 0, 0, 0)
+			bitlen := len(ip) * 8
+			_, err = tx.InsertAPIKey(ctx, database.InsertAPIKeyParams{
+				ID:              id,
+				UserID:          workspace.OwnerID,
+				LifetimeSeconds: int64(server.DeploymentValues.SessionDuration.Value().Seconds()),
+				ExpiresAt:       database.Now().Add(server.DeploymentValues.SessionDuration.Value()).UTC(),
+				IPAddress: pqtype.Inet{
+					IPNet: net.IPNet{
+						IP:   ip,
+						Mask: net.CIDRMask(bitlen, bitlen),
+					},
+					Valid: true,
+				},
+				CreatedAt:    database.Now(),
+				UpdatedAt:    database.Now(),
+				HashedSecret: hashed[:],
+				LoginType:    user.LoginType,
+				Scope:        database.APIKeyScopeAll,
+				TokenName:    workspaceSessionTokenName(workspace),
+			})
+
+			return nil
+		}, nil)
+	if err != nil {
+		return "", xerrors.Errorf("regenerate API key: %w", err)
+	}
+	return fmt.Sprintf("%s-%s", id, secret), nil
+}
+
 // obtainOIDCAccessToken returns a valid OpenID Connect access token
 // for the user if it's able to obtain one, otherwise it returns an empty string.
 func obtainOIDCAccessToken(ctx context.Context, db database.Store, oidcConfig httpmw.OAuth2Config, userID uuid.UUID) (string, error) {
diff --git a/provisioner/terraform/provision.go b/provisioner/terraform/provision.go
@@ -220,6 +220,7 @@ func provisionEnv(config *proto.Provision_Config, params []*proto.ParameterValue
 		"CODER_WORKSPACE_OWNER_OIDC_ACCESS_TOKEN="+config.Metadata.WorkspaceOwnerOidcAccessToken,
 		"CODER_WORKSPACE_ID="+config.Metadata.WorkspaceId,
 		"CODER_WORKSPACE_OWNER_ID="+config.Metadata.WorkspaceOwnerId,
+		"CODER_SESSION_TOKEN="+config.Metadata.CoderSessionToken,
 	)
 	for key, value := range provisionersdk.AgentScriptEnv() {
 		env = append(env, key+"="+value)
diff --git a/provisionersdk/proto/provisioner.pb.go b/provisionersdk/proto/provisioner.pb.go
diff --git a/provisionersdk/proto/provisioner.proto b/provisionersdk/proto/provisioner.proto
@@ -241,6 +241,7 @@ message Provision {
         string template_name = 8;
         string template_version = 9;
         string workspace_owner_oidc_access_token = 10;
+	string coder_session_token = 11;
     }
 
     // Config represents execution configuration shared by both Plan and

Original file line number	Diff line number	Diff line change
`@@ -220,6 +220,7 @@ func provisionEnv(config proto.Provision_Config, params []proto.ParameterValue`
`220`	`220`	`"CODER_WORKSPACE_OWNER_OIDC_ACCESS_TOKEN="+config.Metadata.WorkspaceOwnerOidcAccessToken,`
`221`	`221`	`"CODER_WORKSPACE_ID="+config.Metadata.WorkspaceId,`
`222`	`222`	`"CODER_WORKSPACE_OWNER_ID="+config.Metadata.WorkspaceOwnerId,`
	`223`	`+ "CODER_SESSION_TOKEN="+config.Metadata.CoderSessionToken,`
`223`	`224`	`)`
`224`	`225`	`for key, value := range provisionersdk.AgentScriptEnv() {`
`225`	`226`	`env = append(env, key+"="+value)`
Original file line number	Diff line number	Diff line change
`@@ -241,6 +241,7 @@ message Provision {`
`241`	`241`	`string template_name = 8;`
`242`	`242`	`string template_version = 9;`
`243`	`243`	`string workspace_owner_oidc_access_token = 10;`
	`244`	`+ string coder_session_token = 11;`
`244`	`245`	`}`
`245`	`246`
`246`	`247`	`// Config represents execution configuration shared by both Plan and`