Renames from PR feedback

Emyrk · Emyrk · commit 50fa1cae9599 · 2023-04-14T12:49:49.000-05:00
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -460,7 +460,7 @@ func New(options *Options) *API {
 		// All CSP errors will be logged
 		r.Post("/csp/reports", api.logReportCSPViolations)
 
-		r.Get("/buildinfo", buildInfo)
+		r.Get("/buildinfo", buildInfo(api.AccessURL))
 		r.Route("/deployment", func(r chi.Router) {
 			r.Use(apiKeyMiddleware)
 			r.Get("/config", api.deploymentValues)
diff --git a/coderd/deployment.go b/coderd/deployment.go
@@ -2,6 +2,7 @@ package coderd
 
 import (
 	"net/http"
+	"net/url"
 
 	"github.com/coder/coder/buildinfo"
 	"github.com/coder/coder/coderd/httpapi"
@@ -67,11 +68,15 @@ func (api *API) deploymentStats(rw http.ResponseWriter, r *http.Request) {
 // @Tags General
 // @Success 200 {object} codersdk.BuildInfoResponse
 // @Router /buildinfo [get]
-func buildInfo(rw http.ResponseWriter, r *http.Request) {
-	httpapi.Write(r.Context(), rw, http.StatusOK, codersdk.BuildInfoResponse{
-		ExternalURL: buildinfo.ExternalURL(),
-		Version:     buildinfo.Version(),
-	})
+func buildInfo(accessURL *url.URL) http.HandlerFunc {
+	return func(rw http.ResponseWriter, r *http.Request) {
+		httpapi.Write(r.Context(), rw, http.StatusOK, codersdk.BuildInfoResponse{
+			ExternalURL:      buildinfo.ExternalURL(),
+			Version:          buildinfo.Version(),
+			DashboardURL:     accessURL.String(),
+			IsWorkspaceProxy: false,
+		})
+	}
 }
 
 // @Summary SSH Config
diff --git a/coderd/httpmw/apikey.go b/coderd/httpmw/apikey.go
@@ -47,8 +47,9 @@ type userAuthKey struct{}
 
 type Authorization struct {
 	Actor rbac.Subject
-	// ActorName is required for logging and human friendly related
-	// identification.
+	// ActorName is required for logging and human friendly related identification.
+	// It is usually the "username" of the user, but it can be the name of the
+	// external workspace proxy or other service type actor.
 	ActorName string
 }
 
diff --git a/coderd/workspaceapps/apptest/apptest.go b/coderd/workspaceapps/apptest/apptest.go
@@ -170,7 +170,7 @@ func Run(t *testing.T, factory DeploymentFactory) {
 			require.Equal(t, http.StatusSeeOther, resp.StatusCode)
 			loc, err := resp.Location()
 			require.NoError(t, err)
-			require.Equal(t, appDetails.APIClient.URL.Host, loc.Host)
+			require.Equal(t, appDetails.SDKClient.URL.Host, loc.Host)
 			require.Equal(t, "/api/v2/applications/auth-redirect", loc.Path)
 
 			redirectURIStr := loc.Query().Get("redirect_uri")
@@ -189,7 +189,7 @@ func Run(t *testing.T, factory DeploymentFactory) {
 		t.Run("NoAccessShould404", func(t *testing.T) {
 			t.Parallel()
 
-			userClient, _ := coderdtest.CreateAnotherUser(t, appDetails.APIClient, appDetails.FirstUser.OrganizationID, rbac.RoleMember())
+			userClient, _ := coderdtest.CreateAnotherUser(t, appDetails.SDKClient, appDetails.FirstUser.OrganizationID, rbac.RoleMember())
 			userAppClient := appDetails.AppClient(t)
 			userAppClient.SetSessionToken(userClient.SessionToken())
 
@@ -393,9 +393,9 @@ func Run(t *testing.T, factory DeploymentFactory) {
 					defer cancel()
 
 					// Get the current user and API key.
-					user, err := appDetails.APIClient.User(ctx, codersdk.Me)
+					user, err := appDetails.SDKClient.User(ctx, codersdk.Me)
 					require.NoError(t, err)
-					currentAPIKey, err := appDetails.APIClient.APIKeyByID(ctx, appDetails.FirstUser.UserID.String(), strings.Split(appDetails.APIClient.SessionToken(), "-")[0])
+					currentAPIKey, err := appDetails.SDKClient.APIKeyByID(ctx, appDetails.FirstUser.UserID.String(), strings.Split(appDetails.SDKClient.SessionToken(), "-")[0])
 					require.NoError(t, err)
 
 					appClient := appDetails.AppClient(t)
@@ -422,12 +422,12 @@ func Run(t *testing.T, factory DeploymentFactory) {
 					gotLocation, err := resp.Location()
 					require.NoError(t, err)
 					// This should always redirect to the primary access URL.
-					require.Equal(t, appDetails.APIClient.URL.Host, gotLocation.Host)
+					require.Equal(t, appDetails.SDKClient.URL.Host, gotLocation.Host)
 					require.Equal(t, "/api/v2/applications/auth-redirect", gotLocation.Path)
 					require.Equal(t, u.String(), gotLocation.Query().Get("redirect_uri"))
 
 					// Load the application auth-redirect endpoint.
-					resp, err = requestWithRetries(ctx, t, appDetails.APIClient, http.MethodGet, "/api/v2/applications/auth-redirect", nil, codersdk.WithQueryParam(
+					resp, err = requestWithRetries(ctx, t, appDetails.SDKClient, http.MethodGet, "/api/v2/applications/auth-redirect", nil, codersdk.WithQueryParam(
 						"redirect_uri", u.String(),
 					))
 					require.NoError(t, err)
@@ -467,18 +467,18 @@ func Run(t *testing.T, factory DeploymentFactory) {
 					apiKey := cookie.Value
 
 					// Fetch the API key from the API.
-					apiKeyInfo, err := appDetails.APIClient.APIKeyByID(ctx, appDetails.FirstUser.UserID.String(), strings.Split(apiKey, "-")[0])
+					apiKeyInfo, err := appDetails.SDKClient.APIKeyByID(ctx, appDetails.FirstUser.UserID.String(), strings.Split(apiKey, "-")[0])
 					require.NoError(t, err)
 					require.Equal(t, user.ID, apiKeyInfo.UserID)
 					require.Equal(t, codersdk.LoginTypePassword, apiKeyInfo.LoginType)
 					require.WithinDuration(t, currentAPIKey.ExpiresAt, apiKeyInfo.ExpiresAt, 5*time.Second)
 					require.EqualValues(t, currentAPIKey.LifetimeSeconds, apiKeyInfo.LifetimeSeconds)
 
 					// Verify the API key permissions
-					appTokenAPIClient := codersdk.New(appDetails.APIClient.URL)
+					appTokenAPIClient := codersdk.New(appDetails.SDKClient.URL)
 					appTokenAPIClient.SetSessionToken(apiKey)
-					appTokenAPIClient.HTTPClient.CheckRedirect = appDetails.APIClient.HTTPClient.CheckRedirect
-					appTokenAPIClient.HTTPClient.Transport = appDetails.APIClient.HTTPClient.Transport
+					appTokenAPIClient.HTTPClient.CheckRedirect = appDetails.SDKClient.HTTPClient.CheckRedirect
+					appTokenAPIClient.HTTPClient.Transport = appDetails.SDKClient.HTTPClient.Transport
 
 					var (
 						canCreateApplicationConnect = "can-create-application_connect"
@@ -543,7 +543,7 @@ func Run(t *testing.T, factory DeploymentFactory) {
 		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
 		defer cancel()
 
-		u := *appDetails.APIClient.URL
+		u := *appDetails.SDKClient.URL
 		u.Host = "app--agent--workspace--username.test.coder.com"
 		u.Path = "/api/v2/users/me"
 		resp, err := requestWithRetries(ctx, t, appDetails.AppClient(t), http.MethodGet, u.String(), nil)
@@ -597,7 +597,7 @@ func Run(t *testing.T, factory DeploymentFactory) {
 		t.Run("NoAccessShould401", func(t *testing.T) {
 			t.Parallel()
 
-			userClient, _ := coderdtest.CreateAnotherUser(t, appDetails.APIClient, appDetails.FirstUser.OrganizationID, rbac.RoleMember())
+			userClient, _ := coderdtest.CreateAnotherUser(t, appDetails.SDKClient, appDetails.FirstUser.OrganizationID, rbac.RoleMember())
 			userAppClient := appDetails.AppClient(t)
 			userAppClient.SetSessionToken(userClient.SessionToken())
 
@@ -827,7 +827,7 @@ func Run(t *testing.T, factory DeploymentFactory) {
 
 			// Create a template-admin user in the same org. We don't use an owner
 			// since they have access to everything.
-			ownerClient = appDetails.APIClient
+			ownerClient = appDetails.SDKClient
 			user, err := ownerClient.CreateUser(ctx, codersdk.CreateUserRequest{
 				Email:          "user@coder.com",
 				Username:       "user",
@@ -1170,7 +1170,7 @@ func Run(t *testing.T, factory DeploymentFactory) {
 				// server.
 				secWebSocketKey := "test-dean-was-here"
 				req.Header["Sec-WebSocket-Key"] = []string{secWebSocketKey}
-				req.Header.Set(codersdk.SessionTokenHeader, appDetails.APIClient.SessionToken())
+				req.Header.Set(codersdk.SessionTokenHeader, appDetails.SDKClient.SessionToken())
 
 				resp, err := doWithRetries(t, appDetails.AppClient(t), req)
 				require.NoError(t, err)
diff --git a/coderd/workspaceapps/apptest/setup.go b/coderd/workspaceapps/apptest/setup.go
@@ -58,8 +58,8 @@ type DeploymentOptions struct {
 type Deployment struct {
 	Options *DeploymentOptions
 
-	// APIClient should be logged in as the admin user.
-	APIClient      *codersdk.Client
+	// SDKClient should be logged in as the admin user.
+	SDKClient      *codersdk.Client
 	FirstUser      codersdk.CreateFirstUserResponse
 	PathAppBaseURL *url.URL
 
@@ -114,7 +114,7 @@ type AppDetails struct {
 // The client is authenticated as the first user by default.
 func (d *AppDetails) AppClient(t *testing.T) *codersdk.Client {
 	client := codersdk.New(d.PathAppBaseURL)
-	client.SetSessionToken(d.APIClient.SessionToken())
+	client.SetSessionToken(d.SDKClient.SessionToken())
 	forceURLTransport(t, client)
 	client.HTTPClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {
 		return http.ErrUseLastResponse
@@ -166,15 +166,15 @@ func setupProxyTestWithFactory(t *testing.T, factory DeploymentFactory, opts *De
 
 	// Configure the HTTP client to not follow redirects and to route all
 	// requests regardless of hostname to the coderd test server.
-	deployment.APIClient.HTTPClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {
+	deployment.SDKClient.HTTPClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {
 		return http.ErrUseLastResponse
 	}
-	forceURLTransport(t, deployment.APIClient)
+	forceURLTransport(t, deployment.SDKClient)
 
 	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitMedium)
 	defer cancel()
 
-	me, err := deployment.APIClient.User(ctx, codersdk.Me)
+	me, err := deployment.SDKClient.User(ctx, codersdk.Me)
 	require.NoError(t, err)
 
 	if opts.noWorkspace {
@@ -187,7 +187,7 @@ func setupProxyTestWithFactory(t *testing.T, factory DeploymentFactory, opts *De
 	if opts.port == 0 {
 		opts.port = appServer(t)
 	}
-	workspace, agnt := createWorkspaceWithApps(t, deployment.APIClient, deployment.FirstUser.OrganizationID, me, opts.port)
+	workspace, agnt := createWorkspaceWithApps(t, deployment.SDKClient, deployment.FirstUser.OrganizationID, me, opts.port)
 
 	return &AppDetails{
 		Deployment: deployment,
diff --git a/coderd/workspaceapps/proxy.go b/coderd/workspaceapps/proxy.go
@@ -85,6 +85,12 @@ type Server struct {
 	WorkspaceConnCache  *wsconncache.Cache
 	AppSecurityKey      SecurityKey
 
+	// DisablePathApps disables path-based apps. This is a security feature as path
+	// based apps share the same cookie as the dashboard, and are susceptible to XSS
+	// by a malicious workspace app.
+	//
+	// Subdomain apps are safer with their cookies scoped to the subdomain, and XSS
+	// calls to the dashboard are not possible due to CORs.
 	DisablePathApps  bool
 	SecureAuthCookie bool
 
diff --git a/coderd/workspaceapps/request.go b/coderd/workspaceapps/request.go
@@ -32,7 +32,7 @@ type IssueTokenRequest struct {
 	PathAppBaseURL string `json:"path_app_base_url"`
 	// AppHostname is the optional hostname for subdomain apps on the external
 	// proxy. It must start with an asterisk.
-	AppHostname string `json:"subdomain_app_hostname"`
+	AppHostname string `json:"app_hostname"`
 	// AppPath is the path of the user underneath the app base path.
 	AppPath string `json:"app_path"`
 	// AppQuery is the query parameters the user provided in the app request.
diff --git a/coderd/workspaceapps_test.go b/coderd/workspaceapps_test.go
@@ -281,7 +281,7 @@ func TestWorkspaceApps(t *testing.T) {
 
 		return &apptest.Deployment{
 			Options:          opts,
-			APIClient:        client,
+			SDKClient:        client,
 			FirstUser:        user,
 			PathAppBaseURL:   client.URL,
 			AppHostServesAPI: true,
diff --git a/codersdk/deployment.go b/codersdk/deployment.go
@@ -1576,7 +1576,12 @@ type BuildInfoResponse struct {
 	// Version returns the semantic version of the build.
 	Version string `json:"version"`
 
-	WorkspaceProxy *WorkspaceProxyBuildInfo `json:"workspace_proxy,omitempty"`
+	// DashboardURL is the URL to hit the deployment's dashboard.
+	// For external workspace proxies, this is the coderd they are connected
+	// to.
+	DashboardURL string `json:"dashboard_url"`
+
+	IsWorkspaceProxy bool `json:"is_workspace_proxy"`
 }
 
 type WorkspaceProxyBuildInfo struct {
diff --git a/enterprise/wsproxy/proxy.go b/enterprise/wsproxy/proxy.go
@@ -221,12 +221,9 @@ func (s *Server) DialWorkspaceAgent(id uuid.UUID) (*codersdk.WorkspaceAgentConn,
 
 func (s *Server) buildInfo(rw http.ResponseWriter, r *http.Request) {
 	httpapi.Write(r.Context(), rw, http.StatusOK, codersdk.BuildInfoResponse{
-		ExternalURL: buildinfo.ExternalURL(),
-		Version:     buildinfo.Version(),
-		WorkspaceProxy: &codersdk.WorkspaceProxyBuildInfo{
-			IsWorkspaceProxy: true,
-			DashboardURL:     s.PrimaryAccessURL.String(),
-		},
+		ExternalURL:  buildinfo.ExternalURL(),
+		Version:      buildinfo.Version(),
+		DashboardURL: s.PrimaryAccessURL.String(),
 	})
 }
 
diff --git a/enterprise/wsproxy/proxy_test.go b/enterprise/wsproxy/proxy_test.go
@@ -62,7 +62,7 @@ func TestExternalProxyWorkspaceApps(t *testing.T) {
 
 		return &apptest.Deployment{
 			Options:          opts,
-			APIClient:        client,
+			SDKClient:        client,
 			FirstUser:        user,
 			PathAppBaseURL:   proxyAPI.Options.AccessURL,
 			AppHostServesAPI: false,
