Pull app security key from primary

Emyrk · Emyrk · commit 5356400e5102 · 2023-04-19T09:41:58.000-05:00
diff --git a/cli/server.go b/cli/server.go
@@ -621,17 +621,6 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 					}
 				}
 
-				if cfg.Dangerous.DevAppSecurityKey.Value() != "" {
-					_, err := workspaceapps.KeyFromString(cfg.Dangerous.DevAppSecurityKey.Value())
-					if err != nil {
-						return xerrors.Errorf("invalid dev app security key: %w", err)
-					}
-					err = tx.UpsertAppSecurityKey(ctx, cfg.Dangerous.DevAppSecurityKey.Value())
-					if err != nil {
-						return xerrors.Errorf("Insert dev app security key: %w", err)
-					}
-				}
-
 				// Read the app signing key from the DB. We store it hex encoded
 				// since the config table uses strings for the value and we
 				// don't want to deal with automatic encoding issues.
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -181,6 +181,7 @@ var (
 					rbac.ResourceUserData.Type:           {rbac.ActionCreate, rbac.ActionUpdate},
 					rbac.ResourceWorkspace.Type:          {rbac.ActionUpdate},
 					rbac.ResourceWorkspaceExecution.Type: {rbac.ActionCreate},
+					rbac.ResourceWorkspaceProxy.Type:     {rbac.ActionCreate, rbac.ActionUpdate, rbac.ActionDelete},
 				}),
 				Org:  map[string][]rbac.Permission{},
 				User: []rbac.Permission{},
diff --git a/codersdk/deployment.go b/codersdk/deployment.go
@@ -328,9 +328,8 @@ type LoggingConfig struct {
 }
 
 type DangerousConfig struct {
-	AllowPathAppSharing         clibase.Bool   `json:"allow_path_app_sharing" typescript:",notnull"`
-	AllowPathAppSiteOwnerAccess clibase.Bool   `json:"allow_path_app_site_owner_access" typescript:",notnull"`
-	DevAppSecurityKey           clibase.String `json:"dev_app_security_key" typescript:",notnull"`
+	AllowPathAppSharing         clibase.Bool `json:"allow_path_app_sharing" typescript:",notnull"`
+	AllowPathAppSiteOwnerAccess clibase.Bool `json:"allow_path_app_site_owner_access" typescript:",notnull"`
 }
 
 const (
@@ -1186,15 +1185,6 @@ when required by your organization's security policy.`,
 			Value: &c.Dangerous.AllowPathAppSiteOwnerAccess,
 			Group: &deploymentGroupDangerous,
 		},
-		{
-			Name:        "App Security Key (Development Only)",
-			Description: "Used to override the app security key stored in the database. This should never be used in production.",
-			Flag:        "dangerous-dev-app-security-key",
-			Default:     "",
-			Value:       &c.Dangerous.DevAppSecurityKey,
-			Annotations: clibase.Annotations{}.Mark("secret", "true"),
-			Hidden:      true,
-		},
 		// Misc. settings
 		{
 			Name:        "Experiments",
diff --git a/enterprise/cli/proxyserver.go b/enterprise/cli/proxyserver.go
@@ -26,7 +26,6 @@ import (
 	"github.com/coder/coder/cli/cliui"
 	"github.com/coder/coder/coderd/httpapi"
 	"github.com/coder/coder/coderd/httpmw"
-	"github.com/coder/coder/coderd/workspaceapps"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/enterprise/wsproxy"
 )
@@ -55,7 +54,6 @@ func (r *RootCmd) proxyServer() *clibase.Cmd {
 		}
 		proxySessionToken clibase.String
 		primaryAccessURL  clibase.URL
-		appSecuritYKey    clibase.String
 	)
 	opts.Add(
 		// Options only for external workspace proxies
@@ -83,20 +81,6 @@ func (r *RootCmd) proxyServer() *clibase.Cmd {
 			Group:       &externalProxyOptionGroup,
 			Hidden:      false,
 		},
-
-		// TODO: This will eventually be pulled over an authenticated api endpoint.
-		clibase.Option{
-			Name:        "App Security Key",
-			Description: "App security key used for decrypting/verifying app tokens sent from coderd.",
-			Flag:        "app-security-key",
-			Env:         "CODER_APP_SECURITY_KEY",
-			YAML:        "appSecurityKey",
-			Default:     "",
-			Value:       &appSecuritYKey,
-			Group:       &externalProxyOptionGroup,
-			Hidden:      false,
-			Annotations: clibase.Annotations{}.Mark("secret", "true"),
-		},
 	)
 
 	cmd := &clibase.Cmd{
@@ -113,11 +97,6 @@ func (r *RootCmd) proxyServer() *clibase.Cmd {
 				return xerrors.Errorf("primary access URL must be http or https: url=%s", primaryAccessURL.String())
 			}
 
-			secKey, err := workspaceapps.KeyFromString(appSecuritYKey.Value())
-			if err != nil {
-				return xerrors.Errorf("app security key: %w", err)
-			}
-
 			var closers closers
 			// Main command context for managing cancellation of running
 			// services.
@@ -236,14 +215,13 @@ func (r *RootCmd) proxyServer() *clibase.Cmd {
 				closers.Add(closeFunc)
 			}
 
-			proxy, err := wsproxy.New(&wsproxy.Options{
+			proxy, err := wsproxy.New(ctx, &wsproxy.Options{
 				Logger:             logger,
 				DashboardURL:       primaryAccessURL.Value(),
 				AccessURL:          cfg.AccessURL.Value(),
 				AppHostname:        appHostname,
 				AppHostnameRegex:   appHostnameRegex,
 				RealIPConfig:       realIPConfig,
-				AppSecurityKey:     secKey,
 				Tracing:            tracer,
 				PrometheusRegistry: prometheusRegistry,
 				APIRateLimit:       int(cfg.RateLimit.API.Value()),
diff --git a/enterprise/coderd/coderdenttest/proxytest.go b/enterprise/coderd/coderdenttest/proxytest.go
@@ -115,14 +115,14 @@ func NewWorkspaceProxy(t *testing.T, coderdAPI *coderd.API, owner *codersdk.Clie
 	})
 	require.NoError(t, err, "failed to create workspace proxy")
 
-	wssrv, err := wsproxy.New(&wsproxy.Options{
-		Logger:            slogtest.Make(t, nil).Leveled(slog.LevelDebug),
-		DashboardURL:      coderdAPI.AccessURL,
-		AccessURL:         accessURL,
-		AppHostname:       options.AppHostname,
-		AppHostnameRegex:  appHostnameRegex,
-		RealIPConfig:      coderdAPI.RealIPConfig,
-		AppSecurityKey:    coderdAPI.AppSecurityKey,
+	wssrv, err := wsproxy.New(ctx, &wsproxy.Options{
+		Logger:           slogtest.Make(t, nil).Leveled(slog.LevelDebug),
+		DashboardURL:     coderdAPI.AccessURL,
+		AccessURL:        accessURL,
+		AppHostname:      options.AppHostname,
+		AppHostnameRegex: appHostnameRegex,
+		RealIPConfig:     coderdAPI.RealIPConfig,
+		//AppSecurityKey:    coderdAPI.AppSecurityKey,
 		Tracing:           coderdAPI.TracerProvider,
 		APIRateLimit:      coderdAPI.APIRateLimit,
 		SecureAuthCookie:  coderdAPI.SecureAuthCookie,
diff --git a/enterprise/wsproxy/wsproxy.go b/enterprise/wsproxy/wsproxy.go
@@ -49,9 +49,6 @@ type Options struct {
 	AppHostnameRegex *regexp.Regexp
 
 	RealIPConfig *httpmw.RealIPConfig
-	// TODO: @emyrk this key needs to be provided via a file or something?
-	//		Maybe we should curl it from the primary over some secure connection?
-	AppSecurityKey workspaceapps.SecurityKey
 
 	Tracing            trace.TracerProvider
 	PrometheusRegistry *prometheus.Registry
@@ -72,7 +69,6 @@ func (o *Options) Validate() error {
 	errs.Required("RealIPConfig", o.RealIPConfig)
 	errs.Required("PrometheusRegistry", o.PrometheusRegistry)
 	errs.NotEmpty("ProxySessionToken", o.ProxySessionToken)
-	errs.NotEmpty("AppSecurityKey", o.AppSecurityKey)
 
 	if len(errs) > 0 {
 		return errs
@@ -107,7 +103,7 @@ type Server struct {
 	cancel context.CancelFunc
 }
 
-func New(opts *Options) (*Server, error) {
+func New(ctx context.Context, opts *Options) (*Server, error) {
 	if opts.PrometheusRegistry == nil {
 		opts.PrometheusRegistry = prometheus.NewRegistry()
 	}
@@ -116,13 +112,34 @@ func New(opts *Options) (*Server, error) {
 		return nil, err
 	}
 
-	// TODO: implement some ping and registration logic
 	client := wsproxysdk.New(opts.DashboardURL)
 	err := client.SetSessionToken(opts.ProxySessionToken)
 	if err != nil {
 		return nil, xerrors.Errorf("set client token: %w", err)
 	}
 
+	// TODO: Probably do some version checking here
+	info, err := client.SDKClient.BuildInfo(ctx)
+	if err != nil {
+		return nil, xerrors.Errorf("failed to fetch build info from %q: %w", opts.DashboardURL, err)
+	}
+	if info.WorkspaceProxy {
+		return nil, xerrors.Errorf("%q is a workspace proxy, not a primary coderd instance", opts.DashboardURL)
+	}
+
+	regResp, err := client.RegisterWorkspaceProxy(ctx, wsproxysdk.RegisterWorkspaceProxyRequest{
+		AccessURL:        opts.AccessURL.String(),
+		WildcardHostname: opts.AppHostname,
+	})
+	if err != nil {
+		return nil, xerrors.Errorf("register proxy: %w", err)
+	}
+
+	secKey, err := workspaceapps.KeyFromString(regResp.AppSecurityKey)
+	if err != nil {
+		return nil, xerrors.Errorf("parse app security key: %w", err)
+	}
+
 	r := chi.NewRouter()
 	ctx, cancel := context.WithCancel(context.Background())
 	s := &Server{
@@ -149,11 +166,11 @@ func New(opts *Options) (*Server, error) {
 			AccessURL:    opts.AccessURL,
 			AppHostname:  opts.AppHostname,
 			Client:       client,
-			SecurityKey:  s.Options.AppSecurityKey,
+			SecurityKey:  secKey,
 			Logger:       s.Logger.Named("proxy_token_provider"),
 		},
 		WorkspaceConnCache: wsconncache.New(s.DialWorkspaceAgent, 0),
-		AppSecurityKey:     opts.AppSecurityKey,
+		AppSecurityKey:     secKey,
 
 		DisablePathApps:  opts.DisablePathApps,
 		SecureAuthCookie: opts.SecureAuthCookie,
