Add header-process flag

code-asher · code-asher · commit 538d2fcd1b31 · 2023-08-11T15:28:12.000-08:00
This allows specifying a command to run that can output headers for
cases where users require dynamic headers (like to authenticate to their
VPN).

The primary use case is to add this flag in SSH configs created by the
VS Code plugin, although maybe config-ssh should do the same.
diff --git a/cli/login.go b/cli/login.go
@@ -76,7 +76,7 @@ func (r *RootCmd) login() *clibase.Cmd {
 				serverURL.Scheme = "https"
 			}
 
-			client, err := r.createUnauthenticatedClient(serverURL)
+			client, err := r.createUnauthenticatedClient(ctx, serverURL)
 			if err != nil {
 				return err
 			}
diff --git a/cli/root.go b/cli/root.go
@@ -13,6 +13,7 @@ import (
 	"net/http"
 	"net/url"
 	"os"
+	"os/exec"
 	"os/signal"
 	"path/filepath"
 	"runtime"
@@ -55,6 +56,7 @@ const (
 	varAgentToken       = "agent-token"
 	varAgentURL         = "agent-url"
 	varHeader           = "header"
+	varHeaderProcess    = "header-process"
 	varNoOpen           = "no-open"
 	varNoVersionCheck   = "no-version-warning"
 	varNoFeatureWarning = "no-feature-warning"
@@ -356,6 +358,13 @@ func (r *RootCmd) Command(subcommands []*clibase.Cmd) (*clibase.Cmd, error) {
 			Value:       clibase.StringArrayOf(&r.header),
 			Group:       globalGroup,
 		},
+		{
+			Flag:        varHeaderProcess,
+			Env:         "CODER_HEADER_PROCESS",
+			Description: "An external process that outputs JSON-encoded key-value pairs to be used as additional HTTP headers added to all requests.",
+			Value:       clibase.StringOf(&r.headerProcess),
+			Group:       globalGroup,
+		},
 		{
 			Flag:        varNoOpen,
 			Env:         "CODER_NO_OPEN",
@@ -437,6 +446,7 @@ type RootCmd struct {
 	token         string
 	globalConfig  string
 	header        []string
+	headerProcess string
 	agentToken    string
 	agentURL      *url.URL
 	forceTTY      bool
@@ -540,9 +550,7 @@ func (r *RootCmd) initClientInternal(client *codersdk.Client, allowTokenMissing
 					return err
 				}
 			}
-			err = r.setClient(
-				client, r.clientURL,
-			)
+			err = r.setClient(inv.Context(), client, r.clientURL)
 			if err != nil {
 				return err
 			}
@@ -592,7 +600,7 @@ func (r *RootCmd) initClientInternal(client *codersdk.Client, allowTokenMissing
 	}
 }
 
-func (r *RootCmd) setClient(client *codersdk.Client, serverURL *url.URL) error {
+func (r *RootCmd) setClient(ctx context.Context, client *codersdk.Client, serverURL *url.URL) error {
 	transport := &headerTransport{
 		transport: http.DefaultTransport,
 		header:    http.Header{},
@@ -604,16 +612,39 @@ func (r *RootCmd) setClient(client *codersdk.Client, serverURL *url.URL) error {
 		}
 		transport.header.Add(parts[0], parts[1])
 	}
+	if r.headerProcess != "" {
+		shell := "sh"
+		caller := "-c"
+		if runtime.GOOS == "windows" {
+			shell = "cmd.exe"
+			caller = "/c"
+		}
+		// #nosec
+		cmd := exec.CommandContext(ctx, shell, caller, r.headerProcess)
+		cmd.Env = append(os.Environ(), "CODER_URL="+serverURL.String())
+		out, err := cmd.Output()
+		if err != nil {
+			return xerrors.Errorf("failed to run %v (out: %q): %w", cmd.Args, out, err)
+		}
+		var headers map[string]string
+		err = json.Unmarshal(out, &headers)
+		if err != nil {
+			return xerrors.Errorf("failed to parse json from %v (out: %q): %w", cmd.Args, out, err)
+		}
+		for key, value := range headers {
+			transport.header.Add(key, value)
+		}
+	}
 	client.URL = serverURL
 	client.HTTPClient = &http.Client{
 		Transport: transport,
 	}
 	return nil
 }
 
-func (r *RootCmd) createUnauthenticatedClient(serverURL *url.URL) (*codersdk.Client, error) {
+func (r *RootCmd) createUnauthenticatedClient(ctx context.Context, serverURL *url.URL) (*codersdk.Client, error) {
 	var client codersdk.Client
-	err := r.setClient(&client, serverURL)
+	err := r.setClient(ctx, &client, serverURL)
 	return &client, err
 }
 
diff --git a/cli/root_test.go b/cli/root_test.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"runtime"
 	"strings"
 	"sync/atomic"
 	"testing"
@@ -72,20 +73,28 @@ func TestRoot(t *testing.T) {
 	t.Run("Header", func(t *testing.T) {
 		t.Parallel()
 
+		var url string
 		var called int64
 		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			atomic.AddInt64(&called, 1)
 			assert.Equal(t, "wow", r.Header.Get("X-Testing"))
 			assert.Equal(t, "Dean was Here!", r.Header.Get("Cool-Header"))
+			assert.Equal(t, "very-wow-"+url, r.Header.Get("X-Process-Testing"))
 			w.WriteHeader(http.StatusGone)
 		}))
 		defer srv.Close()
+		url = srv.URL
 		buf := new(bytes.Buffer)
+		coderUrlEnv := "$CODER_URL"
+		if runtime.GOOS == "windows" {
+			coderUrlEnv = "%CODER_URL%"
+		}
 		inv, _ := clitest.New(t,
 			"--no-feature-warning",
 			"--no-version-warning",
 			"--header", "X-Testing=wow",
 			"--header", "Cool-Header=Dean was Here!",
+			"--header-process", "printf '{\"X-Process-Testing\": \"very-wow-'"+coderUrlEnv+"'\"}'",
 			"login", srv.URL,
 		)
 		inv.Stdout = buf
@@ -97,8 +106,8 @@ func TestRoot(t *testing.T) {
 	})
 }
 
-// TestDERPHeaders ensures that the client sends the global `--header`s to the
-// DERP server when connecting.
+// TestDERPHeaders ensures that the client sends the global `--header`s and
+// `--header-process` to the DERP server when connecting.
 func TestDERPHeaders(t *testing.T) {
 	t.Parallel()
 
@@ -129,8 +138,9 @@ func TestDERPHeaders(t *testing.T) {
 	// Inject custom /derp handler so we can inspect the headers.
 	var (
 		expectedHeaders = map[string]string{
-			"X-Test-Header": "test-value",
-			"Cool-Header":   "Dean was Here!",
+			"X-Test-Header":     "test-value",
+			"Cool-Header":       "Dean was Here!",
+			"X-Process-Testing": "very-wow",
 		}
 		derpCalled int64
 	)
@@ -159,9 +169,12 @@ func TestDERPHeaders(t *testing.T) {
 		"--no-version-warning",
 		"ping", workspace.Name,
 		"-n", "1",
+		"--header-process", "printf '{\"X-Process-Testing\": \"very-wow\"}'",
 	}
 	for k, v := range expectedHeaders {
-		args = append(args, "--header", fmt.Sprintf("%s=%s", k, v))
+		if k != "X-Process-Testing" {
+			args = append(args, "--header", fmt.Sprintf("%s=%s", k, v))
+		}
 	}
 	inv, root := clitest.New(t, args...)
 	clitest.SetupConfig(t, client, root)
diff --git a/cli/testdata/coder_--help.golden b/cli/testdata/coder_--help.golden
@@ -62,6 +62,10 @@ variables or flags.
           Additional HTTP headers added to all requests. Provide as key=value.
           Can be specified multiple times.
 
+      --header-process string, $CODER_HEADER_PROCESS
+          An external process that outputs JSON-encoded key-value pairs to be
+          used as additional HTTP headers added to all requests.
+
       --no-feature-warning bool, $CODER_NO_FEATURE_WARNING
           Suppress warnings about unlicensed features.
 
diff --git a/cli/vscodessh.go b/cli/vscodessh.go
@@ -86,7 +86,7 @@ func (r *RootCmd) vscodeSSH() *clibase.Cmd {
 			client.SetSessionToken(string(sessionToken))
 
 			// This adds custom headers to the request!
-			err = r.setClient(client, serverURL)
+			err = r.setClient(ctx, client, serverURL)
 			if err != nil {
 				return xerrors.Errorf("set client: %w", err)
 			}
diff --git a/docs/cli.md b/docs/cli.md
@@ -96,6 +96,15 @@ Path to the global `coder` config directory.
 
 Additional HTTP headers added to all requests. Provide as key=value. Can be specified multiple times.
 
+### --header-process
+
+|             |                                    |
+| ----------- | ---------------------------------- |
+| Type        | <code>string</code>                |
+| Environment | <code>$CODER_HEADER_PROCESS</code> |
+
+An external process that outputs JSON-encoded key-value pairs to be used as additional HTTP headers added to all requests.
+
 ### --no-feature-warning
 
 |             |                                        |
diff --git a/enterprise/cli/testdata/coder_--help.golden b/enterprise/cli/testdata/coder_--help.golden
@@ -33,6 +33,10 @@ variables or flags.
           Additional HTTP headers added to all requests. Provide as key=value.
           Can be specified multiple times.
 
+      --header-process string, $CODER_HEADER_PROCESS
+          An external process that outputs JSON-encoded key-value pairs to be
+          used as additional HTTP headers added to all requests.
+
       --no-feature-warning bool, $CODER_NO_FEATURE_WARNING
           Suppress warnings about unlicensed features.
 

Original file line number	Diff line number	Diff line change
`@@ -76,7 +76,7 @@ func (r RootCmd) login() clibase.Cmd {`
`76`	`76`	`serverURL.Scheme = "https"`
`77`	`77`	`}`
`78`	`78`
`79`		`- client, err := r.createUnauthenticatedClient(serverURL)`
	`79`	`+ client, err := r.createUnauthenticatedClient(ctx, serverURL)`
`80`	`80`	`if err != nil {`
`81`	`81`	`return err`
`82`	`82`	`}`
Original file line number	Diff line number	Diff line change
`@@ -86,7 +86,7 @@ func (r RootCmd) vscodeSSH() clibase.Cmd {`
`86`	`86`	`client.SetSessionToken(string(sessionToken))`
`87`	`87`
`88`	`88`	`// This adds custom headers to the request!`
`89`		`- err = r.setClient(client, serverURL)`
	`89`	`+ err = r.setClient(ctx, client, serverURL)`
`90`	`90`	`if err != nil {`
`91`	`91`	`return xerrors.Errorf("set client: %w", err)`
`92`	`92`	`}`