Merge branch 'groups' of github.com:coder/coder into groups

BrunoQuaresma · BrunoQuaresma · commit 85e05c3bc8d4 · 2022-09-26T19:22:40.000Z
diff --git a/agent/agent_test.go b/agent/agent_test.go
@@ -481,19 +481,6 @@ func TestAgent(t *testing.T) {
 		}
 	})
 
-	t.Run("Tailnet", func(t *testing.T) {
-		t.Parallel()
-		derpMap := tailnettest.RunDERPAndSTUN(t)
-		conn, _ := setupAgent(t, codersdk.WorkspaceAgentMetadata{
-			DERPMap: derpMap,
-		}, 0)
-		defer conn.Close()
-		require.Eventually(t, func() bool {
-			_, err := conn.Ping()
-			return err == nil
-		}, testutil.WaitLong, testutil.IntervalFast)
-	})
-
 	t.Run("Speedtest", func(t *testing.T) {
 		t.Parallel()
 		if testing.Short() {
diff --git a/cli/server.go b/cli/server.go
@@ -328,9 +328,10 @@ func Server(newAPI func(context.Context, *coderd.Options) (*coderd.API, error))
 			}
 
 			defaultRegion := &tailcfg.DERPRegion{
-				RegionID:   derpServerRegionID,
-				RegionCode: derpServerRegionCode,
-				RegionName: derpServerRegionName,
+				EmbeddedRelay: true,
+				RegionID:      derpServerRegionID,
+				RegionCode:    derpServerRegionCode,
+				RegionName:    derpServerRegionName,
 				Nodes: []*tailcfg.DERPNode{{
 					Name:      fmt.Sprintf("%db", derpServerRegionID),
 					RegionID:  derpServerRegionID,
diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go
@@ -196,9 +196,10 @@ func NewOptions(t *testing.T, options *Options) (*httptest.Server, context.Cance
 		DERPMap: &tailcfg.DERPMap{
 			Regions: map[int]*tailcfg.DERPRegion{
 				1: {
-					RegionID:   1,
-					RegionCode: "coder",
-					RegionName: "Coder",
+					EmbeddedRelay: true,
+					RegionID:      1,
+					RegionCode:    "coder",
+					RegionName:    "Coder",
 					Nodes: []*tailcfg.DERPNode{{
 						Name:             "1a",
 						RegionID:         1,
diff --git a/coderd/rbac/authz.go b/coderd/rbac/authz.go
@@ -23,9 +23,8 @@ type PreparedAuthorized interface {
 }
 
 // Filter takes in a list of objects, and will filter the list removing all
-// the elements the subject does not have permission for. This function slows
-// down if the list contains objects of multiple types. Attempt to only
-// filter objects of the same type for faster performance.
+// the elements the subject does not have permission for. All objects must be
+// of the same type.
 func Filter[O Objecter](ctx context.Context, auth Authorizer, subjID string, subjRoles []string, scope Scope, groups []string, action Action, objects []O) ([]O, error) {
 	ctx, span := tracing.StartSpan(ctx, trace.WithAttributes(
 		attribute.String("subject_id", subjID),
@@ -38,26 +37,20 @@ func Filter[O Objecter](ctx context.Context, auth Authorizer, subjID string, sub
 		// Nothing to filter
 		return objects, nil
 	}
+	objectType := objects[0].RBACObject().Type
 
 	filtered := make([]O, 0)
-	prepared := make(map[string]PreparedAuthorized)
-
-	for i := range objects {
-		object := objects[i]
-		objectType := object.RBACObject().Type
-		// objectAuth is the prepared authorization for the object type.
-		objectAuth, ok := prepared[object.RBACObject().Type]
-		if !ok {
-			var err error
-			objectAuth, err = auth.PrepareByRoleName(ctx, subjID, subjRoles, scope, groups, action, objectType)
-			if err != nil {
-				return nil, xerrors.Errorf("prepare: %w", err)
-			}
-			prepared[objectType] = objectAuth
-		}
+	prepared, err := auth.PrepareByRoleName(ctx, subjID, subjRoles, scope, groups, action, objectType)
+	if err != nil {
+		return nil, xerrors.Errorf("prepare: %w", err)
+	}
 
+	for _, object := range objects {
 		rbacObj := object.RBACObject()
-		err := objectAuth.Authorize(ctx, rbacObj)
+		if rbacObj.Type != objectType {
+			return nil, xerrors.Errorf("object types must be uniform across the set (%s), found %s", objectType, object.RBACObject().Type)
+		}
+		err := prepared.Authorize(ctx, rbacObj)
 		if err == nil {
 			filtered = append(filtered, object)
 		}
diff --git a/coderd/rbac/authz_internal_test.go b/coderd/rbac/authz_internal_test.go
@@ -40,15 +40,15 @@ func (w fakeObject) RBACObject() Object {
 }
 
 // TODO: @emyrk Bring back this test when private/public templates are removed
-//	in favor of groups.
-//func TestFilterError(t *testing.T) {
-//	t.Parallel()
-//	auth, err := NewAuthorizer()
-//	require.NoError(t, err)
 //
-//	_, err = Filter(context.Background(), auth, uuid.NewString(), []string{}, ScopeAll, []string{}, ActionRead, []Object{ResourceUser, ResourceWorkspace})
-//	require.ErrorContains(t, err, "object types must be uniform")
-//}
+//	in favor of groups.
+func TestFilterError(t *testing.T) {
+	t.Parallel()
+	auth := NewAuthorizer()
+
+	_, err := Filter(context.Background(), auth, uuid.NewString(), []string{}, ScopeAll, []string{}, ActionRead, []Object{ResourceUser, ResourceWorkspace})
+	require.ErrorContains(t, err, "object types must be uniform")
+}
 
 // TestFilter ensures the filter acts the same as an individual authorize.
 // It generates a random set of objects, then runs the Filter batch function
diff --git a/coderd/rbac/partial.go b/coderd/rbac/partial.go
@@ -5,6 +5,7 @@ import (
 
 	"golang.org/x/xerrors"
 
+	"github.com/open-policy-agent/opa/ast"
 	"github.com/open-policy-agent/opa/rego"
 
 	"github.com/coder/coder/coderd/tracing"
@@ -32,6 +33,18 @@ func (pa *PartialAuthorizer) Authorize(ctx context.Context, object Object) error
 		return nil
 	}
 
+	// No queries means always false
+	if len(pa.preparedQueries) == 0 {
+		return ForbiddenWithInternal(xerrors.Errorf("policy disallows request"), pa.input, nil)
+	}
+
+	parsed, err := ast.InterfaceToValue(map[string]interface{}{
+		"object": object,
+	})
+	if err != nil {
+		return xerrors.Errorf("parse object: %w", err)
+	}
+
 	// How to interpret the results of the partial queries.
 	// We have a list of queries that are along the lines of:
 	// 	`input.object.org_owner = ""; "me" = input.object.owner`
@@ -45,9 +58,7 @@ func (pa *PartialAuthorizer) Authorize(ctx context.Context, object Object) error
 EachQueryLoop:
 	for _, q := range pa.preparedQueries {
 		// We need to eval each query with the newly known fields.
-		results, err := q.Eval(ctx, rego.EvalInput(map[string]interface{}{
-			"object": object,
-		}))
+		results, err := q.Eval(ctx, rego.EvalParsedInput(parsed))
 		if err != nil {
 			continue EachQueryLoop
 		}
diff --git a/coderd/users.go b/coderd/users.go
@@ -1018,9 +1018,27 @@ func (api *API) postLogout(rw http.ResponseWriter, r *http.Request) {
 	}
 	http.SetCookie(rw, cookie)
 
+	// This code should be removed after Jan 1 2023.
+	// This code logs out of the old session cookie before we renamed it
+	// if it is a valid coder token. Otherwise, this old cookie hangs around
+	// and we never log out of the user.
+	oldCookie, err := r.Cookie("session_token")
+	if err == nil && oldCookie != nil {
+		_, _, err := httpmw.SplitAPIToken(oldCookie.Value)
+		if err == nil {
+			cookie := &http.Cookie{
+				// MaxAge < 0 means to delete the cookie now.
+				MaxAge: -1,
+				Name:   "session_token",
+				Path:   "/",
+			}
+			http.SetCookie(rw, cookie)
+		}
+	}
+
 	// Delete the session token from database.
 	apiKey := httpmw.APIKey(r)
-	err := api.Database.DeleteAPIKeyByID(ctx, apiKey.ID)
+	err = api.Database.DeleteAPIKeyByID(ctx, apiKey.ID)
 	if err != nil {
 		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 			Message: "Internal error deleting API key.",
diff --git a/coderd/workspaceagents.go b/coderd/workspaceagents.go
@@ -226,9 +226,44 @@ func (api *API) dialWorkspaceAgentTailnet(r *http.Request, agentID uuid.UUID) (*
 		_ = serverConn.Close()
 	}()
 
+	derpMap := api.DERPMap.Clone()
+	for _, region := range derpMap.Regions {
+		if !region.EmbeddedRelay {
+			continue
+		}
+		var node *tailcfg.DERPNode
+		for _, n := range region.Nodes {
+			if n.STUNOnly {
+				continue
+			}
+			node = n
+			break
+		}
+		if node == nil {
+			continue
+		}
+		// TODO: This should dial directly to execute the
+		// DERP server instead of contacting localhost.
+		//
+		// This requires modification of Tailscale internals
+		// to pipe through a proxy function per-region, so
+		// this is an easy and mostly reliable hack for now.
+		cloned := node.Clone()
+		// Add p for proxy.
+		// This first node supports TLS.
+		cloned.Name += "p"
+		cloned.IPv4 = "127.0.0.1"
+		cloned.InsecureForTests = true
+		region.Nodes = append(region.Nodes, cloned.Clone())
+		// This second node forces HTTP.
+		cloned.Name += "-http"
+		cloned.ForceHTTP = true
+		region.Nodes = append(region.Nodes, cloned)
+	}
+
 	conn, err := tailnet.NewConn(&tailnet.Options{
 		Addresses: []netip.Prefix{netip.PrefixFrom(tailnet.IP(), 128)},
-		DERPMap:   api.DERPMap,
+		DERPMap:   derpMap,
 		Logger:    api.Logger.Named("tailnet").Leveled(slog.LevelDebug),
 	})
 	if err != nil {
diff --git a/codersdk/workspaceagents.go b/codersdk/workspaceagents.go
@@ -10,6 +10,7 @@ import (
 	"net/http"
 	"net/http/cookiejar"
 	"net/netip"
+	"strconv"
 	"time"
 
 	"cloud.google.com/go/compute/metadata"
@@ -208,7 +209,42 @@ func (c *Client) WorkspaceAgentMetadata(ctx context.Context) (WorkspaceAgentMeta
 		return WorkspaceAgentMetadata{}, readBodyAsError(res)
 	}
 	var agentMetadata WorkspaceAgentMetadata
-	return agentMetadata, json.NewDecoder(res.Body).Decode(&agentMetadata)
+	err = json.NewDecoder(res.Body).Decode(&agentMetadata)
+	if err != nil {
+		return WorkspaceAgentMetadata{}, err
+	}
+	accessingPort := c.URL.Port()
+	if accessingPort == "" {
+		accessingPort = "80"
+		if c.URL.Scheme == "https" {
+			accessingPort = "443"
+		}
+	}
+	accessPort, err := strconv.Atoi(accessingPort)
+	if err != nil {
+		return WorkspaceAgentMetadata{}, xerrors.Errorf("convert accessing port %q: %w", accessingPort, err)
+	}
+	// Agents can provide an arbitrary access URL that may be different
+	// that the globally configured one. This breaks the built-in DERP,
+	// which would continue to reference the global access URL.
+	//
+	// This converts all built-in DERPs to use the access URL that the
+	// metadata request was performed with.
+	for _, region := range agentMetadata.DERPMap.Regions {
+		if !region.EmbeddedRelay {
+			continue
+		}
+
+		for _, node := range region.Nodes {
+			if node.STUNOnly {
+				continue
+			}
+			node.HostName = c.URL.Hostname()
+			node.DERPPort = accessPort
+			node.ForceHTTP = c.URL.Scheme == "http"
+		}
+	}
+	return agentMetadata, nil
 }
 
 func (c *Client) ListenWorkspaceAgentTailnet(ctx context.Context) (net.Conn, error) {
diff --git a/codersdk/workspaceagents_test.go b/codersdk/workspaceagents_test.go
@@ -0,0 +1,49 @@
+package codersdk_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strconv"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"tailscale.com/tailcfg"
+
+	"github.com/coder/coder/coderd/httpapi"
+	"github.com/coder/coder/codersdk"
+)
+
+func TestWorkspaceAgentMetadata(t *testing.T) {
+	t.Parallel()
+	// This test ensures that the DERP map returned properly
+	// mutates built-in DERPs with the client access URL.
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		httpapi.Write(context.Background(), w, http.StatusOK, codersdk.WorkspaceAgentMetadata{
+			DERPMap: &tailcfg.DERPMap{
+				Regions: map[int]*tailcfg.DERPRegion{
+					1: {
+						EmbeddedRelay: true,
+						RegionID:      1,
+						Nodes: []*tailcfg.DERPNode{{
+							HostName: "bananas.org",
+							DERPPort: 1,
+						}},
+					},
+				},
+			},
+		})
+	}))
+	parsed, err := url.Parse(srv.URL)
+	require.NoError(t, err)
+	client := codersdk.New(parsed)
+	metadata, err := client.WorkspaceAgentMetadata(context.Background())
+	require.NoError(t, err)
+	region := metadata.DERPMap.Regions[1]
+	require.True(t, region.EmbeddedRelay)
+	require.Len(t, region.Nodes, 1)
+	node := region.Nodes[0]
+	require.Equal(t, parsed.Hostname(), node.HostName)
+	require.Equal(t, parsed.Port(), strconv.Itoa(node.DERPPort))
+}
diff --git a/go.mod b/go.mod
@@ -40,7 +40,7 @@ replace github.com/tcnksm/go-httpstat => github.com/kylecarbs/go-httpstat v0.0.0
 
 // There are a few minor changes we make to Tailscale that we're slowly upstreaming. Compare here:
 // https://github.com/tailscale/tailscale/compare/main...coder:tailscale:main
-replace tailscale.com => github.com/coder/tailscale v1.1.1-0.20220914175845-85b85d9a52ee
+replace tailscale.com => github.com/coder/tailscale v1.1.1-0.20220926024748-50f068456c6c
 
 // Switch to our fork that imports fixes from http://github.com/tailscale/ssh.
 // See: https://github.com/coder/coder/issues/3371
diff --git a/go.sum b/go.sum
@@ -349,8 +349,8 @@ github.com/coder/retry v1.3.0 h1:5lAAwt/2Cm6lVmnfBY7sOMXcBOwcwJhmV5QGSELIVWY=
 github.com/coder/retry v1.3.0/go.mod h1:tXuRgZgWjUnU5LZPT4lJh4ew2elUhexhlnXzrJWdyFY=
 github.com/coder/ssh v0.0.0-20220811105153-fcea99919338 h1:tN5GKFT68YLVzJoA8AHuiMNJ0qlhoD3pGN3JY9gxSko=
 github.com/coder/ssh v0.0.0-20220811105153-fcea99919338/go.mod h1:ZSS+CUoKHDrqVakTfTWUlKSr9MtMFkC4UvtQKD7O914=
-github.com/coder/tailscale v1.1.1-0.20220914175845-85b85d9a52ee h1:77WUcIAL5FRQtd97/gOV66MJHLPhsPw+3vMxoEvcadI=
-github.com/coder/tailscale v1.1.1-0.20220914175845-85b85d9a52ee/go.mod h1:5amxy08qijEa8bcTW2SeIy4MIqcmd7LMsuOxqOlj2Ak=
+github.com/coder/tailscale v1.1.1-0.20220926024748-50f068456c6c h1:xa6lr5Pj87Is26tgpzwBsEGKL7aVz7/fRGgY9QIbf3E=
+github.com/coder/tailscale v1.1.1-0.20220926024748-50f068456c6c/go.mod h1:5amxy08qijEa8bcTW2SeIy4MIqcmd7LMsuOxqOlj2Ak=
 github.com/containerd/aufs v0.0.0-20200908144142-dab0cbea06f4/go.mod h1:nukgQABAEopAHvB6j7cnP5zJ+/3aVcE7hCYqvIwAHyE=
 github.com/containerd/aufs v0.0.0-20201003224125-76a6863f2989/go.mod h1:AkGGQs9NM2vtYHaUen+NljV0/baGCAPELGm2q9ZXpWU=
 github.com/containerd/aufs v0.0.0-20210316121734-20793ff83c97/go.mod h1:kL5kd6KM5TzQjR79jljyi4olc1Vrx6XBlcyj3gNv2PU=
