comments

deansheather · deansheather · commit dc884eb326e8 · 2023-04-17T16:33:31.000Z
diff --git a/coderd/workspaceapps/apptest/apptest.go b/coderd/workspaceapps/apptest/apptest.go
@@ -33,7 +33,7 @@ import (
 // Run runs the entire workspace app test suite against deployments minted
 // by the provided factory.
 func Run(t *testing.T, factory DeploymentFactory) {
-	setupProxyTest := func(t *testing.T, opts *DeploymentOptions) *AppDetails {
+	setupProxyTest := func(t *testing.T, opts *DeploymentOptions) *Details {
 		return setupProxyTestWithFactory(t, factory, opts)
 	}
 
@@ -811,7 +811,7 @@ func Run(t *testing.T, factory DeploymentFactory) {
 	t.Run("AppSharing", func(t *testing.T) {
 		t.Parallel()
 
-		setup := func(t *testing.T, allowPathAppSharing, allowSiteOwnerAccess bool) (appDetails *AppDetails, workspace codersdk.Workspace, agnt codersdk.WorkspaceAgent, user codersdk.User, ownerClient *codersdk.Client, client *codersdk.Client, clientInOtherOrg *codersdk.Client, clientWithNoAuth *codersdk.Client) {
+		setup := func(t *testing.T, allowPathAppSharing, allowSiteOwnerAccess bool) (appDetails *Details, workspace codersdk.Workspace, agnt codersdk.WorkspaceAgent, user codersdk.User, ownerClient *codersdk.Client, client *codersdk.Client, clientInOtherOrg *codersdk.Client, clientWithNoAuth *codersdk.Client) {
 			//nolint:gosec
 			const password = "SomeSecurePassword!"
 
@@ -910,7 +910,7 @@ func Run(t *testing.T, factory DeploymentFactory) {
 			return appDetails, workspace, agnt, user, ownerClient, client, clientInOtherOrg, clientWithNoAuth
 		}
 
-		verifyAccess := func(t *testing.T, appDetails *AppDetails, isPathApp bool, username, workspaceName, agentName, appName string, client *codersdk.Client, shouldHaveAccess, shouldRedirectToLogin bool) {
+		verifyAccess := func(t *testing.T, appDetails *Details, isPathApp bool, username, workspaceName, agentName, appName string, client *codersdk.Client, shouldHaveAccess, shouldRedirectToLogin bool) {
 			t.Helper()
 
 			ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
diff --git a/coderd/workspaceapps/apptest/setup.go b/coderd/workspaceapps/apptest/setup.go
@@ -87,8 +87,8 @@ type App struct {
 	Query string
 }
 
-// AppDetails are the full test details returned from setupProxyTestWithFactory.
-type AppDetails struct {
+// Details are the full test details returned from setupProxyTestWithFactory.
+type Details struct {
 	*Deployment
 
 	Me codersdk.User
@@ -112,7 +112,7 @@ type AppDetails struct {
 // are not followed by default.
 //
 // The client is authenticated as the first user by default.
-func (d *AppDetails) AppClient(t *testing.T) *codersdk.Client {
+func (d *Details) AppClient(t *testing.T) *codersdk.Client {
 	client := codersdk.New(d.PathAppBaseURL)
 	client.SetSessionToken(d.SDKClient.SessionToken())
 	forceURLTransport(t, client)
@@ -124,7 +124,7 @@ func (d *AppDetails) AppClient(t *testing.T) *codersdk.Client {
 }
 
 // PathAppURL returns the URL for the given path app.
-func (d *AppDetails) PathAppURL(app App) *url.URL {
+func (d *Details) PathAppURL(app App) *url.URL {
 	appPath := fmt.Sprintf("/@%s/%s/apps/%s", app.Username, app.WorkspaceName, app.AppSlugOrPort)
 
 	u := *d.PathAppBaseURL
@@ -135,7 +135,7 @@ func (d *AppDetails) PathAppURL(app App) *url.URL {
 }
 
 // SubdomainAppURL returns the URL for the given subdomain app.
-func (d *AppDetails) SubdomainAppURL(app App) *url.URL {
+func (d *Details) SubdomainAppURL(app App) *url.URL {
 	host := fmt.Sprintf("%s--%s--%s--%s", app.AppSlugOrPort, app.AgentName, app.WorkspaceName, app.Username)
 
 	u := *d.PathAppBaseURL
@@ -151,7 +151,7 @@ func (d *AppDetails) SubdomainAppURL(app App) *url.URL {
 // 3. Create a template version, template and workspace with many apps.
 // 4. Start a workspace agent.
 // 5. Returns details about the deployment and its apps.
-func setupProxyTestWithFactory(t *testing.T, factory DeploymentFactory, opts *DeploymentOptions) *AppDetails {
+func setupProxyTestWithFactory(t *testing.T, factory DeploymentFactory, opts *DeploymentOptions) *Details {
 	if opts == nil {
 		opts = &DeploymentOptions{}
 	}
@@ -178,7 +178,7 @@ func setupProxyTestWithFactory(t *testing.T, factory DeploymentFactory, opts *De
 	require.NoError(t, err)
 
 	if opts.noWorkspace {
-		return &AppDetails{
+		return &Details{
 			Deployment: deployment,
 			Me:         me,
 		}
@@ -189,7 +189,7 @@ func setupProxyTestWithFactory(t *testing.T, factory DeploymentFactory, opts *De
 	}
 	workspace, agnt := createWorkspaceWithApps(t, deployment.SDKClient, deployment.FirstUser.OrganizationID, me, opts.port)
 
-	return &AppDetails{
+	return &Details{
 		Deployment: deployment,
 		Me:         me,
 		Workspace:  &workspace,
@@ -336,8 +336,12 @@ func createWorkspaceWithApps(t *testing.T, client *codersdk.Client, orgID uuid.U
 	agentClient.SetSessionToken(authToken)
 
 	// TODO (@dean): currently, the primary app host is used when generating
-	// this URL and we don't have any plans to change that until we let
-	// templates pick which proxy they want to use.
+	// the port URL we tell the agent to use. We don't have any plans to change
+	// that until we let templates pick which proxy they want to use in the
+	// terraform.
+	//
+	// This means that all port URLs generated in code-server etc. will be sent
+	// to the primary.
 	appHostCtx := testutil.Context(t, testutil.WaitLong)
 	primaryAppHost, err := client.AppHost(appHostCtx)
 	require.NoError(t, err)
diff --git a/coderd/workspaceapps/db.go b/coderd/workspaceapps/db.go
@@ -55,11 +55,11 @@ func NewDBTokenProvider(log slog.Logger, accessURL *url.URL, authz rbac.Authoriz
 	}
 }
 
-func (p *DBTokenProvider) TokenFromRequest(r *http.Request) (*SignedToken, bool) {
-	return TokenFromRequest(r, p.SigningKey)
+func (p *DBTokenProvider) FromRequest(r *http.Request) (*SignedToken, bool) {
+	return FromRequest(r, p.SigningKey)
 }
 
-func (p *DBTokenProvider) IssueToken(ctx context.Context, rw http.ResponseWriter, r *http.Request, issueReq IssueTokenRequest) (*SignedToken, string, bool) {
+func (p *DBTokenProvider) Issue(ctx context.Context, rw http.ResponseWriter, r *http.Request, issueReq IssueTokenRequest) (*SignedToken, string, bool) {
 	// nolint:gocritic // We need to make a number of database calls. Setting a system context here
 	//                 // is simpler than calling dbauthz.AsSystemRestricted on every call.
 	//                 // dangerousSystemCtx is only used for database calls. The actual authentication
diff --git a/coderd/workspaceapps/provider.go b/coderd/workspaceapps/provider.go
@@ -45,7 +45,7 @@ func ResolveRequest(rw http.ResponseWriter, r *http.Request, opts ResolveRequest
 		return nil, false
 	}
 
-	token, ok := opts.SignedTokenProvider.TokenFromRequest(r)
+	token, ok := opts.SignedTokenProvider.FromRequest(r)
 	if ok && token.MatchesRequest(appReq) {
 		// The request has a valid signed app token and it matches the request.
 		return token, true
@@ -60,7 +60,7 @@ func ResolveRequest(rw http.ResponseWriter, r *http.Request, opts ResolveRequest
 		AppQuery:       opts.AppQuery,
 	}
 
-	token, tokenStr, ok := opts.SignedTokenProvider.IssueToken(r.Context(), rw, r, issueReq)
+	token, tokenStr, ok := opts.SignedTokenProvider.Issue(r.Context(), rw, r, issueReq)
 	if !ok {
 		return nil, false
 	}
@@ -80,17 +80,17 @@ func ResolveRequest(rw http.ResponseWriter, r *http.Request, opts ResolveRequest
 
 // SignedTokenProvider provides signed workspace app tokens (aka. app tickets).
 type SignedTokenProvider interface {
-	// TokenFromRequest returns a parsed token from the request. If the request
-	// does not contain a signed app token or is is invalid (expired, invalid
+	// FromRequest returns a parsed token from the request. If the request does
+	// not contain a signed app token or is is invalid (expired, invalid
 	// signature, etc.), it returns false.
-	TokenFromRequest(r *http.Request) (*SignedToken, bool)
-	// IssueToken mints a new token for the given app request. It uses the
-	// long-lived session token in the HTTP request to authenticate and
-	// authorize the client for the given workspace app. The token is returned
-	// in struct and string form. The string form should be written as a cookie.
+	FromRequest(r *http.Request) (*SignedToken, bool)
+	// Issue mints a new token for the given app request. It uses the long-lived
+	// session token in the HTTP request to authenticate and authorize the
+	// client for the given workspace app. The token is returned in struct and
+	// string form. The string form should be written as a cookie.
 	//
 	// If the request is invalid or the user is not authorized to access the
 	// app, false is returned. An error page is written to the response writer
 	// in this case.
-	IssueToken(ctx context.Context, rw http.ResponseWriter, r *http.Request, appReq IssueTokenRequest) (*SignedToken, string, bool)
+	Issue(ctx context.Context, rw http.ResponseWriter, r *http.Request, appReq IssueTokenRequest) (*SignedToken, string, bool)
 }
diff --git a/coderd/workspaceapps/token.go b/coderd/workspaceapps/token.go
@@ -220,7 +220,7 @@ func (k SecurityKey) DecryptAPIKey(encryptedAPIKey string) (string, error) {
 	return payload.APIKey, nil
 }
 
-func TokenFromRequest(r *http.Request, key SecurityKey) (*SignedToken, bool) {
+func FromRequest(r *http.Request, key SecurityKey) (*SignedToken, bool) {
 	// Get the existing token from the request.
 	tokenCookie, err := r.Cookie(codersdk.DevURLSignedAppTokenCookie)
 	if err == nil {
diff --git a/enterprise/coderd/workspaceproxy.go b/enterprise/coderd/workspaceproxy.go
@@ -195,7 +195,7 @@ func (api *API) workspaceProxyIssueSignedAppToken(rw http.ResponseWriter, r *htt
 	userReq.Header.Set(codersdk.SessionTokenHeader, req.SessionToken)
 
 	// Exchange the token.
-	token, tokenStr, ok := api.AGPL.WorkspaceAppsProvider.IssueToken(ctx, rw, userReq, req)
+	token, tokenStr, ok := api.AGPL.WorkspaceAppsProvider.Issue(ctx, rw, userReq, req)
 	if !ok {
 		return
 	}
diff --git a/enterprise/wsproxy/tokenprovider.go b/enterprise/wsproxy/tokenprovider.go
@@ -23,11 +23,11 @@ type ProxyTokenProvider struct {
 	Logger      slog.Logger
 }
 
-func (p *ProxyTokenProvider) TokenFromRequest(r *http.Request) (*workspaceapps.SignedToken, bool) {
-	return workspaceapps.TokenFromRequest(r, p.SecurityKey)
+func (p *ProxyTokenProvider) FromRequest(r *http.Request) (*workspaceapps.SignedToken, bool) {
+	return workspaceapps.FromRequest(r, p.SecurityKey)
 }
 
-func (p *ProxyTokenProvider) IssueToken(ctx context.Context, rw http.ResponseWriter, r *http.Request, issueReq workspaceapps.IssueTokenRequest) (*workspaceapps.SignedToken, string, bool) {
+func (p *ProxyTokenProvider) Issue(ctx context.Context, rw http.ResponseWriter, r *http.Request, issueReq workspaceapps.IssueTokenRequest) (*workspaceapps.SignedToken, string, bool) {
 	appReq := issueReq.AppRequest.Normalize()
 	err := appReq.Validate()
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -55,11 +55,11 @@ func NewDBTokenProvider(log slog.Logger, accessURL *url.URL, authz rbac.Authoriz`
`55`	`55`	`}`
`56`	`56`	`}`
`57`	`57`
`58`		`-func (p DBTokenProvider) TokenFromRequest(r http.Request) (*SignedToken, bool) {`
`59`		`- return TokenFromRequest(r, p.SigningKey)`
	`58`	`+func (p DBTokenProvider) FromRequest(r http.Request) (*SignedToken, bool) {`
	`59`	`+ return FromRequest(r, p.SigningKey)`
`60`	`60`	`}`
`61`	`61`
`62`		`-func (p DBTokenProvider) IssueToken(ctx context.Context, rw http.ResponseWriter, r http.Request, issueReq IssueTokenRequest) (*SignedToken, string, bool) {`
	`62`	`+func (p DBTokenProvider) Issue(ctx context.Context, rw http.ResponseWriter, r http.Request, issueReq IssueTokenRequest) (*SignedToken, string, bool) {`
`63`	`63`	`// nolint:gocritic // We need to make a number of database calls. Setting a system context here`
`64`	`64`	`// // is simpler than calling dbauthz.AsSystemRestricted on every call.`
`65`	`65`	`// // dangerousSystemCtx is only used for database calls. The actual authentication`
Original file line number	Diff line number	Diff line change
`@@ -220,7 +220,7 @@ func (k SecurityKey) DecryptAPIKey(encryptedAPIKey string) (string, error) {`
`220`	`220`	`return payload.APIKey, nil`
`221`	`221`	`}`
`222`	`222`
`223`		`-func TokenFromRequest(r http.Request, key SecurityKey) (SignedToken, bool) {`
	`223`	`+func FromRequest(r http.Request, key SecurityKey) (SignedToken, bool) {`
`224`	`224`	`// Get the existing token from the request.`
`225`	`225`	`tokenCookie, err := r.Cookie(codersdk.DevURLSignedAppTokenCookie)`
`226`	`226`	`if err == nil {`
Original file line number	Diff line number	Diff line change
`@@ -195,7 +195,7 @@ func (api API) workspaceProxyIssueSignedAppToken(rw http.ResponseWriter, r htt`
`195`	`195`	`userReq.Header.Set(codersdk.SessionTokenHeader, req.SessionToken)`
`196`	`196`
`197`	`197`	`// Exchange the token.`
`198`		`- token, tokenStr, ok := api.AGPL.WorkspaceAppsProvider.IssueToken(ctx, rw, userReq, req)`
	`198`	`+ token, tokenStr, ok := api.AGPL.WorkspaceAppsProvider.Issue(ctx, rw, userReq, req)`
`199`	`199`	`if !ok {`
`200`	`200`	`return`
`201`	`201`	`}`
Original file line number	Diff line number	Diff line change
`@@ -23,11 +23,11 @@ type ProxyTokenProvider struct {`
`23`	`23`	`Logger slog.Logger`
`24`	`24`	`}`
`25`	`25`
`26`		`-func (p ProxyTokenProvider) TokenFromRequest(r http.Request) (*workspaceapps.SignedToken, bool) {`
`27`		`- return workspaceapps.TokenFromRequest(r, p.SecurityKey)`
	`26`	`+func (p ProxyTokenProvider) FromRequest(r http.Request) (*workspaceapps.SignedToken, bool) {`
	`27`	`+ return workspaceapps.FromRequest(r, p.SecurityKey)`
`28`	`28`	`}`
`29`	`29`
`30`		`-func (p ProxyTokenProvider) IssueToken(ctx context.Context, rw http.ResponseWriter, r http.Request, issueReq workspaceapps.IssueTokenRequest) (*workspaceapps.SignedToken, string, bool) {`
	`30`	`+func (p ProxyTokenProvider) Issue(ctx context.Context, rw http.ResponseWriter, r http.Request, issueReq workspaceapps.IssueTokenRequest) (*workspaceapps.SignedToken, string, bool) {`
`31`	`31`	`appReq := issueReq.AppRequest.Normalize()`
`32`	`32`	`err := appReq.Validate()`
`33`	`33`	`if err != nil {`