Check workspace proxy hostnames for subdomain apps

Emyrk · Emyrk · commit ec04552995b9 · 2023-04-11T11:02:39.000-05:00
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -51,6 +51,7 @@ import (
 	"github.com/coder/coder/coderd/httpmw"
 	"github.com/coder/coder/coderd/metricscache"
 	"github.com/coder/coder/coderd/provisionerdserver"
+	"github.com/coder/coder/coderd/proxycache"
 	"github.com/coder/coder/coderd/rbac"
 	"github.com/coder/coder/coderd/schedule"
 	"github.com/coder/coder/coderd/telemetry"
@@ -272,6 +273,9 @@ func New(options *Options) *API {
 		},
 	)
 
+	ctx, cancel := context.WithCancel(context.Background())
+	proxyCache := proxycache.New(ctx, options.Logger.Named("proxy_cache"), options.Database, time.Minute*5)
+
 	staticHandler := site.Handler(site.FS(), binFS, binHashes)
 	// Static file handler must be wrapped with HSTS handler if the
 	// StrictTransportSecurityAge is set. We only need to set this header on
@@ -284,7 +288,6 @@ func New(options *Options) *API {
 	}
 
 	r := chi.NewRouter()
-	ctx, cancel := context.WithCancel(context.Background())
 	api := &API{
 		ctx:    ctx,
 		cancel: cancel,
@@ -308,6 +311,7 @@ func New(options *Options) *API {
 			options.AppSecurityKey,
 		),
 		metricsCache:          metricsCache,
+		ProxyCache:            proxyCache,
 		Auditor:               atomic.Pointer[audit.Auditor]{},
 		TemplateScheduleStore: options.TemplateScheduleStore,
 		Experiments:           experiments,
@@ -816,7 +820,8 @@ type API struct {
 	workspaceAgentCache   *wsconncache.Cache
 	updateChecker         *updatecheck.Checker
 	WorkspaceAppsProvider workspaceapps.SignedTokenProvider
-	workspaceAppServer    *workspaceapps.Server
+	workspaceAppServer *workspaceapps.Server
+	ProxyCache         *proxycache.Cache
 
 	// Experiments contains the list of experiments currently enabled.
 	// This is used to gate features that are not yet ready for production.
diff --git a/coderd/proxycache/cache.go b/coderd/proxycache/cache.go
@@ -0,0 +1,148 @@
+package proxycache
+
+import (
+	"context"
+	"regexp"
+	"runtime/pprof"
+	"sync"
+	"time"
+
+	"github.com/coder/coder/coderd/database/dbauthz"
+
+	"github.com/coder/coder/coderd/httpapi"
+
+	"cdr.dev/slog"
+	"github.com/coder/coder/coderd/database"
+)
+
+// Cache is used to cache workspace proxies to prevent having to do a database
+// call each time the list of workspace proxies is required. Workspace proxies
+// are very infrequently updated, so this cache should rarely change.
+//
+// The accessor functions on the cache are intended to optimize the hot path routes
+// in the API. Meaning, this cache can implement the specific logic required to
+// using the cache in the API, instead of just returning the slice of proxies.
+type Cache struct {
+	db       database.Store
+	log      slog.Logger
+	interval time.Duration
+
+	// ctx controls the lifecycle of the cache.
+	ctx    context.Context
+	cancel func()
+
+	// Data
+	mu sync.RWMutex
+	// cachedValues is the list of workspace proxies that are currently cached.
+	// This is the raw data from the database.
+	cachedValues []database.WorkspaceProxy
+	// cachedPatterns is a map of the workspace proxy patterns to their compiled
+	// regular expressions.
+	cachedPatterns map[string]*regexp.Regexp
+}
+
+func New(ctx context.Context, log slog.Logger, db database.Store, interval time.Duration) *Cache {
+	if interval == 0 {
+		interval = 5 * time.Minute
+	}
+	ctx, cancel := context.WithCancel(ctx)
+	c := &Cache{
+		ctx:      ctx,
+		db:       db,
+		log:      log,
+		cancel:   cancel,
+		interval: interval,
+
+		cachedPatterns: map[string]*regexp.Regexp{},
+	}
+	return c
+}
+
+// ExecuteHostnamePattern is used to determine if a given hostname matches
+// any of the workspace proxy patterns. If it does, the subdomain for the app
+// is returned. If it does not, an empty string is returned with 'false'.
+func (c *Cache) ExecuteHostnamePattern(host string) (string, bool) {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+
+	for _, rg := range c.cachedPatterns {
+		sub, ok := httpapi.ExecuteHostnamePattern(rg, host)
+		if ok {
+			return sub, ok
+		}
+	}
+	return "", false
+}
+
+func (c *Cache) run() {
+	// Load the initial cache.
+	c.updateCache()
+	ticker := time.NewTicker(c.interval)
+	pprof.Do(c.ctx, pprof.Labels("service", "proxy-cache"), func(ctx context.Context) {
+		for {
+			select {
+			case <-ticker.C:
+				c.updateCache()
+			case <-c.ctx.Done():
+				return
+			}
+		}
+	})
+}
+
+// ForceUpdate can be called externally to force an update of the cache.
+// The regular update interval will still be used.
+func (c *Cache) ForceUpdate() {
+	c.updateCache()
+}
+
+// updateCache is used to update the cache with the latest values from the database.
+func (c *Cache) updateCache() {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	proxies, err := c.db.GetWorkspaceProxies(dbauthz.AsSystemRestricted(c.ctx))
+	if err != nil {
+		c.log.Error(c.ctx, "failed to get workspace proxies", slog.Error(err))
+		return
+	}
+
+	c.cachedValues = proxies
+
+	keep := make(map[string]struct{})
+	for _, p := range proxies {
+		if p.WildcardHostname == "" {
+			// It is possible some moons do not support subdomain apps.
+			continue
+		}
+
+		keep[p.WildcardHostname] = struct{}{}
+		if _, ok := c.cachedPatterns[p.WildcardHostname]; ok {
+			// pattern is already cached
+			continue
+		}
+
+		rg, err := httpapi.CompileHostnamePattern(p.WildcardHostname)
+		if err != nil {
+			c.log.Error(c.ctx, "failed to compile workspace proxy pattern",
+				slog.Error(err),
+				slog.F("proxy_id", p.ID),
+				slog.F("proxy_name", p.Name),
+				slog.F("proxy_hostname", p.WildcardHostname),
+			)
+			continue
+		}
+		c.cachedPatterns[p.WildcardHostname] = rg
+	}
+
+	// Remove any excess patterns
+	for k := range c.cachedPatterns {
+		if _, ok := keep[k]; !ok {
+			delete(c.cachedPatterns, k)
+		}
+	}
+}
+
+func (c *Cache) Close() {
+	c.cancel()
+}
diff --git a/coderd/workspaceapps.go b/coderd/workspaceapps.go
@@ -83,7 +83,7 @@ func (api *API) workspaceApplicationAuth(rw http.ResponseWriter, r *http.Request
 
 	// Ensure that the redirect URI is a subdomain of api.Hostname and is a
 	// valid app subdomain.
-	subdomain, ok := httpapi.ExecuteHostnamePattern(api.AppHostnameRegex, u.Host)
+	subdomain, ok := api.executeHostnamePattern(u.Host)
 	if !ok {
 		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
 			Message: "The redirect_uri query parameter must be a valid app subdomain.",
@@ -141,3 +141,14 @@ func (api *API) workspaceApplicationAuth(rw http.ResponseWriter, r *http.Request
 	u.RawQuery = q.Encode()
 	http.Redirect(rw, r, u.String(), http.StatusSeeOther)
 }
+
+// executeHostnamePattern will check if a hostname is a valid subdomain based
+// app. First it checks the primary's hostname, then checks if the hostname
+// is valid for any workspace proxy domain.
+func (api *API) executeHostnamePattern(hostname string) (string, bool) {
+	subdomain, ok := httpapi.ExecuteHostnamePattern(api.AppHostnameRegex, hostname)
+	if ok {
+		return subdomain, true
+	}
+	return api.ProxyCache.ExecuteHostnamePattern(hostname)
+}
diff --git a/enterprise/coderd/workspaceproxy.go b/enterprise/coderd/workspaceproxy.go
@@ -100,6 +100,9 @@ func (api *API) postWorkspaceProxy(rw http.ResponseWriter, r *http.Request) {
 		Proxy:      convertProxy(proxy),
 		ProxyToken: fullToken,
 	})
+
+	// Force update the proxy cache to ensure the new proxy is available.
+	api.AGPL.ProxyCache.ForceUpdate()
 }
 
 // nolint:revive

Original file line number	Diff line number	Diff line change
`@@ -100,6 +100,9 @@ func (api API) postWorkspaceProxy(rw http.ResponseWriter, r http.Request) {`
`100`	`100`	`Proxy: convertProxy(proxy),`
`101`	`101`	`ProxyToken: fullToken,`
`102`	`102`	`})`
	`103`	`+`
	`104`	`+ // Force update the proxy cache to ensure the new proxy is available.`
	`105`	`+ api.AGPL.ProxyCache.ForceUpdate()`
`103`	`106`	`}`
`104`	`107`
`105`	`108`	`// nolint:revive`