coder
diff --git a/‎.vscode/settings.json
Lines changed: 7 additions & 0 deletions b/‎.vscode/settings.json
Lines changed: 7 additions & 0 deletions
diff --git a/‎agent/agent.go
Lines changed: 15 additions & 0 deletions b/‎agent/agent.go
Lines changed: 15 additions & 0 deletions
diff --git a/‎agent/agent_test.go
Lines changed: 33 additions & 0 deletions b/‎agent/agent_test.go
Lines changed: 33 additions & 0 deletions
diff --git a/‎cli/agent.go
Lines changed: 2 additions & 1 deletion b/‎cli/agent.go
Lines changed: 2 additions & 1 deletion
diff --git a/‎cli/config/server.yaml
Lines changed: 25 additions & 0 deletions b/‎cli/config/server.yaml
Lines changed: 25 additions & 0 deletions
diff --git a/‎cli/deployment/config.go
Lines changed: 49 additions & 0 deletions b/‎cli/deployment/config.go
Lines changed: 49 additions & 0 deletions
diff --git a/‎cli/deployment/config_test.go
Lines changed: 39 additions & 0 deletions b/‎cli/deployment/config_test.go
Lines changed: 39 additions & 0 deletions
diff --git a/‎cli/gitaskpass.go
Lines changed: 83 additions & 0 deletions b/‎cli/gitaskpass.go
Lines changed: 83 additions & 0 deletions
@@ -1,6 +1,8 @@
 {
   "cSpell.words": [
+    "afero",
     "apps",
+    "ASKPASS",
     "awsidentity",
     "bodyclose",
     "buildinfo",
@@ -19,16 +21,20 @@
     "derphttp",
     "derpmap",
     "devel",
+    "devtunnel",
     "dflags",
     "drpc",
     "drpcconn",
     "drpcmux",
     "drpcserver",
     "Dsts",
+    "embeddedpostgres",
     "enablements",
+    "errgroup",
     "eventsourcemock",
     "fatih",
     "Formik",
+    "gitauth",
     "gitsshkey",
     "goarch",
     "gographviz",
@@ -78,6 +84,7 @@
     "parameterscopeid",
     "pqtype",
     "prometheusmetrics",
+    "promhttp",
     "promptui",
     "protobuf",
     "provisionerd",
 
@@ -26,6 +26,7 @@ import (
 	"github.com/gliderlabs/ssh"
 	"github.com/google/uuid"
 	"github.com/pkg/sftp"
+	"github.com/spf13/afero"
 	"go.uber.org/atomic"
 	gossh "golang.org/x/crypto/ssh"
 	"golang.org/x/xerrors"
@@ -35,6 +36,7 @@ import (
 	"cdr.dev/slog"
 	"github.com/coder/coder/agent/usershell"
 	"github.com/coder/coder/buildinfo"
+	"github.com/coder/coder/coderd/gitauth"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/pty"
 	"github.com/coder/coder/tailnet"
@@ -53,6 +55,7 @@ const (
 )
 
 type Options struct {
+	Filesystem             afero.Fs
 	ExchangeToken          func(ctx context.Context) error
 	Client                 Client
 	ReconnectingPTYTimeout time.Duration
@@ -72,6 +75,9 @@ func New(options Options) io.Closer {
 	if options.ReconnectingPTYTimeout == 0 {
 		options.ReconnectingPTYTimeout = 5 * time.Minute
 	}
+	if options.Filesystem == nil {
+		options.Filesystem = afero.NewOsFs()
+	}
 	ctx, cancelFunc := context.WithCancel(context.Background())
 	server := &agent{
 		reconnectingPTYTimeout: options.ReconnectingPTYTimeout,
@@ -81,6 +87,7 @@ func New(options Options) io.Closer {
 		envVars:                options.EnvironmentVariables,
 		client:                 options.Client,
 		exchangeToken:          options.ExchangeToken,
+		filesystem:             options.Filesystem,
 		stats:                  &Stats{},
 	}
 	server.init(ctx)
@@ -91,6 +98,7 @@ type agent struct {
 	logger        slog.Logger
 	client        Client
 	exchangeToken func(ctx context.Context) error
+	filesystem    afero.Fs
 
 	reconnectingPTYs       sync.Map
 	reconnectingPTYTimeout time.Duration
@@ -171,6 +179,13 @@ func (a *agent) run(ctx context.Context) error {
 		}()
 	}
 
+	if metadata.GitAuthConfigs > 0 {
+		err = gitauth.OverrideVSCodeConfigs(a.filesystem)
+		if err != nil {
+			return xerrors.Errorf("override vscode configuration for git auth: %w", err)
+		}
+	}
+
 	// This automatically closes when the context ends!
 	appReporterCtx, appReporterCtxCancel := context.WithCancel(ctx)
 	defer appReporterCtxCancel()
 
@@ -27,6 +27,7 @@ import (
 	"github.com/google/uuid"
 	"github.com/pion/udp"
 	"github.com/pkg/sftp"
+	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/goleak"
@@ -543,6 +544,38 @@ func TestAgent(t *testing.T) {
 			return initialized.Load() == 2
 		}, testutil.WaitShort, testutil.IntervalFast)
 	})
+
+	t.Run("WriteVSCodeConfigs", func(t *testing.T) {
+		t.Parallel()
+		client := &client{
+			t:       t,
+			agentID: uuid.New(),
+			metadata: codersdk.WorkspaceAgentMetadata{
+				GitAuthConfigs: 1,
+			},
+			statsChan:   make(chan *codersdk.AgentStats),
+			coordinator: tailnet.NewCoordinator(),
+		}
+		filesystem := afero.NewMemMapFs()
+		closer := agent.New(agent.Options{
+			ExchangeToken: func(ctx context.Context) error {
+				return nil
+			},
+			Client:     client,
+			Logger:     slogtest.Make(t, nil).Leveled(slog.LevelInfo),
+			Filesystem: filesystem,
+		})
+		t.Cleanup(func() {
+			_ = closer.Close()
+		})
+		home, err := os.UserHomeDir()
+		require.NoError(t, err)
+		path := filepath.Join(home, ".vscode-server", "data", "Machine", "settings.json")
+		require.Eventually(t, func() bool {
+			_, err := filesystem.Stat(path)
+			return err == nil
+		}, testutil.WaitShort, testutil.IntervalFast)
+	})
 }
 
 func setupSSHCommand(t *testing.T, beforeArgs []string, afterArgs []string) *exec.Cmd {
 
@@ -169,8 +169,9 @@ func workspaceAgent() *cobra.Command {
 				},
 				EnvironmentVariables: map[string]string{
 					// Override the "CODER_AGENT_TOKEN" variable in all
-					// shells so "gitssh" works!
+					// shells so "gitssh" and "gitaskpass" works!
 					"CODER_AGENT_TOKEN": client.SessionToken,
+					"GIT_ASKPASS":       executablePath,
 				},
 			})
 			<-cmd.Context().Done()
 
@@ -0,0 +1,25 @@
+# Coder Server Configuration
+
+# Automatically authenticate HTTP(s) Git requests.
+gitauth:
+# Supported: azure-devops, bitbucket, github, gitlab
+# - type: github
+#   client_id: xxxxxx
+#   client_secret: xxxxxx
+
+# Multiple providers are an Enterprise feature.
+# Contact sales@coder.com for a license.
+# 
+# If multiple providers are used, a unique "id"
+# must be provided for each one.
+# - id: example
+#   type: azure-devops
+#   client_id: xxxxxxx
+#   client_secret: xxxxxxx
+# A custom regex can be used to match a specific
+# repository or organization to limit auth scope.
+#   regex: github.com/coder
+# Custom authentication and token URLs should be
+# used for self-managed Git provider deployments.
+#   auth_url: https://example.com/oauth/authorize
+#   token_url: https://example.com/oauth/token
@@ -97,6 +97,12 @@ func newConfig() *codersdk.DeploymentConfig {
 				},
 			},
 		},
+		GitAuth: &codersdk.DeploymentConfigField[[]codersdk.GitAuthConfig]{
+			Name:    "Git Auth",
+			Usage:   "Automatically authenticate Git inside workspaces.",
+			Flag:    "gitauth",
+			Default: []codersdk.GitAuthConfig{},
+		},
 		Prometheus: &codersdk.PrometheusConfig{
 			Enable: &codersdk.DeploymentConfigField[bool]{
 				Name:  "Prometheus Enable",
@@ -407,6 +413,9 @@ func setConfig(prefix string, vip *viper.Viper, target interface{}) {
 				value = append(value, strings.Split(entry, ",")...)
 			}
 			val.FieldByName("Value").Set(reflect.ValueOf(value))
+		case []codersdk.GitAuthConfig:
+			values := readSliceFromViper[codersdk.GitAuthConfig](vip, prefix, value)
+			val.FieldByName("Value").Set(reflect.ValueOf(values))
 		default:
 			panic(fmt.Sprintf("unsupported type %T", value))
 		}
@@ -437,6 +446,44 @@ func setConfig(prefix string, vip *viper.Viper, target interface{}) {
 	}
 }
 
+// readSliceFromViper reads a typed mapping from the key provided.
+// This enables environment variables like CODER_GITAUTH_<index>_CLIENT_ID.
+func readSliceFromViper[T any](vip *viper.Viper, key string, value any) []T {
+	elementType := reflect.TypeOf(value).Elem()
+	returnValues := make([]T, 0)
+	for entry := 0; true; entry++ {
+		// Only create an instance when the entry exists in viper...
+		// otherwise we risk
+		var instance *reflect.Value
+		for i := 0; i < elementType.NumField(); i++ {
+			fve := elementType.Field(i)
+			prop := fve.Tag.Get("json")
+			// For fields that are omitted in JSON, we use a YAML tag.
+			if prop == "-" {
+				prop = fve.Tag.Get("yaml")
+			}
+			value := vip.Get(fmt.Sprintf("%s.%d.%s", key, entry, prop))
+			if value == nil {
+				continue
+			}
+			if instance == nil {
+				newType := reflect.Indirect(reflect.New(elementType))
+				instance = &newType
+			}
+			instance.Field(i).Set(reflect.ValueOf(value))
+		}
+		if instance == nil {
+			break
+		}
+		value, ok := instance.Interface().(T)
+		if !ok {
+			continue
+		}
+		returnValues = append(returnValues, value)
+	}
+	return returnValues
+}
+
 func NewViper() *viper.Viper {
 	dc := newConfig()
 	vip := viper.New()
@@ -516,6 +563,8 @@ func setFlags(prefix string, flagset *pflag.FlagSet, vip *viper.Viper, target in
 			_ = flagset.DurationP(flg, shorthand, vip.GetDuration(prefix), usage)
 		case []string:
 			_ = flagset.StringSliceP(flg, shorthand, vip.GetStringSlice(prefix), usage)
+		case []codersdk.GitAuthConfig:
+			// Ignore this one!
 		default:
 			panic(fmt.Sprintf("unsupported type %T", typ))
 		}
 
@@ -148,6 +148,45 @@ func TestConfig(t *testing.T) {
 			require.Equal(t, []string{"coder"}, config.OAuth2.Github.AllowedTeams.Value)
 			require.Equal(t, config.OAuth2.Github.AllowSignups.Value, true)
 		},
+	}, {
+		Name: "GitAuth",
+		Env: map[string]string{
+			"CODER_GITAUTH_0_ID":            "hello",
+			"CODER_GITAUTH_0_TYPE":          "github",
+			"CODER_GITAUTH_0_CLIENT_ID":     "client",
+			"CODER_GITAUTH_0_CLIENT_SECRET": "secret",
+			"CODER_GITAUTH_0_AUTH_URL":      "https://auth.com",
+			"CODER_GITAUTH_0_TOKEN_URL":     "https://token.com",
+			"CODER_GITAUTH_0_REGEX":         "github.com",
+
+			"CODER_GITAUTH_1_ID":            "another",
+			"CODER_GITAUTH_1_TYPE":          "gitlab",
+			"CODER_GITAUTH_1_CLIENT_ID":     "client-2",
+			"CODER_GITAUTH_1_CLIENT_SECRET": "secret-2",
+			"CODER_GITAUTH_1_AUTH_URL":      "https://auth-2.com",
+			"CODER_GITAUTH_1_TOKEN_URL":     "https://token-2.com",
+			"CODER_GITAUTH_1_REGEX":         "gitlab.com",
+		},
+		Valid: func(config *codersdk.DeploymentConfig) {
+			require.Len(t, config.GitAuth.Value, 2)
+			require.Equal(t, []codersdk.GitAuthConfig{{
+				ID:           "hello",
+				Type:         "github",
+				ClientID:     "client",
+				ClientSecret: "secret",
+				AuthURL:      "https://auth.com",
+				TokenURL:     "https://token.com",
+				Regex:        "github.com",
+			}, {
+				ID:           "another",
+				Type:         "gitlab",
+				ClientID:     "client-2",
+				ClientSecret: "secret-2",
+				AuthURL:      "https://auth-2.com",
+				TokenURL:     "https://token-2.com",
+				Regex:        "gitlab.com",
+			}}, config.GitAuth.Value)
+		},
 	}} {
 		tc := tc
 		t.Run(tc.Name, func(t *testing.T) {
 
@@ -0,0 +1,83 @@
+package cli
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"os/signal"
+	"time"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/coderd/gitauth"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/retry"
+)
+
+// gitAskpass is used by the Coder agent to automatically authenticate
+// with Git providers based on a hostname.
+func gitAskpass() *cobra.Command {
+	return &cobra.Command{
+		Use:    "gitaskpass",
+		Hidden: true,
+		Args:   cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+
+			ctx, stop := signal.NotifyContext(ctx, interruptSignals...)
+			defer stop()
+
+			user, host, err := gitauth.ParseAskpass(args[0])
+			if err != nil {
+				return xerrors.Errorf("parse host: %w", err)
+			}
+
+			client, err := createAgentClient(cmd)
+			if err != nil {
+				return xerrors.Errorf("create agent client: %w", err)
+			}
+
+			token, err := client.WorkspaceAgentGitAuth(ctx, host, false)
+			if err != nil {
+				var apiError *codersdk.Error
+				if errors.As(err, &apiError) && apiError.StatusCode() == http.StatusNotFound {
+					// This prevents the "Run 'coder --help' for usage"
+					// message from occurring.
+					cmd.Printf("%s\n", apiError.Message)
+					return cliui.Canceled
+				}
+				return xerrors.Errorf("get git token: %w", err)
+			}
+			if token.URL != "" {
+				if err := openURL(cmd, token.URL); err != nil {
+					cmd.Printf("Your browser has been opened to authenticate with Git:\n\n\t%s\n\n", token.URL)
+				} else {
+					cmd.Printf("Open the following URL to authenticate with Git:\n\n\t%s\n\n", token.URL)
+				}
+
+				for r := retry.New(250*time.Millisecond, 10*time.Second); r.Wait(ctx); {
+					token, err = client.WorkspaceAgentGitAuth(ctx, host, true)
+					if err != nil {
+						continue
+					}
+					cmd.Printf("\nYou've been authenticated with Git!\n")
+					break
+				}
+			}
+
+			if token.Password != "" {
+				if user == "" {
+					fmt.Fprintln(cmd.OutOrStdout(), token.Username)
+				} else {
+					fmt.Fprintln(cmd.OutOrStdout(), token.Password)
+				}
+			} else {
+				fmt.Fprintln(cmd.OutOrStdout(), token.Username)
+			}
+
+			return nil
+		},
+	}
+}