feat: Allow setting deployment wide ssh config settings

coder · Emyrk · Mar 16, 2023 · Mar 14, 2023 · Mar 15, 2023 · Mar 15, 2023
commit 79535d0435c41d71b0928d32b712a00d040b6af1
diff --git a/cli/server.go b/cli/server.go
@@ -672,6 +672,11 @@ flags, and YAML configuration. The precedence is as follows:
 				return xerrors.Errorf("parse real ip config: %w", err)
 			}
 
+			configSSHOptions, err := cfg.CLISSH.ParseOptions()
+			if err != nil {
+				return xerrors.Errorf("parse ssh config options \"%v\" %w", cfg.CLISSH.SSHConfigOptions, err)
+			}
+
 			options := &coderd.Options{
 				AccessURL:                   cfg.AccessURL.Value(),
 				AppHostname:                 appHostname,
@@ -696,6 +701,10 @@ flags, and YAML configuration. The precedence is as follows:
 				LoginRateLimit:              loginRateLimit,
 				FilesRateLimit:              filesRateLimit,
 				HTTPClient:                  httpClient,
+				ConfigSSH: codersdk.CLISSHConfigResponse{
+					DeploymentName:   cfg.CLISSH.DeploymentName.String(),
+					SSHConfigOptions: configSSHOptions,
+				},
 			}
 			if tlsConfig != nil {
 				options.TLSCertificates = tlsConfig.Certificates

diff --git a/coderd/clissh.go b/coderd/clissh.go
@@ -0,0 +1,17 @@
+package coderd
+
+import (
+	"net/http"
+
+	"github.com/coder/coder/coderd/httpapi"
+)
+
+// @Summary SSH information for clients
+// @ID cli-ssh-config
+// @Produce json
+// @Tags General
+// @Success 200 {object} codersdk.BuildInfoResponse
+// @Router /ssh-config [get]
+func (a *API) cliSSHConfig(rw http.ResponseWriter, r *http.Request) {
+	httpapi.Write(r.Context(), rw, http.StatusOK, a.ConfigSSH)
+}
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -138,6 +138,9 @@ type Options struct {
 	DeploymentValues            *codersdk.DeploymentValues
 	UpdateCheckOptions          *updatecheck.Options // Set non-nil to enable update checking.
 
+	// ConfigSSH is the response clients use to configure config-ssh locally.
+	ConfigSSH codersdk.CLISSHConfigResponse
+
 	HTTPClient *http.Client
 }
 
@@ -399,6 +402,13 @@ func New(options *Options) *API {
 		r.Post("/csp/reports", api.logReportCSPViolations)
 
 		r.Get("/buildinfo", buildInfo)
+		r.Route("/ssh-config", func(r chi.Router) {
+			// Require auth for this route to prevent leaking the SSH config.
+			// to non-authenticated users. Also some config settings might
+			// be dependent on the user.
+			r.Use(apiKeyMiddleware)
+			r.Get("/", api.cliSSHConfig)
+		})
 		r.Route("/deployment", func(r chi.Router) {
 			r.Use(apiKeyMiddleware)
 			r.Get("/config", api.deploymentValues)

diff --git a/codersdk/deployment.go b/codersdk/deployment.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"flag"
+	"fmt"
 	"math"
 	"net/http"
 	"os"
@@ -160,6 +161,7 @@ type DeploymentValues struct {
 	DisablePasswordAuth             clibase.Bool                    `json:"disable_password_auth,omitempty" typescript:",notnull"`
 	Support                         SupportConfig                   `json:"support,omitempty" typescript:",notnull"`
 	GitAuthProviders                clibase.Struct[[]GitAuthConfig] `json:"git_auth,omitempty" typescript:",notnull"`
+	CLISSH                          CLISSHConfig                    `json:"cli_ssh,omitempty" typescript:",notnull"`
 
 	Config      clibase.String `json:"config,omitempty" typescript:",notnull"`
 	WriteConfig clibase.Bool   `json:"write_config,omitempty" typescript:",notnull"`
@@ -168,6 +170,30 @@ type DeploymentValues struct {
 	Address clibase.HostPort `json:"address,omitempty" typescript:",notnull"`
 }
 
+// CLISSHConfig is configuration the cli & vscode extension use for configuring
+// ssh connections.
+type CLISSHConfig struct {
+	// DeploymentName is the config-ssh Hostname prefix
+	DeploymentName clibase.String
+	// SSHConfigOptions are additional options to add to the ssh config file.
+	// This will override defaults.
+	SSHConfigOptions clibase.Strings
+}
+
+func (c CLISSHConfig) ParseOptions() (map[string]string, error) {
+	m := make(map[string]string)
+	for _, opt := range c.SSHConfigOptions {
+		// Only split once, the value could contain an equals sign.
+		// The key should never, so this is safe.
+		parts := strings.SplitN(opt, "=", 1)
+		if len(parts) != 2 {
+			return nil, fmt.Errorf("invalid config-ssh option %q", opt)
+		}
+		m[parts[0]] = parts[1]
+	}
+	return m, nil
+}
+
 type DERP struct {
 	Server DERPServerConfig `json:"server" typescript:",notnull"`
 	Config DERPConfig       `json:"config" typescript:",notnull"`
@@ -390,6 +416,11 @@ when required by your organization's security policy.`,
 		deploymentGroupDangerous = clibase.Group{
 			Name: "⚠️ Dangerous",
 		}
+		deploymentGroupClient = clibase.Group{
+			Name: "Client",
+			Description: "These options change the behavior of how clients interact with the Coder. " +
+				"Clients include the coder cli, vs code extension, and the web UI.",
+		}
 		deploymentGroupConfig = clibase.Group{
 			Name:        "Config",
 			Description: `Use a YAML configuration file when your server launch become unwieldy.`,
@@ -1265,6 +1296,29 @@ when required by your organization's security policy.`,
 			Group:         &deploymentGroupConfig,
 			Value:         &c.Config,
 		},
+		{
+			Name:        "CLI SSH Deployment Name",
+			Description: "The CLI SSH deployment name is the used in the Hostname of the ssh config.",
+			Flag:        "cli-ssh-deployment-name",
+			Env:         "CLI_SSH_DEPLOYMENT_NAME",
+			YAML:        "cliSSHDeploymentName",
+			Group:       &deploymentGroupClient,
+			Value:       &c.CLISSH.DeploymentName,
+			Hidden:      false,
+			Default:     "coder",
+		},
+		{
+			Name: "CLI SSH Config Options",
+			Description: "These cli config options will override the default ssh config options. " +
+				"Provide options in key=value format seperated by commas." +
+				"Using this incorrectly can break ssh to your deployment. Use cautiously.",
+			Flag:   "cli-ssh-options",
+			Env:    "CLI_SSH_OPTIONS",
+			YAML:   "cliSSHOptions",
+			Group:  &deploymentGroupClient,
+			Value:  &c.CLISSH.SSHConfigOptions,
+			Hidden: false,
+		},
 		{
 			Name: "Write Config",
 			Description: `
@@ -1580,3 +1634,25 @@ type DeploymentStats struct {
 	Workspaces   WorkspaceDeploymentStats    `json:"workspaces"`
 	SessionCount SessionCountDeploymentStats `json:"session_count"`
 }
+
+type CLISSHConfigResponse struct {
+	DeploymentName   string            `json:"deployment_name"`
+	SSHConfigOptions map[string]string `json:"ssh_config_options"`
+}
+
+// SSHConfiguration returns information about the SSH configuration for the
+// Coder instance.
+func (c *Client) SSHConfiguration(ctx context.Context) (CLISSHConfigResponse, error) {
+	res, err := c.Request(ctx, http.MethodGet, "/api/v2/ssh-config", nil)
+	if err != nil {
+		return CLISSHConfigResponse{}, err
+	}
+	defer res.Body.Close()
+
+	if res.StatusCode != http.StatusOK {
+		return CLISSHConfigResponse{}, ReadBodyAsError(res)
+	}
+
+	var cliConfig CLISSHConfigResponse
+	return cliConfig, json.NewDecoder(res.Body).Decode(&cliConfig)
+}
diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts
@@ -135,6 +135,18 @@ export interface BuildInfoResponse {
   readonly version: string
 }
 
+// From codersdk/deployment.go
+export interface CLISSHConfig {
+  readonly DeploymentName: string
+  readonly SSHConfigOptions: string[]
+}
+
+// From codersdk/deployment.go
+export interface CLISSHConfigResponse {
+  readonly deployment_name: string
+  readonly ssh_config_options: Record<string, string>
+}
+
 // From codersdk/parameters.go
 export interface ComputedParameter extends Parameter {
   readonly source_value: string
@@ -359,6 +371,7 @@ export interface DeploymentValues {
   // Named type "github.com/coder/coder/cli/clibase.Struct[[]github.com/coder/coder/codersdk.GitAuthConfig]" unknown, using "any"
   // eslint-disable-next-line @typescript-eslint/no-explicit-any -- TODO explain why this is needed
   readonly git_auth?: any
+  readonly cli_ssh?: CLISSHConfig
   readonly config?: string
   readonly write_config?: boolean
   // Named type "github.com/coder/coder/cli/clibase.HostPort" unknown, using "any"