Add proxy token provider

coder · deansheather · Apr 17, 2023 · Apr 5, 2023 · Apr 5, 2023 · Apr 6, 2023
commit 020b4b5155958c0b8799c186e7bf00ed79dc5521
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -338,12 +338,14 @@ func New(options *Options) *API {
 		AccessURL:        api.AccessURL,
 		Hostname:         api.AppHostname,
 		HostnameRegex:    api.AppHostnameRegex,
-		DeploymentValues: options.DeploymentValues,
 		RealIPConfig:     options.RealIPConfig,
 
 		SignedTokenProvider: api.WorkspaceAppsProvider,
 		WorkspaceConnCache:  api.workspaceAgentCache,
 		AppSecurityKey:      options.AppSecurityKey,
+
+		DisablePathApps:     options.DeploymentValues.DisablePathApps.Value(),
+		SecureAuthCookie:    options.DeploymentValues.SecureAuthCookie.Value(),
 	}
 
 	apiKeyMiddleware := httpmw.ExtractAPIKeyMW(httpmw.ExtractAPIKeyConfig{

diff --git a/coderd/httpmw/apikey.go b/coderd/httpmw/apikey.go
@@ -167,7 +167,7 @@ func ExtractAPIKey(rw http.ResponseWriter, r *http.Request, cfg ExtractAPIKeyCon
 		return nil, nil, false
 	}
 
-	token := apiTokenFromRequest(r)
+	token := ApiTokenFromRequest(r)
 	if token == "" {
 		return optionalWrite(http.StatusUnauthorized, codersdk.Response{
 			Message: SignedOutErrorMessage,
@@ -376,14 +376,14 @@ func ExtractAPIKey(rw http.ResponseWriter, r *http.Request, cfg ExtractAPIKeyCon
 	return &key, &authz, true
 }
 
-// apiTokenFromRequest returns the api token from the request.
+// ApiTokenFromRequest returns the api token from the request.
 // Find the session token from:
 // 1: The cookie
 // 1: The devurl cookie
 // 3: The old cookie
 // 4. The coder_session_token query parameter
 // 5. The custom auth header
-func apiTokenFromRequest(r *http.Request) string {
+func ApiTokenFromRequest(r *http.Request) string {
 	cookie, err := r.Cookie(codersdk.SessionTokenCookie)
 	if err == nil && cookie.Value != "" {
 		return cookie.Value

diff --git a/coderd/httpmw/workspaceagent.go b/coderd/httpmw/workspaceagent.go
@@ -32,7 +32,7 @@ func ExtractWorkspaceAgent(db database.Store) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 			ctx := r.Context()
-			tokenValue := apiTokenFromRequest(r)
+			tokenValue := ApiTokenFromRequest(r)
 			if tokenValue == "" {
 				httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
 					Message: fmt.Sprintf("Cookie %q must be provided.", codersdk.SessionTokenCookie),

diff --git a/coderd/workspaceapps/db.go b/coderd/workspaceapps/db.go
@@ -55,23 +55,7 @@ func NewDBTokenProvider(log slog.Logger, accessURL *url.URL, authz rbac.Authoriz
 }
 
 func (p *DBTokenProvider) TokenFromRequest(r *http.Request) (*SignedToken, bool) {
-	// Get the existing token from the request.
-	tokenCookie, err := r.Cookie(codersdk.DevURLSignedAppTokenCookie)
-	if err == nil {
-		token, err := p.SigningKey.VerifySignedToken(tokenCookie.Value)
-		if err == nil {
-			req := token.Request.Normalize()
-			err := req.Validate()
-			if err == nil {
-				// The request has a valid signed app token, which is a valid
-				// token signed by us. The caller must check that it matches
-				// the request.
-				return &token, true
-			}
-		}
-	}
-
-	return nil, false
+	return TokenFromRequest(r, p.SigningKey)
 }
 
 // ResolveRequest takes an app request, checks if it's valid and authenticated,

diff --git a/coderd/workspaceapps/proxy.go b/coderd/workspaceapps/proxy.go
@@ -78,14 +78,16 @@ type Server struct {
 	Hostname string
 	// HostnameRegex contains the regex version of Hostname as generated by
 	// httpapi.CompileHostnamePattern(). It MUST be set if Hostname is set.
-	HostnameRegex    *regexp.Regexp
-	DeploymentValues *codersdk.DeploymentValues
-	RealIPConfig     *httpmw.RealIPConfig
+	HostnameRegex *regexp.Regexp
+	RealIPConfig  *httpmw.RealIPConfig
 
 	SignedTokenProvider SignedTokenProvider
 	WorkspaceConnCache  *wsconncache.Cache
 	AppSecurityKey      SecurityKey
 
+	DisablePathApps  bool
+	SecureAuthCookie bool
+
 	websocketWaitMutex sync.Mutex
 	websocketWaitGroup sync.WaitGroup
 }
@@ -120,7 +122,7 @@ func (s *Server) Attach(r chi.Router) {
 // workspaceAppsProxyPath proxies requests to a workspace application
 // through a relative URL path.
 func (s *Server) workspaceAppsProxyPath(rw http.ResponseWriter, r *http.Request) {
-	if s.DeploymentValues.DisablePathApps.Value() {
+	if s.DisablePathApps {
 		site.RenderStaticErrorPage(rw, r, site.ErrorPageData{
 			Status:       http.StatusUnauthorized,
 			Title:        "Unauthorized",
@@ -385,7 +387,7 @@ func (s *Server) setWorkspaceAppCookie(rw http.ResponseWriter, r *http.Request,
 		MaxAge:   0,
 		HttpOnly: true,
 		SameSite: http.SameSiteLaxMode,
-		Secure:   s.DeploymentValues.SecureAuthCookie.Value(),
+		Secure:   s.SecureAuthCookie,
 	})
 
 	return true

diff --git a/coderd/workspaceapps/token.go b/coderd/workspaceapps/token.go
@@ -4,13 +4,15 @@ import (
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
+	"net/http"
 	"time"
 
 	"github.com/go-jose/go-jose/v3"
 	"github.com/google/uuid"
 	"golang.org/x/xerrors"
 
 	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/codersdk"
 )
 
 const (
@@ -217,3 +219,23 @@ func (k SecurityKey) DecryptAPIKey(encryptedAPIKey string) (string, error) {
 
 	return payload.APIKey, nil
 }
+
+func TokenFromRequest(r *http.Request, key SecurityKey) (*SignedToken, bool) {
+	// Get the existing token from the request.
+	tokenCookie, err := r.Cookie(codersdk.DevURLSignedAppTokenCookie)
+	if err == nil {
+		token, err := key.VerifySignedToken(tokenCookie.Value)
+		if err == nil {
+			req := token.Request.Normalize()
+			err := req.Validate()
+			if err == nil {
+				// The request has a valid signed app token, which is a valid
+				// token signed by us. The caller must check that it matches
+				// the request.
+				return &token, true
+			}
+		}
+	}
+
+	return nil, false
+}
diff --git a/enterprise/coderd/workspaceproxy_test.go b/enterprise/coderd/workspaceproxy_test.go
@@ -1,16 +1,21 @@
 package coderd_test
 
 import (
+	"net/http/httptest"
 	"testing"
 
 	"github.com/google/uuid"
 	"github.com/moby/moby/pkg/namesgenerator"
 	"github.com/stretchr/testify/require"
 
+	"cdr.dev/slog"
+	"cdr.dev/slog/sloggers/slogtest"
+	"github.com/coder/coder/agent"
 	"github.com/coder/coder/coderd/coderdtest"
 	"github.com/coder/coder/coderd/database/dbtestutil"
 	"github.com/coder/coder/coderd/workspaceapps"
 	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/codersdk/agentsdk"
 	"github.com/coder/coder/enterprise/coderd/coderdenttest"
 	"github.com/coder/coder/enterprise/coderd/license"
 	"github.com/coder/coder/enterprise/wsproxy/wsproxysdk"
@@ -92,7 +97,21 @@ func TestIssueSignedAppToken(t *testing.T) {
 	template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
 	coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
 	workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
-	coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+	build := coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+	workspace.LatestBuild = build
+
+	// Connect an agent to the workspace
+	agentClient := agentsdk.New(client.URL)
+	agentClient.SetSessionToken(authToken)
+	agentCloser := agent.New(agent.Options{
+		Client: agentClient,
+		Logger: slogtest.Make(t, nil).Named("agent").Leveled(slog.LevelDebug),
+	})
+	defer func() {
+		_ = agentCloser.Close()
+	}()
+
+	coderdtest.AwaitWorkspaceAgents(t, client, workspace.ID)
 
 	ctx := testutil.Context(t, testutil.WaitLong)
 	proxyRes, err := client.CreateWorkspaceProxy(ctx, codersdk.CreateWorkspaceProxyRequest{
@@ -119,16 +138,23 @@ func TestIssueSignedAppToken(t *testing.T) {
 		require.Error(t, err)
 	})
 
+	goodRequest := wsproxysdk.IssueSignedAppTokenRequest{
+		AppRequest: workspaceapps.Request{
+			BasePath:          "/app",
+			AccessMethod:      workspaceapps.AccessMethodTerminal,
+			WorkspaceAndAgent: workspace.ID.String(),
+			AgentNameOrID:     build.Resources[0].Agents[0].ID.String(),
+		},
+		SessionToken: client.SessionToken(),
+	}
 	t.Run("OK", func(t *testing.T) {
-		_, err = proxyClient.IssueSignedAppToken(ctx, wsproxysdk.IssueSignedAppTokenRequest{
-			AppRequest: workspaceapps.Request{
-				BasePath:          "/app",
-				AccessMethod:      workspaceapps.AccessMethodTerminal,
-				UsernameOrID:      user.UserID.String(),
-				WorkspaceAndAgent: workspace.ID.String(),
-			},
-			SessionToken: client.SessionToken(),
-		})
+		_, err = proxyClient.IssueSignedAppToken(ctx, goodRequest)
 		require.NoError(t, err)
 	})
+
+	t.Run("OKHTML", func(t *testing.T) {
+		rw := httptest.NewRecorder()
+		_, ok := proxyClient.IssueSignedAppTokenHTML(ctx, rw, goodRequest)
+		require.True(t, ok, "expected true")
+	})
 }
diff --git a/enterprise/wsproxy/mw.go b/enterprise/wsproxy/mw.go
@@ -0,0 +1,42 @@
+package wsproxy
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	"github.com/coder/coder/coderd/httpapi"
+	"github.com/coder/coder/coderd/httpmw"
+	"github.com/coder/coder/codersdk"
+)
+
+type userTokenKey struct{}
+
+// UserSessionToken returns session token from ExtractSessionTokenMW
+func UserSessionToken(r *http.Request) string {
+	key, ok := r.Context().Value(userTokenKey{}).(string)
+	if !ok {
+		panic("developer error: ExtractSessionTokenMW middleware not provided")
+	}
+	return key
+}
+
+func ExtractSessionTokenMW() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+			token := httpmw.ApiTokenFromRequest(r)
+			if token == "" {
+				// TODO: If this is empty, we should attempt to smuggle their
+				// 		token from the primary. If the user is not logged in there
+				//		they should be redirected to a login page.
+				httpapi.Write(r.Context(), rw, http.StatusUnauthorized, codersdk.Response{
+					Message: httpmw.SignedOutErrorMessage,
+					Detail:  fmt.Sprintf("Cookie %q or query parameter must be provided.", codersdk.SessionTokenCookie),
+				})
+				return
+			}
+			ctx := context.WithValue(r.Context(), userTokenKey{}, token)
+			next.ServeHTTP(rw, r.WithContext(ctx))
+		})
+	}
+}
diff --git a/enterprise/wsproxy/proxy.go b/enterprise/wsproxy/proxy.go
@@ -11,6 +11,7 @@ import (
 	"github.com/google/uuid"
 	"github.com/prometheus/client_golang/prometheus"
 	"go.opentelemetry.io/otel/trace"
+	"golang.org/x/xerrors"
 
 	"cdr.dev/slog"
 	"github.com/coder/coder/buildinfo"
@@ -19,6 +20,7 @@ import (
 	"github.com/coder/coder/coderd/workspaceapps"
 	"github.com/coder/coder/coderd/wsconncache"
 	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/enterprise/wsproxy/wsproxysdk"
 )
 
 type Options struct {
@@ -83,19 +85,22 @@ type Server struct {
 	cancel context.CancelFunc
 }
 
-func New(opts *Options) *Server {
+func New(opts *Options) (*Server, error) {
 	if opts.PrometheusRegistry == nil {
 		opts.PrometheusRegistry = prometheus.NewRegistry()
 	}
 
-	client := codersdk.New(opts.PrimaryAccessURL)
+	client := wsproxysdk.New(opts.PrimaryAccessURL)
 	// TODO: @emyrk we need to implement some form of authentication for the
 	// 		external proxy to the the primary. This allows us to make workspace
 	//		connections.
 	//		Ideally we reuse the same client as the cli, but this can be changed.
 	//		If the auth fails, we need some logic to retry and make sure this client
 	//		is always authenticated and usable.
-	client.SetSessionToken("fake-token")
+	err := client.SetSessionToken("fake-token")
+	if err != nil {
+		return nil, xerrors.Errorf("set client token: %w", err)
+	}
 
 	r := chi.NewRouter()
 	ctx, cancel := context.WithCancel(context.Background())
@@ -116,13 +121,19 @@ func New(opts *Options) *Server {
 		AccessURL:     opts.AccessURL,
 		Hostname:      opts.AppHostname,
 		HostnameRegex: opts.AppHostnameRegex,
-		// TODO: @emyrk We should reduce the options passed in here.
-		DeploymentValues: nil,
-		RealIPConfig:     opts.RealIPConfig,
-		// TODO: @emyrk we need to implement this for external token providers.
-		SignedTokenProvider: nil,
-		WorkspaceConnCache:  wsconncache.New(s.DialWorkspaceAgent, 0),
-		AppSecurityKey:      opts.AppSecurityKey,
+		RealIPConfig:  opts.RealIPConfig,
+		SignedTokenProvider: &ProxyTokenProvider{
+			DashboardURL: opts.PrimaryAccessURL,
+			Client:       client,
+			SecurityKey:  s.Options.AppSecurityKey,
+			Logger:       s.Logger.Named("proxy_token_provider"),
+		},
+		WorkspaceConnCache: wsconncache.New(s.DialWorkspaceAgent, 0),
+		AppSecurityKey:     opts.AppSecurityKey,
+
+		// TODO: We need to pass some deployment values to here
+		DisablePathApps:  false,
+		SecureAuthCookie: false,
 	}
 
 	// Routes
@@ -137,6 +148,7 @@ func New(opts *Options) *Server {
 		httpmw.ExtractRealIP(s.Options.RealIPConfig),
 		httpmw.Logger(s.Logger),
 		httpmw.Prometheus(s.PrometheusRegistry),
+		ExtractSessionTokenMW(),
 
 		// SubdomainAppMW is a middleware that handles all requests to the
 		// subdomain based workspace apps.
@@ -171,7 +183,7 @@ func New(opts *Options) *Server {
 
 	// TODO: @emyrk Buildinfo and healthz routes.
 
-	return s
+	return s, nil
 }
 
 func (s *Server) Close() error {