coder · deansheather · Apr 20, 2023 · Apr 18, 2023 · Apr 18, 2023 · Apr 20, 2023
diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go
diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json
diff --git a/coderd/database/dbauthz/querier.go b/coderd/database/dbauthz/querier.go
@@ -1701,10 +1701,6 @@ func (q *querier) GetWorkspaceProxyByName(ctx context.Context, name string) (dat
 	return fetch(q.log, q.auth, q.db.GetWorkspaceProxyByName)(ctx, name)
 }
 
-func (q *querier) GetWorkspaceProxyByHostname(ctx context.Context, hostname string) (database.WorkspaceProxy, error) {
-	return fetch(q.log, q.auth, q.db.GetWorkspaceProxyByHostname)(ctx, hostname)
-}
-
 func (q *querier) InsertWorkspaceProxy(ctx context.Context, arg database.InsertWorkspaceProxyParams) (database.WorkspaceProxy, error) {
 	return insert(q.log, q.auth, rbac.ResourceWorkspaceProxy, q.db.InsertWorkspaceProxy)(ctx, arg)
 }

diff --git a/coderd/database/dbauthz/system.go b/coderd/database/dbauthz/system.go
@@ -438,3 +438,10 @@ func (q *querier) InsertParameterSchema(ctx context.Context, arg database.Insert
 	}
 	return q.db.InsertParameterSchema(ctx, arg)
 }
+
+func (q *querier) GetWorkspaceProxyByHostname(ctx context.Context, params database.GetWorkspaceProxyByHostnameParams) (database.WorkspaceProxy, error) {
+	if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceSystem); err != nil {
+		return database.WorkspaceProxy{}, err
+	}
+	return q.db.GetWorkspaceProxyByHostname(ctx, params)
+}
diff --git a/coderd/database/dbfake/databasefake.go b/coderd/database/dbfake/databasefake.go
@@ -24,7 +24,7 @@ import (
 	"github.com/coder/coder/coderd/util/slice"
 )
 
-var validProxyByHostnameRegex = regexp.MustCompile(`^[a-zA-Z0-9.-]+$`)
+var validProxyByHostnameRegex = regexp.MustCompile(`^[a-zA-Z0-9._-]+$`)
 
 // FakeDatabase is helpful for knowing if the underlying db is an in memory fake
 // database. This is only in the databasefake package, so will only be used
@@ -5142,34 +5142,36 @@ func (q *fakeQuerier) GetWorkspaceProxyByName(_ context.Context, name string) (d
 	return database.WorkspaceProxy{}, sql.ErrNoRows
 }
 
-func (q *fakeQuerier) GetWorkspaceProxyByHostname(_ context.Context, hostname string) (database.WorkspaceProxy, error) {
+func (q *fakeQuerier) GetWorkspaceProxyByHostname(_ context.Context, params database.GetWorkspaceProxyByHostnameParams) (database.WorkspaceProxy, error) {
 	q.mutex.RLock()
 	defer q.mutex.RUnlock()
 
 	// Return zero rows if this is called with a non-sanitized hostname. The SQL
 	// version of this query does the same thing.
-	if !validProxyByHostnameRegex.MatchString(hostname) {
+	if !validProxyByHostnameRegex.MatchString(params.Hostname) {
 		return database.WorkspaceProxy{}, sql.ErrNoRows
 	}
 
 	// This regex matches the SQL version.
-	accessURLRegex := regexp.MustCompile(`[^:]*://` + regexp.QuoteMeta(hostname) + `([:/]?.)*`)
+	accessURLRegex := regexp.MustCompile(`[^:]*://` + regexp.QuoteMeta(params.Hostname) + `([:/]?.)*`)
 
 	for _, proxy := range q.workspaceProxies {
 		if proxy.Deleted {
 			continue
 		}
-		if accessURLRegex.MatchString(proxy.Url) {
+		if params.AllowAccessUrl && accessURLRegex.MatchString(proxy.Url) {
 			return proxy, nil
 		}
 
 		// Compile the app hostname regex. This is slow sadly.
-		wildcardRegexp, err := httpapi.CompileHostnamePattern(proxy.WildcardHostname)
-		if err != nil {
-			return database.WorkspaceProxy{}, xerrors.Errorf("compile hostname pattern %q for proxy %q (%s): %w", proxy.WildcardHostname, proxy.Name, proxy.ID.String(), err)
-		}
-		if _, ok := httpapi.ExecuteHostnamePattern(wildcardRegexp, hostname); ok {
-			return proxy, nil
+		if params.AllowWildcardHostname {
+			wildcardRegexp, err := httpapi.CompileHostnamePattern(proxy.WildcardHostname)
+			if err != nil {
+				return database.WorkspaceProxy{}, xerrors.Errorf("compile hostname pattern %q for proxy %q (%s): %w", proxy.WildcardHostname, proxy.Name, proxy.ID.String(), err)
+			}
+			if _, ok := httpapi.ExecuteHostnamePattern(wildcardRegexp, params.Hostname); ok {
+				return proxy, nil
+			}
 		}
 	}
 

diff --git a/coderd/database/dbfake/databasefake_test.go b/coderd/database/dbfake/databasefake_test.go
@@ -160,44 +160,74 @@ func TestProxyByHostname(t *testing.T) {
 	}
 
 	cases := []struct {
-		name           string
-		testHostname   string
-		matchProxyName string
+		name              string
+		testHostname      string
+		allowAccessURL    bool
+		allowWildcardHost bool
+		matchProxyName    string
 	}{
 		{
-			name:           "NoMatch",
-			testHostname:   "test.com",
-			matchProxyName: "",
+			name:              "NoMatch",
+			testHostname:      "test.com",
+			allowAccessURL:    true,
+			allowWildcardHost: true,
+			matchProxyName:    "",
 		},
 		{
-			name:           "MatchAccessURL",
-			testHostname:   "one.coder.com",
-			matchProxyName: "one",
+			name:              "MatchAccessURL",
+			testHostname:      "one.coder.com",
+			allowAccessURL:    true,
+			allowWildcardHost: true,
+			matchProxyName:    "one",
 		},
 		{
-			name:           "MatchWildcard",
-			testHostname:   "something.wildcard.one.coder.com",
-			matchProxyName: "one",
+			name:              "MatchWildcard",
+			testHostname:      "something.wildcard.one.coder.com",
+			allowAccessURL:    true,
+			allowWildcardHost: true,
+			matchProxyName:    "one",
 		},
 		{
-			name:           "MatchSuffix",
-			testHostname:   "something--suffix.two.coder.com",
-			matchProxyName: "two",
+			name:              "MatchSuffix",
+			testHostname:      "something--suffix.two.coder.com",
+			allowAccessURL:    true,
+			allowWildcardHost: true,
+			matchProxyName:    "two",
 		},
 		{
-			name:           "ValidateHostname/1",
-			testHostname:   ".*ne.coder.com",
-			matchProxyName: "",
+			name:              "ValidateHostname/1",
+			testHostname:      ".*ne.coder.com",
+			allowAccessURL:    true,
+			allowWildcardHost: true,
+			matchProxyName:    "",
 		},
 		{
-			name:           "ValidateHostname/2",
-			testHostname:   "https://one.coder.com",
-			matchProxyName: "",
+			name:              "ValidateHostname/2",
+			testHostname:      "https://one.coder.com",
+			allowAccessURL:    true,
+			allowWildcardHost: true,
+			matchProxyName:    "",
 		},
 		{
-			name:           "ValidateHostname/3",
-			testHostname:   "one.coder.com:8080/hello",
-			matchProxyName: "",
+			name:              "ValidateHostname/3",
+			testHostname:      "one.coder.com:8080/hello",
+			allowAccessURL:    true,
+			allowWildcardHost: true,
+			matchProxyName:    "",
+		},
+		{
+			name:              "IgnoreAccessURLMatch",
+			testHostname:      "one.coder.com",
+			allowAccessURL:    false,
+			allowWildcardHost: true,
+			matchProxyName:    "",
+		},
+		{
+			name:              "IgnoreWildcardMatch",
+			testHostname:      "hi.wildcard.one.coder.com",
+			allowAccessURL:    true,
+			allowWildcardHost: false,
+			matchProxyName:    "",
 		},
 	}
 
@@ -206,7 +236,11 @@ func TestProxyByHostname(t *testing.T) {
 		t.Run(c.name, func(t *testing.T) {
 			t.Parallel()
 
-			proxy, err := db.GetWorkspaceProxyByHostname(context.Background(), c.testHostname)
+			proxy, err := db.GetWorkspaceProxyByHostname(context.Background(), database.GetWorkspaceProxyByHostnameParams{
+				Hostname:              c.testHostname,
+				AllowAccessUrl:        c.allowAccessURL,
+				AllowWildcardHostname: c.allowWildcardHost,
+			})
 			if c.matchProxyName == "" {
 				require.ErrorIs(t, err, sql.ErrNoRows)
 				require.Empty(t, proxy)

diff --git a/coderd/database/querier.go b/coderd/database/querier.go