coder
diff --git a/‎.github/workflows/build.yml
+4-4 b/‎.github/workflows/build.yml
+4-4
diff --git a/‎.github/workflows/release.yml
+1-1 b/‎.github/workflows/release.yml
+1-1
diff --git a/‎CHANGELOG.md
+8 b/‎CHANGELOG.md
+8
diff --git a/‎build.gradle.kts
+1-1 b/‎build.gradle.kts
+1-1
diff --git a/‎gradle.properties
+1-1 b/‎gradle.properties
+1-1
diff --git a/‎src/main/kotlin/com/coder/gateway/CoderGatewayConnectionProvider.kt
+1-1 b/‎src/main/kotlin/com/coder/gateway/CoderGatewayConnectionProvider.kt
+1-1
diff --git a/‎src/main/kotlin/com/coder/gateway/sdk/CoderCLIManager.kt
+7 b/‎src/main/kotlin/com/coder/gateway/sdk/CoderCLIManager.kt
+7
diff --git a/‎src/main/kotlin/com/coder/gateway/sdk/CoderRestClientService.kt
+48-46 b/‎src/main/kotlin/com/coder/gateway/sdk/CoderRestClientService.kt
+48-46
diff --git a/‎src/main/resources/messages/CoderGatewayBundle.properties
+4-4 b/‎src/main/resources/messages/CoderGatewayBundle.properties
+4-4
diff --git a/‎src/test/fixtures/tls/chain-intermediate.crt
+17 b/‎src/test/fixtures/tls/chain-intermediate.crt
+17
diff --git a/‎src/test/fixtures/tls/chain-intermediate.key
+27 b/‎src/test/fixtures/tls/chain-intermediate.key
+27
@@ -22,7 +22,7 @@ jobs:
           - windows-latest
     runs-on: ${{ matrix.platform }}
     steps:
-      - uses: actions/checkout@v4.1.0
+      - uses: actions/checkout@v4.1.1
 
       - uses: actions/setup-java@v3
         with:
@@ -55,7 +55,7 @@ jobs:
     steps:
       # Check out current repository
       - name: Fetch Sources
-        uses: actions/checkout@v4.1.0
+        uses: actions/checkout@v4.1.1
 
       # Setup Java 11 environment for the next steps
       - name: Setup Java
@@ -110,7 +110,7 @@ jobs:
 
       # Run Qodana inspections
       - name: Qodana - Code Inspection
-        uses: JetBrains/qodana-action@v2023.2.6
+        uses: JetBrains/qodana-action@v2023.2.8
 
       # Prepare plugin archive content for creating artifact
       - name: Prepare Plugin Artifact
@@ -139,7 +139,7 @@ jobs:
 
       # Check out current repository
       - name: Fetch Sources
-        uses: actions/checkout@v4.1.0
+        uses: actions/checkout@v4.1.1
 
       # Remove old release drafts by using the curl request for the available releases with draft flag
       - name: Remove Old Release Drafts
 
@@ -15,7 +15,7 @@ jobs:
 
       # Check out current repository
       - name: Fetch Sources
-        uses: actions/checkout@v4.1.0
+        uses: actions/checkout@v4.1.1
         with:
           ref: ${{ github.event.release.tag_name }}
 
 
@@ -4,6 +4,14 @@
 
 ## Unreleased
 
+## 2.9.1 - 2023-11-06
+
+### Fixed
+
+- Set the `CODER_HEADER_COMMAND` environment variable when executing the CLI with the setting value.
+
+## 2.9.0 - 2023-10-27
+
 ### Added
 
 - Configuration options for mTLS.
 
@@ -24,7 +24,7 @@ version = properties("pluginVersion")
 dependencies {
     implementation("com.squareup.retrofit2:retrofit:2.9.0")
     // define a BOM and its version
-    implementation(platform("com.squareup.okhttp3:okhttp-bom:4.11.0"))
+    implementation(platform("com.squareup.okhttp3:okhttp-bom:4.12.0"))
     implementation("com.squareup.retrofit2:converter-gson:2.9.0")
     implementation("com.squareup.okhttp3:okhttp")
     implementation("com.squareup.okhttp3:logging-interceptor")
 
@@ -3,7 +3,7 @@
 pluginGroup=com.coder.gateway
 pluginName=coder-gateway
 # SemVer format -> https://semver.org
-pluginVersion=2.9.0-eap.0
+pluginVersion=2.9.1-eap.0
 # See https://plugins.jetbrains.com/docs/intellij/build-number-ranges.html
 # for insight into build numbers and IntelliJ Platform versions.
 pluginSinceBuild=233.6745
 
@@ -140,7 +140,7 @@ class CoderGatewayConnectionProvider : GatewayConnectionProvider {
         if (token == null) { // User aborted.
             throw IllegalArgumentException("Unable to connect to $deploymentURL, $TOKEN is missing")
         }
-        val client = CoderRestClient(deploymentURL, token.first,null, settings)
+        val client = CoderRestClient(deploymentURL, token.first, null, settings)
         return try {
             Pair(client, client.me().username)
         } catch (ex: AuthenticationResponseException) {
 
@@ -101,6 +101,12 @@ class CoderCLIManager @JvmOverloads constructor(
     fun downloadCLI(): Boolean {
         val etag = getBinaryETag()
         val conn = remoteBinaryURL.openConnection() as HttpURLConnection
+        if (settings.headerCommand.isNotBlank()) {
+            val headersFromHeaderCommand = CoderRestClient.getHeaders(deploymentURL, settings.headerCommand)
+            for ((key, value) in headersFromHeaderCommand) {
+                conn.setRequestProperty(key, value)
+            }
+        }
         if (etag != null) {
             logger.info("Found existing binary at $localBinaryPath; calculated hash as $etag")
             conn.setRequestProperty("If-None-Match", "\"$etag\"")
@@ -364,6 +370,7 @@ class CoderCLIManager @JvmOverloads constructor(
     private fun exec(vararg args: String): String {
         val stdout = ProcessExecutor()
             .command(localBinaryPath.toString(), *args)
+            .environment("CODER_HEADER_COMMAND", settings.headerCommand)
             .exitValues(0)
             .readOutput(true)
             .execute()
 
@@ -19,6 +19,7 @@ import com.google.gson.Gson
 import com.google.gson.GsonBuilder
 import com.intellij.ide.plugins.PluginManagerCore
 import com.intellij.openapi.components.Service
+import com.intellij.openapi.diagnostic.Logger
 import com.intellij.openapi.extensions.PluginId
 import com.intellij.openapi.util.SystemInfo
 import okhttp3.OkHttpClient
@@ -36,7 +37,6 @@ import java.net.URL
 import java.nio.file.Path
 import java.security.KeyFactory
 import java.security.KeyStore
-import java.security.PrivateKey
 import java.security.cert.CertificateException
 import java.security.cert.CertificateFactory
 import java.security.cert.X509Certificate
@@ -47,6 +47,7 @@ import java.util.Base64
 import java.util.Locale
 import java.util.UUID
 import javax.net.ssl.HostnameVerifier
+import javax.net.ssl.KeyManager
 import javax.net.ssl.KeyManagerFactory
 import javax.net.ssl.SNIHostName
 import javax.net.ssl.SSLContext
@@ -251,53 +252,56 @@ class CoderRestClient(
     }
 }
 
-fun coderSocketFactory(settings: CoderSettingsState) : SSLSocketFactory {
-    if (settings.tlsCertPath.isBlank() || settings.tlsKeyPath.isBlank()) {
-        return SSLSocketFactory.getDefault() as SSLSocketFactory
-    }
+fun SSLContextFromPEMs(certPath: String, keyPath: String, caPath: String) : SSLContext {
+    var km: Array<KeyManager>? = null
+    if (certPath.isNotBlank() && keyPath.isNotBlank()) {
+        val certificateFactory = CertificateFactory.getInstance("X.509")
+        val certInputStream = FileInputStream(expandPath(certPath))
+        val certChain = certificateFactory.generateCertificates(certInputStream)
+        certInputStream.close()
+
+        // ideally we would use something like PemReader from BouncyCastle, but
+        // BC is used by the IDE.  This makes using BC very impractical since
+        // type casting will mismatch due to the different class loaders.
+        val privateKeyPem = File(expandPath(keyPath)).readText()
+        val start: Int = privateKeyPem.indexOf("-----BEGIN PRIVATE KEY-----")
+        val end: Int = privateKeyPem.indexOf("-----END PRIVATE KEY-----", start)
+        val pemBytes: ByteArray = Base64.getDecoder().decode(
+            privateKeyPem.substring(start + "-----BEGIN PRIVATE KEY-----".length, end)
+                .replace("\\s+".toRegex(), "")
+        )
+
+        val privateKey = try {
+            val kf = KeyFactory.getInstance("RSA")
+            val keySpec = PKCS8EncodedKeySpec(pemBytes)
+            kf.generatePrivate(keySpec)
+        } catch (e: InvalidKeySpecException) {
+            val kf = KeyFactory.getInstance("EC")
+            val keySpec = PKCS8EncodedKeySpec(pemBytes)
+            kf.generatePrivate(keySpec)
+        }
 
-    val certificateFactory = CertificateFactory.getInstance("X.509")
-    val certInputStream = FileInputStream(expandPath(settings.tlsCertPath))
-    val certChain = certificateFactory.generateCertificates(certInputStream)
-    certInputStream.close()
-
-    // ideally we would use something like PemReader from BouncyCastle, but
-    // BC is used by the IDE.  This makes using BC very impractical since
-    // type casting will mismatch due to the different class loaders.
-    val privateKeyPem = File(expandPath(settings.tlsKeyPath)).readText()
-    val start: Int = privateKeyPem.indexOf("-----BEGIN PRIVATE KEY-----")
-    val end: Int = privateKeyPem.indexOf("-----END PRIVATE KEY-----", start)
-    val pemBytes: ByteArray = Base64.getDecoder().decode(
-        privateKeyPem.substring(start + "-----BEGIN PRIVATE KEY-----".length, end)
-            .replace("\\s+".toRegex(), "")
-    )
-
-    var privateKey : PrivateKey
-    try {
-        val kf = KeyFactory.getInstance("RSA")
-        val keySpec = PKCS8EncodedKeySpec(pemBytes)
-        privateKey = kf.generatePrivate(keySpec)
-    } catch (e: InvalidKeySpecException) {
-        val kf = KeyFactory.getInstance("EC")
-        val keySpec = PKCS8EncodedKeySpec(pemBytes)
-        privateKey = kf.generatePrivate(keySpec)
-    }
-
-    val keyStore = KeyStore.getInstance(KeyStore.getDefaultType())
-    keyStore.load(null)
-    certChain.withIndex().forEach {
-        keyStore.setCertificateEntry("cert${it.index}", it.value as X509Certificate)
-    }
-    keyStore.setKeyEntry("key", privateKey, null, certChain.toTypedArray())
+        val keyStore = KeyStore.getInstance(KeyStore.getDefaultType())
+        keyStore.load(null)
+        certChain.withIndex().forEach {
+            keyStore.setCertificateEntry("cert${it.index}", it.value as X509Certificate)
+        }
+        keyStore.setKeyEntry("key", privateKey, null, certChain.toTypedArray())
 
-    val keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
-    keyManagerFactory.init(keyStore, null)
+        val keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
+        keyManagerFactory.init(keyStore, null)
+        km = keyManagerFactory.keyManagers
+    }
 
     val sslContext = SSLContext.getInstance("TLS")
 
-    val trustManagers = coderTrustManagers(settings.tlsCAPath)
-    sslContext.init(keyManagerFactory.keyManagers, trustManagers, null)
+    val trustManagers = coderTrustManagers(caPath)
+    sslContext.init(km, trustManagers, null)
+    return sslContext
+}
 
+fun coderSocketFactory(settings: CoderSettingsState) : SSLSocketFactory {
+    val sslContext = SSLContextFromPEMs(settings.tlsCertPath, settings.tlsKeyPath, settings.tlsCAPath)
     if (settings.tlsAlternateHostname.isBlank()) {
         return sslContext.socketFactory
     }
@@ -393,12 +397,11 @@ class AlternateNameSSLSocketFactory(private val delegate: SSLSocketFactory, priv
 }
 
 class CoderHostnameVerifier(private val alternateName: String) : HostnameVerifier {
+    val logger = Logger.getInstance(CoderRestClientService::class.java.simpleName)
     override fun verify(host: String, session: SSLSession): Boolean {
         if (alternateName.isEmpty()) {
-            println("using default hostname verifier, alternateName is  empty")
             return OkHostnameVerifier.verify(host, session)
         }
-        println("Looking for alternate hostname: $alternateName")
         val certs = session.peerCertificates ?: return false
         for (cert in certs) {
             if (cert !is X509Certificate) {
@@ -411,13 +414,12 @@ class CoderHostnameVerifier(private val alternateName: String) : HostnameVerifie
                     continue
                 }
                 val hostname = entry[1] as String
-                println("Found cert hostname: $hostname")
+                logger.debug("Found cert hostname: $hostname")
                 if (hostname.lowercase(Locale.getDefault()) == alternateName) {
                     return true
                 }
             }
         }
-        println("No matching hostname found")
         return false
     }
 }
 
@@ -93,20 +93,20 @@ gateway.connector.settings.header-command.comment=An external command that \
   outputs additional HTTP headers added to all requests. The command must \
   output each header as `key=value` on its own line. The following \
   environment variables will be available to the process: CODER_URL.
-gateway.connector.settings.tls-cert-path.title=Cert Path:
+gateway.connector.settings.tls-cert-path.title=Cert path:
 gateway.connector.settings.tls-cert-path.comment=Optionally set this to \
   the path of a certificate to use for TLS connections. The certificate \
   should be in X.509 PEM format.
-gateway.connector.settings.tls-key-path.title=Key Path:
+gateway.connector.settings.tls-key-path.title=Key path:
 gateway.connector.settings.tls-key-path.comment=Optionally set this to \
   the path of the private key that corresponds to the above cert path to use \
   for TLS connections. The key should be in X.509 PEM format.
-gateway.connector.settings.tls-ca-path.title=CA Path:
+gateway.connector.settings.tls-ca-path.title=CA path:
 gateway.connector.settings.tls-ca-path.comment=Optionally set this to \
   the path of a file containing certificates for an alternate certificate \
   authority used to verify TLS certs returned by the Coder service. \
   The file should be in X.509 PEM format.
-gateway.connector.settings.tls-alt-name.title=Alt Hostname:
+gateway.connector.settings.tls-alt-name.title=Alt hostname:
 gateway.connector.settings.tls-alt-name.comment=Optionally set this to \
   an alternate hostname used for verifying TLS connections. This is useful \
   when the hostname used to connect to the Coder service does not match the \
 
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICvjCCAaagAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJVEVT
+VC1yb290MCAXDTIzMTAzMDAyMzY0M1oYDzIxMjMxMDA2MDIzNjQzWjAcMRowGAYD
+VQQDDBFURVNULWludGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAMGD9oILmMRcplGkcNdSZMsBR7C2yoPtL9iRp3V2BKpiRZvQuXHSQsdc
+S0Tpk6vnIWQTLkCjVRawL9BoOzwK3FZQti9iXRMnHuzl0gQGZGiHJZ2P/efWaVvn
+cmH3Cu2oNCVePhgYAMOiipYGQPcjnQ2kUvMLldZ9+WC+EcaD+FA/kaccPX+kOxQg
+qQ0MnPQFfno0F8gylOac+ouKOsXya+jlctgK3dxC73/I+Cdq8xrOJ8lXOYxggleB
+ZRXNWWUhrzomn4rUP9wNBrQzFCGcqIS+QjlACjlyn0gPU//ZGVRZ8gZXoI8pDYuB
+lRyWpt970/ZPFuiyfiasAAAc8gJ3C7cCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
+BgkqhkiG9w0BAQsFAAOCAQEAdHRiLqlYAyGNMPj6wzJt3XmwDbU5yEWor4q+GmA9
+fupirWXeSqKiqngDfvHlQNKgDlm10Kuk7LDVUcAP27Xnv/uFmHIUF+4g/eIjxvog
+RorUD2I9hi0Wyww7E8th/JfnuDX4YbIQrv1r5P4JaCoc0C2NBd1hO1Er2GdNEoXm
+UYoZg6/P5YQkWSLYtLPswb/Hf63DvzG94H6HnFBYlumt/5xYLrfD1Lx8099wZVdR
+qWXSi/tYi0HJGGUynZCvjdUu5En7eDoyWclGHz3stOUkBlz0efz01bxpiGsE/rRG
+Xr6qJt45N0Zktytk5TphoeDAeFB5ZHRRatZsg9CyZGoaIA==
+-----END CERTIFICATE-----
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAwYP2gguYxFymUaRw11JkywFHsLbKg+0v2JGndXYEqmJFm9C5
+cdJCx1xLROmTq+chZBMuQKNVFrAv0Gg7PArcVlC2L2JdEyce7OXSBAZkaIclnY/9
+59ZpW+dyYfcK7ag0JV4+GBgAw6KKlgZA9yOdDaRS8wuV1n35YL4RxoP4UD+Rpxw9
+f6Q7FCCpDQyc9AV+ejQXyDKU5pz6i4o6xfJr6OVy2Ard3ELvf8j4J2rzGs4nyVc5
+jGCCV4FlFc1ZZSGvOiafitQ/3A0GtDMUIZyohL5COUAKOXKfSA9T/9kZVFnyBleg
+jykNi4GVHJam33vT9k8W6LJ+JqwAABzyAncLtwIDAQABAoIBAQC+gC43rzrgc2S3
+km4TSmU3AzeT2x5Z6TDkvd5gX6IQKVXlIgCs8BQVNeJTIK3i2FGits8diqzE/QTU
+4QcPAJIP1rzCwM5ngGeNRmEM3U4TKJf7GDkX9ZcahimwDwaPFrre3nu6NEbsUCKl
+tdpWcJS3TUDrSkhjMvhAKFxPVLMqKvNK3xg81OmubYDHJ7dmmobJDzklmRlrFCNL
+RcQSUYnYruIY4pLmpxVvkFShdxy4oM3f6qanp/nxVvO1of+bqL9fQlgLXSYt83eK
+qlUKDdZx/IfckS/DU/8s/PnC5KbrAZB/vNcTIN7USsuAZgP/a8XDLrcH121YZEjW
+gIwleYUBAoGBAOtkBKYu+DqlB6xsDJ4XiNji1J19Kmkea+rK5YH21RJlAW3Uh9Y+
+tu9J0iQqqQgyIT+v8U0b6uvKjGUoKYbGha7Cl2X93tFL6QGhfewWF/Yqnzr6cBip
+IGfHTTWRkZCeNyDII2VEn4B5E+0emCp0p9B8ffr/bUHgFr/wLLD/sDyXAoGBANJ1
+XYLK+ilWvL3iV9pcvbuHMP7igXP/wOJsoOpMNixBVhzSm4FZWk4duHdRvMQysk8f
+KFiEx+0EJwYyBpbnBCRemhFzergV+6a8tJ4x4rBaVOQBTdLJLPypU5tcLP0iWX+b
+oyp7mRT+1ffQ2RcFZBRN6bOvcFrkwdiEl6lglu3hAoGBALnTLpxmrg3V5FXowpk3
+aRAXGdPuUMHFg1pKrJ5J1vF7jYI/6rBmuBH1jBCDIQfYU0ksw2ilJnLYZrcg2o+M
+P1K0ScL5hKJjs+FWtMrgsi/ie+uac030jiF/Q+OLNIgfbtPRS6gRYX2Rl/p0UZoK
+l8RN00KHzJ/ZoPwLRazBXUanAoGBAKzVv9bS1MCwP859HILymMpxyvX3lDJsPb51
+UW0462BKw+plt1lxxOzUEZLD6I8Dx1WdE+gmG331ZAr9eFXjII6xtjtQp96YBxO2
+c2pbM3x6oq6gt4W8uxpAAK5c84Fq/S8D5OrVmDEa2yNqO25hegAGwD9Ve6LZrKwg
+r+Bkt25hAoGAdfY0dHAbZpBSSBixb+XsnDxAne8I4OwTOpExdSH1V1Q85CdTlYLq
+FoLuy4rqdrF9kFnasn66diaqUtVaubdG8GyJXTGh1rpOGTjhAjAWCl27fOcO/Ffv
+7MqsNI8qhOwIJYaBZ8PXtROp5rf3reqjHu9KqfMj+a2sADiF4bW7KYg=
+-----END RSA PRIVATE KEY-----
Original file line number	Diff line number	Diff line change
`@@ -140,7 +140,7 @@ class CoderGatewayConnectionProvider : GatewayConnectionProvider {`
`140`	`140`	`if (token == null) { // User aborted.`
`141`	`141`	`throw IllegalArgumentException("Unable to connect to $deploymentURL, $TOKEN is missing")`
`142`	`142`	`}`
`143`		`- val client = CoderRestClient(deploymentURL, token.first,null, settings)`
	`143`	`+ val client = CoderRestClient(deploymentURL, token.first, null, settings)`
`144`	`144`	`return try {`
`145`	`145`	`Pair(client, client.me().username)`
`146`	`146`	`} catch (ex: AuthenticationResponseException) {`