Add credentials process setting

code-asher · code-asher · commit 337418d09680 · 2023-08-04T13:47:57.000-08:00
This will be called before requests and before configuring SSH to set
custom headers.
diff --git a/package.json b/package.json
@@ -47,6 +47,11 @@
           "markdownDescription": "If true, the extension will not verify the authenticity of the remote host. This is useful for self-signed certificates.",
           "type": "boolean",
           "default": false
+        },
+        "coder.credentialsProcess": {
+          "markdownDescription": "This command will be executed before each request and before configuring the Coder CLI. The command must output JSON and handle any expiration or caching on its own.  Currently the JSON can contain the key `headers` which is a map of header names to values. The following environment variables will be available to the process: `CODER_URL`.",
+          "type": "string",
+          "default": ""
         }
       }
     },
diff --git a/src/commands.ts b/src/commands.ts
@@ -70,8 +70,10 @@ export class Commands {
                   severity: vscode.InputBoxValidationSeverity.Error,
                 }
               }
+              // This could be something like the credentials process erroring
+              // or an invalid session token.
               return {
-                message: "Invalid session token! (" + message + ")",
+                message: "Failed to authenticate: " + message,
                 severity: vscode.InputBoxValidationSeverity.Error,
               }
             })
diff --git a/src/credentials.test.ts b/src/credentials.test.ts
@@ -0,0 +1,49 @@
+import { it, expect } from "vitest"
+import { getCredentials } from "./credentials"
+
+const logger = {
+  writeToCoderOutputChannel() {
+    // no-op
+  },
+}
+
+it("should return undefined", async () => {
+  expect(getCredentials(undefined, undefined, logger)).resolves.toBeUndefined()
+  expect(getCredentials("foo", undefined, logger)).resolves.toBeUndefined()
+  expect(getCredentials(undefined, "foo", logger)).resolves.toBeUndefined()
+})
+
+it("should return credentials", async () => {
+  await expect(
+    getCredentials("foo", `node -e 'process.stdout.write(JSON.stringify({headers: {foo: "bar"}}))'`, logger),
+  ).resolves.toStrictEqual({ headers: { foo: "bar" } })
+  await expect(
+    getCredentials("foo", `node -e 'process.stdout.write(JSON.stringify({headers: {}}))'`, logger),
+  ).resolves.toStrictEqual({ headers: {} })
+  await expect(
+    getCredentials("foo", `node -e 'process.stdout.write(JSON.stringify({}))'`, logger),
+  ).resolves.toStrictEqual({})
+})
+
+it("should have access to environment variables", async () => {
+  const coderUrl = "dev.coder.com"
+  await expect(
+    getCredentials(
+      coderUrl,
+      `node -e 'process.stdout.write(JSON.stringify({ headers: {url: process.env.CODER_URL}}))'`,
+      logger,
+    ),
+  ).resolves.toStrictEqual({ headers: { url: coderUrl } })
+})
+
+it("should error on non-zero exit", async () => {
+  await expect(getCredentials("foo", `node -e 'process.exit(10)'`, logger)).rejects.toMatch(
+    /exited unexpectedly with code 10/,
+  )
+})
+
+it("should error on bad JSON", async () => {
+  await expect(getCredentials("foo", `node -e 'process.stdout.write("baz")'`, logger)).rejects.toMatch(
+    /malformed JSON: SyntaxError/,
+  )
+})
diff --git a/src/credentials.ts b/src/credentials.ts
@@ -0,0 +1,64 @@
+import * as cp from "child_process"
+import * as util from "util"
+
+// Credentials describes the expected JSON from the credentials process.
+export interface Credentials {
+  // headers is a map of header name to value.
+  headers: Record<string, string>
+}
+
+export interface Logger {
+  writeToCoderOutputChannel(message: string): void
+}
+
+interface ExecException {
+  code?: number
+  stderr?: string
+  stdout?: string
+}
+
+function isExecException(err: unknown): err is ExecException {
+  return typeof (err as ExecException).code !== "undefined"
+}
+
+// TODO: getCredentials might make more sense to directly implement on Storage
+// but it is difficult to test Storage right now since we use vitest instead of
+// the standard extension testing framework which would give us access to vscode
+// APIs.  We should revert the testing framework then consider moving this.
+
+// getCredentials calls the credentials process and parses the JSON from
+// stdout.  Both stdout and stderr are logged on error but stderr is otherwise
+// ignored.  Throws an error if the process exits with non-zero or the JSON is
+// invalid.  Returns undefined if there is no credentials process set.  No
+// effort is made to validate the JSON other than making sure it can be
+// parsed.
+export async function getCredentials(
+  url: string | undefined,
+  command: string | undefined,
+  logger: Logger,
+): Promise<Credentials | undefined> {
+  if (typeof url === "string" && url.trim().length > 0 && typeof command === "string" && command.trim().length > 0) {
+    try {
+      const { stdout } = await util.promisify(cp.exec)(command, {
+        env: {
+          ...process.env,
+          CODER_URL: url,
+        },
+      })
+      try {
+        return JSON.parse(stdout)
+      } catch (error) {
+        throw new Error(`Credentials process output malformed JSON: ${error}`)
+      }
+    } catch (error) {
+      if (isExecException(error)) {
+        logger.writeToCoderOutputChannel(`Credentials process exited unexpectedly with code ${error.code}`)
+        logger.writeToCoderOutputChannel(`stdout: ${error.stdout}`)
+        logger.writeToCoderOutputChannel(`stderr: ${error.stderr}`)
+        throw new Error(`Credentials process exited unexpectedly with code ${error.code}`)
+      }
+      throw new Error(`Credentials process exited unexpectedly: ${error}`)
+    }
+  }
+  return undefined
+}
diff --git a/src/extension.ts b/src/extension.ts
@@ -66,6 +66,21 @@ export async function activate(ctx: vscode.ExtensionContext): Promise<void> {
   const storage = new Storage(output, ctx.globalState, ctx.secrets, ctx.globalStorageUri, ctx.logUri)
   await storage.init()
 
+  // Add credentials from credentials process.
+  axios.interceptors.request.use(async (config) => {
+    const creds = await storage.getCredentials()
+    if (!creds) {
+      return config
+    }
+    return {
+      ...config,
+      headers: {
+        ...config.headers,
+        ...creds.headers,
+      },
+    }
+  })
+
   const myWorkspacesProvider = new WorkspaceProvider(WorkspaceQuery.Mine, storage)
   const allWorkspacesProvider = new WorkspaceProvider(WorkspaceQuery.All, storage)
 
@@ -81,8 +96,10 @@ export async function activate(ctx: vscode.ExtensionContext): Promise<void> {
         }
       }
     })
-    .catch(() => {
-      // Not authenticated!
+    .catch((error) => {
+      // This should be a failure to make the request, like the credentials
+      // process errored.
+      vscodeProposed.window.showErrorMessage("Failed to check user authentication: " + error.message)
     })
     .finally(() => {
       vscode.commands.executeCommand("setContext", "coder.loaded", true)
diff --git a/src/remote.ts b/src/remote.ts
@@ -508,9 +508,16 @@ export class Remote {
     }
 
     const escape = (str: string): string => `"${str.replace(/"/g, '\\"')}"`
+
+    // Add credentials from credentials process.
+    const creds = await this.storage.getCredentials()
+    const headers = Object.keys(creds?.headers || {}).map((header) => {
+      return ` --header ${escape(`${header}=${creds?.headers[header]}`)}`
+    })
+
     const sshValues: SSHValues = {
       Host: `${Remote.Prefix}*`,
-      ProxyCommand: `${escape(binaryPath)} vscodessh --network-info-dir ${escape(
+      ProxyCommand: `${escape(binaryPath)}${headers.join(" ")} vscodessh --network-info-dir ${escape(
         this.storage.getNetworkInfoPath(),
       )} --session-token-file ${escape(this.storage.getSessionTokenPath())} --url-file ${escape(
         this.storage.getURLPath(),
diff --git a/src/storage.ts b/src/storage.ts
@@ -11,6 +11,7 @@ import os from "os"
 import path from "path"
 import prettyBytes from "pretty-bytes"
 import * as vscode from "vscode"
+import { Credentials, getCredentials } from "./credentials"
 
 export class Storage {
   public workspace?: Workspace
@@ -382,6 +383,10 @@ export class Storage {
       await fs.rm(this.getSessionTokenPath(), { force: true })
     }
   }
+
+  public async getCredentials(url = this.getURL()): Promise<Credentials | undefined> {
+    return getCredentials(url, vscode.workspace.getConfiguration().get("coder.credentialsProcess"), this)
+  }
 }
 
 // goos returns the Go format for the current platform.

Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,11 @@`
`47`	`47`	`"markdownDescription": "If true, the extension will not verify the authenticity of the remote host. This is useful for self-signed certificates.",`
`48`	`48`	`"type": "boolean",`
`49`	`49`	`"default": false`
	`50`	`+ },`
	`51`	`+ "coder.credentialsProcess": {`
	`52`	+ "markdownDescription": "This command will be executed before each request and before configuring the Coder CLI. The command must output JSON and handle any expiration or caching on its own. Currently the JSON can contain the key `headers` which is a map of header names to values. The following environment variables will be available to the process: `CODER_URL`.",
	`53`	`+ "type": "string",`
	`54`	`+ "default": ""`
`50`	`55`	`}`
`51`	`56`	`}`
`52`	`57`	`},`
Original file line number	Diff line number	Diff line change
`@@ -70,8 +70,10 @@ export class Commands {`
`70`	`70`	`severity: vscode.InputBoxValidationSeverity.Error,`
`71`	`71`	`}`
`72`	`72`	`}`
	`73`	`+ // This could be something like the credentials process erroring`
	`74`	`+ // or an invalid session token.`
`73`	`75`	`return {`
`74`		`- message: "Invalid session token! (" + message + ")",`
	`76`	`+ message: "Failed to authenticate: " + message,`
`75`	`77`	`severity: vscode.InputBoxValidationSeverity.Error,`
`76`	`78`	`}`
`77`	`79`	`})`
Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@ import os from "os"`
`11`	`11`	`import path from "path"`
`12`	`12`	`import prettyBytes from "pretty-bytes"`
`13`	`13`	`import * as vscode from "vscode"`
	`14`	`+import { Credentials, getCredentials } from "./credentials"`
`14`	`15`
`15`	`16`	`export class Storage {`
`16`	`17`	`public workspace?: Workspace`
`@@ -382,6 +383,10 @@ export class Storage {`
`382`	`383`	`await fs.rm(this.getSessionTokenPath(), { force: true })`
`383`	`384`	`}`
`384`	`385`	`}`
	`386`	`+`
	`387`	`+ public async getCredentials(url = this.getURL()): Promise<Credentials \| undefined> {`
	`388`	`+ return getCredentials(url, vscode.workspace.getConfiguration().get("coder.credentialsProcess"), this)`
	`389`	`+ }`
`385`	`390`	`}`
`386`	`391`
`387`	`392`	`// goos returns the Go format for the current platform.`