projectoperations
diff --git a/‎cli/deployment/flags.go
Lines changed: 1 addition & 1 deletion b/‎cli/deployment/flags.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎cli/server.go
Lines changed: 11 additions & 3 deletions b/‎cli/server.go
Lines changed: 11 additions & 3 deletions
diff --git a/‎coderd/activitybump_test.go
Lines changed: 9 additions & 1 deletion b/‎coderd/activitybump_test.go
Lines changed: 9 additions & 1 deletion
diff --git a/‎coderd/coderd.go
Lines changed: 13 additions & 4 deletions b/‎coderd/coderd.go
Lines changed: 13 additions & 4 deletions
diff --git a/‎coderd/coderdtest/authorize_test.go
Lines changed: 1 addition & 1 deletion b/‎coderd/coderdtest/authorize_test.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/coderdtest/coderdtest.go
Lines changed: 10 additions & 0 deletions b/‎coderd/coderdtest/coderdtest.go
Lines changed: 10 additions & 0 deletions
diff --git a/‎coderd/httpapi/url.go
Lines changed: 80 additions & 13 deletions b/‎coderd/httpapi/url.go
Lines changed: 80 additions & 13 deletions
@@ -32,7 +32,7 @@ func Flags() *codersdk.DeploymentFlags {
 			Name:        "Wildcard Address URL",
 			Flag:        "wildcard-access-url",
 			EnvVar:      "CODER_WILDCARD_ACCESS_URL",
-			Description: `Specifies the wildcard hostname to use for workspace applications in the form "*.example.com".`,
+			Description: `Specifies the wildcard hostname to use for workspace applications in the form "*.example.com" or "*-suffix.example.com". Ports or schemes should not be included. The scheme will be copied from the access URL.`,
 		},
 		Address: &codersdk.StringFlag{
 			Name:        "Bind Address",
 
@@ -17,6 +17,7 @@ import (
 	"os/signal"
 	"os/user"
 	"path/filepath"
+	"regexp"
 	"strconv"
 	"strings"
 	"sync"
@@ -53,6 +54,7 @@ import (
 	"github.com/coder/coder/coderd/database/migrations"
 	"github.com/coder/coder/coderd/devtunnel"
 	"github.com/coder/coder/coderd/gitsshkey"
+	"github.com/coder/coder/coderd/httpapi"
 	"github.com/coder/coder/coderd/prometheusmetrics"
 	"github.com/coder/coder/coderd/telemetry"
 	"github.com/coder/coder/coderd/tracing"
@@ -297,13 +299,19 @@ func Server(dflags *codersdk.DeploymentFlags, newAPI func(context.Context, *code
 				return xerrors.Errorf("create derp map: %w", err)
 			}
 
-			appHostname := strings.TrimPrefix(dflags.WildcardAccessURL.Value, "http://")
-			appHostname = strings.TrimPrefix(appHostname, "https://")
-			appHostname = strings.TrimPrefix(appHostname, "*.")
+			appHostname := strings.TrimSpace(dflags.WildcardAccessURL.Value)
+			var appHostnameRegex *regexp.Regexp
+			if appHostname != "" {
+				appHostnameRegex, err = httpapi.CompileHostnamePattern(appHostname)
+				if err != nil {
+					return xerrors.Errorf("parse wildcard access URL %q: %w", appHostname, err)
+				}
+			}
 
 			options := &coderd.Options{
 				AccessURL:                   accessURLParsed,
 				AppHostname:                 appHostname,
+				AppHostnameRegex:            appHostnameRegex,
 				Logger:                      logger.Named("coderd"),
 				Database:                    databasefake.New(),
 				DERPMap:                     derpMap,
 
@@ -23,7 +23,15 @@ func TestWorkspaceActivityBump(t *testing.T) {
 	setupActivityTest := func(t *testing.T) (client *codersdk.Client, workspace codersdk.Workspace, assertBumped func(want bool)) {
 		var ttlMillis int64 = 60 * 1000
 
-		client, _, workspace, _ = setupProxyTest(t, func(cwr *codersdk.CreateWorkspaceRequest) {
+		client = coderdtest.New(t, &coderdtest.Options{
+			AppHostname:                 proxyTestSubdomainRaw,
+			IncludeProvisionerDaemon:    true,
+			AgentStatsRefreshInterval:   time.Millisecond * 100,
+			MetricsCacheRefreshInterval: time.Millisecond * 100,
+		})
+		user := coderdtest.CreateFirstUser(t, client)
+
+		workspace = createWorkspaceWithApps(t, client, user.OrganizationID, 1234, func(cwr *codersdk.CreateWorkspaceRequest) {
 			cwr.TTLMillis = &ttlMillis
 		})
 
 
@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"net/url"
 	"path/filepath"
+	"regexp"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -46,11 +47,16 @@ import (
 type Options struct {
 	AccessURL *url.URL
 	// AppHostname should be the wildcard hostname to use for workspace
-	// applications without the asterisk or leading dot. E.g. "apps.coder.com".
+	// applications INCLUDING the asterisk, (optional) suffix and leading dot.
+	// E.g. "*.apps.coder.com" or "*-apps.coder.com".
 	AppHostname string
-	Logger      slog.Logger
-	Database    database.Store
-	Pubsub      database.Pubsub
+	// AppHostnameRegex contains the regex version of options.AppHostname as
+	// generated by httpapi.CompileHostnamePattern(). It MUST be set if
+	// options.AppHostname is set.
+	AppHostnameRegex *regexp.Regexp
+	Logger           slog.Logger
+	Database         database.Store
+	Pubsub           database.Pubsub
 
 	// CacheDir is used for caching files served by the API.
 	CacheDir string
@@ -90,6 +96,9 @@ func New(options *Options) *API {
 	if options == nil {
 		options = &Options{}
 	}
+	if options.AppHostname != "" && options.AppHostnameRegex == nil || options.AppHostname == "" && options.AppHostnameRegex != nil {
+		panic("coderd: both AppHostname and AppHostnameRegex must be set or unset")
+	}
 	if options.AgentConnectionUpdateFrequency == 0 {
 		options.AgentConnectionUpdateFrequency = 3 * time.Second
 	}
 
@@ -11,7 +11,7 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 	t.Parallel()
 	client, _, api := coderdtest.NewWithAPI(t, &coderdtest.Options{
 		// Required for any subdomain-based proxy tests to pass.
-		AppHostname:              "test.coder.com",
+		AppHostname:              "*.test.coder.com",
 		Authorizer:               &coderdtest.RecordingAuthorizer{},
 		IncludeProvisionerDaemon: true,
 	})
 
@@ -20,6 +20,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"regexp"
 	"strconv"
 	"strings"
 	"testing"
@@ -49,6 +50,7 @@ import (
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/database/dbtestutil"
 	"github.com/coder/coder/coderd/gitsshkey"
+	"github.com/coder/coder/coderd/httpapi"
 	"github.com/coder/coder/coderd/rbac"
 	"github.com/coder/coder/coderd/telemetry"
 	"github.com/coder/coder/coderd/util/ptr"
@@ -172,13 +174,21 @@ func NewOptions(t *testing.T, options *Options) (*httptest.Server, context.Cance
 		options.SSHKeygenAlgorithm = gitsshkey.AlgorithmEd25519
 	}
 
+	var appHostnameRegex *regexp.Regexp
+	if options.AppHostname != "" {
+		var err error
+		appHostnameRegex, err = httpapi.CompileHostnamePattern(options.AppHostname)
+		require.NoError(t, err)
+	}
+
 	return srv, cancelFunc, &coderd.Options{
 		AgentConnectionUpdateFrequency: 150 * time.Millisecond,
 		// Force a long disconnection timeout to ensure
 		// agents are not marked as disconnected during slow tests.
 		AgentInactiveDisconnectTimeout: testutil.WaitShort,
 		AccessURL:                      serverURL,
 		AppHostname:                    options.AppHostname,
+		AppHostnameRegex:               appHostnameRegex,
 		Logger:                         slogtest.Make(t, nil).Leveled(slog.LevelDebug),
 		CacheDir:                       t.TempDir(),
 		Database:                       db,
 
@@ -17,20 +17,9 @@ var (
 		// {PORT/APP_NAME}--{AGENT_NAME}--{WORKSPACE_NAME}--{USERNAME}
 		`^(?P<AppName>%[1]s)--(?P<AgentName>%[1]s)--(?P<WorkspaceName>%[1]s)--(?P<Username>%[1]s)$`,
 		nameRegex))
-)
-
-// SplitSubdomain splits a subdomain from the rest of the hostname. E.g.:
-//   - "foo.bar.com" becomes "foo", "bar.com"
-//   - "foo.bar.baz.com" becomes "foo", "bar.baz.com"
-//   - "foo" becomes "foo", ""
-func SplitSubdomain(hostname string) (subdomain string, rest string) {
-	toks := strings.SplitN(hostname, ".", 2)
-	if len(toks) < 2 {
-		return toks[0], ""
-	}
 
-	return toks[0], toks[1]
-}
+	validHostnameLabelRegex = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)
+)
 
 // ApplicationURL is a parsed application URL hostname.
 type ApplicationURL struct {
@@ -111,3 +100,81 @@ func HostnamesMatch(a, b string) bool {
 
 	return strings.EqualFold(aHost, bHost)
 }
+
+// CompileHostnamePattern compiles a hostname pattern into a regular expression.
+// A hostname pattern is a string that may contain a single wildcard character
+// at the beginning. The wildcard character matches any number of hostname-safe
+// characters excluding periods. The pattern is case-insensitive.
+//
+// The supplied pattern:
+//   - must not start or end with a period
+//   - must contain exactly one asterisk at the beginning
+//   - must not contain any other wildcard characters
+//   - must not contain any other characters that are not hostname-safe (including
+//     whitespace)
+//   - must contain at least two hostname labels/segments (i.e. "foo" or "*" are
+//     not valid patterns, but "foo.bar" and "*.bar" are).
+//
+// The returned regular expression will match an entire hostname with optional
+// trailing periods and whitespace. The first submatch will be the wildcard
+// match.
+func CompileHostnamePattern(pattern string) (*regexp.Regexp, error) {
+	pattern = strings.ToLower(pattern)
+	if strings.Contains(pattern, "http:") || strings.Contains(pattern, "https:") {
+		return nil, xerrors.Errorf("hostname pattern must not contain a scheme: %q", pattern)
+	}
+	if strings.Contains(pattern, ":") {
+		return nil, xerrors.Errorf("hostname pattern must not contain a port: %q", pattern)
+	}
+	if strings.HasPrefix(pattern, ".") || strings.HasSuffix(pattern, ".") {
+		return nil, xerrors.Errorf("hostname pattern must not start or end with a period: %q", pattern)
+	}
+	if strings.Count(pattern, ".") < 1 {
+		return nil, xerrors.Errorf("hostname pattern must contain at least two labels/segments: %q", pattern)
+	}
+	if strings.Count(pattern, "*") != 1 {
+		return nil, xerrors.Errorf("hostname pattern must contain exactly one asterisk: %q", pattern)
+	}
+	if !strings.HasPrefix(pattern, "*") {
+		return nil, xerrors.Errorf("hostname pattern must only contain an asterisk at the beginning: %q", pattern)
+	}
+	for i, label := range strings.Split(pattern, ".") {
+		if i == 0 {
+			// We have to allow the asterisk to be a valid hostname label.
+			label = strings.TrimPrefix(label, "*")
+			label = "a" + label
+		}
+		if !validHostnameLabelRegex.MatchString(label) {
+			return nil, xerrors.Errorf("hostname pattern contains invalid label %q: %q", label, pattern)
+		}
+	}
+
+	// Replace periods with escaped periods.
+	regexPattern := strings.ReplaceAll(pattern, ".", "\\.")
+
+	// Capture wildcard match.
+	regexPattern = strings.Replace(regexPattern, "*", "([^.]+)", 1)
+
+	// Allow trailing period.
+	regexPattern = regexPattern + "\\.?"
+
+	// Allow optional port number.
+	regexPattern += "(:\\d+)?"
+
+	// Allow leading and trailing whitespace.
+	regexPattern = `^\s*` + regexPattern + `\s*$`
+
+	return regexp.Compile(regexPattern)
+}
+
+// ExecuteHostnamePattern executes a pattern generated by CompileHostnamePattern
+// and returns the wildcard match. If the pattern does not match the hostname,
+// returns false.
+func ExecuteHostnamePattern(pattern *regexp.Regexp, hostname string) (string, bool) {
+	matches := pattern.FindStringSubmatch(hostname)
+	if len(matches) < 2 {
+		return "", false
+	}
+
+	return matches[1], true
+}