fix: Replace access URL for built-in DERP servers (#4197)

Fixes #4195.
2025-07-12 00:14:10 +00:00 · 2022-09-26 12:56:04 -05:00
parent ee4b934601
commit 39cf329404
8 changed files with 133 additions and 24 deletions
--- a/codersdk/workspaceagents.go
+++ b/codersdk/workspaceagents.go
@ -10,6 +10,7 @@ import (
 	"net/http"
 	"net/http/cookiejar"
 	"net/netip"
+	"strconv"
 	"time"

 	"cloud.google.com/go/compute/metadata"
@ -208,7 +209,42 @@ func (c *Client) WorkspaceAgentMetadata(ctx context.Context) (WorkspaceAgentMeta
 		return WorkspaceAgentMetadata{}, readBodyAsError(res)
 	}
 	var agentMetadata WorkspaceAgentMetadata
-	return agentMetadata, json.NewDecoder(res.Body).Decode(&agentMetadata)
+	err = json.NewDecoder(res.Body).Decode(&agentMetadata)
+	if err != nil {
+		return WorkspaceAgentMetadata{}, err
+	}
+	accessingPort := c.URL.Port()
+	if accessingPort == "" {
+		accessingPort = "80"
+		if c.URL.Scheme == "https" {
+			accessingPort = "443"
+		}
+	}
+	accessPort, err := strconv.Atoi(accessingPort)
+	if err != nil {
+		return WorkspaceAgentMetadata{}, xerrors.Errorf("convert accessing port %q: %w", accessingPort, err)
+	}
+	// Agents can provide an arbitrary access URL that may be different
+	// that the globally configured one. This breaks the built-in DERP,
+	// which would continue to reference the global access URL.
+	//
+	// This converts all built-in DERPs to use the access URL that the
+	// metadata request was performed with.
+	for _, region := range agentMetadata.DERPMap.Regions {
+		if !region.EmbeddedRelay {
+			continue
+		}
+
+		for _, node := range region.Nodes {
+			if node.STUNOnly {
+				continue
+			}
+			node.HostName = c.URL.Hostname()
+			node.DERPPort = accessPort
+			node.ForceHTTP = c.URL.Scheme == "http"
+		}
+	}
+	return agentMetadata, nil
 }

 func (c *Client) ListenWorkspaceAgentTailnet(ctx context.Context) (net.Conn, error) {
--- a/codersdk/workspaceagents_test.go
+++ b/codersdk/workspaceagents_test.go
@ -0,0 +1,49 @@
+package codersdk_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strconv"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"tailscale.com/tailcfg"
+
+	"github.com/coder/coder/coderd/httpapi"
+	"github.com/coder/coder/codersdk"
+)
+
+func TestWorkspaceAgentMetadata(t *testing.T) {
+	t.Parallel()
+	// This test ensures that the DERP map returned properly
+	// mutates built-in DERPs with the client access URL.
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		httpapi.Write(context.Background(), w, http.StatusOK, codersdk.WorkspaceAgentMetadata{
+			DERPMap: &tailcfg.DERPMap{
+				Regions: map[int]*tailcfg.DERPRegion{
+					1: {
+						EmbeddedRelay: true,
+						RegionID:      1,
+						Nodes: []*tailcfg.DERPNode{{
+							HostName: "bananas.org",
+							DERPPort: 1,
+						}},
+					},
+				},
+			},
+		})
+	}))
+	parsed, err := url.Parse(srv.URL)
+	require.NoError(t, err)
+	client := codersdk.New(parsed)
+	metadata, err := client.WorkspaceAgentMetadata(context.Background())
+	require.NoError(t, err)
+	region := metadata.DERPMap.Regions[1]
+	require.True(t, region.EmbeddedRelay)
+	require.Len(t, region.Nodes, 1)
+	node := region.Nodes[0]
+	require.Equal(t, parsed.Hostname(), node.HostName)
+	require.Equal(t, parsed.Port(), strconv.Itoa(node.DERPPort))
+}