chore: add workspace proxies to the backend (#7032)

Co-authored-by: Dean Sheather <dean@deansheather.com>
2025-07-06 15:41:45 +00:00 · 2023-04-17 14:57:21 -05:00
parent dc5e16ae22
commit 658246d5f2
61 changed files with 3641 additions and 757 deletions
--- a/enterprise/coderd/coderd.go
+++ b/enterprise/coderd/coderd.go
@ -83,11 +83,24 @@ func New(ctx context.Context, options *Options) (*API, error) {
 		})
 		r.Route("/workspaceproxies", func(r chi.Router) {
 			r.Use(
-				apiKeyMiddleware,
 				api.moonsEnabledMW,
 			)
-			r.Post("/", api.postWorkspaceProxy)
-			r.Get("/", api.workspaceProxies)
+			r.Group(func(r chi.Router) {
+				r.Use(
+					apiKeyMiddleware,
+				)
+				r.Post("/", api.postWorkspaceProxy)
+				r.Get("/", api.workspaceProxies)
+			})
+			r.Route("/me", func(r chi.Router) {
+				r.Use(
+					httpmw.ExtractWorkspaceProxy(httpmw.ExtractWorkspaceProxyConfig{
+						DB:       options.Database,
+						Optional: false,
+					}),
+				)
+				r.Post("/issue-signed-app-token", api.workspaceProxyIssueSignedAppToken)
+			})
 			// TODO: Add specific workspace proxy endpoints.
 			// r.Route("/{proxyName}", func(r chi.Router) {
 			//	r.Use(
--- a/enterprise/coderd/coderdenttest/proxytest.go
+++ b/enterprise/coderd/coderdenttest/proxytest.go
@ -0,0 +1,142 @@
+package coderdenttest
+
+import (
+	"context"
+	"crypto/tls"
+	"fmt"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"regexp"
+	"sync"
+	"testing"
+
+	"github.com/moby/moby/pkg/namesgenerator"
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/stretchr/testify/require"
+
+	"cdr.dev/slog"
+	"cdr.dev/slog/sloggers/slogtest"
+	"github.com/coder/coder/coderd/httpapi"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/enterprise/coderd"
+	"github.com/coder/coder/enterprise/wsproxy"
+)
+
+type ProxyOptions struct {
+	Name string
+
+	TLSCertificates []tls.Certificate
+	AppHostname     string
+	DisablePathApps bool
+
+	// ProxyURL is optional
+	ProxyURL *url.URL
+}
+
+// NewWorkspaceProxy will configure a wsproxy.Server with the given options.
+// The new wsproxy will register itself with the given coderd.API instance.
+// The first user owner client is required to create the wsproxy on the coderd
+// api server.
+func NewWorkspaceProxy(t *testing.T, coderdAPI *coderd.API, owner *codersdk.Client, options *ProxyOptions) *wsproxy.Server {
+	ctx, cancelFunc := context.WithCancel(context.Background())
+	t.Cleanup(cancelFunc)
+
+	if options == nil {
+		options = &ProxyOptions{}
+	}
+
+	// HTTP Server
+	var mutex sync.RWMutex
+	var handler http.Handler
+	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		mutex.RLock()
+		defer mutex.RUnlock()
+		if handler == nil {
+			http.Error(w, "handler not set", http.StatusServiceUnavailable)
+		}
+
+		handler.ServeHTTP(w, r)
+	}))
+	srv.Config.BaseContext = func(_ net.Listener) context.Context {
+		return ctx
+	}
+	if options.TLSCertificates != nil {
+		srv.TLS = &tls.Config{
+			Certificates: options.TLSCertificates,
+			MinVersion:   tls.VersionTLS12,
+		}
+		srv.StartTLS()
+	} else {
+		srv.Start()
+	}
+	t.Cleanup(srv.Close)
+
+	tcpAddr, ok := srv.Listener.Addr().(*net.TCPAddr)
+	require.True(t, ok)
+
+	serverURL, err := url.Parse(srv.URL)
+	require.NoError(t, err)
+
+	serverURL.Host = fmt.Sprintf("localhost:%d", tcpAddr.Port)
+
+	accessURL := options.ProxyURL
+	if accessURL == nil {
+		accessURL = serverURL
+	}
+
+	// TODO: Stun and derp stuff
+	// derpPort, err := strconv.Atoi(serverURL.Port())
+	// require.NoError(t, err)
+	//
+	// stunAddr, stunCleanup := stuntest.ServeWithPacketListener(t, nettype.Std{})
+	// t.Cleanup(stunCleanup)
+	//
+	// derpServer := derp.NewServer(key.NewNode(), tailnet.Logger(slogtest.Make(t, nil).Named("derp").Leveled(slog.LevelDebug)))
+	// derpServer.SetMeshKey("test-key")
+
+	var appHostnameRegex *regexp.Regexp
+	if options.AppHostname != "" {
+		var err error
+		appHostnameRegex, err = httpapi.CompileHostnamePattern(options.AppHostname)
+		require.NoError(t, err)
+	}
+
+	if options.Name == "" {
+		options.Name = namesgenerator.GetRandomName(1)
+	}
+
+	proxyRes, err := owner.CreateWorkspaceProxy(ctx, codersdk.CreateWorkspaceProxyRequest{
+		Name:             options.Name,
+		Icon:             "/emojis/flag.png",
+		URL:              accessURL.String(),
+		WildcardHostname: options.AppHostname,
+	})
+	require.NoError(t, err, "failed to create workspace proxy")
+
+	wssrv, err := wsproxy.New(&wsproxy.Options{
+		Logger:            slogtest.Make(t, nil).Leveled(slog.LevelDebug),
+		DashboardURL:      coderdAPI.AccessURL,
+		AccessURL:         accessURL,
+		AppHostname:       options.AppHostname,
+		AppHostnameRegex:  appHostnameRegex,
+		RealIPConfig:      coderdAPI.RealIPConfig,
+		AppSecurityKey:    coderdAPI.AppSecurityKey,
+		Tracing:           coderdAPI.TracerProvider,
+		APIRateLimit:      coderdAPI.APIRateLimit,
+		SecureAuthCookie:  coderdAPI.SecureAuthCookie,
+		ProxySessionToken: proxyRes.ProxyToken,
+		DisablePathApps:   options.DisablePathApps,
+		// We need a new registry to not conflict with the coderd internal
+		// proxy metrics.
+		PrometheusRegistry: prometheus.NewRegistry(),
+	})
+	require.NoError(t, err)
+
+	mutex.Lock()
+	handler = wssrv.Handler
+	mutex.Unlock()
+
+	return wssrv
+}
--- a/enterprise/coderd/workspaceproxy.go
+++ b/enterprise/coderd/workspaceproxy.go
@ -1,6 +1,7 @@
 package coderd

 import (
+	"crypto/sha256"
 	"database/sql"
 	"fmt"
 	"net/http"
@ -12,7 +13,10 @@ import (
 	"github.com/coder/coder/coderd/audit"
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/httpapi"
+	"github.com/coder/coder/coderd/workspaceapps"
 	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/cryptorand"
+	"github.com/coder/coder/enterprise/wsproxy/wsproxysdk"
 )

 // @Summary Create workspace proxy
@ -20,7 +24,7 @@ import (
 // @Security CoderSessionToken
 // @Accept json
 // @Produce json
-// @Tags Templates
+// @Tags Enterprise
 // @Param request body codersdk.CreateWorkspaceProxyRequest true "Create workspace proxy request"
 // @Success 201 {object} codersdk.WorkspaceProxy
 // @Router /workspaceproxies [post]
@ -50,23 +54,35 @@ func (api *API) postWorkspaceProxy(rw http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if _, err := httpapi.CompileHostnamePattern(req.WildcardHostname); err != nil {
-		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
-			Message: "Wildcard URL is invalid.",
-			Detail:  err.Error(),
-		})
-		return
+	if req.WildcardHostname != "" {
+		if _, err := httpapi.CompileHostnamePattern(req.WildcardHostname); err != nil {
+			httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+				Message: "Wildcard URL is invalid.",
+				Detail:  err.Error(),
+			})
+			return
+		}
 	}

+	id := uuid.New()
+	secret, err := cryptorand.HexString(64)
+	if err != nil {
+		httpapi.InternalServerError(rw, err)
+		return
+	}
+	hashedSecret := sha256.Sum256([]byte(secret))
+	fullToken := fmt.Sprintf("%s:%s", id, secret)
+
 	proxy, err := api.Database.InsertWorkspaceProxy(ctx, database.InsertWorkspaceProxyParams{
-		ID:               uuid.New(),
-		Name:             req.Name,
-		DisplayName:      req.DisplayName,
-		Icon:             req.Icon,
-		Url:              req.URL,
-		WildcardHostname: req.WildcardHostname,
-		CreatedAt:        database.Now(),
-		UpdatedAt:        database.Now(),
+		ID:                id,
+		Name:              req.Name,
+		DisplayName:       req.DisplayName,
+		Icon:              req.Icon,
+		Url:               req.URL,
+		WildcardHostname:  req.WildcardHostname,
+		TokenHashedSecret: hashedSecret[:],
+		CreatedAt:         database.Now(),
+		UpdatedAt:         database.Now(),
 	})
 	if database.IsUniqueViolation(err) {
 		httpapi.Write(ctx, rw, http.StatusConflict, codersdk.Response{
@ -80,7 +96,10 @@ func (api *API) postWorkspaceProxy(rw http.ResponseWriter, r *http.Request) {
 	}

 	aReq.New = proxy
-	httpapi.Write(ctx, rw, http.StatusCreated, convertProxy(proxy))
+	httpapi.Write(ctx, rw, http.StatusCreated, codersdk.CreateWorkspaceProxyResponse{
+		Proxy:      convertProxy(proxy),
+		ProxyToken: fullToken,
+	})
 }

 // nolint:revive
@ -137,3 +156,55 @@ func convertProxy(p database.WorkspaceProxy) codersdk.WorkspaceProxy {
 		Deleted:          p.Deleted,
 	}
 }
+
+// @Summary Issue signed workspace app token
+// @ID issue-signed-workspace-app-token
+// @Security CoderSessionToken
+// @Accept json
+// @Produce json
+// @Tags Enterprise
+// @Param request body workspaceapps.IssueTokenRequest true "Issue signed app token request"
+// @Success 201 {object} wsproxysdk.IssueSignedAppTokenResponse
+// @Router /workspaceproxies/me/issue-signed-app-token [post]
+// @x-apidocgen {"skip": true}
+func (api *API) workspaceProxyIssueSignedAppToken(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	// NOTE: this endpoint will return JSON on success, but will (usually)
+	// return a self-contained HTML error page on failure. The external proxy
+	// should forward any non-201 response to the client.
+
+	var req workspaceapps.IssueTokenRequest
+	if !httpapi.Read(ctx, rw, r, &req) {
+		return
+	}
+
+	// userReq is a http request from the user on the other side of the proxy.
+	// Although the workspace proxy is making this call, we want to use the user's
+	// authorization context to create the token.
+	//
+	// We can use the existing request context for all tracing/logging purposes.
+	// Any workspace proxy auth uses different context keys so we don't need to
+	// worry about that.
+	userReq, err := http.NewRequestWithContext(ctx, "GET", req.AppRequest.BasePath, nil)
+	if err != nil {
+		// This should never happen
+		httpapi.InternalServerError(rw, xerrors.Errorf("[DEV ERROR] new request: %w", err))
+		return
+	}
+	userReq.Header.Set(codersdk.SessionTokenHeader, req.SessionToken)
+
+	// Exchange the token.
+	token, tokenStr, ok := api.AGPL.WorkspaceAppsProvider.Issue(ctx, rw, userReq, req)
+	if !ok {
+		return
+	}
+	if token == nil {
+		httpapi.InternalServerError(rw, xerrors.New("nil token after calling token provider"))
+		return
+	}
+
+	httpapi.Write(ctx, rw, http.StatusCreated, wsproxysdk.IssueSignedAppTokenResponse{
+		SignedTokenStr: tokenStr,
+	})
+}
--- a/enterprise/coderd/workspaceproxy_test.go
+++ b/enterprise/coderd/workspaceproxy_test.go
@ -1,15 +1,27 @@
 package coderd_test

 import (
+	"net/http/httptest"
+	"net/http/httputil"
 	"testing"

+	"github.com/google/uuid"
 	"github.com/moby/moby/pkg/namesgenerator"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

+	"cdr.dev/slog"
+	"cdr.dev/slog/sloggers/slogtest"
+	"github.com/coder/coder/agent"
 	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/coderd/database/dbtestutil"
+	"github.com/coder/coder/coderd/workspaceapps"
 	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/codersdk/agentsdk"
 	"github.com/coder/coder/enterprise/coderd/coderdenttest"
 	"github.com/coder/coder/enterprise/coderd/license"
+	"github.com/coder/coder/enterprise/wsproxy/wsproxysdk"
+	"github.com/coder/coder/provisioner/echo"
 	"github.com/coder/coder/testutil"
 )

@ -36,7 +48,7 @@ func TestWorkspaceProxyCRUD(t *testing.T) {
 			},
 		})
 		ctx := testutil.Context(t, testutil.WaitLong)
-		proxy, err := client.CreateWorkspaceProxy(ctx, codersdk.CreateWorkspaceProxyRequest{
+		proxyRes, err := client.CreateWorkspaceProxy(ctx, codersdk.CreateWorkspaceProxyRequest{
 			Name:             namesgenerator.GetRandomName(1),
 			Icon:             "/emojis/flag.png",
 			URL:              "https://" + namesgenerator.GetRandomName(1) + ".com",
@ -44,9 +56,117 @@ func TestWorkspaceProxyCRUD(t *testing.T) {
 		})
 		require.NoError(t, err)

-		proxies, err := client.WorkspaceProxiesByOrganization(ctx)
+		proxies, err := client.WorkspaceProxies(ctx)
 		require.NoError(t, err)
 		require.Len(t, proxies, 1)
-		require.Equal(t, proxy, proxies[0])
+		require.Equal(t, proxyRes.Proxy, proxies[0])
+		require.NotEmpty(t, proxyRes.ProxyToken)
+	})
+}
+
+func TestIssueSignedAppToken(t *testing.T) {
+	t.Parallel()
+
+	dv := coderdtest.DeploymentValues(t)
+	dv.Experiments = []string{
+		string(codersdk.ExperimentMoons),
+		"*",
+	}
+
+	db, pubsub := dbtestutil.NewDB(t)
+	client := coderdenttest.New(t, &coderdenttest.Options{
+		Options: &coderdtest.Options{
+			DeploymentValues:         dv,
+			Database:                 db,
+			Pubsub:                   pubsub,
+			IncludeProvisionerDaemon: true,
+		},
+	})
+
+	user := coderdtest.CreateFirstUser(t, client)
+	_ = coderdenttest.AddLicense(t, client, coderdenttest.LicenseOptions{
+		Features: license.Features{
+			codersdk.FeatureWorkspaceProxy: 1,
+		},
+	})
+
+	// Create a workspace + apps
+	authToken := uuid.NewString()
+	version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+		Parse:          echo.ParseComplete,
+		ProvisionApply: echo.ProvisionApplyWithAgent(authToken),
+	})
+	template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+	coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+	workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+	build := coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+	workspace.LatestBuild = build
+
+	// Connect an agent to the workspace
+	agentClient := agentsdk.New(client.URL)
+	agentClient.SetSessionToken(authToken)
+	agentCloser := agent.New(agent.Options{
+		Client: agentClient,
+		Logger: slogtest.Make(t, nil).Named("agent").Leveled(slog.LevelDebug),
+	})
+	t.Cleanup(func() {
+		_ = agentCloser.Close()
+	})
+
+	coderdtest.AwaitWorkspaceAgents(t, client, workspace.ID)
+
+	createProxyCtx := testutil.Context(t, testutil.WaitLong)
+	proxyRes, err := client.CreateWorkspaceProxy(createProxyCtx, codersdk.CreateWorkspaceProxyRequest{
+		Name:             namesgenerator.GetRandomName(1),
+		Icon:             "/emojis/flag.png",
+		URL:              "https://" + namesgenerator.GetRandomName(1) + ".com",
+		WildcardHostname: "*.sub.example.com",
+	})
+	require.NoError(t, err)
+
+	proxyClient := wsproxysdk.New(client.URL)
+	proxyClient.SetSessionToken(proxyRes.ProxyToken)
+
+	t.Run("BadAppRequest", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitLong)
+		_, err = proxyClient.IssueSignedAppToken(ctx, workspaceapps.IssueTokenRequest{
+			// Invalid request.
+			AppRequest:   workspaceapps.Request{},
+			SessionToken: client.SessionToken(),
+		})
+		require.Error(t, err)
+	})
+
+	goodRequest := workspaceapps.IssueTokenRequest{
+		AppRequest: workspaceapps.Request{
+			BasePath:      "/app",
+			AccessMethod:  workspaceapps.AccessMethodTerminal,
+			AgentNameOrID: build.Resources[0].Agents[0].ID.String(),
+		},
+		SessionToken: client.SessionToken(),
+	}
+	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitLong)
+		_, err = proxyClient.IssueSignedAppToken(ctx, goodRequest)
+		require.NoError(t, err)
+	})
+
+	t.Run("OKHTML", func(t *testing.T) {
+		t.Parallel()
+
+		rw := httptest.NewRecorder()
+		ctx := testutil.Context(t, testutil.WaitLong)
+		_, ok := proxyClient.IssueSignedAppTokenHTML(ctx, rw, goodRequest)
+		if !assert.True(t, ok, "expected true") {
+			resp := rw.Result()
+			defer resp.Body.Close()
+			dump, err := httputil.DumpResponse(resp, true)
+			require.NoError(t, err)
+			t.Log(string(dump))
+		}
 	})
 }