fix(coderd): pass block endpoints into servertailnet (#12149)

2025-07-21 01:28:49 +00:00 · 2024-03-07 23:29:54 -06:00
parent d2a74cf547
commit 66154f937e
8 changed files with 62 additions and 2 deletions
--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@ -489,6 +489,7 @@ func New(options *Options) *API {
 		func(context.Context) (tailnet.MultiAgentConn, error) {
 			return (*api.TailnetCoordinator.Load()).ServeMultiAgent(uuid.New()), nil
 		},
+		options.DeploymentValues.DERP.Config.BlockDirect.Value(),
 		api.TracerProvider,
 	)
 	if err != nil {
--- a/coderd/tailnet.go
+++ b/coderd/tailnet.go
@ -49,6 +49,7 @@ func NewServerTailnet(
 	derpMapFn func() *tailcfg.DERPMap,
 	derpForceWebSockets bool,
 	getMultiAgent func(context.Context) (tailnet.MultiAgentConn, error),
+	blockEndpoints bool,
 	traceProvider trace.TracerProvider,
 ) (*ServerTailnet, error) {
 	logger = logger.Named("servertailnet")
@ -56,6 +57,7 @@ func NewServerTailnet(
 		Addresses:           []netip.Prefix{netip.PrefixFrom(tailnet.IP(), 128)},
 		DERPForceWebSockets: derpForceWebSockets,
 		Logger:              logger,
+		BlockEndpoints:      blockEndpoints,
 	})
 	if err != nil {
 		return nil, xerrors.Errorf("create tailnet conn: %w", err)
@ -166,6 +168,12 @@ func NewServerTailnet(
 	return tn, nil
 }

+// Conn is used to access the underlying tailnet conn of the ServerTailnet. It
+// should only be used for read-only purposes.
+func (s *ServerTailnet) Conn() *tailnet.Conn {
+	return s.conn
+}
+
 func (s *ServerTailnet) nodeCallback(node *tailnet.Node) {
 	pn, err := tailnet.NodeToProto(node)
 	if err != nil {
--- a/coderd/tailnet_test.go
+++ b/coderd/tailnet_test.go
@ -303,6 +303,36 @@ func TestServerTailnet_ReverseProxy(t *testing.T) {

 		assert.Equal(t, expectedResponseCode, res.StatusCode)
 	})
+
+	t.Run("BlockEndpoints", func(t *testing.T) {
+		t.Parallel()
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		agents, serverTailnet := setupServerTailnetAgent(t, 1, tailnettest.DisableSTUN)
+		a := agents[0]
+
+		require.True(t, serverTailnet.Conn().GetBlockEndpoints(), "expected BlockEndpoints to be set")
+
+		u, err := url.Parse(fmt.Sprintf("http://127.0.0.1:%d", codersdk.WorkspaceAgentHTTPAPIServerPort))
+		require.NoError(t, err)
+
+		rp := serverTailnet.ReverseProxy(u, u, a.id)
+
+		rw := httptest.NewRecorder()
+		req := httptest.NewRequest(
+			http.MethodGet,
+			u.String(),
+			nil,
+		).WithContext(ctx)
+
+		rp.ServeHTTP(rw, req)
+		res := rw.Result()
+		defer res.Body.Close()
+
+		assert.Equal(t, http.StatusOK, res.StatusCode)
+	})
 }

 type wrappedListener struct {
@ -375,6 +405,7 @@ func setupServerTailnetAgent(t *testing.T, agentNum int, opts ...tailnettest.DER
 		func() *tailcfg.DERPMap { return derpMap },
 		false,
 		func(context.Context) (tailnet.MultiAgentConn, error) { return coord.ServeMultiAgent(uuid.New()), nil },
+		!derpMap.HasSTUN(),
 		trace.NewNoopTracerProvider(),
 	)
 	require.NoError(t, err)