chore: support signed token query param for web terminal (#7197)

* chore: add endpoint to get token for web terminal * chore: support signed token query param for web terminal
2025-07-18 14:17:22 +00:00 · 2023-04-20 16:59:45 -07:00
parent ac3c530283
commit 68667323f3
25 changed files with 886 additions and 164 deletions
--- a/coderd/workspaceapps/apptest/apptest.go
+++ b/coderd/workspaceapps/apptest/apptest.go
@ -22,6 +22,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/xerrors"
+	"nhooyr.io/websocket"

 	"github.com/coder/coder/coderd/coderdtest"
 	"github.com/coder/coder/coderd/rbac"
@ -46,43 +47,9 @@ func Run(t *testing.T, factory DeploymentFactory) {
 			t.Skip("ConPTY appears to be inconsistent on Windows.")
 		}

-		appDetails := setupProxyTest(t, nil)
-
-		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
-		defer cancel()
-
-		// Run the test against the path app hostname since that's where the
-		// reconnecting-pty proxy server we want to test is mounted.
-		client := appDetails.AppClient(t)
-		conn, err := client.WorkspaceAgentReconnectingPTY(ctx, appDetails.Agent.ID, uuid.New(), 80, 80, "/bin/bash")
-		require.NoError(t, err)
-		defer conn.Close()
-
-		// First attempt to resize the TTY.
-		// The websocket will close if it fails!
-		data, err := json.Marshal(codersdk.ReconnectingPTYRequest{
-			Height: 250,
-			Width:  250,
-		})
-		require.NoError(t, err)
-		_, err = conn.Write(data)
-		require.NoError(t, err)
-		bufRead := bufio.NewReader(conn)
-
-		// Brief pause to reduce the likelihood that we send keystrokes while
-		// the shell is simultaneously sending a prompt.
-		time.Sleep(100 * time.Millisecond)
-
-		data, err = json.Marshal(codersdk.ReconnectingPTYRequest{
-			Data: "echo test\r\n",
-		})
-		require.NoError(t, err)
-		_, err = conn.Write(data)
-		require.NoError(t, err)
-
-		expectLine := func(matcher func(string) bool) {
+		expectLine := func(r *bufio.Reader, matcher func(string) bool) {
 			for {
-				line, err := bufRead.ReadString('\n')
+				line, err := r.ReadString('\n')
 				require.NoError(t, err)
 				if matcher(line) {
 					break
@ -96,8 +63,93 @@ func Run(t *testing.T, factory DeploymentFactory) {
 			return strings.Contains(line, "test") && !strings.Contains(line, "echo")
 		}

-		expectLine(matchEchoCommand)
-		expectLine(matchEchoOutput)
+		t.Run("OK", func(t *testing.T) {
+			appDetails := setupProxyTest(t, nil)
+
+			ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+			defer cancel()
+
+			// Run the test against the path app hostname since that's where the
+			// reconnecting-pty proxy server we want to test is mounted.
+			client := appDetails.AppClient(t)
+			conn, err := client.WorkspaceAgentReconnectingPTY(ctx, appDetails.Agent.ID, uuid.New(), 80, 80, "/bin/bash")
+			require.NoError(t, err)
+			defer conn.Close()
+
+			// First attempt to resize the TTY.
+			// The websocket will close if it fails!
+			data, err := json.Marshal(codersdk.ReconnectingPTYRequest{
+				Height: 250,
+				Width:  250,
+			})
+			require.NoError(t, err)
+			_, err = conn.Write(data)
+			require.NoError(t, err)
+			bufRead := bufio.NewReader(conn)
+
+			// Brief pause to reduce the likelihood that we send keystrokes while
+			// the shell is simultaneously sending a prompt.
+			time.Sleep(100 * time.Millisecond)
+
+			data, err = json.Marshal(codersdk.ReconnectingPTYRequest{
+				Data: "echo test\r\n",
+			})
+			require.NoError(t, err)
+			_, err = conn.Write(data)
+			require.NoError(t, err)
+
+			expectLine(bufRead, matchEchoCommand)
+			expectLine(bufRead, matchEchoOutput)
+		})
+
+		t.Run("SignedTokenQueryParameter", func(t *testing.T) {
+			t.Parallel()
+
+			appDetails := setupProxyTest(t, nil)
+			if appDetails.AppHostIsPrimary {
+				t.Skip("Tickets are not used for terminal requests on the primary.")
+			}
+
+			u := *appDetails.PathAppBaseURL
+			if u.Scheme == "http" {
+				u.Scheme = "ws"
+			} else {
+				u.Scheme = "wss"
+			}
+			u.Path = fmt.Sprintf("/api/v2/workspaceagents/%s/pty", appDetails.Agent.ID.String())
+
+			ctx := testutil.Context(t, testutil.WaitLong)
+			issueRes, err := appDetails.SDKClient.IssueReconnectingPTYSignedToken(ctx, codersdk.IssueReconnectingPTYSignedTokenRequest{
+				URL:     u.String(),
+				AgentID: appDetails.Agent.ID,
+			})
+			require.NoError(t, err)
+
+			// Try to connect to the endpoint with the signed token and no other
+			// authentication.
+			q := u.Query()
+			q.Set("reconnect", uuid.NewString())
+			q.Set("height", strconv.Itoa(24))
+			q.Set("width", strconv.Itoa(80))
+			q.Set("command", `/bin/sh -c "echo test"`)
+			q.Set(codersdk.SignedAppTokenQueryParameter, issueRes.SignedToken)
+			u.RawQuery = q.Encode()
+
+			//nolint:bodyclose
+			wsConn, res, err := websocket.Dial(ctx, u.String(), nil)
+			if !assert.NoError(t, err) {
+				dump, err := httputil.DumpResponse(res, true)
+				if err == nil {
+					t.Log(string(dump))
+				}
+				return
+			}
+			defer wsConn.Close(websocket.StatusNormalClosure, "")
+			conn := websocket.NetConn(ctx, wsConn, websocket.MessageBinary)
+			bufRead := bufio.NewReader(conn)
+
+			expectLine(bufRead, matchEchoOutput)
+		})
 	})

 	t.Run("WorkspaceAppsProxyPath", func(t *testing.T) {