feat: Add browser-only connections to Enterprise (#4135)

* feat: Add browser-only connections to Enterprise

Fixes #4131.

* Fix formatting

enterprise/coderd/coderd.go

@@ -52,7 +52,6 @@ func New(ctx context.Context, options *Options) (*API, error) {
 		OIDC:   options.OIDCConfig,
 	}
 	apiKeyMiddleware := httpmw.ExtractAPIKey(options.Database, oauthConfigs, false)
-
 	api.AGPL.APIHandler.Group(func(r chi.Router) {
 		r.Get("/entitlements", api.serveEntitlements)
 		r.Route("/licenses", func(r chi.Router) {
@@ -88,7 +87,9 @@ func New(ctx context.Context, options *Options) (*API, error) {
 type Options struct {
 	*coderd.Options
 
-	AuditLogging               bool
+	AuditLogging bool
+	// Whether to block non-browser connections.
+	BrowserOnly                bool
 	SCIMAPIKey                 []byte
 	EntitlementsUpdateInterval time.Duration
 	Keys                       map[string]ed25519.PublicKey
@@ -107,6 +108,7 @@ type entitlements struct {
 	hasLicense  bool
 	activeUsers codersdk.Feature
 	auditLogs   codersdk.Entitlement
+	browserOnly codersdk.Entitlement
 	scim        codersdk.Entitlement
 }
 
@@ -131,8 +133,9 @@ func (api *API) updateEntitlements(ctx context.Context) error {
 			Enabled:     false,
 			Entitlement: codersdk.EntitlementNotEntitled,
 		},
-		auditLogs: codersdk.EntitlementNotEntitled,
-		scim:      codersdk.EntitlementNotEntitled,
+		auditLogs:   codersdk.EntitlementNotEntitled,
+		scim:        codersdk.EntitlementNotEntitled,
+		browserOnly: codersdk.EntitlementNotEntitled,
 	}
 
 	// Here we loop through licenses to detect enabled features.
@@ -165,6 +168,9 @@ func (api *API) updateEntitlements(ctx context.Context) error {
 		if claims.Features.AuditLog > 0 {
 			entitlements.auditLogs = entitlement
 		}
+		if claims.Features.BrowserOnly > 0 {
+			entitlements.browserOnly = entitlement
+		}
 		if claims.Features.SCIM > 0 {
 			entitlements.scim = entitlement
 		}
@@ -174,7 +180,7 @@ func (api *API) updateEntitlements(ctx context.Context) error {
 		auditor := agplaudit.NewNop()
 		// A flag could be added to the options that would allow disabling
 		// enhanced audit logging here!
-		if entitlements.auditLogs == codersdk.EntitlementEntitled && api.AuditLogging {
+		if entitlements.auditLogs != codersdk.EntitlementNotEntitled && api.AuditLogging {
 			auditor = audit.NewAuditor(
 				audit.DefaultFilter,
 				backends.NewPostgres(api.Database, true),
@@ -184,6 +190,14 @@ func (api *API) updateEntitlements(ctx context.Context) error {
 		api.AGPL.Auditor.Store(&auditor)
 	}
 
+	if entitlements.browserOnly != api.entitlements.browserOnly {
+		var handler func(rw http.ResponseWriter) bool
+		if entitlements.browserOnly != codersdk.EntitlementNotEntitled && api.BrowserOnly {
+			handler = api.shouldBlockNonBrowserConnections
+		}
+		api.AGPL.WorkspaceClientCoordinateOverride.Store(&handler)
+	}
+
 	api.entitlements = entitlements
 
 	return nil
@@ -230,6 +244,15 @@ func (api *API) serveEntitlements(rw http.ResponseWriter, r *http.Request) {
 			"Audit logging is enabled but your license for this feature is expired.")
 	}
 
+	resp.Features[codersdk.FeatureBrowserOnly] = codersdk.Feature{
+		Entitlement: entitlements.browserOnly,
+		Enabled:     api.BrowserOnly,
+	}
+	if entitlements.browserOnly == codersdk.EntitlementGracePeriod && api.BrowserOnly {
+		resp.Warnings = append(resp.Warnings,
+			"Browser only connections are enabled but your license for this feature is expired.")
+	}
+
 	httpapi.Write(ctx, rw, http.StatusOK, resp)
 }