feat: Add agent authentication based on instance ID (#336)

* feat: Add agent authentication based on instance ID Each cloud has it's own unique instance identity signatures, which can be used for zero-token authentication. This change adds support for tracking by "instance_id", and automatically authenticating with Google Cloud. * Add test for CLI * Fix workspace agent request name * Fix race with adding to wait group * Fix name of instance identity token
2025-07-03 16:13:58 +00:00 · 2022-02-21 14:36:29 -06:00
parent 67613da86d
commit 8958b641e9
41 changed files with 752 additions and 251 deletions
--- a/coderd/coderdtest/coderdtest.go
+++ b/coderd/coderdtest/coderdtest.go
@ -15,6 +15,9 @@ import (
 	"github.com/google/uuid"
 	"github.com/moby/moby/pkg/namesgenerator"
 	"github.com/stretchr/testify/require"
+	"go.opencensus.io/stats/view"
+	"google.golang.org/api/idtoken"
+	"google.golang.org/api/option"

 	"cdr.dev/slog"
 	"cdr.dev/slog/sloggers/slogtest"
@ -29,9 +32,31 @@ import (
 	"github.com/coder/coder/provisionersdk/proto"
 )

+type Options struct {
+	GoogleTokenValidator *idtoken.Validator
+}
+
 // New constructs an in-memory coderd instance and returns
 // the connected client.
-func New(t *testing.T) *codersdk.Client {
+func New(t *testing.T, options *Options) *codersdk.Client {
+	// Stops the opencensus.io worker from leaking a goroutine.
+	// The worker isn't used anyways, and is an indirect dependency
+	// of the Google Cloud SDK.
+	t.Cleanup(func() {
+		view.Stop()
+	})
+
+	if options == nil {
+		options = &Options{}
+	}
+	if options.GoogleTokenValidator == nil {
+		ctx, cancelFunc := context.WithCancel(context.Background())
+		t.Cleanup(cancelFunc)
+		var err error
+		options.GoogleTokenValidator, err = idtoken.NewValidator(ctx, option.WithoutAuthentication())
+		require.NoError(t, err)
+	}
+
 	// This can be hotswapped for a live database instance.
 	db := databasefake.New()
 	pubsub := database.NewPubsubInMemory()
@ -59,6 +84,8 @@ func New(t *testing.T) *codersdk.Client {
 		Logger:   slogtest.Make(t, nil).Leveled(slog.LevelDebug),
 		Database: db,
 		Pubsub:   pubsub,
+
+		GoogleTokenValidator: options.GoogleTokenValidator,
 	})
 	srv := httptest.NewUnstartedServer(handler)
 	srv.Config.BaseContext = func(_ net.Listener) context.Context {