selfhosted
/
coder
mirror of https://github.com/coder/coder.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
coder/coderd/workspaceapps.go

207 lines
6.9 KiB
Go
Raw Permalink Normal View History

feat: Add workspace application support (#1773) * feat: Add app support This adds apps as a property to a workspace agent. The resource is added to the Terraform provider here: https://github.com/coder/terraform-provider-coder/pull/17 Apps will be opened in the dashboard or via the CLI with `coder open <name>`. If `command` is specified, a terminal will appear locally and in the web. If `target` is specified, the browser will open to an exposed instance of that target. * Compare fields in apps test * Update Terraform provider to use relative path * Add some basic structure for routing * chore: Remove interface from coderd and lift API surface Abstracting coderd into an interface added misdirection because the interface was never intended to be fulfilled outside of a single implementation. This lifts the abstraction, and attaches all handlers to a root struct named `*coderd.API`. * Add basic proxy logic * Add proxying based on path * Add app proxying for wildcards * Add wsconncache * fix: Race when writing to a closed pipe This is such an intermittent race it's difficult to track, but regardless this is an improvement to the code. * fix: Race when writing to a closed pipe This is such an intermittent race it's difficult to track, but regardless this is an improvement to the code. * fix: Race when writing to a closed pipe This is such an intermittent race it's difficult to track, but regardless this is an improvement to the code. * fix: Race when writing to a closed pipe This is such an intermittent race it's difficult to track, but regardless this is an improvement to the code. * Add workspace route proxying endpoint - Makes the workspace conn cache concurrency-safe - Reduces unnecessary open checks in `peer.Channel` - Fixes the use of a temporary context when dialing a workspace agent * Add embed errors * chore: Refactor site to improve testing It was difficult to develop this package due to the embed build tag being mandatory on the tests. The logic to test doesn't require any embedded files. * Add test for error handler * Remove unused access url * Add RBAC tests * Fix dial agent syntax * Fix linting errors * Fix gen * Fix icon required * Adjust migration number * Fix proxy error status code * Fix empty db lookup
2022-06-04 20:13:37 +00:00
package coderd
import (
chore: support signed token query param for web terminal (#7197) * chore: add endpoint to get token for web terminal * chore: support signed token query param for web terminal
2023-04-20 23:59:45 +00:00
"context"
chore: add workspace proxies to the backend (#7032) Co-authored-by: Dean Sheather <dean@deansheather.com>
2023-04-17 19:57:21 +00:00
"database/sql"
feat: Add workspace application support (#1773) * feat: Add app support This adds apps as a property to a workspace agent. The resource is added to the Terraform provider here: https://github.com/coder/terraform-provider-coder/pull/17 Apps will be opened in the dashboard or via the CLI with `coder open <name>`. If `command` is specified, a terminal will appear locally and in the web. If `target` is specified, the browser will open to an exposed instance of that target. * Compare fields in apps test * Update Terraform provider to use relative path * Add some basic structure for routing * chore: Remove interface from coderd and lift API surface Abstracting coderd into an interface added misdirection because the interface was never intended to be fulfilled outside of a single implementation. This lifts the abstraction, and attaches all handlers to a root struct named `*coderd.API`. * Add basic proxy logic * Add proxying based on path * Add app proxying for wildcards * Add wsconncache * fix: Race when writing to a closed pipe This is such an intermittent race it's difficult to track, but regardless this is an improvement to the code. * fix: Race when writing to a closed pipe This is such an intermittent race it's difficult to track, but regardless this is an improvement to the code. * fix: Race when writing to a closed pipe This is such an intermittent race it's difficult to track, but regardless this is an improvement to the code. * fix: Race when writing to a closed pipe This is such an intermittent race it's difficult to track, but regardless this is an improvement to the code. * Add workspace route proxying endpoint - Makes the workspace conn cache concurrency-safe - Reduces unnecessary open checks in `peer.Channel` - Fixes the use of a temporary context when dialing a workspace agent * Add embed errors * chore: Refactor site to improve testing It was difficult to develop this package due to the embed build tag being mandatory on the tests. The logic to test doesn't require any embedded files. * Add test for error handler * Remove unused access url * Add RBAC tests * Fix dial agent syntax * Fix linting errors * Fix gen * Fix icon required * Adjust migration number * Fix proxy error status code * Fix empty db lookup
2022-06-04 20:13:37 +00:00
"net/http"
"net/url"
chore: support signed token query param for web terminal (#7197) * chore: add endpoint to get token for web terminal * chore: support signed token query param for web terminal
2023-04-20 23:59:45 +00:00
"strings"
feat: secure and cross-domain subdomain-based proxying (#4136) Co-authored-by: Kyle Carberry <kyle@carberry.com>
2022-09-22 22:30:32 +00:00
"time"
feat: Add workspace application support (#1773) * feat: Add app support This adds apps as a property to a workspace agent. The resource is added to the Terraform provider here: https://github.com/coder/terraform-provider-coder/pull/17 Apps will be opened in the dashboard or via the CLI with `coder open <name>`. If `command` is specified, a terminal will appear locally and in the web. If `target` is specified, the browser will open to an exposed instance of that target. * Compare fields in apps test * Update Terraform provider to use relative path * Add some basic structure for routing * chore: Remove interface from coderd and lift API surface Abstracting coderd into an interface added misdirection because the interface was never intended to be fulfilled outside of a single implementation. This lifts the abstraction, and attaches all handlers to a root struct named `*coderd.API`. * Add basic proxy logic * Add proxying based on path * Add app proxying for wildcards * Add wsconncache * fix: Race when writing to a closed pipe This is such an intermittent race it's difficult to track, but regardless this is an improvement to the code. * fix: Race when writing to a closed pipe This is such an intermittent race it's difficult to track, but regardless this is an improvement to the code. * fix: Race when writing to a closed pipe This is such an intermittent race it's difficult to track, but regardless this is an improvement to the code. * fix: Race when writing to a closed pipe This is such an intermittent race it's difficult to track, but regardless this is an improvement to the code. * Add workspace route proxying endpoint - Makes the workspace conn cache concurrency-safe - Reduces unnecessary open checks in `peer.Channel` - Fixes the use of a temporary context when dialing a workspace agent * Add embed errors * chore: Refactor site to improve testing It was difficult to develop this package due to the embed build tag being mandatory on the tests. The logic to test doesn't require any embedded files. * Add test for error handler * Remove unused access url * Add RBAC tests * Fix dial agent syntax * Fix linting errors * Fix gen * Fix icon required * Adjust migration number * Fix proxy error status code * Fix empty db lookup
2022-06-04 20:13:37 +00:00
chore: add workspace proxies to the backend (#7032) Co-authored-by: Dean Sheather <dean@deansheather.com>
2023-04-17 19:57:21 +00:00
"golang.org/x/xerrors"
chore: add /v2 to import module path (#9072) * chore: add /v2 to import module path go mod requires semantic versioning with versions greater than 1.x This was a mechanical update by running: ``` go install github.com/marwan-at-work/mod/cmd/mod@latest mod upgrade ``` Migrate generated files to import /v2 * Fix gen
2023-08-18 18:55:43 +00:00
"github.com/coder/coder/v2/coderd/apikey"
"github.com/coder/coder/v2/coderd/database"
"github.com/coder/coder/v2/coderd/database/dbauthz"
refactor(coderd/database): split `Time` and `Now` into `dbtime` package (#9482) Ref: #9380
2023-09-01 16:50:12 +00:00
"github.com/coder/coder/v2/coderd/database/dbtime"
chore: add /v2 to import module path (#9072) * chore: add /v2 to import module path go mod requires semantic versioning with versions greater than 1.x This was a mechanical update by running: ``` go install github.com/marwan-at-work/mod/cmd/mod@latest mod upgrade ``` Migrate generated files to import /v2 * Fix gen
2023-08-18 18:55:43 +00:00
"github.com/coder/coder/v2/coderd/httpapi"
"github.com/coder/coder/v2/coderd/httpmw"
"github.com/coder/coder/v2/coderd/rbac"
"github.com/coder/coder/v2/coderd/workspaceapps"
chore: move app URL parsing to its own package (#11651) * chore: move app url parsing to it's own package
2024-01-17 16:41:42 +00:00
"github.com/coder/coder/v2/coderd/workspaceapps/appurl"
chore: add /v2 to import module path (#9072) * chore: add /v2 to import module path go mod requires semantic versioning with versions greater than 1.x This was a mechanical update by running: ``` go install github.com/marwan-at-work/mod/cmd/mod@latest mod upgrade ``` Migrate generated files to import /v2 * Fix gen
2023-08-18 18:55:43 +00:00
"github.com/coder/coder/v2/codersdk"
feat: secure and cross-domain subdomain-based proxying (#4136) Co-authored-by: Kyle Carberry <kyle@carberry.com>
2022-09-22 22:30:32 +00:00
)
docs: applications and authorization (#5477) * docs: Applications * WIP * WIP * WIP * Fix: consume * Fix: @Description * Fix * Fix: s/none//g * Fix: godoc nice * Fix: description * Fix: It * Fix: code sample trim empty line * More fixes * Fix: br
2022-12-21 14:37:30 +00:00
// @Summary Get applications host
feat: Validate swagger definitions (#5694) * docs: audit, deploymentconfig, files, parameters * Swagger comments in workspacebuilds.go * structs in workspacebuilds.go * workspaceagents: instance identity * workspaceagents.go in progress * workspaceagents.go in progress * Agents * workspacebuilds.go * /workspaces * templates.go, templateversions.go * templateversion.go in progress * cancel * templateversions * wip * Merge * x-apidocgen * NullTime hack not needed anymore * Fix: x-apidocgen * Members * Fixes * Fix * WIP * WIP * Users * Logout * User profile * Status suspend activate * User roles * User tokens * Keys * SSH key * All * Typo * Fix * Entitlements * Groups * SCIM * Fix * Fix * Clean templates * Sort API pages * Fix: HashedSecret * WIP * WIP * WIP * Fix: cover workspaceagents * Assert: consistent ID and summary * Assert: success or failure defined * Fix: parallel * Refactor * Support enterprise * Go comment goes to top * Security * assertPathParametersDefined * assertUniqueRoutes * assertRequestBody * More fixes * Fix: exceptions * Fix field format * Address PR comments * Refactor
2023-01-13 11:27:21 +00:00
// @ID get-applications-host
docs: applications and authorization (#5477) * docs: Applications * WIP * WIP * WIP * Fix: consume * Fix: @Description * Fix * Fix: s/none//g * Fix: godoc nice * Fix: description * Fix: It * Fix: code sample trim empty line * More fixes * Fix: br
2022-12-21 14:37:30 +00:00
// @Security CoderSessionToken
// @Produce json
// @Tags Applications
chore: move agent functions from `codersdk` into `agentsdk` (#5903) * chore: rename `AgentConn` to `WorkspaceAgentConn` The codersdk was becoming bloated with consts for the workspace agent that made no sense to a reader. `Tailnet*` is an example of these consts. * chore: remove `Get` prefix from *Client functions * chore: remove `BypassRatelimits` option in `codersdk.Client` It feels wrong to have this as a direct option because it's so infrequently needed by API callers. It's better to directly modify headers in the two places that we actually use it. * Merge `appearance.go` and `buildinfo.go` into `deployment.go` * Merge `experiments.go` and `features.go` into `deployment.go` * Fix `make gen` referencing old type names * Merge `error.go` into `client.go` `codersdk.Response` lived in `error.go`, which is wrong. * chore: refactor workspace agent functions into agentsdk It was odd conflating the codersdk that clients should use with functions that only the agent should use. This separates them into two SDKs that are closely coupled, but separate. * Merge `insights.go` into `deployment.go` * Merge `organizationmember.go` into `organizations.go` * Merge `quota.go` into `workspaces.go` * Rename `sse.go` to `serversentevents.go` * Rename `codersdk.WorkspaceAppHostResponse` to `codersdk.AppHostResponse` * Format `.vscode/settings.json` * Fix outdated naming in `api.ts` * Fix app host response * Fix unsupported type * Fix imported type
2023-01-29 21:47:24 +00:00
// @Success 200 {object} codersdk.AppHostResponse
docs: applications and authorization (#5477) * docs: Applications * WIP * WIP * WIP * Fix: consume * Fix: @Description * Fix * Fix: s/none//g * Fix: godoc nice * Fix: description * Fix: It * Fix: code sample trim empty line * More fixes * Fix: br
2022-12-21 14:37:30 +00:00
// @Router /applications/host [get]
chore: Drop application host call, default to regions for info (#7457) * chore: Drop application host call, default to regions for info
2023-05-09 14:28:25 +00:00
// @Deprecated use api/v2/regions and see the primary proxy.
feat: secure and cross-domain subdomain-based proxying (#4136) Co-authored-by: Kyle Carberry <kyle@carberry.com>
2022-09-22 22:30:32 +00:00
func (api *API) appHost(rw http.ResponseWriter, r *http.Request) {
chore: move agent functions from `codersdk` into `agentsdk` (#5903) * chore: rename `AgentConn` to `WorkspaceAgentConn` The codersdk was becoming bloated with consts for the workspace agent that made no sense to a reader. `Tailnet*` is an example of these consts. * chore: remove `Get` prefix from *Client functions * chore: remove `BypassRatelimits` option in `codersdk.Client` It feels wrong to have this as a direct option because it's so infrequently needed by API callers. It's better to directly modify headers in the two places that we actually use it. * Merge `appearance.go` and `buildinfo.go` into `deployment.go` * Merge `experiments.go` and `features.go` into `deployment.go` * Fix `make gen` referencing old type names * Merge `error.go` into `client.go` `codersdk.Response` lived in `error.go`, which is wrong. * chore: refactor workspace agent functions into agentsdk It was odd conflating the codersdk that clients should use with functions that only the agent should use. This separates them into two SDKs that are closely coupled, but separate. * Merge `insights.go` into `deployment.go` * Merge `organizationmember.go` into `organizations.go` * Merge `quota.go` into `workspaces.go` * Rename `sse.go` to `serversentevents.go` * Rename `codersdk.WorkspaceAppHostResponse` to `codersdk.AppHostResponse` * Format `.vscode/settings.json` * Fix outdated naming in `api.ts` * Fix app host response * Fix unsupported type * Fix imported type
2023-01-29 21:47:24 +00:00
httpapi.Write(r.Context(), rw, http.StatusOK, codersdk.AppHostResponse{
fix: allow ports in wildcard url configuration (#11657) * fix: allow ports in wildcard url configuration This just forwards the port to the ui that generates urls. Our existing parsing + regex already supported ports for subdomain app requests.
2024-01-18 15:44:05 +00:00
Host: appurl.SubdomainAppHost(api.AppHostname, api.AccessURL),
feat: secure and cross-domain subdomain-based proxying (#4136) Co-authored-by: Kyle Carberry <kyle@carberry.com>
2022-09-22 22:30:32 +00:00
})
}
feat: use JWT ticket to avoid DB queries on apps (#6148) Issue a JWT ticket on the first request with a short expiry that contains details about which workspace/agent/app combo the ticket is valid for.
2023-03-07 19:38:11 +00:00
// workspaceApplicationAuth is an endpoint on the main router that handles
// redirects from the subdomain handler.
//
// This endpoint is under /api so we don't return the friendly error page here.
// Any errors on this endpoint should be errors that are unlikely to happen
// in production unless the user messes with the URL.
//
// @Summary Redirect to URI with encrypted API key
// @ID redirect-to-uri-with-encrypted-api-key
// @Security CoderSessionToken
// @Tags Applications
// @Param redirect_uri query string false "Redirect destination"
// @Success 307
// @Router /applications/auth-redirect [get]
func (api *API) workspaceApplicationAuth(rw http.ResponseWriter, r *http.Request) {
ctx := r.Context()
apiKey := httpmw.APIKey(r)
if !api.Authorize(r, rbac.ActionCreate, apiKey) {
httpapi.ResourceNotFound(rw)
return
}
feat: app sharing (now open source!) (#4378)
2022-10-14 16:46:38 +00:00
feat: use JWT ticket to avoid DB queries on apps (#6148) Issue a JWT ticket on the first request with a short expiry that contains details about which workspace/agent/app combo the ticket is valid for.
2023-03-07 19:38:11 +00:00
// Get the redirect URI from the query parameters and parse it.
redirectURI := r.URL.Query().Get(workspaceapps.RedirectURIQueryParam)
if redirectURI == "" {
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
Message: "Missing redirect_uri query parameter.",
})
return
}
u, err := url.Parse(redirectURI)
if err != nil {
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
Message: "Invalid redirect_uri query parameter.",
Detail: err.Error(),
})
return
}
feat: secure and cross-domain subdomain-based proxying (#4136) Co-authored-by: Kyle Carberry <kyle@carberry.com>
2022-09-22 22:30:32 +00:00
chore: support signed token query param for web terminal (#7197) * chore: add endpoint to get token for web terminal * chore: support signed token query param for web terminal
2023-04-20 23:59:45 +00:00
u.Scheme, err = api.ValidWorkspaceAppHostname(ctx, u.Host, ValidWorkspaceAppHostnameOpts{
// Allow all hosts except primary access URL since we don't need app
// tokens on the primary dashboard URL.
AllowPrimaryAccessURL: false,
AllowPrimaryWildcard: true,
AllowProxyAccessURL: true,
AllowProxyWildcard: true,
})
if err != nil {
httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
Message: "Failed to verify redirect_uri query parameter.",
Detail: err.Error(),
})
return
chore: add workspace proxies to the backend (#7032) Co-authored-by: Dean Sheather <dean@deansheather.com>
2023-04-17 19:57:21 +00:00
}
chore: support signed token query param for web terminal (#7197) * chore: add endpoint to get token for web terminal * chore: support signed token query param for web terminal
2023-04-20 23:59:45 +00:00
if u.Scheme == "" {
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
Message: "Invalid redirect_uri.",
Detail: "The redirect_uri query parameter must be the primary wildcard app hostname, a workspace proxy access URL or a workspace proxy wildcard app hostname.",
})
return
feat: use JWT ticket to avoid DB queries on apps (#6148) Issue a JWT ticket on the first request with a short expiry that contains details about which workspace/agent/app combo the ticket is valid for.
2023-03-07 19:38:11 +00:00
}
// Create the application_connect-scoped API key with the same lifetime as
// the current session.
exp := apiKey.ExpiresAt
lifetimeSeconds := apiKey.LifetimeSeconds
chore: merge apikey/token session config values (#12817) * chore: merge apikey/token session config values There is a confusing difference between an apikey and a token. This difference leaks into our configs. This change does not resolve the difference. It only groups the config values to try and manage any bloat that occurs from adding more similar config values
2024-04-10 15:34:49 +00:00
if exp.IsZero() || time.Until(exp) > api.DeploymentValues.Sessions.DefaultDuration.Value() {
exp = dbtime.Now().Add(api.DeploymentValues.Sessions.DefaultDuration.Value())
lifetimeSeconds = int64(api.DeploymentValues.Sessions.DefaultDuration.Value().Seconds())
feat: use JWT ticket to avoid DB queries on apps (#6148) Issue a JWT ticket on the first request with a short expiry that contains details about which workspace/agent/app combo the ticket is valid for.
2023-03-07 19:38:11 +00:00
}
feat: add session token injection to provisioner (#7461)
2023-05-18 04:29:22 +00:00
cookie, _, err := api.createAPIKey(ctx, apikey.CreateParams{
chore: pass lifetime directly into api key generate (#11715) Rather than passing all the deployment values. This is to make it easier to generate API keys as part of the oauth flow. I also added and fixed a test for when the lifetime is set and the default and expiration are unset. Co-authored-by: Steven Masley <stevenmasley@gmail.com>
2024-01-22 20:42:55 +00:00
UserID: apiKey.UserID,
LoginType: database.LoginTypePassword,
chore: merge apikey/token session config values (#12817) * chore: merge apikey/token session config values There is a confusing difference between an apikey and a token. This difference leaks into our configs. This change does not resolve the difference. It only groups the config values to try and manage any bloat that occurs from adding more similar config values
2024-04-10 15:34:49 +00:00
DefaultLifetime: api.DeploymentValues.Sessions.DefaultDuration.Value(),
chore: pass lifetime directly into api key generate (#11715) Rather than passing all the deployment values. This is to make it easier to generate API keys as part of the oauth flow. I also added and fixed a test for when the lifetime is set and the default and expiration are unset. Co-authored-by: Steven Masley <stevenmasley@gmail.com>
2024-01-22 20:42:55 +00:00
ExpiresAt: exp,
LifetimeSeconds: lifetimeSeconds,
Scope: database.APIKeyScopeApplicationConnect,
feat: use JWT ticket to avoid DB queries on apps (#6148) Issue a JWT ticket on the first request with a short expiry that contains details about which workspace/agent/app combo the ticket is valid for.
2023-03-07 19:38:11 +00:00
})
if err != nil {
httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
Message: "Failed to create API key.",
Detail: err.Error(),
})
return
}
// Encrypt the API key.
chore: move app proxying code to workspaceapps pkg (#6998) * chore: move app proxying code to workspaceapps pkg Moves path-app, subdomain-app and reconnecting PTY proxying to the new workspaceapps.WorkspaceAppServer struct. This is in preparation for external workspace proxies. Updates app logout flow to avoid redirecting to coder-logout.${app_host} on logout. Instead, all subdomain app tokens owned by the logging-out user will be deleted every time you logout for simplicity sake. Tests will remain in their original package, pending being moved to an apptest package (or similar). Co-authored-by: Steven Masley <stevenmasley@coder.com>
2023-04-05 18:41:55 +00:00
encryptedAPIKey, err := api.AppSecurityKey.EncryptAPIKey(workspaceapps.EncryptedAPIKeyPayload{
feat: use JWT ticket to avoid DB queries on apps (#6148) Issue a JWT ticket on the first request with a short expiry that contains details about which workspace/agent/app combo the ticket is valid for.
2023-03-07 19:38:11 +00:00
APIKey: cookie.Value,
})
if err != nil {
httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
Message: "Failed to encrypt API key.",
Detail: err.Error(),
feat: Add workspace application support (#1773) * feat: Add app support This adds apps as a property to a workspace agent. The resource is added to the Terraform provider here: https://github.com/coder/terraform-provider-coder/pull/17 Apps will be opened in the dashboard or via the CLI with `coder open <name>`. If `command` is specified, a terminal will appear locally and in the web. If `target` is specified, the browser will open to an exposed instance of that target. * Compare fields in apps test * Update Terraform provider to use relative path * Add some basic structure for routing * chore: Remove interface from coderd and lift API surface Abstracting coderd into an interface added misdirection because the interface was never intended to be fulfilled outside of a single implementation. This lifts the abstraction, and attaches all handlers to a root struct named `*coderd.API`. * Add basic proxy logic * Add proxying based on path * Add app proxying for wildcards * Add wsconncache * fix: Race when writing to a closed pipe This is such an intermittent race it's difficult to track, but regardless this is an improvement to the code. * fix: Race when writing to a closed pipe This is such an intermittent race it's difficult to track, but regardless this is an improvement to the code. * fix: Race when writing to a closed pipe This is such an intermittent race it's difficult to track, but regardless this is an improvement to the code. * fix: Race when writing to a closed pipe This is such an intermittent race it's difficult to track, but regardless this is an improvement to the code. * Add workspace route proxying endpoint - Makes the workspace conn cache concurrency-safe - Reduces unnecessary open checks in `peer.Channel` - Fixes the use of a temporary context when dialing a workspace agent * Add embed errors * chore: Refactor site to improve testing It was difficult to develop this package due to the embed build tag being mandatory on the tests. The logic to test doesn't require any embedded files. * Add test for error handler * Remove unused access url * Add RBAC tests * Fix dial agent syntax * Fix linting errors * Fix gen * Fix icon required * Adjust migration number * Fix proxy error status code * Fix empty db lookup
2022-06-04 20:13:37 +00:00
})
feat: use JWT ticket to avoid DB queries on apps (#6148) Issue a JWT ticket on the first request with a short expiry that contains details about which workspace/agent/app combo the ticket is valid for.
2023-03-07 19:38:11 +00:00
return
feat: Add serving applications on subdomains and port-based proxying (#3753) Co-authored-by: Dean Sheather <dean@deansheather.com>
2022-09-13 17:31:33 +00:00
}
feat: use JWT ticket to avoid DB queries on apps (#6148) Issue a JWT ticket on the first request with a short expiry that contains details about which workspace/agent/app combo the ticket is valid for.
2023-03-07 19:38:11 +00:00
// Redirect to the redirect URI with the encrypted API key in the query
// parameters.
q := u.Query()
chore: move app proxying code to workspaceapps pkg (#6998) * chore: move app proxying code to workspaceapps pkg Moves path-app, subdomain-app and reconnecting PTY proxying to the new workspaceapps.WorkspaceAppServer struct. This is in preparation for external workspace proxies. Updates app logout flow to avoid redirecting to coder-logout.${app_host} on logout. Instead, all subdomain app tokens owned by the logging-out user will be deleted every time you logout for simplicity sake. Tests will remain in their original package, pending being moved to an apptest package (or similar). Co-authored-by: Steven Masley <stevenmasley@coder.com>
2023-04-05 18:41:55 +00:00
q.Set(workspaceapps.SubdomainProxyAPIKeyParam, encryptedAPIKey)
feat: use JWT ticket to avoid DB queries on apps (#6148) Issue a JWT ticket on the first request with a short expiry that contains details about which workspace/agent/app combo the ticket is valid for.
2023-03-07 19:38:11 +00:00
u.RawQuery = q.Encode()
chore: add workspace proxies to the backend (#7032) Co-authored-by: Dean Sheather <dean@deansheather.com>
2023-04-17 19:57:21 +00:00
http.Redirect(rw, r, u.String(), http.StatusSeeOther)
feat: Add serving applications on subdomains and port-based proxying (#3753) Co-authored-by: Dean Sheather <dean@deansheather.com>
2022-09-13 17:31:33 +00:00
}
chore: support signed token query param for web terminal (#7197) * chore: add endpoint to get token for web terminal * chore: support signed token query param for web terminal
2023-04-20 23:59:45 +00:00
type ValidWorkspaceAppHostnameOpts struct {
AllowPrimaryAccessURL bool
AllowPrimaryWildcard bool
AllowProxyAccessURL bool
AllowProxyWildcard bool
}
// ValidWorkspaceAppHostname checks if the given host is a valid workspace app
// hostname based on the provided options. It returns a scheme to force on
// success. If the hostname is not valid or doesn't match, an empty string is
// returned. Any error returned is a 500 error.
//
// For hosts that match a wildcard app hostname, the scheme is forced to be the
// corresponding access URL scheme.
func (api *API) ValidWorkspaceAppHostname(ctx context.Context, host string, opts ValidWorkspaceAppHostnameOpts) (string, error) {
if opts.AllowPrimaryAccessURL && (host == api.AccessURL.Hostname() || host == api.AccessURL.Host) {
// Force the redirect URI to have the same scheme as the access URL for
// security purposes.
return api.AccessURL.Scheme, nil
}
if opts.AllowPrimaryWildcard && api.AppHostnameRegex != nil {
chore: move app URL parsing to its own package (#11651) * chore: move app url parsing to it's own package
2024-01-17 16:41:42 +00:00
_, ok := appurl.ExecuteHostnamePattern(api.AppHostnameRegex, host)
chore: support signed token query param for web terminal (#7197) * chore: add endpoint to get token for web terminal * chore: support signed token query param for web terminal
2023-04-20 23:59:45 +00:00
if ok {
// Force the redirect URI to have the same scheme as the access URL
// for security purposes.
return api.AccessURL.Scheme, nil
}
}
// Ensure that the redirect URI is a subdomain of api.Hostname and is a
// valid app subdomain.
if opts.AllowProxyAccessURL || opts.AllowProxyWildcard {
// Strip the port for the database query.
host = strings.Split(host, ":")[0]
// nolint:gocritic // system query
systemCtx := dbauthz.AsSystemRestricted(ctx)
proxy, err := api.Database.GetWorkspaceProxyByHostname(systemCtx, database.GetWorkspaceProxyByHostnameParams{
Hostname: host,
AllowAccessUrl: opts.AllowProxyAccessURL,
AllowWildcardHostname: opts.AllowProxyWildcard,
})
if xerrors.Is(err, sql.ErrNoRows) {
return "", nil
}
if err != nil {
return "", xerrors.Errorf("get workspace proxy by hostname %q: %w", host, err)
}
proxyURL, err := url.Parse(proxy.Url)
if err != nil {
return "", xerrors.Errorf("parse proxy URL %q: %w", proxy.Url, err)
}
// Force the redirect URI to use the same scheme as the proxy access URL
// for security purposes.
return proxyURL.Scheme, nil
}
return "", nil
}