2022-06-04 20:13:37 +00:00
|
|
|
package coderd_test
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
2022-09-22 22:30:32 +00:00
|
|
|
"encoding/json"
|
2022-06-04 20:13:37 +00:00
|
|
|
"fmt"
|
|
|
|
"io"
|
|
|
|
"net"
|
|
|
|
"net/http"
|
2022-10-14 16:46:38 +00:00
|
|
|
"net/http/httputil"
|
2022-09-13 17:31:33 +00:00
|
|
|
"net/url"
|
2022-09-22 22:30:32 +00:00
|
|
|
"strings"
|
2022-06-04 20:13:37 +00:00
|
|
|
"testing"
|
2022-08-21 22:32:53 +00:00
|
|
|
"time"
|
2022-06-04 20:13:37 +00:00
|
|
|
|
|
|
|
"github.com/google/uuid"
|
2022-08-17 17:09:45 +00:00
|
|
|
"github.com/stretchr/testify/assert"
|
2022-06-04 20:13:37 +00:00
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
|
|
|
|
"cdr.dev/slog/sloggers/slogtest"
|
|
|
|
"github.com/coder/coder/agent"
|
|
|
|
"github.com/coder/coder/coderd/coderdtest"
|
2022-09-13 17:31:33 +00:00
|
|
|
"github.com/coder/coder/coderd/httpapi"
|
2022-10-23 18:21:49 +00:00
|
|
|
"github.com/coder/coder/coderd/httpmw"
|
2022-09-13 17:31:33 +00:00
|
|
|
"github.com/coder/coder/coderd/rbac"
|
2022-06-04 20:13:37 +00:00
|
|
|
"github.com/coder/coder/codersdk"
|
|
|
|
"github.com/coder/coder/provisioner/echo"
|
|
|
|
"github.com/coder/coder/provisionersdk/proto"
|
2022-08-09 17:17:00 +00:00
|
|
|
"github.com/coder/coder/testutil"
|
2022-06-04 20:13:37 +00:00
|
|
|
)
|
|
|
|
|
2022-09-13 17:31:33 +00:00
|
|
|
const (
|
2022-10-14 16:46:38 +00:00
|
|
|
proxyTestAgentName = "agent-name"
|
|
|
|
proxyTestAppNameFake = "test-app-fake"
|
|
|
|
proxyTestAppNameOwner = "test-app-owner"
|
|
|
|
proxyTestAppNameAuthenticated = "test-app-authenticated"
|
|
|
|
proxyTestAppNamePublic = "test-app-public"
|
|
|
|
proxyTestAppQuery = "query=true"
|
2022-10-14 18:25:11 +00:00
|
|
|
proxyTestAppBody = "hello world from apps test"
|
2022-09-22 22:30:32 +00:00
|
|
|
|
2022-10-14 18:25:11 +00:00
|
|
|
proxyTestSubdomainRaw = "*.test.coder.com"
|
|
|
|
proxyTestSubdomain = "test.coder.com"
|
2022-09-13 17:31:33 +00:00
|
|
|
)
|
|
|
|
|
2022-09-22 22:30:32 +00:00
|
|
|
func TestGetAppHost(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
2022-10-14 18:25:11 +00:00
|
|
|
cases := []string{"", proxyTestSubdomainRaw}
|
2022-09-22 22:30:32 +00:00
|
|
|
for _, c := range cases {
|
|
|
|
c := c
|
|
|
|
name := c
|
|
|
|
if name == "" {
|
|
|
|
name = "Empty"
|
|
|
|
}
|
|
|
|
t.Run(name, func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
client := coderdtest.New(t, &coderdtest.Options{
|
|
|
|
AppHostname: c,
|
|
|
|
})
|
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
|
|
|
defer cancel()
|
|
|
|
|
|
|
|
// Should not leak to unauthenticated users.
|
|
|
|
host, err := client.GetAppHost(ctx)
|
|
|
|
require.Error(t, err)
|
|
|
|
require.Equal(t, "", host.Host)
|
|
|
|
|
|
|
|
_ = coderdtest.CreateFirstUser(t, client)
|
|
|
|
host, err = client.GetAppHost(ctx)
|
|
|
|
require.NoError(t, err)
|
2022-12-01 20:39:19 +00:00
|
|
|
domain := strings.Split(host.Host, ":")[0]
|
|
|
|
require.Equal(t, c, domain)
|
2022-09-22 22:30:32 +00:00
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-09-13 17:31:33 +00:00
|
|
|
// setupProxyTest creates a workspace with an agent and some apps. It returns a
|
2022-09-22 22:30:32 +00:00
|
|
|
// codersdk client, the first user, the workspace, and the port number the test
|
|
|
|
// listener is running on.
|
2022-10-14 18:25:11 +00:00
|
|
|
func setupProxyTest(t *testing.T, customAppHost ...string) (*codersdk.Client, codersdk.CreateFirstUserResponse, codersdk.Workspace, uint16) {
|
2022-06-04 20:13:37 +00:00
|
|
|
// #nosec
|
|
|
|
ln, err := net.Listen("tcp", ":0")
|
|
|
|
require.NoError(t, err)
|
|
|
|
server := http.Server{
|
2022-08-21 22:32:53 +00:00
|
|
|
ReadHeaderTimeout: time.Minute,
|
2022-06-04 20:13:37 +00:00
|
|
|
Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
2022-08-17 17:09:45 +00:00
|
|
|
_, err := r.Cookie(codersdk.SessionTokenKey)
|
|
|
|
assert.ErrorIs(t, err, http.ErrNoCookie)
|
2022-10-23 18:21:49 +00:00
|
|
|
w.Header().Set("X-Forwarded-For", r.Header.Get("X-Forwarded-For"))
|
2022-06-04 20:13:37 +00:00
|
|
|
w.WriteHeader(http.StatusOK)
|
2022-09-13 17:31:33 +00:00
|
|
|
_, _ = w.Write([]byte(proxyTestAppBody))
|
2022-06-04 20:13:37 +00:00
|
|
|
}),
|
|
|
|
}
|
|
|
|
t.Cleanup(func() {
|
|
|
|
_ = server.Close()
|
|
|
|
_ = ln.Close()
|
|
|
|
})
|
|
|
|
go server.Serve(ln)
|
2022-09-13 17:31:33 +00:00
|
|
|
tcpAddr, ok := ln.Addr().(*net.TCPAddr)
|
|
|
|
require.True(t, ok)
|
2022-06-04 20:13:37 +00:00
|
|
|
|
2022-10-14 18:25:11 +00:00
|
|
|
appHost := proxyTestSubdomainRaw
|
|
|
|
if len(customAppHost) > 0 {
|
|
|
|
appHost = customAppHost[0]
|
|
|
|
}
|
|
|
|
|
2022-06-27 18:50:52 +00:00
|
|
|
client := coderdtest.New(t, &coderdtest.Options{
|
2022-10-14 18:25:11 +00:00
|
|
|
AppHostname: appHost,
|
2022-09-20 21:17:24 +00:00
|
|
|
IncludeProvisionerDaemon: true,
|
|
|
|
AgentStatsRefreshInterval: time.Millisecond * 100,
|
|
|
|
MetricsCacheRefreshInterval: time.Millisecond * 100,
|
2022-10-23 18:21:49 +00:00
|
|
|
RealIPConfig: &httpmw.RealIPConfig{
|
|
|
|
TrustedOrigins: []*net.IPNet{{
|
|
|
|
IP: net.ParseIP("127.0.0.1"),
|
|
|
|
Mask: net.CIDRMask(8, 32),
|
|
|
|
}},
|
|
|
|
TrustedHeaders: []string{
|
|
|
|
"CF-Connecting-IP",
|
|
|
|
},
|
|
|
|
},
|
2022-06-27 18:50:52 +00:00
|
|
|
})
|
2022-12-02 22:16:07 +00:00
|
|
|
|
2022-06-04 20:13:37 +00:00
|
|
|
user := coderdtest.CreateFirstUser(t, client)
|
2022-10-14 18:25:11 +00:00
|
|
|
|
2022-11-04 04:45:43 +00:00
|
|
|
workspace := createWorkspaceWithApps(t, client, user.OrganizationID, appHost, uint16(tcpAddr.Port))
|
2022-10-14 18:25:11 +00:00
|
|
|
|
|
|
|
// Configure the HTTP client to not follow redirects and to route all
|
|
|
|
// requests regardless of hostname to the coderd test server.
|
|
|
|
client.HTTPClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {
|
|
|
|
return http.ErrUseLastResponse
|
|
|
|
}
|
|
|
|
defaultTransport, ok := http.DefaultTransport.(*http.Transport)
|
|
|
|
require.True(t, ok)
|
|
|
|
transport := defaultTransport.Clone()
|
|
|
|
transport.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
|
|
|
|
return (&net.Dialer{}).DialContext(ctx, network, client.URL.Host)
|
|
|
|
}
|
|
|
|
client.HTTPClient.Transport = transport
|
2022-11-13 20:06:03 +00:00
|
|
|
t.Cleanup(func() {
|
|
|
|
transport.CloseIdleConnections()
|
|
|
|
})
|
2022-10-14 18:25:11 +00:00
|
|
|
|
|
|
|
return client, user, workspace, uint16(tcpAddr.Port)
|
|
|
|
}
|
|
|
|
|
2022-11-04 04:45:43 +00:00
|
|
|
func createWorkspaceWithApps(t *testing.T, client *codersdk.Client, orgID uuid.UUID, appHost string, port uint16, workspaceMutators ...func(*codersdk.CreateWorkspaceRequest)) codersdk.Workspace {
|
2022-06-04 20:13:37 +00:00
|
|
|
authToken := uuid.NewString()
|
2022-10-14 16:46:38 +00:00
|
|
|
|
2022-10-14 18:25:11 +00:00
|
|
|
appURL := fmt.Sprintf("http://127.0.0.1:%d?%s", port, proxyTestAppQuery)
|
|
|
|
version := coderdtest.CreateTemplateVersion(t, client, orgID, &echo.Responses{
|
2022-11-11 22:45:58 +00:00
|
|
|
Parse: echo.ParseComplete,
|
|
|
|
ProvisionPlan: echo.ProvisionComplete,
|
|
|
|
ProvisionApply: []*proto.Provision_Response{{
|
2022-06-04 20:13:37 +00:00
|
|
|
Type: &proto.Provision_Response_Complete{
|
|
|
|
Complete: &proto.Provision_Complete{
|
|
|
|
Resources: []*proto.Resource{{
|
|
|
|
Name: "example",
|
|
|
|
Type: "aws_instance",
|
|
|
|
Agents: []*proto.Agent{{
|
2022-09-13 17:31:33 +00:00
|
|
|
Id: uuid.NewString(),
|
|
|
|
Name: proxyTestAgentName,
|
2022-06-04 20:13:37 +00:00
|
|
|
Auth: &proto.Agent_Token{
|
|
|
|
Token: authToken,
|
|
|
|
},
|
2022-09-13 17:31:33 +00:00
|
|
|
Apps: []*proto.App{
|
|
|
|
{
|
2022-10-28 17:41:31 +00:00
|
|
|
Slug: proxyTestAppNameFake,
|
|
|
|
DisplayName: proxyTestAppNameFake,
|
2022-10-14 16:46:38 +00:00
|
|
|
SharingLevel: proto.AppSharingLevel_OWNER,
|
2022-09-13 17:31:33 +00:00
|
|
|
// Hopefully this IP and port doesn't exist.
|
|
|
|
Url: "http://127.1.0.1:65535",
|
|
|
|
},
|
2022-10-14 16:46:38 +00:00
|
|
|
{
|
2022-10-28 17:41:31 +00:00
|
|
|
Slug: proxyTestAppNameOwner,
|
|
|
|
DisplayName: proxyTestAppNameOwner,
|
2022-10-14 16:46:38 +00:00
|
|
|
SharingLevel: proto.AppSharingLevel_OWNER,
|
|
|
|
Url: appURL,
|
|
|
|
},
|
|
|
|
{
|
2022-10-28 17:41:31 +00:00
|
|
|
Slug: proxyTestAppNameAuthenticated,
|
|
|
|
DisplayName: proxyTestAppNameAuthenticated,
|
2022-10-14 16:46:38 +00:00
|
|
|
SharingLevel: proto.AppSharingLevel_AUTHENTICATED,
|
|
|
|
Url: appURL,
|
|
|
|
},
|
|
|
|
{
|
2022-10-28 17:41:31 +00:00
|
|
|
Slug: proxyTestAppNamePublic,
|
|
|
|
DisplayName: proxyTestAppNamePublic,
|
2022-10-14 16:46:38 +00:00
|
|
|
SharingLevel: proto.AppSharingLevel_PUBLIC,
|
|
|
|
Url: appURL,
|
|
|
|
},
|
2022-09-13 17:31:33 +00:00
|
|
|
},
|
2022-06-04 20:13:37 +00:00
|
|
|
}},
|
|
|
|
}},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}},
|
|
|
|
})
|
2022-10-14 18:25:11 +00:00
|
|
|
template := coderdtest.CreateTemplate(t, client, orgID, version.ID)
|
2022-06-04 20:13:37 +00:00
|
|
|
coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
|
2022-10-14 18:25:11 +00:00
|
|
|
workspace := coderdtest.CreateWorkspace(t, client, orgID, template.ID, workspaceMutators...)
|
2022-06-04 20:13:37 +00:00
|
|
|
coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
|
|
|
|
|
|
|
|
agentClient := codersdk.New(client.URL)
|
2022-11-09 13:31:24 +00:00
|
|
|
agentClient.SetSessionToken(authToken)
|
2022-11-04 04:45:43 +00:00
|
|
|
if appHost != "" {
|
|
|
|
metadata, err := agentClient.WorkspaceAgentMetadata(context.Background())
|
|
|
|
require.NoError(t, err)
|
2022-12-01 20:39:19 +00:00
|
|
|
proxyURL := fmt.Sprintf(
|
2022-11-04 04:45:43 +00:00
|
|
|
"http://{{port}}--%s--%s--%s%s",
|
|
|
|
proxyTestAgentName,
|
|
|
|
workspace.Name,
|
|
|
|
"testuser",
|
|
|
|
strings.ReplaceAll(appHost, "*", ""),
|
2022-12-01 20:39:19 +00:00
|
|
|
)
|
|
|
|
if client.URL.Port() != "" {
|
|
|
|
proxyURL += fmt.Sprintf(":%s", client.URL.Port())
|
|
|
|
}
|
|
|
|
require.Equal(t, proxyURL, metadata.VSCodePortProxyURI)
|
2022-11-04 04:45:43 +00:00
|
|
|
}
|
2022-09-01 01:09:44 +00:00
|
|
|
agentCloser := agent.New(agent.Options{
|
2022-10-24 03:35:08 +00:00
|
|
|
Client: agentClient,
|
|
|
|
Logger: slogtest.Make(t, nil).Named("agent"),
|
2022-06-04 20:13:37 +00:00
|
|
|
})
|
|
|
|
t.Cleanup(func() {
|
|
|
|
_ = agentCloser.Close()
|
|
|
|
})
|
2022-10-03 21:01:13 +00:00
|
|
|
coderdtest.AwaitWorkspaceAgents(t, client, workspace.ID)
|
2022-09-13 17:31:33 +00:00
|
|
|
|
2022-10-14 18:25:11 +00:00
|
|
|
return workspace
|
2022-09-13 17:31:33 +00:00
|
|
|
}
|
2022-06-04 20:13:37 +00:00
|
|
|
|
2022-09-13 17:31:33 +00:00
|
|
|
func TestWorkspaceAppsProxyPath(t *testing.T) {
|
|
|
|
t.Parallel()
|
2022-09-22 22:30:32 +00:00
|
|
|
client, firstUser, workspace, _ := setupProxyTest(t)
|
2022-09-13 17:31:33 +00:00
|
|
|
|
|
|
|
t.Run("LoginWithoutAuth", func(t *testing.T) {
|
2022-07-11 18:46:01 +00:00
|
|
|
t.Parallel()
|
|
|
|
client := codersdk.New(client.URL)
|
|
|
|
client.HTTPClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {
|
|
|
|
return http.ErrUseLastResponse
|
|
|
|
}
|
2022-08-09 17:17:00 +00:00
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
|
|
|
defer cancel()
|
|
|
|
|
2022-12-02 22:16:07 +00:00
|
|
|
resp, err := requestWithRetries(ctx, t, client, http.MethodGet, fmt.Sprintf("/@me/%s/apps/%s", workspace.Name, proxyTestAppNameOwner), nil)
|
2022-07-11 18:46:01 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
defer resp.Body.Close()
|
2022-09-13 17:31:33 +00:00
|
|
|
|
2022-09-22 22:30:32 +00:00
|
|
|
require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
|
2022-09-13 17:31:33 +00:00
|
|
|
loc, err := resp.Location()
|
2022-07-11 18:46:01 +00:00
|
|
|
require.NoError(t, err)
|
2022-09-13 17:31:33 +00:00
|
|
|
require.True(t, loc.Query().Has("message"))
|
|
|
|
require.True(t, loc.Query().Has("redirect"))
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("NoAccessShould404", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
2022-09-22 22:30:32 +00:00
|
|
|
userClient := coderdtest.CreateAnotherUser(t, client, firstUser.OrganizationID, rbac.RoleMember())
|
2022-09-13 17:31:33 +00:00
|
|
|
userClient.HTTPClient.CheckRedirect = client.HTTPClient.CheckRedirect
|
|
|
|
userClient.HTTPClient.Transport = client.HTTPClient.Transport
|
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
|
|
|
defer cancel()
|
|
|
|
|
2022-12-02 22:16:07 +00:00
|
|
|
resp, err := requestWithRetries(ctx, t, userClient, http.MethodGet, fmt.Sprintf("/@me/%s/apps/%s", workspace.Name, proxyTestAppNameOwner), nil)
|
2022-09-13 17:31:33 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
defer resp.Body.Close()
|
|
|
|
require.Equal(t, http.StatusNotFound, resp.StatusCode)
|
2022-07-11 18:46:01 +00:00
|
|
|
})
|
|
|
|
|
2022-06-04 20:13:37 +00:00
|
|
|
t.Run("RedirectsWithSlash", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
2022-08-09 17:17:00 +00:00
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
|
|
|
defer cancel()
|
|
|
|
|
2022-12-02 22:16:07 +00:00
|
|
|
resp, err := requestWithRetries(ctx, t, client, http.MethodGet, fmt.Sprintf("/@me/%s/apps/%s", workspace.Name, proxyTestAppNameOwner), nil)
|
2022-06-04 20:13:37 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
defer resp.Body.Close()
|
|
|
|
require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("RedirectsWithQuery", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
2022-08-09 17:17:00 +00:00
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
|
|
|
defer cancel()
|
|
|
|
|
2022-12-02 22:16:07 +00:00
|
|
|
resp, err := requestWithRetries(ctx, t, client, http.MethodGet, fmt.Sprintf("/@me/%s/apps/%s/", workspace.Name, proxyTestAppNameOwner), nil)
|
2022-06-04 20:13:37 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
defer resp.Body.Close()
|
|
|
|
require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
|
|
|
|
loc, err := resp.Location()
|
|
|
|
require.NoError(t, err)
|
2022-09-13 17:31:33 +00:00
|
|
|
require.Equal(t, proxyTestAppQuery, loc.RawQuery)
|
2022-06-04 20:13:37 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("Proxies", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
2022-08-09 17:17:00 +00:00
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
|
|
|
defer cancel()
|
|
|
|
|
2022-12-02 22:16:07 +00:00
|
|
|
resp, err := requestWithRetries(ctx, t, client, http.MethodGet, fmt.Sprintf("/@me/%s/apps/%s/?%s", workspace.Name, proxyTestAppNameOwner, proxyTestAppQuery), nil)
|
2022-06-04 20:13:37 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
defer resp.Body.Close()
|
|
|
|
body, err := io.ReadAll(resp.Body)
|
|
|
|
require.NoError(t, err)
|
2022-09-13 17:31:33 +00:00
|
|
|
require.Equal(t, proxyTestAppBody, string(body))
|
|
|
|
require.Equal(t, http.StatusOK, resp.StatusCode)
|
|
|
|
})
|
|
|
|
|
2022-10-23 18:21:49 +00:00
|
|
|
t.Run("ForwardsIP", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
|
|
|
defer cancel()
|
|
|
|
|
2022-12-02 22:16:07 +00:00
|
|
|
resp, err := requestWithRetries(ctx, t, client, http.MethodGet, fmt.Sprintf("/@me/%s/apps/%s/?%s", workspace.Name, proxyTestAppNameOwner, proxyTestAppQuery), nil, func(r *http.Request) {
|
2022-10-23 18:21:49 +00:00
|
|
|
r.Header.Set("Cf-Connecting-IP", "1.1.1.1")
|
|
|
|
})
|
|
|
|
require.NoError(t, err)
|
|
|
|
defer resp.Body.Close()
|
|
|
|
body, err := io.ReadAll(resp.Body)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, proxyTestAppBody, string(body))
|
|
|
|
require.Equal(t, http.StatusOK, resp.StatusCode)
|
|
|
|
require.Equal(t, "1.1.1.1,127.0.0.1", resp.Header.Get("X-Forwarded-For"))
|
|
|
|
})
|
|
|
|
|
2022-06-04 20:13:37 +00:00
|
|
|
t.Run("ProxyError", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
2022-08-09 17:17:00 +00:00
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
|
|
|
defer cancel()
|
|
|
|
|
2022-10-14 16:46:38 +00:00
|
|
|
resp, err := client.Request(ctx, http.MethodGet, fmt.Sprintf("/@me/%s/apps/%s/", workspace.Name, proxyTestAppNameFake), nil)
|
2022-06-04 20:13:37 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
defer resp.Body.Close()
|
2022-10-04 16:30:55 +00:00
|
|
|
require.Equal(t, http.StatusBadGateway, resp.StatusCode)
|
2022-06-04 20:13:37 +00:00
|
|
|
})
|
|
|
|
}
|
2022-09-13 17:31:33 +00:00
|
|
|
|
2022-09-22 22:30:32 +00:00
|
|
|
func TestWorkspaceApplicationAuth(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
// The OK test checks the entire end-to-end flow of authentication.
|
|
|
|
t.Run("End-to-End", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
client, firstUser, workspace, _ := setupProxyTest(t)
|
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
|
|
|
defer cancel()
|
|
|
|
|
|
|
|
// Get the current user and API key.
|
|
|
|
user, err := client.User(ctx, codersdk.Me)
|
|
|
|
require.NoError(t, err)
|
2022-11-09 13:31:24 +00:00
|
|
|
currentAPIKey, err := client.GetAPIKey(ctx, firstUser.UserID.String(), strings.Split(client.SessionToken(), "-")[0])
|
2022-09-22 22:30:32 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
// Try to load the application without authentication.
|
2022-10-14 16:46:38 +00:00
|
|
|
subdomain := fmt.Sprintf("%s--%s--%s--%s", proxyTestAppNameOwner, proxyTestAgentName, workspace.Name, user.Username)
|
2022-09-22 22:30:32 +00:00
|
|
|
u, err := url.Parse(fmt.Sprintf("http://%s.%s/test", subdomain, proxyTestSubdomain))
|
|
|
|
require.NoError(t, err)
|
|
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)
|
|
|
|
require.NoError(t, err)
|
2022-12-02 22:16:07 +00:00
|
|
|
|
|
|
|
var resp *http.Response
|
|
|
|
resp, err = doWithRetries(t, client, req)
|
2022-09-22 22:30:32 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
resp.Body.Close()
|
|
|
|
|
|
|
|
// Check that the Location is correct.
|
|
|
|
require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
|
|
|
|
gotLocation, err := resp.Location()
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, client.URL.Host, gotLocation.Host)
|
|
|
|
require.Equal(t, "/api/v2/applications/auth-redirect", gotLocation.Path)
|
|
|
|
require.Equal(t, u.String(), gotLocation.Query().Get("redirect_uri"))
|
|
|
|
|
|
|
|
// Load the application auth-redirect endpoint.
|
2022-12-02 22:16:07 +00:00
|
|
|
resp, err = requestWithRetries(ctx, t, client, http.MethodGet, "/api/v2/applications/auth-redirect", nil, codersdk.WithQueryParam(
|
2022-10-09 20:01:18 +00:00
|
|
|
"redirect_uri", u.String(),
|
|
|
|
))
|
2022-09-22 22:30:32 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
|
|
|
require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
|
|
|
|
gotLocation, err = resp.Location()
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
// Copy the query parameters and then check equality.
|
|
|
|
u.RawQuery = gotLocation.RawQuery
|
|
|
|
require.Equal(t, u, gotLocation)
|
|
|
|
|
|
|
|
// Verify the API key is set.
|
|
|
|
var encryptedAPIKey string
|
|
|
|
for k, v := range gotLocation.Query() {
|
|
|
|
// The query parameter may change dynamically in the future and is
|
|
|
|
// not exported, so we just use a fuzzy check instead.
|
|
|
|
if strings.Contains(k, "api_key") {
|
|
|
|
encryptedAPIKey = v[0]
|
|
|
|
}
|
|
|
|
}
|
|
|
|
require.NotEmpty(t, encryptedAPIKey, "no API key was set in the query parameters")
|
|
|
|
|
|
|
|
// Decrypt the API key by following the request.
|
|
|
|
t.Log("navigating to: ", gotLocation.String())
|
|
|
|
req, err = http.NewRequestWithContext(ctx, "GET", gotLocation.String(), nil)
|
|
|
|
require.NoError(t, err)
|
|
|
|
resp, err = client.HTTPClient.Do(req)
|
|
|
|
require.NoError(t, err)
|
|
|
|
resp.Body.Close()
|
|
|
|
require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
|
|
|
|
cookies := resp.Cookies()
|
|
|
|
require.Len(t, cookies, 1)
|
|
|
|
apiKey := cookies[0].Value
|
|
|
|
|
|
|
|
// Fetch the API key.
|
|
|
|
apiKeyInfo, err := client.GetAPIKey(ctx, firstUser.UserID.String(), strings.Split(apiKey, "-")[0])
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, user.ID, apiKeyInfo.UserID)
|
|
|
|
require.Equal(t, codersdk.LoginTypePassword, apiKeyInfo.LoginType)
|
|
|
|
require.WithinDuration(t, currentAPIKey.ExpiresAt, apiKeyInfo.ExpiresAt, 5*time.Second)
|
|
|
|
|
|
|
|
// Verify the API key permissions
|
|
|
|
appClient := codersdk.New(client.URL)
|
2022-11-09 13:31:24 +00:00
|
|
|
appClient.SetSessionToken(apiKey)
|
2022-09-22 22:30:32 +00:00
|
|
|
appClient.HTTPClient.CheckRedirect = client.HTTPClient.CheckRedirect
|
|
|
|
appClient.HTTPClient.Transport = client.HTTPClient.Transport
|
|
|
|
|
|
|
|
var (
|
|
|
|
canCreateApplicationConnect = "can-create-application_connect"
|
|
|
|
canReadUserMe = "can-read-user-me"
|
|
|
|
)
|
|
|
|
authRes, err := appClient.CheckAuthorization(ctx, codersdk.AuthorizationRequest{
|
|
|
|
Checks: map[string]codersdk.AuthorizationCheck{
|
|
|
|
canCreateApplicationConnect: {
|
|
|
|
Object: codersdk.AuthorizationObject{
|
|
|
|
ResourceType: "application_connect",
|
|
|
|
OwnerID: "me",
|
|
|
|
OrganizationID: firstUser.OrganizationID.String(),
|
|
|
|
},
|
|
|
|
Action: "create",
|
|
|
|
},
|
|
|
|
canReadUserMe: {
|
|
|
|
Object: codersdk.AuthorizationObject{
|
|
|
|
ResourceType: "user",
|
|
|
|
OwnerID: "me",
|
|
|
|
ResourceID: firstUser.UserID.String(),
|
|
|
|
},
|
|
|
|
Action: "read",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
})
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
require.True(t, authRes[canCreateApplicationConnect])
|
|
|
|
require.False(t, authRes[canReadUserMe])
|
|
|
|
|
|
|
|
// Load the application page with the API key set.
|
|
|
|
gotLocation, err = resp.Location()
|
|
|
|
require.NoError(t, err)
|
|
|
|
t.Log("navigating to: ", gotLocation.String())
|
|
|
|
req, err = http.NewRequestWithContext(ctx, "GET", gotLocation.String(), nil)
|
|
|
|
require.NoError(t, err)
|
|
|
|
req.Header.Set(codersdk.SessionCustomHeader, apiKey)
|
|
|
|
resp, err = client.HTTPClient.Do(req)
|
|
|
|
require.NoError(t, err)
|
|
|
|
resp.Body.Close()
|
|
|
|
require.Equal(t, http.StatusOK, resp.StatusCode)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("VerifyRedirectURI", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
client, _, _, _ := setupProxyTest(t)
|
|
|
|
|
|
|
|
cases := []struct {
|
|
|
|
name string
|
|
|
|
redirectURI string
|
|
|
|
status int
|
|
|
|
messageContains string
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
name: "NoRedirectURI",
|
|
|
|
redirectURI: "",
|
|
|
|
status: http.StatusBadRequest,
|
|
|
|
messageContains: "Missing redirect_uri query parameter",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "InvalidURI",
|
|
|
|
redirectURI: "not a url",
|
|
|
|
status: http.StatusBadRequest,
|
|
|
|
messageContains: "Invalid redirect_uri query parameter",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "NotMatchAppHostname",
|
|
|
|
redirectURI: "https://app--agent--workspace--user.not-a-match.com",
|
|
|
|
status: http.StatusBadRequest,
|
|
|
|
messageContains: "The redirect_uri query parameter must be a valid app subdomain",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "InvalidAppURL",
|
|
|
|
redirectURI: "https://not-an-app." + proxyTestSubdomain,
|
|
|
|
status: http.StatusBadRequest,
|
|
|
|
messageContains: "The redirect_uri query parameter must be a valid app subdomain",
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, c := range cases {
|
|
|
|
c := c
|
|
|
|
t.Run(c.name, func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
|
|
|
defer cancel()
|
|
|
|
|
2022-12-02 22:16:07 +00:00
|
|
|
resp, err := requestWithRetries(ctx, t, client, http.MethodGet, "/api/v2/applications/auth-redirect", nil,
|
2022-10-09 20:01:18 +00:00
|
|
|
codersdk.WithQueryParam("redirect_uri", c.redirectURI),
|
|
|
|
)
|
2022-09-22 22:30:32 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
defer resp.Body.Close()
|
|
|
|
require.Equal(t, http.StatusBadRequest, resp.StatusCode)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
// This test ensures that the subdomain handler does nothing if --app-hostname
|
|
|
|
// is not set by the admin.
|
|
|
|
func TestWorkspaceAppsProxySubdomainPassthrough(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
// No AppHostname set.
|
|
|
|
client := coderdtest.New(t, &coderdtest.Options{
|
|
|
|
AppHostname: "",
|
|
|
|
})
|
|
|
|
firstUser := coderdtest.CreateFirstUser(t, client)
|
|
|
|
|
|
|
|
// Configure the HTTP client to always route all requests to the coder test
|
|
|
|
// server.
|
|
|
|
defaultTransport, ok := http.DefaultTransport.(*http.Transport)
|
|
|
|
require.True(t, ok)
|
|
|
|
transport := defaultTransport.Clone()
|
|
|
|
transport.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
|
|
|
|
return (&net.Dialer{}).DialContext(ctx, network, client.URL.Host)
|
|
|
|
}
|
|
|
|
client.HTTPClient.Transport = transport
|
2022-11-13 20:06:03 +00:00
|
|
|
t.Cleanup(func() {
|
|
|
|
transport.CloseIdleConnections()
|
|
|
|
})
|
2022-09-22 22:30:32 +00:00
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
|
|
|
defer cancel()
|
|
|
|
|
|
|
|
uri := fmt.Sprintf("http://app--agent--workspace--username.%s/api/v2/users/me", proxyTestSubdomain)
|
2022-12-02 22:16:07 +00:00
|
|
|
resp, err := requestWithRetries(ctx, t, client, http.MethodGet, uri, nil)
|
2022-09-22 22:30:32 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
|
|
|
// Should look like a codersdk.User response.
|
|
|
|
require.Equal(t, http.StatusOK, resp.StatusCode)
|
|
|
|
var user codersdk.User
|
|
|
|
err = json.NewDecoder(resp.Body).Decode(&user)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, firstUser.UserID, user.ID)
|
|
|
|
}
|
|
|
|
|
|
|
|
// This test ensures that the subdomain handler blocks the request if it looks
|
|
|
|
// like a workspace app request but the configured app hostname differs from the
|
|
|
|
// request, or the request is not a valid app subdomain but the hostname
|
|
|
|
// matches.
|
|
|
|
func TestWorkspaceAppsProxySubdomainBlocked(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
setup := func(t *testing.T, appHostname string) *codersdk.Client {
|
|
|
|
client := coderdtest.New(t, &coderdtest.Options{
|
|
|
|
AppHostname: appHostname,
|
|
|
|
})
|
|
|
|
_ = coderdtest.CreateFirstUser(t, client)
|
|
|
|
|
|
|
|
// Configure the HTTP client to always route all requests to the coder test
|
|
|
|
// server.
|
|
|
|
defaultTransport, ok := http.DefaultTransport.(*http.Transport)
|
|
|
|
require.True(t, ok)
|
|
|
|
transport := defaultTransport.Clone()
|
|
|
|
transport.DialContext = func(ctx context.Context, network, addr string) (net.Conn, error) {
|
|
|
|
return (&net.Dialer{}).DialContext(ctx, network, client.URL.Host)
|
|
|
|
}
|
|
|
|
client.HTTPClient.Transport = transport
|
2022-11-13 20:06:03 +00:00
|
|
|
t.Cleanup(func() {
|
|
|
|
transport.CloseIdleConnections()
|
|
|
|
})
|
2022-09-22 22:30:32 +00:00
|
|
|
|
|
|
|
return client
|
|
|
|
}
|
|
|
|
|
|
|
|
t.Run("InvalidSubdomain", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
2022-10-14 18:25:11 +00:00
|
|
|
client := setup(t, proxyTestSubdomainRaw)
|
2022-09-22 22:30:32 +00:00
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
|
|
|
defer cancel()
|
|
|
|
|
|
|
|
uri := fmt.Sprintf("http://not-an-app-subdomain.%s/api/v2/users/me", proxyTestSubdomain)
|
2022-12-02 22:16:07 +00:00
|
|
|
resp, err := requestWithRetries(ctx, t, client, http.MethodGet, uri, nil)
|
2022-09-22 22:30:32 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
2022-10-04 16:30:55 +00:00
|
|
|
// Should have a HTML error response.
|
2022-09-22 22:30:32 +00:00
|
|
|
require.Equal(t, http.StatusBadRequest, resp.StatusCode)
|
2022-10-04 16:30:55 +00:00
|
|
|
body, err := io.ReadAll(resp.Body)
|
2022-09-22 22:30:32 +00:00
|
|
|
require.NoError(t, err)
|
2022-10-04 16:30:55 +00:00
|
|
|
require.Contains(t, string(body), "Could not parse subdomain application URL")
|
2022-09-22 22:30:32 +00:00
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2022-09-13 17:31:33 +00:00
|
|
|
func TestWorkspaceAppsProxySubdomain(t *testing.T) {
|
|
|
|
t.Parallel()
|
2022-10-14 18:25:11 +00:00
|
|
|
client, firstUser, _, port := setupProxyTest(t)
|
2022-09-13 17:31:33 +00:00
|
|
|
|
|
|
|
// proxyURL generates a URL for the proxy subdomain. The default path is a
|
|
|
|
// slash.
|
2022-10-14 18:25:11 +00:00
|
|
|
proxyURL := func(t *testing.T, client *codersdk.Client, appNameOrPort interface{}, pathAndQuery ...string) string {
|
2022-09-13 17:31:33 +00:00
|
|
|
t.Helper()
|
|
|
|
|
|
|
|
var (
|
|
|
|
appName string
|
|
|
|
port uint16
|
|
|
|
)
|
|
|
|
if val, ok := appNameOrPort.(string); ok {
|
|
|
|
appName = val
|
|
|
|
} else {
|
|
|
|
port, ok = appNameOrPort.(uint16)
|
|
|
|
require.True(t, ok)
|
|
|
|
}
|
|
|
|
|
2022-10-14 18:25:11 +00:00
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
|
|
|
defer cancel()
|
|
|
|
|
|
|
|
me, err := client.User(ctx, codersdk.Me)
|
2022-09-13 17:31:33 +00:00
|
|
|
require.NoError(t, err, "get current user details")
|
|
|
|
|
2022-11-10 18:25:46 +00:00
|
|
|
res, err := client.Workspaces(ctx, codersdk.WorkspaceFilter{
|
2022-10-14 18:25:11 +00:00
|
|
|
Owner: codersdk.Me,
|
|
|
|
})
|
|
|
|
require.NoError(t, err, "get workspaces")
|
2022-11-10 18:25:46 +00:00
|
|
|
require.Len(t, res.Workspaces, 1, "expected 1 workspace")
|
2022-10-14 18:25:11 +00:00
|
|
|
|
|
|
|
appHost, err := client.GetAppHost(ctx)
|
|
|
|
require.NoError(t, err, "get app host")
|
|
|
|
|
|
|
|
subdomain := httpapi.ApplicationURL{
|
2022-10-28 17:41:31 +00:00
|
|
|
AppSlug: appName,
|
2022-09-13 17:31:33 +00:00
|
|
|
Port: port,
|
|
|
|
AgentName: proxyTestAgentName,
|
2022-11-10 18:25:46 +00:00
|
|
|
WorkspaceName: res.Workspaces[0].Name,
|
2022-09-13 17:31:33 +00:00
|
|
|
Username: me.Username,
|
2022-10-14 18:25:11 +00:00
|
|
|
}.String()
|
|
|
|
|
|
|
|
hostname := strings.Replace(appHost.Host, "*", subdomain, 1)
|
2022-09-13 17:31:33 +00:00
|
|
|
|
|
|
|
actualPath := "/"
|
|
|
|
query := ""
|
|
|
|
if len(pathAndQuery) > 0 {
|
|
|
|
actualPath = pathAndQuery[0]
|
|
|
|
}
|
|
|
|
if len(pathAndQuery) > 1 {
|
|
|
|
query = pathAndQuery[1]
|
|
|
|
}
|
|
|
|
|
|
|
|
return (&url.URL{
|
|
|
|
Scheme: "http",
|
|
|
|
Host: hostname,
|
|
|
|
Path: actualPath,
|
|
|
|
RawQuery: query,
|
|
|
|
}).String()
|
|
|
|
}
|
|
|
|
|
|
|
|
t.Run("NoAccessShould401", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
2022-09-22 22:30:32 +00:00
|
|
|
userClient := coderdtest.CreateAnotherUser(t, client, firstUser.OrganizationID, rbac.RoleMember())
|
2022-09-13 17:31:33 +00:00
|
|
|
userClient.HTTPClient.CheckRedirect = client.HTTPClient.CheckRedirect
|
|
|
|
userClient.HTTPClient.Transport = client.HTTPClient.Transport
|
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
|
|
|
defer cancel()
|
|
|
|
|
2022-12-02 22:16:07 +00:00
|
|
|
resp, err := requestWithRetries(ctx, t, userClient, http.MethodGet, proxyURL(t, client, proxyTestAppNameOwner), nil)
|
2022-09-13 17:31:33 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
defer resp.Body.Close()
|
|
|
|
require.Equal(t, http.StatusNotFound, resp.StatusCode)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("RedirectsWithSlash", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
|
|
|
defer cancel()
|
|
|
|
|
2022-10-14 18:25:11 +00:00
|
|
|
slashlessURL := proxyURL(t, client, proxyTestAppNameOwner, "")
|
2022-12-02 22:16:07 +00:00
|
|
|
resp, err := requestWithRetries(ctx, t, client, http.MethodGet, slashlessURL, nil)
|
2022-09-13 17:31:33 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
defer resp.Body.Close()
|
|
|
|
require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
|
|
|
|
|
|
|
|
loc, err := resp.Location()
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, slashlessURL+"/?"+proxyTestAppQuery, loc.String())
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("RedirectsWithQuery", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
|
|
|
defer cancel()
|
|
|
|
|
2022-10-14 18:25:11 +00:00
|
|
|
querylessURL := proxyURL(t, client, proxyTestAppNameOwner, "/", "")
|
2022-12-02 22:16:07 +00:00
|
|
|
resp, err := requestWithRetries(ctx, t, client, http.MethodGet, querylessURL, nil)
|
2022-09-13 17:31:33 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
defer resp.Body.Close()
|
|
|
|
require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
|
|
|
|
|
|
|
|
loc, err := resp.Location()
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, proxyTestAppQuery, loc.RawQuery)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("Proxies", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
|
|
|
defer cancel()
|
|
|
|
|
2022-12-02 22:16:07 +00:00
|
|
|
resp, err := requestWithRetries(ctx, t, client, http.MethodGet, proxyURL(t, client, proxyTestAppNameOwner, "/", proxyTestAppQuery), nil)
|
2022-09-13 17:31:33 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
defer resp.Body.Close()
|
|
|
|
body, err := io.ReadAll(resp.Body)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, proxyTestAppBody, string(body))
|
|
|
|
require.Equal(t, http.StatusOK, resp.StatusCode)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("ProxiesPort", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
|
|
|
defer cancel()
|
|
|
|
|
2022-12-02 22:16:07 +00:00
|
|
|
resp, err := requestWithRetries(ctx, t, client, http.MethodGet, proxyURL(t, client, port, "/", proxyTestAppQuery), nil)
|
2022-09-13 17:31:33 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
defer resp.Body.Close()
|
|
|
|
body, err := io.ReadAll(resp.Body)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, proxyTestAppBody, string(body))
|
|
|
|
require.Equal(t, http.StatusOK, resp.StatusCode)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("ProxyError", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
|
|
|
defer cancel()
|
|
|
|
|
2022-10-14 18:25:11 +00:00
|
|
|
resp, err := client.Request(ctx, http.MethodGet, proxyURL(t, client, proxyTestAppNameFake, "/", ""), nil)
|
2022-09-13 17:31:33 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
defer resp.Body.Close()
|
|
|
|
require.Equal(t, http.StatusBadGateway, resp.StatusCode)
|
|
|
|
})
|
2022-10-06 12:38:22 +00:00
|
|
|
|
|
|
|
t.Run("ProxyPortMinimumError", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
|
|
|
defer cancel()
|
|
|
|
|
|
|
|
port := uint16(codersdk.MinimumListeningPort - 1)
|
2022-12-02 22:16:07 +00:00
|
|
|
resp, err := requestWithRetries(ctx, t, client, http.MethodGet, proxyURL(t, client, port, "/", proxyTestAppQuery), nil)
|
2022-10-06 12:38:22 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
|
|
|
// Should have an error response.
|
|
|
|
require.Equal(t, http.StatusBadRequest, resp.StatusCode)
|
|
|
|
var resBody codersdk.Response
|
|
|
|
err = json.NewDecoder(resp.Body).Decode(&resBody)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.Contains(t, resBody.Message, "Coder reserves ports less than")
|
|
|
|
})
|
2022-10-14 18:25:11 +00:00
|
|
|
|
|
|
|
t.Run("SuffixWildcardOK", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
client, _, _, _ := setupProxyTest(t, "*-suffix.test.coder.com")
|
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
|
|
|
defer cancel()
|
|
|
|
|
|
|
|
u := proxyURL(t, client, proxyTestAppNameOwner, "/", proxyTestAppQuery)
|
|
|
|
t.Logf("url: %s", u)
|
|
|
|
|
2022-12-02 22:16:07 +00:00
|
|
|
resp, err := requestWithRetries(ctx, t, client, http.MethodGet, u, nil)
|
2022-10-14 18:25:11 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
defer resp.Body.Close()
|
|
|
|
body, err := io.ReadAll(resp.Body)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, proxyTestAppBody, string(body))
|
|
|
|
require.Equal(t, http.StatusOK, resp.StatusCode)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("SuffixWildcardNotMatch", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
client, _, _, _ := setupProxyTest(t, "*-suffix.test.coder.com")
|
|
|
|
|
|
|
|
t.Run("NoSuffix", func(t *testing.T) {
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
|
|
|
defer cancel()
|
|
|
|
|
|
|
|
u := proxyURL(t, client, proxyTestAppNameOwner, "/", proxyTestAppQuery)
|
|
|
|
// Replace the -suffix with nothing.
|
|
|
|
u = strings.Replace(u, "-suffix", "", 1)
|
|
|
|
|
2022-12-02 22:16:07 +00:00
|
|
|
resp, err := requestWithRetries(ctx, t, client, http.MethodGet, u, nil)
|
2022-10-14 18:25:11 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
defer resp.Body.Close()
|
|
|
|
body, err := io.ReadAll(resp.Body)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
// It's probably rendering the dashboard, so only ensure that the body
|
|
|
|
// doesn't match.
|
|
|
|
require.NotContains(t, string(body), proxyTestAppBody)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("DifferentSuffix", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
|
|
|
defer cancel()
|
|
|
|
|
|
|
|
u := proxyURL(t, client, proxyTestAppNameOwner, "/", proxyTestAppQuery)
|
|
|
|
// Replace the -suffix with something else.
|
|
|
|
u = strings.Replace(u, "-suffix", "-not-suffix", 1)
|
|
|
|
|
2022-12-02 22:16:07 +00:00
|
|
|
resp, err := requestWithRetries(ctx, t, client, http.MethodGet, u, nil)
|
2022-10-14 18:25:11 +00:00
|
|
|
require.NoError(t, err)
|
|
|
|
defer resp.Body.Close()
|
|
|
|
body, err := io.ReadAll(resp.Body)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
// It's probably rendering the dashboard, so only ensure that the body
|
|
|
|
// doesn't match.
|
|
|
|
require.NotContains(t, string(body), proxyTestAppBody)
|
|
|
|
})
|
|
|
|
})
|
2022-09-13 17:31:33 +00:00
|
|
|
}
|
2022-10-14 16:46:38 +00:00
|
|
|
|
|
|
|
func TestAppSharing(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
setup := func(t *testing.T) (workspace codersdk.Workspace, agnt codersdk.WorkspaceAgent, user codersdk.User, client *codersdk.Client, clientInOtherOrg *codersdk.Client, clientWithNoAuth *codersdk.Client) {
|
|
|
|
//nolint:gosec
|
|
|
|
const password = "password"
|
|
|
|
|
|
|
|
client, _, workspace, _ = setupProxyTest(t)
|
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
|
|
|
t.Cleanup(cancel)
|
|
|
|
|
|
|
|
user, err := client.User(ctx, codersdk.Me)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
// Verify that the apps have the correct sharing levels set.
|
|
|
|
workspaceBuild, err := client.WorkspaceBuild(ctx, workspace.LatestBuild.ID)
|
|
|
|
require.NoError(t, err)
|
|
|
|
agnt = workspaceBuild.Resources[0].Agents[0]
|
|
|
|
found := map[string]codersdk.WorkspaceAppSharingLevel{}
|
|
|
|
expected := map[string]codersdk.WorkspaceAppSharingLevel{
|
|
|
|
proxyTestAppNameFake: codersdk.WorkspaceAppSharingLevelOwner,
|
|
|
|
proxyTestAppNameOwner: codersdk.WorkspaceAppSharingLevelOwner,
|
|
|
|
proxyTestAppNameAuthenticated: codersdk.WorkspaceAppSharingLevelAuthenticated,
|
|
|
|
proxyTestAppNamePublic: codersdk.WorkspaceAppSharingLevelPublic,
|
|
|
|
}
|
|
|
|
for _, app := range agnt.Apps {
|
2022-10-28 17:41:31 +00:00
|
|
|
found[app.DisplayName] = app.SharingLevel
|
2022-10-14 16:46:38 +00:00
|
|
|
}
|
|
|
|
require.Equal(t, expected, found, "apps have incorrect sharing levels")
|
|
|
|
|
|
|
|
// Create a user in a different org.
|
|
|
|
otherOrg, err := client.CreateOrganization(ctx, codersdk.CreateOrganizationRequest{
|
|
|
|
Name: "a-different-org",
|
|
|
|
})
|
|
|
|
require.NoError(t, err)
|
|
|
|
userInOtherOrg, err := client.CreateUser(ctx, codersdk.CreateUserRequest{
|
|
|
|
Email: "no-template-access@coder.com",
|
|
|
|
Username: "no-template-access",
|
|
|
|
Password: password,
|
|
|
|
OrganizationID: otherOrg.ID,
|
|
|
|
})
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
clientInOtherOrg = codersdk.New(client.URL)
|
|
|
|
loginRes, err := clientInOtherOrg.LoginWithPassword(ctx, codersdk.LoginWithPasswordRequest{
|
|
|
|
Email: userInOtherOrg.Email,
|
|
|
|
Password: password,
|
|
|
|
})
|
|
|
|
require.NoError(t, err)
|
2022-11-09 13:31:24 +00:00
|
|
|
clientInOtherOrg.SetSessionToken(loginRes.SessionToken)
|
2022-10-14 16:46:38 +00:00
|
|
|
clientInOtherOrg.HTTPClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {
|
|
|
|
return http.ErrUseLastResponse
|
|
|
|
}
|
|
|
|
|
|
|
|
// Create an unauthenticated codersdk client.
|
|
|
|
clientWithNoAuth = codersdk.New(client.URL)
|
|
|
|
clientWithNoAuth.HTTPClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {
|
|
|
|
return http.ErrUseLastResponse
|
|
|
|
}
|
|
|
|
|
|
|
|
return workspace, agnt, user, client, clientInOtherOrg, clientWithNoAuth
|
|
|
|
}
|
|
|
|
|
|
|
|
verifyAccess := func(t *testing.T, username, workspaceName, agentName, appName string, client *codersdk.Client, shouldHaveAccess, shouldRedirectToLogin bool) {
|
|
|
|
t.Helper()
|
|
|
|
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
|
|
|
defer cancel()
|
|
|
|
|
|
|
|
// If the client has a session token, we also want to check that a
|
|
|
|
// scoped key works.
|
|
|
|
clients := []*codersdk.Client{client}
|
2022-11-09 13:31:24 +00:00
|
|
|
if client.SessionToken() != "" {
|
2022-10-14 16:46:38 +00:00
|
|
|
token, err := client.CreateToken(ctx, codersdk.Me, codersdk.CreateTokenRequest{
|
|
|
|
Scope: codersdk.APIKeyScopeApplicationConnect,
|
|
|
|
})
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
scopedClient := codersdk.New(client.URL)
|
2022-11-09 13:31:24 +00:00
|
|
|
scopedClient.SetSessionToken(token.Key)
|
2022-10-14 16:46:38 +00:00
|
|
|
scopedClient.HTTPClient.CheckRedirect = client.HTTPClient.CheckRedirect
|
|
|
|
|
|
|
|
clients = append(clients, scopedClient)
|
|
|
|
}
|
|
|
|
|
|
|
|
for i, client := range clients {
|
|
|
|
msg := fmt.Sprintf("client %d", i)
|
|
|
|
|
|
|
|
appPath := fmt.Sprintf("/@%s/%s.%s/apps/%s/?%s", username, workspaceName, agentName, appName, proxyTestAppQuery)
|
2022-12-02 22:16:07 +00:00
|
|
|
res, err := requestWithRetries(ctx, t, client, http.MethodGet, appPath, nil)
|
2022-10-14 16:46:38 +00:00
|
|
|
require.NoError(t, err, msg)
|
|
|
|
|
|
|
|
dump, err := httputil.DumpResponse(res, true)
|
|
|
|
res.Body.Close()
|
|
|
|
require.NoError(t, err, msg)
|
|
|
|
t.Logf("response dump: %s", dump)
|
|
|
|
|
|
|
|
if !shouldHaveAccess {
|
|
|
|
if shouldRedirectToLogin {
|
|
|
|
assert.Equal(t, http.StatusTemporaryRedirect, res.StatusCode, "should not have access, expected temporary redirect. "+msg)
|
|
|
|
location, err := res.Location()
|
|
|
|
require.NoError(t, err, msg)
|
|
|
|
assert.Equal(t, "/login", location.Path, "should not have access, expected redirect to /login. "+msg)
|
|
|
|
} else {
|
|
|
|
// If the user doesn't have access we return 404 to avoid
|
|
|
|
// leaking information about the existence of the app.
|
|
|
|
assert.Equal(t, http.StatusNotFound, res.StatusCode, "should not have access, expected not found. "+msg)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if shouldHaveAccess {
|
|
|
|
assert.Equal(t, http.StatusOK, res.StatusCode, "should have access, expected ok. "+msg)
|
|
|
|
assert.Contains(t, string(dump), "hello world", "should have access, expected hello world. "+msg)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
t.Run("Level", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
workspace, agent, user, client, clientInOtherOrg, clientWithNoAuth := setup(t)
|
|
|
|
|
|
|
|
t.Run("Owner", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
// Owner should be able to access their own workspace.
|
|
|
|
verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNameOwner, client, true, false)
|
|
|
|
|
|
|
|
// Authenticated users should not have access to a workspace that
|
|
|
|
// they do not own.
|
|
|
|
verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNameOwner, clientInOtherOrg, false, false)
|
|
|
|
|
|
|
|
// Unauthenticated user should not have any access.
|
|
|
|
verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNameOwner, clientWithNoAuth, false, true)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("Authenticated", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
// Owner should be able to access their own workspace.
|
|
|
|
verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNameAuthenticated, client, true, false)
|
|
|
|
|
|
|
|
// Authenticated users should be able to access the workspace.
|
|
|
|
verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNameAuthenticated, clientInOtherOrg, true, false)
|
|
|
|
|
|
|
|
// Unauthenticated user should not have any access.
|
|
|
|
verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNameAuthenticated, clientWithNoAuth, false, true)
|
|
|
|
})
|
|
|
|
|
|
|
|
t.Run("Public", func(t *testing.T) {
|
|
|
|
t.Parallel()
|
|
|
|
|
|
|
|
// Owner should be able to access their own workspace.
|
|
|
|
verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNamePublic, client, true, false)
|
|
|
|
|
|
|
|
// Authenticated users should be able to access the workspace.
|
|
|
|
verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNamePublic, clientInOtherOrg, true, false)
|
|
|
|
|
|
|
|
// Unauthenticated user should be able to access the workspace.
|
|
|
|
verifyAccess(t, user.Username, workspace.Name, agent.Name, proxyTestAppNamePublic, clientWithNoAuth, true, false)
|
|
|
|
})
|
|
|
|
})
|
|
|
|
}
|