mirror of https://github.com/coder/coder.git
866 lines
26 KiB
Go
866 lines
26 KiB
Go
package workspaceapps_test
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"io"
|
|
"net"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"net/http/httputil"
|
|
"net/url"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/google/uuid"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"github.com/coder/coder/v2/agent/agenttest"
|
|
"github.com/coder/coder/v2/coderd/coderdtest"
|
|
"github.com/coder/coder/v2/coderd/httpapi"
|
|
"github.com/coder/coder/v2/coderd/httpmw"
|
|
"github.com/coder/coder/v2/coderd/workspaceapps"
|
|
"github.com/coder/coder/v2/codersdk"
|
|
"github.com/coder/coder/v2/provisioner/echo"
|
|
"github.com/coder/coder/v2/provisionersdk/proto"
|
|
"github.com/coder/coder/v2/testutil"
|
|
)
|
|
|
|
func Test_ResolveRequest(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
const (
|
|
agentName = "agent"
|
|
appNameOwner = "app-owner"
|
|
appNameAuthed = "app-authed"
|
|
appNamePublic = "app-public"
|
|
appNameInvalidURL = "app-invalid-url"
|
|
appNameUnhealthy = "app-unhealthy"
|
|
|
|
// This agent will never connect, so it will never become "connected".
|
|
agentNameUnhealthy = "agent-unhealthy"
|
|
appNameAgentUnhealthy = "app-agent-unhealthy"
|
|
|
|
// This is not a valid URL we listen on in the test, but it needs to be
|
|
// set to a value.
|
|
appURL = "http://localhost:8080"
|
|
)
|
|
allApps := []string{appNameOwner, appNameAuthed, appNamePublic}
|
|
|
|
// Start a listener for a server that always responds with 500 for the
|
|
// unhealthy app.
|
|
unhealthySrv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.WriteHeader(http.StatusInternalServerError)
|
|
_, _ = w.Write([]byte("unhealthy"))
|
|
}))
|
|
|
|
deploymentValues := coderdtest.DeploymentValues(t)
|
|
deploymentValues.DisablePathApps = false
|
|
deploymentValues.Dangerous.AllowPathAppSharing = true
|
|
deploymentValues.Dangerous.AllowPathAppSiteOwnerAccess = true
|
|
|
|
client, closer, api := coderdtest.NewWithAPI(t, &coderdtest.Options{
|
|
AppHostname: "*.test.coder.com",
|
|
DeploymentValues: deploymentValues,
|
|
IncludeProvisionerDaemon: true,
|
|
AgentStatsRefreshInterval: time.Millisecond * 100,
|
|
MetricsCacheRefreshInterval: time.Millisecond * 100,
|
|
RealIPConfig: &httpmw.RealIPConfig{
|
|
TrustedOrigins: []*net.IPNet{{
|
|
IP: net.ParseIP("127.0.0.1"),
|
|
Mask: net.CIDRMask(8, 32),
|
|
}},
|
|
TrustedHeaders: []string{
|
|
"CF-Connecting-IP",
|
|
},
|
|
},
|
|
})
|
|
t.Cleanup(func() {
|
|
_ = closer.Close()
|
|
})
|
|
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitMedium)
|
|
defer cancel()
|
|
|
|
firstUser := coderdtest.CreateFirstUser(t, client)
|
|
me, err := client.User(ctx, codersdk.Me)
|
|
require.NoError(t, err)
|
|
|
|
secondUserClient, _ := coderdtest.CreateAnotherUser(t, client, firstUser.OrganizationID)
|
|
|
|
agentAuthToken := uuid.NewString()
|
|
version := coderdtest.CreateTemplateVersion(t, client, firstUser.OrganizationID, &echo.Responses{
|
|
Parse: echo.ParseComplete,
|
|
ProvisionPlan: echo.PlanComplete,
|
|
ProvisionApply: []*proto.Response{{
|
|
Type: &proto.Response_Apply{
|
|
Apply: &proto.ApplyComplete{
|
|
Resources: []*proto.Resource{{
|
|
Name: "example",
|
|
Type: "aws_instance",
|
|
Agents: []*proto.Agent{
|
|
{
|
|
Id: uuid.NewString(),
|
|
Name: agentName,
|
|
Auth: &proto.Agent_Token{
|
|
Token: agentAuthToken,
|
|
},
|
|
Apps: []*proto.App{
|
|
{
|
|
Slug: appNameOwner,
|
|
DisplayName: appNameOwner,
|
|
SharingLevel: proto.AppSharingLevel_OWNER,
|
|
Url: appURL,
|
|
},
|
|
{
|
|
Slug: appNameAuthed,
|
|
DisplayName: appNameAuthed,
|
|
SharingLevel: proto.AppSharingLevel_AUTHENTICATED,
|
|
Url: appURL,
|
|
},
|
|
{
|
|
Slug: appNamePublic,
|
|
DisplayName: appNamePublic,
|
|
SharingLevel: proto.AppSharingLevel_PUBLIC,
|
|
Url: appURL,
|
|
},
|
|
{
|
|
Slug: appNameInvalidURL,
|
|
DisplayName: appNameInvalidURL,
|
|
SharingLevel: proto.AppSharingLevel_PUBLIC,
|
|
Url: "test:path/to/app",
|
|
},
|
|
{
|
|
Slug: appNameUnhealthy,
|
|
DisplayName: appNameUnhealthy,
|
|
SharingLevel: proto.AppSharingLevel_PUBLIC,
|
|
Url: appURL,
|
|
Healthcheck: &proto.Healthcheck{
|
|
Url: unhealthySrv.URL,
|
|
Interval: 1,
|
|
Threshold: 1,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Id: uuid.NewString(),
|
|
Name: agentNameUnhealthy,
|
|
Auth: &proto.Agent_Token{
|
|
Token: uuid.NewString(),
|
|
},
|
|
Apps: []*proto.App{
|
|
{
|
|
Slug: appNameAgentUnhealthy,
|
|
DisplayName: appNameAgentUnhealthy,
|
|
SharingLevel: proto.AppSharingLevel_PUBLIC,
|
|
Url: appURL,
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}},
|
|
},
|
|
},
|
|
}},
|
|
})
|
|
template := coderdtest.CreateTemplate(t, client, firstUser.OrganizationID, version.ID)
|
|
coderdtest.AwaitTemplateVersionJobCompleted(t, client, version.ID)
|
|
workspace := coderdtest.CreateWorkspace(t, client, firstUser.OrganizationID, template.ID)
|
|
coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspace.LatestBuild.ID)
|
|
|
|
_ = agenttest.New(t, client.URL, agentAuthToken)
|
|
resources := coderdtest.AwaitWorkspaceAgents(t, client, workspace.ID, agentName)
|
|
|
|
agentID := uuid.Nil
|
|
for _, resource := range resources {
|
|
for _, agnt := range resource.Agents {
|
|
if agnt.Name == agentName {
|
|
agentID = agnt.ID
|
|
}
|
|
}
|
|
}
|
|
require.NotEqual(t, uuid.Nil, agentID)
|
|
|
|
t.Run("OK", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
cases := []struct {
|
|
name string
|
|
workspaceNameOrID string
|
|
agentNameOrID string
|
|
}{
|
|
{
|
|
name: "Names",
|
|
workspaceNameOrID: workspace.Name,
|
|
agentNameOrID: agentName,
|
|
},
|
|
{
|
|
name: "IDs",
|
|
workspaceNameOrID: workspace.ID.String(),
|
|
agentNameOrID: agentID.String(),
|
|
},
|
|
}
|
|
|
|
for _, c := range cases {
|
|
c := c
|
|
|
|
t.Run(c.name, func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
// Try resolving a request for each app as the owner, without a
|
|
// token, then use the token to resolve each app.
|
|
for _, app := range allApps {
|
|
req := (workspaceapps.Request{
|
|
AccessMethod: workspaceapps.AccessMethodPath,
|
|
BasePath: "/app",
|
|
UsernameOrID: me.Username,
|
|
WorkspaceNameOrID: c.workspaceNameOrID,
|
|
AgentNameOrID: c.agentNameOrID,
|
|
AppSlugOrPort: app,
|
|
}).Normalize()
|
|
|
|
t.Log("app", app)
|
|
rw := httptest.NewRecorder()
|
|
r := httptest.NewRequest("GET", "/app", nil)
|
|
r.Header.Set(codersdk.SessionTokenHeader, client.SessionToken())
|
|
|
|
// Try resolving the request without a token.
|
|
token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
|
|
Logger: api.Logger,
|
|
SignedTokenProvider: api.WorkspaceAppsProvider,
|
|
DashboardURL: api.AccessURL,
|
|
PathAppBaseURL: api.AccessURL,
|
|
AppHostname: api.AppHostname,
|
|
AppRequest: req,
|
|
})
|
|
w := rw.Result()
|
|
if !assert.True(t, ok) {
|
|
dump, err := httputil.DumpResponse(w, true)
|
|
require.NoError(t, err, "error dumping failed response")
|
|
t.Log(string(dump))
|
|
return
|
|
}
|
|
_ = w.Body.Close()
|
|
|
|
require.Equal(t, &workspaceapps.SignedToken{
|
|
Request: req,
|
|
Expiry: token.Expiry, // ignored to avoid flakiness
|
|
UserID: me.ID,
|
|
WorkspaceID: workspace.ID,
|
|
AgentID: agentID,
|
|
AppURL: appURL,
|
|
}, token)
|
|
require.NotZero(t, token.Expiry)
|
|
require.WithinDuration(t, time.Now().Add(workspaceapps.DefaultTokenExpiry), token.Expiry, time.Minute)
|
|
|
|
// Check that the token was set in the response and is valid.
|
|
require.Len(t, w.Cookies(), 1)
|
|
cookie := w.Cookies()[0]
|
|
require.Equal(t, codersdk.SignedAppTokenCookie, cookie.Name)
|
|
require.Equal(t, req.BasePath, cookie.Path)
|
|
|
|
parsedToken, err := api.AppSecurityKey.VerifySignedToken(cookie.Value)
|
|
require.NoError(t, err)
|
|
// normalize expiry
|
|
require.WithinDuration(t, token.Expiry, parsedToken.Expiry, 2*time.Second)
|
|
parsedToken.Expiry = token.Expiry
|
|
require.Equal(t, token, &parsedToken)
|
|
|
|
// Try resolving the request with the token only.
|
|
rw = httptest.NewRecorder()
|
|
r = httptest.NewRequest("GET", "/app", nil)
|
|
r.AddCookie(cookie)
|
|
|
|
secondToken, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
|
|
Logger: api.Logger,
|
|
SignedTokenProvider: api.WorkspaceAppsProvider,
|
|
DashboardURL: api.AccessURL,
|
|
PathAppBaseURL: api.AccessURL,
|
|
AppHostname: api.AppHostname,
|
|
AppRequest: req,
|
|
})
|
|
require.True(t, ok)
|
|
// normalize expiry
|
|
require.WithinDuration(t, token.Expiry, secondToken.Expiry, 2*time.Second)
|
|
secondToken.Expiry = token.Expiry
|
|
require.Equal(t, token, secondToken)
|
|
}
|
|
})
|
|
}
|
|
})
|
|
|
|
t.Run("AuthenticatedOtherUser", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
for _, app := range allApps {
|
|
req := (workspaceapps.Request{
|
|
AccessMethod: workspaceapps.AccessMethodPath,
|
|
BasePath: "/app",
|
|
UsernameOrID: me.Username,
|
|
WorkspaceNameOrID: workspace.Name,
|
|
AgentNameOrID: agentName,
|
|
AppSlugOrPort: app,
|
|
}).Normalize()
|
|
|
|
t.Log("app", app)
|
|
rw := httptest.NewRecorder()
|
|
r := httptest.NewRequest("GET", "/app", nil)
|
|
r.Header.Set(codersdk.SessionTokenHeader, secondUserClient.SessionToken())
|
|
|
|
token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
|
|
Logger: api.Logger,
|
|
SignedTokenProvider: api.WorkspaceAppsProvider,
|
|
DashboardURL: api.AccessURL,
|
|
PathAppBaseURL: api.AccessURL,
|
|
AppHostname: api.AppHostname,
|
|
AppRequest: req,
|
|
})
|
|
w := rw.Result()
|
|
_ = w.Body.Close()
|
|
if app == appNameOwner {
|
|
require.False(t, ok)
|
|
require.Nil(t, token)
|
|
require.NotZero(t, w.StatusCode)
|
|
require.Equal(t, http.StatusNotFound, w.StatusCode)
|
|
return
|
|
}
|
|
require.True(t, ok)
|
|
require.NotNil(t, token)
|
|
require.Zero(t, w.StatusCode)
|
|
}
|
|
})
|
|
|
|
t.Run("Unauthenticated", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
for _, app := range allApps {
|
|
req := (workspaceapps.Request{
|
|
AccessMethod: workspaceapps.AccessMethodPath,
|
|
BasePath: "/app",
|
|
UsernameOrID: me.Username,
|
|
WorkspaceNameOrID: workspace.Name,
|
|
AgentNameOrID: agentName,
|
|
AppSlugOrPort: app,
|
|
}).Normalize()
|
|
|
|
t.Log("app", app)
|
|
rw := httptest.NewRecorder()
|
|
r := httptest.NewRequest("GET", "/app", nil)
|
|
token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
|
|
Logger: api.Logger,
|
|
SignedTokenProvider: api.WorkspaceAppsProvider,
|
|
DashboardURL: api.AccessURL,
|
|
PathAppBaseURL: api.AccessURL,
|
|
AppHostname: api.AppHostname,
|
|
AppRequest: req,
|
|
})
|
|
w := rw.Result()
|
|
if app != appNamePublic {
|
|
require.False(t, ok)
|
|
require.Nil(t, token)
|
|
require.NotZero(t, rw.Code)
|
|
require.NotEqual(t, http.StatusOK, rw.Code)
|
|
} else {
|
|
if !assert.True(t, ok) {
|
|
dump, err := httputil.DumpResponse(w, true)
|
|
require.NoError(t, err, "error dumping failed response")
|
|
t.Log(string(dump))
|
|
return
|
|
}
|
|
require.NotNil(t, token)
|
|
if rw.Code != 0 && rw.Code != http.StatusOK {
|
|
t.Fatalf("expected 200 (or unset) response code, got %d", rw.Code)
|
|
}
|
|
}
|
|
_ = w.Body.Close()
|
|
}
|
|
})
|
|
|
|
t.Run("Invalid", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
req := (workspaceapps.Request{
|
|
AccessMethod: "invalid",
|
|
}).Normalize()
|
|
rw := httptest.NewRecorder()
|
|
r := httptest.NewRequest("GET", "/app", nil)
|
|
token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
|
|
Logger: api.Logger,
|
|
SignedTokenProvider: api.WorkspaceAppsProvider,
|
|
DashboardURL: api.AccessURL,
|
|
PathAppBaseURL: api.AccessURL,
|
|
AppHostname: api.AppHostname,
|
|
AppRequest: req,
|
|
})
|
|
require.False(t, ok)
|
|
require.Nil(t, token)
|
|
})
|
|
|
|
t.Run("SplitWorkspaceAndAgent", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
cases := []struct {
|
|
name string
|
|
workspaceAndAgent string
|
|
workspace string
|
|
agent string
|
|
ok bool
|
|
}{
|
|
{
|
|
name: "WorkspaceOnly",
|
|
workspaceAndAgent: workspace.Name,
|
|
workspace: workspace.Name,
|
|
agent: "",
|
|
ok: true,
|
|
},
|
|
{
|
|
name: "WorkspaceAndAgent",
|
|
workspaceAndAgent: fmt.Sprintf("%s.%s", workspace.Name, agentName),
|
|
workspace: workspace.Name,
|
|
agent: agentName,
|
|
ok: true,
|
|
},
|
|
{
|
|
name: "WorkspaceID",
|
|
workspaceAndAgent: workspace.ID.String(),
|
|
workspace: workspace.ID.String(),
|
|
agent: "",
|
|
ok: true,
|
|
},
|
|
{
|
|
name: "WorkspaceIDAndAgentID",
|
|
workspaceAndAgent: fmt.Sprintf("%s.%s", workspace.ID, agentID),
|
|
workspace: workspace.ID.String(),
|
|
agent: agentID.String(),
|
|
ok: true,
|
|
},
|
|
{
|
|
name: "Invalid1",
|
|
workspaceAndAgent: "invalid",
|
|
ok: false,
|
|
},
|
|
{
|
|
name: "Invalid2",
|
|
workspaceAndAgent: ".",
|
|
ok: false,
|
|
},
|
|
{
|
|
name: "Slash",
|
|
workspaceAndAgent: fmt.Sprintf("%s/%s", workspace.Name, agentName),
|
|
ok: false,
|
|
},
|
|
}
|
|
|
|
for _, c := range cases {
|
|
t.Run(c.name, func(t *testing.T) {
|
|
req := (workspaceapps.Request{
|
|
AccessMethod: workspaceapps.AccessMethodPath,
|
|
BasePath: "/app",
|
|
UsernameOrID: me.Username,
|
|
WorkspaceAndAgent: c.workspaceAndAgent,
|
|
AppSlugOrPort: appNamePublic,
|
|
}).Normalize()
|
|
|
|
rw := httptest.NewRecorder()
|
|
r := httptest.NewRequest("GET", "/app", nil)
|
|
r.Header.Set(codersdk.SessionTokenHeader, client.SessionToken())
|
|
|
|
token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
|
|
Logger: api.Logger,
|
|
SignedTokenProvider: api.WorkspaceAppsProvider,
|
|
DashboardURL: api.AccessURL,
|
|
PathAppBaseURL: api.AccessURL,
|
|
AppHostname: api.AppHostname,
|
|
AppRequest: req,
|
|
})
|
|
w := rw.Result()
|
|
if !assert.Equal(t, c.ok, ok) {
|
|
dump, err := httputil.DumpResponse(w, true)
|
|
require.NoError(t, err, "error dumping failed response")
|
|
t.Log(string(dump))
|
|
return
|
|
}
|
|
if c.ok {
|
|
require.NotNil(t, token)
|
|
require.Equal(t, token.WorkspaceNameOrID, c.workspace)
|
|
require.Equal(t, token.AgentNameOrID, c.agent)
|
|
require.Equal(t, token.WorkspaceID, workspace.ID)
|
|
require.Equal(t, token.AgentID, agentID)
|
|
} else {
|
|
require.Nil(t, token)
|
|
}
|
|
_ = w.Body.Close()
|
|
})
|
|
}
|
|
})
|
|
|
|
t.Run("TokenDoesNotMatchRequest", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
badToken := workspaceapps.SignedToken{
|
|
Request: (workspaceapps.Request{
|
|
AccessMethod: workspaceapps.AccessMethodPath,
|
|
BasePath: "/app",
|
|
UsernameOrID: me.Username,
|
|
WorkspaceNameOrID: workspace.Name,
|
|
AgentNameOrID: agentName,
|
|
// App name differs
|
|
AppSlugOrPort: appNamePublic,
|
|
}).Normalize(),
|
|
Expiry: time.Now().Add(time.Minute),
|
|
UserID: me.ID,
|
|
WorkspaceID: workspace.ID,
|
|
AgentID: agentID,
|
|
AppURL: appURL,
|
|
}
|
|
badTokenStr, err := api.AppSecurityKey.SignToken(badToken)
|
|
require.NoError(t, err)
|
|
|
|
req := (workspaceapps.Request{
|
|
AccessMethod: workspaceapps.AccessMethodPath,
|
|
BasePath: "/app",
|
|
UsernameOrID: me.Username,
|
|
WorkspaceNameOrID: workspace.Name,
|
|
AgentNameOrID: agentName,
|
|
// App name differs
|
|
AppSlugOrPort: appNameOwner,
|
|
}).Normalize()
|
|
|
|
rw := httptest.NewRecorder()
|
|
r := httptest.NewRequest("GET", "/app", nil)
|
|
r.Header.Set(codersdk.SessionTokenHeader, client.SessionToken())
|
|
r.AddCookie(&http.Cookie{
|
|
Name: codersdk.SignedAppTokenCookie,
|
|
Value: badTokenStr,
|
|
})
|
|
|
|
// Even though the token is invalid, we should still perform request
|
|
// resolution without failure since we'll just ignore the bad token.
|
|
token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
|
|
Logger: api.Logger,
|
|
SignedTokenProvider: api.WorkspaceAppsProvider,
|
|
DashboardURL: api.AccessURL,
|
|
PathAppBaseURL: api.AccessURL,
|
|
AppHostname: api.AppHostname,
|
|
AppRequest: req,
|
|
})
|
|
require.True(t, ok)
|
|
require.NotNil(t, token)
|
|
require.Equal(t, appNameOwner, token.AppSlugOrPort)
|
|
|
|
// Cookie should be set in response, and it should be a different
|
|
// token.
|
|
w := rw.Result()
|
|
_ = w.Body.Close()
|
|
cookies := w.Cookies()
|
|
require.Len(t, cookies, 1)
|
|
require.Equal(t, cookies[0].Name, codersdk.SignedAppTokenCookie)
|
|
require.NotEqual(t, cookies[0].Value, badTokenStr)
|
|
parsedToken, err := api.AppSecurityKey.VerifySignedToken(cookies[0].Value)
|
|
require.NoError(t, err)
|
|
require.Equal(t, appNameOwner, parsedToken.AppSlugOrPort)
|
|
})
|
|
|
|
t.Run("PortPathBlocked", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
req := (workspaceapps.Request{
|
|
AccessMethod: workspaceapps.AccessMethodPath,
|
|
BasePath: "/app",
|
|
UsernameOrID: me.Username,
|
|
WorkspaceNameOrID: workspace.Name,
|
|
AgentNameOrID: agentName,
|
|
AppSlugOrPort: "8080",
|
|
}).Normalize()
|
|
|
|
rw := httptest.NewRecorder()
|
|
r := httptest.NewRequest("GET", "/app", nil)
|
|
r.Header.Set(codersdk.SessionTokenHeader, client.SessionToken())
|
|
|
|
token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
|
|
Logger: api.Logger,
|
|
SignedTokenProvider: api.WorkspaceAppsProvider,
|
|
DashboardURL: api.AccessURL,
|
|
PathAppBaseURL: api.AccessURL,
|
|
AppHostname: api.AppHostname,
|
|
AppRequest: req,
|
|
})
|
|
require.False(t, ok)
|
|
require.Nil(t, token)
|
|
})
|
|
|
|
t.Run("PortSubdomain", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
req := (workspaceapps.Request{
|
|
AccessMethod: workspaceapps.AccessMethodSubdomain,
|
|
BasePath: "/",
|
|
UsernameOrID: me.Username,
|
|
WorkspaceNameOrID: workspace.Name,
|
|
AgentNameOrID: agentName,
|
|
AppSlugOrPort: "9090",
|
|
}).Normalize()
|
|
|
|
rw := httptest.NewRecorder()
|
|
r := httptest.NewRequest("GET", "/", nil)
|
|
r.Header.Set(codersdk.SessionTokenHeader, client.SessionToken())
|
|
|
|
token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
|
|
Logger: api.Logger,
|
|
SignedTokenProvider: api.WorkspaceAppsProvider,
|
|
DashboardURL: api.AccessURL,
|
|
PathAppBaseURL: api.AccessURL,
|
|
AppHostname: api.AppHostname,
|
|
AppRequest: req,
|
|
})
|
|
require.True(t, ok)
|
|
require.Equal(t, req.AppSlugOrPort, token.AppSlugOrPort)
|
|
require.Equal(t, "http://127.0.0.1:9090", token.AppURL)
|
|
})
|
|
|
|
t.Run("Terminal", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
req := (workspaceapps.Request{
|
|
AccessMethod: workspaceapps.AccessMethodTerminal,
|
|
BasePath: "/app",
|
|
AgentNameOrID: agentID.String(),
|
|
}).Normalize()
|
|
|
|
rw := httptest.NewRecorder()
|
|
r := httptest.NewRequest("GET", "/app", nil)
|
|
r.Header.Set(codersdk.SessionTokenHeader, client.SessionToken())
|
|
|
|
token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
|
|
Logger: api.Logger,
|
|
SignedTokenProvider: api.WorkspaceAppsProvider,
|
|
DashboardURL: api.AccessURL,
|
|
PathAppBaseURL: api.AccessURL,
|
|
AppHostname: api.AppHostname,
|
|
AppRequest: req,
|
|
})
|
|
require.True(t, ok)
|
|
require.Equal(t, req.AccessMethod, token.AccessMethod)
|
|
require.Equal(t, req.BasePath, token.BasePath)
|
|
require.Empty(t, token.UsernameOrID)
|
|
require.Empty(t, token.WorkspaceNameOrID)
|
|
require.Equal(t, req.AgentNameOrID, token.Request.AgentNameOrID)
|
|
require.Empty(t, token.AppSlugOrPort)
|
|
require.Empty(t, token.AppURL)
|
|
})
|
|
|
|
t.Run("InsufficientPermissions", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
req := (workspaceapps.Request{
|
|
AccessMethod: workspaceapps.AccessMethodPath,
|
|
BasePath: "/app",
|
|
UsernameOrID: me.Username,
|
|
WorkspaceNameOrID: workspace.Name,
|
|
AgentNameOrID: agentName,
|
|
AppSlugOrPort: appNameOwner,
|
|
}).Normalize()
|
|
|
|
rw := httptest.NewRecorder()
|
|
r := httptest.NewRequest("GET", "/app", nil)
|
|
r.Header.Set(codersdk.SessionTokenHeader, secondUserClient.SessionToken())
|
|
|
|
token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
|
|
Logger: api.Logger,
|
|
SignedTokenProvider: api.WorkspaceAppsProvider,
|
|
DashboardURL: api.AccessURL,
|
|
PathAppBaseURL: api.AccessURL,
|
|
AppHostname: api.AppHostname,
|
|
AppRequest: req,
|
|
})
|
|
require.False(t, ok)
|
|
require.Nil(t, token)
|
|
})
|
|
|
|
t.Run("UserNotFound", func(t *testing.T) {
|
|
t.Parallel()
|
|
req := (workspaceapps.Request{
|
|
AccessMethod: workspaceapps.AccessMethodPath,
|
|
BasePath: "/app",
|
|
UsernameOrID: "thisuserdoesnotexist",
|
|
WorkspaceNameOrID: workspace.Name,
|
|
AgentNameOrID: agentName,
|
|
AppSlugOrPort: appNameOwner,
|
|
}).Normalize()
|
|
|
|
rw := httptest.NewRecorder()
|
|
r := httptest.NewRequest("GET", "/app", nil)
|
|
r.Header.Set(codersdk.SessionTokenHeader, client.SessionToken())
|
|
|
|
token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
|
|
Logger: api.Logger,
|
|
SignedTokenProvider: api.WorkspaceAppsProvider,
|
|
DashboardURL: api.AccessURL,
|
|
PathAppBaseURL: api.AccessURL,
|
|
AppHostname: api.AppHostname,
|
|
AppRequest: req,
|
|
})
|
|
require.False(t, ok)
|
|
require.Nil(t, token)
|
|
})
|
|
|
|
t.Run("RedirectSubdomainAuth", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
req := (workspaceapps.Request{
|
|
AccessMethod: workspaceapps.AccessMethodSubdomain,
|
|
BasePath: "/",
|
|
UsernameOrID: me.Username,
|
|
WorkspaceNameOrID: workspace.Name,
|
|
AgentNameOrID: agentName,
|
|
AppSlugOrPort: appNameOwner,
|
|
}).Normalize()
|
|
|
|
rw := httptest.NewRecorder()
|
|
r := httptest.NewRequest("GET", "/some-path", nil)
|
|
// Should not be used as the hostname in the redirect URI.
|
|
r.Host = "app.com"
|
|
|
|
token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
|
|
Logger: api.Logger,
|
|
SignedTokenProvider: api.WorkspaceAppsProvider,
|
|
DashboardURL: api.AccessURL,
|
|
PathAppBaseURL: api.AccessURL,
|
|
AppHostname: api.AppHostname,
|
|
AppRequest: req,
|
|
AppPath: "/some-path",
|
|
})
|
|
require.False(t, ok)
|
|
require.Nil(t, token)
|
|
|
|
w := rw.Result()
|
|
defer w.Body.Close()
|
|
require.Equal(t, http.StatusSeeOther, w.StatusCode)
|
|
|
|
loc, err := w.Location()
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, api.AccessURL.Scheme, loc.Scheme)
|
|
require.Equal(t, api.AccessURL.Host, loc.Host)
|
|
require.Equal(t, "/api/v2/applications/auth-redirect", loc.Path)
|
|
|
|
redirectURIStr := loc.Query().Get(workspaceapps.RedirectURIQueryParam)
|
|
redirectURI, err := url.Parse(redirectURIStr)
|
|
require.NoError(t, err)
|
|
|
|
appHost := httpapi.ApplicationURL{
|
|
AppSlugOrPort: req.AppSlugOrPort,
|
|
AgentName: req.AgentNameOrID,
|
|
WorkspaceName: req.WorkspaceNameOrID,
|
|
Username: req.UsernameOrID,
|
|
}
|
|
host := strings.Replace(api.AppHostname, "*", appHost.String(), 1)
|
|
|
|
require.Equal(t, "http", redirectURI.Scheme)
|
|
require.Equal(t, host, redirectURI.Host)
|
|
require.Equal(t, "/some-path", redirectURI.Path)
|
|
})
|
|
|
|
t.Run("UnhealthyAgent", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
req := (workspaceapps.Request{
|
|
AccessMethod: workspaceapps.AccessMethodPath,
|
|
BasePath: "/app",
|
|
UsernameOrID: me.Username,
|
|
WorkspaceNameOrID: workspace.Name,
|
|
AgentNameOrID: agentNameUnhealthy,
|
|
AppSlugOrPort: appNameAgentUnhealthy,
|
|
}).Normalize()
|
|
|
|
rw := httptest.NewRecorder()
|
|
r := httptest.NewRequest("GET", "/app", nil)
|
|
r.Header.Set(codersdk.SessionTokenHeader, client.SessionToken())
|
|
|
|
token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
|
|
Logger: api.Logger,
|
|
SignedTokenProvider: api.WorkspaceAppsProvider,
|
|
DashboardURL: api.AccessURL,
|
|
PathAppBaseURL: api.AccessURL,
|
|
AppHostname: api.AppHostname,
|
|
AppRequest: req,
|
|
})
|
|
require.False(t, ok, "request succeeded even though agent is not connected")
|
|
require.Nil(t, token)
|
|
|
|
w := rw.Result()
|
|
defer w.Body.Close()
|
|
require.Equal(t, http.StatusBadGateway, w.StatusCode)
|
|
|
|
body, err := io.ReadAll(w.Body)
|
|
require.NoError(t, err)
|
|
bodyStr := string(body)
|
|
bodyStr = strings.ReplaceAll(bodyStr, """, `"`)
|
|
// It'll either be "connecting" or "disconnected". Both are OK for this
|
|
// test.
|
|
require.Contains(t, bodyStr, `Agent state is "`)
|
|
})
|
|
|
|
t.Run("UnhealthyApp", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
require.Eventually(t, func() bool {
|
|
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort)
|
|
defer cancel()
|
|
|
|
agent, err := client.WorkspaceAgent(ctx, agentID)
|
|
if err != nil {
|
|
t.Log("could not get agent", err)
|
|
return false
|
|
}
|
|
|
|
for _, app := range agent.Apps {
|
|
if app.Slug == appNameUnhealthy {
|
|
t.Log("app is", app.Health)
|
|
return app.Health == codersdk.WorkspaceAppHealthUnhealthy
|
|
}
|
|
}
|
|
|
|
t.Log("could not find app")
|
|
return false
|
|
}, testutil.WaitLong, testutil.IntervalFast, "wait for app to become unhealthy")
|
|
|
|
req := (workspaceapps.Request{
|
|
AccessMethod: workspaceapps.AccessMethodPath,
|
|
BasePath: "/app",
|
|
UsernameOrID: me.Username,
|
|
WorkspaceNameOrID: workspace.Name,
|
|
AgentNameOrID: agentName,
|
|
AppSlugOrPort: appNameUnhealthy,
|
|
}).Normalize()
|
|
|
|
rw := httptest.NewRecorder()
|
|
r := httptest.NewRequest("GET", "/app", nil)
|
|
r.Header.Set(codersdk.SessionTokenHeader, client.SessionToken())
|
|
|
|
token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
|
|
Logger: api.Logger,
|
|
SignedTokenProvider: api.WorkspaceAppsProvider,
|
|
DashboardURL: api.AccessURL,
|
|
PathAppBaseURL: api.AccessURL,
|
|
AppHostname: api.AppHostname,
|
|
AppRequest: req,
|
|
})
|
|
require.False(t, ok, "request succeeded even though app is unhealthy")
|
|
require.Nil(t, token)
|
|
|
|
w := rw.Result()
|
|
defer w.Body.Close()
|
|
require.Equal(t, http.StatusBadGateway, w.StatusCode)
|
|
|
|
body, err := io.ReadAll(w.Body)
|
|
require.NoError(t, err)
|
|
bodyStr := string(body)
|
|
bodyStr = strings.ReplaceAll(bodyStr, """, `"`)
|
|
require.Contains(t, bodyStr, `App health is "unhealthy"`)
|
|
})
|
|
}
|