NotificationsYou must be signed in to change notification settings
Fork1.1k
Star11.6k

Commit421347b

committed

chore: refactor instance identity to be a SessionTokenProvider

1 parentad7200f commit421347bCopy full SHA for 421347b

File tree

31 files changed

+471

-376

lines changed

agent
- agent.go
- agenttest
  - agent.go
  - client.go
cli
coderd
- externalauth_test.go
- gitsshkey_test.go
- insights_test.go
- prometheusmetrics
  - insights
    - metricscollector_test.go
  - prometheusmetrics_test.go
- workspaceagents_test.go
- workspaceagentsrpc_test.go
- workspaceapps/apptest
  - setup.go
- workspaceresourceauth_test.go
codersdk
- agentsdk
- toolsdk
  - toolsdk_test.go
enterprise/coderd
scaletest
- createworkspaces
  - run_test.go
- workspacebuild
  - run_test.go

31 files changed

+471

-376

lines changed

`‎agent/agent.go‎`

Lines changed: 4 additions & 14 deletions

Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,6 @@ type Options struct {`
`74`	`74`	`LogDirstring`
`75`	`75`	`TempDirstring`
`76`	`76`	`ScriptDataDirstring`
`77`		`-ExchangeTokenfunc(ctx context.Context) (string,error)`
`78`	`77`	`ClientClient`
`79`	`78`	`ReconnectingPTYTimeout time.Duration`
`80`	`79`	`EnvironmentVariablesmap[string]string`
`@@ -99,6 +98,7 @@ type Client interface {`
`99`	`98`	`proto.DRPCAgentClient26, tailnetproto.DRPCTailnetClient26,error,`
`100`	`99`	`)`
`101`	`100`	`tailnet.DERPMapRewriter`
	`101`	`+agentsdk.RefreshableSessionTokenProvider`
`102`	`102`	`}`
`103`	`103`
`104`	`104`	`typeAgentinterface {`
`@@ -131,11 +131,6 @@ func New(options Options) Agent {`
`131`	`131`	`}`
`132`	`132`	`options.ScriptDataDir=options.TempDir`
`133`	`133`	`}`
`134`		`-ifoptions.ExchangeToken==nil {`
`135`		`-options.ExchangeToken=func(_ context.Context) (string,error) {`
`136`		`-return"",nil`
`137`		`-}`
`138`		`-}`
`139`	`134`	`ifoptions.ReportMetadataInterval==0 {`
`140`	`135`	`options.ReportMetadataInterval=time.Second`
`141`	`136`	`}`
`@@ -172,7 +167,6 @@ func New(options Options) Agent {`
`172`	`167`	`coordDisconnected:make(chanstruct{}),`
`173`	`168`	`environmentVariables:options.EnvironmentVariables,`
`174`	`169`	`client:options.Client,`
`175`		`-exchangeToken:options.ExchangeToken,`
`176`	`170`	`filesystem:options.Filesystem,`
`177`	`171`	`logDir:options.LogDir,`
`178`	`172`	`tempDir:options.TempDir,`
`@@ -203,7 +197,6 @@ func New(options Options) Agent {`
`203`	`197`	`// coordinator during shut down.`
`204`	`198`	`close(a.coordDisconnected)`
`205`	`199`	`a.announcementBanners.Store(new([]codersdk.BannerConfig))`
`206`		`-a.sessionToken.Store(new(string))`
`207`	`200`	`a.init()`
`208`	`201`	`returna`
`209`	`202`	`}`
`@@ -212,7 +205,6 @@ type agent struct {`
`212`	`205`	`clock quartz.Clock`
`213`	`206`	`logger slog.Logger`
`214`	`207`	`clientClient`
`215`		`-exchangeTokenfunc(ctx context.Context) (string,error)`
`216`	`208`	`tailnetListenPortuint16`
`217`	`209`	`filesystem afero.Fs`
`218`	`210`	`logDirstring`
`@@ -254,7 +246,6 @@ type agent struct {`
`254`	`246`	`scriptRunner*agentscripts.Runner`
`255`	`247`	`announcementBanners atomic.Pointer[[]codersdk.BannerConfig]// announcementBanners is atomic because it is periodically updated.`
`256`	`248`	`announcementBannersRefreshInterval time.Duration`
`257`		`-sessionToken atomic.Pointer[string]`
`258`	`249`	`sshServer*agentssh.Server`
`259`	`250`	`sshMaxTimeout time.Duration`
`260`	`251`	`blockFileTransferbool`
`@@ -916,11 +907,10 @@ func (a *agent) run() (retErr error) {`
`916`	`907`	`// This allows the agent to refresh its token if necessary.`
`917`	`908`	`// For instance identity this is required, since the instance`
`918`	`909`	`// may not have re-provisioned, but a new agent ID was created.`
`919`		`-sessionToken,err:=a.exchangeToken(a.hardCtx)`
	`910`	`+err:=a.client.RefreshToken(a.hardCtx)`
`920`	`911`	`iferr!=nil {`
`921`		`-returnxerrors.Errorf("exchange token: %w",err)`
	`912`	`+returnxerrors.Errorf("refresh token: %w",err)`
`922`	`913`	`}`
`923`		`-a.sessionToken.Store(&sessionToken)`
`924`	`914`
`925`	`915`	`// ConnectRPC returns the dRPC connection we use for the Agent and Tailnet v2+ APIs`
`926`	`916`	`aAPI,tAPI,err:=a.client.ConnectRPC26(a.hardCtx)`
`@@ -1359,7 +1349,7 @@ func (a *agent) updateCommandEnv(current []string) (updated []string, err error)`
`1359`	`1349`	`"CODER_WORKSPACE_OWNER_NAME":manifest.OwnerName,`
`1360`	`1350`
`1361`	`1351`	`// Specific Coder subcommands require the agent token exposed!`
`1362`		`-"CODER_AGENT_TOKEN":*a.sessionToken.Load(),`
	`1352`	`+"CODER_AGENT_TOKEN":a.client.GetSessionToken(),`
`1363`	`1353`
`1364`	`1354`	`// Git on Windows resolves with UNIX-style paths.`
`1365`	`1355`	`// If using backslashes, it's unable to find the executable.`

`‎agent/agenttest/agent.go‎`

Lines changed: 1 addition & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,6 @@`
`1`	`1`	`package agenttest`
`2`	`2`
`3`	`3`	`import (`
`4`		`-"context"`
`5`	`4`	`"net/url"`
`6`	`5`	`"testing"`
`7`	`6`
`@@ -31,18 +30,11 @@ func New(t testing.TB, coderURL url.URL, agentToken string, opts ...func(agent`
`31`	`30`	`}`
`32`	`31`
`33`	`32`	`ifo.Client==nil {`
`34`		`-agentClient:=agentsdk.New(coderURL)`
`35`		`-agentClient.SetSessionToken(agentToken)`
	`33`	`+agentClient:=agentsdk.New(coderURL,agentsdk.UsingFixedToken(agentToken))`
`36`	`34`	`agentClient.SDK.SetLogger(log)`
`37`	`35`	`o.Client=agentClient`
`38`	`36`	`}`
`39`	`37`
`40`		`-ifo.ExchangeToken==nil {`
`41`		`-o.ExchangeToken=func(_ context.Context) (string,error) {`
`42`		`-returnagentToken,nil`
`43`		`-}`
`44`		`-}`
`45`		`-`
`46`	`38`	`ifo.LogDir=="" {`
`47`	`39`	`o.LogDir=t.TempDir()`
`48`	`40`	`}`

`‎agent/agenttest/client.go‎`

Lines changed: 16 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@ package agenttest`
`3`	`3`	`import (`
`4`	`4`	`"context"`
`5`	`5`	`"io"`
	`6`	`+"net/http"`
`6`	`7`	`"slices"`
`7`	`8`	`"sync"`
`8`	`9`	`"sync/atomic"`
`@@ -28,6 +29,7 @@ import (`
`28`	`29`	`"github.com/coder/coder/v2/tailnet"`
`29`	`30`	`"github.com/coder/coder/v2/tailnet/proto"`
`30`	`31`	`"github.com/coder/coder/v2/testutil"`
	`32`	`+"github.com/coder/websocket"`
`31`	`33`	`)`
`32`	`34`
`33`	`35`	`conststatsInterval=500*time.Millisecond`
`@@ -92,6 +94,20 @@ type Client struct {`
`92`	`94`	`derpMapOnce sync.Once`
`93`	`95`	`}`
`94`	`96`
	`97`	`+func (c*Client)AsRequestOption() codersdk.RequestOption {`
	`98`	`+returnfunc(request*http.Request) {}`
	`99`	`+}`
	`100`	`+`
	`101`	`+func (cClient)SetDialOption(websocket.DialOptions) {}`
	`102`	`+`
	`103`	`+func (c*Client)GetSessionToken()string {`
	`104`	`+return"agenttest-token"`
	`105`	`+}`
	`106`	`+`
	`107`	`+func (c*Client)RefreshToken(context.Context)error {`
	`108`	`+returnnil`
	`109`	`+}`
	`110`	`+`
`95`	`111`	`func (Client)RewriteDERPMap(tailcfg.DERPMap) {}`
`96`	`112`
`97`	`113`	`func (c*Client)Close() {`

`‎cli/agent.go‎`

Lines changed: 3 additions & 86 deletions

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,6 @@ import (`
`15`	`15`	`"strings"`
`16`	`16`	`"time"`
`17`	`17`
`18`		`-"cloud.google.com/go/compute/metadata"`
`19`	`18`	`"golang.org/x/xerrors"`
`20`	`19`	`"gopkg.in/natefinch/lumberjack.v2"`
`21`	`20`
`@@ -40,7 +39,6 @@ import (`
`40`	`39`
`41`	`40`	`func (rRootCmd)workspaceAgent()serpent.Command {`
`42`	`41`	`var (`
`43`		`-authstring`
`44`	`42`	`logDirstring`
`45`	`43`	`scriptDataDirstring`
`46`	`44`	`pprofAddressstring`
`@@ -177,11 +175,10 @@ func (r RootCmd) workspaceAgent() serpent.Command {`
`177`	`175`	`version:=buildinfo.Version()`
`178`	`176`	`logger.Info(ctx,"agent is starting now",`
`179`	`177`	`slog.F("url",r.agentURL),`
`180`		`-slog.F("auth",auth),`
	`178`	`+slog.F("auth",r.agentAuth),`
`181`	`179`	`slog.F("version",version),`
`182`	`180`	`)`
`183`		`-`
`184`		`-client:=agentsdk.New(r.agentURL)`
	`181`	`+client,err:=r.createAgentClient(ctx)`
`185`	`182`	`client.SDK.SetLogger(logger)`
`186`	`183`	`// Set a reasonable timeout so requests can't hang forever!`
`187`	`184`	`// The timeout needs to be reasonably long, because requests`
`@@ -214,68 +211,6 @@ func (r RootCmd) workspaceAgent() serpent.Command {`
`214`	`211`	`ignorePorts[port]="debug"`
`215`	`212`	`}`
`216`	`213`
`217`		`-// exchangeToken returns a session token.`
`218`		`-// This is abstracted to allow for the same looping condition`
`219`		`-// regardless of instance identity auth type.`
`220`		`-varexchangeTokenfunc(context.Context) (agentsdk.AuthenticateResponse,error)`
`221`		`-switchauth {`
`222`		`-case"token":`
`223`		`-token,_:=inv.ParsedFlags().GetString(varAgentToken)`
`224`		`-iftoken=="" {`
`225`		`-tokenFile,_:=inv.ParsedFlags().GetString(varAgentTokenFile)`
`226`		`-iftokenFile!="" {`
`227`		`-tokenBytes,err:=os.ReadFile(tokenFile)`
`228`		`-iferr!=nil {`
`229`		`-returnxerrors.Errorf("read token file %q: %w",tokenFile,err)`
`230`		`-}`
`231`		`-token=strings.TrimSpace(string(tokenBytes))`
`232`		`-}`
`233`		`-}`
`234`		`-iftoken=="" {`
`235`		`-returnxerrors.Errorf("CODER_AGENT_TOKEN or CODER_AGENT_TOKEN_FILE must be set for token auth")`
`236`		`-}`
`237`		`-client.SetSessionToken(token)`
`238`		`-case"google-instance-identity":`
`239`		`-// This is only done for testing to mock client authentication.`
`240`		`-// This will never be set in a production scenario.`
`241`		`-vargcpClient*metadata.Client`
`242`		`-gcpClientRaw:=ctx.Value("gcp-client")`
`243`		`-ifgcpClientRaw!=nil {`
`244`		`-gcpClient,_=gcpClientRaw.(*metadata.Client)`
`245`		`-}`
`246`		`-exchangeToken=func(ctx context.Context) (agentsdk.AuthenticateResponse,error) {`
`247`		`-returnclient.AuthGoogleInstanceIdentity(ctx,"",gcpClient)`
`248`		`-}`
`249`		`-case"aws-instance-identity":`
`250`		`-// This is only done for testing to mock client authentication.`
`251`		`-// This will never be set in a production scenario.`
`252`		`-varawsClient*http.Client`
`253`		`-awsClientRaw:=ctx.Value("aws-client")`
`254`		`-ifawsClientRaw!=nil {`
`255`		`-awsClient,_=awsClientRaw.(*http.Client)`
`256`		`-ifawsClient!=nil {`
`257`		`-client.SDK.HTTPClient=awsClient`
`258`		`-}`
`259`		`-}`
`260`		`-exchangeToken=func(ctx context.Context) (agentsdk.AuthenticateResponse,error) {`
`261`		`-returnclient.AuthAWSInstanceIdentity(ctx)`
`262`		`-}`
`263`		`-case"azure-instance-identity":`
`264`		`-// This is only done for testing to mock client authentication.`
`265`		`-// This will never be set in a production scenario.`
`266`		`-varazureClient*http.Client`
`267`		`-azureClientRaw:=ctx.Value("azure-client")`
`268`		`-ifazureClientRaw!=nil {`
`269`		`-azureClient,_=azureClientRaw.(*http.Client)`
`270`		`-ifazureClient!=nil {`
`271`		`-client.SDK.HTTPClient=azureClient`
`272`		`-}`
`273`		`-}`
`274`		`-exchangeToken=func(ctx context.Context) (agentsdk.AuthenticateResponse,error) {`
`275`		`-returnclient.AuthAzureInstanceIdentity(ctx)`
`276`		`-}`
`277`		`-}`
`278`		`-`
`279`	`214`	`executablePath,err:=os.Executable()`
`280`	`215`	`iferr!=nil {`
`281`	`216`	`returnxerrors.Errorf("getting os executable: %w",err)`
`@@ -343,18 +278,7 @@ func (r RootCmd) workspaceAgent() serpent.Command {`
`343`	`278`	`LogDir:logDir,`
`344`	`279`	`ScriptDataDir:scriptDataDir,`
`345`	`280`	`// #nosec G115 - Safe conversion as tailnet listen port is within uint16 range (0-65535)`
`346`		`-TailnetListenPort:uint16(tailnetListenPort),`
`347`		`-ExchangeToken:func(ctx context.Context) (string,error) {`
`348`		`-ifexchangeToken==nil {`
`349`		`-returnclient.SDK.SessionToken(),nil`
`350`		`-}`
`351`		`-resp,err:=exchangeToken(ctx)`
`352`		`-iferr!=nil {`
`353`		`-return"",err`
`354`		`-}`
`355`		`-client.SetSessionToken(resp.SessionToken)`
`356`		`-returnresp.SessionToken,nil`
`357`		`-},`
	`281`	`+TailnetListenPort:uint16(tailnetListenPort),`
`358`	`282`	`EnvironmentVariables:environmentVariables,`
`359`	`283`	`IgnorePorts:ignorePorts,`
`360`	`284`	`SSHMaxTimeout:sshMaxTimeout,`
`@@ -400,13 +324,6 @@ func (r RootCmd) workspaceAgent() serpent.Command {`
`400`	`324`	`}`
`401`	`325`
`402`	`326`	`cmd.Options= serpent.OptionSet{`
`403`		`-{`
`404`		`-Flag:"auth",`
`405`		`-Default:"token",`
`406`		`-Description:"Specify the authentication type to use for the agent.",`
`407`		`-Env:"CODER_AGENT_AUTH",`
`408`		`-Value:serpent.StringOf(&auth),`
`409`		`-},`
`410`	`327`	`{`
`411`	`328`	`Flag:"log-dir",`
`412`	`329`	`Default:os.TempDir(),`

`‎cli/exp_mcp.go‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -148,7 +148,7 @@ func (r RootCmd) mcpConfigureClaudeCode() serpent.Command {`
`148`	`148`	`binPath=testBinaryName`
`149`	`149`	`}`
`150`	`150`	`configureClaudeEnv:=map[string]string{}`
`151`		`-agentClient,err:=r.createAgentClient()`
	`151`	`+agentClient,err:=r.createAgentClient(inv.Context())`
`152`	`152`	`iferr!=nil {`
`153`	`153`	`cliui.Warnf(inv.Stderr,"failed to create agent client: %s",err)`
`154`	`154`	`}else {`
`@@ -494,7 +494,7 @@ func (r RootCmd) mcpServer() serpent.Command {`
`494`	`494`	`}`
`495`	`495`
`496`	`496`	`// Try to create an agent client for status reporting. Not validated.`
`497`		`-agentClient,err:=r.createAgentClient()`
	`497`	`+agentClient,err:=r.createAgentClient(inv.Context())`
`498`	`498`	`iferr==nil {`
`499`	`499`	`cliui.Infof(inv.Stderr,"Agent URL : %s",agentClient.SDK.URL.String())`
`500`	`500`	`srv.agentClient=agentClient`

`‎cli/externalauth.go‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -75,7 +75,7 @@ fi`
`75`	`75`	`returnxerrors.Errorf("agent token not found")`
`76`	`76`	`}`
`77`	`77`
`78`		`-client,err:=r.tryCreateAgentClient()`
	`78`	`+client,err:=r.createAgentClient(ctx)`
`79`	`79`	`iferr!=nil {`
`80`	`80`	`returnxerrors.Errorf("create agent client: %w",err)`
`81`	`81`	`}`

`‎cli/gitaskpass.go‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ func (r RootCmd) gitAskpass() serpent.Command {`
`33`	`33`	`returnxerrors.Errorf("parse host: %w",err)`
`34`	`34`	`}`
`35`	`35`
`36`		`-client,err:=r.tryCreateAgentClient()`
	`36`	`+client,err:=r.createAgentClient(ctx)`
`37`	`37`	`iferr!=nil {`
`38`	`38`	`returnxerrors.Errorf("create agent client: %w",err)`
`39`	`39`	`}`

`‎cli/gitaskpass_test.go‎`

Lines changed: 4 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@ import (`
`16`	`16`	`"github.com/coder/coder/v2/codersdk"`
`17`	`17`	`"github.com/coder/coder/v2/codersdk/agentsdk"`
`18`	`18`	`"github.com/coder/coder/v2/pty/ptytest"`
	`19`	`+"github.com/coder/coder/v2/testutil"`
`19`	`20`	`)`
`20`	`21`
`21`	`22`	`funcTestGitAskpass(t*testing.T) {`
`@@ -65,6 +66,7 @@ func TestGitAskpass(t *testing.T) {`
`65`	`66`
`66`	`67`	`t.Run("Poll",func(t*testing.T) {`
`67`	`68`	`t.Parallel()`
	`69`	`+ctx:=testutil.Context(t,testutil.WaitShort)`
`68`	`70`	`resp:= atomic.Pointer[agentsdk.ExternalAuthResponse]{}`
`69`	`71`	`resp.Store(&agentsdk.ExternalAuthResponse{`
`70`	`72`	`URL:"https://something.org",`
`@@ -86,6 +88,7 @@ func TestGitAskpass(t *testing.T) {`
`86`	`88`
`87`	`89`	`inv,_:=clitest.New(t,"--agent-url",url,"--no-open","Username for 'https://github.com':")`
`88`	`90`	`inv.Environ.Set("GIT_PREFIX","/")`
	`91`	`+inv.Environ.Set("CODER_AGENT_TOKEN","fake-token")`
`89`	`92`	`stdout:=ptytest.New(t)`
`90`	`93`	`inv.Stdout=stdout.Output()`
`91`	`94`	`stderr:=ptytest.New(t)`
`@@ -94,7 +97,7 @@ func TestGitAskpass(t *testing.T) {`
`94`	`97`	`err:=inv.Run()`
`95`	`98`	`assert.NoError(t,err)`
`96`	`99`	`}()`
`97`		`-<-poll`
	`100`	`+testutil.RequireReceive(ctx,t,poll)`
`98`	`101`	`stderr.ExpectMatch("Open the following URL to authenticate")`
`99`	`102`	`resp.Store(&agentsdk.ExternalAuthResponse{`
`100`	`103`	`Username:"username",`

`‎cli/gitssh.go‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ func (r RootCmd) gitssh() serpent.Command {`
`38`	`38`	`returnerr`
`39`	`39`	`}`
`40`	`40`
`41`		`-client,err:=r.tryCreateAgentClient()`
	`41`	`+client,err:=r.createAgentClient(ctx)`
`42`	`42`	`iferr!=nil {`
`43`	`43`	`returnxerrors.Errorf("create agent client: %w",err)`
`44`	`44`	`}`

`‎cli/gitssh_test.go‎`

Lines changed: 1 addition & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -54,8 +54,7 @@ func prepareTestGitSSH(ctx context.Context, t testing.T) (agentsdk.Client, str`
`54`	`54`	`}).WithAgent().Do()`
`55`	`55`
`56`	`56`	`// start workspace agent`
`57`		`-agentClient:=agentsdk.New(client.URL)`
`58`		`-agentClient.SetSessionToken(r.AgentToken)`
	`57`	`+agentClient:=agentsdk.New(client.URL,agentsdk.UsingFixedToken(r.AgentToken))`
`59`	`58`	`_=agenttest.New(t,client.URL,r.AgentToken,func(o*agent.Options) {`
`60`	`59`	`o.Client=agentClient`
`61`	`60`	`})`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit421347b

File tree

31 files changed

31 files changed

`‎agent/agent.go‎`

`‎agent/agenttest/agent.go‎`

`‎agent/agenttest/client.go‎`

`‎cli/agent.go‎`

`‎cli/exp_mcp.go‎`

`‎cli/externalauth.go‎`

`‎cli/gitaskpass.go‎`

`‎cli/gitaskpass_test.go‎`

`‎cli/gitssh.go‎`

`‎cli/gitssh_test.go‎`

0 commit comments