NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commit7a59dc6

committed

chore: refactor instance identity to be a SessionTokenProvider

1 parent192c81e commit7a59dc6Copy full SHA for 7a59dc6

File tree

33 files changed

+488

-401

lines changed

agent
- agent.go
- agent_test.go
- agenttest
  - agent.go
  - client.go
cli
coderd
- externalauth_test.go
- gitsshkey_test.go
- insights_test.go
- prometheusmetrics
  - insights
    - metricscollector_test.go
  - prometheusmetrics_test.go
- workspaceagents_test.go
- workspaceagentsrpc_test.go
- workspaceapps/apptest
  - setup.go
- workspaceresourceauth_test.go
codersdk
- agentsdk
- toolsdk
  - toolsdk_test.go
enterprise/coderd
scaletest
- createworkspaces
  - run_test.go
- workspacebuild
  - run_test.go

33 files changed

+488

-401

lines changed

`‎agent/agent.go‎`

Lines changed: 4 additions & 14 deletions

Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,6 @@ type Options struct {`
`74`	`74`	`LogDirstring`
`75`	`75`	`TempDirstring`
`76`	`76`	`ScriptDataDirstring`
`77`		`-ExchangeTokenfunc(ctx context.Context) (string,error)`
`78`	`77`	`ClientClient`
`79`	`78`	`ReconnectingPTYTimeout time.Duration`
`80`	`79`	`EnvironmentVariablesmap[string]string`
`@@ -99,6 +98,7 @@ type Client interface {`
`99`	`98`	`proto.DRPCAgentClient26, tailnetproto.DRPCTailnetClient26,error,`
`100`	`99`	`)`
`101`	`100`	`tailnet.DERPMapRewriter`
	`101`	`+agentsdk.RefreshableSessionTokenProvider`
`102`	`102`	`}`
`103`	`103`
`104`	`104`	`typeAgentinterface {`
`@@ -131,11 +131,6 @@ func New(options Options) Agent {`
`131`	`131`	`}`
`132`	`132`	`options.ScriptDataDir=options.TempDir`
`133`	`133`	`}`
`134`		`-ifoptions.ExchangeToken==nil {`
`135`		`-options.ExchangeToken=func(_ context.Context) (string,error) {`
`136`		`-return"",nil`
`137`		`-}`
`138`		`-}`
`139`	`134`	`ifoptions.ReportMetadataInterval==0 {`
`140`	`135`	`options.ReportMetadataInterval=time.Second`
`141`	`136`	`}`
`@@ -172,7 +167,6 @@ func New(options Options) Agent {`
`172`	`167`	`coordDisconnected:make(chanstruct{}),`
`173`	`168`	`environmentVariables:options.EnvironmentVariables,`
`174`	`169`	`client:options.Client,`
`175`		`-exchangeToken:options.ExchangeToken,`
`176`	`170`	`filesystem:options.Filesystem,`
`177`	`171`	`logDir:options.LogDir,`
`178`	`172`	`tempDir:options.TempDir,`
`@@ -203,7 +197,6 @@ func New(options Options) Agent {`
`203`	`197`	`// coordinator during shut down.`
`204`	`198`	`close(a.coordDisconnected)`
`205`	`199`	`a.announcementBanners.Store(new([]codersdk.BannerConfig))`
`206`		`-a.sessionToken.Store(new(string))`
`207`	`200`	`a.init()`
`208`	`201`	`returna`
`209`	`202`	`}`
`@@ -212,7 +205,6 @@ type agent struct {`
`212`	`205`	`clock quartz.Clock`
`213`	`206`	`logger slog.Logger`
`214`	`207`	`clientClient`
`215`		`-exchangeTokenfunc(ctx context.Context) (string,error)`
`216`	`208`	`tailnetListenPortuint16`
`217`	`209`	`filesystem afero.Fs`
`218`	`210`	`logDirstring`
`@@ -254,7 +246,6 @@ type agent struct {`
`254`	`246`	`scriptRunner*agentscripts.Runner`
`255`	`247`	`announcementBanners atomic.Pointer[[]codersdk.BannerConfig]// announcementBanners is atomic because it is periodically updated.`
`256`	`248`	`announcementBannersRefreshInterval time.Duration`
`257`		`-sessionToken atomic.Pointer[string]`
`258`	`249`	`sshServer*agentssh.Server`
`259`	`250`	`sshMaxTimeout time.Duration`
`260`	`251`	`blockFileTransferbool`
`@@ -916,11 +907,10 @@ func (a *agent) run() (retErr error) {`
`916`	`907`	`// This allows the agent to refresh its token if necessary.`
`917`	`908`	`// For instance identity this is required, since the instance`
`918`	`909`	`// may not have re-provisioned, but a new agent ID was created.`
`919`		`-sessionToken,err:=a.exchangeToken(a.hardCtx)`
	`910`	`+err:=a.client.RefreshToken(a.hardCtx)`
`920`	`911`	`iferr!=nil {`
`921`		`-returnxerrors.Errorf("exchange token: %w",err)`
	`912`	`+returnxerrors.Errorf("refresh token: %w",err)`
`922`	`913`	`}`
`923`		`-a.sessionToken.Store(&sessionToken)`
`924`	`914`
`925`	`915`	`// ConnectRPC returns the dRPC connection we use for the Agent and Tailnet v2+ APIs`
`926`	`916`	`aAPI,tAPI,err:=a.client.ConnectRPC26(a.hardCtx)`
`@@ -1359,7 +1349,7 @@ func (a *agent) updateCommandEnv(current []string) (updated []string, err error)`
`1359`	`1349`	`"CODER_WORKSPACE_OWNER_NAME":manifest.OwnerName,`
`1360`	`1350`
`1361`	`1351`	`// Specific Coder subcommands require the agent token exposed!`
`1362`		`-"CODER_AGENT_TOKEN":*a.sessionToken.Load(),`
	`1352`	`+"CODER_AGENT_TOKEN":a.client.GetSessionToken(),`
`1363`	`1353`
`1364`	`1354`	`// Git on Windows resolves with UNIX-style paths.`
`1365`	`1355`	`// If using backslashes, it's unable to find the executable.`

`‎agent/agent_test.go‎`

Lines changed: 9 additions & 22 deletions

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,6 @@ import (`
`22`	`22`	`"slices"`
`23`	`23`	`"strconv"`
`24`	`24`	`"strings"`
`25`		`-"sync/atomic"`
`26`	`25`	`"testing"`
`27`	`26`	`"time"`
`28`	`27`
`@@ -2926,11 +2925,11 @@ func TestAgent_Speedtest(t *testing.T) {`
`2926`	`2925`
`2927`	`2926`	`funcTestAgent_Reconnect(t*testing.T) {`
`2928`	`2927`	`t.Parallel()`
	`2928`	`+ctx:=testutil.Context(t,testutil.WaitShort)`
`2929`	`2929`	`logger:=testutil.Logger(t)`
`2930`	`2930`	`// After the agent is disconnected from a coordinator, it's supposed`
`2931`	`2931`	`// to reconnect!`
`2932`		`-coordinator:=tailnet.NewCoordinator(logger)`
`2933`		`-defercoordinator.Close()`
	`2932`	`+fCoordinator:=tailnettest.NewFakeCoordinator()`
`2934`	`2933`
`2935`	`2934`	`agentID:=uuid.New()`
`2936`	`2935`	`statsCh:=make(chan*proto.Stats,50)`
`@@ -2942,27 +2941,21 @@ func TestAgent_Reconnect(t *testing.T) {`
`2942`	`2941`	`DERPMap:derpMap,`
`2943`	`2942`	`},`
`2944`	`2943`	`statsCh,`
`2945`		`-coordinator,`
	`2944`	`+fCoordinator,`
`2946`	`2945`	`)`
`2947`	`2946`	`deferclient.Close()`
`2948`		`-initialized:= atomic.Int32{}`
	`2947`	`+`
`2949`	`2948`	`closer:=agent.New(agent.Options{`
`2950`		`-ExchangeToken:func(ctx context.Context) (string,error) {`
`2951`		`-initialized.Add(1)`
`2952`		`-return"",nil`
`2953`		`-},`
`2954`	`2949`	`Client:client,`
`2955`	`2950`	`Logger:logger.Named("agent"),`
`2956`	`2951`	`})`
`2957`	`2952`	`defercloser.Close()`
`2958`	`2953`
`2959`		`-require.Eventually(t,func()bool {`
`2960`		`-returncoordinator.Node(agentID)!=nil`
`2961`		`-},testutil.WaitShort,testutil.IntervalFast)`
`2962`		`-client.LastWorkspaceAgent()`
`2963`		`-require.Eventually(t,func()bool {`
`2964`		`-returninitialized.Load()==2`
`2965`		`-},testutil.WaitShort,testutil.IntervalFast)`
	`2954`	`+call1:=testutil.RequireReceive(ctx,t,fCoordinator.CoordinateCalls)`
	`2955`	`+close(call1.Resps)// hang up`
	`2956`	`+// expect reconnect`
	`2957`	`+testutil.RequireReceive(ctx,t,fCoordinator.CoordinateCalls)`
	`2958`	`+closer.Close()`
`2966`	`2959`	`}`
`2967`	`2960`
`2968`	`2961`	`funcTestAgent_WriteVSCodeConfigs(t*testing.T) {`
`@@ -2984,9 +2977,6 @@ func TestAgent_WriteVSCodeConfigs(t *testing.T) {`
`2984`	`2977`	`deferclient.Close()`
`2985`	`2978`	`filesystem:=afero.NewMemMapFs()`
`2986`	`2979`	`closer:=agent.New(agent.Options{`
`2987`		`-ExchangeToken:func(ctx context.Context) (string,error) {`
`2988`		`-return"",nil`
`2989`		`-},`
`2990`	`2980`	`Client:client,`
`2991`	`2981`	`Logger:logger.Named("agent"),`
`2992`	`2982`	`Filesystem:filesystem,`
`@@ -3015,9 +3005,6 @@ func TestAgent_DebugServer(t *testing.T) {`
`3015`	`3005`	`conn,_,_,_,agnt:=setupAgent(t, agentsdk.Manifest{`
`3016`	`3006`	`DERPMap:derpMap,`
`3017`	`3007`	`},0,func(cagenttest.Client,oagent.Options) {`
`3018`		`-o.ExchangeToken=func(context.Context) (string,error) {`
`3019`		`-return"token",nil`
`3020`		`-}`
`3021`	`3008`	`o.LogDir=logDir`
`3022`	`3009`	`})`
`3023`	`3010`

`‎agent/agenttest/agent.go‎`

Lines changed: 1 addition & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,6 @@`
`1`	`1`	`package agenttest`
`2`	`2`
`3`	`3`	`import (`
`4`		`-"context"`
`5`	`4`	`"net/url"`
`6`	`5`	`"testing"`
`7`	`6`
`@@ -31,18 +30,11 @@ func New(t testing.TB, coderURL url.URL, agentToken string, opts ...func(agent`
`31`	`30`	`}`
`32`	`31`
`33`	`32`	`ifo.Client==nil {`
`34`		`-agentClient:=agentsdk.New(coderURL)`
`35`		`-agentClient.SetSessionToken(agentToken)`
	`33`	`+agentClient:=agentsdk.New(coderURL,agentsdk.UsingFixedToken(agentToken))`
`36`	`34`	`agentClient.SDK.SetLogger(log)`
`37`	`35`	`o.Client=agentClient`
`38`	`36`	`}`
`39`	`37`
`40`		`-ifo.ExchangeToken==nil {`
`41`		`-o.ExchangeToken=func(_ context.Context) (string,error) {`
`42`		`-returnagentToken,nil`
`43`		`-}`
`44`		`-}`
`45`		`-`
`46`	`38`	`ifo.LogDir=="" {`
`47`	`39`	`o.LogDir=t.TempDir()`
`48`	`40`	`}`

`‎agent/agenttest/client.go‎`

Lines changed: 16 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@ package agenttest`
`3`	`3`	`import (`
`4`	`4`	`"context"`
`5`	`5`	`"io"`
	`6`	`+"net/http"`
`6`	`7`	`"slices"`
`7`	`8`	`"sync"`
`8`	`9`	`"sync/atomic"`
`@@ -28,6 +29,7 @@ import (`
`28`	`29`	`"github.com/coder/coder/v2/tailnet"`
`29`	`30`	`"github.com/coder/coder/v2/tailnet/proto"`
`30`	`31`	`"github.com/coder/coder/v2/testutil"`
	`32`	`+"github.com/coder/websocket"`
`31`	`33`	`)`
`32`	`34`
`33`	`35`	`conststatsInterval=500*time.Millisecond`
`@@ -92,6 +94,20 @@ type Client struct {`
`92`	`94`	`derpMapOnce sync.Once`
`93`	`95`	`}`
`94`	`96`
	`97`	`+func (*Client)AsRequestOption() codersdk.RequestOption {`
	`98`	`+returnfunc(_*http.Request) {}`
	`99`	`+}`
	`100`	`+`
	`101`	`+func (Client)SetDialOption(websocket.DialOptions) {}`
	`102`	`+`
	`103`	`+func (*Client)GetSessionToken()string {`
	`104`	`+return"agenttest-token"`
	`105`	`+}`
	`106`	`+`
	`107`	`+func (*Client)RefreshToken(context.Context)error {`
	`108`	`+returnnil`
	`109`	`+}`
	`110`	`+`
`95`	`111`	`func (Client)RewriteDERPMap(tailcfg.DERPMap) {}`
`96`	`112`
`97`	`113`	`func (c*Client)Close() {`

`‎cli/agent.go‎`

Lines changed: 6 additions & 86 deletions

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,6 @@ import (`
`15`	`15`	`"strings"`
`16`	`16`	`"time"`
`17`	`17`
`18`		`-"cloud.google.com/go/compute/metadata"`
`19`	`18`	`"golang.org/x/xerrors"`
`20`	`19`	`"gopkg.in/natefinch/lumberjack.v2"`
`21`	`20`
`@@ -40,7 +39,6 @@ import (`
`40`	`39`
`41`	`40`	`func (rRootCmd)workspaceAgent()serpent.Command {`
`42`	`41`	`var (`
`43`		`-authstring`
`44`	`42`	`logDirstring`
`45`	`43`	`scriptDataDirstring`
`46`	`44`	`pprofAddressstring`
`@@ -177,11 +175,13 @@ func (r RootCmd) workspaceAgent() serpent.Command {`
`177`	`175`	`version:=buildinfo.Version()`
`178`	`176`	`logger.Info(ctx,"agent is starting now",`
`179`	`177`	`slog.F("url",r.agentURL),`
`180`		`-slog.F("auth",auth),`
	`178`	`+slog.F("auth",r.agentAuth),`
`181`	`179`	`slog.F("version",version),`
`182`	`180`	`)`
`183`		`-`
`184`		`-client:=agentsdk.New(r.agentURL)`
	`181`	`+client,err:=r.createAgentClient(ctx)`
	`182`	`+iferr!=nil {`
	`183`	`+returnxerrors.Errorf("create agent client: %w",err)`
	`184`	`+}`
`185`	`185`	`client.SDK.SetLogger(logger)`
`186`	`186`	`// Set a reasonable timeout so requests can't hang forever!`
`187`	`187`	`// The timeout needs to be reasonably long, because requests`
`@@ -214,68 +214,6 @@ func (r RootCmd) workspaceAgent() serpent.Command {`
`214`	`214`	`ignorePorts[port]="debug"`
`215`	`215`	`}`
`216`	`216`
`217`		`-// exchangeToken returns a session token.`
`218`		`-// This is abstracted to allow for the same looping condition`
`219`		`-// regardless of instance identity auth type.`
`220`		`-varexchangeTokenfunc(context.Context) (agentsdk.AuthenticateResponse,error)`
`221`		`-switchauth {`
`222`		`-case"token":`
`223`		`-token,_:=inv.ParsedFlags().GetString(varAgentToken)`
`224`		`-iftoken=="" {`
`225`		`-tokenFile,_:=inv.ParsedFlags().GetString(varAgentTokenFile)`
`226`		`-iftokenFile!="" {`
`227`		`-tokenBytes,err:=os.ReadFile(tokenFile)`
`228`		`-iferr!=nil {`
`229`		`-returnxerrors.Errorf("read token file %q: %w",tokenFile,err)`
`230`		`-}`
`231`		`-token=strings.TrimSpace(string(tokenBytes))`
`232`		`-}`
`233`		`-}`
`234`		`-iftoken=="" {`
`235`		`-returnxerrors.Errorf("CODER_AGENT_TOKEN or CODER_AGENT_TOKEN_FILE must be set for token auth")`
`236`		`-}`
`237`		`-client.SetSessionToken(token)`
`238`		`-case"google-instance-identity":`
`239`		`-// This is only done for testing to mock client authentication.`
`240`		`-// This will never be set in a production scenario.`
`241`		`-vargcpClient*metadata.Client`
`242`		`-gcpClientRaw:=ctx.Value("gcp-client")`
`243`		`-ifgcpClientRaw!=nil {`
`244`		`-gcpClient,_=gcpClientRaw.(*metadata.Client)`
`245`		`-}`
`246`		`-exchangeToken=func(ctx context.Context) (agentsdk.AuthenticateResponse,error) {`
`247`		`-returnclient.AuthGoogleInstanceIdentity(ctx,"",gcpClient)`
`248`		`-}`
`249`		`-case"aws-instance-identity":`
`250`		`-// This is only done for testing to mock client authentication.`
`251`		`-// This will never be set in a production scenario.`
`252`		`-varawsClient*http.Client`
`253`		`-awsClientRaw:=ctx.Value("aws-client")`
`254`		`-ifawsClientRaw!=nil {`
`255`		`-awsClient,_=awsClientRaw.(*http.Client)`
`256`		`-ifawsClient!=nil {`
`257`		`-client.SDK.HTTPClient=awsClient`
`258`		`-}`
`259`		`-}`
`260`		`-exchangeToken=func(ctx context.Context) (agentsdk.AuthenticateResponse,error) {`
`261`		`-returnclient.AuthAWSInstanceIdentity(ctx)`
`262`		`-}`
`263`		`-case"azure-instance-identity":`
`264`		`-// This is only done for testing to mock client authentication.`
`265`		`-// This will never be set in a production scenario.`
`266`		`-varazureClient*http.Client`
`267`		`-azureClientRaw:=ctx.Value("azure-client")`
`268`		`-ifazureClientRaw!=nil {`
`269`		`-azureClient,_=azureClientRaw.(*http.Client)`
`270`		`-ifazureClient!=nil {`
`271`		`-client.SDK.HTTPClient=azureClient`
`272`		`-}`
`273`		`-}`
`274`		`-exchangeToken=func(ctx context.Context) (agentsdk.AuthenticateResponse,error) {`
`275`		`-returnclient.AuthAzureInstanceIdentity(ctx)`
`276`		`-}`
`277`		`-}`
`278`		`-`
`279`	`217`	`executablePath,err:=os.Executable()`
`280`	`218`	`iferr!=nil {`
`281`	`219`	`returnxerrors.Errorf("getting os executable: %w",err)`
`@@ -343,18 +281,7 @@ func (r RootCmd) workspaceAgent() serpent.Command {`
`343`	`281`	`LogDir:logDir,`
`344`	`282`	`ScriptDataDir:scriptDataDir,`
`345`	`283`	`// #nosec G115 - Safe conversion as tailnet listen port is within uint16 range (0-65535)`
`346`		`-TailnetListenPort:uint16(tailnetListenPort),`
`347`		`-ExchangeToken:func(ctx context.Context) (string,error) {`
`348`		`-ifexchangeToken==nil {`
`349`		`-returnclient.SDK.SessionToken(),nil`
`350`		`-}`
`351`		`-resp,err:=exchangeToken(ctx)`
`352`		`-iferr!=nil {`
`353`		`-return"",err`
`354`		`-}`
`355`		`-client.SetSessionToken(resp.SessionToken)`
`356`		`-returnresp.SessionToken,nil`
`357`		`-},`
	`284`	`+TailnetListenPort:uint16(tailnetListenPort),`
`358`	`285`	`EnvironmentVariables:environmentVariables,`
`359`	`286`	`IgnorePorts:ignorePorts,`
`360`	`287`	`SSHMaxTimeout:sshMaxTimeout,`
`@@ -400,13 +327,6 @@ func (r RootCmd) workspaceAgent() serpent.Command {`
`400`	`327`	`}`
`401`	`328`
`402`	`329`	`cmd.Options= serpent.OptionSet{`
`403`		`-{`
`404`		`-Flag:"auth",`
`405`		`-Default:"token",`
`406`		`-Description:"Specify the authentication type to use for the agent.",`
`407`		`-Env:"CODER_AGENT_AUTH",`
`408`		`-Value:serpent.StringOf(&auth),`
`409`		`-},`
`410`	`330`	`{`
`411`	`331`	`Flag:"log-dir",`
`412`	`332`	`Default:os.TempDir(),`

`‎cli/exp_mcp.go‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -148,7 +148,7 @@ func (r RootCmd) mcpConfigureClaudeCode() serpent.Command {`
`148`	`148`	`binPath=testBinaryName`
`149`	`149`	`}`
`150`	`150`	`configureClaudeEnv:=map[string]string{}`
`151`		`-agentClient,err:=r.createAgentClient()`
	`151`	`+agentClient,err:=r.createAgentClient(inv.Context())`
`152`	`152`	`iferr!=nil {`
`153`	`153`	`cliui.Warnf(inv.Stderr,"failed to create agent client: %s",err)`
`154`	`154`	`}else {`
`@@ -494,7 +494,7 @@ func (r RootCmd) mcpServer() serpent.Command {`
`494`	`494`	`}`
`495`	`495`
`496`	`496`	`// Try to create an agent client for status reporting. Not validated.`
`497`		`-agentClient,err:=r.createAgentClient()`
	`497`	`+agentClient,err:=r.createAgentClient(inv.Context())`
`498`	`498`	`iferr==nil {`
`499`	`499`	`cliui.Infof(inv.Stderr,"Agent URL : %s",agentClient.SDK.URL.String())`
`500`	`500`	`srv.agentClient=agentClient`

`‎cli/externalauth.go‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -75,7 +75,7 @@ fi`
`75`	`75`	`returnxerrors.Errorf("agent token not found")`
`76`	`76`	`}`
`77`	`77`
`78`		`-client,err:=r.tryCreateAgentClient()`
	`78`	`+client,err:=r.createAgentClient(ctx)`
`79`	`79`	`iferr!=nil {`
`80`	`80`	`returnxerrors.Errorf("create agent client: %w",err)`
`81`	`81`	`}`

`‎cli/gitaskpass.go‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ func (r RootCmd) gitAskpass() serpent.Command {`
`33`	`33`	`returnxerrors.Errorf("parse host: %w",err)`
`34`	`34`	`}`
`35`	`35`
`36`		`-client,err:=r.tryCreateAgentClient()`
	`36`	`+client,err:=r.createAgentClient(ctx)`
`37`	`37`	`iferr!=nil {`
`38`	`38`	`returnxerrors.Errorf("create agent client: %w",err)`
`39`	`39`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit7a59dc6

File tree

33 files changed

33 files changed

`‎agent/agent.go‎`

`‎agent/agent_test.go‎`

`‎agent/agenttest/agent.go‎`

`‎agent/agenttest/client.go‎`

`‎cli/agent.go‎`

`‎cli/exp_mcp.go‎`

`‎cli/externalauth.go‎`

`‎cli/gitaskpass.go‎`

0 commit comments