coder/coder-jetbrains-toolboxPublic

NotificationsYou must be signed in to change notification settings
Fork4
Star12

Commit912237d

authored

feat: automatic mTLS certificate regeneration and retry mechanism (#224)

This adds support for automatically recovering from SSL handshake errorswhen certificates expired. When an SSL error occurs, the plugin will nowattempt to execute a configured external command to refreshcertificates. If successful, the SSL context is reloaded and the failedrequest is transparently retried. This improves reliability inenvironments with short-lived or frequently rotating certificates.Netflix requested this, they don't have a reliable mechanism to detectand refresh the certificates before any major disruption in CoderToolbox.

1 parentb7fa471 commit912237dCopy full SHA for 912237d

File tree

14 files changed

+181

-31

lines changed

CHANGELOG.md
src
- main/kotlin/com/coder/toolbox
  - CoderRemoteProvider.kt
  - cli
    - CoderCLIManager.kt
  - sdk
    - CoderHttpClientBuilder.kt
    - CoderRestClient.kt
    - interceptors
      - CertificateRefreshInterceptor.kt
  - settings
    - ReadOnlyCoderSettings.kt
  - store
    - CoderSettingsStore.kt
    - StoreKeys.kt
  - util
    - CoderProtocolHandler.kt
    - TLS.kt
  - views
    - ConnectStep.kt
    - DeploymentUrlStep.kt
- test/kotlin/com/coder/toolbox/settings
  - CoderSettingsTest.kt

14 files changed

+181

-31

lines changed

`‎CHANGELOG.md‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@`
`5`	`5`	`###Added`
`6`	`6`
`7`	`7`	`- application name can now be displayed as the main title page instead of the URL`
	`8`	`+- automatic mTLS certificate regeneration and retry mechanism`
`8`	`9`
`9`	`10`	`###Changed`
`10`	`11`

`‎src/main/kotlin/com/coder/toolbox/CoderRemoteProvider.kt‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -414,14 +414,14 @@ class CoderRemoteProvider(`
`414`	`414`	`* Auto-login only on first the firs run if there is a url & token configured or the auth`
`415`	`415`	`* should be done via certificates.`
`416`	`416`	`*/`
`417`		`-privatefunshouldDoAutoSetup():Boolean= firstRun&& (canAutoLogin()\|\|!settings.requireTokenAuth)`
	`417`	`+privatefunshouldDoAutoSetup():Boolean= firstRun&& (canAutoLogin()\|\|!settings.requiresTokenAuth)`
`418`	`418`
`419`	`419`	`funcanAutoLogin():Boolean=!context.secrets.tokenFor(context.deploymentUrl).isNullOrBlank()`
`420`	`420`
`421`	`421`	`privatefunonConnect(client:CoderRestClient,cli:CoderCLIManager) {`
`422`	`422`	`// Store the URL and token for use next time.`
`423`	`423`	`context.settingsStore.updateLastUsedUrl(client.url)`
`424`		`-if (context.settingsStore.requireTokenAuth) {`
	`424`	`+if (context.settingsStore.requiresTokenAuth) {`
`425`	`425`	`context.secrets.storeTokenFor(client.url, client.token?:"")`
`426`	`426`	`context.logger.info("Deployment URL and token were stored and will be available for automatic connection")`
`427`	`427`	`}else {`

`‎src/main/kotlin/com/coder/toolbox/cli/CoderCLIManager.kt‎`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@ import com.coder.toolbox.sdk.v2.models.Workspace`
`19`	`19`	`importcom.coder.toolbox.sdk.v2.models.WorkspaceAgent`
`20`	`20`	`importcom.coder.toolbox.settings.SignatureFallbackStrategy.ALLOW`
`21`	`21`	`importcom.coder.toolbox.util.InvalidVersionException`
	`22`	`+importcom.coder.toolbox.util.ReloadableTlsContext`
`22`	`23`	`importcom.coder.toolbox.util.SemVer`
`23`	`24`	`importcom.coder.toolbox.util.escape`
`24`	`25`	`importcom.coder.toolbox.util.escapeSubcommand`
`@@ -153,7 +154,8 @@ class CoderCLIManager(`
`153`	`154`	`}`
`154`	`155`	`val okHttpClient=CoderHttpClientBuilder.build(`
`155`	`156`	`context,`
`156`		`- interceptors`
	`157`	`+ interceptors,`
	`158`	`+ReloadableTlsContext(context.settingsStore.readOnly().tls)`
`157`	`159`	`)`
`158`	`160`
`159`	`161`	`val retrofit=Retrofit.Builder()`

`‎src/main/kotlin/com/coder/toolbox/sdk/CoderHttpClientBuilder.kt‎`

Lines changed: 6 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,24 +2,19 @@ package com.coder.toolbox.sdk`
`2`	`2`
`3`	`3`	`importcom.coder.toolbox.CoderToolboxContext`
`4`	`4`	`importcom.coder.toolbox.util.CoderHostnameVerifier`
`5`		`-importcom.coder.toolbox.util.coderSocketFactory`
`6`		`-importcom.coder.toolbox.util.coderTrustManagers`
	`5`	`+importcom.coder.toolbox.util.ReloadableTlsContext`
`7`	`6`	`importcom.jetbrains.toolbox.api.remoteDev.connection.ProxyAuth`
`8`	`7`	`importokhttp3.Credentials`
`9`	`8`	`importokhttp3.Interceptor`
`10`	`9`	`importokhttp3.OkHttpClient`
`11`		`-importjavax.net.ssl.X509TrustManager`
`12`	`10`
`13`	`11`	`object CoderHttpClientBuilder {`
`14`	`12`	`funbuild(`
`15`	`13`	`context:CoderToolboxContext,`
`16`		`-interceptors:List<Interceptor>`
	`14`	`+interceptors:List<Interceptor>,`
	`15`	`+tlsContext:ReloadableTlsContext`
`17`	`16`	`):OkHttpClient {`
`18`		`-val settings= context.settingsStore.readOnly()`
`19`		`-`
`20`		`-val socketFactory= coderSocketFactory(settings.tls)`
`21`		`-val trustManagers= coderTrustManagers(settings.tls.caPath)`
`22`		`-var builder=OkHttpClient.Builder()`
	`17`	`+val builder=OkHttpClient.Builder()`
`23`	`18`
`24`	`19`	`context.proxySettings.getProxy()?.let { proxy->`
`25`	`20`	`context.logger.info("proxy:$proxy")`
`@@ -43,8 +38,8 @@ object CoderHttpClientBuilder {`
`43`	`38`	`.build()`
`44`	`39`	`}`
`45`	`40`
`46`		`- builder.sslSocketFactory(socketFactory, trustManagers[0]asX509TrustManager)`
`47`		`- .hostnameVerifier(CoderHostnameVerifier(settings.tls.altHostname))`
	`41`	`+ builder.sslSocketFactory(tlsContext.sslSocketFactory, tlsContext.trustManager)`
	`42`	`+ .hostnameVerifier(CoderHostnameVerifier(context.settingsStore.tls.altHostname))`
`48`	`43`	`.retryOnConnectionFailure(true)`
`49`	`44`
`50`	`45`	`interceptors.forEach { interceptor->`

`‎src/main/kotlin/com/coder/toolbox/sdk/CoderRestClient.kt‎`

Lines changed: 11 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ import com.coder.toolbox.sdk.convertors.LoggingConverterFactory`
`7`	`7`	`importcom.coder.toolbox.sdk.convertors.OSConverter`
`8`	`8`	`importcom.coder.toolbox.sdk.convertors.UUIDConverter`
`9`	`9`	`importcom.coder.toolbox.sdk.ex.APIResponseException`
	`10`	`+importcom.coder.toolbox.sdk.interceptors.CertificateRefreshInterceptor`
`10`	`11`	`importcom.coder.toolbox.sdk.interceptors.Interceptors`
`11`	`12`	`importcom.coder.toolbox.sdk.v2.CoderV2RestFacade`
`12`	`13`	`importcom.coder.toolbox.sdk.v2.models.ApiErrorResponse`
`@@ -20,6 +21,7 @@ import com.coder.toolbox.sdk.v2.models.WorkspaceBuild`
`20`	`21`	`importcom.coder.toolbox.sdk.v2.models.WorkspaceBuildReason`
`21`	`22`	`importcom.coder.toolbox.sdk.v2.models.WorkspaceResource`
`22`	`23`	`importcom.coder.toolbox.sdk.v2.models.WorkspaceTransition`
	`24`	`+importcom.coder.toolbox.util.ReloadableTlsContext`
`23`	`25`	`importcom.squareup.moshi.Moshi`
`24`	`26`	`importokhttp3.OkHttpClient`
`25`	`27`	`importretrofit2.Response`
`@@ -40,6 +42,7 @@ open class CoderRestClient(`
`40`	`42`	`valtoken:String?,`
`41`	`43`	`privatevalpluginVersion:String ="development",`
`42`	`44`	`) {`
	`45`	`+privatelateinitvar tlsContext:ReloadableTlsContext`
`43`	`46`	`privatelateinitvar moshi:Moshi`
`44`	`47`	`privatelateinitvar httpClient:OkHttpClient`
`45`	`48`	`privatelateinitvar retroRestClient:CoderV2RestFacade`
`@@ -60,12 +63,17 @@ open class CoderRestClient(`
`60`	`63`	`.add(OSConverter())`
`61`	`64`	`.add(UUIDConverter())`
`62`	`65`	`.build()`
	`66`	`+`
	`67`	`+ tlsContext=ReloadableTlsContext(context.settingsStore.readOnly().tls)`
	`68`	`+`
`63`	`69`	`val interceptors= buildList {`
`64`		`-if (context.settingsStore.requireTokenAuth) {`
	`70`	`+if (context.settingsStore.requiresTokenAuth) {`
`65`	`71`	`if (token.isNullOrBlank()) {`
`66`	`72`	`throwIllegalStateException("Token is required for$url deployment")`
`67`	`73`	`}`
`68`	`74`	`add(Interceptors.tokenAuth(token))`
	`75`	`+ }elseif (context.settingsStore.requiresMTlsAuth&& context.settingsStore.tls.certRefreshCommand?.isNotBlank()==true) {`
	`76`	`+ add(CertificateRefreshInterceptor(context, tlsContext))`
`69`	`77`	`}`
`70`	`78`	`add((Interceptors.userAgent(pluginVersion)))`
`71`	`79`	`add(Interceptors.externalHeaders(context, url))`
`@@ -74,7 +82,8 @@ open class CoderRestClient(`
`74`	`82`
`75`	`83`	`httpClient=CoderHttpClientBuilder.build(`
`76`	`84`	`context,`
`77`		`- interceptors`
	`85`	`+ interceptors,`
	`86`	`+ tlsContext`
`78`	`87`	`)`
`79`	`88`
`80`	`89`	`retroRestClient=`

`‎src/main/kotlin/com/coder/toolbox/sdk/interceptors/CertificateRefreshInterceptor.kt‎`

Lines changed: 53 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,53 @@`
	`1`	`+packagecom.coder.toolbox.sdk.interceptors`
	`2`	`+`
	`3`	`+importcom.coder.toolbox.CoderToolboxContext`
	`4`	`+importcom.coder.toolbox.util.ReloadableTlsContext`
	`5`	`+importokhttp3.Interceptor`
	`6`	`+importokhttp3.Response`
	`7`	`+importorg.zeroturnaround.exec.ProcessExecutor`
	`8`	`+importjavax.net.ssl.SSLHandshakeException`
	`9`	`+importjavax.net.ssl.SSLPeerUnverifiedException`
	`10`	`+`
	`11`	`+classCertificateRefreshInterceptor(`
	`12`	`+privatevalcontext:CoderToolboxContext,`
	`13`	`+privatevaltlsContext:ReloadableTlsContext`
	`14`	`+) : Interceptor {`
	`15`	`+overridefunintercept(chain:Interceptor.Chain):Response {`
	`16`	`+val request= chain.request()`
	`17`	`+try {`
	`18`	`+return chain.proceed(request)`
	`19`	`+ }catch (e:Exception) {`
	`20`	`+if ((eisSSLHandshakeException\|\| eisSSLPeerUnverifiedException)&& (e.message?.contains("certificate_expired")==true)) {`
	`21`	`+val command= context.settingsStore.tls.certRefreshCommand`
	`22`	`+if (command.isNullOrBlank()) {`
	`23`	`+throwIllegalStateException(`
	`24`	`+"Certificate expiration interceptor was set but the refresh command was removed in the meantime",`
	`25`	`+ e`
	`26`	`+ )`
	`27`	`+ }`
	`28`	`+`
	`29`	`+ context.logger.info("SSL handshake exception encountered: certificates expired. Running certificate refresh command:$command")`
	`30`	`+try {`
	`31`	`+val result=ProcessExecutor()`
	`32`	`+ .command(command.split("").toList())`
	`33`	`+ .exitValueNormal()`
	`34`	`+ .readOutput(true)`
	`35`	`+ .execute()`
	`36`	+ context.logger.info("`$command`:${result.outputUTF8()}")
	`37`	`+`
	`38`	`+if (result.exitValue==0) {`
	`39`	`+ context.logger.info("Certificate refresh command executed successfully. Reloading SSL certificates.")`
	`40`	`+ tlsContext.reload()`
	`41`	`+// Retry the request`
	`42`	`+return chain.proceed(request)`
	`43`	`+ }else {`
	`44`	`+ context.logger.error("Certificate refresh command failed with exit code${result.exitValue}")`
	`45`	`+ }`
	`46`	`+ }catch (ex:Exception) {`
	`47`	`+ context.logger.error(ex,"Failed to execute certificate refresh command")`
	`48`	`+ }`
	`49`	`+ }`
	`50`	`+throw e`
	`51`	`+ }`
	`52`	`+ }`
	`53`	`+}`

`‎src/main/kotlin/com/coder/toolbox/settings/ReadOnlyCoderSettings.kt‎`

Lines changed: 12 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -114,7 +114,12 @@ interface ReadOnlyCoderSettings {`
`114`	`114`	`/**`
`115`	`115`	`* Whether login should be done with a token`
`116`	`116`	`*/`
`117`		`-val requireTokenAuth:Boolean`
	`117`	`+val requiresTokenAuth:Boolean`
	`118`	`+`
	`119`	`+/**`
	`120`	`+ * Whether the authentication is done with certificates.`
	`121`	`+*/`
	`122`	`+val requiresMTlsAuth:Boolean`
`118`	`123`
`119`	`124`	`/**`
`120`	`125`	`* Whether to add --disable-autostart to the proxy command. This works`
`@@ -216,6 +221,12 @@ interface ReadOnlyTLSSettings {`
`216`	`221`	`* Coder service does not match the hostname in the TLS certificate.`
`217`	`222`	`*/`
`218`	`223`	`val altHostname:String?`
	`224`	`+`
	`225`	`+/**`
	`226`	`+ * Command to run when certificates expire and SSLHandshakeException`
	`227`	+ * is raised with `Received fatal alert: certificate_expired` as message
	`228`	`+*/`
	`229`	`+val certRefreshCommand:String?`
`219`	`230`	`}`
`220`	`231`
`221`	`232`	`enumclassSignatureFallbackStrategy {`

`‎src/main/kotlin/com/coder/toolbox/store/CoderSettingsStore.kt‎`

Lines changed: 6 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -32,7 +32,8 @@ class CoderSettingsStore(`
`32`	`32`	`overridevalcertPath:String?,`
`33`	`33`	`overridevalkeyPath:String?,`
`34`	`34`	`overridevalcaPath:String?,`
`35`		`-overridevalaltHostname:String?`
	`35`	`+overridevalaltHostname:String?,`
	`36`	`+overridevalcertRefreshCommand:String?`
`36`	`37`	`) : ReadOnlyTLSSettings`
`37`	`38`
`38`	`39`	`// Properties implementation`
`@@ -62,9 +63,11 @@ class CoderSettingsStore(`
`62`	`63`	`certPath= store[TLS_CERT_PATH],`
`63`	`64`	`keyPath= store[TLS_KEY_PATH],`
`64`	`65`	`caPath= store[TLS_CA_PATH],`
`65`		`- altHostname= store[TLS_ALTERNATE_HOSTNAME]`
	`66`	`+ altHostname= store[TLS_ALTERNATE_HOSTNAME],`
	`67`	`+ certRefreshCommand= store[TLS_CERT_REFRESH_COMMAND]`
`66`	`68`	`)`
`67`		`-overrideval requireTokenAuth:Boolean get()= tls.certPath.isNullOrBlank()\|\| tls.keyPath.isNullOrBlank()`
	`69`	`+overrideval requiresTokenAuth:Boolean get()= tls.certPath.isNullOrBlank()\|\| tls.keyPath.isNullOrBlank()`
	`70`	`+overrideval requiresMTlsAuth:Boolean get()= tls.certPath?.isNotBlank()==true&& tls.keyPath?.isNotBlank()==true`
`68`	`71`	`overrideval disableAutostart:Boolean`
`69`	`72`	`get()= store[DISABLE_AUTOSTART]?.toBooleanStrictOrNull()?: (getOS()==OS.MAC)`
`70`	`73`	`overrideval isSshWildcardConfigEnabled:Boolean`

`‎src/main/kotlin/com/coder/toolbox/store/StoreKeys.kt‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,8 @@ internal const val TLS_CA_PATH = "tlsCAPath"`
`36`	`36`
`37`	`37`	`internalconstvalTLS_ALTERNATE_HOSTNAME="tlsAlternateHostname"`
`38`	`38`
	`39`	`+internalconstvalTLS_CERT_REFRESH_COMMAND="tlsCertRefreshCommand"`
	`40`	`+`
`39`	`41`	`internalconstvalDISABLE_AUTOSTART="disableAutostart"`
`40`	`42`
`41`	`43`	`internalconstvalENABLE_SSH_WILDCARD_CONFIG="enableSshWildcardConfig"`

`‎src/main/kotlin/com/coder/toolbox/util/CoderProtocolHandler.kt‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -70,7 +70,7 @@ open class CoderProtocolHandler(`
`70`	`70`
`71`	`71`	`context.logger.info("Handling$uri...")`
`72`	`72`	`val deploymentURL= resolveDeploymentUrl(params)?:return`
`73`		`-val token=if (!context.settingsStore.requireTokenAuth)nullelse resolveToken(params)?:return`
	`73`	`+val token=if (!context.settingsStore.requiresTokenAuth)nullelse resolveToken(params)?:return`
`74`	`74`	`val workspaceName= resolveWorkspaceName(params)?:return`
`75`	`75`
`76`	`76`	`suspendfunonConnect(`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit912237d

File tree

14 files changed

14 files changed

`‎CHANGELOG.md‎`

`‎src/main/kotlin/com/coder/toolbox/CoderRemoteProvider.kt‎`

`‎src/main/kotlin/com/coder/toolbox/cli/CoderCLIManager.kt‎`

`‎src/main/kotlin/com/coder/toolbox/sdk/CoderHttpClientBuilder.kt‎`

`‎src/main/kotlin/com/coder/toolbox/sdk/CoderRestClient.kt‎`

`‎src/main/kotlin/com/coder/toolbox/sdk/interceptors/CertificateRefreshInterceptor.kt‎`

`‎src/main/kotlin/com/coder/toolbox/settings/ReadOnlyCoderSettings.kt‎`

`‎src/main/kotlin/com/coder/toolbox/store/CoderSettingsStore.kt‎`

`‎src/main/kotlin/com/coder/toolbox/store/StoreKeys.kt‎`

`‎src/main/kotlin/com/coder/toolbox/util/CoderProtocolHandler.kt‎`

0 commit comments