Alert: Affected by GO-2024-2602 and 1 other vulnerability
Alert GO-2024-2602: Incorrect email domain verification in github.com/coder/coder
Alert GO-2024-3228: Coder vulnerable to post-auth URL redirection to untrusted site ('Open Redirect') in github.com/coder/coder
Notice: The highest tagged major version is v2.

coderd

package

v0.27.3

Warning

This package is not in the latest version of its module.

Published: Aug 1, 2023 License: AGPL-3.0 Imports: 98 Imported by: 0

Details

Repository

github.com/coder/coder

Documentation

Constants

View Source
const (
	OAuthConvertCookieValue = "coder_oauth_convert_jwt"
)

Variables

This section is empty.

Functions

func AuthorizeFilter added in v0.6.0

func AuthorizeFilter[O rbac.Objecter](h *HTTPAuthorizer, r *http.Request, action rbac.Action, objects []O) ([]O, error)

AuthorizeFilter takes a list of objects and returns the filtered list of objects that the user is authorized to perform the given action on. This is faster than calling Authorize() on each object.

func LatencyCheck added in v0.23.3

func LatencyCheck() http.HandlerFunc

LatencyCheck is an endpoint for the web UI to measure latency with. allowAll allows any Origin to get timing information. The allowAll should only be set in dev modes.

func ReadExperiments added in v0.26.2

func ReadExperiments(log slog.Logger, raw []string) codersdk.Experiments

nolint:revive

Types

type API added in v0.6.1

type API struct {
	// DeploymentID is loaded from the database on startup.
	DeploymentID string
	*Options
	// ID is a uniquely generated ID on initialization.
	// This is used to associate objects with a specific
	// Coder API instance, like workspace agents to a
	// specific replica.
	ID                                uuid.UUID
	Auditor                           atomic.Pointer[audit.Auditor]
	WorkspaceClientCoordinateOverride atomic.Pointer[func(rw http.ResponseWriter) bool]
	TailnetCoordinator                atomic.Pointer[tailnet.Coordinator]
	QuotaCommitter                    atomic.Pointer[proto.QuotaCommitter]
	// WorkspaceProxyHostsFn returns the hosts of healthy workspace proxies
	// for header reasons.
	WorkspaceProxyHostsFn atomic.Pointer[func() []string]
	// TemplateScheduleStore is a pointer to an atomic pointer because this is
	// passed to another struct, and we want them all to be the same reference.
	TemplateScheduleStore *atomic.Pointer[schedule.TemplateScheduleStore]
	// UserQuietHoursScheduleStore is a pointer to an atomic pointer for the
	// same reason as TemplateScheduleStore.
	UserQuietHoursScheduleStore *atomic.Pointer[schedule.UserQuietHoursScheduleStore]

	HTTPAuth *HTTPAuthorizer

	// APIHandler serves "/api/v2"
	APIHandler chi.Router
	// RootHandler serves "/"
	RootHandler chi.Router
	// SiteHandler serves static files for the dashboard.
	SiteHandler *site.Handler

	WebsocketWaitMutex sync.Mutex
	WebsocketWaitGroup sync.WaitGroup

	WorkspaceAppsProvider workspaceapps.SignedTokenProvider

	// Experiments contains the list of experiments currently enabled.
	// This is used to gate features that are not yet ready for production.
	Experiments codersdk.Experiments
	// contains filtered or unexported fields
}

func New

func New(options *Options) *API

@securitydefinitions.apiKey CoderSessionToken
@in header
@name Coder-Session-Token

New constructs a Coder API handler.

func (*API) Authorize added in v0.6.1

func (api *API) Authorize(r *http.Request, action rbac.Action, object rbac.Objecter) bool

Authorize will return false if the user is not authorized to do the action. This function will log appropriately, but the caller must return an error to the API client. E.g.:

	if !api.Authorize(...) {
		httpapi.Forbidden(rw)
		return
	}

func (*API) Close added in v0.6.1

func (api *API) Close() error

Close waits for all WebSocket connections to drain before returning.

func (*API) CreateInMemoryProvisionerDaemon added in v0.12.8

func (api *API) CreateInMemoryProvisionerDaemon(ctx context.Context, debounce time.Duration) (client proto.DRPCProvisionerDaemonClient, err error)

CreateInMemoryProvisionerDaemon is an in-memory connection to a provisionerd. Useful when starting coderd and provisionerd in the same process.

func (*API) CreateUser added in v0.9.0

func (api *API) CreateUser(ctx context.Context, store database.Store, req CreateUserRequest) (database.User, uuid.UUID, error)

func (*API) PrimaryRegion added in v0.23.1

func (api *API) PrimaryRegion(ctx context.Context) (codersdk.Region, error)

PrimaryRegion exposes the user-facing values of a workspace proxy to be used by a user.

func (*API) PrimaryWorkspaceProxy added in v0.24.0

func (api *API) PrimaryWorkspaceProxy(ctx context.Context) (database.WorkspaceProxy, error)

PrimaryWorkspaceProxy returns the primary workspace proxy for the site.

func (*API) ValidWorkspaceAppHostname added in v0.23.0

func (api *API) ValidWorkspaceAppHostname(ctx context.Context, host string, opts ValidWorkspaceAppHostnameOpts) (string, error)

ValidWorkspaceAppHostname checks if the given host is a valid workspace app hostname based on the provided options. It returns a scheme to force on success. If the hostname is not valid or doesn't match, an empty string is returned. Any error returned is a 500 error.

For hosts that match a wildcard app hostname, the scheme is forced to be the corresponding access URL scheme.

type CreateUserRequest added in v0.9.0

type CreateUserRequest struct {
	codersdk.CreateUserRequest
	CreateOrganization bool
	LoginType          database.LoginType
}

type GithubOAuth2Config added in v0.4.4

type GithubOAuth2Config struct {
	httpmw.OAuth2Config
	AuthenticatedUser           func(ctx context.Context, client *http.Client) (*github.User, error)
	ListEmails                  func(ctx context.Context, client *http.Client) ([]*github.UserEmail, error)
	ListOrganizationMemberships func(ctx context.Context, client *http.Client) ([]*github.Membership, error)
	TeamMembership              func(ctx context.Context, client *http.Client, org, team, username string) (*github.Membership, error)

	AllowSignups       bool
	AllowEveryone      bool
	AllowOrganizations []string
	AllowTeams         []GithubOAuth2Team
}

GithubOAuth2Provider exposes required functions for the Github authentication flow.

type GithubOAuth2Team added in v0.7.8

type GithubOAuth2Team struct {
	Organization string
	Slug         string
}

GithubOAuth2Team represents a team scoped to an organization.

type HTTPAuthorizer added in v0.8.7

type HTTPAuthorizer struct {
	Authorizer rbac.Authorizer
	Logger     slog.Logger
}

func (*HTTPAuthorizer) Authorize added in v0.8.7

func (h *HTTPAuthorizer) Authorize(r *http.Request, action rbac.Action, object rbac.Objecter) bool

Authorize will return false if the user is not authorized to do the action. This function will log appropriately, but the caller must return an error to the API client. E.g.:

	if !h.Authorize(...) {
		httpapi.Forbidden(rw)
		return
	}

func (*HTTPAuthorizer) AuthorizeSQLFilter added in v0.9.3

func (h *HTTPAuthorizer) AuthorizeSQLFilter(r *http.Request, action rbac.Action, objectType string) (rbac.PreparedAuthorized, error)

AuthorizeSQLFilter returns an authorization filter that can be used in a SQL 'WHERE' clause. If the filter is used, the resulting rows returned from Postgres are already authorized, and the caller does not need to call 'Authorize()' on the returned objects. Note the authorization is only for the given action and object type.

type OAuthConvertStateClaims added in v0.25.0

type OAuthConvertStateClaims struct {
	jwt.RegisteredClaims
	UserID        uuid.UUID          `json:"user_id"`
	State         string             `json:"state"`
	FromLoginType codersdk.LoginType `json:"from_login_type"`
	ToLoginType   codersdk.LoginType `json:"to_login_type"`
}

type OIDCConfig added in v0.8.2

type OIDCConfig struct {
	httpmw.OAuth2Config
	Provider *oidc.Provider
	Verifier *oidc.IDTokenVerifier
	// EmailDomains are the domains to enforce when a user authenticates.
	EmailDomain  []string
	AllowSignups bool
	// IgnoreEmailVerified allows ignoring the email_verified claim
	// from an upstream OIDC provider. See #5065 for context.
	IgnoreEmailVerified bool
	// UsernameField selects the claim field to be used as the created user's
	// username.
	UsernameField string
	// EmailField selects the claim field to be used as the created user's
	// email.
	EmailField string
	// AuthURLParams are additional parameters to be passed to the OIDC provider
	// when requesting an access token.
	AuthURLParams map[string]string
	// IgnoreUserInfo causes Coder to only use claims from the ID token to
	// process OIDC logins. This is useful if the OIDC provider does not
	// support the userinfo endpoint, or if the userinfo endpoint causes
	// undesirable behavior.
	IgnoreUserInfo bool
	// GroupField selects the claim field to be used as the created user's
	// groups. If the group field is the empty string, then no group updates
	// will ever come from the OIDC provider.
	GroupField string
	// GroupMapping controls how groups returned by the OIDC provider get mapped
	// to groups within Coder.
	// map[oidcGroupName]coderGroupName
	GroupMapping map[string]string
	// SignInText is the text to display on the OIDC login button
	SignInText string
	// IconURL points to the URL of an icon to display on the OIDC login button
	IconURL string
}
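The EmailDomain and IgnoreEmailVerified fields above decide whether an OIDC login is accepted at all, and the page's first alert (GO-2024-2602, "Incorrect email domain verification") is a reminder that this check is easy to get subtly wrong. The following is an added example, not code from the coder/coder project: it uses a local `oidcPolicy` struct and `idClaims` struct as stand-ins for the relevant OIDCConfig fields and ID-token claims (both are assumptions made for the example), shows the common suffix-match pitfall beside an exact domain comparison, and applies the email_verified rule the way a login handler would.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// oidcPolicy is a local stand-in for the two OIDCConfig fields this example
// is about; it is not the project's OIDCConfig type.
type oidcPolicy struct {
	EmailDomain         []string // allowed domains; empty is assumed to mean "no restriction"
	IgnoreEmailVerified bool
}

// idClaims is a local stand-in for the subset of ID-token claims used here.
type idClaims struct {
	Email         string
	EmailVerified bool
}

// naiveDomainCheck shows the common pitfall: a plain suffix test accepts
// "mallory@notcoder.com" when the allowed domain is "coder.com".
func naiveDomainCheck(email string, allowed []string) bool {
	for _, d := range allowed {
		if strings.HasSuffix(email, d) {
			return true
		}
	}
	return false
}

// EmailDomainAllowed compares the exact domain after the last "@" with each
// configured domain, case-insensitively. A domain that merely ends with the
// allowed string, a super-domain, or an extra "@" in the local part all fail.
func EmailDomainAllowed(email string, allowed []string) bool {
	if len(allowed) == 0 {
		return true
	}
	at := strings.LastIndex(email, "@")
	if at < 0 || at == len(email)-1 {
		return false
	}
	domain := strings.ToLower(strings.TrimSuffix(email[at+1:], "."))
	for _, d := range allowed {
		d = strings.ToLower(strings.TrimPrefix(strings.TrimSpace(d), "@"))
		if d != "" && domain == d {
			return true
		}
	}
	return false
}

var (
	ErrEmailUnverified = errors.New("email_verified claim is false")
	ErrEmailDomain     = errors.New("email domain is not permitted")
)

// AcceptLogin applies the policy in the order a login handler would: refuse
// an unverified email unless IgnoreEmailVerified is set, then enforce the
// domain list.
func AcceptLogin(p oidcPolicy, c idClaims) error {
	if !c.EmailVerified && !p.IgnoreEmailVerified {
		return ErrEmailUnverified
	}
	if !EmailDomainAllowed(c.Email, p.EmailDomain) {
		return fmt.Errorf("%w: %q", ErrEmailDomain, c.Email)
	}
	return nil
}

func main() {
	// Constructed sample policy and claims.
	p := oidcPolicy{EmailDomain: []string{"coder.com"}}
	for _, e := range []string{"alice@coder.com", "ALICE@Coder.COM", "mallory@notcoder.com", "bob@coder.com.example.net"} {
		fmt.Printf("%-28s naive=%-5v exact=%v\n", e, naiveDomainCheck(e, p.EmailDomain), EmailDomainAllowed(e, p.EmailDomain))
	}
	fmt.Println(AcceptLogin(p, idClaims{Email: "alice@coder.com", EmailVerified: false}))
}
```

The exact comparison is deliberately strict: it does not accept sub-domains of an allowed domain, so a deployment that wants "coder.com" and "eu.coder.com" lists both explicitly rather than relying on a suffix rule.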

type Options

type Options struct {
	AccessURL *url.URL
	// AppHostname should be the wildcard hostname to use for workspace
	// applications INCLUDING the asterisk, (optional) suffix and leading dot.
	// It will use the same scheme and port number as the access URL.
	// E.g. "*.apps.coder.com" or "*-apps.coder.com".
	AppHostname string
	// AppHostnameRegex contains the regex version of options.AppHostname as
	// generated by httpapi.CompileHostnamePattern(). It MUST be set if
	// options.AppHostname is set.
	AppHostnameRegex *regexp.Regexp
	Logger           slog.Logger
	Database         database.Store
	Pubsub           pubsub.Pubsub

	// CacheDir is used for caching files served by the API.
	CacheDir string

	Auditor                        audit.Auditor
	AgentConnectionUpdateFrequency time.Duration
	AgentInactiveDisconnectTimeout time.Duration
	AWSCertificates                awsidentity.Certificates
	Authorizer                     rbac.Authorizer
	AzureCertificates              x509.VerifyOptions
	GoogleTokenValidator           *idtoken.Validator
	GithubOAuth2Config             *GithubOAuth2Config
	OIDCConfig                     *OIDCConfig
	PrometheusRegistry             *prometheus.Registry
	SecureAuthCookie               bool
	StrictTransportSecurityCfg     httpmw.HSTSConfig
	SSHKeygenAlgorithm             gitsshkey.Algorithm
	Telemetry                      telemetry.Reporter
	TracerProvider                 trace.TracerProvider
	GitAuthConfigs                 []*gitauth.Config
	RealIPConfig                   *httpmw.RealIPConfig
	TrialGenerator                 func(ctx context.Context, email string) error
	// TLSCertificates is used to mesh DERP servers securely.
	TLSCertificates             []tls.Certificate
	TailnetCoordinator          tailnet.Coordinator
	DERPServer                  *derp.Server
	DERPMap                     *tailcfg.DERPMap
	SwaggerEndpoint             bool
	SetUserGroups               func(ctx context.Context, tx database.Store, userID uuid.UUID, groupNames []string) error
	TemplateScheduleStore       *atomic.Pointer[schedule.TemplateScheduleStore]
	UserQuietHoursScheduleStore *atomic.Pointer[schedule.UserQuietHoursScheduleStore]
	// AppSecurityKey is the crypto key used to sign and encrypt tokens related to
	// workspace applications. It consists of both a signing and encryption key.
	AppSecurityKey workspaceapps.SecurityKey

	HealthcheckFunc    func(ctx context.Context, apiKey string) *healthcheck.Report
	HealthcheckTimeout time.Duration
	HealthcheckRefresh time.Duration

	// OAuthSigningKey is the crypto key used to sign and encrypt state strings
	// related to OAuth. This is a symmetric secret key using hmac to sign payloads.
	// So this secret should **never** be exposed to the client.
	OAuthSigningKey [32]byte

	// APIRateLimit is the minutely throughput rate limit per user or ip.
	// Setting a rate limit <0 will disable the rate limiter across the entire
	// app. Some specific routes have their own configurable rate limits.
	APIRateLimit   int
	LoginRateLimit int
	FilesRateLimit int

	MetricsCacheRefreshInterval time.Duration
	AgentStatsRefreshInterval   time.Duration
	DeploymentValues            *codersdk.DeploymentValues
	UpdateCheckOptions          *updatecheck.Options // Set non-nil to enable update checking.

	// SSHConfig is the response clients use to configure config-ssh locally.
	SSHConfig codersdk.SSHConfigResponse

	HTTPClient *http.Client

	UpdateAgentMetrics func(ctx context.Context, username, workspaceName, agentName string, metrics []agentsdk.AgentMetric)
}

Options are the required parameters for Coder to start.
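The AppHostname/AppHostnameRegex pair above, together with the rule in ValidWorkspaceAppHostname that a host matching the wildcard app hostname is forced onto the access URL's scheme, hinges on how the wildcard is compiled: the asterisk must match exactly one DNS label and the remainder must be literal, otherwise an unrelated host could be treated as a workspace app host. The following is an added example, not the project's httpapi.CompileHostnamePattern() or ValidWorkspaceAppHostname; the function names CompileWildcardHostname, MatchWildcardHost and ForcedScheme and the sample hosts are constructed for this illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// CompileWildcardHostname is an illustrative stand-in (not the project's
// httpapi.CompileHostnamePattern) that turns a wildcard app hostname such as
// "*.apps.coder.com" or "*-apps.coder.com" into an anchored regexp. The
// asterisk matches exactly one DNS label, and the literal suffix is quoted so
// that "." cannot match an arbitrary character.
func CompileWildcardHostname(pattern string) (*regexp.Regexp, error) {
	pattern = strings.ToLower(strings.TrimSpace(pattern))
	if !strings.HasPrefix(pattern, "*") || strings.Count(pattern, "*") != 1 {
		return nil, fmt.Errorf("pattern %q must start with a single asterisk", pattern)
	}
	suffix := regexp.QuoteMeta(pattern[1:])
	if suffix == "" {
		return nil, fmt.Errorf("pattern %q needs a suffix after the asterisk", pattern)
	}
	// One label: alphanumerics with inner hyphens, no dots. The capture group
	// returns the label so a caller can decode the app identifier from it.
	return regexp.Compile(`^([a-z0-9](?:[a-z0-9-]*[a-z0-9])?)` + suffix + `$`)
}

// MatchWildcardHost lower-cases a Host header value, strips an optional port
// and trailing dot, and reports whether it matches the compiled pattern,
// returning the captured label.
func MatchWildcardHost(re *regexp.Regexp, host string) (string, bool) {
	host = strings.ToLower(host)
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	host = strings.TrimSuffix(host, ".")
	m := re.FindStringSubmatch(host)
	if m == nil {
		return "", false
	}
	return m[1], true
}

// ForcedScheme mirrors the documented rule that a host matching the wildcard
// app hostname is forced onto the access URL's scheme; it returns "" when the
// host does not match, like the empty-string result of ValidWorkspaceAppHostname.
func ForcedScheme(accessURL *url.URL, re *regexp.Regexp, host string) string {
	if _, ok := MatchWildcardHost(re, host); ok {
		return accessURL.Scheme
	}
	return ""
}

func main() {
	re, err := CompileWildcardHostname("*.apps.coder.com")
	if err != nil {
		panic(err)
	}
	accessURL, _ := url.Parse("https://coder.example.com") // constructed sample value
	for _, h := range []string{
		"8080--main--ws--alice.apps.coder.com:443",
		"a.b.apps.coder.com",
		"evilxapps.coder.com",
		"apps.coder.com.example.net",
	} {
		label, ok := MatchWildcardHost(re, h)
		fmt.Printf("%-42s match=%-5v label=%q scheme=%q\n", h, ok, label, ForcedScheme(accessURL, re, h))
	}
}
```

Only the first sample host matches: the multi-label host fails because a label cannot contain a dot, the third fails because the dot in the suffix is literal, and the fourth fails because the pattern is anchored at both ends.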

type ServerTailnet added in v0.26.2

type ServerTailnet struct {
	// contains filtered or unexported fields
}

func NewServerTailnet added in v0.26.2

func NewServerTailnet(
	ctx context.Context,
	logger slog.Logger,
	derpServer *derp.Server,
	derpMap *tailcfg.DERPMap,
	getMultiAgent func(context.Context) (tailnet.MultiAgentConn, error),
	cache *wsconncache.Cache,
) (*ServerTailnet, error)

NewServerTailnet creates a new tailnet intended for use by coderd. It automatically falls back to wsconncache if a legacy agent is encountered.

func (*ServerTailnet) AgentConn added in v0.26.2

func (s *ServerTailnet) AgentConn(ctx context.Context, agentID uuid.UUID) (*codersdk.WorkspaceAgentConn, func(), error)

func (*ServerTailnet) Close added in v0.26.2

func (s *ServerTailnet) Close() error

func (*ServerTailnet) DialAgentNetConn added in v0.26.2

func (s *ServerTailnet) DialAgentNetConn(ctx context.Context, agentID uuid.UUID, network, addr string) (net.Conn, error)

func (*ServerTailnet) ReverseProxy added in v0.26.2

func (s *ServerTailnet) ReverseProxy(targetURL, dashboardURL *url.URL, agentID uuid.UUID) (_ *httputil.ReverseProxy, release func(), _ error)

type ValidWorkspaceAppHostnameOpts added in v0.23.0

type ValidWorkspaceAppHostnameOpts struct {
	AllowPrimaryAccessURL bool
	AllowPrimaryWildcard  bool
	AllowProxyAccessURL   bool
	AllowProxyWildcard    bool
}

Source Files

Directories

Path / Synopsis

Package apidoc GENERATED BY SWAG; DO NOT EDIT This file was generated by swaggo/swag
Package autobuild contains logic for scheduling workspace builds in the background.
Package database connects to external services for stateful storage.
db2sdk
Package db2sdk provides common conversion routines from database types to codersdk types
dbauthz
Package dbauthz provides an authorization layer on top of the database.
dbmetrics
Code generated by coderd/database/gen/metrics.
dbmock
Package dbmock is a generated GoMock package.
Code generated by rbacgen/main.go.
regosql
Package regosql converts rego queries into SQL WHERE clauses.
regosql/sqltypes
Package sqltypes contains the types used to convert rego queries into SQL.
package schedule provides utilities for managing template and workspace autostart and autostop schedules.
Package updatecheck provides a mechanism for periodically checking for updates to Coder.
util
ptr
Package ptr contains some utility methods related to pointers.
tz
Package tz includes utilities for cross-platform timezone/location detection.
Package wsbuilder provides the Builder object, which encapsulates the common business logic of inserting a new workspace build into the database.
Package wsconncache caches workspace agent connections by UUID.
