Package workspaceapps (v0.20.0)
Published: Mar 21, 2023 License: AGPL-3.0 Imports: 20 Imported by: 0

Documentation

Constants

const (
	// TODO(@deansheather): configurable expiry
	TicketExpiry = time.Minute

	// RedirectURIQueryParam is the query param for the app URL to be passed
	// back to the API auth endpoint on the main access URL.
	RedirectURIQueryParam = "redirect_uri"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type AccessMethod

type AccessMethod string
const (
	AccessMethodPath      AccessMethod = "path"
	AccessMethodSubdomain AccessMethod = "subdomain"
)

type Provider

type Provider struct {
	Logger slog.Logger

	AccessURL        *url.URL
	Authorizer       rbac.Authorizer
	Database         database.Store
	DeploymentValues *codersdk.DeploymentValues
	OAuth2Configs    *httpmw.OAuth2Configs
	TicketSigningKey []byte
}

Provider provides authentication and authorization for workspace apps. TODO(@deansheather): also provide workspace apps as a whole to remove all app code from coderd.

func New

func New(log slog.Logger, accessURL *url.URL, authz rbac.Authorizer, db database.Store, cfg *codersdk.DeploymentValues, oauth2Cfgs *httpmw.OAuth2Configs, ticketSigningKey []byte) *Provider

func (*Provider) GenerateTicket

func (p *Provider) GenerateTicket(payload Ticket) (string, error)

func (*Provider) ParseTicket

func (p *Provider) ParseTicket(ticketStr string) (Ticket, error)

func (*Provider) ResolveRequest

func (p *Provider) ResolveRequest(rw http.ResponseWriter, r *http.Request, appReq Request) (*Ticket, bool)

ResolveRequest takes an app request, checks if it's valid and authenticated, and returns a ticket with details about the app.

The ticket is written as a signed JWT into a cookie and will be automatically used in the next request to the same app to avoid database calls.

Upstream code should avoid any database calls ever.

type Request

type Request struct {
	AccessMethod AccessMethod
	// BasePath of the app. For path apps, this is the path prefix in the router
	// for this particular app. For subdomain apps, this should be "/". This is
	// used for setting the cookie path.
	BasePath string

	UsernameOrID string
	// WorkspaceAndAgent xor WorkspaceNameOrID are required.
	WorkspaceAndAgent string // "workspace" or "workspace.agent"
	WorkspaceNameOrID string
	// AgentNameOrID is not required if the workspace has only one agent.
	AgentNameOrID string
	AppSlugOrPort string
}

func (Request) Validate

func (r Request) Validate() error

type Ticket

type Ticket struct {
	// Request details.
	AccessMethod      AccessMethod `json:"access_method"`
	UsernameOrID      string       `json:"username_or_id"`
	WorkspaceNameOrID string       `json:"workspace_name_or_id"`
	AgentNameOrID     string       `json:"agent_name_or_id"`
	AppSlugOrPort     string       `json:"app_slug_or_port"`

	// Trusted resolved details.
	Expiry      int64     `json:"expiry"` // set by GenerateTicket if unset
	UserID      uuid.UUID `json:"user_id"`
	WorkspaceID uuid.UUID `json:"workspace_id"`
	AgentID     uuid.UUID `json:"agent_id"`
	AppURL      string    `json:"app_url"`
}

Ticket is the struct data contained inside a workspace app ticket JWE. It contains the details of the workspace app that the ticket is valid for to avoid database queries.

The JSON field names are short to reduce the size of the ticket.

func (Ticket) MatchesRequest

func (t Ticket) MatchesRequest(req Request) bool
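As an added illustration (not the package's own code) of why a ticket can be trusted without a database call: the request fields are bound into the signed payload, the signature is verified before any field is read, TicketExpiry is enforced, and MatchesRequest refuses a ticket issued for a different app. HMAC-SHA256 over JSON stands in for the package's signed JWT; Request, Ticket, the key and the token layout are assumed stand-ins.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

const TicketExpiry = time.Minute // same default as the page's TicketExpiry
// Request and Ticket are hypothetical stand-ins: the page's "Request details" fields plus an expiry.
type Request struct{ AccessMethod, UsernameOrID, WorkspaceNameOrID, AgentNameOrID, AppSlugOrPort string }
type Ticket struct {
	Request
	Expiry int64 `json:"expiry"` // unix seconds
}
// MatchesRequest binds a cached ticket to the exact app it was issued for.
func (t Ticket) MatchesRequest(req Request) bool { return t.Request == req }
// GenerateTicket signs the JSON payload with HMAC-SHA256, a stand-in for the package's signed JWT.
func GenerateTicket(key []byte, t Ticket, now time.Time) string {
	t.Expiry = now.Add(TicketExpiry).Unix()
	payload, _ := json.Marshal(t) // strings and an int64 only: cannot fail
	mac := hmac.New(sha256.New, key)
	mac.Write(payload)
	return base64.RawURLEncoding.EncodeToString(payload) + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// ParseTicket rejects a ticket that is forged, expired, or issued for an app other than req.
func ParseTicket(key []byte, token string, req Request, now time.Time) (Ticket, error) {
	p, s, ok := strings.Cut(token, ".")
	payload, err1 := base64.RawURLEncoding.DecodeString(p)
	sig, err2 := base64.RawURLEncoding.DecodeString(s)
	mac := hmac.New(sha256.New, key)
	mac.Write(payload)
	var t Ticket
	switch {
	case !ok || err1 != nil || err2 != nil || !hmac.Equal(sig, mac.Sum(nil)):
		return Ticket{}, errors.New("bad signature") // verify before trusting any field
	case json.Unmarshal(payload, &t) != nil:
		return Ticket{}, errors.New("malformed ticket")
	case now.Unix() >= t.Expiry:
		return Ticket{}, errors.New("ticket expired")
	case !t.MatchesRequest(req):
		return Ticket{}, errors.New("ticket issued for a different app")
	}
	return t, nil
}
```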
