coderd

package
v0.23.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 3, 2023 License: AGPL-3.0 Imports: 93 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AuthorizeFilter added in v0.6.0

func AuthorizeFilter[O rbac.Objecter](h *HTTPAuthorizer, r *http.Request, action rbac.Action, objects []O) ([]O, error)

AuthorizeFilter takes a list of objects and returns the filtered list of objects that the user is authorized to perform the given action on. This is faster than calling Authorize() on each object.

func ConvertProvisionerJobStatus added in v0.8.3

func ConvertProvisionerJobStatus(provisionerJob database.ProvisionerJob) codersdk.ProvisionerJobStatus

func GenerateAPIKeyIDSecret added in v0.13.6

func GenerateAPIKeyIDSecret() (id string, secret string, err error)

Generates a new ID and secret for an API key.

Types

type API added in v0.6.1

type API struct {
	*Options
	// ID is a uniquely generated ID on initialization.
	// This is used to associate objects with a specific
	// Coder API instance, like workspace agents to a
	// specific replica.
	ID                                uuid.UUID
	Auditor                           atomic.Pointer[audit.Auditor]
	WorkspaceClientCoordinateOverride atomic.Pointer[func(rw http.ResponseWriter) bool]
	TailnetCoordinator                atomic.Pointer[tailnet.Coordinator]
	QuotaCommitter                    atomic.Pointer[proto.QuotaCommitter]
	// WorkspaceProxyHostsFn returns the hosts of healthy workspace proxies
	// for header reasons.
	WorkspaceProxyHostsFn atomic.Pointer[func() []string]
	// TemplateScheduleStore is a pointer to an atomic pointer because this is
	// passed to another struct, and we want them all to be the same reference.
	TemplateScheduleStore *atomic.Pointer[schedule.TemplateScheduleStore]

	HTTPAuth *HTTPAuthorizer

	// APIHandler serves "/api/v2"
	APIHandler chi.Router
	// RootHandler serves "/"
	RootHandler chi.Router

	WebsocketWaitMutex sync.Mutex
	WebsocketWaitGroup sync.WaitGroup

	WorkspaceAppsProvider workspaceapps.SignedTokenProvider

	// Experiments contains the list of experiments currently enabled.
	// This is used to gate features that are not yet ready for production.
	Experiments codersdk.Experiments
	// contains filtered or unexported fields
}

func New

func New(options *Options) *API

@securitydefinitions.apiKey CoderSessionToken @in header @name Coder-Session-Token New constructs a Coder API handler.

func (*API) Authorize added in v0.6.1

func (api *API) Authorize(r *http.Request, action rbac.Action, object rbac.Objecter) bool

Authorize will return false if the user is not authorized to do the action. This function will log appropriately, but the caller must return an error to the api client. Eg:

if !api.Authorize(...) {
	httpapi.Forbidden(rw)
	return
}

func (*API) Close added in v0.6.1

func (api *API) Close() error

Close waits for all WebSocket connections to drain before returning.

func (*API) CreateInMemoryProvisionerDaemon added in v0.12.8

func (api *API) CreateInMemoryProvisionerDaemon(ctx context.Context, debounce time.Duration) (client proto.DRPCProvisionerDaemonClient, err error)

CreateInMemoryProvisionerDaemon is an in-memory connection to a provisionerd. Useful when starting coderd and provisionerd in the same process.

func (*API) CreateUser added in v0.9.0

func (api *API) CreateUser(ctx context.Context, store database.Store, req CreateUserRequest) (database.User, uuid.UUID, error)

func (*API) PrimaryRegion added in v0.23.1

func (api *API) PrimaryRegion(ctx context.Context) (codersdk.Region, error)

func (*API) ValidWorkspaceAppHostname added in v0.23.0

func (api *API) ValidWorkspaceAppHostname(ctx context.Context, host string, opts ValidWorkspaceAppHostnameOpts) (string, error)

ValidWorkspaceAppHostname checks if the given host is a valid workspace app hostname based on the provided options. It returns a scheme to force on success. If the hostname is not valid or doesn't match, an empty string is returned. Any error returned is a 500 error.

For hosts that match a wildcard app hostname, the scheme is forced to be the corresponding access URL scheme.

type CreateUserRequest added in v0.9.0

type CreateUserRequest struct {
	codersdk.CreateUserRequest
	LoginType database.LoginType
}

type GithubOAuth2Config added in v0.4.4

type GithubOAuth2Config struct {
	httpmw.OAuth2Config
	AuthenticatedUser           func(ctx context.Context, client *http.Client) (*github.User, error)
	ListEmails                  func(ctx context.Context, client *http.Client) ([]*github.UserEmail, error)
	ListOrganizationMemberships func(ctx context.Context, client *http.Client) ([]*github.Membership, error)
	TeamMembership              func(ctx context.Context, client *http.Client, org, team, username string) (*github.Membership, error)

	AllowSignups       bool
	AllowEveryone      bool
	AllowOrganizations []string
	AllowTeams         []GithubOAuth2Team
}

GithubOAuth2Provider exposes required functions for the Github authentication flow.

type GithubOAuth2Team added in v0.7.8

type GithubOAuth2Team struct {
	Organization string
	Slug         string
}

GithubOAuth2Team represents a team scoped to an organization.

type HTTPAuthorizer added in v0.8.7

type HTTPAuthorizer struct {
	Authorizer rbac.Authorizer
	Logger     slog.Logger
}

func (*HTTPAuthorizer) Authorize added in v0.8.7

func (h *HTTPAuthorizer) Authorize(r *http.Request, action rbac.Action, object rbac.Objecter) bool

Authorize will return false if the user is not authorized to do the action. This function will log appropriately, but the caller must return an error to the api client. Eg:

if !h.Authorize(...) {
	httpapi.Forbidden(rw)
	return
}

func (*HTTPAuthorizer) AuthorizeSQLFilter added in v0.9.3

func (h *HTTPAuthorizer) AuthorizeSQLFilter(r *http.Request, action rbac.Action, objectType string) (rbac.PreparedAuthorized, error)

AuthorizeSQLFilter returns an authorization filter that can used in a SQL 'WHERE' clause. If the filter is used, the resulting rows returned from postgres are already authorized, and the caller does not need to call 'Authorize()' on the returned objects. Note the authorization is only for the given action and object type.

type OIDCConfig added in v0.8.2

type OIDCConfig struct {
	httpmw.OAuth2Config

	Provider *oidc.Provider
	Verifier *oidc.IDTokenVerifier
	// EmailDomains are the domains to enforce when a user authenticates.
	EmailDomain  []string
	AllowSignups bool
	// IgnoreEmailVerified allows ignoring the email_verified claim
	// from an upstream OIDC provider. See #5065 for context.
	IgnoreEmailVerified bool
	// UsernameField selects the claim field to be used as the created user's
	// username.
	UsernameField string
	// EmailField selects the claim field to be used as the created user's
	// email.
	EmailField string
	// AuthURLParams are additional parameters to be passed to the OIDC provider
	// when requesting an access token.
	AuthURLParams map[string]string
	// IgnoreUserInfo causes Coder to only use claims from the ID token to
	// process OIDC logins. This is useful if the OIDC provider does not
	// support the userinfo endpoint, or if the userinfo endpoint causes
	// undesirable behavior.
	IgnoreUserInfo bool
	// GroupField selects the claim field to be used as the created user's
	// groups. If the group field is the empty string, then no group updates
	// will ever come from the OIDC provider.
	GroupField string
	// GroupMapping controls how groups returned by the OIDC provider get mapped
	// to groups within Coder.
	// map[oidcGroupName]coderGroupName
	GroupMapping map[string]string
	// SignInText is the text to display on the OIDC login button
	SignInText string
	// IconURL points to the URL of an icon to display on the OIDC login button
	IconURL string
}

type Options

type Options struct {
	AccessURL *url.URL
	// AppHostname should be the wildcard hostname to use for workspace
	// applications INCLUDING the asterisk, (optional) suffix and leading dot.
	// It will use the same scheme and port number as the access URL.
	// E.g. "*.apps.coder.com" or "*-apps.coder.com".
	AppHostname string
	// AppHostnameRegex contains the regex version of options.AppHostname as
	// generated by httpapi.CompileHostnamePattern(). It MUST be set if
	// options.AppHostname is set.
	AppHostnameRegex *regexp.Regexp
	Logger           slog.Logger
	Database         database.Store
	Pubsub           database.Pubsub

	// CacheDir is used for caching files served by the API.
	CacheDir string

	Auditor                        audit.Auditor
	AgentConnectionUpdateFrequency time.Duration
	AgentInactiveDisconnectTimeout time.Duration
	AWSCertificates                awsidentity.Certificates
	Authorizer                     rbac.Authorizer
	AzureCertificates              x509.VerifyOptions
	GoogleTokenValidator           *idtoken.Validator
	GithubOAuth2Config             *GithubOAuth2Config
	OIDCConfig                     *OIDCConfig
	PrometheusRegistry             *prometheus.Registry
	SecureAuthCookie               bool
	StrictTransportSecurityCfg     httpmw.HSTSConfig
	SSHKeygenAlgorithm             gitsshkey.Algorithm
	Telemetry                      telemetry.Reporter
	TracerProvider                 trace.TracerProvider
	GitAuthConfigs                 []*gitauth.Config
	RealIPConfig                   *httpmw.RealIPConfig
	TrialGenerator                 func(ctx context.Context, email string) error
	// TLSCertificates is used to mesh DERP servers securely.
	TLSCertificates       []tls.Certificate
	TailnetCoordinator    tailnet.Coordinator
	DERPServer            *derp.Server
	DERPMap               *tailcfg.DERPMap
	SwaggerEndpoint       bool
	SetUserGroups         func(ctx context.Context, tx database.Store, userID uuid.UUID, groupNames []string) error
	TemplateScheduleStore *atomic.Pointer[schedule.TemplateScheduleStore]
	// AppSecurityKey is the crypto key used to sign and encrypt tokens related to
	// workspace applications. It consists of both a signing and encryption key.
	AppSecurityKey     workspaceapps.SecurityKey
	HealthcheckFunc    func(ctx context.Context) (*healthcheck.Report, error)
	HealthcheckTimeout time.Duration
	HealthcheckRefresh time.Duration

	// APIRateLimit is the minutely throughput rate limit per user or ip.
	// Setting a rate limit <0 will disable the rate limiter across the entire
	// app. Some specific routes have their own configurable rate limits.
	APIRateLimit   int
	LoginRateLimit int
	FilesRateLimit int

	MetricsCacheRefreshInterval time.Duration
	AgentStatsRefreshInterval   time.Duration
	DeploymentValues            *codersdk.DeploymentValues
	UpdateCheckOptions          *updatecheck.Options // Set non-nil to enable update checking.

	// SSHConfig is the response clients use to configure config-ssh locally.
	SSHConfig codersdk.SSHConfigResponse

	HTTPClient *http.Client

	UpdateAgentMetrics func(ctx context.Context, username, workspaceName, agentName string, metrics []agentsdk.AgentMetric)
}

Options are requires parameters for Coder to start.

type ValidWorkspaceAppHostnameOpts added in v0.23.0

type ValidWorkspaceAppHostnameOpts struct {
	AllowPrimaryAccessURL bool
	AllowPrimaryWildcard  bool
	AllowProxyAccessURL   bool
	AllowProxyWildcard    bool
}

Directories

Path Synopsis
Package apidoc GENERATED BY SWAG; DO NOT EDIT This file was generated by swaggo/swag
Package apidoc GENERATED BY SWAG; DO NOT EDIT This file was generated by swaggo/swag
autobuild
Package database connects to external services for stateful storage.
Package database connects to external services for stateful storage.
dbauthz
Package dbauthz provides an authorization layer on top of the database.
Package dbauthz provides an authorization layer on top of the database.
Code generated by rbacgen/main.go.
Code generated by rbacgen/main.go.
regosql
Package regosql converts rego queries into SQL WHERE clauses.
Package regosql converts rego queries into SQL WHERE clauses.
regosql/sqltypes
Package sqltypes contains the types used to convert rego queries into SQL.
Package sqltypes contains the types used to convert rego queries into SQL.
package schedule provides utilities for managing template and workspace autostart and autostop schedules.
package schedule provides utilities for managing template and workspace autostart and autostop schedules.
Package updatecheck provides a mechanism for periodically checking for updates to Coder.
Package updatecheck provides a mechanism for periodically checking for updates to Coder.
util
ptr
Package ptr contains some utility methods related to pointers.
Package ptr contains some utility methods related to pointers.
tz
Package tz includes utilities for cross-platform timezone/location detection.
Package tz includes utilities for cross-platform timezone/location detection.
Package wsconncache caches workspace agent connections by UUID.
Package wsconncache caches workspace agent connections by UUID.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL