package cli

import (

"bufio"

"bytes"

"context"

"crypto/tls"

"crypto/x509"

"encoding/base64"

"encoding/json"

"errors"

"flag"

"fmt"

"io"

"net/http"

"net/url"

"os"

"os/exec"

"os/signal"

"path/filepath"

"runtime"

"runtime/trace"

"slices"

"strings"

"sync"

"syscall"

"text/tabwriter"

"time"

"github.com/mattn/go-isatty"

"github.com/mitchellh/go-wordwrap"

"golang.org/x/mod/semver"

"golang.org/x/xerrors"

"github.com/coder/coder/v2/buildinfo"

"github.com/coder/coder/v2/cli/cliui"

"github.com/coder/coder/v2/cli/config"

"github.com/coder/coder/v2/cli/gitauth"

"github.com/coder/coder/v2/cli/sessionstore"

"github.com/coder/coder/v2/cli/telemetry"

"github.com/coder/coder/v2/codersdk"

"github.com/coder/coder/v2/codersdk/agentsdk"

"github.com/coder/pretty"

"github.com/coder/quartz"

"github.com/coder/serpent"

)

var (

Caret = pretty.Sprint(cliui.DefaultStyles.Prompt, "")

// Applied as annotations to workspace commands

// so they display in a separated "help" section.

workspaceCommand = map[string]string{

"workspaces": "",

}

// ErrSilent is a sentinel error that tells the command handler to just exit with a non-zero error, but not print

// anything.

ErrSilent = xerrors.New("silent error")

errKeyringNotSupported = xerrors.New("keyring storage is not supported on this operating system; omit --use-keyring to use file-based storage")

)

const (

varURL = "url"

varToken = "token"

varHeader = "header"

varHeaderCommand = "header-command"

varNoOpen = "no-open"

varNoVersionCheck = "no-version-warning"

varNoFeatureWarning = "no-feature-warning"

varForceTty = "force-tty"

varVerbose = "verbose"

varDisableDirect = "disable-direct-connections"

varDisableNetworkTelemetry = "disable-network-telemetry"

varUseKeyring = "use-keyring"

varClientTLSCAFile = "client-tls-ca-file"

varClientTLSCertFile = "client-tls-cert-file"

varClientTLSKeyFile = "client-tls-key-file"

notLoggedInMessage = "You are not logged in. Try logging in using '%s login <url>'."

envNoVersionCheck = "CODER_NO_VERSION_WARNING"

envNoFeatureWarning = "CODER_NO_FEATURE_WARNING"

envSessionToken = "CODER_SESSION_TOKEN"

envUseKeyring = "CODER_USE_KEYRING"

envClientTLSCAFile = "CODER_CLIENT_TLS_CA_FILE"

envClientTLSCertFile = "CODER_CLIENT_TLS_CERT_FILE"

envClientTLSKeyFile = "CODER_CLIENT_TLS_KEY_FILE"

//nolint:gosec

envAgentToken = "CODER_AGENT_TOKEN"

//nolint:gosec

envAgentTokenFile = "CODER_AGENT_TOKEN_FILE"

envAgentURL = "CODER_AGENT_URL"

envAgentAuth = "CODER_AGENT_AUTH"

envAgentName = "CODER_AGENT_NAME"

envURL = "CODER_URL"

)

func (r *RootCmd) CoreSubcommands() []*serpent.Command {

// Please re-sort this list alphabetically if you change it!

return []*serpent.Command{

r.agentsCommand(),

r.completion(),

r.dotfiles(),

externalAuth(),

r.login(),

r.logout(),

r.netcheck(),

r.notifications(),

r.organizations(),

r.portForward(),

r.publickey(),

r.resetPassword(),

r.secrets(),

r.sharing(),

r.state(),

r.tasksCommand(),

r.templates(),

r.tokens(),

r.users(),

r.version(defaultVersionInfo),

// Workspace Commands

r.autoupdate(),

r.configSSH(),

r.Create(CreateOptions{}),

r.deleteWorkspace(),

r.favorite(),

r.list(),

r.logs(),

r.open(),

r.ping(),

r.rename(),

r.restart(),

r.schedules(),

r.show(),

r.speedtest(),

r.ssh(),

r.start(),

r.stat(),

r.stop(),

r.unfavorite(),

r.update(),

r.whoami(),

// Hidden

r.connectCmd(),

gitssh(),

r.support(),

r.vpnDaemon(),

r.vscodeSSH(),

workspaceAgent(),

}

}

// AGPLExperimental returns all AGPL experimental subcommands.

func (r *RootCmd) AGPLExperimental() []*serpent.Command {

return []*serpent.Command{

r.scaletestCmd(),

r.errorExample(),

r.chatCommand(),

r.mcpCommand(),

r.promptExample(),

r.rptyCommand(),

r.syncCommand(),

}

}

// AGPL returns all AGPL commands including any non-core commands that are

// duplicated in the Enterprise CLI.

func (r *RootCmd) AGPL() []*serpent.Command {

all := append(

r.CoreSubcommands(),

r.Server( /* Do not import coderd here. */ nil),

r.Provisioners(),

ExperimentalCommand(r.AGPLExperimental()),

)

return all

}

// ExperimentalCommand creates an experimental command that is hidden and has

// the given subcommands.

func ExperimentalCommand(subcommands []*serpent.Command) *serpent.Command {

cmd := &serpent.Command{

Use: "exp",

Short: "Internal commands for testing and experimentation. These are prone to breaking changes with no notice.",

Handler: func(i *serpent.Invocation) error {

return i.Command.HelpHandler(i)

},

Hidden: true,

Children: subcommands,

}

return cmd

}

// RunWithSubcommands runs the root command with the given subcommands.

// It is abstracted to enable the Enterprise code to add commands.

func (r *RootCmd) RunWithSubcommands(subcommands []*serpent.Command) {

// This configuration is not available as a standard option because we

// want to trace the entire program, including Options parsing.

goTraceFilePath, ok := os.LookupEnv("CODER_GO_TRACE")

if ok {

traceFile, err := os.OpenFile(goTraceFilePath, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0o644)

if err != nil {

panic(fmt.Sprintf("failed to open trace file: %v", err))

}

defer traceFile.Close()

if err := trace.Start(traceFile); err != nil {

panic(fmt.Sprintf("failed to start trace: %v", err))

}

defer trace.Stop()

}

cmd, err := r.Command(subcommands)

if err != nil {

panic(err)

}

err = cmd.Invoke().WithOS().Run()

if err != nil {

code := 1

var exitErr *exitError

if errors.As(err, &exitErr) {

code = exitErr.code

err = exitErr.err

}

if errors.Is(err, cliui.ErrCanceled) {

//nolint:revive,gocritic

os.Exit(code)

}

if errors.Is(err, ErrSilent) {

//nolint:revive,gocritic

os.Exit(code)

}

f := PrettyErrorFormatter{w: os.Stderr, verbose: r.verbose}

if err != nil {

f.Format(err)

}

//nolint:revive,gocritic

os.Exit(code)

}

}

func (r *RootCmd) Command(subcommands []*serpent.Command) (*serpent.Command, error) {

if r.clock == nil {

r.clock = quartz.NewReal()

}

fmtLong := `Coder %s — A tool for provisioning self-hosted development environments with Terraform.

`

hiddenAgentAuth := &AgentAuth{}

cmd := &serpent.Command{

Use: "coder [global-flags] <subcommand>",

Long: fmt.Sprintf(fmtLong, buildinfo.Version()) + FormatExamples(

Example{

Description: "Start a Coder server",

Command: "coder server",

},

Example{

Description: "Get started by creating a template from an example",

Command: "coder templates init",

},

),

Handler: func(i *serpent.Invocation) error {

if r.versionFlag {

return r.version(defaultVersionInfo).Handler(i)

}

// The GIT_ASKPASS environment variable must point at

// a binary with no arguments. To prevent writing

// cross-platform scripts to invoke the Coder binary

// with a `gitaskpass` subcommand, we override the entrypoint

// to check if the command was invoked.

if gitauth.CheckCommand(i.Args, i.Environ.ToOS()) {

return gitAskpass(hiddenAgentAuth).Handler(i)

}

return i.Command.HelpHandler(i)

},

}

cmd.AddSubcommands(subcommands...)

// Set default help handler for all commands.

cmd.Walk(func(c *serpent.Command) {

if c.HelpHandler == nil {

c.HelpHandler = helpFn()

}

})

var merr error

// Add [flags] to usage when appropriate.

cmd.Walk(func(cmd *serpent.Command) {

const flags = "[flags]"

if strings.Contains(cmd.Use, flags) {

merr = errors.Join(

merr,

xerrors.Errorf(

"command %q shouldn't have %q in usage since it's automatically populated",

cmd.FullUsage(),

flags,

),

)

return

}

var hasFlag bool

for _, opt := range cmd.Options {

if opt.Flag != "" {

hasFlag = true

break

}

}

if !hasFlag {

return

}

// We insert [flags] between the command's name and its arguments.

tokens := strings.SplitN(cmd.Use, " ", 2)

if len(tokens) == 1 {

cmd.Use = fmt.Sprintf("%s %s", tokens[0], flags)

return

}

cmd.Use = fmt.Sprintf("%s %s %s", tokens[0], flags, tokens[1])

})

// Add aliases when appropriate.

cmd.Walk(func(cmd *serpent.Command) {

// TODO: we should really be consistent about naming.

if cmd.Name() == "delete" || cmd.Name() == "remove" {

if !slices.Contains(cmd.Aliases, "rm") {

cmd.Aliases = append(cmd.Aliases, "rm")

}

}

})

// Sanity-check command options.

cmd.Walk(func(cmd *serpent.Command) {

for _, opt := range cmd.Options {

// Verify that every option is configurable.

if opt.Flag == "" && opt.Env == "" {

if cmd.Name() == "server" {

// The server command is funky and has YAML-only options, e.g.

// support links.

return

}

if cmd.Name() == "boundary" {

// The boundary command is integrated from the boundary package

// and has YAML-only options (e.g., allowlist from config file)

// that don't have flags or env vars.

return

}

merr = errors.Join(

merr,

xerrors.Errorf("option %q in %q should have a flag or env", opt.Name, cmd.FullName()),

)

}

}

})

if merr != nil {

return nil, merr

}

var debugOptions bool

// Add a wrapper to every command to enable debugging options.

cmd.Walk(func(cmd *serpent.Command) {

h := cmd.Handler

if h == nil {

// We should never have a nil handler, but if we do, do not

// wrap it. Wrapping it just hides a nil pointer dereference.

// If a nil handler exists, this is a developer bug. If no handler

// is required for a command such as command grouping (e.g. `users'

// and 'groups'), then the handler should be set to the helper

// function.

// func(inv *serpent.Invocation) error {

// return inv.Command.HelpHandler(inv)

// }

return

}

cmd.Handler = func(i *serpent.Invocation) error {

if !debugOptions {

return h(i)

}

tw := tabwriter.NewWriter(i.Stdout, 0, 0, 4, ' ', 0)

_, _ = fmt.Fprintf(tw, "Option\tValue Source\n")

for _, opt := range cmd.Options {

_, _ = fmt.Fprintf(tw, "%q\t%v\n", opt.Name, opt.ValueSource)

}

tw.Flush()

return nil

}

})

// Add the PrintDeprecatedOptions middleware to all commands.

cmd.Walk(func(cmd *serpent.Command) {

if cmd.Middleware == nil {

cmd.Middleware = PrintDeprecatedOptions()

} else {

cmd.Middleware = serpent.Chain(cmd.Middleware, PrintDeprecatedOptions())

}

})

if r.clientURL == nil {

r.clientURL = new(url.URL)

}

globalGroup := &serpent.Group{

Name: "Global",

Description: `Global options are applied to all commands. They can be set using environment variables or flags.`,

}

cmd.Options = serpent.OptionSet{

{

Flag: varURL,

Env: envURL,

Description: "URL to a deployment.",

Value: serpent.URLOf(r.clientURL),

Group: globalGroup,

},

{

Flag: "debug-options",

Description: "Print all options, how they're set, then exit.",

Value: serpent.BoolOf(&debugOptions),

Group: globalGroup,

},

{

Flag: varToken,

Env: envSessionToken,

Description: fmt.Sprintf("Specify an authentication token. For security reasons setting %s is preferred.", envSessionToken),

Value: serpent.StringOf(&r.token),

Group: globalGroup,

},

{

Flag: varNoVersionCheck,

Env: envNoVersionCheck,

Description: "Suppress warning when client and server versions do not match.",

Value: serpent.BoolOf(&r.noVersionCheck),

Group: globalGroup,

},

{

Flag: varNoFeatureWarning,

Env: envNoFeatureWarning,

Description: "Suppress warnings about unlicensed features.",

Value: serpent.BoolOf(&r.noFeatureWarning),

Group: globalGroup,

},

{

Flag: varHeader,

Env: "CODER_HEADER",

Description: "Additional HTTP headers added to all requests. Provide as " + `key=value` + ". Can be specified multiple times.",

Value: serpent.StringArrayOf(&r.header),

Group: globalGroup,

},

{

Flag: varHeaderCommand,

Env: "CODER_HEADER_COMMAND",

Description: "An external command that outputs additional HTTP headers added to all requests. The command must output each header as `key=value` on its own line.",

Value: serpent.StringOf(&r.headerCommand),

Group: globalGroup,

},

{

Flag: varNoOpen,

Env: "CODER_NO_OPEN",

Description: "Suppress opening the browser when logging in, or starting the server.",

Value: serpent.BoolOf(&r.noOpen),

Hidden: true,

Group: globalGroup,

},

{

Flag: varForceTty,

Env: "CODER_FORCE_TTY",

Hidden: false,

Description: "Force the use of a TTY.",

Value: serpent.BoolOf(&r.forceTTY),

Group: globalGroup,

},

{

Flag: varVerbose,

FlagShorthand: "v",

Env: "CODER_VERBOSE",

Description: "Enable verbose output.",

Value: serpent.BoolOf(&r.verbose),

Group: globalGroup,

},

{

Flag: varDisableDirect,

Env: "CODER_DISABLE_DIRECT_CONNECTIONS",

Description: "Disable direct (P2P) connections to workspaces.",

Value: serpent.BoolOf(&r.disableDirect),

Group: globalGroup,

},

{

Flag: varDisableNetworkTelemetry,

Env: "CODER_DISABLE_NETWORK_TELEMETRY",

Description: "Disable network telemetry. Network telemetry is collected when connecting to workspaces using the CLI, and is forwarded to the server. If telemetry is also enabled on the server, it may be sent to Coder. Network telemetry is used to measure network quality and detect regressions.",

Value: serpent.BoolOf(&r.disableNetworkTelemetry),

Group: globalGroup,

},

{

Flag: varClientTLSCAFile,

Env: envClientTLSCAFile,

Description: "Path to a CA certificate file to trust for API and DERP connections.",

Value: serpent.StringOf(&r.tlsCAFile),

Group: globalGroup,

},

{

Flag: varClientTLSCertFile,

Env: envClientTLSCertFile,

Description: "Path to a client certificate file for mTLS authentication with API and DERP. Requires --client-tls-key-file.",

Value: serpent.StringOf(&r.tlsClientCertFile),

Group: globalGroup,

},

{

Flag: varClientTLSKeyFile,

Env: envClientTLSKeyFile,

Description: "Path to a client private key file for mTLS authentication with API and DERP. Requires --client-tls-cert-file.",

Value: serpent.StringOf(&r.tlsClientKeyFile),

Group: globalGroup,

},

{

Flag: varUseKeyring,

Env: envUseKeyring,

Description: "Store and retrieve session tokens using the operating system " +

"keyring. This flag is ignored and file-based storage is used when " +

"--global-config is set or keyring usage is not supported on the current " +

"platform. Set to false to force file-based storage on supported platforms.",

Default: "true",

Value: serpent.BoolOf(&r.useKeyring),

Group: globalGroup,

},

{

Flag: "debug-http",

Description: "Debug codersdk HTTP requests.",

Value: serpent.BoolOf(&r.debugHTTP),

Group: globalGroup,

Hidden: true,

},

{

Flag: config.FlagName,

Env: "CODER_CONFIG_DIR",

Description: "Path to the global `coder` config directory.",

Default: config.DefaultDir(),

Value: serpent.StringOf(&r.globalConfig),

Group: globalGroup,

},

{

Flag: "version",

// This was requested by a customer to assist with their migration.

// They have two Coder CLIs, and want to tell the difference by running

// the same base command.

Description: "Run the version command. Useful for v1 customers migrating to v2.",

Value: serpent.BoolOf(&r.versionFlag),

Hidden: true,

},

}

hiddenAgentAuth.AttachOptions(cmd, true)

return cmd, nil

}

// RootCmd contains parameters and helpers useful to all commands.

type RootCmd struct {

clientURL *url.URL

token string

tokenBackend sessionstore.Backend

globalConfig string

header []string

headerCommand string

forceTTY bool

noOpen bool

verbose bool

versionFlag bool

disableDirect bool

debugHTTP bool

disableNetworkTelemetry bool

noVersionCheck bool

noFeatureWarning bool

useKeyring bool

keyringServiceName string

useKeyringWithGlobalConfig bool

// clock is used for time-dependent operations. Initialized to

// quartz.NewReal() in Command() if not set via SetClock.

clock quartz.Clock

// TLS configuration for custom CA or client certificates.

tlsCAFile string

tlsClientCertFile string

tlsClientKeyFile string

tlsConfig *tls.Config

}

// SetClock sets the clock used for time-dependent operations.

// Must be called before Command() to take effect.

func (r *RootCmd) SetClock(clk quartz.Clock) {

r.clock = clk

}

// ensureClientURL loads the client URL from the config file if it

// wasn't provided via --url or CODER_URL.

func (r *RootCmd) ensureClientURL() error {

if r.clientURL != nil && r.clientURL.String() != "" {

return nil

}

rawURL, err := r.createConfig().URL().Read()

// If the configuration files are absent, the user is logged out.

if os.IsNotExist(err) {

binPath, err := os.Executable()

if err != nil {

binPath = "coder"

}

return xerrors.Errorf(notLoggedInMessage, binPath)

}

if err != nil {

return err

}

r.clientURL, err = url.Parse(strings.TrimSpace(rawURL))

return err

}

// ensureTLSConfig loads the TLS configuration from files if specified.

// The resulting config is used for both API requests and DERP connections.

// If tlsConfig is already set programmatically, file-based configuration is skipped.

func (r *RootCmd) ensureTLSConfig() error {

// Already loaded or programmatically set - skip file loading

if r.tlsConfig != nil {

return nil

}

// No TLS config needed

if r.tlsCAFile == "" && r.tlsClientCertFile == "" && r.tlsClientKeyFile == "" {

return nil

}

// Validate that cert and key are specified together

if (r.tlsClientCertFile == "") != (r.tlsClientKeyFile == "") {

return xerrors.Errorf("--%s and --%s must be specified together", varClientTLSCertFile, varClientTLSKeyFile)

}

tlsConfig := &tls.Config{

MinVersion: tls.VersionTLS12,

}

// Load CA certificate if specified

if r.tlsCAFile != "" {

caData, err := os.ReadFile(r.tlsCAFile)

if err != nil {

return xerrors.Errorf("read TLS CA file %q: %w", r.tlsCAFile, err)

}

caPool := x509.NewCertPool()

if !caPool.AppendCertsFromPEM(caData) {

return xerrors.Errorf("failed to parse CA certificate in %q", r.tlsCAFile)

}

tlsConfig.RootCAs = caPool

}

// Load client certificate if specified

if r.tlsClientCertFile != "" && r.tlsClientKeyFile != "" {

cert, err := tls.LoadX509KeyPair(r.tlsClientCertFile, r.tlsClientKeyFile)

if err != nil {

return xerrors.Errorf("load TLS client certificate: %w", err)

}

tlsConfig.Certificates = []tls.Certificate{cert}

}

r.tlsConfig = tlsConfig

return nil

}

// InitClient creates and configures a new client with authentication, telemetry,

// and version checks.

func (r *RootCmd) InitClient(inv *serpent.Invocation) (*codersdk.Client, error) {

if err := r.ensureClientURL(); err != nil {

return nil, err

}

if r.token == "" {

tok, err := r.ensureTokenBackend().Read(r.clientURL)

// Even if there isn't a token, we don't care.

// Some API routes can be unauthenticated.

if err != nil && !xerrors.Is(err, os.ErrNotExist) {

if xerrors.Is(err, sessionstore.ErrNotImplemented) {

return nil, errKeyringNotSupported

}

return nil, err

}

if tok != "" {

r.token = tok

}

}

// Load TLS config from files if specified

if err := r.ensureTLSConfig(); err != nil {

return nil, err

}

// Configure HTTP client with transport wrappers

httpClient, err := r.createHTTPClient(inv.Context(), r.clientURL, inv)

if err != nil {

return nil, err

}

clientOpts := []codersdk.ClientOption{

codersdk.WithSessionToken(r.token),

codersdk.WithHTTPClient(httpClient),

}

if r.disableDirect {

clientOpts = append(clientOpts, codersdk.WithDisableDirectConnections())

}

if r.tlsConfig != nil {

clientOpts = append(clientOpts, codersdk.WithDERPTLSConfig(r.tlsConfig))

}

if r.debugHTTP {

clientOpts = append(clientOpts,

codersdk.WithPlainLogger(os.Stderr),

codersdk.WithLogBodies(),

)

}

return codersdk.New(r.clientURL, clientOpts...), nil

}

// TryInitClient is similar to InitClient but doesn't error when credentials are missing.

// This allows commands to run without requiring authentication, but still use auth if available.

func (r *RootCmd) TryInitClient(inv *serpent.Invocation) (*codersdk.Client, error) {

conf := r.createConfig()

// Read the client URL stored on disk.

if r.clientURL == nil || r.clientURL.String() == "" {

rawURL, err := conf.URL().Read()

// If the configuration files are absent, just continue without URL

if err != nil {

// Continue with a nil or empty URL

if !os.IsNotExist(err) {

return nil, err

}

} else {

r.clientURL, err = url.Parse(strings.TrimSpace(rawURL))

if err != nil {

return nil, err

}

}

}

if r.token == "" {

tok, err := r.ensureTokenBackend().Read(r.clientURL)

// Even if there isn't a token, we don't care.

// Some API routes can be unauthenticated.

if err != nil && !xerrors.Is(err, os.ErrNotExist) {

if xerrors.Is(err, sessionstore.ErrNotImplemented) {

return nil, errKeyringNotSupported

}

return nil, err

}

if tok != "" {

r.token = tok

}

}

// Only configure the client if we have a URL

if r.clientURL != nil && r.clientURL.String() != "" {

// Load TLS config from files if specified

if err := r.ensureTLSConfig(); err != nil {

return nil, err

}

// Configure HTTP client with transport wrappers

httpClient, err := r.createHTTPClient(inv.Context(), r.clientURL, inv)

if err != nil {

return nil, err

}

clientOpts := []codersdk.ClientOption{

codersdk.WithSessionToken(r.token),

codersdk.WithHTTPClient(httpClient),

}

if r.disableDirect {

clientOpts = append(clientOpts, codersdk.WithDisableDirectConnections())

}

if r.tlsConfig != nil {

clientOpts = append(clientOpts, codersdk.WithDERPTLSConfig(r.tlsConfig))

}

if r.debugHTTP {

clientOpts = append(clientOpts,

codersdk.WithPlainLogger(os.Stderr),

codersdk.WithLogBodies(),

)

}

return codersdk.New(r.clientURL, clientOpts...), nil

}

// Return a minimal client if no URL is available

return &codersdk.Client{}, nil

}

// HeaderTransport creates a new transport that executes `--header-command`

// if it is set to add headers for all outbound requests.

func (r *RootCmd) HeaderTransport(ctx context.Context, serverURL *url.URL) (*codersdk.HeaderTransport, error) {

return headerTransport(ctx, serverURL, r.header, r.headerCommand)

}

func (r *RootCmd) createHTTPClient(ctx context.Context, serverURL *url.URL, inv *serpent.Invocation) (*http.Client, error) {

transport := http.DefaultTransport

// Apply custom TLS config if specified

if r.tlsConfig != nil {

// Clone the default transport and apply TLS config

defaultTransport, ok := http.DefaultTransport.(*http.Transport)

if !ok {

return nil, xerrors.New("cannot apply TLS config: http.DefaultTransport is not *http.Transport")

}

customTransport := defaultTransport.Clone()

customTransport.TLSClientConfig = r.tlsConfig

transport = customTransport

}

transport = wrapTransportWithTelemetryHeader(transport, inv)

transport = wrapTransportWithUserAgentHeader(transport, inv)

if !r.noVersionCheck {

transport = wrapTransportWithVersionCheck(transport, inv, buildinfo.Version(), func(ctx context.Context) (codersdk.BuildInfoResponse, error) {

// Create a new client without any wrapped transport

// otherwise it creates an infinite loop!

basicClient := codersdk.New(serverURL)

return basicClient.BuildInfo(ctx)

})

}

if !r.noFeatureWarning {

transport = wrapTransportWithEntitlementsCheck(transport, inv.Stderr)

}

headerTransport, err := r.HeaderTransport(ctx, serverURL)

if err != nil {

return nil, xerrors.Errorf("create header transport: %w", err)

}

// The header transport has to come last.

// codersdk checks for the header transport to get headers

// to clone on the DERP client.

headerTransport.Transport = transport

return &http.Client{

Transport: headerTransport,

}, nil

}

func (r *RootCmd) createUnauthenticatedClient(ctx context.Context, serverURL *url.URL, inv *serpent.Invocation) (*codersdk.Client, error) {

// Load TLS config for login and other unauthenticated requests

if err := r.ensureTLSConfig(); err != nil {

return nil, err

}

httpClient, err := r.createHTTPClient(ctx, serverURL, inv)

if err != nil {

return nil, err

}

client := codersdk.New(serverURL, codersdk.WithHTTPClient(httpClient))

return client, nil

}

// ensureTokenBackend returns the session token storage backend, creating it if necessary.

// This must be called after flags are parsed so we can respect the value of the --use-keyring

// flag.

func (r *RootCmd) ensureTokenBackend() sessionstore.Backend {

if r.tokenBackend == nil {

// Checking for the --global-config directory being set is a bit wonky but necessary

// to allow extensions that invoke the CLI with this flag (e.g. VS code) to continue

// working without modification. In the future we should modify these extensions to

// either access the credential in the keyring (like Coder Desktop) or some other

// approach that doesn't rely on the session token being stored on disk.

assumeExtensionInUse := r.globalConfig != config.DefaultDir() && !r.useKeyringWithGlobalConfig

keyringSupported := runtime.GOOS == "windows" || runtime.GOOS == "darwin"

if r.useKeyring && !assumeExtensionInUse && keyringSupported {

serviceName := sessionstore.DefaultServiceName

if r.keyringServiceName != "" {

serviceName = r.keyringServiceName

}

r.tokenBackend = sessionstore.NewKeyringWithService(serviceName)

} else {

r.tokenBackend = sessionstore.NewFile(r.createConfig)

}

}

return r.tokenBackend

}

// WithKeyringServiceName sets a custom keyring service name for testing purposes.

// This allows tests to use isolated keyring storage while still exercising the

// genuine storage backend selection logic in ensureTokenBackend().

func (r *RootCmd) WithKeyringServiceName(serviceName string) {

r.keyringServiceName = serviceName

}

// UseKeyringWithGlobalConfig enables the use of the keyring storage backend

// when the --global-config directory is set. This is only intended as an override

// for tests, which require specifying the global config directory for test isolation.

func (r *RootCmd) UseKeyringWithGlobalConfig() {

r.useKeyringWithGlobalConfig = true

}

type AgentAuth struct {

// Agent Client config

agentToken string

agentTokenFile string

agentURL url.URL

agentAuth string

agentName string

}

func (a *AgentAuth) AttachOptions(cmd *serpent.Command, hidden bool) {

cmd.Options = append(cmd.Options, serpent.Option{

Name: "Agent Token",

Description: "An agent authentication token.",

Flag: "agent-token",

Env: envAgentToken,

Value: serpent.StringOf(&a.agentToken),

Hidden: hidden,

}, serpent.Option{

Name: "Agent Token File",

Description: "A file containing an agent authentication token.",

Flag: "agent-token-file",

Env: envAgentTokenFile,

Value: serpent.StringOf(&a.agentTokenFile),

Hidden: hidden,

}, serpent.Option{

Name: "Agent URL",

Description: "URL for an agent to access your deployment.",

Flag: "agent-url",

Env: envAgentURL,

Value: serpent.URLOf(&a.agentURL),

Hidden: hidden,

}, serpent.Option{

Name: "Agent Auth",

Description: "Specify the authentication type to use for the agent.",

Flag: "auth",

Env: envAgentAuth,

Default: "token",

Value: serpent.StringOf(&a.agentAuth),

Hidden: hidden,

}, serpent.Option{

Name: "Agent Name",

Description: "The name of the agent to authenticate as (only applicable for instance identity).",

Flag: "agent-name",

Env: envAgentName,

Value: serpent.StringOf(&a.agentName),

Hidden: hidden,

})

}

// CreateClient returns a new agent client from the command context. It works

// just like InitClient, but uses the agent token and URL instead.

func (a *AgentAuth) CreateClient() (*agentsdk.Client, error) {

agentURL := a.agentURL

if agentURL.String() == "" {

return nil, xerrors.Errorf("%s must be set", envAgentURL)

}

var iiOpts []agentsdk.InstanceIdentityOption

if a.agentName != "" {

iiOpts = append(iiOpts, agentsdk.WithInstanceIdentityAgentName(a.agentName))

}

switch a.agentAuth {

case "token":

token := a.agentToken

if token == "" {

if a.agentTokenFile == "" {

return nil, xerrors.Errorf("Either %s or %s must be set", envAgentToken, envAgentTokenFile)

}

tokenBytes, err := os.ReadFile(a.agentTokenFile)

if err != nil {

return nil, xerrors.Errorf("read token file %q: %w", a.agentTokenFile, err)

}

token = strings.TrimSpace(string(tokenBytes))

}

if token == "" {

return nil, xerrors.Errorf("CODER_AGENT_TOKEN or CODER_AGENT_TOKEN_FILE must be set for token auth")

}

return agentsdk.New(&a.agentURL, agentsdk.WithFixedToken(token)), nil

case "google-instance-identity":

return agentsdk.New(&a.agentURL, agentsdk.WithGoogleInstanceIdentity("", nil, iiOpts...)), nil

case "aws-instance-identity":

return agentsdk.New(&a.agentURL, agentsdk.WithAWSInstanceIdentity(iiOpts...)), nil

case "azure-instance-identity":

return agentsdk.New(&a.agentURL, agentsdk.WithAzureInstanceIdentity(iiOpts...)), nil

default:

return nil, xerrors.Errorf("unknown agent auth type: %s", a.agentAuth)

}

}

type OrganizationContext struct {

// FlagSelect is the value passed in via the --org flag

FlagSelect string

}

func NewOrganizationContext() *OrganizationContext {

return &OrganizationContext{}

}