feat: Add browser-only connections to Enterprise

kylecarbs · kylecarbs · commit b251098b5267 · 2022-09-20T18:15:57.000Z
Fixes #4131.
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -493,8 +493,9 @@ func New(options *Options) *API {
 
 type API struct {
 	*Options
-	Auditor  atomic.Pointer[audit.Auditor]
-	HTTPAuth *HTTPAuthorizer
+	Auditor                           atomic.Pointer[audit.Auditor]
+	WorkspaceClientCoordinateOverride atomic.Pointer[func(rw http.ResponseWriter) bool]
+	HTTPAuth                          *HTTPAuthorizer
 
 	// APIHandler serves "/api/v2"
 	APIHandler chi.Router
diff --git a/coderd/workspaceagents.go b/coderd/workspaceagents.go
@@ -384,7 +384,7 @@ func (api *API) workspaceAgentCoordinate(rw http.ResponseWriter, r *http.Request
 	}
 }
 
-// workspaceAgentClientCoordinate accepts a WebSocket that reads node network updates.
+// WorkspaceAgentClientCoordinate accepts a WebSocket that reads node network updates.
 // After accept a PubSub starts listening for new connection node updates
 // which are written to the WebSocket.
 func (api *API) workspaceAgentClientCoordinate(rw http.ResponseWriter, r *http.Request) {
@@ -393,6 +393,11 @@ func (api *API) workspaceAgentClientCoordinate(rw http.ResponseWriter, r *http.R
 		httpapi.ResourceNotFound(rw)
 		return
 	}
+	// This is used by Enterprise code to control the functionality of this route.
+	override := api.WorkspaceClientCoordinateOverride.Load()
+	if override != nil && (*override)(rw) {
+		return
+	}
 
 	api.websocketWaitMutex.Lock()
 	api.websocketWaitGroup.Add(1)
diff --git a/codersdk/features.go b/codersdk/features.go
@@ -15,11 +15,12 @@ const (
 )
 
 const (
-	FeatureUserLimit = "user_limit"
-	FeatureAuditLog  = "audit_log"
+	FeatureUserLimit   = "user_limit"
+	FeatureAuditLog    = "audit_log"
+	FeatureBrowserOnly = "browser_only"
 )
 
-var FeatureNames = []string{FeatureUserLimit, FeatureAuditLog}
+var FeatureNames = []string{FeatureUserLimit, FeatureAuditLog, FeatureBrowserOnly}
 
 type Feature struct {
 	Entitlement Entitlement `json:"entitlement"`
diff --git a/codersdk/workspaceagents.go b/codersdk/workspaceagents.go
@@ -270,12 +270,14 @@ func (c *Client) DialWorkspaceAgentTailnet(ctx context.Context, logger slog.Logg
 	}
 	ctx, cancelFunc := context.WithCancel(ctx)
 	closed := make(chan struct{})
+	first := make(chan error)
 	go func() {
 		defer close(closed)
+		isFirst := true
 		for retrier := retry.New(50*time.Millisecond, 10*time.Second); retrier.Wait(ctx); {
 			logger.Debug(ctx, "connecting")
 			// nolint:bodyclose
-			ws, _, err := websocket.Dial(ctx, coordinateURL.String(), &websocket.DialOptions{
+			ws, res, err := websocket.Dial(ctx, coordinateURL.String(), &websocket.DialOptions{
 				HTTPClient: httpClient,
 				// Need to disable compression to avoid a data-race.
 				CompressionMode: websocket.CompressionDisabled,
@@ -284,11 +286,22 @@ func (c *Client) DialWorkspaceAgentTailnet(ctx context.Context, logger slog.Logg
 				_ = ws.Close(websocket.StatusAbnormalClosure, "")
 				return
 			}
+			if isFirst {
+				if res.StatusCode == http.StatusConflict {
+					first <- readBodyAsError(res)
+					return
+				}
+				isFirst = false
+				close(first)
+			}
 			if err != nil {
 				logger.Debug(ctx, "failed to dial", slog.Error(err))
-				_ = ws.Close(websocket.StatusAbnormalClosure, "")
 				continue
 			}
+			if isFirst {
+				isFirst = false
+				close(first)
+			}
 			sendNode, errChan := tailnet.ServeCoordinator(websocket.NetConn(ctx, ws, websocket.MessageBinary), func(node []*tailnet.Node) error {
 				return conn.UpdateNodes(node)
 			})
@@ -307,13 +320,19 @@ func (c *Client) DialWorkspaceAgentTailnet(ctx context.Context, logger slog.Logg
 			_ = ws.Close(websocket.StatusAbnormalClosure, "")
 		}
 	}()
+	err = <-first
+	if err != nil {
+		cancelFunc()
+		_ = conn.Close()
+		return nil, err
+	}
 	return &agent.Conn{
 		Conn: conn,
 		CloseFunc: func() {
 			cancelFunc()
 			<-closed
 		},
-	}, nil
+	}, err
 }
 
 // WorkspaceAgent returns an agent by ID.
diff --git a/docs/admin/enterprise.md b/docs/admin/enterprise.md
@@ -6,6 +6,7 @@ Contact sales@coder.com to obtain a license.
 These features are:
 
  * Audit Logging
+ * Browser Only Connections
 
 ## Adding your license key
 
diff --git a/enterprise/cli/server.go b/enterprise/cli/server.go
@@ -6,6 +6,7 @@ import (
 	"github.com/spf13/cobra"
 
 	"github.com/coder/coder/cli/cliflag"
+	"github.com/coder/coder/cli/cliui"
 	"github.com/coder/coder/enterprise/coderd"
 
 	agpl "github.com/coder/coder/cli"
@@ -15,19 +16,25 @@ import (
 func server() *cobra.Command {
 	var (
 		auditLogging bool
+		browserOnly  bool
 	)
 	cmd := agpl.Server(func(ctx context.Context, options *agplcoderd.Options) (*agplcoderd.API, error) {
 		api, err := coderd.New(ctx, &coderd.Options{
 			AuditLogging: auditLogging,
+			BrowserOnly:  browserOnly,
 			Options:      options,
 		})
 		if err != nil {
 			return nil, err
 		}
 		return api.AGPL, nil
 	})
+	enterpriseOnly := cliui.Styles.Keyword.Render("This is an Enterprise feature. Contact sales@coder.com for licensing")
+
 	cliflag.BoolVarP(cmd.Flags(), &auditLogging, "audit-logging", "", "CODER_AUDIT_LOGGING", true,
-		"Specifies whether audit logging is enabled.")
+		"Specifies whether audit logging is enabled. "+enterpriseOnly)
+	cliflag.BoolVarP(cmd.Flags(), &browserOnly, "browser-only", "", "CODER_BROWSER_ONLY", false,
+		"Whether Coder only allows connections to workspaces via the browser. "+enterpriseOnly)
 
 	return cmd
 }
diff --git a/enterprise/coderd/coderd.go b/enterprise/coderd/coderd.go
@@ -52,7 +52,6 @@ func New(ctx context.Context, options *Options) (*API, error) {
 		OIDC:   options.OIDCConfig,
 	}
 	apiKeyMiddleware := httpmw.ExtractAPIKey(options.Database, oauthConfigs, false)
-
 	api.AGPL.APIHandler.Group(func(r chi.Router) {
 		r.Get("/entitlements", api.serveEntitlements)
 		r.Route("/licenses", func(r chi.Router) {
@@ -75,7 +74,9 @@ func New(ctx context.Context, options *Options) (*API, error) {
 type Options struct {
 	*coderd.Options
 
-	AuditLogging               bool
+	AuditLogging bool
+	// Whether to block non-browser connections.
+	BrowserOnly                bool
 	EntitlementsUpdateInterval time.Duration
 	Keys                       map[string]ed25519.PublicKey
 }
@@ -93,6 +94,7 @@ type entitlements struct {
 	hasLicense  bool
 	activeUsers codersdk.Feature
 	auditLogs   codersdk.Entitlement
+	browserOnly codersdk.Entitlement
 }
 
 func (api *API) Close() error {
@@ -149,13 +151,16 @@ func (api *API) updateEntitlements(ctx context.Context) error {
 		if claims.Features.AuditLog > 0 {
 			entitlements.auditLogs = entitlement
 		}
+		if claims.Features.BrowserOnly > 0 {
+			entitlements.browserOnly = entitlement
+		}
 	}
 
 	if entitlements.auditLogs != api.entitlements.auditLogs {
 		auditor := agplaudit.NewNop()
 		// A flag could be added to the options that would allow disabling
 		// enhanced audit logging here!
-		if entitlements.auditLogs == codersdk.EntitlementEntitled && api.AuditLogging {
+		if entitlements.auditLogs != codersdk.EntitlementNotEntitled && api.AuditLogging {
 			auditor = audit.NewAuditor(
 				audit.DefaultFilter,
 				backends.NewPostgres(api.Database, true),
@@ -165,6 +170,14 @@ func (api *API) updateEntitlements(ctx context.Context) error {
 		api.AGPL.Auditor.Store(&auditor)
 	}
 
+	if entitlements.browserOnly != api.entitlements.browserOnly {
+		var handler func(rw http.ResponseWriter) bool
+		if entitlements.browserOnly != codersdk.EntitlementNotEntitled && api.BrowserOnly {
+			handler = api.shouldBlockNonBrowserConnections
+		}
+		api.AGPL.WorkspaceClientCoordinateOverride.Store(&handler)
+	}
+
 	api.entitlements = entitlements
 
 	return nil
@@ -210,6 +223,15 @@ func (api *API) serveEntitlements(rw http.ResponseWriter, r *http.Request) {
 			"Audit logging is enabled but your license for this feature is expired.")
 	}
 
+	resp.Features[codersdk.FeatureBrowserOnly] = codersdk.Feature{
+		Entitlement: entitlements.browserOnly,
+		Enabled:     api.BrowserOnly,
+	}
+	if entitlements.browserOnly == codersdk.EntitlementGracePeriod && api.BrowserOnly {
+		resp.Warnings = append(resp.Warnings,
+			"Browser only connections are enabled but your license for this feature is expired.")
+	}
+
 	httpapi.Write(rw, http.StatusOK, resp)
 }
 
diff --git a/enterprise/coderd/coderd_test.go b/enterprise/coderd/coderd_test.go
@@ -84,15 +84,18 @@ func TestEntitlements(t *testing.T) {
 	})
 	t.Run("Warnings", func(t *testing.T) {
 		t.Parallel()
-		client := coderdenttest.New(t, nil)
+		client := coderdenttest.New(t, &coderdenttest.Options{
+			BrowserOnly: true,
+		})
 		first := coderdtest.CreateFirstUser(t, client)
 		for i := 0; i < 4; i++ {
 			coderdtest.CreateAnotherUser(t, client, first.OrganizationID)
 		}
 		coderdenttest.AddLicense(t, client, coderdenttest.LicenseOptions{
-			UserLimit: 4,
-			AuditLog:  true,
-			GraceAt:   time.Now().Add(-time.Second),
+			UserLimit:   4,
+			AuditLog:    true,
+			BrowserOnly: true,
+			GraceAt:     time.Now().Add(-time.Second),
 		})
 		res, err := client.Entitlements(context.Background())
 		require.NoError(t, err)
@@ -107,11 +110,18 @@ func TestEntitlements(t *testing.T) {
 		assert.True(t, al.Enabled)
 		assert.Nil(t, al.Limit)
 		assert.Nil(t, al.Actual)
-		assert.Len(t, res.Warnings, 2)
+		bo := res.Features[codersdk.FeatureBrowserOnly]
+		assert.Equal(t, codersdk.EntitlementGracePeriod, bo.Entitlement)
+		assert.True(t, bo.Enabled)
+		assert.Nil(t, bo.Limit)
+		assert.Nil(t, bo.Actual)
+		assert.Len(t, res.Warnings, 3)
 		assert.Contains(t, res.Warnings,
 			"Your deployment has 5 active users but is only licensed for 4.")
 		assert.Contains(t, res.Warnings,
 			"Audit logging is enabled but your license for this feature is expired.")
+		assert.Contains(t, res.Warnings,
+			"Browser only connections are enabled but your license for this feature is expired.")
 	})
 	t.Run("Pubsub", func(t *testing.T) {
 		t.Parallel()
diff --git a/enterprise/coderd/coderdenttest/coderdenttest.go b/enterprise/coderd/coderdenttest/coderdenttest.go
@@ -36,6 +36,7 @@ func init() {
 
 type Options struct {
 	*coderdtest.Options
+	BrowserOnly                bool
 	EntitlementsUpdateInterval time.Duration
 }
 
@@ -55,6 +56,7 @@ func NewWithAPI(t *testing.T, options *Options) (*codersdk.Client, io.Closer, *c
 	srv, cancelFunc, oop := coderdtest.NewOptions(t, options.Options)
 	coderAPI, err := coderd.New(context.Background(), &coderd.Options{
 		AuditLogging:               true,
+		BrowserOnly:                options.BrowserOnly,
 		Options:                    oop,
 		EntitlementsUpdateInterval: options.EntitlementsUpdateInterval,
 		Keys: map[string]ed25519.PublicKey{
@@ -82,6 +84,7 @@ type LicenseOptions struct {
 	ExpiresAt   time.Time
 	UserLimit   int64
 	AuditLog    bool
+	BrowserOnly bool
 }
 
 // AddLicense generates a new license with the options provided and inserts it.
@@ -105,6 +108,10 @@ func GenerateLicense(t *testing.T, options LicenseOptions) string {
 	if options.AuditLog {
 		auditLog = 1
 	}
+	browserOnly := int64(0)
+	if options.BrowserOnly {
+		browserOnly = 1
+	}
 	c := &coderd.Claims{
 		RegisteredClaims: jwt.RegisteredClaims{
 			Issuer:    "test@testing.test",
@@ -117,8 +124,9 @@ func GenerateLicense(t *testing.T, options LicenseOptions) string {
 		AccountID:      options.AccountID,
 		Version:        coderd.CurrentVersion,
 		Features: coderd.Features{
-			UserLimit: options.UserLimit,
-			AuditLog:  auditLog,
+			UserLimit:   options.UserLimit,
+			AuditLog:    auditLog,
+			BrowserOnly: browserOnly,
 		},
 	}
 	tok := jwt.NewWithClaims(jwt.SigningMethodEdDSA, c)
diff --git a/enterprise/coderd/licenses.go b/enterprise/coderd/licenses.go
@@ -45,8 +45,9 @@ var key20220812 []byte
 var Keys = map[string]ed25519.PublicKey{"2022-08-12": ed25519.PublicKey(key20220812)}
 
 type Features struct {
-	UserLimit int64 `json:"user_limit"`
-	AuditLog  int64 `json:"audit_log"`
+	UserLimit   int64 `json:"user_limit"`
+	AuditLog    int64 `json:"audit_log"`
+	BrowserOnly int64 `json:"browser_only"`
 }
 
 type Claims struct {
diff --git a/enterprise/coderd/workspaceagents.go b/enterprise/coderd/workspaceagents.go
@@ -0,0 +1,21 @@
+package coderd
+
+import (
+	"net/http"
+
+	"github.com/coder/coder/coderd/httpapi"
+	"github.com/coder/coder/codersdk"
+)
+
+func (api *API) shouldBlockNonBrowserConnections(rw http.ResponseWriter) bool {
+	api.entitlementsMu.Lock()
+	browserOnly := api.entitlements.browserOnly
+	api.entitlementsMu.Unlock()
+	if api.BrowserOnly && browserOnly != codersdk.EntitlementNotEntitled {
+		httpapi.Write(rw, http.StatusConflict, codersdk.Response{
+			Message: "Non-browser connections are disabled for your deployment.",
+		})
+		return true
+	}
+	return false
+}
diff --git a/enterprise/coderd/workspaceagents_test.go b/enterprise/coderd/workspaceagents_test.go

Original file line number	Diff line number	Diff line change
`@@ -384,7 +384,7 @@ func (api API) workspaceAgentCoordinate(rw http.ResponseWriter, r http.Request`
`384`	`384`	`}`
`385`	`385`	`}`
`386`	`386`
`387`		`-// workspaceAgentClientCoordinate accepts a WebSocket that reads node network updates.`
	`387`	`+// WorkspaceAgentClientCoordinate accepts a WebSocket that reads node network updates.`
`388`	`388`	`// After accept a PubSub starts listening for new connection node updates`
`389`	`389`	`// which are written to the WebSocket.`
`390`	`390`	`func (api API) workspaceAgentClientCoordinate(rw http.ResponseWriter, r http.Request) {`
`@@ -393,6 +393,11 @@ func (api API) workspaceAgentClientCoordinate(rw http.ResponseWriter, r http.R`
`393`	`393`	`httpapi.ResourceNotFound(rw)`
`394`	`394`	`return`
`395`	`395`	`}`
	`396`	`+ // This is used by Enterprise code to control the functionality of this route.`
	`397`	`+ override := api.WorkspaceClientCoordinateOverride.Load()`
	`398`	`+ if override != nil && (*override)(rw) {`
	`399`	`+ return`
	`400`	`+ }`
`396`	`401`
`397`	`402`	`api.websocketWaitMutex.Lock()`
`398`	`403`	`api.websocketWaitGroup.Add(1)`
Original file line number	Diff line number	Diff line change
`@@ -15,11 +15,12 @@ const (`
`15`	`15`	`)`
`16`	`16`
`17`	`17`	`const (`
`18`		`- FeatureUserLimit = "user_limit"`
`19`		`- FeatureAuditLog = "audit_log"`
	`18`	`+ FeatureUserLimit = "user_limit"`
	`19`	`+ FeatureAuditLog = "audit_log"`
	`20`	`+ FeatureBrowserOnly = "browser_only"`
`20`	`21`	`)`
`21`	`22`
`22`		`-var FeatureNames = []string{FeatureUserLimit, FeatureAuditLog}`
	`23`	`+var FeatureNames = []string{FeatureUserLimit, FeatureAuditLog, FeatureBrowserOnly}`
`23`	`24`
`24`	`25`	`type Feature struct {`
`25`	`26`	Entitlement Entitlement `json:"entitlement"`