Add test for CLI

kylecarbs · kylecarbs · commit d16496c4bf99 · 2022-02-20T19:10:50.000Z
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -108,7 +108,7 @@ func New(options *Options) http.Handler {
 
 		r.Route("/workspaceagent", func(r chi.Router) {
 			r.Route("/authenticate", func(r chi.Router) {
-				r.Post("/google-instance-identity", api.postWorkspaceAgentAuthenticateGoogleInstanceIdentity)
+				r.Post("/google-instance-identity", api.postAuthenticateWorkspaceAgentUsingGoogleInstanceIdentity)
 			})
 		})
 
diff --git a/coderd/workspaceagent.go b/coderd/workspaceagent.go
@@ -13,8 +13,7 @@ import (
 	"github.com/mitchellh/mapstructure"
 )
 
-// WorkspaceAgentAuthenticateGoogleInstanceIdentityRequest
-type WorkspaceAgentAuthenticateGoogleInstanceIdentityRequest struct {
+type AuthenticateWorkspaceAgentUsingGoogleInstanceIdentity struct {
 	JSONWebToken string `json:"json_web_token" validate:"required"`
 }
 
@@ -27,8 +26,8 @@ type WorkspaceAgentAuthenticateResponse struct {
 // Google Compute Engine supports instance identity verification:
 // https://cloud.google.com/compute/docs/instances/verifying-instance-identity
 // Using this, we can exchange a signed instance payload for an agent token.
-func (api *api) postWorkspaceAgentAuthenticateGoogleInstanceIdentity(rw http.ResponseWriter, r *http.Request) {
-	var req WorkspaceAgentAuthenticateGoogleInstanceIdentityRequest
+func (api *api) postAuthenticateWorkspaceAgentUsingGoogleInstanceIdentity(rw http.ResponseWriter, r *http.Request) {
+	var req AuthenticateWorkspaceAgentUsingGoogleInstanceIdentity
 	if !httpapi.Read(rw, r, &req) {
 		return
 	}
diff --git a/coderd/workspaceagent_test.go b/coderd/workspaceagent_test.go
@@ -14,17 +14,18 @@ import (
 	"time"
 
 	"cloud.google.com/go/compute/metadata"
+	"github.com/golang-jwt/jwt"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/api/idtoken"
+	"google.golang.org/api/option"
+
 	"github.com/coder/coder/coderd"
 	"github.com/coder/coder/coderd/coderdtest"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/cryptorand"
 	"github.com/coder/coder/database"
 	"github.com/coder/coder/provisioner/echo"
 	"github.com/coder/coder/provisionersdk/proto"
-	"github.com/golang-jwt/jwt"
-	"github.com/stretchr/testify/require"
-	"google.golang.org/api/idtoken"
-	"google.golang.org/api/option"
 )
 
 func TestPostWorkspaceAgentAuthenticateGoogleInstanceIdentity(t *testing.T) {
@@ -37,7 +38,7 @@ func TestPostWorkspaceAgentAuthenticateGoogleInstanceIdentity(t *testing.T) {
 		client := coderdtest.New(t, &coderdtest.Options{
 			GoogleTokenValidator: validator,
 		})
-		_, err := client.WorkspaceAgentAuthenticateGoogleInstanceIdentity(context.Background(), "", createMetadataClient(signedKey))
+		_, err := client.AuthenticateWorkspaceAgentUsingGoogleCloudIdentity(context.Background(), "", createMetadataClient(signedKey))
 		var apiErr *codersdk.Error
 		require.ErrorAs(t, err, &apiErr)
 		require.Equal(t, http.StatusUnauthorized, apiErr.StatusCode())
@@ -51,7 +52,7 @@ func TestPostWorkspaceAgentAuthenticateGoogleInstanceIdentity(t *testing.T) {
 		client := coderdtest.New(t, &coderdtest.Options{
 			GoogleTokenValidator: validator,
 		})
-		_, err := client.WorkspaceAgentAuthenticateGoogleInstanceIdentity(context.Background(), "", createMetadataClient(signedKey))
+		_, err := client.AuthenticateWorkspaceAgentUsingGoogleCloudIdentity(context.Background(), "", createMetadataClient(signedKey))
 		var apiErr *codersdk.Error
 		require.ErrorAs(t, err, &apiErr)
 		require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
@@ -91,7 +92,7 @@ func TestPostWorkspaceAgentAuthenticateGoogleInstanceIdentity(t *testing.T) {
 		require.NoError(t, err)
 		coderdtest.AwaitWorkspaceProvisionJob(t, client, user.Organization, firstHistory.ProvisionJobID)
 
-		_, err = client.WorkspaceAgentAuthenticateGoogleInstanceIdentity(context.Background(), "", createMetadataClient(signedKey))
+		_, err = client.AuthenticateWorkspaceAgentUsingGoogleCloudIdentity(context.Background(), "", createMetadataClient(signedKey))
 		require.NoError(t, err)
 	})
 }
@@ -117,7 +118,7 @@ func createMetadataClient(signedKey string) *metadata.Client {
 }
 
 // Create's a signed JWT with a randomly generated private key.
-func createSignedToken(t *testing.T, instanceID string, claims *jwt.MapClaims) (string, string, *rsa.PrivateKey) {
+func createSignedToken(t *testing.T, instanceID string, claims *jwt.MapClaims) (signedKey string, keyID string, privateKey *rsa.PrivateKey) {
 	keyID, err := cryptorand.String(12)
 	require.NoError(t, err)
 	if claims == nil {
@@ -132,11 +133,11 @@ func createSignedToken(t *testing.T, instanceID string, claims *jwt.MapClaims) (
 	}
 	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
 	token.Header["kid"] = keyID
-	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	privateKey, err = rsa.GenerateKey(rand.Reader, 2048)
 	require.NoError(t, err)
-	signed, err := token.SignedString(privateKey)
+	signedKey, err = token.SignedString(privateKey)
 	require.NoError(t, err)
-	return signed, keyID, privateKey
+	return signedKey, keyID, privateKey
 }
 
 // Create's a validator that verifies against the provided private key.
diff --git a/codersdk/workspaceagent.go b/codersdk/workspaceagent.go
@@ -7,22 +7,29 @@ import (
 	"net/http"
 
 	"cloud.google.com/go/compute/metadata"
-	"github.com/coder/coder/coderd"
 	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/coderd"
 )
 
-func (c *Client) WorkspaceAgentAuthenticateGoogleInstanceIdentity(ctx context.Context, serviceAccount string, gcpClient *metadata.Client) (coderd.WorkspaceAgentAuthenticateResponse, error) {
+// AuthenticateWorkspaceAgentUsingGoogleCloudIdentity uses the Google Compute Engine Metadata API to
+// fetch a signed JWT, and exchange it for a session token for a workspace agent.
+//
+// The requesting instance must be registered as a resource in the latest history for a workspace.
+func (c *Client) AuthenticateWorkspaceAgentUsingGoogleCloudIdentity(ctx context.Context, serviceAccount string, gcpClient *metadata.Client) (coderd.WorkspaceAgentAuthenticateResponse, error) {
 	if serviceAccount == "" {
+		// This is the default name specified by Google.
 		serviceAccount = "default"
 	}
 	if gcpClient == nil {
 		gcpClient = metadata.NewClient(c.httpClient)
 	}
+	// "format=full" is required, otherwise the responding payload will be missing "instance_id".
 	jwt, err := gcpClient.Get(fmt.Sprintf("instance/service-accounts/%s/identity?audience=coder&format=full", serviceAccount))
 	if err != nil {
 		return coderd.WorkspaceAgentAuthenticateResponse{}, xerrors.Errorf("get metadata identity: %w", err)
 	}
-	res, err := c.request(ctx, http.MethodPost, "/api/v2/workspaceagent/authenticate/google-instance-identity", coderd.WorkspaceAgentAuthenticateGoogleInstanceIdentityRequest{
+	res, err := c.request(ctx, http.MethodPost, "/api/v2/workspaceagent/authenticate/google-instance-identity", coderd.AuthenticateWorkspaceAgentUsingGoogleInstanceIdentity{
 		JSONWebToken: jwt,
 	})
 	if err != nil {
diff --git a/codersdk/workspaceagent_test.go b/codersdk/workspaceagent_test.go
@@ -0,0 +1,37 @@
+package codersdk_test
+
+import (
+	"bytes"
+	"context"
+	"io"
+	"net/http"
+	"testing"
+
+	"cloud.google.com/go/compute/metadata"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/coderd/coderdtest"
+)
+
+func TestAuthenticateWorkspaceAgentUsingGoogleCloudIdentity(t *testing.T) {
+	t.Parallel()
+	t.Run("Error", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		_, err := client.AuthenticateWorkspaceAgentUsingGoogleCloudIdentity(context.Background(), "", metadata.NewClient(&http.Client{
+			Transport: roundTripper(func(req *http.Request) (*http.Response, error) {
+				return &http.Response{
+					StatusCode: http.StatusOK,
+					Body:       io.NopCloser(bytes.NewReader([]byte("sometoken"))),
+				}, nil
+			}),
+		}))
+		require.Error(t, err)
+	})
+}
+
+type roundTripper func(req *http.Request) (*http.Response, error)
+
+func (r roundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	return r(req)
+}

Original file line number	Diff line number	Diff line change
`@@ -13,8 +13,7 @@ import (`
`13`	`13`	`"github.com/mitchellh/mapstructure"`
`14`	`14`	`)`
`15`	`15`
`16`		`-// WorkspaceAgentAuthenticateGoogleInstanceIdentityRequest`
`17`		`-type WorkspaceAgentAuthenticateGoogleInstanceIdentityRequest struct {`
	`16`	`+type AuthenticateWorkspaceAgentUsingGoogleInstanceIdentity struct {`
`18`	`17`	JSONWebToken string `json:"json_web_token" validate:"required"`
`19`	`18`	`}`
`20`	`19`
`@@ -27,8 +26,8 @@ type WorkspaceAgentAuthenticateResponse struct {`
`27`	`26`	`// Google Compute Engine supports instance identity verification:`
`28`	`27`	`// https://cloud.google.com/compute/docs/instances/verifying-instance-identity`
`29`	`28`	`// Using this, we can exchange a signed instance payload for an agent token.`
`30`		`-func (api api) postWorkspaceAgentAuthenticateGoogleInstanceIdentity(rw http.ResponseWriter, r http.Request) {`
`31`		`- var req WorkspaceAgentAuthenticateGoogleInstanceIdentityRequest`
	`29`	`+func (api api) postAuthenticateWorkspaceAgentUsingGoogleInstanceIdentity(rw http.ResponseWriter, r http.Request) {`
	`30`	`+ var req AuthenticateWorkspaceAgentUsingGoogleInstanceIdentity`
`32`	`31`	`if !httpapi.Read(rw, r, &req) {`
`33`	`32`	`return`
`34`	`33`	`}`