From f218dfb8969c16f5a6bc44f45e90a39a26864907 Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Wed, 27 Mar 2024 13:39:43 -0500 Subject: [PATCH 1/7] chore: docs explaining GIT_ASKPASS behavior - VSCode configuration requirements --- docs/admin/external-auth.md | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/docs/admin/external-auth.md b/docs/admin/external-auth.md index 0ee5025393845..04356dab1f8f9 100644 --- a/docs/admin/external-auth.md +++ b/docs/admin/external-auth.md @@ -212,8 +212,32 @@ you can require users authenticate via git prior to creating a workspace: ![Git authentication in template](../images/admin/git-auth-template.png) -The following example will require users authenticate via GitHub and auto-clone -a repo into the `~/coder` directory. +### `GIT_ASKPASS` will auto-refresh tokens + +
+

+ This is the preferred authentication method. +

+
+ +By default, the coder agent is configured to respond to `GIT_ASKPASS` prompts. +Meaning, with no additional configuration, external authentication will work +with native `git` commands. + +Note: Some IDE's override the `GIT_ASKPASS` environment variable and need to be +configured. + +**VSCode** + +- Set `git.terminalAuthentication` to `false` +- Set `git.useIntegratedAskPass` to `false` + +### Hard coded tokens do not auto-refresh + +If the token is required to be inserted into the workspace, for example +[GitHub cli](https://cli.github.com/), the auth token can be inserted from the +template. This token will not auto-refresh. The following example will +authenticate via GitHub and auto-clone a repo into the `~/coder` directory. ```hcl data "coder_external_auth" "github" { From 56048da4f560a4e1cc3acf488c74b66d87e98a7f Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Wed, 27 Mar 2024 13:59:44 -0500 Subject: [PATCH 2/7] add warning if run from outside workspace command only works if inside --- cli/externalauth.go | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/cli/externalauth.go b/cli/externalauth.go index a5123a3e23134..d3dd407ae8e14 100644 --- a/cli/externalauth.go +++ b/cli/externalauth.go @@ -2,6 +2,7 @@ package cli import ( "encoding/json" + "fmt" "golang.org/x/xerrors" @@ -9,6 +10,7 @@ import ( "github.com/coder/coder/v2/cli/cliui" "github.com/coder/coder/v2/codersdk/agentsdk" + "github.com/coder/pretty" "github.com/coder/serpent" ) @@ -68,6 +70,11 @@ fi ctx, stop := inv.SignalNotifyContext(ctx, StopSignals...) defer stop() + if r.agentToken == "" { + _, _ = fmt.Fprint(inv.Stderr, pretty.Sprintf(headLineStyle(), "No agent token found, this command must be run from inside a running workspace.\n")) + return xerrors.Errorf("agent token not found") + } + client, err := r.createAgentClient() if err != nil { return xerrors.Errorf("create agent client: %w", err) From 838fb0fa3cb3cd6d73e74ea4e5e11d415c65ef46 Mon Sep 17 00:00:00 2001 
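Review bot: In cli/externalauth.go, the new guard `if r.agentToken == ""` reports one failure in two places: it writes a styled line to `inv.Stderr` and then returns `xerrors.Errorf("agent token not found")`, which the caller will presumably print as well, while the returned error itself carries none of the guidance. Consider keeping the hint with the error, and using `xerrors.New` since there are no format verbs, e.g. `return xerrors.New("agent token not found: this command must be run from inside a running workspace")`. The condition only proves that no token was supplied, not where the process is running, so a comment such as `// An empty token means no agent credentials were supplied; fail before contacting the agent API.` would make the intent clear. The enclosing handler starts and ends outside the hunk.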
From: Steven Masley Date: Wed, 27 Mar 2024 14:05:47 -0500 Subject: [PATCH 3/7] Rephrase to focus on git not ASK_PASS --- docs/admin/external-auth.md | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/docs/admin/external-auth.md b/docs/admin/external-auth.md index 04356dab1f8f9..924a9d2194d0a 100644 --- a/docs/admin/external-auth.md +++ b/docs/admin/external-auth.md @@ -212,7 +212,7 @@ you can require users authenticate via git prior to creating a workspace: ![Git authentication in template](../images/admin/git-auth-template.png) -### `GIT_ASKPASS` will auto-refresh tokens +### Native git authentication will auto-refresh tokens

@@ -220,9 +220,17 @@ you can require users authenticate via git prior to creating a workspace:

-By default, the coder agent is configured to respond to `GIT_ASKPASS` prompts. -Meaning, with no additional configuration, external authentication will work -with native `git` commands. +By default, the coder agent will configure native `git` authentication via the +`GIT_ASKPASS` environment variable. Meaning, with no additional configuration, +external authentication will work with native `git` commands. + +To check the auth token being used **from inside a running workspace**, run: + +```shell +# If the exit code is non-zero, then the user is not authenticated with the +# external provider. +coder external-auth access-token + ``` Note: Some IDE's override the `GIT_ASKPASS` environment variable and need to be configured. From d686bcf3e7be9c68d915b72852517f5f5de84e35 Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Wed, 27 Mar 2024 14:10:32 -0500 Subject: [PATCH 4/7] make fmt --- docs/admin/external-auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/admin/external-auth.md b/docs/admin/external-auth.md index 924a9d2194d0a..b2b647243805c 100644 --- a/docs/admin/external-auth.md +++ b/docs/admin/external-auth.md @@ -230,7 +230,7 @@ To check the auth token being used **from inside a running workspace**, run: # If the exit code is non-zero, then the user is not authenticated with the # external provider. coder external-auth access-token - ``` +``` Note: Some IDE's override the `GIT_ASKPASS` environment variable and need to be configured. From 8759807e2a781e8c392ac6bf09b0845d649c6f8e Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Wed, 27 Mar 2024 14:20:50 -0500 Subject: [PATCH 5/7] fixup tests to insert an agent token --- cli/externalauth_test.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/cli/externalauth_test.go b/cli/externalauth_test.go index 3a4aa0721e3a4..4e04ce6b89e09 100644 --- a/cli/externalauth_test.go +++ b/cli/externalauth_test.go 
@@ -24,7 +24,7 @@ func TestExternalAuth(t *testing.T) {
 }))
 t.Cleanup(srv.Close)
 url := srv.URL
- inv, _ := clitest.New(t, "--agent-url", url, "external-auth", "access-token", "github")
+ inv, _ := clitest.New(t, "--agent-url", url, "--agent-token", "foo", "external-auth", "access-token", "github")
 pty := ptytest.New(t)
 inv.Stdout = pty.Output()
 waiter := clitest.StartWithWaiter(t, inv)
@@ -40,7 +40,7 @@ func TestExternalAuth(t *testing.T) {
 }))
 t.Cleanup(srv.Close)
 url := srv.URL
- inv, _ := clitest.New(t, "--agent-url", url, "external-auth", "access-token", "github")
+ inv, _ := clitest.New(t, "--agent-url", url, "--agent-token", "foo", "external-auth", "access-token", "github")
 pty := ptytest.New(t)
 inv.Stdout = pty.Output()
 clitest.Start(t, inv)
@@ -55,7 +55,7 @@ func TestExternalAuth(t *testing.T) {
 }))
 t.Cleanup(srv.Close)
 url := srv.URL
- inv, _ := clitest.New(t, "--agent-url", url, "external-auth", "access-token")
+ inv, _ := clitest.New(t, "--agent-url", url, "--agent-token", "foo", "external-auth", "access-token")
 watier := clitest.StartWithWaiter(t, inv)
 watier.RequireContains("wanted 1 args but got 0")
 })
@@ -71,7 +71,7 @@ func TestExternalAuth(t *testing.T) {
 }))
 t.Cleanup(srv.Close)
 url := srv.URL
- inv, _ := clitest.New(t, "--agent-url", url, "external-auth", "access-token", "github", "--extra", "hey")
+ inv, _ := clitest.New(t, "--agent-url", url, "--agent-token", "foo", "external-auth", "access-token", "github", "--extra", "hey")
 pty := ptytest.New(t)
 inv.Stdout = pty.Output()
 clitest.Start(t, inv)
From 836dc7153afde193ab99b9085f11a2936f62e6d6 Mon Sep 17 00:00:00 2001
From: Steven Masley
Date: Wed, 27 Mar 2024 14:32:41 -0500
Subject: [PATCH 6/7] mention our extension
---
 docs/admin/external-auth.md | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/docs/admin/external-auth.md b/docs/admin/external-auth.md
index b2b647243805c..f27b45d8776d1 100644
--- a/docs/admin/external-auth.md
+++ b/docs/admin/external-auth.md
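Review bot: The four updated subtests in cli/externalauth_test.go (hunks at -24, -40, -55 and -71) all pass `--agent-token foo`, so nothing exercises the empty-token guard that this series adds in cli/externalauth.go; these hunks only route the existing cases around it. A subtest that omits the flag and asserts the failure would pin the fail-fast behaviour, for example `inv, _ := clitest.New(t, "--agent-url", url, "external-auth", "access-token", "github")` followed by `clitest.StartWithWaiter(t, inv).RequireContains("agent token not found")`, assuming the test process does not inherit a token from its environment. TestExternalAuth's body starts and ends outside these hunks.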
@@ -237,6 +237,11 @@ configured. **VSCode** +Use the [Coder](https://marketplace.visualstudio.com/items?itemName=coder.coder-remote) +extension to automatically configure these settings for you! + +Otherwise, you can manually configure the following settings: + - Set `git.terminalAuthentication` to `false` - Set `git.useIntegratedAskPass` to `false` From cc351b8496bcacbe49df153b109f8d3f69107f78 Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Wed, 27 Mar 2024 14:36:25 -0500 Subject: [PATCH 7/7] Make fmt --- docs/admin/external-auth.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/admin/external-auth.md b/docs/admin/external-auth.md index f27b45d8776d1..2f785c5c51bd0 100644 --- a/docs/admin/external-auth.md +++ b/docs/admin/external-auth.md @@ -237,7 +237,8 @@ configured. **VSCode** -Use the [Coder](https://marketplace.visualstudio.com/items?itemName=coder.coder-remote) +Use the +[Coder](https://marketplace.visualstudio.com/items?itemName=coder.coder-remote) extension to automatically configure these settings for you! Otherwise, you can manually configure the following settings: