Thanks to visit codestin.com
Credit goes to github.com

Skip to content

feat: Add agent authentication based on instance ID #336

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Feb 21, 2022
Merged

feat: Add agent authentication based on instance ID #336

merged 7 commits into from
Feb 21, 2022

Conversation

kylecarbs
Copy link
Member

Each cloud has it's own unique instance identity signatures, which
can be used for zero-token authentication. This change adds support
for tracking by "instance_id", and automatically authenticating
with Google Cloud.

@kylecarbs
feat: Add agent authentication based on instance ID
1b65d08 
Each cloud has it's own unique instance identity signatures, which
can be used for zero-token authentication. This change adds support
for tracking by "instance_id", and automatically authenticating
with Google Cloud.
@kylecarbs kylecarbs self-assigned this Feb 20, 2022
@codecov
Copy link

codecov bot commented Feb 20, 2022
edited
Loading

Codecov Report

Merging #336 (648f40a) into main (67613da) will increase coverage by 0.13%.
The diff coverage is 64.75%.

Impacted file tree graph

@@            Coverage Diff             @@
##             main     #336      +/-   ##
==========================================
+ Coverage   67.39%   67.52%   +0.13%     
==========================================
  Files         143      145       +2     
  Lines        7806     7918     +112     
  Branches       77       77              
==========================================
+ Hits         5261     5347      +86     
- Misses       2008     2026      +18     
- Partials      537      545       +8
Flag Coverage Δ
unittest-go-macos-latest 66.49% <66.37%> (+0.21%) ⬆️
unittest-go-ubuntu-latest 67.41% <64.75%> (+0.24%) ⬆️
unittest-go-windows-2022 65.89% <66.37%> (+0.06%) ⬆️
unittest-js 63.61% <ø> (ø)
Impacted Files Coverage Δ
provisioner/terraform/provision.go 70.17% <44.44%> (-1.45%) ⬇️
coderd/workspaceagent.go 52.63% <52.63%> (ø)
codersdk/workspaceagent.go 54.16% <54.16%> (ø)
coderd/coderd.go 95.37% <100.00%> (+0.17%) ⬆️
coderd/coderdtest/coderdtest.go 100.00% <100.00%> (ø)
coderd/provisionerdaemons.go 60.20% <100.00%> (+2.53%) ⬆️
provisionerd/provisionerd.go 69.72% <0.00%> (+0.39%) ⬆️
peer/channel.go 82.45% <0.00%> (+0.58%) ⬆️
... and 2 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 67613da...648f40a. Read the comment docs.

@kylecarbs kylecarbs marked this pull request as ready for review February 20, 2022 19:15
bryphe-coder
bryphe-coder reviewed Feb 21, 2022
View reviewed changes
coderd/coderd.go
@@ -18,6 +19,8 @@ type Options struct {
Logger slog.Logger
Database database.Store
Pubsub database.Pubsub

GoogleTokenValidator *idtoken.Validator
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, interesting - so we'll have to add token validation for all the cloud instances we support?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

seems like longer term we might want to refactor these into some common interface or something

Copy link
Contributor

@bryphe-coder bryphe-coder Feb 21, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That sounds like a great idea @jawnsy ! @misskniss - I'm also thinking we'll need to track the work for adding additional validators for stuff we want to have in Alpha (EC2, Azure?)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tried to abstract it, but didn't think it was worth it. It'll make more intricate testing harder, because we want to mock the metadata server n' such.

Maybe eventually we can, but I wanted to keep the handlers in coderd.

bryphe-coder
bryphe-coder reviewed Feb 21, 2022
View reviewed changes
coderd/workspaceagent.go
Comment on lines +71 to +74
// This token should only be exchanged if the instance ID is valid
// for the latest history. If an instance ID is recycled by a cloud,
// we'd hate to leak access to a user's workspace.
latestHistory, err := api.Database.GetWorkspaceHistoryByWorkspaceIDWithoutAfter(r.Context(), resourceHistory.WorkspaceID)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for calling this out, didn't think about this case until reading through the code 👍

bryphe-coder
bryphe-coder reviewed Feb 21, 2022
View reviewed changes
codersdk/workspaceagent_test.go
Comment on lines +35 to +37
func (r roundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
return r(req)
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Neato, nice helper function 👍

bryphe-coder
bryphe-coder approved these changes Feb 21, 2022
View reviewed changes
Copy link
Contributor

@bryphe-coder bryphe-coder left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me! 👍

@kylecarbs kylecarbs enabled auto-merge (squash) February 21, 2022 20:36
@kylecarbs kylecarbs merged commit 8958b64 into main Feb 21, 2022
@kylecarbs kylecarbs deleted the agent branch February 21, 2022 20:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jawnsy jawnsy jawnsy left review comments

@bryphe-coder bryphe-coder bryphe-coder approved these changes

Assignees

@kylecarbs kylecarbs

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kylecarbs @jawnsy @bryphe-coder