Add TrustChallenge MVP for coder-cli to inject certs

Emyrk · Emyrk · commit bc68f30e2fcb · 2021-09-30T22:02:55.000-04:00
Coder-cli can pull the coderd cert using a shared secret for trust
diff --git a/coder-sdk/interface.go b/coder-sdk/interface.go
@@ -257,4 +257,8 @@ type Client interface {
 
 	// ICEServers fetches the list of ICE servers advertised by the deployment.
 	ICEServers(ctx context.Context) ([]webrtc.ICEServer, error)
+
+	// TrustEnvironment
+	// TODO: @emyrk DO NOT USE AT THIS TIME
+	TrustEnvironment(ctx context.Context, id string) (*TrustChallengeResponse, error)
 }
diff --git a/coder-sdk/request.go b/coder-sdk/request.go
@@ -105,23 +105,34 @@ func (c *DefaultClient) request(ctx context.Context, method, path string, in int
 // requestBody is a helper extending the Client.request helper, checking the response code
 // and decoding the response payload.
 func (c *DefaultClient) requestBody(ctx context.Context, method, path string, in, out interface{}, opts ...requestOption) error {
+	_, err := c.requestBodyWithResponse(ctx, method, path, in, out, opts...)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// requestBodyWithResponse is a helper extending the Client.request helper, checking the response code
+// and decoding the response payload. It also returns the original http.Response in case the headers or other
+// response properties need to be analyzed.
+func (c *DefaultClient) requestBodyWithResponse(ctx context.Context, method, path string, in, out interface{}, opts ...requestOption) (*http.Response, error) {
 	resp, err := c.request(ctx, method, path, in, opts...)
 	if err != nil {
-		return xerrors.Errorf("Execute request: %q", err)
+		return nil, xerrors.Errorf("Execute request: %q", err)
 	}
 	defer func() { _ = resp.Body.Close() }() // Best effort, likely connection dropped.
 
 	// Responses in the 100 are handled by the http lib, in the 200 range, we have a success.
 	// Consider anything at or above 300 to be an error.
 	if resp.StatusCode > 299 {
-		return fmt.Errorf("unexpected status code %d: %w", resp.StatusCode, NewHTTPError(resp))
+		return nil, fmt.Errorf("unexpected status code %d: %w", resp.StatusCode, NewHTTPError(resp))
 	}
 
 	// If we expect a payload, process it as json.
 	if out != nil {
 		if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
-			return xerrors.Errorf("decode response body: %w", err)
+			return nil, xerrors.Errorf("decode response body: %w", err)
 		}
 	}
-	return nil
+	return resp, nil
 }
diff --git a/coder-sdk/workspace.go b/coder-sdk/workspace.go
@@ -2,6 +2,7 @@ package coder
 
 import (
 	"context"
+	"encoding/pem"
 	"fmt"
 	"io"
 	"net/http"
@@ -513,3 +514,34 @@ func (c *DefaultClient) SetPolicyTemplate(ctx context.Context, templateID string
 
 	return &resp, nil
 }
+
+// TrustChallengeResponse returns the tls certs used in the response.
+type TrustChallengeResponse struct {
+	// Certificates are the returned response certificates
+	Certificates [][]byte `json:"-"`
+}
+
+// TrustEnvironment is used to make a secure handshake with a coderd. This is intended to run from within a workspace.
+// If this fails, we are not talking to the coderd that has access to the workspace's shared secret.
+// TODO: @emyrk the trust challenge is not fully fleshed out, and should not be used in production at this time.
+// 		The secure handshake needs to be implemented.
+func (c *DefaultClient) TrustEnvironment(ctx context.Context, id string) (*TrustChallengeResponse, error) {
+	var challenge TrustChallengeResponse
+	//nolint: bodyclose
+	resp, err := c.requestBodyWithResponse(ctx, http.MethodGet, "/api/private/environments/"+id+"/trust-challenge", nil, &challenge)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(resp.TLS.PeerCertificates) > 0 {
+		for _, c := range resp.TLS.PeerCertificates {
+			data := pem.EncodeToMemory(&pem.Block{
+				Type:  "CERTIFICATE",
+				Bytes: c.Raw,
+			})
+			challenge.Certificates = append(challenge.Certificates, data)
+		}
+	}
+
+	return &challenge, nil
+}
diff --git a/internal/cmd/agent.go b/internal/cmd/agent.go
@@ -1,10 +1,16 @@
 package cmd
 
 import (
+	"context"
+	"crypto/tls"
+	"fmt"
+	"net/http"
 	"net/url"
 	"os"
 	"os/signal"
+	"path/filepath"
 	"syscall"
+	"time"
 
 	// We use slog here since agent runs in the background and we can benefit
 	// from structured logging.
@@ -16,6 +22,9 @@ import (
 	"cdr.dev/coder-cli/wsnet"
 )
 
+// coderdCertDir is where the certificates for coderd are written by the coder agent.
+const coderdCertDir = "/var/tmp/coder/certs"
+
 func agentCmd() *cobra.Command {
 	cmd := &cobra.Command{
 		Use:    "agent",
@@ -97,6 +106,12 @@ coder agent start --log-file=/tmp/coder-agent.log
 				}
 			}
 
+			// First inject certs
+			err = writeCoderdCerts(ctx)
+			if err != nil {
+				return xerrors.Errorf("trust certs: %w", err)
+			}
+
 			log.Info(ctx, "starting wsnet listener", slog.F("coder_access_url", u.String()))
 			listener, err := wsnet.Listen(ctx, log, wsnet.ListenEndpoint(u, token), token)
 			if err != nil {
@@ -125,3 +140,62 @@ coder agent start --log-file=/tmp/coder-agent.log
 
 	return cmd
 }
+
+func writeCoderdCerts(ctx context.Context) error {
+	// Inject certs to custom dir and concat with : with existing dir.
+	certs, err := trustCertificate(ctx)
+	if err != nil {
+		return xerrors.Errorf("trust cert: %w", err)
+	}
+
+	err = os.MkdirAll(coderdCertDir, 0666)
+	if err != nil {
+		return xerrors.Errorf("mkdir %s: %w", coderdCertDir, err)
+	}
+
+	certPath := filepath.Join(coderdCertDir, "certs.pem")
+	file, err := os.OpenFile(certPath, os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0666)
+	if err != nil {
+		return xerrors.Errorf("create file %s: %w", certPath, err)
+	}
+
+	for _, cert := range certs {
+		_, _ = fmt.Fprintln(file, string(cert))
+	}
+
+	// Add our directory to the certs to trust
+	certDir := os.Getenv("SSL_CERT_DIR")
+	err = os.Setenv("SSL_CERT_DIR", certDir+":"+coderdCertDir)
+	if err != nil {
+		return xerrors.Errorf("set SSL_CERT_DIR: %w", err)
+	}
+
+	return nil
+}
+
+// trustCertificate will fetch coderd's certificate and write it to disc.
+// It will then extend the certs to trust to include this directory.
+// This only happens if coderd can answer the challenge to prove
+// it has the shared secret.
+func trustCertificate(ctx context.Context) ([][]byte, error) {
+	conf := &tls.Config{InsecureSkipVerify: true}
+	hc := &http.Client{
+		Timeout: time.Second * 3,
+		Transport: &http.Transport{
+			TLSClientConfig: conf,
+		},
+	}
+
+	c, err := newClient(ctx, true, withHTTPClient(hc))
+	if err != nil {
+		return nil, xerrors.Errorf("new client: %w", err)
+	}
+
+	id := os.Getenv("CODER_WORKSPACE_ID")
+	challenge, err := c.TrustEnvironment(ctx, id)
+	if err != nil {
+		return nil, xerrors.Errorf("challenge failed: %w", err)
+	}
+
+	return challenge.Certificates, nil
+}
diff --git a/internal/cmd/auth.go b/internal/cmd/auth.go
@@ -23,7 +23,15 @@ var errNeedLogin = clog.Fatal(
 const tokenEnv = "CODER_TOKEN"
 const urlEnv = "CODER_URL"
 
-func newClient(ctx context.Context, checkVersion bool) (coder.Client, error) {
+type coderOpt func(opt *coder.ClientOptions)
+
+func withHTTPClient(hc *http.Client) coderOpt {
+	return func(opt *coder.ClientOptions) {
+		opt.HTTPClient = hc
+	}
+}
+
+func newClient(ctx context.Context, checkVersion bool, optsF ...coderOpt) (coder.Client, error) {
 	var (
 		err          error
 		sessionToken = os.Getenv(tokenEnv)
@@ -47,10 +55,16 @@ func newClient(ctx context.Context, checkVersion bool) (coder.Client, error) {
 		return nil, xerrors.Errorf("url malformed: %w try running \"coder login\" with a valid URL", err)
 	}
 
-	c, err := coder.NewClient(coder.ClientOptions{
+	clientOpts := &coder.ClientOptions{
 		BaseURL: u,
 		Token:   sessionToken,
-	})
+	}
+
+	for _, f := range optsF {
+		f(clientOpts)
+	}
+
+	c, err := coder.NewClient(*clientOpts)
 	if err != nil {
 		return nil, xerrors.Errorf("failed to create new coder.Client: %w", err)
 	}

Original file line number	Diff line number	Diff line change
`@@ -257,4 +257,8 @@ type Client interface {`
`257`	`257`
`258`	`258`	`// ICEServers fetches the list of ICE servers advertised by the deployment.`
`259`	`259`	`ICEServers(ctx context.Context) ([]webrtc.ICEServer, error)`
	`260`	`+`
	`261`	`+ // TrustEnvironment`
	`262`	`+ // TODO: @emyrk DO NOT USE AT THIS TIME`
	`263`	`+ TrustEnvironment(ctx context.Context, id string) (*TrustChallengeResponse, error)`
`260`	`264`	`}`