coder · deansheather · Sep 13, 2022 · Aug 26, 2022 · Aug 26, 2022 · Aug 29, 2022
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -131,6 +131,17 @@ func New(options *Options) *API {
 			})
 		},
 		httpmw.Prometheus(options.PrometheusRegistry),
+		// handleSubdomain checks if the first subdomain is a valid app url.
+		// If it is, it will serve that application.
+		api.handleSubdomain(
+			// Middleware to impose on the served application.
+			httpmw.RateLimitPerMinute(options.APIRateLimit),
+			// This should extract the application specific API key when we
+			// implement a scoped token.
+			httpmw.ExtractAPIKey(options.Database, oauthConfigs, false),
+			httpmw.ExtractUserParam(api.Database),
+			httpmw.ExtractWorkspaceAndAgentParam(api.Database),
+		),
 	)
 
 	apps := func(r chi.Router) {

diff --git a/coderd/subdomain.go b/coderd/subdomain.go
@@ -0,0 +1,152 @@
+package coderd
+
+import (
+	"fmt"
+	"net/http"
+	"regexp"
+	"strings"
+
+	"github.com/coder/coder/coderd/httpmw"
+
+	"github.com/go-chi/chi/v5"
+
+	"golang.org/x/xerrors"
+)
+
+const (
+	// XForwardedHostHeader is a header used by proxies to indicate the
+	// original host of the request.
+	XForwardedHostHeader = "X-Forwarded-Host"
+)
+
+// ApplicationURL is a parsed application url into it's components
+type ApplicationURL struct {
+	AppName       string
+	WorkspaceName string
+	Agent         string
+	Username      string
+	Path          string
+	Domain        string
+}
+
+func (api *API) handleSubdomain(middlewares ...func(http.Handler) http.Handler) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+			ctx := r.Context()
+			app, err := ParseSubdomainAppURL(r)
+
+			if err != nil {
+				// Subdomain is not a valid application url. Pass through.
+				// TODO: @emyrk we should probably catch invalid subdomains. Meaning
+				// 	an invalid application should not route to the coderd.
+				//	To do this we would need to know the list of valid access urls
+				//	though?
+				next.ServeHTTP(rw, r)
+				return
+			}
+
+			workspaceAgentKey := app.WorkspaceName
+			if app.Agent != "" {
+				workspaceAgentKey += "." + app.Agent
+			}
+			chiCtx := chi.RouteContext(ctx)
+			chiCtx.URLParams.Add("workspace_and_agent", workspaceAgentKey)
+			chiCtx.URLParams.Add("user", app.Username)
+
+			// Use the passed in app middlewares before passing to the proxy app.
+			mws := chi.Middlewares(middlewares)
+			mws.Handler(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+				workspace := httpmw.WorkspaceParam(r)
+				agent := httpmw.WorkspaceAgentParam(r)
+
+				api.proxyWorkspaceApplication(proxyApplication{
+					Workspace: workspace,
+					Agent:     agent,
+					AppName:   app.AppName,
+				}, rw, r)
+			})).ServeHTTP(rw, r.WithContext(ctx))
+		})
+	}
+}
+
+var (
+	nameRegex = `[a-zA-Z0-9]+(?:-[a-zA-Z0-9]+)*`
+	appURL    = regexp.MustCompile(fmt.Sprintf(
+		// {USERNAME}--{WORKSPACE_NAME}}--{{AGENT_NAME}}--{{PORT}}
+		`^(?P<UserName>%[1]s)--(?P<WorkspaceName>%[1]s)(--(?P<AgentName>%[1]s))?--(?P<AppName>%[1]s)$`,
+		nameRegex))
+)
+
+// ParseSubdomainAppURL parses an application from the subdomain of r's Host header.
+// If the application string is not valid, returns a non-nil error.
+//   1) {USERNAME}--{WORKSPACE_NAME}}--{{AGENT_NAME}}--{{PORT/AppName}}
+//  	(eg. http://admin--myenv--main--8080.cdrdeploy.c8s.io)
+func ParseSubdomainAppURL(r *http.Request) (ApplicationURL, error) {
+	host := RequestHost(r)
+	if host == "" {
+		return ApplicationURL{}, xerrors.Errorf("no host header")
+	}
+
+	subdomain, domain, err := SplitSubdomain(host)
+	if err != nil {
+		return ApplicationURL{}, xerrors.Errorf("split host domain: %w", err)
+	}
+
+	matches := appURL.FindAllStringSubmatch(subdomain, -1)
+	if len(matches) == 0 {
+		return ApplicationURL{}, xerrors.Errorf("invalid application url format: %q", subdomain)
+	}
+
+	if len(matches) > 1 {
+		return ApplicationURL{}, xerrors.Errorf("multiple matches (%d) for application url: %q", len(matches), subdomain)
+	}
+	matchGroup := matches[0]
+
+	return ApplicationURL{
+		AppName:       matchGroup[appURL.SubexpIndex("AppName")],
+		WorkspaceName: matchGroup[appURL.SubexpIndex("WorkspaceName")],
+		Agent:         matchGroup[appURL.SubexpIndex("AgentName")],
+		Username:      matchGroup[appURL.SubexpIndex("UserName")],
+		Path:          r.URL.Path,
+		Domain:        domain,
+	}, nil
+}
+
+// RequestHost returns the name of the host from the request.  It prioritizes
+// 'X-Forwarded-Host' over r.Host since most requests are being proxied.
+func RequestHost(r *http.Request) string {
+	host := r.Header.Get(XForwardedHostHeader)
+	if host != "" {
+		return host
+	}
+
+	return r.Host
+}
+
+// SplitSubdomain splits a subdomain from a domain. E.g.:
+//   - "foo.bar.com" becomes "foo", "bar.com"
+//   - "foo.bar.baz.com" becomes "foo", "bar.baz.com"
+//
+// An error is returned if the string doesn't contain a period.
+func SplitSubdomain(hostname string) (subdomain string, domain string, err error) {
+	toks := strings.SplitN(hostname, ".", 2)
+	if len(toks) < 2 {
+		return "", "", xerrors.Errorf("no domain")
+	}
+
+	return toks[0], toks[1], nil
+}
+
+// applicationCookie is a helper function to copy the auth cookie to also
+// support subdomains. Until we support creating authentication cookies that can
+// only do application authentication, we will just reuse the original token.
+// This code should be temporary and be replaced with something that creates
+// a unique session_token.
+func (api *API) applicationCookie(authCookie *http.Cookie) *http.Cookie {
+	appCookie := *authCookie
+	// We only support setting this cookie on the access url subdomains.
+	// This is to ensure we don't accidentally leak the auth cookie to subdomains
+	// on another hostname.
+	appCookie.Domain = "." + api.AccessURL.Hostname()
+	return &appCookie
+}
diff --git a/coderd/subdomain_test.go b/coderd/subdomain_test.go
@@ -0,0 +1,116 @@
+package coderd_test
+
+import (
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/coderd"
+)
+
+func TestParseSubdomainAppURL(t *testing.T) {
+	t.Parallel()
+	testCases := []struct {
+		Name          string
+		URL           string
+		Expected      coderd.ApplicationURL
+		ExpectedError string
+	}{
+		{
+			Name:          "Empty",
+			URL:           "https://example.com",
+			Expected:      coderd.ApplicationURL{},
+			ExpectedError: "invalid application url format",
+		},
+		{
+			Name:          "Workspace.Agent+App",
+			URL:           "https://workspace.agent--app.coder.com",
+			Expected:      coderd.ApplicationURL{},
+			ExpectedError: "invalid application url format",
+		},
+		{
+			Name:          "Workspace+App",
+			URL:           "https://workspace--app.coder.com",
+			Expected:      coderd.ApplicationURL{},
+			ExpectedError: "invalid application url format",
+		},
+		// Correct
+		{
+			Name: "User+Workspace+App",
+			URL:  "https://user--workspace--app.coder.com",
+			Expected: coderd.ApplicationURL{
+				AppName:       "app",
+				WorkspaceName: "workspace",
+				Agent:         "",
+				Username:      "user",
+				Path:          "",
+				Domain:        "coder.com",
+			},
+		},
+		{
+			Name: "User+Workspace+Port",
+			URL:  "https://user--workspace--8080.coder.com",
+			Expected: coderd.ApplicationURL{
+				AppName:       "8080",
+				WorkspaceName: "workspace",
+				Agent:         "",
+				Username:      "user",
+				Path:          "",
+				Domain:        "coder.com",
+			},
+		},
+		{
+			Name: "User+Workspace.Agent+App",
+			URL:  "https://user--workspace--agent--app.coder.com",
+			Expected: coderd.ApplicationURL{
+				AppName:       "app",
+				WorkspaceName: "workspace",
+				Agent:         "agent",
+				Username:      "user",
+				Path:          "",
+				Domain:        "coder.com",
+			},
+		},
+		{
+			Name: "User+Workspace.Agent+Port",
+			URL:  "https://user--workspace--agent--8080.coder.com",
+			Expected: coderd.ApplicationURL{
+				AppName:       "8080",
+				WorkspaceName: "workspace",
+				Agent:         "agent",
+				Username:      "user",
+				Path:          "",
+				Domain:        "coder.com",
+			},
+		},
+		{
+			Name: "HyphenatedNames",
+			URL:  "https://admin-user--workspace-thing--agent-thing--app-name.coder.com",
+			Expected: coderd.ApplicationURL{
+				AppName:       "app-name",
+				WorkspaceName: "workspace-thing",
+				Agent:         "agent-thing",
+				Username:      "admin-user",
+				Path:          "",
+				Domain:        "coder.com",
+			},
+		},
+	}
+
+	for _, c := range testCases {
+		c := c
+		t.Run(c.Name, func(t *testing.T) {
+			t.Parallel()
+			r := httptest.NewRequest("GET", c.URL, nil)
+
+			app, err := coderd.ParseSubdomainAppURL(r)
+			if c.ExpectedError == "" {
+				require.NoError(t, err)
+				require.Equal(t, c.Expected, app, "expected app")
+			} else {
+				require.ErrorContains(t, err, c.ExpectedError, "expected error")
+			}
+		})
+	}
+}
diff --git a/coderd/userauth.go b/coderd/userauth.go
@@ -162,6 +162,7 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 	}
 
 	http.SetCookie(rw, cookie)
+	http.SetCookie(rw, api.applicationCookie(cookie))
 
 	redirect := state.Redirect
 	if redirect == "" {
@@ -274,6 +275,7 @@ func (api *API) userOIDC(rw http.ResponseWriter, r *http.Request) {
 	}
 
 	http.SetCookie(rw, cookie)
+	http.SetCookie(rw, api.applicationCookie(cookie))
 
 	redirect := state.Redirect
 	if redirect == "" {

diff --git a/coderd/users.go b/coderd/users.go
@@ -796,6 +796,7 @@ func (api *API) postLogin(rw http.ResponseWriter, r *http.Request) {
 	}
 
 	http.SetCookie(rw, cookie)
+	http.SetCookie(rw, api.applicationCookie(cookie))
 
 	httpapi.Write(rw, http.StatusCreated, codersdk.LoginWithPasswordResponse{
 		SessionToken: cookie.Value,
@@ -874,6 +875,7 @@ func (api *API) postLogout(rw http.ResponseWriter, r *http.Request) {
 	}
 
 	http.SetCookie(rw, cookie)
+	http.SetCookie(rw, api.applicationCookie(cookie))
 
 	// Delete the session token from database.
 	apiKey := httpmw.APIKey(r)

diff --git a/coderd/users_test.go b/coderd/users_test.go
@@ -281,9 +281,10 @@ func TestPostLogout(t *testing.T) {
 		require.Equal(t, http.StatusOK, res.StatusCode)
 
 		cookies := res.Cookies()
-		require.Len(t, cookies, 1, "Exactly one cookie should be returned")
+		require.Len(t, cookies, 2, "Exactly two cookies should be returned")
 
-		require.Equal(t, codersdk.SessionTokenKey, cookies[0].Name, "Cookie should be the auth cookie")
+		require.Equal(t, codersdk.SessionTokenKey, cookies[0].Name, "Cookie should be the auth & app cookie")
+		require.Equal(t, codersdk.SessionTokenKey, cookies[1].Name, "Cookie should be the auth & app cookie")
 		require.Equal(t, -1, cookies[0].MaxAge, "Cookie should be set to delete")
 
 		_, err = client.GetAPIKey(ctx, admin.UserID.String(), keyID)