Make token optional when using mTLS

code-asher · code-asher · commit 2e45eb44b704 · 2024-04-22T16:38:37.000-08:00
Closes #394.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,11 @@
 - Various recent connections fixes (details coming soon).
 - IDEs are now sorted by version.
 
+### Changed
+
+- If using a certificate and key, it is assumed that token authentication is not
+  required, and all token prompts are skipped.
+
 ### Added
 
 - New setting for a setup command that will run in the directory of the IDE
diff --git a/gradle.properties b/gradle.properties
@@ -3,7 +3,7 @@
 pluginGroup=com.coder.gateway
 pluginName=coder-gateway
 # SemVer format -> https://semver.org
-pluginVersion=2.11.0
+pluginVersion=2.11.1
 # See https://plugins.jetbrains.com/docs/intellij/build-number-ranges.html
 # for insight into build numbers and IntelliJ Platform versions.
 pluginSinceBuild=233.6745
diff --git a/src/main/kotlin/com/coder/gateway/CoderGatewayConnectionProvider.kt b/src/main/kotlin/com/coder/gateway/CoderGatewayConnectionProvider.kt
@@ -106,7 +106,7 @@ class CoderGatewayConnectionProvider : GatewayConnectionProvider {
                 throw IllegalArgumentException("Query parameter \"$URL\" is missing")
             }
 
-            val (client, username) = authenticate(deploymentURL, parameters.token())
+            val client = authenticate(deploymentURL, parameters.token())
 
             // TODO: If the workspace is missing we could launch the wizard.
             val workspaceName = parameters.workspace() ?: throw IllegalArgumentException("Query parameter \"$WORKSPACE\" is missing")
@@ -189,29 +189,35 @@ class CoderGatewayConnectionProvider : GatewayConnectionProvider {
     }
 
     /**
-     * Return an authenticated Coder CLI and the user's name, asking for the
-     * token as long as it continues to result in an authentication failure.
+     * Return an authenticated Coder CLI, asking for the token as long as it
+     * continues to result in an authentication failure and token authentication
+     * is required.
      */
-    private fun authenticate(deploymentURL: String, queryToken: String?, lastToken: Pair<String, TokenSource>? = null): Pair<CoderRestClient, String> {
-        // Use the token from the query, unless we already tried that.
-        val isRetry = lastToken != null
-        val token = if (!queryToken.isNullOrBlank() && !isRetry)
-            Pair(queryToken, TokenSource.QUERY)
-        else CoderRemoteConnectionHandle.askToken(
-            deploymentURL.toURL(),
-            lastToken,
-            isRetry,
-            useExisting = true,
-            settings,
-        )
-        if (token == null) { // User aborted.
+    private fun authenticate(deploymentURL: String, queryToken: String?, lastToken: Pair<String, TokenSource>? = null): CoderRestClient {
+        val token = if (settings.requireTokenAuth) {
+            // Use the token from the query, unless we already tried that.
+            val isRetry = lastToken != null
+            if (!queryToken.isNullOrBlank() && !isRetry)
+                Pair(queryToken, TokenSource.QUERY)
+            else CoderRemoteConnectionHandle.askToken(
+                deploymentURL.toURL(),
+                lastToken,
+                isRetry,
+                useExisting = true,
+                settings)
+        } else null
+        if (settings.requireTokenAuth && token == null) { // User aborted.
             throw IllegalArgumentException("Unable to connect to $deploymentURL, query parameter \"$TOKEN\" is missing")
         }
-        val client = CoderRestClientService(deploymentURL.toURL(), token.first)
+        val client = CoderRestClientService(deploymentURL.toURL(), token?.first)
         return try {
-            Pair(client, client.me().username)
+            client.authenticate()
+            client
         } catch (ex: AuthenticationResponseException) {
-            authenticate(deploymentURL, queryToken, token)
+            // If doing token auth we can ask and try again.
+            if (settings.requireTokenAuth) {
+                authenticate(deploymentURL, queryToken, token)
+            } else throw ex
         }
     }
 
diff --git a/src/main/kotlin/com/coder/gateway/CoderRemoteConnectionHandle.kt b/src/main/kotlin/com/coder/gateway/CoderRemoteConnectionHandle.kt
@@ -228,6 +228,7 @@ class CoderRemoteConnectionHandle {
                     if (isRetry) "gateway.connector.view.workspaces.token.rejected"
                     else if (tokenSource == TokenSource.CONFIG) "gateway.connector.view.workspaces.token.injected"
                     else if (tokenSource == TokenSource.QUERY) "gateway.connector.view.workspaces.token.query"
+                    else if (tokenSource == TokenSource.LAST_USED) "gateway.connector.view.workspaces.token.last-used"
                     else if (existingToken.isNotBlank()) "gateway.connector.view.workspaces.token.comment"
                     else "gateway.connector.view.workspaces.token.none",
                     url.host,
diff --git a/src/main/kotlin/com/coder/gateway/models/TokenSource.kt b/src/main/kotlin/com/coder/gateway/models/TokenSource.kt
@@ -7,5 +7,6 @@ enum class TokenSource {
     CONFIG,    // Pulled from the Coder CLI config.
     USER,      // Input by the user.
     QUERY,     // From the Gateway link as a query parameter.
+    LAST_USED, // Last used token.
 }
 
diff --git a/src/main/kotlin/com/coder/gateway/settings/CoderSettings.kt b/src/main/kotlin/com/coder/gateway/settings/CoderSettings.kt
@@ -183,12 +183,15 @@ open class CoderSettings(
     }
 
     /**
-     * Return the URL and token from the config, if it exists.
+     * Return the URL and token from the config, if it exists.  Both the url and
+     * session files must exist if using token auth, otherwise only url must
+     * exist.
      */
     fun readConfig(dir: Path): Pair<String?, String?> {
         logger.info("Reading config from $dir")
         return try {
-            Files.readString(dir.resolve("url")) to Files.readString(dir.resolve("session"))
+            val token = if (requireTokenAuth) Files.readString(dir.resolve("session")) else null
+            Files.readString(dir.resolve("url")) to token
         } catch (e: Exception) {
             // SSH has not been configured yet, or using some other authorization mechanism.
             null to null
@@ -246,6 +249,11 @@ open class CoderSettings(
             }
         }
 
+    val requireTokenAuth: Boolean
+        get() {
+            return tls.certPath.isBlank() || tls.keyPath.isBlank()
+        }
+
     /**
      * Return the name of the binary (with extension) for the provided OS and
      * architecture.
diff --git a/src/main/kotlin/com/coder/gateway/views/steps/CoderWorkspacesStepView.kt b/src/main/kotlin/com/coder/gateway/views/steps/CoderWorkspacesStepView.kt
diff --git a/src/main/resources/messages/CoderGatewayBundle.properties b/src/main/resources/messages/CoderGatewayBundle.properties
diff --git a/src/test/kotlin/com/coder/gateway/settings/CoderSettingsTest.kt b/src/test/kotlin/com/coder/gateway/settings/CoderSettingsTest.kt

Original file line number	Diff line number	Diff line change
`@@ -7,5 +7,6 @@ enum class TokenSource {`
`7`	`7`	`CONFIG, // Pulled from the Coder CLI config.`
`8`	`8`	`USER, // Input by the user.`
`9`	`9`	`QUERY, // From the Gateway link as a query parameter.`
	`10`	`+ LAST_USED, // Last used token.`
`10`	`11`	`}`
`11`	`12`