diff --git a/cli/server.go b/cli/server.go
index 98a7739412afa..ea6f4d665f4de 100644
--- a/cli/server.go
+++ b/cli/server.go
@@ -620,6 +620,15 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
return xerrors.Errorf("parse ssh config options %q: %w", vals.SSHConfig.SSHConfigOptions.String(), err)
}
+ // The workspace hostname suffix is always interpreted as implicitly beginning with a single dot, so it is
+ // a config error to explicitly include the dot. This ensures that we always interpret the suffix as a
+ // separate DNS label, and not just an ordinary string suffix. E.g. a suffix of 'coder' will match
+ // 'en.coder' but not 'encoder'.
+ if strings.HasPrefix(vals.WorkspaceHostnameSuffix.String(), ".") {
+ return xerrors.Errorf("you must omit any leading . in workspace hostname suffix: %s",
+ vals.WorkspaceHostnameSuffix.String())
+ }
+
options := &coderd.Options{
AccessURL: vals.AccessURL.Value(),
AppHostname: appHostname,
diff --git a/cli/ssh.go b/cli/ssh.go
index d9c98cd0b48f1..e02443e7032c6 100644
--- a/cli/ssh.go
+++ b/cli/ssh.go
@@ -65,6 +65,7 @@ func (r *RootCmd) ssh() *serpent.Command {
var (
stdio bool
hostPrefix string
+ hostnameSuffix string
forwardAgent bool
forwardGPG bool
identityAgent string
@@ -202,10 +203,14 @@ func (r *RootCmd) ssh() *serpent.Command {
parsedEnv = append(parsedEnv, [2]string{k, v})
}
- workspaceInput := strings.TrimPrefix(inv.Args[0], hostPrefix)
- // convert workspace name format into owner/workspace.agent
- namedWorkspace := normalizeWorkspaceInput(workspaceInput)
- workspace, workspaceAgent, err := getWorkspaceAndAgent(ctx, inv, client, !disableAutostart, namedWorkspace)
+ deploymentSSHConfig := codersdk.SSHConfigResponse{
+ HostnamePrefix: hostPrefix,
+ HostnameSuffix: hostnameSuffix,
+ }
+
+ workspace, workspaceAgent, err := findWorkspaceAndAgentByHostname(
+ ctx, inv, client,
+ inv.Args[0], deploymentSSHConfig, disableAutostart)
if err != nil {
return err
}
@@ -564,6 +569,12 @@ func (r *RootCmd) ssh() *serpent.Command {
Description: "Strip this prefix from the provided hostname to determine the workspace name. This is useful when used as part of an OpenSSH proxy command.",
Value: serpent.StringOf(&hostPrefix),
},
+ {
+ Flag: "hostname-suffix",
+ Env: "CODER_SSH_HOSTNAME_SUFFIX",
+ Description: "Strip this suffix from the provided hostname to determine the workspace name. This is useful when used as part of an OpenSSH proxy command. The suffix must be specified without a leading . character.",
+ Value: serpent.StringOf(&hostnameSuffix),
+ },
{
Flag: "forward-agent",
FlagShorthand: "A",
@@ -656,6 +667,30 @@ func (r *RootCmd) ssh() *serpent.Command {
return cmd
}
+// findWorkspaceAndAgentByHostname parses the hostname from the commandline and finds the workspace and agent it
+// corresponds to, taking into account any name prefixes or suffixes configured (e.g. myworkspace.coder, or
+// vscode-coder--myusername--myworkspace).
+func findWorkspaceAndAgentByHostname(
+ ctx context.Context, inv *serpent.Invocation, client *codersdk.Client,
+ hostname string, config codersdk.SSHConfigResponse, disableAutostart bool,
+) (
+ codersdk.Workspace, codersdk.WorkspaceAgent, error,
+) {
+ // for suffixes, we don't explicitly get the . and must add it. This is to ensure that the suffix is always
+ // interpreted as a dotted label in DNS names, not just any string suffix. That is, a suffix of 'coder' will
+ // match a hostname like 'en.coder', but not 'encoder'.
+ qualifiedSuffix := "." + config.HostnameSuffix
+
+ switch {
+ case config.HostnamePrefix != "" && strings.HasPrefix(hostname, config.HostnamePrefix):
+ hostname = strings.TrimPrefix(hostname, config.HostnamePrefix)
+ case config.HostnameSuffix != "" && strings.HasSuffix(hostname, qualifiedSuffix):
+ hostname = strings.TrimSuffix(hostname, qualifiedSuffix)
+ }
+ hostname = normalizeWorkspaceInput(hostname)
+ return getWorkspaceAndAgent(ctx, inv, client, !disableAutostart, hostname)
+}
+
// watchAndClose ensures closer is called if the context is canceled or
// the workspace reaches the stopped state.
//
diff --git a/cli/ssh_test.go b/cli/ssh_test.go
index 75ad88601e9ae..332fbbe219c46 100644
--- a/cli/ssh_test.go
+++ b/cli/ssh_test.go
@@ -1690,67 +1690,85 @@ func TestSSH(t *testing.T) {
}
})
- t.Run("SSHHostPrefix", func(t *testing.T) {
+ t.Run("SSHHost", func(t *testing.T) {
t.Parallel()
- client, workspace, agentToken := setupWorkspaceForAgent(t)
- _, _ = tGoContext(t, func(ctx context.Context) {
- // Run this async so the SSH command has to wait for
- // the build and agent to connect!
- _ = agenttest.New(t, client.URL, agentToken)
- <-ctx.Done()
- })
- clientOutput, clientInput := io.Pipe()
- serverOutput, serverInput := io.Pipe()
- defer func() {
- for _, c := range []io.Closer{clientOutput, clientInput, serverOutput, serverInput} {
- _ = c.Close()
- }
- }()
+ testCases := []struct {
+ name, hostnameFormat string
+ flags []string
+ }{
+ {"Prefix", "coder.dummy.com--%s--%s", []string{"--ssh-host-prefix", "coder.dummy.com--"}},
+ {"Suffix", "%s--%s.coder", []string{"--hostname-suffix", "coder"}},
+ {"Both", "%s--%s.coder", []string{"--hostname-suffix", "coder", "--ssh-host-prefix", "coder.dummy.com--"}},
+ }
+ for _, tc := range testCases {
+ t.Run(tc.name, func(t *testing.T) {
+ t.Parallel()
- ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
- defer cancel()
+ client, workspace, agentToken := setupWorkspaceForAgent(t)
+ _, _ = tGoContext(t, func(ctx context.Context) {
+ // Run this async so the SSH command has to wait for
+ // the build and agent to connect!
+ _ = agenttest.New(t, client.URL, agentToken)
+ <-ctx.Done()
+ })
- user, err := client.User(ctx, codersdk.Me)
- require.NoError(t, err)
+ clientOutput, clientInput := io.Pipe()
+ serverOutput, serverInput := io.Pipe()
+ defer func() {
+ for _, c := range []io.Closer{clientOutput, clientInput, serverOutput, serverInput} {
+ _ = c.Close()
+ }
+ }()
- inv, root := clitest.New(t, "ssh", "--stdio", "--ssh-host-prefix", "coder.dummy.com--", fmt.Sprintf("coder.dummy.com--%s--%s", user.Username, workspace.Name))
- clitest.SetupConfig(t, client, root)
- inv.Stdin = clientOutput
- inv.Stdout = serverInput
- inv.Stderr = io.Discard
+ ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+ defer cancel()
- cmdDone := tGo(t, func() {
- err := inv.WithContext(ctx).Run()
- assert.NoError(t, err)
- })
+ user, err := client.User(ctx, codersdk.Me)
+ require.NoError(t, err)
- conn, channels, requests, err := ssh.NewClientConn(&stdioConn{
- Reader: serverOutput,
- Writer: clientInput,
- }, "", &ssh.ClientConfig{
- // #nosec
- HostKeyCallback: ssh.InsecureIgnoreHostKey(),
- })
- require.NoError(t, err)
- defer conn.Close()
+ args := []string{"ssh", "--stdio"}
+ args = append(args, tc.flags...)
+ args = append(args, fmt.Sprintf(tc.hostnameFormat, user.Username, workspace.Name))
+ inv, root := clitest.New(t, args...)
+ clitest.SetupConfig(t, client, root)
+ inv.Stdin = clientOutput
+ inv.Stdout = serverInput
+ inv.Stderr = io.Discard
- sshClient := ssh.NewClient(conn, channels, requests)
- session, err := sshClient.NewSession()
- require.NoError(t, err)
- defer session.Close()
+ cmdDone := tGo(t, func() {
+ err := inv.WithContext(ctx).Run()
+ assert.NoError(t, err)
+ })
- command := "sh -c exit"
- if runtime.GOOS == "windows" {
- command = "cmd.exe /c exit"
- }
- err = session.Run(command)
- require.NoError(t, err)
- err = sshClient.Close()
- require.NoError(t, err)
- _ = clientOutput.Close()
+ conn, channels, requests, err := ssh.NewClientConn(&stdioConn{
+ Reader: serverOutput,
+ Writer: clientInput,
+ }, "", &ssh.ClientConfig{
+ // #nosec
+ HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+ })
+ require.NoError(t, err)
+ defer conn.Close()
- <-cmdDone
+ sshClient := ssh.NewClient(conn, channels, requests)
+ session, err := sshClient.NewSession()
+ require.NoError(t, err)
+ defer session.Close()
+
+ command := "sh -c exit"
+ if runtime.GOOS == "windows" {
+ command = "cmd.exe /c exit"
+ }
+ err = session.Run(command)
+ require.NoError(t, err)
+ err = sshClient.Close()
+ require.NoError(t, err)
+ _ = clientOutput.Close()
+
+ <-cmdDone
+ })
+ }
})
}
diff --git a/cli/testdata/coder_ssh_--help.golden b/cli/testdata/coder_ssh_--help.golden
index 3d2f584727cd9..1f7122dd655a2 100644
--- a/cli/testdata/coder_ssh_--help.golden
+++ b/cli/testdata/coder_ssh_--help.golden
@@ -23,6 +23,11 @@ OPTIONS:
locally and will not be started for you. If a GPG agent is already
running in the workspace, it will be attempted to be killed.
+ --hostname-suffix string, $CODER_SSH_HOSTNAME_SUFFIX
+ Strip this suffix from the provided hostname to determine the
+ workspace name. This is useful when used as part of an OpenSSH proxy
+ command. The suffix must be specified without a leading . character.
+
--identity-agent string, $CODER_SSH_IDENTITY_AGENT
Specifies which identity agent to use (overrides $SSH_AUTH_SOCK),
forward agent must also be enabled.
diff --git a/docs/reference/cli/ssh.md b/docs/reference/cli/ssh.md
index 72d63a1f003af..c5bae755c8419 100644
--- a/docs/reference/cli/ssh.md
+++ b/docs/reference/cli/ssh.md
@@ -29,6 +29,15 @@ Specifies whether to emit SSH output over stdin/stdout.
Strip this prefix from the provided hostname to determine the workspace name. This is useful when used as part of an OpenSSH proxy command.
+### --hostname-suffix
+
+| | |
+|-------------|-----------------------------------------|
+| Type | string |
+| Environment | $CODER_SSH_HOSTNAME_SUFFIX |
+
+Strip this suffix from the provided hostname to determine the workspace name. This is useful when used as part of an OpenSSH proxy command. The suffix must be specified without a leading . character.
+
### -A, --forward-agent
| | |
pFad - Phonifier reborn
Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.
Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.
Alternative Proxies:
Alternative Proxy
pFad Proxy
pFad v3 Proxy
pFad v4 Proxy