Merge branch 'main' into eap

Author: kylecarbs

.github/workflows/build.yml

@@ -22,7 +22,7 @@ jobs:
           - windows-latest
     runs-on: ${{ matrix.platform }}
     steps:
-      - uses: actions/checkout@v4.1.0
+      - uses: actions/checkout@v4.1.1
 
       - uses: actions/setup-java@v3
         with:
@@ -55,7 +55,7 @@ jobs:
     steps:
       # Check out current repository
       - name: Fetch Sources
-        uses: actions/checkout@v4.1.0
+        uses: actions/checkout@v4.1.1
 
       # Setup Java 11 environment for the next steps
       - name: Setup Java
@@ -110,7 +110,7 @@ jobs:
 
       # Run Qodana inspections
       - name: Qodana - Code Inspection
-        uses: JetBrains/qodana-action@v2023.2.6
+        uses: JetBrains/qodana-action@v2023.2.8
 
       # Prepare plugin archive content for creating artifact
       - name: Prepare Plugin Artifact
@@ -139,7 +139,7 @@ jobs:
 
       # Check out current repository
       - name: Fetch Sources
-        uses: actions/checkout@v4.1.0
+        uses: actions/checkout@v4.1.1
 
       # Remove old release drafts by using the curl request for the available releases with draft flag
       - name: Remove Old Release Drafts

.github/workflows/release.yml

@@ -15,7 +15,7 @@ jobs:
 
       # Check out current repository
       - name: Fetch Sources
-        uses: actions/checkout@v4.1.0
+        uses: actions/checkout@v4.1.1
         with:
           ref: ${{ github.event.release.tag_name }}
 

CHANGELOG.md

@@ -4,6 +4,14 @@
 
 ## Unreleased
 
+## 2.9.1 - 2023-11-06
+
+### Fixed
+
+- Set the `CODER_HEADER_COMMAND` environment variable when executing the CLI with the setting value.
+
+## 2.9.0 - 2023-10-27
+
 ### Added
 
 - Configuration options for mTLS.

build.gradle.kts

@@ -24,7 +24,7 @@ version = properties("pluginVersion")
 dependencies {
     implementation("com.squareup.retrofit2:retrofit:2.9.0")
     // define a BOM and its version
-    implementation(platform("com.squareup.okhttp3:okhttp-bom:4.11.0"))
+    implementation(platform("com.squareup.okhttp3:okhttp-bom:4.12.0"))
     implementation("com.squareup.retrofit2:converter-gson:2.9.0")
     implementation("com.squareup.okhttp3:okhttp")
     implementation("com.squareup.okhttp3:logging-interceptor")

gradle.properties

@@ -3,7 +3,7 @@
 pluginGroup=com.coder.gateway
 pluginName=coder-gateway
 # SemVer format -> https://semver.org
-pluginVersion=2.9.0-eap.0
+pluginVersion=2.9.1-eap.0
 # See https://plugins.jetbrains.com/docs/intellij/build-number-ranges.html
 # for insight into build numbers and IntelliJ Platform versions.
 pluginSinceBuild=233.6745

src/main/kotlin/com/coder/gateway/CoderGatewayConnectionProvider.kt

@@ -140,7 +140,7 @@ class CoderGatewayConnectionProvider : GatewayConnectionProvider {
         if (token == null) { // User aborted.
             throw IllegalArgumentException("Unable to connect to $deploymentURL, $TOKEN is missing")
         }
-        val client = CoderRestClient(deploymentURL, token.first,null, settings)
+        val client = CoderRestClient(deploymentURL, token.first, null, settings)
         return try {
             Pair(client, client.me().username)
         } catch (ex: AuthenticationResponseException) {

src/main/kotlin/com/coder/gateway/sdk/CoderCLIManager.kt

@@ -101,6 +101,12 @@ class CoderCLIManager @JvmOverloads constructor(
     fun downloadCLI(): Boolean {
         val etag = getBinaryETag()
         val conn = remoteBinaryURL.openConnection() as HttpURLConnection
+        if (settings.headerCommand.isNotBlank()) {
+            val headersFromHeaderCommand = CoderRestClient.getHeaders(deploymentURL, settings.headerCommand)
+            for ((key, value) in headersFromHeaderCommand) {
+                conn.setRequestProperty(key, value)
+            }
+        }
         if (etag != null) {
             logger.info("Found existing binary at $localBinaryPath; calculated hash as $etag")
             conn.setRequestProperty("If-None-Match", "\"$etag\"")
@@ -364,6 +370,7 @@ class CoderCLIManager @JvmOverloads constructor(
     private fun exec(vararg args: String): String {
         val stdout = ProcessExecutor()
             .command(localBinaryPath.toString(), *args)
+            .environment("CODER_HEADER_COMMAND", settings.headerCommand)
             .exitValues(0)
             .readOutput(true)
             .execute()

src/main/kotlin/com/coder/gateway/sdk/CoderRestClientService.kt

@@ -19,6 +19,7 @@ import com.google.gson.Gson
 import com.google.gson.GsonBuilder
 import com.intellij.ide.plugins.PluginManagerCore
 import com.intellij.openapi.components.Service
+import com.intellij.openapi.diagnostic.Logger
 import com.intellij.openapi.extensions.PluginId
 import com.intellij.openapi.util.SystemInfo
 import okhttp3.OkHttpClient
@@ -36,7 +37,6 @@ import java.net.URL
 import java.nio.file.Path
 import java.security.KeyFactory
 import java.security.KeyStore
-import java.security.PrivateKey
 import java.security.cert.CertificateException
 import java.security.cert.CertificateFactory
 import java.security.cert.X509Certificate
@@ -47,6 +47,7 @@ import java.util.Base64
 import java.util.Locale
 import java.util.UUID
 import javax.net.ssl.HostnameVerifier
+import javax.net.ssl.KeyManager
 import javax.net.ssl.KeyManagerFactory
 import javax.net.ssl.SNIHostName
 import javax.net.ssl.SSLContext
@@ -251,53 +252,56 @@ class CoderRestClient(
     }
 }
 
-fun coderSocketFactory(settings: CoderSettingsState) : SSLSocketFactory {
-    if (settings.tlsCertPath.isBlank() || settings.tlsKeyPath.isBlank()) {
-        return SSLSocketFactory.getDefault() as SSLSocketFactory
-    }
+fun SSLContextFromPEMs(certPath: String, keyPath: String, caPath: String) : SSLContext {
+    var km: Array<KeyManager>? = null
+    if (certPath.isNotBlank() && keyPath.isNotBlank()) {
+        val certificateFactory = CertificateFactory.getInstance("X.509")
+        val certInputStream = FileInputStream(expandPath(certPath))
+        val certChain = certificateFactory.generateCertificates(certInputStream)
+        certInputStream.close()
+
+        // ideally we would use something like PemReader from BouncyCastle, but
+        // BC is used by the IDE.  This makes using BC very impractical since
+        // type casting will mismatch due to the different class loaders.
+        val privateKeyPem = File(expandPath(keyPath)).readText()
+        val start: Int = privateKeyPem.indexOf("-----BEGIN PRIVATE KEY-----")
+        val end: Int = privateKeyPem.indexOf("-----END PRIVATE KEY-----", start)
+        val pemBytes: ByteArray = Base64.getDecoder().decode(
+            privateKeyPem.substring(start + "-----BEGIN PRIVATE KEY-----".length, end)
+                .replace("\\s+".toRegex(), "")
+        )
+
+        val privateKey = try {
+            val kf = KeyFactory.getInstance("RSA")
+            val keySpec = PKCS8EncodedKeySpec(pemBytes)
+            kf.generatePrivate(keySpec)
+        } catch (e: InvalidKeySpecException) {
+            val kf = KeyFactory.getInstance("EC")
+            val keySpec = PKCS8EncodedKeySpec(pemBytes)
+            kf.generatePrivate(keySpec)
+        }
 
-    val certificateFactory = CertificateFactory.getInstance("X.509")
-    val certInputStream = FileInputStream(expandPath(settings.tlsCertPath))
-    val certChain = certificateFactory.generateCertificates(certInputStream)
-    certInputStream.close()
-
-    // ideally we would use something like PemReader from BouncyCastle, but
-    // BC is used by the IDE.  This makes using BC very impractical since
-    // type casting will mismatch due to the different class loaders.
-    val privateKeyPem = File(expandPath(settings.tlsKeyPath)).readText()
-    val start: Int = privateKeyPem.indexOf("-----BEGIN PRIVATE KEY-----")
-    val end: Int = privateKeyPem.indexOf("-----END PRIVATE KEY-----", start)
-    val pemBytes: ByteArray = Base64.getDecoder().decode(
-        privateKeyPem.substring(start + "-----BEGIN PRIVATE KEY-----".length, end)
-            .replace("\\s+".toRegex(), "")
-    )
-
-    var privateKey : PrivateKey
-    try {
-        val kf = KeyFactory.getInstance("RSA")
-        val keySpec = PKCS8EncodedKeySpec(pemBytes)
-        privateKey = kf.generatePrivate(keySpec)
-    } catch (e: InvalidKeySpecException) {
-        val kf = KeyFactory.getInstance("EC")
-        val keySpec = PKCS8EncodedKeySpec(pemBytes)
-        privateKey = kf.generatePrivate(keySpec)
-    }
-
-    val keyStore = KeyStore.getInstance(KeyStore.getDefaultType())
-    keyStore.load(null)
-    certChain.withIndex().forEach {
-        keyStore.setCertificateEntry("cert${it.index}", it.value as X509Certificate)
-    }
-    keyStore.setKeyEntry("key", privateKey, null, certChain.toTypedArray())
+        val keyStore = KeyStore.getInstance(KeyStore.getDefaultType())
+        keyStore.load(null)
+        certChain.withIndex().forEach {
+            keyStore.setCertificateEntry("cert${it.index}", it.value as X509Certificate)
+        }
+        keyStore.setKeyEntry("key", privateKey, null, certChain.toTypedArray())
 
-    val keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
-    keyManagerFactory.init(keyStore, null)
+        val keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
+        keyManagerFactory.init(keyStore, null)
+        km = keyManagerFactory.keyManagers
+    }
 
     val sslContext = SSLContext.getInstance("TLS")
 
-    val trustManagers = coderTrustManagers(settings.tlsCAPath)
-    sslContext.init(keyManagerFactory.keyManagers, trustManagers, null)
+    val trustManagers = coderTrustManagers(caPath)
+    sslContext.init(km, trustManagers, null)
+    return sslContext
+}
 
+fun coderSocketFactory(settings: CoderSettingsState) : SSLSocketFactory {
+    val sslContext = SSLContextFromPEMs(settings.tlsCertPath, settings.tlsKeyPath, settings.tlsCAPath)
     if (settings.tlsAlternateHostname.isBlank()) {
         return sslContext.socketFactory
     }
@@ -393,12 +397,11 @@ class AlternateNameSSLSocketFactory(private val delegate: SSLSocketFactory, priv
 }
 
 class CoderHostnameVerifier(private val alternateName: String) : HostnameVerifier {
+    val logger = Logger.getInstance(CoderRestClientService::class.java.simpleName)
     override fun verify(host: String, session: SSLSession): Boolean {
         if (alternateName.isEmpty()) {
-            println("using default hostname verifier, alternateName is  empty")
             return OkHostnameVerifier.verify(host, session)
         }
-        println("Looking for alternate hostname: $alternateName")
         val certs = session.peerCertificates ?: return false
         for (cert in certs) {
             if (cert !is X509Certificate) {
@@ -411,13 +414,12 @@ class CoderHostnameVerifier(private val alternateName: String) : HostnameVerifie
                     continue
                 }
                 val hostname = entry[1] as String
-                println("Found cert hostname: $hostname")
+                logger.debug("Found cert hostname: $hostname")
                 if (hostname.lowercase(Locale.getDefault()) == alternateName) {
                     return true
                 }
             }
         }
-        println("No matching hostname found")
         return false
     }
 }

src/main/resources/messages/CoderGatewayBundle.properties

@@ -93,20 +93,20 @@ gateway.connector.settings.header-command.comment=An external command that \
   outputs additional HTTP headers added to all requests. The command must \
   output each header as `key=value` on its own line. The following \
   environment variables will be available to the process: CODER_URL.
-gateway.connector.settings.tls-cert-path.title=Cert Path:
+gateway.connector.settings.tls-cert-path.title=Cert path:
 gateway.connector.settings.tls-cert-path.comment=Optionally set this to \
   the path of a certificate to use for TLS connections. The certificate \
   should be in X.509 PEM format.
-gateway.connector.settings.tls-key-path.title=Key Path:
+gateway.connector.settings.tls-key-path.title=Key path:
 gateway.connector.settings.tls-key-path.comment=Optionally set this to \
   the path of the private key that corresponds to the above cert path to use \
   for TLS connections. The key should be in X.509 PEM format.
-gateway.connector.settings.tls-ca-path.title=CA Path:
+gateway.connector.settings.tls-ca-path.title=CA path:
 gateway.connector.settings.tls-ca-path.comment=Optionally set this to \
   the path of a file containing certificates for an alternate certificate \
   authority used to verify TLS certs returned by the Coder service. \
   The file should be in X.509 PEM format.
-gateway.connector.settings.tls-alt-name.title=Alt Hostname:
+gateway.connector.settings.tls-alt-name.title=Alt hostname:
 gateway.connector.settings.tls-alt-name.comment=Optionally set this to \
   an alternate hostname used for verifying TLS connections. This is useful \
   when the hostname used to connect to the Coder service does not match the \

src/test/fixtures/tls/chain-intermediate.crt

@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICvjCCAaagAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJVEVT
+VC1yb290MCAXDTIzMTAzMDAyMzY0M1oYDzIxMjMxMDA2MDIzNjQzWjAcMRowGAYD
+VQQDDBFURVNULWludGVybWVkaWF0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAMGD9oILmMRcplGkcNdSZMsBR7C2yoPtL9iRp3V2BKpiRZvQuXHSQsdc
+S0Tpk6vnIWQTLkCjVRawL9BoOzwK3FZQti9iXRMnHuzl0gQGZGiHJZ2P/efWaVvn
+cmH3Cu2oNCVePhgYAMOiipYGQPcjnQ2kUvMLldZ9+WC+EcaD+FA/kaccPX+kOxQg
+qQ0MnPQFfno0F8gylOac+ouKOsXya+jlctgK3dxC73/I+Cdq8xrOJ8lXOYxggleB
+ZRXNWWUhrzomn4rUP9wNBrQzFCGcqIS+QjlACjlyn0gPU//ZGVRZ8gZXoI8pDYuB
+lRyWpt970/ZPFuiyfiasAAAc8gJ3C7cCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zAN
+BgkqhkiG9w0BAQsFAAOCAQEAdHRiLqlYAyGNMPj6wzJt3XmwDbU5yEWor4q+GmA9
+fupirWXeSqKiqngDfvHlQNKgDlm10Kuk7LDVUcAP27Xnv/uFmHIUF+4g/eIjxvog
+RorUD2I9hi0Wyww7E8th/JfnuDX4YbIQrv1r5P4JaCoc0C2NBd1hO1Er2GdNEoXm
+UYoZg6/P5YQkWSLYtLPswb/Hf63DvzG94H6HnFBYlumt/5xYLrfD1Lx8099wZVdR
+qWXSi/tYi0HJGGUynZCvjdUu5En7eDoyWclGHz3stOUkBlz0efz01bxpiGsE/rRG
+Xr6qJt45N0Zktytk5TphoeDAeFB5ZHRRatZsg9CyZGoaIA==
+-----END CERTIFICATE-----