Allow to force usage of pre-defined endpoint #6574
Merged: pkukielka merged 1 commit into main from pkukielka/make-overrideServerEndpoint-configurable on Jan 10, 2025
Conversation
pkukielka force-pushed the pkukielka/make-overrideServerEndpoint-configurable branch from 828ed55 to 159ab90 on January 9, 2025 14:45
pkukielka force-pushed the pkukielka/make-overrideServerEndpoint-configurable branch from 159ab90 to cb8addf on January 9, 2025 14:45
pkukielka commented on Jan 9, 2025:
@@ -155,7 +155,7 @@ export const TabsBar = memo<TabsBarProps>(props => { | |||
authStatus={user.user as AuthenticatedAuthStatus} | |||
isProUser={isCodyProUser} | |||
endpointHistory={endpointHistory} | |||
setView={setView} |
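Review bot: the hunk at `@@ -155,7 +155,7 @@` changes only the `setView={setView}` line inside `TabsBar`, which the author's comment marks as unused; if the prop is removed from this child element, check that `setView` is also dropped from the child's props type (otherwise a required prop goes missing) and that the `setView` binding in `TabsBar`'s scope is still referenced elsewhere or removed as well, so no dead parameter is left behind.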
Not used anymore.
umpox approved these changes on Jan 9, 2025
pkukielka deleted the pkukielka/make-overrideServerEndpoint-configurable branch on January 10, 2025 11:31
pkukielka added a commit that referenced this pull request on Jan 14, 2025:
Fixes https://linear.app/sourcegraph/issue/CODY-4642

## External Authentication Provider Support for Cody

This PR introduces support for external authentication providers in Cody, allowing users to integrate with custom authentication proxies and handle complex authentication scenarios.

### Feature Overview

This feature requires clients to have a reverse proxy and a custom Sourcegraph instance [configured to use HTTP authentication](https://sourcegraph.com/docs/admin/auth#http-authentication-proxies).

The external authentication provider feature allows clients to generate custom auth headers for a specified endpoint. Those headers will be attached to every authenticated HTTP request instead of the normal `"Authorization": "token sgp_SOME_TOKEN"` auth header.

To generate those custom headers, clients need to specify a command that generates authentication headers for specific endpoints. The command must output a JSON object containing header key-value pairs on stdout. Those endpoint URLs need to point to [proxies configured by the client](https://sourcegraph.com/docs/admin/auth#http-authentication-proxies) which redirect requests to the custom Sourcegraph instance.

The whole flow looks like this:

1. When Cody attempts to connect to an endpoint which has a defined external provider, it executes the specified command
2. The command outputs a JSON object containing header key-value pairs on stdout
3. These headers are attached to subsequent authorised requests to the endpoint
4. The proxy server processes these headers and converts them to appropriate `X-Forwarded-User` and/or `X-Forwarded-Email` headers as specified in the [documentation](https://sourcegraph.com/docs/admin/auth#http-authentication-proxies)
5. The Sourcegraph instance authenticates the user based on these forwarded headers

### Configuration

Users can configure custom authentication providers in their VS Code settings.json using the following structure:

```jsonc
"cody.auth.externalProviders": [
  {
    "endpoint": "http://localhost:5555",
    "executable": {
      "commandLine": ["echo '{ \"headers\": { \"Authorization\": \"Bearer SomeUser\" } }'"],
      "shell": "/bin/bash", // Optional: Shell to execute the command with. Default: '/bin/sh' on Unix, process.env.ComSpec on Windows.
      "environment": { // Optional: Additional environment variables
        "SOME_ENV": "VALUE"
      },
      "timeout": 5000, // Optional: Timeout in milliseconds
      "windowsHide": true // Optional: Hide the window on Windows
    }
  }
]
```

It can also be configured in IntelliJ using the settings editor:

![image](https://github.com/user-attachments/assets/5440b226-534f-471c-a78e-3c6f6d9c76c0)

Users can define as many external providers as needed. If only one provider is needed and login using this provider should be forced, it [will be possible to accomplish](#6574) using `overrideServerEndpoint`.

### Configuration Options

* endpoint: The URL of the proxy server that will handle the authentication
* executable: Configuration for the command that generates authentication headers
  - commandLine: Array of command and arguments to execute
  - shell: (Optional) Specific shell to use for command execution
  - environment: (Optional) Additional environment variables for the command
  - workingDir: (Optional) Working directory for command execution
  - timeout: (Optional) Command execution timeout
  - windowsHide: (Optional) Hide window when executing on Windows

### Expected Output

The script or executable specified in the configuration has to return a valid JSON object which adheres to the schema:

```json
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "type": "object",
  "required": ["headers"],
  "properties": {
    "headers": {
      "type": "object",
      "additionalProperties": { "type": "string" }
    },
    "expiration": { "type": "number" }
  }
}
```

Where:

* `headers` *(Required)* [Map with string keys and values] - headers which will be attached to authenticated requests to the HTTP proxy
* `expiration` *(Optional)* [a number] - Epoch Unix Timestamp (UTC) of the headers' expiration date; after the expiration date the headers will be re-generated automatically using the configured command

### Testing Locally

1. Start the provided reverse proxy: `python agent/scripts/reverse-proxy.py https://your-sourcegraph-instance.com 5555`
   You can choose a different port or start a few different proxies for different endpoints.
2. Add the proxy configuration to your settings (the command output must carry the `headers` wrapper required by the schema above):
   ```json
   "cody.auth.externalProviders": [
     {
       "endpoint": "http://localhost:5555",
       "executable": {
         "commandLine": ["echo '{ \"headers\": { \"Authorization\": \"Bearer TestUser\" } }'"],
         "shell": "/bin/bash"
       }
     }
   ]
   ```
3. In Cody, sign in to the `http://localhost:5555` endpoint
4. Verify that you're authenticated as TestUser.

### Security Considerations

1. Ensure that the proxy server properly validates and sanitizes authentication headers
2. The executable should be secured and have appropriate permissions
3. Consider using HTTPS for the proxy endpoint in production environments

### Missing features

1. Fastpath uses custom tokens for authentication; we need to check if and how we can support it with custom auth providers.
2. CLI is currently not supported, but should be trivial to add support for it.

## Test plan

1. Set up the local testing environment as described in the `Testing Locally` section.
2. Run a full QA.

## Changelog
Fixes https://linear.app/sourcegraph/issue/CODY-4644/

Can be used by enterprise clients which want to prevent users from logging into wrong endpoints.

## Changes

When `cody.override.serverEndpoint` is defined in the config, it does not allow logging in using another endpoint, and automatically shows only the enterprise login screen.

## Test plan

- `"cody.override.serverEndpoint": "https://sg02.sourcegraphcloud.com/"`
- `Sign In` button
- `Switch Account` option present (as on screenshot 2).

## Changelog