Custom Authentication Providers Support for Cody #6526

Open
wants to merge 1 commit into
base: main

pkukielka
Contributor

@pkukielka pkukielka commented Jan 5, 2025

Custom Authentication Provider Support for Cody

This PR introduces support for custom authentication providers in Cody, allowing users to integrate with custom authentication proxies and handle complex authentication scenarios.

Feature Overview

The custom authentication provider feature allows users to configure external executables that generate authentication headers for specific endpoints. This is particularly useful for enterprise setups using HTTP authentication proxies.

Configuration

Users can configure custom authentication providers in their VS Code settings.json using the following structure:

"cody.auth.externalProviders": [
    {
        "endpoint": "http://localhost:5555",
        "executable": {
            "commandLine": ["echo '{ \"Authorization\": \"Bearer SomeUser\" }'"],
            "shell": "/bin/bash",       // Optional: Shell to execute the command with. Default: '/bin/sh' on Unix, process.env.ComSpec on Windows.
            "environment": {},          // Optional: Additional environment variables
            "workingDir": "",           // Optional: Working directory for the executable
            "timeout": 5000,            // Optional: Timeout in milliseconds
            "windowsHide": true         // Optional: Hide the window on Windows
        }
    }
]

Users can define as many external providers as needed.

TBD: If only one provider is needed and login using this provider should be forced, it will be possible to accomplish this using overrideServerEndpoint.

Configuration Options

  • endpoint: The URL of the proxy server that will handle the authentication
  • executable: Configuration for the command that generates authentication headers
    • commandLine: Array of command and arguments to execute
    • shell: (Optional) Specific shell to use for command execution
    • environment: (Optional) Additional environment variables for the command
    • workingDir: (Optional) Working directory for command execution
    • timeout: (Optional) Command execution timeout
    • windowsHide: (Optional) Hide window when executing on Windows

How It Works

  1. When Cody attempts to connect to a configured endpoint, it executes the specified command
  2. The command must output a JSON object containing header key-value pairs on stdout
  3. These headers are attached to subsequent requests to the endpoint
  4. The proxy server processes these headers and converts them to appropriate X-Forwarded-User and/or X-Forwarded-Email headers
  5. The Sourcegraph instance authenticates the user based on these forwarded headers

Testing Locally

  1. Start the provided reverse proxy:
    python agent/scripts/reverse-proxy.py https://your-sourcegraph-instance.com 5555

  2. Add the proxy configuration to your settings:

"cody.auth.externalProviders": [
    {
        "endpoint": "http://localhost:5555",
        "executable": {
            "commandLine": ["echo '{ \"Authorization\": \"Bearer TestUser\" }'"],
            "shell": "/bin/bash"
        }
    }
]
  3. Configure Cody to use http://localhost:5555 as the endpoint
  4. Verify that you're authenticated as TestUser.

Server Configuration

The Sourcegraph instance and proxy must be configured to accept HTTP authentication proxy headers as described in the Sourcegraph documentation.

Security Considerations

  1. Ensure that the proxy server properly validates and sanitizes authentication headers
  2. The executable should be secured and have appropriate permissions
  3. Consider using HTTPS for the proxy endpoint in production environments

Missing features

  1. Fastpath uses custom tokens for authentication; we need to check if and how we can support it with custom auth providers.
  2. CLI is currently not supported, but it should be trivial to add support for it.

Test plan

  1. Set up the local testing environment as described in the Testing Locally section.
  2. Run a full QA.

Changelog

@pkukielka pkukielka force-pushed the pkukielka/external-auth-provider-impl branch from 068277d to 5bf3cd4 Compare January 5, 2025 16:56
@pkukielka pkukielka changed the title Initial implementation Custom Authentication Providers Support for Cody Jan 6, 2025
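
The "How It Works" steps in the description above say the command prints a JSON object of headers that is then attached to requests for the configured endpoint. The sketch below shows the validation a client could apply at that boundary. It is an added example, not code from this PR; `HeaderMap`, `parseProviderOutput` and `headersFor` are hypothetical names, and matching on the exact URL origin is an assumption.

```typescript
// Added example: hypothetical helpers, not Cody's implementation.
type HeaderMap = Record<string, string>

// RFC 9110 "token" characters allowed in a header field name.
const FIELD_NAME = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/
// CR, LF or NUL in a value would let provider output split or smuggle headers.
const BAD_VALUE = /[\r\n\0]/

// Parse the provider's stdout: exactly one flat JSON object of string -> string.
// Error messages never echo values, since those are credentials.
function parseProviderOutput(stdout: string): HeaderMap {
    let parsed: unknown
    try {
        parsed = JSON.parse(stdout)
    } catch {
        throw new Error('provider output is not valid JSON')
    }
    if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
        throw new Error('provider output must be a JSON object')
    }
    const obj = parsed as Record<string, unknown>
    const headers: HeaderMap = {}
    for (const key of Object.keys(obj)) {
        const value = obj[key]
        if (!FIELD_NAME.test(key)) {
            throw new Error('provider returned an invalid header name')
        }
        if (typeof value !== 'string' || BAD_VALUE.test(value)) {
            throw new Error('provider returned an invalid value for header ' + key)
        }
        headers[key] = value
    }
    return headers
}

// Attach the headers only when the request goes to the configured endpoint's
// exact origin (scheme + host + port). A prefix or substring comparison would
// also match look-alike hosts and send the credentials to them.
function headersFor(requestUrl: string, endpoint: string, headers: HeaderMap): HeaderMap {
    const sameOrigin = new URL(requestUrl).origin === new URL(endpoint).origin
    return sameOrigin ? headers : {}
}
```
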