Cherry-picks #15898 and #15927 to backport the fix to #15616#15927 is the fix, but it depends on #15898 because of some earlier work
in the tailscale fork to move everything to `coder/websocket`
When Coder is ran in High Availability mode, each Coder instance has a
lifecycle executor. These lifecycle executors are all trying to do the
same work, and whilst transactions saves us from this causing an issue,
we are still doing extra work that could be prevented.
This PR adds a `TryAcquireLock` call for each attempted workspace
transition, meaning two Coder instances shouldn't duplicate effort.
(cherry picked from commit 50ff06cc3c)
Co-authored-by: Danielle Maywood <danielle@themaywoods.com>
Aims to resolve#15605
There's currently one option valid for the `@Security` tag in
swaggerparser - which fails in the CI if we try to put any other value.
At least one of our endpoints does not accept `CoderSessionToken` as an
option for the authentication and so we need to add new possibilities in
order to keep the documentation up-to-date.
In this PR , I added `ProvisionerKey` which is the way our provisioner
daemon can authenticate to the backend - also modified a bit the code to
simplify other options later.
This one aims to resolve#15604
Created some table tests for the main cases -
also preferred to create two isolated cases for the most complicated
cases in order to keep table tests simple enough.
Give us full coverage on the middleware logic, for both optional and non
optional cases - PSK and ProvisionerKey.
Fixes https://github.com/coder/coder/issues/15437
- Adds support for `coder.serviceAccount.disableCreate` (originally
added to `helm/coder` in https://github.com/coder/coder/pull/14817).
- Adds documentation and examples in `helm/provisioner/README.md` on
deploying multiple provisioners in the same namespace leveraging
`nameOverride`.
If the local IP address is not explicitly set, previously we assumed 127.0.0.1 (that is, IPv4 only localhost). This PR adds support to opportunistically _also_ listen on IPv6 ::1.
Relates to https://github.com/coder/coder/issues/15087 and
https://github.com/coder/coder/issues/15427
- Extracts provisioner job tags from `coder_workspace_tags` on template
version creation using `provisioner/terraform/tfparse` added in
https://github.com/coder/coder/pull/15236
- Drops a WARN log in coderd if no matching provisioners found.
- Also drops a warning message in the CLI if no provisioners are found.
- To support both CLI and UI warnings, added a
`codersdk.MatchedProvisioners` struct to the `TemplateVersion` response
containing details of how many provisioners were around at the time of
the insert.
Co-authored-by: Mathias Fredriksson <mafredri@gmail.com>
Resolve#15126
This PR aims to fetch the provisioned key details when starting a
provisioned daemon - for now in order to access the tags associated to
the provisioned key and display them accordingly in the starting logs.
We do not want to change any other logic inside this PR as it was
already working as expected.
fixes a flake seen on main: https://github.com/coder/coder/actions/runs/11967210463/job/33364072261
the TCP echo server had a waitgroup to ensure that all accepted connections get torn down, but no explicit teardown of the connection. We depended on the tailnet agent closing its side of the connection, which depends on closing the tunneled connection. The tunneled `FIN` could race with tearing down the tunnel itself.
So, this PR adds explicit `t.Cleanup` to close the echo connection. It also removes the waitgroup. The purpose of the waitgroup was to ensure that all goroutines created by the echo listener get shut down, but we have `goleak` for that, which fails much faster than the 20 minutes this test run took.
fixes https://github.com/coder/internal/issues/221
Fixes an issue where two goroutines were sharing the `err` variable, leading to a data race where we'd fail to process the error and then nil-pointer panic.
I ended up refactoring reconnecting PTY stuff into the `reconnectingpty` package, instead of having it on the agent. That `createTailnet` routine had waaay too many deeply nested goroutines, which is I'm sure a big contributor to the bug appearing in the first place.
Allows adding custom static CSP directives to Coder. Niche use case but
makes this easier then creating a reverse proxy that has to replace the
header. We want to preserve our directives, so having an append option
is preferred to a "replace" option via a reverse proxy.
Closes https://github.com/coder/coder/issues/15118
Once a token refresh fails, we remove the `oauth_refresh_token` from the
database. This will prevent the token from hitting the IDP for
subsequent refresh attempts.
Without this change, a bad script can cause a failing token to hit a
remote IDP repeatedly with each `git` operation. With this change, after
the first hit, subsequent hits will fail locally, and never contact the
IDP.
The solution in both cases is to authenticate the external auth link. So
the resolution is the same as before.
This PR is the first step aiming to resolve#15126 -
Creating a new endpoint to return the details associated to a
provisioner key.
This is an authenticated endpoints aiming to be used by the provisioner
daemons - using the provisioner key as authentication method.
This endpoint is not ment to be used with PSK or User Sessions.
Updates `develop.sh` to automatically determine the name of the 'first
org' when pushing the initial template.
Also runs `terraform init` before running `coder templates push` (pet
peeve).
closes: https://github.com/coder/internal/issues/220
Updates docs that talk about what db fields we encrypt. We've recently added `crypto_keys.secret` to the list, but didn't add it to the docs.
Closes#15584.
- The `Collecting Diagnostics` spinner now starts after the workspace
build logs (if any) have finished streaming.
- Removes network interfaces with negative MTUs from `healthsdk`
diagnostics.
- Improves the wording on diagnostics for MTUs below the 'safe' value to
indicate that direct connections may be degraded, or rendered unusable
(i.e. if every packet is dropped).
Resolves https://github.com/coder/coder/issues/15513
Disables notifications when both `$CODER_NOTIFICATIONS_WEBHOOK_ENDPOINT` and `$CODER_EMAIL_SMARTHOST` are unset.
Breaking change: `$CODER_EMAIL_SMARTHOST` is no longer set by default as `localhost:587`, meaning any deployments that make use of this default value will need to add it back.
---------
Co-authored-by: Danny Kopping <danny@coder.com>
Co-authored-by: Mathias Fredriksson <mafredri@gmail.com>
fixes: https://github.com/coder/internal/issues/217
> There are a couple problems:
>
> One is that we assert the RPCs succeed, but if the pipeDialer context is canceled at the end of the test, then these assertions happen after the test is officially complete, which panics and affects other tests.
This converts these to just return the error rather than assert.
> The other is that the retrier is slightly bugged: if the current retry delay is 0 AND the ctx is done, (e.g. after successfully connecting and then gracefully disconnecting), then retrier.Wait(c.ctx) is racy and could return either true or false.
Fixes the phantom redial by explicitly checking the context before dialing. Also, in the test, we assert that the controller is closed before completing the test.
Adds an api endpoint to grab all available sync field options for IDP
sync. This is for autocomplete on idp sync forms. This is required for
organization admins to have some insight into the claim fields available
when configuring group/role sync.
- We were instantiating a cryptokey cache with a vanilla reference to
the database instead of one wrapped by dbcrypt.
- Fixes an issue where failing to instantiate unrelated keycaches does
not fatally error out.
Fixes a test flake on TestTailnet_ForcesWebsockets like:
```
t.go:106: 2024-11-18 07:44:25.939 [debu] w2: dial tcp addr_port="[fd7a:115c:a1e0:46cc:bd8e:400d:1bc6:f6ac]:35565"
t.go:106: 2024-11-18 07:44:25.943 [debu] w1.net.netstack: netstack: could not connect to local server at 127.0.0.1:35565 (or [::1]:35565)%!(EXTRA *net.OpError=dial tcp [::1]:35565: connect: connection refused)
conn_test.go:146:
Error Trace: /Users/spike/repos/coder/tailnet/conn_test.go:146
Error: Received unexpected error:
connect tcp [fd7a:115c:a1e0:46cc:bd8e:400d:1bc6:f6ac]:35565: connection was refused
Test: TestTailnet/ForcesWebSockets
t.go:106: 2024-11-18 07:44:25.945 [info] w1: closing tailnet Conn
t.go:106: 2024-11-18 07:44:25.945 [debu] w1: closing configMaps configLoop
t.go:106: 2024-11-18 07:44:25.945 [debu] w1: closing nodeUpdater updateLoop
t.go:106: 2024-11-18 07:44:25.945 [debu] w1: closed netstack
conn_test.go:135:
Error Trace: /Users/spike/repos/coder/tailnet/conn_test.go:135
/Users/spike/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.22.8.darwin-arm64/src/runtime/asm_arm64.s:1222
Error: Received unexpected error:
connection closed:
github.com/coder/coder/v2/tailnet.init
<autogenerated>:1
Test: TestTailnet/ForcesWebSockets
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x0 pc=0x1039771dc]
goroutine 2224 [running]:
github.com/coder/coder/v2/tailnet_test.TestTailnet.func3.2()
/Users/spike/repos/coder/tailnet/conn_test.go:136 +0x7c
created by github.com/coder/coder/v2/tailnet_test.TestTailnet.func3 in goroutine 109
/Users/spike/repos/coder/tailnet/conn_test.go:133 +0x7dc
```
Test didn't synchronize listening on the port before dialing it.
It also has a nil pointer deference when the test fails, which causes a bunch of unrelated output. Also fixed.
`coder vpn-daemon run` will instantiate a RPC connection with the
specified pipe handles and communicate with the (yet to be implemented)
parent process.
The tests don't ensure that the tunnel is actually usable yet as the
tunnel functionality isn't implemented, but it does make sure that the
tunnel tries to read from the RPC pipe.
Closes#14735
Related: https://github.com/coder/internal/issues/212
This PR modifies the logic responsible for creating a server in E2E
tests to check if the port is free. Alternatively, we could refactor the
framework to dynamically create server instances, but this solution
might be a cheaper quick win.
Note:
I'll leave it as is now, it might be worth asking somebody with a
frontend skillset to double-check this contribution.
---------
Signed-off-by: Danny Kopping <danny@coder.com>
Co-authored-by: Danny Kopping <danny@coder.com>
Refactors our use of `slogtest` to instantiate a "standard logger" across most of our tests. This standard logger incorporates https://github.com/coder/slog/pull/217 to also ignore database query canceled errors by default, which are a source of low-severity flakes.
Any test that has set non-default `slogtest.Options` is left alone. In particular, `coderdtest` defaults to ignoring all errors. We might consider revisiting that decision now that we have better tools to target the really common flaky Error logs on shutdown.
closes#14730
Adds support for WorkspaceUpdates to the WebsocketDialer. This allows us to dial the new endpoint added in #14847 and connect it up to a `tailnet.Controllers` to connect to all agents over the tailnet.
I refactored the fakeWorkspaceUpdatesProvider to a mock and moved it to `tailnettest` so it could be more easily reused. The Mock is a little more full-featured.
re: #14730
Adds support in `tailnet.Controller` for WorkspaceUpdates.
Also checks configured controllers against the clients returned by the dialer, so that if we connect with a dialer that doesn't support an RPC (for instance the in-memory dialer for ServerTailnet doesn't support WorkspaceUpdates), we throw an error if there is a controller expecting it.
Addresses https://github.com/coder/nexus/issues/35.
This PR:
- Adds a `workspace_modules` table to track modules used by the
Terraform provisioner in provisioner jobs.
- Adds a `module_path` column to the `workspace_resources` table,
allowing to identify which module a resource originates from.
- Starts pushing this new information into telemetry.
For the person reviewing this PR, do not fret about the 1,500 new lines
- ~1,000 of them are auto-generated.
Fixes https://github.com/coder/internal/issues/214#15475 missed that we also write to `rpty` after starting
`rpty.lifecycle()`.
This PR moves the function call right at the end. Hopefully this should
address the data races before we go resorting to mutexes.
Bumps the Tailnet and Agent API version 2.3, and creates some extra controls and machinery around these versions.
What happened is that we accidentally shipped two new API features without bumping the version. `ScriptCompleted` on the Agent API in Coder v2.16 and `RefreshResumeToken` on the Tailnet API in Coder v2.15.
Since we can't easily retroactively bump the versions, we'll roll these changes into API version 2.3 along with the new WorkspaceUpdates RPC, which hasn't been released yet. That means there is some ambiguity in Coder v2.15-v2.17 about exactly what methods are supported on the Tailnet and Agent APIs. This isn't great, but hasn't caused us major issues because
1. RefreshResumeToken is considered optional, and clients just log and move on if the RPC isn't supported.
2. Agents basically never get started talking to a Coderd that is older than they are, since the agent binary is normally downloaded from Coderd at workspace start.
Still it's good to get things squared away in terms of versions for SDK users and possible edge cases around client and server versions.
To mitigate against this thing happening again, this PR also:
1. adds a CODEOWNERS for the API proto packages, so I'll review changes
2. defines interface types for different API versions, and has the agent explicitly use a specific version. That way, if you add a new method, and try to use it in the agent without thinking explicitly about versions, it won't compile.
With the protocol controllers stuff, we've sort of already abstracted the Tailnet API such that the interface type strategy won't work, but I'll work on getting the Controller to be version aware, such that it can check the API version it's getting against the controllers it has -- in a later PR.
re: #14730
Adds support for the workspace updates protocol controller to also program DNS names for each agent.
Right now, we only program names like `myagent.myworkspace.me.coder` and `myworkspace.coder.` (if there is exactly one agent in the workspace). We also want to support `myagent.myworkspace.username.coder.`, but for that we need to update WorkspaceUpdates RPC to also send the workspace owner's username, which will be in a separate PR.
Move claims from a `debug` column to an actual typed column to be used.
This does not functionally change anything, it just adds some Go typing to build
on.
The hardcoded image is an anti-pattern, leading to weird errors if the
`docker` group is absent. We should either provide a better error
in-product or just have a better image.
@matifali - also down to use a Devcontainers universal image instead or
make this a parameter. Let me know what you think the best "default
install" is
re: #14730
Adds a protocol controller for WorkspaceUpdates RPC that takes all the agents we learn about over the RPC, and programs them into the Coordination controller, so that we set up tunnels to all the agents.
Handling DNS is in a PR up the stack, as is actually wiring it up to anything.
- Adds documentation for how to correctly hold --parameter with list(string)
- Adds tests for the aforementioned documented correct finger positions for --parameter list(string)
Adds a `--things` flag to our `multi-select` example prompt command.
```
go run ./cmd/coder exp prompt-example multi-select --things=Code,Bike,Potato=mashed
"Code, Bike, Potato=mashed" are nice choices.
```
Relates to https://github.com/coder/coder/issues/15082
The old implementation of `GetWorkspacesEligibleForTransition` returns
many workspaces that are not actually eligible for transition. This new
implementation reduces this number significantly (at least on our
dogfood instance).
Related to #15309
As we already are doing for agent logs - this PR is enabling the logs
rotation for coderd logs.
Currently keeping the same logic than we had for agent - with 5MB as the
file size for rotation.
- Assert rbac in fake notifications enqueuer
- Move fake notifications enqueuer to separate notificationstest package
- Update dbauthz rbac policy to allow provisionerd and autostart to create and read notification messages
- Update tests as required
Fixes test flakes _a la_
```
t.go:108: 2024-11-05 09:52:37.996 [erro] workspacestats: failed to load template schedule bumping activity, defaulting to bumping by 60min request_id=f14215d2-73dc-47ba-aa81-422c62f257e4 workspace_id=545d73c7-3a62-4466-8c08-b6abb12867b7 template_id=49747428-3abb-40e4-a6b2-03653e9f2506 ...
error= fetch object:
github.com/coder/coder/v2/coderd/database/dbauthz.(*querier).GetTemplateByID.fetch[...].func1
/home/runner/work/coder/coder/coderd/database/dbauthz/dbauthz.go:497
- pq: canceling statement due to user request
*** slogtest: log detected at level ERROR; TEST FAILURE ***
```
seen here on main: https://github.com/coder/coder/actions/runs/11681605747/job/32527006174
Whilst the `networking-troubleshooting` docs page already mentions that
a direct connection can be established over a private network, even if
there are no STUN servers, it's worth this is the case at the end of the
ping output.
This also removes a print statement that was dirtying up the diagnostic
output, and corrects the name of the `--disable-direct-connections`
flag.
Closes https://github.com/coder/coder/issues/12612
The problem in the linked issue was caused due to a mismatch of when the
Web UI tooltip shows up (2 hours before an autostop requirement) and the
leeway in the `autostop_requirement` algorithm (workspace builds must be
1 hour before an autostop requirement to skip them).
Now, restarting your workspace whilst the tooltip is showing will skip
the upcoming autostop requirement.
This also could have been fixed by only showing the tooltip one hour
before the autostop requirement, but it looks like 1 hour was chosen
arbitrarily, and it doesn't hurt to give users more time to skip the
autostop.
Fixes https://github.com/coder/coder/issues/12687
There was a race condition where we would start the rpty lifecycle
before generating the ID, leading to a data race where we would try to
concurrently read and write the struct field.
I noticed a few inaccuracies in this doc, or aspects which could've been
explained a little more. In other cases, I've added some specificity in
service of clarity.
---------
Signed-off-by: Danny Kopping <danny@coder.com>
Co-authored-by: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com>
Closes#14729
Expands the Coordination controller used by the CLI client to allow multiple tunnel destinations (agents). Our current client uses just one, but this unifies the logic so that when we add Coder VPN, 1 is just a special case of "many."
chore of #14729
Refactors the `ServerTailnet` to use `tailnet.Controller` so that we reuse logic around reconnection and handling control messages, instead of reimplementing. This unifies our "client" use of the tailscale API across CLI, coderd, and wsproxy.
Fixes a bug where a file produced by `generateVersionFiles` (as used
when uploading a web UI edited template) produced a file where the
`type` field was unset.
This meant the change in #15410 used the unset type value as the content
header when uploading, causing it to always fail.
This adds index.css to the storybook preview file and references to
#storybook-root element in the tailwind config
---------
Co-authored-by: Spike Curtis <spike@coder.com>
Co-authored-by: BrunoQuaresma <bruno_nonato_quaresma@hotmail.com>
This PR:
- Updates the table in `docs/admin/provisioners.md` to include highlight
multi-org changes
- Updates the instructions for the provisionerd helm chart when using
provisioner keys
---------
Co-authored-by: Ben Potter <ben@coder.com>
refactors `tailnetAPIConnector` to use the `Dialer` interface in `tailnet`, introduced lower in this stack of PRs. This will let us use the same Tailnet API handling code across different things that connect to the Tailnet API (CLI client, coderd, workspace proxies, and soon: Coder VPN).
chore re: #14729
Run logs are currently dropped on the floor when workspacetraffic tests fail.
e.g. https://github.com/coder/coder/runs/32640144785
This prints the logs when we get a failure, like
```
run_test.go:341:
Error Trace: /Users/spike/repos/coder/scaletest/workspacetraffic/run_test.go:341
/Users/spike/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.22.8.darwin-arm64/src/runtime/asm_arm64.s:1222
Error: Received unexpected error:
badness:
github.com/coder/coder/v2/scaletest/workspacetraffic.(*Runner).Run
/Users/spike/repos/coder/scaletest/workspacetraffic/run.go:174
Test: TestRun/App
Messages: RUN LOGS:
2024-11-07 13:04:30.274 [debu] config agent_id=00000000-0000-0000-0000-000000000000 reconnecting_pty_id=95bb480f-cd26-4633-8332-328d44ffa997 height=25 width=80 tick_interval=1s bytes_per_tick=1024
2024-11-07 13:04:30.274 [debu] connect to workspace agent agent_id=00000000-0000-0000-0000-000000000000
2024-11-07 13:04:30.274 [info] sending traffic to workspace app agent_id=00000000-0000-0000-0000-000000000000 app=echo
2024-11-07 13:04:30.276 [debu] reading from agent agent_id=00000000-0000-0000-0000-000000000000
2024-11-07 13:04:30.276 [debu] writing to agent agent_id=00000000-0000-0000-0000-000000000000
2024-11-07 13:04:31.526 [debu] done reading from agent agent_id=00000000-0000-0000-0000-000000000000
2024-11-07 13:04:32.276 [debu] done writing to agent agent_id=00000000-0000-0000-0000-000000000000
END RUN LOGS
```
So, hopefully we can diagnose flakes.
Fixes a race in TestUpdateValidateRichParameters where the parameter is sent prior to the prompt.
Causes errors like: https://github.com/coder/coder/actions/runs/11681622439/job/32527173007
```
ptytest.go:132: 2024-11-05 10:02:18.819: cmd: "bool_parameter"
ptytest.go:167: 2024-11-05 10:02:18.819: cmd: matched "bool_parameter" = "bool_parameter"
update_test.go:440: 2024-11-05 10:02:18.819: cmd: stdin: "cat\r\n"
ptytest.go:132: 2024-11-05 10:02:18.819: cmd: "> Enter a value (default: \"\"): can't validate build parameter \"bool_parameter\": boolean value can be either \"true\" or \"false\""
ptytest.go:167: 2024-11-05 10:02:18.819: cmd: matched "boolean value can be either" = "\n> Enter a value (default: \"\"): can't validate build parameter \"bool_parameter\": boolean value can be either"
update_test.go:440: 2024-11-05 10:02:18.819: cmd: stdin: "\r\n"
ptytest.go:167: 2024-11-05 10:02:18.819: cmd: matched "Enter a value" = " \"true\" or \"false\"\n> Enter a value"
update_test.go:440: 2024-11-05 10:02:18.819: cmd: stdin: "false\r\n"
ptytest.go:132: 2024-11-05 10:02:18.821: cmd: "> Enter a value (default: \"\"): can't validate build parameter \"bool_parameter\": boolean value can be either \"true\" or \"false\""
```
Relates to https://github.com/coder/coder/pull/15416
This PR modifies the provisioner helm chart logic:
- Previously, when both provisionerDaemon.keySecretName and provisionerDaemon.pskSecretName
were both set, we would fail to install the chart. This required users to have an obnoxious workaround
in place where setting provisionerDaemon.pskSecretName="" was required in order to use provisioner
keys. We now check for pskSecretName being set to the default value when keySecretName is also specified,
and switch to provisioner key authentication instead of PSK. The previous workaround is still supported.
- We also had omitted to check for provisionerd.Tags being set along with provisionerDaemon.keySecretName.
This would result in a crashlooping provisioner deployment, as setting both of these configuration options is
not allowed. We now fast-fail the Helm deployment if we detect this scenario.
The current description of "Configure your notification preferences.
Icons on the right of each notification indicate delivery method, either
SMTP or Webhook." doesn't really say what this page is for.
I've adjusted the wording, and also changed the tooltip of the delivery
method icon to be more clear.
Signed-off-by: Danny Kopping <danny@coder.com>
Refers to #14984
Currently, password validation is done backend side and is not explicit
enough so it can be painful to create first users.
We'd like to make this validation easier - but also duplicate it
frontend side to make it smoother.
Flows involved :
- First user set password
- New user set password
- Change password
---------
Co-authored-by: BrunoQuaresma <bruno_nonato_quaresma@hotmail.com>
Closes#15292.
Currently, if the frontend never sees a build job enter 'running', it'll
never end up watching the logs. If we start watching the logs earlier
we're able to catch cases where the job goes `pending` -> `failed`, such
as when the build fails immediately.
Filter is applied in original workspace query. We do not need to join
`workspaces` twice. Use build_number instead of `created_at`
for determining the last build.
Refactors the way clients of the Tailnet API (clients of the API, which include both workspace "agents" and "clients") interact with the API. Introduces the idea of abstract "controllers" for each of the RPCs in the API, and implements a Coordination controller by refactoring from `workspacesdk`.
chore re: #14729
Anyone with authz access to a workspace should be able to read timings
information of its builds.
To do this without `AsSystemContext` would do an extra 4 db calls.
This PR is the first in a series aimed at closing
[#15109](https://github.com/coder/coder/issues/15109).
### Changes
- **Template Database Creation:**
`dbtestutil.Open` now has the ability to create a template database if
none is provided via `DB_FROM`. The template database’s name is derived
from a hash of the migration files, ensuring that it can be reused
across tests and is automatically updated whenever migrations change.
- **Optimized Database Handling:**
Previously, `dbtestutil.Open` would spin up a new container for each
test when `DB_FROM` was unset. Now, it first checks for an active
PostgreSQL instance on `localhost:5432`. If none is found, it creates a
single container that remains available for subsequent tests,
eliminating repeated container startups.
These changes address the long individual test times (10+ seconds)
reported by some users, likely due to the time Docker took to start and
complete migrations.
The failure condition being fixed is `w1` and `w2` could belong
to different users, organizations, and templates and still cause a
serializable failure if run concurrently. This is because the old query
did a `seq scan` on the `workspace_builds` table. Since that is the
table being updated, we really want to prevent that.
So before this would fail for any 2 workspaces. Now it only fails if
`w1` and `w2` are owned by the same user and organization.
Fixes#15312
When we need to `Unlisten()` for an event, instead of immediately removing the event from the `p.queues`, we store a channel to signal any goroutines trying to Subscribe to the same event when we are done. On `Subscribe`, if the channel is present, wait for it before calling `Listen` to ensure the ordering is correct.
Closes#14716Closes#14717
Adds a new user-scoped tailnet API endpoint (`api/v2/tailnet`) with a new RPC stream for receiving updates on workspaces owned by a specific user, as defined in #14716.
When a stream is started, the `WorkspaceUpdatesProvider` will begin listening on the user-scoped pubsub events implemented in #14964. When a relevant event type is seen (such as a workspace state transition), the provider will query the DB for all the workspaces (and agents) owned by the user. This gets compared against the result of the previous query to produce a set of workspace updates.
Workspace updates can be requested for any user ID, however only workspaces the authorised user is permitted to `ActionRead` will have their updates streamed.
Opening a tunnel to an agent requires that the user can perform `ActionSSH` against the workspace containing it.
Second PR for #14716.
Adds a query that, given a user ID, returns all the workspaces they own, that can also be `ActionRead` by the requesting user.
```
type GetWorkspacesAndAgentsByOwnerIDRow struct {
WorkspaceID uuid.UUID `db:"workspace_id" json:"workspace_id"`
WorkspaceName string `db:"workspace_name" json:"workspace_name"`
JobStatus ProvisionerJobStatus `db:"job_status" json:"job_status"`
Transition WorkspaceTransition `db:"transition" json:"transition"`
Agents []AgentIDNamePair `db:"agents" json:"agents"`
}
```
`JobStatus` and `Transition` are set using the latest build/job of the workspace. Deleted workspaces are not included.
We currently send empty payloads to pubsub channels of the form `workspace:<workspace_id>` to notify listeners of updates to workspaces (such as for refreshing the workspace dashboard).
To support https://github.com/coder/coder/issues/14716, we'll instead send `WorkspaceEvent` payloads to pubsub channels of the form `workspace_owner:<owner_id>`. This enables a listener to receive events for all workspaces owned by a user.
This PR replaces the usage of the old channels without modifying any existing behaviors.
```
type WorkspaceEvent struct {
Kind WorkspaceEventKind `json:"kind"`
WorkspaceID uuid.UUID `json:"workspace_id" format:"uuid"`
// AgentID is only set for WorkspaceEventKindAgent* events
// (excluding AgentTimeout)
AgentID *uuid.UUID `json:"agent_id,omitempty" format:"uuid"`
}
```
We've defined `WorkspaceEventKind`s based on how the old channel was used, but it's not yet necessary to inspect the types of any of the events, as the existing listeners are designed to fire off any of them.
```
WorkspaceEventKindStateChange WorkspaceEventKind = "state_change"
WorkspaceEventKindStatsUpdate WorkspaceEventKind = "stats_update"
WorkspaceEventKindMetadataUpdate WorkspaceEventKind = "mtd_update"
WorkspaceEventKindAppHealthUpdate WorkspaceEventKind = "app_health"
WorkspaceEventKindAgentLifecycleUpdate WorkspaceEventKind = "agt_lifecycle_update"
WorkspaceEventKindAgentLogsUpdate WorkspaceEventKind = "agt_logs_update"
WorkspaceEventKindAgentConnectionUpdate WorkspaceEventKind = "agt_connection_update"
WorkspaceEventKindAgentLogsOverflow WorkspaceEventKind = "agt_logs_overflow"
WorkspaceEventKindAgentTimeout WorkspaceEventKind = "agt_timeout"
```
Closes https://github.com/coder/coder/issues/15213
This PR enables sending notifications without requiring the auth system
context, instead using a new auth notifier context.
The subquery on the users table was incorrectly using the username from
the `workspaces` table, not the `users` table.
This passed `sqlc-vet` because the column did exist in the query, it
just was not the correct one.
Part of https://github.com/coder/coder/issues/15176
I originally kept this the same because I wanted to be conservative
about when we start dropping activity, but this is proving to be a
problem when using `coder ssh` with `--usage-app=disabled`. Because the
workspace agent still counts this as a connection (I think it still
should so it's counted somewhere) but not as a SSH / IDE session. This
leads to background ssh tasks that want to be untracked still continuing
to bump activity when it shouldn't. This makes it so we have to have an
explicit session to bump activity.
Closes https://github.com/coder/coder/issues/15154
Log when someone attempts to either
- Request a one-time passcode for an account that doesn't exist
- Attempt to change a password with an invalid one-time passcode and/or
email
---------
Co-authored-by: Mathias Fredriksson <mafredri@gmail.com>
Closes#15212
## Changes made
- Updated logic so that proxy config is only requested when appropriate,
instead of for all users on all deployment pages
- Split up the main context provider for the `/deployment` and
`/organizations` routes, and updated layout logic for
`ManagementSettingsLayout` layout component. This ensures the sidebar is
always visible, even if request errors happen
- Added additional routing safeguards to make sure that even if a user
can view one page in the deployment section, they won't be able to
navigate directly to any arbitrary deployment page
- Updated logic for sidebar navigation to ensure that nav items only
appear when the user truly has permission
- Centralized a lot of the orgs logic into the `useAuthenticated` hook
- Added additional check cases to the `permissions.tsx` file, to give
more granularity, and added missing type-checking
- Extended the API for the `RequirePermissions` component to let it
redirect users anywhere
- Updated some of our testing setup files to ensure that types were
defined correctly
---------
Co-authored-by: McKayla Washburn <mckayla@hey.com>
Previously, `make gen` ran on CI whenever a non-docs change was made.
Based off the problem described in #15252, it sounds like CI should
*always* be running `gen`.
(Because I broke it, currently PR `gen` is getting skipped unless the
`ci` category is updated)
https://github.com/coder/coder/pull/15203 was merged with a failing
`make gen`, as it only updated the docs. This makes it so this can't
happen again.
The capitalization of the Go type used in the auto-generated docs
(`codersdk.OAuth2GithubConfig`) wasn't updated as it would technically
be a breaking change for the sdk.
Before db_metrics were all or nothing. Now `InTx` metrics are always recorded, and query metrics are opt in.
Adds instrumentation & logging around serialization failures in the database.
Related to https://github.com/coder/coder/issues/15087
As part of sniffing the workspace tags from an uploaded file, we need to
be able to handle both zip and tar files. Extracting the functions to
a separate `archive` package will be helpful here.
Working on #15202
The main change is to fetch the user doing the action to verify if it
should be able to change the password if there's no old_password set.
Customers reporting html pages returned to SCIM. Likely a disabled SCIM.
We should just report a more consumable error by the SCIM provider.
Previous behavior was a status code 200 HTML page
- Fixes an issue where building the Docker image failed due to moving
the directory hosting the Dockerfile
- Removed the Palo Alto scanning since our subscription there is set to
expire. Trivy is still running though.
The authz check is Update() on the original template. This is not ideal,
but it follows the existing behavior. We are implicitly granting this
read access since template admins need to be able to see what
users/groups exist to assign.
The go tests that would have checked for the outdated golden files
didn't get run as part of https://github.com/coder/coder/pull/14817
because only `helm/**` files were modified.
fixes https://github.com/coder/internal/issues/114
We need to wait for ServerTailnet goroutines to finish when closing down, otherwise we can race with the shutdown of coderd & the coordinator, which causes errors.
Joins in fields like `username`, `avatar_url`, `organization_name`,
`template_name` to `workspaces` via a **view**.
The view must be maintained moving forward, but this prevents needing to
add RBAC permissions to fetch related workspace fields.
This PR aims to close#14253
We keep the default behavior using the Coder logo if there's no logo
set.
Otherwise we want to use the logo based on the URL set in appearance.
---------
Co-authored-by: defelmnq <yvincent@coder.com>
Fixes https://github.com/coder/coder/issues/12721
If a container in docker is started with `--cgroupns=private` (which is
the default behaviour in docker) then `/proc/1/cgroup` has the following
content:
```
0::/
```
If a container in docker is started with `--cgroupns=host` then
`/proc/1/cgroup` has the following content (hash will vary):
```
0::/docker/aa86ac98959eeedeae0ecb6e0c9ddd8ae8b97a9d0fdccccf7ea7a474f4e0bb1f
```
Currently we are determining if a host is containerized by assuming the
second scenario. This means the existing behaviour of sniffing
`/proc/1/cgroup` is not always sufficient for checking if a host is
containerized.
According to [the cgroups(7)
man-page](https://man7.org/linux/man-pages/man7/cgroups.7.html) there
exists a `cgroup.type` file in a nonroot cgroup. This exists in Linux
versions after `4.14`.
> Linux 4.14 added thread mode for cgroups v2.
> With the addition of thread mode, each nonroot cgroup now contains a
new file, cgroup.type
This means we can check for the existence of
`/sys/fs/cgroup/cgroup.type` to see if we are in a container or not.
In investigating https://github.com/coder/internal/issues/109 I noticed many of the notification tests are still using `time.Sleep` and `require.Eventually`. This is an initial effort to start converting these to Quartz.
One product change is to switch the `notifier` to use a `TickerFunc` instead of a normal Ticker, since it allows the test to assert that a batch process is complete via the Quartz `Mock` clock. This does introduce one slight behavioral change in that the notifier waits the fetch interval before processing its first batch. In practice, this is inconsequential: no one will notice if we send notifications immediately on startup, or just a little later.
But, it does make a difference to some tests, which are fixed up here.
A bunch of notification tests create a whole `coderd`, when all they use is the database and logger. This makes the tests more expensive to run, and pollutes the test logs with a bunch of stuff that doesn't matter (e.g. tailnet).
Fixes https://github.com/coder/internal/issues/93
`bytes.Buffer` is not concurrency-safe.
`cmd` could write to the buffer concurrently while we're reading the
buffer in
```
require.Eventually(t, func() bool {
return bytes.Contains(output.Bytes(), []byte("ERROR: Downloaded agent binary returned unexpected version output"))
}, testutil.WaitShort, testutil.IntervalSlow)
```
Not sure about the `os: process already finished` flake, though.
---------
Signed-off-by: Danny Kopping <danny@coder.com>
- Adds `provisionerDaemon.keySecretName` and
`provisionerDaemon.keySecretKey`
- Omitting `provisionerDaemon.pskSecretName` will now cause the PSK
secret to no longer be created.
- Adds a note in `NOTES.txt` regarding provisioner PSKs.
- Adds validation that either `provisionerDaemon.keySecretName` or
`provisionerDaemon.pskSecretName` is specified, and will fail the
install in this case.
This PR aims to rename `build-option` to `ephemeral-parameters` based on
#10488 conversation.
`build-option` has been renamed `ephemeral-parameter` and can be used to
define a value for an ephemeral parameter in the template.
`build-options` has been renamed `prompt-ephemeral-parameters` and can
be used to prompt the user to put values for the ephemeral parameters in
the template.
---------
Co-authored-by: Mathias Fredriksson <mafredri@gmail.com>
Co-authored-by: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com>
Co-authored-by: defelmnq <yvincent@coder.com>
This PR is a proposal to improve the situation described in #14750
For some precise commands - we would like to be able to use durations
bigger than hours, minutes..
This PR extends the Duration proposed by Go with :
- `d` - a day or 24hours.
- `y` - a year or 365 days.
I also removed the default value for lifetime and instead fetch the
maxLifetime value from codersdk - so by default if no value set we use
the value defined in the config.
Added logging information to output timing information of this for
loop. If we get another failure, this timing information should be
helpful.
I also made the time drift allowed (was 10s) to match the maximum
waiting time of the for loop. It's not perfect, but now the loop should
take max ~15s, and the time comparison will allow 15s leeway.
This PR closes#15065.
As advised by @mtojek, a template's display name may be set to "", which
is not useful in an email notification. We'd like to provide a friendly
name for the template, but it also needs to be identifiable.
As such, we fall back to template.Name in the case that the template's
display name is empty.
Use specific commit SHAs for GitHub actions across various workflows to
enhance reliability and reproducibility. This change ensures that
actions run against a known version, reducing the risk of unexpected
issues due to updates in the third-party action repositories.
This contributes to improving the score in #14879
We run our e2e-tests on a 16-core machine with `--max-workers=1`
Using a standard runner with 2 cores, the machine runs the tests in the
same amount of time while reducing the cost 8 times.
Update: `test-e2e` fails on the 2core-8GB runner, so using a 4-core-16GB runner for that.
This Pull request addresses the more trivial items in
https://github.com/coder/coder/issues/14893.
These were simple formatting changes that I was able to fix despite
limited context.
Some more changes are required for which I will have to dig a bit deeper
into how the template contexts are populated. I'm happy to add those to
this PR or create a subsequent PR.
A test is currently failing because it relies on Sidney Tz.
from the internet :
```
Daylight Saving Time begins at 2 am (AEST) on the first Sunday in October and ends at 3 am (Australian Eastern Daylight Time) on the first Sunday in April.
```
Due to that - there's one hour missing in the tests - and the test `6
days are acceptable` is failing.
Changing to another timezone to fix the situation, it would require a
longer-term solution or making sure it cannot happen anymore.
fixes#14961
Adding the license and updating entitlements is flaky, especially at the start of our `coderdent` testing because, while the actual modifications to the `entitlements.Set` were threadsafe, we could have multiple goroutines reading from the database and writing to the set, so we could end up writing stale data.
This enforces serialization on updates, so that if you modify the database and kick off an update, you know the state of the `Set` is at least as fresh as your database update.
Relates to https://github.com/coder/coder/issues/14232
This implements two endpoints (names subject to change):
- `/api/v2/users/otp/request`
- `/api/v2/users/otp/change-password`
fixes#14715
Configures agents to use an address both in the Tailscale service prefix and the new Coder service prefix. Also modifies the Coordinator auth to allow the new prefix.
Updates `coder/tailscale` to include https://github.com/coder/tailscale/pull/62 which fixes a bug around forwarding TCP connections to localhost. This functionality is tested in the modifications to `TestAgent_Dial`.
re: #14715
This PR introduces the Coder service prefix: `fd60:627a:a42b::/48` and refactors our existing code as calling the Tailscale service prefix explicitly (rather than implicitly).
Removes the unused `Addresses` agent option. All clients today assume they can compute the Agent's IP address based on its UUID, so an agent started with a custom address would break things.
- Adds a `jwtutils` package to be shared amongst the various
packages in the codebase that make use of JWTs. It's intended to help us
standardize on one library instead of some implementations using
`go-jose` and others using `golang-jwt`.
The main reason we're converging on `go-jose` is due to its support for
JWEs, `golang-jwt` also has a repo to handle it but it doesn't look
maintained: https://github.com/golang-jwt/jwe
Bumps [@swc/jest](https://github.com/swc-project/pkgs) from 0.2.24 to
0.2.36.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/swc-project/pkgs/commits">compare view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[@chakra-ui/react](https://github.com/chakra-ui/chakra-ui/tree/HEAD/packages/components/react)
from 2.8.2 to 2.9.3.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/chakra-ui/chakra-ui/commits/HEAD/packages/components/react">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
We've had some reports about difficulty connecting to workspaces under very challenging networking conditions. This PR adds some advice about minimum network quality when connecting to workspaces with Coder.
## Changes made
- Updated custom avatar components to favor background color by default
- Updated `AvatarData` component to let you manually specify the source
of the text used when images fail to load, and updated the orgs
breadcrumb segment to use it
- Added some logic for handling emoji images better
[//]: # (dependabot-start)
⚠️ **Dependabot is rebasing this PR** ⚠️
Rebasing might not happen immediately, so don't worry if this takes some
time.
Note: if you make any changes to this PR yourself, they will take
precedence over the rebase.
---
[//]: # (dependabot-end)
Bumps
[@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)
from 20.14.8 to 20.16.10.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node)
from 20.14.8 to 20.16.10.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[@types/lodash](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/lodash)
from 4.14.196 to 4.17.9.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/lodash">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- [x] Mention Orgs is beta and add a link to get feedback
- [x] Add docs on new provisioner authentication architecture and
deprecate the old one
- [x] Add/update docs for IdP sync
- [x] Organization Sync
- [x] Group Sync
- [x] Role Sync
- [x] Modify `coder.com` codebase to add `Premium` and `Beta` pill, and
allow multiple pills: https://github.com/coder/coder.com/pull/638
- [x] Replace all mentions of "Enterprise" with "Premium" in docs
- [x] edit: change it to "Licensing"
- [x] Remove the enterprise page and change all links to
coder.com/pricing
- [x] Merge #14786
- [x] Add redirects for coder.com to redirect the `using-organizations`
guide to the new orgs one and /enterprise to /premium
https://github.com/coder/coder.com/pull/645
- [x] Custom roles
- [x] https://github.com/coder/coder/pull/14786
- [x] Remove all mentions of orgs experiment
- [x] Update in-product copy & links to link to the new docs pages
Anything I am missing?
---
[Preview
this](https://coder.com/docs/@orgs-licenses/admin/organizations)
---------
Co-authored-by: Edward Angert <EdwardAngert@users.noreply.github.com>
Co-authored-by: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com>
Co-authored-by: Jaayden Halko <jaayden.halko@gmail.com>
- Adds the database implementation for fetching and caching keys
used for JWT signing. It's been merged into the `keyrotate` pkg and
renamed to `cryptokeys` since they're coupled concepts.
Bumps the react group with 1 update in the /offlinedocs directory:
[@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react).
Bumps the react group with 2 updates in the /site directory:
[@types/react](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react)
and
[@types/react-dom](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/react-dom).
Updates `@types/react` from 18.3.3 to 18.3.10
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react">compare
view</a></li>
</ul>
</details>
<br />
Updates `@types/react` from 18.2.6 to 18.3.10
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react">compare
view</a></li>
</ul>
</details>
<br />
Updates `@types/react-dom` from 18.2.4 to 18.3.0
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/react-dom">compare
view</a></li>
</ul>
</details>
<br />
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
</details>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: BrunoQuaresma <bruno_nonato_quaresma@hotmail.com>
Bumps
[@types/lodash](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/lodash)
from 4.17.6 to 4.17.9.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/lodash">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
I'm seeing flakes like
```
provisionerkeys_test.go:68: 2024-09-30 05:58:44.686: cmd: matched newline = "CREATED AT NAME TAGS "
provisionerkeys_test.go:72: 2024-09-30 05:58:44.686: cmd: matched newline = "2024-09-30T05:58:44Z dont-test-me my=way foo=bar "
provisionerkeys_test.go:74:
Error Trace: /Users/runner/work/coder/coder/enterprise/cli/provisionerkeys_test.go:74
Error: "2024-09-30T05:58:44Z dont-test-me my=way foo=bar " does not contain "foo=bar my=way"
Test: TestProvisionerKeys/CRUD
```
e.g.
https://github.com/coder/coder/actions/runs/11100237276/job/30835714478?pr=14855
Since the tags are a map, we weren't outputting them in a consistent
order on the CLI, leading to flakes.
This sorts the tags by key when converting to a string, for a
consistent, canonical output.
Since its currently not possible to update or delete built-in roles. The
purpose of this PR is to display the built-in roles so that users know
they exist and what permissions each role contains.
<img width="1185" alt="Screenshot 2024-09-26 at 9 18 05 PM"
src="https://github.com/user-attachments/assets/017a51d7-ec98-409c-9c8e-b66ac7abb948">
What this changes:
- Unhides the `--key` flag on provisioner start
- Deprecates and hides `provisionerd` command group in favor of
`provisioner(s)`
- Removes org id from `coder provisioner keys list`
* chore: remove read all provisioners from users
Reading provisioner daemons now extends from org member,
not site wide member.
* update rbac perm test
* add unit test
* feat: begin impl of agent script timings
* feat: add job_id and display_name to script timings
* fix: increment migration number
* fix: rename migrations from 251 to 254
* test: get tests compiling
* fix: appease the linter
* fix: get tests passing again
* fix: drop column from correct table
* test: add fixture for agent script timings
* fix: typo
* fix: use job id used in provisioner job timings
* fix: increment migration number
* test: behaviour of script runner
* test: rewrite test
* test: does exit 1 script break things?
* test: rewrite test again
* fix: revert change
Not sure how this came to be, I do not recall manually changing
these files.
* fix: let code breathe
* fix: wrap errors
* fix: justify nolint
* fix: swap require.Equal argument order
* fix: add mutex operations
* feat: add 'ran_on_start' and 'blocked_login' fields
* fix: update testdata fixture
* fix: refer to agent_id instead of job_id in timings
* fix: JobID -> AgentID in dbauthz_test
* fix: add 'id' to scripts, make timing refer to script id
* fix: fix broken tests and convert bug
* fix: update testdata fixtures
* fix: update testdata fixtures again
* feat: capture stage and if script timed out
* fix: update migration number
* test: add test for script api
* fix: fake db query
* fix: use UTC time
* fix: ensure r.scriptComplete is not nil
* fix: move err check to right after call
* fix: uppercase sql
* fix: use dbtime.Now()
* fix: debug log on r.scriptCompleted being nil
* fix: ensure correct rbac permissions
* chore: remove DisplayName
* fix: get tests passing
* fix: remove space in sql up
* docs: document ExecuteOption
* fix: drop 'RETURNING' from sql
* chore: remove 'display_name' from timing table
* fix: testdata fixture
* fix: put r.scriptCompleted call in goroutine
* fix: track goroutine for test + use separate context for reporting
* fix: appease linter, handle trackCommandGoroutine error
* fix: resolve race condition
* feat: replace timed_out column with status column
* test: update testdata fixture
* fix: apply suggestions from review
* revert: linter changes
* chore: finish draft work for FeatureBadge component
* fix: add visually-hidden helper text for screen readers
* chore: add stories for highlighted state
* fix: update base styles
* chore: remove debug display option
* chore: update Popover to propagate events
* wip: commit progress on FeatureBadge update
* wip: commit more progress
* chore: update tag definitions to satify Biome
* chore: update all colors for preview role
* fix: make sure badge shows as hovered while inside tooltip
* wip: commit progress on adding story for controlled variant
* fix: sort imports
* refactor: change component API to be more obvious/ergonomic
* fix: add biome-ignore comments to more base files
* fix: update import order again
* chore: revert biome-ignore comment
* chore: update body text for tooltip
* chore: update dark preivew role to use sky palette
* chore: update color palettes for light/darkBlue themes
* chore: add beta badge to organizations subheader
* chore: add beta badge to organizations settings page
* chore: beef up font weight for form header
* fix: update text contrast for org menu list
* chore: add beta badge to deployment dropdown
* fix: run biome on imports
* chore: remove API for controlling FeatureBadge hover styling externally
* chore: add xs size for badge
* fix: update font weight for xs feature badges
* chore: add beta badges to all org headers
* fix: turn badges and tooltips into separate concerns
* fix: update hover styling
* docs: update wording on comment
* fix: apply formatting
* chore: rename FeatureBadge to FeatureStageBadge
* refactor: redefine FeatureStageBadge
* chore: update stories
* fix: add blur behavior to popover
* chore: revert theme colors
* chore: create featureStage branding namespace
* fix: make sure cleanup function is set up properly
* docs: update wording on comment for clarity
* refactor: move styles down
* feat: remove user from groups on org membership delete
Groups inherently provide authz access to certain resources. If a
user is removed from an organization, they should be removed
from all their groups in said organization.
* chore: add command for showing colors
* fix: use ANSI color codes instead of RGB
* feat: add '--no-color' flag
* fix: revert colors
* chore: change colors
* fix: update golden files
* fix: replace blue with brightBlue
* fix: drop '> ' for unfocused prompts
* fix: run 'make fmt'
* chore: allow disabling color with env flags
* fix: apply fixes from feedback
* fix: run 'make gen'
* fix: refactor janky code
* fix: re-add public function
* fix: re-add init for non-color tests
* fix: move styles to 'init' that can be
* fix: stop overwriting entire DefaultStyles
* fix: make code and field obey --no-color
* fix: rip out '--no-color' due to race condition
We still support `NO_COLOR` env variable through termenv's
`EnvColorProfile`. The reason for the race condition is that
`DefaultStyles` is a global that we shouldn't mutate after `init`
is called, but we have to mutate it after `init` has ran to have
serpent collect the cli flags and env vars for us.
* fix: apply nit
* fix: simplify code && hide command
* fix: newline shouldn't be themed
* fix: appease the linter
* chore: use legacy "AssignDefault" option for legacy behavior in SCIM (#14696)
* chore: reference legacy assign default option for legacy behavior
AssignDefault is a boolean flag mainly for single org and legacy
deployments. Use this flag to determine SCIM behavior.
---------
Co-authored-by: Steven Masley <Emyrk@users.noreply.github.com>
* chore: move schedule controls to the right side of the screen
* chore: add org display to workspace topbar
* fix: force organizations to be readonly array
* fix update type mismatch for organizations again
* refactor: tuck main loading skeleton for filter into base definition
* refactor: give filter files different names to reduce confusion
* refactor: remove separate base filter skeleton
* fix: update responsive logic for audit table filter
* chore: add organizations option group to workspaces table
* refactor: make prop contracts more explicit
* refactor: centralize the organizations dropdown logic
* fix: update imports and formatting
* fix: update quota querying logic to use new endpoint
* fix: add logic for handling long workspace or org names
* chore: add links for workspaces by org
* chore: expand tooltip styling for org
* chore: expand tooltip styling for owner
* refactor: split off breadcrumbs for readability
* fix: display correct template version name in dropdown
* fix: update overflow styling for breadcrumb segments
* fix: favor org display name
* fix: centralize org display name logic
* fix: make sure skeletons stay synced with org feature toggles
* fix: ensure that mock query cache key and component key are properly synced for storybook
* docs: clean up wording on SearchField comment
* fix: shrink mix width threshold for search field
* chore: add navigation test for workspace details page (#14629)
* chore: add tests for WorkspacePage cross-page navigation
* fix: update story to use mock organizations menu
* chore: move schedule controls to the right side of the screen
* chore: add org display to workspace topbar
* fix: force organizations to be readonly array
* fix update type mismatch for organizations again
* fix: update quota querying logic to use new endpoint
* fix: add logic for handling long workspace or org names
* chore: add links for workspaces by org
* chore: expand tooltip styling for org
* chore: expand tooltip styling for owner
* refactor: split off breadcrumbs for readability
* fix: display correct template version name in dropdown
* fix: update overflow styling for breadcrumb segments
* fix: favor org display name
* fix: centralize org display name logic
* fix: ensure that mock query cache key and component key are properly synced for storybook
Fixes#12560
When gracefully disconnecting from the coordinator, we would send the Disconnect message and then close the dRPC stream. However, closing the dRPC stream can cause the server not to process the Disconnect message, since we use the stream context in a `select` while sending it to the coordinator.
This is a product bug uncovered by the flake, and probably results in us failing graceful disconnect some minority of the time.
Instead, the `remoteCoordination` (and `inMemoryCoordination` for consistency) should send the Disconnect message and then wait for the coordinator to hang up (on some graceful disconnect timer, in the form of a context).
* fix: only allow submitting form if dirty
* test: add test for submit button behaviour
* fix: apply 'make fmt'
* chore: rename 'Submit' to 'Submit and restart'
* test: fix tests
Drops support for v1 of the tailnet API, which was the original coordination protocol where we only sent node updates, never marked them lost or disconnected.
v2 of the tailnet API went GA for CLI clients in Coder 2.8.0, so clients older than that would stop working.
Removes the support for the Agent's "legacy IP" which was a hardcoded IP address all agents used to use, before we introduced "single tailnet". Single tailnet went GA in 2.7.0.
fixes#14365
I bet what's going on is that in `connectToCoordinatorAndFetchResumeToken()` we call `Coordinate()`, send a message on the `Coordinate` client and then close it in rapid succession. We don't wait around for a response from the coordinator, so dRPC is likely aborting the call `Coordinate()` in the backend because the stream is closed before it even gets a chance.
Instead of using the Coordinator to record the peer ID assigned on the API call, we can wrap the resume token provider, since we call that API _and_ wait for a response. This also affords the opportunity to directly assert we get called with the right token.
* feat: add groups column to members page in organizations
* fix: run 'make fmt'
* fix: stop displaying groups member is in for other organisations
* fix: run 'make fmt'
* fix: prefer organization display name for workspaces table
* fix: update story to account for organization name changes
* fix: resolve typo in regex search for test
* feat: initial commit for idp skeleton page
* feat: add optional tooltip icon to settings header
* feat: add help tooltip
* feat: add mock data and update pageview for mock data
* feat: initial stories
* feat: error circle
* feat: cleanup
* feat: update StatusIndicator for outlined variant
* feat: use StatusIndicator instead of Circle
* chore: cleanup
* fix: remove ternaries in css
* fix: updates for PR review comments
* chore: add story for compact empty state
* feat: extract IdpField and improve field spacing
Previously, we were showing the warning regardless of whether a template was using the misconfigured notification method or not. However, we realized this could be too noisy, so we decided to display the warning only when the user has a template configured to use the misconfigured method.
* chore: add organization label to workspace template column
* chore: add test for presence of showOrganizations context value
* fix: organize imports
* fix: expose table row subtitles only to screen readers
Abstracts the Spinner component to control the display of the CircularProgress component. This allows us to make it static during Chromatic tests, making loading tests easier to visualize.
* feat: add resource-action pills to custom roles table
* fix: remove permission from theme and change name to colorRoles
* fix: revert name from colorRoles to roles
* fix: format
* fix: custom role with no permissions
* feat: extract permissions pull list component and add tests
* chore: undo color roles name change
* feat: add experimental pill colors
* fix: format
* chore: update experiment name
* chore: cleanup
Updates the `DeleteOldWorkspaceAgentLogs` to:
- Retain logs for the most recent build regardless of age,
- Delete logs for agents that never connected and were created before
the cutoff for deleting logs while still retaining the logs most recent build.
* chore: implement filters for the organizations query
* chore: implement organization sync and create idpsync package
Organization sync can now be configured to assign users to an org based on oidc claims.
Related to #10576
This PR introduces quartz to coderd/database/dbpurge and updates the following unit tests to make use of Quartz's functionality:
- TestPurge
- TestDeleteOldWorkspaceAgentLogs
Additionally, updates DeleteOldWorkspaceAgentLogs to replace the hard-coded interval with a parameter passed into the query. This aids in testing and brings us a step towards allowing operators to configure the cutoff interval for workspace agent logs.
Fixes#13430.
The test for purging old workspace agent stats from the DB was consistently failing when ran with Postgres towards the end of the month, but not with the in-memory DB.
This was because month intervals are calculated differently for `time.Time` and the `interval` type in Postgres:
```
ethan=# SELECT
'2024-08-30'::DATE AS original_date,
('2024-08-30'::DATE - INTERVAL '6 months') AS sub_date;
original_date | sub_date
---------------+---------------------
2024-08-30 | 2024-02-29 00:00:00
(1 row)
```
Using `func (t Time) AddDate(years int, months int, days int) Time`, where `months` is `-6`:
```
Original: 2024-08-30 00:00:00 +0000 UTC
6 Months Earlier: 2024-03-01 00:00:00 +0000 UTC
```
Since 6 months was chosen arbitrarily, we should be able to change it to 180 days, to remove any ambiguity between the in-memory DB, and the Postgres DB. The alternative solution would involve implementing Postgres' month interval algorithm in Go.
The UI only shows stats as old as 168 days (24 weeks), so a frontend change isn't required for the extra days of stats we lose in some cases.
Before, if a file was not found we would serve the app.
This would cause either the login page or the workspace
page to load (and consequently error because `assets` is
likely not a valid user).
The issue is that if you add a user and then immediately go to give them
permissions, you can add them but they will not show up in the UI. They
also do not show up in the audit log entry.
* chore(docs): add agent api debug docs
* chore(docs): add sections to agent api readme
* chore(docs): link debug manifest to agentsdk.Manifest schema
* chore(docs): add high level overview of agent api debug docs
* chore(docs): link to agent api docs from reference
* chore(docs): fix invalid paths
* chore(docs): use env variable for coder agent debug address
First PR to address #14244.
Adds common potential reasons as to why a direct connection to the workspace agent couldn't be established to `coder ping`:
- If the Coder deployment administrator has blocked direction connections (`CODER_BLOCK_DIRECT`).
- If the client has no STUN servers within it's DERP map.
- If the client or agent appears to be behind a hard NAT, as per Tailscale `netInfo.MappingVariesByDestIP`
Also adds a warning if the client or agent has a network interface below the 'safe' MTU for tailnet. This warning is always displayed at the end of a `coder ping`.
This is accomplished by using the members endpoint instead of the users
endpoint, and to that end the UserAutocomplete component has been
reworked to support either endpoint as separate components with a shared
base.
* Add Storybook for groups page
This ensures it is using the right endpoint for the add member dropdown.
* Add ability to mock react-query errors
- Adds `--use-host-login` to `coder exp scaletest workspace-traffic`
- Modifies getScaletestWorkspaces to conditionally filter workspaces if `CODER_DISABLE_OWNER_WORKSPACE_ACCESS` is set
- Adds a warning if `CODER_DISABLE_OWNER_WORKSPACE_ACCESS` is set and scaletest workspaces are filtered out due to ownership mismatch.
- Modifies `coderdtest.New` to detect cross-test bleed of `CODER_DISABLE_OWNER_WORKSPACE_ACCESS` and fast-fail.
* chore: allow CreateUser to accept multiple organizations
In a multi-org deployment, it makes more sense to allow for multiple
org memberships to be assigned at create. The legacy param will still
be honored.
* Handle sdk deprecation better by maintaining cli functions
* chore: refactor entitlements to be passable as an argument
Previously, all usage of entitlements requires mutex usage on the
api struct directly. This prevents passing the entitlements to
a sub package. It also creates the possibility for misuse.
* chore: implement generalized symmetric difference for set comparison
Going to be used in Organization Sync + maybe group sync. Felt
better to reuse, rather than copy
This PR modifies the gcp-devcontainer example template to include
support for devcontainer caching using the envbuilder provider.
Co-authored-by: Mathias Fredriksson <mafredri@gmail.com>
Co-authored-by: Muhammad Atif Ali <atif@coder.com>
We try to write a cute little summary at the end of the bundle, but that could panic if some of the fields of the bundle were nil. Adds a test that essentially ensures nil values in a bundle, and ensures that it can be handled without losing our towels.
Co-authored-by: Danny Kopping <danny@coder.com>
* chore: scope workspace quotas to organizations
Quotas are now a function of (user_id, organization_id). They are
still sourced from groups. Deprecate the old api endpoint.
Updates the envbuilder-dogfood template to use the envbuilder provider.
Relates to coder/team-coconut#38
Co-authored-by: Mathias Fredriksson <mafredri@gmail.com>
Multi-org enables the possibility of a user having template permissions,
but not workspace create permissions. The unauthorized error should be
returned instead of a 404. This does not leak any information the user
cannot already obtain.
* chore: fixup quotas to only include groups you are a member of
Before all everyone groups were included in the allowance.
* chore: add unit test to execercise the bug
* add unit test to add rows into the everyone group
* fix: avoid deleting peers on graceful close
- Fixes an issue where a coordinator deletes all
its peers on shutdown. This can cause disconnects
whenever a coderd is redeployed.
* - allow group members to read basic Group info
- allow group members to see they are part of the group, but not see that information about other members
- add a GetGroupMembersCountByGroupID SQL query, which allows group members to see members count without revealing other information about the members
- add the group_members_expanded db view
- rewrite group member queries to use the group_members_expanded view
- add the RBAC ResourceGroupMember and add it to relevant roles
- rewrite GetGroupMembersByGroupID permission checks
- make the GroupMember type contain all user fields
- fix type issues coming from replacing User with GroupMember in group member queries
- add the MemberTotalCount field to codersdk.Group
- display `group.total_member_count` instead of `group.members.length` on the account page
* test: add unit test to verify group permission behavior
* Update coderd/database/dbauthz/groupsauth_test.go
---------
Co-authored-by: Cian Johnston <cian@coder.com>
This can happen if you can edit the members, for example, but not the
organization settings. In this case you will see a new summary page
instead of the edit form.
* chore: add fuzzy name search for templates
* chore: implement fuzzy name matching for templates
Templates search query defaults to a fuzzy name match
* fix: only check flag for organization settings
I added checks against the license but actually what we want is for
these views to become the default even when not licensed (once the
experimental flag is removed).
* Move deployment settings header to components
This will let us use it in the org settings pages, for a consistent
look.
* Add premium badge
* Use settings header on org pages
* Add license badges to create org page
I am not sure if there is maybe a better place for this, but maybe this
is good enough.
* Change create org form description text
It says "change", but there is nothing to change yet since this is a new
organization.
* Consistently capitalize org menu items and headings
Also, remove the "organizations" prefix since it seems redundant.
* chore: remove per-org audit links
For now at least, we will have the one audit page at /audit which lets
you filter by organization.
This also removes the need to do per-org audit permission checks.
* Filter audit org dropdown by auditable orgs
Previously all orgs you can list would appear, but you might not be
able to audit all of them.
* feat: initial commit custom roles
* feat: add page to create and edit custom roles
* feat: add assign org role permission
* feat: wip
* feat: cleanup
* fix: role name is disabled when editing the role
* fix: assign role context menu falls back to name when no display_name
* feat: add helper text to let users know that role name is immutable
* fix: format
* feat: - hide custom roles tab if experiment is not enabled
* fix: use custom TableLoader
* fix: fix custom roles text
* fix: use PatchRoleRequest
* fix: use addIcon to create roles
* feat: add cancel and save buttons to top of page
* fix: use nameValidator for name
* chore: cleanup
* feat: add show all permissions checkbox
* fix: update sidebar for roles
* fix: fix format
* fix: custom roles is not needed outside orgs
* fix: fix sidebar stories
* feat: add custom roles page stories
* fix: use organization permissions
* feat: add stories for CreateEditRolePageView
* fix: design improvements for the create edit role form
* feat: add show all resources checkbox to bottom of table
* feat: improve spacing
* fix: apply more specific selector labels to k8s example deployment template
* fix: use immutable ids instead of names for persistent resources in k8s example template as per docs
* chore: implement deleting custom roles
* add trigger to delete role from organization members on delete
* chore: add comments to explain populated field
The initial assumption that branch manipulations should be done by this
script and not pushed to remote manually has proven to get in the way of
the regular release flow.
These are just safety-checks to prevent user error, safe to remove.
Fixes#13648
* s/readAllUsers/viewAllUsers
Other frontend variables use the `view` syntax. Arguably we should
use `read` to match the backend, but `view` does seem more UI-like.
* Check license for organizations
All the checks now require both the experiment and license.
I also renamed the variable canViewOrganizations everywhere for
consistency.
* Allow any auditor to view the audit log
* Use fine-grained permissions on settings page
Since in addition to deployment settings this page now also includes
users, audit logs, groups, and orgs.
Since you might not be able to fetch deployment values, move all the
loaders to the individual pages instead of in the wrapping layout.
* Add stories for organization members page
Needed to break it out into a separate view to do this.
* Add stories for multi-org sidebar
* Remove multi-org check from management settings layout
We only use this layout when multi-org is enabled, so no need to run the
check a second time.
* Add more stories for deployment dropdown
* chore: prevent removing members from the default organization
Until multi-organizations is released outside an experiment, the
experiment should be backwards compatible.
* chore: audit log filter to be skipped if user is owner/admin
Optimize for speed in the case the user can read all audit_logs
* fixup! chore: audit log filter to be skipped if user is owner/admin
* chore: bump the x group with 4 updates
Bumps the x group with 4 updates: [golang.org/x/mod](https://github.com/golang/mod), [golang.org/x/oauth2](https://github.com/golang/oauth2), [golang.org/x/sync](https://github.com/golang/sync) and [golang.org/x/sys](https://github.com/golang/sys).
Updates `golang.org/x/mod` from 0.19.0 to 0.20.0
- [Commits](https://github.com/golang/mod/compare/v0.19.0...v0.20.0)
Updates `golang.org/x/oauth2` from 0.21.0 to 0.22.0
- [Commits](https://github.com/golang/oauth2/compare/v0.21.0...v0.22.0)
Updates `golang.org/x/sync` from 0.7.0 to 0.8.0
- [Commits](https://github.com/golang/sync/compare/v0.7.0...v0.8.0)
Updates `golang.org/x/sys` from 0.22.0 to 0.23.0
- [Commits](https://github.com/golang/sys/compare/v0.22.0...v0.23.0)
---
updated-dependencies:
- dependency-name: golang.org/x/mod
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: x
- dependency-name: golang.org/x/oauth2
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: x
- dependency-name: golang.org/x/sync
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: x
- dependency-name: golang.org/x/sys
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: x
...
Signed-off-by: dependabot[bot] <support@github.com>
* [dependabot skip] Update Nix Flake SRI Hash
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-08-05 14:26:08 +03:00
2593 changed files with 226433 additions and 148296 deletions
if:(github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
@@ -91,7 +93,7 @@ Browse our docs [here](https://coder.com/docs) or visit a specific section below
- [**Workspaces**](https://coder.com/docs/workspaces): Workspaces contain the IDEs, dependencies, and configuration information needed for software development
- [**IDEs**](https://coder.com/docs/ides): Connect your existing editor to a workspace
- [**Administration**](https://coder.com/docs/admin): Learn how to operate Coder
- [**Enterprise**](https://coder.com/docs/enterprise): Learn about our paid features built for large teams
- [**Premium**](https://coder.com/pricing#compare-plans): Learn about our paid features built for large teams
## Support
@@ -111,6 +113,7 @@ We are always working on new integrations. Please feel free to open an issue and
- [**Module Registry**](https://registry.coder.com): Extend development environments with common use-cases
- [**Kubernetes Log Stream**](https://github.com/coder/coder-logstream-kube): Stream Kubernetes Pod events to the Coder startup logs
- [**Self-Hosted VS Code Extension Marketplace**](https://github.com/coder/code-marketplace): A private extension marketplace that works in restricted or airgapped networks integrating with [code-server](https://github.com/coder/code-server).
- [**Setup Coder**](https://github.com/marketplace/actions/setup-coder): An action to setup coder CLI in GitHub workflows.
assert.GreaterOrEqualf(t,expected[i].Value,m.GetGauge().GetValue(),"expected %s to be greater than or equal to %f, got %f",expected[i].Name,expected[i].Value,m.GetGauge().GetValue())
assert.GreaterOrEqualf(t,expected[i].Value,m.GetCounter().GetValue(),"expected %s to be greater than or equal to %f, got %f",expected[i].Name,expected[i].Value,m.GetCounter().GetValue())
Description:"An external command that outputs additional HTTP headers added to all requests. The command must output each header as `key=value` on its own line.",
},
{
Flag:"agent-header",
Env:"CODER_AGENT_HEADER",
Value:serpent.StringArrayOf(&agentHeader),
Description:"Additional HTTP headers added to all requests. Provide as "+`key=value`+". Can be specified multiple times.",
fmt.Sprintf("Client is potentially behind a hard NAT, as multiple endpoints were retrieved from different STUN servers\n %s#endpoint-dependent-nat-hard-nat",d.TroubleshootingURL))
fmt.Sprintf("Agent is potentially behind a hard NAT, as multiple endpoints were retrieved from different STUN servers\n %s#endpoint-dependent-nat-hard-nat",d.TroubleshootingURL))
}
if!d.AgentNetcheck.NetInfo.UDP{
agent=append(agent,
fmt.Sprintf("Agent could not connect to STUN over UDP\n %s#udp-blocked",d.TroubleshootingURL))
}
}
ifd.ClientIPIsAWS{
client=append(client,
fmt.Sprintf("Client IP address is within an AWS range (AWS uses hard NAT)\n %s#endpoint-dependent-nat-hard-nat",d.TroubleshootingURL))
}
ifd.AgentIPIsAWS{
agent=append(agent,
fmt.Sprintf("Agent IP address is within an AWS range (AWS uses hard NAT)\n %s#endpoint-dependent-nat-hard-nat",d.TroubleshootingURL))
`Agent is potentially behind a hard NAT, as multiple endpoints were retrieved from different STUN servers`,
},
},
{
name:"AgentInterfaceWarnings",
diags:cliui.ConnDiags{
ConnInfo:workspacesdk.AgentConnectionInfo{
DERPMap:&tailcfg.DERPMap{},
},
AgentNetcheck:&healthsdk.AgentNetcheckReport{
Interfaces:healthsdk.InterfacesReport{
BaseReport:healthsdk.BaseReport{
Warnings:[]health.Message{
health.Messagef(health.CodeInterfaceSmallMTU,"Network interface eth0 has MTU 1280, (less than 1378), which may degrade the quality of direct connections"),
},
},
},
},
},
want:[]string{
`Network interface eth0 has MTU 1280, (less than 1378), which may degrade the quality of direct connections`,
},
},
{
name:"LocalInterfaceWarnings",
diags:cliui.ConnDiags{
ConnInfo:workspacesdk.AgentConnectionInfo{
DERPMap:&tailcfg.DERPMap{},
},
LocalInterfaces:&healthsdk.InterfacesReport{
BaseReport:healthsdk.BaseReport{
Warnings:[]health.Message{
health.Messagef(health.CodeInterfaceSmallMTU,"Network interface eth1 has MTU 1310, (less than 1378), which may degrade the quality of direct connections"),
},
},
},
},
want:[]string{
`Network interface eth1 has MTU 1310, (less than 1378), which may degrade the quality of direct connections`,
},
},
{
name:"ClientAWSIP",
diags:cliui.ConnDiags{
ConnInfo:workspacesdk.AgentConnectionInfo{
DERPMap:&tailcfg.DERPMap{},
},
ClientIPIsAWS:true,
AgentIPIsAWS:false,
},
want:[]string{
`Client IP address is within an AWS range (AWS uses hard NAT)`,
},
},
{
name:"AgentAWSIP",
diags:cliui.ConnDiags{
ConnInfo:workspacesdk.AgentConnectionInfo{
DERPMap:&tailcfg.DERPMap{},
},
ClientIPIsAWS:false,
AgentIPIsAWS:true,
},
want:[]string{
`Agent IP address is within an AWS range (AWS uses hard NAT)`,
// sshConfigExecEscape quotes the string if it contains spaces, as per
// `man 5 ssh_config`. However, OpenSSH uses exec in the users shell to
// run the command, and as such the formatting/escape requirements
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Cian Johnston
