Commit Graph

2604 Commits

Author SHA1 Message Date
a85a220816 chore: clean up built-in role permissions (#16645) 2025-02-21 14:33:34 -07:00
a376e8dbfe fix: include a link and more useful error details for 403 response codes (#16644)
Currently if a user gets to a page they don't have permission to view
they're greeted with a vague error alert and no actionable items. This
PR adds a link back to _/workspaces_ within the alert as well as more
helpful error details.

Before:
![Screenshot 2025-02-20 at 11 06 06 AM](https://github.com/user-attachments/assets/cea5b86d-673b-482b-ac0b-f132eb518910)

After:
![Screenshot 2025-02-20 at 11 06 19 AM](https://github.com/user-attachments/assets/6bf0e9fd-fc51-4d9a-afbc-fea9f0439aff)
2025-02-21 16:26:07 -05:00
8c5e7007cd feat: support the OAuth2 device flow with GitHub for signing in (#16585)
First PR in a series to address
https://github.com/coder/coder/issues/16230.

Introduces support for logging in via the [GitHub OAuth2 Device
Flow](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps#device-flow).

It's previously been possible to configure external auth with the device
flow, but it's not been possible to use it for logging in. This PR
builds on the existing support we had to extend it to sign ins.

When a user clicks "sign in with GitHub" when device auth is configured,
they are redirected to the new `/login/device` page, which makes the
flow possible from the client's side. The recording below shows the full
flow.


https://github.com/user-attachments/assets/90c06f1f-e42f-43e9-a128-462270c80fdd

I've also manually tested that it works for converting from
password-based auth to oauth.

Device auth can be enabled by a deployment's admin by setting the
`CODER_OAUTH2_GITHUB_DEVICE_FLOW` env variable or a corresponding config
setting.
2025-02-21 18:42:16 +01:00
fcc9b05d29 fix: return http 204 on test notification (#16651)
This PR changes the API response for `/api/v2/notifications/test`
endpoint to HTTP 204 / No Content.
2025-02-21 13:54:29 +01:00
d50e846747 fix: block vpn tailnet endpoint when --browser-only is set (#16647)
The work on CoderVPN required a new user-scoped `/tailnet` endpoint for
coordinating with multiple workspace agents, and receiving workspace
updates. Much like the `/coordinate` endpoint, this needs to respect the
`CODER_BROWSER_ONLY`/`--browser-only` deployment config value.
2025-02-21 12:21:20 +11:00
44499315ed chore: reduce log volume on server startup (#16608)
Addresses https://github.com/coder/coder/issues/16231.

This PR reduces the volume of logs we print after server startup in
order to surface the web UI URL better.

Here are the logs after the changes a couple of seconds after starting
the server:

<img width="868" alt="Screenshot 2025-02-18 at 16 31 32"
src="https://github.com/user-attachments/assets/786dc4b8-7383-48c8-a5c3-a997c01ca915"
/>

The warning is due to running a development site-less build. It wouldn't
show in a release build.
2025-02-20 16:33:14 +01:00
54b09d9878 fix: show an error banner if the user does not have permission to view the audit page (#16637) 2025-02-20 09:56:57 -05:00
b07b33ec9d feat: add agentapi endpoint to report connections for audit (#16507)
This change adds a new `ReportConnection` endpoint to the `agentapi`.

The protocol version was bumped previously, so it has been omitted here.

This allows the agent to report connection events, for example when the
user connects to the workspace via SSH or VS Code.

Updates #15139
2025-02-20 14:52:01 +02:00
dedc32fb1a fix(coderd): avoid fetching extra parameters for a preset (#16642)
This pull request fixes a bug in presets and adds tests to ensure it
doesn't happen again.
Due to an oversight in refactoring, we returned extra and incorrect
parameters from other presets in the same template version when calling
`/templateversions/{templateversion}/presets`.
2025-02-20 09:58:04 +02:00
9469b78290 fix!: enforce regex for agent names (#16641)
Underscores and double hyphens are now blocked. The regex is almost the
exact same as the `coder_app` `slug` regex, but uppercase characters are
still permitted.
2025-02-20 05:09:26 +00:00
3fddfef879 fix!: enforce agent names be case-insensitive-unique per-workspace (#16614)
Relates to https://github.com/coder/coder-desktop-macos/issues/54

Currently, it's possible to have two agents within the same workspace whose names only differ in capitalization:
This leads to an ambiguity in two cases:
- For CoderVPN, we'd like to allow support to workspaces with a hostname of the form: `agent.workspace.username.coder`.
- Workspace apps (`coder_app`s) currently use subdomains of the form: `<app>--<agent>--<workspace>--<username>(--<suffix>)?`.

Of note is that DNS hosts must be strictly lower case, hence the ambiguity.

This fix is technically a breaking change, but only for the incredibly rare use case where a user has:
- A workspace with two agents
- Those agent names differ only in capitalization.

Those templates & workspaces will now fail to build. This can be fixed by choosing wholly unique names for the agents.
2025-02-20 12:51:25 +11:00
deadac0b91 fix: fix loading states and permissions checks in organization settings (#16465) 2025-02-19 11:48:13 -07:00
d2419c89ac feat: add tool to send a test notification (#16611)
Relates to https://github.com/coder/coder/issues/16463

Adds a CLI command, and API endpoint, to trigger a test notification for
administrators of a deployment.
2025-02-19 13:08:38 +00:00
3a773758a2 feat(coderd/httpapi): add QueryParamParser.JSONStringMap (#16578)
This PR provides a convenience function for parsing a
`map[string]string` from a query parameter.

Context:
https://github.com/coder/coder/pull/16558#discussion_r1956190615
2025-02-18 14:14:30 +00:00
7fd04d4c54 docs: update ssh key description (#16602)
Fixes: https://github.com/coder/coder/issues/15672
2025-02-18 13:06:19 +01:00
d6b9806098 chore: implement oom/ood processing component (#16436)
Implements the processing logic as set out in the OOM/OOD RFC.
2025-02-17 16:56:52 +00:00
b5329ae1cd feat: add workspace agent connect and app open audit types (#16493)
This commit adds new audit resource types for workspace agents and
workspace apps, as well as connect/disconnect and open/close actions.

The idea is that we will log new audit events for connecting to the
agent via SSH/editor.

Likewise, we will log openings of `coder_app`s.

This change also introduces support for filtering by `request_id`.

Updates #15139
2025-02-17 13:02:30 +00:00
7f061b9faf fix(coderd): add stricter authorization for provisioners endpoint (#16587)
References #16558
2025-02-17 14:34:47 +02:00
5ba7ba6bfc fix(coderd): add strict org ID joins for provisioner job metadata (#16588)
References #16558
2025-02-17 14:16:45 +02:00
46e04c68e3 feat(provisioner): add support for presets to coder provisioners (#16574)
This pull request adds support for presets to coder provisioners.
If a template defines presets using a compatible version of the
provider, then this PR will allow those presets to be persisted to the
control plane database for use in workspace creation.
2025-02-17 13:00:44 +02:00
77306f3de1 feat(coderd): add filters and fix template for provisioner daemons (#16558)
This change adds provisioner daemon ID filter to the provisioner daemons
endpoint, and also implements the limiting to 50 results.

Test coverage is greatly improved and template information for jobs
associated to the daemon was also fixed.

Updates #15084
Updates #15192
Related #16532
2025-02-14 17:26:46 +02:00
bc609d0056 feat: integrate agentAPI with resources monitoring logic (#16438)
As part of the new resources monitoring logic - more specifically for
OOM & OOD Notifications, we need to update the AgentAPI, and the
agents logic.

This PR aims to do it, and more specifically:
We are updating the AgentAPI & TailnetAPI to version 24 to add two new
methods in the AgentAPI :
- One method to fetch the resources monitoring configuration
- One method to push the datapoints for the resources monitoring.

Also, this PR adds a new logic on the agent side, with a routine running
and ticking - fetching the resources usage each time, but also storing
it in a FIFO like queue.

Finally, this PR fixes a problem we had with RBAC logic on the resources
monitoring model, applying the same logic as we have for similar
entities.
2025-02-14 10:28:15 +01:00
db767286b9 chore: change returned response for missing permissions to 403 from 404 (#16562) 2025-02-13 17:05:20 -05:00
e38bd27183 feat(coderd): add support for provisioner job id and tag filter (#16556)
This change adds two new filters to the provisionerjobs endpoint, id
(array) and tags (map).

Updates #15084
Updates #15192
Related #16532
2025-02-13 18:24:27 +02:00
71cbf735e5 feat(coderd): add support for presets to the coder API (#16526)
This pull request builds on the existing migrations and queries to add
support for presets to the coder API.
2025-02-12 14:41:14 +02:00
b3964087c4 fix: handle urls with multiple slashes (#16527)
Fixes: https://github.com/coder/coder/issues/9877

This PR introduces another middleware to rewrite URLs when multiple
slashes are used.
2025-02-12 09:23:28 +01:00
e85da8b02b chore: return template data for provisioner daemons (#16514)
Return template data in provisioner jobs to be displayed in the
provisioners page.
2025-02-11 14:22:34 -03:00
34b46f9205 feat(coderd/database): add support for presets (#16509)
This pull request adds the necessary migrations and queries to support
presets within the coderd database. Future PRs will build functionality
to the provisioners and the frontend.
2025-02-11 13:55:09 +02:00
4867cbe53d feat(cli): display devcontainers in show command (#16515)
Displays running devcontainers in the `coder show` CLI command.
2025-02-11 09:20:55 +00:00
d0a534e30d chore: prevent authentication of non-unique oidc subjects (#16498)
Any IdP returning an empty field here breaks the assumption of a
unique subject id. This is defined in the OIDC spec.
2025-02-10 09:31:08 -06:00
e9b3561677 refactor: return template_icon and make metadata required (#16496) 2025-02-10 10:00:34 -03:00
31b1ff7d3b feat(agent): add container list handler (#16346)
Fixes https://github.com/coder/coder/issues/16268

- Adds `/api/v2/workspaceagents/:id/containers` coderd endpoint that allows listing containers
visible to the agent. Optional filtering by labels is supported.
- Adds go tools to the `coder-dylib` CI step so we can generate mocks if needed
2025-02-10 11:29:30 +00:00
b04d883348 feat: add provisioner job metadata (#16454)
This change adds metadata to provisioner jobs to help with rendering
related templates and workspaces in the UI.

Updates #15084
2025-02-06 16:19:20 +02:00
a546a85975 fix(coderd): set default provisionerjobs limit to 50 (#16450) 2025-02-05 15:04:35 +00:00
c8ef7eb4f2 fix: log unsuccessful webhook response body as a string (#16439) 2025-02-05 13:22:20 +02:00
dbad69dbd9 chore: add workspace oom/ood notification templates (#16250) 2025-02-04 19:25:18 +00:00
7cbd77fd94 feat: improve resources_monitoring for OOM & OOD monitoring (#16241)
As requested for [this
issue](https://github.com/coder/internal/issues/245) we need to have a
new resource `resources_monitoring` in the agent.

It needs to be parsed from the provisioner and inserted into a new db
table.
2025-02-04 18:45:33 +01:00
a68d11506c chore: track disabled telemetry (#16347)
Addresses https://github.com/coder/nexus/issues/116.

## Core Concept

Send one final telemetry report after the user disables telemetry with
the message that the telemetry was disabled. No other information about
the deployment is sent in this report.

This final report is submitted only if the deployment ever had telemetry
on.

## Changes

1. Refactored how our telemetry is initialized.
2. Introduced the `TelemetryEnabled` telemetry item, which allows to
decide whether a final report should be sent.
3. Added the `RecordTelemetryStatus` telemetry method, which decides
whether a final report should be sent and updates the telemetry item.
4. Added tests to ensure the implementation is correct.
2025-02-03 14:50:55 +01:00
0e2ae10b47 feat: add additional patch routes for group and role idp sync (#16351) 2025-01-31 12:14:24 -07:00
2ace044e0b chore: track the first time html is served in telemetry (#16334)
Addresses https://github.com/coder/nexus/issues/175.

## Changes

- Adds the `telemetry_items` database table. It's a key value store for
telemetry events that don't fit any other database tables.
- Adds a telemetry report when HTML is served for the first time in
`site.go`.
2025-01-31 13:55:46 +01:00
6ea5c6f0ef fix: show user-auth provisioners for all organizations (#16350) 2025-01-30 14:08:27 -07:00
b256b204d0 feat: add endpoint for partial updates to org sync field and assign_default (#16337) 2025-01-30 13:55:17 -07:00
2371153a37 feat: add endpoint for partial updates to org sync mapping (#16316) 2025-01-30 10:52:50 -07:00
f651ab937b chore: add 'email' field to notifications (#16336)
Closes https://github.com/coder/internal/issues/323

This PR adds an `email` field to the `data.owner` payload for workspace
created and workspace manually updated notifications, as well as user
account created/activated/suspended.
2025-01-30 17:44:04 +00:00
9520da338e fix: conform to stricter printf usage in Go 1.24 (#16330) 2025-01-29 18:06:22 +02:00
92d22e296b chore: track usage of organizations in telemetry (#16323)
Addresses https://github.com/coder/internal/issues/317.

## Changes

Requirements are quoted below:

> how many orgs does deployment have

Adds the Organization entity to telemetry.

> ensuring resources are associated with orgs

All resources that reference an org already report the org id to
telemetry. Adds a test to check that.

> whether org sync is configured

Adds the `IDPOrgSync` boolean field to the Deployment entity.

## Implementation of the org sync check

While there's an `OrganizationSyncEnabled` method on the IDPSync
interface, I decided not to use it directly and implemented a
counterpart just for telemetry purposes. It's a compromise I'm not happy
about, but I found that it's a simpler approach than the alternative.
There are multiple reasons:

1. The telemetry package cannot statically access the IDPSync interface
due to a circular import.
2. We can't dynamically pass a reference to the
`OrganizationSyncEnabled` function at the time of instantiating the
telemetry object, because our server initialization logic depends on the
telemetry object being created before the IDPSync object.
3. If we circumvent that problem by passing the reference as an
initially empty pointer, initializing telemetry, then IDPSync, then
updating the pointer to point to `OrganizationSyncEnabled`, we have to
refactor the initialization logic of the telemetry object itself to
avoid a race condition where the first telemetry report is performed
without a valid reference.

I actually implemented that approach in
https://github.com/coder/coder/pull/16307, but realized I'm unable to
fully test it. It changed the initialization order in the server
command, and I wanted to test our CLI with Org Sync configured with a
premium license. As far as I'm aware, we don't have the tooling to do
that. I couldn't figure out a way to start the CLI with a mock license,
and I didn't want to go down further into the refactoring rabbit hole.

So I decided that reimplementing the org sync checking logic is simpler.
2025-01-29 15:54:31 +01:00
b77b5432c6 test(coderd/database/pubsub): ensure db closure on unhappy paths (#16327) 2025-01-29 14:47:38 +00:00
c069563af1 test: fix use of t.Logf where t.Log would suffice (#16328) 2025-01-29 14:35:04 +00:00
1336925c9f feat(flake.nix): switch dogfood dev image to buildNixShellImage from dockerTools (#16223)
Replace Depot build action with Nix for Nix dogfood image builds

The dogfood Nix image is now built using Nix's native container tooling instead of Depot. This change:

- Adds Nix setup steps to the GitHub Actions workflow
- Removes the Dockerfile.nix in favor of a Nix-native container build
- Updates the flake.nix to support building Docker images
- Introduces a hash file to track Nix-related changes
- Updates the vendorHash for Go dependencies

Change-Id: I4e011fe3a19d9a1375fbfd5223c910e59d66a5d9
Signed-off-by: Thomas Kosiewski <tk@coder.com>
2025-01-28 16:38:37 +01:00
76adde91dc fix(provisioner/terraform/tfparse): allow empty values in coder_workspace_tag defaults (#16303)
* chore(docs): update docs re workspace tag default values
* chore(coderdenttest): use random name instead of t.Name() in newExternalProvisionerDaemon
* fix(provisioner/terraform/tfparse): allow empty values in coder_workspace_tag defaults
2025-01-28 09:11:39 +00:00