Commit Graph

90 Commits

Author SHA1 Message Date
7eb2c2ff6d Revert "chore: Implement joins with golang templates (#6429)" (#6560)
This reverts commit 8b125d6c5d.
2023-03-10 10:39:02 -06:00
a8433b18e4 fix: Prevent infinite redirects on oidc errors (#6550)
* fix: Prevent infinite redirects on bad oidc scopes
* Show oidc errors
2023-03-10 10:12:29 -06:00
8b125d6c5d chore: Implement joins with golang templates (#6429)
* feat: Implement view for workspace builds to include rbac info

* Removes the need to fetch the workspace to run an rbac check.
* chore: Use workspace build as RBAC object
* chore: Use golang templates instead of sqlc files
2023-03-10 09:44:38 -06:00
1bdd2abed7 feat: use JWT ticket to avoid DB queries on apps (#6148)
Issue a JWT ticket on the first request with a short expiry that
contains details about which workspace/agent/app combo the ticket is
valid for.
2023-03-07 19:38:11 +00:00
17adfd1134 chore: improve times of ratelimit tests (#6346)
From 5s to 130ms!
2023-02-25 22:01:01 +00:00
f05609b4da chore: format Go more aggressively 2023-02-18 18:32:09 -06:00
f0f39b4892 chore: break down dbauthz.System into smaller roles (#6218)
- rbac: export rbac.Permissions
- dbauthz: move GetDeploymentDAUs, GetTemplateDAUs,
  GetTemplateAverageBuildTime from querier.go to system.go
  and removes auth checks
- dbauthz: remove AsSystem(), add individual roles for
  autostart, provisionerd, add restricted system role for 
  everything else
2023-02-15 16:14:37 +00:00
4cbbd1376d feat: Turn on rbac check caching (#6202)
* chore: Turn on rbac check caching.

Should not affect much unless authz_querier experiment is
enabled
2023-02-15 08:56:07 -06:00
6fb8aff6d0 feat: Add initial AuthzQuerier implementation (#5919)
feat: Add initial AuthzQuerier implementation
- Adds package database/dbauthz that adds a database.Store implementation where each method goes through AuthZ checks
- Implements all database.Store methods on AuthzQuerier
- Updates and fixes unit tests where required
- Updates coderd initialization to use AuthzQuerier if codersdk.ExperimentAuthzQuerier is enabled
2023-02-14 14:27:06 +00:00
6189035e98 feat: Add option to enable hsts header (#6147)
* feat: Add option to enable hsts header
* Update golden files
2023-02-10 10:52:49 -06:00
8dba66c535 chore: Use dbgen in unit test (#6111)
* chore: Use dbgen in unit test

- organizationparam_test
- templateparam_test

* Use dbgen in all unit tests vs insert methods

* fixup! Use dbgen in all unit tests vs insert methods

---------

Co-authored-by: Cian Johnston <cian@coder.com>
2023-02-08 13:47:05 -06:00
cf9abe3a6c feat: add session expiry control flags (#5976)
Adds --session-duration which lets admins customize the default session
expiration for browser sessions.

Adds --disable-session-expiry-refresh which allows admins to prevent
session expiry from being automatically bumped upon the API key being
used.
2023-02-03 17:38:36 +00:00
8b424f03c2 chore: Rename databasefake --> dbfake (#6011) 2023-02-02 19:28:55 -06:00
026b1cd2a4 chore: update to go 1.20 (#5968)
Co-authored-by: Colin Adler <colin1adler@gmail.com>
2023-02-02 12:36:27 -06:00
4a6fc40949 feat: Add database data generator to make fakedbs easier to populate (#5922)
* feat: Add database data generator to make fakedbs easier to populate
2023-01-31 15:10:03 -06:00
7ad87505c8 chore: move agent functions from codersdk into agentsdk (#5903)
* chore: rename `AgentConn` to `WorkspaceAgentConn`

The codersdk was becoming bloated with consts for the workspace
agent that made no sense to a reader. `Tailnet*` is an example
of these consts.

* chore: remove `Get` prefix from *Client functions

* chore: remove `BypassRatelimits` option in `codersdk.Client`

It feels wrong to have this as a direct option because it's so infrequently
needed by API callers. It's better to directly modify headers in the two
places that we actually use it.

* Merge `appearance.go` and `buildinfo.go` into `deployment.go`

* Merge `experiments.go` and `features.go` into `deployment.go`

* Fix `make gen` referencing old type names

* Merge `error.go` into `client.go`

`codersdk.Response` lived in `error.go`, which is wrong.

* chore: refactor workspace agent functions into agentsdk

It was odd conflating the codersdk that clients should use
with functions that only the agent should use. This separates
them into two SDKs that are closely coupled, but separate.

* Merge `insights.go` into `deployment.go`

* Merge `organizationmember.go` into `organizations.go`

* Merge `quota.go` into `workspaces.go`

* Rename `sse.go` to `serversentevents.go`

* Rename `codersdk.WorkspaceAppHostResponse` to `codersdk.AppHostResponse`

* Format `.vscode/settings.json`

* Fix outdated naming in `api.ts`

* Fix app host response

* Fix unsupported type

* Fix imported type
2023-01-29 15:47:24 -06:00
b0a16150a3 chore: Implement standard rbac.Subject to be reused everywhere (#5881)
* chore: Implement standard rbac.Subject to be reused everywhere

An rbac subject is created in multiple spots because of the way we
expand roles, scopes, etc. This difference in use creates a list
of arguments which is unwieldy.

Use of the expander interface lets us conform to a single subject
in every case
2023-01-26 14:42:54 -06:00
b678309fc9 chore: Authz should support non-named roles (#5855)
* chore: Authz should support non-named roles

Named roles are a construct for users to assign/interact with roles.
For authzlayer implementation, we need to create "system" users.
To enforce strict security, we are making specific roles with
the exact required permissions for the system action.
These new roles should not be available to the user. There is a
clear code divide with this implementation that allows a RoleNames
implemenation for users to user, and system users can create their
own implementation
2023-01-25 10:54:16 -06:00
8afdf24d10 chore: Update sqlc to v1.16.0 (#5788)
* chore: Update sqlc to v1.16.0

* chore: Fix cases where types became Null-types

* chore: Set parameter_schemas default_destination_scheme and default_source_scheme to NOT NULL

* chore: Add enum validation to database fake

* chore: Fix all tests that skipping enum values

* fix: Use correct err in providionerdserver audit log failure log
2023-01-23 13:14:47 +02:00
f76ef98a32 chore!: Standardize prometheus time metrics to seconds (#5709)
* chore!: Standardize prometheus time metrics to seconds
* Update prometheus docs
2023-01-13 11:15:25 -06:00
54cc587dad Updated PreconditionFailed status occurences to more appropriate statuses. (#5513) 2023-01-13 08:30:48 -06:00
c0b251ac52 fix: improve error messages when the agent token is invalid (#5423)
I'm not sure why this issue is common, but it seems to be
based on: https://github.com/coder/coder/issues/4551.

This improves the error messages to be unique,
and also fixes a small edge-case bug a user ran into.
2022-12-14 12:24:22 -06:00
ad0dd1be5d fix: Add client certs to OAuth HTTPClient context (#5126) 2022-12-14 16:44:29 +02:00
15f8967a8a feat: tracing improvements (#4988) 2022-11-29 07:22:10 +10:00
90f77a3415 feat: add groups support to the CLI (#4755) 2022-10-27 16:49:35 -05:00
f75a54cd1e feat: Support x-forwarded-for headers for IPs (#4684)
* feat: Support x-forwarded-for headers for IPs

Fixes #4430.

* Fix realip accepting headers

* Fix unused headers
2022-10-23 13:21:49 -05:00
423ac04156 coderd: tighten /login rate limiting (#4432)
* coderd: tighten /login rate limit

* coderd: add Bypass rate limit header
2022-10-20 17:01:23 +00:00
d0b1c36d51 fix: prevent refreshing tokens that don't exist (#4661)
- When logging in with Google OIDC refresh tokens are not
  provided unless explicitly asked for. This PR updates
  the logic to avoid attempting to refresh the token if
  a refresh token does not exist.

  A session should only be dependent on a valid Coder API
  key, the state of its OAuth token (beyond initial authentication)
  should be irrelevant.
2022-10-20 00:25:57 -05:00
d898737d6d feat: app sharing (now open source!) (#4378) 2022-10-15 02:46:38 +10:00
3cb2d52a08 fix: issue with token auth (#4483) 2022-10-11 15:58:28 +00:00
3120c94c22 feat: add template RBAC/groups (#4235) 2022-10-10 15:37:06 -05:00
9bc0d06aa0 fix: Install Terraform once and only log >=500 (#4339)
Fixes #4302.
2022-10-03 15:19:02 -05:00
0a95ba62b1 chore: Deprecate old cookie value (#4336)
Older clis will need to be updated.
Modern clis cannot communicate with <8.15 coderd
2022-10-03 13:04:22 -04:00
ee4b934601 Add Users Last Seen At (#4192) 2022-09-26 15:31:03 +00:00
6deef06ad2 feat: secure and cross-domain subdomain-based proxying (#4136)
Co-authored-by: Kyle Carberry <kyle@carberry.com>
2022-09-22 22:30:32 +00:00
5de6f86959 feat: trace httpapi.{Read,Write} (#4134) 2022-09-21 17:07:00 -05:00
29d804e692 feat: add API key scopes and application_connect scope (#4067) 2022-09-19 17:39:02 +00:00
b340634aaa feat: add rbac tracing (#4093) 2022-09-16 18:32:15 +00:00
9b5ee8f267 feat: Implement (but not enforce) CSRF for FE requests (#3786)
Future work is to enforce CSRF

Co-authored-by: Presley Pizzo <presley@coder.com>
2022-09-13 15:26:46 -04:00
9ab437d6e2 feat: Add serving applications on subdomains and port-based proxying (#3753)
Co-authored-by: Dean Sheather <dean@deansheather.com>
2022-09-14 03:31:33 +10:00
720c9dadcf fix: Remove name from workspace builds (#3937)
Fixes #1561.
2022-09-07 19:49:57 +00:00
ff0aa8d742 feat: add unique ids to all HTTP requests (#3845) 2022-09-02 13:04:29 -05:00
053fe6ff61 feat: add panic recovery middleware (#3687) 2022-08-29 17:00:52 -05:00
6285d65b6a fix: remove (http.Server).ReadHeaderTimeout (#3730)
* fix: remove `(http.Server).ReadHeaderTimeout`

Fixes https://github.com/coder/coder/issues/3710. It caused some race
condition for websockets where the server sent the first message.

* comment why disabled
2022-08-29 12:07:49 -05:00
34d902ebf1 fix: Fix properly selecting workspace apps by agent (#3684) 2022-08-29 08:56:52 -04:00
b0fe9bcdd1 chore: Upgrade to Go 1.19 (#3617)
This is required as part of #3505.
2022-08-21 22:32:53 +00:00
c3eea98db0 fix: use unique ID for linked accounts (#3441)
- move OAuth-related fields off of api_keys into a new user_links table
- restrict users to single form of login
- process updates to user email/usernames for OIDC
- added a login_type column to users
2022-08-17 18:00:53 -05:00
c3f946737c fix: Strip session_token cookie from app proxy requests (#3528)
Fixes coder/security#1.
2022-08-17 17:09:45 +00:00
01dd35f1ba chore: Rename 'admin' to 'owner' (#3498)
Co-authored-by: Colin Adler <colin1adler@gmail.com>
2022-08-15 14:40:19 -05:00
3279504cbe feat: Add active users prometheus metric (#3406)
This  allows deployments using our Prometheus export t determine
the number of active users in the past hour.

The interval is an hour to align with API key last used refresh times.

SSH connections poll to check shutdown time, so this will be accurate
even on long-running connections without dashboard requests.
2022-08-08 10:09:46 -05:00