Commit Graph

496 Commits

Author SHA1 Message Date
f34e6fd92c chore: implement 'use' verb to template object, read has less scope now (#16075)
Template `use` is now a verb.
- Template admins can `use` all templates (org template admins same in
org)
- Members get the `use` perm from the `everyone` group in the
`group_acl`.
2025-01-17 11:55:41 -06:00
f32f7c6862 test(enterprise/coderd): fix ctx init in multiple workspace tests (#16176) 2025-01-17 14:33:58 +00:00
3a81aac318 chore(enterprise/coderd): use filesystem mirror for providers in TestWorkspaceTagsTerraform (#16155)
Fixes https://github.com/coder/internal/issues/266 (hopefully)

Each instance of this test has to download the coder/coder Terraform
provider.
To mitigate this, only download the providers once using a
`filesystem_mirror` (ref:
https://developer.hashicorp.com/terraform/cli/config/config-file#provider-installation)
2025-01-15 20:27:18 +00:00
12991ff43e fix(coderd): change the order of precedence between coder_workspace_tags and request tags (#16119)
This PR switches the order of precedence of workspace tags when posting
a template version.
Previously, user-specified tags in the request could not override those
detected from our parsing of the template file. Now, they can do.

This addresses a customer issue where were attempting to set a workspace
tag via variable.

Note: there is a possible follow-up item here where we could pass in the
workspace tag values from the request into `tfparse` and let it take
those user-specified values into account. This is covered in a separate
test.
2025-01-14 16:43:42 +00:00
071bb26018 feat(coderd): add endpoint to list provisioner daemons (#16028)
Updates #15190
Updates #15084
Supersedes #15940
2025-01-14 16:40:26 +00:00
5e88289493 chore(enterprise/coderd): conditionally disable parallelism on windows (#16072)
Fixes https://github.com/coder/internal/issues/266
2025-01-09 09:14:20 +00:00
6ca1e5973e chore: add api endpoints to get idp field values (#16063)
Supports coder/internal#210
2025-01-08 16:07:02 -05:00
7b88776403 chore(testutil): add testutil.GoleakOptions (#16070)
- Adds `testutil.GoleakOptions` and consolidates existing options to
this location
- Pre-emptively adds required ignore for this Dependabot PR to pass CI
https://github.com/coder/coder/pull/16066
2025-01-08 15:38:37 +00:00
1ab10cf80c fix(provisioner/terraform/tfparse): skip evaluation of unrelated parameters (#16023)
* Improves tfparse test coverage to include more parameter types and values
* Adds tests with unrelated parameters that should be ignored by tfparse
* Modifies tfparse to only attempt evaluation of parameters referenced by coder_workspace_tags
2025-01-03 19:32:17 +00:00
94f5d52fdc chore: adopt markdownlint and markdown-table-formatter for *.md (#15831)
Co-authored-by: Edward Angert <EdwardAngert@users.noreply.github.com>
2025-01-03 13:12:59 +00:00
73ec6b2635 chore: audit log entries for all idp sync changes (#15919) 2025-01-02 15:02:04 -06:00
2c7f8ac65f chore: migrate to coder/websocket 1.8.12 (#15898)
Migrates us to `coder/websocket` v1.8.12 rather than `nhooyr/websocket` on an older version.

Works around https://github.com/coder/websocket/issues/504 by adding an explicit test for `xerrors.Is(err, io.EOF)` where we were previously getting `io.EOF` from the netConn.
2024-12-19 00:51:30 +04:00
91875c2b47 fix: allow users to extend their running workspace's deadline (#15895)
Fixes https://github.com/coder/coder/issues/15515

This change effectively reverts the changes introduced by
https://github.com/coder/coder/pull/13182 (for
https://github.com/coder/coder/issues/13078).

We also rename the `override-stop` command name to `extend` to match the
API endpoint's name (keeping an alias to allow `override-stop` to be used).
2024-12-18 10:58:33 +00:00
dcf51535bb fix(coderd/wsbuilder): correctly evaluate dynamic workspace tag values (#15897)
Relates to https://github.com/coder/coder/issues/15894:

- Adds `coderdenttest.NewExternalProvisionerDaemonTerraform`
- Adds integration-style test coverage for creating a workspace with
`coder_workspace_tags` specified in `main.tf`
- Modifies `coderd/wsbuilder` to fetch template version variables and
  includes them in eval context for evaluating `coder_workspace_tags`
2024-12-17 21:57:03 +00:00
21cc6f77fe docs: move premium and enterprise badges from heading to info in admonition (#15774)
closes https://github.com/coder/coder.com/issues/666


[preview](https://coder.com/docs/@666-unheading-premium/user-guides/workspace-scheduling#autostop-requirement)

---------

Co-authored-by: EdwardAngert <2408959-EdwardAngert@users.noreply.gitlab.com>
Co-authored-by: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com>
2024-12-17 18:20:01 +00:00
d31c2f1fe7 chore: implement SCIM PUT endpoint, protect against missing active (#15829)
Closes https://github.com/coder/coder/issues/15828
2024-12-12 08:11:13 -06:00
b39becba66 feat(site): add a provisioner warning to workspace builds (#15686)
This PR adds warnings about provisioner health to workspace build pages.
It closes https://github.com/coder/coder/issues/15048


![image](https://github.com/user-attachments/assets/fa54d0e8-c51f-427a-8f66-7e5dbbc9baca)

![image](https://github.com/user-attachments/assets/b5169669-ab05-43d5-8553-315a3099b4fd)
2024-12-11 13:38:13 +02:00
40624bf78b fix: update workspace TTL on template TTL change (#15761)
Relates to https://github.com/coder/coder/issues/15390

Currently when a user creates a workspace, their workspace's TTL is
determined by the template's default TTL. If the Coder instance is AGPL,
or if the template has disallowed the user from configuring autostop,
then it is not possible to change the workspace's TTL after creation.
Any changes to the template's default TTL only take effect on _new_
workspaces.

This PR modifies the behaviour slightly so that on AGPL Coder, or on
enterprise when a template does not allow users to configure their
workspace's TTL, updating the template's default TTL will also update
any workspace's TTL to match this value.
2024-12-06 11:01:39 +00:00
67553a7bbe chore: fix TestWorkspaceAutobuild/NextStartAtIsValid flake (#15772)
Fixes https://github.com/coder/internal/issues/238

It appears we haven't got quartz piped through to enough of Coder for
the test to work as I had expected. Using the current time should be
sufficient for this test.
2024-12-06 10:41:31 +00:00
e21a301682 fix: make GetWorkspacesEligibleForTransition return even less false positives (#15594)
Relates to https://github.com/coder/coder/issues/15082

Further to https://github.com/coder/coder/pull/15429, this reduces the
amount of false-positives returned by the 'is eligible for autostart'
part of the query. We achieve this by calculating the 'next start at'
time of the workspace, storing it in the database, and using it in our
`GetWorkspacesEligibleForTransition` query.

The prior implementation of the 'is eligible for autostart' query would
return _all_ workspaces that at some point in the future _might_ be
eligible for autostart. This now ensures we only return workspaces that
_should_ be eligible for autostart.

We also now pass `currentTick` instead of `t` to the
`GetWorkspacesEligibleForTransition` query as otherwise we'll have one
round of workspaces that are skipped by `isEligibleForTransition` due to
`currentTick` being a truncated version of `t`.
2024-12-02 21:02:36 +00:00
2b57dcc68c feat(coderd): add matched provisioner daemons information to more places (#15688)
- Refactors `checkProvisioners` into `db2sdk.MatchedProvisioners`
- Adds a separate RBAC subject just for reading provisioner daemons
- Adds matched provisioners information to additional endpoints relating to
  workspace builds and templates
- Updates existing unit tests for above endpoints
- Adds API endpoint for matched provisioners of template dry-run job
- Updates CLI to show warning when creating/starting/stopping/deleting
  workspaces for which no provisioners are available

---------

Co-authored-by: Danny Kopping <danny@coder.com>
2024-12-02 20:54:32 +00:00
8afb10e090 chore: improve validation of Security tag in swaggerparser (#15660)
Aims to resolve #15605 

There's currently one option valid for the `@Security` tag in
swaggerparser - which fails in the CI if we try to put any other value.

At least one of our endpoints does not accept `CoderSessionToken` as an
option for the authentication and so we need to add new possibilities in
order to keep the documentation up-to-date.

In this PR, I added `ProvisionerKey` which is the way our provisioner
daemon can authenticate to the backend - also modified a bit the code to
simplify other options later.
2024-11-26 07:19:43 +01:00
60ddcf5de2 chore: improve testing coverage on ExtractProvisionerDaemonAuthenticated middleware (#15622)
This one aims to resolve #15604 

Created some table tests for the main cases - 
also preferred to create two isolated cases for the most complicated
cases in order to keep table tests simple enough.

Gives us full coverage on the middleware logic, for both optional and non
optional cases - PSK and ProvisionerKey.
2024-11-26 04:02:20 +01:00
0896f339c4 refactor(coderd/provisionerdserver): use quartz.Clock instead of TimeNowFn (#15642)
Replace `TimeNowFn` in `provisionerdserver` with `quartz.Clock` as
well as pass `coderd`'s `Clock` to `provisionerdserver`.
2024-11-25 16:25:36 +00:00
b5fbfd727c fix: fix hang in teardown of TestConn_CoordinatorRollingRestart (#15624)
fixes a flake seen on main: https://github.com/coder/coder/actions/runs/11967210463/job/33364072261

the TCP echo server had a waitgroup to ensure that all accepted connections get torn down, but no explicit teardown of the connection. We depended on the tailnet agent closing its side of the connection, which depends on closing the tunneled connection. The tunneled `FIN` could race with tearing down the tunnel itself.

So, this PR adds explicit `t.Cleanup` to close the echo connection. It also removes the waitgroup. The purpose of the waitgroup was to ensure that all goroutines created by the echo listener get shut down, but we have `goleak` for that, which fails much faster than the 20 minutes this test run took.
2024-11-22 11:44:56 +04:00
a518017a88 feat(coderd): add endpoint to fetch provisioner key details (#15505)
This PR is the first step aiming to resolve #15126 - 

Creating a new endpoint to return the details associated to a
provisioner key.

This is an authenticated endpoint aiming to be used by the provisioner
daemons - using the provisioner key as authentication method.

This endpoint is not meant to be used with PSK or User Sessions.
2024-11-20 18:04:47 +01:00
6ed76921dd chore: fix windows postgres tests (#15593)
Patches tests that caused Windows Postgres CI in
https://github.com/coder/coder/pull/15520 to consistently fail.

I tested this by temporarily adding Postgres Windows CI to this PR.
However, I reverted those changes to merge them with
https://github.com/coder/coder/pull/15520. For reference, here's [a
passing CI
run](https://github.com/coder/coder/actions/runs/11918816662/job/33219786238)
from an earlier commit.

**Note:** Although Windows tests now pass, they remain quite flaky. I
recommend running Postgres Windows CI to gather data on these flakes,
but I don’t think it should be a required job just yet.
2024-11-20 13:30:31 +01:00
fbe2fa66f5 chore: add test for coord rolling restart (#14680)
Closes https://github.com/coder/team-coconut/issues/50

---------

Co-authored-by: Ethan Dickson <ethan@coder.com>
2024-11-20 18:04:33 +11:00
c3c23ed3d9 chore: add query to fetch top level idp claim fields (#15525)
Adds an api endpoint to grab all available sync field options for IDP
sync. This is for autocomplete on idp sync forms. This is required for
organization admins to have some insight into the claim fields available
when configuring group/role sync.
2024-11-18 14:31:39 -06:00
5861e516b9 chore: add standard test logger ignoring db canceled (#15556)
Refactors our use of `slogtest` to instantiate a "standard logger" across most of our tests.  This standard logger incorporates https://github.com/coder/slog/pull/217 to also ignore database query canceled errors by default, which are a source of low-severity flakes.

Any test that has set non-default `slogtest.Options` is left alone. In particular, `coderdtest` defaults to ignoring all errors. We might consider revisiting that decision now that we have better tools to target the really common flaky Error logs on shutdown.
2024-11-18 14:09:22 +04:00
968c52bc36 fix: add error that provisionerkeys require the externalprovisioners feature (#15541) 2024-11-15 14:43:32 -07:00
16ade985ae chore: make scim auth header case insensitive for 'bearer' (#15538)
Fixes status codes to return more than 500. The way we were using the
package, it always returned a status code 500
2024-11-15 12:30:11 -06:00
aea6208515 chore: use codersdk return type, not package type (#15539) 2024-11-15 18:01:42 +00:00
814dd6f854 feat(coderd): update API to allow filtering provisioner daemons by tags (#15448)
This PR provides new parameters to an endpoint that will be necessary
for #15048
2024-11-15 11:33:22 +02:00
30e6fbd35c fix(coderd): ensure correct RBAC when enqueueing notifications (#15478)
- Assert rbac in fake notifications enqueuer
- Move fake notifications enqueuer to separate notificationstest package
- Update dbauthz rbac policy to allow provisionerd and autostart to create and read notification messages
- Update tests as required
2024-11-12 12:40:46 +00:00
782214bcd8 chore: move organization sync to runtime configuration (#15431)
Moves the configuration from environment to database backed, to allow
configuring organization sync at runtime.
2024-11-08 08:44:14 -06:00
2d00b50eb6 chore: remove excess join in GetQuotaConsumedForUser query (#15338)
Filter is applied in original workspace query. We do not need to join
`workspaces` twice. Use build_number instead of `created_at`
for determining the last build.
2024-11-05 08:12:56 -06:00
854044e811 chore: fix concurrent CommitQuota transactions for unrelated users/orgs (#15261)
The failure condition being fixed is `w1` and `w2` could belong
to different users, organizations, and templates and still cause a
serializable failure if run concurrently. This is because the old query 
did a `seq scan` on the `workspace_builds` table. Since that is the 
table being updated, we really want to prevent that.

So before this would fail for any 2 workspaces. Now it only fails if
`w1` and `w2` are owned by the same user and organization.
2024-11-01 11:05:49 -04:00
088f21965b feat: add audit logs for dormancy events (#15298) 2024-10-31 17:55:42 -05:00
e03ef62a13 chore: add scim service provider config endpoint (#15235)
Adds a static `/scim/v2/ServiceProviderConfig` endpoint. Our scim
support is static, so the response config is also defined statically.
2024-10-25 18:27:34 -04:00
27f5ff2dd1 chore: correctly document SCIM authentication (#15234) 2024-10-25 12:40:13 -05:00
900e2cd39c chore: implement better 404 for unimplemented scim endpoints (#15232)
Prior to this, html was returned.
2024-10-25 13:23:12 -04:00
487b37b228 feat(enterprise): support bearer tokens in SCIM authentication (#15233) 2024-10-25 11:52:57 -05:00
cd890aa3a0 feat: enable key rotation (#15066)
This PR contains the remaining logic necessary to hook up key rotation
to the product.
2024-10-25 17:14:35 +01:00
ccfffc6911 chore: add tx metrics and logs for serialization errors (#15215)
Before db_metrics were all or nothing. Now `InTx` metrics are always recorded, and query metrics are opt in.


Adds instrumentation & logging around serialization failures in the database.
2024-10-25 12:14:15 -04:00
5bcaa93198 chore(enterprise/coderd/license): fix time-related flake in license expiration warning test (#15228)
Fixes a time-related test flake in enterprise/coderd/license/license_test.go
2024-10-25 12:19:50 +01:00
f258232be9 chore: return json for disabled scim routes (#15222)
Customers reporting html pages returned to SCIM. Likely a disabled SCIM.
We should just report a more consumable error by the SCIM provider.

Previous behavior was a status code 200 HTML page
2024-10-24 16:26:16 -04:00
095c9797c9 feat: notify users on template deprecation (#15195)
Closes https://github.com/coder/coder/issues/15117

Notify users when a template has been deprecated.
2024-10-24 13:12:12 +01:00
163631e79c chore: use system context for fetching template information (#15205)
The authz check is Update() on the original template. This is not ideal,
but it follows the existing behavior. We are implicitly granting this
read access since template admins need to be able to see what
users/groups exist to assign.
2024-10-23 17:03:17 -05:00
343f8ec9ab chore: join owner, template, and org in new workspace view (#15116)
Joins in fields like `username`, `avatar_url`, `organization_name`,
`template_name` to `workspaces` via a **view**. 
The view must be maintained moving forward, but this prevents needing to
add RBAC permissions to fetch related workspace fields.
2024-10-22 09:20:54 -05:00