coder
diff --git a/‎cli/server.go
+2 b/‎cli/server.go
+2
diff --git a/‎cli/testdata/coder_server_--help.golden
+13 b/‎cli/testdata/coder_server_--help.golden
+13
diff --git a/‎cli/testdata/server-config.yaml.golden
+13-3 b/‎cli/testdata/server-config.yaml.golden
+13-3
diff --git a/‎coderd/apidoc/docs.go
+9 b/‎coderd/apidoc/docs.go
+9
diff --git a/‎coderd/apidoc/swagger.json
+9 b/‎coderd/apidoc/swagger.json
+9
diff --git a/‎coderd/coderd.go
+11 b/‎coderd/coderd.go
+11
diff --git a/‎coderd/database/dbauthz/dbauthz.go
+1-1 b/‎coderd/database/dbauthz/dbauthz.go
+1-1
diff --git a/‎coderd/database/dbmem/dbmem.go
+81-10 b/‎coderd/database/dbmem/dbmem.go
+81-10
diff --git a/‎coderd/database/dbpurge/dbpurge.go
+8-3 b/‎coderd/database/dbpurge/dbpurge.go
+8-3
@@ -55,6 +55,7 @@ import (
 
 	"cdr.dev/slog"
 	"cdr.dev/slog/sloggers/sloghuman"
+	"github.com/coder/coder/v2/coderd/entitlements"
 	"github.com/coder/pretty"
 	"github.com/coder/quartz"
 	"github.com/coder/retry"
@@ -605,6 +606,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 					SSHConfigOptions: configSSHOptions,
 				},
 				AllowWorkspaceRenames: vals.AllowWorkspaceRenames.Value(),
+				Entitlements:          entitlements.New(),
 				NotificationsEnqueuer: notifications.NewNoopEnqueuer(), // Changed further down if notifications enabled.
 			}
 			if httpServers.TLSConfig != nil {
 
@@ -433,6 +433,11 @@ OIDC OPTIONS:
           groups. This filter is applied after the group mapping and before the
           regex filter.
 
+      --oidc-organization-assign-default bool, $CODER_OIDC_ORGANIZATION_ASSIGN_DEFAULT (default: true)
+          If set to true, users will always be added to the default
+          organization. If organization sync is enabled, then the default org is
+          always added to the user's set of expectedorganizations.
+
       --oidc-auth-url-params struct[map[string]string], $CODER_OIDC_AUTH_URL_PARAMS (default: {"access_type": "offline"})
           OIDC auth URL parameters to pass to the upstream provider.
 
@@ -479,6 +484,14 @@ OIDC OPTIONS:
       --oidc-name-field string, $CODER_OIDC_NAME_FIELD (default: name)
           OIDC claim field to use as the name.
 
+      --oidc-organization-field string, $CODER_OIDC_ORGANIZATION_FIELD
+          This field must be set if using the organization sync feature. Set to
+          the claim to be used for organizations.
+
+      --oidc-organization-mapping struct[map[string][]uuid.UUID], $CODER_OIDC_ORGANIZATION_MAPPING (default: {})
+          A map of OIDC claims and the organizations in Coder it should map to.
+          This is required because organization IDs must be used within Coder.
+
       --oidc-group-regex-filter regexp, $CODER_OIDC_GROUP_REGEX_FILTER (default: .*)
           If provided any group name not matching the regex is ignored. This
           allows for filtering out groups that are not needed. This filter is
 
@@ -319,6 +319,19 @@ oidc:
   # Ignore the userinfo endpoint and only use the ID token for user information.
   # (default: false, type: bool)
   ignoreUserInfo: false
+  # This field must be set if using the organization sync feature. Set to the claim
+  # to be used for organizations.
+  # (default: <unset>, type: string)
+  organizationField: ""
+  # If set to true, users will always be added to the default organization. If
+  # organization sync is enabled, then the default org is always added to the user's
+  # set of expectedorganizations.
+  # (default: true, type: bool)
+  organizationAssignDefault: true
+  # A map of OIDC claims and the organizations in Coder it should map to. This is
+  # required because organization IDs must be used within Coder.
+  # (default: {}, type: struct[map[string][]uuid.UUID])
+  organizationMapping: {}
   # This field must be set if using the group sync feature and the scope name is not
   # 'groups'. Set to the claim to be used for groups.
   # (default: <unset>, type: string)
@@ -529,9 +542,6 @@ notifications:
       # Username to use with PLAIN/LOGIN authentication.
       # (default: <unset>, type: string)
       username: ""
-      # Password to use with PLAIN/LOGIN authentication.
-      # (default: <unset>, type: string)
-      password: ""
       # File from which to load password for use with PLAIN/LOGIN authentication.
       # (default: <unset>, type: string)
       passwordFile: ""
 
@@ -38,6 +38,7 @@ import (
 
 	"cdr.dev/slog"
 	"github.com/coder/coder/v2/coderd/entitlements"
+	"github.com/coder/coder/v2/coderd/idpsync"
 	"github.com/coder/quartz"
 	"github.com/coder/serpent"
 
@@ -243,6 +244,9 @@ type Options struct {
 	WorkspaceUsageTracker *workspacestats.UsageTracker
 	// NotificationsEnqueuer handles enqueueing notifications for delivery by SMTP, webhook, etc.
 	NotificationsEnqueuer notifications.Enqueuer
+
+	// IDPSync holds all configured values for syncing external IDP users into Coder.
+	IDPSync idpsync.IDPSync
 }
 
 // @title Coder API
@@ -270,6 +274,13 @@ func New(options *Options) *API {
 	if options.Entitlements == nil {
 		options.Entitlements = entitlements.New()
 	}
+	if options.IDPSync == nil {
+		options.IDPSync = idpsync.NewAGPLSync(options.Logger, idpsync.SyncSettings{
+			OrganizationField:         options.DeploymentValues.OIDC.OrganizationField.Value(),
+			OrganizationMapping:       options.DeploymentValues.OIDC.OrganizationMapping.Value,
+			OrganizationAssignDefault: options.DeploymentValues.OIDC.OrganizationAssignDefault.Value(),
+		})
+	}
 	if options.NewTicker == nil {
 		options.NewTicker = func(duration time.Duration) (tick <-chan time.Time, done func()) {
 			ticker := time.NewTicker(duration)
 
@@ -243,7 +243,7 @@ var (
 					rbac.ResourceAssignOrgRole.Type:          rbac.ResourceAssignOrgRole.AvailableActions(),
 					rbac.ResourceSystem.Type:                 {policy.WildcardSymbol},
 					rbac.ResourceOrganization.Type:           {policy.ActionCreate, policy.ActionRead},
-					rbac.ResourceOrganizationMember.Type:     {policy.ActionCreate},
+					rbac.ResourceOrganizationMember.Type:     {policy.ActionCreate, policy.ActionDelete, policy.ActionRead},
 					rbac.ResourceProvisionerDaemon.Type:      {policy.ActionCreate, policy.ActionUpdate},
 					rbac.ResourceProvisionerKeys.Type:        {policy.ActionCreate, policy.ActionRead, policy.ActionDelete},
 					rbac.ResourceUser.Type:                   rbac.ResourceUser.AvailableActions(),
 
@@ -1710,19 +1710,90 @@ func (q *FakeQuerier) DeleteOldWorkspaceAgentLogs(_ context.Context, threshold t
 	q.mutex.Lock()
 	defer q.mutex.Unlock()
 
-	var validLogs []database.WorkspaceAgentLog
-	for _, log := range q.workspaceAgentLogs {
-		var toBeDeleted bool
-		for _, agent := range q.workspaceAgents {
-			if agent.ID == log.AgentID && agent.LastConnectedAt.Valid && agent.LastConnectedAt.Time.Before(threshold) {
-				toBeDeleted = true
-				break
-			}
+	/*
+		WITH
+			latest_builds AS (
+				SELECT
+					workspace_id, max(build_number) AS max_build_number
+				FROM
+					workspace_builds
+				GROUP BY
+					workspace_id
+			),
+	*/
+	latestBuilds := make(map[uuid.UUID]int32)
+	for _, wb := range q.workspaceBuilds {
+		if lastBuildNumber, found := latestBuilds[wb.WorkspaceID]; found && lastBuildNumber > wb.BuildNumber {
+			continue
 		}
+		// not found or newer build number
+		latestBuilds[wb.WorkspaceID] = wb.BuildNumber
+	}
 
-		if !toBeDeleted {
-			validLogs = append(validLogs, log)
+	/*
+		old_agents AS (
+			SELECT
+				wa.id
+			FROM
+				workspace_agents AS wa
+			JOIN
+				workspace_resources AS wr
+			ON
+				wa.resource_id = wr.id
+			JOIN
+				workspace_builds AS wb
+			ON
+				wb.job_id = wr.job_id
+			LEFT JOIN
+				latest_builds
+			ON
+				latest_builds.workspace_id = wb.workspace_id
+			AND
+				latest_builds.max_build_number = wb.build_number
+			WHERE
+				-- Filter out the latest builds for each workspace.
+				latest_builds.workspace_id IS NULL
+			AND CASE
+				-- If the last time the agent connected was before @threshold
+				WHEN wa.last_connected_at IS NOT NULL THEN
+					wa.last_connected_at < @threshold :: timestamptz
+				-- The agent never connected, and was created before @threshold
+				ELSE wa.created_at < @threshold :: timestamptz
+			END
+		)
+	*/
+	oldAgents := make(map[uuid.UUID]struct{})
+	for _, wa := range q.workspaceAgents {
+		for _, wr := range q.workspaceResources {
+			if wr.ID != wa.ResourceID {
+				continue
+			}
+			for _, wb := range q.workspaceBuilds {
+				if wb.JobID != wr.JobID {
+					continue
+				}
+				latestBuildNumber, found := latestBuilds[wb.WorkspaceID]
+				if !found {
+					panic("workspaceBuilds got modified somehow while q was locked! This is a bug in dbmem!")
+				}
+				if latestBuildNumber == wb.BuildNumber {
+					continue
+				}
+				if wa.LastConnectedAt.Valid && wa.LastConnectedAt.Time.Before(threshold) || wa.CreatedAt.Before(threshold) {
+					oldAgents[wa.ID] = struct{}{}
+				}
+			}
+		}
+	}
+	/*
+		DELETE FROM workspace_agent_logs WHERE agent_id IN (SELECT id FROM old_agents);
+	*/
+	var validLogs []database.WorkspaceAgentLog
+	for _, log := range q.workspaceAgentLogs {
+		if _, found := oldAgents[log.AgentID]; found {
+			continue
 		}
+		validLogs = append(validLogs, log)
 	}
 	q.workspaceAgentLogs = validLogs
 	return nil
 
@@ -11,6 +11,7 @@ import (
 
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbauthz"
+	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/quartz"
 )
 
@@ -30,7 +31,8 @@ func New(ctx context.Context, logger slog.Logger, db database.Store, clk quartz.
 	//nolint:gocritic // The system purges old db records without user input.
 	ctx = dbauthz.AsSystemRestricted(ctx)
 
-	ticker := clk.NewTicker(time.Nanosecond)
+	// Start the ticker with the initial delay.
+	ticker := clk.NewTicker(delay)
 	doTick := func(start time.Time) {
 		defer ticker.Reset(delay)
 		// Start a transaction to grab advisory lock, we don't want to run
@@ -47,7 +49,8 @@ func New(ctx context.Context, logger slog.Logger, db database.Store, clk quartz.
 				return nil
 			}
 
-			if err := tx.DeleteOldWorkspaceAgentLogs(ctx, start.Add(-maxAgentLogAge)); err != nil {
+			deleteOldWorkspaceAgentLogsBefore := start.Add(-maxAgentLogAge)
+			if err := tx.DeleteOldWorkspaceAgentLogs(ctx, deleteOldWorkspaceAgentLogsBefore); err != nil {
 				return xerrors.Errorf("failed to delete old workspace agent logs: %w", err)
 			}
 			if err := tx.DeleteOldWorkspaceAgentStats(ctx); err != nil {
@@ -72,13 +75,15 @@ func New(ctx context.Context, logger slog.Logger, db database.Store, clk quartz.
 	go func() {
 		defer close(closed)
 		defer ticker.Stop()
+		// Force an initial tick.
+		doTick(dbtime.Time(clk.Now()).UTC())
 		for {
 			select {
 			case <-ctx.Done():
 				return
 			case tick := <-ticker.C:
 				ticker.Stop()
-				doTick(tick)
+				doTick(dbtime.Time(tick).UTC())
 			}
 		}
 	}()