coder
diff --git a/‎.golangci.yaml
Lines changed: 3 additions & 0 deletions b/‎.golangci.yaml
Lines changed: 3 additions & 0 deletions
diff --git a/‎cli/errors.go
Lines changed: 2 additions & 1 deletion b/‎cli/errors.go
Lines changed: 2 additions & 1 deletion
diff --git a/‎cli/remoteforward.go
Lines changed: 55 additions & 5 deletions b/‎cli/remoteforward.go
Lines changed: 55 additions & 5 deletions
diff --git a/‎cli/ssh_test.go
Lines changed: 48 additions & 0 deletions b/‎cli/ssh_test.go
Lines changed: 48 additions & 0 deletions
diff --git a/‎coderd/apikey/apikey.go
Lines changed: 1 addition & 0 deletions b/‎coderd/apikey/apikey.go
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/audit.go
Lines changed: 3 additions & 0 deletions b/‎coderd/audit.go
Lines changed: 3 additions & 0 deletions
diff --git a/‎coderd/coderdtest/oidctest/helper.go
Lines changed: 8 additions & 5 deletions b/‎coderd/coderdtest/oidctest/helper.go
Lines changed: 8 additions & 5 deletions
diff --git a/‎coderd/database/dbfake/dbfake.go
Lines changed: 2 additions & 0 deletions b/‎coderd/database/dbfake/dbfake.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/database/dbgen/dbgen.go
Lines changed: 8 additions & 2 deletions b/‎coderd/database/dbgen/dbgen.go
Lines changed: 8 additions & 2 deletions
diff --git a/‎coderd/database/dump.sql
Lines changed: 4 additions & 0 deletions b/‎coderd/database/dump.sql
Lines changed: 4 additions & 0 deletions
diff --git a/‎coderd/database/migrations/000159_workspace_agent_stats_template_id_created_at_user_id_idx.down.sql
Lines changed: 1 addition & 0 deletions b/‎coderd/database/migrations/000159_workspace_agent_stats_template_id_created_at_user_id_idx.down.sql
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/database/migrations/000159_workspace_agent_stats_template_id_created_at_user_id_idx.up.sql
Lines changed: 3 additions & 0 deletions b/‎coderd/database/migrations/000159_workspace_agent_stats_template_id_created_at_user_id_idx.up.sql
Lines changed: 3 additions & 0 deletions
diff --git a/‎coderd/externalauth.go
Lines changed: 34 additions & 26 deletions b/‎coderd/externalauth.go
Lines changed: 34 additions & 26 deletions
@@ -10,6 +10,9 @@ linters-settings:
     include:
       # Gradually extend to cover more of the codebase.
       - 'httpmw\.\w+'
+      # We want to enforce all values are specified when inserting or updating
+      # a database row. Ref: #9936
+      - 'github.com/coder/coder/v2/coderd/database\.[^G][^e][^t]\w+Params'
   gocognit:
     min-complexity: 300
 
 
@@ -6,9 +6,10 @@ import (
 	"net/http/httptest"
 	"os"
 
+	"golang.org/x/xerrors"
+
 	"github.com/coder/coder/v2/cli/clibase"
 	"github.com/coder/coder/v2/codersdk"
-	"golang.org/x/xerrors"
 )
 
 func (RootCmd) errorExample() *clibase.Cmd {
 
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io"
 	"net"
+	"os"
 	"regexp"
 	"strconv"
 
@@ -23,15 +24,24 @@ type cookieAddr struct {
 
 // Format:
 // remote_port:local_address:local_port
-var remoteForwardRegex = regexp.MustCompile(`^(\d+):(.+):(\d+)$`)
+var remoteForwardRegexTCP = regexp.MustCompile(`^(\d+):(.+):(\d+)$`)
 
-func validateRemoteForward(flag string) bool {
-	return remoteForwardRegex.MatchString(flag)
+// remote_socket_path:local_socket_path (both absolute paths)
+var remoteForwardRegexUnixSocket = regexp.MustCompile(`^(\/.+):(\/.+)$`)
+
+func isRemoteForwardTCP(flag string) bool {
+	return remoteForwardRegexTCP.MatchString(flag)
 }
 
-func parseRemoteForward(flag string) (net.Addr, net.Addr, error) {
-	matches := remoteForwardRegex.FindStringSubmatch(flag)
+func isRemoteForwardUnixSocket(flag string) bool {
+	return remoteForwardRegexUnixSocket.MatchString(flag)
+}
+
+func validateRemoteForward(flag string) bool {
+	return isRemoteForwardTCP(flag) || isRemoteForwardUnixSocket(flag)
+}
 
+func parseRemoteForwardTCP(matches []string) (net.Addr, net.Addr, error) {
 	remotePort, err := strconv.Atoi(matches[1])
 	if err != nil {
 		return nil, nil, xerrors.Errorf("remote port is invalid: %w", err)
@@ -57,6 +67,46 @@ func parseRemoteForward(flag string) (net.Addr, net.Addr, error) {
 	return localAddr, remoteAddr, nil
 }
 
+func parseRemoteForwardUnixSocket(matches []string) (net.Addr, net.Addr, error) {
+	remoteSocket := matches[1]
+	localSocket := matches[2]
+
+	fileInfo, err := os.Stat(localSocket)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	if fileInfo.Mode()&os.ModeSocket == 0 {
+		return nil, nil, xerrors.New("File is not a Unix domain socket file")
+	}
+
+	remoteAddr := &net.UnixAddr{
+		Name: remoteSocket,
+		Net:  "unix",
+	}
+
+	localAddr := &net.UnixAddr{
+		Name: localSocket,
+		Net:  "unix",
+	}
+	return localAddr, remoteAddr, nil
+}
+
+func parseRemoteForward(flag string) (net.Addr, net.Addr, error) {
+	tcpMatches := remoteForwardRegexTCP.FindStringSubmatch(flag)
+
+	if len(tcpMatches) > 0 {
+		return parseRemoteForwardTCP(tcpMatches)
+	}
+
+	unixSocketMatches := remoteForwardRegexUnixSocket.FindStringSubmatch(flag)
+	if len(unixSocketMatches) > 0 {
+		return parseRemoteForwardUnixSocket(unixSocketMatches)
+	}
+
+	return nil, nil, xerrors.New("Could not match forward arguments")
+}
+
 // sshRemoteForward starts forwarding connections from a remote listener to a
 // local address via SSH in a goroutine.
 //
 
@@ -428,6 +428,54 @@ func TestSSH(t *testing.T) {
 		<-cmdDone
 	})
 
+	t.Run("RemoteForwardUnixSocket", func(t *testing.T) {
+		if runtime.GOOS == "windows" {
+			t.Skip("Test not supported on windows")
+		}
+
+		t.Parallel()
+
+		client, workspace, agentToken := setupWorkspaceForAgent(t, nil)
+
+		_ = agenttest.New(t, client.URL, agentToken)
+		coderdtest.AwaitWorkspaceAgents(t, client, workspace.ID)
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		tmpdir := tempDirUnixSocket(t)
+		agentSock := filepath.Join(tmpdir, "agent.sock")
+		l, err := net.Listen("unix", agentSock)
+		require.NoError(t, err)
+		defer l.Close()
+
+		inv, root := clitest.New(t,
+			"ssh",
+			workspace.Name,
+			"--remote-forward",
+			"/tmp/test.sock:"+agentSock,
+		)
+		clitest.SetupConfig(t, client, root)
+		pty := ptytest.New(t).Attach(inv)
+		inv.Stderr = pty.Output()
+		cmdDone := tGo(t, func() {
+			err := inv.WithContext(ctx).Run()
+			assert.NoError(t, err, "ssh command failed")
+		})
+
+		// Wait for the prompt or any output really to indicate the command has
+		// started and accepting input on stdin.
+		_ = pty.Peek(ctx, 1)
+
+		// Download the test page
+		pty.WriteLine("ss -xl state listening src /tmp/test.sock | wc -l")
+		pty.ExpectMatch("2")
+
+		// And we're done.
+		pty.WriteLine("exit")
+		<-cmdDone
+	})
+
 	t.Run("FileLogging", func(t *testing.T) {
 		t.Parallel()
 
 
@@ -76,6 +76,7 @@ func Generate(params CreateParams) (database.InsertAPIKeyParams, string, error)
 	return database.InsertAPIKeyParams{
 		ID:              keyID,
 		UserID:          params.UserID,
+		LastUsed:        time.Time{},
 		LifetimeSeconds: params.LifetimeSeconds,
 		IPAddress: pqtype.Inet{
 			IPNet: net.IPNet{
 
@@ -154,6 +154,9 @@ func (api *API) generateFakeAuditLog(rw http.ResponseWriter, r *http.Request) {
 		Diff:             diff,
 		StatusCode:       http.StatusOK,
 		AdditionalFields: params.AdditionalFields,
+		RequestID:        uuid.Nil, // no request ID to attach this to
+		ResourceIcon:     "",
+		OrganizationID:   uuid.New(),
 	})
 	if err != nil {
 		httpapi.InternalServerError(rw, err)
 
@@ -1,6 +1,7 @@
 package oidctest
 
 import (
+	"database/sql"
 	"net/http"
 	"testing"
 	"time"
@@ -69,11 +70,13 @@ func (*LoginHelper) ExpireOauthToken(t *testing.T, db database.Store, user *code
 
 	// Expire the oauth link for the given user.
 	updated, err := db.UpdateUserLink(ctx, database.UpdateUserLinkParams{
-		OAuthAccessToken:  link.OAuthAccessToken,
-		OAuthRefreshToken: link.OAuthRefreshToken,
-		OAuthExpiry:       time.Now().Add(time.Hour * -1),
-		UserID:            link.UserID,
-		LoginType:         link.LoginType,
+		OAuthAccessToken:       link.OAuthAccessToken,
+		OAuthAccessTokenKeyID:  sql.NullString{}, // dbcrypt will update as required
+		OAuthRefreshToken:      link.OAuthRefreshToken,
+		OAuthRefreshTokenKeyID: sql.NullString{}, // dbcrypt will update as required
+		OAuthExpiry:            time.Now().Add(time.Hour * -1),
+		UserID:                 link.UserID,
+		LoginType:              link.LoginType,
 	})
 	require.NoError(t, err, "expire user link")
 
 
@@ -4142,6 +4142,8 @@ func (q *FakeQuerier) InsertAllUsersGroup(ctx context.Context, orgID uuid.UUID)
 		Name:           database.EveryoneGroup,
 		DisplayName:    "",
 		OrganizationID: orgID,
+		AvatarURL:      "",
+		QuotaAllowance: 0,
 	})
 }
 
 
@@ -125,7 +125,7 @@ func APIKey(t testing.TB, db database.Store, seed database.APIKey) (key database
 }
 
 func WorkspaceAgent(t testing.TB, db database.Store, orig database.WorkspaceAgent) database.WorkspaceAgent {
-	workspace, err := db.InsertWorkspaceAgent(genCtx, database.InsertWorkspaceAgentParams{
+	agt, err := db.InsertWorkspaceAgent(genCtx, database.InsertWorkspaceAgentParams{
 		ID:         takeFirst(orig.ID, uuid.New()),
 		CreatedAt:  takeFirst(orig.CreatedAt, dbtime.Now()),
 		UpdatedAt:  takeFirst(orig.UpdatedAt, dbtime.Now()),
@@ -154,9 +154,10 @@ func WorkspaceAgent(t testing.TB, db database.Store, orig database.WorkspaceAgen
 		ConnectionTimeoutSeconds: takeFirst(orig.ConnectionTimeoutSeconds, 3600),
 		TroubleshootingURL:       takeFirst(orig.TroubleshootingURL, "https://example.com"),
 		MOTDFile:                 takeFirst(orig.TroubleshootingURL, ""),
+		DisplayApps:              append([]database.DisplayApp{}, orig.DisplayApps...),
 	})
 	require.NoError(t, err, "insert workspace agent")
-	return workspace
+	return agt
 }
 
 func Workspace(t testing.TB, db database.Store, orig database.Workspace) database.Workspace {
@@ -204,6 +205,7 @@ func WorkspaceBuild(t testing.TB, db database.Store, orig database.WorkspaceBuil
 			JobID:             takeFirst(orig.JobID, uuid.New()),
 			ProvisionerState:  takeFirstSlice(orig.ProvisionerState, []byte{}),
 			Deadline:          takeFirst(orig.Deadline, dbtime.Now().Add(time.Hour)),
+			MaxDeadline:       takeFirst(orig.MaxDeadline, time.Time{}),
 			Reason:            takeFirst(orig.Reason, database.BuildReasonInitiator),
 		})
 		if err != nil {
@@ -348,6 +350,7 @@ func ProvisionerJob(t testing.TB, db database.Store, ps pubsub.Pubsub, orig data
 		Type:           takeFirst(orig.Type, database.ProvisionerJobTypeWorkspaceBuild),
 		Input:          takeFirstSlice(orig.Input, []byte("{}")),
 		Tags:           orig.Tags,
+		TraceMetadata:  pqtype.NullRawMessage{},
 	})
 	require.NoError(t, err, "insert job")
 	if ps != nil {
@@ -359,6 +362,7 @@ func ProvisionerJob(t testing.TB, db database.Store, ps pubsub.Pubsub, orig data
 			StartedAt: orig.StartedAt,
 			Types:     []database.ProvisionerType{database.ProvisionerTypeEcho},
 			Tags:      must(json.Marshal(orig.Tags)),
+			WorkerID:  uuid.NullUUID{},
 		})
 		require.NoError(t, err)
 	}
@@ -460,6 +464,8 @@ func WorkspaceProxy(t testing.TB, db database.Store, orig database.WorkspaceProx
 		TokenHashedSecret: hashedSecret[:],
 		CreatedAt:         takeFirst(orig.CreatedAt, dbtime.Now()),
 		UpdatedAt:         takeFirst(orig.UpdatedAt, dbtime.Now()),
+		DerpEnabled:       takeFirst(orig.DerpEnabled, false),
+		DerpOnly:          takeFirst(orig.DerpEnabled, false),
 	})
 	require.NoError(t, err, "insert proxy")
 
 
@@ -0,0 +1 @@
+DROP INDEX workspace_agent_stats_template_id_created_at_user_id_idx;
@@ -0,0 +1,3 @@
+CREATE INDEX workspace_agent_stats_template_id_created_at_user_id_idx ON workspace_agent_stats USING btree (template_id, created_at DESC, user_id) WHERE connection_count > 0;
+
+COMMENT ON INDEX workspace_agent_stats_template_id_created_at_user_id_idx IS 'Support index for template insights endpoint to build interval reports faster.';
@@ -123,13 +123,15 @@ func (api *API) postExternalAuthDeviceByID(rw http.ResponseWriter, r *http.Reque
 		}
 
 		_, err = api.Database.InsertExternalAuthLink(ctx, database.InsertExternalAuthLinkParams{
-			ProviderID:        config.ID,
-			UserID:            apiKey.UserID,
-			CreatedAt:         dbtime.Now(),
-			UpdatedAt:         dbtime.Now(),
-			OAuthAccessToken:  token.AccessToken,
-			OAuthRefreshToken: token.RefreshToken,
-			OAuthExpiry:       token.Expiry,
+			ProviderID:             config.ID,
+			UserID:                 apiKey.UserID,
+			CreatedAt:              dbtime.Now(),
+			UpdatedAt:              dbtime.Now(),
+			OAuthAccessToken:       token.AccessToken,
+			OAuthAccessTokenKeyID:  sql.NullString{}, // dbcrypt will set as required
+			OAuthRefreshToken:      token.RefreshToken,
+			OAuthRefreshTokenKeyID: sql.NullString{}, // dbcrypt will set as required
+			OAuthExpiry:            token.Expiry,
 		})
 		if err != nil {
 			httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
@@ -140,12 +142,14 @@ func (api *API) postExternalAuthDeviceByID(rw http.ResponseWriter, r *http.Reque
 		}
 	} else {
 		_, err = api.Database.UpdateExternalAuthLink(ctx, database.UpdateExternalAuthLinkParams{
-			ProviderID:        config.ID,
-			UserID:            apiKey.UserID,
-			UpdatedAt:         dbtime.Now(),
-			OAuthAccessToken:  token.AccessToken,
-			OAuthRefreshToken: token.RefreshToken,
-			OAuthExpiry:       token.Expiry,
+			ProviderID:             config.ID,
+			UserID:                 apiKey.UserID,
+			UpdatedAt:              dbtime.Now(),
+			OAuthAccessToken:       token.AccessToken,
+			OAuthAccessTokenKeyID:  sql.NullString{}, // dbcrypt will update as required
+			OAuthRefreshToken:      token.RefreshToken,
+			OAuthRefreshTokenKeyID: sql.NullString{}, // dbcrypt will update as required
+			OAuthExpiry:            token.Expiry,
 		})
 		if err != nil {
 			httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
@@ -211,13 +215,15 @@ func (api *API) externalAuthCallback(externalAuthConfig *externalauth.Config) ht
 			}
 
 			_, err = api.Database.InsertExternalAuthLink(ctx, database.InsertExternalAuthLinkParams{
-				ProviderID:        externalAuthConfig.ID,
-				UserID:            apiKey.UserID,
-				CreatedAt:         dbtime.Now(),
-				UpdatedAt:         dbtime.Now(),
-				OAuthAccessToken:  state.Token.AccessToken,
-				OAuthRefreshToken: state.Token.RefreshToken,
-				OAuthExpiry:       state.Token.Expiry,
+				ProviderID:             externalAuthConfig.ID,
+				UserID:                 apiKey.UserID,
+				CreatedAt:              dbtime.Now(),
+				UpdatedAt:              dbtime.Now(),
+				OAuthAccessToken:       state.Token.AccessToken,
+				OAuthAccessTokenKeyID:  sql.NullString{}, // dbcrypt will set as required
+				OAuthRefreshToken:      state.Token.RefreshToken,
+				OAuthRefreshTokenKeyID: sql.NullString{}, // dbcrypt will set as required
+				OAuthExpiry:            state.Token.Expiry,
 			})
 			if err != nil {
 				httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
@@ -228,12 +234,14 @@ func (api *API) externalAuthCallback(externalAuthConfig *externalauth.Config) ht
 			}
 		} else {
 			_, err = api.Database.UpdateExternalAuthLink(ctx, database.UpdateExternalAuthLinkParams{
-				ProviderID:        externalAuthConfig.ID,
-				UserID:            apiKey.UserID,
-				UpdatedAt:         dbtime.Now(),
-				OAuthAccessToken:  state.Token.AccessToken,
-				OAuthRefreshToken: state.Token.RefreshToken,
-				OAuthExpiry:       state.Token.Expiry,
+				ProviderID:             externalAuthConfig.ID,
+				UserID:                 apiKey.UserID,
+				UpdatedAt:              dbtime.Now(),
+				OAuthAccessToken:       state.Token.AccessToken,
+				OAuthAccessTokenKeyID:  sql.NullString{}, // dbcrypt will update as required
+				OAuthRefreshToken:      state.Token.RefreshToken,
+				OAuthRefreshTokenKeyID: sql.NullString{}, // dbcrypt will update as required
+				OAuthExpiry:            state.Token.Expiry,
 			})
 			if err != nil {
 				httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
Original file line number	Diff line number	Diff line change
`@@ -4142,6 +4142,8 @@ func (q *FakeQuerier) InsertAllUsersGroup(ctx context.Context, orgID uuid.UUID)`
`4142`	`4142`	`Name: database.EveryoneGroup,`
`4143`	`4143`	`DisplayName: "",`
`4144`	`4144`	`OrganizationID: orgID,`
	`4145`	`+ AvatarURL: "",`
	`4146`	`+ QuotaAllowance: 0,`
`4145`	`4147`	`})`
`4146`	`4148`	`}`
`4147`	`4149`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+DROP INDEX workspace_agent_stats_template_id_created_at_user_id_idx;`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+CREATE INDEX workspace_agent_stats_template_id_created_at_user_id_idx ON workspace_agent_stats USING btree (template_id, created_at DESC, user_id) WHERE connection_count > 0;`
	`2`	`+`
	`3`	`+COMMENT ON INDEX workspace_agent_stats_template_id_created_at_user_id_idx IS 'Support index for template insights endpoint to build interval reports faster.';`