coder
diff --git a/‎cli/root.go
Lines changed: 3 additions & 1 deletion b/‎cli/root.go
Lines changed: 3 additions & 1 deletion
diff --git a/‎cli/server.go
Lines changed: 6 additions & 3 deletions b/‎cli/server.go
Lines changed: 6 additions & 3 deletions
diff --git a/‎coderd/audit/request.go
Lines changed: 4 additions & 14 deletions b/‎coderd/audit/request.go
Lines changed: 4 additions & 14 deletions
diff --git a/‎coderd/authorize.go
Lines changed: 1 addition & 1 deletion b/‎coderd/authorize.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/coderd.go
Lines changed: 44 additions & 17 deletions b/‎coderd/coderd.go
Lines changed: 44 additions & 17 deletions
diff --git a/‎coderd/coderd_test.go
Lines changed: 20 additions & 10 deletions b/‎coderd/coderd_test.go
Lines changed: 20 additions & 10 deletions
diff --git a/‎coderd/coderdtest/coderdtest.go
Lines changed: 19 additions & 21 deletions b/‎coderd/coderdtest/coderdtest.go
Lines changed: 19 additions & 21 deletions
@@ -96,7 +96,9 @@ func Core() []*cobra.Command {
 }
 
 func AGPL() []*cobra.Command {
-	all := append(Core(), Server(coderd.New))
+	all := append(Core(), Server(func(_ context.Context, o *coderd.Options) (*coderd.API, error) {
+		return coderd.New(o), nil
+	}))
 	return all
 }
 
 
@@ -70,7 +70,7 @@ import (
 )
 
 // nolint:gocyclo
-func Server(newAPI func(*coderd.Options) *coderd.API) *cobra.Command {
+func Server(newAPI func(context.Context, *coderd.Options) (*coderd.API, error)) *cobra.Command {
 	var (
 		accessURL             string
 		address               string
@@ -506,7 +506,10 @@ func Server(newAPI func(*coderd.Options) *coderd.API) *cobra.Command {
 				), promAddress, "prometheus")()
 			}
 
-			coderAPI := newAPI(options)
+			coderAPI, err := newAPI(ctx, options)
+			if err != nil {
+				return err
+			}
 			defer coderAPI.Close()
 
 			client := codersdk.New(localURL)
@@ -553,7 +556,7 @@ func Server(newAPI func(*coderd.Options) *coderd.API) *cobra.Command {
 				// These errors are typically noise like "TLS: EOF". Vault does similar:
 				// https://github.com/hashicorp/vault/blob/e2490059d0711635e529a4efcbaa1b26998d6e1c/command/server.go#L2714
 				ErrorLog: log.New(io.Discard, "", 0),
-				Handler:  coderAPI.Handler,
+				Handler:  coderAPI.RootHandler,
 				BaseContext: func(_ net.Listener) context.Context {
 					return shutdownConnsCtx
 				},
 
@@ -12,14 +12,13 @@ import (
 
 	"cdr.dev/slog"
 	"github.com/coder/coder/coderd/database"
-	"github.com/coder/coder/coderd/features"
 	"github.com/coder/coder/coderd/httpapi"
 	"github.com/coder/coder/coderd/httpmw"
 )
 
 type RequestParams struct {
-	Features features.Service
-	Log      slog.Logger
+	Audit Auditor
+	Log   slog.Logger
 
 	Request *http.Request
 	Action  database.AuditAction
@@ -102,15 +101,6 @@ func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request
 		params: p,
 	}
 
-	feats := struct {
-		Audit Auditor
-	}{}
-	err := p.Features.Get(&feats)
-	if err != nil {
-		p.Log.Error(p.Request.Context(), "unable to get auditor interface", slog.Error(err))
-		return req, func() {}
-	}
-
 	return req, func() {
 		ctx := context.Background()
 		logCtx := p.Request.Context()
@@ -120,15 +110,15 @@ func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request
 			return
 		}
 
-		diff := Diff(feats.Audit, req.Old, req.New)
+		diff := Diff(p.Audit, req.Old, req.New)
 		diffRaw, _ := json.Marshal(diff)
 
 		ip, err := parseIP(p.Request.RemoteAddr)
 		if err != nil {
 			p.Log.Warn(logCtx, "parse ip", slog.Error(err))
 		}
 
-		err = feats.Audit.Export(ctx, database.AuditLog{
+		err = p.Audit.Export(ctx, database.AuditLog{
 			ID:               uuid.New(),
 			Time:             database.Now(),
 			UserID:           httpmw.APIKey(p.Request).UserID,
 
@@ -42,7 +42,7 @@ type HTTPAuthorizer struct {
 //		return
 //	}
 func (api *API) Authorize(r *http.Request, action rbac.Action, object rbac.Objecter) bool {
-	return api.httpAuth.Authorize(r, action, object)
+	return api.HTTPAuth.Authorize(r, action, object)
 }
 
 // Authorize will return false if the user is not authorized to do the action.
 
@@ -7,6 +7,7 @@ import (
 	"net/url"
 	"path/filepath"
 	"sync"
+	"sync/atomic"
 	"time"
 
 	"github.com/andybalholm/brotli"
@@ -25,9 +26,9 @@ import (
 
 	"cdr.dev/slog"
 	"github.com/coder/coder/buildinfo"
+	"github.com/coder/coder/coderd/audit"
 	"github.com/coder/coder/coderd/awsidentity"
 	"github.com/coder/coder/coderd/database"
-	"github.com/coder/coder/coderd/features"
 	"github.com/coder/coder/coderd/gitsshkey"
 	"github.com/coder/coder/coderd/httpapi"
 	"github.com/coder/coder/coderd/httpmw"
@@ -52,6 +53,7 @@ type Options struct {
 	// CacheDir is used for caching files served by the API.
 	CacheDir string
 
+	Auditor                        audit.Auditor
 	AgentConnectionUpdateFrequency time.Duration
 	AgentInactiveDisconnectTimeout time.Duration
 	// APIRateLimit is the minutely throughput rate limit per user or ip.
@@ -72,8 +74,6 @@ type Options struct {
 	TURNServer           *turnconn.Server
 	TracerProvider       *sdktrace.TracerProvider
 	AutoImportTemplates  []AutoImportTemplate
-	LicenseHandler       http.Handler
-	FeaturesService      features.Service
 
 	TailscaleEnable    bool
 	TailnetCoordinator *tailnet.Coordinator
@@ -85,6 +85,9 @@ type Options struct {
 
 // New constructs a Coder API handler.
 func New(options *Options) *API {
+	if options == nil {
+		options = &Options{}
+	}
 	if options.AgentConnectionUpdateFrequency == 0 {
 		options.AgentConnectionUpdateFrequency = 3 * time.Second
 	}
@@ -110,11 +113,8 @@ func New(options *Options) *API {
 	if options.TailnetCoordinator == nil {
 		options.TailnetCoordinator = tailnet.NewCoordinator()
 	}
-	if options.LicenseHandler == nil {
-		options.LicenseHandler = licenses()
-	}
-	if options.FeaturesService == nil {
-		options.FeaturesService = &featuresService{}
+	if options.Auditor == nil {
+		options.Auditor = audit.NewNop()
 	}
 
 	siteCacheDir := options.CacheDir
@@ -135,14 +135,17 @@ func New(options *Options) *API {
 	r := chi.NewRouter()
 	api := &API{
 		Options:     options,
-		Handler:     r,
+		RootHandler: r,
 		siteHandler: site.Handler(site.FS(), binFS),
-		httpAuth: &HTTPAuthorizer{
+		HTTPAuth: &HTTPAuthorizer{
 			Authorizer: options.Authorizer,
 			Logger:     options.Logger,
 		},
 		metricsCache: metricsCache,
+		Auditor:      atomic.Pointer[audit.Auditor]{},
 	}
+	api.Auditor.Store(&options.Auditor)
+
 	if options.TailscaleEnable {
 		api.workspaceAgentCache = wsconncache.New(api.dialWorkspaceAgentTailnet, 0)
 	} else {
@@ -194,6 +197,8 @@ func New(options *Options) *API {
 	})
 
 	r.Route("/api/v2", func(r chi.Router) {
+		api.APIHandler = r
+
 		r.NotFound(func(rw http.ResponseWriter, r *http.Request) {
 			httpapi.Write(rw, http.StatusNotFound, codersdk.Response{
 				Message: "Route not found.",
@@ -460,12 +465,9 @@ func New(options *Options) *API {
 		})
 		r.Route("/entitlements", func(r chi.Router) {
 			r.Use(apiKeyMiddleware)
-			r.Get("/", api.FeaturesService.EntitlementsAPI)
-		})
-		r.Route("/licenses", func(r chi.Router) {
-			r.Use(apiKeyMiddleware)
-			r.Mount("/", options.LicenseHandler)
+			r.Get("/", entitlements)
 		})
+		r.HandleFunc("/licenses", unsupported)
 	})
 
 	r.NotFound(compressHandler(http.HandlerFunc(api.siteHandler.ServeHTTP)).ServeHTTP)
@@ -477,12 +479,14 @@ type API struct {
 
 	derpServer *derp.Server
 
-	Handler             chi.Router
+	Auditor             atomic.Pointer[audit.Auditor]
+	RootHandler         chi.Router
+	APIHandler          chi.Router
 	siteHandler         http.Handler
 	websocketWaitMutex  sync.Mutex
 	websocketWaitGroup  sync.WaitGroup
 	workspaceAgentCache *wsconncache.Cache
-	httpAuth            *HTTPAuthorizer
+	HTTPAuth            *HTTPAuthorizer
 
 	metricsCache *metricscache.Cache
 }
@@ -517,3 +521,26 @@ func compressHandler(h http.Handler) http.Handler {
 
 	return cmp.Handler(h)
 }
+
+func entitlements(rw http.ResponseWriter, _ *http.Request) {
+	feats := make(map[string]codersdk.Feature)
+	for _, f := range codersdk.FeatureNames {
+		feats[f] = codersdk.Feature{
+			Entitlement: codersdk.EntitlementNotEntitled,
+			Enabled:     false,
+		}
+	}
+	httpapi.Write(rw, http.StatusOK, codersdk.Entitlements{
+		Features:   feats,
+		Warnings:   []string{},
+		HasLicense: false,
+	})
+}
+
+func unsupported(rw http.ResponseWriter, _ *http.Request) {
+	httpapi.Write(rw, http.StatusNotFound, codersdk.Response{
+		Message:     "Unsupported",
+		Detail:      "These endpoints are not supported in AGPL-licensed Coder",
+		Validations: nil,
+	})
+}
@@ -17,6 +17,7 @@ import (
 
 	"github.com/coder/coder/buildinfo"
 	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/tailnet"
 	"github.com/coder/coder/testutil"
 )
@@ -38,16 +39,6 @@ func TestBuildInfo(t *testing.T) {
 	require.Equal(t, buildinfo.Version(), buildInfo.Version, "version")
 }
 
-// TestAuthorizeAllEndpoints will check `authorize` is called on every endpoint registered.
-func TestAuthorizeAllEndpoints(t *testing.T) {
-	t.Parallel()
-	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
-	defer cancel()
-	a := coderdtest.NewAuthTester(ctx, t, nil)
-	skipRoutes, assertRoute := coderdtest.AGPLRoutes(a)
-	a.Test(ctx, assertRoute, skipRoutes)
-}
-
 func TestDERP(t *testing.T) {
 	t.Parallel()
 	client := coderdtest.New(t, nil)
@@ -124,3 +115,22 @@ func TestDERPLatencyCheck(t *testing.T) {
 	defer res.Body.Close()
 	require.Equal(t, http.StatusOK, res.StatusCode)
 }
+
+func TestEntitlements(t *testing.T) {
+	t.Parallel()
+	t.Run("GET", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		_ = coderdtest.CreateFirstUser(t, client)
+		result, err := client.Entitlements(context.Background())
+		require.NoError(t, err)
+		assert.False(t, result.HasLicense)
+		assert.Empty(t, result.Warnings)
+		for _, f := range codersdk.FeatureNames {
+			require.Contains(t, result.Features, f)
+			fe := result.Features[f]
+			assert.False(t, fe.Enabled)
+			assert.Equal(t, codersdk.EntitlementNotEntitled, fe.Entitlement)
+		}
+	})
+}
@@ -79,7 +79,6 @@ type Options struct {
 
 	// IncludeProvisionerDaemon when true means to start an in-memory provisionerD
 	IncludeProvisionerDaemon    bool
-	APIBuilder                  func(*coderd.Options) *coderd.API
 	MetricsCacheRefreshInterval time.Duration
 	AgentStatsRefreshInterval   time.Duration
 }
@@ -115,10 +114,8 @@ func newWithCloser(t *testing.T, options *Options) (*codersdk.Client, io.Closer)
 	return client, closer
 }
 
-// newWithAPI constructs an in-memory API instance and returns a client to talk to it.
-// Most tests never need a reference to the API, but AuthorizationTest in this module uses it.
-// Do not expose the API or wrath shall descend upon thee.
-func newWithAPI(t *testing.T, options *Options) (*codersdk.Client, io.Closer, *coderd.API) {
+// NewOptions constructs a new set of
+func NewOptions(t *testing.T, options *Options) (*httptest.Server, *coderd.Options) {
 	if options == nil {
 		options = &Options{}
 	}
@@ -139,9 +136,6 @@ func newWithAPI(t *testing.T, options *Options) (*codersdk.Client, io.Closer, *c
 			close(options.AutobuildStats)
 		})
 	}
-	if options.APIBuilder == nil {
-		options.APIBuilder = coderd.New
-	}
 
 	// This can be hotswapped for a live database instance.
 	db := databasefake.New()
@@ -199,13 +193,7 @@ func newWithAPI(t *testing.T, options *Options) (*codersdk.Client, io.Closer, *c
 		_ = turnServer.Close()
 	})
 
-	features := coderd.DisabledImplementations
-	if options.Auditor != nil {
-		features.Auditor = options.Auditor
-	}
-
-	// We set the handler after server creation for the access URL.
-	coderAPI := options.APIBuilder(&coderd.Options{
+	return srv, &coderd.Options{
 		AgentConnectionUpdateFrequency: 150 * time.Millisecond,
 		// Force a long disconnection timeout to ensure
 		// agents are not marked as disconnected during slow tests.
@@ -216,6 +204,7 @@ func newWithAPI(t *testing.T, options *Options) (*codersdk.Client, io.Closer, *c
 		Database:                       db,
 		Pubsub:                         pubsub,
 
+		Auditor:              options.Auditor,
 		AWSCertificates:      options.AWSCertificates,
 		AzureCertificates:    options.AzureCertificates,
 		GithubOAuth2Config:   options.GithubOAuth2Config,
@@ -247,22 +236,31 @@ func newWithAPI(t *testing.T, options *Options) (*codersdk.Client, io.Closer, *c
 		AutoImportTemplates:         options.AutoImportTemplates,
 		MetricsCacheRefreshInterval: options.MetricsCacheRefreshInterval,
 		AgentStatsRefreshInterval:   options.AgentStatsRefreshInterval,
-		FeaturesService:             coderd.NewMockFeaturesService(features),
-	})
+	}
+}
+
+// newWithAPI constructs an in-memory API instance and returns a client to talk to it.
+// Most tests never need a reference to the API, but AuthorizationTest in this module uses it.
+// Do not expose the API or wrath shall descend upon thee.
+func newWithAPI(t *testing.T, options *Options) (*codersdk.Client, io.Closer, *coderd.API) {
+	if options == nil {
+		options = &Options{}
+	}
+	srv, newOptions := NewOptions(t, options)
+	// We set the handler after server creation for the access URL.
+	coderAPI := coderd.New(newOptions)
 	t.Cleanup(func() {
 		_ = coderAPI.Close()
 	})
-	srv.Config.Handler = coderAPI.Handler
-
+	srv.Config.Handler = coderAPI.RootHandler
 	var provisionerCloser io.Closer = nopcloser{}
 	if options.IncludeProvisionerDaemon {
 		provisionerCloser = NewProvisionerDaemon(t, coderAPI)
 	}
 	t.Cleanup(func() {
 		_ = provisionerCloser.Close()
 	})
-
-	return codersdk.New(serverURL), provisionerCloser, coderAPI
+	return codersdk.New(coderAPI.AccessURL), provisionerCloser, coderAPI
 }
 
 // NewProvisionerDaemon launches a provisionerd instance configured to work
Original file line number	Diff line number	Diff line change
`@@ -96,7 +96,9 @@ func Core() []*cobra.Command {`
`96`	`96`	`}`
`97`	`97`
`98`	`98`	`func AGPL() []*cobra.Command {`
`99`		`- all := append(Core(), Server(coderd.New))`
	`99`	`+ all := append(Core(), Server(func(_ context.Context, o coderd.Options) (coderd.API, error) {`
	`100`	`+ return coderd.New(o), nil`
	`101`	`+ }))`
`100`	`102`	`return all`
`101`	`103`	`}`
`102`	`104`
Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,7 @@ type HTTPAuthorizer struct {`
`42`	`42`	`// return`
`43`	`43`	`// }`
`44`	`44`	`func (api API) Authorize(r http.Request, action rbac.Action, object rbac.Objecter) bool {`
`45`		`- return api.httpAuth.Authorize(r, action, object)`
	`45`	`+ return api.HTTPAuth.Authorize(r, action, object)`
`46`	`46`	`}`
`47`	`47`
`48`	`48`	`// Authorize will return false if the user is not authorized to do the action.`