coder
diff --git a/‎agent/agent.go
Lines changed: 9 additions & 0 deletions b/‎agent/agent.go
Lines changed: 9 additions & 0 deletions
diff --git a/‎agent/agent_test.go
Lines changed: 51 additions & 0 deletions b/‎agent/agent_test.go
Lines changed: 51 additions & 0 deletions
diff --git a/‎cli/cliui/cliui.go
Lines changed: 3 additions & 3 deletions b/‎cli/cliui/cliui.go
Lines changed: 3 additions & 3 deletions
diff --git a/‎cli/ssh.go
Lines changed: 6 additions & 3 deletions b/‎cli/ssh.go
Lines changed: 6 additions & 3 deletions
diff --git a/‎coderd/database/dbauthz/querier.go
Lines changed: 61 additions & 4 deletions b/‎coderd/database/dbauthz/querier.go
Lines changed: 61 additions & 4 deletions
diff --git a/‎coderd/database/dbauthz/system.go
Lines changed: 7 additions & 0 deletions b/‎coderd/database/dbauthz/system.go
Lines changed: 7 additions & 0 deletions
diff --git a/‎coderd/database/dbfake/databasefake.go
Lines changed: 41 additions & 0 deletions b/‎coderd/database/dbfake/databasefake.go
Lines changed: 41 additions & 0 deletions
diff --git a/‎coderd/database/modelmethods.go
Lines changed: 7 additions & 0 deletions b/‎coderd/database/modelmethods.go
Lines changed: 7 additions & 0 deletions
diff --git a/‎coderd/database/querier.go
Lines changed: 2 additions & 0 deletions b/‎coderd/database/querier.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/database/queries.sql.go
Lines changed: 69 additions & 0 deletions b/‎coderd/database/queries.sql.go
Lines changed: 69 additions & 0 deletions
@@ -988,6 +988,7 @@ func (a *agent) init(ctx context.Context) {
 				_ = session.Exit(MagicSessionErrorCode)
 				return
 			}
+			_ = session.Exit(0)
 		},
 		HostSigners: []ssh.Signer{randomSigner},
 		LocalPortForwardingCallback: func(ctx ssh.Context, destinationHost string, destinationPort uint32) bool {
@@ -1240,7 +1241,9 @@ func (a *agent) handleSSHSession(session ssh.Session) (retErr error) {
 		if err != nil {
 			return xerrors.Errorf("start command: %w", err)
 		}
+		var wg sync.WaitGroup
 		defer func() {
+			defer wg.Wait()
 			closeErr := ptty.Close()
 			if closeErr != nil {
 				a.logger.Warn(ctx, "failed to close tty", slog.Error(closeErr))
@@ -1257,10 +1260,16 @@ func (a *agent) handleSSHSession(session ssh.Session) (retErr error) {
 				}
 			}
 		}()
+		// We don't add input copy to wait group because
+		// it won't return until the session is closed.
 		go func() {
 			_, _ = io.Copy(ptty.Input(), session)
 		}()
+		wg.Add(1)
 		go func() {
+			// Ensure data is flushed to session on command exit, if we
+			// close the session too soon, we might lose data.
+			defer wg.Done()
 			_, _ = io.Copy(session, ptty.Output())
 		}()
 		err = process.Wait()
 
@@ -349,6 +349,57 @@ func TestAgent_Session_TTY_Hushlogin(t *testing.T) {
 	require.NotContains(t, stdout.String(), wantNotMOTD, "should not show motd")
 }
 
+func TestAgent_Session_TTY_FastCommandHasOutput(t *testing.T) {
+	t.Parallel()
+	if runtime.GOOS == "windows" {
+		// This might be our implementation, or ConPTY itself.
+		// It's difficult to find extensive tests for it, so
+		// it seems like it could be either.
+		t.Skip("ConPTY appears to be inconsistent on Windows.")
+	}
+
+	// This test is here to prevent regressions where quickly executing
+	// commands (with TTY) don't flush their output to the SSH session.
+	//
+	// See: https://github.com/coder/coder/issues/6656
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
+	//nolint:dogsled
+	conn, _, _, _, _ := setupAgent(t, agentsdk.Metadata{}, 0)
+	sshClient, err := conn.SSHClient(ctx)
+	require.NoError(t, err)
+	defer sshClient.Close()
+
+	ptty := ptytest.New(t)
+
+	var stdout bytes.Buffer
+	// NOTE(mafredri): Increase iterations to increase chance of failure,
+	//                 assuming bug is present.
+	// Using 1000 iterations is basically a guaranteed failure (but let's
+	// not increase test times needlessly).
+	for i := 0; i < 5; i++ {
+		func() {
+			stdout.Reset()
+
+			session, err := sshClient.NewSession()
+			require.NoError(t, err)
+			defer session.Close()
+			err = session.RequestPty("xterm", 128, 128, ssh.TerminalModes{})
+			require.NoError(t, err)
+
+			session.Stdout = &stdout
+			session.Stderr = ptty.Output()
+			session.Stdin = ptty.Input()
+			err = session.Start("echo wazzup")
+			require.NoError(t, err)
+
+			err = session.Wait()
+			require.NoError(t, err)
+			require.Contains(t, stdout.String(), "wazzup", "should output greeting")
+		}()
+	}
+}
+
 //nolint:paralleltest // This test reserves a port.
 func TestAgent_TCPLocalForwarding(t *testing.T) {
 	random, err := net.Listen("tcp", "127.0.0.1:0")
 
@@ -49,10 +49,10 @@ var Styles = struct {
 	Keyword:       defaultStyles.Keyword,
 	Paragraph:     defaultStyles.Paragraph,
 	Placeholder:   lipgloss.NewStyle().Foreground(lipgloss.AdaptiveColor{Light: "#585858", Dark: "#4d46b3"}),
-	Prompt:        defaultStyles.Prompt.Foreground(lipgloss.AdaptiveColor{Light: "#9B9B9B", Dark: "#5C5C5C"}),
-	FocusedPrompt: defaultStyles.FocusedPrompt.Foreground(lipgloss.Color("#651fff")),
+	Prompt:        defaultStyles.Prompt.Copy().Foreground(lipgloss.AdaptiveColor{Light: "#9B9B9B", Dark: "#5C5C5C"}),
+	FocusedPrompt: defaultStyles.FocusedPrompt.Copy().Foreground(lipgloss.Color("#651fff")),
 	Fuchsia:       defaultStyles.SelectedMenuItem.Copy(),
-	Logo:          defaultStyles.Logo.SetString("Coder"),
+	Logo:          defaultStyles.Logo.Copy().SetString("Coder"),
 	Warn: lipgloss.NewStyle().Foreground(
 		lipgloss.AdaptiveColor{Light: "#04B575", Dark: "#ECFD65"},
 	),
 
@@ -82,10 +82,13 @@ func (r *RootCmd) ssh() *clibase.Cmd {
 				if xerrors.Is(err, context.Canceled) {
 					return cliui.Canceled
 				}
-				if xerrors.Is(err, cliui.AgentStartError) {
-					return xerrors.New("Agent startup script exited with non-zero status, use --no-wait to login anyway.")
+				if !xerrors.Is(err, cliui.AgentStartError) {
+					return xerrors.Errorf("await agent: %w", err)
 				}
-				return xerrors.Errorf("await agent: %w", err)
+
+				// We don't want to fail on a startup script error because it's
+				// natural that the user will want to fix the script and try again.
+				// We don't print the error because cliui.Agent does that for us.
 			}
 
 			conn, err := client.DialWorkspaceAgent(ctx, workspaceAgent.ID, &codersdk.DialWorkspaceAgentOptions{})
 
@@ -88,11 +88,57 @@ func (q *querier) GetAuditLogsOffset(ctx context.Context, arg database.GetAuditL
 }
 
 func (q *querier) GetFileByHashAndCreator(ctx context.Context, arg database.GetFileByHashAndCreatorParams) (database.File, error) {
-	return fetch(q.log, q.auth, q.db.GetFileByHashAndCreator)(ctx, arg)
+	file, err := q.db.GetFileByHashAndCreator(ctx, arg)
+	if err != nil {
+		return database.File{}, err
+	}
+	err = q.authorizeContext(ctx, rbac.ActionRead, file)
+	if err != nil {
+		// Check the user's access to the file's templates.
+		if q.authorizeUpdateFileTemplate(ctx, file) != nil {
+			return database.File{}, err
+		}
+	}
+
+	return file, nil
 }
 
 func (q *querier) GetFileByID(ctx context.Context, id uuid.UUID) (database.File, error) {
-	return fetch(q.log, q.auth, q.db.GetFileByID)(ctx, id)
+	file, err := q.db.GetFileByID(ctx, id)
+	if err != nil {
+		return database.File{}, err
+	}
+	err = q.authorizeContext(ctx, rbac.ActionRead, file)
+	if err != nil {
+		// Check the user's access to the file's templates.
+		if q.authorizeUpdateFileTemplate(ctx, file) != nil {
+			return database.File{}, err
+		}
+	}
+
+	return file, nil
+}
+
+// authorizeReadFile is a hotfix for the fact that file permissions are
+// independent of template permissions. This function checks if the user has
+// update access to any of the file's templates.
+func (q *querier) authorizeUpdateFileTemplate(ctx context.Context, file database.File) error {
+	tpls, err := q.db.GetFileTemplates(ctx, file.ID)
+	if err != nil {
+		return err
+	}
+	// There __should__ only be 1 template per file, but there can be more than
+	// 1, so check them all.
+	for _, tpl := range tpls {
+		// If the user has update access to any template, they have read access to the file.
+		if err := q.authorizeContext(ctx, rbac.ActionUpdate, tpl); err == nil {
+			return nil
+		}
+	}
+
+	return NotAuthorizedError{
+		Err: xerrors.Errorf("not authorized to read file %s", file.ID),
+	}
 }
 
 func (q *querier) InsertFile(ctx context.Context, arg database.InsertFileParams) (database.File, error) {
@@ -859,11 +905,22 @@ func (q *querier) UpdateTemplateScheduleByID(ctx context.Context, arg database.U
 }
 
 func (q *querier) UpdateTemplateVersionByID(ctx context.Context, arg database.UpdateTemplateVersionByIDParams) (database.TemplateVersion, error) {
-	template, err := q.db.GetTemplateByID(ctx, arg.TemplateID.UUID)
+	// An actor is allowed to update the template version if they are authorized to update the template.
+	tv, err := q.db.GetTemplateVersionByID(ctx, arg.ID)
 	if err != nil {
 		return database.TemplateVersion{}, err
 	}
-	if err := q.authorizeContext(ctx, rbac.ActionUpdate, template); err != nil {
+	var obj rbac.Objecter
+	if !tv.TemplateID.Valid {
+		obj = rbac.ResourceTemplate.InOrg(tv.OrganizationID)
+	} else {
+		tpl, err := q.db.GetTemplateByID(ctx, tv.TemplateID.UUID)
+		if err != nil {
+			return database.TemplateVersion{}, err
+		}
+		obj = tpl
+	}
+	if err := q.authorizeContext(ctx, rbac.ActionUpdate, obj); err != nil {
 		return database.TemplateVersion{}, err
 	}
 	return q.db.UpdateTemplateVersionByID(ctx, arg)
 
@@ -10,6 +10,13 @@ import (
 	"github.com/coder/coder/coderd/rbac"
 )
 
+func (q *querier) GetFileTemplates(ctx context.Context, fileID uuid.UUID) ([]database.GetFileTemplatesRow, error) {
+	if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceSystem); err != nil {
+		return nil, err
+	}
+	return q.db.GetFileTemplates(ctx, fileID)
+}
+
 // GetWorkspaceAppsByAgentIDs
 // The workspace/job is already fetched.
 func (q *querier) GetWorkspaceAppsByAgentIDs(ctx context.Context, ids []uuid.UUID) ([]database.WorkspaceApp, error) {
 
@@ -686,6 +686,47 @@ func (q *fakeQuerier) GetFileByID(_ context.Context, id uuid.UUID) (database.Fil
 	return database.File{}, sql.ErrNoRows
 }
 
+func (q *fakeQuerier) GetFileTemplates(_ context.Context, id uuid.UUID) ([]database.GetFileTemplatesRow, error) {
+	q.mutex.RLock()
+	defer q.mutex.RUnlock()
+
+	rows := make([]database.GetFileTemplatesRow, 0)
+	var file database.File
+	for _, f := range q.files {
+		if f.ID == id {
+			file = f
+			break
+		}
+	}
+	if file.Hash == "" {
+		return rows, nil
+	}
+
+	for _, job := range q.provisionerJobs {
+		if job.FileID == id {
+			for _, version := range q.templateVersions {
+				if version.JobID == job.ID {
+					for _, template := range q.templates {
+						if template.ID == version.TemplateID.UUID {
+							rows = append(rows, database.GetFileTemplatesRow{
+								FileID:                 file.ID,
+								FileCreatedBy:          file.CreatedBy,
+								TemplateID:             template.ID,
+								TemplateOrganizationID: template.OrganizationID,
+								TemplateCreatedBy:      template.CreatedBy,
+								UserACL:                template.UserACL,
+								GroupACL:               template.GroupACL,
+							})
+						}
+					}
+				}
+			}
+		}
+	}
+
+	return rows, nil
+}
+
 func (q *fakeQuerier) GetUserByEmailOrUsername(_ context.Context, arg database.GetUserByEmailOrUsernameParams) (database.User, error) {
 	if err := validateDatabaseType(arg); err != nil {
 		return database.User{}, err
 
@@ -88,6 +88,13 @@ func (t Template) RBACObject() rbac.Object {
 		WithGroupACL(t.GroupACL)
 }
 
+func (t GetFileTemplatesRow) RBACObject() rbac.Object {
+	return rbac.ResourceTemplate.WithID(t.TemplateID).
+		InOrg(t.TemplateOrganizationID).
+		WithACLUserList(t.UserACL).
+		WithGroupACL(t.GroupACL)
+}
+
 func (t Template) DeepCopy() Template {
 	cpy := t
 	cpy.UserACL = maps.Clone(t.UserACL)
Original file line number	Diff line number	Diff line change
`@@ -82,10 +82,13 @@ func (r RootCmd) ssh() clibase.Cmd {`
`82`	`82`	`if xerrors.Is(err, context.Canceled) {`
`83`	`83`	`return cliui.Canceled`
`84`	`84`	`}`
`85`		`- if xerrors.Is(err, cliui.AgentStartError) {`
`86`		`- return xerrors.New("Agent startup script exited with non-zero status, use --no-wait to login anyway.")`
	`85`	`+ if !xerrors.Is(err, cliui.AgentStartError) {`
	`86`	`+ return xerrors.Errorf("await agent: %w", err)`
`87`	`87`	`}`
`88`		`- return xerrors.Errorf("await agent: %w", err)`
	`88`	`+`
	`89`	`+ // We don't want to fail on a startup script error because it's`
	`90`	`+ // natural that the user will want to fix the script and try again.`
	`91`	`+ // We don't print the error because cliui.Agent does that for us.`
`89`	`92`	`}`
`90`	`93`
`91`	`94`	`conn, err := client.DialWorkspaceAgent(ctx, workspaceAgent.ID, &codersdk.DialWorkspaceAgentOptions{})`