coder
diff --git a/‎.git-blame-ignore-revs
Lines changed: 5 additions & 0 deletions b/‎.git-blame-ignore-revs
Lines changed: 5 additions & 0 deletions
diff --git a/‎.github/workflows/release.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/release.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.prettierrc.yaml
Lines changed: 2 additions & 2 deletions b/‎.prettierrc.yaml
Lines changed: 2 additions & 2 deletions
diff --git a/‎.vscode/settings.json
Lines changed: 9 additions & 2 deletions b/‎.vscode/settings.json
Lines changed: 9 additions & 2 deletions
diff --git a/‎buildinfo/boring.go
Lines changed: 7 additions & 0 deletions b/‎buildinfo/boring.go
Lines changed: 7 additions & 0 deletions
diff --git a/‎buildinfo/buildinfo.go
Lines changed: 4 additions & 0 deletions b/‎buildinfo/buildinfo.go
Lines changed: 4 additions & 0 deletions
diff --git a/‎buildinfo/notboring.go
Lines changed: 5 additions & 0 deletions b/‎buildinfo/notboring.go
Lines changed: 5 additions & 0 deletions
diff --git a/‎cli/server.go
Lines changed: 2 additions & 2 deletions b/‎cli/server.go
Lines changed: 2 additions & 2 deletions
diff --git a/‎cli/server_createadminuser.go
Lines changed: 1 addition & 1 deletion b/‎cli/server_createadminuser.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎cli/server_test.go
Lines changed: 26 additions & 0 deletions b/‎cli/server_test.go
Lines changed: 26 additions & 0 deletions
diff --git a/‎cli/testdata/coder_server_--help.golden
Lines changed: 11 additions & 1 deletion b/‎cli/testdata/coder_server_--help.golden
Lines changed: 11 additions & 1 deletion
diff --git a/‎cli/testdata/server-config.yaml.golden
Lines changed: 1 addition & 1 deletion b/‎cli/testdata/server-config.yaml.golden
Lines changed: 1 addition & 1 deletion
diff --git a/‎cli/version.go
Lines changed: 15 additions & 10 deletions b/‎cli/version.go
Lines changed: 15 additions & 10 deletions
diff --git a/‎cli/version_test.go
Lines changed: 2 additions & 1 deletion b/‎cli/version_test.go
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 6 additions & 0 deletions b/‎coderd/apidoc/docs.go
Lines changed: 6 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 6 additions & 0 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 6 additions & 0 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 35 additions & 0 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 35 additions & 0 deletions
@@ -0,0 +1,5 @@
+# If you would like `git blame` to ignore commits from this file, run...
+#   git config blame.ignoreRevsFile .git-blame-ignore-revs
+
+# chore: format code with semicolons when using prettier (#9555)
+988c9af0153561397686c119da9d1336d2433fdd
@@ -357,7 +357,7 @@ jobs:
           cd "$temp_dir"
 
           # Download checksums
-          checksums_url="$(gh release view --repo coder/coder v2.1.4 --json assets \
+          checksums_url="$(gh release view --repo coder/coder "v$coder_version" --json assets \
             | jq -r ".assets | map(.url) | .[]" \
             | grep -e ".checksums.txt\$")"
           wget "$checksums_url" -O checksums.txt
 
@@ -1,9 +1,8 @@
 # This config file is used in conjunction with `.editorconfig` to specify
 # formatting for prettier-supported files. See `.editorconfig` and
-# `site/.editorconfig`for whitespace formatting options.
+# `site/.editorconfig` for whitespace formatting options.
 printWidth: 80
 proseWrap: always
-semi: false
 trailingComma: all
 useTabs: false
 tabWidth: 2
@@ -12,6 +11,7 @@ overrides:
       - README.md
       - docs/api/**/*.md
       - docs/cli/**/*.md
+      - docs/changelogs/*.md
       - .github/**/*.{yaml,yml,toml}
       - scripts/**/*.{yaml,yml,toml}
     options:
 
@@ -190,8 +190,15 @@
     "**/node_modules": true
   },
   "search.exclude": {
-    "scripts/metricsdocgen/metrics": true,
-    "docs/api/*.md": true
+    "**.pb.go": true,
+    "**/*.gen.json": true,
+    "**/testdata/*": true,
+    "**Generated.ts": true,
+    "coderd/apidoc/**": true,
+    "docs/api/*.md": true,
+    "docs/templates/*.md": true,
+    "LICENSE": true,
+    "scripts/metricsdocgen/metrics": true
   },
   // Ensure files always have a newline.
   "files.insertFinalNewline": true,
 
@@ -0,0 +1,7 @@
+//go:build boringcrypto
+
+package buildinfo
+
+import "crypto/boring"
+
+var boringcrypto = boring.Enabled()
@@ -87,6 +87,10 @@ func IsAGPL() bool {
 	return strings.Contains(agpl, "t")
 }
 
+func IsBoringCrypto() bool {
+	return boringcrypto
+}
+
 // ExternalURL returns a URL referencing the current Coder version.
 // For production builds, this will link directly to a release.
 // For development builds, this will link to a commit.
 
@@ -0,0 +1,5 @@
+//go:build !boringcrypto
+
+package buildinfo
+
+var boringcrypto = false
@@ -691,7 +691,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 				options.Database = dbfake.New()
 				options.Pubsub = pubsub.NewInMemory()
 			} else {
-				sqlDB, err := connectToPostgres(ctx, logger, sqlDriver, vals.PostgresURL.String())
+				sqlDB, err := ConnectToPostgres(ctx, logger, sqlDriver, vals.PostgresURL.String())
 				if err != nil {
 					return xerrors.Errorf("connect to postgres: %w", err)
 				}
@@ -1953,7 +1953,7 @@ func BuildLogger(inv *clibase.Invocation, cfg *codersdk.DeploymentValues) (slog.
 	}, nil
 }
 
-func connectToPostgres(ctx context.Context, logger slog.Logger, driver string, dbURL string) (*sql.DB, error) {
+func ConnectToPostgres(ctx context.Context, logger slog.Logger, driver string, dbURL string) (*sql.DB, error) {
 	logger.Debug(ctx, "connecting to postgresql")
 
 	// Try to connect for 30 seconds.
 
@@ -63,7 +63,7 @@ func (r *RootCmd) newCreateAdminUserCommand() *clibase.Cmd {
 				newUserDBURL = url
 			}
 
-			sqlDB, err := connectToPostgres(ctx, logger, "postgres", newUserDBURL)
+			sqlDB, err := ConnectToPostgres(ctx, logger, "postgres", newUserDBURL)
 			if err != nil {
 				return xerrors.Errorf("connect to postgres: %w", err)
 			}
 
@@ -34,10 +34,13 @@ import (
 	"go.uber.org/goleak"
 	"gopkg.in/yaml.v3"
 
+	"cdr.dev/slog/sloggers/slogtest"
+
 	"github.com/coder/coder/v2/cli"
 	"github.com/coder/coder/v2/cli/clitest"
 	"github.com/coder/coder/v2/cli/config"
 	"github.com/coder/coder/v2/coderd/coderdtest"
+	"github.com/coder/coder/v2/coderd/database/dbtestutil"
 	"github.com/coder/coder/v2/coderd/database/postgres"
 	"github.com/coder/coder/v2/coderd/telemetry"
 	"github.com/coder/coder/v2/codersdk"
@@ -1657,3 +1660,26 @@ func TestServerYAMLConfig(t *testing.T) {
 
 	require.Equal(t, string(wantByt), string(got))
 }
+
+func TestConnectToPostgres(t *testing.T) {
+	t.Parallel()
+
+	if !dbtestutil.WillUsePostgres() {
+		t.Skip("this test does not make sense without postgres")
+	}
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort)
+	t.Cleanup(cancel)
+
+	log := slogtest.Make(t, nil)
+
+	dbURL, closeFunc, err := postgres.Open()
+	require.NoError(t, err)
+	t.Cleanup(closeFunc)
+
+	sqlDB, err := cli.ConnectToPostgres(ctx, log, "postgres", dbURL)
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		_ = sqlDB.Close()
+	})
+	require.NoError(t, sqlDB.PingContext(ctx))
+}
@@ -380,7 +380,7 @@ can safely ignore these settings.
           The text to show on the OpenID Connect sign in button.
 
       --oidc-icon-url url, $CODER_OIDC_ICON_URL
-          URL pointing to the icon to use on the OepnID Connect login button.
+          URL pointing to the icon to use on the OpenID Connect login button.
 
 [1mProvisioning Options[0m 
 Tune the behavior of the provisioner, which is responsible for creating,
@@ -458,6 +458,16 @@ These options are only available in the Enterprise Edition.
           An HTTP URL that is accessible by other replicas to relay DERP
           traffic. Required for high availability.
 
+      --external-token-encryption-keys string-array, $CODER_EXTERNAL_TOKEN_ENCRYPTION_KEYS
+          Encrypt OIDC and Git authentication tokens with AES-256-GCM in the
+          database. The value must be a comma-separated list of base64-encoded
+          keys. Each key, when base64-decoded, must be exactly 32 bytes in
+          length. The first key will be used to encrypt new values. Subsequent
+          keys will be used as a fallback when decrypting. During normal
+          operation it is recommended to only set one key unless you are in the
+          process of rotating keys with the `coder server dbcrypt rotate`
+          command.
+
       --scim-auth-header string, $CODER_SCIM_AUTH_HEADER
           Enables SCIM and sets the authentication header for the built-in SCIM
           server. New users are automatically created with OIDC authentication.
 
@@ -323,7 +323,7 @@ oidc:
   # The text to show on the OpenID Connect sign in button.
   # (default: OpenID Connect, type: string)
   signInText: OpenID Connect
-  # URL pointing to the icon to use on the OepnID Connect login button.
+  # URL pointing to the icon to use on the OpenID Connect login button.
   # (default: <unset>, type: url)
   iconURL:
 # Telemetry is critical to our ability to improve Coder. We strip all personal
 
@@ -13,11 +13,12 @@ import (
 // versionInfo wraps the stuff we get from buildinfo so that it's
 // easier to emit in different formats.
 type versionInfo struct {
-	Version     string    `json:"version"`
-	BuildTime   time.Time `json:"build_time"`
-	ExternalURL string    `json:"external_url"`
-	Slim        bool      `json:"slim"`
-	AGPL        bool      `json:"agpl"`
+	Version      string    `json:"version"`
+	BuildTime    time.Time `json:"build_time"`
+	ExternalURL  string    `json:"external_url"`
+	Slim         bool      `json:"slim"`
+	AGPL         bool      `json:"agpl"`
+	BoringCrypto bool      `json:"boring_crypto"`
 }
 
 // String() implements Stringer
@@ -28,6 +29,9 @@ func (vi versionInfo) String() string {
 		_, _ = str.WriteString("(AGPL) ")
 	}
 	_, _ = str.WriteString(vi.Version)
+	if vi.BoringCrypto {
+		_, _ = str.WriteString(" BoringCrypto")
+	}
 
 	if !vi.BuildTime.IsZero() {
 		_, _ = str.WriteString(" " + vi.BuildTime.Format(time.UnixDate))
@@ -45,11 +49,12 @@ func (vi versionInfo) String() string {
 func defaultVersionInfo() *versionInfo {
 	buildTime, _ := buildinfo.Time()
 	return &versionInfo{
-		Version:     buildinfo.Version(),
-		BuildTime:   buildTime,
-		ExternalURL: buildinfo.ExternalURL(),
-		Slim:        buildinfo.IsSlim(),
-		AGPL:        buildinfo.IsAGPL(),
+		Version:      buildinfo.Version(),
+		BuildTime:    buildTime,
+		ExternalURL:  buildinfo.ExternalURL(),
+		Slim:         buildinfo.IsSlim(),
+		AGPL:         buildinfo.IsAGPL(),
+		BoringCrypto: buildinfo.IsBoringCrypto(),
 	}
 }
 
 
@@ -34,7 +34,8 @@ Full build of Coder, supports the [40m [0m[91;40mserver[0m[40m [0m subcomm
   "build_time": "0001-01-01T00:00:00Z",
   "external_url": "https://github.com/coder/coder",
   "slim": false,
-  "agpl": false
+  "agpl": false,
+  "boring_crypto": false
 }
 `
 	for _, tt := range []struct {
 
@@ -838,6 +838,13 @@ func (q *querier) GetAuthorizationUserRoles(ctx context.Context, userID uuid.UUI
 	return q.db.GetAuthorizationUserRoles(ctx, userID)
 }
 
+func (q *querier) GetDBCryptKeys(ctx context.Context) ([]database.DBCryptKey, error) {
+	if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceSystem); err != nil {
+		return nil, err
+	}
+	return q.db.GetDBCryptKeys(ctx)
+}
+
 func (q *querier) GetDERPMeshKey(ctx context.Context) (string, error) {
 	if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceSystem); err != nil {
 		return "", err
@@ -914,6 +921,13 @@ func (q *querier) GetGitAuthLink(ctx context.Context, arg database.GetGitAuthLin
 	return fetch(q.log, q.auth, q.db.GetGitAuthLink)(ctx, arg)
 }
 
+func (q *querier) GetGitAuthLinksByUserID(ctx context.Context, userID uuid.UUID) ([]database.GitAuthLink, error) {
+	if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceSystem); err != nil {
+		return nil, err
+	}
+	return q.db.GetGitAuthLinksByUserID(ctx, userID)
+}
+
 func (q *querier) GetGitSSHKey(ctx context.Context, userID uuid.UUID) (database.GitSSHKey, error) {
 	return fetch(q.log, q.auth, q.db.GetGitSSHKey)(ctx, userID)
 }
@@ -1482,6 +1496,13 @@ func (q *querier) GetUserLinkByUserIDLoginType(ctx context.Context, arg database
 	return q.db.GetUserLinkByUserIDLoginType(ctx, arg)
 }
 
+func (q *querier) GetUserLinksByUserID(ctx context.Context, userID uuid.UUID) ([]database.UserLink, error) {
+	if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceSystem); err != nil {
+		return nil, err
+	}
+	return q.db.GetUserLinksByUserID(ctx, userID)
+}
+
 func (q *querier) GetUsers(ctx context.Context, arg database.GetUsersParams) ([]database.GetUsersRow, error) {
 	// This does the filtering in SQL.
 	prep, err := prepareSQLFilter(ctx, q.auth, rbac.ActionRead, rbac.ResourceUser.Type)
@@ -1859,6 +1880,13 @@ func (q *querier) InsertAuditLog(ctx context.Context, arg database.InsertAuditLo
 	return insert(q.log, q.auth, rbac.ResourceAuditLog, q.db.InsertAuditLog)(ctx, arg)
 }
 
+func (q *querier) InsertDBCryptKey(ctx context.Context, arg database.InsertDBCryptKeyParams) error {
+	if err := q.authorizeContext(ctx, rbac.ActionCreate, rbac.ResourceSystem); err != nil {
+		return err
+	}
+	return q.db.InsertDBCryptKey(ctx, arg)
+}
+
 func (q *querier) InsertDERPMeshKey(ctx context.Context, value string) error {
 	if err := q.authorizeContext(ctx, rbac.ActionCreate, rbac.ResourceSystem); err != nil {
 		return err
@@ -2167,6 +2195,13 @@ func (q *querier) RegisterWorkspaceProxy(ctx context.Context, arg database.Regis
 	return updateWithReturn(q.log, q.auth, fetch, q.db.RegisterWorkspaceProxy)(ctx, arg)
 }
 
+func (q *querier) RevokeDBCryptKey(ctx context.Context, activeKeyDigest string) error {
+	if err := q.authorizeContext(ctx, rbac.ActionUpdate, rbac.ResourceSystem); err != nil {
+		return err
+	}
+	return q.db.RevokeDBCryptKey(ctx, activeKeyDigest)
+}
+
 func (q *querier) TryAcquireLock(ctx context.Context, id int64) (bool, error) {
 	return q.db.TryAcquireLock(ctx, id)
 }
Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ func (r RootCmd) newCreateAdminUserCommand() clibase.Cmd {`
`63`	`63`	`newUserDBURL = url`
`64`	`64`	`}`
`65`	`65`
`66`		`- sqlDB, err := connectToPostgres(ctx, logger, "postgres", newUserDBURL)`
	`66`	`+ sqlDB, err := ConnectToPostgres(ctx, logger, "postgres", newUserDBURL)`
`67`	`67`	`if err != nil {`
`68`	`68`	`return xerrors.Errorf("connect to postgres: %w", err)`
`69`	`69`	`}`
Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,8 @@ Full build of Coder, supports the [40m [0m[91;40mserver[0m[40m [0m subcomm`
`34`	`34`	`"build_time": "0001-01-01T00:00:00Z",`
`35`	`35`	`"external_url": "https://github.com/coder/coder",`
`36`	`36`	`"slim": false,`
`37`		`- "agpl": false`
	`37`	`+ "agpl": false,`
	`38`	`+ "boring_crypto": false`
`38`	`39`	`}`
`39`	`40`	`
`40`	`41`	`for _, tt := range []struct {`