coder
diff --git a/‎cli/agent_test.go
Lines changed: 2 additions & 18 deletions b/‎cli/agent_test.go
Lines changed: 2 additions & 18 deletions
diff --git a/‎cli/configssh_test.go
Lines changed: 1 addition & 17 deletions b/‎cli/configssh_test.go
Lines changed: 1 addition & 17 deletions
diff --git a/‎cli/gitssh_test.go
Lines changed: 3 additions & 18 deletions b/‎cli/gitssh_test.go
Lines changed: 3 additions & 18 deletions
diff --git a/‎cli/portforward_test.go
Lines changed: 3 additions & 18 deletions b/‎cli/portforward_test.go
Lines changed: 3 additions & 18 deletions
diff --git a/‎cli/root.go
Lines changed: 11 additions & 5 deletions b/‎cli/root.go
Lines changed: 11 additions & 5 deletions
diff --git a/‎cli/scaletest.go
Lines changed: 4 additions & 4 deletions b/‎cli/scaletest.go
Lines changed: 4 additions & 4 deletions
diff --git a/‎cli/server.go
Lines changed: 15 additions & 40 deletions b/‎cli/server.go
Lines changed: 15 additions & 40 deletions
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 6 additions & 0 deletions b/‎coderd/apidoc/docs.go
Lines changed: 6 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 6 additions & 0 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 6 additions & 0 deletions
diff --git a/‎coderd/coderd.go
Lines changed: 6 additions & 1 deletion b/‎coderd/coderd.go
Lines changed: 6 additions & 1 deletion
diff --git a/‎coderd/database/db.go
Lines changed: 35 additions & 1 deletion b/‎coderd/database/db.go
Lines changed: 35 additions & 1 deletion
@@ -31,24 +31,8 @@ func TestWorkspaceAgent(t *testing.T) {
 		})
 		user := coderdtest.CreateFirstUser(t, client)
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
-			Parse: echo.ParseComplete,
-			ProvisionApply: []*proto.Provision_Response{{
-				Type: &proto.Provision_Response_Complete{
-					Complete: &proto.Provision_Complete{
-						Resources: []*proto.Resource{{
-							Name: "somename",
-							Type: "someinstance",
-							Agents: []*proto.Agent{{
-								Id:   uuid.NewString(),
-								Name: "someagent",
-								Auth: &proto.Agent_Token{
-									Token: authToken,
-								},
-							}},
-						}},
-					},
-				},
-			}},
+			Parse:          echo.ParseComplete,
+			ProvisionApply: echo.ProvisionApplyWithAgent(authToken),
 		})
 		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
 		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
 
@@ -94,23 +94,7 @@ func TestConfigSSH(t *testing.T) {
 				},
 			},
 		}},
-		ProvisionApply: []*proto.Provision_Response{{
-			Type: &proto.Provision_Response_Complete{
-				Complete: &proto.Provision_Complete{
-					Resources: []*proto.Resource{{
-						Name: "example",
-						Type: "aws_instance",
-						Agents: []*proto.Agent{{
-							Id:   uuid.NewString(),
-							Name: "example",
-							Auth: &proto.Agent_Token{
-								Token: authToken,
-							},
-						}},
-					}},
-				},
-			},
-		}},
+		ProvisionApply: echo.ProvisionApplyWithAgent(authToken),
 	})
 	coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
 	template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
 
@@ -24,7 +24,6 @@ import (
 	"github.com/coder/coder/coderd/coderdtest"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/provisioner/echo"
-	"github.com/coder/coder/provisionersdk/proto"
 	"github.com/coder/coder/pty/ptytest"
 	"github.com/coder/coder/testutil"
 )
@@ -48,23 +47,9 @@ func prepareTestGitSSH(ctx context.Context, t *testing.T) (*codersdk.Client, str
 	// setup template
 	agentToken := uuid.NewString()
 	version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
-		Parse:         echo.ParseComplete,
-		ProvisionPlan: echo.ProvisionComplete,
-		ProvisionApply: []*proto.Provision_Response{{
-			Type: &proto.Provision_Response_Complete{
-				Complete: &proto.Provision_Complete{
-					Resources: []*proto.Resource{{
-						Name: "somename",
-						Type: "someinstance",
-						Agents: []*proto.Agent{{
-							Auth: &proto.Agent_Token{
-								Token: agentToken,
-							},
-						}},
-					}},
-				},
-			},
-		}},
+		Parse:          echo.ParseComplete,
+		ProvisionPlan:  echo.ProvisionComplete,
+		ProvisionApply: echo.ProvisionApplyWithAgent(agentToken),
 	})
 	template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
 	coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
 
@@ -17,7 +17,6 @@ import (
 	"github.com/coder/coder/coderd/coderdtest"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/provisioner/echo"
-	"github.com/coder/coder/provisionersdk/proto"
 	"github.com/coder/coder/pty/ptytest"
 	"github.com/coder/coder/testutil"
 )
@@ -293,23 +292,9 @@ func runAgent(t *testing.T, client *codersdk.Client, userID uuid.UUID) codersdk.
 	// Setup template
 	agentToken := uuid.NewString()
 	version := coderdtest.CreateTemplateVersion(t, client, orgID, &echo.Responses{
-		Parse:         echo.ParseComplete,
-		ProvisionPlan: echo.ProvisionComplete,
-		ProvisionApply: []*proto.Provision_Response{{
-			Type: &proto.Provision_Response_Complete{
-				Complete: &proto.Provision_Complete{
-					Resources: []*proto.Resource{{
-						Name: "somename",
-						Type: "someinstance",
-						Agents: []*proto.Agent{{
-							Auth: &proto.Agent_Token{
-								Token: agentToken,
-							},
-						}},
-					}},
-				},
-			},
-		}},
+		Parse:          echo.ParseComplete,
+		ProvisionPlan:  echo.ProvisionComplete,
+		ProvisionApply: echo.ProvisionApplyWithAgent(agentToken),
 	})
 
 	// Create template and workspace
 
@@ -334,14 +334,14 @@ func createUnauthenticatedClient(cmd *cobra.Command, serverURL *url.URL) (*coder
 	}
 	transport := &headerTransport{
 		transport: http.DefaultTransport,
-		headers:   map[string]string{},
+		header:    http.Header{},
 	}
 	for _, header := range headers {
 		parts := strings.SplitN(header, "=", 2)
 		if len(parts) < 2 {
 			return nil, xerrors.Errorf("split header %q had less than two parts", header)
 		}
-		transport.headers[parts[0]] = parts[1]
+		transport.header.Add(parts[0], parts[1])
 	}
 	client.HTTPClient.Transport = transport
 	return client, nil
@@ -655,12 +655,18 @@ func checkWarnings(cmd *cobra.Command, client *codersdk.Client) error {
 
 type headerTransport struct {
 	transport http.RoundTripper
-	headers   map[string]string
+	header    http.Header
+}
+
+func (h *headerTransport) Header() http.Header {
+	return h.header.Clone()
 }
 
 func (h *headerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
-	for k, v := range h.headers {
-		req.Header.Add(k, v)
+	for k, v := range h.header {
+		for _, vv := range v {
+			req.Header.Add(k, vv)
+		}
 	}
 	return h.transport.RoundTrip(req)
 }
 
@@ -330,8 +330,8 @@ func scaletestCleanup() *cobra.Command {
 			client.HTTPClient = &http.Client{
 				Transport: &headerTransport{
 					transport: http.DefaultTransport,
-					headers: map[string]string{
-						codersdk.BypassRatelimitHeader: "true",
+					header: map[string][]string{
+						codersdk.BypassRatelimitHeader: {"true"},
 					},
 				},
 			}
@@ -515,8 +515,8 @@ It is recommended that all rate limits are disabled on the server before running
 			client.HTTPClient = &http.Client{
 				Transport: &headerTransport{
 					transport: http.DefaultTransport,
-					headers: map[string]string{
-						codersdk.BypassRatelimitHeader: "true",
+					header: map[string][]string{
+						codersdk.BypassRatelimitHeader: {"true"},
 					},
 				},
 			}
 
@@ -85,6 +85,7 @@ import (
 	"github.com/coder/coder/provisionersdk"
 	sdkproto "github.com/coder/coder/provisionersdk/proto"
 	"github.com/coder/coder/tailnet"
+	"github.com/coder/wgtunnel/tunnelsdk"
 )
 
 // ReadGitAuthProvidersFromEnv is provided for compatibility purposes with the
@@ -538,34 +539,25 @@ flags, and YAML configuration. The precedence is as follows:
 				return xerrors.Errorf("configure http client: %w", err)
 			}
 
-			var (
-				ctxTunnel, closeTunnel = context.WithCancel(ctx)
-				tunnel                 *devtunnel.Tunnel
-				tunnelErr              <-chan error
-			)
-			defer closeTunnel()
-
 			// If the access URL is empty, we attempt to run a reverse-proxy
 			// tunnel to make the initial setup really simple.
+			var (
+				tunnel     *tunnelsdk.Tunnel
+				tunnelDone <-chan struct{} = make(chan struct{}, 1)
+			)
 			if cfg.AccessURL.String() == "" {
 				cmd.Printf("Opening tunnel so workspaces can connect to your deployment. For production scenarios, specify an external access URL\n")
-				tunnel, tunnelErr, err = devtunnel.New(ctxTunnel, logger.Named("devtunnel"))
+				tunnel, err = devtunnel.New(ctx, logger.Named("devtunnel"), cfg.WgtunnelHost.String())
 				if err != nil {
 					return xerrors.Errorf("create tunnel: %w", err)
 				}
-				err = cfg.AccessURL.Set(tunnel.URL)
-				if err != nil {
-					return xerrors.Errorf("set access url: %w", err)
-				}
+				defer tunnel.Close()
+				tunnelDone = tunnel.Wait()
+				cfg.AccessURL = clibase.URL(*tunnel.URL)
 
 				if cfg.WildcardAccessURL.String() == "" {
-					u, err := parseURL(tunnel.URL)
-					if err != nil {
-						return xerrors.Errorf("parse tunnel url: %w", err)
-					}
-
 					// Suffixed wildcard access URL.
-					u, err = url.Parse(fmt.Sprintf("*--%s", u.Hostname()))
+					u, err := url.Parse(fmt.Sprintf("*--%s", tunnel.URL.Hostname()))
 					if err != nil {
 						return xerrors.Errorf("parse wildcard url: %w", err)
 					}
@@ -796,6 +788,7 @@ flags, and YAML configuration. The precedence is as follows:
 					AllowSignups:        cfg.OIDC.AllowSignups.Value(),
 					UsernameField:       cfg.OIDC.UsernameField.String(),
 					GroupField:          cfg.OIDC.GroupField.String(),
+					GroupMapping:        cfg.OIDC.GroupMapping.Value,
 					SignInText:          cfg.OIDC.SignInText.String(),
 					IconURL:             cfg.OIDC.IconURL.String(),
 					IgnoreEmailVerified: cfg.OIDC.IgnoreEmailVerified.Value(),
@@ -1089,10 +1082,8 @@ flags, and YAML configuration. The precedence is as follows:
 				_, _ = fmt.Fprintln(cmd.OutOrStdout(), cliui.Styles.Bold.Render(
 					"Interrupt caught, gracefully exiting. Use ctrl+\\ to force quit",
 				))
-			case exitErr = <-tunnelErr:
-				if exitErr == nil {
-					exitErr = xerrors.New("dev tunnel closed unexpectedly")
-				}
+			case <-tunnelDone:
+				exitErr = xerrors.New("dev tunnel closed unexpectedly")
 			case exitErr = <-errCh:
 			}
 			if exitErr != nil && !xerrors.Is(exitErr, context.Canceled) {
@@ -1161,8 +1152,8 @@ flags, and YAML configuration. The precedence is as follows:
 			// Close tunnel after we no longer have in-flight connections.
 			if tunnel != nil {
 				cmd.Println("Waiting for tunnel to close...")
-				closeTunnel()
-				<-tunnelErr
+				_ = tunnel.Close()
+				<-tunnel.Wait()
 				cmd.Println("Done waiting for tunnel")
 			}
 
@@ -1240,22 +1231,6 @@ flags, and YAML configuration. The precedence is as follows:
 	return root
 }
 
-// parseURL parses a string into a URL.
-func parseURL(u string) (*url.URL, error) {
-	hasScheme := strings.HasPrefix(u, "http:") || strings.HasPrefix(u, "https:")
-
-	if !hasScheme {
-		return nil, xerrors.Errorf("URL %q must have a scheme of either http or https", u)
-	}
-
-	parsed, err := url.Parse(u)
-	if err != nil {
-		return nil, err
-	}
-
-	return parsed, nil
-}
-
 // isLocalURL returns true if the hostname of the provided URL appears to
 // resolve to a loopback address.
 func isLocalURL(ctx context.Context, u *url.URL) (bool, error) {
 
@@ -223,7 +223,12 @@ func New(options *Options) *API {
 		options.SSHConfig.HostnamePrefix = "coder."
 	}
 	if options.SetUserGroups == nil {
-		options.SetUserGroups = func(context.Context, database.Store, uuid.UUID, []string) error { return nil }
+		options.SetUserGroups = func(ctx context.Context, _ database.Store, id uuid.UUID, groups []string) error {
+			options.Logger.Warn(ctx, "attempted to assign OIDC groups without enterprise license",
+				slog.F("id", id), slog.F("groups", groups),
+			)
+			return nil
+		}
 	}
 	if options.TemplateScheduleStore == nil {
 		options.TemplateScheduleStore = schedule.NewAGPLTemplateScheduleStore()
 
@@ -67,8 +67,42 @@ func (q *sqlQuerier) Ping(ctx context.Context) (time.Duration, error) {
 	return time.Since(start), err
 }
 
-// InTx performs database operations inside a transaction.
 func (q *sqlQuerier) InTx(function func(Store) error, txOpts *sql.TxOptions) error {
+	_, inTx := q.db.(*sqlx.Tx)
+	isolation := sql.LevelDefault
+	if txOpts != nil {
+		isolation = txOpts.Isolation
+	}
+
+	// If we are not already in a transaction, and we are running in serializable
+	// mode, we need to run the transaction in a retry loop. The caller should be
+	// prepared to allow retries if using serializable mode.
+	// If we are in a transaction already, the parent InTx call will handle the retry.
+	// We do not want to duplicate those retries.
+	if !inTx && isolation == sql.LevelSerializable {
+		// This is an arbitrarily chosen number.
+		const retryAmount = 3
+		var err error
+		attempts := 0
+		for attempts = 0; attempts < retryAmount; attempts++ {
+			err = q.runTx(function, txOpts)
+			if err == nil {
+				// Transaction succeeded.
+				return nil
+			}
+			if err != nil && !IsSerializedError(err) {
+				// We should only retry if the error is a serialization error.
+				return err
+			}
+		}
+		// Transaction kept failing in serializable mode.
+		return xerrors.Errorf("transaction failed after %d attempts: %w", attempts, err)
+	}
+	return q.runTx(function, txOpts)
+}
+
+// InTx performs database operations inside a transaction.
+func (q *sqlQuerier) runTx(function func(Store) error, txOpts *sql.TxOptions) error {
 	if _, ok := q.db.(*sqlx.Tx); ok {
 		// If the current inner "db" is already a transaction, we just reuse it.
 		// We do not need to handle commit/rollback as the outer tx will handle
Original file line number	Diff line number	Diff line change
`@@ -334,14 +334,14 @@ func createUnauthenticatedClient(cmd cobra.Command, serverURL url.URL) (*coder`
`334`	`334`	`}`
`335`	`335`	`transport := &headerTransport{`
`336`	`336`	`transport: http.DefaultTransport,`
`337`		`- headers: map[string]string{},`
	`337`	`+ header: http.Header{},`
`338`	`338`	`}`
`339`	`339`	`for _, header := range headers {`
`340`	`340`	`parts := strings.SplitN(header, "=", 2)`
`341`	`341`	`if len(parts) < 2 {`
`342`	`342`	`return nil, xerrors.Errorf("split header %q had less than two parts", header)`
`343`	`343`	`}`
`344`		`- transport.headers[parts[0]] = parts[1]`
	`344`	`+ transport.header.Add(parts[0], parts[1])`
`345`	`345`	`}`
`346`	`346`	`client.HTTPClient.Transport = transport`
`347`	`347`	`return client, nil`
`@@ -655,12 +655,18 @@ func checkWarnings(cmd cobra.Command, client codersdk.Client) error {`
`655`	`655`
`656`	`656`	`type headerTransport struct {`
`657`	`657`	`transport http.RoundTripper`
`658`		`- headers map[string]string`
	`658`	`+ header http.Header`
	`659`	`+}`
	`660`	`+`
	`661`	`+func (h *headerTransport) Header() http.Header {`
	`662`	`+ return h.header.Clone()`
`659`	`663`	`}`
`660`	`664`
`661`	`665`	`func (h headerTransport) RoundTrip(req http.Request) (*http.Response, error) {`
`662`		`- for k, v := range h.headers {`
`663`		`- req.Header.Add(k, v)`
	`666`	`+ for k, v := range h.header {`
	`667`	`+ for _, vv := range v {`
	`668`	`+ req.Header.Add(k, vv)`
	`669`	`+ }`
`664`	`670`	`}`
`665`	`671`	`return h.transport.RoundTrip(req)`
`666`	`672`	`}`
Original file line number	Diff line number	Diff line change
`@@ -223,7 +223,12 @@ func New(options Options) API {`
`223`	`223`	`options.SSHConfig.HostnamePrefix = "coder."`
`224`	`224`	`}`
`225`	`225`	`if options.SetUserGroups == nil {`
`226`		`- options.SetUserGroups = func(context.Context, database.Store, uuid.UUID, []string) error { return nil }`
	`226`	`+ options.SetUserGroups = func(ctx context.Context, _ database.Store, id uuid.UUID, groups []string) error {`
	`227`	`+ options.Logger.Warn(ctx, "attempted to assign OIDC groups without enterprise license",`
	`228`	`+ slog.F("id", id), slog.F("groups", groups),`
	`229`	`+ )`
	`230`	`+ return nil`
	`231`	`+ }`
`227`	`232`	`}`
`228`	`233`	`if options.TemplateScheduleStore == nil {`
`229`	`234`	`options.TemplateScheduleStore = schedule.NewAGPLTemplateScheduleStore()`