coder
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 7 additions & 2 deletions b/‎coderd/apidoc/docs.go
Lines changed: 7 additions & 2 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 7 additions & 2 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 7 additions & 2 deletions
diff --git a/‎coderd/audit.go
Lines changed: 2 additions & 0 deletions b/‎coderd/audit.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/audit/diff.go
Lines changed: 2 additions & 1 deletion b/‎coderd/audit/diff.go
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/audit/request.go
Lines changed: 7 additions & 0 deletions b/‎coderd/audit/request.go
Lines changed: 7 additions & 0 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 1 addition & 0 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/database/dbauthz/querier.go
Lines changed: 9 additions & 5 deletions b/‎coderd/database/dbauthz/querier.go
Lines changed: 9 additions & 5 deletions
diff --git a/‎coderd/database/dbauthz/setup_test.go
Lines changed: 22 additions & 2 deletions b/‎coderd/database/dbauthz/setup_test.go
Lines changed: 22 additions & 2 deletions
diff --git a/‎coderd/database/dump.sql
Lines changed: 2 additions & 1 deletion b/‎coderd/database/dump.sql
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/database/migrations/000098_add_resource_type_license.down.sql
Lines changed: 2 additions & 0 deletions b/‎coderd/database/migrations/000098_add_resource_type_license.down.sql
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/database/migrations/000098_add_resource_type_license.up.sql
Lines changed: 3 additions & 0 deletions b/‎coderd/database/migrations/000098_add_resource_type_license.up.sql
Lines changed: 3 additions & 0 deletions
diff --git a/‎coderd/database/models.go
Lines changed: 4 additions & 1 deletion b/‎coderd/database/models.go
Lines changed: 4 additions & 1 deletion
diff --git a/‎codersdk/audit.go
Lines changed: 3 additions & 0 deletions b/‎codersdk/audit.go
Lines changed: 3 additions & 0 deletions
diff --git a/‎codersdk/deployment.go
Lines changed: 6 additions & 5 deletions b/‎codersdk/deployment.go
Lines changed: 6 additions & 5 deletions
diff --git a/‎docs/admin/audit-logs.md
Lines changed: 1 addition & 0 deletions b/‎docs/admin/audit-logs.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/api/enterprise.md
Lines changed: 1 addition & 0 deletions b/‎docs/api/enterprise.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/api/schemas.md
Lines changed: 12 additions & 9 deletions b/‎docs/api/schemas.md
Lines changed: 12 additions & 9 deletions
diff --git a/‎enterprise/audit/table.go
Lines changed: 18 additions & 10 deletions b/‎enterprise/audit/table.go
Lines changed: 18 additions & 10 deletions
@@ -456,6 +456,8 @@ func resourceTypeFromString(resourceTypeString string) string {
 		return resourceTypeString
 	case codersdk.ResourceTypeGroup:
 		return resourceTypeString
+	case codersdk.ResourceTypeLicense:
+		return resourceTypeString
 	}
 	return ""
 }
 
@@ -15,7 +15,8 @@ type Auditable interface {
 		database.Workspace |
 		database.GitSSHKey |
 		database.WorkspaceBuild |
-		database.AuditableGroup
+		database.AuditableGroup |
+		database.License
 }
 
 // Map is a map of changed fields in an audited resource. It maps field names to
 
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"strconv"
 
 	"github.com/google/uuid"
 	"github.com/tabbed/pqtype"
@@ -71,6 +72,8 @@ func ResourceTarget[T Auditable](tgt T) string {
 	case database.APIKey:
 		// this isn't used
 		return ""
+	case database.License:
+		return strconv.Itoa(int(typed.ID))
 	default:
 		panic(fmt.Sprintf("unknown resource %T", tgt))
 	}
@@ -94,6 +97,8 @@ func ResourceID[T Auditable](tgt T) uuid.UUID {
 		return typed.Group.ID
 	case database.APIKey:
 		return typed.UserID
+	case database.License:
+		return typed.UUID
 	default:
 		panic(fmt.Sprintf("unknown resource %T", tgt))
 	}
@@ -117,6 +122,8 @@ func ResourceType[T Auditable](tgt T) database.ResourceType {
 		return database.ResourceTypeGroup
 	case database.APIKey:
 		return database.ResourceTypeApiKey
+	case database.License:
+		return database.ResourceTypeLicense
 	default:
 		panic(fmt.Sprintf("unknown resource %T", tgt))
 	}
 
@@ -61,6 +61,7 @@ func logNotAuthorizedError(ctx context.Context, logger slog.Logger, err error) e
 			slog.Error(err),
 		)
 	}
+
 	return NotAuthorizedError{
 		Err: err,
 	}
 
@@ -438,12 +438,16 @@ func (q *querier) canAssignRoles(ctx context.Context, orgID *uuid.UUID, added, r
 		}
 	}
 
-	if len(added) > 0 && q.authorizeContext(ctx, rbac.ActionCreate, roleAssign) != nil {
-		return logNotAuthorizedError(ctx, q.log, xerrors.Errorf("not authorized to assign roles"))
+	if len(added) > 0 {
+		if err := q.authorizeContext(ctx, rbac.ActionCreate, roleAssign); err != nil {
+			return err
+		}
 	}
 
-	if len(removed) > 0 && q.authorizeContext(ctx, rbac.ActionDelete, roleAssign) != nil {
-		return logNotAuthorizedError(ctx, q.log, xerrors.Errorf("not authorized to delete roles"))
+	if len(removed) > 0 {
+		if err := q.authorizeContext(ctx, rbac.ActionDelete, roleAssign); err != nil {
+			return err
+		}
 	}
 
 	for _, roleName := range grantedRoles {
@@ -1244,7 +1248,7 @@ func (q *querier) GetWorkspaceAgentsByResourceIDs(ctx context.Context, ids []uui
 			continue
 		}
 		// Otherwise, we cannot read the workspace, so we cannot read the agent.
-		return nil, logNotAuthorizedError(ctx, q.log, err)
+		return nil, err
 	}
 	return agents, nil
 }
 
@@ -9,11 +9,11 @@ import (
 	"strings"
 	"testing"
 
-	"golang.org/x/xerrors"
-
 	"github.com/google/uuid"
+	"github.com/open-policy-agent/opa/topdown"
 	"github.com/stretchr/testify/require"
 	"github.com/stretchr/testify/suite"
+	"golang.org/x/xerrors"
 
 	"cdr.dev/slog"
 	"github.com/coder/coder/coderd/coderdtest"
@@ -225,6 +225,26 @@ func (s *MethodTestSuite) NotAuthorizedErrorTest(ctx context.Context, az *coderd
 			s.ErrorAs(err, &dbauthz.NotAuthorizedError{}, "error should be NotAuthorizedError")
 		}
 	})
+
+	s.Run("Cancelled", func() {
+		// Pass in a cancelled context
+		ctx, cancel := context.WithCancel(ctx)
+		cancel()
+		az.AlwaysReturn = rbac.ForbiddenWithInternal(&topdown.Error{Code: topdown.CancelErr},
+			rbac.Subject{}, "", rbac.Object{}, nil)
+
+		// If we have assertions, that means the method should FAIL
+		// if RBAC will disallow the request. The returned error should
+		// be expected to be a NotAuthorizedError.
+		resp, err := callMethod(ctx)
+
+		// This is unfortunate, but if we are using `Filter` the error returned will be nil. So filter out
+		// any case where the error is nil and the response is an empty slice.
+		if err != nil || !hasEmptySliceResponse(resp) {
+			s.Errorf(err, "method should an error with cancellation")
+			s.ErrorIsf(err, context.Canceled, "error should match context.Cancelled")
+		}
+	})
 }
 
 func hasEmptySliceResponse(values []reflect.Value) bool {
 
@@ -0,0 +1,2 @@
+-- It's not possible to drop enum values from enum types, so the UP has "IF NOT
+-- EXISTS".
@@ -0,0 +1,3 @@
+ALTER TYPE resource_type
+  ADD VALUE IF NOT EXISTS 'license';
+
@@ -22,6 +22,7 @@ const (
 	ResourceTypeGitSSHKey       ResourceType = "git_ssh_key"
 	ResourceTypeAPIKey          ResourceType = "api_key"
 	ResourceTypeGroup           ResourceType = "group"
+	ResourceTypeLicense         ResourceType = "license"
 )
 
 func (r ResourceType) FriendlyString() string {
@@ -44,6 +45,8 @@ func (r ResourceType) FriendlyString() string {
 		return "api key"
 	case ResourceTypeGroup:
 		return "group"
+	case ResourceTypeLicense:
+		return "license"
 	default:
 		return "unknown"
 	}
 
@@ -81,11 +81,12 @@ type Feature struct {
 }
 
 type Entitlements struct {
-	Features   map[FeatureName]Feature `json:"features"`
-	Warnings   []string                `json:"warnings"`
-	Errors     []string                `json:"errors"`
-	HasLicense bool                    `json:"has_license"`
-	Trial      bool                    `json:"trial"`
+	Features         map[FeatureName]Feature `json:"features"`
+	Warnings         []string                `json:"warnings"`
+	Errors           []string                `json:"errors"`
+	HasLicense       bool                    `json:"has_license"`
+	Trial            bool                    `json:"trial"`
+	RequireTelemetry bool                    `json:"require_telemetry"`
 
 	// DEPRECATED: use Experiments instead.
 	Experimental bool `json:"experimental"`
 
@@ -14,6 +14,7 @@ We track the following resources:
 | APIKey<br><i>write</i>                    | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>created_at</td><td>false</td></tr><tr><td>expires_at</td><td>false</td></tr><tr><td>hashed_secret</td><td>false</td></tr><tr><td>id</td><td>false</td></tr><tr><td>ip_address</td><td>false</td></tr><tr><td>last_used</td><td>false</td></tr><tr><td>lifetime_seconds</td><td>false</td></tr><tr><td>login_type</td><td>false</td></tr><tr><td>scope</td><td>false</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>user_id</td><td>false</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                          |
 | Group<br><i>create, write, delete</i>     | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>avatar_url</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>members</td><td>true</td></tr><tr><td>name</td><td>true</td></tr><tr><td>organization_id</td><td>false</td></tr><tr><td>quota_allowance</td><td>true</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
 | GitSSHKey<br><i>create</i>                | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>created_at</td><td>false</td></tr><tr><td>private_key</td><td>true</td></tr><tr><td>public_key</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>user_id</td><td>true</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
+| License<br><i>create, delete</i>          | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>exp</td><td>true</td></tr><tr><td>id</td><td>false</td></tr><tr><td>jwt</td><td>false</td></tr><tr><td>uploaded_at</td><td>true</td></tr><tr><td>uuid</td><td>true</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
 | Template<br><i>write, delete</i>          | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>active_version_id</td><td>true</td></tr><tr><td>allow_user_cancel_workspace_jobs</td><td>true</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>created_by</td><td>true</td></tr><tr><td>default_ttl</td><td>true</td></tr><tr><td>deleted</td><td>false</td></tr><tr><td>description</td><td>true</td></tr><tr><td>display_name</td><td>true</td></tr><tr><td>group_acl</td><td>true</td></tr><tr><td>icon</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>is_private</td><td>true</td></tr><tr><td>min_autostart_interval</td><td>true</td></tr><tr><td>name</td><td>true</td></tr><tr><td>organization_id</td><td>false</td></tr><tr><td>provisioner</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>user_acl</td><td>true</td></tr></tbody></table> |
 | TemplateVersion<br><i>create, write</i>   | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>created_at</td><td>false</td></tr><tr><td>created_by</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>job_id</td><td>false</td></tr><tr><td>name</td><td>true</td></tr><tr><td>organization_id</td><td>false</td></tr><tr><td>readme</td><td>true</td></tr><tr><td>template_id</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr></tbody></table>                                                                                                                                                                                                                                                                                                                                                                                                                           |
 | User<br><i>create, write, delete</i>      | <table><thead><tr><th>Field</th><th>Tracked</th></tr></thead><tbody><tr><td>avatar_url</td><td>false</td></tr><tr><td>created_at</td><td>false</td></tr><tr><td>deleted</td><td>true</td></tr><tr><td>email</td><td>true</td></tr><tr><td>hashed_password</td><td>true</td></tr><tr><td>id</td><td>true</td></tr><tr><td>last_seen_at</td><td>false</td></tr><tr><td>login_type</td><td>false</td></tr><tr><td>rbac_roles</td><td>true</td></tr><tr><td>status</td><td>true</td></tr><tr><td>updated_at</td><td>false</td></tr><tr><td>username</td><td>true</td></tr></tbody></table>                                                                                                                                                                                                                                                                                              |
 
@@ -128,6 +128,7 @@ curl -X GET http://coder-server:8080/api/v2/entitlements \
     }
   },
   "has_license": true,
+  "require_telemetry": true,
   "trial": true,
   "warnings": ["string"]
 }
 
@@ -2813,22 +2813,24 @@ CreateParameterRequest is a structure used to create a new parameter value for a
     }
   },
   "has_license": true,
+  "require_telemetry": true,
   "trial": true,
   "warnings": ["string"]
 }
 ```
 
 ### Properties
 
-| Name               | Type                                 | Required | Restrictions | Description                           |
-| ------------------ | ------------------------------------ | -------- | ------------ | ------------------------------------- |
-| `errors`           | array of string                      | false    |              |                                       |
-| `experimental`     | boolean                              | false    |              | Experimental use Experiments instead. |
-| `features`         | object                               | false    |              |                                       |
-| » `[any property]` | [codersdk.Feature](#codersdkfeature) | false    |              |                                       |
-| `has_license`      | boolean                              | false    |              |                                       |
-| `trial`            | boolean                              | false    |              |                                       |
-| `warnings`         | array of string                      | false    |              |                                       |
+| Name                | Type                                 | Required | Restrictions | Description                           |
+| ------------------- | ------------------------------------ | -------- | ------------ | ------------------------------------- |
+| `errors`            | array of string                      | false    |              |                                       |
+| `experimental`      | boolean                              | false    |              | Experimental use Experiments instead. |
+| `features`          | object                               | false    |              |                                       |
+| » `[any property]`  | [codersdk.Feature](#codersdkfeature) | false    |              |                                       |
+| `has_license`       | boolean                              | false    |              |                                       |
+| `require_telemetry` | boolean                              | false    |              |                                       |
+| `trial`             | boolean                              | false    |              |                                       |
+| `warnings`          | array of string                      | false    |              |                                       |
 
 ## codersdk.Experiment
 
@@ -4059,6 +4061,7 @@ Parameter represents a set value for the scope.
 | `git_ssh_key`      |
 | `api_key`          |
 | `group`            |
+| `license`          |
 
 ## codersdk.Response
 
 
@@ -13,16 +13,15 @@ import (
 // AuditableResources map (below) as our documentation - generated in scripts/auditdocgen/main.go -
 // depends upon it.
 var AuditActionMap = map[string][]codersdk.AuditAction{
-	"GitSSHKey":          {codersdk.AuditActionCreate},
-	"OrganizationMember": {},
-	"Organization":       {},
-	"Template":           {codersdk.AuditActionWrite, codersdk.AuditActionDelete},
-	"TemplateVersion":    {codersdk.AuditActionCreate, codersdk.AuditActionWrite},
-	"User":               {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
-	"Workspace":          {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
-	"WorkspaceBuild":     {codersdk.AuditActionStart, codersdk.AuditActionStop},
-	"Group":              {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
-	"APIKey":             {codersdk.AuditActionWrite},
+	"GitSSHKey":       {codersdk.AuditActionCreate},
+	"Template":        {codersdk.AuditActionWrite, codersdk.AuditActionDelete},
+	"TemplateVersion": {codersdk.AuditActionCreate, codersdk.AuditActionWrite},
+	"User":            {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
+	"Workspace":       {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
+	"WorkspaceBuild":  {codersdk.AuditActionStart, codersdk.AuditActionStop},
+	"Group":           {codersdk.AuditActionCreate, codersdk.AuditActionWrite, codersdk.AuditActionDelete},
+	"APIKey":          {codersdk.AuditActionWrite},
+	"License":         {codersdk.AuditActionCreate, codersdk.AuditActionDelete},
 }
 
 type Action string
@@ -147,6 +146,15 @@ var AuditableResources = auditMap(map[any]map[string]Action{
 		"ip_address":       ActionIgnore,
 		"scope":            ActionIgnore,
 	},
+	// TODO: track an ID here when the below ticket is completed:
+	// https://github.com/coder/coder/pull/6012
+	&database.License{}: {
+		"id":          ActionIgnore,
+		"uploaded_at": ActionTrack,
+		"jwt":         ActionIgnore,
+		"exp":         ActionTrack,
+		"uuid":        ActionTrack,
+	},
 })
 
 // auditMap converts a map of struct pointers to a map of struct names as
Original file line number	Diff line number	Diff line change
`@@ -456,6 +456,8 @@ func resourceTypeFromString(resourceTypeString string) string {`
`456`	`456`	`return resourceTypeString`
`457`	`457`	`case codersdk.ResourceTypeGroup:`
`458`	`458`	`return resourceTypeString`
	`459`	`+ case codersdk.ResourceTypeLicense:`
	`460`	`+ return resourceTypeString`
`459`	`461`	`}`
`460`	`462`	`return ""`
`461`	`463`	`}`
Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,8 @@ type Auditable interface {`
`15`	`15`	`database.Workspace \|`
`16`	`16`	`database.GitSSHKey \|`
`17`	`17`	`database.WorkspaceBuild \|`
`18`		`- database.AuditableGroup`
	`18`	`+ database.AuditableGroup \|`
	`19`	`+ database.License`
`19`	`20`	`}`
`20`	`21`
`21`	`22`	`// Map is a map of changed fields in an audited resource. It maps field names to`
Original file line number	Diff line number	Diff line change
`@@ -61,6 +61,7 @@ func logNotAuthorizedError(ctx context.Context, logger slog.Logger, err error) e`
`61`	`61`	`slog.Error(err),`
`62`	`62`	`)`
`63`	`63`	`}`
	`64`	`+`
`64`	`65`	`return NotAuthorizedError{`
`65`	`66`	`Err: err,`
`66`	`67`	`}`
Original file line number	Diff line number	Diff line change
`@@ -438,12 +438,16 @@ func (q querier) canAssignRoles(ctx context.Context, orgID uuid.UUID, added, r`
`438`	`438`	`}`
`439`	`439`	`}`
`440`	`440`
`441`		`- if len(added) > 0 && q.authorizeContext(ctx, rbac.ActionCreate, roleAssign) != nil {`
`442`		`- return logNotAuthorizedError(ctx, q.log, xerrors.Errorf("not authorized to assign roles"))`
	`441`	`+ if len(added) > 0 {`
	`442`	`+ if err := q.authorizeContext(ctx, rbac.ActionCreate, roleAssign); err != nil {`
	`443`	`+ return err`
	`444`	`+ }`
`443`	`445`	`}`
`444`	`446`
`445`		`- if len(removed) > 0 && q.authorizeContext(ctx, rbac.ActionDelete, roleAssign) != nil {`
`446`		`- return logNotAuthorizedError(ctx, q.log, xerrors.Errorf("not authorized to delete roles"))`
	`447`	`+ if len(removed) > 0 {`
	`448`	`+ if err := q.authorizeContext(ctx, rbac.ActionDelete, roleAssign); err != nil {`
	`449`	`+ return err`
	`450`	`+ }`
`447`	`451`	`}`
`448`	`452`
`449`	`453`	`for _, roleName := range grantedRoles {`
`@@ -1244,7 +1248,7 @@ func (q *querier) GetWorkspaceAgentsByResourceIDs(ctx context.Context, ids []uui`
`1244`	`1248`	`continue`
`1245`	`1249`	`}`
`1246`	`1250`	`// Otherwise, we cannot read the workspace, so we cannot read the agent.`
`1247`		`- return nil, logNotAuthorizedError(ctx, q.log, err)`
	`1251`	`+ return nil, err`
`1248`	`1252`	`}`
`1249`	`1253`	`return agents, nil`
`1250`	`1254`	`}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+-- It's not possible to drop enum values from enum types, so the UP has "IF NOT`
	`2`	`+-- EXISTS".`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+ALTER TYPE resource_type`
	`2`	`+ ADD VALUE IF NOT EXISTS 'license';`
	`3`	`+`
Original file line number	Diff line number	Diff line change
`@@ -128,6 +128,7 @@ curl -X GET http://coder-server:8080/api/v2/entitlements \`
`128`	`128`	`}`
`129`	`129`	`},`
`130`	`130`	`"has_license": true,`
	`131`	`+ "require_telemetry": true,`
`131`	`132`	`"trial": true,`
`132`	`133`	`"warnings": ["string"]`
`133`	`134`	`}`