coder
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/ci.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/contrib.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/contrib.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/docker-base.yaml
Lines changed: 30 additions & 0 deletions b/‎.github/workflows/docker-base.yaml
Lines changed: 30 additions & 0 deletions
diff --git a/‎.github/workflows/release.yaml
Lines changed: 31 additions & 1 deletion b/‎.github/workflows/release.yaml
Lines changed: 31 additions & 1 deletion
diff --git a/‎.github/workflows/security.yaml
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/security.yaml
Lines changed: 2 additions & 2 deletions
diff --git a/‎.vscode/settings.json
Lines changed: 1 addition & 0 deletions b/‎.vscode/settings.json
Lines changed: 1 addition & 0 deletions
diff --git a/‎cli/tokens.go
Lines changed: 4 additions & 17 deletions b/‎cli/tokens.go
Lines changed: 4 additions & 17 deletions
diff --git a/‎coderd/apikey.go
Lines changed: 23 additions & 2 deletions b/‎coderd/apikey.go
Lines changed: 23 additions & 2 deletions
diff --git a/‎coderd/audit.go
Lines changed: 2 additions & 125 deletions b/‎coderd/audit.go
Lines changed: 2 additions & 125 deletions
@@ -41,7 +41,7 @@ jobs:
 
       # Check for any typos!
       - name: Check for typos
-        uses: crate-ci/typos@v1.13.9
+        uses: crate-ci/typos@v1.13.14
         with:
           config: .github/workflows/typos.toml
       - name: Fix the typos
 
@@ -33,7 +33,7 @@ jobs:
     steps:
       - name: cla
         if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
-        uses: contributor-assistant/github-action@v2.2.1
+        uses: contributor-assistant/github-action@v2.3.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           # the below token should have repo scope and must be manually added by you in the repository's secret
 
@@ -53,8 +53,38 @@ jobs:
           project: wl5hnrrkns
           context: base-build-context
           file: scripts/Dockerfile.base
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
           pull: true
           no-cache: true
           push: true
           tags: |
             ghcr.io/coder/coder-base:latest
+
+      - name: Verify that images are pushed properly
+        run: |
+          # retry 10 times with a 5 second delay as the images may not be
+          # available immediately
+          for i in {1..10}; do
+            rc=0
+            raw_manifests=$(docker buildx imagetools inspect --raw ghcr.io/coder/coder-base:latest) || rc=$?
+            if [[ "$rc" -eq 0 ]]; then
+              break
+            fi
+            if [[ "$i" -eq 10 ]]; then
+              echo "Failed to pull manifests after 10 retries"
+              exit 1
+            fi
+            echo "Failed to pull manifests, retrying in 5 seconds"
+            sleep 5
+          done
+
+          manifests=$(
+            echo "$raw_manifests" | \
+              jq -r '.manifests[].platform | .os + "/" + .architecture + (if .variant then "/" + .variant else "" end)'
+          )
+
+          # Verify all 3 platforms are present.
+          set -euxo pipefail
+          echo "$manifests" | grep -q linux/amd64
+          echo "$manifests" | grep -q linux/arm64
+          echo "$manifests" | grep -q linux/arm/v7
@@ -188,12 +188,42 @@ jobs:
           project: wl5hnrrkns
           context: base-build-context
           file: scripts/Dockerfile.base
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
           pull: true
           no-cache: true
           push: true
           tags: |
             ${{ steps.image-base-tag.outputs.tag }}
 
+      - name: Verify that images are pushed properly
+        run: |
+          # retry 10 times with a 5 second delay as the images may not be
+          # available immediately
+          for i in {1..10}; do
+            rc=0
+            raw_manifests=$(docker buildx imagetools inspect --raw "${{ steps.image-base-tag.outputs.tag }}") || rc=$?
+            if [[ "$rc" -eq 0 ]]; then
+              break
+            fi
+            if [[ "$i" -eq 10 ]]; then
+              echo "Failed to pull manifests after 10 retries"
+              exit 1
+            fi
+            echo "Failed to pull manifests, retrying in 5 seconds"
+            sleep 5
+          done
+
+          manifests=$(
+            echo "$raw_manifests" | \
+              jq -r '.manifests[].platform | .os + "/" + .architecture + (if .variant then "/" + .variant else "" end)'
+          )
+
+          # Verify all 3 platforms are present.
+          set -euxo pipefail
+          echo "$manifests" | grep -q linux/amd64
+          echo "$manifests" | grep -q linux/arm64
+          echo "$manifests" | grep -q linux/arm/v7
+
       - name: Build Linux Docker images
         run: |
           set -euxo pipefail
@@ -275,7 +305,7 @@ jobs:
 
       - name: Upload artifacts to actions (if dry-run)
         if: ${{ inputs.dry_run }}
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: release-artifacts
           path: |
 
@@ -116,7 +116,7 @@ jobs:
           echo "image=$(cat "$image_job")" >> $GITHUB_OUTPUT
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
+        uses: aquasecurity/trivy-action@8bd2f9fbda2109502356ff8a6a89da55b1ead252
         with:
           image-ref: ${{ steps.build.outputs.image }}
           format: sarif
@@ -130,7 +130,7 @@ jobs:
           category: "Trivy"
 
       - name: Upload Trivy scan results as an artifact
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: trivy
           path: trivy-results.sarif
 
@@ -4,6 +4,7 @@
     "agentsdk",
     "apps",
     "ASKPASS",
+    "authcheck",
     "autostop",
     "awsidentity",
     "bodyclose",
 
@@ -6,7 +6,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/google/uuid"
 	"github.com/spf13/cobra"
 	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"
@@ -99,16 +98,14 @@ type tokenListRow struct {
 	Owner     string    `json:"-" table:"owner"`
 }
 
-func tokenListRowFromToken(token codersdk.APIKey, usersByID map[uuid.UUID]codersdk.User) tokenListRow {
-	user := usersByID[token.UserID]
-
+func tokenListRowFromToken(token codersdk.APIKeyWithOwner) tokenListRow {
 	return tokenListRow{
-		APIKey:    token,
+		APIKey:    token.APIKey,
 		ID:        token.ID,
 		LastUsed:  token.LastUsed,
 		ExpiresAt: token.ExpiresAt,
 		CreatedAt: token.CreatedAt,
-		Owner:     user.Username,
+		Owner:     token.Username,
 	}
 }
 
@@ -150,20 +147,10 @@ func listTokens() *cobra.Command {
 				))
 			}
 
-			userRes, err := client.Users(cmd.Context(), codersdk.UsersRequest{})
-			if err != nil {
-				return err
-			}
-
-			usersByID := map[uuid.UUID]codersdk.User{}
-			for _, user := range userRes.Users {
-				usersByID[user.ID] = user
-			}
-
 			displayTokens = make([]tokenListRow, len(tokens))
 
 			for i, token := range tokens {
-				displayTokens[i] = tokenListRowFromToken(token, usersByID)
+				displayTokens[i] = tokenListRowFromToken(token)
 			}
 
 			out, err := formatter.Format(cmd.Context(), displayTokens)
 
@@ -216,9 +216,30 @@ func (api *API) tokens(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	var apiKeys []codersdk.APIKey
+	var userIds []uuid.UUID
 	for _, key := range keys {
-		apiKeys = append(apiKeys, convertAPIKey(key))
+		userIds = append(userIds, key.UserID)
+	}
+
+	users, _ := api.Database.GetUsersByIDs(ctx, userIds)
+	usersByID := map[uuid.UUID]database.User{}
+	for _, user := range users {
+		usersByID[user.ID] = user
+	}
+
+	var apiKeys []codersdk.APIKeyWithOwner
+	for _, key := range keys {
+		if user, exists := usersByID[key.UserID]; exists {
+			apiKeys = append(apiKeys, codersdk.APIKeyWithOwner{
+				APIKey:   convertAPIKey(key),
+				Username: user.Username,
+			})
+		} else {
+			apiKeys = append(apiKeys, codersdk.APIKeyWithOwner{
+				APIKey:   convertAPIKey(key),
+				Username: "",
+			})
+		}
 	}
 
 	httpapi.Write(ctx, rw, http.StatusOK, apiKeys)
 
@@ -8,8 +8,6 @@ import (
 	"net"
 	"net/http"
 	"net/netip"
-	"net/url"
-	"strings"
 	"time"
 
 	"github.com/google/uuid"
@@ -22,6 +20,7 @@ import (
 	"github.com/coder/coder/coderd/httpapi"
 	"github.com/coder/coder/coderd/httpmw"
 	"github.com/coder/coder/coderd/rbac"
+	"github.com/coder/coder/coderd/searchquery"
 	"github.com/coder/coder/codersdk"
 )
 
@@ -49,7 +48,7 @@ func (api *API) auditLogs(rw http.ResponseWriter, r *http.Request) {
 	}
 
 	queryStr := r.URL.Query().Get("q")
-	filter, errs := auditSearchQuery(queryStr)
+	filter, errs := searchquery.AuditLogs(queryStr)
 	if len(errs) > 0 {
 		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
 			Message:     "Invalid audit search query.",
@@ -373,125 +372,3 @@ func (api *API) auditLogResourceLink(ctx context.Context, alog database.GetAudit
 		return ""
 	}
 }
-
-// auditSearchQuery takes a query string and returns the auditLog filter.
-// It also can return the list of validation errors to return to the api.
-func auditSearchQuery(query string) (database.GetAuditLogsOffsetParams, []codersdk.ValidationError) {
-	searchParams := make(url.Values)
-	if query == "" {
-		// No filter
-		return database.GetAuditLogsOffsetParams{}, nil
-	}
-	query = strings.ToLower(query)
-	// Because we do this in 2 passes, we want to maintain quotes on the first
-	// pass.Further splitting occurs on the second pass and quotes will be
-	// dropped.
-	elements := splitQueryParameterByDelimiter(query, ' ', true)
-	for _, element := range elements {
-		parts := splitQueryParameterByDelimiter(element, ':', false)
-		switch len(parts) {
-		case 1:
-			// No key:value pair.
-			searchParams.Set("resource_type", parts[0])
-		case 2:
-			searchParams.Set(parts[0], parts[1])
-		default:
-			return database.GetAuditLogsOffsetParams{}, []codersdk.ValidationError{
-				{Field: "q", Detail: fmt.Sprintf("Query element %q can only contain 1 ':'", element)},
-			}
-		}
-	}
-
-	// Using the query param parser here just returns consistent errors with
-	// other parsing.
-	parser := httpapi.NewQueryParamParser()
-	const layout = "2006-01-02"
-
-	var (
-		dateFromString    = parser.String(searchParams, "", "date_from")
-		dateToString      = parser.String(searchParams, "", "date_to")
-		parsedDateFrom, _ = time.Parse(layout, dateFromString)
-		parsedDateTo, _   = time.Parse(layout, dateToString)
-	)
-
-	if dateToString != "" {
-		parsedDateTo = parsedDateTo.Add(23*time.Hour + 59*time.Minute + 59*time.Second) // parsedDateTo goes to 23:59
-	}
-
-	if dateToString != "" && parsedDateTo.Before(parsedDateFrom) {
-		return database.GetAuditLogsOffsetParams{}, []codersdk.ValidationError{
-			{Field: "q", Detail: fmt.Sprintf("DateTo value %q cannot be before than DateFrom", parsedDateTo)},
-		}
-	}
-
-	filter := database.GetAuditLogsOffsetParams{
-		ResourceType: resourceTypeFromString(parser.String(searchParams, "", "resource_type")),
-		ResourceID:   parser.UUID(searchParams, uuid.Nil, "resource_id"),
-		Action:       actionFromString(parser.String(searchParams, "", "action")),
-		Username:     parser.String(searchParams, "", "username"),
-		Email:        parser.String(searchParams, "", "email"),
-		DateFrom:     parsedDateFrom,
-		DateTo:       parsedDateTo,
-		BuildReason:  buildReasonFromString(parser.String(searchParams, "", "build_reason")),
-	}
-
-	return filter, parser.Errors
-}
-
-func resourceTypeFromString(resourceTypeString string) string {
-	switch codersdk.ResourceType(resourceTypeString) {
-	case codersdk.ResourceTypeTemplate:
-		return resourceTypeString
-	case codersdk.ResourceTypeTemplateVersion:
-		return resourceTypeString
-	case codersdk.ResourceTypeUser:
-		return resourceTypeString
-	case codersdk.ResourceTypeWorkspace:
-		return resourceTypeString
-	case codersdk.ResourceTypeWorkspaceBuild:
-		return resourceTypeString
-	case codersdk.ResourceTypeGitSSHKey:
-		return resourceTypeString
-	case codersdk.ResourceTypeAPIKey:
-		return resourceTypeString
-	case codersdk.ResourceTypeGroup:
-		return resourceTypeString
-	case codersdk.ResourceTypeLicense:
-		return resourceTypeString
-	}
-	return ""
-}
-
-func actionFromString(actionString string) string {
-	switch codersdk.AuditAction(actionString) {
-	case codersdk.AuditActionCreate:
-		return actionString
-	case codersdk.AuditActionWrite:
-		return actionString
-	case codersdk.AuditActionDelete:
-		return actionString
-	case codersdk.AuditActionStart:
-		return actionString
-	case codersdk.AuditActionStop:
-		return actionString
-	case codersdk.AuditActionLogin:
-		return actionString
-	case codersdk.AuditActionLogout:
-		return actionString
-	default:
-	}
-	return ""
-}
-
-func buildReasonFromString(buildReasonString string) string {
-	switch codersdk.BuildReason(buildReasonString) {
-	case codersdk.BuildReasonInitiator:
-		return buildReasonString
-	case codersdk.BuildReasonAutostart:
-		return buildReasonString
-	case codersdk.BuildReasonAutostop:
-		return buildReasonString
-	default:
-	}
-	return ""
-}