coder
diff --git a/‎.github/actions/setup-go/action.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/actions/setup-go/action.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 2 additions & 5 deletions b/‎.github/workflows/ci.yaml
Lines changed: 2 additions & 5 deletions
diff --git a/‎cli/login.go
Lines changed: 7 additions & 0 deletions b/‎cli/login.go
Lines changed: 7 additions & 0 deletions
diff --git a/‎cli/login_test.go
Lines changed: 46 additions & 0 deletions b/‎cli/login_test.go
Lines changed: 46 additions & 0 deletions
diff --git a/‎coderd/audit/diff.go
Lines changed: 2 additions & 1 deletion b/‎coderd/audit/diff.go
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/audit/request.go
Lines changed: 8 additions & 0 deletions b/‎coderd/audit/request.go
Lines changed: 8 additions & 0 deletions
diff --git a/‎coderd/coderdtest/coderdtest.go
Lines changed: 44 additions & 0 deletions b/‎coderd/coderdtest/coderdtest.go
Lines changed: 44 additions & 0 deletions
diff --git a/‎coderd/database/dump.sql
Lines changed: 2 additions & 1 deletion b/‎coderd/database/dump.sql
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/database/migrations/000220_audit_org_member.down.sql b/‎coderd/database/migrations/000220_audit_org_member.down.sql
diff --git a/‎coderd/database/migrations/000220_audit_org_member.up.sql
Lines changed: 1 addition & 0 deletions b/‎coderd/database/migrations/000220_audit_org_member.up.sql
Lines changed: 1 addition & 0 deletions
@@ -4,7 +4,7 @@ description: |
 inputs:
   version:
     description: "The Go version to use."
-    default: "1.22.3"
+    default: "1.22.4"
 runs:
   using: "composite"
   steps:
 
@@ -254,12 +254,9 @@ jobs:
       - name: Setup Node
         uses: ./.github/actions/setup-node
 
+      # Use default Go version
       - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          # This doesn't need caching. It's super fast anyways!
-          cache: false
-          go-version: 1.21.9
+        uses: ./.github/actions/setup-go
 
       - name: Install shfmt
         run: go install mvdan.cc/sh/v3/cmd/shfmt@v3.7.0
 
@@ -336,6 +336,13 @@ func (r *RootCmd) login() *serpent.Command {
 				return xerrors.Errorf("write server url: %w", err)
 			}
 
+			// If the current organization cannot be fetched, then reset the organization context.
+			// Otherwise, organization cli commands will fail.
+			_, err = CurrentOrganization(r, inv, client)
+			if err != nil {
+				_ = config.Organization().Delete()
+			}
+
 			_, _ = fmt.Fprintf(inv.Stdout, Caret+"Welcome to Coder, %s! You're authenticated.\n", pretty.Sprint(cliui.DefaultStyles.Keyword, resp.Username))
 			return nil
 		},
 
@@ -5,9 +5,11 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"os"
 	"runtime"
 	"testing"
 
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
@@ -304,4 +306,48 @@ func TestLogin(t *testing.T) {
 		// This **should not be equal** to the token we passed in.
 		require.NotEqual(t, client.SessionToken(), sessionFile)
 	})
+
+	// Login should reset the configured organization if the user is not a member
+	t.Run("ResetOrganization", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		coderdtest.CreateFirstUser(t, client)
+		root, cfg := clitest.New(t, "login", client.URL.String(), "--token", client.SessionToken())
+
+		notRealOrg := uuid.NewString()
+		err := cfg.Organization().Write(notRealOrg)
+		require.NoError(t, err, "write bad org to config")
+
+		err = root.Run()
+		require.NoError(t, err)
+		sessionFile, err := cfg.Session().Read()
+		require.NoError(t, err)
+		require.NotEqual(t, client.SessionToken(), sessionFile)
+
+		// Organization config should be deleted since the org does not exist
+		selected, err := cfg.Organization().Read()
+		require.ErrorIs(t, err, os.ErrNotExist)
+		require.NotEqual(t, selected, notRealOrg)
+	})
+
+	t.Run("KeepOrganizationContext", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		first := coderdtest.CreateFirstUser(t, client)
+		root, cfg := clitest.New(t, "login", client.URL.String(), "--token", client.SessionToken())
+
+		err := cfg.Organization().Write(first.OrganizationID.String())
+		require.NoError(t, err, "write bad org to config")
+
+		err = root.Run()
+		require.NoError(t, err)
+		sessionFile, err := cfg.Session().Read()
+		require.NoError(t, err)
+		require.NotEqual(t, client.SessionToken(), sessionFile)
+
+		// Organization config should be deleted since the org does not exist
+		selected, err := cfg.Organization().Read()
+		require.NoError(t, err)
+		require.Equal(t, selected, first.OrganizationID.String())
+	})
 }
@@ -22,7 +22,8 @@ type Auditable interface {
 		database.HealthSettings |
 		database.OAuth2ProviderApp |
 		database.OAuth2ProviderAppSecret |
-		database.CustomRole
+		database.CustomRole |
+		database.AuditableOrganizationMember
 }
 
 // Map is a map of changed fields in an audited resource. It maps field names to
 
@@ -105,6 +105,8 @@ func ResourceTarget[T Auditable](tgt T) string {
 		return typed.DisplaySecret
 	case database.CustomRole:
 		return typed.Name
+	case database.AuditableOrganizationMember:
+		return typed.Username
 	default:
 		panic(fmt.Sprintf("unknown resource %T for ResourceTarget", tgt))
 	}
@@ -144,6 +146,8 @@ func ResourceID[T Auditable](tgt T) uuid.UUID {
 		return typed.ID
 	case database.CustomRole:
 		return typed.ID
+	case database.AuditableOrganizationMember:
+		return typed.UserID
 	default:
 		panic(fmt.Sprintf("unknown resource %T for ResourceID", tgt))
 	}
@@ -181,6 +185,8 @@ func ResourceType[T Auditable](tgt T) database.ResourceType {
 		return database.ResourceTypeOauth2ProviderAppSecret
 	case database.CustomRole:
 		return database.ResourceTypeCustomRole
+	case database.AuditableOrganizationMember:
+		return database.ResourceTypeOrganizationMember
 	default:
 		panic(fmt.Sprintf("unknown resource %T for ResourceType", typed))
 	}
@@ -219,6 +225,8 @@ func ResourceRequiresOrgID[T Auditable]() bool {
 		return false
 	case database.CustomRole:
 		return true
+	case database.AuditableOrganizationMember:
+		return true
 	default:
 		panic(fmt.Sprintf("unknown resource %T for ResourceRequiresOrgID", tgt))
 	}
 
@@ -600,6 +600,18 @@ func NewTaggedProvisionerDaemon(t testing.TB, coderAPI *coderd.API, name string,
 }
 
 func NewExternalProvisionerDaemon(t testing.TB, client *codersdk.Client, org uuid.UUID, tags map[string]string) io.Closer {
+	t.Helper()
+
+	// Without this check, the provisioner will silently fail.
+	entitlements, err := client.Entitlements(context.Background())
+	if err == nil {
+		feature := entitlements.Features[codersdk.FeatureExternalProvisionerDaemons]
+		if !feature.Enabled || feature.Entitlement != codersdk.EntitlementEntitled {
+			require.NoError(t, xerrors.Errorf("external provisioner daemons require an entitled license"))
+			return nil
+		}
+	}
+
 	echoClient, echoServer := drpc.MemTransportPipe()
 	ctx, cancelFunc := context.WithCancel(context.Background())
 	serveDone := make(chan struct{})
@@ -638,6 +650,7 @@ func NewExternalProvisionerDaemon(t testing.TB, client *codersdk.Client, org uui
 	t.Cleanup(func() {
 		_ = closer.Close()
 	})
+
 	return closer
 }
 
@@ -790,6 +803,37 @@ func createAnotherUserRetry(t testing.TB, client *codersdk.Client, organizationI
 	return other, user
 }
 
+type CreateOrganizationOptions struct {
+	// IncludeProvisionerDaemon will spin up an external provisioner for the organization.
+	// This requires enterprise and the feature 'codersdk.FeatureExternalProvisionerDaemons'
+	IncludeProvisionerDaemon bool
+}
+
+func CreateOrganization(t *testing.T, client *codersdk.Client, opts CreateOrganizationOptions, mutators ...func(*codersdk.CreateOrganizationRequest)) codersdk.Organization {
+	ctx := testutil.Context(t, testutil.WaitMedium)
+	req := codersdk.CreateOrganizationRequest{
+		Name:        strings.ReplaceAll(strings.ToLower(namesgenerator.GetRandomName(0)), "_", "-"),
+		DisplayName: namesgenerator.GetRandomName(1),
+		Description: namesgenerator.GetRandomName(1),
+		Icon:        "",
+	}
+	for _, mutator := range mutators {
+		mutator(&req)
+	}
+
+	org, err := client.CreateOrganization(ctx, req)
+	require.NoError(t, err)
+
+	if opts.IncludeProvisionerDaemon {
+		closer := NewExternalProvisionerDaemon(t, client, org.ID, map[string]string{})
+		t.Cleanup(func() {
+			_ = closer.Close()
+		})
+	}
+
+	return org
+}
+
 // CreateTemplateVersion creates a template import provisioner job
 // with the responses provided. It uses the "echo" provisioner for compatibility
 // with testing.
 
@@ -0,0 +1 @@
+ALTER TYPE resource_type ADD VALUE IF NOT EXISTS 'organization_member';
Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,8 @@ type Auditable interface {`
`22`	`22`	`database.HealthSettings \|`
`23`	`23`	`database.OAuth2ProviderApp \|`
`24`	`24`	`database.OAuth2ProviderAppSecret \|`
`25`		`- database.CustomRole`
	`25`	`+ database.CustomRole \|`
	`26`	`+ database.AuditableOrganizationMember`
`26`	`27`	`}`
`27`	`28`
`28`	`29`	`// Map is a map of changed fields in an audited resource. It maps field names to`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+ALTER TYPE resource_type ADD VALUE IF NOT EXISTS 'organization_member';`