coder
diff --git a/‎.github/actions/setup-go/action.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/actions/setup-go/action.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 2 additions & 5 deletions b/‎.github/workflows/ci.yaml
Lines changed: 2 additions & 5 deletions
diff --git a/‎cli/login.go
Lines changed: 7 additions & 0 deletions b/‎cli/login.go
Lines changed: 7 additions & 0 deletions
diff --git a/‎cli/login_test.go
Lines changed: 46 additions & 0 deletions b/‎cli/login_test.go
Lines changed: 46 additions & 0 deletions
diff --git a/‎coderd/audit/diff.go
Lines changed: 2 additions & 1 deletion b/‎coderd/audit/diff.go
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/audit/request.go
Lines changed: 8 additions & 0 deletions b/‎coderd/audit/request.go
Lines changed: 8 additions & 0 deletions
diff --git a/‎coderd/coderdtest/coderdtest.go
Lines changed: 44 additions & 0 deletions b/‎coderd/coderdtest/coderdtest.go
Lines changed: 44 additions & 0 deletions
diff --git a/‎coderd/database/dump.sql
Lines changed: 2 additions & 1 deletion b/‎coderd/database/dump.sql
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/database/migrations/000220_audit_org_member.down.sql b/‎coderd/database/migrations/000220_audit_org_member.down.sql
diff --git a/‎coderd/database/migrations/000220_audit_org_member.up.sql
Lines changed: 1 addition & 0 deletions b/‎coderd/database/migrations/000220_audit_org_member.up.sql
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/database/modelmethods.go
Lines changed: 12 additions & 0 deletions b/‎coderd/database/modelmethods.go
Lines changed: 12 additions & 0 deletions
diff --git a/‎coderd/database/models.go
Lines changed: 4 additions & 1 deletion b/‎coderd/database/models.go
Lines changed: 4 additions & 1 deletion
diff --git a/‎coderd/members.go
Lines changed: 45 additions & 11 deletions b/‎coderd/members.go
Lines changed: 45 additions & 11 deletions
diff --git a/‎codersdk/audit.go
Lines changed: 3 additions & 0 deletions b/‎codersdk/audit.go
Lines changed: 3 additions & 0 deletions
@@ -4,7 +4,7 @@ description: |
 inputs:
   version:
     description: "The Go version to use."
-    default: "1.22.3"
+    default: "1.22.4"
 runs:
   using: "composite"
   steps:
 
@@ -254,12 +254,9 @@ jobs:
       - name: Setup Node
         uses: ./.github/actions/setup-node
 
+      # Use default Go version
       - name: Setup Go
-        uses: actions/setup-go@v5
-        with:
-          # This doesn't need caching. It's super fast anyways!
-          cache: false
-          go-version: 1.21.9
+        uses: ./.github/actions/setup-go
 
       - name: Install shfmt
         run: go install mvdan.cc/sh/v3/cmd/shfmt@v3.7.0
 
@@ -336,6 +336,13 @@ func (r *RootCmd) login() *serpent.Command {
 				return xerrors.Errorf("write server url: %w", err)
 			}
 
+			// If the current organization cannot be fetched, then reset the organization context.
+			// Otherwise, organization cli commands will fail.
+			_, err = CurrentOrganization(r, inv, client)
+			if err != nil {
+				_ = config.Organization().Delete()
+			}
+
 			_, _ = fmt.Fprintf(inv.Stdout, Caret+"Welcome to Coder, %s! You're authenticated.\n", pretty.Sprint(cliui.DefaultStyles.Keyword, resp.Username))
 			return nil
 		},
 
@@ -5,9 +5,11 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
+	"os"
 	"runtime"
 	"testing"
 
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
@@ -304,4 +306,48 @@ func TestLogin(t *testing.T) {
 		// This **should not be equal** to the token we passed in.
 		require.NotEqual(t, client.SessionToken(), sessionFile)
 	})
+
+	// Login should reset the configured organization if the user is not a member
+	t.Run("ResetOrganization", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		coderdtest.CreateFirstUser(t, client)
+		root, cfg := clitest.New(t, "login", client.URL.String(), "--token", client.SessionToken())
+
+		notRealOrg := uuid.NewString()
+		err := cfg.Organization().Write(notRealOrg)
+		require.NoError(t, err, "write bad org to config")
+
+		err = root.Run()
+		require.NoError(t, err)
+		sessionFile, err := cfg.Session().Read()
+		require.NoError(t, err)
+		require.NotEqual(t, client.SessionToken(), sessionFile)
+
+		// Organization config should be deleted since the org does not exist
+		selected, err := cfg.Organization().Read()
+		require.ErrorIs(t, err, os.ErrNotExist)
+		require.NotEqual(t, selected, notRealOrg)
+	})
+
+	t.Run("KeepOrganizationContext", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		first := coderdtest.CreateFirstUser(t, client)
+		root, cfg := clitest.New(t, "login", client.URL.String(), "--token", client.SessionToken())
+
+		err := cfg.Organization().Write(first.OrganizationID.String())
+		require.NoError(t, err, "write bad org to config")
+
+		err = root.Run()
+		require.NoError(t, err)
+		sessionFile, err := cfg.Session().Read()
+		require.NoError(t, err)
+		require.NotEqual(t, client.SessionToken(), sessionFile)
+
+		// Organization config should be deleted since the org does not exist
+		selected, err := cfg.Organization().Read()
+		require.NoError(t, err)
+		require.Equal(t, selected, first.OrganizationID.String())
+	})
 }
@@ -22,7 +22,8 @@ type Auditable interface {
 		database.HealthSettings |
 		database.OAuth2ProviderApp |
 		database.OAuth2ProviderAppSecret |
-		database.CustomRole
+		database.CustomRole |
+		database.AuditableOrganizationMember
 }
 
 // Map is a map of changed fields in an audited resource. It maps field names to
 
@@ -105,6 +105,8 @@ func ResourceTarget[T Auditable](tgt T) string {
 		return typed.DisplaySecret
 	case database.CustomRole:
 		return typed.Name
+	case database.AuditableOrganizationMember:
+		return typed.Username
 	default:
 		panic(fmt.Sprintf("unknown resource %T for ResourceTarget", tgt))
 	}
@@ -144,6 +146,8 @@ func ResourceID[T Auditable](tgt T) uuid.UUID {
 		return typed.ID
 	case database.CustomRole:
 		return typed.ID
+	case database.AuditableOrganizationMember:
+		return typed.UserID
 	default:
 		panic(fmt.Sprintf("unknown resource %T for ResourceID", tgt))
 	}
@@ -181,6 +185,8 @@ func ResourceType[T Auditable](tgt T) database.ResourceType {
 		return database.ResourceTypeOauth2ProviderAppSecret
 	case database.CustomRole:
 		return database.ResourceTypeCustomRole
+	case database.AuditableOrganizationMember:
+		return database.ResourceTypeOrganizationMember
 	default:
 		panic(fmt.Sprintf("unknown resource %T for ResourceType", typed))
 	}
@@ -219,6 +225,8 @@ func ResourceRequiresOrgID[T Auditable]() bool {
 		return false
 	case database.CustomRole:
 		return true
+	case database.AuditableOrganizationMember:
+		return true
 	default:
 		panic(fmt.Sprintf("unknown resource %T for ResourceRequiresOrgID", tgt))
 	}
 
@@ -600,6 +600,18 @@ func NewTaggedProvisionerDaemon(t testing.TB, coderAPI *coderd.API, name string,
 }
 
 func NewExternalProvisionerDaemon(t testing.TB, client *codersdk.Client, org uuid.UUID, tags map[string]string) io.Closer {
+	t.Helper()
+
+	// Without this check, the provisioner will silently fail.
+	entitlements, err := client.Entitlements(context.Background())
+	if err == nil {
+		feature := entitlements.Features[codersdk.FeatureExternalProvisionerDaemons]
+		if !feature.Enabled || feature.Entitlement != codersdk.EntitlementEntitled {
+			require.NoError(t, xerrors.Errorf("external provisioner daemons require an entitled license"))
+			return nil
+		}
+	}
+
 	echoClient, echoServer := drpc.MemTransportPipe()
 	ctx, cancelFunc := context.WithCancel(context.Background())
 	serveDone := make(chan struct{})
@@ -638,6 +650,7 @@ func NewExternalProvisionerDaemon(t testing.TB, client *codersdk.Client, org uui
 	t.Cleanup(func() {
 		_ = closer.Close()
 	})
+
 	return closer
 }
 
@@ -790,6 +803,37 @@ func createAnotherUserRetry(t testing.TB, client *codersdk.Client, organizationI
 	return other, user
 }
 
+type CreateOrganizationOptions struct {
+	// IncludeProvisionerDaemon will spin up an external provisioner for the organization.
+	// This requires enterprise and the feature 'codersdk.FeatureExternalProvisionerDaemons'
+	IncludeProvisionerDaemon bool
+}
+
+func CreateOrganization(t *testing.T, client *codersdk.Client, opts CreateOrganizationOptions, mutators ...func(*codersdk.CreateOrganizationRequest)) codersdk.Organization {
+	ctx := testutil.Context(t, testutil.WaitMedium)
+	req := codersdk.CreateOrganizationRequest{
+		Name:        strings.ReplaceAll(strings.ToLower(namesgenerator.GetRandomName(0)), "_", "-"),
+		DisplayName: namesgenerator.GetRandomName(1),
+		Description: namesgenerator.GetRandomName(1),
+		Icon:        "",
+	}
+	for _, mutator := range mutators {
+		mutator(&req)
+	}
+
+	org, err := client.CreateOrganization(ctx, req)
+	require.NoError(t, err)
+
+	if opts.IncludeProvisionerDaemon {
+		closer := NewExternalProvisionerDaemon(t, client, org.ID, map[string]string{})
+		t.Cleanup(func() {
+			_ = closer.Close()
+		})
+	}
+
+	return org
+}
+
 // CreateTemplateVersion creates a template import provisioner job
 // with the responses provided. It uses the "echo" provisioner for compatibility
 // with testing.
 
@@ -0,0 +1 @@
+ALTER TYPE resource_type ADD VALUE IF NOT EXISTS 'organization_member';
@@ -60,6 +60,18 @@ func (s WorkspaceAgentStatus) Valid() bool {
 	}
 }
 
+type AuditableOrganizationMember struct {
+	OrganizationMember
+	Username string `json:"username"`
+}
+
+func (m OrganizationMember) Auditable(username string) AuditableOrganizationMember {
+	return AuditableOrganizationMember{
+		OrganizationMember: m,
+		Username:           username,
+	}
+}
+
 type AuditableGroup struct {
 	Group
 	Members []GroupMember `json:"members"`
 
@@ -7,6 +7,7 @@ import (
 	"github.com/google/uuid"
 	"golang.org/x/xerrors"
 
+	"github.com/coder/coder/v2/coderd/audit"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/db2sdk"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
@@ -27,10 +28,19 @@ import (
 // @Router /organizations/{organization}/members/{user} [post]
 func (api *API) postOrganizationMember(rw http.ResponseWriter, r *http.Request) {
 	var (
-		ctx          = r.Context()
-		organization = httpmw.OrganizationParam(r)
-		user         = httpmw.UserParam(r)
+		ctx               = r.Context()
+		organization      = httpmw.OrganizationParam(r)
+		user              = httpmw.UserParam(r)
+		auditor           = api.Auditor.Load()
+		aReq, commitAudit = audit.InitRequest[database.AuditableOrganizationMember](rw, &audit.RequestParams{
+			Audit:   *auditor,
+			Log:     api.Logger,
+			Request: r,
+			Action:  database.AuditActionCreate,
+		})
 	)
+	aReq.Old = database.AuditableOrganizationMember{}
+	defer commitAudit()
 
 	member, err := api.Database.InsertOrganizationMember(ctx, database.InsertOrganizationMemberParams{
 		OrganizationID: organization.ID,
@@ -54,6 +64,7 @@ func (api *API) postOrganizationMember(rw http.ResponseWriter, r *http.Request)
 		return
 	}
 
+	aReq.New = member.Auditable(user.Username)
 	resp, err := convertOrganizationMembers(ctx, api.Database, []database.OrganizationMember{member})
 	if err != nil {
 		httpapi.InternalServerError(rw, err)
@@ -79,10 +90,19 @@ func (api *API) postOrganizationMember(rw http.ResponseWriter, r *http.Request)
 // @Router /organizations/{organization}/members/{user} [delete]
 func (api *API) deleteOrganizationMember(rw http.ResponseWriter, r *http.Request) {
 	var (
-		ctx          = r.Context()
-		organization = httpmw.OrganizationParam(r)
-		member       = httpmw.OrganizationMemberParam(r)
+		ctx               = r.Context()
+		organization      = httpmw.OrganizationParam(r)
+		member            = httpmw.OrganizationMemberParam(r)
+		auditor           = api.Auditor.Load()
+		aReq, commitAudit = audit.InitRequest[database.AuditableOrganizationMember](rw, &audit.RequestParams{
+			Audit:   *auditor,
+			Log:     api.Logger,
+			Request: r,
+			Action:  database.AuditActionDelete,
+		})
 	)
+	aReq.Old = member.OrganizationMember.Auditable(member.Username)
+	defer commitAudit()
 
 	err := api.Database.DeleteOrganizationMember(ctx, database.DeleteOrganizationMemberParams{
 		OrganizationID: organization.ID,
@@ -97,6 +117,7 @@ func (api *API) deleteOrganizationMember(rw http.ResponseWriter, r *http.Request
 		return
 	}
 
+	aReq.New = database.AuditableOrganizationMember{}
 	httpapi.Write(ctx, rw, http.StatusOK, "organization member removed")
 }
 
@@ -149,13 +170,22 @@ func (api *API) listMembers(rw http.ResponseWriter, r *http.Request) {
 // @Router /organizations/{organization}/members/{user}/roles [put]
 func (api *API) putMemberRoles(rw http.ResponseWriter, r *http.Request) {
 	var (
-		ctx          = r.Context()
-		organization = httpmw.OrganizationParam(r)
-		member       = httpmw.OrganizationMemberParam(r)
-		apiKey       = httpmw.APIKey(r)
+		ctx               = r.Context()
+		organization      = httpmw.OrganizationParam(r)
+		member            = httpmw.OrganizationMemberParam(r)
+		apiKey            = httpmw.APIKey(r)
+		auditor           = api.Auditor.Load()
+		aReq, commitAudit = audit.InitRequest[database.AuditableOrganizationMember](rw, &audit.RequestParams{
+			Audit:   *auditor,
+			Log:     api.Logger,
+			Request: r,
+			Action:  database.AuditActionWrite,
+		})
 	)
+	aReq.Old = member.OrganizationMember.Auditable(member.Username)
+	defer commitAudit()
 
-	if apiKey.UserID == member.UserID {
+	if apiKey.UserID == member.OrganizationMember.UserID {
 		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
 			Message: "You cannot change your own organization roles.",
 		})
@@ -182,6 +212,10 @@ func (api *API) putMemberRoles(rw http.ResponseWriter, r *http.Request) {
 		})
 		return
 	}
+	aReq.New = database.AuditableOrganizationMember{
+		OrganizationMember: updatedUser,
+		Username:           member.Username,
+	}
 
 	resp, err := convertOrganizationMembers(ctx, api.Database, []database.OrganizationMember{updatedUser})
 	if err != nil {
 
@@ -31,6 +31,7 @@ const (
 	// nolint:gosec // This is not a secret.
 	ResourceTypeOAuth2ProviderAppSecret ResourceType = "oauth2_provider_app_secret"
 	ResourceTypeCustomRole              ResourceType = "custom_role"
+	ResourceTypeOrganizationMember                   = "organization_member"
 )
 
 func (r ResourceType) FriendlyString() string {
@@ -69,6 +70,8 @@ func (r ResourceType) FriendlyString() string {
 		return "oauth2 app secret"
 	case ResourceTypeCustomRole:
 		return "custom role"
+	case ResourceTypeOrganizationMember:
+		return "organization member"
 	default:
 		return "unknown"
 	}
Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,8 @@ type Auditable interface {`
`22`	`22`	`database.HealthSettings \|`
`23`	`23`	`database.OAuth2ProviderApp \|`
`24`	`24`	`database.OAuth2ProviderAppSecret \|`
`25`		`- database.CustomRole`
	`25`	`+ database.CustomRole \|`
	`26`	`+ database.AuditableOrganizationMember`
`26`	`27`	`}`
`27`	`28`
`28`	`29`	`// Map is a map of changed fields in an audited resource. It maps field names to`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+ALTER TYPE resource_type ADD VALUE IF NOT EXISTS 'organization_member';`