coder
diff --git a/‎cli/server.go
Lines changed: 1 addition & 1 deletion b/‎cli/server.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 19 additions & 19 deletions b/‎coderd/apidoc/docs.go
Lines changed: 19 additions & 19 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 17 additions & 17 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 17 additions & 17 deletions
diff --git a/‎coderd/coderd.go
Lines changed: 4 additions & 1 deletion b/‎coderd/coderd.go
Lines changed: 4 additions & 1 deletion
diff --git a/‎coderd/coderdtest/coderdtest.go
Lines changed: 3 additions & 1 deletion b/‎coderd/coderdtest/coderdtest.go
Lines changed: 3 additions & 1 deletion
diff --git a/‎coderd/workspaceagents.go
Lines changed: 24 additions & 15 deletions b/‎coderd/workspaceagents.go
Lines changed: 24 additions & 15 deletions
diff --git a/‎coderd/workspaceagents_test.go
Lines changed: 9 additions & 7 deletions b/‎coderd/workspaceagents_test.go
Lines changed: 9 additions & 7 deletions
@@ -733,7 +733,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 				return xerrors.Errorf("create workspace updates provider: %w", err)
 			}
 			options.WorkspaceUpdatesProvider = wsUpdates
-			defer wsUpdates.Stop()
+			defer wsUpdates.Close()
 
 			var deploymentID string
 			err = options.Database.InTx(func(tx database.Store) error {
 
@@ -1073,7 +1073,6 @@ func New(options *Options) *API {
 				r.Route("/roles", func(r chi.Router) {
 					r.Get("/", api.AssignableSiteRoles)
 				})
-				r.Get("/me/tailnet", api.tailnet)
 				r.Route("/{user}", func(r chi.Router) {
 					r.Use(httpmw.ExtractUserParam(options.Database))
 					r.Post("/convert-login", api.postConvertLoginType)
@@ -1331,6 +1330,10 @@ func New(options *Options) *API {
 			})
 			r.Get("/dispatch-methods", api.notificationDispatchMethods)
 		})
+		r.Route("/tailnet", func(r chi.Router) {
+			r.Use(apiKeyMiddleware)
+			r.Get("/", api.tailnet)
+		})
 	})
 
 	if options.SwaggerEndpoint {
 
@@ -260,7 +260,9 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 		var err error
 		options.WorkspaceUpdatesProvider, err = coderd.NewUpdatesProvider(options.Logger.Named("workspace_updates"), options.Database, options.Pubsub)
 		require.NoError(t, err)
-		t.Cleanup(options.WorkspaceUpdatesProvider.Stop)
+		t.Cleanup(func() {
+			_ = options.WorkspaceUpdatesProvider.Close()
+		})
 	}
 
 	accessControlStore := &atomic.Pointer[dbauthz.AccessControlStore]{}
 
@@ -33,6 +33,7 @@ import (
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/httpmw"
 	"github.com/coder/coder/v2/coderd/jwtutils"
+	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/coderd/wspubsub"
 	"github.com/coder/coder/v2/codersdk"
@@ -870,7 +871,10 @@ func (api *API) workspaceAgentClientCoordinate(rw http.ResponseWriter, r *http.R
 	go httpapi.Heartbeat(ctx, conn)
 
 	defer conn.Close(websocket.StatusNormalClosure, "")
-	err = api.TailnetClientService.ServeClient(ctx, version, wsNetConn, peerID, workspaceAgent.ID)
+	err = api.TailnetClientService.ServeClient(ctx, version, wsNetConn, tailnet.ServeClientOptions{
+		Peer:  peerID,
+		Agent: &workspaceAgent.ID,
+	})
 	if err != nil && !xerrors.Is(err, io.EOF) && !xerrors.Is(err, context.Canceled) {
 		_ = conn.Close(websocket.StatusInternalError, err.Error())
 		return
@@ -1475,21 +1479,14 @@ func (api *API) workspaceAgentsExternalAuthListen(ctx context.Context, rw http.R
 	}
 }
 
-// @Summary Coordinate multiple workspace agents
-// @ID coordinate-multiple-workspace-agents
+// @Summary User-scoped agent coordination
+// @ID user-scoped-agent-coordination
 // @Security CoderSessionToken
 // @Tags Agents
 // @Success 101
-// @Router /users/me/tailnet [get]
+// @Router /tailnet [get]
 func (api *API) tailnet(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
-	apiKey, ok := httpmw.APIKeyOptional(r)
-	if !ok {
-		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
-			Message: "Cannot use \"me\" without a valid session.",
-		})
-		return
-	}
 
 	version := "2.0"
 	qv := r.URL.Query().Get("version")
@@ -1512,6 +1509,16 @@ func (api *API) tailnet(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// Used to authorize tunnel requests, and filter workspace update DB queries
+	prepared, err := api.HTTPAuth.AuthorizeSQLFilter(r, policy.ActionRead, rbac.ResourceWorkspace.Type)
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Internal error preparing sql filter.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
 	api.WebsocketWaitMutex.Lock()
 	api.WebsocketWaitGroup.Add(1)
 	api.WebsocketWaitMutex.Unlock()
@@ -1530,10 +1537,12 @@ func (api *API) tailnet(rw http.ResponseWriter, r *http.Request) {
 	defer conn.Close(websocket.StatusNormalClosure, "")
 
 	go httpapi.Heartbeat(ctx, conn)
-	err = api.TailnetClientService.ServeUserClient(ctx, version, wsNetConn, tailnet.ServeUserClientOptions{
-		PeerID:          peerID,
-		UserID:          apiKey.UserID,
-		UpdatesProvider: api.WorkspaceUpdatesProvider,
+	err = api.TailnetClientService.ServeClient(ctx, version, wsNetConn, tailnet.ServeClientOptions{
+		Peer: peerID,
+		Auth: &tunnelAuthorizer{
+			prep: prepared,
+			db:   api.Database,
+		},
 	})
 	if err != nil && !xerrors.Is(err, io.EOF) && !xerrors.Is(err, context.Canceled) {
 		_ = conn.Close(websocket.StatusInternalError, err.Error())
 
@@ -1943,13 +1943,13 @@ func TestOwnedWorkspacesCoordinate(t *testing.T) {
 	})
 	defer closer.Close()
 	firstUser := coderdtest.CreateFirstUser(t, firstClient)
-	user, _ := coderdtest.CreateAnotherUser(t, firstClient, firstUser.OrganizationID, rbac.RoleTemplateAdmin())
+	member, memberUser := coderdtest.CreateAnotherUser(t, firstClient, firstUser.OrganizationID, rbac.RoleTemplateAdmin())
 
 	// Create a workspace
 	token := uuid.NewString()
-	resources, _ := buildWorkspaceWithAgent(t, user, firstUser.OrganizationID, token)
+	resources, _ := buildWorkspaceWithAgent(t, member, firstUser.OrganizationID, token)
 
-	u, err := user.URL.Parse("/api/v2/users/me/tailnet")
+	u, err := member.URL.Parse("/api/v2/tailnet")
 	require.NoError(t, err)
 	q := u.Query()
 	q.Set("version", "2.0")
@@ -1958,7 +1958,7 @@ func TestOwnedWorkspacesCoordinate(t *testing.T) {
 	//nolint:bodyclose // websocket package closes this for you
 	wsConn, resp, err := websocket.Dial(ctx, u.String(), &websocket.DialOptions{
 		HTTPHeader: http.Header{
-			"Coder-Session-Token": []string{user.SessionToken()},
+			"Coder-Session-Token": []string{member.SessionToken()},
 		},
 	})
 	if err != nil {
@@ -1975,7 +1975,9 @@ func TestOwnedWorkspacesCoordinate(t *testing.T) {
 	)
 	require.NoError(t, err)
 
-	stream, err := rpcClient.WorkspaceUpdates(ctx, &tailnetproto.WorkspaceUpdatesRequest{})
+	stream, err := rpcClient.WorkspaceUpdates(ctx, &tailnetproto.WorkspaceUpdatesRequest{
+		WorkspaceOwnerId: tailnet.UUIDToByteSlice(memberUser.ID),
+	})
 	require.NoError(t, err)
 
 	// Existing workspace
@@ -1995,7 +1997,7 @@ func TestOwnedWorkspacesCoordinate(t *testing.T) {
 
 	// Build a second workspace
 	secondToken := uuid.NewString()
-	secondResources, secondWorkspace := buildWorkspaceWithAgent(t, user, firstUser.OrganizationID, secondToken)
+	secondResources, secondWorkspace := buildWorkspaceWithAgent(t, member, firstUser.OrganizationID, secondToken)
 
 	// Workspace starting
 	update, err = stream.Recv()
@@ -2020,7 +2022,7 @@ func TestOwnedWorkspacesCoordinate(t *testing.T) {
 	require.Len(t, update.DeletedWorkspaces, 0)
 	require.Len(t, update.DeletedAgents, 0)
 
-	_, err = user.CreateWorkspaceBuild(ctx, secondWorkspace.ID, codersdk.CreateWorkspaceBuildRequest{
+	_, err = member.CreateWorkspaceBuild(ctx, secondWorkspace.ID, codersdk.CreateWorkspaceBuildRequest{
 		Transition: codersdk.WorkspaceTransitionDelete,
 	})
 	require.NoError(t, err)
Original file line number	Diff line number	Diff line change
`@@ -733,7 +733,7 @@ func (r RootCmd) Server(newAPI func(context.Context, coderd.Options) (*coderd.`
`733`	`733`	`return xerrors.Errorf("create workspace updates provider: %w", err)`
`734`	`734`	`}`
`735`	`735`	`options.WorkspaceUpdatesProvider = wsUpdates`
`736`		`- defer wsUpdates.Stop()`
	`736`	`+ defer wsUpdates.Close()`
`737`	`737`
`738`	`738`	`var deploymentID string`
`739`	`739`	`err = options.Database.InTx(func(tx database.Store) error {`