coder
diff --git a/‎cli/server.go
Lines changed: 1 addition & 1 deletion b/‎cli/server.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 2 additions & 2 deletions b/‎coderd/apidoc/docs.go
Lines changed: 2 additions & 2 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 2 additions & 2 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 2 additions & 2 deletions
diff --git a/‎coderd/coderd.go
Lines changed: 1 addition & 1 deletion b/‎coderd/coderd.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/coderdtest/coderdtest.go
Lines changed: 7 additions & 2 deletions b/‎coderd/coderdtest/coderdtest.go
Lines changed: 7 additions & 2 deletions
diff --git a/‎coderd/database/dbfake/dbfake.go
Lines changed: 0 additions & 14 deletions b/‎coderd/database/dbfake/dbfake.go
Lines changed: 0 additions & 14 deletions
diff --git a/‎coderd/workspaceagents.go
Lines changed: 21 additions & 14 deletions b/‎coderd/workspaceagents.go
Lines changed: 21 additions & 14 deletions
diff --git a/‎coderd/workspaceagents_test.go
Lines changed: 31 additions & 29 deletions b/‎coderd/workspaceagents_test.go
Lines changed: 31 additions & 29 deletions
@@ -722,7 +722,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 				options.Database = dbmetrics.NewDBMetrics(options.Database, options.Logger, options.PrometheusRegistry)
 			}
 
-			wsUpdates, err := coderd.NewUpdatesProvider(logger.Named("workspace_updates"), options.Database, options.Pubsub)
+			wsUpdates, err := coderd.NewUpdatesProvider(logger.Named("workspace_updates"), options.Pubsub, options.Database, options.Authorizer)
 			if err != nil {
 				return xerrors.Errorf("create workspace updates provider: %w", err)
 			}
 
@@ -1331,7 +1331,7 @@ func New(options *Options) *API {
 		})
 		r.Route("/tailnet", func(r chi.Router) {
 			r.Use(apiKeyMiddleware)
-			r.Get("/", api.tailnet)
+			r.Get("/", api.tailnetRPCConn)
 		})
 	})
 
 
@@ -159,10 +159,10 @@ type Options struct {
 	DatabaseRolluper                   *dbrollup.Rolluper
 	WorkspaceUsageTrackerFlush         chan int
 	WorkspaceUsageTrackerTick          chan time.Time
+	NotificationsEnqueuer              notifications.Enqueuer
 	APIKeyEncryptionCache              cryptokeys.EncryptionKeycache
 	OIDCConvertKeyCache                cryptokeys.SigningKeycache
 	Clock                              quartz.Clock
-	NotificationsEnqueuer              notifications.Enqueuer
 
 	WorkspaceUpdatesProvider tailnet.WorkspaceUpdatesProvider
 }
@@ -258,7 +258,12 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 
 	if options.WorkspaceUpdatesProvider == nil {
 		var err error
-		options.WorkspaceUpdatesProvider, err = coderd.NewUpdatesProvider(options.Logger.Named("workspace_updates"), options.Database, options.Pubsub)
+		options.WorkspaceUpdatesProvider, err = coderd.NewUpdatesProvider(
+			options.Logger.Named("workspace_updates"),
+			options.Pubsub,
+			options.Database,
+			options.Authorizer,
+		)
 		require.NoError(t, err)
 		t.Cleanup(func() {
 			_ = options.WorkspaceUpdatesProvider.Close()
 
@@ -105,20 +105,6 @@ func (b WorkspaceBuildBuilder) WithAgent(mutations ...func([]*sdkproto.Agent) []
 		Type:   "aws_instance",
 		Agents: agents,
 	})
-	if b.ps != nil {
-		for _, agent := range agents {
-			uid, err := uuid.Parse(agent.Id)
-			require.NoError(b.t, err)
-			msg, err := json.Marshal(wspubsub.WorkspaceEvent{
-				Kind:        wspubsub.WorkspaceEventKindAgentConnectionUpdate,
-				WorkspaceID: b.ws.ID,
-				AgentID:     &uid,
-			})
-			require.NoError(b.t, err)
-			err = b.ps.Publish(wspubsub.WorkspaceEventChannel(b.ws.OwnerID), msg)
-			require.NoError(b.t, err)
-		}
-	}
 	return b
 }
 
 
@@ -871,9 +871,12 @@ func (api *API) workspaceAgentClientCoordinate(rw http.ResponseWriter, r *http.R
 	go httpapi.Heartbeat(ctx, conn)
 
 	defer conn.Close(websocket.StatusNormalClosure, "")
-	err = api.TailnetClientService.ServeClient(ctx, version, wsNetConn, tailnet.ServeClientOptions{
-		Peer:  peerID,
-		Agent: &workspaceAgent.ID,
+	err = api.TailnetClientService.ServeClient(ctx, version, wsNetConn, tailnet.StreamID{
+		Name: "client",
+		ID:   peerID,
+		Auth: tailnet.ClientCoordinateeAuth{
+			AgentID: workspaceAgent.ID,
+		},
 	})
 	if err != nil && !xerrors.Is(err, io.EOF) && !xerrors.Is(err, context.Canceled) {
 		_ = conn.Close(websocket.StatusInternalError, err.Error())
@@ -891,6 +894,7 @@ func (api *API) handleResumeToken(ctx context.Context, rw http.ResponseWriter, r
 		// case we just want to generate a new peer ID.
 		if xerrors.Is(err, jwtutils.ErrMissingKeyID) {
 			peerID = uuid.New()
+			err = nil
 		} else if err != nil {
 			httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
 				Message: workspacesdk.CoordinateAPIInvalidResumeToken,
@@ -899,7 +903,7 @@ func (api *API) handleResumeToken(ctx context.Context, rw http.ResponseWriter, r
 					{Field: "resume_token", Detail: workspacesdk.CoordinateAPIInvalidResumeToken},
 				},
 			})
-			return
+			return peerID, err
 		} else {
 			api.Logger.Debug(ctx, "accepted coordinate resume token for peer",
 				slog.F("peer_id", peerID.String()))
@@ -1479,13 +1483,13 @@ func (api *API) workspaceAgentsExternalAuthListen(ctx context.Context, rw http.R
 	}
 }
 
-// @Summary User-scoped agent coordination
-// @ID user-scoped-agent-coordination
+// @Summary User-scoped tailnet RPC connection
+// @ID user-scoped-tailnet-rpc-connection
 // @Security CoderSessionToken
 // @Tags Agents
 // @Success 101
 // @Router /tailnet [get]
-func (api *API) tailnet(rw http.ResponseWriter, r *http.Request) {
+func (api *API) tailnetRPCConn(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 
 	version := "2.0"
@@ -1509,8 +1513,8 @@ func (api *API) tailnet(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// Used to authorize tunnel requests, and filter workspace update DB queries
-	prepared, err := api.HTTPAuth.AuthorizeSQLFilter(r, policy.ActionRead, rbac.ResourceWorkspace.Type)
+	// Used to authorize tunnel request
+	sshPrep, err := api.HTTPAuth.AuthorizeSQLFilter(r, policy.ActionSSH, rbac.ResourceWorkspace.Type)
 	if err != nil {
 		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 			Message: "Internal error preparing sql filter.",
@@ -1537,11 +1541,14 @@ func (api *API) tailnet(rw http.ResponseWriter, r *http.Request) {
 	defer conn.Close(websocket.StatusNormalClosure, "")
 
 	go httpapi.Heartbeat(ctx, conn)
-	err = api.TailnetClientService.ServeClient(ctx, version, wsNetConn, tailnet.ServeClientOptions{
-		Peer: peerID,
-		Auth: &tunnelAuthorizer{
-			prep: prepared,
-			db:   api.Database,
+	err = api.TailnetClientService.ServeClient(ctx, version, wsNetConn, tailnet.StreamID{
+		Name: "client",
+		ID:   peerID,
+		Auth: tailnet.ClientUserCoordinateeAuth{
+			Auth: &rbacAuthorizer{
+				sshPrep: sshPrep,
+				db:      api.Database,
+			},
 		},
 	})
 	if err != nil && !xerrors.Is(err, io.EOF) && !xerrors.Is(err, context.Canceled) {
 
@@ -1937,21 +1937,14 @@ func TestOwnedWorkspacesCoordinate(t *testing.T) {
 
 	ctx := testutil.Context(t, testutil.WaitLong)
 	logger := slogtest.Make(t, nil).Leveled(slog.LevelDebug)
-	firstClient, closer, api := coderdtest.NewWithAPI(t, &coderdtest.Options{
-		Coordinator:              tailnet.NewCoordinator(logger),
-		IncludeProvisionerDaemon: true,
-	})
-	t.Cleanup(func() {
-		_ = closer.Close()
+	firstClient, _, api := coderdtest.NewWithAPI(t, &coderdtest.Options{
+		Coordinator: tailnet.NewCoordinator(logger),
 	})
 	firstUser := coderdtest.CreateFirstUser(t, firstClient)
 	member, memberUser := coderdtest.CreateAnotherUser(t, firstClient, firstUser.OrganizationID, rbac.RoleTemplateAdmin())
 
 	// Create a workspace with an agent
-	dbfake.WorkspaceBuild(t, api.Database, database.Workspace{
-		OrganizationID: firstUser.OrganizationID,
-		OwnerID:        memberUser.ID,
-	}).WithAgent().Do()
+	firstWorkspace := buildWorkspaceWithAgent(t, member, firstUser.OrganizationID, memberUser.ID, api.Database, api.Pubsub)
 
 	u, err := member.URL.Parse("/api/v2/tailnet")
 	require.NoError(t, err)
@@ -1984,52 +1977,61 @@ func TestOwnedWorkspacesCoordinate(t *testing.T) {
 	})
 	require.NoError(t, err)
 
-	// Existing workspace
+	// First update will contain the existing workspace and agent
 	update, err := stream.Recv()
 	require.NoError(t, err)
 	require.Len(t, update.UpsertedWorkspaces, 1)
-	require.Equal(t, update.UpsertedWorkspaces[0].Status, tailnetproto.Workspace_RUNNING)
-	wsID := update.UpsertedWorkspaces[0].Id
-
-	// Existing agent
+	require.EqualValues(t, update.UpsertedWorkspaces[0].Id, firstWorkspace.ID)
 	require.Len(t, update.UpsertedAgents, 1)
-	require.Equal(t, update.UpsertedAgents[0].WorkspaceId, wsID)
-
+	require.EqualValues(t, update.UpsertedAgents[0].WorkspaceId, firstWorkspace.ID)
 	require.Len(t, update.DeletedWorkspaces, 0)
 	require.Len(t, update.DeletedAgents, 0)
 
 	// Build a second workspace
-	secondWorkspace := dbfake.WorkspaceBuild(t, api.Database, database.Workspace{
-		OrganizationID: firstUser.OrganizationID,
-		OwnerID:        memberUser.ID,
-	}).WithAgent().Pubsub(api.Pubsub).Do()
+	secondWorkspace := buildWorkspaceWithAgent(t, member, firstUser.OrganizationID, memberUser.ID, api.Database, api.Pubsub)
 
 	// Wait for the second workspace to be running with an agent
 	expectedState := map[uuid.UUID]workspace{
-		secondWorkspace.Workspace.ID: {
+		secondWorkspace.ID: {
 			Status:    tailnetproto.Workspace_RUNNING,
 			NumAgents: 1,
 		},
 	}
 	waitForUpdates(t, ctx, stream, map[uuid.UUID]workspace{}, expectedState)
 
 	// Wait for the workspace and agent to be deleted
-	secondWorkspace.Workspace.Deleted = true
-	dbfake.WorkspaceBuild(t, api.Database, secondWorkspace.Workspace).
+	secondWorkspace.Deleted = true
+	dbfake.WorkspaceBuild(t, api.Database, secondWorkspace).
 		Seed(database.WorkspaceBuild{
 			Transition:  database.WorkspaceTransitionDelete,
 			BuildNumber: 2,
-		}).Pubsub(api.Pubsub).Do()
+		}).Do()
 
-	priorState := expectedState
-	waitForUpdates(t, ctx, stream, priorState, map[uuid.UUID]workspace{
-		secondWorkspace.Workspace.ID: {
+	waitForUpdates(t, ctx, stream, expectedState, map[uuid.UUID]workspace{
+		secondWorkspace.ID: {
 			Status:    tailnetproto.Workspace_DELETED,
 			NumAgents: 0,
 		},
 	})
 }
 
+func buildWorkspaceWithAgent(
+	t *testing.T,
+	client *codersdk.Client,
+	orgID uuid.UUID,
+	ownerID uuid.UUID,
+	db database.Store,
+	ps pubsub.Pubsub,
+) database.WorkspaceTable {
+	r := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
+		OrganizationID: orgID,
+		OwnerID:        ownerID,
+	}).WithAgent().Pubsub(ps).Do()
+	_ = agenttest.New(t, client.URL, r.AgentToken)
+	coderdtest.NewWorkspaceAgentWaiter(t, client, r.Workspace.ID).Wait()
+	return r.Workspace
+}
+
 func requireGetManifest(ctx context.Context, t testing.TB, aAPI agentproto.DRPCAgentClient) agentsdk.Manifest {
 	mp, err := aAPI.GetManifest(ctx, &agentproto.GetManifestRequest{})
 	require.NoError(t, err)
@@ -2134,6 +2136,6 @@ func waitForUpdates(
 			t.Fatal(err)
 		}
 	case <-ctx.Done():
-		t.Fatal("Timeout waiting for desired state")
+		t.Fatal("Timeout waiting for desired state", currentState)
 	}
 }
Original file line number	Diff line number	Diff line change
`@@ -722,7 +722,7 @@ func (r RootCmd) Server(newAPI func(context.Context, coderd.Options) (*coderd.`
`722`	`722`	`options.Database = dbmetrics.NewDBMetrics(options.Database, options.Logger, options.PrometheusRegistry)`
`723`	`723`	`}`
`724`	`724`
`725`		`- wsUpdates, err := coderd.NewUpdatesProvider(logger.Named("workspace_updates"), options.Database, options.Pubsub)`
	`725`	`+ wsUpdates, err := coderd.NewUpdatesProvider(logger.Named("workspace_updates"), options.Pubsub, options.Database, options.Authorizer)`
`726`	`726`	`if err != nil {`
`727`	`727`	`return xerrors.Errorf("create workspace updates provider: %w", err)`
`728`	`728`	`}`