coder
diff --git a/‎.github/workflows/security.yaml
Lines changed: 9 additions & 0 deletions b/‎.github/workflows/security.yaml
Lines changed: 9 additions & 0 deletions
diff --git a/‎agent/agent.go
Lines changed: 3 additions & 3 deletions b/‎agent/agent.go
Lines changed: 3 additions & 3 deletions
diff --git a/‎agent/agentssh/agentssh.go
Lines changed: 26 additions & 9 deletions b/‎agent/agentssh/agentssh.go
Lines changed: 26 additions & 9 deletions
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 2 additions & 4 deletions b/‎coderd/apidoc/docs.go
Lines changed: 2 additions & 4 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 2 additions & 6 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 2 additions & 6 deletions
diff --git a/‎coderd/audit.go
Lines changed: 5 additions & 5 deletions b/‎coderd/audit.go
Lines changed: 5 additions & 5 deletions
diff --git a/‎coderd/authorize.go
Lines changed: 1 addition & 1 deletion b/‎coderd/authorize.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/csp.go
Lines changed: 2 additions & 2 deletions b/‎coderd/csp.go
Lines changed: 2 additions & 2 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 57 additions & 0 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 57 additions & 0 deletions
@@ -125,6 +125,15 @@ jobs:
           pcc_pass: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }}
           image_name: ${{ steps.build.outputs.image }}
 
+      - name: Scan image
+        id: sysdig-scan
+        uses: sysdiglabs/scan-action@v3
+        with:
+          image-tag: ${{ steps.build.outputs.image }}
+          sysdig-secure-token: ${{ secrets.SYSDIG_API_TOKEN }}
+          input-type: docker-daemon
+          sysdig-secure-url: https://app.us4.sysdig.com
+
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54
         with:
 
@@ -332,7 +332,7 @@ func (a *agent) reportMetadataLoop(ctx context.Context) {
 			lastCollectedAts[mr.key] = mr.result.CollectedAt
 			err := a.client.PostMetadata(ctx, mr.key, *mr.result)
 			if err != nil {
-				a.logger.Error(ctx, "report metadata", slog.Error(err))
+				a.logger.Error(ctx, "agent failed to report metadata", slog.Error(err))
 			}
 		case <-baseTicker.C:
 		}
@@ -462,7 +462,7 @@ func (a *agent) reportLifecycleLoop(ctx context.Context) {
 				return
 			}
 			// If we fail to report the state we probably shouldn't exit, log only.
-			a.logger.Error(ctx, "post state", slog.Error(err))
+			a.logger.Error(ctx, "agent failed to report the lifecycle state", slog.Error(err))
 		}
 	}
 }
@@ -1365,7 +1365,7 @@ func (a *agent) startReportingConnectionStats(ctx context.Context) {
 		)
 	})
 	if err != nil {
-		a.logger.Error(ctx, "report stats", slog.Error(err))
+		a.logger.Error(ctx, "agent failed to report stats", slog.Error(err))
 	} else {
 		if err = a.trackConnGoroutine(func() {
 			// This is OK because the agent never re-creates the tailnet
 
@@ -180,21 +180,24 @@ func (s *Server) ConnStats() ConnStats {
 }
 
 func (s *Server) sessionHandler(session ssh.Session) {
+	logger := s.logger.With(slog.F("remote_addr", session.RemoteAddr()), slog.F("local_addr", session.LocalAddr()))
+	logger.Info(session.Context(), "handling ssh session")
+	ctx := session.Context()
 	if !s.trackSession(session, true) {
 		// See (*Server).Close() for why we call Close instead of Exit.
 		_ = session.Close()
+		logger.Info(ctx, "unable to accept new session, server is closing")
 		return
 	}
 	defer s.trackSession(session, false)
 
-	ctx := session.Context()
-
 	extraEnv := make([]string, 0)
 	x11, hasX11 := session.X11()
 	if hasX11 {
 		handled := s.x11Handler(session.Context(), x11)
 		if !handled {
 			_ = session.Exit(1)
+			logger.Error(ctx, "x11 handler failed")
 			return
 		}
 		extraEnv = append(extraEnv, fmt.Sprintf("DISPLAY=:%d.0", x11.ScreenNumber))
@@ -206,25 +209,26 @@ func (s *Server) sessionHandler(session ssh.Session) {
 		s.sftpHandler(session)
 		return
 	default:
-		s.logger.Debug(ctx, "unsupported subsystem", slog.F("subsystem", ss))
+		logger.Warn(ctx, "unsupported subsystem", slog.F("subsystem", ss))
 		_ = session.Exit(1)
 		return
 	}
 
 	err := s.sessionStart(session, extraEnv)
 	var exitError *exec.ExitError
 	if xerrors.As(err, &exitError) {
-		s.logger.Warn(ctx, "ssh session returned", slog.Error(exitError))
+		logger.Info(ctx, "ssh session returned", slog.Error(exitError))
 		_ = session.Exit(exitError.ExitCode())
 		return
 	}
 	if err != nil {
-		s.logger.Warn(ctx, "ssh session failed", slog.Error(err))
+		logger.Warn(ctx, "ssh session failed", slog.Error(err))
 		// This exit code is designed to be unlikely to be confused for a legit exit code
 		// from the process.
 		_ = session.Exit(MagicSessionErrorCode)
 		return
 	}
+	logger.Info(ctx, "normal ssh session exit")
 	_ = session.Exit(0)
 }
 
@@ -337,7 +341,7 @@ func (s *Server) startPTYSession(session ptySession, magicTypeLabel string, cmd
 		if manifest != nil {
 			err := showMOTD(session, manifest.MOTDFile)
 			if err != nil {
-				s.logger.Error(ctx, "show MOTD", slog.Error(err))
+				s.logger.Error(ctx, "agent failed to show MOTD", slog.Error(err))
 				s.metrics.sessionErrors.WithLabelValues(magicTypeLabel, "yes", "motd").Add(1)
 			}
 		} else {
@@ -406,7 +410,7 @@ func (s *Server) startPTYSession(session ptySession, magicTypeLabel string, cmd
 	// ExitErrors just mean the command we run returned a non-zero exit code, which is normal
 	// and not something to be concerned about.  But, if it's something else, we should log it.
 	if err != nil && !xerrors.As(err, &exitErr) {
-		s.logger.Warn(ctx, "wait error", slog.Error(err))
+		s.logger.Warn(ctx, "process wait exited with error", slog.Error(err))
 		s.metrics.sessionErrors.WithLabelValues(magicTypeLabel, "yes", "wait").Add(1)
 	}
 	if err != nil {
@@ -565,7 +569,12 @@ func (s *Server) CreateCommand(ctx context.Context, script string, env []string)
 	return cmd, nil
 }
 
-func (s *Server) Serve(l net.Listener) error {
+func (s *Server) Serve(l net.Listener) (retErr error) {
+	s.logger.Info(context.Background(), "started serving listener", slog.F("listen_addr", l.Addr()))
+	defer func() {
+		s.logger.Info(context.Background(), "stopped serving listener",
+			slog.F("listen_addr", l.Addr()), slog.Error(retErr))
+	}()
 	defer l.Close()
 
 	s.trackListener(l, true)
@@ -580,15 +589,23 @@ func (s *Server) Serve(l net.Listener) error {
 }
 
 func (s *Server) handleConn(l net.Listener, c net.Conn) {
+	logger := s.logger.With(
+		slog.F("remote_addr", c.RemoteAddr()),
+		slog.F("local_addr", c.LocalAddr()),
+		slog.F("listen_addr", l.Addr()))
 	defer c.Close()
 
 	if !s.trackConn(l, c, true) {
 		// Server is closed or we no longer want
 		// connections from this listener.
-		s.logger.Debug(context.Background(), "received connection after server closed")
+		logger.Info(context.Background(), "received connection after server closed")
 		return
 	}
 	defer s.trackConn(l, c, false)
+	logger.Info(context.Background(), "started serving connection")
+	defer func() {
+		logger.Info(context.Background(), "stopped serving connection")
+	}()
 
 	s.srv.HandleConn(c)
 }
 
@@ -288,7 +288,7 @@ func (api *API) auditLogIsResourceDeleted(ctx context.Context, alog database.Get
 			if xerrors.Is(err, sql.ErrNoRows) {
 				return true
 			}
-			api.Logger.Error(ctx, "fetch template", slog.Error(err))
+			api.Logger.Error(ctx, "unable to fetch template", slog.Error(err))
 		}
 		return template.Deleted
 	case database.ResourceTypeUser:
@@ -297,7 +297,7 @@ func (api *API) auditLogIsResourceDeleted(ctx context.Context, alog database.Get
 			if xerrors.Is(err, sql.ErrNoRows) {
 				return true
 			}
-			api.Logger.Error(ctx, "fetch user", slog.Error(err))
+			api.Logger.Error(ctx, "unable to fetch user", slog.Error(err))
 		}
 		return user.Deleted
 	case database.ResourceTypeWorkspace:
@@ -306,7 +306,7 @@ func (api *API) auditLogIsResourceDeleted(ctx context.Context, alog database.Get
 			if xerrors.Is(err, sql.ErrNoRows) {
 				return true
 			}
-			api.Logger.Error(ctx, "fetch workspace", slog.Error(err))
+			api.Logger.Error(ctx, "unable to fetch workspace", slog.Error(err))
 		}
 		return workspace.Deleted
 	case database.ResourceTypeWorkspaceBuild:
@@ -315,15 +315,15 @@ func (api *API) auditLogIsResourceDeleted(ctx context.Context, alog database.Get
 			if xerrors.Is(err, sql.ErrNoRows) {
 				return true
 			}
-			api.Logger.Error(ctx, "fetch workspace build", slog.Error(err))
+			api.Logger.Error(ctx, "unable to fetch workspace build", slog.Error(err))
 		}
 		// We use workspace as a proxy for workspace build here
 		workspace, err := api.Database.GetWorkspaceByID(ctx, workspaceBuild.WorkspaceID)
 		if err != nil {
 			if xerrors.Is(err, sql.ErrNoRows) {
 				return true
 			}
-			api.Logger.Error(ctx, "fetch workspace", slog.Error(err))
+			api.Logger.Error(ctx, "unable to fetch workspace", slog.Error(err))
 		}
 		return workspace.Deleted
 	default:
 
@@ -22,7 +22,7 @@ func AuthorizeFilter[O rbac.Objecter](h *HTTPAuthorizer, r *http.Request, action
 	objects, err := rbac.Filter(r.Context(), h.Authorizer, roles.Actor, action, objects)
 	if err != nil {
 		// Log the error as Filter should not be erroring.
-		h.Logger.Error(r.Context(), "filter failed",
+		h.Logger.Error(r.Context(), "authorization filter failed",
 			slog.Error(err),
 			slog.F("user_id", roles.Actor.ID),
 			slog.F("username", roles.ActorName),
 
@@ -31,7 +31,7 @@ func (api *API) logReportCSPViolations(rw http.ResponseWriter, r *http.Request)
 	dec := json.NewDecoder(r.Body)
 	err := dec.Decode(&v)
 	if err != nil {
-		api.Logger.Warn(ctx, "csp violation", slog.Error(err))
+		api.Logger.Warn(ctx, "CSP violation reported", slog.Error(err))
 		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
 			Message: "Failed to read body, invalid json.",
 			Detail:  err.Error(),
@@ -43,7 +43,7 @@ func (api *API) logReportCSPViolations(rw http.ResponseWriter, r *http.Request)
 	for k, v := range v.Report {
 		fields = append(fields, slog.F(k, v))
 	}
-	api.Logger.Debug(ctx, "csp violation", fields...)
+	api.Logger.Debug(ctx, "CSP violation reported", fields...)
 
 	httpapi.Write(ctx, rw, http.StatusOK, "ok")
 }
@@ -707,6 +707,13 @@ func (q *querier) DeleteApplicationConnectAPIKeysByUserID(ctx context.Context, u
 	return q.db.DeleteApplicationConnectAPIKeysByUserID(ctx, userID)
 }
 
+func (q *querier) DeleteCoordinator(ctx context.Context, id uuid.UUID) error {
+	if err := q.authorizeContext(ctx, rbac.ActionDelete, rbac.ResourceTailnetCoordinator); err != nil {
+		return err
+	}
+	return q.db.DeleteCoordinator(ctx, id)
+}
+
 func (q *querier) DeleteGitSSHKey(ctx context.Context, userID uuid.UUID) error {
 	return deleteQ(q.log, q.auth, q.db.GetGitSSHKey, q.db.DeleteGitSSHKey)(ctx, userID)
 }
@@ -772,6 +779,21 @@ func (q *querier) DeleteUserOauthMergeStates(ctx context.Context, userID uuid.UU
 	return q.db.DeleteUserOauthMergeStates(ctx, userID)
 }
 
+
+func (q *querier) DeleteTailnetAgent(ctx context.Context, arg database.DeleteTailnetAgentParams) (database.DeleteTailnetAgentRow, error) {
+	if err := q.authorizeContext(ctx, rbac.ActionUpdate, rbac.ResourceTailnetCoordinator); err != nil {
+		return database.DeleteTailnetAgentRow{}, err
+	}
+	return q.db.DeleteTailnetAgent(ctx, arg)
+}
+
+func (q *querier) DeleteTailnetClient(ctx context.Context, arg database.DeleteTailnetClientParams) (database.DeleteTailnetClientRow, error) {
+	if err := q.authorizeContext(ctx, rbac.ActionDelete, rbac.ResourceTailnetCoordinator); err != nil {
+		return database.DeleteTailnetClientRow{}, err
+	}
+	return q.db.DeleteTailnetClient(ctx, arg)
+}
+
 func (q *querier) GetAPIKeyByID(ctx context.Context, id string) (database.APIKey, error) {
 	return fetch(q.log, q.auth, q.db.GetAPIKeyByID)(ctx, id)
 }
@@ -1144,6 +1166,20 @@ func (q *querier) GetServiceBanner(ctx context.Context) (string, error) {
 	return q.db.GetServiceBanner(ctx)
 }
 
+func (q *querier) GetTailnetAgents(ctx context.Context, id uuid.UUID) ([]database.TailnetAgent, error) {
+	if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceTailnetCoordinator); err != nil {
+		return nil, err
+	}
+	return q.db.GetTailnetAgents(ctx, id)
+}
+
+func (q *querier) GetTailnetClientsForAgent(ctx context.Context, agentID uuid.UUID) ([]database.TailnetClient, error) {
+	if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceTailnetCoordinator); err != nil {
+		return nil, err
+	}
+	return q.db.GetTailnetClientsForAgent(ctx, agentID)
+}
+
 // Only used by metrics cache.
 func (q *querier) GetTemplateAverageBuildTime(ctx context.Context, arg database.GetTemplateAverageBuildTimeParams) (database.GetTemplateAverageBuildTimeRow, error) {
 	if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceSystem); err != nil {
@@ -2545,3 +2581,24 @@ func (q *querier) UpsertServiceBanner(ctx context.Context, value string) error {
 	}
 	return q.db.UpsertServiceBanner(ctx, value)
 }
+
+func (q *querier) UpsertTailnetAgent(ctx context.Context, arg database.UpsertTailnetAgentParams) (database.TailnetAgent, error) {
+	if err := q.authorizeContext(ctx, rbac.ActionUpdate, rbac.ResourceTailnetCoordinator); err != nil {
+		return database.TailnetAgent{}, err
+	}
+	return q.db.UpsertTailnetAgent(ctx, arg)
+}
+
+func (q *querier) UpsertTailnetClient(ctx context.Context, arg database.UpsertTailnetClientParams) (database.TailnetClient, error) {
+	if err := q.authorizeContext(ctx, rbac.ActionUpdate, rbac.ResourceTailnetCoordinator); err != nil {
+		return database.TailnetClient{}, err
+	}
+	return q.db.UpsertTailnetClient(ctx, arg)
+}
+
+func (q *querier) UpsertTailnetCoordinator(ctx context.Context, id uuid.UUID) (database.TailnetCoordinator, error) {
+	if err := q.authorizeContext(ctx, rbac.ActionUpdate, rbac.ResourceTailnetCoordinator); err != nil {
+		return database.TailnetCoordinator{}, err
+	}
+	return q.db.UpsertTailnetCoordinator(ctx, id)
+}
Original file line number	Diff line number	Diff line change
`@@ -332,7 +332,7 @@ func (a *agent) reportMetadataLoop(ctx context.Context) {`
`332`	`332`	`lastCollectedAts[mr.key] = mr.result.CollectedAt`
`333`	`333`	`err := a.client.PostMetadata(ctx, mr.key, *mr.result)`
`334`	`334`	`if err != nil {`
`335`		`- a.logger.Error(ctx, "report metadata", slog.Error(err))`
	`335`	`+ a.logger.Error(ctx, "agent failed to report metadata", slog.Error(err))`
`336`	`336`	`}`
`337`	`337`	`case <-baseTicker.C:`
`338`	`338`	`}`
`@@ -462,7 +462,7 @@ func (a *agent) reportLifecycleLoop(ctx context.Context) {`
`462`	`462`	`return`
`463`	`463`	`}`
`464`	`464`	`// If we fail to report the state we probably shouldn't exit, log only.`
`465`		`- a.logger.Error(ctx, "post state", slog.Error(err))`
	`465`	`+ a.logger.Error(ctx, "agent failed to report the lifecycle state", slog.Error(err))`
`466`	`466`	`}`
`467`	`467`	`}`
`468`	`468`	`}`
`@@ -1365,7 +1365,7 @@ func (a *agent) startReportingConnectionStats(ctx context.Context) {`
`1365`	`1365`	`)`
`1366`	`1366`	`})`
`1367`	`1367`	`if err != nil {`
`1368`		`- a.logger.Error(ctx, "report stats", slog.Error(err))`
	`1368`	`+ a.logger.Error(ctx, "agent failed to report stats", slog.Error(err))`
`1369`	`1369`	`} else {`
`1370`	`1370`	`if err = a.trackConnGoroutine(func() {`
`1371`	`1371`	`// This is OK because the agent never re-creates the tailnet`
Original file line number	Diff line number	Diff line change
`@@ -288,7 +288,7 @@ func (api *API) auditLogIsResourceDeleted(ctx context.Context, alog database.Get`
`288`	`288`	`if xerrors.Is(err, sql.ErrNoRows) {`
`289`	`289`	`return true`
`290`	`290`	`}`
`291`		`- api.Logger.Error(ctx, "fetch template", slog.Error(err))`
	`291`	`+ api.Logger.Error(ctx, "unable to fetch template", slog.Error(err))`
`292`	`292`	`}`
`293`	`293`	`return template.Deleted`
`294`	`294`	`case database.ResourceTypeUser:`
`@@ -297,7 +297,7 @@ func (api *API) auditLogIsResourceDeleted(ctx context.Context, alog database.Get`
`297`	`297`	`if xerrors.Is(err, sql.ErrNoRows) {`
`298`	`298`	`return true`
`299`	`299`	`}`
`300`		`- api.Logger.Error(ctx, "fetch user", slog.Error(err))`
	`300`	`+ api.Logger.Error(ctx, "unable to fetch user", slog.Error(err))`
`301`	`301`	`}`
`302`	`302`	`return user.Deleted`
`303`	`303`	`case database.ResourceTypeWorkspace:`
`@@ -306,7 +306,7 @@ func (api *API) auditLogIsResourceDeleted(ctx context.Context, alog database.Get`
`306`	`306`	`if xerrors.Is(err, sql.ErrNoRows) {`
`307`	`307`	`return true`
`308`	`308`	`}`
`309`		`- api.Logger.Error(ctx, "fetch workspace", slog.Error(err))`
	`309`	`+ api.Logger.Error(ctx, "unable to fetch workspace", slog.Error(err))`
`310`	`310`	`}`
`311`	`311`	`return workspace.Deleted`
`312`	`312`	`case database.ResourceTypeWorkspaceBuild:`
`@@ -315,15 +315,15 @@ func (api *API) auditLogIsResourceDeleted(ctx context.Context, alog database.Get`
`315`	`315`	`if xerrors.Is(err, sql.ErrNoRows) {`
`316`	`316`	`return true`
`317`	`317`	`}`
`318`		`- api.Logger.Error(ctx, "fetch workspace build", slog.Error(err))`
	`318`	`+ api.Logger.Error(ctx, "unable to fetch workspace build", slog.Error(err))`
`319`	`319`	`}`
`320`	`320`	`// We use workspace as a proxy for workspace build here`
`321`	`321`	`workspace, err := api.Database.GetWorkspaceByID(ctx, workspaceBuild.WorkspaceID)`
`322`	`322`	`if err != nil {`
`323`	`323`	`if xerrors.Is(err, sql.ErrNoRows) {`
`324`	`324`	`return true`
`325`	`325`	`}`
`326`		`- api.Logger.Error(ctx, "fetch workspace", slog.Error(err))`
	`326`	`+ api.Logger.Error(ctx, "unable to fetch workspace", slog.Error(err))`
`327`	`327`	`}`
`328`	`328`	`return workspace.Deleted`
`329`	`329`	`default:`