coder
diff --git a/‎.github/actions/setup-go/action.yaml
Lines changed: 11 additions & 10 deletions b/‎.github/actions/setup-go/action.yaml
Lines changed: 11 additions & 10 deletions
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 19 additions & 0 deletions b/‎.github/workflows/ci.yaml
Lines changed: 19 additions & 0 deletions
diff --git a/‎.github/workflows/release.yaml
Lines changed: 2 additions & 0 deletions b/‎.github/workflows/release.yaml
Lines changed: 2 additions & 0 deletions
diff --git a/‎agent/agent.go
Lines changed: 6 additions & 0 deletions b/‎agent/agent.go
Lines changed: 6 additions & 0 deletions
diff --git a/‎agent/agent_test.go
Lines changed: 9 additions & 0 deletions b/‎agent/agent_test.go
Lines changed: 9 additions & 0 deletions
diff --git a/‎coderd/coderdtest/coderdtest.go
Lines changed: 16 additions & 4 deletions b/‎coderd/coderdtest/coderdtest.go
Lines changed: 16 additions & 4 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 3 additions & 8 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 3 additions & 8 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 5 additions & 5 deletions b/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 5 additions & 5 deletions
diff --git a/‎coderd/healthcheck/derp.go
Lines changed: 1 addition & 1 deletion b/‎coderd/healthcheck/derp.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/workspaceagents.go
Lines changed: 1 addition & 2 deletions b/‎coderd/workspaceagents.go
Lines changed: 1 addition & 2 deletions
diff --git a/‎coderd/workspaceagents_test.go
Lines changed: 10 additions & 7 deletions b/‎coderd/workspaceagents_test.go
Lines changed: 10 additions & 7 deletions
diff --git a/‎coderd/workspacebuilds.go
Lines changed: 0 additions & 3 deletions b/‎coderd/workspacebuilds.go
Lines changed: 0 additions & 3 deletions
diff --git a/‎coderd/workspaces.go
Lines changed: 4 additions & 1 deletion b/‎coderd/workspaces.go
Lines changed: 4 additions & 1 deletion
diff --git a/‎codersdk/agentsdk/agentsdk.go
Lines changed: 15 additions & 7 deletions b/‎codersdk/agentsdk/agentsdk.go
Lines changed: 15 additions & 7 deletions
@@ -39,24 +39,25 @@ runs:
         path: |
           ${{ env.GOMODCACHE }}
         key: gomodcache-${{ runner.os }}-${{ hashFiles('**/go.sum') }}-${{ github.job }}
-        restore-keys: |
-          gomodcache-${{ runner.os }}-${{ hashFiles('**/go.sum') }}-
-          gomodcache-${{ runner.os }}-
+        # restore-keys aren't used because it causes the cache to grow
+        # infinitely. go.sum changes very infrequently, so rebuilding from
+        # scratch every now and then isn't terrible.
 
     - name: Cache $GOCACHE
       uses: buildjet/cache@v3
       with:
         path: |
           ${{ env.GOCACHE }}
-        # Job name must be included in the key for effective
-        # test cache reuse.
+        # Job name must be included in the key for effective test cache reuse.
         # The key format is intentionally different than GOMODCACHE, because any
-        # time a Go file changes we invalidate this cache, whereas GOMODCACHE
-        # is only invalidated when go.sum changes.
-        key: gocache-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/*.go', 'go.**') }}
+        # time a Go file changes we invalidate this cache, whereas GOMODCACHE is
+        # only invalidated when go.sum changes.
+        # The number in the key is incremented when the cache gets too large,
+        # since this technically grows without bound.
+        key: gocache2-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/*.go', 'go.**') }}
         restore-keys: |
-          gocache-${{ runner.os }}-${{ github.job }}-
-          gocache-${{ runner.os }}-
+          gocache2-${{ runner.os }}-${{ github.job }}-
+          gocache2-${{ runner.os }}-
 
     - name: Install gotestsum
       shell: bash
 
@@ -40,6 +40,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
       # For pull requests it's not necessary to checkout the code
       - name: check changed files
         uses: dorny/paths-filter@v2
@@ -109,6 +111,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
 
       - name: Setup Node
         uses: ./.github/actions/setup-node
@@ -162,6 +166,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
 
       - name: Setup Node
         uses: ./.github/actions/setup-node
@@ -207,6 +213,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
 
       - name: Setup Node
         uses: ./.github/actions/setup-node
@@ -256,6 +264,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
 
       - name: Setup Go
         uses: ./.github/actions/setup-go
@@ -323,6 +333,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
 
       - name: Setup Go
         uses: ./.github/actions/setup-go
@@ -369,6 +381,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
 
       - name: Setup Go
         uses: ./.github/actions/setup-go
@@ -488,6 +502,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
 
       - name: Setup Node
         uses: ./.github/actions/setup-node
@@ -516,6 +532,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+        with:
+          fetch-depth: 1
 
       - name: Setup Node
         uses: ./.github/actions/setup-node
@@ -619,6 +637,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v3
         with:
+          # 0 is required here for version.sh to work.
           fetch-depth: 0
 
       - name: Setup Node
 
@@ -407,6 +407,8 @@ jobs:
       - name: Comment on PR
         if: ${{ !inputs.dry_run }}
         run: |
+          # wait 30 seconds
+          Start-Sleep -Seconds 30.0
           # Find the PR that wingetcreate just made.
           $version = "${{ needs.release.outputs.version }}".Trim('v')
           $pr_list = gh pr list --repo microsoft/winget-pkgs --search "author:cdrci Coder.Coder version ${version}" --limit 1 --json number | `
 
@@ -85,6 +85,8 @@ type Client interface {
 
 type Agent interface {
 	HTTPDebug() http.Handler
+	// TailnetConn may be nil.
+	TailnetConn() *tailnet.Conn
 	io.Closer
 }
 
@@ -200,6 +202,10 @@ type agent struct {
 	metrics            *agentMetrics
 }
 
+func (a *agent) TailnetConn() *tailnet.Conn {
+	return a.network
+}
+
 func (a *agent) init(ctx context.Context) {
 	sshSrv, err := agentssh.NewServer(ctx, a.logger.Named("ssh-server"), a.prometheusRegistry, a.filesystem, a.sshMaxTimeout, "")
 	if err != nil {
 
@@ -1818,6 +1818,15 @@ func TestAgent_UpdatedDERP(t *testing.T) {
 	})
 	require.NoError(t, err)
 
+	require.Eventually(t, func() bool {
+		conn := closer.TailnetConn()
+		if conn == nil {
+			return false
+		}
+		regionIDs := conn.DERPMap().RegionIDs()
+		return len(regionIDs) == 1 && regionIDs[0] == 2 && conn.Node().PreferredDERP == 2
+	}, testutil.WaitLong, testutil.IntervalFast)
+
 	// Connect from a second client and make sure it uses the new DERP map.
 	conn2 := newClientConn(newDerpMap)
 	require.Equal(t, []int{2}, conn2.DERPMap().RegionIDs())
 
@@ -303,9 +303,21 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 		accessURL = serverURL
 	}
 
-	stunAddr, stunCleanup := stuntest.ServeWithPacketListener(t, nettype.Std{})
-	stunAddr.IP = net.ParseIP("127.0.0.1")
-	t.Cleanup(stunCleanup)
+	// If the STUNAddresses setting is empty or the default, start a STUN
+	// server. Otherwise, use the value as is.
+	var (
+		stunAddresses   []string
+		dvStunAddresses = options.DeploymentValues.DERP.Server.STUNAddresses.Value()
+	)
+	if len(dvStunAddresses) == 0 || (len(dvStunAddresses) == 1 && dvStunAddresses[0] == "stun.l.google.com:19302") {
+		stunAddr, stunCleanup := stuntest.ServeWithPacketListener(t, nettype.Std{})
+		stunAddr.IP = net.ParseIP("127.0.0.1")
+		t.Cleanup(stunCleanup)
+		stunAddresses = []string{stunAddr.String()}
+		options.DeploymentValues.DERP.Server.STUNAddresses = stunAddresses
+	} else if dvStunAddresses[0] != "disable" {
+		stunAddresses = options.DeploymentValues.DERP.Server.STUNAddresses.Value()
+	}
 
 	derpServer := derp.NewServer(key.NewNode(), tailnet.Logger(slogtest.Make(t, nil).Named("derp").Leveled(slog.LevelDebug)))
 	derpServer.SetMeshKey("test-key")
@@ -346,7 +358,7 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 	if !options.DeploymentValues.DERP.Server.Enable.Value() {
 		region = nil
 	}
-	derpMap, err := tailnet.NewDERPMap(ctx, region, []string{stunAddr.String()}, "", "", options.DeploymentValues.DERP.Config.BlockDirect.Value())
+	derpMap, err := tailnet.NewDERPMap(ctx, region, stunAddresses, "", "", options.DeploymentValues.DERP.Config.BlockDirect.Value())
 	require.NoError(t, err)
 
 	return func(h http.Handler) {
 
@@ -953,14 +953,9 @@ func (q *querier) GetLatestWorkspaceBuilds(ctx context.Context) ([]database.Work
 }
 
 func (q *querier) GetLatestWorkspaceBuildsByWorkspaceIDs(ctx context.Context, ids []uuid.UUID) ([]database.WorkspaceBuild, error) {
-	// This is not ideal as not all builds will be returned if the workspace cannot be read.
-	// This should probably be handled differently? Maybe join workspace builds with workspace
-	// ownership properties and filter on that.
-	for _, id := range ids {
-		_, err := q.GetWorkspaceByID(ctx, id)
-		if err != nil {
-			return nil, err
-		}
+	// This function is a system function until we implement a join for workspace builds.
+	if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceSystem); err != nil {
+		return nil, err
 	}
 
 	return q.db.GetLatestWorkspaceBuildsByWorkspaceIDs(ctx, ids)
 
@@ -1024,11 +1024,6 @@ func (s *MethodTestSuite) TestWorkspace() {
 		b := dbgen.WorkspaceBuild(s.T(), db, database.WorkspaceBuild{WorkspaceID: ws.ID})
 		check.Args(ws.ID).Asserts(ws, rbac.ActionRead).Returns(b)
 	}))
-	s.Run("GetLatestWorkspaceBuildsByWorkspaceIDs", s.Subtest(func(db database.Store, check *expects) {
-		ws := dbgen.Workspace(s.T(), db, database.Workspace{})
-		b := dbgen.WorkspaceBuild(s.T(), db, database.WorkspaceBuild{WorkspaceID: ws.ID})
-		check.Args([]uuid.UUID{ws.ID}).Asserts(ws, rbac.ActionRead).Returns(slice.New(b))
-	}))
 	s.Run("GetWorkspaceAgentByID", s.Subtest(func(db database.Store, check *expects) {
 		ws := dbgen.Workspace(s.T(), db, database.Workspace{})
 		build := dbgen.WorkspaceBuild(s.T(), db, database.WorkspaceBuild{WorkspaceID: ws.ID, JobID: uuid.New()})
@@ -1298,6 +1293,11 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 			LoginType: database.LoginTypeGithub,
 		}).Asserts(rbac.ResourceSystem, rbac.ActionUpdate).Returns(l)
 	}))
+	s.Run("GetLatestWorkspaceBuildsByWorkspaceIDs", s.Subtest(func(db database.Store, check *expects) {
+		ws := dbgen.Workspace(s.T(), db, database.Workspace{})
+		b := dbgen.WorkspaceBuild(s.T(), db, database.WorkspaceBuild{WorkspaceID: ws.ID})
+		check.Args([]uuid.UUID{ws.ID}).Asserts(rbac.ResourceSystem, rbac.ActionRead).Returns(slice.New(b))
+	}))
 	s.Run("UpsertDefaultProxy", s.Subtest(func(db database.Store, check *expects) {
 		check.Args(database.UpsertDefaultProxyParams{}).Asserts(rbac.ResourceSystem, rbac.ActionUpdate).Returns()
 	}))
 
@@ -172,7 +172,7 @@ func (r *DERPNodeReport) derpURL() *url.URL {
 	if r.Node.HostName == "" {
 		derpURL.Host = r.Node.IPv4
 	}
-	if r.Node.DERPPort != 0 {
+	if r.Node.DERPPort != 0 && !(r.Node.DERPPort == 443 && derpURL.Scheme == "https") && !(r.Node.DERPPort == 80 && derpURL.Scheme == "http") {
 		derpURL.Host = fmt.Sprintf("%s:%d", derpURL.Host, r.Node.DERPPort)
 	}
 
 
@@ -866,15 +866,14 @@ func (api *API) derpMapUpdates(rw http.ResponseWriter, r *http.Request) {
 			lastDERPMap = derpMap
 		}
 
+		ticker.Reset(api.Options.DERPMapUpdateFrequency)
 		select {
 		case <-ctx.Done():
 			return
 		case <-api.ctx.Done():
 			return
 		case <-ticker.C:
 		}
-
-		ticker.Reset(api.Options.DERPMapUpdateFrequency)
 	}
 }
 
 
@@ -1270,11 +1270,9 @@ func TestWorkspaceAgent_UpdatedDERP(t *testing.T) {
 	defer closer.Close()
 	user := coderdtest.CreateFirstUser(t, client)
 
-	originalDerpMap := api.DERPMap()
-	require.NotNil(t, originalDerpMap)
-
 	// Change the DERP mapper to our custom one.
 	var currentDerpMap atomic.Pointer[tailcfg.DERPMap]
+	originalDerpMap, _ := tailnettest.RunDERPAndSTUN(t)
 	currentDerpMap.Store(originalDerpMap)
 	derpMapFn := func(_ *tailcfg.DERPMap) *tailcfg.DERPMap {
 		return currentDerpMap.Load().Clone()
@@ -1304,10 +1302,8 @@ func TestWorkspaceAgent_UpdatedDERP(t *testing.T) {
 	resources := coderdtest.AwaitWorkspaceAgents(t, client, workspace.ID)
 	agentID := resources[0].Agents[0].ID
 
-	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
-	defer cancel()
-
 	// Connect from a client.
+	ctx := testutil.Context(t, testutil.WaitLong)
 	conn1, err := client.DialWorkspaceAgent(ctx, agentID, &codersdk.DialWorkspaceAgentOptions{
 		Logger: logger.Named("client1"),
 	})
@@ -1328,7 +1324,14 @@ func TestWorkspaceAgent_UpdatedDERP(t *testing.T) {
 	currentDerpMap.Store(newDerpMap)
 
 	// Wait for the agent's DERP map to be updated.
-	// TODO: this
+	require.Eventually(t, func() bool {
+		conn := agentCloser.TailnetConn()
+		if conn == nil {
+			return false
+		}
+		regionIDs := conn.DERPMap().RegionIDs()
+		return len(regionIDs) == 1 && regionIDs[0] == 2 && conn.Node().PreferredDERP == 2
+	}, testutil.WaitLong, testutil.IntervalFast)
 
 	// Wait for the DERP map to be updated on the existing client.
 	require.Eventually(t, func() bool {
 
@@ -635,9 +635,6 @@ type workspaceBuildsData struct {
 
 func (api *API) workspaceBuildsData(ctx context.Context, workspaces []database.Workspace, workspaceBuilds []database.WorkspaceBuild) (workspaceBuildsData, error) {
 	userIDs := make([]uuid.UUID, 0, len(workspaceBuilds))
-	for _, build := range workspaceBuilds {
-		userIDs = append(userIDs, build.InitiatorID)
-	}
 	for _, workspace := range workspaces {
 		userIDs = append(userIDs, workspace.OwnerID)
 	}
 
@@ -17,6 +17,7 @@ import (
 	"cdr.dev/slog"
 	"github.com/coder/coder/coderd/audit"
 	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/database/dbauthz"
 	"github.com/coder/coder/coderd/httpapi"
 	"github.com/coder/coder/coderd/httpmw"
 	"github.com/coder/coder/coderd/rbac"
@@ -1031,7 +1032,9 @@ func (api *API) workspaceData(ctx context.Context, workspaces []database.Workspa
 		return workspaceData{}, xerrors.Errorf("get templates: %w", err)
 	}
 
-	builds, err := api.Database.GetLatestWorkspaceBuildsByWorkspaceIDs(ctx, workspaceIDs)
+	// This query must be run as system restricted to be efficient.
+	// nolint:gocritic
+	builds, err := api.Database.GetLatestWorkspaceBuildsByWorkspaceIDs(dbauthz.AsSystemRestricted(ctx), workspaceIDs)
 	if err != nil && !errors.Is(err, sql.ErrNoRows) {
 		return workspaceData{}, xerrors.Errorf("get workspace builds: %w", err)
 	}
 
@@ -211,18 +211,26 @@ func (c *Client) DERPMapUpdates(ctx context.Context) (<-chan DERPMapUpdate, io.C
 			if err != nil {
 				update.Err = err
 				update.DERPMap = nil
-				return
 			}
-			err = c.rewriteDerpMap(update.DERPMap)
-			if err != nil {
-				update.Err = err
-				update.DERPMap = nil
-				return
+			if update.DERPMap != nil {
+				err = c.rewriteDerpMap(update.DERPMap)
+				if err != nil {
+					update.Err = err
+					update.DERPMap = nil
+				}
 			}
 
 			select {
 			case updates <- update:
 			case <-ctx.Done():
+				// Unblock the caller if they're waiting for an update.
+				select {
+				case updates <- DERPMapUpdate{Err: ctx.Err()}:
+				default:
+				}
+				return
+			}
+			if update.Err != nil {
 				return
 			}
 		}
@@ -231,8 +239,8 @@ func (c *Client) DERPMapUpdates(ctx context.Context) (<-chan DERPMapUpdate, io.C
 	return updates, &closer{
 		closeFunc: func() error {
 			cancelFunc()
-			_ = wsNetConn.Close()
 			<-pingClosed
+			_ = conn.Close(websocket.StatusGoingAway, "Listen closed")
 			<-updatesClosed
 			return nil
 		},
Original file line number	Diff line number	Diff line change
`@@ -172,7 +172,7 @@ func (r DERPNodeReport) derpURL() url.URL {`
`172`	`172`	`if r.Node.HostName == "" {`
`173`	`173`	`derpURL.Host = r.Node.IPv4`
`174`	`174`	`}`
`175`		`- if r.Node.DERPPort != 0 {`
	`175`	`+ if r.Node.DERPPort != 0 && !(r.Node.DERPPort == 443 && derpURL.Scheme == "https") && !(r.Node.DERPPort == 80 && derpURL.Scheme == "http") {`
`176`	`176`	`derpURL.Host = fmt.Sprintf("%s:%d", derpURL.Host, r.Node.DERPPort)`
`177`	`177`	`}`
`178`	`178`
Original file line number	Diff line number	Diff line change
`@@ -866,15 +866,14 @@ func (api API) derpMapUpdates(rw http.ResponseWriter, r http.Request) {`
`866`	`866`	`lastDERPMap = derpMap`
`867`	`867`	`}`
`868`	`868`
	`869`	`+ ticker.Reset(api.Options.DERPMapUpdateFrequency)`
`869`	`870`	`select {`
`870`	`871`	`case <-ctx.Done():`
`871`	`872`	`return`
`872`	`873`	`case <-api.ctx.Done():`
`873`	`874`	`return`
`874`	`875`	`case <-ticker.C:`
`875`	`876`	`}`
`876`		`-`
`877`		`- ticker.Reset(api.Options.DERPMapUpdateFrequency)`
`878`	`877`	`}`
`879`	`878`	`}`
`880`	`879`
Original file line number	Diff line number	Diff line change
`@@ -635,9 +635,6 @@ type workspaceBuildsData struct {`
`635`	`635`
`636`	`636`	`func (api *API) workspaceBuildsData(ctx context.Context, workspaces []database.Workspace, workspaceBuilds []database.WorkspaceBuild) (workspaceBuildsData, error) {`
`637`	`637`	`userIDs := make([]uuid.UUID, 0, len(workspaceBuilds))`
`638`		`- for _, build := range workspaceBuilds {`
`639`		`- userIDs = append(userIDs, build.InitiatorID)`
`640`		`- }`
`641`	`638`	`for _, workspace := range workspaces {`
`642`	`639`	`userIDs = append(userIDs, workspace.OwnerID)`
`643`	`640`	`}`