coder
diff --git a/‎coderd/coderd.go
Lines changed: 1 addition & 0 deletions b/‎coderd/coderd.go
Lines changed: 1 addition & 0 deletions
diff --git a/‎coderd/workspaceagents.go
Lines changed: 26 additions & 20 deletions b/‎coderd/workspaceagents.go
Lines changed: 26 additions & 20 deletions
diff --git a/‎coderd/workspacebuilds.go
Lines changed: 1 addition & 35 deletions b/‎coderd/workspacebuilds.go
Lines changed: 1 addition & 35 deletions
diff --git a/‎coderd/workspaces.go
Lines changed: 77 additions & 0 deletions b/‎coderd/workspaces.go
Lines changed: 77 additions & 0 deletions
diff --git a/‎codersdk/provisionerdaemons.go
Lines changed: 34 additions & 0 deletions b/‎codersdk/provisionerdaemons.go
Lines changed: 34 additions & 0 deletions
diff --git a/‎codersdk/workspaces.go
Lines changed: 2 additions & 0 deletions b/‎codersdk/workspaces.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎codersdk/workspacesdk/connector_internal_test.go
Lines changed: 5 additions & 0 deletions b/‎codersdk/workspacesdk/connector_internal_test.go
Lines changed: 5 additions & 0 deletions
diff --git a/‎enterprise/tailnet/connio.go
Lines changed: 1 addition & 1 deletion b/‎enterprise/tailnet/connio.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎tailnet/convert.go
Lines changed: 28 additions & 0 deletions b/‎tailnet/convert.go
Lines changed: 28 additions & 0 deletions
diff --git a/‎tailnet/coordinator.go
Lines changed: 1 addition & 1 deletion b/‎tailnet/coordinator.go
Lines changed: 1 addition & 1 deletion
@@ -1009,6 +1009,7 @@ func New(options *Options) *API {
 				r.Route("/roles", func(r chi.Router) {
 					r.Get("/", api.AssignableSiteRoles)
 				})
+				r.Get("/me/tailnet", api.tailnet)
 				r.Route("/{user}", func(r chi.Router) {
 					r.Use(httpmw.ExtractUserParam(options.Database))
 					r.Post("/convert-login", api.postConvertLoginType)
 
@@ -846,26 +846,10 @@ func (api *API) workspaceAgentClientCoordinate(rw http.ResponseWriter, r *http.R
 		return
 	}
 
-	// Accept a resume_token query parameter to use the same peer ID.
-	var (
-		peerID      = uuid.New()
-		resumeToken = r.URL.Query().Get("resume_token")
-	)
-	if resumeToken != "" {
-		var err error
-		peerID, err = api.Options.CoordinatorResumeTokenProvider.VerifyResumeToken(resumeToken)
-		if err != nil {
-			httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
-				Message: workspacesdk.CoordinateAPIInvalidResumeToken,
-				Detail:  err.Error(),
-				Validations: []codersdk.ValidationError{
-					{Field: "resume_token", Detail: workspacesdk.CoordinateAPIInvalidResumeToken},
-				},
-			})
-			return
-		}
-		api.Logger.Debug(ctx, "accepted coordinate resume token for peer",
-			slog.F("peer_id", peerID.String()))
+	peerID, err := api.handleResumeToken(ctx, rw, r)
+	if err != nil {
+		// handleResumeToken has already written the response.
+		return
 	}
 
 	api.WebsocketWaitMutex.Lock()
@@ -895,6 +879,28 @@ func (api *API) workspaceAgentClientCoordinate(rw http.ResponseWriter, r *http.R
 	}
 }
 
+// handleResumeToken accepts a resume_token query parameter to use the same peer ID
+func (api *API) handleResumeToken(ctx context.Context, rw http.ResponseWriter, r *http.Request) (peerID uuid.UUID, err error) {
+	peerID = uuid.New()
+	resumeToken := r.URL.Query().Get("resume_token")
+	if resumeToken != "" {
+		peerID, err = api.Options.CoordinatorResumeTokenProvider.VerifyResumeToken(resumeToken)
+		if err != nil {
+			httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
+				Message: workspacesdk.CoordinateAPIInvalidResumeToken,
+				Detail:  err.Error(),
+				Validations: []codersdk.ValidationError{
+					{Field: "resume_token", Detail: workspacesdk.CoordinateAPIInvalidResumeToken},
+				},
+			})
+			return peerID, err
+		}
+		api.Logger.Debug(ctx, "accepted coordinate resume token for peer",
+			slog.F("peer_id", peerID.String()))
+	}
+	return peerID, err
+}
+
 // @Summary Post workspace agent log source
 // @ID post-workspace-agent-log-source
 // @Security CoderSessionToken
 
@@ -947,7 +947,7 @@ func (api *API) convertWorkspaceBuild(
 		MaxDeadline:             codersdk.NewNullTime(build.MaxDeadline, !build.MaxDeadline.IsZero()),
 		Reason:                  codersdk.BuildReason(build.Reason),
 		Resources:               apiResources,
-		Status:                  convertWorkspaceStatus(apiJob.Status, transition),
+		Status:                  codersdk.ConvertWorkspaceStatus(apiJob.Status, transition),
 		DailyCost:               build.DailyCost,
 	}, nil
 }
@@ -976,37 +976,3 @@ func convertWorkspaceResource(resource database.WorkspaceResource, agents []code
 		DailyCost:  resource.DailyCost,
 	}
 }
-
-func convertWorkspaceStatus(jobStatus codersdk.ProvisionerJobStatus, transition codersdk.WorkspaceTransition) codersdk.WorkspaceStatus {
-	switch jobStatus {
-	case codersdk.ProvisionerJobPending:
-		return codersdk.WorkspaceStatusPending
-	case codersdk.ProvisionerJobRunning:
-		switch transition {
-		case codersdk.WorkspaceTransitionStart:
-			return codersdk.WorkspaceStatusStarting
-		case codersdk.WorkspaceTransitionStop:
-			return codersdk.WorkspaceStatusStopping
-		case codersdk.WorkspaceTransitionDelete:
-			return codersdk.WorkspaceStatusDeleting
-		}
-	case codersdk.ProvisionerJobSucceeded:
-		switch transition {
-		case codersdk.WorkspaceTransitionStart:
-			return codersdk.WorkspaceStatusRunning
-		case codersdk.WorkspaceTransitionStop:
-			return codersdk.WorkspaceStatusStopped
-		case codersdk.WorkspaceTransitionDelete:
-			return codersdk.WorkspaceStatusDeleted
-		}
-	case codersdk.ProvisionerJobCanceling:
-		return codersdk.WorkspaceStatusCanceling
-	case codersdk.ProvisionerJobCanceled:
-		return codersdk.WorkspaceStatusCanceled
-	case codersdk.ProvisionerJobFailed:
-		return codersdk.WorkspaceStatusFailed
-	}
-
-	// return error status since we should never get here
-	return codersdk.WorkspaceStatusFailed
-}
@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
 	"net/http"
 	"slices"
 	"strconv"
@@ -15,6 +16,7 @@ import (
 	"github.com/go-chi/chi/v5"
 	"github.com/google/uuid"
 	"golang.org/x/xerrors"
+	"nhooyr.io/websocket"
 
 	"cdr.dev/slog"
 	"github.com/coder/coder/v2/agent/proto"
@@ -36,6 +38,7 @@ import (
 	"github.com/coder/coder/v2/coderd/wsbuilder"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/codersdk/agentsdk"
+	"github.com/coder/coder/v2/tailnet"
 )
 
 var (
@@ -2068,6 +2071,11 @@ func (api *API) publishWorkspaceUpdate(ctx context.Context, workspaceID uuid.UUI
 		api.Logger.Warn(ctx, "failed to publish workspace update",
 			slog.F("workspace_id", workspaceID), slog.Error(err))
 	}
+	err = api.Pubsub.Publish(codersdk.AllWorkspacesNotifyChannel, []byte(workspaceID.String()))
+	if err != nil {
+		api.Logger.Warn(ctx, "failed to publish all workspaces update",
+			slog.F("workspace_id", workspaceID), slog.Error(err))
+	}
 }
 
 func (api *API) publishWorkspaceAgentLogsUpdate(ctx context.Context, workspaceAgentID uuid.UUID, m agentsdk.LogsNotifyMessage) {
@@ -2080,3 +2088,72 @@ func (api *API) publishWorkspaceAgentLogsUpdate(ctx context.Context, workspaceAg
 		api.Logger.Warn(ctx, "failed to publish workspace agent logs update", slog.F("workspace_agent_id", workspaceAgentID), slog.Error(err))
 	}
 }
+
+// @Summary Coordinate multiple workspace agents
+// @ID coordinate-multiple-workspace-agents
+// @Security CoderSessionToken
+// @Tags Workspaces
+// @Success 101
+// @Router /users/me/tailnet [get]
+func (api *API) tailnet(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	owner := httpmw.UserParam(r)
+	ownerRoles := httpmw.UserAuthorization(r)
+
+	// Check if the actor is allowed to access any workspace owned by the user.
+	if !api.Authorize(r, policy.ActionSSH, rbac.ResourceWorkspace.WithOwner(owner.ID.String())) {
+		httpapi.ResourceNotFound(rw)
+		return
+	}
+
+	version := "1.0"
+	qv := r.URL.Query().Get("version")
+	if qv != "" {
+		version = qv
+	}
+	if err := proto.CurrentVersion.Validate(version); err != nil {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: "Unknown or unsupported API version",
+			Validations: []codersdk.ValidationError{
+				{Field: "version", Detail: err.Error()},
+			},
+		})
+		return
+	}
+
+	peerID, err := api.handleResumeToken(ctx, rw, r)
+	if err != nil {
+		// handleResumeToken has already written the response.
+		return
+	}
+
+	api.WebsocketWaitMutex.Lock()
+	api.WebsocketWaitGroup.Add(1)
+	api.WebsocketWaitMutex.Unlock()
+	defer api.WebsocketWaitGroup.Done()
+
+	conn, err := websocket.Accept(rw, r, nil)
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: "Failed to accept websocket.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+	ctx, wsNetConn := codersdk.WebsocketNetConn(ctx, conn, websocket.MessageBinary)
+	defer wsNetConn.Close()
+	defer conn.Close(websocket.StatusNormalClosure, "")
+
+	go httpapi.Heartbeat(ctx, conn)
+	err = api.TailnetClientService.ServeUserClient(ctx, version, wsNetConn, tailnet.ServeUserClientOptions{
+		PeerID:   peerID,
+		UserID:   owner.ID,
+		Subject:  &ownerRoles,
+		Authz:    api.Authorizer,
+		Database: api.Database,
+	})
+	if err != nil && !xerrors.Is(err, io.EOF) && !xerrors.Is(err, context.Canceled) {
+		_ = conn.Close(websocket.StatusInternalError, err.Error())
+		return
+	}
+}
@@ -387,3 +387,37 @@ func (c *Client) DeleteProvisionerKey(ctx context.Context, organizationID uuid.U
 	}
 	return nil
 }
+
+func ConvertWorkspaceStatus(jobStatus ProvisionerJobStatus, transition WorkspaceTransition) WorkspaceStatus {
+	switch jobStatus {
+	case ProvisionerJobPending:
+		return WorkspaceStatusPending
+	case ProvisionerJobRunning:
+		switch transition {
+		case WorkspaceTransitionStart:
+			return WorkspaceStatusStarting
+		case WorkspaceTransitionStop:
+			return WorkspaceStatusStopping
+		case WorkspaceTransitionDelete:
+			return WorkspaceStatusDeleting
+		}
+	case ProvisionerJobSucceeded:
+		switch transition {
+		case WorkspaceTransitionStart:
+			return WorkspaceStatusRunning
+		case WorkspaceTransitionStop:
+			return WorkspaceStatusStopped
+		case WorkspaceTransitionDelete:
+			return WorkspaceStatusDeleted
+		}
+	case ProvisionerJobCanceling:
+		return WorkspaceStatusCanceling
+	case ProvisionerJobCanceled:
+		return WorkspaceStatusCanceled
+	case ProvisionerJobFailed:
+		return WorkspaceStatusFailed
+	}
+
+	// return error status since we should never get here
+	return WorkspaceStatusFailed
+}
@@ -661,3 +661,5 @@ func (c *Client) WorkspaceTimings(ctx context.Context, id uuid.UUID) (WorkspaceT
 func WorkspaceNotifyChannel(id uuid.UUID) string {
 	return fmt.Sprintf("workspace:%s", id)
 }
+
+const AllWorkspacesNotifyChannel = "all-workspaces"
@@ -571,6 +571,11 @@ func (f *fakeDRPCClient) RefreshResumeToken(_ context.Context, _ *proto.RefreshR
 	}, nil
 }
 
+// WorkspaceUpdates implements proto.DRPCTailnetClient.
+func (*fakeDRPCClient) WorkspaceUpdates(context.Context, *proto.WorkspaceUpdatesRequest) (proto.DRPCTailnet_WorkspaceUpdatesClient, error) {
+	panic("unimplemented")
+}
+
 type fakeDRPCConn struct{}
 
 var _ drpc.Conn = &fakeDRPCConn{}
 
@@ -133,7 +133,7 @@ var errDisconnect = xerrors.New("graceful disconnect")
 
 func (c *connIO) handleRequest(req *proto.CoordinateRequest) error {
 	c.logger.Debug(c.peerCtx, "got request")
-	err := c.auth.Authorize(req)
+	err := c.auth.Authorize(c.coordCtx, req)
 	if err != nil {
 		c.logger.Warn(c.peerCtx, "unauthorized request", slog.Error(err))
 		return xerrors.Errorf("authorize request: %w", err)
 
@@ -9,6 +9,7 @@ import (
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 
+	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/tailnet/proto"
 )
 
@@ -270,3 +271,30 @@ func DERPNodeFromProto(node *proto.DERPMap_Region_Node) *tailcfg.DERPNode {
 		CanPort80:        node.CanPort_80,
 	}
 }
+
+func WorkspaceStatusToProto(status codersdk.WorkspaceStatus) proto.Workspace_Status {
+	switch status {
+	case codersdk.WorkspaceStatusCanceled:
+		return proto.Workspace_CANCELED
+	case codersdk.WorkspaceStatusCanceling:
+		return proto.Workspace_CANCELING
+	case codersdk.WorkspaceStatusDeleted:
+		return proto.Workspace_DELETED
+	case codersdk.WorkspaceStatusDeleting:
+		return proto.Workspace_DELETING
+	case codersdk.WorkspaceStatusFailed:
+		return proto.Workspace_FAILED
+	case codersdk.WorkspaceStatusPending:
+		return proto.Workspace_PENDING
+	case codersdk.WorkspaceStatusRunning:
+		return proto.Workspace_RUNNING
+	case codersdk.WorkspaceStatusStarting:
+		return proto.Workspace_STARTING
+	case codersdk.WorkspaceStatusStopped:
+		return proto.Workspace_STOPPED
+	case codersdk.WorkspaceStatusStopping:
+		return proto.Workspace_STOPPING
+	default:
+		return proto.Workspace_UNKNOWN
+	}
+}
@@ -577,7 +577,7 @@ func (c *core) handleRequest(p *peer, req *proto.CoordinateRequest) error {
 		return ErrAlreadyRemoved
 	}
 
-	if err := pr.auth.Authorize(req); err != nil {
+	if err := pr.auth.Authorize(context.Background(), req); err != nil {
 		return xerrors.Errorf("authorize request: %w", err)
 	}
Original file line number	Diff line number	Diff line change
`@@ -661,3 +661,5 @@ func (c *Client) WorkspaceTimings(ctx context.Context, id uuid.UUID) (WorkspaceT`
`661`	`661`	`func WorkspaceNotifyChannel(id uuid.UUID) string {`
`662`	`662`	`return fmt.Sprintf("workspace:%s", id)`
`663`	`663`	`}`
	`664`	`+`
	`665`	`+const AllWorkspacesNotifyChannel = "all-workspaces"`
Original file line number	Diff line number	Diff line change
`@@ -577,7 +577,7 @@ func (c core) handleRequest(p peer, req *proto.CoordinateRequest) error {`
`577`	`577`	`return ErrAlreadyRemoved`
`578`	`578`	`}`
`579`	`579`
`580`		`- if err := pr.auth.Authorize(req); err != nil {`
	`580`	`+ if err := pr.auth.Authorize(context.Background(), req); err != nil {`
`581`	`581`	`return xerrors.Errorf("authorize request: %w", err)`
`582`	`582`	`}`
`583`	`583`