feat(coderd): insert provisioner daemons

johnstcn · johnstcn · commit e1d30f9c453b · 2023-12-15T09:50:38.000Z
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"database/sql"
 	"flag"
 	"fmt"
 	"io"
@@ -49,6 +50,7 @@ import (
 	"github.com/coder/coder/v2/coderd/batchstats"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbauthz"
+	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/database/pubsub"
 	"github.com/coder/coder/v2/coderd/gitsshkey"
 	"github.com/coder/coder/v2/coderd/healthcheck"
@@ -1168,8 +1170,19 @@ func (api *API) CreateInMemoryProvisionerDaemon(ctx context.Context, name string
 		}
 	}()
 
-	tags := provisionerdserver.Tags{
-		provisionersdk.TagScope: provisionersdk.ScopeOrganization,
+	//nolint:gocritic // in-memory provisioners are owned by system
+	daemon, err := api.Database.UpsertProvisionerDaemon(dbauthz.AsSystemRestricted(ctx), database.UpsertProvisionerDaemonParams{
+		Name:      name,
+		CreatedAt: dbtime.Now(),
+		Provisioners: []database.ProvisionerType{
+			database.ProvisionerTypeEcho, database.ProvisionerTypeTerraform,
+		},
+		Tags:       database.StringMap{provisionersdk.TagScope: provisionersdk.ScopeOrganization},
+		LastSeenAt: sql.NullTime{Time: dbtime.Now(), Valid: true},
+		Version:    buildinfo.Version(),
+	})
+	if err != nil {
+		return nil, xerrors.Errorf("failed to create in-memory provisioner daemon: %w", err)
 	}
 
 	mux := drpcmux.New()
@@ -1180,10 +1193,8 @@ func (api *API) CreateInMemoryProvisionerDaemon(ctx context.Context, name string
 		api.AccessURL,
 		uuid.New(),
 		logger,
-		[]database.ProvisionerType{
-			database.ProvisionerTypeEcho, database.ProvisionerTypeTerraform,
-		},
-		tags,
+		daemon.Provisioners,
+		provisionerdserver.Tags(daemon.Tags),
 		api.Database,
 		api.Pubsub,
 		api.Acquirer,
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -228,6 +228,7 @@ var (
 					rbac.ResourceOrganization.Type:       {rbac.ActionCreate},
 					rbac.ResourceOrganizationMember.Type: {rbac.ActionCreate},
 					rbac.ResourceOrgRoleAssignment.Type:  {rbac.ActionCreate},
+					rbac.ResourceProvisionerDaemon.Type:  {rbac.ActionCreate},
 					rbac.ResourceUser.Type:               {rbac.ActionCreate, rbac.ActionUpdate, rbac.ActionDelete},
 					rbac.ResourceUserData.Type:           {rbac.ActionCreate, rbac.ActionUpdate},
 					rbac.ResourceWorkspace.Type:          {rbac.ActionUpdate},
diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go
@@ -155,6 +155,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 				// Users cannot do create/update/delete on themselves, but they
 				// can read their own details.
 				ResourceUser.Type: {ActionRead},
+				// Users can create provisioner daemons scoped to themselves.
+				ResourceProvisionerDaemon.Type: {ActionCreate, ActionRead, ActionUpdate},
 			})...,
 		),
 	}.withCachedRegoValue()
diff --git a/codersdk/organizations.go b/codersdk/organizations.go
@@ -164,9 +164,6 @@ func (c *Client) Organization(ctx context.Context, id uuid.UUID) (Organization,
 }
 
 // ProvisionerDaemons returns provisioner daemons available.
-//
-// Deprecated: We no longer track provisioner daemons as they connect.  This function may return historical data
-// but new provisioner daemons will not appear.
 func (c *Client) ProvisionerDaemons(ctx context.Context) ([]ProvisionerDaemon, error) {
 	res, err := c.Request(ctx, http.MethodGet,
 		// TODO: the organization path parameter is currently ignored.
diff --git a/enterprise/cli/provisionerdaemons_test.go b/enterprise/cli/provisionerdaemons_test.go
@@ -4,13 +4,16 @@ import (
 	"context"
 	"testing"
 
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	"github.com/coder/coder/v2/cli/clitest"
 	"github.com/coder/coder/v2/coderd/coderdtest"
+	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/enterprise/coderd/coderdenttest"
 	"github.com/coder/coder/v2/enterprise/coderd/license"
+	"github.com/coder/coder/v2/provisionersdk"
 	"github.com/coder/coder/v2/pty/ptytest"
 	"github.com/coder/coder/v2/testutil"
 )
@@ -35,6 +38,17 @@ func TestProvisionerDaemon_PSK(t *testing.T) {
 	clitest.Start(t, inv)
 	pty.ExpectMatchContext(ctx, "starting provisioner daemon")
 	pty.ExpectMatchContext(ctx, "matt-daemon")
+
+	var daemons []codersdk.ProvisionerDaemon
+	require.Eventually(t, func() bool {
+		daemons, err = client.ProvisionerDaemons(ctx)
+		if err != nil {
+			return false
+		}
+		return len(daemons) > 0
+	}, testutil.WaitShort, testutil.IntervalSlow)
+	require.Equal(t, "matt-daemon", daemons[0].Name)
+	require.Equal(t, provisionersdk.ScopeOrganization, daemons[0].Tags[provisionersdk.TagScope])
 }
 
 func TestProvisionerDaemon_SessionToken(t *testing.T) {
@@ -49,14 +63,27 @@ func TestProvisionerDaemon_SessionToken(t *testing.T) {
 				},
 			},
 		})
-		anotherClient, _ := coderdtest.CreateAnotherUser(t, client, admin.OrganizationID)
-		inv, conf := newCLI(t, "provisionerd", "start", "--tag", "scope=user")
+		anotherClient, anotherUser := coderdtest.CreateAnotherUser(t, client, admin.OrganizationID)
+		inv, conf := newCLI(t, "provisionerd", "start", "--tag", "scope=user", "--name", "my-daemon")
 		clitest.SetupConfig(t, anotherClient, conf)
 		pty := ptytest.New(t).Attach(inv)
 		ctx, cancel := context.WithTimeout(inv.Context(), testutil.WaitLong)
 		defer cancel()
 		clitest.Start(t, inv)
 		pty.ExpectMatchContext(ctx, "starting provisioner daemon")
+
+		var daemons []codersdk.ProvisionerDaemon
+		var err error
+		require.Eventually(t, func() bool {
+			daemons, err = client.ProvisionerDaemons(ctx)
+			if err != nil {
+				return false
+			}
+			return len(daemons) > 0
+		}, testutil.WaitShort, testutil.IntervalSlow)
+		assert.Equal(t, "my-daemon", daemons[0].Name)
+		assert.Equal(t, provisionersdk.ScopeUser, daemons[0].Tags[provisionersdk.TagScope])
+		assert.Equal(t, anotherUser.ID.String(), daemons[0].Tags[provisionersdk.TagOwner])
 	})
 
 	t.Run("ScopeOrg", func(t *testing.T) {
@@ -69,13 +96,25 @@ func TestProvisionerDaemon_SessionToken(t *testing.T) {
 				},
 			},
 		})
-		anotherClient, _ := coderdtest.CreateAnotherUser(t, client, admin.OrganizationID)
-		inv, conf := newCLI(t, "provisionerd", "start", "--tag", "scope=organization")
+		anotherClient, _ := coderdtest.CreateAnotherUser(t, client, admin.OrganizationID, rbac.RoleTemplateAdmin())
+		inv, conf := newCLI(t, "provisionerd", "start", "--tag", "scope=organization", "--name", "org-daemon")
 		clitest.SetupConfig(t, anotherClient, conf)
 		pty := ptytest.New(t).Attach(inv)
 		ctx, cancel := context.WithTimeout(inv.Context(), testutil.WaitLong)
 		defer cancel()
 		clitest.Start(t, inv)
 		pty.ExpectMatchContext(ctx, "starting provisioner daemon")
+
+		var daemons []codersdk.ProvisionerDaemon
+		var err error
+		require.Eventually(t, func() bool {
+			daemons, err = client.ProvisionerDaemons(ctx)
+			if err != nil {
+				return false
+			}
+			return len(daemons) > 0
+		}, testutil.WaitShort, testutil.IntervalSlow)
+		assert.Equal(t, "org-daemon", daemons[0].Name)
+		assert.Equal(t, provisionersdk.ScopeOrganization, daemons[0].Tags[provisionersdk.TagScope])
 	})
 }
diff --git a/enterprise/coderd/provisionerdaemons.go b/enterprise/coderd/provisionerdaemons.go
@@ -26,6 +26,8 @@ import (
 	"cdr.dev/slog"
 	"github.com/coder/coder/v2/coderd"
 	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/dbauthz"
+	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/httpmw"
 	"github.com/coder/coder/v2/coderd/provisionerdserver"
@@ -191,7 +193,10 @@ func (api *API) provisionerDaemonServe(rw http.ResponseWriter, r *http.Request)
 	if !authorized {
 		api.Logger.Warn(ctx, "unauthorized provisioner daemon serve request", slog.F("tags", tags))
 		httpapi.Write(ctx, rw, http.StatusForbidden,
-			codersdk.Response{Message: "You aren't allowed to create provisioner daemons"})
+			codersdk.Response{
+				Message: fmt.Sprintf("You aren't allowed to create provisioner daemons with scope %q", tags[provisionersdk.TagScope]),
+			},
+		)
 		return
 	}
 	api.Logger.Debug(ctx, "provisioner authorized", slog.F("tags", tags))
@@ -221,6 +226,31 @@ func (api *API) provisionerDaemonServe(rw http.ResponseWriter, r *http.Request)
 		slog.F("tags", tags),
 	)
 
+	authCtx := ctx
+	if r.Header.Get(codersdk.ProvisionerDaemonPSK) != "" {
+		//nolint:gocritic // PSK auth means no actor in request,
+		// so use system restricted.
+		authCtx = dbauthz.AsSystemRestricted(ctx)
+	}
+
+	// Create the daemon in the database.
+	_, err := api.Database.UpsertProvisionerDaemon(authCtx, database.UpsertProvisionerDaemonParams{
+		Name:         name,
+		Provisioners: provisioners,
+		Tags:         tags,
+		CreatedAt:    dbtime.Now(),
+		LastSeenAt:   sql.NullTime{Time: dbtime.Now(), Valid: true},
+		Version:      "", // TODO: provisionerd needs to send version
+	})
+	if err != nil {
+		log.Error(ctx, "create provisioner daemon", slog.Error(err))
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Internal error creating provisioner daemon.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
 	api.AGPL.WebsocketWaitMutex.Lock()
 	api.AGPL.WebsocketWaitGroup.Add(1)
 	api.AGPL.WebsocketWaitMutex.Unlock()
diff --git a/enterprise/coderd/provisionerdaemons_test.go b/enterprise/coderd/provisionerdaemons_test.go
@@ -7,6 +7,7 @@ import (
 	"testing"
 
 	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	"cdr.dev/slog"
@@ -50,6 +51,10 @@ func TestProvisionerDaemonServe(t *testing.T) {
 		})
 		require.NoError(t, err)
 		srv.DRPCConn().Close()
+
+		daemons, err := client.ProvisionerDaemons(ctx) //nolint:gocritic // Test assertion.
+		require.NoError(t, err)
+		require.Len(t, daemons, 1)
 	})
 
 	t.Run("NoLicense", func(t *testing.T) {
@@ -163,6 +168,15 @@ func TestProvisionerDaemonServe(t *testing.T) {
 		file, err := client.Upload(context.Background(), codersdk.ContentTypeTar, bytes.NewReader(data))
 		require.NoError(t, err)
 
+		require.Eventually(t, func() bool {
+			daemons, err := client.ProvisionerDaemons(context.Background())
+			assert.NoError(t, err, "failed to get provisioner daemons")
+			return len(daemons) > 0 &&
+				assert.Equal(t, t.Name(), daemons[0].Name) &&
+				assert.Equal(t, provisionersdk.ScopeUser, daemons[0].Tags[provisionersdk.TagScope]) &&
+				assert.Equal(t, user.UserID.String(), daemons[0].Tags[provisionersdk.TagOwner])
+		}, testutil.WaitShort, testutil.IntervalMedium)
+
 		version, err := client.CreateTemplateVersion(context.Background(), user.OrganizationID, codersdk.CreateTemplateVersionRequest{
 			Name:          "example",
 			StorageMethod: codersdk.ProvisionerStorageMethodFile,
@@ -211,6 +225,12 @@ func TestProvisionerDaemonServe(t *testing.T) {
 		require.NoError(t, err)
 		err = srv.DRPCConn().Close()
 		require.NoError(t, err)
+
+		daemons, err := client.ProvisionerDaemons(ctx) //nolint:gocritic // Test assertion.
+		require.NoError(t, err)
+		if assert.Len(t, daemons, 1) {
+			assert.Equal(t, provisionersdk.ScopeOrganization, daemons[0].Tags[provisionersdk.TagScope])
+		}
 	})
 
 	t.Run("PSK_daily_cost", func(t *testing.T) {
@@ -346,6 +366,10 @@ func TestProvisionerDaemonServe(t *testing.T) {
 		var apiError *codersdk.Error
 		require.ErrorAs(t, err, &apiError)
 		require.Equal(t, http.StatusForbidden, apiError.StatusCode())
+
+		daemons, err := client.ProvisionerDaemons(ctx) //nolint:gocritic // Test assertion.
+		require.NoError(t, err)
+		require.Len(t, daemons, 0)
 	})
 
 	t.Run("NoAuth", func(t *testing.T) {
@@ -376,6 +400,10 @@ func TestProvisionerDaemonServe(t *testing.T) {
 		var apiError *codersdk.Error
 		require.ErrorAs(t, err, &apiError)
 		require.Equal(t, http.StatusForbidden, apiError.StatusCode())
+
+		daemons, err := client.ProvisionerDaemons(ctx) //nolint:gocritic // Test assertion.
+		require.NoError(t, err)
+		require.Len(t, daemons, 0)
 	})
 
 	t.Run("NoPSK", func(t *testing.T) {
@@ -406,5 +434,9 @@ func TestProvisionerDaemonServe(t *testing.T) {
 		var apiError *codersdk.Error
 		require.ErrorAs(t, err, &apiError)
 		require.Equal(t, http.StatusForbidden, apiError.StatusCode())
+
+		daemons, err := client.ProvisionerDaemons(ctx) //nolint:gocritic // Test assertion.
+		require.NoError(t, err)
+		require.Len(t, daemons, 0)
 	})
 }
diff --git a/provisionerd/provisionerd.go b/provisionerd/provisionerd.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"net/http"
 	"reflect"
 	"sync"
 	"time"
@@ -20,6 +21,7 @@ import (
 
 	"cdr.dev/slog"
 	"github.com/coder/coder/v2/coderd/tracing"
+	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/provisionerd/proto"
 	"github.com/coder/coder/v2/provisionerd/runner"
 	sdkproto "github.com/coder/coder/v2/provisionersdk/proto"
@@ -199,6 +201,11 @@ connectLoop:
 			if errors.Is(err, context.Canceled) {
 				return
 			}
+			var sdkErr *codersdk.Error
+			if errors.As(err, &sdkErr) && sdkErr.StatusCode() == http.StatusForbidden {
+				p.opts.Logger.Error(p.closeContext, "failed to dial coderd", slog.Error(err))
+				return
+			}
 			if p.isClosed() {
 				return
 			}

Original file line number	Diff line number	Diff line change
`@@ -164,9 +164,6 @@ func (c *Client) Organization(ctx context.Context, id uuid.UUID) (Organization,`
`164`	`164`	`}`
`165`	`165`
`166`	`166`	`// ProvisionerDaemons returns provisioner daemons available.`
`167`		`-//`
`168`		`-// Deprecated: We no longer track provisioner daemons as they connect. This function may return historical data`
`169`		`-// but new provisioner daemons will not appear.`
`170`	`167`	`func (c *Client) ProvisionerDaemons(ctx context.Context) ([]ProvisionerDaemon, error) {`
`171`	`168`	`res, err := c.Request(ctx, http.MethodGet,`
`172`	`169`	`// TODO: the organization path parameter is currently ignored.`