Merge branch 'main' into bq/prompt-template-variables

BrunoQuaresma · BrunoQuaresma · commit e25b59cc9949 · 2023-04-17T11:20:35.000Z
diff --git a/README.md b/README.md
@@ -84,7 +84,7 @@ coder server --postgres-url <url> --access-url <url>
 
 > <sup>1</sup> For production deployments, set up an external PostgreSQL instance for reliability.
 
-Use `coder --help` to get a list of flags and environment variables. Use our [install guides](https://coder.com/docs/v2/latest/guides) for a full walkthrough.
+Use `coder --help` to get a list of flags and environment variables. Use our [install guides](https://coder.com/docs/v2/latest/install) for a full walkthrough.
 
 ## Documentation
 
diff --git a/cli/cliui/select.go b/cli/cliui/select.go
@@ -70,17 +70,22 @@ type RichSelectOptions struct {
 // RichSelect displays a list of user options including name and description.
 func RichSelect(inv *clibase.Invocation, richOptions RichSelectOptions) (*codersdk.TemplateVersionParameterOption, error) {
 	opts := make([]string, len(richOptions.Options))
+	var defaultOpt string
 	for i, option := range richOptions.Options {
 		line := option.Name
 		if len(option.Description) > 0 {
 			line += ": " + option.Description
 		}
 		opts[i] = line
+
+		if option.Value == richOptions.Default {
+			defaultOpt = line
+		}
 	}
 
 	selected, err := Select(inv, SelectOptions{
 		Options:    opts,
-		Default:    richOptions.Default,
+		Default:    defaultOpt,
 		Size:       richOptions.Size,
 		HideSearch: richOptions.HideSearch,
 	})
diff --git a/cli/tokens.go b/cli/tokens.go
@@ -3,7 +3,6 @@ package cli
 import (
 	"fmt"
 	"os"
-	"strings"
 	"time"
 
 	"golang.org/x/exp/slices"
@@ -67,14 +66,7 @@ func (r *RootCmd) createToken() *clibase.Cmd {
 				return xerrors.Errorf("create tokens: %w", err)
 			}
 
-			cliui.Infof(
-				inv.Stdout,
-				"Here is your token. 🪄\n\n",
-			)
-			cliui.Infof(inv.Stdout, cliui.Styles.Code.Render(strings.TrimSpace(res.Key))+"\n\n")
-			cliui.Infof(inv.Stdout,
-				"You can use this token by setting the --%s CLI flag, the %s environment variable, or the %q HTTP header.", varToken, envSessionToken, codersdk.SessionTokenHeader,
-			)
+			_, _ = fmt.Fprintln(inv.Stdout, res.Key)
 
 			return nil
 		},
diff --git a/cli/tokens_test.go b/cli/tokens_test.go
@@ -4,7 +4,6 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
-	"regexp"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -41,11 +40,7 @@ func TestTokens(t *testing.T) {
 	require.NoError(t, err)
 	res = buf.String()
 	require.NotEmpty(t, res)
-	// find API key in format "XXXXXXXXXX-XXXXXXXXXXXXXXXXXXXXXX"
-	r := regexp.MustCompile("[a-zA-Z0-9]{10}-[a-zA-Z0-9]{22}")
-	require.Regexp(t, r, res)
-	key := r.FindString(res)
-	id := key[:10]
+	id := res[:10]
 
 	inv, root = clitest.New(t, "tokens", "ls")
 	clitest.SetupConfig(t, client, root)
diff --git a/coderd/rbac/authz.go b/coderd/rbac/authz.go
@@ -137,6 +137,10 @@ func Filter[O Objecter](ctx context.Context, auth Authorizer, subject Subject, a
 			err := auth.Authorize(ctx, subject, action, o.RBACObject())
 			if err == nil {
 				filtered = append(filtered, o)
+			} else if !IsUnauthorizedError(err) {
+				// If the error is not the expected "Unauthorized" error, then
+				// it is something unexpected.
+				return nil, err
 			}
 		}
 		return filtered, nil
@@ -155,6 +159,10 @@ func Filter[O Objecter](ctx context.Context, auth Authorizer, subject Subject, a
 		err := prepared.Authorize(ctx, rbacObj)
 		if err == nil {
 			filtered = append(filtered, object)
+		} else if !IsUnauthorizedError(err) {
+			// If the error is not the expected "Unauthorized" error, then
+			// it is something unexpected.
+			return nil, err
 		}
 	}
 
@@ -319,7 +327,8 @@ func (a RegoAuthorizer) authorize(ctx context.Context, subject Subject, action A
 
 	results, err := a.query.Eval(ctx, rego.EvalParsedInput(astV))
 	if err != nil {
-		return ForbiddenWithInternal(xerrors.Errorf("eval rego: %w", err), subject, action, object, results)
+		err = correctCancelError(err)
+		return xerrors.Errorf("evaluate rego: %w", err)
 	}
 
 	if !results.Allowed() {
@@ -430,7 +439,8 @@ EachQueryLoop:
 		// We need to eval each query with the newly known fields.
 		results, err := q.Eval(ctx, rego.EvalParsedInput(parsed))
 		if err != nil {
-			continue EachQueryLoop
+			err = correctCancelError(err)
+			return xerrors.Errorf("eval error: %w", err)
 		}
 
 		// If there are no results, then the query is false. This is because rego
diff --git a/coderd/rbac/authz_internal_test.go b/coderd/rbac/authz_internal_test.go
@@ -30,18 +30,68 @@ func (w fakeObject) RBACObject() Object {
 	}
 }
 
+// objectBomb is a wrapper around an Objecter that calls a function when
+// RBACObject is called.
+type objectBomb struct {
+	Objecter
+	bomb func()
+}
+
+func (o *objectBomb) RBACObject() Object {
+	o.bomb()
+	return o.Objecter.RBACObject()
+}
+
 func TestFilterError(t *testing.T) {
 	t.Parallel()
-	auth := NewAuthorizer(prometheus.NewRegistry())
-	subject := Subject{
-		ID:     uuid.NewString(),
-		Roles:  RoleNames{},
-		Groups: []string{},
-		Scope:  ScopeAll,
-	}
+	_ = objectBomb{}
 
-	_, err := Filter(context.Background(), auth, subject, ActionRead, []Object{ResourceUser, ResourceWorkspace})
-	require.ErrorContains(t, err, "object types must be uniform")
+	t.Run("DifferentResourceTypes", func(t *testing.T) {
+		t.Parallel()
+
+		auth := NewAuthorizer(prometheus.NewRegistry())
+		subject := Subject{
+			ID:     uuid.NewString(),
+			Roles:  RoleNames{},
+			Groups: []string{},
+			Scope:  ScopeAll,
+		}
+
+		_, err := Filter(context.Background(), auth, subject, ActionRead, []Object{ResourceUser, ResourceWorkspace})
+		require.ErrorContains(t, err, "object types must be uniform")
+	})
+
+	t.Run("CancelledContext", func(t *testing.T) {
+		t.Parallel()
+		t.Skipf("This test is racy as rego eval checks the ctx canceled in a go routine. " +
+			"It is a coin flip if the query finishes before the 'cancel' is checked. " +
+			"So sometimes the 'Authorize' call succeeds even if ctx is canceled.")
+
+		auth := NewAuthorizer(prometheus.NewRegistry())
+		subject := Subject{
+			ID: uuid.NewString(),
+			Roles: RoleNames{
+				RoleOwner(),
+			},
+			Groups: []string{},
+			Scope:  ScopeAll,
+		}
+
+		ctx, cancel := context.WithCancel(context.Background())
+		defer cancel()
+		objects := []Objecter{
+			ResourceUser,
+			ResourceUser,
+			&objectBomb{
+				Objecter: ResourceUser,
+				bomb:     cancel,
+			},
+			ResourceUser,
+		}
+
+		_, err := Filter(ctx, auth, subject, ActionRead, objects)
+		require.ErrorIs(t, err, context.Canceled)
+	})
 }
 
 // TestFilter ensures the filter acts the same as an individual authorize.
@@ -170,7 +220,7 @@ func TestFilter(t *testing.T) {
 			localObjects := make([]fakeObject, len(objects))
 			copy(localObjects, objects)
 
-			ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort)
+			ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitMedium)
 			defer cancel()
 			auth := NewAuthorizer(prometheus.NewRegistry())
 
diff --git a/coderd/rbac/error.go b/coderd/rbac/error.go
@@ -1,11 +1,14 @@
 package rbac
 
 import (
+	"context"
 	"errors"
 	"flag"
 	"fmt"
 
 	"github.com/open-policy-agent/opa/rego"
+	"github.com/open-policy-agent/opa/topdown"
+	"golang.org/x/xerrors"
 )
 
 const (
@@ -97,3 +100,17 @@ func (*UnauthorizedError) As(target interface{}) bool {
 	}
 	return false
 }
+
+// correctCancelError will return the correct error for a canceled context. This
+// is because rego changes a canceled context to a topdown.CancelErr. This error
+// is not helpful if the code is "canceled". To make the error conform with the
+// rest of our canceled errors, we will convert the error to a context.Canceled
+// error. No good information is lost, as the topdown.CancelErr provides the
+// location of the query that was canceled, which does not matter.
+func correctCancelError(err error) error {
+	e := new(topdown.Error)
+	if xerrors.As(err, &e) || e.Code == topdown.CancelErr {
+		return context.Canceled
+	}
+	return err
+}
diff --git a/docs/admin/appearance.md b/docs/admin/appearance.md
@@ -0,0 +1,39 @@
+# Appearance
+
+## Support Links
+
+Support links let admins adjust the user dropdown menu to include links referring to internal company resources. The menu section replaces the original menu positions: documentation, report a bug to GitHub, or join the Discord server.
+
+![support links](../images/admin/support-links.png)
+
+Custom links can be set in the deployment configuration using the `-c <yamlFile>`
+flag to `coder server`.
+
+```yaml
+supportLinks:
+  - name: "On-call 🔥"
+    target: "http://on-call.example.internal"
+    icon: "bug"
+  - name: "😉 Getting started with Go!"
+    target: "https://go.dev/"
+  - name: "Community"
+    target: "https://github.com/coder/coder"
+    icon: "chat"
+```
+
+## Icons
+
+The link icons are optional, and limited to: `bug`, `chat`, and `docs`.
+
+## Service Banners (enterprise)
+
+Service Banners let admins post important messages to all site users. Only Site Owners may set the service banner.
+
+![service banners](../images/admin/service-banners.png)
+
+You can access the Service Banner settings by navigating to
+`Deployment > Service Banners`.
+
+## Up next
+
+- [Enterprise](../enterprise.md)
diff --git a/docs/admin/service-banners.md b/docs/admin/service-banners.md
diff --git a/docs/enterprise.md b/docs/enterprise.md
@@ -14,7 +14,7 @@ trial](https://coder.com/trial).
 | Cost Control    | [Quotas](./admin/quotas.md)                                                      |     ❌      |     ✅     |
 | Cost Control    | [Max Workspace Autostop](./templates/README.md#configure-max-workspace-autostop) |     ❌      |     ✅     |
 | Deployment      | [High Availability](./admin/high-availability.md)                                |     ❌      |     ✅     |
-| Deployment      | [Service Banners](./admin/service-banners.md)                                    |     ❌      |     ✅     |
+| Deployment      | [Appearance](./admin/appearance.md)                                              |     ❌      |     ✅     |
 | Deployment      | Isolated Terraform Runners                                                       |     ❌      |     ✅     |
 
 > Previous plans to restrict OIDC and Git Auth features in OSS have been removed
diff --git a/docs/images/admin/support-links.png b/docs/images/admin/support-links.png
diff --git a/docs/install/docker.md b/docs/install/docker.md
@@ -88,7 +88,7 @@ an PostgreSQL container and volume.
 
 ### Docker-based workspace is stuck in "Connecting..."
 
-Ensure you have an externally-reachable `CODER_ACCESS_URL` set. See [troubleshooting templates](../templates.md#creating-and-troubleshooting-templates) for more steps.
+Ensure you have an externally-reachable `CODER_ACCESS_URL` set. See [troubleshooting templates](../templates/README.md#troubleshooting-templates) for more steps.
 
 ### Permission denied while trying to connect to the Docker daemon socket
 
diff --git a/docs/manifest.json b/docs/manifest.json
@@ -335,9 +335,9 @@
           "icon_path": "./images/icons/speed.svg"
         },
         {
-          "title": "Service Banners",
-          "description": "Learn how to configure Service Banners",
-          "path": "./admin/service-banners.md",
+          "title": "Appearance",
+          "description": "Learn how to configure the appearance of Coder",
+          "path": "./admin/appearance.md",
           "icon_path": "./images/icons/info.svg",
           "state": "enterprise"
         },
diff --git a/docs/templates/README.md b/docs/templates/README.md
@@ -194,7 +194,7 @@ the Coder server runs an additional [terraform apply](https://www.terraform.io/c
 informing the Coder provider that the workspace has a new transition state.
 
 This template sample has one persistent resource (docker volume) and one
-ephemeral resource (docker image).
+ephemeral resource (docker container).
 
 ```hcl
 data "coder_workspace" "me" {
diff --git a/docs/templates/agent-metadata.md b/docs/templates/agent-metadata.md
@@ -70,7 +70,7 @@ resource "coder_agent" "main" {
 distributions and provides virtual memory, CPU and IO statistics. Running `top`
 produces output that looks like:
 
-```
+```text
 %Cpu(s): 65.8 us,  4.4 sy,  0.0 ni, 29.3 id,  0.3 wa,  0.0 hi,  0.2 si,  0.0 st
 MiB Mem :  16009.0 total,    493.7 free,   4624.8 used,  10890.5 buff/cache
 MiB Swap:      0.0 total,      0.0 free,      0.0 used.  11021.3 avail Mem
@@ -80,7 +80,7 @@ MiB Swap:      0.0 total,      0.0 free,      0.0 used.  11021.3 avail Mem
 distributions and provides virtual memory, CPU and IO statistics. Running `vmstat`
 produces output that looks like:
 
-```
+```text
 procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 0  0  19580 4781680 12133692 217646944    0    2     4    32    1    0  1  1 98  0  0
@@ -91,8 +91,29 @@ than `vmstat` but often not included in base images. It is easily installed by
 most package managers under the name `dstat`. The output of running `dstat 1 1` looks
 like:
 
-```
+```text
 --total-cpu-usage-- -dsk/total- -net/total- ---paging-- ---system--
 usr sys idl wai stl| read  writ| recv  send|  in   out | int   csw
 1   1  98   0   0|3422k   25M|   0     0 | 153k  904k| 123k  174k
 ```
+
+## DB Write Load
+
+Agent metadata can generate a significant write load and overwhelm your
+database if you're not careful. The approximate writes per second can be
+calculated using the formula:
+
+```text
+(metadata_count * num_running_agents * 2) / metadata_avg_interval
+```
+
+For example, let's say you have
+
+- 10 running agents
+- each with 6 metadata snippets
+- with an average interval of 4 seconds
+
+You can expect `(10 * 6 * 2) / 4` or 30 writes per second.
+
+One of the writes is to the `UNLOGGED` `workspace_agent_metadata` table and
+the other to the `NOTIFY` query that enables live stats streaming in the UI.
diff --git a/helm/templates/coder.yaml b/helm/templates/coder.yaml
@@ -27,6 +27,9 @@ spec:
     metadata:
       labels:
         {{- include "coder.labels" . | nindent 8 }}
+        {{- with .Values.coder.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
       annotations:
         {{- toYaml .Values.coder.podAnnotations | nindent 8  }}
     spec:
diff --git a/helm/values.yaml b/helm/values.yaml
diff --git a/scripts/Dockerfile.base b/scripts/Dockerfile.base
diff --git a/testutil/ci.go b/testutil/ci.go
