coder
diff --git a/‎.github/workflows/security.yaml
+3 b/‎.github/workflows/security.yaml
+3
diff --git a/‎cli/agent.go
+2-2 b/‎cli/agent.go
+2-2
diff --git a/‎cli/cliui/output.go
+21 b/‎cli/cliui/output.go
+21
diff --git a/‎cli/cliui/output_test.go
+3 b/‎cli/cliui/output_test.go
+3
diff --git a/‎cli/root.go
+1-31 b/‎cli/root.go
+1-31
diff --git a/‎cli/server.go
+22-15 b/‎cli/server.go
+22-15
diff --git a/‎cli/server_test.go
+13-7 b/‎cli/server_test.go
+13-7
diff --git a/‎cli/testdata/coder_server_--help.golden
+5-4 b/‎cli/testdata/coder_server_--help.golden
+5-4
diff --git a/‎cli/testdata/coder_version_--help.golden
+5-1 b/‎cli/testdata/coder_version_--help.golden
+5-1
diff --git a/‎cli/version.go
+84 b/‎cli/version.go
+84
@@ -97,6 +97,9 @@ jobs:
           restore-keys: |
             js-${{ runner.os }}-
 
+      - name: Install sqlc
+        run: |
+          curl -sSL https://github.com/kyleconroy/sqlc/releases/download/v1.17.2/sqlc_1.17.2_linux_amd64.tar.gz | sudo tar -C /usr/bin -xz sqlc
       - name: Install yq
         run: go run github.com/mikefarah/yq/v4@v4.30.6
       - name: Install protoc-gen-go
 
@@ -336,8 +336,8 @@ func urlPort(u string) (int, error) {
 		return -1, xerrors.Errorf("invalid url %q: %w", u, err)
 	}
 	if parsed.Port() != "" {
-		port, err := strconv.ParseInt(parsed.Port(), 10, 64)
-		if err == nil && port > 0 {
+		port, err := strconv.ParseUint(parsed.Port(), 10, 16)
+		if err == nil && port > 0 && port < 1<<16 {
 			return int(port), nil
 		}
 	}
 
@@ -3,6 +3,7 @@ package cliui
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"reflect"
 	"strings"
 
@@ -171,3 +172,23 @@ func (jsonFormat) Format(_ context.Context, data any) (string, error) {
 
 	return string(outBytes), nil
 }
+
+type textFormat struct{}
+
+var _ OutputFormat = textFormat{}
+
+// TextFormat is a formatter that just outputs unstructured text.
+// It uses fmt.Sprintf under the hood.
+func TextFormat() OutputFormat {
+	return textFormat{}
+}
+
+func (textFormat) ID() string {
+	return "text"
+}
+
+func (textFormat) AttachOptions(_ *clibase.OptionSet) {}
+
+func (textFormat) Format(_ context.Context, data any) (string, error) {
+	return fmt.Sprintf("%s", data), nil
+}
@@ -50,6 +50,9 @@ func Test_OutputFormatter(t *testing.T) {
 		require.Panics(t, func() {
 			cliui.NewOutputFormatter(cliui.JSONFormat())
 		})
+		require.NotPanics(t, func() {
+			cliui.NewOutputFormatter(cliui.JSONFormat(), cliui.TextFormat())
+		})
 	})
 
 	t.Run("NoMissingFormatID", func(t *testing.T) {
 
@@ -82,7 +82,7 @@ func (r *RootCmd) Core() []*clibase.Cmd {
 		r.templates(),
 		r.users(),
 		r.tokens(),
-		r.version(),
+		r.version(defaultVersionInfo),
 
 		// Workspace Commands
 		r.configSSH(),
@@ -370,36 +370,6 @@ func LoggerFromContext(ctx context.Context) (slog.Logger, bool) {
 	return l, ok
 }
 
-// version prints the coder version
-func (*RootCmd) version() *clibase.Cmd {
-	return &clibase.Cmd{
-		Use:   "version",
-		Short: "Show coder version",
-		Handler: func(inv *clibase.Invocation) error {
-			var str strings.Builder
-			_, _ = str.WriteString("Coder ")
-			if buildinfo.IsAGPL() {
-				_, _ = str.WriteString("(AGPL) ")
-			}
-			_, _ = str.WriteString(buildinfo.Version())
-			buildTime, valid := buildinfo.Time()
-			if valid {
-				_, _ = str.WriteString(" " + buildTime.Format(time.UnixDate))
-			}
-			_, _ = str.WriteString("\r\n" + buildinfo.ExternalURL() + "\r\n\r\n")
-
-			if buildinfo.IsSlim() {
-				_, _ = str.WriteString(fmt.Sprintf("Slim build of Coder, does not support the %s subcommand.\n", cliui.Styles.Code.Render("server")))
-			} else {
-				_, _ = str.WriteString(fmt.Sprintf("Full build of Coder, supports the %s subcommand.\n", cliui.Styles.Code.Render("server")))
-			}
-
-			_, _ = fmt.Fprint(inv.Stdout, str.String())
-			return nil
-		},
-	}
-}
-
 func isTest() bool {
 	return flag.Lookup("test.v") != nil
 }
 
@@ -78,6 +78,7 @@ import (
 	"github.com/coder/coder/coderd/tracing"
 	"github.com/coder/coder/coderd/updatecheck"
 	"github.com/coder/coder/coderd/util/slice"
+	"github.com/coder/coder/coderd/workspaceapps"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/cryptorand"
 	"github.com/coder/coder/provisioner/echo"
@@ -731,6 +732,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 					UsernameField:       cfg.OIDC.UsernameField.String(),
 					EmailField:          cfg.OIDC.EmailField.String(),
 					AuthURLParams:       cfg.OIDC.AuthURLParams.Value,
+					IgnoreUserInfo:      cfg.OIDC.IgnoreUserInfo.Value(),
 					GroupField:          cfg.OIDC.GroupField.String(),
 					GroupMapping:        cfg.OIDC.GroupMapping.Value,
 					SignInText:          cfg.OIDC.SignInText.String(),
@@ -780,37 +782,42 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 					}
 				}
 
-				// Read the app signing key from the DB. We store it hex
-				// encoded since the config table uses strings for the value and
-				// we don't want to deal with automatic encoding issues.
-				appSigningKeyStr, err := tx.GetAppSigningKey(ctx)
+				// Read the app signing key from the DB. We store it hex encoded
+				// since the config table uses strings for the value and we
+				// don't want to deal with automatic encoding issues.
+				appSecurityKeyStr, err := tx.GetAppSecurityKey(ctx)
 				if err != nil && !xerrors.Is(err, sql.ErrNoRows) {
 					return xerrors.Errorf("get app signing key: %w", err)
 				}
-				if appSigningKeyStr == "" {
-					// Generate 64 byte secure random string.
-					b := make([]byte, 64)
+				// If the string in the DB is an invalid hex string or the
+				// length is not equal to the current key length, generate a new
+				// one.
+				//
+				// If the key is regenerated, old signed tokens and encrypted
+				// strings will become invalid. New signed app tokens will be
+				// generated automatically on failure. Any workspace app token
+				// smuggling operations in progress may fail, although with a
+				// helpful error.
+				if decoded, err := hex.DecodeString(appSecurityKeyStr); err != nil || len(decoded) != len(workspaceapps.SecurityKey{}) {
+					b := make([]byte, len(workspaceapps.SecurityKey{}))
 					_, err := rand.Read(b)
 					if err != nil {
 						return xerrors.Errorf("generate fresh app signing key: %w", err)
 					}
 
-					appSigningKeyStr = hex.EncodeToString(b)
-					err = tx.InsertAppSigningKey(ctx, appSigningKeyStr)
+					appSecurityKeyStr = hex.EncodeToString(b)
+					err = tx.UpsertAppSecurityKey(ctx, appSecurityKeyStr)
 					if err != nil {
 						return xerrors.Errorf("insert freshly generated app signing key to database: %w", err)
 					}
 				}
 
-				appSigningKey, err := hex.DecodeString(appSigningKeyStr)
+				appSecurityKey, err := workspaceapps.KeyFromString(appSecurityKeyStr)
 				if err != nil {
-					return xerrors.Errorf("decode app signing key from database as hex: %w", err)
-				}
-				if len(appSigningKey) != 64 {
-					return xerrors.Errorf("app signing key must be 64 bytes, key in database is %d bytes", len(appSigningKey))
+					return xerrors.Errorf("decode app signing key from database: %w", err)
 				}
 
-				options.AppSigningKey = appSigningKey
+				options.AppSecurityKey = appSecurityKey
 				return nil
 			}, nil)
 			if err != nil {
 
@@ -668,8 +668,7 @@ func TestServer(t *testing.T) {
 				if c.tlsListener {
 					accessURLParsed, err := url.Parse(c.requestURL)
 					require.NoError(t, err)
-					client := codersdk.New(accessURLParsed)
-					client.HTTPClient = &http.Client{
+					client := &http.Client{
 						CheckRedirect: func(req *http.Request, via []*http.Request) error {
 							return http.ErrUseLastResponse
 						},
@@ -682,11 +681,15 @@ func TestServer(t *testing.T) {
 							},
 						},
 					}
-					defer client.HTTPClient.CloseIdleConnections()
-					_, err = client.HasFirstUser(ctx)
-					if err != nil {
-						require.ErrorContains(t, err, "Invalid application URL")
-					}
+					defer client.CloseIdleConnections()
+
+					req, err := http.NewRequestWithContext(ctx, http.MethodGet, accessURLParsed.String(), nil)
+					require.NoError(t, err)
+					resp, err := client.Do(req)
+					// We don't care much about the response, just that TLS
+					// worked.
+					require.NoError(t, err)
+					defer resp.Body.Close()
 				}
 			})
 		}
@@ -1086,6 +1089,7 @@ func TestServer(t *testing.T) {
 			require.Equal(t, "preferred_username", deploymentConfig.Values.OIDC.UsernameField.Value())
 			require.Equal(t, "email", deploymentConfig.Values.OIDC.EmailField.Value())
 			require.Equal(t, map[string]string{"access_type": "offline"}, deploymentConfig.Values.OIDC.AuthURLParams.Value)
+			require.False(t, deploymentConfig.Values.OIDC.IgnoreUserInfo.Value())
 			require.Empty(t, deploymentConfig.Values.OIDC.GroupField.Value())
 			require.Empty(t, deploymentConfig.Values.OIDC.GroupMapping.Value)
 			require.Equal(t, "OpenID Connect", deploymentConfig.Values.OIDC.SignInText.Value())
@@ -1125,6 +1129,7 @@ func TestServer(t *testing.T) {
 				"--oidc-username-field", "not_preferred_username",
 				"--oidc-email-field", "not_email",
 				"--oidc-auth-url-params", `{"prompt":"consent"}`,
+				"--oidc-ignore-userinfo",
 				"--oidc-group-field", "serious_business_unit",
 				"--oidc-group-mapping", `{"serious_business_unit": "serious_business_unit"}`,
 				"--oidc-sign-in-text", "Sign In With Coder",
@@ -1169,6 +1174,7 @@ func TestServer(t *testing.T) {
 			require.True(t, deploymentConfig.Values.OIDC.IgnoreEmailVerified.Value())
 			require.Equal(t, "not_preferred_username", deploymentConfig.Values.OIDC.UsernameField.Value())
 			require.Equal(t, "not_email", deploymentConfig.Values.OIDC.EmailField.Value())
+			require.True(t, deploymentConfig.Values.OIDC.IgnoreUserInfo.Value())
 			require.Equal(t, map[string]string{"prompt": "consent"}, deploymentConfig.Values.OIDC.AuthURLParams.Value)
 			require.Equal(t, "serious_business_unit", deploymentConfig.Values.OIDC.GroupField.Value())
 			require.Equal(t, map[string]string{"serious_business_unit": "serious_business_unit"}, deploymentConfig.Values.OIDC.GroupMapping.Value)
 
@@ -280,13 +280,17 @@ can safely ignore these settings.
           Change the OIDC default 'groups' claim field. By default, will be
           'groups' if present in the oidc scopes argument.
 
-      --oidc-group-mapping struct[map[string]string], $OIDC_GROUP_MAPPING (default: {})
+      --oidc-group-mapping struct[map[string]string], $CODER_OIDC_GROUP_MAPPING (default: {})
           A map of OIDC group IDs and the group in Coder it should map to. This
           is useful for when OIDC providers only return group IDs.
 
       --oidc-ignore-email-verified bool, $CODER_OIDC_IGNORE_EMAIL_VERIFIED
           Ignore the email_verified claim from the upstream provider.
 
+      --oidc-ignore-userinfo bool, $CODER_OIDC_IGNORE_USERINFO (default: false)
+          Ignore the userinfo endpoint and only use the ID token for user
+          information.
+
       --oidc-issuer-url string, $CODER_OIDC_ISSUER_URL
           Issuer URL to use for Login with OIDC.
 
@@ -353,9 +357,6 @@ telemetrywhen required by your organization's security policy.
 [1mEnterprise Options[0m 
 These options are only available in the Enterprise Edition.
 
-      --audit-logging bool, $CODER_AUDIT_LOGGING (default: true)
-          Specifies whether audit logging is enabled.
-
       --browser-only bool, $CODER_BROWSER_ONLY
           Whether Coder only allows connections to workspaces via the browser.
 
 
@@ -1,6 +1,10 @@
-Usage: coder version
+Usage: coder version [flags]
 
 Show coder version
 
+[1mOptions[0m
+  -o, --output string (default: text)
+          Output format. Available formats: text, json.
+
 ---
 Run `coder --help` for a list of global options.
@@ -0,0 +1,84 @@
+package cli
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/coder/coder/buildinfo"
+	"github.com/coder/coder/cli/clibase"
+	"github.com/coder/coder/cli/cliui"
+)
+
+// versionInfo wraps the stuff we get from buildinfo so that it's
+// easier to emit in different formats.
+type versionInfo struct {
+	Version     string    `json:"version"`
+	BuildTime   time.Time `json:"build_time"`
+	ExternalURL string    `json:"external_url"`
+	Slim        bool      `json:"slim"`
+	AGPL        bool      `json:"agpl"`
+}
+
+// String() implements Stringer
+func (vi versionInfo) String() string {
+	var str strings.Builder
+	_, _ = str.WriteString("Coder ")
+	if vi.AGPL {
+		_, _ = str.WriteString("(AGPL) ")
+	}
+	_, _ = str.WriteString(vi.Version)
+
+	if !vi.BuildTime.IsZero() {
+		_, _ = str.WriteString(" " + vi.BuildTime.Format(time.UnixDate))
+	}
+	_, _ = str.WriteString("\r\n" + vi.ExternalURL + "\r\n\r\n")
+
+	if vi.Slim {
+		_, _ = str.WriteString(fmt.Sprintf("Slim build of Coder, does not support the %s subcommand.", cliui.Styles.Code.Render("server")))
+	} else {
+		_, _ = str.WriteString(fmt.Sprintf("Full build of Coder, supports the %s subcommand.", cliui.Styles.Code.Render("server")))
+	}
+	return str.String()
+}
+
+func defaultVersionInfo() *versionInfo {
+	buildTime, _ := buildinfo.Time()
+	return &versionInfo{
+		Version:     buildinfo.Version(),
+		BuildTime:   buildTime,
+		ExternalURL: buildinfo.ExternalURL(),
+		Slim:        buildinfo.IsSlim(),
+		AGPL:        buildinfo.IsAGPL(),
+	}
+}
+
+// version prints the coder version
+func (*RootCmd) version(versionInfo func() *versionInfo) *clibase.Cmd {
+	var (
+		formatter = cliui.NewOutputFormatter(
+			cliui.TextFormat(),
+			cliui.JSONFormat(),
+		)
+		vi = versionInfo()
+	)
+
+	cmd := &clibase.Cmd{
+		Use:     "version",
+		Short:   "Show coder version",
+		Options: clibase.OptionSet{},
+		Handler: func(inv *clibase.Invocation) error {
+			out, err := formatter.Format(inv.Context(), vi)
+			if err != nil {
+				return err
+			}
+
+			_, err = fmt.Fprintln(inv.Stdout, out)
+			return err
+		},
+	}
+
+	formatter.AttachOptions(&cmd.Options)
+
+	return cmd
+}
Original file line number	Diff line number	Diff line change
`@@ -336,8 +336,8 @@ func urlPort(u string) (int, error) {`
`336`	`336`	`return -1, xerrors.Errorf("invalid url %q: %w", u, err)`
`337`	`337`	`}`
`338`	`338`	`if parsed.Port() != "" {`
`339`		`- port, err := strconv.ParseInt(parsed.Port(), 10, 64)`
`340`		`- if err == nil && port > 0 {`
	`339`	`+ port, err := strconv.ParseUint(parsed.Port(), 10, 16)`
	`340`	`+ if err == nil && port > 0 && port < 1<<16 {`
`341`	`341`	`return int(port), nil`
`342`	`342`	`}`
`343`	`343`	`}`