coder
diff --git a/‎.github/workflows/contrib.yaml
+1-1 b/‎.github/workflows/contrib.yaml
+1-1
diff --git a/‎cli/ssh_test.go
+26-2 b/‎cli/ssh_test.go
+26-2
diff --git a/‎coderd/coderd.go
+73-3 b/‎coderd/coderd.go
+73-3
diff --git a/‎coderd/database/queries.sql.go
+3-1 b/‎coderd/database/queries.sql.go
+3-1
diff --git a/‎coderd/database/queries/insights.sql
+3-1 b/‎coderd/database/queries/insights.sql
+3-1
diff --git a/‎enterprise/coderd/identityprovider/authorize.go renamed to ‎coderd/identityprovider/authorize.go b/‎enterprise/coderd/identityprovider/authorize.go renamed to ‎coderd/identityprovider/authorize.go
diff --git a/‎enterprise/coderd/identityprovider/middleware.go renamed to ‎coderd/identityprovider/middleware.go b/‎enterprise/coderd/identityprovider/middleware.go renamed to ‎coderd/identityprovider/middleware.go
diff --git a/‎enterprise/coderd/identityprovider/revoke.go renamed to ‎coderd/identityprovider/revoke.go b/‎enterprise/coderd/identityprovider/revoke.go renamed to ‎coderd/identityprovider/revoke.go
diff --git a/‎enterprise/coderd/identityprovider/secrets.go renamed to ‎coderd/identityprovider/secrets.go b/‎enterprise/coderd/identityprovider/secrets.go renamed to ‎coderd/identityprovider/secrets.go
diff --git a/‎enterprise/coderd/identityprovider/tokens.go renamed to ‎coderd/identityprovider/tokens.go b/‎enterprise/coderd/identityprovider/tokens.go renamed to ‎coderd/identityprovider/tokens.go
diff --git a/‎enterprise/coderd/oauth2.go renamed to ‎coderd/oauth2.go
+7-18 b/‎enterprise/coderd/oauth2.go renamed to ‎coderd/oauth2.go
+7-18
@@ -34,7 +34,7 @@ jobs:
     steps:
       - name: cla
         if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
-        uses: contributor-assistant/github-action@v2.3.1
+        uses: contributor-assistant/github-action@v2.3.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           # the below token should have repo scope and must be manually added by you in the repository's secret
 
@@ -117,14 +117,26 @@ func TestSSH(t *testing.T) {
 		clitest.SetupConfig(t, client, root)
 		pty := ptytest.New(t).Attach(inv)
 
-		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitSuperLong)
 		defer cancel()
 
 		cmdDone := tGo(t, func() {
 			err := inv.WithContext(ctx).Run()
 			assert.NoError(t, err)
 		})
 
+		// Delay until workspace is starting, otherwise the agent may be
+		// booted due to outdated build.
+		var err error
+		for {
+			workspace, err = client.Workspace(ctx, workspace.ID)
+			require.NoError(t, err)
+			if workspace.LatestBuild.Transition == codersdk.WorkspaceTransitionStart {
+				break
+			}
+			time.Sleep(testutil.IntervalFast)
+		}
+
 		// When the agent connects, the workspace was started, and we should
 		// have access to the shell.
 		_ = agenttest.New(t, client.URL, authToken)
@@ -365,7 +377,7 @@ func TestSSH(t *testing.T) {
 		workspaceBuild := coderdtest.CreateWorkspaceBuild(t, client, workspace, database.WorkspaceTransitionStop)
 		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspaceBuild.ID)
 
-		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitSuperLong)
 		defer cancel()
 
 		clientStdinR, clientStdinW := io.Pipe()
@@ -461,6 +473,18 @@ func TestSSH(t *testing.T) {
 			assert.NoError(t, err)
 		})
 
+		// Delay until workspace is starting, otherwise the agent may be
+		// booted due to outdated build.
+		var err error
+		for {
+			workspace, err = client.Workspace(ctx, workspace.ID)
+			require.NoError(t, err)
+			if workspace.LatestBuild.Transition == codersdk.WorkspaceTransitionStart {
+				break
+			}
+			time.Sleep(testutil.IntervalFast)
+		}
+
 		// When the agent connects, the workspace was started, and we should
 		// have access to the shell.
 		_ = agenttest.New(t, client.URL, authToken)
 
@@ -689,6 +689,34 @@ func New(options *Options) *API {
 		})
 	}
 
+	// OAuth2 linking routes do not make sense under the /api/v2 path.  These are
+	// for an external application to use Coder as an OAuth2 provider, not for
+	// logging into Coder with an external OAuth2 provider.
+	r.Route("/oauth2", func(r chi.Router) {
+		r.Use(
+			api.oAuth2ProviderMiddleware,
+			// Fetch the app as system because in the /tokens route there will be no
+			// authenticated user.
+			httpmw.AsAuthzSystem(httpmw.ExtractOAuth2ProviderApp(options.Database)),
+		)
+		r.Route("/authorize", func(r chi.Router) {
+			r.Use(apiKeyMiddlewareRedirect)
+			r.Get("/", api.getOAuth2ProviderAppAuthorize())
+		})
+		r.Route("/tokens", func(r chi.Router) {
+			r.Group(func(r chi.Router) {
+				r.Use(apiKeyMiddleware)
+				// DELETE on /tokens is not part of the OAuth2 spec.  It is our own
+				// route used to revoke permissions from an application.  It is here for
+				// parity with POST on /tokens.
+				r.Delete("/", api.deleteOAuth2ProviderAppTokens())
+			})
+			// The POST /tokens endpoint will be called from an unauthorized client so
+			// we cannot require an API key.
+			r.Post("/", api.postOAuth2ProviderAppToken())
+		})
+	})
+
 	r.Route("/api/v2", func(r chi.Router) {
 		api.APIHandler = r
 
@@ -1098,6 +1126,34 @@ func New(options *Options) *API {
 			}
 			r.Method("GET", "/expvar", expvar.Handler()) // contains DERP metrics as well as cmdline and memstats
 		})
+		// Manage OAuth2 applications that can use Coder as an OAuth2 provider.
+		r.Route("/oauth2-provider", func(r chi.Router) {
+			r.Use(
+				apiKeyMiddleware,
+				api.oAuth2ProviderMiddleware,
+			)
+			r.Route("/apps", func(r chi.Router) {
+				r.Get("/", api.oAuth2ProviderApps)
+				r.Post("/", api.postOAuth2ProviderApp)
+
+				r.Route("/{app}", func(r chi.Router) {
+					r.Use(httpmw.ExtractOAuth2ProviderApp(options.Database))
+					r.Get("/", api.oAuth2ProviderApp)
+					r.Put("/", api.putOAuth2ProviderApp)
+					r.Delete("/", api.deleteOAuth2ProviderApp)
+
+					r.Route("/secrets", func(r chi.Router) {
+						r.Get("/", api.oAuth2ProviderAppSecrets)
+						r.Post("/", api.postOAuth2ProviderAppSecret)
+
+						r.Route("/{secretID}", func(r chi.Router) {
+							r.Use(httpmw.ExtractOAuth2ProviderAppSecret(options.Database))
+							r.Delete("/", api.deleteOAuth2ProviderAppSecret)
+						})
+					})
+				})
+			})
+		})
 	})
 
 	if options.SwaggerEndpoint {
@@ -1229,9 +1285,23 @@ func (api *API) Close() error {
 		api.derpCloseFunc()
 	}
 
-	api.WebsocketWaitMutex.Lock()
-	api.WebsocketWaitGroup.Wait()
-	api.WebsocketWaitMutex.Unlock()
+	wsDone := make(chan struct{})
+	timer := time.NewTimer(10 * time.Second)
+	defer timer.Stop()
+	go func() {
+		api.WebsocketWaitMutex.Lock()
+		defer api.WebsocketWaitMutex.Unlock()
+		api.WebsocketWaitGroup.Wait()
+		close(wsDone)
+	}()
+	// This will technically leak the above func if the timer fires, but this is
+	// maintly a last ditch effort to un-stuck coderd on shutdown. This
+	// shouldn't affect tests at all.
+	select {
+	case <-wsDone:
+	case <-timer.C:
+		api.Logger.Warn(api.ctx, "websocket shutdown timed out after 10 seconds")
+	}
 
 	api.dbRolluper.Close()
 	api.metricsCache.Close()
 
@@ -599,7 +599,9 @@ WITH
 		JOIN
 			workspace_agent_stats AS was
 		ON
-			date_trunc('minute', was.created_at) = mb.minute_bucket
+			was.created_at >= (SELECT t FROM latest_start)
+			AND was.created_at < NOW()
+			AND date_trunc('minute', was.created_at) = mb.minute_bucket
 			AND was.template_id = mb.template_id
 			AND was.user_id = mb.user_id
 			AND was.connection_median_latency_ms >= 0
 
@@ -13,11 +13,11 @@ import (
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/httpmw"
+	"github.com/coder/coder/v2/coderd/identityprovider"
 	"github.com/coder/coder/v2/codersdk"
-	"github.com/coder/coder/v2/enterprise/coderd/identityprovider"
 )
 
-func (api *API) oAuth2ProviderMiddleware(next http.Handler) http.Handler {
+func (*API) oAuth2ProviderMiddleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		if !buildinfo.IsDev() {
 			httpapi.Write(r.Context(), rw, http.StatusForbidden, codersdk.Response{
@@ -26,17 +26,6 @@ func (api *API) oAuth2ProviderMiddleware(next http.Handler) http.Handler {
 			return
 		}
 
-		api.entitlementsMu.RLock()
-		entitled := api.entitlements.Features[codersdk.FeatureOAuth2Provider].Entitlement != codersdk.EntitlementNotEntitled
-		api.entitlementsMu.RUnlock()
-
-		if !entitled {
-			httpapi.Write(r.Context(), rw, http.StatusForbidden, codersdk.Response{
-				Message: "OAuth2 provider is an Enterprise feature. Contact sales!",
-			})
-			return
-		}
-
 		next.ServeHTTP(rw, r)
 	})
 }
@@ -111,7 +100,7 @@ func (api *API) oAuth2ProviderApp(rw http.ResponseWriter, r *http.Request) {
 func (api *API) postOAuth2ProviderApp(rw http.ResponseWriter, r *http.Request) {
 	var (
 		ctx               = r.Context()
-		auditor           = api.AGPL.Auditor.Load()
+		auditor           = api.Auditor.Load()
 		aReq, commitAudit = audit.InitRequest[database.OAuth2ProviderApp](rw, &audit.RequestParams{
 			Audit:   *auditor,
 			Log:     api.Logger,
@@ -157,7 +146,7 @@ func (api *API) putOAuth2ProviderApp(rw http.ResponseWriter, r *http.Request) {
 	var (
 		ctx               = r.Context()
 		app               = httpmw.OAuth2ProviderApp(r)
-		auditor           = api.AGPL.Auditor.Load()
+		auditor           = api.Auditor.Load()
 		aReq, commitAudit = audit.InitRequest[database.OAuth2ProviderApp](rw, &audit.RequestParams{
 			Audit:   *auditor,
 			Log:     api.Logger,
@@ -200,7 +189,7 @@ func (api *API) deleteOAuth2ProviderApp(rw http.ResponseWriter, r *http.Request)
 	var (
 		ctx               = r.Context()
 		app               = httpmw.OAuth2ProviderApp(r)
-		auditor           = api.AGPL.Auditor.Load()
+		auditor           = api.Auditor.Load()
 		aReq, commitAudit = audit.InitRequest[database.OAuth2ProviderApp](rw, &audit.RequestParams{
 			Audit:   *auditor,
 			Log:     api.Logger,
@@ -263,7 +252,7 @@ func (api *API) postOAuth2ProviderAppSecret(rw http.ResponseWriter, r *http.Requ
 	var (
 		ctx               = r.Context()
 		app               = httpmw.OAuth2ProviderApp(r)
-		auditor           = api.AGPL.Auditor.Load()
+		auditor           = api.Auditor.Load()
 		aReq, commitAudit = audit.InitRequest[database.OAuth2ProviderAppSecret](rw, &audit.RequestParams{
 			Audit:   *auditor,
 			Log:     api.Logger,
@@ -317,7 +306,7 @@ func (api *API) deleteOAuth2ProviderAppSecret(rw http.ResponseWriter, r *http.Re
 	var (
 		ctx               = r.Context()
 		secret            = httpmw.OAuth2ProviderAppSecret(r)
-		auditor           = api.AGPL.Auditor.Load()
+		auditor           = api.Auditor.Load()
 		aReq, commitAudit = audit.InitRequest[database.OAuth2ProviderAppSecret](rw, &audit.RequestParams{
 			Audit:   *auditor,
 			Log:     api.Logger,