coder
diff --git a/‎.github/workflows/contrib.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/contrib.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎cli/ssh_test.go
Lines changed: 26 additions & 2 deletions b/‎cli/ssh_test.go
Lines changed: 26 additions & 2 deletions
diff --git a/‎coderd/coderd.go
Lines changed: 73 additions & 3 deletions b/‎coderd/coderd.go
Lines changed: 73 additions & 3 deletions
diff --git a/‎coderd/database/queries.sql.go
Lines changed: 3 additions & 1 deletion b/‎coderd/database/queries.sql.go
Lines changed: 3 additions & 1 deletion
diff --git a/‎coderd/database/queries/insights.sql
Lines changed: 3 additions & 1 deletion b/‎coderd/database/queries/insights.sql
Lines changed: 3 additions & 1 deletion
diff --git a/‎enterprise/coderd/identityprovider/authorize.go renamed to ‎coderd/identityprovider/authorize.go b/‎enterprise/coderd/identityprovider/authorize.go renamed to ‎coderd/identityprovider/authorize.go
diff --git a/‎enterprise/coderd/identityprovider/middleware.go renamed to ‎coderd/identityprovider/middleware.go b/‎enterprise/coderd/identityprovider/middleware.go renamed to ‎coderd/identityprovider/middleware.go
diff --git a/‎enterprise/coderd/identityprovider/revoke.go renamed to ‎coderd/identityprovider/revoke.go b/‎enterprise/coderd/identityprovider/revoke.go renamed to ‎coderd/identityprovider/revoke.go
diff --git a/‎enterprise/coderd/identityprovider/secrets.go renamed to ‎coderd/identityprovider/secrets.go b/‎enterprise/coderd/identityprovider/secrets.go renamed to ‎coderd/identityprovider/secrets.go
diff --git a/‎enterprise/coderd/identityprovider/tokens.go renamed to ‎coderd/identityprovider/tokens.go b/‎enterprise/coderd/identityprovider/tokens.go renamed to ‎coderd/identityprovider/tokens.go
@@ -34,7 +34,7 @@ jobs:
     steps:
       - name: cla
         if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
-        uses: contributor-assistant/github-action@v2.3.1
+        uses: contributor-assistant/github-action@v2.3.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           # the below token should have repo scope and must be manually added by you in the repository's secret
 
@@ -117,14 +117,26 @@ func TestSSH(t *testing.T) {
 		clitest.SetupConfig(t, client, root)
 		pty := ptytest.New(t).Attach(inv)
 
-		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitSuperLong)
 		defer cancel()
 
 		cmdDone := tGo(t, func() {
 			err := inv.WithContext(ctx).Run()
 			assert.NoError(t, err)
 		})
 
+		// Delay until workspace is starting, otherwise the agent may be
+		// booted due to outdated build.
+		var err error
+		for {
+			workspace, err = client.Workspace(ctx, workspace.ID)
+			require.NoError(t, err)
+			if workspace.LatestBuild.Transition == codersdk.WorkspaceTransitionStart {
+				break
+			}
+			time.Sleep(testutil.IntervalFast)
+		}
+
 		// When the agent connects, the workspace was started, and we should
 		// have access to the shell.
 		_ = agenttest.New(t, client.URL, authToken)
@@ -365,7 +377,7 @@ func TestSSH(t *testing.T) {
 		workspaceBuild := coderdtest.CreateWorkspaceBuild(t, client, workspace, database.WorkspaceTransitionStop)
 		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspaceBuild.ID)
 
-		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitSuperLong)
 		defer cancel()
 
 		clientStdinR, clientStdinW := io.Pipe()
@@ -461,6 +473,18 @@ func TestSSH(t *testing.T) {
 			assert.NoError(t, err)
 		})
 
+		// Delay until workspace is starting, otherwise the agent may be
+		// booted due to outdated build.
+		var err error
+		for {
+			workspace, err = client.Workspace(ctx, workspace.ID)
+			require.NoError(t, err)
+			if workspace.LatestBuild.Transition == codersdk.WorkspaceTransitionStart {
+				break
+			}
+			time.Sleep(testutil.IntervalFast)
+		}
+
 		// When the agent connects, the workspace was started, and we should
 		// have access to the shell.
 		_ = agenttest.New(t, client.URL, authToken)
 
@@ -689,6 +689,34 @@ func New(options *Options) *API {
 		})
 	}
 
+	// OAuth2 linking routes do not make sense under the /api/v2 path.  These are
+	// for an external application to use Coder as an OAuth2 provider, not for
+	// logging into Coder with an external OAuth2 provider.
+	r.Route("/oauth2", func(r chi.Router) {
+		r.Use(
+			api.oAuth2ProviderMiddleware,
+			// Fetch the app as system because in the /tokens route there will be no
+			// authenticated user.
+			httpmw.AsAuthzSystem(httpmw.ExtractOAuth2ProviderApp(options.Database)),
+		)
+		r.Route("/authorize", func(r chi.Router) {
+			r.Use(apiKeyMiddlewareRedirect)
+			r.Get("/", api.getOAuth2ProviderAppAuthorize())
+		})
+		r.Route("/tokens", func(r chi.Router) {
+			r.Group(func(r chi.Router) {
+				r.Use(apiKeyMiddleware)
+				// DELETE on /tokens is not part of the OAuth2 spec.  It is our own
+				// route used to revoke permissions from an application.  It is here for
+				// parity with POST on /tokens.
+				r.Delete("/", api.deleteOAuth2ProviderAppTokens())
+			})
+			// The POST /tokens endpoint will be called from an unauthorized client so
+			// we cannot require an API key.
+			r.Post("/", api.postOAuth2ProviderAppToken())
+		})
+	})
+
 	r.Route("/api/v2", func(r chi.Router) {
 		api.APIHandler = r
 
@@ -1098,6 +1126,34 @@ func New(options *Options) *API {
 			}
 			r.Method("GET", "/expvar", expvar.Handler()) // contains DERP metrics as well as cmdline and memstats
 		})
+		// Manage OAuth2 applications that can use Coder as an OAuth2 provider.
+		r.Route("/oauth2-provider", func(r chi.Router) {
+			r.Use(
+				apiKeyMiddleware,
+				api.oAuth2ProviderMiddleware,
+			)
+			r.Route("/apps", func(r chi.Router) {
+				r.Get("/", api.oAuth2ProviderApps)
+				r.Post("/", api.postOAuth2ProviderApp)
+
+				r.Route("/{app}", func(r chi.Router) {
+					r.Use(httpmw.ExtractOAuth2ProviderApp(options.Database))
+					r.Get("/", api.oAuth2ProviderApp)
+					r.Put("/", api.putOAuth2ProviderApp)
+					r.Delete("/", api.deleteOAuth2ProviderApp)
+
+					r.Route("/secrets", func(r chi.Router) {
+						r.Get("/", api.oAuth2ProviderAppSecrets)
+						r.Post("/", api.postOAuth2ProviderAppSecret)
+
+						r.Route("/{secretID}", func(r chi.Router) {
+							r.Use(httpmw.ExtractOAuth2ProviderAppSecret(options.Database))
+							r.Delete("/", api.deleteOAuth2ProviderAppSecret)
+						})
+					})
+				})
+			})
+		})
 	})
 
 	if options.SwaggerEndpoint {
@@ -1229,9 +1285,23 @@ func (api *API) Close() error {
 		api.derpCloseFunc()
 	}
 
-	api.WebsocketWaitMutex.Lock()
-	api.WebsocketWaitGroup.Wait()
-	api.WebsocketWaitMutex.Unlock()
+	wsDone := make(chan struct{})
+	timer := time.NewTimer(10 * time.Second)
+	defer timer.Stop()
+	go func() {
+		api.WebsocketWaitMutex.Lock()
+		defer api.WebsocketWaitMutex.Unlock()
+		api.WebsocketWaitGroup.Wait()
+		close(wsDone)
+	}()
+	// This will technically leak the above func if the timer fires, but this is
+	// maintly a last ditch effort to un-stuck coderd on shutdown. This
+	// shouldn't affect tests at all.
+	select {
+	case <-wsDone:
+	case <-timer.C:
+		api.Logger.Warn(api.ctx, "websocket shutdown timed out after 10 seconds")
+	}
 
 	api.dbRolluper.Close()
 	api.metricsCache.Close()
 
@@ -599,7 +599,9 @@ WITH
 		JOIN
 			workspace_agent_stats AS was
 		ON
-			date_trunc('minute', was.created_at) = mb.minute_bucket
+			was.created_at >= (SELECT t FROM latest_start)
+			AND was.created_at < NOW()
+			AND date_trunc('minute', was.created_at) = mb.minute_bucket
 			AND was.template_id = mb.template_id
 			AND was.user_id = mb.user_id
 			AND was.connection_median_latency_ms >= 0