coder
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 11 additions & 0 deletions b/‎.github/workflows/ci.yaml
Lines changed: 11 additions & 0 deletions
diff --git a/‎.github/workflows/cron-weekly.yaml
Lines changed: 4 additions & 2 deletions b/‎.github/workflows/cron-weekly.yaml
Lines changed: 4 additions & 2 deletions
diff --git a/‎.github/workflows/mlc_config.json
Lines changed: 2 additions & 1 deletion b/‎.github/workflows/mlc_config.json
Lines changed: 2 additions & 1 deletion
diff --git a/‎Makefile
Lines changed: 7 additions & 2 deletions b/‎Makefile
Lines changed: 7 additions & 2 deletions
diff --git a/‎README.md
Lines changed: 1 addition & 1 deletion b/‎README.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎agent/agent.go
Lines changed: 11 additions & 2 deletions b/‎agent/agent.go
Lines changed: 11 additions & 2 deletions
diff --git a/‎agent/agent_test.go
Lines changed: 23 additions & 2 deletions b/‎agent/agent_test.go
Lines changed: 23 additions & 2 deletions
diff --git a/‎agent/agentssh/agentssh.go
Lines changed: 30 additions & 10 deletions b/‎agent/agentssh/agentssh.go
Lines changed: 30 additions & 10 deletions
diff --git a/‎agent/agentssh/agentssh_internal_test.go
Lines changed: 2 additions & 1 deletion b/‎agent/agentssh/agentssh_internal_test.go
Lines changed: 2 additions & 1 deletion
diff --git a/‎agent/agentssh/agentssh_test.go
Lines changed: 4 additions & 2 deletions b/‎agent/agentssh/agentssh_test.go
Lines changed: 4 additions & 2 deletions
@@ -152,6 +152,7 @@ jobs:
 
       - uses: actions/setup-go@v4
         with:
+          cache: false
           go-version: "~1.20"
 
       - name: Echo Go Cache Paths
@@ -252,6 +253,7 @@ jobs:
 
       - uses: actions/setup-go@v4
         with:
+          cache: false
           go-version: "~1.20"
 
       - name: Echo Go Cache Paths
@@ -339,6 +341,7 @@ jobs:
 
       - uses: actions/setup-go@v4
         with:
+          cache: false
           go-version: "~1.20"
 
       - name: Echo Go Cache Paths
@@ -429,6 +432,7 @@ jobs:
 
       - uses: actions/setup-go@v4
         with:
+          cache: false
           go-version: "~1.20"
 
       - name: Echo Go Cache Paths
@@ -558,6 +562,7 @@ jobs:
 
       - uses: actions/setup-go@v4
         with:
+          cache: false
           go-version: "~1.20"
 
       - uses: hashicorp/setup-terraform@v2
@@ -634,6 +639,9 @@ jobs:
       - name: Publish to Chromatic (non-mainline)
         if: github.ref != 'refs/heads/main' && github.repository_owner == 'coder'
         uses: chromaui/action@v1
+        env:
+          NODE_OPTIONS: "--max_old_space_size=4096"
+          STORYBOOK: true
         with:
           buildScriptName: "storybook:build"
           exitOnceUploaded: true
@@ -651,6 +659,9 @@ jobs:
       - name: Publish to Chromatic (mainline)
         if: github.ref == 'refs/heads/main' && github.repository_owner == 'coder'
         uses: chromaui/action@v1
+        env:
+          NODE_OPTIONS: "--max_old_space_size=4096"
+          STORYBOOK: true
         with:
           autoAcceptChanges: true
           buildScriptName: "storybook:build"
 
@@ -1,4 +1,4 @@
-name: Markdown Links Check
+name: Weekly Cron
 # runs every monday at 9 am
 on:
   schedule:
@@ -19,10 +19,12 @@ jobs:
         with:
           use-quiet-mode: "yes"
           use-verbose-mode: "yes"
-          config-file: ".github/workflows/markdown.links.config.json"
+          config-file: ".github/workflows/mlc_config.json"
           folder-path: "docs/"
+          file-path: "./README.md"
 
       - name: Send Slack notification
+        if: failure()
         run: |
           curl -X POST -H 'Content-type: application/json' -d '{"msg":"Broken links found in the documentation. Please check the logs at ${{ env.LOGS_URL }}"}' ${{ secrets.DOCS_LINK_SLACK_WEBHOOK }}
           echo "Sent Slack notification"
 
@@ -18,5 +18,6 @@
     {
       "pattern": "tailscale.com"
     }
-  ]
+  ],
+  "aliveStatusCodes": [200, 0]
 }
@@ -423,6 +423,7 @@ gen: \
 	provisionersdk/proto/provisioner.pb.go \
 	provisionerd/proto/provisionerd.pb.go \
 	site/src/api/typesGenerated.ts \
+	coderd/rbac/object_gen.go \
 	docs/admin/prometheus.md \
 	docs/cli.md \
 	docs/admin/audit-logs.md \
@@ -443,6 +444,7 @@ gen/mark-fresh:
 		provisionersdk/proto/provisioner.pb.go \
 		provisionerd/proto/provisionerd.pb.go \
 		site/src/api/typesGenerated.ts \
+		coderd/rbac/object_gen.go \
 		docs/admin/prometheus.md \
 		docs/cli.md \
 		docs/admin/audit-logs.md \
@@ -495,6 +497,9 @@ site/src/api/typesGenerated.ts: scripts/apitypings/main.go $(shell find ./coders
 	cd site
 	yarn run format:types
 
+coderd/rbac/object_gen.go: scripts/rbacgen/main.go coderd/rbac/object.go
+	go run scripts/rbacgen/main.go ./coderd/rbac > coderd/rbac/object_gen.go
+
 docs/admin/prometheus.md: scripts/metricsdocgen/main.go scripts/metricsdocgen/metrics
 	go run scripts/metricsdocgen/main.go
 	cd site
@@ -505,12 +510,12 @@ docs/cli.md: scripts/clidocgen/main.go $(GO_SRC_FILES) docs/manifest.json
 	cd site
 	yarn run format:write:only ../docs/cli.md ../docs/cli/*.md ../docs/manifest.json
 
-docs/admin/audit-logs.md: scripts/auditdocgen/main.go enterprise/audit/table.go
+docs/admin/audit-logs.md: scripts/auditdocgen/main.go enterprise/audit/table.go coderd/rbac/object_gen.go
 	go run scripts/auditdocgen/main.go
 	cd site
 	yarn run format:write:only ../docs/admin/audit-logs.md
 
-coderd/apidoc/swagger.json: $(shell find ./scripts/apidocgen $(FIND_EXCLUSIONS) -type f) $(wildcard coderd/*.go) $(wildcard enterprise/coderd/*.go) $(wildcard codersdk/*.go) .swaggo docs/manifest.json
+coderd/apidoc/swagger.json: $(shell find ./scripts/apidocgen $(FIND_EXCLUSIONS) -type f) $(wildcard coderd/*.go) $(wildcard enterprise/coderd/*.go) $(wildcard codersdk/*.go) $(wildcard enterprise/wsproxy/wsproxysdk/*.go) coderd/database/querier.go .swaggo docs/manifest.json coderd/rbac/object_gen.go
 	./scripts/apidocgen/generate.sh
 	yarn run --cwd=site format:write:only ../docs/api ../docs/manifest.json ../coderd/apidoc/swagger.json
 
 
@@ -84,7 +84,7 @@ coder server --postgres-url <url> --access-url <url>
 
 > <sup>1</sup> For production deployments, set up an external PostgreSQL instance for reliability.
 
-Use `coder --help` to get a list of flags and environment variables. Use our [install guides](https://coder.com/docs/v2/latest/guides) for a full walkthrough.
+Use `coder --help` to get a list of flags and environment variables. Use our [install guides](https://coder.com/docs/v2/latest/install) for a full walkthrough.
 
 ## Documentation
 
 
@@ -161,7 +161,7 @@ type agent struct {
 }
 
 func (a *agent) init(ctx context.Context) {
-	sshSrv, err := agentssh.NewServer(ctx, a.logger.Named("ssh-server"), a.sshMaxTimeout)
+	sshSrv, err := agentssh.NewServer(ctx, a.logger.Named("ssh-server"), a.filesystem, a.sshMaxTimeout, "")
 	if err != nil {
 		panic(err)
 	}
@@ -1407,5 +1407,14 @@ func expandDirectory(dir string) (string, error) {
 		}
 		dir = filepath.Join(home, dir[1:])
 	}
-	return os.ExpandEnv(dir), nil
+	dir = os.ExpandEnv(dir)
+
+	if !filepath.IsAbs(dir) {
+		home, err := userHomeDir()
+		if err != nil {
+			return "", err
+		}
+		dir = filepath.Join(home, dir)
+	}
+	return dir, nil
 }
@@ -706,12 +706,15 @@ func TestAgent_UnixRemoteForwarding(t *testing.T) {
 
 	// It's possible that the socket is created but the server is not ready to
 	// accept connections yet. We need to retry until we can connect.
+	//
+	// Note that we wait long here because if the tailnet connection has trouble
+	// connecting, it could take 5 seconds or more to reconnect.
 	var conn net.Conn
 	require.Eventually(t, func() bool {
 		var err error
 		conn, err = net.Dial("unix", remoteSocketPath)
 		return err == nil
-	}, testutil.WaitShort, testutil.IntervalFast)
+	}, testutil.WaitLong, testutil.IntervalFast)
 	defer conn.Close()
 	_, err = conn.Write([]byte("test"))
 	require.NoError(t, err)
@@ -1364,6 +1367,22 @@ func TestAgent_Startup(t *testing.T) {
 		require.Equal(t, homeDir, client.getStartup().ExpandedDirectory)
 	})
 
+	t.Run("NotAbsoluteDirectory", func(t *testing.T) {
+		t.Parallel()
+
+		_, client, _, _, _ := setupAgent(t, agentsdk.Manifest{
+			StartupScript:        "true",
+			StartupScriptTimeout: 30 * time.Second,
+			Directory:            "coder/coder",
+		}, 0)
+		assert.Eventually(t, func() bool {
+			return client.getStartup().Version != ""
+		}, testutil.WaitShort, testutil.IntervalFast)
+		homeDir, err := os.UserHomeDir()
+		require.NoError(t, err)
+		require.Equal(t, filepath.Join(homeDir, "coder/coder"), client.getStartup().ExpandedDirectory)
+	})
+
 	t.Run("HomeEnvironmentVariable", func(t *testing.T) {
 		t.Parallel()
 
@@ -1733,7 +1752,9 @@ func setupAgent(t *testing.T, metadata agentsdk.Manifest, ptyTimeout time.Durati
 	t.Cleanup(func() {
 		_ = agentConn.Close()
 	})
-	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitMedium)
+	// Ideally we wouldn't wait too long here, but sometimes the the
+	// networking needs more time to resolve itself.
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
 	defer cancel()
 	if !agentConn.AwaitReachable(ctx) {
 		t.Fatal("agent not reachable")
 
@@ -20,6 +20,7 @@ import (
 
 	"github.com/gliderlabs/ssh"
 	"github.com/pkg/sftp"
+	"github.com/spf13/afero"
 	"go.uber.org/atomic"
 	gossh "golang.org/x/crypto/ssh"
 	"golang.org/x/xerrors"
@@ -48,6 +49,7 @@ const (
 
 type Server struct {
 	mu        sync.RWMutex // Protects following.
+	fs        afero.Fs
 	listeners map[net.Listener]struct{}
 	conns     map[net.Conn]struct{}
 	sessions  map[ssh.Session]struct{}
@@ -56,8 +58,9 @@ type Server struct {
 	// a lock on mu but protected by closing.
 	wg sync.WaitGroup
 
-	logger slog.Logger
-	srv    *ssh.Server
+	logger       slog.Logger
+	srv          *ssh.Server
+	x11SocketDir string
 
 	Env        map[string]string
 	AgentToken func() string
@@ -68,7 +71,7 @@ type Server struct {
 	connCountSSHSession atomic.Int64
 }
 
-func NewServer(ctx context.Context, logger slog.Logger, maxTimeout time.Duration) (*Server, error) {
+func NewServer(ctx context.Context, logger slog.Logger, fs afero.Fs, maxTimeout time.Duration, x11SocketDir string) (*Server, error) {
 	// Clients' should ignore the host key when connecting.
 	// The agent needs to authenticate with coderd to SSH,
 	// so SSH authentication doesn't improve security.
@@ -80,15 +83,20 @@ func NewServer(ctx context.Context, logger slog.Logger, maxTimeout time.Duration
 	if err != nil {
 		return nil, err
 	}
+	if x11SocketDir == "" {
+		x11SocketDir = filepath.Join(os.TempDir(), ".X11-unix")
+	}
 
 	forwardHandler := &ssh.ForwardedTCPHandler{}
 	unixForwardHandler := &forwardedUnixHandler{log: logger}
 
 	s := &Server{
-		listeners: make(map[net.Listener]struct{}),
-		conns:     make(map[net.Conn]struct{}),
-		sessions:  make(map[ssh.Session]struct{}),
-		logger:    logger,
+		listeners:    make(map[net.Listener]struct{}),
+		fs:           fs,
+		conns:        make(map[net.Conn]struct{}),
+		sessions:     make(map[ssh.Session]struct{}),
+		logger:       logger,
+		x11SocketDir: x11SocketDir,
 	}
 
 	s.srv = &ssh.Server{
@@ -125,6 +133,7 @@ func NewServer(ctx context.Context, logger slog.Logger, maxTimeout time.Duration
 			"streamlocal-forward@openssh.com":        unixForwardHandler.HandleSSHRequest,
 			"cancel-streamlocal-forward@openssh.com": unixForwardHandler.HandleSSHRequest,
 		},
+		X11Callback: s.x11Callback,
 		ServerConfigCallback: func(ctx ssh.Context) *gossh.ServerConfig {
 			return &gossh.ServerConfig{
 				NoClientAuth: true,
@@ -163,6 +172,17 @@ func (s *Server) sessionHandler(session ssh.Session) {
 
 	ctx := session.Context()
 
+	extraEnv := make([]string, 0)
+	x11, hasX11 := session.X11()
+	if hasX11 {
+		handled := s.x11Handler(session.Context(), x11)
+		if !handled {
+			_ = session.Exit(1)
+			return
+		}
+		extraEnv = append(extraEnv, fmt.Sprintf("DISPLAY=:%d.0", x11.ScreenNumber))
+	}
+
 	switch ss := session.Subsystem(); ss {
 	case "":
 	case "sftp":
@@ -174,7 +194,7 @@ func (s *Server) sessionHandler(session ssh.Session) {
 		return
 	}
 
-	err := s.sessionStart(session)
+	err := s.sessionStart(session, extraEnv)
 	var exitError *exec.ExitError
 	if xerrors.As(err, &exitError) {
 		s.logger.Debug(ctx, "ssh session returned", slog.Error(exitError))
@@ -191,9 +211,9 @@ func (s *Server) sessionHandler(session ssh.Session) {
 	_ = session.Exit(0)
 }
 
-func (s *Server) sessionStart(session ssh.Session) error {
+func (s *Server) sessionStart(session ssh.Session, extraEnv []string) (retErr error) {
 	ctx := session.Context()
-	env := session.Environ()
+	env := append(session.Environ(), extraEnv...)
 	var magicType string
 	for index, kv := range env {
 		if !strings.HasPrefix(kv, MagicSessionTypeEnvironmentVariable) {
 
@@ -11,6 +11,7 @@ import (
 	"testing"
 
 	gliderssh "github.com/gliderlabs/ssh"
+	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
@@ -35,7 +36,7 @@ func Test_sessionStart_orphan(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitMedium)
 	defer cancel()
 	logger := slogtest.Make(t, nil)
-	s, err := NewServer(ctx, logger, 0)
+	s, err := NewServer(ctx, logger, afero.NewMemMapFs(), 0, "")
 	require.NoError(t, err)
 
 	// Here we're going to call the handler directly with a faked SSH session
 
@@ -10,6 +10,7 @@ import (
 	"sync"
 	"testing"
 
+	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/atomic"
@@ -32,7 +33,7 @@ func TestNewServer_ServeClient(t *testing.T) {
 
 	ctx := context.Background()
 	logger := slogtest.Make(t, nil)
-	s, err := agentssh.NewServer(ctx, logger, 0)
+	s, err := agentssh.NewServer(ctx, logger, afero.NewMemMapFs(), 0, "")
 	require.NoError(t, err)
 
 	// The assumption is that these are set before serving SSH connections.
@@ -50,6 +51,7 @@ func TestNewServer_ServeClient(t *testing.T) {
 	}()
 
 	c := sshClient(t, ln.Addr().String())
+
 	var b bytes.Buffer
 	sess, err := c.NewSession()
 	sess.Stdout = &b
@@ -72,7 +74,7 @@ func TestNewServer_CloseActiveConnections(t *testing.T) {
 
 	ctx := context.Background()
 	logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true})
-	s, err := agentssh.NewServer(ctx, logger, 0)
+	s, err := agentssh.NewServer(ctx, logger, afero.NewMemMapFs(), 0, "")
 	require.NoError(t, err)
 
 	// The assumption is that these are set before serving SSH connections.
Original file line number	Diff line number	Diff line change
`@@ -18,5 +18,6 @@`
`18`	`18`	`{`
`19`	`19`	`"pattern": "tailscale.com"`
`20`	`20`	`}`
`21`		`- ]`
	`21`	`+ ],`
	`22`	`+ "aliveStatusCodes": [200, 0]`
`22`	`23`	`}`
Original file line number	Diff line number	Diff line change
`@@ -161,7 +161,7 @@ type agent struct {`
`161`	`161`	`}`
`162`	`162`
`163`	`163`	`func (a *agent) init(ctx context.Context) {`
`164`		`- sshSrv, err := agentssh.NewServer(ctx, a.logger.Named("ssh-server"), a.sshMaxTimeout)`
	`164`	`+ sshSrv, err := agentssh.NewServer(ctx, a.logger.Named("ssh-server"), a.filesystem, a.sshMaxTimeout, "")`
`165`	`165`	`if err != nil {`
`166`	`166`	`panic(err)`
`167`	`167`	`}`
`@@ -1407,5 +1407,14 @@ func expandDirectory(dir string) (string, error) {`
`1407`	`1407`	`}`
`1408`	`1408`	`dir = filepath.Join(home, dir[1:])`
`1409`	`1409`	`}`
`1410`		`- return os.ExpandEnv(dir), nil`
	`1410`	`+ dir = os.ExpandEnv(dir)`
	`1411`	`+`
	`1412`	`+ if !filepath.IsAbs(dir) {`
	`1413`	`+ home, err := userHomeDir()`
	`1414`	`+ if err != nil {`
	`1415`	`+ return "", err`
	`1416`	`+ }`
	`1417`	`+ dir = filepath.Join(home, dir)`
	`1418`	`+ }`
	`1419`	`+ return dir, nil`
`1411`	`1420`	`}`