coder
diff --git a/‎cli/server.go
Lines changed: 26 additions & 1 deletion b/‎cli/server.go
Lines changed: 26 additions & 1 deletion
diff --git a/‎cli/templates.go
Lines changed: 1 addition & 2 deletions b/‎cli/templates.go
Lines changed: 1 addition & 2 deletions
diff --git a/‎cli/templateversionarchive.go
Lines changed: 1 addition & 2 deletions b/‎cli/templateversionarchive.go
Lines changed: 1 addition & 2 deletions
diff --git a/‎cli/templateversions.go
Lines changed: 1 addition & 2 deletions b/‎cli/templateversions.go
Lines changed: 1 addition & 2 deletions
diff --git a/‎cli/user_delete_test.go
Lines changed: 0 additions & 1 deletion b/‎cli/user_delete_test.go
Lines changed: 0 additions & 1 deletion
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 8 additions & 0 deletions b/‎coderd/apidoc/docs.go
Lines changed: 8 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 8 additions & 0 deletions b/‎coderd/apidoc/swagger.json
Lines changed: 8 additions & 0 deletions
diff --git a/‎coderd/audit/request.go
Lines changed: 61 additions & 6 deletions b/‎coderd/audit/request.go
Lines changed: 61 additions & 6 deletions
diff --git a/‎coderd/audit/request_test.go
Lines changed: 33 additions & 0 deletions b/‎coderd/audit/request_test.go
Lines changed: 33 additions & 0 deletions
diff --git a/‎coderd/autobuild/lifecycle_executor.go
Lines changed: 16 additions & 3 deletions b/‎coderd/autobuild/lifecycle_executor.go
Lines changed: 16 additions & 3 deletions
@@ -41,6 +41,8 @@ import (
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/collectors"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
+	"go.opentelemetry.io/otel"
+	"go.opentelemetry.io/otel/propagation"
 	"go.opentelemetry.io/otel/trace"
 	"golang.org/x/mod/semver"
 	"golang.org/x/oauth2"
@@ -78,6 +80,7 @@ import (
 	"github.com/coder/coder/v2/coderd/httpmw"
 	"github.com/coder/coder/v2/coderd/oauthpki"
 	"github.com/coder/coder/v2/coderd/prometheusmetrics"
+	"github.com/coder/coder/v2/coderd/prometheusmetrics/insights"
 	"github.com/coder/coder/v2/coderd/schedule"
 	"github.com/coder/coder/v2/coderd/telemetry"
 	"github.com/coder/coder/v2/coderd/tracing"
@@ -198,6 +201,21 @@ func enablePrometheus(
 	}
 	afterCtx(ctx, closeWorkspacesFunc)
 
+	insightsMetricsCollector, err := insights.NewMetricsCollector(options.Database, options.Logger, 0, 0)
+	if err != nil {
+		return nil, xerrors.Errorf("unable to initialize insights metrics collector: %w", err)
+	}
+	err = options.PrometheusRegistry.Register(insightsMetricsCollector)
+	if err != nil {
+		return nil, xerrors.Errorf("unable to register insights metrics collector: %w", err)
+	}
+
+	closeInsightsMetricsCollector, err := insightsMetricsCollector.Run(ctx)
+	if err != nil {
+		return nil, xerrors.Errorf("unable to run insights metrics collector: %w", err)
+	}
+	afterCtx(ctx, closeInsightsMetricsCollector)
+
 	if vals.Prometheus.CollectAgentStats {
 		closeAgentStatsFunc, err := prometheusmetrics.AgentStats(ctx, logger, options.PrometheusRegistry, options.Database, time.Now(), 0)
 		if err != nil {
@@ -938,7 +956,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 			autobuildTicker := time.NewTicker(vals.AutobuildPollInterval.Value())
 			defer autobuildTicker.Stop()
 			autobuildExecutor := autobuild.NewExecutor(
-				ctx, options.Database, options.Pubsub, coderAPI.TemplateScheduleStore, &coderAPI.Auditor, logger, autobuildTicker.C)
+				ctx, options.Database, options.Pubsub, coderAPI.TemplateScheduleStore, &coderAPI.Auditor, coderAPI.AccessControlStore, logger, autobuildTicker.C)
 			autobuildExecutor.Run()
 
 			hangDetectorTicker := time.NewTicker(vals.JobHangDetectorInterval.Value())
@@ -2020,6 +2038,13 @@ func ConfigureTraceProvider(
 		sqlDriver      = "postgres"
 	)
 
+	otel.SetTextMapPropagator(
+		propagation.NewCompositeTextMapPropagator(
+			propagation.TraceContext{},
+			propagation.Baggage{},
+		),
+	)
+
 	if cfg.Trace.Enable.Value() || cfg.Trace.DataDog.Value() || cfg.Trace.HoneycombAPIKey != "" {
 		sdkTracerProvider, _closeTracing, err := tracing.TracerProvider(ctx, "coderd", tracing.TracerOpts{
 			Default:   cfg.Trace.Enable.Value(),
 
@@ -6,11 +6,10 @@ import (
 	"github.com/google/uuid"
 	"golang.org/x/xerrors"
 
-	"github.com/coder/pretty"
-
 	"github.com/coder/coder/v2/cli/clibase"
 	"github.com/coder/coder/v2/cli/cliui"
 	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/pretty"
 )
 
 func (r *RootCmd) templates() *clibase.Cmd {
 
@@ -8,11 +8,10 @@ import (
 
 	"golang.org/x/xerrors"
 
-	"github.com/coder/pretty"
-
 	"github.com/coder/coder/v2/cli/clibase"
 	"github.com/coder/coder/v2/cli/cliui"
 	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/pretty"
 )
 
 func (r *RootCmd) unarchiveTemplateVersion() *clibase.Cmd {
 
@@ -8,11 +8,10 @@ import (
 	"github.com/google/uuid"
 	"golang.org/x/xerrors"
 
-	"github.com/coder/pretty"
-
 	"github.com/coder/coder/v2/cli/clibase"
 	"github.com/coder/coder/v2/cli/cliui"
 	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/pretty"
 )
 
 func (r *RootCmd) templateVersions() *clibase.Cmd {
 
@@ -121,7 +121,6 @@ func TestUserDelete(t *testing.T) {
 	// 	pw, err := cryptorand.String(16)
 	// 	require.NoError(t, err)
 
-	// 	fmt.Println(aUser.OrganizationID)
 	// 	toDelete, err := client.CreateUser(ctx, codersdk.CreateUserRequest{
 	// 		Email:          "colin5@coder.com",
 	// 		Username:       "coolin",
 
@@ -11,6 +11,8 @@ import (
 
 	"github.com/google/uuid"
 	"github.com/sqlc-dev/pqtype"
+	"go.opentelemetry.io/otel/baggage"
+	"golang.org/x/xerrors"
 
 	"cdr.dev/slog"
 	"github.com/coder/coder/v2/coderd/database"
@@ -54,6 +56,7 @@ type BuildAuditParams[T Auditable] struct {
 	Status           int
 	Action           database.AuditAction
 	OrganizationID   uuid.UUID
+	IP               string
 	AdditionalFields json.RawMessage
 
 	New T
@@ -248,9 +251,7 @@ func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request
 // WorkspaceBuildAudit creates an audit log for a workspace build.
 // The audit log is committed upon invocation.
 func WorkspaceBuildAudit[T Auditable](ctx context.Context, p *BuildAuditParams[T]) {
-	// As the audit request has not been initiated directly by a user, we omit
-	// certain user details.
-	ip := parseIP("")
+	ip := parseIP(p.IP)
 
 	diff := Diff(p.Audit, p.Old, p.New)
 	var err error
@@ -280,16 +281,70 @@ func WorkspaceBuildAudit[T Auditable](ctx context.Context, p *BuildAuditParams[T
 		RequestID:        p.JobID,
 		AdditionalFields: p.AdditionalFields,
 	}
-	exportErr := p.Audit.Export(ctx, auditLog)
-	if exportErr != nil {
+	err = p.Audit.Export(ctx, auditLog)
+	if err != nil {
 		p.Log.Error(ctx, "export audit log",
 			slog.F("audit_log", auditLog),
 			slog.Error(err),
 		)
-		return
 	}
 }
 
+type WorkspaceBuildBaggage struct {
+	IP string
+}
+
+func (b WorkspaceBuildBaggage) Props() ([]baggage.Property, error) {
+	ipProp, err := baggage.NewKeyValueProperty("ip", b.IP)
+	if err != nil {
+		return nil, xerrors.Errorf("create ip kv property: %w", err)
+	}
+
+	return []baggage.Property{ipProp}, nil
+}
+
+func WorkspaceBuildBaggageFromRequest(r *http.Request) WorkspaceBuildBaggage {
+	return WorkspaceBuildBaggage{IP: r.RemoteAddr}
+}
+
+type Baggage interface {
+	Props() ([]baggage.Property, error)
+}
+
+func BaggageToContext(ctx context.Context, d Baggage) (context.Context, error) {
+	props, err := d.Props()
+	if err != nil {
+		return ctx, xerrors.Errorf("create baggage properties: %w", err)
+	}
+
+	m, err := baggage.NewMember("audit", "baggage", props...)
+	if err != nil {
+		return ctx, xerrors.Errorf("create new baggage member: %w", err)
+	}
+
+	b, err := baggage.New(m)
+	if err != nil {
+		return ctx, xerrors.Errorf("create new baggage carrier: %w", err)
+	}
+
+	return baggage.ContextWithBaggage(ctx, b), nil
+}
+
+func BaggageFromContext(ctx context.Context) WorkspaceBuildBaggage {
+	d := WorkspaceBuildBaggage{}
+	b := baggage.FromContext(ctx)
+	props := b.Member("audit").Properties()
+	for _, prop := range props {
+		switch prop.Key() {
+		case "ip":
+			d.IP, _ = prop.Value()
+		default:
+		}
+	}
+
+	return d
+}
+
 func either[T Auditable, R any](old, new T, fn func(T) R, auditAction database.AuditAction) R {
 	if ResourceID(new) != uuid.Nil {
 		return fn(new)
 
@@ -0,0 +1,33 @@
+package audit_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"go.opentelemetry.io/otel/propagation"
+
+	"github.com/coder/coder/v2/coderd/audit"
+)
+
+func TestBaggage(t *testing.T) {
+	t.Parallel()
+	prop := propagation.NewCompositeTextMapPropagator(
+		propagation.TraceContext{},
+		propagation.Baggage{},
+	)
+
+	expected := audit.WorkspaceBuildBaggage{
+		IP: "127.0.0.1",
+	}
+
+	ctx, err := audit.BaggageToContext(context.Background(), expected)
+	require.NoError(t, err)
+
+	carrier := propagation.MapCarrier{}
+	prop.Inject(ctx, carrier)
+	bCtx := prop.Extract(ctx, carrier)
+	got := audit.BaggageFromContext(bCtx)
+
+	require.Equal(t, expected, got)
+}
@@ -32,6 +32,7 @@ type Executor struct {
 	db                    database.Store
 	ps                    pubsub.Pubsub
 	templateScheduleStore *atomic.Pointer[schedule.TemplateScheduleStore]
+	accessControlStore    *atomic.Pointer[dbauthz.AccessControlStore]
 	auditor               *atomic.Pointer[audit.Auditor]
 	log                   slog.Logger
 	tick                  <-chan time.Time
@@ -46,7 +47,7 @@ type Stats struct {
 }
 
 // New returns a new wsactions executor.
-func NewExecutor(ctx context.Context, db database.Store, ps pubsub.Pubsub, tss *atomic.Pointer[schedule.TemplateScheduleStore], auditor *atomic.Pointer[audit.Auditor], log slog.Logger, tick <-chan time.Time) *Executor {
+func NewExecutor(ctx context.Context, db database.Store, ps pubsub.Pubsub, tss *atomic.Pointer[schedule.TemplateScheduleStore], auditor *atomic.Pointer[audit.Auditor], acs *atomic.Pointer[dbauthz.AccessControlStore], log slog.Logger, tick <-chan time.Time) *Executor {
 	le := &Executor{
 		//nolint:gocritic // Autostart has a limited set of permissions.
 		ctx:                   dbauthz.AsAutostart(ctx),
@@ -56,6 +57,7 @@ func NewExecutor(ctx context.Context, db database.Store, ps pubsub.Pubsub, tss *
 		tick:                  tick,
 		log:                   log.Named("autobuild"),
 		auditor:               auditor,
+		accessControlStore:    acs,
 	}
 	return le
 }
@@ -159,6 +161,12 @@ func (e *Executor) runOnce(t time.Time) Stats {
 					return nil
 				}
 
+				template, err := tx.GetTemplateByID(e.ctx, ws.TemplateID)
+				if err != nil {
+					log.Warn(e.ctx, "get template by id", slog.Error(err))
+				}
+				accessControl := (*(e.accessControlStore.Load())).GetTemplateAccessControl(template)
+
 				latestJob, err := tx.GetProvisionerJobByID(e.ctx, latestBuild.JobID)
 				if err != nil {
 					log.Warn(e.ctx, "get last provisioner job for workspace %q: %w", slog.Error(err))
@@ -179,12 +187,13 @@ func (e *Executor) runOnce(t time.Time) Stats {
 						Reason(reason)
 					log.Debug(e.ctx, "auto building workspace", slog.F("transition", nextTransition))
 					if nextTransition == database.WorkspaceTransitionStart &&
-						ws.AutomaticUpdates == database.AutomaticUpdatesAlways {
+						useActiveVersion(accessControl, ws) {
 						log.Debug(e.ctx, "autostarting with active version")
 						builder = builder.ActiveVersion()
 					}
 
-					build, job, err = builder.Build(e.ctx, tx, nil)
+					build, job, err = builder.Build(e.ctx, tx, nil, audit.WorkspaceBuildBaggage{IP: "127.0.0.1"})
+
 					if err != nil {
 						log.Error(e.ctx, "unable to transition workspace",
 							slog.F("transition", nextTransition),
@@ -469,3 +478,7 @@ func auditBuild(ctx context.Context, log slog.Logger, auditor audit.Auditor, par
 		AdditionalFields: raw,
 	})
 }
+
+func useActiveVersion(opts dbauthz.TemplateAccessControl, ws database.Workspace) bool {
+	return opts.RequireActiveVersion || ws.AutomaticUpdates == database.AutomaticUpdatesAlways
+}