coder
diff --git a/‎agent/agentssh/agentssh.go
Lines changed: 5 additions & 1 deletion b/‎agent/agentssh/agentssh.go
Lines changed: 5 additions & 1 deletion
diff --git a/‎cli/restart.go
Lines changed: 1 addition & 1 deletion b/‎cli/restart.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎cli/ssh.go
Lines changed: 19 additions & 4 deletions b/‎cli/ssh.go
Lines changed: 19 additions & 4 deletions
diff --git a/‎cli/ssh_test.go
Lines changed: 65 additions & 0 deletions b/‎cli/ssh_test.go
Lines changed: 65 additions & 0 deletions
diff --git a/‎cli/start.go
Lines changed: 2 additions & 1 deletion b/‎cli/start.go
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/agentapi/manifest.go
Lines changed: 6 additions & 4 deletions b/‎coderd/agentapi/manifest.go
Lines changed: 6 additions & 4 deletions
diff --git a/‎coderd/agentapi/manifest_internal_test.go
Lines changed: 2 additions & 3 deletions b/‎coderd/agentapi/manifest_internal_test.go
Lines changed: 2 additions & 3 deletions
diff --git a/‎coderd/database/dbmem/dbmem.go
Lines changed: 17 additions & 0 deletions b/‎coderd/database/dbmem/dbmem.go
Lines changed: 17 additions & 0 deletions
diff --git a/‎coderd/database/modelqueries.go
Lines changed: 2 additions & 1 deletion b/‎coderd/database/modelqueries.go
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/database/queries.sql.go
Lines changed: 27 additions & 20 deletions b/‎coderd/database/queries.sql.go
Lines changed: 27 additions & 20 deletions
diff --git a/‎coderd/database/queries/workspaces.sql
Lines changed: 8 additions & 3 deletions b/‎coderd/database/queries/workspaces.sql
Lines changed: 8 additions & 3 deletions
diff --git a/‎coderd/rbac/authz.go
Lines changed: 6 additions & 0 deletions b/‎coderd/rbac/authz.go
Lines changed: 6 additions & 0 deletions
diff --git a/‎coderd/rbac/regosql/configs.go
Lines changed: 14 additions & 0 deletions b/‎coderd/rbac/regosql/configs.go
Lines changed: 14 additions & 0 deletions
@@ -681,7 +681,11 @@ func (s *Server) CreateCommand(ctx context.Context, script string, env []string)
 
 	// This adds the ports dialog to code-server that enables
 	// proxying a port dynamically.
-	cmd.Env = append(cmd.Env, fmt.Sprintf("VSCODE_PROXY_URI=%s", manifest.VSCodePortProxyURI))
+	// If this is empty string, do not set anything. Code-server auto defaults
+	// using its basepath to construct a path based port proxy.
+	if manifest.VSCodePortProxyURI != "" {
+		cmd.Env = append(cmd.Env, fmt.Sprintf("VSCODE_PROXY_URI=%s", manifest.VSCodePortProxyURI))
+	}
 
 	// Hide Coder message on code-server's "Getting Started" page
 	cmd.Env = append(cmd.Env, "CS_DISABLE_GETTING_STARTED_OVERRIDE=true")
 
@@ -64,7 +64,7 @@ func (r *RootCmd) restart() *clibase.Cmd {
 			// It's possible for a workspace build to fail due to the template requiring starting
 			// workspaces with the active version.
 			if cerr, ok := codersdk.AsError(err); ok && cerr.StatusCode() == http.StatusForbidden {
-				_, _ = fmt.Fprintln(inv.Stdout, "Failed to restart with the template version from your last build. Policy may require you to restart with the current active template version.")
+				_, _ = fmt.Fprintln(inv.Stdout, "Unable to restart the workspace with the template version from the last build. Policy may require you to restart with the current active template version.")
 				build, err = startWorkspace(inv, client, workspace, parameterFlags, WorkspaceUpdate)
 				if err != nil {
 					return xerrors.Errorf("start workspace with active template version: %w", err)
 
@@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"net/http"
 	"net/url"
 	"os"
 	"os/exec"
@@ -575,13 +576,27 @@ func getWorkspaceAndAgent(ctx context.Context, inv *clibase.Invocation, client *
 					codersdk.WorkspaceStatusStopped,
 				)
 		}
-		// startWorkspace based on the last build parameters.
+
+		// Start workspace based on the last build parameters.
+		// It's possible for a workspace build to fail due to the template requiring starting
+		// workspaces with the active version.
 		_, _ = fmt.Fprintf(inv.Stderr, "Workspace was stopped, starting workspace to allow connecting to %q...\n", workspace.Name)
-		build, err := startWorkspace(inv, client, workspace, workspaceParameterFlags{}, WorkspaceStart)
+		_, err = startWorkspace(inv, client, workspace, workspaceParameterFlags{}, WorkspaceStart)
+		if cerr, ok := codersdk.AsError(err); ok && cerr.StatusCode() == http.StatusForbidden {
+			_, _ = fmt.Fprintln(inv.Stdout, "Unable to start the workspace with template version from last build. The auto-update policy may require you to restart with the current active template version.")
+			_, err = startWorkspace(inv, client, workspace, workspaceParameterFlags{}, WorkspaceUpdate)
+			if err != nil {
+				return codersdk.Workspace{}, codersdk.WorkspaceAgent{}, xerrors.Errorf("start workspace with active template version: %w", err)
+			}
+		} else if err != nil {
+			return codersdk.Workspace{}, codersdk.WorkspaceAgent{}, xerrors.Errorf("start workspace with current template version: %w", err)
+		}
+
+		// Refresh workspace state so that `outdated`, `build`,`template_*` fields are up-to-date.
+		workspace, err = namedWorkspace(ctx, client, workspaceParts[0])
 		if err != nil {
-			return codersdk.Workspace{}, codersdk.WorkspaceAgent{}, xerrors.Errorf("unable to start workspace: %w", err)
+			return codersdk.Workspace{}, codersdk.WorkspaceAgent{}, err
 		}
-		workspace.LatestBuild = build
 	}
 	if workspace.LatestBuild.Job.CompletedAt == nil {
 		err := cliui.WorkspaceBuild(ctx, inv.Stderr, client, workspace.LatestBuild.ID)
 
@@ -133,6 +133,71 @@ func TestSSH(t *testing.T) {
 		pty.WriteLine("exit")
 		<-cmdDone
 	})
+	t.Run("RequireActiveVersion", func(t *testing.T) {
+		t.Parallel()
+
+		authToken := uuid.NewString()
+		ownerClient := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		owner := coderdtest.CreateFirstUser(t, ownerClient)
+		client, _ := coderdtest.CreateAnotherUser(t, ownerClient, owner.OrganizationID, rbac.RoleMember())
+
+		echoResponses := &echo.Responses{
+			Parse:          echo.ParseComplete,
+			ProvisionPlan:  echo.PlanComplete,
+			ProvisionApply: echo.ProvisionApplyWithAgent(authToken),
+		}
+
+		version := coderdtest.CreateTemplateVersion(t, ownerClient, owner.OrganizationID, echoResponses)
+		coderdtest.AwaitTemplateVersionJobCompleted(t, ownerClient, version.ID)
+		template := coderdtest.CreateTemplate(t, ownerClient, owner.OrganizationID, version.ID)
+
+		workspace := coderdtest.CreateWorkspace(t, client, owner.OrganizationID, template.ID, func(cwr *codersdk.CreateWorkspaceRequest) {
+			cwr.AutomaticUpdates = codersdk.AutomaticUpdatesAlways
+		})
+		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspace.LatestBuild.ID)
+
+		// Stop the workspace
+		workspaceBuild := coderdtest.CreateWorkspaceBuild(t, client, workspace, database.WorkspaceTransitionStop)
+		coderdtest.AwaitWorkspaceBuildJobCompleted(t, client, workspaceBuild.ID)
+
+		// Update template version
+		version = coderdtest.UpdateTemplateVersion(t, ownerClient, owner.OrganizationID, echoResponses, template.ID)
+		coderdtest.AwaitTemplateVersionJobCompleted(t, ownerClient, version.ID)
+		err := ownerClient.UpdateActiveTemplateVersion(context.Background(), template.ID, codersdk.UpdateActiveTemplateVersion{
+			ID: version.ID,
+		})
+		require.NoError(t, err)
+
+		// SSH to the workspace which should auto-update and autostart it
+		inv, root := clitest.New(t, "ssh", workspace.Name)
+		clitest.SetupConfig(t, client, root)
+		pty := ptytest.New(t).Attach(inv)
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		cmdDone := tGo(t, func() {
+			err := inv.WithContext(ctx).Run()
+			assert.NoError(t, err)
+		})
+
+		// When the agent connects, the workspace was started, and we should
+		// have access to the shell.
+		_ = agenttest.New(t, client.URL, authToken)
+		coderdtest.AwaitWorkspaceAgents(t, client, workspace.ID)
+
+		// Shells on Mac, Windows, and Linux all exit shells with the "exit" command.
+		pty.WriteLine("exit")
+		<-cmdDone
+
+		// Double-check if workspace's template version is up-to-date
+		workspace, err = client.Workspace(context.Background(), workspace.ID)
+		require.NoError(t, err)
+		assert.Equal(t, version.ID, workspace.TemplateActiveVersionID)
+		assert.Equal(t, workspace.TemplateActiveVersionID, workspace.LatestBuild.TemplateVersionID)
+		assert.False(t, workspace.Outdated)
+	})
+
 	t.Run("ShowTroubleshootingURLAfterTimeout", func(t *testing.T) {
 		t.Parallel()
 
 
@@ -49,7 +49,7 @@ func (r *RootCmd) start() *clibase.Cmd {
 				// It's possible for a workspace build to fail due to the template requiring starting
 				// workspaces with the active version.
 				if cerr, ok := codersdk.AsError(err); ok && cerr.StatusCode() == http.StatusForbidden {
-					_, _ = fmt.Fprintln(inv.Stdout, "Failed to restart with the template version from your last build. Policy may require you to restart with the current active template version.")
+					_, _ = fmt.Fprintln(inv.Stdout, "Unable to start the workspace with the template version from the last build. Policy may require you to restart with the current active template version.")
 					build, err = startWorkspace(inv, client, workspace, parameterFlags, WorkspaceUpdate)
 					if err != nil {
 						return xerrors.Errorf("start workspace with active template version: %w", err)
@@ -79,6 +79,7 @@ func (r *RootCmd) start() *clibase.Cmd {
 
 func buildWorkspaceStartRequest(inv *clibase.Invocation, client *codersdk.Client, workspace codersdk.Workspace, parameterFlags workspaceParameterFlags, action WorkspaceCLIAction) (codersdk.CreateWorkspaceBuildRequest, error) {
 	version := workspace.LatestBuild.TemplateVersionID
+
 	if workspace.AutomaticUpdates == codersdk.AutomaticUpdatesAlways || action == WorkspaceUpdate {
 		version = workspace.TemplateActiveVersionID
 		if version != workspace.LatestBuild.TemplateVersionID {
 
@@ -150,12 +150,14 @@ func (a *ManifestAPI) GetManifest(ctx context.Context, _ *agentproto.GetManifest
 }
 
 func vscodeProxyURI(app appurl.ApplicationURL, accessURL *url.URL, appHost string) string {
-	// This will handle the ports from the accessURL or appHost.
-	appHost = appurl.SubdomainAppHost(appHost, accessURL)
-	// If there is no appHost, then we want to use the access url as the proxy uri.
+	// Proxying by port only works for subdomains. If subdomain support is not
+	// available, return an empty string.
 	if appHost == "" {
-		appHost = accessURL.Host
+		return ""
 	}
+
+	// This will handle the ports from the accessURL or appHost.
+	appHost = appurl.SubdomainAppHost(appHost, accessURL)
 	// Return the url with a scheme and any wildcards replaced with the app slug.
 	return accessURL.Scheme + "://" + strings.ReplaceAll(appHost, "*", app.String())
 }
 
@@ -35,19 +35,18 @@ func Test_vscodeProxyURI(t *testing.T) {
 		Expected    string
 	}{
 		{
-			// No hostname proxies through the access url.
 			Name:        "NoHostname",
 			AccessURL:   coderAccessURL,
 			AppHostname: "",
 			App:         basicApp,
-			Expected:    coderAccessURL.String(),
+			Expected:    "",
 		},
 		{
 			Name:        "NoHostnameAccessURLPort",
 			AccessURL:   accessURLWithPort,
 			AppHostname: "",
 			App:         basicApp,
-			Expected:    accessURLWithPort.String(),
+			Expected:    "",
 		},
 		{
 			Name:        "Hostname",
 
@@ -7534,6 +7534,23 @@ func (q *FakeQuerier) GetAuthorizedWorkspaces(ctx context.Context, arg database.
 			}
 		}
 
+		if arg.UsingActive.Valid {
+			build, err := q.getLatestWorkspaceBuildByWorkspaceIDNoLock(ctx, workspace.ID)
+			if err != nil {
+				return nil, xerrors.Errorf("get latest build: %w", err)
+			}
+
+			template, err := q.getTemplateByIDNoLock(ctx, workspace.TemplateID)
+			if err != nil {
+				return nil, xerrors.Errorf("get template: %w", err)
+			}
+
+			updated := build.TemplateVersionID == template.ActiveVersionID
+			if arg.UsingActive.Bool != updated {
+				continue
+			}
+		}
+
 		if !arg.Deleted && workspace.Deleted {
 			continue
 		}
 
@@ -198,7 +198,7 @@ type workspaceQuerier interface {
 // This code is copied from `GetWorkspaces` and adds the authorized filter WHERE
 // clause.
 func (q *sqlQuerier) GetAuthorizedWorkspaces(ctx context.Context, arg GetWorkspacesParams, prepared rbac.PreparedAuthorized) ([]GetWorkspacesRow, error) {
-	authorizedFilter, err := prepared.CompileToSQL(ctx, rbac.ConfigWithoutACL())
+	authorizedFilter, err := prepared.CompileToSQL(ctx, rbac.ConfigWorkspaces())
 	if err != nil {
 		return nil, xerrors.Errorf("compile authorized filter: %w", err)
 	}
@@ -225,6 +225,7 @@ func (q *sqlQuerier) GetAuthorizedWorkspaces(ctx context.Context, arg GetWorkspa
 		arg.Dormant,
 		arg.LastUsedBefore,
 		arg.LastUsedAfter,
+		arg.UsingActive,
 		arg.Offset,
 		arg.Limit,
 	)
 
@@ -79,7 +79,7 @@ WHERE
 -- name: GetWorkspaces :many
 SELECT
 	workspaces.*,
-	COALESCE(template_name.template_name, 'unknown') as template_name,
+	COALESCE(template.name, 'unknown') as template_name,
 	latest_build.template_version_id,
 	latest_build.template_version_name,
 	COUNT(*) OVER () as count
@@ -120,12 +120,12 @@ LEFT JOIN LATERAL (
 ) latest_build ON TRUE
 LEFT JOIN LATERAL (
 	SELECT
-		templates.name AS template_name
+		*
 	FROM
 		templates
 	WHERE
 		templates.id = workspaces.template_id
-) template_name ON true
+) template ON true
 WHERE
 	-- Optionally include deleted workspaces
 	workspaces.deleted = @deleted
@@ -259,6 +259,11 @@ WHERE
 				  workspaces.last_used_at >= @last_used_after
 		  ELSE true
 	END
+  	AND CASE
+		  WHEN sqlc.narg('using_active') :: boolean IS NOT NULL THEN
+			  (latest_build.template_version_id = template.active_version_id) = sqlc.narg('using_active') :: boolean
+		  ELSE true
+	END
 	-- Authorize Filter clause will be injected below in GetAuthorizedWorkspaces
 	-- @authorize_filter
 ORDER BY
 
@@ -611,6 +611,12 @@ func ConfigWithoutACL() regosql.ConvertConfig {
 	}
 }
 
+func ConfigWorkspaces() regosql.ConvertConfig {
+	return regosql.ConvertConfig{
+		VariableConverter: regosql.WorkspaceConverter(),
+	}
+}
+
 func Compile(cfg regosql.ConvertConfig, pa *PartialAuthorizer) (AuthorizeFilter, error) {
 	root, err := regosql.ConvertRegoAst(cfg, pa.partialQueries)
 	if err != nil {
 
@@ -53,6 +53,20 @@ func UserConverter() *sqltypes.VariableConverter {
 	return matcher
 }
 
+func WorkspaceConverter() *sqltypes.VariableConverter {
+	matcher := sqltypes.NewVariableConverter().RegisterMatcher(
+		resourceIDMatcher(),
+		sqltypes.StringVarMatcher("workspaces.organization_id :: text", []string{"input", "object", "org_owner"}),
+		userOwnerMatcher(),
+	)
+	matcher.RegisterMatcher(
+		sqltypes.AlwaysFalse(groupACLMatcher(matcher)),
+		sqltypes.AlwaysFalse(userACLMatcher(matcher)),
+	)
+
+	return matcher
+}
+
 // NoACLConverter should be used when the target SQL table does not contain
 // group or user ACL columns.
 func NoACLConverter() *sqltypes.VariableConverter {
Original file line number	Diff line number	Diff line change
`@@ -150,12 +150,14 @@ func (a ManifestAPI) GetManifest(ctx context.Context, _ agentproto.GetManifest`
`150`	`150`	`}`
`151`	`151`
`152`	`152`	`func vscodeProxyURI(app appurl.ApplicationURL, accessURL *url.URL, appHost string) string {`
`153`		`- // This will handle the ports from the accessURL or appHost.`
`154`		`- appHost = appurl.SubdomainAppHost(appHost, accessURL)`
`155`		`- // If there is no appHost, then we want to use the access url as the proxy uri.`
	`153`	`+ // Proxying by port only works for subdomains. If subdomain support is not`
	`154`	`+ // available, return an empty string.`
`156`	`155`	`if appHost == "" {`
`157`		`- appHost = accessURL.Host`
	`156`	`+ return ""`
`158`	`157`	`}`
	`158`	`+`
	`159`	`+ // This will handle the ports from the accessURL or appHost.`
	`160`	`+ appHost = appurl.SubdomainAppHost(appHost, accessURL)`
`159`	`161`	`// Return the url with a scheme and any wildcards replaced with the app slug.`
`160`	`162`	`return accessURL.Scheme + "://" + strings.ReplaceAll(appHost, "*", app.String())`
`161`	`163`	`}`
Original file line number	Diff line number	Diff line change
`@@ -611,6 +611,12 @@ func ConfigWithoutACL() regosql.ConvertConfig {`
`611`	`611`	`}`
`612`	`612`	`}`
`613`	`613`
	`614`	`+func ConfigWorkspaces() regosql.ConvertConfig {`
	`615`	`+ return regosql.ConvertConfig{`
	`616`	`+ VariableConverter: regosql.WorkspaceConverter(),`
	`617`	`+ }`
	`618`	`+}`
	`619`	`+`
`614`	`620`	`func Compile(cfg regosql.ConvertConfig, pa *PartialAuthorizer) (AuthorizeFilter, error) {`
`615`	`621`	`root, err := regosql.ConvertRegoAst(cfg, pa.partialQueries)`
`616`	`622`	`if err != nil {`