coder · spikecurtis · Aug 22, 2022 · Aug 17, 2022 · Aug 18, 2022 · Aug 18, 2022
diff --git a/cli/clitest/clitest.go b/cli/clitest/clitest.go
@@ -21,7 +21,7 @@ import (
 // New creates a CLI instance with a configuration pointed to a
 // temporary testing directory.
 func New(t *testing.T, args ...string) (*cobra.Command, config.Root) {
-	cmd := cli.Root()
+	cmd := cli.Root(cli.AGPLSubcommands())
 	dir := t.TempDir()
 	root := config.Root(dir)
 	cmd.SetArgs(append([]string{"--global-config", dir}, args...))

diff --git a/cli/root.go b/cli/root.go
@@ -20,6 +20,7 @@ import (
 	"github.com/coder/coder/cli/cliflag"
 	"github.com/coder/coder/cli/cliui"
 	"github.com/coder/coder/cli/config"
+	"github.com/coder/coder/coderd"
 	"github.com/coder/coder/codersdk"
 )
 
@@ -58,7 +59,42 @@ func init() {
 	cobra.AddTemplateFuncs(templateFunctions)
 }
 
-func Root() *cobra.Command {
+func CoreSubcommands() []*cobra.Command {
+	return []*cobra.Command{
+		configSSH(),
+		create(),
+		deleteWorkspace(),
+		dotfiles(),
+		gitssh(),
+		list(),
+		login(),
+		logout(),
+		parameters(),
+		portForward(),
+		publickey(),
+		resetPassword(),
+		schedules(),
+		show(),
+		ssh(),
+		start(),
+		state(),
+		stop(),
+		templates(),
+		update(),
+		users(),
+		versionCmd(),
+		wireguardPortForward(),
+		workspaceAgent(),
+		features(),
+	}
+}
+
+func AGPLSubcommands() []*cobra.Command {
+	all := append(CoreSubcommands(), Server(coderd.New))
+	return all
+}
+
+func Root(subcommands []*cobra.Command) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:           "coder",
 		SilenceErrors: true,
@@ -109,34 +145,7 @@ func Root() *cobra.Command {
 		),
 	}
 
-	cmd.AddCommand(
-		configSSH(),
-		create(),
-		deleteWorkspace(),
-		dotfiles(),
-		gitssh(),
-		list(),
-		login(),
-		logout(),
-		parameters(),
-		portForward(),
-		publickey(),
-		resetPassword(),
-		schedules(),
-		server(),
-		show(),
-		ssh(),
-		start(),
-		state(),
-		stop(),
-		templates(),
-		update(),
-		users(),
-		versionCmd(),
-		wireguardPortForward(),
-		workspaceAgent(),
-		features(),
-	)
+	cmd.AddCommand(subcommands...)
 
 	cmd.SetUsageTemplate(usageTemplate())
 

diff --git a/cli/server.go b/cli/server.go
@@ -67,8 +67,10 @@ import (
 	"github.com/coder/coder/provisionersdk/proto"
 )
 
+type CoderServerBuilder func(*coderd.Options) *coderd.API
+
 // nolint:gocyclo
-func server() *cobra.Command {
+func Server(builder CoderServerBuilder) *cobra.Command {
 	var (
 		accessURL             string
 		address               string
@@ -434,7 +436,7 @@ func server() *cobra.Command {
 				), promAddress, "prometheus")()
 			}
 
-			coderAPI := coderd.New(options)
+			coderAPI := builder(options)
 			defer coderAPI.Close()
 
 			client := codersdk.New(localURL)
@@ -885,16 +887,16 @@ func newProvisionerDaemon(ctx context.Context, coderAPI *coderd.API,
 // nolint: revive
 func printLogo(cmd *cobra.Command, spooky bool) {
 	if spooky {
-		_, _ = fmt.Fprintf(cmd.OutOrStdout(), `▄████▄   ▒█████  ▓█████▄ ▓█████  ██▀███  
+		_, _ = fmt.Fprintf(cmd.OutOrStdout(), `▄████▄   ▒█████  ▓█████▄ ▓█████  ██▀███
 ▒██▀ ▀█  ▒██▒  ██▒▒██▀ ██▌▓█   ▀ ▓██ ▒ ██▒
 ▒▓█    ▄ ▒██░  ██▒░██   █▌▒███   ▓██ ░▄█ ▒
-▒▓▓▄ ▄██▒▒██   ██░░▓█▄   ▌▒▓█  ▄ ▒██▀▀█▄  
+▒▓▓▄ ▄██▒▒██   ██░░▓█▄   ▌▒▓█  ▄ ▒██▀▀█▄
 ▒ ▓███▀ ░░ ████▓▒░░▒████▓ ░▒████▒░██▓ ▒██▒
 ░ ░▒ ▒  ░░ ▒░▒░▒░  ▒▒▓  ▒ ░░ ▒░ ░░ ▒▓ ░▒▓░
   ░  ▒     ░ ▒ ▒░  ░ ▒  ▒  ░ ░  ░  ░▒ ░ ▒░
-░        ░ ░ ░ ▒   ░ ░  ░    ░     ░░   ░ 
-░ ░          ░ ░     ░       ░  ░   ░     
-░                  ░                      		
+░        ░ ░ ░ ▒   ░ ░  ░    ░     ░░   ░
+░ ░          ░ ░     ░       ░  ░   ░
+░                  ░
 `)
 		return
 	}

diff --git a/cmd/coder/main.go b/cmd/coder/main.go
@@ -15,7 +15,7 @@ import (
 func main() {
 	rand.Seed(time.Now().UnixMicro())
 
-	cmd, err := cli.Root().ExecuteC()
+	cmd, err := cli.Root(cli.AGPLSubcommands()).ExecuteC()
 	if err != nil {
 		if errors.Is(err, cliui.Canceled) {
 			os.Exit(1)

diff --git a/coderd/authorize.go b/coderd/authorize.go
@@ -27,6 +27,11 @@ func AuthorizeFilter[O rbac.Objecter](api *API, r *http.Request, action rbac.Act
 	return objects, nil
 }
 
+type HTTPAuthorizer struct {
+	Authorizer rbac.Authorizer
+	Logger     slog.Logger
+}
+
 // Authorize will return false if the user is not authorized to do the action.
 // This function will log appropriately, but the caller must return an
 // error to the api client.
@@ -36,14 +41,26 @@ func AuthorizeFilter[O rbac.Objecter](api *API, r *http.Request, action rbac.Act
 //		return
 //	}
 func (api *API) Authorize(r *http.Request, action rbac.Action, object rbac.Objecter) bool {
+	return api.httpAuth.Authorize(r, action, object)
+}
+
+// Authorize will return false if the user is not authorized to do the action.
+// This function will log appropriately, but the caller must return an
+// error to the api client.
+// Eg:
+//	if !h.Authorize(...) {
+//		httpapi.Forbidden(rw)
+//		return
+//	}
+func (h *HTTPAuthorizer) Authorize(r *http.Request, action rbac.Action, object rbac.Objecter) bool {
 	roles := httpmw.AuthorizationUserRoles(r)
-	err := api.Authorizer.ByRoleName(r.Context(), roles.ID.String(), roles.Roles, action, object.RBACObject())
+	err := h.Authorizer.ByRoleName(r.Context(), roles.ID.String(), roles.Roles, action, object.RBACObject())
 	if err != nil {
 		// Log the errors for debugging
 		internalError := new(rbac.UnauthorizedError)
-		logger := api.Logger
+		logger := h.Logger
 		if xerrors.As(err, internalError) {
-			logger = api.Logger.With(slog.F("internal", internalError.Internal()))
+			logger = h.Logger.With(slog.F("internal", internalError.Internal()))
 		}
 		// Log information for debugging. This will be very helpful
 		// in the early days

diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -66,6 +66,7 @@ type Options struct {
 	Telemetry            telemetry.Reporter
 	TURNServer           *turnconn.Server
 	TracerProvider       *sdktrace.TracerProvider
+	LicenseHandler       http.Handler
 }
 
 // New constructs a Coder API handler.
@@ -92,6 +93,9 @@ func New(options *Options) *API {
 	if options.PrometheusRegistry == nil {
 		options.PrometheusRegistry = prometheus.NewRegistry()
 	}
+	if options.LicenseHandler == nil {
+		options.LicenseHandler = Licenses()
+	}
 
 	siteCacheDir := options.CacheDir
 	if siteCacheDir != "" {
@@ -107,6 +111,10 @@ func New(options *Options) *API {
 		Options:     options,
 		Handler:     r,
 		siteHandler: site.Handler(site.FS(), binFS),
+		httpAuth: &HTTPAuthorizer{
+			Authorizer: options.Authorizer,
+			Logger:     options.Logger,
+		},
 	}
 	api.workspaceAgentCache = wsconncache.New(api.dialWorkspaceAgent, 0)
 	oauthConfigs := &httpmw.OAuth2Configs{
@@ -395,6 +403,10 @@ func New(options *Options) *API {
 			r.Use(apiKeyMiddleware)
 			r.Get("/", entitlements)
 		})
+		r.Route("/licenses", func(r chi.Router) {
+			r.Use(apiKeyMiddleware)
+			r.Mount("/", options.LicenseHandler)
+		})
 	})
 
 	r.NotFound(compressHandler(http.HandlerFunc(api.siteHandler.ServeHTTP)).ServeHTTP)
@@ -409,6 +421,7 @@ type API struct {
 	websocketWaitMutex  sync.Mutex
 	websocketWaitGroup  sync.WaitGroup
 	workspaceAgentCache *wsconncache.Cache
+	httpAuth            *HTTPAuthorizer
 }
 
 // Close waits for all WebSocket connections to drain before returning.

diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go
@@ -73,6 +73,7 @@ type Options struct {
 
 	// IncludeProvisionerD when true means to start an in-memory provisionerD
 	IncludeProvisionerD bool
+	APIBuilder          func(*coderd.Options) *coderd.API
 }
 
 // New constructs a codersdk client connected to an in-memory API instance.
@@ -122,6 +123,9 @@ func newWithCloser(t *testing.T, options *Options) (*codersdk.Client, io.Closer)
 			close(options.AutobuildStats)
 		})
 	}
+	if options.APIBuilder == nil {
+		options.APIBuilder = coderd.New
+	}
 
 	// This can be hotswapped for a live database instance.
 	db := databasefake.New()
@@ -177,7 +181,7 @@ func newWithCloser(t *testing.T, options *Options) (*codersdk.Client, io.Closer)
 	})
 
 	// We set the handler after server creation for the access URL.
-	coderAPI := coderd.New(&coderd.Options{
+	coderAPI := options.APIBuilder(&coderd.Options{
 		AgentConnectionUpdateFrequency: 150 * time.Millisecond,
 		// Force a long disconnection timeout to ensure
 		// agents are not marked as disconnected during slow tests.

diff --git a/coderd/database/databasefake/databasefake.go b/coderd/database/databasefake/databasefake.go
@@ -42,6 +42,7 @@ func New() database.Store {
 			workspaceBuilds:                make([]database.WorkspaceBuild, 0),
 			workspaceApps:                  make([]database.WorkspaceApp, 0),
 			workspaces:                     make([]database.Workspace, 0),
+			licenses:                       make([]database.License, 0),
 		},
 	}
 }
@@ -92,8 +93,10 @@ type data struct {
 	workspaceBuilds                []database.WorkspaceBuild
 	workspaceApps                  []database.WorkspaceApp
 	workspaces                     []database.Workspace
+	licenses                       []database.License
 
-	deploymentID string
+	deploymentID  string
+	lastLicenseID int32
 }
 
 // InTx doesn't rollback data properly for in-memory yet.
@@ -2277,6 +2280,22 @@ func (q *fakeQuerier) GetDeploymentID(_ context.Context) (string, error) {
 	return q.deploymentID, nil
 }
 
+func (q *fakeQuerier) InsertLicense(
+	_ context.Context, arg database.InsertLicenseParams) (database.License, error) {
+	q.mutex.RLock()
+	defer q.mutex.RUnlock()
+
+	l := database.License{
+		ID:         q.lastLicenseID + 1,
+		UploadedAt: arg.UploadedAt,
+		Jwt:        arg.Jwt,
+		Exp:        arg.Exp,
+	}
+	q.lastLicenseID = l.ID
+	q.licenses = append(q.licenses, l)
+	return l, nil
+}
+
 func (q *fakeQuerier) GetUserLinkByLinkedID(_ context.Context, id string) (database.UserLink, error) {
 	q.mutex.RLock()
 	defer q.mutex.RUnlock()

diff --git a/coderd/database/dump.sql b/coderd/database/dump.sql
diff --git a/coderd/database/migrations/000037_jwt_licenses.down.sql b/coderd/database/migrations/000037_jwt_licenses.down.sql
@@ -0,0 +1,7 @@
+-- Valid licenses don't fit into old format, so delete all data
+DELETE FROM licenses;
+ALTER TABLE licenses DROP COLUMN jwt;
+ALTER TABLE licenses RENAME COLUMN uploaded_at to created_at;
+ALTER TABLE licenses ADD COLUMN license jsonb NOT NULL;
+ALTER TABLE licenses DROP COLUMN exp;
+
diff --git a/coderd/database/migrations/000037_jwt_licenses.up.sql b/coderd/database/migrations/000037_jwt_licenses.up.sql
@@ -0,0 +1,11 @@
+-- No valid licenses should exist, but to be sure, drop all rows
+DELETE FROM licenses;
+ALTER TABLE licenses DROP COLUMN license;
+ALTER TABLE licenses RENAME COLUMN created_at to uploaded_at;
+ALTER TABLE licenses ADD COLUMN jwt text NOT NULL;
+-- prevent adding the same license more than once
+ALTER TABLE licenses ADD CONSTRAINT licenses_jwt_key UNIQUE (jwt);
+-- exp tracks the claim of the same name in the JWT, and we include it here so that we can easily
+-- query for licenses that have not yet expired.
+ALTER TABLE licenses ADD COLUMN exp timestamp with time zone NOT NULL;
+
diff --git a/coderd/database/models.go b/coderd/database/models.go
diff --git a/coderd/database/querier.go b/coderd/database/querier.go