coder
diff --git a/‎.vscode/settings.json
+11 b/‎.vscode/settings.json
+11
diff --git a/‎agent/conn.go
+1-1 b/‎agent/conn.go
+1-1
diff --git a/‎coderd/coderd.go
+29-9 b/‎coderd/coderd.go
+29-9
diff --git a/‎coderd/coderd_test.go
+14 b/‎coderd/coderd_test.go
+14
diff --git a/‎coderd/coderdtest/coderdtest.go
+1-1 b/‎coderd/coderdtest/coderdtest.go
+1-1
diff --git a/‎coderd/database/databasefake/databasefake.go
+69 b/‎coderd/database/databasefake/databasefake.go
+69
diff --git a/‎coderd/database/dump.sql
+20 b/‎coderd/database/dump.sql
+20
diff --git a/‎coderd/database/migrations/000020_workspace_apps.down.sql
+1 b/‎coderd/database/migrations/000020_workspace_apps.down.sql
+1
diff --git a/‎coderd/database/migrations/000020_workspace_apps.up.sql
+12 b/‎coderd/database/migrations/000020_workspace_apps.up.sql
+12
diff --git a/‎coderd/database/models.go
+11 b/‎coderd/database/models.go
+11
diff --git a/‎coderd/database/querier.go
+4 b/‎coderd/database/querier.go
+4
@@ -1,5 +1,8 @@
 {
   "cSpell.words": [
+    "apps",
+    "awsidentity",
+    "buildinfo",
     "buildname",
     "circbuf",
     "cliflag",
@@ -16,6 +19,7 @@
     "Dsts",
     "fatih",
     "Formik",
+    "gitsshkey",
     "goarch",
     "gographviz",
     "goleak",
@@ -30,6 +34,7 @@
     "incpatch",
     "isatty",
     "Jobf",
+    "Keygen",
     "kirsle",
     "ldflags",
     "manifoldco",
@@ -54,6 +59,7 @@
     "retrier",
     "rpty",
     "sdkproto",
+    "sdktrace",
     "Signup",
     "sourcemapped",
     "stretchr",
@@ -66,13 +72,18 @@
     "tfjson",
     "tfstate",
     "trimprefix",
+    "turnconn",
     "typegen",
     "unconvert",
     "Untar",
     "VMID",
     "weblinks",
     "webrtc",
+    "workspaceagent",
+    "workspaceapp",
+    "workspaceapps",
     "workspacebuilds",
+    "wsconncache",
     "xerrors",
     "xstate",
     "yamux"
 
@@ -102,7 +102,7 @@ func (c *Conn) DialContext(ctx context.Context, network string, addr string) (ne
 	var res dialResponse
 	err = dec.Decode(&res)
 	if err != nil {
-		return nil, xerrors.Errorf("failed to decode initial packet: %w", err)
+		return nil, xerrors.Errorf("decode agent dial response: %w", err)
 	}
 	if res.Error != "" {
 		_ = channel.Close()
 
@@ -27,6 +27,7 @@ import (
 	"github.com/coder/coder/coderd/rbac"
 	"github.com/coder/coder/coderd/tracing"
 	"github.com/coder/coder/coderd/turnconn"
+	"github.com/coder/coder/coderd/wsconncache"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/site"
 )
@@ -44,14 +45,14 @@ type Options struct {
 	// app. Specific routes may have their own limiters.
 	APIRateLimit         int
 	AWSCertificates      awsidentity.Certificates
+	Authorizer           rbac.Authorizer
 	AzureCertificates    x509.VerifyOptions
 	GoogleTokenValidator *idtoken.Validator
 	GithubOAuth2Config   *GithubOAuth2Config
 	ICEServers           []webrtc.ICEServer
 	SecureAuthCookie     bool
 	SSHKeygenAlgorithm   gitsshkey.Algorithm
 	TURNServer           *turnconn.Server
-	Authorizer           rbac.Authorizer
 	TracerProvider       *sdktrace.TracerProvider
 }
 
@@ -75,9 +76,11 @@ func New(options *Options) *API {
 
 	r := chi.NewRouter()
 	api := &API{
-		Options: options,
-		Handler: r,
+		Options:     options,
+		Handler:     r,
+		siteHandler: site.Handler(site.FS()),
 	}
+	api.workspaceAgentCache = wsconncache.New(api.dialWorkspaceAgent, 0)
 
 	apiKeyMiddleware := httpmw.ExtractAPIKey(options.Database, &httpmw.OAuth2Configs{
 		Github: options.GithubOAuth2Config,
@@ -93,6 +96,20 @@ func New(options *Options) *API {
 		tracing.HTTPMW(api.TracerProvider, "coderd.http"),
 	)
 
+	apps := func(r chi.Router) {
+		r.Use(
+			httpmw.RateLimitPerMinute(options.APIRateLimit),
+			apiKeyMiddleware,
+			httpmw.ExtractUserParam(api.Database),
+		)
+		r.Get("/*", api.workspaceAppsProxyPath)
+	}
+	// %40 is the encoded character of the @ symbol. VS Code Web does
+	// not handle character encoding properly, so it's safe to assume
+	// other applications might not as well.
+	r.Route("/%40{user}/{workspacename}/apps/{workspaceapp}", apps)
+	r.Route("/@{user}/{workspacename}/apps/{workspaceapp}", apps)
+
 	r.Route("/api/v2", func(r chi.Router) {
 		r.NotFound(func(rw http.ResponseWriter, r *http.Request) {
 			httpapi.Write(rw, http.StatusNotFound, httpapi.Response{
@@ -327,24 +344,27 @@ func New(options *Options) *API {
 			r.Get("/state", api.workspaceBuildState)
 		})
 	})
-	r.NotFound(site.Handler(site.FS()).ServeHTTP)
-
+	r.NotFound(api.siteHandler.ServeHTTP)
 	return api
 }
 
 type API struct {
 	*Options
 
-	Handler            chi.Router
-	websocketWaitMutex sync.Mutex
-	websocketWaitGroup sync.WaitGroup
+	Handler             chi.Router
+	siteHandler         http.Handler
+	websocketWaitMutex  sync.Mutex
+	websocketWaitGroup  sync.WaitGroup
+	workspaceAgentCache *wsconncache.Cache
 }
 
 // Close waits for all WebSocket connections to drain before returning.
-func (api *API) Close() {
+func (api *API) Close() error {
 	api.websocketWaitMutex.Lock()
 	api.websocketWaitGroup.Wait()
 	api.websocketWaitMutex.Unlock()
+
+	return api.workspaceAgentCache.Close()
 }
 
 func debugLogRequest(log slog.Logger) func(http.Handler) http.Handler {
 
@@ -74,6 +74,10 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 						Agents: []*proto.Agent{{
 							Id:   "something",
 							Auth: &proto.Agent_Token{},
+							Apps: []*proto.App{{
+								Name: "app",
+								Url:  "http://localhost:3000",
+							}},
 						}},
 					}},
 				},
@@ -128,6 +132,15 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 		"GET:/api/v2/users/authmethods": {NoAuthorize: true},
 		"POST:/api/v2/csp/reports":      {NoAuthorize: true},
 
+		"GET:/%40{user}/{workspacename}/apps/{application}/*": {
+			AssertAction: rbac.ActionRead,
+			AssertObject: workspaceRBACObj,
+		},
+		"GET:/@{user}/{workspacename}/apps/{application}/*": {
+			AssertAction: rbac.ActionRead,
+			AssertObject: workspaceRBACObj,
+		},
+
 		// Has it's own auth
 		"GET:/api/v2/users/oauth2/github/callback": {NoAuthorize: true},
 
@@ -368,6 +381,7 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 			route = strings.ReplaceAll(route, "{template}", template.ID.String())
 			route = strings.ReplaceAll(route, "{hash}", file.Hash)
 			route = strings.ReplaceAll(route, "{workspaceresource}", workspaceResources[0].ID.String())
+			route = strings.ReplaceAll(route, "{workspaceapp}", workspaceResources[0].Agents[0].Apps[0].Name)
 			route = strings.ReplaceAll(route, "{templateversion}", version.ID.String())
 			route = strings.ReplaceAll(route, "{templateversiondryrun}", templateVersionDryRun.ID.String())
 			route = strings.ReplaceAll(route, "{templatename}", template.Name)
 
@@ -173,7 +173,7 @@ func NewWithAPI(t *testing.T, options *Options) (*codersdk.Client, *coderd.API)
 		cancelFunc()
 		_ = turnServer.Close()
 		srv.Close()
-		coderAPI.Close()
+		_ = coderAPI.Close()
 	})
 
 	return codersdk.New(serverURL), coderAPI
 
@@ -35,6 +35,7 @@ func New() database.Store {
 		templateVersions:        make([]database.TemplateVersion, 0),
 		templates:               make([]database.Template, 0),
 		workspaceBuilds:         make([]database.WorkspaceBuild, 0),
+		workspaceApps:           make([]database.WorkspaceApp, 0),
 		workspaces:              make([]database.Workspace, 0),
 	}
 }
@@ -63,6 +64,7 @@ type fakeQuerier struct {
 	templateVersions        []database.TemplateVersion
 	templates               []database.Template
 	workspaceBuilds         []database.WorkspaceBuild
+	workspaceApps           []database.WorkspaceApp
 	workspaces              []database.Workspace
 }
 
@@ -388,6 +390,38 @@ func (q *fakeQuerier) GetWorkspaceByOwnerIDAndName(_ context.Context, arg databa
 	return database.Workspace{}, sql.ErrNoRows
 }
 
+func (q *fakeQuerier) GetWorkspaceAppsByAgentID(_ context.Context, id uuid.UUID) ([]database.WorkspaceApp, error) {
+	q.mutex.RLock()
+	defer q.mutex.RUnlock()
+
+	apps := make([]database.WorkspaceApp, 0)
+	for _, app := range q.workspaceApps {
+		if app.AgentID == id {
+			apps = append(apps, app)
+		}
+	}
+	if len(apps) == 0 {
+		return nil, sql.ErrNoRows
+	}
+	return apps, nil
+}
+
+func (q *fakeQuerier) GetWorkspaceAppsByAgentIDs(_ context.Context, ids []uuid.UUID) ([]database.WorkspaceApp, error) {
+	q.mutex.RLock()
+	defer q.mutex.RUnlock()
+
+	apps := make([]database.WorkspaceApp, 0)
+	for _, app := range q.workspaceApps {
+		for _, id := range ids {
+			if app.AgentID.String() == id.String() {
+				apps = append(apps, app)
+				break
+			}
+		}
+	}
+	return apps, nil
+}
+
 func (q *fakeQuerier) GetWorkspacesAutostart(_ context.Context) ([]database.Workspace, error) {
 	q.mutex.RLock()
 	defer q.mutex.RUnlock()
@@ -1031,6 +1065,22 @@ func (q *fakeQuerier) GetWorkspaceAgentsByResourceIDs(_ context.Context, resourc
 	return workspaceAgents, nil
 }
 
+func (q *fakeQuerier) GetWorkspaceAppByAgentIDAndName(_ context.Context, arg database.GetWorkspaceAppByAgentIDAndNameParams) (database.WorkspaceApp, error) {
+	q.mutex.RLock()
+	defer q.mutex.RUnlock()
+
+	for _, app := range q.workspaceApps {
+		if app.AgentID != arg.AgentID {
+			continue
+		}
+		if app.Name != arg.Name {
+			continue
+		}
+		return app, nil
+	}
+	return database.WorkspaceApp{}, sql.ErrNoRows
+}
+
 func (q *fakeQuerier) GetProvisionerDaemonByID(_ context.Context, id uuid.UUID) (database.ProvisionerDaemon, error) {
 	q.mutex.RLock()
 	defer q.mutex.RUnlock()
@@ -1521,6 +1571,25 @@ func (q *fakeQuerier) InsertWorkspaceBuild(_ context.Context, arg database.Inser
 	return workspaceBuild, nil
 }
 
+func (q *fakeQuerier) InsertWorkspaceApp(_ context.Context, arg database.InsertWorkspaceAppParams) (database.WorkspaceApp, error) {
+	q.mutex.Lock()
+	defer q.mutex.Unlock()
+
+	// nolint:gosimple
+	workspaceApp := database.WorkspaceApp{
+		ID:           arg.ID,
+		AgentID:      arg.AgentID,
+		CreatedAt:    arg.CreatedAt,
+		Name:         arg.Name,
+		Icon:         arg.Icon,
+		Command:      arg.Command,
+		Url:          arg.Url,
+		RelativePath: arg.RelativePath,
+	}
+	q.workspaceApps = append(q.workspaceApps, workspaceApp)
+	return workspaceApp, nil
+}
+
 func (q *fakeQuerier) UpdateAPIKeyByID(_ context.Context, arg database.UpdateAPIKeyByIDParams) error {
 	q.mutex.Lock()
 	defer q.mutex.Unlock()
 
@@ -0,0 +1 @@
+DROP TABLE workspace_apps;
@@ -0,0 +1,12 @@
+CREATE TABLE workspace_apps (
+    id uuid NOT NULL,
+    created_at timestamp with time zone NOT NULL,
+    agent_id uuid NOT NULL REFERENCES workspace_agents (id) ON DELETE CASCADE,
+    name varchar(64) NOT NULL,
+    icon varchar(256) NOT NULL,
+    command varchar(65534),
+    url varchar(65534),
+    relative_path boolean NOT NULL DEFAULT false,
+    PRIMARY KEY (id),
+    UNIQUE(agent_id, name)
+);
Original file line number	Diff line number	Diff line change
`@@ -102,7 +102,7 @@ func (c *Conn) DialContext(ctx context.Context, network string, addr string) (ne`
`102`	`102`	`var res dialResponse`
`103`	`103`	`err = dec.Decode(&res)`
`104`	`104`	`if err != nil {`
`105`		`- return nil, xerrors.Errorf("failed to decode initial packet: %w", err)`
	`105`	`+ return nil, xerrors.Errorf("decode agent dial response: %w", err)`
`106`	`106`	`}`
`107`	`107`	`if res.Error != "" {`
`108`	`108`	`_ = channel.Close()`