coder
diff --git a/‎agent/agent.go
Lines changed: 2 additions & 0 deletions b/‎agent/agent.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎cli/agent.go
Lines changed: 2 additions & 0 deletions b/‎cli/agent.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎cli/root_internal_test.go
Lines changed: 8 additions & 4 deletions b/‎cli/root_internal_test.go
Lines changed: 8 additions & 4 deletions
diff --git a/‎cli/templateedit.go
Lines changed: 2 additions & 2 deletions b/‎cli/templateedit.go
Lines changed: 2 additions & 2 deletions
diff --git a/‎cli/templateedit_test.go
Lines changed: 4 additions & 4 deletions b/‎cli/templateedit_test.go
Lines changed: 4 additions & 4 deletions
diff --git a/‎coderd/coderd.go
Lines changed: 1 addition & 1 deletion b/‎coderd/coderd.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/coderd_test.go
Lines changed: 9 additions & 5 deletions b/‎coderd/coderd_test.go
Lines changed: 9 additions & 5 deletions
diff --git a/‎coderd/database/modelmethods.go
Lines changed: 4 additions & 0 deletions b/‎coderd/database/modelmethods.go
Lines changed: 4 additions & 0 deletions
diff --git a/‎coderd/rbac/builtin.go
Lines changed: 45 additions & 8 deletions b/‎coderd/rbac/builtin.go
Lines changed: 45 additions & 8 deletions
diff --git a/‎coderd/rbac/builtin_internal_test.go
Lines changed: 2 additions & 0 deletions b/‎coderd/rbac/builtin_internal_test.go
Lines changed: 2 additions & 0 deletions
@@ -129,6 +129,7 @@ func (a *agent) run(ctx context.Context) {
 	// An exponential back-off occurs when the connection is failing to dial.
 	// This is to prevent server spam in case of a coderd outage.
 	for retrier := retry.New(50*time.Millisecond, 10*time.Second); retrier.Wait(ctx); {
+		a.logger.Info(ctx, "connecting")
 		metadata, peerListener, err = a.dialer(ctx, a.logger)
 		if err != nil {
 			if errors.Is(err, context.Canceled) {
@@ -255,6 +256,7 @@ func (a *agent) handlePeerConn(ctx context.Context, conn *peer.Conn) {
 }
 
 func (a *agent) init(ctx context.Context) {
+	a.logger.Info(ctx, "generating host key")
 	// Clients' should ignore the host key when connecting.
 	// The agent needs to authenticate with coderd to SSH,
 	// so SSH authentication doesn't improve security.
 
@@ -73,6 +73,7 @@ func workspaceAgent() *cobra.Command {
 				return nil
 			}
 
+			logger.Info(cmd.Context(), "starting agent", slog.F("url", coderURL), slog.F("auth", auth))
 			client := codersdk.New(coderURL)
 
 			if pprofEnabled {
@@ -138,6 +139,7 @@ func workspaceAgent() *cobra.Command {
 			}
 
 			if exchangeToken != nil {
+				logger.Info(cmd.Context(), "exchanging identity token")
 				// Agent's can start before resources are returned from the provisioner
 				// daemon. If there are many resources being provisioned, this time
 				// could be significant. This is arbitrarily set at an hour to prevent
 
@@ -1,10 +1,10 @@
 package cli
 
 import (
-	"os"
 	"testing"
 
 	"github.com/stretchr/testify/require"
+	"go.uber.org/goleak"
 )
 
 func Test_formatExamples(t *testing.T) {
@@ -67,7 +67,11 @@ func Test_formatExamples(t *testing.T) {
 }
 
 func TestMain(m *testing.M) {
-	// Replace with goleak.VerifyTestMain(m) when we enable goleak.
-	os.Exit(m.Run())
-	// goleak.VerifyTestMain(m)
+	goleak.VerifyTestMain(m,
+		// The lumberjack library is used by by agent and seems to leave
+		// goroutines after Close(), fails TestGitSSH tests.
+		// https://github.com/natefinch/lumberjack/pull/100
+		goleak.IgnoreTopFunction("gopkg.in/natefinch/lumberjack%2ev2.(*Logger).millRun"),
+		goleak.IgnoreTopFunction("gopkg.in/natefinch/lumberjack%2ev2.(*Logger).mill.func1"),
+	)
 }
@@ -53,8 +53,8 @@ func templateEdit() *cobra.Command {
 	}
 
 	cmd.Flags().StringVarP(&description, "description", "", "", "Edit the template description")
-	cmd.Flags().DurationVarP(&maxTTL, "max_ttl", "", 0, "Edit the template maximum time before shutdown")
-	cmd.Flags().DurationVarP(&minAutostartInterval, "min_autostart_interval", "", 0, "Edit the template minimum autostart interval")
+	cmd.Flags().DurationVarP(&maxTTL, "max-ttl", "", 0, "Edit the template maximum time before shutdown")
+	cmd.Flags().DurationVarP(&minAutostartInterval, "min-autostart-interval", "", 0, "Edit the template minimum autostart interval")
 	cliui.AllowSkipPrompt(cmd)
 
 	return cmd
 
@@ -38,8 +38,8 @@ func TestTemplateEdit(t *testing.T) {
 			"edit",
 			template.Name,
 			"--description", desc,
-			"--max_ttl", maxTTL.String(),
-			"--min_autostart_interval", minAutostartInterval.String(),
+			"--max-ttl", maxTTL.String(),
+			"--min-autostart-interval", minAutostartInterval.String(),
 		}
 		cmd, root := clitest.New(t, cmdArgs...)
 		clitest.SetupConfig(t, client, root)
@@ -74,8 +74,8 @@ func TestTemplateEdit(t *testing.T) {
 			"edit",
 			template.Name,
 			"--description", template.Description,
-			"--max_ttl", (time.Duration(template.MaxTTLMillis) * time.Millisecond).String(),
-			"--min_autostart_interval", (time.Duration(template.MinAutostartIntervalMillis) * time.Millisecond).String(),
+			"--max-ttl", (time.Duration(template.MaxTTLMillis) * time.Millisecond).String(),
+			"--min-autostart-interval", (time.Duration(template.MinAutostartIntervalMillis) * time.Millisecond).String(),
 		}
 		cmd, root := clitest.New(t, cmdArgs...)
 		clitest.SetupConfig(t, client, root)
 
@@ -340,7 +340,7 @@ func New(options *Options) *API {
 				r.Get("/", api.workspaceAgent)
 				r.Post("/peer", api.postWorkspaceAgentWireguardPeer)
 				r.Get("/dial", api.workspaceAgentDial)
-				r.Get("/turn", api.workspaceAgentTurn)
+				r.Get("/turn", api.userWorkspaceAgentTurn)
 				r.Get("/pty", api.workspaceAgentPTY)
 				r.Get("/iceservers", api.workspaceAgentICEServers)
 				r.Get("/derp", api.derpMap)
 
@@ -220,6 +220,7 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 
 	// Some quick reused objects
 	workspaceRBACObj := rbac.ResourceWorkspace.InOrg(organization.ID).WithOwner(workspace.OwnerID.String())
+	workspaceExecObj := rbac.ResourceWorkspaceExecution.InOrg(organization.ID).WithOwner(workspace.OwnerID.String())
 
 	// skipRoutes allows skipping routes from being checked.
 	skipRoutes := map[string]string{
@@ -268,7 +269,6 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 		"GET:/api/v2/workspaceagents/me/wireguardlisten":          {NoAuthorize: true},
 		"POST:/api/v2/workspaceagents/me/keys":                    {NoAuthorize: true},
 		"GET:/api/v2/workspaceagents/{workspaceagent}/iceservers": {NoAuthorize: true},
-		"GET:/api/v2/workspaceagents/{workspaceagent}/turn":       {NoAuthorize: true},
 		"GET:/api/v2/workspaceagents/{workspaceagent}/derp":       {NoAuthorize: true},
 
 		// These endpoints have more assertions. This is good, add more endpoints to assert if you can!
@@ -331,12 +331,16 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 			AssertObject: workspaceRBACObj,
 		},
 		"GET:/api/v2/workspaceagents/{workspaceagent}/dial": {
-			AssertAction: rbac.ActionUpdate,
-			AssertObject: workspaceRBACObj,
+			AssertAction: rbac.ActionCreate,
+			AssertObject: workspaceExecObj,
+		},
+		"GET:/api/v2/workspaceagents/{workspaceagent}/turn": {
+			AssertAction: rbac.ActionCreate,
+			AssertObject: workspaceExecObj,
 		},
 		"GET:/api/v2/workspaceagents/{workspaceagent}/pty": {
-			AssertAction: rbac.ActionUpdate,
-			AssertObject: workspaceRBACObj,
+			AssertAction: rbac.ActionCreate,
+			AssertObject: workspaceExecObj,
 		},
 		"GET:/api/v2/workspaces/": {
 			StatusCode:   http.StatusOK,
 
@@ -17,6 +17,10 @@ func (w Workspace) RBACObject() rbac.Object {
 	return rbac.ResourceWorkspace.InOrg(w.OrganizationID).WithOwner(w.OwnerID.String())
 }
 
+func (w Workspace) ExecutionRBAC() rbac.Object {
+	return rbac.ResourceWorkspaceExecution.InOrg(w.OrganizationID).WithOwner(w.OwnerID.String())
+}
+
 func (m OrganizationMember) RBACObject() rbac.Object {
 	return rbac.ResourceOrganizationMember.InOrg(m.OrganizationID)
 }
 
@@ -9,9 +9,11 @@ import (
 )
 
 const (
-	admin   string = "admin"
-	member  string = "member"
-	auditor string = "auditor"
+	admin         string = "admin"
+	member        string = "member"
+	templateAdmin string = "template-admin"
+	userAdmin     string = "user-admin"
+	auditor       string = "auditor"
 
 	orgAdmin  string = "organization-admin"
 	orgMember string = "organization-member"
@@ -26,6 +28,14 @@ func RoleAdmin() string {
 	return roleName(admin, "")
 }
 
+func RoleTemplateAdmin() string {
+	return roleName(templateAdmin, "")
+}
+
+func RoleUserAdmin() string {
+	return roleName(userAdmin, "")
+}
+
 func RoleMember() string {
 	return roleName(member, "")
 }
@@ -93,6 +103,31 @@ var (
 			}
 		},
 
+		templateAdmin: func(_ string) Role {
+			return Role{
+				Name:        templateAdmin,
+				DisplayName: "Template Admin",
+				Site: permissions(map[Object][]Action{
+					ResourceTemplate: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
+					// CRUD all files, even those they did not upload.
+					ResourceFile:      {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
+					ResourceWorkspace: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
+					// CRUD to provisioner daemons for now.
+					ResourceProvisionerDaemon: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
+				}),
+			}
+		},
+
+		userAdmin: func(_ string) Role {
+			return Role{
+				Name:        userAdmin,
+				DisplayName: "User Admin",
+				Site: permissions(map[Object][]Action{
+					ResourceUser: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
+				}),
+			}
+		},
+
 		// orgAdmin returns a role with all actions allows in a given
 		// organization scope.
 		orgAdmin: func(organizationID string) Role {
@@ -153,11 +188,13 @@ var (
 	//	map[actor_role][assign_role]<can_assign>
 	assignRoles = map[string]map[string]bool{
 		admin: {
-			admin:     true,
-			auditor:   true,
-			member:    true,
-			orgAdmin:  true,
-			orgMember: true,
+			admin:         true,
+			auditor:       true,
+			member:        true,
+			orgAdmin:      true,
+			orgMember:     true,
+			templateAdmin: true,
+			userAdmin:     true,
 		},
 		orgAdmin: {
 			orgAdmin:  true,
 
@@ -18,6 +18,8 @@ func TestRoleByName(t *testing.T) {
 		}{
 			{Role: builtInRoles[admin]("")},
 			{Role: builtInRoles[member]("")},
+			{Role: builtInRoles[templateAdmin]("")},
+			{Role: builtInRoles[userAdmin]("")},
 			{Role: builtInRoles[auditor]("")},
 
 			{Role: builtInRoles[orgAdmin](uuid.New().String())},
Original file line number	Diff line number	Diff line change
`@@ -73,6 +73,7 @@ func workspaceAgent() *cobra.Command {`
`73`	`73`	`return nil`
`74`	`74`	`}`
`75`	`75`
	`76`	`+ logger.Info(cmd.Context(), "starting agent", slog.F("url", coderURL), slog.F("auth", auth))`
`76`	`77`	`client := codersdk.New(coderURL)`
`77`	`78`
`78`	`79`	`if pprofEnabled {`
`@@ -138,6 +139,7 @@ func workspaceAgent() *cobra.Command {`
`138`	`139`	`}`
`139`	`140`
`140`	`141`	`if exchangeToken != nil {`
	`142`	`+ logger.Info(cmd.Context(), "exchanging identity token")`
`141`	`143`	`// Agent's can start before resources are returned from the provisioner`
`142`	`144`	`// daemon. If there are many resources being provisioned, this time`
`143`	`145`	`// could be significant. This is arbitrarily set at an hour to prevent`
Original file line number	Diff line number	Diff line change
`@@ -53,8 +53,8 @@ func templateEdit() *cobra.Command {`
`53`	`53`	`}`
`54`	`54`
`55`	`55`	`cmd.Flags().StringVarP(&description, "description", "", "", "Edit the template description")`
`56`		`- cmd.Flags().DurationVarP(&maxTTL, "max_ttl", "", 0, "Edit the template maximum time before shutdown")`
`57`		`- cmd.Flags().DurationVarP(&minAutostartInterval, "min_autostart_interval", "", 0, "Edit the template minimum autostart interval")`
	`56`	`+ cmd.Flags().DurationVarP(&maxTTL, "max-ttl", "", 0, "Edit the template maximum time before shutdown")`
	`57`	`+ cmd.Flags().DurationVarP(&minAutostartInterval, "min-autostart-interval", "", 0, "Edit the template minimum autostart interval")`
`58`	`58`	`cliui.AllowSkipPrompt(cmd)`
`59`	`59`
`60`	`60`	`return cmd`
Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,10 @@ func (w Workspace) RBACObject() rbac.Object {`
`17`	`17`	`return rbac.ResourceWorkspace.InOrg(w.OrganizationID).WithOwner(w.OwnerID.String())`
`18`	`18`	`}`
`19`	`19`
	`20`	`+func (w Workspace) ExecutionRBAC() rbac.Object {`
	`21`	`+ return rbac.ResourceWorkspaceExecution.InOrg(w.OrganizationID).WithOwner(w.OwnerID.String())`
	`22`	`+}`
	`23`	`+`
`20`	`24`	`func (m OrganizationMember) RBACObject() rbac.Object {`
`21`	`25`	`return rbac.ResourceOrganizationMember.InOrg(m.OrganizationID)`
`22`	`26`	`}`