coder
diff --git a/‎.github/workflows/cron-weekly.yaml
Lines changed: 4 additions & 3 deletions b/‎.github/workflows/cron-weekly.yaml
Lines changed: 4 additions & 3 deletions
diff --git a/‎Makefile
Lines changed: 7 additions & 2 deletions b/‎Makefile
Lines changed: 7 additions & 2 deletions
diff --git a/‎cli/scaletest.go
Lines changed: 26 additions & 18 deletions b/‎cli/scaletest.go
Lines changed: 26 additions & 18 deletions
diff --git a/‎cli/server.go
Lines changed: 74 additions & 47 deletions b/‎cli/server.go
Lines changed: 74 additions & 47 deletions
diff --git a/‎cli/server_test.go
Lines changed: 2 additions & 0 deletions b/‎cli/server_test.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎cli/testdata/coder_scaletest_create-workspaces_--help.golden
Lines changed: 3 additions & 0 deletions b/‎cli/testdata/coder_scaletest_create-workspaces_--help.golden
Lines changed: 3 additions & 0 deletions
diff --git a/‎cli/testdata/coder_server_--help.golden
Lines changed: 6 additions & 0 deletions b/‎cli/testdata/coder_server_--help.golden
Lines changed: 6 additions & 0 deletions
diff --git a/‎cli/testdata/server-config.yaml.golden
Lines changed: 6 additions & 0 deletions b/‎cli/testdata/server-config.yaml.golden
Lines changed: 6 additions & 0 deletions
@@ -1,4 +1,4 @@
-name: Markdown Links Check
+name: Weekly Cron
 # runs every monday at 9 am
 on:
   schedule:
@@ -19,12 +19,13 @@ jobs:
         with:
           use-quiet-mode: "yes"
           use-verbose-mode: "yes"
-          config-file: ".github/workflows/markdown.links.config.json"
+          config-file: ".github/workflows/mlc_config.json"
           folder-path: "docs/"
 
       - name: Send Slack notification
+        if: failure()
         run: |
           curl -X POST -H 'Content-type: application/json' -d '{"msg":"Broken links found in the documentation. Please check the logs at ${{ env.LOGS_URL }}"}' ${{ secrets.DOCS_LINK_SLACK_WEBHOOK }}
           echo "Sent Slack notification"
         env:
-          LOGS_URL: ${{ https://github.com/coder/coder/actions/runs/${{ github.run_id }}
+          LOGS_URL: https://github.com/coder/coder/actions/runs/${{ github.run_id }}
@@ -423,6 +423,7 @@ gen: \
 	provisionersdk/proto/provisioner.pb.go \
 	provisionerd/proto/provisionerd.pb.go \
 	site/src/api/typesGenerated.ts \
+	coderd/rbac/object_gen.go \
 	docs/admin/prometheus.md \
 	docs/cli.md \
 	docs/admin/audit-logs.md \
@@ -443,6 +444,7 @@ gen/mark-fresh:
 		provisionersdk/proto/provisioner.pb.go \
 		provisionerd/proto/provisionerd.pb.go \
 		site/src/api/typesGenerated.ts \
+		coderd/rbac/object_gen.go \
 		docs/admin/prometheus.md \
 		docs/cli.md \
 		docs/admin/audit-logs.md \
@@ -495,6 +497,9 @@ site/src/api/typesGenerated.ts: scripts/apitypings/main.go $(shell find ./coders
 	cd site
 	yarn run format:types
 
+coderd/rbac/object_gen.go: scripts/rbacgen/main.go coderd/rbac/object.go
+	go run scripts/rbacgen/main.go ./coderd/rbac > coderd/rbac/object_gen.go
+
 docs/admin/prometheus.md: scripts/metricsdocgen/main.go scripts/metricsdocgen/metrics
 	go run scripts/metricsdocgen/main.go
 	cd site
@@ -505,12 +510,12 @@ docs/cli.md: scripts/clidocgen/main.go $(GO_SRC_FILES) docs/manifest.json
 	cd site
 	yarn run format:write:only ../docs/cli.md ../docs/cli/*.md ../docs/manifest.json
 
-docs/admin/audit-logs.md: scripts/auditdocgen/main.go enterprise/audit/table.go
+docs/admin/audit-logs.md: scripts/auditdocgen/main.go enterprise/audit/table.go coderd/rbac/object_gen.go
 	go run scripts/auditdocgen/main.go
 	cd site
 	yarn run format:write:only ../docs/admin/audit-logs.md
 
-coderd/apidoc/swagger.json: $(shell find ./scripts/apidocgen $(FIND_EXCLUSIONS) -type f) $(wildcard coderd/*.go) $(wildcard enterprise/coderd/*.go) $(wildcard codersdk/*.go) .swaggo docs/manifest.json
+coderd/apidoc/swagger.json: $(shell find ./scripts/apidocgen $(FIND_EXCLUSIONS) -type f) $(wildcard coderd/*.go) $(wildcard enterprise/coderd/*.go) $(wildcard codersdk/*.go) .swaggo docs/manifest.json coderd/rbac/object_gen.go
 	./scripts/apidocgen/generate.sh
 	yarn run --cwd=site format:write:only ../docs/api ../docs/manifest.json ../coderd/apidoc/swagger.json
 
 
@@ -471,7 +471,7 @@ func (r *RootCmd) scaletestCleanup() *clibase.Cmd {
 			}
 
 			cliui.Errorf(inv.Stderr, "Found %d scaletest users\n", len(users))
-			if len(workspaces) != 0 {
+			if len(users) != 0 {
 				cliui.Infof(inv.Stdout, "Deleting scaletest users..."+"\n")
 				harness := harness.NewTestHarness(cleanupStrategy.toStrategy(), harness.ConcurrentExecutionStrategy{})
 
@@ -535,6 +535,8 @@ func (r *RootCmd) scaletestCreateWorkspaces() *clibase.Cmd {
 		connectInterval time.Duration
 		connectTimeout  time.Duration
 
+		useHostUser bool
+
 		tracingFlags    = &scaletestTracingFlags{}
 		strategy        = &scaletestStrategyFlags{}
 		cleanupStrategy = &scaletestStrategyFlags{cleanup: true}
@@ -693,35 +695,37 @@ func (r *RootCmd) scaletestCreateWorkspaces() *clibase.Cmd {
 				const name = "workspacebuild"
 				id := strconv.Itoa(i)
 
-				username, email, err := newScaleTestUser(id)
-				if err != nil {
-					return xerrors.Errorf("create scaletest username and email: %w", err)
-				}
-				workspaceName, err := newScaleTestWorkspace(id)
-				if err != nil {
-					return xerrors.Errorf("create scaletest workspace name: %w", err)
-				}
-
 				config := createworkspaces.Config{
 					User: createworkspaces.UserConfig{
 						// TODO: configurable org
 						OrganizationID: me.OrganizationIDs[0],
-						Username:       username,
-						Email:          email,
 					},
 					Workspace: workspacebuild.Config{
 						OrganizationID: me.OrganizationIDs[0],
 						// UserID is set by the test automatically.
 						Request: codersdk.CreateWorkspaceRequest{
 							TemplateID:      tpl.ID,
-							Name:            workspaceName,
 							ParameterValues: params,
 						},
 						NoWaitForAgents: noWaitForAgents,
 					},
 					NoCleanup: noCleanup,
 				}
 
+				if useHostUser {
+					config.User.SessionToken = client.SessionToken()
+				} else {
+					config.User.Username, config.User.Email, err = newScaleTestUser(id)
+					if err != nil {
+						return xerrors.Errorf("create scaletest username and email: %w", err)
+					}
+				}
+
+				config.Workspace.Request.Name, err = newScaleTestWorkspace(id)
+				if err != nil {
+					return xerrors.Errorf("create scaletest workspace name: %w", err)
+				}
+
 				if runCommand != "" {
 					config.ReconnectingPTY = &reconnectingpty.Config{
 						// AgentID is set by the test automatically.
@@ -927,6 +931,13 @@ func (r *RootCmd) scaletestCreateWorkspaces() *clibase.Cmd {
 			Description: "Timeout for each request to the --connect-url.",
 			Value:       clibase.DurationOf(&connectTimeout),
 		},
+		{
+			Flag:        "use-host-login",
+			Env:         "CODER_SCALETEST_USE_HOST_LOGIN",
+			Default:     "false",
+			Description: "Use the use logged in on the host machine, instead of creating users.",
+			Value:       clibase.BoolOf(&useHostUser),
+		},
 	}
 
 	tracingFlags.attach(&cmd.Options)
@@ -1009,9 +1020,6 @@ func isScaleTestUser(user codersdk.User) bool {
 }
 
 func isScaleTestWorkspace(workspace codersdk.Workspace) bool {
-	if !strings.HasPrefix(workspace.OwnerName, "scaletest-") {
-		return false
-	}
-
-	return strings.HasPrefix(workspace.Name, "scaletest-")
+	return strings.HasPrefix(workspace.OwnerName, "scaletest-") ||
+		strings.HasPrefix(workspace.Name, "scaletest-")
 }
@@ -145,7 +145,7 @@ func ReadGitAuthProvidersFromEnv(environ []string) ([]codersdk.GitAuthConfig, er
 		case "REGEX":
 			provider.Regex = v.Value
 		case "NO_REFRESH":
-			b, err := strconv.ParseBool(key)
+			b, err := strconv.ParseBool(v.Value)
 			if err != nil {
 				return nil, xerrors.Errorf("parse bool: %s", v.Value)
 			}
@@ -165,62 +165,24 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 		opts = cfg.Options()
 	)
 	serverCmd := &clibase.Cmd{
-		Use:        "server",
-		Short:      "Start a Coder server",
-		Options:    opts,
-		Middleware: clibase.RequireNArgs(0),
+		Use:     "server",
+		Short:   "Start a Coder server",
+		Options: opts,
+		Middleware: clibase.Chain(
+			writeConfigMW(cfg),
+			printDeprecatedOptions(),
+			clibase.RequireNArgs(0),
+		),
 		Handler: func(inv *clibase.Invocation) error {
 			// Main command context for managing cancellation of running
 			// services.
 			ctx, cancel := context.WithCancel(inv.Context())
 			defer cancel()
 
-			if cfg.WriteConfig {
-				n, err := opts.MarshalYAML()
-				if err != nil {
-					return xerrors.Errorf("generate yaml: %w", err)
-				}
-				enc := yaml.NewEncoder(inv.Stdout)
-				enc.SetIndent(2)
-				err = enc.Encode(n)
-				if err != nil {
-					return xerrors.Errorf("encode yaml: %w", err)
-				}
-				err = enc.Close()
-				if err != nil {
-					return xerrors.Errorf("close yaml encoder: %w", err)
-				}
-				return nil
-			}
-
 			if cfg.Config != "" {
 				cliui.Warnf(inv.Stderr, "YAML support is experimental and offers no compatibility guarantees.")
 			}
 
-			// Print deprecation warnings.
-			for _, opt := range opts {
-				if opt.UseInstead == nil {
-					continue
-				}
-
-				if opt.Value.String() == opt.Default {
-					continue
-				}
-
-				warnStr := opt.Name + " is deprecated, please use "
-				for i, use := range opt.UseInstead {
-					warnStr += use.Name + " "
-					if i != len(opt.UseInstead)-1 {
-						warnStr += "and "
-					}
-				}
-				warnStr += "instead.\n"
-
-				cliui.Warn(inv.Stderr,
-					warnStr,
-				)
-			}
-
 			go dumpHandler(ctx)
 
 			// Validate bind addresses.
@@ -1222,6 +1184,71 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 	return serverCmd
 }
 
+// printDeprecatedOptions loops through all command options, and prints
+// a warning for usage of deprecated options.
+func printDeprecatedOptions() clibase.MiddlewareFunc {
+	return func(next clibase.HandlerFunc) clibase.HandlerFunc {
+		return func(inv *clibase.Invocation) error {
+			opts := inv.Command.Options
+			// Print deprecation warnings.
+			for _, opt := range opts {
+				if opt.UseInstead == nil {
+					continue
+				}
+
+				if opt.Value.String() == opt.Default {
+					continue
+				}
+
+				warnStr := opt.Name + " is deprecated, please use "
+				for i, use := range opt.UseInstead {
+					warnStr += use.Name + " "
+					if i != len(opt.UseInstead)-1 {
+						warnStr += "and "
+					}
+				}
+				warnStr += "instead.\n"
+
+				cliui.Warn(inv.Stderr,
+					warnStr,
+				)
+			}
+
+			return next(inv)
+		}
+	}
+}
+
+// writeConfigMW will prevent the main command from running if the write-config
+// flag is set. Instead, it will marshal the command options to YAML and write
+// them to stdout.
+func writeConfigMW(cfg *codersdk.DeploymentValues) clibase.MiddlewareFunc {
+	return func(next clibase.HandlerFunc) clibase.HandlerFunc {
+		return func(inv *clibase.Invocation) error {
+			if !cfg.WriteConfig {
+				return next(inv)
+			}
+
+			opts := inv.Command.Options
+			n, err := opts.MarshalYAML()
+			if err != nil {
+				return xerrors.Errorf("generate yaml: %w", err)
+			}
+			enc := yaml.NewEncoder(inv.Stdout)
+			enc.SetIndent(2)
+			err = enc.Encode(n)
+			if err != nil {
+				return xerrors.Errorf("encode yaml: %w", err)
+			}
+			err = enc.Close()
+			if err != nil {
+				return xerrors.Errorf("close yaml encoder: %w", err)
+			}
+			return nil
+		}
+	}
+}
+
 // isLocalURL returns true if the hostname of the provided URL appears to
 // resolve to a loopback address.
 func isLocalURL(ctx context.Context, u *url.URL) (bool, error) {
 
@@ -84,6 +84,7 @@ func TestReadGitAuthProvidersFromEnv(t *testing.T) {
 			"CODER_GITAUTH_1_TOKEN_URL=google.com",
 			"CODER_GITAUTH_1_VALIDATE_URL=bing.com",
 			"CODER_GITAUTH_1_SCOPES=repo:read repo:write",
+			"CODER_GITAUTH_1_NO_REFRESH=true",
 		})
 		require.NoError(t, err)
 		require.Len(t, providers, 2)
@@ -99,6 +100,7 @@ func TestReadGitAuthProvidersFromEnv(t *testing.T) {
 		assert.Equal(t, "google.com", providers[1].TokenURL)
 		assert.Equal(t, "bing.com", providers[1].ValidateURL)
 		assert.Equal(t, []string{"repo:read", "repo:write"}, providers[1].Scopes)
+		assert.Equal(t, true, providers[1].NoRefresh)
 	})
 }
 
 
@@ -116,5 +116,8 @@ It is recommended that all rate limits are disabled on the server before running
           if the server is configured with the exact same tracing configuration
           as the client.
 
+      --use-host-login bool, $CODER_SCALETEST_USE_HOST_LOGIN (default: false)
+          Use the use logged in on the host machine, instead of creating users.
+
 ---
 Run `coder --help` for a list of global options.
@@ -16,6 +16,12 @@ Start a Coder server
           $CACHE_DIRECTORY is set, it will be used for compatibility with
           systemd.
 
+      --disable-owner-workspace-access bool, $CODER_DISABLE_OWNER_WORKSPACE_ACCESS
+          Remove the permission for the 'owner' role to have workspace execution
+          on all workspaces. This prevents the 'owner' from ssh, apps, and
+          terminal access based on the 'owner' role. They still have their user
+          permissions to access their own workspaces.
+
       --disable-path-apps bool, $CODER_DISABLE_PATH_APPS
           Disable workspace apps that are not served from subdomains. Path-based
           apps can make requests to the Coder API and pose a security risk when
 
@@ -315,6 +315,12 @@ agentFallbackTroubleshootingURL: https://coder.com/docs/coder-oss/latest/templat
 # --wildcard-access-url is configured.
 # (default: <unset>, type: bool)
 disablePathApps: false
+# Remove the permission for the 'owner' role to have workspace execution on all
+# workspaces. This prevents the 'owner' from ssh, apps, and terminal access based
+# on the 'owner' role. They still have their user permissions to access their own
+# workspaces.
+# (default: <unset>, type: bool)
+disableOwnerWorkspaceAccess: false
 # These options change the behavior of how clients interact with the Coder.
 # Clients include the coder cli, vs code extension, and the web UI.
 client: