diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index b0c73ff5b2097..0537cc16b7f0c 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -34,7 +34,7 @@ jobs: tailnet-integration: ${{ steps.filter.outputs.tailnet-integration }} steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -154,7 +154,7 @@ jobs: runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }} steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -226,7 +226,7 @@ jobs: if: ${{ !cancelled() }} steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -281,7 +281,7 @@ jobs: timeout-minutes: 7 steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -327,7 +327,7 @@ jobs: - name: Harden Runner # Harden Runner is only supported on Ubuntu runners. if: runner.os == 'Linux' - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -418,7 +418,7 @@ jobs: - windows-2022 steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -594,7 +594,7 @@ jobs: timeout-minutes: 25 steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -643,7 +643,7 @@ jobs: timeout-minutes: 25 steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -692,7 +692,7 @@ jobs: timeout-minutes: 25 steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -751,7 +751,7 @@ jobs: timeout-minutes: 20 steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -777,7 +777,7 @@ jobs: timeout-minutes: 20 steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -809,7 +809,7 @@ jobs: name: ${{ matrix.variant.name }} steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -882,7 +882,7 @@ jobs: if: needs.changes.outputs.site == 'true' || needs.changes.outputs.ci == 'true' steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -902,7 +902,7 @@ jobs: # the check to pass. This is desired in PRs, but not in mainline. - name: Publish to Chromatic (non-mainline) if: github.ref != 'refs/heads/main' && github.repository_owner == 'coder' - uses: chromaui/action@8536229ee904071f8edce292596f6dbe0da96b9b # v12.1.1 + uses: chromaui/action@c50adf8eaa8c2878af3263499a73077854de39d4 # v12.2.0 env: NODE_OPTIONS: "--max_old_space_size=4096" STORYBOOK: true @@ -934,7 +934,7 @@ jobs: # infinitely "in progress" in mainline unless we re-review each build. - name: Publish to Chromatic (mainline) if: github.ref == 'refs/heads/main' && github.repository_owner == 'coder' - uses: chromaui/action@8536229ee904071f8edce292596f6dbe0da96b9b # v12.1.1 + uses: chromaui/action@c50adf8eaa8c2878af3263499a73077854de39d4 # v12.2.0 env: NODE_OPTIONS: "--max_old_space_size=4096" STORYBOOK: true @@ -962,7 +962,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -1031,7 +1031,7 @@ jobs: if: always() steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -1161,7 +1161,7 @@ jobs: IMAGE: ghcr.io/coder/coder-preview:${{ steps.build-docker.outputs.tag }} steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -1345,7 +1345,7 @@ jobs: id: attest_main if: github.ref == 'refs/heads/main' continue-on-error: true - uses: actions/attest@afd638254319277bb3d7f0a234478733e2e46a73 # v2.3.0 + uses: actions/attest@ce27ba3b4a9a139d9a20a4a07d69fabb52f1e5bc # v2.4.0 with: subject-name: "ghcr.io/coder/coder-preview:main" predicate-type: "https://slsa.dev/provenance/v1" @@ -1382,7 +1382,7 @@ jobs: id: attest_latest if: github.ref == 'refs/heads/main' continue-on-error: true - uses: actions/attest@afd638254319277bb3d7f0a234478733e2e46a73 # v2.3.0 + uses: actions/attest@ce27ba3b4a9a139d9a20a4a07d69fabb52f1e5bc # v2.4.0 with: subject-name: "ghcr.io/coder/coder-preview:latest" predicate-type: "https://slsa.dev/provenance/v1" @@ -1419,7 +1419,7 @@ jobs: id: attest_version if: github.ref == 'refs/heads/main' continue-on-error: true - uses: actions/attest@afd638254319277bb3d7f0a234478733e2e46a73 # v2.3.0 + uses: actions/attest@ce27ba3b4a9a139d9a20a4a07d69fabb52f1e5bc # v2.4.0 with: subject-name: "ghcr.io/coder/coder-preview:${{ steps.build-docker.outputs.tag }}" predicate-type: "https://slsa.dev/provenance/v1" @@ -1507,7 +1507,7 @@ jobs: id-token: write steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -1526,7 +1526,7 @@ jobs: uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4 - name: Set up Flux CLI - uses: fluxcd/flux2/action@b73c7f7191086ca7629840e680e71873349787f8 # v2.6.1 + uses: fluxcd/flux2/action@a48f81a66c4ca9fbd993233ab99dd03a7cfbe09a # v2.6.2 with: # Keep this and the github action up to date with the version of flux installed in dogfood cluster version: "2.5.1" @@ -1571,7 +1571,7 @@ jobs: if: github.ref == 'refs/heads/main' && !github.event.pull_request.head.repo.fork steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -1606,7 +1606,7 @@ jobs: if: needs.changes.outputs.db == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main' steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit diff --git a/.github/workflows/docker-base.yaml b/.github/workflows/docker-base.yaml index b9334a8658f4b..01e24c62d9bf7 100644 --- a/.github/workflows/docker-base.yaml +++ b/.github/workflows/docker-base.yaml @@ -38,7 +38,7 @@ jobs: if: github.repository_owner == 'coder' steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit diff --git a/.github/workflows/docs-ci.yaml b/.github/workflows/docs-ci.yaml index d5f380590941d..3994f8e69d24c 100644 --- a/.github/workflows/docs-ci.yaml +++ b/.github/workflows/docs-ci.yaml @@ -28,7 +28,7 @@ jobs: - name: Setup Node uses: ./.github/actions/setup-node - - uses: tj-actions/changed-files@115870536a85eaf050e369291c7895748ff12aea # v45.0.7 + - uses: tj-actions/changed-files@d52d20fa3f981cb852b861fd8f55308b5fe29637 # v45.0.7 id: changed-files with: files: | diff --git a/.github/workflows/dogfood.yaml b/.github/workflows/dogfood.yaml index 13a27cf2b6251..df73479994516 100644 --- a/.github/workflows/dogfood.yaml +++ b/.github/workflows/dogfood.yaml @@ -27,7 +27,7 @@ jobs: runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-4' || 'ubuntu-latest' }} steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -114,7 +114,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit diff --git a/.github/workflows/pr-auto-assign.yaml b/.github/workflows/pr-auto-assign.yaml index d0d5ed88160dc..28935d74507e5 100644 --- a/.github/workflows/pr-auto-assign.yaml +++ b/.github/workflows/pr-auto-assign.yaml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit diff --git a/.github/workflows/pr-cleanup.yaml b/.github/workflows/pr-cleanup.yaml index f931f3179f946..184486a711fbb 100644 --- a/.github/workflows/pr-cleanup.yaml +++ b/.github/workflows/pr-cleanup.yaml @@ -19,7 +19,7 @@ jobs: packages: write steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit diff --git a/.github/workflows/pr-deploy.yaml b/.github/workflows/pr-deploy.yaml index 6429f635b87e2..fe64c47aebc6e 100644 --- a/.github/workflows/pr-deploy.yaml +++ b/.github/workflows/pr-deploy.yaml @@ -39,7 +39,7 @@ jobs: PR_OPEN: ${{ steps.check_pr.outputs.pr_open }} steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -74,7 +74,7 @@ jobs: runs-on: "ubuntu-latest" steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -174,7 +174,7 @@ jobs: pull-requests: write # needed for commenting on PRs steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -218,7 +218,7 @@ jobs: CODER_IMAGE_TAG: ${{ needs.get_info.outputs.CODER_IMAGE_TAG }} steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -276,7 +276,7 @@ jobs: PR_HOSTNAME: "pr${{ needs.get_info.outputs.PR_NUMBER }}.${{ secrets.PR_DEPLOYMENTS_DOMAIN }}" steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit diff --git a/.github/workflows/release-validation.yaml b/.github/workflows/release-validation.yaml index ccfa555404f9c..1e4e928f32f73 100644 --- a/.github/workflows/release-validation.yaml +++ b/.github/workflows/release-validation.yaml @@ -14,7 +14,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 881cc4c437db6..032961dd2e5c5 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -134,7 +134,7 @@ jobs: version: ${{ steps.version.outputs.version }} steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -419,7 +419,7 @@ jobs: id: attest_base if: ${{ !inputs.dry_run && steps.image-base-tag.outputs.tag != '' }} continue-on-error: true - uses: actions/attest@afd638254319277bb3d7f0a234478733e2e46a73 # v2.3.0 + uses: actions/attest@ce27ba3b4a9a139d9a20a4a07d69fabb52f1e5bc # v2.4.0 with: subject-name: ${{ steps.image-base-tag.outputs.tag }} predicate-type: "https://slsa.dev/provenance/v1" @@ -533,7 +533,7 @@ jobs: id: attest_main if: ${{ !inputs.dry_run }} continue-on-error: true - uses: actions/attest@afd638254319277bb3d7f0a234478733e2e46a73 # v2.3.0 + uses: actions/attest@ce27ba3b4a9a139d9a20a4a07d69fabb52f1e5bc # v2.4.0 with: subject-name: ${{ steps.build_docker.outputs.multiarch_image }} predicate-type: "https://slsa.dev/provenance/v1" @@ -577,7 +577,7 @@ jobs: id: attest_latest if: ${{ !inputs.dry_run && steps.build_docker.outputs.created_latest_tag == 'true' }} continue-on-error: true - uses: actions/attest@afd638254319277bb3d7f0a234478733e2e46a73 # v2.3.0 + uses: actions/attest@ce27ba3b4a9a139d9a20a4a07d69fabb52f1e5bc # v2.4.0 with: subject-name: ${{ steps.latest_tag.outputs.tag }} predicate-type: "https://slsa.dev/provenance/v1" @@ -737,7 +737,7 @@ jobs: # TODO: skip this if it's not a new release (i.e. a backport). This is # fine right now because it just makes a PR that we can close. - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -813,7 +813,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -903,7 +903,7 @@ jobs: if: ${{ !inputs.dry_run }} steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 0272db8573ff5..d773ad74e5adc 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -20,7 +20,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -47,6 +47,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19 + uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0 with: sarif_file: results.sarif diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index 7aea12a1fd51c..be4811e05e813 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -27,7 +27,7 @@ jobs: runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }} steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -38,7 +38,7 @@ jobs: uses: ./.github/actions/setup-go - name: Initialize CodeQL - uses: github/codeql-action/init@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19 + uses: github/codeql-action/init@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0 with: languages: go, javascript @@ -48,7 +48,7 @@ jobs: rm Makefile - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19 + uses: github/codeql-action/analyze@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0 - name: Send Slack notification on failure if: ${{ failure() }} @@ -67,7 +67,7 @@ jobs: runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }} steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -150,7 +150,7 @@ jobs: severity: "CRITICAL,HIGH" - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19 + uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0 with: sarif_file: trivy-results.sarif category: "Trivy" diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml index e186f11400534..2563367d840e2 100644 --- a/.github/workflows/stale.yaml +++ b/.github/workflows/stale.yaml @@ -18,7 +18,7 @@ jobs: pull-requests: write steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -96,7 +96,7 @@ jobs: contents: write steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -118,7 +118,7 @@ jobs: actions: write steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit diff --git a/.github/workflows/weekly-docs.yaml b/.github/workflows/weekly-docs.yaml index 6ee8f9e6b2a15..c4b2a33361657 100644 --- a/.github/workflows/weekly-docs.yaml +++ b/.github/workflows/weekly-docs.yaml @@ -21,7 +21,7 @@ jobs: pull-requests: write # required to post PR review comments by the action steps: - name: Harden Runner - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1 with: egress-policy: audit @@ -29,7 +29,7 @@ jobs: uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Check Markdown links - uses: umbrelladocs/action-linkspector@a0567ce1c7c13de4a2358587492ed43cab5d0102 # v1.3.4 + uses: umbrelladocs/action-linkspector@e2ccef58c4b9eb89cd71ee23a8629744bba75aa6 # v1.3.5 id: markdown-link-check # checks all markdown files from /docs including all subfolders with: diff --git a/coderd/authorize.go b/coderd/authorize.go index 802cb5ea15e9b..575bb5e98baf6 100644 --- a/coderd/authorize.go +++ b/coderd/authorize.go @@ -19,7 +19,7 @@ import ( // objects that the user is authorized to perform the given action on. // This is faster than calling Authorize() on each object. func AuthorizeFilter[O rbac.Objecter](h *HTTPAuthorizer, r *http.Request, action policy.Action, objects []O) ([]O, error) { - roles := httpmw.UserAuthorization(r) + roles := httpmw.UserAuthorization(r.Context()) objects, err := rbac.Filter(r.Context(), h.Authorizer, roles, action, objects) if err != nil { // Log the error as Filter should not be erroring. @@ -65,7 +65,7 @@ func (api *API) Authorize(r *http.Request, action policy.Action, object rbac.Obj // return // } func (h *HTTPAuthorizer) Authorize(r *http.Request, action policy.Action, object rbac.Objecter) bool { - roles := httpmw.UserAuthorization(r) + roles := httpmw.UserAuthorization(r.Context()) err := h.Authorizer.Authorize(r.Context(), roles, action, object.RBACObject()) if err != nil { // Log the errors for debugging @@ -97,7 +97,7 @@ func (h *HTTPAuthorizer) Authorize(r *http.Request, action policy.Action, object // call 'Authorize()' on the returned objects. // Note the authorization is only for the given action and object type. func (h *HTTPAuthorizer) AuthorizeSQLFilter(r *http.Request, action policy.Action, objectType string) (rbac.PreparedAuthorized, error) { - roles := httpmw.UserAuthorization(r) + roles := httpmw.UserAuthorization(r.Context()) prepared, err := h.Authorizer.Prepare(r.Context(), roles, action, objectType) if err != nil { return nil, xerrors.Errorf("prepare filter: %w", err) @@ -120,7 +120,7 @@ func (h *HTTPAuthorizer) AuthorizeSQLFilter(r *http.Request, action policy.Actio // @Router /authcheck [post] func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) { ctx := r.Context() - auth := httpmw.UserAuthorization(r) + auth := httpmw.UserAuthorization(r.Context()) var params codersdk.AuthorizationRequest if !httpapi.Read(ctx, rw, r, ¶ms) { diff --git a/coderd/coderd.go b/coderd/coderd.go index 8cc5435542189..24b34ea4db91a 100644 --- a/coderd/coderd.go +++ b/coderd/coderd.go @@ -572,7 +572,7 @@ func New(options *Options) *API { TemplateScheduleStore: options.TemplateScheduleStore, UserQuietHoursScheduleStore: options.UserQuietHoursScheduleStore, AccessControlStore: options.AccessControlStore, - FileCache: files.NewFromStore(options.Database, options.PrometheusRegistry), + FileCache: files.NewFromStore(options.Database, options.PrometheusRegistry, options.Authorizer), Experiments: experiments, WebpushDispatcher: options.WebPushDispatcher, healthCheckGroup: &singleflight.Group[string, *healthsdk.HealthcheckReport]{}, diff --git a/coderd/coderdtest/authorize.go b/coderd/coderdtest/authorize.go index 279405c4e6a21..67551d0e3d2dd 100644 --- a/coderd/coderdtest/authorize.go +++ b/coderd/coderdtest/authorize.go @@ -234,6 +234,10 @@ func (r *RecordingAuthorizer) AssertOutOfOrder(t *testing.T, actor rbac.Subject, // AssertActor asserts in order. If the order of authz calls does not match, // this will fail. func (r *RecordingAuthorizer) AssertActor(t *testing.T, actor rbac.Subject, did ...ActionObjectPair) { + r.AssertActorID(t, actor.ID, did...) +} + +func (r *RecordingAuthorizer) AssertActorID(t *testing.T, id string, did ...ActionObjectPair) { r.Lock() defer r.Unlock() ptr := 0 @@ -242,7 +246,7 @@ func (r *RecordingAuthorizer) AssertActor(t *testing.T, actor rbac.Subject, did // Finished all assertions return } - if call.Actor.ID == actor.ID { + if call.Actor.ID == id { action, object := did[ptr].Action, did[ptr].Object assert.Equalf(t, action, call.Action, "assert action %d", ptr) assert.Equalf(t, object, call.Object, "assert object %d", ptr) diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go index ee11b7ea95edf..52a54df80532a 100644 --- a/coderd/database/dbauthz/dbauthz.go +++ b/coderd/database/dbauthz/dbauthz.go @@ -432,6 +432,25 @@ var ( }), Scope: rbac.ScopeAll, }.WithCachedASTValue() + + subjectFileReader = rbac.Subject{ + Type: rbac.SubjectTypeFileReader, + FriendlyName: "Can Read All Files", + // Arbitrary uuid to have a unique ID for this subject. + ID: rbac.SubjectTypeFileReaderID, + Roles: rbac.Roles([]rbac.Role{ + { + Identifier: rbac.RoleIdentifier{Name: "file-reader"}, + DisplayName: "FileReader", + Site: rbac.Permissions(map[string][]policy.Action{ + rbac.ResourceFile.Type: {policy.ActionRead}, + }), + Org: map[string][]rbac.Permission{}, + User: []rbac.Permission{}, + }, + }), + Scope: rbac.ScopeAll, + }.WithCachedASTValue() ) // AsProvisionerd returns a context with an actor that has permissions required @@ -498,6 +517,10 @@ func AsPrebuildsOrchestrator(ctx context.Context) context.Context { return As(ctx, subjectPrebuildsOrchestrator) } +func AsFileReader(ctx context.Context) context.Context { + return As(ctx, subjectFileReader) +} + var AsRemoveActor = rbac.Subject{ ID: "remove-actor", } diff --git a/coderd/database/dbgen/dbgen.go b/coderd/database/dbgen/dbgen.go index c85db83a2adc9..aabce08b717d7 100644 --- a/coderd/database/dbgen/dbgen.go +++ b/coderd/database/dbgen/dbgen.go @@ -369,6 +369,7 @@ func WorkspaceBuild(t testing.TB, db database.Store, orig database.WorkspaceBuil UUID: uuid.UUID{}, Valid: false, }), + HasAITask: orig.HasAITask, }) if err != nil { return err @@ -943,6 +944,7 @@ func TemplateVersion(t testing.TB, db database.Store, orig database.TemplateVers JobID: takeFirst(orig.JobID, uuid.New()), CreatedBy: takeFirst(orig.CreatedBy, uuid.New()), SourceExampleID: takeFirst(orig.SourceExampleID, sql.NullString{}), + HasAITask: orig.HasAITask, }) if err != nil { return err diff --git a/coderd/database/dbmem/dbmem.go b/coderd/database/dbmem/dbmem.go index eba4b945f06e1..ab2dd923dab47 100644 --- a/coderd/database/dbmem/dbmem.go +++ b/coderd/database/dbmem/dbmem.go @@ -9382,6 +9382,7 @@ func (q *FakeQuerier) InsertTemplateVersion(_ context.Context, arg database.Inse JobID: arg.JobID, CreatedBy: arg.CreatedBy, SourceExampleID: arg.SourceExampleID, + HasAITask: arg.HasAITask, } q.templateVersions = append(q.templateVersions, version) return nil @@ -10061,6 +10062,7 @@ func (q *FakeQuerier) InsertWorkspaceBuild(_ context.Context, arg database.Inser MaxDeadline: arg.MaxDeadline, Reason: arg.Reason, TemplateVersionPresetID: arg.TemplateVersionPresetID, + HasAITask: arg.HasAITask, } q.workspaceBuilds = append(q.workspaceBuilds, workspaceBuild) return nil diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go index 92c912a55705a..9a814a5b6dff8 100644 --- a/coderd/database/queries.sql.go +++ b/coderd/database/queries.sql.go @@ -11809,10 +11809,11 @@ INSERT INTO readme, job_id, created_by, - source_example_id + source_example_id, + has_ai_task ) VALUES - ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11) + ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12) ` type InsertTemplateVersionParams struct { @@ -11827,6 +11828,7 @@ type InsertTemplateVersionParams struct { JobID uuid.UUID `db:"job_id" json:"job_id"` CreatedBy uuid.UUID `db:"created_by" json:"created_by"` SourceExampleID sql.NullString `db:"source_example_id" json:"source_example_id"` + HasAITask bool `db:"has_ai_task" json:"has_ai_task"` } func (q *sqlQuerier) InsertTemplateVersion(ctx context.Context, arg InsertTemplateVersionParams) error { @@ -11842,6 +11844,7 @@ func (q *sqlQuerier) InsertTemplateVersion(ctx context.Context, arg InsertTempla arg.JobID, arg.CreatedBy, arg.SourceExampleID, + arg.HasAITask, ) return err } @@ -17521,10 +17524,11 @@ INSERT INTO deadline, max_deadline, reason, - template_version_preset_id + template_version_preset_id, + has_ai_task ) VALUES - ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14) + ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15) ` type InsertWorkspaceBuildParams struct { @@ -17542,6 +17546,7 @@ type InsertWorkspaceBuildParams struct { MaxDeadline time.Time `db:"max_deadline" json:"max_deadline"` Reason BuildReason `db:"reason" json:"reason"` TemplateVersionPresetID uuid.NullUUID `db:"template_version_preset_id" json:"template_version_preset_id"` + HasAITask bool `db:"has_ai_task" json:"has_ai_task"` } func (q *sqlQuerier) InsertWorkspaceBuild(ctx context.Context, arg InsertWorkspaceBuildParams) error { @@ -17560,6 +17565,7 @@ func (q *sqlQuerier) InsertWorkspaceBuild(ctx context.Context, arg InsertWorkspa arg.MaxDeadline, arg.Reason, arg.TemplateVersionPresetID, + arg.HasAITask, ) return err } diff --git a/coderd/database/queries/templateversions.sql b/coderd/database/queries/templateversions.sql index 0436a7f9ba3b9..6798d4db5ff6f 100644 --- a/coderd/database/queries/templateversions.sql +++ b/coderd/database/queries/templateversions.sql @@ -88,10 +88,11 @@ INSERT INTO readme, job_id, created_by, - source_example_id + source_example_id, + has_ai_task ) VALUES - ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11); + ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12); -- name: UpdateTemplateVersionByID :exec UPDATE diff --git a/coderd/database/queries/workspacebuilds.sql b/coderd/database/queries/workspacebuilds.sql index 34ef639a1694b..b380e5423c21c 100644 --- a/coderd/database/queries/workspacebuilds.sql +++ b/coderd/database/queries/workspacebuilds.sql @@ -121,10 +121,11 @@ INSERT INTO deadline, max_deadline, reason, - template_version_preset_id + template_version_preset_id, + has_ai_task ) VALUES - ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14); + ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15); -- name: UpdateWorkspaceBuildCostByID :exec UPDATE diff --git a/coderd/files/cache.go b/coderd/files/cache.go index 92b8ea33ed52f..484507d2ac5b0 100644 --- a/coderd/files/cache.go +++ b/coderd/files/cache.go @@ -13,33 +13,41 @@ import ( archivefs "github.com/coder/coder/v2/archive/fs" "github.com/coder/coder/v2/coderd/database" + "github.com/coder/coder/v2/coderd/database/dbauthz" + "github.com/coder/coder/v2/coderd/rbac" + "github.com/coder/coder/v2/coderd/rbac/policy" "github.com/coder/coder/v2/coderd/util/lazy" ) // NewFromStore returns a file cache that will fetch files from the provided // database. -func NewFromStore(store database.Store, registerer prometheus.Registerer) *Cache { - fetch := func(ctx context.Context, fileID uuid.UUID) (cacheEntryValue, error) { - file, err := store.GetFileByID(ctx, fileID) +func NewFromStore(store database.Store, registerer prometheus.Registerer, authz rbac.Authorizer) *Cache { + fetch := func(ctx context.Context, fileID uuid.UUID) (CacheEntryValue, error) { + // Make sure the read does not fail due to authorization issues. + // Authz is checked on the Acquire call, so this is safe. + //nolint:gocritic + file, err := store.GetFileByID(dbauthz.AsFileReader(ctx), fileID) if err != nil { - return cacheEntryValue{}, xerrors.Errorf("failed to read file from database: %w", err) + return CacheEntryValue{}, xerrors.Errorf("failed to read file from database: %w", err) } content := bytes.NewBuffer(file.Data) - return cacheEntryValue{ - FS: archivefs.FromTarReader(content), - size: int64(content.Len()), + return CacheEntryValue{ + Object: file.RBACObject(), + FS: archivefs.FromTarReader(content), + Size: int64(content.Len()), }, nil } - return New(fetch, registerer) + return New(fetch, registerer, authz) } -func New(fetch fetcher, registerer prometheus.Registerer) *Cache { +func New(fetch fetcher, registerer prometheus.Registerer, authz rbac.Authorizer) *Cache { return (&Cache{ lock: sync.Mutex{}, data: make(map[uuid.UUID]*cacheEntry), fetcher: fetch, + authz: authz, }).registerMetrics(registerer) } @@ -101,6 +109,7 @@ type Cache struct { lock sync.Mutex data map[uuid.UUID]*cacheEntry fetcher + authz rbac.Authorizer // metrics cacheMetrics @@ -117,18 +126,19 @@ type cacheMetrics struct { totalCacheSize prometheus.Counter } -type cacheEntryValue struct { +type CacheEntryValue struct { fs.FS - size int64 + Object rbac.Object + Size int64 } type cacheEntry struct { // refCount must only be accessed while the Cache lock is held. refCount int - value *lazy.ValueWithError[cacheEntryValue] + value *lazy.ValueWithError[CacheEntryValue] } -type fetcher func(context.Context, uuid.UUID) (cacheEntryValue, error) +type fetcher func(context.Context, uuid.UUID) (CacheEntryValue, error) // Acquire will load the fs.FS for the given file. It guarantees that parallel // calls for the same fileID will only result in one fetch, and that parallel @@ -146,22 +156,33 @@ func (c *Cache) Acquire(ctx context.Context, fileID uuid.UUID) (fs.FS, error) { c.Release(fileID) return nil, err } + + subject, ok := dbauthz.ActorFromContext(ctx) + if !ok { + return nil, dbauthz.ErrNoActor + } + // Always check the caller can actually read the file. + if err := c.authz.Authorize(ctx, subject, policy.ActionRead, it.Object); err != nil { + c.Release(fileID) + return nil, err + } + return it.FS, err } -func (c *Cache) prepare(ctx context.Context, fileID uuid.UUID) *lazy.ValueWithError[cacheEntryValue] { +func (c *Cache) prepare(ctx context.Context, fileID uuid.UUID) *lazy.ValueWithError[CacheEntryValue] { c.lock.Lock() defer c.lock.Unlock() entry, ok := c.data[fileID] if !ok { - value := lazy.NewWithError(func() (cacheEntryValue, error) { + value := lazy.NewWithError(func() (CacheEntryValue, error) { val, err := c.fetcher(ctx, fileID) // Always add to the cache size the bytes of the file loaded. if err == nil { - c.currentCacheSize.Add(float64(val.size)) - c.totalCacheSize.Add(float64(val.size)) + c.currentCacheSize.Add(float64(val.Size)) + c.totalCacheSize.Add(float64(val.Size)) } return val, err @@ -206,7 +227,7 @@ func (c *Cache) Release(fileID uuid.UUID) { ev, err := entry.value.Load() if err == nil { - c.currentCacheSize.Add(-1 * float64(ev.size)) + c.currentCacheSize.Add(-1 * float64(ev.Size)) } delete(c.data, fileID) diff --git a/coderd/files/cache_internal_test.go b/coderd/files/cache_test.go similarity index 58% rename from coderd/files/cache_internal_test.go rename to coderd/files/cache_test.go index 6ad84185b44b6..469520b4139fe 100644 --- a/coderd/files/cache_internal_test.go +++ b/coderd/files/cache_test.go @@ -1,4 +1,4 @@ -package files +package files_test import ( "context" @@ -12,28 +12,114 @@ import ( "github.com/stretchr/testify/require" "golang.org/x/sync/errgroup" + "cdr.dev/slog/sloggers/slogtest" + "github.com/coder/coder/v2/coderd/coderdtest" "github.com/coder/coder/v2/coderd/coderdtest/promhelp" + "github.com/coder/coder/v2/coderd/database" + "github.com/coder/coder/v2/coderd/database/dbauthz" + "github.com/coder/coder/v2/coderd/database/dbgen" + "github.com/coder/coder/v2/coderd/database/dbtestutil" + "github.com/coder/coder/v2/coderd/files" + "github.com/coder/coder/v2/coderd/rbac" + "github.com/coder/coder/v2/coderd/rbac/policy" "github.com/coder/coder/v2/testutil" ) +// nolint:paralleltest,tparallel // Serially testing is easier +func TestCacheRBAC(t *testing.T) { + t.Parallel() + + db, cache, rec := cacheAuthzSetup(t) + ctx := testutil.Context(t, testutil.WaitMedium) + + file := dbgen.File(t, db, database.File{}) + + nobodyID := uuid.New() + nobody := dbauthz.As(ctx, rbac.Subject{ + ID: nobodyID.String(), + Roles: rbac.Roles{}, + Scope: rbac.ScopeAll, + }) + + userID := uuid.New() + userReader := dbauthz.As(ctx, rbac.Subject{ + ID: userID.String(), + Roles: rbac.Roles{ + must(rbac.RoleByName(rbac.RoleTemplateAdmin())), + }, + Scope: rbac.ScopeAll, + }) + + //nolint:gocritic // Unit testing + cacheReader := dbauthz.AsFileReader(ctx) + + t.Run("NoRolesOpen", func(t *testing.T) { + // Ensure start is clean + require.Equal(t, 0, cache.Count()) + rec.Reset() + + _, err := cache.Acquire(nobody, file.ID) + require.Error(t, err) + require.True(t, rbac.IsUnauthorizedError(err)) + + // Ensure that the cache is empty + require.Equal(t, 0, cache.Count()) + + // Check the assertions + rec.AssertActorID(t, nobodyID.String(), rec.Pair(policy.ActionRead, file)) + rec.AssertActorID(t, rbac.SubjectTypeFileReaderID, rec.Pair(policy.ActionRead, file)) + }) + + t.Run("CacheHasFile", func(t *testing.T) { + rec.Reset() + require.Equal(t, 0, cache.Count()) + + // Read the file with a file reader to put it into the cache. + _, err := cache.Acquire(cacheReader, file.ID) + require.NoError(t, err) + require.Equal(t, 1, cache.Count()) + + // "nobody" should not be able to read the file. + _, err = cache.Acquire(nobody, file.ID) + require.Error(t, err) + require.True(t, rbac.IsUnauthorizedError(err)) + require.Equal(t, 1, cache.Count()) + + // UserReader can + _, err = cache.Acquire(userReader, file.ID) + require.NoError(t, err) + require.Equal(t, 1, cache.Count()) + + cache.Release(file.ID) + cache.Release(file.ID) + require.Equal(t, 0, cache.Count()) + + rec.AssertActorID(t, nobodyID.String(), rec.Pair(policy.ActionRead, file)) + rec.AssertActorID(t, rbac.SubjectTypeFileReaderID, rec.Pair(policy.ActionRead, file)) + rec.AssertActorID(t, userID.String(), rec.Pair(policy.ActionRead, file)) + }) +} + func cachePromMetricName(metric string) string { return "coderd_file_cache_" + metric } func TestConcurrency(t *testing.T) { t.Parallel() + //nolint:gocritic // Unit testing + ctx := dbauthz.AsFileReader(t.Context()) const fileSize = 10 emptyFS := afero.NewIOFS(afero.NewReadOnlyFs(afero.NewMemMapFs())) var fetches atomic.Int64 reg := prometheus.NewRegistry() - c := New(func(_ context.Context, _ uuid.UUID) (cacheEntryValue, error) { + c := files.New(func(_ context.Context, _ uuid.UUID) (files.CacheEntryValue, error) { fetches.Add(1) // Wait long enough before returning to make sure that all of the goroutines // will be waiting in line, ensuring that no one duplicated a fetch. time.Sleep(testutil.IntervalMedium) - return cacheEntryValue{FS: emptyFS, size: fileSize}, nil - }, reg) + return files.CacheEntryValue{FS: emptyFS, Size: fileSize}, nil + }, reg, &coderdtest.FakeAuthorizer{}) batches := 1000 groups := make([]*errgroup.Group, 0, batches) @@ -51,7 +137,7 @@ func TestConcurrency(t *testing.T) { g.Go(func() error { // We don't bother to Release these references because the Cache will be // released at the end of the test anyway. - _, err := c.Acquire(t.Context(), id) + _, err := c.Acquire(ctx, id) return err }) } @@ -74,16 +160,18 @@ func TestConcurrency(t *testing.T) { func TestRelease(t *testing.T) { t.Parallel() + //nolint:gocritic // Unit testing + ctx := dbauthz.AsFileReader(t.Context()) const fileSize = 10 emptyFS := afero.NewIOFS(afero.NewReadOnlyFs(afero.NewMemMapFs())) reg := prometheus.NewRegistry() - c := New(func(_ context.Context, _ uuid.UUID) (cacheEntryValue, error) { - return cacheEntryValue{ + c := files.New(func(_ context.Context, _ uuid.UUID) (files.CacheEntryValue, error) { + return files.CacheEntryValue{ FS: emptyFS, - size: fileSize, + Size: fileSize, }, nil - }, reg) + }, reg, &coderdtest.FakeAuthorizer{}) batches := 100 ids := make([]uuid.UUID, 0, batches) @@ -95,7 +183,7 @@ func TestRelease(t *testing.T) { batchSize := 10 for openedIdx, id := range ids { for batchIdx := range batchSize { - it, err := c.Acquire(t.Context(), id) + it, err := c.Acquire(ctx, id) require.NoError(t, err) require.Equal(t, emptyFS, it) @@ -112,7 +200,7 @@ func TestRelease(t *testing.T) { } // Make sure cache is fully loaded - require.Equal(t, len(c.data), batches) + require.Equal(t, c.Count(), batches) // Now release all of the references for closedIdx, id := range ids { @@ -136,7 +224,7 @@ func TestRelease(t *testing.T) { } // ...and make sure that the cache has emptied itself. - require.Equal(t, len(c.data), 0) + require.Equal(t, c.Count(), 0) // Verify all the counts & metrics are correct. // All existing files are closed @@ -150,3 +238,29 @@ func TestRelease(t *testing.T) { require.Equal(t, batches, promhelp.CounterValue(t, reg, cachePromMetricName("open_files_total"), nil)) require.Equal(t, batches*batchSize, promhelp.CounterValue(t, reg, cachePromMetricName("open_file_refs_total"), nil)) } + +func cacheAuthzSetup(t *testing.T) (database.Store, *files.Cache, *coderdtest.RecordingAuthorizer) { + t.Helper() + + logger := slogtest.Make(t, &slogtest.Options{}) + reg := prometheus.NewRegistry() + + db, _ := dbtestutil.NewDB(t) + authz := rbac.NewAuthorizer(reg) + rec := &coderdtest.RecordingAuthorizer{ + Called: nil, + Wrapped: authz, + } + + // Dbauthz wrap the db + db = dbauthz.New(db, rec, logger, coderdtest.AccessControlStorePointer()) + c := files.NewFromStore(db, reg, rec) + return db, c, rec +} + +func must[T any](t T, err error) T { + if err != nil { + panic(err) + } + return t +} diff --git a/coderd/httpmw/apikey.go b/coderd/httpmw/apikey.go index 4b92848b773e2..a70dc30ec903b 100644 --- a/coderd/httpmw/apikey.go +++ b/coderd/httpmw/apikey.go @@ -47,14 +47,14 @@ func APIKey(r *http.Request) database.APIKey { // UserAuthorizationOptional may return the roles and scope used for // authorization. Depends on the ExtractAPIKey handler. -func UserAuthorizationOptional(r *http.Request) (rbac.Subject, bool) { - return dbauthz.ActorFromContext(r.Context()) +func UserAuthorizationOptional(ctx context.Context) (rbac.Subject, bool) { + return dbauthz.ActorFromContext(ctx) } // UserAuthorization returns the roles and scope used for authorization. Depends // on the ExtractAPIKey handler. -func UserAuthorization(r *http.Request) rbac.Subject { - auth, ok := UserAuthorizationOptional(r) +func UserAuthorization(ctx context.Context) rbac.Subject { + auth, ok := UserAuthorizationOptional(ctx) if !ok { panic("developer error: ExtractAPIKey middleware not provided") } diff --git a/coderd/httpmw/apikey_test.go b/coderd/httpmw/apikey_test.go index 06ee93422bbf9..85f36959476b3 100644 --- a/coderd/httpmw/apikey_test.go +++ b/coderd/httpmw/apikey_test.go @@ -58,7 +58,7 @@ func TestAPIKey(t *testing.T) { assert.NoError(t, err, "actor rego ok") } - auth, ok := httpmw.UserAuthorizationOptional(r) + auth, ok := httpmw.UserAuthorizationOptional(r.Context()) assert.True(t, ok, "httpmw auth ok") if ok { _, err := auth.Roles.Expand() @@ -904,7 +904,7 @@ func TestAPIKey(t *testing.T) { })(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) { assertActorOk(t, r) - auth := httpmw.UserAuthorization(r) + auth := httpmw.UserAuthorization(r.Context()) roles, err := auth.Roles.Expand() assert.NoError(t, err, "expand user roles") @@ -968,7 +968,7 @@ func TestAPIKey(t *testing.T) { RedirectToLogin: false, })(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) { assertActorOk(t, r) - auth := httpmw.UserAuthorization(r) + auth := httpmw.UserAuthorization(r.Context()) roles, err := auth.Roles.Expand() assert.NoError(t, err, "expand user roles") diff --git a/coderd/httpmw/authorize_test.go b/coderd/httpmw/authorize_test.go index 5d04c5afacdb3..3ee9d92742252 100644 --- a/coderd/httpmw/authorize_test.go +++ b/coderd/httpmw/authorize_test.go @@ -125,7 +125,7 @@ func TestExtractUserRoles(t *testing.T) { }), ) rtr.Get("/", func(_ http.ResponseWriter, r *http.Request) { - roles := httpmw.UserAuthorization(r) + roles := httpmw.UserAuthorization(r.Context()) require.Equal(t, user.ID.String(), roles.ID) require.ElementsMatch(t, expRoles, roles.Roles.Names()) }) diff --git a/coderd/httpmw/ratelimit.go b/coderd/httpmw/ratelimit.go index 932373b5bacd9..ad1ecf3d6bbd9 100644 --- a/coderd/httpmw/ratelimit.go +++ b/coderd/httpmw/ratelimit.go @@ -43,7 +43,7 @@ func RateLimit(count int, window time.Duration) func(http.Handler) http.Handler // Allow Owner to bypass rate limiting for load tests // and automation. - auth := UserAuthorization(r) + auth := UserAuthorization(r.Context()) // We avoid using rbac.Authorizer since rego is CPU-intensive // and undermines the DoS-prevention goal of the rate limiter. diff --git a/coderd/identityprovider/middleware.go b/coderd/identityprovider/middleware.go index 1704ab2270f49..632e5a53c0319 100644 --- a/coderd/identityprovider/middleware.go +++ b/coderd/identityprovider/middleware.go @@ -36,7 +36,7 @@ func authorizeMW(accessURL *url.URL) func(next http.Handler) http.Handler { } app := httpmw.OAuth2ProviderApp(r) - ua := httpmw.UserAuthorization(r) + ua := httpmw.UserAuthorization(r.Context()) // url.Parse() allows empty URLs, which is fine because the origin is not // always set by browsers (or other tools like cURL). If the origin does diff --git a/coderd/parameters.go b/coderd/parameters.go index 48cccc27e6727..c88199956392d 100644 --- a/coderd/parameters.go +++ b/coderd/parameters.go @@ -133,7 +133,7 @@ func (api *API) handleDynamicParameters(listen bool, rw http.ResponseWriter, r * // nolint:gocritic // We need to fetch the templates files for the Terraform // evaluator, and the user likely does not have permission. - fileCtx := dbauthz.AsProvisionerd(ctx) + fileCtx := dbauthz.AsFileReader(ctx) fileID, err := api.Database.GetFileIDByTemplateVersionID(fileCtx, templateVersion.ID) if err != nil { httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{ diff --git a/coderd/rbac/authz.go b/coderd/rbac/authz.go index 9e3a0536279ae..a7f77d57ab253 100644 --- a/coderd/rbac/authz.go +++ b/coderd/rbac/authz.go @@ -74,6 +74,11 @@ const ( SubjectTypeSystemRestricted SubjectType = "system_restricted" SubjectTypeNotifier SubjectType = "notifier" SubjectTypeSubAgentAPI SubjectType = "sub_agent_api" + SubjectTypeFileReader SubjectType = "file_reader" +) + +const ( + SubjectTypeFileReaderID = "acbf0be6-6fed-47b6-8c43-962cb5cab994" ) // Subject is a struct that contains all the elements of a subject in an rbac diff --git a/coderd/roles.go b/coderd/roles.go index ed650f41fd6c9..3814cd36d29ad 100644 --- a/coderd/roles.go +++ b/coderd/roles.go @@ -26,7 +26,7 @@ import ( // @Router /users/roles [get] func (api *API) AssignableSiteRoles(rw http.ResponseWriter, r *http.Request) { ctx := r.Context() - actorRoles := httpmw.UserAuthorization(r) + actorRoles := httpmw.UserAuthorization(r.Context()) if !api.Authorize(r, policy.ActionRead, rbac.ResourceAssignRole) { httpapi.Forbidden(rw) return @@ -59,7 +59,7 @@ func (api *API) AssignableSiteRoles(rw http.ResponseWriter, r *http.Request) { func (api *API) assignableOrgRoles(rw http.ResponseWriter, r *http.Request) { ctx := r.Context() organization := httpmw.OrganizationParam(r) - actorRoles := httpmw.UserAuthorization(r) + actorRoles := httpmw.UserAuthorization(r.Context()) if !api.Authorize(r, policy.ActionRead, rbac.ResourceAssignOrgRole.InOrg(organization.ID)) { httpapi.ResourceNotFound(rw) diff --git a/coderd/templateversions.go b/coderd/templateversions.go index d79f86f1f6626..23ce3eaebb4f8 100644 --- a/coderd/templateversions.go +++ b/coderd/templateversions.go @@ -1730,6 +1730,9 @@ func (api *API) postTemplateVersionsByOrganization(rw http.ResponseWriter, r *ht String: req.ExampleID, Valid: req.ExampleID != "", }, + // appease the exhaustruct linter + // TODO: set this to whether the template version defines a `coder_ai_task` tf resource + HasAITask: false, }) if err != nil { if database.IsUniqueViolation(err, database.UniqueTemplateVersionsTemplateIDNameKey) { diff --git a/coderd/users.go b/coderd/users.go index ad1ba8a018743..e2f6fd79c7d75 100644 --- a/coderd/users.go +++ b/coderd/users.go @@ -525,7 +525,7 @@ func (api *API) deleteUser(rw http.ResponseWriter, r *http.Request) { ctx := r.Context() auditor := *api.Auditor.Load() user := httpmw.UserParam(r) - auth := httpmw.UserAuthorization(r) + auth := httpmw.UserAuthorization(r.Context()) aReq, commitAudit := audit.InitRequest[database.User](rw, &audit.RequestParams{ Audit: auditor, Log: api.Logger, diff --git a/coderd/wsbuilder/wsbuilder.go b/coderd/wsbuilder/wsbuilder.go index 201ef0c53a307..8a6d04272830b 100644 --- a/coderd/wsbuilder/wsbuilder.go +++ b/coderd/wsbuilder/wsbuilder.go @@ -425,6 +425,9 @@ func (b *Builder) buildTx(authFunc func(action policy.Action, object rbac.Object UUID: b.templateVersionPresetID, Valid: b.templateVersionPresetID != uuid.Nil, }, + // appease the exhaustruct linter + // TODO: set this to whether the build included a `coder_ai_task` tf resource + HasAITask: false, }) if err != nil { code := http.StatusInternalServerError diff --git a/docs/README.md b/docs/README.md index b5a07021d3670..4848a8a153621 100644 --- a/docs/README.md +++ b/docs/README.md @@ -49,7 +49,7 @@ Remote development offers several benefits for users and administrators, includi - **Increased security** - Centralize source code and other data onto private servers or cloud services instead of local developers' machines. - - Manage users and groups with [SSO](./admin/users/oidc-auth.md) and [Role-based access controlled (RBAC)](./admin/users/groups-roles.md#roles). + - Manage users and groups with [SSO](./admin/users/oidc-auth/index.md) and [Role-based access controlled (RBAC)](./admin/users/groups-roles.md#roles). - **Improved compatibility** diff --git a/docs/admin/external-auth.md b/docs/admin/external-auth/index.md similarity index 96% rename from docs/admin/external-auth.md rename to docs/admin/external-auth/index.md index 0540a5fa92eaa..5d3ade987ee41 100644 --- a/docs/admin/external-auth.md +++ b/docs/admin/external-auth/index.md @@ -65,7 +65,7 @@ Reference the documentation for your chosen provider for more information on how ### Workspace CLI -Use [`external-auth`](../reference/cli/external-auth.md) in the Coder CLI to access a token within the workspace: +Use [`external-auth`](../../reference/cli/external-auth.md) in the Coder CLI to access a token within the workspace: ```shell coder external-auth access-token @@ -255,7 +255,7 @@ Note that the redirect URI must include the value of `CODER_EXTERNAL_AUTH_0_ID` ### JFrog Artifactory -Visit the [JFrog Artifactory](../admin/integrations/jfrog-artifactory.md) guide for instructions on how to set up for JFrog Artifactory. +Visit the [JFrog Artifactory](../../admin/integrations/jfrog-artifactory.md) guide for instructions on how to set up for JFrog Artifactory. ## Self-managed Git providers @@ -293,13 +293,13 @@ CODER_EXTERNAL_AUTH_0_SCOPES="repo:read repo:write write:gpg_key" - Enable fine-grained access to specific repositories or a subset of permissions for security. - ![Register GitHub App](../images/admin/github-app-register.png) + ![Register GitHub App](../../images/admin/github-app-register.png) 1. Adjust the GitHub app permissions. You can use more or fewer permissions than are listed here, this example allows users to clone repositories: - ![Adjust GitHub App Permissions](../images/admin/github-app-permissions.png) + ![Adjust GitHub App Permissions](../../images/admin/github-app-permissions.png) | Name | Permission | Description | |---------------|--------------|--------------------------------------------------------| @@ -312,7 +312,7 @@ CODER_EXTERNAL_AUTH_0_SCOPES="repo:read repo:write write:gpg_key" 1. Install the App for your organization. You may select a subset of repositories to grant access to. - ![Install GitHub App](../images/admin/github-app-install.png) + ![Install GitHub App](../../images/admin/github-app-install.png) ## Multiple External Providers (Premium) diff --git a/docs/admin/infrastructure/architecture.md b/docs/admin/infrastructure/architecture.md index dbac881bddeb8..079d69699a243 100644 --- a/docs/admin/infrastructure/architecture.md +++ b/docs/admin/infrastructure/architecture.md @@ -108,10 +108,10 @@ Users will likely need to pull source code and other artifacts from a git provider. The Coder control plane and workspaces will need network connectivity to the git provider. -- [GitHub Enterprise](../external-auth.md#github-enterprise) -- [GitLab](../external-auth.md#gitlab-self-managed) -- [BitBucket](../external-auth.md#bitbucket-server) -- [Other Providers](../external-auth.md#self-managed-git-providers) +- [GitHub Enterprise](../external-auth/index.md#github-enterprise) +- [GitLab](../external-auth/index.md#gitlab-self-managed) +- [BitBucket](../external-auth/index.md#bitbucket-server) +- [Other Providers](../external-auth/index.md#self-managed-git-providers) ### Artifact Manager (Optional) diff --git a/docs/admin/integrations/jfrog-artifactory.md b/docs/admin/integrations/jfrog-artifactory.md index 13b188094096f..702bce2599266 100644 --- a/docs/admin/integrations/jfrog-artifactory.md +++ b/docs/admin/integrations/jfrog-artifactory.md @@ -26,7 +26,7 @@ two type of modules that automate the JFrog Artifactory and Coder integration. ### JFrog-OAuth This module is usable by JFrog self-hosted (on-premises) Artifactory as it -requires configuring a custom integration. This integration benefits from Coder's [external-auth](../../admin/external-auth.md) feature allows each user to authenticate with Artifactory using an OAuth flow and issues user-scoped tokens to each user. +requires configuring a custom integration. This integration benefits from Coder's [external-auth](../external-auth/index.md) feature allows each user to authenticate with Artifactory using an OAuth flow and issues user-scoped tokens to each user. To set this up, follow these steps: @@ -53,7 +53,7 @@ To set this up, follow these steps: `https://JFROG_URL/ui/admin/configuration/integrations/app-integrations/new` and select the Application Type as the integration you created in step 1 or `Custom Integration` if you are using SaaS instance i.e. example.jfrog.io. -1. Add a new [external authentication](../../admin/external-auth.md) to Coder by setting these +1. Add a new [external authentication](../external-auth/index.md) to Coder by setting these environment variables in a manner consistent with your Coder deployment. Replace `JFROG_URL` with your JFrog Artifactory base URL: ```env diff --git a/docs/admin/integrations/vault.md b/docs/admin/integrations/vault.md index 74229bd6d8a79..012932a557b2f 100644 --- a/docs/admin/integrations/vault.md +++ b/docs/admin/integrations/vault.md @@ -19,7 +19,7 @@ will show you how to use these modules to integrate HashiCorp Vault with Coder. The [`vault-github`](https://registry.coder.com/modules/vault-github) module is a Terraform module that allows you to authenticate with Vault using a GitHub token. This module uses the existing -GitHub [external authentication](../external-auth.md) to get the token and authenticate with Vault. +GitHub [external authentication](../external-auth/index.md) to get the token and authenticate with Vault. To use this module, add the following code to your Terraform configuration. diff --git a/docs/admin/setup/appearance.md b/docs/admin/setup/appearance.md index cc0097ddeafe1..38c85a5439d89 100644 --- a/docs/admin/setup/appearance.md +++ b/docs/admin/setup/appearance.md @@ -41,7 +41,7 @@ users of which network their Coder deployment is on. ## OIDC Login Button Customization -[Use environment variables to customize](../users/oidc-auth.md#oidc-login-customization) +[Use environment variables to customize](../users/oidc-auth/index.md#oidc-login-customization) the text and icon on the OIDC button on the Sign In page. ## Support Links diff --git a/docs/admin/setup/index.md b/docs/admin/setup/index.md index 1a34920e733e8..f72ca5b2f8df1 100644 --- a/docs/admin/setup/index.md +++ b/docs/admin/setup/index.md @@ -148,7 +148,7 @@ integrations with Git providers, such as GitHub, GitLab, and Bitbucket. External authentication can also be used to integrate with external services like JFrog Artifactory and others. -Please refer to the [external authentication](../external-auth.md) section for +Please refer to the [external authentication](../external-auth/index.md) section for more information. ## Up Next diff --git a/docs/admin/templates/extending-templates/icons.md b/docs/admin/templates/extending-templates/icons.md index f7e50641997c0..2b4e2f92ecda9 100644 --- a/docs/admin/templates/extending-templates/icons.md +++ b/docs/admin/templates/extending-templates/icons.md @@ -32,7 +32,7 @@ come bundled with your Coder deployment. } ``` -- [**Authentication Providers**](https://coder.com/docs/admin/external-auth): +- [**Authentication Providers**](../../external-auth/index.md): - Use icons for external authentication providers to make them recognizable. You can set an icon for each provider by setting the diff --git a/docs/admin/templates/open-in-coder.md b/docs/admin/templates/open-in-coder.md index 216b062232da2..a15838c739265 100644 --- a/docs/admin/templates/open-in-coder.md +++ b/docs/admin/templates/open-in-coder.md @@ -15,7 +15,7 @@ approach for "Open in Coder" flows. ### 1. Set up git authentication -See [External Authentication](../external-auth.md) to set up git authentication +See [External Authentication](../external-auth/index.md) to set up Git authentication in your Coder deployment. ### 2. Modify your template to auto-clone repos diff --git a/docs/admin/users/idp-sync.md b/docs/admin/users/idp-sync.md index 47ee36bad65ac..b59431c5f0026 100644 --- a/docs/admin/users/idp-sync.md +++ b/docs/admin/users/idp-sync.md @@ -304,7 +304,7 @@ Visit the Coder UI to confirm these changes: ```env # Depending on your identity provider configuration, you may need to explicitly request a "roles" scope - CODER_OIDC_SCOPES=openid,profile,email,roles + CODER_OIDC_SCOPES=openid,profile,email,offline_access,roles # The following fields are required for role sync: CODER_OIDC_USER_ROLE_FIELD=roles @@ -517,7 +517,7 @@ Steps to troubleshoot. ## Provider-Specific Guides -Below are some details specific to individual OIDC providers. +
### Active Directory Federation Services (ADFS) @@ -577,33 +577,8 @@ Below are some details specific to individual OIDC providers. groups claim field. Use [this answer from Stack Overflow](https://stackoverflow.com/a/55570286) for an example. -### Keycloak - -The `access_type` parameter has two possible values: `online` and `offline`. -By default, the value is set to `offline`. - -This means that when a user authenticates using OIDC, the application requests -offline access to the user's resources, including the ability to refresh access -tokens without requiring the user to reauthenticate. - -To enable the `offline_access` scope which allows for the refresh token -functionality, you need to add it to the list of requested scopes during the -authentication flow. -Including the `offline_access` scope in the requested scopes ensures that the -user is granted the necessary permissions to obtain refresh tokens. - -By combining the `{"access_type":"offline"}` parameter in the OIDC Auth URL with -the `offline_access` scope, you can achieve the desired behavior of obtaining -refresh tokens for offline access to the user's resources. +## Next Steps -### Google - -To ensure Coder receives a refresh token when users authenticate with Google -directly, set the `prompt` to `consent` in the auth URL parameters. Without -this, users will be logged out after 1 hour. - -In your Coder configuration: - -```shell -CODER_OIDC_AUTH_URL_PARAMS='{"access_type": "offline", "prompt": "consent"}' -``` +- [Configure OIDC Refresh Tokens](./oidc-auth/refresh-tokens.md) +- [Organizations](./organizations.md) +- [Groups & Roles](./groups-roles.md) diff --git a/docs/admin/users/index.md b/docs/admin/users/index.md index b7d98b919734c..e86d40a5a1b1f 100644 --- a/docs/admin/users/index.md +++ b/docs/admin/users/index.md @@ -7,7 +7,7 @@ enforces MFA correctly. ## Configuring SSO -- [OpenID Connect](./oidc-auth.md) (e.g. Okta, KeyCloak, PingFederate, Azure AD) +- [OpenID Connect](./oidc-auth/index.md) (e.g. Okta, KeyCloak, PingFederate, Azure AD) - [GitHub](./github-auth.md) (or GitHub Enterprise) ## Groups diff --git a/docs/admin/users/oidc-auth.md b/docs/admin/users/oidc-auth/index.md similarity index 73% rename from docs/admin/users/oidc-auth.md rename to docs/admin/users/oidc-auth/index.md index 1647286554ecf..dd674d21606f5 100644 --- a/docs/admin/users/oidc-auth.md +++ b/docs/admin/users/oidc-auth/index.md @@ -90,7 +90,40 @@ CODER_OIDC_ICON_URL=https://gitea.io/images/gitea.png ``` To change the icon and text above the OpenID Connect button, see application -name and logo url in [appearance](../setup/appearance.md) settings. +name and logo url in [appearance](../../setup/appearance.md) settings. + +## Configure Refresh Tokens + +By default, OIDC access tokens typically expire after a short period. +This is typically after one hour, but varies by provider. + +Without refresh tokens, users will be automatically logged out when their access token expires. + +Follow [Configure OIDC Refresh Tokens](./refresh-tokens.md) for provider-specific steps. + +The general steps to configure persistent user sessions are: + +1. Configure your Coder OIDC settings: + + For most providers, add the `offline_access` scope: + + ```env + CODER_OIDC_SCOPES=openid,profile,email,offline_access + ``` + + For Google, add auth URL parameters (`CODER_OIDC_AUTH_URL_PARAMS`) too: + + ```env + CODER_OIDC_SCOPES=openid,profile,email + CODER_OIDC_AUTH_URL_PARAMS='{"access_type": "offline", "prompt": "consent"}' + ``` + +1. Configure your identity provider to issue refresh tokens. + +1. After configuration, have users log out and back in once to obtain refresh tokens + +> [!IMPORTANT] +> Misconfigured refresh tokens can lead to frequent user authentication prompts. ## Disable Built-in Authentication @@ -109,8 +142,8 @@ CODER_DISABLE_PASSWORD_AUTH=true Coder supports user provisioning and deprovisioning via SCIM 2.0 with header authentication. Upon deactivation, users are -[suspended](./index.md#suspend-a-user) and are not deleted. -[Configure](../setup/index.md) your SCIM application with an auth key and supply +[suspended](../index.md#suspend-a-user) and are not deleted. +[Configure](../../setup/index.md) your SCIM application with an auth key and supply it the Coder server. ```env @@ -127,7 +160,8 @@ CODER_TLS_CLIENT_CERT_FILE=/path/to/cert.pem CODER_TLS_CLIENT_KEY_FILE=/path/to/key.pem ``` -### Next steps +## Next steps -- [Group Sync](./idp-sync.md) -- [Groups & Roles](./groups-roles.md) +- [Group Sync](../idp-sync.md) +- [Groups & Roles](../groups-roles.md) +- [Configure OIDC Refresh Tokens](./refresh-tokens.md) diff --git a/docs/admin/users/oidc-auth/refresh-tokens.md b/docs/admin/users/oidc-auth/refresh-tokens.md new file mode 100644 index 0000000000000..53a114788240e --- /dev/null +++ b/docs/admin/users/oidc-auth/refresh-tokens.md @@ -0,0 +1,198 @@ +# Configure OIDC refresh tokens + +OIDC refresh tokens allow your Coder deployment to maintain user sessions beyond the initial access token expiration. +Without properly configured refresh tokens, users will be automatically logged out when their access token expires. +This is typically after one hour, but varies by provider, and can disrupt the user's workflow. + +> [!IMPORTANT] +> Misconfigured refresh tokens can lead to frequent user authentication prompts. +> +> After the admin enables refresh tokens, all existing users must log out and back in again to obtain a refresh token. + +
+ + + +### Azure AD + +Go to the Azure Portal > **Azure Active Directory** > **App registrations** > Your Coder app and make the following changes: + +1. In the **Authentication** tab: + + - **Platform configuration** > Web + - Ensure **Allow public client flows** is `No` (Coder is confidential) + - **Implicit grant / hybrid flows** can stay unchecked + +1. In the **API permissions** tab: + + - Add the built-in permission `offline_access` under **Microsoft Graph** > **Delegated permissions** + - Keep `openid`, `profile`, and `email` + +1. In the **Certificates & secrets** tab: + + - Verify a Client secret (or certificate) is valid. + Coder uses it to redeem refresh tokens. + +1. In your [Coder configuration](../../../reference/cli/server.md#--oidc-auth-url-params), request the same scopes: + + ```env + CODER_OIDC_SCOPES=openid,profile,email,offline_access + ``` + +1. Restart Coder and have users log out and back again for the changes to take effect. + + Alternatively, you can force a sign-out for all users with the + [sign-out request process](https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#send-a-sign-out-request). + +1. Azure issues rolling refresh tokens with a default absolute expiration of 90 days and inactivity expiration of 24 hours. + + You can adjust these settings under **Authentication methods** > **Token lifetime** (or use Conditional-Access policies in Entra ID). + +You don't need to configure the 'Expose an API' section for refresh tokens to work. + +Learn more in the [Microsoft Entra documentation](https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#enable-id-tokens). + +### Google + +To ensure Coder receives a refresh token when users authenticate with Google directly, set the `prompt` to `consent` +in the auth URL parameters (`CODER_OIDC_AUTH_URL_PARAMS`). +Without this, users will be logged out when their access token expires. + +In your [Coder configuration](../../../reference/cli/server.md#--oidc-auth-url-params): + +```env +CODER_OIDC_SCOPES=openid,profile,email +CODER_OIDC_AUTH_URL_PARAMS='{"access_type": "offline", "prompt": "consent"}' +``` + +### Keycloak + +The `access_type` parameter has two possible values: `online` and `offline`. +By default, the value is set to `offline`. + +This means that when a user authenticates using OIDC, the application requests offline access to the user's resources, +including the ability to refresh access tokens without requiring the user to reauthenticate. + +Add the `offline_access` scope to enable refresh tokens in your +[Coder configuration](../../../reference/cli/server.md#--oidc-auth-url-params): + +```env +CODER_OIDC_SCOPES=openid,profile,email,offline_access +CODER_OIDC_AUTH_URL_PARAMS='{"access_type":"offline"}' +``` + +### PingFederate + +1. In PingFederate go to **Applications** > **OAuth Clients** > Your Coder client. + +1. On the **Client** tab: + + - **Grant Types**: Enable `refresh_token` + - **Allowed Scopes**: Add `offline_access` and keep `openid`, `profile`, and `email` + +1. Optionally, in **Token Settings** + + - **Refresh Token Lifetime**: set a value that matches your security policy. Ping's default is 30 days. + - **Idle Timeout**: ensure it's more than or equal to the lifetime of the access token so that refreshes don't fail prematurely. + +1. Save your changes in PingFederate. + +1. In your [Coder configuration](../../../reference/cli/server.md#--oidc-scopes), add the `offline_access` scope: + + ```env + CODER_OIDC_SCOPES=openid,profile,email,offline_access + ``` + +1. Restart your Coder deployment to apply these changes. + +Users must log out and log in once to store their new refresh tokens. +After that, sessions should last until the Ping Federate refresh token expires. + +Learn more in the [PingFederate documentation](https://docs.pingidentity.com/pingfederate/12.2/administrators_reference_guide/pf_configuring_oauth_clients.html). + +
+ +## Confirm refresh token configuration + +To verify refresh tokens are working correctly: + +1. Check that your OIDC configuration includes the required refresh token parameters: + + - `offline_access` scope for most providers + - `"access_type": "offline"` for Google + +1. Verify provider-specific token configuration: + +
+ + ### Azure AD + + Use [jwt.ms](https://jwt.ms) to inspect the `id_token` and ensure the `rt_hash` claim is present. + This shows that a refresh token was issued. + + ### Google + + If users are still being logged out periodically, check your client configuration in Google Cloud Console. + + ### Keycloak + + Review Keycloak sessions for the presence of refresh tokens. + + ### Ping Federate + + - Verify the client sent `offline_access` in the `grantedScopes` portion of the ID token. + - Confirm `refresh_token` appears in the `grant_types` list returned by `/pf-admin-api/v1/oauth/clients/{id}`. + +
+ +1. Verify users can stay logged in beyond the identity provider's access token expiration period (typically 1 hour). + +1. Monitor Coder logs for `failed to renew OIDC token: token has expired` messages. + There should not be any. + +If all verification steps pass successfully, your refresh token configuration is working properly. + +## Troubleshooting OIDC Refresh Tokens + +### Users are logged out too frequently + +**Symptoms**: + +- Users experience session timeouts and must re-authenticate. +- Session timeouts typically occur after the access token expiration period (varies by provider, commonly 1 hour). + +**Causes**: + +- Missing required refresh token configuration: + - `offline_access` scope for most providers + - `"access_type": "offline"` for Google +- Provider not correctly configured to issue refresh tokens. +- User has not logged in since refresh token configuration was added. + +**Solution**: + +- For most providers, add `offline_access` to your `CODER_OIDC_SCOPES` configuration. + - `"access_type": "offline"` for Google +- Configure your identity provider according to the provider-specific instructions above. +- Have users log out and log in again to obtain refresh tokens. + Look for entries containing `failed to renew OIDC token` which might indicate specific provider issues. + +### Refresh tokens don't work after configuration change + +**Symptoms**: + +- Session timeouts continue despite refresh token configuration and users re-authenticating. +- Some users experience frequent logouts. + +**Cause**: + +- Existing user sessions don't have refresh tokens stored. +- Configuration may be incomplete. + +**Solution**: + +- Users must log out and log in again to get refresh tokens stored in the database. +- Verify you've correctly configured your provider as described in the configuration steps above. +- Check Coder logs for specific error messages related to token refresh. + +Users might get logged out again before the new configuration takes effect completely. diff --git a/docs/ai-coder/best-practices.md b/docs/ai-coder/best-practices.md index b9243dc3d2943..124cc7c221ee8 100644 --- a/docs/ai-coder/best-practices.md +++ b/docs/ai-coder/best-practices.md @@ -33,7 +33,7 @@ for development. With AI Agents, this is no exception. development without manual intervention (e.g. repos are cloned, dependencies are built, secrets are added/mocked, etc.). - > Note: [External authentication](../admin/external-auth.md) can be helpful + > Note: [External authentication](../admin/external-auth/index.md) can be helpful > to authenticate with third-party services such as GitHub or JFrog. - Give your agent the proper tools via MCP to interact with your codebase and diff --git a/docs/install/kubernetes.md b/docs/install/kubernetes.md index 1a920f96e1bca..993ab0c243129 100644 --- a/docs/install/kubernetes.md +++ b/docs/install/kubernetes.md @@ -284,13 +284,17 @@ coder: ### Azure -In certain enterprise environments, the -[Azure Application Gateway](https://learn.microsoft.com/en-us/azure/application-gateway/ingress-controller-overview) -was needed. The Application Gateway supports: +Certain enterprise environments require the +[Azure Application Gateway](https://learn.microsoft.com/en-us/azure/application-gateway/ingress-controller-overview). +The Application Gateway supports: - Websocket traffic (required for workspace connections) - TLS termination +Follow our doc on +[how to deploy Coder on Azure with an Application Gateway](./kubernetes/kubernetes-azure-app-gateway.md) +for an example. + ## Troubleshooting You can view Coder's logs by getting the pod name from `kubectl get pods` and diff --git a/docs/install/kubernetes/kubernetes-azure-app-gateway.md b/docs/install/kubernetes/kubernetes-azure-app-gateway.md new file mode 100644 index 0000000000000..99923ca9e2105 --- /dev/null +++ b/docs/install/kubernetes/kubernetes-azure-app-gateway.md @@ -0,0 +1,167 @@ +# Deploy Coder on Azure with an Application Gateway + +In certain enterprise environments, the [Azure Application Gateway](https://learn.microsoft.com/en-us/azure/application-gateway/ingress-controller-overview) is required. + +These steps serve as a proof-of-concept example so that you can get Coder running with Kubernetes on Azure. Your deployment might require a separate Postgres server or signed certificates. + +The Application Gateway supports: + +- Websocket traffic (required for workspace connections) +- TLS termination + +Refer to Microsoft's documentation on how to [enable application gateway ingress controller add-on for an existing AKS cluster with an existing application gateway](https://learn.microsoft.com/en-us/azure/application-gateway/tutorial-ingress-controller-add-on-existing). +The steps here follow the Microsoft tutorial for a Coder deployment. + +## Deploy Coder on Azure with an Application Gateway + +1. Create Azure resource group: + + ```sql + az group create --name myResourceGroup --location eastus + ``` + +1. Create AKS cluster: + + ```sql + az aks create --name myCluster --resource-group myResourceGroup --network-plugin azure --enable-managed-identity --generate-ssh-keys + ``` + +1. Create public IP: + + ```sql + az network public-ip create --name myPublicIp --resource-group myResourceGroup --allocation-method Static --sku Standard + ``` + +1. Create VNet and subnet: + + ```sql + az network vnet create --name myVnet --resource-group myResourceGroup --address-prefix 10.0.0.0/16 --subnet-name mySubnet --subnet-prefix 10.0.0.0/24 + ``` + +1. Create Azure application gateway, attach VNet, subnet and public IP: + + ```sql + az network application-gateway create --name myApplicationGateway --resource-group myResourceGroup --sku Standard_v2 --public-ip-address myPublicIp --vnet-name myVnet --subnet mySubnet --priority 100 + ``` + +1. Get app gateway ID: + + ```sql + appgwId=$(az network application-gateway show --name myApplicationGateway --resource-group myResourceGroup -o tsv --query "id") + ``` + +1. Enable app gateway ingress to AKS cluster: + + ```sql + az aks enable-addons --name myCluster --resource-group myResourceGroup --addon ingress-appgw --appgw-id $appgwId + ``` + +1. Get AKS node resource group: + + ```sql + nodeResourceGroup=$(az aks show --name myCluster --resource-group myResourceGroup -o tsv --query "nodeResourceGroup") + ``` + +1. Get AKS VNet name: + + ```sql + aksVnetName=$(az network vnet list --resource-group $nodeResourceGroup -o tsv --query "[0].name") + ``` + +1. Get AKS VNet ID: + + ```sql + aksVnetId=$(az network vnet show --name $aksVnetName --resource-group $nodeResourceGroup -o tsv --query "id") + ``` + +1. Peer VNet to AKS VNet: + + ```sql + az network vnet peering create --name AppGWtoAKSVnetPeering --resource-group myResourceGroup --vnet-name myVnet --remote-vnet $aksVnetId --allow-vnet-access + ``` + +1. Get app gateway VNet ID: + + ```sql + appGWVnetId=$(az network vnet show --name myVnet --resource-group myResourceGroup -o tsv --query "id") + ``` + +1. Peer AKS VNet to app gateway VNet: + + ```sql + az network vnet peering create --name AKStoAppGWVnetPeering --resource-group $nodeResourceGroup --vnet-name $aksVnetName --remote-vnet $appGWVnetId --allow-vnet-access + ``` + +1. Get AKS credentials: + + ```sql + az aks get-credentials --name myCluster --resource-group myResourceGroup + ``` + +1. Create Coder namespace: + + ```shell + kubectl create ns coder + ``` + +1. Deploy non-production PostgreSQL instance to AKS cluster: + + ```shell + helm repo add bitnami https://charts.bitnami.com/bitnami + helm install coder-db bitnami/postgresql \ + --namespace coder \ + --set auth.username=coder \ + --set auth.password=coder \ + --set auth.database=coder \ + --set persistence.size=10Gi + ``` + +1. Create the PostgreSQL secret: + + ```shell + kubectl create secret generic coder-db-url -n coder --from-literal=url="postgres://coder:coder@coder-db-postgresql.coder.svc.cluster.local:5432/coder?sslmode=disable" + ``` + +1. Deploy Coder to AKS cluster: + + ```shell + helm repo add coder-v2 https://helm.coder.com/v2 + helm install coder coder-v2/coder \ + --namespace coder \ + --values values.yaml \ + --version 2.18.5 + ``` + +1. Clean up Azure resources: + + ```sql + az group delete --name myResourceGroup + az group delete --name MC_myResourceGroup_myCluster_eastus + ``` + +1. Deploy the gateway - this needs clarification + +1. After you deploy the gateway, add the following entries to Helm's `values.yaml` file before you deploy Coder: + + ```yaml + service: + enable: true + type: ClusterIP + sessionAffinity: None + externalTrafficPolicy: Cluster + loadBalancerIP: "" + annotations: {} + httpNodePort: "" + httpsNodePort: "" + + ingress: + enable: true + className: "azure-application-gateway" + host: "" + wildcardHost: "" + annotations: {} + tls: + enable: false + secretName: "" + wildcardSecretName: "" + ``` diff --git a/docs/manifest.json b/docs/manifest.json index e100a561aa40c..2aa9cb0ead9ce 100644 --- a/docs/manifest.json +++ b/docs/manifest.json @@ -91,7 +91,14 @@ "title": "Kubernetes", "description": "Install Coder on Kubernetes", "path": "./install/kubernetes.md", - "icon_path": "./images/icons/kubernetes.svg" + "icon_path": "./images/icons/kubernetes.svg", + "children": [ + { + "title": "Deploy Coder on Azure with an Application Gateway", + "description": "Deploy Coder on Azure with an Application Gateway", + "path": "./install/kubernetes/kubernetes-azure-app-gateway.md" + } + ] }, { "title": "Rancher", @@ -395,7 +402,14 @@ { "title": "OIDC Authentication", "description": "Configure OpenID Connect authentication with identity providers like Okta or Active Directory", - "path": "./admin/users/oidc-auth.md" + "path": "./admin/users/oidc-auth/index.md", + "children": [ + { + "title": "Configure OIDC refresh tokens", + "description": "How to configure OIDC refresh tokens", + "path": "./admin/users/oidc-auth/refresh-tokens.md" + } + ] }, { "title": "GitHub Authentication", @@ -639,7 +653,7 @@ { "title": "External Authentication", "description": "Learn how to configure external authentication", - "path": "./admin/external-auth.md", + "path": "./admin/external-auth/index.md", "icon_path": "./images/icons/plug.svg" }, { @@ -926,6 +940,11 @@ "description": "Federating Coder to Azure", "path": "./tutorials/azure-federation.md" }, + { + "title": "Deploy Coder on Azure with an Application Gateway", + "description": "Deploy Coder on Azure with an Application Gateway", + "path": "./install/kubernetes/kubernetes-azure-app-gateway.md" + }, { "title": "Scanning Workspaces with JFrog Xray", "description": "Integrate Coder with JFrog Xray", diff --git a/docs/tutorials/best-practices/security-best-practices.md b/docs/tutorials/best-practices/security-best-practices.md index c6f6cbe13a5c8..2c9ffbbb111c8 100644 --- a/docs/tutorials/best-practices/security-best-practices.md +++ b/docs/tutorials/best-practices/security-best-practices.md @@ -25,7 +25,7 @@ credentials are stolen. ### User authentication -Configure [OIDC authentication](../../admin/users/oidc-auth.md) against your +Configure [OIDC authentication](../../admin/users/oidc-auth/index.md) against your organization’s Identity Provider (IdP), such as Okta, to allow single-sign on. 1. Enable and require two-factor authentication in your identity provider. diff --git a/docs/tutorials/cloning-git-repositories.md b/docs/tutorials/cloning-git-repositories.md index f67b8a97ca64f..b166ef8dd1552 100644 --- a/docs/tutorials/cloning-git-repositories.md +++ b/docs/tutorials/cloning-git-repositories.md @@ -20,9 +20,9 @@ authorization. This can be achieved by using the Git provider, such as GitHub, as an authentication method. If you don't know how to do that, we have written documentation to help you: -- [GitHub](../admin/external-auth.md#github) -- [GitLab self-managed](../admin/external-auth.md#gitlab-self-managed) -- [Self-managed git providers](../admin/external-auth.md#self-managed-git-providers) +- [GitHub](../admin/external-auth/index.md#github) +- [GitLab self-managed](../admin/external-auth/index.md#gitlab-self-managed) +- [Self-managed git providers](../admin/external-auth/index.md#self-managed-git-providers) With the authentication in place, it is time to set up the template to use the [Git Clone module](https://registry.coder.com/modules/git-clone) from the diff --git a/docs/tutorials/configuring-okta.md b/docs/tutorials/configuring-okta.md index 349c1321b0693..01cfacfb34c80 100644 --- a/docs/tutorials/configuring-okta.md +++ b/docs/tutorials/configuring-okta.md @@ -6,7 +6,7 @@ Steven Masley
-December 13, 2023 +Updated: June, 2025 --- @@ -15,7 +15,7 @@ Sign On (SSO) on Coder. To configure custom claims in Okta to support syncing roles and groups with Coder, you must first have setup an Okta application with -[OIDC working with Coder](../admin/users/oidc-auth.md). +[OIDC working with Coder](../admin/users/oidc-auth/index.md). From here, we will add additional claims for Coder to use for syncing groups and roles. @@ -28,38 +28,39 @@ If the Coder roles & Coder groups can be inferred from Okta has a simple way to send over the groups as a `claim` in the `id_token` payload. -In Okta, go to the application “Sign On” settings page. +In Okta, go to the application **Sign On** settings page. -Applications > Select Application > General > Sign On +**Applications** > **Select Application** > **General** > **Sign On** -In the “OpenID Connect ID Token” section, turn on “Groups Claim Type” and set -the “Claim name” to `groups`. Optionally configure a filter for which groups to -be sent. +In the **OpenID Connect ID Token** section, turn on **Groups Claim Type** and set +the **Claim name** to `groups`. +Optionally, configure a filter for which groups to be sent. > [!IMPORTANT] -> If the user does not belong to any groups, the claim will not be sent. Make -> sure the user authenticating for testing is in at least one group. Defer to -> [troubleshooting](../admin/users/index.md) with issues. +> If the user does not belong to any groups, the claim will not be sent. +> Make sure the user authenticating for testing is in at least one group. ![Okta OpenID Connect ID Token](../images/guides/okta/oidc_id_token.png) -Configure Coder to use these claims for group sync. These claims are present in -the `id_token`. See all configuration options for group sync in the -[docs](https://coder.com/docs/admin/auth#group-sync-enterprise). +Configure Coder to use these claims for group sync. +These claims are present in the `id_token`. +For more group sync configuration options, consult the [IDP sync documentation](../admin/users/idp-sync.md#group-sync). ```bash -# Add the 'groups' scope. -CODER_OIDC_SCOPES=openid,profile,email,groups +# Add the 'groups' scope and include the 'offline_access' scope for refresh tokens +CODER_OIDC_SCOPES=openid,profile,email,offline_access,groups # This name needs to match the "Claim name" in the configuration above. CODER_OIDC_GROUP_FIELD=groups ``` +> [!NOTE] +> The `offline_access` scope is required in Coder v2.23.0+ to prevent hourly session timeouts. + These groups can also be used to configure role syncing based on group -membership. +membership: ```bash -# Requires the "groups" scope -CODER_OIDC_SCOPES=openid,profile,email,groups +CODER_OIDC_SCOPES=openid,profile,email,offline_access,groups # This name needs to match the "Claim name" in the configuration above. CODER_OIDC_USER_ROLE_FIELD=groups # Example configuration to map a group to some roles @@ -69,32 +70,32 @@ CODER_OIDC_USER_ROLE_MAPPING='{"admin-group":["template-admin","user-admin"]}' ## (Easy) Mapping Okta profile attributes If roles or groups cannot be completely inferred from Okta group memberships, -another option is to source them from a user’s attributes. The user attribute -list can be found in “Directory > Profile Editor > User (default)”. +another option is to source them from a user's attributes. +The user attribute list can be found in **Directory** > **Profile Editor** > **User (default)**. -Coder can query an Okta profile for the application from the `/userinfo` OIDC -endpoint. To pass attributes to Coder, create the attribute in your application, +Coder can query an Okta profile for the application from the `/userinfo` OIDC endpoint. +To pass attributes to Coder, create the attribute in your application, then add a mapping from the Okta profile to the application. -“Directory > Profile Editor > {Your Application} > Add Attribute” +**Directory** > **Profile Editor** > {Your Application} > **Add Attribute** -Create the attribute for the roles, groups, or both. **Make sure the attribute -is of type `string array`.** +Create the attribute for the roles, groups, or both. Make sure the attribute +is of type `string array`: ![Okta Add Attribute view](../images/guides/okta/add_attribute.png) -On the “Okta User to {Your Application}” tab, map a `roles` or `groups` -attribute you have configured to the application. +On the **Okta User to {Your Application}** tab, map a `roles` or `groups` +attribute you have configured to the application: ![Okta Add Claim view](../images/guides/okta/add_claim.png) -Configure using these new attributes in Coder. +Configure using these new attributes in Coder: ```bash # This must be set to false. Coder uses this endpoint to grab the attributes. CODER_OIDC_IGNORE_USERINFO=false -# No custom scopes are required. -CODER_OIDC_SCOPES=openid,profile,email +# Include offline_access for refresh tokens +CODER_OIDC_SCOPES=openid,profile,email,offline_access # Configure the group/role field using the attribute name in the application. CODER_OIDC_USER_ROLE_FIELD=approles # See our docs for mapping okta roles to coder roles. @@ -104,56 +105,86 @@ CODER_OIDC_USER_ROLE_MAPPING='{"admin-group":["template-admin","user-admin"]}' # CODER_OIDC_GROUP_FIELD=... ``` +> [!NOTE] +> The `offline_access` scope is required in Coder v2.23.0+ to prevent hourly session timeouts. + ## (Advanced) Custom scopes to retrieve custom claims Okta does not support setting custom scopes and claims in the default -authorization server used by your application. If you require this -functionality, you must create (or modify) an authorization server. +authorization server used by your application. +If you require this functionality, you must create (or modify) an authorization server. -To see your custom authorization servers go to “Security > API”. Note the -`default` authorization server **is not the authorization server your app is -using.** You can configure this default authorization server, or create a new -one specifically for your application. +To see your custom authorization servers go to **Security** > **API**. +Note the `default` authorization server is not the authorization server your app is using. +You can configure this default authorization server, or create a new one specifically for your application. -Authorization servers also give more refined controls over things such as -token/session lifetimes. +Authorization servers also give more refined controls over things such as token/session lifetimes. ![Okta API view](../images/guides/okta/api_view.png) -To get custom claims working, we should map them to a custom scope. Click the -authorization server you wish to use (likely just using the default). +To get custom claims working, map them to a custom scope. +Click the authorization server you wish to use (likely just using the default). -Go to “Scopes”, and “Add Scope”. Feel free to create one for roles, groups, or -both. +Go to **Scopes**, and **Add Scope**. +Feel free to create one for roles, groups, or both: ![Okta Add Scope view](../images/guides/okta/add_scope.png) -Now create the claim to go with the said scope. Go to “Claims”, then “Add -Claim”. Make sure to select **ID Token** for the token type. The **Value** -expression is up to you based on where you are sourcing the role information. -Lastly, configure it to only be a claim with the requested scope. This is so if -other applications exist, we do not send them information they do not care -about. +Create the claim to go with the said scope. +Go to **Claims**, then **Add Claim**. +Make sure to select **ID Token** for the token type. +The **Value** expression is up to you based on where you are sourcing the role information. +Configure it to only be a claim with the requested scope. +This is so if other applications exist, we do not send them information they do not care about: ![Okta Add Claim with Roles view](../images/guides/okta/add_claim_with_roles.png) -Now we have a custom scope + claim configured under an authorization server, we -need to configure coder to use this. +Now we have a custom scope and claim configured under an authorization server. +Configure Coder to use this: ```bash # Grab this value from the Authorization Server > Settings > Issuer # DO NOT USE the application issuer URL. Make sure to use the newly configured # authorization server. CODER_OIDC_ISSUER_URL=https://dev-12222860.okta.com/oauth2/default -# Add the new scope you just configured -CODER_OIDC_SCOPES=openid,profile,email,roles +# Add the new scope you just configured and offline_access for refresh tokens +CODER_OIDC_SCOPES=openid,profile,email,roles,offline_access # Use the claim you just configured CODER_OIDC_USER_ROLE_FIELD=roles # See our docs for mapping okta roles to coder roles. CODER_OIDC_USER_ROLE_MAPPING='{"admin-group":["template-admin","user-admin"]}' ``` -You can use the “Token Preview” page to verify it has been correctly configured +> [!NOTE] +> The `offline_access` scope is required in Coder v2.23.0+ to prevent hourly session timeouts. + +You can use the "Token Preview" page to verify it has been correctly configured and verify the `roles` is in the payload. ![Okta Token Preview](../images/guides/okta/token_preview.png) + +## Troubleshooting + +### Users Are Logged Out Every Hour + +**Symptoms**: Users experience session timeouts approximately every hour and must re-authenticate +**Cause**: Missing `offline_access` scope in `CODER_OIDC_SCOPES` +**Solution**: + +1. Add `offline_access` to your `CODER_OIDC_SCOPES` configuration +1. Restart your Coder deployment +1. All existing users must logout and login once to receive refresh tokens + +### Refresh Tokens Not Working After Configuration Change + +**Symptoms**: Hourly timeouts, even after adding `offline_access` +**Cause**: Existing user sessions don't have refresh tokens stored +**Solution**: Users must logout and login again to get refresh tokens stored in the database + +### Verify Refresh Token Configuration + +To confirm that refresh tokens are working correctly: + +1. Check that `offline_access` is included in your `CODER_OIDC_SCOPES` +1. Verify users can stay logged in beyond Okta's access token lifetime (typically one hour) +1. Monitor Coder logs for any OIDC refresh errors during token renewal diff --git a/docs/tutorials/template-from-scratch.md b/docs/tutorials/template-from-scratch.md index 33e02dabda399..22c4c5392001e 100644 --- a/docs/tutorials/template-from-scratch.md +++ b/docs/tutorials/template-from-scratch.md @@ -171,7 +171,7 @@ resource "coder_agent" "main" { Because Docker is running locally in the Coder server, there is no need to authenticate `coder_agent`. But if your `coder_agent` is running on a remote host, your template will need -[authentication credentials](../admin/external-auth.md). +[authentication credentials](../admin/external-auth/index.md). This template's agent also runs a startup script, sets environment variables, and provides metadata. @@ -181,7 +181,7 @@ and provides metadata. - Installs [code-server](https://coder.com/docs/code-server), a browser-based [VS Code](https://code.visualstudio.com/) app that runs in the workspace. - We'll give users access to code-server through `coder_app`, later. + We'll give users access to code-server through `coder_app` later. - [`env` block](https://registry.terraform.io/providers/coder/coder/latest/docs/resources/agent#env) diff --git a/docs/user-guides/workspace-access/remote-desktops.md b/docs/user-guides/workspace-access/remote-desktops.md index 2fe512b686763..1d5df4e7f8d7f 100644 --- a/docs/user-guides/workspace-access/remote-desktops.md +++ b/docs/user-guides/workspace-access/remote-desktops.md @@ -47,9 +47,30 @@ Or use your favorite RDP client to connect to `localhost:3399`. The default username is `Administrator` and password is `coderRDP!`. -### Coder Desktop URI Handling (Beta) +### RDP with Coder Desktop (Beta) + +[Coder Desktop](../desktop/index.md)'s Coder Connect feature creates a connection to your workspaces in the background. +There is no need for port forwarding when it is enabled. + +Use your favorite RDP client to connect to `.coder` instead of `localhost:3399`. + +> [!NOTE] +> Some versions of Windows, including Windows Server 2022, do not communicate correctly over UDP +> when using Coder Connect because they do not respect the maximum transmission unit (MTU) of the link. +> When this happens the RDP client will appear to connect, but displays a blank screen. +> +> To avoid this error, Coder's [Windows RDP](https://registry.coder.com/modules/windows-rdp) module +> [disables RDP over UDP automatically](https://github.com/coder/registry/blob/b58bfebcf3bcdcde4f06a183f92eb3e01842d270/registry/coder/modules/windows-rdp/powershell-installation-script.tftpl#L22). +> +> To disable RDP over UDP, run the following in PowerShell: +> +> ```powershell +> New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' -Name "SelectTransport" -Value 1 -PropertyType DWORD -Force +> Restart-Service -Name "TermService" -Force +> ``` + +You can also use a URI handler to directly launch an RDP session. -[Coder Desktop](../desktop) can use a URI handler to directly launch an RDP session without setting up port-forwarding. The URI format is: ```text @@ -81,7 +102,7 @@ resource "coder_app" "rdp-coder-desktop" { ## RDP Web -Our [WebRDP](https://registry.coder.com/modules/windows-rdp) module in the Coder +Our [Windows RDP](https://registry.coder.com/modules/windows-rdp) module in the Coder Registry adds a one-click button to open an RDP session in the browser. This requires just a few lines of Terraform in your template, see the documentation on our registry for setup. diff --git a/dogfood/coder/main.tf b/dogfood/coder/main.tf index af4417b78c04f..2db38c4c29218 100644 --- a/dogfood/coder/main.tf +++ b/dogfood/coder/main.tf @@ -11,6 +11,16 @@ terraform { } } +// This module is a terraform no-op. It contains 5mb worth of files to test +// Coder's behavior dealing with larger modules. This is included to test +// protobuf message size limits and the performance of module loading. +// +// In reality, modules might have accidental bloat from non-terraform files such +// as images & documentation. +module "large-5mb-module" { + source = "git::https://github.com/coder/large-module.git" +} + locals { // These are cluster service addresses mapped to Tailscale nodes. Ask Dean or // Kyle for help. diff --git a/enterprise/coderd/provisionerdaemons.go b/enterprise/coderd/provisionerdaemons.go index 30f4ddd66d91c..c8304952781d1 100644 --- a/enterprise/coderd/provisionerdaemons.go +++ b/enterprise/coderd/provisionerdaemons.go @@ -133,7 +133,7 @@ func (p *provisionerDaemonAuth) authorize(r *http.Request, org database.Organiza tags: tags, }, nil } - ua := httpmw.UserAuthorization(r) + ua := httpmw.UserAuthorization(r.Context()) err = p.authorizer.Authorize(ctx, ua, policy.ActionCreate, rbac.ResourceProvisionerDaemon.InOrg(org.ID)) if err != nil { return provisiionerDaemonAuthResponse{}, xerrors.New("user unauthorized") diff --git a/go.mod b/go.mod index fc95398489971..2661eb9a5494e 100644 --- a/go.mod +++ b/go.mod @@ -118,7 +118,7 @@ require ( github.com/fatih/structtag v1.2.0 github.com/fergusstrange/embedded-postgres v1.31.0 github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa - github.com/gen2brain/beeep v0.0.0-20220402123239-6a3042f4b71a + github.com/gen2brain/beeep v0.11.1 github.com/gliderlabs/ssh v0.3.4 github.com/go-chi/chi/v5 v5.1.0 github.com/go-chi/cors v1.2.1 @@ -309,7 +309,6 @@ require ( github.com/go-playground/universal-translator v0.18.1 // indirect github.com/go-sourcemap/sourcemap v2.1.3+incompatible // indirect github.com/go-test/deep v1.1.0 // indirect - github.com/go-toast/toast v0.0.0-20190211030409-01e6764cf0a4 // indirect github.com/go-viper/mapstructure/v2 v2.2.1 // indirect github.com/gobwas/glob v0.2.3 // indirect github.com/gobwas/httphead v0.1.0 // indirect @@ -382,7 +381,6 @@ require ( github.com/muesli/reflow v0.3.0 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/niklasfasching/go-org v1.7.0 // indirect - github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d // indirect github.com/oklog/run v1.1.0 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect github.com/opencontainers/image-spec v1.1.1 // indirect @@ -485,7 +483,7 @@ require ( github.com/coder/preview v0.0.2-0.20250611164554-2e5caa65a54a github.com/fsnotify/fsnotify v1.9.0 github.com/kylecarbs/aisdk-go v0.0.8 - github.com/mark3labs/mcp-go v0.31.0 + github.com/mark3labs/mcp-go v0.32.0 github.com/openai/openai-go v0.1.0-beta.10 google.golang.org/genai v0.7.0 ) @@ -496,6 +494,7 @@ require ( cloud.google.com/go/iam v1.4.1 // indirect cloud.google.com/go/monitoring v1.24.0 // indirect cloud.google.com/go/storage v1.50.0 // indirect + git.sr.ht/~jackmordaunt/go-toast v1.1.2 // indirect github.com/DataDog/datadog-agent/comp/core/tagger/origindetection v0.64.2 // indirect github.com/DataDog/datadog-agent/pkg/version v0.64.2 // indirect github.com/DataDog/dd-trace-go/v2 v2.0.0 // indirect @@ -512,14 +511,19 @@ require ( github.com/dgryski/go-farm v0.0.0-20240924180020-3414d57e47da // indirect github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect + github.com/esiqveland/notify v0.13.3 // indirect github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect github.com/hashicorp/go-getter v1.7.8 // indirect github.com/hashicorp/go-safetemp v1.0.0 // indirect + github.com/jackmordaunt/icns/v3 v3.0.1 // indirect github.com/klauspost/cpuid/v2 v2.2.10 // indirect github.com/moby/sys/user v0.4.0 // indirect + github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 // indirect github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect github.com/puzpuzpuz/xsync/v3 v3.5.1 // indirect github.com/samber/lo v1.50.0 // indirect + github.com/sergeymakinen/go-bmp v1.0.0 // indirect + github.com/sergeymakinen/go-ico v1.0.0-beta.0 // indirect github.com/spiffe/go-spiffe/v2 v2.5.0 // indirect github.com/tidwall/sjson v1.2.5 // indirect github.com/tmaxmax/go-sse v0.10.0 // indirect diff --git a/go.sum b/go.sum index 99032ea069dc3..9ac1a1c89f6ec 100644 --- a/go.sum +++ b/go.sum @@ -621,6 +621,8 @@ filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4 filippo.io/mkcert v1.4.4 h1:8eVbbwfVlaqUM7OwuftKc2nuYOoTDQWqsoXmzoXZdbc= filippo.io/mkcert v1.4.4/go.mod h1:VyvOchVuAye3BoUsPUOOofKygVwLV2KQMVFJNRq+1dA= gioui.org v0.0.0-20210308172011-57750fc8a0a6/go.mod h1:RSH6KIUZ0p2xy5zHDxgAM4zumjgTw83q2ge/PI+yyw8= +git.sr.ht/~jackmordaunt/go-toast v1.1.2 h1:/yrfI55LRt1M7H1vkaw+NaH1+L1CDxrqDltwm5euVuE= +git.sr.ht/~jackmordaunt/go-toast v1.1.2/go.mod h1:jA4OqHKTQ4AFBdwrSnwnskUIIS3HYzlJSgdzCKqfavo= git.sr.ht/~sbinet/gg v0.3.1/go.mod h1:KGYtlADtqsqANL9ueOFkWymvzUvLMQllU5Ixo+8v3pc= github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0= github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E= @@ -1035,6 +1037,8 @@ github.com/envoyproxy/protoc-gen-validate v1.2.1 h1:DEo3O99U8j4hBFwbJfrz9VtgcDfU github.com/envoyproxy/protoc-gen-validate v1.2.1/go.mod h1:d/C80l/jxXLdfEIhX1W2TmLfsJ31lvEjwamM4DxlWXU= github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6baUTXGLOoWe4PQhGxaX0KpnayAqC48p4= github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f/go.mod h1:vw97MGsxSvLiUE2X8qFplwetxpGLQrlU1Q9AUEIzCaM= +github.com/esiqveland/notify v0.13.3 h1:QCMw6o1n+6rl+oLUfg8P1IIDSFsDEb2WlXvVvIJbI/o= +github.com/esiqveland/notify v0.13.3/go.mod h1:hesw/IRYTO0x99u1JPweAl4+5mwXJibQVUcP0Iu5ORE= github.com/evanw/esbuild v0.25.3 h1:4JKyUsm/nHDhpxis4IyWXAi8GiyTwG1WdEp6OhGVE8U= github.com/evanw/esbuild v0.25.3/go.mod h1:D2vIQZqV/vIf/VRHtViaUtViZmG7o+kKmlBfVQuRi48= github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= @@ -1067,8 +1071,8 @@ github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ= github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3GqacKw1NM= github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8= -github.com/gen2brain/beeep v0.0.0-20220402123239-6a3042f4b71a h1:fwNLHrP5Rbg/mGSXCjtPdpbqv2GucVTA/KMi8wEm6mE= -github.com/gen2brain/beeep v0.0.0-20220402123239-6a3042f4b71a/go.mod h1:/WeFVhhxMOGypVKS0w8DUJxUBbHypnWkUVnW7p5c9Pw= +github.com/gen2brain/beeep v0.11.1 h1:EbSIhrQZFDj1K2fzlMpAYlFOzV8YuNe721A58XcCTYI= +github.com/gen2brain/beeep v0.11.1/go.mod h1:jQVvuwnLuwOcdctHn/uyh8horSBNJ8uGb9Cn2W4tvoc= github.com/getkin/kin-openapi v0.131.0 h1:NO2UeHnFKRYhZ8wg6Nyh5Cq7dHk4suQQr72a4pMrDxE= github.com/getkin/kin-openapi v0.131.0/go.mod h1:3OlG51PCYNsPByuiMB0t4fjnNlIDnaEDsjiKUV8nL58= github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= @@ -1142,8 +1146,6 @@ github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpv github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg= github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg= github.com/go-test/deep v1.1.0/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= -github.com/go-toast/toast v0.0.0-20190211030409-01e6764cf0a4 h1:qZNfIGkIANxGv/OqtnntR4DfOY2+BgwR60cAcu/i3SE= -github.com/go-toast/toast v0.0.0-20190211030409-01e6764cf0a4/go.mod h1:kW3HQ4UdaAyrUCSSDR4xUzBKW6O2iA4uHhk7AtyYp10= github.com/go-viper/mapstructure/v2 v2.2.1 h1:ZAaOCxANMuZx5RCeg0mBdEZk7DZasvvZIxtHqx8aGss= github.com/go-viper/mapstructure/v2 v2.2.1/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM= github.com/gobuffalo/flect v1.0.3 h1:xeWBM2nui+qnVvNM4S3foBhCAL2XgPU+a7FdpelbTq4= @@ -1409,6 +1411,8 @@ github.com/illarion/gonotify v1.0.1 h1:F1d+0Fgbq/sDWjj/r66ekjDG+IDeecQKUFH4wNwso github.com/illarion/gonotify v1.0.1/go.mod h1:zt5pmDofZpU1f8aqlK0+95eQhoEAn/d4G4B/FjVW4jE= github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2 h1:9K06NfxkBh25x56yVhWWlKFE8YpicaSfHwoV8SFbueA= github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2/go.mod h1:3A9PQ1cunSDF/1rbTq99Ts4pVnycWg+vlPkfeD2NLFI= +github.com/jackmordaunt/icns/v3 v3.0.1 h1:xxot6aNuGrU+lNgxz5I5H0qSeCjNKp8uTXB1j8D4S3o= +github.com/jackmordaunt/icns/v3 v3.0.1/go.mod h1:5sHL59nqTd2ynTnowxB/MDQFhKNqkK8X687uKNygaSQ= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= github.com/jdkato/prose v1.2.1 h1:Fp3UnJmLVISmlc57BgKUzdjr0lOtjqTZicL3PaYy6cU= @@ -1499,8 +1503,8 @@ github.com/makeworld-the-better-one/dither/v2 v2.4.0 h1:Az/dYXiTcwcRSe59Hzw4RI1r github.com/makeworld-the-better-one/dither/v2 v2.4.0/go.mod h1:VBtN8DXO7SNtyGmLiGA7IsFeKrBkQPze1/iAeM95arc= github.com/marekm4/color-extractor v1.2.1 h1:3Zb2tQsn6bITZ8MBVhc33Qn1k5/SEuZ18mrXGUqIwn0= github.com/marekm4/color-extractor v1.2.1/go.mod h1:90VjmiHI6M8ez9eYUaXLdcKnS+BAOp7w+NpwBdkJmpA= -github.com/mark3labs/mcp-go v0.31.0 h1:4UxSV8aM770OPmTvaVe/b1rA2oZAjBMhGBfUgOGut+4= -github.com/mark3labs/mcp-go v0.31.0/go.mod h1:rXqOudj/djTORU/ThxYx8fqEVj/5pvTuuebQ2RC7uk4= +github.com/mark3labs/mcp-go v0.32.0 h1:fgwmbfL2gbd67obg57OfV2Dnrhs1HtSdlY/i5fn7MU8= +github.com/mark3labs/mcp-go v0.32.0/go.mod h1:rXqOudj/djTORU/ThxYx8fqEVj/5pvTuuebQ2RC7uk4= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= @@ -1595,8 +1599,6 @@ github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 h1:zYyBkD/k9seD2A7fsi6 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646/go.mod h1:jpp1/29i3P1S/RLdc7JQKbRpFeM1dOBd8T9ki5s+AY8= github.com/niklasfasching/go-org v1.7.0 h1:vyMdcMWWTe/XmANk19F4k8XGBYg0GQ/gJGMimOjGMek= github.com/niklasfasching/go-org v1.7.0/go.mod h1:WuVm4d45oePiE0eX25GqTDQIt/qPW1T9DGkRscqLW5o= -github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d h1:VhgPp6v9qf9Agr/56bj7Y/xa04UccTW04VP0Qed4vnQ= -github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d/go.mod h1:YUTz3bUH2ZwIWBy3CJBeOBEugqcmXREj14T+iG/4k4U= github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037 h1:G7ERwszslrBzRxj//JalHPu/3yz+De2J+4aLtSRlHiY= github.com/oasdiff/yaml v0.0.0-20250309154309-f31be36b4037/go.mod h1:2bpvgLBZEtENV5scfDFEtB/5+1M4hkQhDQrccEJ/qGw= github.com/oasdiff/yaml3 v0.0.0-20250309153720-d2182401db90 h1:bQx3WeLcUWy+RletIKwUIt4x3t8n2SxavmoclizMb8c= @@ -1711,6 +1713,10 @@ github.com/satori/go.uuid v1.2.1-0.20181028125025-b2ce2384e17b h1:gQZ0qzfKHQIybL github.com/satori/go.uuid v1.2.1-0.20181028125025-b2ce2384e17b/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= github.com/secure-systems-lab/go-securesystemslib v0.9.0 h1:rf1HIbL64nUpEIZnjLZ3mcNEL9NBPB0iuVjyxvq3LZc= github.com/secure-systems-lab/go-securesystemslib v0.9.0/go.mod h1:DVHKMcZ+V4/woA/peqr+L0joiRXbPpQ042GgJckkFgw= +github.com/sergeymakinen/go-bmp v1.0.0 h1:SdGTzp9WvCV0A1V0mBeaS7kQAwNLdVJbmHlqNWq0R+M= +github.com/sergeymakinen/go-bmp v1.0.0/go.mod h1:/mxlAQZRLxSvJFNIEGGLBE/m40f3ZnUifpgVDlcUIEY= +github.com/sergeymakinen/go-ico v1.0.0-beta.0 h1:m5qKH7uPKLdrygMWxbamVn+tl2HfiA3K6MFJw4GfZvQ= +github.com/sergeymakinen/go-ico v1.0.0-beta.0/go.mod h1:wQ47mTczswBO5F0NoDt7O0IXgnV4Xy3ojrroMQzyhUk= github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8= github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4= github.com/shirou/gopsutil/v4 v4.25.4 h1:cdtFO363VEOOFrUCjZRh4XVJkb548lyF0q0uTeMqYPw= @@ -2247,7 +2253,6 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220502124256-b6088ccd6cba/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= diff --git a/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsForm.tsx b/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsForm.tsx index 8dbe4dcab0290..46ff1e3c92d7c 100644 --- a/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsForm.tsx +++ b/site/src/pages/TemplateSettingsPage/TemplateGeneralSettingsPage/TemplateSettingsForm.tsx @@ -243,11 +243,7 @@ export const TemplateSettingsForm: FC = ({ Show the original workspace creation form and workspace parameters settings form without dynamic parameters or live updates. Recommended if your provisioners aren't updated or - the new form causes issues.{" "} - - Users can always manually switch experiences in the - workspace creation form. - + the dynamic form causes issues.