diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go
index 0aecfdea8ff5e..7599b42f14f6b 100644
--- a/coderd/apidoc/docs.go
+++ b/coderd/apidoc/docs.go
@@ -2676,6 +2676,110 @@ const docTemplate = `{
}
}
},
+ "/organizations/{organization}/provisionerkeys": {
+ "get": {
+ "security": [
+ {
+ "CoderSessionToken": []
+ }
+ ],
+ "produces": [
+ "application/json"
+ ],
+ "tags": [
+ "Enterprise"
+ ],
+ "summary": "List provisioner key",
+ "operationId": "list-provisioner-key",
+ "parameters": [
+ {
+ "type": "string",
+ "description": "Organization ID",
+ "name": "organization",
+ "in": "path",
+ "required": true
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/codersdk.ProvisionerKey"
+ }
+ }
+ }
+ }
+ },
+ "post": {
+ "security": [
+ {
+ "CoderSessionToken": []
+ }
+ ],
+ "produces": [
+ "application/json"
+ ],
+ "tags": [
+ "Enterprise"
+ ],
+ "summary": "Create provisioner key",
+ "operationId": "create-provisioner-key",
+ "parameters": [
+ {
+ "type": "string",
+ "description": "Organization ID",
+ "name": "organization",
+ "in": "path",
+ "required": true
+ }
+ ],
+ "responses": {
+ "201": {
+ "description": "Created",
+ "schema": {
+ "$ref": "#/definitions/codersdk.CreateProvisionerKeyResponse"
+ }
+ }
+ }
+ }
+ },
+ "/organizations/{organization}/provisionerkeys/{provisionerkey}": {
+ "delete": {
+ "security": [
+ {
+ "CoderSessionToken": []
+ }
+ ],
+ "tags": [
+ "Enterprise"
+ ],
+ "summary": "Delete provisioner key",
+ "operationId": "delete-provisioner-key",
+ "parameters": [
+ {
+ "type": "string",
+ "description": "Organization ID",
+ "name": "organization",
+ "in": "path",
+ "required": true
+ },
+ {
+ "type": "string",
+ "description": "Provisioner key name",
+ "name": "provisionerkey",
+ "in": "path",
+ "required": true
+ }
+ ],
+ "responses": {
+ "204": {
+ "description": "No Content"
+ }
+ }
+ }
+ },
"/organizations/{organization}/templates": {
"get": {
"security": [
@@ -8609,6 +8713,14 @@ const docTemplate = `{
}
}
},
+ "codersdk.CreateProvisionerKeyResponse": {
+ "type": "object",
+ "properties": {
+ "key": {
+ "type": "string"
+ }
+ }
+ },
"codersdk.CreateTemplateRequest": {
"type": "object",
"required": [
@@ -10762,6 +10874,26 @@ const docTemplate = `{
"ProvisionerJobUnknown"
]
},
+ "codersdk.ProvisionerKey": {
+ "type": "object",
+ "properties": {
+ "created_at": {
+ "type": "string",
+ "format": "date-time"
+ },
+ "id": {
+ "type": "string",
+ "format": "uuid"
+ },
+ "name": {
+ "type": "string"
+ },
+ "organization": {
+ "type": "string",
+ "format": "uuid"
+ }
+ }
+ },
"codersdk.ProvisionerLogLevel": {
"type": "string",
"enum": [
@@ -10897,6 +11029,7 @@ const docTemplate = `{
"organization",
"organization_member",
"provisioner_daemon",
+ "provisioner_keys",
"replicas",
"system",
"tailnet_coordinator",
@@ -10924,6 +11057,7 @@ const docTemplate = `{
"ResourceOrganization",
"ResourceOrganizationMember",
"ResourceProvisionerDaemon",
+ "ResourceProvisionerKeys",
"ResourceReplicas",
"ResourceSystem",
"ResourceTailnetCoordinator",
diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json
index 6d5ac99848dbf..85e57932a445d 100644
--- a/coderd/apidoc/swagger.json
+++ b/coderd/apidoc/swagger.json
@@ -2346,6 +2346,100 @@
}
}
},
+ "/organizations/{organization}/provisionerkeys": {
+ "get": {
+ "security": [
+ {
+ "CoderSessionToken": []
+ }
+ ],
+ "produces": ["application/json"],
+ "tags": ["Enterprise"],
+ "summary": "List provisioner key",
+ "operationId": "list-provisioner-key",
+ "parameters": [
+ {
+ "type": "string",
+ "description": "Organization ID",
+ "name": "organization",
+ "in": "path",
+ "required": true
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "OK",
+ "schema": {
+ "type": "array",
+ "items": {
+ "$ref": "#/definitions/codersdk.ProvisionerKey"
+ }
+ }
+ }
+ }
+ },
+ "post": {
+ "security": [
+ {
+ "CoderSessionToken": []
+ }
+ ],
+ "produces": ["application/json"],
+ "tags": ["Enterprise"],
+ "summary": "Create provisioner key",
+ "operationId": "create-provisioner-key",
+ "parameters": [
+ {
+ "type": "string",
+ "description": "Organization ID",
+ "name": "organization",
+ "in": "path",
+ "required": true
+ }
+ ],
+ "responses": {
+ "201": {
+ "description": "Created",
+ "schema": {
+ "$ref": "#/definitions/codersdk.CreateProvisionerKeyResponse"
+ }
+ }
+ }
+ }
+ },
+ "/organizations/{organization}/provisionerkeys/{provisionerkey}": {
+ "delete": {
+ "security": [
+ {
+ "CoderSessionToken": []
+ }
+ ],
+ "tags": ["Enterprise"],
+ "summary": "Delete provisioner key",
+ "operationId": "delete-provisioner-key",
+ "parameters": [
+ {
+ "type": "string",
+ "description": "Organization ID",
+ "name": "organization",
+ "in": "path",
+ "required": true
+ },
+ {
+ "type": "string",
+ "description": "Provisioner key name",
+ "name": "provisionerkey",
+ "in": "path",
+ "required": true
+ }
+ ],
+ "responses": {
+ "204": {
+ "description": "No Content"
+ }
+ }
+ }
+ },
"/organizations/{organization}/templates": {
"get": {
"security": [
@@ -7661,6 +7755,14 @@
}
}
},
+ "codersdk.CreateProvisionerKeyResponse": {
+ "type": "object",
+ "properties": {
+ "key": {
+ "type": "string"
+ }
+ }
+ },
"codersdk.CreateTemplateRequest": {
"type": "object",
"required": ["name", "template_version_id"],
@@ -9702,6 +9804,26 @@
"ProvisionerJobUnknown"
]
},
+ "codersdk.ProvisionerKey": {
+ "type": "object",
+ "properties": {
+ "created_at": {
+ "type": "string",
+ "format": "date-time"
+ },
+ "id": {
+ "type": "string",
+ "format": "uuid"
+ },
+ "name": {
+ "type": "string"
+ },
+ "organization": {
+ "type": "string",
+ "format": "uuid"
+ }
+ }
+ },
"codersdk.ProvisionerLogLevel": {
"type": "string",
"enum": ["debug"],
@@ -9819,6 +9941,7 @@
"organization",
"organization_member",
"provisioner_daemon",
+ "provisioner_keys",
"replicas",
"system",
"tailnet_coordinator",
@@ -9846,6 +9969,7 @@
"ResourceOrganization",
"ResourceOrganizationMember",
"ResourceProvisionerDaemon",
+ "ResourceProvisionerKeys",
"ResourceReplicas",
"ResourceSystem",
"ResourceTailnetCoordinator",
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
index 85df46dce620c..9f2de9088b5c5 100644
--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -1074,6 +1074,10 @@ func (q *querier) DeleteOrganizationMember(ctx context.Context, arg database.Del
}, q.db.DeleteOrganizationMember)(ctx, arg)
}
+func (q *querier) DeleteProvisionerKey(ctx context.Context, id uuid.UUID) error {
+ return deleteQ(q.log, q.auth, q.db.GetProvisionerKeyByID, q.db.DeleteProvisionerKey)(ctx, id)
+}
+
func (q *querier) DeleteReplicasUpdatedBefore(ctx context.Context, updatedAt time.Time) error {
if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceSystem); err != nil {
return err
@@ -1671,6 +1675,14 @@ func (q *querier) GetProvisionerJobsCreatedAfter(ctx context.Context, createdAt
return q.db.GetProvisionerJobsCreatedAfter(ctx, createdAt)
}
+func (q *querier) GetProvisionerKeyByID(ctx context.Context, id uuid.UUID) (database.ProvisionerKey, error) {
+ return fetch(q.log, q.auth, q.db.GetProvisionerKeyByID)(ctx, id)
+}
+
+func (q *querier) GetProvisionerKeyByName(ctx context.Context, name database.GetProvisionerKeyByNameParams) (database.ProvisionerKey, error) {
+ return fetch(q.log, q.auth, q.db.GetProvisionerKeyByName)(ctx, name)
+}
+
func (q *querier) GetProvisionerLogsAfterID(ctx context.Context, arg database.GetProvisionerLogsAfterIDParams) ([]database.ProvisionerJobLog, error) {
// Authorized read on job lets the actor also read the logs.
_, err := q.GetProvisionerJobByID(ctx, arg.JobID)
@@ -2615,6 +2627,10 @@ func (q *querier) InsertProvisionerJobLogs(ctx context.Context, arg database.Ins
return q.db.InsertProvisionerJobLogs(ctx, arg)
}
+func (q *querier) InsertProvisionerKey(ctx context.Context, arg database.InsertProvisionerKeyParams) (database.ProvisionerKey, error) {
+ return insert(q.log, q.auth, rbac.ResourceProvisionerKeys.InOrg(arg.OrganizationID).WithID(arg.ID), q.db.InsertProvisionerKey)(ctx, arg)
+}
+
func (q *querier) InsertReplica(ctx context.Context, arg database.InsertReplicaParams) (database.Replica, error) {
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceSystem); err != nil {
return database.Replica{}, err
@@ -2843,6 +2859,10 @@ func (q *querier) InsertWorkspaceResourceMetadata(ctx context.Context, arg datab
return q.db.InsertWorkspaceResourceMetadata(ctx, arg)
}
+func (q *querier) ListProvisionerKeysByOrganization(ctx context.Context, organizationID uuid.UUID) ([]database.ProvisionerKey, error) {
+ return fetchWithPostFilter(q.auth, policy.ActionRead, q.db.ListProvisionerKeysByOrganization)(ctx, organizationID)
+}
+
func (q *querier) ListWorkspaceAgentPortShares(ctx context.Context, workspaceID uuid.UUID) ([]database.WorkspaceAgentPortShare, error) {
workspace, err := q.db.GetWorkspaceByID(ctx, workspaceID)
if err != nil {
diff --git a/coderd/database/dbauthz/dbauthz_test.go b/coderd/database/dbauthz/dbauthz_test.go
index 52d375116e6a3..a7dc07367dd8f 100644
--- a/coderd/database/dbauthz/dbauthz_test.go
+++ b/coderd/database/dbauthz/dbauthz_test.go
@@ -5,6 +5,7 @@ import (
"database/sql"
"encoding/json"
"reflect"
+ "strings"
"testing"
"time"
@@ -1800,6 +1801,58 @@ func (s *MethodTestSuite) TestWorkspacePortSharing() {
}))
}
+func (s *MethodTestSuite) TestProvisionerKeys() {
+ s.Run("InsertProvisionerKey", s.Subtest(func(db database.Store, check *expects) {
+ org := dbgen.Organization(s.T(), db, database.Organization{})
+ pk := database.ProvisionerKey{
+ ID: uuid.New(),
+ CreatedAt: time.Now(),
+ OrganizationID: org.ID,
+ Name: strings.ToLower(coderdtest.RandomName(s.T())),
+ HashedSecret: []byte(coderdtest.RandomName(s.T())),
+ }
+ //nolint:gosimple // casting is not a simplification
+ check.Args(database.InsertProvisionerKeyParams{
+ ID: pk.ID,
+ CreatedAt: pk.CreatedAt,
+ OrganizationID: pk.OrganizationID,
+ Name: pk.Name,
+ HashedSecret: pk.HashedSecret,
+ }).Asserts(pk, policy.ActionCreate).Returns(pk)
+ }))
+ s.Run("GetProvisionerKeyByID", s.Subtest(func(db database.Store, check *expects) {
+ org := dbgen.Organization(s.T(), db, database.Organization{})
+ pk := dbgen.ProvisionerKey(s.T(), db, database.ProvisionerKey{OrganizationID: org.ID})
+ check.Args(pk.ID).Asserts(pk, policy.ActionRead).Returns(pk)
+ }))
+ s.Run("GetProvisionerKeyByName", s.Subtest(func(db database.Store, check *expects) {
+ org := dbgen.Organization(s.T(), db, database.Organization{})
+ pk := dbgen.ProvisionerKey(s.T(), db, database.ProvisionerKey{OrganizationID: org.ID})
+ check.Args(database.GetProvisionerKeyByNameParams{
+ OrganizationID: org.ID,
+ Name: pk.Name,
+ }).Asserts(pk, policy.ActionRead).Returns(pk)
+ }))
+ s.Run("ListProvisionerKeysByOrganization", s.Subtest(func(db database.Store, check *expects) {
+ org := dbgen.Organization(s.T(), db, database.Organization{})
+ pk := dbgen.ProvisionerKey(s.T(), db, database.ProvisionerKey{OrganizationID: org.ID})
+ pks := []database.ProvisionerKey{
+ {
+ ID: pk.ID,
+ CreatedAt: pk.CreatedAt,
+ OrganizationID: pk.OrganizationID,
+ Name: pk.Name,
+ },
+ }
+ check.Args(org.ID).Asserts(pk, policy.ActionRead).Returns(pks)
+ }))
+ s.Run("DeleteProvisionerKey", s.Subtest(func(db database.Store, check *expects) {
+ org := dbgen.Organization(s.T(), db, database.Organization{})
+ pk := dbgen.ProvisionerKey(s.T(), db, database.ProvisionerKey{OrganizationID: org.ID})
+ check.Args(pk.ID).Asserts(pk, policy.ActionDelete).Returns()
+ }))
+}
+
func (s *MethodTestSuite) TestExtraMethods() {
s.Run("GetProvisionerDaemons", s.Subtest(func(db database.Store, check *expects) {
d, err := db.UpsertProvisionerDaemon(context.Background(), database.UpsertProvisionerDaemonParams{
diff --git a/coderd/database/dbgen/dbgen.go b/coderd/database/dbgen/dbgen.go
index d2b66e5d4b6df..29f7b1f2e5a69 100644
--- a/coderd/database/dbgen/dbgen.go
+++ b/coderd/database/dbgen/dbgen.go
@@ -465,6 +465,18 @@ func ProvisionerJob(t testing.TB, db database.Store, ps pubsub.Pubsub, orig data
return job
}
+func ProvisionerKey(t testing.TB, db database.Store, orig database.ProvisionerKey) database.ProvisionerKey {
+ key, err := db.InsertProvisionerKey(genCtx, database.InsertProvisionerKeyParams{
+ ID: takeFirst(orig.ID, uuid.New()),
+ CreatedAt: takeFirst(orig.CreatedAt, dbtime.Now()),
+ OrganizationID: takeFirst(orig.OrganizationID, uuid.New()),
+ Name: takeFirst(orig.Name, namesgenerator.GetRandomName(1)),
+ HashedSecret: orig.HashedSecret,
+ })
+ require.NoError(t, err, "insert provisioner key")
+ return key
+}
+
func WorkspaceApp(t testing.TB, db database.Store, orig database.WorkspaceApp) database.WorkspaceApp {
resource, err := db.InsertWorkspaceApp(genCtx, database.InsertWorkspaceAppParams{
ID: takeFirst(orig.ID, uuid.New()),
diff --git a/coderd/database/dbmem/dbmem.go b/coderd/database/dbmem/dbmem.go
index 9effbe1bb69f2..198b4b4f3b6a9 100644
--- a/coderd/database/dbmem/dbmem.go
+++ b/coderd/database/dbmem/dbmem.go
@@ -168,6 +168,7 @@ type data struct {
provisionerDaemons []database.ProvisionerDaemon
provisionerJobLogs []database.ProvisionerJobLog
provisionerJobs []database.ProvisionerJob
+ provisionerKeys []database.ProvisionerKey
replicas []database.Replica
templateVersions []database.TemplateVersionTable
templateVersionParameters []database.TemplateVersionParameter
@@ -268,6 +269,13 @@ func validateDatabaseType(args interface{}) error {
return nil
}
+func newUniqueConstraintError(uc database.UniqueConstraint) *pq.Error {
+ newErr := *errUniqueConstraint
+ newErr.Constraint = string(uc)
+
+ return &newErr
+}
+
func (*FakeQuerier) Ping(_ context.Context) (time.Duration, error) {
return 0, nil
}
@@ -1734,6 +1742,20 @@ func (q *FakeQuerier) DeleteOrganizationMember(_ context.Context, arg database.D
return nil
}
+func (q *FakeQuerier) DeleteProvisionerKey(_ context.Context, id uuid.UUID) error {
+ q.mutex.Lock()
+ defer q.mutex.Unlock()
+
+ for i, key := range q.provisionerKeys {
+ if key.ID == id {
+ q.provisionerKeys = append(q.provisionerKeys[:i], q.provisionerKeys[i+1:]...)
+ return nil
+ }
+ }
+
+ return sql.ErrNoRows
+}
+
func (q *FakeQuerier) DeleteReplicasUpdatedBefore(_ context.Context, before time.Time) error {
q.mutex.Lock()
defer q.mutex.Unlock()
@@ -3195,6 +3217,32 @@ func (q *FakeQuerier) GetProvisionerJobsCreatedAfter(_ context.Context, after ti
return jobs, nil
}
+func (q *FakeQuerier) GetProvisionerKeyByID(_ context.Context, id uuid.UUID) (database.ProvisionerKey, error) {
+ q.mutex.RLock()
+ defer q.mutex.RUnlock()
+
+ for _, key := range q.provisionerKeys {
+ if key.ID == id {
+ return key, nil
+ }
+ }
+
+ return database.ProvisionerKey{}, sql.ErrNoRows
+}
+
+func (q *FakeQuerier) GetProvisionerKeyByName(_ context.Context, arg database.GetProvisionerKeyByNameParams) (database.ProvisionerKey, error) {
+ q.mutex.RLock()
+ defer q.mutex.RUnlock()
+
+ for _, key := range q.provisionerKeys {
+ if strings.EqualFold(key.Name, arg.Name) && key.OrganizationID == arg.OrganizationID {
+ return key, nil
+ }
+ }
+
+ return database.ProvisionerKey{}, sql.ErrNoRows
+}
+
func (q *FakeQuerier) GetProvisionerLogsAfterID(_ context.Context, arg database.GetProvisionerLogsAfterIDParams) ([]database.ProvisionerJobLog, error) {
if err := validateDatabaseType(arg); err != nil {
return nil, err
@@ -6493,6 +6541,34 @@ func (q *FakeQuerier) InsertProvisionerJobLogs(_ context.Context, arg database.I
return logs, nil
}
+func (q *FakeQuerier) InsertProvisionerKey(_ context.Context, arg database.InsertProvisionerKeyParams) (database.ProvisionerKey, error) {
+ err := validateDatabaseType(arg)
+ if err != nil {
+ return database.ProvisionerKey{}, err
+ }
+
+ q.mutex.Lock()
+ defer q.mutex.Unlock()
+
+ for _, key := range q.provisionerKeys {
+ if key.ID == arg.ID || (key.OrganizationID == arg.OrganizationID && strings.EqualFold(key.Name, arg.Name)) {
+ return database.ProvisionerKey{}, newUniqueConstraintError(database.UniqueProvisionerKeysOrganizationIDNameIndex)
+ }
+ }
+
+ //nolint:gosimple
+ provisionerKey := database.ProvisionerKey{
+ ID: arg.ID,
+ CreatedAt: arg.CreatedAt,
+ OrganizationID: arg.OrganizationID,
+ Name: strings.ToLower(arg.Name),
+ HashedSecret: arg.HashedSecret,
+ }
+ q.provisionerKeys = append(q.provisionerKeys, provisionerKey)
+
+ return provisionerKey, nil
+}
+
func (q *FakeQuerier) InsertReplica(_ context.Context, arg database.InsertReplicaParams) (database.Replica, error) {
if err := validateDatabaseType(arg); err != nil {
return database.Replica{}, err
@@ -7170,6 +7246,26 @@ func (q *FakeQuerier) InsertWorkspaceResourceMetadata(_ context.Context, arg dat
return metadata, nil
}
+func (q *FakeQuerier) ListProvisionerKeysByOrganization(_ context.Context, organizationID uuid.UUID) ([]database.ProvisionerKey, error) {
+ q.mutex.RLock()
+ defer q.mutex.RUnlock()
+
+ keys := make([]database.ProvisionerKey, 0)
+ for _, key := range q.provisionerKeys {
+ if key.OrganizationID == organizationID {
+ keys = append(keys, database.ProvisionerKey{
+ ID: key.ID,
+ CreatedAt: key.CreatedAt,
+ OrganizationID: key.OrganizationID,
+ Name: key.Name,
+ HashedSecret: key.HashedSecret,
+ })
+ }
+ }
+
+ return keys, nil
+}
+
func (q *FakeQuerier) ListWorkspaceAgentPortShares(_ context.Context, workspaceID uuid.UUID) ([]database.WorkspaceAgentPortShare, error) {
q.mutex.Lock()
defer q.mutex.Unlock()
diff --git a/coderd/database/dbmetrics/dbmetrics.go b/coderd/database/dbmetrics/dbmetrics.go
index e705deafaf315..f249a78436153 100644
--- a/coderd/database/dbmetrics/dbmetrics.go
+++ b/coderd/database/dbmetrics/dbmetrics.go
@@ -326,6 +326,13 @@ func (m metricsStore) DeleteOrganizationMember(ctx context.Context, arg database
return r0
}
+func (m metricsStore) DeleteProvisionerKey(ctx context.Context, id uuid.UUID) error {
+ start := time.Now()
+ r0 := m.s.DeleteProvisionerKey(ctx, id)
+ m.queryLatencies.WithLabelValues("DeleteProvisionerKey").Observe(time.Since(start).Seconds())
+ return r0
+}
+
func (m metricsStore) DeleteReplicasUpdatedBefore(ctx context.Context, updatedAt time.Time) error {
start := time.Now()
err := m.s.DeleteReplicasUpdatedBefore(ctx, updatedAt)
@@ -900,6 +907,20 @@ func (m metricsStore) GetProvisionerJobsCreatedAfter(ctx context.Context, create
return jobs, err
}
+func (m metricsStore) GetProvisionerKeyByID(ctx context.Context, id uuid.UUID) (database.ProvisionerKey, error) {
+ start := time.Now()
+ r0, r1 := m.s.GetProvisionerKeyByID(ctx, id)
+ m.queryLatencies.WithLabelValues("GetProvisionerKeyByID").Observe(time.Since(start).Seconds())
+ return r0, r1
+}
+
+func (m metricsStore) GetProvisionerKeyByName(ctx context.Context, name database.GetProvisionerKeyByNameParams) (database.ProvisionerKey, error) {
+ start := time.Now()
+ r0, r1 := m.s.GetProvisionerKeyByName(ctx, name)
+ m.queryLatencies.WithLabelValues("GetProvisionerKeyByName").Observe(time.Since(start).Seconds())
+ return r0, r1
+}
+
func (m metricsStore) GetProvisionerLogsAfterID(ctx context.Context, arg database.GetProvisionerLogsAfterIDParams) ([]database.ProvisionerJobLog, error) {
start := time.Now()
logs, err := m.s.GetProvisionerLogsAfterID(ctx, arg)
@@ -1642,6 +1663,13 @@ func (m metricsStore) InsertProvisionerJobLogs(ctx context.Context, arg database
return logs, err
}
+func (m metricsStore) InsertProvisionerKey(ctx context.Context, arg database.InsertProvisionerKeyParams) (database.ProvisionerKey, error) {
+ start := time.Now()
+ r0, r1 := m.s.InsertProvisionerKey(ctx, arg)
+ m.queryLatencies.WithLabelValues("InsertProvisionerKey").Observe(time.Since(start).Seconds())
+ return r0, r1
+}
+
func (m metricsStore) InsertReplica(ctx context.Context, arg database.InsertReplicaParams) (database.Replica, error) {
start := time.Now()
replica, err := m.s.InsertReplica(ctx, arg)
@@ -1803,6 +1831,13 @@ func (m metricsStore) InsertWorkspaceResourceMetadata(ctx context.Context, arg d
return metadata, err
}
+func (m metricsStore) ListProvisionerKeysByOrganization(ctx context.Context, organizationID uuid.UUID) ([]database.ProvisionerKey, error) {
+ start := time.Now()
+ r0, r1 := m.s.ListProvisionerKeysByOrganization(ctx, organizationID)
+ m.queryLatencies.WithLabelValues("ListProvisionerKeysByOrganization").Observe(time.Since(start).Seconds())
+ return r0, r1
+}
+
func (m metricsStore) ListWorkspaceAgentPortShares(ctx context.Context, workspaceID uuid.UUID) ([]database.WorkspaceAgentPortShare, error) {
start := time.Now()
r0, r1 := m.s.ListWorkspaceAgentPortShares(ctx, workspaceID)
diff --git a/coderd/database/dbmock/dbmock.go b/coderd/database/dbmock/dbmock.go
index b69d982e46cc6..093869e655583 100644
--- a/coderd/database/dbmock/dbmock.go
+++ b/coderd/database/dbmock/dbmock.go
@@ -542,6 +542,20 @@ func (mr *MockStoreMockRecorder) DeleteOrganizationMember(arg0, arg1 any) *gomoc
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteOrganizationMember", reflect.TypeOf((*MockStore)(nil).DeleteOrganizationMember), arg0, arg1)
}
+// DeleteProvisionerKey mocks base method.
+func (m *MockStore) DeleteProvisionerKey(arg0 context.Context, arg1 uuid.UUID) error {
+ m.ctrl.T.Helper()
+ ret := m.ctrl.Call(m, "DeleteProvisionerKey", arg0, arg1)
+ ret0, _ := ret[0].(error)
+ return ret0
+}
+
+// DeleteProvisionerKey indicates an expected call of DeleteProvisionerKey.
+func (mr *MockStoreMockRecorder) DeleteProvisionerKey(arg0, arg1 any) *gomock.Call {
+ mr.mock.ctrl.T.Helper()
+ return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteProvisionerKey", reflect.TypeOf((*MockStore)(nil).DeleteProvisionerKey), arg0, arg1)
+}
+
// DeleteReplicasUpdatedBefore mocks base method.
func (m *MockStore) DeleteReplicasUpdatedBefore(arg0 context.Context, arg1 time.Time) error {
m.ctrl.T.Helper()
@@ -1811,6 +1825,36 @@ func (mr *MockStoreMockRecorder) GetProvisionerJobsCreatedAfter(arg0, arg1 any)
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetProvisionerJobsCreatedAfter", reflect.TypeOf((*MockStore)(nil).GetProvisionerJobsCreatedAfter), arg0, arg1)
}
+// GetProvisionerKeyByID mocks base method.
+func (m *MockStore) GetProvisionerKeyByID(arg0 context.Context, arg1 uuid.UUID) (database.ProvisionerKey, error) {
+ m.ctrl.T.Helper()
+ ret := m.ctrl.Call(m, "GetProvisionerKeyByID", arg0, arg1)
+ ret0, _ := ret[0].(database.ProvisionerKey)
+ ret1, _ := ret[1].(error)
+ return ret0, ret1
+}
+
+// GetProvisionerKeyByID indicates an expected call of GetProvisionerKeyByID.
+func (mr *MockStoreMockRecorder) GetProvisionerKeyByID(arg0, arg1 any) *gomock.Call {
+ mr.mock.ctrl.T.Helper()
+ return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetProvisionerKeyByID", reflect.TypeOf((*MockStore)(nil).GetProvisionerKeyByID), arg0, arg1)
+}
+
+// GetProvisionerKeyByName mocks base method.
+func (m *MockStore) GetProvisionerKeyByName(arg0 context.Context, arg1 database.GetProvisionerKeyByNameParams) (database.ProvisionerKey, error) {
+ m.ctrl.T.Helper()
+ ret := m.ctrl.Call(m, "GetProvisionerKeyByName", arg0, arg1)
+ ret0, _ := ret[0].(database.ProvisionerKey)
+ ret1, _ := ret[1].(error)
+ return ret0, ret1
+}
+
+// GetProvisionerKeyByName indicates an expected call of GetProvisionerKeyByName.
+func (mr *MockStoreMockRecorder) GetProvisionerKeyByName(arg0, arg1 any) *gomock.Call {
+ mr.mock.ctrl.T.Helper()
+ return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetProvisionerKeyByName", reflect.TypeOf((*MockStore)(nil).GetProvisionerKeyByName), arg0, arg1)
+}
+
// GetProvisionerLogsAfterID mocks base method.
func (m *MockStore) GetProvisionerLogsAfterID(arg0 context.Context, arg1 database.GetProvisionerLogsAfterIDParams) ([]database.ProvisionerJobLog, error) {
m.ctrl.T.Helper()
@@ -3441,6 +3485,21 @@ func (mr *MockStoreMockRecorder) InsertProvisionerJobLogs(arg0, arg1 any) *gomoc
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "InsertProvisionerJobLogs", reflect.TypeOf((*MockStore)(nil).InsertProvisionerJobLogs), arg0, arg1)
}
+// InsertProvisionerKey mocks base method.
+func (m *MockStore) InsertProvisionerKey(arg0 context.Context, arg1 database.InsertProvisionerKeyParams) (database.ProvisionerKey, error) {
+ m.ctrl.T.Helper()
+ ret := m.ctrl.Call(m, "InsertProvisionerKey", arg0, arg1)
+ ret0, _ := ret[0].(database.ProvisionerKey)
+ ret1, _ := ret[1].(error)
+ return ret0, ret1
+}
+
+// InsertProvisionerKey indicates an expected call of InsertProvisionerKey.
+func (mr *MockStoreMockRecorder) InsertProvisionerKey(arg0, arg1 any) *gomock.Call {
+ mr.mock.ctrl.T.Helper()
+ return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "InsertProvisionerKey", reflect.TypeOf((*MockStore)(nil).InsertProvisionerKey), arg0, arg1)
+}
+
// InsertReplica mocks base method.
func (m *MockStore) InsertReplica(arg0 context.Context, arg1 database.InsertReplicaParams) (database.Replica, error) {
m.ctrl.T.Helper()
@@ -3778,6 +3837,21 @@ func (mr *MockStoreMockRecorder) InsertWorkspaceResourceMetadata(arg0, arg1 any)
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "InsertWorkspaceResourceMetadata", reflect.TypeOf((*MockStore)(nil).InsertWorkspaceResourceMetadata), arg0, arg1)
}
+// ListProvisionerKeysByOrganization mocks base method.
+func (m *MockStore) ListProvisionerKeysByOrganization(arg0 context.Context, arg1 uuid.UUID) ([]database.ProvisionerKey, error) {
+ m.ctrl.T.Helper()
+ ret := m.ctrl.Call(m, "ListProvisionerKeysByOrganization", arg0, arg1)
+ ret0, _ := ret[0].([]database.ProvisionerKey)
+ ret1, _ := ret[1].(error)
+ return ret0, ret1
+}
+
+// ListProvisionerKeysByOrganization indicates an expected call of ListProvisionerKeysByOrganization.
+func (mr *MockStoreMockRecorder) ListProvisionerKeysByOrganization(arg0, arg1 any) *gomock.Call {
+ mr.mock.ctrl.T.Helper()
+ return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ListProvisionerKeysByOrganization", reflect.TypeOf((*MockStore)(nil).ListProvisionerKeysByOrganization), arg0, arg1)
+}
+
// ListWorkspaceAgentPortShares mocks base method.
func (m *MockStore) ListWorkspaceAgentPortShares(arg0 context.Context, arg1 uuid.UUID) ([]database.WorkspaceAgentPortShare, error) {
m.ctrl.T.Helper()
diff --git a/coderd/database/dump.sql b/coderd/database/dump.sql
index 4f2d21e19b37e..d07519cff7de0 100644
--- a/coderd/database/dump.sql
+++ b/coderd/database/dump.sql
@@ -749,6 +749,14 @@ END) STORED NOT NULL
COMMENT ON COLUMN provisioner_jobs.job_status IS 'Computed column to track the status of the job.';
+CREATE TABLE provisioner_keys (
+ id uuid NOT NULL,
+ created_at timestamp with time zone NOT NULL,
+ organization_id uuid NOT NULL,
+ name character varying(64) NOT NULL,
+ hashed_secret bytea NOT NULL
+);
+
CREATE TABLE replicas (
id uuid NOT NULL,
created_at timestamp with time zone NOT NULL,
@@ -1584,6 +1592,9 @@ ALTER TABLE ONLY provisioner_job_logs
ALTER TABLE ONLY provisioner_jobs
ADD CONSTRAINT provisioner_jobs_pkey PRIMARY KEY (id);
+ALTER TABLE ONLY provisioner_keys
+ ADD CONSTRAINT provisioner_keys_pkey PRIMARY KEY (id);
+
ALTER TABLE ONLY site_configs
ADD CONSTRAINT site_configs_key_key UNIQUE (key);
@@ -1743,6 +1754,8 @@ CREATE INDEX provisioner_job_logs_id_job_id_idx ON provisioner_job_logs USING bt
CREATE INDEX provisioner_jobs_started_at_idx ON provisioner_jobs USING btree (started_at) WHERE (started_at IS NULL);
+CREATE UNIQUE INDEX provisioner_keys_organization_id_name_idx ON provisioner_keys USING btree (organization_id, lower((name)::text));
+
CREATE INDEX template_usage_stats_start_time_idx ON template_usage_stats USING btree (start_time DESC);
COMMENT ON INDEX template_usage_stats_start_time_idx IS 'Index for querying MAX(start_time).';
@@ -1867,6 +1880,9 @@ ALTER TABLE ONLY provisioner_job_logs
ALTER TABLE ONLY provisioner_jobs
ADD CONSTRAINT provisioner_jobs_organization_id_fkey FOREIGN KEY (organization_id) REFERENCES organizations(id) ON DELETE CASCADE;
+ALTER TABLE ONLY provisioner_keys
+ ADD CONSTRAINT provisioner_keys_organization_id_fkey FOREIGN KEY (organization_id) REFERENCES organizations(id) ON DELETE CASCADE;
+
ALTER TABLE ONLY tailnet_agents
ADD CONSTRAINT tailnet_agents_coordinator_id_fkey FOREIGN KEY (coordinator_id) REFERENCES tailnet_coordinators(id) ON DELETE CASCADE;
diff --git a/coderd/database/foreign_key_constraint.go b/coderd/database/foreign_key_constraint.go
index 3a9557a9758dd..6e6eef8862b72 100644
--- a/coderd/database/foreign_key_constraint.go
+++ b/coderd/database/foreign_key_constraint.go
@@ -28,6 +28,7 @@ const (
ForeignKeyProvisionerDaemonsOrganizationID ForeignKeyConstraint = "provisioner_daemons_organization_id_fkey" // ALTER TABLE ONLY provisioner_daemons ADD CONSTRAINT provisioner_daemons_organization_id_fkey FOREIGN KEY (organization_id) REFERENCES organizations(id) ON DELETE CASCADE;
ForeignKeyProvisionerJobLogsJobID ForeignKeyConstraint = "provisioner_job_logs_job_id_fkey" // ALTER TABLE ONLY provisioner_job_logs ADD CONSTRAINT provisioner_job_logs_job_id_fkey FOREIGN KEY (job_id) REFERENCES provisioner_jobs(id) ON DELETE CASCADE;
ForeignKeyProvisionerJobsOrganizationID ForeignKeyConstraint = "provisioner_jobs_organization_id_fkey" // ALTER TABLE ONLY provisioner_jobs ADD CONSTRAINT provisioner_jobs_organization_id_fkey FOREIGN KEY (organization_id) REFERENCES organizations(id) ON DELETE CASCADE;
+ ForeignKeyProvisionerKeysOrganizationID ForeignKeyConstraint = "provisioner_keys_organization_id_fkey" // ALTER TABLE ONLY provisioner_keys ADD CONSTRAINT provisioner_keys_organization_id_fkey FOREIGN KEY (organization_id) REFERENCES organizations(id) ON DELETE CASCADE;
ForeignKeyTailnetAgentsCoordinatorID ForeignKeyConstraint = "tailnet_agents_coordinator_id_fkey" // ALTER TABLE ONLY tailnet_agents ADD CONSTRAINT tailnet_agents_coordinator_id_fkey FOREIGN KEY (coordinator_id) REFERENCES tailnet_coordinators(id) ON DELETE CASCADE;
ForeignKeyTailnetClientSubscriptionsCoordinatorID ForeignKeyConstraint = "tailnet_client_subscriptions_coordinator_id_fkey" // ALTER TABLE ONLY tailnet_client_subscriptions ADD CONSTRAINT tailnet_client_subscriptions_coordinator_id_fkey FOREIGN KEY (coordinator_id) REFERENCES tailnet_coordinators(id) ON DELETE CASCADE;
ForeignKeyTailnetClientsCoordinatorID ForeignKeyConstraint = "tailnet_clients_coordinator_id_fkey" // ALTER TABLE ONLY tailnet_clients ADD CONSTRAINT tailnet_clients_coordinator_id_fkey FOREIGN KEY (coordinator_id) REFERENCES tailnet_coordinators(id) ON DELETE CASCADE;
diff --git a/coderd/database/migrations/000227_provisioner_keys.down.sql b/coderd/database/migrations/000227_provisioner_keys.down.sql
new file mode 100644
index 0000000000000..264b235facff2
--- /dev/null
+++ b/coderd/database/migrations/000227_provisioner_keys.down.sql
@@ -0,0 +1 @@
+DROP TABLE provisioner_keys;
diff --git a/coderd/database/migrations/000227_provisioner_keys.up.sql b/coderd/database/migrations/000227_provisioner_keys.up.sql
new file mode 100644
index 0000000000000..44942f729f19b
--- /dev/null
+++ b/coderd/database/migrations/000227_provisioner_keys.up.sql
@@ -0,0 +1,9 @@
+CREATE TABLE provisioner_keys (
+ id uuid PRIMARY KEY,
+ created_at timestamptz NOT NULL,
+ organization_id uuid NOT NULL REFERENCES organizations (id) ON DELETE CASCADE,
+ name varchar(64) NOT NULL,
+ hashed_secret bytea NOT NULL
+);
+
+CREATE UNIQUE INDEX provisioner_keys_organization_id_name_idx ON provisioner_keys USING btree (organization_id, lower(name));
diff --git a/coderd/database/migrations/testdata/fixtures/000227_provisioner_keys.up.sql b/coderd/database/migrations/testdata/fixtures/000227_provisioner_keys.up.sql
new file mode 100644
index 0000000000000..418e519677518
--- /dev/null
+++ b/coderd/database/migrations/testdata/fixtures/000227_provisioner_keys.up.sql
@@ -0,0 +1,4 @@
+INSERT INTO provisioner_keys
+ (id, created_at, organization_id, name, hashed_secret)
+VALUES
+ ('b90547be-8870-4d68-8184-e8b2242b7c01', '2021-06-01 00:00:00', 'bb640d07-ca8a-4869-b6bc-ae61ebb2fda1', 'qua', '\xDEADBEEF'::bytea);
diff --git a/coderd/database/modelmethods.go b/coderd/database/modelmethods.go
index f8a3fc2c537b1..85d08cbfba8ec 100644
--- a/coderd/database/modelmethods.go
+++ b/coderd/database/modelmethods.go
@@ -212,6 +212,12 @@ func (p ProvisionerDaemon) RBACObject() rbac.Object {
return rbac.ResourceProvisionerDaemon.WithID(p.ID)
}
+func (p ProvisionerKey) RBACObject() rbac.Object {
+ return rbac.ResourceProvisionerKeys.
+ WithID(p.ID).
+ InOrg(p.OrganizationID)
+}
+
func (w WorkspaceProxy) RBACObject() rbac.Object {
return rbac.ResourceWorkspaceProxy.
WithID(w.ID)
diff --git a/coderd/database/models.go b/coderd/database/models.go
index 8ace22909db93..9b35e1c0f79b3 100644
--- a/coderd/database/models.go
+++ b/coderd/database/models.go
@@ -2185,6 +2185,14 @@ type ProvisionerJobLog struct {
ID int64 `db:"id" json:"id"`
}
+type ProvisionerKey struct {
+ ID uuid.UUID `db:"id" json:"id"`
+ CreatedAt time.Time `db:"created_at" json:"created_at"`
+ OrganizationID uuid.UUID `db:"organization_id" json:"organization_id"`
+ Name string `db:"name" json:"name"`
+ HashedSecret []byte `db:"hashed_secret" json:"hashed_secret"`
+}
+
type Replica struct {
ID uuid.UUID `db:"id" json:"id"`
CreatedAt time.Time `db:"created_at" json:"created_at"`
diff --git a/coderd/database/querier.go b/coderd/database/querier.go
index 917db96b207d1..2a8153deec2d1 100644
--- a/coderd/database/querier.go
+++ b/coderd/database/querier.go
@@ -92,6 +92,7 @@ type sqlcQuerier interface {
DeleteOldWorkspaceAgentStats(ctx context.Context) error
DeleteOrganization(ctx context.Context, id uuid.UUID) error
DeleteOrganizationMember(ctx context.Context, arg DeleteOrganizationMemberParams) error
+ DeleteProvisionerKey(ctx context.Context, id uuid.UUID) error
DeleteReplicasUpdatedBefore(ctx context.Context, updatedAt time.Time) error
DeleteTailnetAgent(ctx context.Context, arg DeleteTailnetAgentParams) (DeleteTailnetAgentRow, error)
DeleteTailnetClient(ctx context.Context, arg DeleteTailnetClientParams) (DeleteTailnetClientRow, error)
@@ -184,6 +185,8 @@ type sqlcQuerier interface {
GetProvisionerJobsByIDs(ctx context.Context, ids []uuid.UUID) ([]ProvisionerJob, error)
GetProvisionerJobsByIDsWithQueuePosition(ctx context.Context, ids []uuid.UUID) ([]GetProvisionerJobsByIDsWithQueuePositionRow, error)
GetProvisionerJobsCreatedAfter(ctx context.Context, createdAt time.Time) ([]ProvisionerJob, error)
+ GetProvisionerKeyByID(ctx context.Context, id uuid.UUID) (ProvisionerKey, error)
+ GetProvisionerKeyByName(ctx context.Context, arg GetProvisionerKeyByNameParams) (ProvisionerKey, error)
GetProvisionerLogsAfterID(ctx context.Context, arg GetProvisionerLogsAfterIDParams) ([]ProvisionerJobLog, error)
GetQuotaAllowanceForUser(ctx context.Context, userID uuid.UUID) (int64, error)
GetQuotaConsumedForUser(ctx context.Context, ownerID uuid.UUID) (int64, error)
@@ -346,6 +349,7 @@ type sqlcQuerier interface {
InsertOrganizationMember(ctx context.Context, arg InsertOrganizationMemberParams) (OrganizationMember, error)
InsertProvisionerJob(ctx context.Context, arg InsertProvisionerJobParams) (ProvisionerJob, error)
InsertProvisionerJobLogs(ctx context.Context, arg InsertProvisionerJobLogsParams) ([]ProvisionerJobLog, error)
+ InsertProvisionerKey(ctx context.Context, arg InsertProvisionerKeyParams) (ProvisionerKey, error)
InsertReplica(ctx context.Context, arg InsertReplicaParams) (Replica, error)
InsertTemplate(ctx context.Context, arg InsertTemplateParams) error
InsertTemplateVersion(ctx context.Context, arg InsertTemplateVersionParams) error
@@ -370,6 +374,7 @@ type sqlcQuerier interface {
InsertWorkspaceProxy(ctx context.Context, arg InsertWorkspaceProxyParams) (WorkspaceProxy, error)
InsertWorkspaceResource(ctx context.Context, arg InsertWorkspaceResourceParams) (WorkspaceResource, error)
InsertWorkspaceResourceMetadata(ctx context.Context, arg InsertWorkspaceResourceMetadataParams) ([]WorkspaceResourceMetadatum, error)
+ ListProvisionerKeysByOrganization(ctx context.Context, organizationID uuid.UUID) ([]ProvisionerKey, error)
ListWorkspaceAgentPortShares(ctx context.Context, workspaceID uuid.UUID) ([]WorkspaceAgentPortShare, error)
// Arguments are optional with uuid.Nil to ignore.
// - Use just 'organization_id' to get all members of an org
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
index ee439996e34dd..cd23525773047 100644
--- a/coderd/database/queries.sql.go
+++ b/coderd/database/queries.sql.go
@@ -5455,6 +5455,147 @@ func (q *sqlQuerier) UpdateProvisionerJobWithCompleteByID(ctx context.Context, a
return err
}
+const deleteProvisionerKey = `-- name: DeleteProvisionerKey :exec
+DELETE FROM
+ provisioner_keys
+WHERE
+ id = $1
+`
+
+func (q *sqlQuerier) DeleteProvisionerKey(ctx context.Context, id uuid.UUID) error {
+ _, err := q.db.ExecContext(ctx, deleteProvisionerKey, id)
+ return err
+}
+
+const getProvisionerKeyByID = `-- name: GetProvisionerKeyByID :one
+SELECT
+ id, created_at, organization_id, name, hashed_secret
+FROM
+ provisioner_keys
+WHERE
+ id = $1
+`
+
+func (q *sqlQuerier) GetProvisionerKeyByID(ctx context.Context, id uuid.UUID) (ProvisionerKey, error) {
+ row := q.db.QueryRowContext(ctx, getProvisionerKeyByID, id)
+ var i ProvisionerKey
+ err := row.Scan(
+ &i.ID,
+ &i.CreatedAt,
+ &i.OrganizationID,
+ &i.Name,
+ &i.HashedSecret,
+ )
+ return i, err
+}
+
+const getProvisionerKeyByName = `-- name: GetProvisionerKeyByName :one
+SELECT
+ id, created_at, organization_id, name, hashed_secret
+FROM
+ provisioner_keys
+WHERE
+ organization_id = $1
+AND
+ lower(name) = lower($2)
+`
+
+type GetProvisionerKeyByNameParams struct {
+ OrganizationID uuid.UUID `db:"organization_id" json:"organization_id"`
+ Name string `db:"name" json:"name"`
+}
+
+func (q *sqlQuerier) GetProvisionerKeyByName(ctx context.Context, arg GetProvisionerKeyByNameParams) (ProvisionerKey, error) {
+ row := q.db.QueryRowContext(ctx, getProvisionerKeyByName, arg.OrganizationID, arg.Name)
+ var i ProvisionerKey
+ err := row.Scan(
+ &i.ID,
+ &i.CreatedAt,
+ &i.OrganizationID,
+ &i.Name,
+ &i.HashedSecret,
+ )
+ return i, err
+}
+
+const insertProvisionerKey = `-- name: InsertProvisionerKey :one
+INSERT INTO
+ provisioner_keys (
+ id,
+ created_at,
+ organization_id,
+ name,
+ hashed_secret
+ )
+VALUES
+ ($1, $2, $3, lower($5), $4) RETURNING id, created_at, organization_id, name, hashed_secret
+`
+
+type InsertProvisionerKeyParams struct {
+ ID uuid.UUID `db:"id" json:"id"`
+ CreatedAt time.Time `db:"created_at" json:"created_at"`
+ OrganizationID uuid.UUID `db:"organization_id" json:"organization_id"`
+ HashedSecret []byte `db:"hashed_secret" json:"hashed_secret"`
+ Name string `db:"name" json:"name"`
+}
+
+func (q *sqlQuerier) InsertProvisionerKey(ctx context.Context, arg InsertProvisionerKeyParams) (ProvisionerKey, error) {
+ row := q.db.QueryRowContext(ctx, insertProvisionerKey,
+ arg.ID,
+ arg.CreatedAt,
+ arg.OrganizationID,
+ arg.HashedSecret,
+ arg.Name,
+ )
+ var i ProvisionerKey
+ err := row.Scan(
+ &i.ID,
+ &i.CreatedAt,
+ &i.OrganizationID,
+ &i.Name,
+ &i.HashedSecret,
+ )
+ return i, err
+}
+
+const listProvisionerKeysByOrganization = `-- name: ListProvisionerKeysByOrganization :many
+SELECT
+ id, created_at, organization_id, name, hashed_secret
+FROM
+ provisioner_keys
+WHERE
+ organization_id = $1
+`
+
+func (q *sqlQuerier) ListProvisionerKeysByOrganization(ctx context.Context, organizationID uuid.UUID) ([]ProvisionerKey, error) {
+ rows, err := q.db.QueryContext(ctx, listProvisionerKeysByOrganization, organizationID)
+ if err != nil {
+ return nil, err
+ }
+ defer rows.Close()
+ var items []ProvisionerKey
+ for rows.Next() {
+ var i ProvisionerKey
+ if err := rows.Scan(
+ &i.ID,
+ &i.CreatedAt,
+ &i.OrganizationID,
+ &i.Name,
+ &i.HashedSecret,
+ ); err != nil {
+ return nil, err
+ }
+ items = append(items, i)
+ }
+ if err := rows.Close(); err != nil {
+ return nil, err
+ }
+ if err := rows.Err(); err != nil {
+ return nil, err
+ }
+ return items, nil
+}
+
const getWorkspaceProxies = `-- name: GetWorkspaceProxies :many
SELECT
id, name, display_name, icon, url, wildcard_hostname, created_at, updated_at, deleted, token_hashed_secret, region_id, derp_enabled, derp_only, version
diff --git a/coderd/database/queries/provisionerkeys.sql b/coderd/database/queries/provisionerkeys.sql
new file mode 100644
index 0000000000000..22e714eca350d
--- /dev/null
+++ b/coderd/database/queries/provisionerkeys.sql
@@ -0,0 +1,43 @@
+-- name: InsertProvisionerKey :one
+INSERT INTO
+ provisioner_keys (
+ id,
+ created_at,
+ organization_id,
+ name,
+ hashed_secret
+ )
+VALUES
+ ($1, $2, $3, lower(@name), $4) RETURNING *;
+
+-- name: GetProvisionerKeyByID :one
+SELECT
+ *
+FROM
+ provisioner_keys
+WHERE
+ id = $1;
+
+-- name: GetProvisionerKeyByName :one
+SELECT
+ *
+FROM
+ provisioner_keys
+WHERE
+ organization_id = $1
+AND
+ lower(name) = lower(@name);
+
+-- name: ListProvisionerKeysByOrganization :many
+SELECT
+ *
+FROM
+ provisioner_keys
+WHERE
+ organization_id = $1;
+
+-- name: DeleteProvisionerKey :exec
+DELETE FROM
+ provisioner_keys
+WHERE
+ id = $1;
diff --git a/coderd/database/unique_constraint.go b/coderd/database/unique_constraint.go
index d090af80626b8..aecae02d572ff 100644
--- a/coderd/database/unique_constraint.go
+++ b/coderd/database/unique_constraint.go
@@ -44,6 +44,7 @@ const (
UniqueProvisionerDaemonsPkey UniqueConstraint = "provisioner_daemons_pkey" // ALTER TABLE ONLY provisioner_daemons ADD CONSTRAINT provisioner_daemons_pkey PRIMARY KEY (id);
UniqueProvisionerJobLogsPkey UniqueConstraint = "provisioner_job_logs_pkey" // ALTER TABLE ONLY provisioner_job_logs ADD CONSTRAINT provisioner_job_logs_pkey PRIMARY KEY (id);
UniqueProvisionerJobsPkey UniqueConstraint = "provisioner_jobs_pkey" // ALTER TABLE ONLY provisioner_jobs ADD CONSTRAINT provisioner_jobs_pkey PRIMARY KEY (id);
+ UniqueProvisionerKeysPkey UniqueConstraint = "provisioner_keys_pkey" // ALTER TABLE ONLY provisioner_keys ADD CONSTRAINT provisioner_keys_pkey PRIMARY KEY (id);
UniqueSiteConfigsKeyKey UniqueConstraint = "site_configs_key_key" // ALTER TABLE ONLY site_configs ADD CONSTRAINT site_configs_key_key UNIQUE (key);
UniqueTailnetAgentsPkey UniqueConstraint = "tailnet_agents_pkey" // ALTER TABLE ONLY tailnet_agents ADD CONSTRAINT tailnet_agents_pkey PRIMARY KEY (id, coordinator_id);
UniqueTailnetClientSubscriptionsPkey UniqueConstraint = "tailnet_client_subscriptions_pkey" // ALTER TABLE ONLY tailnet_client_subscriptions ADD CONSTRAINT tailnet_client_subscriptions_pkey PRIMARY KEY (client_id, coordinator_id, agent_id);
@@ -87,6 +88,7 @@ const (
UniqueIndexUsersEmail UniqueConstraint = "idx_users_email" // CREATE UNIQUE INDEX idx_users_email ON users USING btree (email) WHERE (deleted = false);
UniqueIndexUsersUsername UniqueConstraint = "idx_users_username" // CREATE UNIQUE INDEX idx_users_username ON users USING btree (username) WHERE (deleted = false);
UniqueOrganizationsSingleDefaultOrg UniqueConstraint = "organizations_single_default_org" // CREATE UNIQUE INDEX organizations_single_default_org ON organizations USING btree (is_default) WHERE (is_default = true);
+ UniqueProvisionerKeysOrganizationIDNameIndex UniqueConstraint = "provisioner_keys_organization_id_name_idx" // CREATE UNIQUE INDEX provisioner_keys_organization_id_name_idx ON provisioner_keys USING btree (organization_id, lower((name)::text));
UniqueTemplateUsageStatsStartTimeTemplateIDUserIDIndex UniqueConstraint = "template_usage_stats_start_time_template_id_user_id_idx" // CREATE UNIQUE INDEX template_usage_stats_start_time_template_id_user_id_idx ON template_usage_stats USING btree (start_time, template_id, user_id);
UniqueTemplatesOrganizationIDNameIndex UniqueConstraint = "templates_organization_id_name_idx" // CREATE UNIQUE INDEX templates_organization_id_name_idx ON templates USING btree (organization_id, lower((name)::text)) WHERE (deleted = false);
UniqueUserLinksLinkedIDLoginTypeIndex UniqueConstraint = "user_links_linked_id_login_type_idx" // CREATE UNIQUE INDEX user_links_linked_id_login_type_idx ON user_links USING btree (linked_id, login_type) WHERE (linked_id <> ''::text);
diff --git a/coderd/httpmw/provisionerkey.go b/coderd/httpmw/provisionerkey.go
new file mode 100644
index 0000000000000..484200f469422
--- /dev/null
+++ b/coderd/httpmw/provisionerkey.go
@@ -0,0 +1,58 @@
+package httpmw
+
+import (
+ "context"
+ "net/http"
+
+ "github.com/go-chi/chi/v5"
+
+ "github.com/coder/coder/v2/coderd/database"
+ "github.com/coder/coder/v2/coderd/httpapi"
+ "github.com/coder/coder/v2/codersdk"
+)
+
+type provisionerKeyParamContextKey struct{}
+
+// ProvisionerKeyParam returns the user from the ExtractProvisionerKeyParam handler.
+func ProvisionerKeyParam(r *http.Request) database.ProvisionerKey {
+ user, ok := r.Context().Value(provisionerKeyParamContextKey{}).(database.ProvisionerKey)
+ if !ok {
+ panic("developer error: provisioner key parameter middleware not provided")
+ }
+ return user
+}
+
+// ExtractProvisionerKeyParam extracts a provisioner key from a name in the {provisionerKey} URL
+// parameter.
+func ExtractProvisionerKeyParam(db database.Store) func(http.Handler) http.Handler {
+ return func(next http.Handler) http.Handler {
+ return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+ ctx := r.Context()
+ organization := OrganizationParam(r)
+
+ provisionerKeyQuery := chi.URLParam(r, "provisionerkey")
+ if provisionerKeyQuery == "" {
+ httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+ Message: "\"provisionerkey\" must be provided.",
+ })
+ return
+ }
+
+ provisionerKey, err := db.GetProvisionerKeyByName(ctx, database.GetProvisionerKeyByNameParams{
+ OrganizationID: organization.ID,
+ Name: provisionerKeyQuery,
+ })
+ if httpapi.Is404Error(err) {
+ httpapi.ResourceNotFound(rw)
+ return
+ }
+ if err != nil {
+ httpapi.InternalServerError(rw, err)
+ return
+ }
+
+ ctx = context.WithValue(ctx, provisionerKeyParamContextKey{}, provisionerKey)
+ next.ServeHTTP(rw, r.WithContext(ctx))
+ })
+ }
+}
diff --git a/coderd/provisionerkey/provisionerkey.go b/coderd/provisionerkey/provisionerkey.go
new file mode 100644
index 0000000000000..4df23125be2d3
--- /dev/null
+++ b/coderd/provisionerkey/provisionerkey.go
@@ -0,0 +1,31 @@
+package provisionerkey
+
+import (
+ "crypto/sha256"
+ "fmt"
+
+ "github.com/google/uuid"
+ "golang.org/x/xerrors"
+
+ "github.com/coder/coder/v2/coderd/database"
+ "github.com/coder/coder/v2/coderd/database/dbtime"
+ "github.com/coder/coder/v2/cryptorand"
+)
+
+func New(organizationID uuid.UUID, name string) (database.InsertProvisionerKeyParams, string, error) {
+ id := uuid.New()
+ secret, err := cryptorand.HexString(64)
+ if err != nil {
+ return database.InsertProvisionerKeyParams{}, "", xerrors.Errorf("generate token: %w", err)
+ }
+ hashedSecret := sha256.Sum256([]byte(secret))
+ token := fmt.Sprintf("%s:%s", id, secret)
+
+ return database.InsertProvisionerKeyParams{
+ ID: id,
+ CreatedAt: dbtime.Now(),
+ OrganizationID: organizationID,
+ Name: name,
+ HashedSecret: hashedSecret[:],
+ }, token, nil
+}
diff --git a/coderd/rbac/object_gen.go b/coderd/rbac/object_gen.go
index 5b39b846195dd..bc2846da49564 100644
--- a/coderd/rbac/object_gen.go
+++ b/coderd/rbac/object_gen.go
@@ -161,6 +161,15 @@ var (
Type: "provisioner_daemon",
}
+ // ResourceProvisionerKeys
+ // Valid Actions
+ // - "ActionCreate" :: create a provisioner key
+ // - "ActionDelete" :: delete a provisioner key
+ // - "ActionRead" :: read provisioner keys
+ ResourceProvisionerKeys = Object{
+ Type: "provisioner_keys",
+ }
+
// ResourceReplicas
// Valid Actions
// - "ActionRead" :: read replicas
@@ -269,6 +278,7 @@ func AllResources() []Objecter {
ResourceOrganization,
ResourceOrganizationMember,
ResourceProvisionerDaemon,
+ ResourceProvisionerKeys,
ResourceReplicas,
ResourceSystem,
ResourceTailnetCoordinator,
diff --git a/coderd/rbac/policy/policy.go b/coderd/rbac/policy/policy.go
index eec8865d09317..1fe635bec5e61 100644
--- a/coderd/rbac/policy/policy.go
+++ b/coderd/rbac/policy/policy.go
@@ -160,6 +160,13 @@ var RBACPermissions = map[string]PermissionDefinition{
ActionDelete: actDef("delete a provisioner daemon"),
},
},
+ "provisioner_keys": {
+ Actions: map[Action]ActionDefinition{
+ ActionCreate: actDef("create a provisioner key"),
+ ActionRead: actDef("read provisioner keys"),
+ ActionDelete: actDef("delete a provisioner key"),
+ },
+ },
"organization": {
Actions: map[Action]ActionDefinition{
ActionCreate: actDef("create an organization"),
diff --git a/coderd/rbac/roles_test.go b/coderd/rbac/roles_test.go
index c49f161760235..cedb3d8e1af79 100644
--- a/coderd/rbac/roles_test.go
+++ b/coderd/rbac/roles_test.go
@@ -488,6 +488,15 @@ func TestRolePermissions(t *testing.T) {
false: {memberMe, otherOrgAdmin, otherOrgMember, userAdmin},
},
},
+ {
+ Name: "ProvisionerKeys",
+ Actions: []policy.Action{policy.ActionCreate, policy.ActionRead, policy.ActionDelete},
+ Resource: rbac.ResourceProvisionerKeys.InOrg(orgID),
+ AuthorizeMap: map[bool][]authSubject{
+ true: {owner, orgAdmin},
+ false: {otherOrgAdmin, otherOrgMember, memberMe, orgMemberMe, userAdmin, templateAdmin},
+ },
+ },
{
Name: "System",
Actions: crud,
diff --git a/codersdk/deployment.go b/codersdk/deployment.go
index 8cf6681ad5954..23ba5bb7cf16a 100644
--- a/codersdk/deployment.go
+++ b/codersdk/deployment.go
@@ -56,6 +56,7 @@ const (
FeatureAccessControl FeatureName = "access_control"
FeatureControlSharedPorts FeatureName = "control_shared_ports"
FeatureCustomRoles FeatureName = "custom_roles"
+ FeatureMultipleOrganizations FeatureName = "multiple_organizations"
)
// FeatureNames must be kept in-sync with the Feature enum above.
@@ -77,6 +78,7 @@ var FeatureNames = []FeatureName{
FeatureAccessControl,
FeatureControlSharedPorts,
FeatureCustomRoles,
+ FeatureMultipleOrganizations,
}
// Humanize returns the feature name in a human-readable format.
diff --git a/codersdk/provisionerdaemons.go b/codersdk/provisionerdaemons.go
index e26778f940045..605d44d88c071 100644
--- a/codersdk/provisionerdaemons.go
+++ b/codersdk/provisionerdaemons.go
@@ -265,3 +265,72 @@ func (c *Client) ServeProvisionerDaemon(ctx context.Context, req ServeProvisione
}
return proto.NewDRPCProvisionerDaemonClient(drpc.MultiplexedConn(session)), nil
}
+
+type ProvisionerKey struct {
+ ID uuid.UUID `json:"id" format:"uuid"`
+ CreatedAt time.Time `json:"created_at" format:"date-time"`
+ OrganizationID uuid.UUID `json:"organization" format:"uuid"`
+ Name string `json:"name"`
+ // HashedSecret - never include the access token in the API response
+}
+
+type CreateProvisionerKeyRequest struct {
+ Name string `json:"name"`
+}
+
+type CreateProvisionerKeyResponse struct {
+ Key string `json:"key"`
+}
+
+// CreateProvisionerKey creates a new provisioner key for an organization.
+func (c *Client) CreateProvisionerKey(ctx context.Context, organizationID uuid.UUID, req CreateProvisionerKeyRequest) (CreateProvisionerKeyResponse, error) {
+ res, err := c.Request(ctx, http.MethodPost,
+ fmt.Sprintf("/api/v2/organizations/%s/provisionerkeys", organizationID.String()),
+ req,
+ )
+ if err != nil {
+ return CreateProvisionerKeyResponse{}, xerrors.Errorf("make request: %w", err)
+ }
+ defer res.Body.Close()
+
+ if res.StatusCode != http.StatusCreated {
+ return CreateProvisionerKeyResponse{}, ReadBodyAsError(res)
+ }
+ var resp CreateProvisionerKeyResponse
+ return resp, json.NewDecoder(res.Body).Decode(&resp)
+}
+
+// ListProvisionerKeys lists all provisioner keys for an organization.
+func (c *Client) ListProvisionerKeys(ctx context.Context, organizationID uuid.UUID) ([]ProvisionerKey, error) {
+ res, err := c.Request(ctx, http.MethodGet,
+ fmt.Sprintf("/api/v2/organizations/%s/provisionerkeys", organizationID.String()),
+ nil,
+ )
+ if err != nil {
+ return nil, xerrors.Errorf("make request: %w", err)
+ }
+ defer res.Body.Close()
+
+ if res.StatusCode != http.StatusOK {
+ return nil, ReadBodyAsError(res)
+ }
+ var resp []ProvisionerKey
+ return resp, json.NewDecoder(res.Body).Decode(&resp)
+}
+
+// DeleteProvisionerKey deletes a provisioner key.
+func (c *Client) DeleteProvisionerKey(ctx context.Context, organizationID uuid.UUID, name string) error {
+ res, err := c.Request(ctx, http.MethodDelete,
+ fmt.Sprintf("/api/v2/organizations/%s/provisionerkeys/%s", organizationID.String(), name),
+ nil,
+ )
+ if err != nil {
+ return xerrors.Errorf("make request: %w", err)
+ }
+ defer res.Body.Close()
+
+ if res.StatusCode != http.StatusNoContent {
+ return ReadBodyAsError(res)
+ }
+ return nil
+}
diff --git a/codersdk/rbacresources_gen.go b/codersdk/rbacresources_gen.go
index 73d784b449535..573fea66b8c80 100644
--- a/codersdk/rbacresources_gen.go
+++ b/codersdk/rbacresources_gen.go
@@ -21,6 +21,7 @@ const (
ResourceOrganization RBACResource = "organization"
ResourceOrganizationMember RBACResource = "organization_member"
ResourceProvisionerDaemon RBACResource = "provisioner_daemon"
+ ResourceProvisionerKeys RBACResource = "provisioner_keys"
ResourceReplicas RBACResource = "replicas"
ResourceSystem RBACResource = "system"
ResourceTailnetCoordinator RBACResource = "tailnet_coordinator"
@@ -69,6 +70,7 @@ var RBACResourceActions = map[RBACResource][]RBACAction{
ResourceOrganization: {ActionCreate, ActionDelete, ActionRead, ActionUpdate},
ResourceOrganizationMember: {ActionCreate, ActionDelete, ActionRead, ActionUpdate},
ResourceProvisionerDaemon: {ActionCreate, ActionDelete, ActionRead, ActionUpdate},
+ ResourceProvisionerKeys: {ActionCreate, ActionDelete, ActionRead},
ResourceReplicas: {ActionRead},
ResourceSystem: {ActionCreate, ActionDelete, ActionRead, ActionUpdate},
ResourceTailnetCoordinator: {ActionCreate, ActionDelete, ActionRead, ActionUpdate},
diff --git a/docs/api/enterprise.md b/docs/api/enterprise.md
index 63786efac43db..3f6013d46cfb5 100644
--- a/docs/api/enterprise.md
+++ b/docs/api/enterprise.md
@@ -1353,6 +1353,124 @@ curl -X GET http://coder-server:8080/api/v2/organizations/{organization}/provisi
To perform this operation, you must be authenticated. [Learn more](authentication.md).
+## List provisioner key
+
+### Code samples
+
+```shell
+# Example request using curl
+curl -X GET http://coder-server:8080/api/v2/organizations/{organization}/provisionerkeys \
+ -H 'Accept: application/json' \
+ -H 'Coder-Session-Token: API_KEY'
+```
+
+`GET /organizations/{organization}/provisionerkeys`
+
+### Parameters
+
+| Name | In | Type | Required | Description |
+| -------------- | ---- | ------ | -------- | --------------- |
+| `organization` | path | string | true | Organization ID |
+
+### Example responses
+
+> 200 Response
+
+```json
+[
+ {
+ "created_at": "2019-08-24T14:15:22Z",
+ "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
+ "name": "string",
+ "organization": "452c1a86-a0af-475b-b03f-724878b0f387"
+ }
+]
+```
+
+### Responses
+
+| Status | Meaning | Description | Schema |
+| ------ | ------------------------------------------------------- | ----------- | --------------------------------------------------------------------- |
+| 200 | [OK](https://tools.ietf.org/html/rfc7231#section-6.3.1) | OK | array of [codersdk.ProvisionerKey](schemas.md#codersdkprovisionerkey) |
+
+Response Schema
+
+Status Code **200**
+
+| Name | Type | Required | Restrictions | Description |
+| ---------------- | ----------------- | -------- | ------------ | ----------- |
+| `[array item]` | array | false | | |
+| `» created_at` | string(date-time) | false | | |
+| `» id` | string(uuid) | false | | |
+| `» name` | string | false | | |
+| `» organization` | string(uuid) | false | | |
+
+To perform this operation, you must be authenticated. [Learn more](authentication.md).
+
+## Create provisioner key
+
+### Code samples
+
+```shell
+# Example request using curl
+curl -X POST http://coder-server:8080/api/v2/organizations/{organization}/provisionerkeys \
+ -H 'Accept: application/json' \
+ -H 'Coder-Session-Token: API_KEY'
+```
+
+`POST /organizations/{organization}/provisionerkeys`
+
+### Parameters
+
+| Name | In | Type | Required | Description |
+| -------------- | ---- | ------ | -------- | --------------- |
+| `organization` | path | string | true | Organization ID |
+
+### Example responses
+
+> 201 Response
+
+```json
+{
+ "key": "string"
+}
+```
+
+### Responses
+
+| Status | Meaning | Description | Schema |
+| ------ | ------------------------------------------------------------ | ----------- | ---------------------------------------------------------------------------------------- |
+| 201 | [Created](https://tools.ietf.org/html/rfc7231#section-6.3.2) | Created | [codersdk.CreateProvisionerKeyResponse](schemas.md#codersdkcreateprovisionerkeyresponse) |
+
+To perform this operation, you must be authenticated. [Learn more](authentication.md).
+
+## Delete provisioner key
+
+### Code samples
+
+```shell
+# Example request using curl
+curl -X DELETE http://coder-server:8080/api/v2/organizations/{organization}/provisionerkeys/{provisionerkey} \
+ -H 'Coder-Session-Token: API_KEY'
+```
+
+`DELETE /organizations/{organization}/provisionerkeys/{provisionerkey}`
+
+### Parameters
+
+| Name | In | Type | Required | Description |
+| ---------------- | ---- | ------ | -------- | -------------------- |
+| `organization` | path | string | true | Organization ID |
+| `provisionerkey` | path | string | true | Provisioner key name |
+
+### Responses
+
+| Status | Meaning | Description | Schema |
+| ------ | --------------------------------------------------------------- | ----------- | ------ |
+| 204 | [No Content](https://tools.ietf.org/html/rfc7231#section-6.3.5) | No Content | |
+
+To perform this operation, you must be authenticated. [Learn more](authentication.md).
+
## Get active replicas
### Code samples
diff --git a/docs/api/members.md b/docs/api/members.md
index 1a9beae285157..d8dfc6499ee65 100644
--- a/docs/api/members.md
+++ b/docs/api/members.md
@@ -182,6 +182,7 @@ Status Code **200**
| `resource_type` | `organization` |
| `resource_type` | `organization_member` |
| `resource_type` | `provisioner_daemon` |
+| `resource_type` | `provisioner_keys` |
| `resource_type` | `replicas` |
| `resource_type` | `system` |
| `resource_type` | `tailnet_coordinator` |
@@ -304,6 +305,7 @@ Status Code **200**
| `resource_type` | `organization` |
| `resource_type` | `organization_member` |
| `resource_type` | `provisioner_daemon` |
+| `resource_type` | `provisioner_keys` |
| `resource_type` | `replicas` |
| `resource_type` | `system` |
| `resource_type` | `tailnet_coordinator` |
@@ -578,6 +580,7 @@ Status Code **200**
| `resource_type` | `organization` |
| `resource_type` | `organization_member` |
| `resource_type` | `provisioner_daemon` |
+| `resource_type` | `provisioner_keys` |
| `resource_type` | `replicas` |
| `resource_type` | `system` |
| `resource_type` | `tailnet_coordinator` |
diff --git a/docs/api/schemas.md b/docs/api/schemas.md
index a3e745b46fa17..125ca94eb98dd 100644
--- a/docs/api/schemas.md
+++ b/docs/api/schemas.md
@@ -1047,6 +1047,20 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in
| `icon` | string | false | | |
| `name` | string | true | | |
+## codersdk.CreateProvisionerKeyResponse
+
+```json
+{
+ "key": "string"
+}
+```
+
+### Properties
+
+| Name | Type | Required | Restrictions | Description |
+| ----- | ------ | -------- | ------------ | ----------- |
+| `key` | string | false | | |
+
## codersdk.CreateTemplateRequest
```json
@@ -3810,6 +3824,26 @@ CreateWorkspaceRequest provides options for creating a new workspace. Only one o
| `failed` |
| `unknown` |
+## codersdk.ProvisionerKey
+
+```json
+{
+ "created_at": "2019-08-24T14:15:22Z",
+ "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
+ "name": "string",
+ "organization": "452c1a86-a0af-475b-b03f-724878b0f387"
+}
+```
+
+### Properties
+
+| Name | Type | Required | Restrictions | Description |
+| -------------- | ------ | -------- | ------------ | ----------- |
+| `created_at` | string | false | | |
+| `id` | string | false | | |
+| `name` | string | false | | |
+| `organization` | string | false | | |
+
## codersdk.ProvisionerLogLevel
```json
@@ -3958,6 +3992,7 @@ CreateWorkspaceRequest provides options for creating a new workspace. Only one o
| `organization` |
| `organization_member` |
| `provisioner_daemon` |
+| `provisioner_keys` |
| `replicas` |
| `system` |
| `tailnet_coordinator` |
diff --git a/enterprise/coderd/coderd.go b/enterprise/coderd/coderd.go
index 89cc82b73f68e..784695a7ac2e3 100644
--- a/enterprise/coderd/coderd.go
+++ b/enterprise/coderd/coderd.go
@@ -205,7 +205,7 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
})
r.Route("/workspaceproxies", func(r chi.Router) {
r.Use(
- api.moonsEnabledMW,
+ api.RequireFeatureMW(codersdk.FeatureWorkspaceProxy),
)
r.Group(func(r chi.Router) {
r.Use(
@@ -254,6 +254,22 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
r.Get("/", api.groupByOrganization)
})
})
+ r.Route("/organizations/{organization}/provisionerkeys", func(r chi.Router) {
+ r.Use(
+ apiKeyMiddleware,
+ httpmw.ExtractOrganizationParam(api.Database),
+ api.RequireFeatureMW(codersdk.FeatureMultipleOrganizations),
+ httpmw.RequireExperiment(api.AGPL.Experiments, codersdk.ExperimentMultiOrganization),
+ )
+ r.Get("/", api.provisionerKeys)
+ r.Post("/", api.postProvisionerKey)
+ r.Route("/{provisionerkey}", func(r chi.Router) {
+ r.Use(
+ httpmw.ExtractProvisionerKeyParam(options.Database),
+ )
+ r.Delete("/", api.deleteProvisionerKey)
+ })
+ })
// TODO: provisioner daemons are not scoped to organizations in the database, so placing them
// under an organization route doesn't make sense. In order to allow the /serve endpoint to
// work with a pre-shared key (PSK) without an API key, these routes will simply ignore the
@@ -566,6 +582,7 @@ func (api *API) updateEntitlements(ctx context.Context) error {
codersdk.FeatureUserRoleManagement: true,
codersdk.FeatureAccessControl: true,
codersdk.FeatureControlSharedPorts: true,
+ codersdk.FeatureMultipleOrganizations: true,
})
if err != nil {
return err
@@ -751,6 +768,11 @@ func (api *API) updateEntitlements(ctx context.Context) error {
api.AGPL.CustomRoleHandler.Store(&handler)
}
+ if initial, changed, enabled := featureChanged(codersdk.FeatureMultipleOrganizations); shouldUpdate(initial, changed, enabled) {
+ var handler coderd.CustomRoleHandler = &enterpriseCustomRoleHandler{API: api, Enabled: enabled}
+ api.AGPL.CustomRoleHandler.Store(&handler)
+ }
+
// External token encryption is soft-enforced
featureExternalTokenEncryption := entitlements.Features[codersdk.FeatureExternalTokenEncryption]
featureExternalTokenEncryption.Enabled = len(api.ExternalTokenEncryption) > 0
diff --git a/enterprise/coderd/provisionerkeys.go b/enterprise/coderd/provisionerkeys.go
new file mode 100644
index 0000000000000..9cb66e2b7910d
--- /dev/null
+++ b/enterprise/coderd/provisionerkeys.go
@@ -0,0 +1,149 @@
+package coderd
+
+import (
+ "fmt"
+ "net/http"
+
+ "github.com/coder/coder/v2/coderd/database"
+ "github.com/coder/coder/v2/coderd/httpapi"
+ "github.com/coder/coder/v2/coderd/httpmw"
+ "github.com/coder/coder/v2/coderd/provisionerkey"
+ "github.com/coder/coder/v2/codersdk"
+)
+
+// @Summary Create provisioner key
+// @ID create-provisioner-key
+// @Security CoderSessionToken
+// @Produce json
+// @Tags Enterprise
+// @Param organization path string true "Organization ID"
+// @Success 201 {object} codersdk.CreateProvisionerKeyResponse
+// @Router /organizations/{organization}/provisionerkeys [post]
+func (api *API) postProvisionerKey(rw http.ResponseWriter, r *http.Request) {
+ ctx := r.Context()
+ organization := httpmw.OrganizationParam(r)
+
+ var req codersdk.CreateProvisionerKeyRequest
+ if !httpapi.Read(ctx, rw, r, &req) {
+ return
+ }
+
+ if req.Name == "" {
+ httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+ Message: "Name is required",
+ Validations: []codersdk.ValidationError{
+ {
+ Field: "name",
+ Detail: "Name is required",
+ },
+ },
+ })
+ return
+ }
+
+ if len(req.Name) > 64 {
+ httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+ Message: "Name must be at most 64 characters",
+ Validations: []codersdk.ValidationError{
+ {
+ Field: "name",
+ Detail: "Name must be at most 64 characters",
+ },
+ },
+ })
+ return
+ }
+
+ params, token, err := provisionerkey.New(organization.ID, req.Name)
+ if err != nil {
+ httpapi.InternalServerError(rw, err)
+ return
+ }
+
+ _, err = api.Database.InsertProvisionerKey(ctx, params)
+ if database.IsUniqueViolation(err, database.UniqueProvisionerKeysOrganizationIDNameIndex) {
+ httpapi.Write(ctx, rw, http.StatusConflict, codersdk.Response{
+ Message: fmt.Sprintf("Provisioner key with name '%s' already exists in organization", req.Name),
+ })
+ return
+ }
+ if err != nil {
+ httpapi.InternalServerError(rw, err)
+ return
+ }
+
+ httpapi.Write(ctx, rw, http.StatusCreated, codersdk.CreateProvisionerKeyResponse{
+ Key: token,
+ })
+}
+
+// @Summary List provisioner key
+// @ID list-provisioner-key
+// @Security CoderSessionToken
+// @Produce json
+// @Tags Enterprise
+// @Param organization path string true "Organization ID"
+// @Success 200 {object} []codersdk.ProvisionerKey
+// @Router /organizations/{organization}/provisionerkeys [get]
+func (api *API) provisionerKeys(rw http.ResponseWriter, r *http.Request) {
+ ctx := r.Context()
+ organization := httpmw.OrganizationParam(r)
+
+ pks, err := api.Database.ListProvisionerKeysByOrganization(ctx, organization.ID)
+ if err != nil {
+ httpapi.InternalServerError(rw, err)
+ return
+ }
+
+ httpapi.Write(ctx, rw, http.StatusOK, convertProvisionerKeys(pks))
+}
+
+// @Summary Delete provisioner key
+// @ID delete-provisioner-key
+// @Security CoderSessionToken
+// @Tags Enterprise
+// @Param organization path string true "Organization ID"
+// @Param provisionerkey path string true "Provisioner key name"
+// @Success 204
+// @Router /organizations/{organization}/provisionerkeys/{provisionerkey} [delete]
+func (api *API) deleteProvisionerKey(rw http.ResponseWriter, r *http.Request) {
+ ctx := r.Context()
+ organization := httpmw.OrganizationParam(r)
+ provisionerKey := httpmw.ProvisionerKeyParam(r)
+
+ pk, err := api.Database.GetProvisionerKeyByName(ctx, database.GetProvisionerKeyByNameParams{
+ OrganizationID: organization.ID,
+ Name: provisionerKey.Name,
+ })
+ if err != nil {
+ if httpapi.Is404Error(err) {
+ httpapi.ResourceNotFound(rw)
+ return
+ }
+
+ httpapi.InternalServerError(rw, err)
+ return
+ }
+
+ err = api.Database.DeleteProvisionerKey(ctx, pk.ID)
+ if err != nil {
+ httpapi.InternalServerError(rw, err)
+ return
+ }
+
+ httpapi.Write(ctx, rw, http.StatusNoContent, nil)
+}
+
+func convertProvisionerKeys(dbKeys []database.ProvisionerKey) []codersdk.ProvisionerKey {
+ keys := make([]codersdk.ProvisionerKey, 0, len(dbKeys))
+ for _, dbKey := range dbKeys {
+ keys = append(keys, codersdk.ProvisionerKey{
+ ID: dbKey.ID,
+ CreatedAt: dbKey.CreatedAt,
+ OrganizationID: dbKey.OrganizationID,
+ Name: dbKey.Name,
+ // HashedSecret - never include the access token in the API response
+ })
+ }
+ return keys
+}
diff --git a/enterprise/coderd/provisionerkeys_test.go b/enterprise/coderd/provisionerkeys_test.go
new file mode 100644
index 0000000000000..4c9408e0a27de
--- /dev/null
+++ b/enterprise/coderd/provisionerkeys_test.go
@@ -0,0 +1,108 @@
+package coderd_test
+
+import (
+ "context"
+ "testing"
+
+ "github.com/stretchr/testify/require"
+
+ "github.com/coder/coder/v2/coderd/coderdtest"
+ "github.com/coder/coder/v2/coderd/rbac"
+ "github.com/coder/coder/v2/codersdk"
+ "github.com/coder/coder/v2/enterprise/coderd/coderdenttest"
+ "github.com/coder/coder/v2/enterprise/coderd/license"
+ "github.com/coder/coder/v2/testutil"
+)
+
+func TestProvisionerKeys(t *testing.T) {
+ t.Parallel()
+
+ ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong*10)
+ t.Cleanup(cancel)
+ dv := coderdtest.DeploymentValues(t)
+ dv.Experiments = []string{string(codersdk.ExperimentMultiOrganization)}
+ client, owner := coderdenttest.New(t, &coderdenttest.Options{
+ Options: &coderdtest.Options{
+ DeploymentValues: dv,
+ },
+ LicenseOptions: &coderdenttest.LicenseOptions{
+ Features: license.Features{
+ codersdk.FeatureMultipleOrganizations: 1,
+ },
+ },
+ })
+ orgAdmin, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID, rbac.ScopedRoleOrgAdmin(owner.OrganizationID))
+ member, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
+ otherOrg := coderdtest.CreateOrganization(t, client, coderdtest.CreateOrganizationOptions{})
+ outsideOrgAdmin, _ := coderdtest.CreateAnotherUser(t, client, otherOrg.ID, rbac.ScopedRoleOrgAdmin(otherOrg.ID))
+
+ // member cannot create a provisioner key
+ _, err := member.CreateProvisionerKey(ctx, otherOrg.ID, codersdk.CreateProvisionerKeyRequest{
+ Name: "key",
+ })
+ require.ErrorContains(t, err, "Resource not found")
+
+ // member cannot list provisioner keys
+ _, err = member.ListProvisionerKeys(ctx, otherOrg.ID)
+ require.ErrorContains(t, err, "Resource not found")
+
+ // member cannot delete a provisioner key
+ err = member.DeleteProvisionerKey(ctx, otherOrg.ID, "key")
+ require.ErrorContains(t, err, "Resource not found")
+
+ // outside org admin cannot create a provisioner key
+ _, err = outsideOrgAdmin.CreateProvisionerKey(ctx, owner.OrganizationID, codersdk.CreateProvisionerKeyRequest{
+ Name: "key",
+ })
+ require.ErrorContains(t, err, "Resource not found")
+
+ // outside org admin cannot list provisioner keys
+ _, err = outsideOrgAdmin.ListProvisionerKeys(ctx, owner.OrganizationID)
+ require.ErrorContains(t, err, "Resource not found")
+
+ // outside org admin cannot delete a provisioner key
+ err = outsideOrgAdmin.DeleteProvisionerKey(ctx, owner.OrganizationID, "key")
+ require.ErrorContains(t, err, "Resource not found")
+
+ // org admin can list provisioner keys and get an empty list
+ keys, err := orgAdmin.ListProvisionerKeys(ctx, owner.OrganizationID)
+ require.NoError(t, err, "org admin list provisioner keys")
+ require.Len(t, keys, 0, "org admin list provisioner keys")
+
+ // org admin can create a provisioner key
+ _, err = orgAdmin.CreateProvisionerKey(ctx, owner.OrganizationID, codersdk.CreateProvisionerKeyRequest{
+ Name: "Key", // case insensitive
+ })
+ require.NoError(t, err, "org admin create provisioner key")
+
+ // org admin can conflict on name creating a provisioner key
+ _, err = orgAdmin.CreateProvisionerKey(ctx, owner.OrganizationID, codersdk.CreateProvisionerKeyRequest{
+ Name: "KEY", // still conflicts
+ })
+ require.ErrorContains(t, err, "already exists in organization")
+
+ // key name cannot be too long
+ _, err = orgAdmin.CreateProvisionerKey(ctx, owner.OrganizationID, codersdk.CreateProvisionerKeyRequest{
+ Name: "Everyone please pass your watermelons to the front of the pool, the storm is approaching.",
+ })
+ require.ErrorContains(t, err, "must be at most 64 characters")
+
+ // key name cannot be empty
+ _, err = orgAdmin.CreateProvisionerKey(ctx, owner.OrganizationID, codersdk.CreateProvisionerKeyRequest{
+ Name: "",
+ })
+ require.ErrorContains(t, err, "is required")
+
+ // org admin can list provisioner keys
+ keys, err = orgAdmin.ListProvisionerKeys(ctx, owner.OrganizationID)
+ require.NoError(t, err, "org admin list provisioner keys")
+ require.Len(t, keys, 1, "org admin list provisioner keys")
+
+ // org admin can delete a provisioner key
+ err = orgAdmin.DeleteProvisionerKey(ctx, owner.OrganizationID, "key") // using lowercase here works
+ require.NoError(t, err, "org admin delete provisioner key")
+
+ // org admin cannot delete a provisioner key that doesn't exist
+ err = orgAdmin.DeleteProvisionerKey(ctx, owner.OrganizationID, "key")
+ require.ErrorContains(t, err, "Resource not found")
+}
diff --git a/enterprise/coderd/templates.go b/enterprise/coderd/templates.go
index d9d5f245fcb41..9531125d7ceb1 100644
--- a/enterprise/coderd/templates.go
+++ b/enterprise/coderd/templates.go
@@ -327,7 +327,7 @@ func convertSDKTemplateRole(role codersdk.TemplateRole) []policy.Action {
return nil
}
-// TODO reduce the duplication across all of these.
+// TODO move to api.RequireFeatureMW when we are OK with changing the behavior.
func (api *API) templateRBACEnabledMW(next http.Handler) http.Handler {
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
api.entitlementsMu.RLock()
@@ -343,19 +343,21 @@ func (api *API) templateRBACEnabledMW(next http.Handler) http.Handler {
})
}
-func (api *API) moonsEnabledMW(next http.Handler) http.Handler {
- return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
- // Entitlement must be enabled.
- api.entitlementsMu.RLock()
- proxy := api.entitlements.Features[codersdk.FeatureWorkspaceProxy].Enabled
- api.entitlementsMu.RUnlock()
- if !proxy {
- httpapi.Write(r.Context(), rw, http.StatusForbidden, codersdk.Response{
- Message: "External workspace proxies is an Enterprise feature. Contact sales!",
- })
- return
- }
+func (api *API) RequireFeatureMW(feat codersdk.FeatureName) func(http.Handler) http.Handler {
+ return func(next http.Handler) http.Handler {
+ return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+ // Entitlement must be enabled.
+ api.entitlementsMu.RLock()
+ enabled := api.entitlements.Features[feat].Enabled
+ api.entitlementsMu.RUnlock()
+ if !enabled {
+ httpapi.Write(r.Context(), rw, http.StatusForbidden, codersdk.Response{
+ Message: fmt.Sprintf("%s is an Enterprise feature. Contact sales!", feat.Humanize()),
+ })
+ return
+ }
- next.ServeHTTP(rw, r)
- })
+ next.ServeHTTP(rw, r)
+ })
+ }
}
diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts
index d4bbc32bba10c..3963c2b4f5a01 100644
--- a/site/src/api/typesGenerated.ts
+++ b/site/src/api/typesGenerated.ts
@@ -233,6 +233,16 @@ export interface CreateOrganizationRequest {
readonly icon?: string;
}
+// From codersdk/provisionerdaemons.go
+export interface CreateProvisionerKeyRequest {
+ readonly name: string;
+}
+
+// From codersdk/provisionerdaemons.go
+export interface CreateProvisionerKeyResponse {
+ readonly key: string;
+}
+
// From codersdk/organizations.go
export interface CreateTemplateRequest {
readonly name: string;
@@ -955,6 +965,14 @@ export interface ProvisionerJobLog {
readonly output: string;
}
+// From codersdk/provisionerdaemons.go
+export interface ProvisionerKey {
+ readonly id: string;
+ readonly created_at: string;
+ readonly organization: string;
+ readonly name: string;
+}
+
// From codersdk/workspaceproxy.go
export interface ProxyHealthReport {
readonly errors: readonly string[];
@@ -2029,6 +2047,7 @@ export type FeatureName =
| "external_token_encryption"
| "high_availability"
| "multiple_external_auth"
+ | "multiple_organizations"
| "scim"
| "template_rbac"
| "user_limit"
@@ -2047,6 +2066,7 @@ export const FeatureNames: FeatureName[] = [
"external_token_encryption",
"high_availability",
"multiple_external_auth",
+ "multiple_organizations",
"scim",
"template_rbac",
"user_limit",
@@ -2206,6 +2226,7 @@ export type RBACResource =
| "organization"
| "organization_member"
| "provisioner_daemon"
+ | "provisioner_keys"
| "replicas"
| "system"
| "tailnet_coordinator"
@@ -2232,6 +2253,7 @@ export const RBACResources: RBACResource[] = [
"organization",
"organization_member",
"provisioner_daemon",
+ "provisioner_keys",
"replicas",
"system",
"tailnet_coordinator",
pFad - Phonifier reborn
Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.
Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.
Alternative Proxies:
Alternative Proxy
pFad Proxy
pFad v3 Proxy
pFad v4 Proxy