diff --git a/coderd/audit.go b/coderd/audit.go
index 75b711bf74ec9..4e99cbf1e0b58 100644
--- a/coderd/audit.go
+++ b/coderd/audit.go
@@ -282,10 +282,14 @@ func auditLogDescription(alog database.GetAuditLogsOffsetRow) string {
_, _ = b.WriteString("{user} ")
}
- if alog.AuditLog.StatusCode >= 400 {
+ switch {
+ case alog.AuditLog.StatusCode == int32(http.StatusSeeOther):
+ _, _ = b.WriteString("was redirected attempting to ")
+ _, _ = b.WriteString(string(alog.AuditLog.Action))
+ case alog.AuditLog.StatusCode >= 400:
_, _ = b.WriteString("unsuccessfully attempted to ")
_, _ = b.WriteString(string(alog.AuditLog.Action))
- } else {
+ default:
_, _ = b.WriteString(codersdk.AuditAction(alog.AuditLog.Action).Friendly())
}
diff --git a/coderd/audit/audit.go b/coderd/audit/audit.go
index a965c27a004c6..2a264605c6428 100644
--- a/coderd/audit/audit.go
+++ b/coderd/audit/audit.go
@@ -93,7 +93,7 @@ func (a *MockAuditor) Contains(t testing.TB, expected database.AuditLog) bool {
t.Logf("audit log %d: expected UserID %s, got %s", idx+1, expected.UserID, al.UserID)
continue
}
- if expected.OrganizationID != uuid.Nil && al.UserID != expected.UserID {
+ if expected.OrganizationID != uuid.Nil && al.OrganizationID != expected.OrganizationID {
t.Logf("audit log %d: expected OrganizationID %s, got %s", idx+1, expected.OrganizationID, al.OrganizationID)
continue
}
diff --git a/coderd/audit/request.go b/coderd/audit/request.go
index 1621c91762435..d837d30518805 100644
--- a/coderd/audit/request.go
+++ b/coderd/audit/request.go
@@ -71,6 +71,7 @@ type BackgroundAuditParams[T Auditable] struct {
Action database.AuditAction
OrganizationID uuid.UUID
IP string
+ UserAgent string
// todo: this should automatically marshal an interface{} instead of accepting a raw message.
AdditionalFields json.RawMessage
@@ -422,7 +423,7 @@ func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request
action = req.Action
}
- ip := parseIP(p.Request.RemoteAddr)
+ ip := ParseIP(p.Request.RemoteAddr)
auditLog := database.AuditLog{
ID: uuid.New(),
Time: dbtime.Now(),
@@ -453,7 +454,7 @@ func InitRequest[T Auditable](w http.ResponseWriter, p *RequestParams) (*Request
// BackgroundAudit creates an audit log for a background event.
// The audit log is committed upon invocation.
func BackgroundAudit[T Auditable](ctx context.Context, p *BackgroundAuditParams[T]) {
- ip := parseIP(p.IP)
+ ip := ParseIP(p.IP)
diff := Diff(p.Audit, p.Old, p.New)
var err error
@@ -479,7 +480,7 @@ func BackgroundAudit[T Auditable](ctx context.Context, p *BackgroundAuditParams[
UserID: p.UserID,
OrganizationID: requireOrgID[T](ctx, p.OrganizationID, p.Log),
Ip: ip,
- UserAgent: sql.NullString{},
+ UserAgent: sql.NullString{Valid: p.UserAgent != "", String: p.UserAgent},
ResourceType: either(p.Old, p.New, ResourceType[T], p.Action),
ResourceID: either(p.Old, p.New, ResourceID[T], p.Action),
ResourceTarget: either(p.Old, p.New, ResourceTarget[T], p.Action),
@@ -566,7 +567,7 @@ func either[T Auditable, R any](old, new T, fn func(T) R, auditAction database.A
panic("both old and new are nil")
}
-func parseIP(ipStr string) pqtype.Inet {
+func ParseIP(ipStr string) pqtype.Inet {
ip := net.ParseIP(ipStr)
ipNet := net.IPNet{}
if ip != nil {
diff --git a/coderd/coderd.go b/coderd/coderd.go
index da4e281dbe506..cb90ee6dad3c2 100644
--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@@ -226,6 +226,10 @@ type Options struct {
UpdateAgentMetrics func(ctx context.Context, labels prometheusmetrics.AgentMetricLabels, metrics []*agentproto.Stats_Metric)
StatsBatcher workspacestats.Batcher
+ // WorkspaceAppAuditSessionTimeout allows changing the timeout for audit
+ // sessions. Raising or lowering this value will directly affect the write
+ // load of the audit log table. This is used for testing. Default 1 hour.
+ WorkspaceAppAuditSessionTimeout time.Duration
WorkspaceAppsStatsCollectorOptions workspaceapps.StatsCollectorOptions
// This janky function is used in telemetry to parse fields out of the raw
@@ -534,16 +538,6 @@ func New(options *Options) *API {
Authorizer: options.Authorizer,
Logger: options.Logger,
},
- WorkspaceAppsProvider: workspaceapps.NewDBTokenProvider(
- options.Logger.Named("workspaceapps"),
- options.AccessURL,
- options.Authorizer,
- options.Database,
- options.DeploymentValues,
- oauthConfigs,
- options.AgentInactiveDisconnectTimeout,
- options.AppSigningKeyCache,
- ),
metricsCache: metricsCache,
Auditor: atomic.Pointer[audit.Auditor]{},
TailnetCoordinator: atomic.Pointer[tailnet.Coordinator]{},
@@ -561,6 +555,18 @@ func New(options *Options) *API {
),
dbRolluper: options.DatabaseRolluper,
}
+ api.WorkspaceAppsProvider = workspaceapps.NewDBTokenProvider(
+ options.Logger.Named("workspaceapps"),
+ options.AccessURL,
+ options.Authorizer,
+ &api.Auditor,
+ options.Database,
+ options.DeploymentValues,
+ oauthConfigs,
+ options.AgentInactiveDisconnectTimeout,
+ options.WorkspaceAppAuditSessionTimeout,
+ options.AppSigningKeyCache,
+ )
f := appearance.NewDefaultFetcher(api.DeploymentValues.DocsURL.String())
api.AppearanceFetcher.Store(&f)
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
index 9c88e986cbffc..bfe7eb5c7fe85 100644
--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -4615,6 +4615,13 @@ func (q *querier) UpsertWorkspaceAgentPortShare(ctx context.Context, arg databas
return q.db.UpsertWorkspaceAgentPortShare(ctx, arg)
}
+func (q *querier) UpsertWorkspaceAppAuditSession(ctx context.Context, arg database.UpsertWorkspaceAppAuditSessionParams) (time.Time, error) {
+ if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceSystem); err != nil {
+ return time.Time{}, err
+ }
+ return q.db.UpsertWorkspaceAppAuditSession(ctx, arg)
+}
+
func (q *querier) GetAuthorizedTemplates(ctx context.Context, arg database.GetTemplatesWithFilterParams, _ rbac.PreparedAuthorized) ([]database.Template, error) {
// TODO Delete this function, all GetTemplates should be authorized. For now just call getTemplates on the authz querier.
return q.GetTemplatesWithFilter(ctx, arg)
diff --git a/coderd/database/dbauthz/dbauthz_test.go b/coderd/database/dbauthz/dbauthz_test.go
index ec8ced783fa0a..2c089d287594b 100644
--- a/coderd/database/dbauthz/dbauthz_test.go
+++ b/coderd/database/dbauthz/dbauthz_test.go
@@ -4065,6 +4065,19 @@ func (s *MethodTestSuite) TestSystemFunctions() {
s.Run("InsertWorkspaceAppStats", s.Subtest(func(db database.Store, check *expects) {
check.Args(database.InsertWorkspaceAppStatsParams{}).Asserts(rbac.ResourceSystem, policy.ActionCreate)
}))
+ s.Run("UpsertWorkspaceAppAuditSession", s.Subtest(func(db database.Store, check *expects) {
+ u := dbgen.User(s.T(), db, database.User{})
+ pj := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{})
+ res := dbgen.WorkspaceResource(s.T(), db, database.WorkspaceResource{JobID: pj.ID})
+ agent := dbgen.WorkspaceAgent(s.T(), db, database.WorkspaceAgent{ResourceID: res.ID})
+ app := dbgen.WorkspaceApp(s.T(), db, database.WorkspaceApp{AgentID: agent.ID})
+ check.Args(database.UpsertWorkspaceAppAuditSessionParams{
+ AgentID: agent.ID,
+ AppID: app.ID,
+ UserID: u.ID,
+ Ip: "127.0.0.1",
+ }).Asserts(rbac.ResourceSystem, policy.ActionUpdate)
+ }))
s.Run("InsertWorkspaceAgentScriptTimings", s.Subtest(func(db database.Store, check *expects) {
dbtestutil.DisableForeignKeysAndTriggers(s.T(), db)
check.Args(database.InsertWorkspaceAgentScriptTimingsParams{
diff --git a/coderd/database/dbmem/dbmem.go b/coderd/database/dbmem/dbmem.go
index 1ece2571f4960..1d65f355783ae 100644
--- a/coderd/database/dbmem/dbmem.go
+++ b/coderd/database/dbmem/dbmem.go
@@ -92,6 +92,7 @@ func New() database.Store {
workspaceAgentLogs: make([]database.WorkspaceAgentLog, 0),
workspaceBuilds: make([]database.WorkspaceBuild, 0),
workspaceApps: make([]database.WorkspaceApp, 0),
+ workspaceAppAuditSessions: make([]database.WorkspaceAppAuditSession, 0),
workspaces: make([]database.WorkspaceTable, 0),
workspaceProxies: make([]database.WorkspaceProxy, 0),
},
@@ -237,6 +238,7 @@ type data struct {
workspaceAgentMemoryResourceMonitors []database.WorkspaceAgentMemoryResourceMonitor
workspaceAgentVolumeResourceMonitors []database.WorkspaceAgentVolumeResourceMonitor
workspaceApps []database.WorkspaceApp
+ workspaceAppAuditSessions []database.WorkspaceAppAuditSession
workspaceAppStatsLastInsertID int64
workspaceAppStats []database.WorkspaceAppStat
workspaceBuilds []database.WorkspaceBuild
@@ -12263,6 +12265,63 @@ func (q *FakeQuerier) UpsertWorkspaceAgentPortShare(_ context.Context, arg datab
return psl, nil
}
+func (q *FakeQuerier) UpsertWorkspaceAppAuditSession(_ context.Context, arg database.UpsertWorkspaceAppAuditSessionParams) (time.Time, error) {
+ err := validateDatabaseType(arg)
+ if err != nil {
+ return time.Time{}, err
+ }
+
+ q.mutex.Lock()
+ defer q.mutex.Unlock()
+
+ for i, s := range q.workspaceAppAuditSessions {
+ if s.AgentID != arg.AgentID {
+ continue
+ }
+ if s.AppID != arg.AppID {
+ continue
+ }
+ if s.UserID != arg.UserID {
+ continue
+ }
+ if s.Ip != arg.Ip {
+ continue
+ }
+ if s.UserAgent != arg.UserAgent {
+ continue
+ }
+ if s.SlugOrPort != arg.SlugOrPort {
+ continue
+ }
+ if s.StatusCode != arg.StatusCode {
+ continue
+ }
+
+ staleTime := dbtime.Now().Add(-(time.Duration(arg.StaleIntervalMS) * time.Millisecond))
+ fresh := s.UpdatedAt.After(staleTime)
+
+ q.workspaceAppAuditSessions[i].UpdatedAt = arg.UpdatedAt
+ if !fresh {
+ q.workspaceAppAuditSessions[i].StartedAt = arg.StartedAt
+ return arg.StartedAt, nil
+ }
+ return s.StartedAt, nil
+ }
+
+ q.workspaceAppAuditSessions = append(q.workspaceAppAuditSessions, database.WorkspaceAppAuditSession{
+ AgentID: arg.AgentID,
+ AppID: arg.AppID,
+ UserID: arg.UserID,
+ Ip: arg.Ip,
+ UserAgent: arg.UserAgent,
+ SlugOrPort: arg.SlugOrPort,
+ StatusCode: arg.StatusCode,
+ StartedAt: arg.StartedAt,
+ UpdatedAt: arg.UpdatedAt,
+ })
+ return arg.StartedAt, nil
+}
+
func (q *FakeQuerier) GetAuthorizedTemplates(ctx context.Context, arg database.GetTemplatesWithFilterParams, prepared rbac.PreparedAuthorized) ([]database.Template, error) {
if err := validateDatabaseType(arg); err != nil {
return nil, err
diff --git a/coderd/database/dbmetrics/querymetrics.go b/coderd/database/dbmetrics/querymetrics.go
index 407d9e48bfcf8..1de852f914497 100644
--- a/coderd/database/dbmetrics/querymetrics.go
+++ b/coderd/database/dbmetrics/querymetrics.go
@@ -2985,6 +2985,13 @@ func (m queryMetricsStore) UpsertWorkspaceAgentPortShare(ctx context.Context, ar
return r0, r1
}
+func (m queryMetricsStore) UpsertWorkspaceAppAuditSession(ctx context.Context, arg database.UpsertWorkspaceAppAuditSessionParams) (time.Time, error) {
+ start := time.Now()
+ r0, r1 := m.s.UpsertWorkspaceAppAuditSession(ctx, arg)
+ m.queryLatencies.WithLabelValues("UpsertWorkspaceAppAuditSession").Observe(time.Since(start).Seconds())
+ return r0, r1
+}
+
func (m queryMetricsStore) GetAuthorizedTemplates(ctx context.Context, arg database.GetTemplatesWithFilterParams, prepared rbac.PreparedAuthorized) ([]database.Template, error) {
start := time.Now()
templates, err := m.s.GetAuthorizedTemplates(ctx, arg, prepared)
diff --git a/coderd/database/dbmock/dbmock.go b/coderd/database/dbmock/dbmock.go
index fbe4d0745fbb0..2f84248661150 100644
--- a/coderd/database/dbmock/dbmock.go
+++ b/coderd/database/dbmock/dbmock.go
@@ -6289,6 +6289,21 @@ func (mr *MockStoreMockRecorder) UpsertWorkspaceAgentPortShare(ctx, arg any) *go
return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpsertWorkspaceAgentPortShare", reflect.TypeOf((*MockStore)(nil).UpsertWorkspaceAgentPortShare), ctx, arg)
}
+// UpsertWorkspaceAppAuditSession mocks base method.
+func (m *MockStore) UpsertWorkspaceAppAuditSession(ctx context.Context, arg database.UpsertWorkspaceAppAuditSessionParams) (time.Time, error) {
+ m.ctrl.T.Helper()
+ ret := m.ctrl.Call(m, "UpsertWorkspaceAppAuditSession", ctx, arg)
+ ret0, _ := ret[0].(time.Time)
+ ret1, _ := ret[1].(error)
+ return ret0, ret1
+}
+
+// UpsertWorkspaceAppAuditSession indicates an expected call of UpsertWorkspaceAppAuditSession.
+func (mr *MockStoreMockRecorder) UpsertWorkspaceAppAuditSession(ctx, arg any) *gomock.Call {
+ mr.mock.ctrl.T.Helper()
+ return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpsertWorkspaceAppAuditSession", reflect.TypeOf((*MockStore)(nil).UpsertWorkspaceAppAuditSession), ctx, arg)
+}
+
// Wrappers mocks base method.
func (m *MockStore) Wrappers() []string {
m.ctrl.T.Helper()
diff --git a/coderd/database/dump.sql b/coderd/database/dump.sql
index 492aaefc12aa5..d3a460e0c2f1b 100644
--- a/coderd/database/dump.sql
+++ b/coderd/database/dump.sql
@@ -1758,6 +1758,38 @@ COMMENT ON COLUMN workspace_agents.ready_at IS 'The time the agent entered the r
COMMENT ON COLUMN workspace_agents.display_order IS 'Specifies the order in which to display agents in user interfaces.';
+CREATE UNLOGGED TABLE workspace_app_audit_sessions (
+ agent_id uuid NOT NULL,
+ app_id uuid NOT NULL,
+ user_id uuid NOT NULL,
+ ip text NOT NULL,
+ user_agent text NOT NULL,
+ slug_or_port text NOT NULL,
+ status_code integer NOT NULL,
+ started_at timestamp with time zone NOT NULL,
+ updated_at timestamp with time zone NOT NULL
+);
+
+COMMENT ON TABLE workspace_app_audit_sessions IS 'Audit sessions for workspace apps, the data in this table is ephemeral and is used to deduplicate audit log entries for workspace apps. While a session is active, the same data will not be logged again. This table does not store historical data.';
+
+COMMENT ON COLUMN workspace_app_audit_sessions.agent_id IS 'The agent that the workspace app or port forward belongs to.';
+
+COMMENT ON COLUMN workspace_app_audit_sessions.app_id IS 'The app that is currently in the workspace app. This is may be uuid.Nil because ports are not associated with an app.';
+
+COMMENT ON COLUMN workspace_app_audit_sessions.user_id IS 'The user that is currently using the workspace app. This is may be uuid.Nil if we cannot determine the user.';
+
+COMMENT ON COLUMN workspace_app_audit_sessions.ip IS 'The IP address of the user that is currently using the workspace app.';
+
+COMMENT ON COLUMN workspace_app_audit_sessions.user_agent IS 'The user agent of the user that is currently using the workspace app.';
+
+COMMENT ON COLUMN workspace_app_audit_sessions.slug_or_port IS 'The slug or port of the workspace app that the user is currently using.';
+
+COMMENT ON COLUMN workspace_app_audit_sessions.status_code IS 'The HTTP status produced by the token authorization. Defaults to 200 if no status is provided.';
+
+COMMENT ON COLUMN workspace_app_audit_sessions.started_at IS 'The time the user started the session.';
+
+COMMENT ON COLUMN workspace_app_audit_sessions.updated_at IS 'The time the session was last updated.';
+
CREATE TABLE workspace_app_stats (
id bigint NOT NULL,
user_id uuid NOT NULL,
@@ -2244,6 +2276,9 @@ ALTER TABLE ONLY workspace_agent_volume_resource_monitors
ALTER TABLE ONLY workspace_agents
ADD CONSTRAINT workspace_agents_pkey PRIMARY KEY (id);
+ALTER TABLE ONLY workspace_app_audit_sessions
+ ADD CONSTRAINT workspace_app_audit_sessions_agent_id_app_id_user_id_ip_use_key UNIQUE (agent_id, app_id, user_id, ip, user_agent, slug_or_port, status_code);
+
ALTER TABLE ONLY workspace_app_stats
ADD CONSTRAINT workspace_app_stats_pkey PRIMARY KEY (id);
@@ -2382,6 +2417,10 @@ CREATE INDEX workspace_agents_auth_token_idx ON workspace_agents USING btree (au
CREATE INDEX workspace_agents_resource_id_idx ON workspace_agents USING btree (resource_id);
+CREATE UNIQUE INDEX workspace_app_audit_sessions_unique_index ON workspace_app_audit_sessions USING btree (agent_id, app_id, user_id, ip, user_agent, slug_or_port, status_code);
+
+COMMENT ON INDEX workspace_app_audit_sessions_unique_index IS 'Unique index to ensure that we do not allow duplicate entries from multiple transactions.';
+
CREATE INDEX workspace_app_stats_workspace_id_idx ON workspace_app_stats USING btree (workspace_id);
CREATE INDEX workspace_modules_created_at_idx ON workspace_modules USING btree (created_at);
@@ -2664,6 +2703,9 @@ ALTER TABLE ONLY workspace_agent_volume_resource_monitors
ALTER TABLE ONLY workspace_agents
ADD CONSTRAINT workspace_agents_resource_id_fkey FOREIGN KEY (resource_id) REFERENCES workspace_resources(id) ON DELETE CASCADE;
+ALTER TABLE ONLY workspace_app_audit_sessions
+ ADD CONSTRAINT workspace_app_audit_sessions_agent_id_fkey FOREIGN KEY (agent_id) REFERENCES workspace_agents(id) ON DELETE CASCADE;
+
ALTER TABLE ONLY workspace_app_stats
ADD CONSTRAINT workspace_app_stats_agent_id_fkey FOREIGN KEY (agent_id) REFERENCES workspace_agents(id);
diff --git a/coderd/database/foreign_key_constraint.go b/coderd/database/foreign_key_constraint.go
index f7044815852cd..410c484ab96a2 100644
--- a/coderd/database/foreign_key_constraint.go
+++ b/coderd/database/foreign_key_constraint.go
@@ -66,6 +66,7 @@ const (
ForeignKeyWorkspaceAgentStartupLogsAgentID ForeignKeyConstraint = "workspace_agent_startup_logs_agent_id_fkey" // ALTER TABLE ONLY workspace_agent_logs ADD CONSTRAINT workspace_agent_startup_logs_agent_id_fkey FOREIGN KEY (agent_id) REFERENCES workspace_agents(id) ON DELETE CASCADE;
ForeignKeyWorkspaceAgentVolumeResourceMonitorsAgentID ForeignKeyConstraint = "workspace_agent_volume_resource_monitors_agent_id_fkey" // ALTER TABLE ONLY workspace_agent_volume_resource_monitors ADD CONSTRAINT workspace_agent_volume_resource_monitors_agent_id_fkey FOREIGN KEY (agent_id) REFERENCES workspace_agents(id) ON DELETE CASCADE;
ForeignKeyWorkspaceAgentsResourceID ForeignKeyConstraint = "workspace_agents_resource_id_fkey" // ALTER TABLE ONLY workspace_agents ADD CONSTRAINT workspace_agents_resource_id_fkey FOREIGN KEY (resource_id) REFERENCES workspace_resources(id) ON DELETE CASCADE;
+ ForeignKeyWorkspaceAppAuditSessionsAgentID ForeignKeyConstraint = "workspace_app_audit_sessions_agent_id_fkey" // ALTER TABLE ONLY workspace_app_audit_sessions ADD CONSTRAINT workspace_app_audit_sessions_agent_id_fkey FOREIGN KEY (agent_id) REFERENCES workspace_agents(id) ON DELETE CASCADE;
ForeignKeyWorkspaceAppStatsAgentID ForeignKeyConstraint = "workspace_app_stats_agent_id_fkey" // ALTER TABLE ONLY workspace_app_stats ADD CONSTRAINT workspace_app_stats_agent_id_fkey FOREIGN KEY (agent_id) REFERENCES workspace_agents(id);
ForeignKeyWorkspaceAppStatsUserID ForeignKeyConstraint = "workspace_app_stats_user_id_fkey" // ALTER TABLE ONLY workspace_app_stats ADD CONSTRAINT workspace_app_stats_user_id_fkey FOREIGN KEY (user_id) REFERENCES users(id);
ForeignKeyWorkspaceAppStatsWorkspaceID ForeignKeyConstraint = "workspace_app_stats_workspace_id_fkey" // ALTER TABLE ONLY workspace_app_stats ADD CONSTRAINT workspace_app_stats_workspace_id_fkey FOREIGN KEY (workspace_id) REFERENCES workspaces(id);
diff --git a/coderd/database/migrations/000301_add_workspace_app_audit_sessions.down.sql b/coderd/database/migrations/000301_add_workspace_app_audit_sessions.down.sql
new file mode 100644
index 0000000000000..f02436336f8dc
--- /dev/null
+++ b/coderd/database/migrations/000301_add_workspace_app_audit_sessions.down.sql
@@ -0,0 +1 @@
+DROP TABLE workspace_app_audit_sessions;
diff --git a/coderd/database/migrations/000301_add_workspace_app_audit_sessions.up.sql b/coderd/database/migrations/000301_add_workspace_app_audit_sessions.up.sql
new file mode 100644
index 0000000000000..a9ffdb4fd6211
--- /dev/null
+++ b/coderd/database/migrations/000301_add_workspace_app_audit_sessions.up.sql
@@ -0,0 +1,33 @@
+-- Keep all unique fields as non-null because `UNIQUE NULLS NOT DISTINCT`
+-- requires PostgreSQL 15+.
+CREATE UNLOGGED TABLE workspace_app_audit_sessions (
+ agent_id UUID NOT NULL,
+ app_id UUID NOT NULL, -- Can be NULL, but must be uuid.Nil.
+ user_id UUID NOT NULL, -- Can be NULL, but must be uuid.Nil.
+ ip TEXT NOT NULL,
+ user_agent TEXT NOT NULL,
+ slug_or_port TEXT NOT NULL,
+ status_code int4 NOT NULL,
+ started_at TIMESTAMP WITH TIME ZONE NOT NULL,
+ updated_at TIMESTAMP WITH TIME ZONE NOT NULL,
+ FOREIGN KEY (agent_id) REFERENCES workspace_agents (id) ON DELETE CASCADE,
+ -- Skip foreign keys that we can't enforce due to NOT NULL constraints.
+ -- FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE,
+ -- FOREIGN KEY (app_id) REFERENCES workspace_apps (id) ON DELETE CASCADE,
+ UNIQUE (agent_id, app_id, user_id, ip, user_agent, slug_or_port, status_code)
+);
+
+COMMENT ON TABLE workspace_app_audit_sessions IS 'Audit sessions for workspace apps, the data in this table is ephemeral and is used to deduplicate audit log entries for workspace apps. While a session is active, the same data will not be logged again. This table does not store historical data.';
+COMMENT ON COLUMN workspace_app_audit_sessions.agent_id IS 'The agent that the workspace app or port forward belongs to.';
+COMMENT ON COLUMN workspace_app_audit_sessions.app_id IS 'The app that is currently in the workspace app. This is may be uuid.Nil because ports are not associated with an app.';
+COMMENT ON COLUMN workspace_app_audit_sessions.user_id IS 'The user that is currently using the workspace app. This is may be uuid.Nil if we cannot determine the user.';
+COMMENT ON COLUMN workspace_app_audit_sessions.ip IS 'The IP address of the user that is currently using the workspace app.';
+COMMENT ON COLUMN workspace_app_audit_sessions.user_agent IS 'The user agent of the user that is currently using the workspace app.';
+COMMENT ON COLUMN workspace_app_audit_sessions.slug_or_port IS 'The slug or port of the workspace app that the user is currently using.';
+COMMENT ON COLUMN workspace_app_audit_sessions.status_code IS 'The HTTP status produced by the token authorization. Defaults to 200 if no status is provided.';
+COMMENT ON COLUMN workspace_app_audit_sessions.started_at IS 'The time the user started the session.';
+COMMENT ON COLUMN workspace_app_audit_sessions.updated_at IS 'The time the session was last updated.';
+
+CREATE UNIQUE INDEX workspace_app_audit_sessions_unique_index ON workspace_app_audit_sessions (agent_id, app_id, user_id, ip, user_agent, slug_or_port, status_code);
+
+COMMENT ON INDEX workspace_app_audit_sessions_unique_index IS 'Unique index to ensure that we do not allow duplicate entries from multiple transactions.';
diff --git a/coderd/database/migrations/testdata/fixtures/000301_add_workspace_app_audit_sessions.up.sql b/coderd/database/migrations/testdata/fixtures/000301_add_workspace_app_audit_sessions.up.sql
new file mode 100644
index 0000000000000..bd335ff1cdea3
--- /dev/null
+++ b/coderd/database/migrations/testdata/fixtures/000301_add_workspace_app_audit_sessions.up.sql
@@ -0,0 +1,6 @@
+INSERT INTO workspace_app_audit_sessions
+ (agent_id, app_id, user_id, ip, user_agent, slug_or_port, status_code, started_at, updated_at)
+VALUES
+ ('45e89705-e09d-4850-bcec-f9a937f5d78d', '36b65d0c-042b-4653-863a-655ee739861c', '30095c71-380b-457a-8995-97b8ee6e5307', '127.0.0.1', 'curl', '', 200, '2025-03-04 15:08:38.579772+02', '2025-03-04 15:06:48.755158+02'),
+ ('45e89705-e09d-4850-bcec-f9a937f5d78d', '36b65d0c-042b-4653-863a-655ee739861c', '00000000-0000-0000-0000-000000000000', '127.0.0.1', 'curl', '', 200, '2025-03-04 15:08:44.411389+02', '2025-03-04 15:08:44.411389+02'),
+ ('45e89705-e09d-4850-bcec-f9a937f5d78d', '00000000-0000-0000-0000-000000000000', '00000000-0000-0000-0000-000000000000', '::1', 'curl', 'terminal', 0, '2025-03-04 15:25:55.555306+02', '2025-03-04 15:25:55.555306+02');
diff --git a/coderd/database/models.go b/coderd/database/models.go
index e0064916b0135..0d427c9dde02d 100644
--- a/coderd/database/models.go
+++ b/coderd/database/models.go
@@ -3434,6 +3434,28 @@ type WorkspaceApp struct {
OpenIn WorkspaceAppOpenIn `db:"open_in" json:"open_in"`
}
+// Audit sessions for workspace apps, the data in this table is ephemeral and is used to deduplicate audit log entries for workspace apps. While a session is active, the same data will not be logged again. This table does not store historical data.
+type WorkspaceAppAuditSession struct {
+ // The agent that the workspace app or port forward belongs to.
+ AgentID uuid.UUID `db:"agent_id" json:"agent_id"`
+ // The app that is currently in the workspace app. This is may be uuid.Nil because ports are not associated with an app.
+ AppID uuid.UUID `db:"app_id" json:"app_id"`
+ // The user that is currently using the workspace app. This is may be uuid.Nil if we cannot determine the user.
+ UserID uuid.UUID `db:"user_id" json:"user_id"`
+ // The IP address of the user that is currently using the workspace app.
+ Ip string `db:"ip" json:"ip"`
+ // The user agent of the user that is currently using the workspace app.
+ UserAgent string `db:"user_agent" json:"user_agent"`
+ // The slug or port of the workspace app that the user is currently using.
+ SlugOrPort string `db:"slug_or_port" json:"slug_or_port"`
+ // The HTTP status produced by the token authorization. Defaults to 200 if no status is provided.
+ StatusCode int32 `db:"status_code" json:"status_code"`
+ // The time the user started the session.
+ StartedAt time.Time `db:"started_at" json:"started_at"`
+ // The time the session was last updated.
+ UpdatedAt time.Time `db:"updated_at" json:"updated_at"`
+}
+
// A record of workspace app usage statistics
type WorkspaceAppStat struct {
// The ID of the record
diff --git a/coderd/database/querier.go b/coderd/database/querier.go
index d72469650f0ea..6dbcffac3b625 100644
--- a/coderd/database/querier.go
+++ b/coderd/database/querier.go
@@ -593,6 +593,10 @@ type sqlcQuerier interface {
// combination. The result is stored in the template_usage_stats table.
UpsertTemplateUsageStats(ctx context.Context) error
UpsertWorkspaceAgentPortShare(ctx context.Context, arg UpsertWorkspaceAgentPortShareParams) (WorkspaceAgentPortShare, error)
+ //
+ // Insert a new workspace app audit session or update an existing one, if
+ // started_at is updated, it means the session has been restarted.
+ UpsertWorkspaceAppAuditSession(ctx context.Context, arg UpsertWorkspaceAppAuditSessionParams) (time.Time, error)
}
var _ sqlcQuerier = (*sqlQuerier)(nil)
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
index b394a0b0121ec..b4e2795bc031a 100644
--- a/coderd/database/queries.sql.go
+++ b/coderd/database/queries.sql.go
@@ -14635,6 +14635,79 @@ func (q *sqlQuerier) InsertWorkspaceAgentStats(ctx context.Context, arg InsertWo
return err
}
+const upsertWorkspaceAppAuditSession = `-- name: UpsertWorkspaceAppAuditSession :one
+INSERT INTO
+ workspace_app_audit_sessions (
+ agent_id,
+ app_id,
+ user_id,
+ ip,
+ user_agent,
+ slug_or_port,
+ status_code,
+ started_at,
+ updated_at
+ )
+VALUES
+ (
+ $1,
+ $2,
+ $3,
+ $4,
+ $5,
+ $6,
+ $7,
+ $8,
+ $9
+ )
+ON CONFLICT
+ (agent_id, app_id, user_id, ip, user_agent, slug_or_port, status_code)
+DO
+ UPDATE
+ SET
+ started_at = CASE
+ WHEN workspace_app_audit_sessions.updated_at > NOW() - ($10::bigint || ' ms')::interval
+ THEN workspace_app_audit_sessions.started_at
+ ELSE EXCLUDED.started_at
+ END,
+ updated_at = EXCLUDED.updated_at
+RETURNING
+ started_at
+`
+
+type UpsertWorkspaceAppAuditSessionParams struct {
+ AgentID uuid.UUID `db:"agent_id" json:"agent_id"`
+ AppID uuid.UUID `db:"app_id" json:"app_id"`
+ UserID uuid.UUID `db:"user_id" json:"user_id"`
+ Ip string `db:"ip" json:"ip"`
+ UserAgent string `db:"user_agent" json:"user_agent"`
+ SlugOrPort string `db:"slug_or_port" json:"slug_or_port"`
+ StatusCode int32 `db:"status_code" json:"status_code"`
+ StartedAt time.Time `db:"started_at" json:"started_at"`
+ UpdatedAt time.Time `db:"updated_at" json:"updated_at"`
+ StaleIntervalMS int64 `db:"stale_interval_ms" json:"stale_interval_ms"`
+}
+
+// Insert a new workspace app audit session or update an existing one, if
+// started_at is updated, it means the session has been restarted.
+func (q *sqlQuerier) UpsertWorkspaceAppAuditSession(ctx context.Context, arg UpsertWorkspaceAppAuditSessionParams) (time.Time, error) {
+ row := q.db.QueryRowContext(ctx, upsertWorkspaceAppAuditSession,
+ arg.AgentID,
+ arg.AppID,
+ arg.UserID,
+ arg.Ip,
+ arg.UserAgent,
+ arg.SlugOrPort,
+ arg.StatusCode,
+ arg.StartedAt,
+ arg.UpdatedAt,
+ arg.StaleIntervalMS,
+ )
+ var started_at time.Time
+ err := row.Scan(&started_at)
+ return started_at, err
+}
+
const getWorkspaceAppByAgentIDAndSlug = `-- name: GetWorkspaceAppByAgentIDAndSlug :one
SELECT id, created_at, agent_id, display_name, icon, command, url, healthcheck_url, healthcheck_interval, healthcheck_threshold, health, subdomain, sharing_level, slug, external, display_order, hidden, open_in FROM workspace_apps WHERE agent_id = $1 AND slug = $2
`
diff --git a/coderd/database/queries/workspaceappaudit.sql b/coderd/database/queries/workspaceappaudit.sql
new file mode 100644
index 0000000000000..596032d61343f
--- /dev/null
+++ b/coderd/database/queries/workspaceappaudit.sql
@@ -0,0 +1,41 @@
+-- name: UpsertWorkspaceAppAuditSession :one
+--
+-- Insert a new workspace app audit session or update an existing one, if
+-- started_at is updated, it means the session has been restarted.
+INSERT INTO
+ workspace_app_audit_sessions (
+ agent_id,
+ app_id,
+ user_id,
+ ip,
+ user_agent,
+ slug_or_port,
+ status_code,
+ started_at,
+ updated_at
+ )
+VALUES
+ (
+ $1,
+ $2,
+ $3,
+ $4,
+ $5,
+ $6,
+ $7,
+ $8,
+ $9
+ )
+ON CONFLICT
+ (agent_id, app_id, user_id, ip, user_agent, slug_or_port, status_code)
+DO
+ UPDATE
+ SET
+ started_at = CASE
+ WHEN workspace_app_audit_sessions.updated_at > NOW() - (@stale_interval_ms::bigint || ' ms')::interval
+ THEN workspace_app_audit_sessions.started_at
+ ELSE EXCLUDED.started_at
+ END,
+ updated_at = EXCLUDED.updated_at
+RETURNING
+ started_at;
diff --git a/coderd/database/unique_constraint.go b/coderd/database/unique_constraint.go
index b2c814241d55a..5e12bd9825c8b 100644
--- a/coderd/database/unique_constraint.go
+++ b/coderd/database/unique_constraint.go
@@ -6,107 +6,109 @@ type UniqueConstraint string
// UniqueConstraint enums.
const (
- UniqueAgentStatsPkey UniqueConstraint = "agent_stats_pkey" // ALTER TABLE ONLY workspace_agent_stats ADD CONSTRAINT agent_stats_pkey PRIMARY KEY (id);
- UniqueAPIKeysPkey UniqueConstraint = "api_keys_pkey" // ALTER TABLE ONLY api_keys ADD CONSTRAINT api_keys_pkey PRIMARY KEY (id);
- UniqueAuditLogsPkey UniqueConstraint = "audit_logs_pkey" // ALTER TABLE ONLY audit_logs ADD CONSTRAINT audit_logs_pkey PRIMARY KEY (id);
- UniqueCryptoKeysPkey UniqueConstraint = "crypto_keys_pkey" // ALTER TABLE ONLY crypto_keys ADD CONSTRAINT crypto_keys_pkey PRIMARY KEY (feature, sequence);
- UniqueCustomRolesUniqueKey UniqueConstraint = "custom_roles_unique_key" // ALTER TABLE ONLY custom_roles ADD CONSTRAINT custom_roles_unique_key UNIQUE (name, organization_id);
- UniqueDbcryptKeysActiveKeyDigestKey UniqueConstraint = "dbcrypt_keys_active_key_digest_key" // ALTER TABLE ONLY dbcrypt_keys ADD CONSTRAINT dbcrypt_keys_active_key_digest_key UNIQUE (active_key_digest);
- UniqueDbcryptKeysPkey UniqueConstraint = "dbcrypt_keys_pkey" // ALTER TABLE ONLY dbcrypt_keys ADD CONSTRAINT dbcrypt_keys_pkey PRIMARY KEY (number);
- UniqueDbcryptKeysRevokedKeyDigestKey UniqueConstraint = "dbcrypt_keys_revoked_key_digest_key" // ALTER TABLE ONLY dbcrypt_keys ADD CONSTRAINT dbcrypt_keys_revoked_key_digest_key UNIQUE (revoked_key_digest);
- UniqueFilesHashCreatedByKey UniqueConstraint = "files_hash_created_by_key" // ALTER TABLE ONLY files ADD CONSTRAINT files_hash_created_by_key UNIQUE (hash, created_by);
- UniqueFilesPkey UniqueConstraint = "files_pkey" // ALTER TABLE ONLY files ADD CONSTRAINT files_pkey PRIMARY KEY (id);
- UniqueGitAuthLinksProviderIDUserIDKey UniqueConstraint = "git_auth_links_provider_id_user_id_key" // ALTER TABLE ONLY external_auth_links ADD CONSTRAINT git_auth_links_provider_id_user_id_key UNIQUE (provider_id, user_id);
- UniqueGitSSHKeysPkey UniqueConstraint = "gitsshkeys_pkey" // ALTER TABLE ONLY gitsshkeys ADD CONSTRAINT gitsshkeys_pkey PRIMARY KEY (user_id);
- UniqueGroupMembersUserIDGroupIDKey UniqueConstraint = "group_members_user_id_group_id_key" // ALTER TABLE ONLY group_members ADD CONSTRAINT group_members_user_id_group_id_key UNIQUE (user_id, group_id);
- UniqueGroupsNameOrganizationIDKey UniqueConstraint = "groups_name_organization_id_key" // ALTER TABLE ONLY groups ADD CONSTRAINT groups_name_organization_id_key UNIQUE (name, organization_id);
- UniqueGroupsPkey UniqueConstraint = "groups_pkey" // ALTER TABLE ONLY groups ADD CONSTRAINT groups_pkey PRIMARY KEY (id);
- UniqueInboxNotificationsPkey UniqueConstraint = "inbox_notifications_pkey" // ALTER TABLE ONLY inbox_notifications ADD CONSTRAINT inbox_notifications_pkey PRIMARY KEY (id);
- UniqueJfrogXrayScansPkey UniqueConstraint = "jfrog_xray_scans_pkey" // ALTER TABLE ONLY jfrog_xray_scans ADD CONSTRAINT jfrog_xray_scans_pkey PRIMARY KEY (agent_id, workspace_id);
- UniqueLicensesJWTKey UniqueConstraint = "licenses_jwt_key" // ALTER TABLE ONLY licenses ADD CONSTRAINT licenses_jwt_key UNIQUE (jwt);
- UniqueLicensesPkey UniqueConstraint = "licenses_pkey" // ALTER TABLE ONLY licenses ADD CONSTRAINT licenses_pkey PRIMARY KEY (id);
- UniqueNotificationMessagesPkey UniqueConstraint = "notification_messages_pkey" // ALTER TABLE ONLY notification_messages ADD CONSTRAINT notification_messages_pkey PRIMARY KEY (id);
- UniqueNotificationPreferencesPkey UniqueConstraint = "notification_preferences_pkey" // ALTER TABLE ONLY notification_preferences ADD CONSTRAINT notification_preferences_pkey PRIMARY KEY (user_id, notification_template_id);
- UniqueNotificationReportGeneratorLogsPkey UniqueConstraint = "notification_report_generator_logs_pkey" // ALTER TABLE ONLY notification_report_generator_logs ADD CONSTRAINT notification_report_generator_logs_pkey PRIMARY KEY (notification_template_id);
- UniqueNotificationTemplatesNameKey UniqueConstraint = "notification_templates_name_key" // ALTER TABLE ONLY notification_templates ADD CONSTRAINT notification_templates_name_key UNIQUE (name);
- UniqueNotificationTemplatesPkey UniqueConstraint = "notification_templates_pkey" // ALTER TABLE ONLY notification_templates ADD CONSTRAINT notification_templates_pkey PRIMARY KEY (id);
- UniqueOauth2ProviderAppCodesPkey UniqueConstraint = "oauth2_provider_app_codes_pkey" // ALTER TABLE ONLY oauth2_provider_app_codes ADD CONSTRAINT oauth2_provider_app_codes_pkey PRIMARY KEY (id);
- UniqueOauth2ProviderAppCodesSecretPrefixKey UniqueConstraint = "oauth2_provider_app_codes_secret_prefix_key" // ALTER TABLE ONLY oauth2_provider_app_codes ADD CONSTRAINT oauth2_provider_app_codes_secret_prefix_key UNIQUE (secret_prefix);
- UniqueOauth2ProviderAppSecretsPkey UniqueConstraint = "oauth2_provider_app_secrets_pkey" // ALTER TABLE ONLY oauth2_provider_app_secrets ADD CONSTRAINT oauth2_provider_app_secrets_pkey PRIMARY KEY (id);
- UniqueOauth2ProviderAppSecretsSecretPrefixKey UniqueConstraint = "oauth2_provider_app_secrets_secret_prefix_key" // ALTER TABLE ONLY oauth2_provider_app_secrets ADD CONSTRAINT oauth2_provider_app_secrets_secret_prefix_key UNIQUE (secret_prefix);
- UniqueOauth2ProviderAppTokensHashPrefixKey UniqueConstraint = "oauth2_provider_app_tokens_hash_prefix_key" // ALTER TABLE ONLY oauth2_provider_app_tokens ADD CONSTRAINT oauth2_provider_app_tokens_hash_prefix_key UNIQUE (hash_prefix);
- UniqueOauth2ProviderAppTokensPkey UniqueConstraint = "oauth2_provider_app_tokens_pkey" // ALTER TABLE ONLY oauth2_provider_app_tokens ADD CONSTRAINT oauth2_provider_app_tokens_pkey PRIMARY KEY (id);
- UniqueOauth2ProviderAppsNameKey UniqueConstraint = "oauth2_provider_apps_name_key" // ALTER TABLE ONLY oauth2_provider_apps ADD CONSTRAINT oauth2_provider_apps_name_key UNIQUE (name);
- UniqueOauth2ProviderAppsPkey UniqueConstraint = "oauth2_provider_apps_pkey" // ALTER TABLE ONLY oauth2_provider_apps ADD CONSTRAINT oauth2_provider_apps_pkey PRIMARY KEY (id);
- UniqueOrganizationMembersPkey UniqueConstraint = "organization_members_pkey" // ALTER TABLE ONLY organization_members ADD CONSTRAINT organization_members_pkey PRIMARY KEY (organization_id, user_id);
- UniqueOrganizationsPkey UniqueConstraint = "organizations_pkey" // ALTER TABLE ONLY organizations ADD CONSTRAINT organizations_pkey PRIMARY KEY (id);
- UniqueParameterSchemasJobIDNameKey UniqueConstraint = "parameter_schemas_job_id_name_key" // ALTER TABLE ONLY parameter_schemas ADD CONSTRAINT parameter_schemas_job_id_name_key UNIQUE (job_id, name);
- UniqueParameterSchemasPkey UniqueConstraint = "parameter_schemas_pkey" // ALTER TABLE ONLY parameter_schemas ADD CONSTRAINT parameter_schemas_pkey PRIMARY KEY (id);
- UniqueParameterValuesPkey UniqueConstraint = "parameter_values_pkey" // ALTER TABLE ONLY parameter_values ADD CONSTRAINT parameter_values_pkey PRIMARY KEY (id);
- UniqueParameterValuesScopeIDNameKey UniqueConstraint = "parameter_values_scope_id_name_key" // ALTER TABLE ONLY parameter_values ADD CONSTRAINT parameter_values_scope_id_name_key UNIQUE (scope_id, name);
- UniqueProvisionerDaemonsPkey UniqueConstraint = "provisioner_daemons_pkey" // ALTER TABLE ONLY provisioner_daemons ADD CONSTRAINT provisioner_daemons_pkey PRIMARY KEY (id);
- UniqueProvisionerJobLogsPkey UniqueConstraint = "provisioner_job_logs_pkey" // ALTER TABLE ONLY provisioner_job_logs ADD CONSTRAINT provisioner_job_logs_pkey PRIMARY KEY (id);
- UniqueProvisionerJobsPkey UniqueConstraint = "provisioner_jobs_pkey" // ALTER TABLE ONLY provisioner_jobs ADD CONSTRAINT provisioner_jobs_pkey PRIMARY KEY (id);
- UniqueProvisionerKeysPkey UniqueConstraint = "provisioner_keys_pkey" // ALTER TABLE ONLY provisioner_keys ADD CONSTRAINT provisioner_keys_pkey PRIMARY KEY (id);
- UniqueSiteConfigsKeyKey UniqueConstraint = "site_configs_key_key" // ALTER TABLE ONLY site_configs ADD CONSTRAINT site_configs_key_key UNIQUE (key);
- UniqueTailnetAgentsPkey UniqueConstraint = "tailnet_agents_pkey" // ALTER TABLE ONLY tailnet_agents ADD CONSTRAINT tailnet_agents_pkey PRIMARY KEY (id, coordinator_id);
- UniqueTailnetClientSubscriptionsPkey UniqueConstraint = "tailnet_client_subscriptions_pkey" // ALTER TABLE ONLY tailnet_client_subscriptions ADD CONSTRAINT tailnet_client_subscriptions_pkey PRIMARY KEY (client_id, coordinator_id, agent_id);
- UniqueTailnetClientsPkey UniqueConstraint = "tailnet_clients_pkey" // ALTER TABLE ONLY tailnet_clients ADD CONSTRAINT tailnet_clients_pkey PRIMARY KEY (id, coordinator_id);
- UniqueTailnetCoordinatorsPkey UniqueConstraint = "tailnet_coordinators_pkey" // ALTER TABLE ONLY tailnet_coordinators ADD CONSTRAINT tailnet_coordinators_pkey PRIMARY KEY (id);
- UniqueTailnetPeersPkey UniqueConstraint = "tailnet_peers_pkey" // ALTER TABLE ONLY tailnet_peers ADD CONSTRAINT tailnet_peers_pkey PRIMARY KEY (id, coordinator_id);
- UniqueTailnetTunnelsPkey UniqueConstraint = "tailnet_tunnels_pkey" // ALTER TABLE ONLY tailnet_tunnels ADD CONSTRAINT tailnet_tunnels_pkey PRIMARY KEY (coordinator_id, src_id, dst_id);
- UniqueTelemetryItemsPkey UniqueConstraint = "telemetry_items_pkey" // ALTER TABLE ONLY telemetry_items ADD CONSTRAINT telemetry_items_pkey PRIMARY KEY (key);
- UniqueTemplateUsageStatsPkey UniqueConstraint = "template_usage_stats_pkey" // ALTER TABLE ONLY template_usage_stats ADD CONSTRAINT template_usage_stats_pkey PRIMARY KEY (start_time, template_id, user_id);
- UniqueTemplateVersionParametersTemplateVersionIDNameKey UniqueConstraint = "template_version_parameters_template_version_id_name_key" // ALTER TABLE ONLY template_version_parameters ADD CONSTRAINT template_version_parameters_template_version_id_name_key UNIQUE (template_version_id, name);
- UniqueTemplateVersionPresetParametersPkey UniqueConstraint = "template_version_preset_parameters_pkey" // ALTER TABLE ONLY template_version_preset_parameters ADD CONSTRAINT template_version_preset_parameters_pkey PRIMARY KEY (id);
- UniqueTemplateVersionPresetsPkey UniqueConstraint = "template_version_presets_pkey" // ALTER TABLE ONLY template_version_presets ADD CONSTRAINT template_version_presets_pkey PRIMARY KEY (id);
- UniqueTemplateVersionVariablesTemplateVersionIDNameKey UniqueConstraint = "template_version_variables_template_version_id_name_key" // ALTER TABLE ONLY template_version_variables ADD CONSTRAINT template_version_variables_template_version_id_name_key UNIQUE (template_version_id, name);
- UniqueTemplateVersionWorkspaceTagsTemplateVersionIDKeyKey UniqueConstraint = "template_version_workspace_tags_template_version_id_key_key" // ALTER TABLE ONLY template_version_workspace_tags ADD CONSTRAINT template_version_workspace_tags_template_version_id_key_key UNIQUE (template_version_id, key);
- UniqueTemplateVersionsPkey UniqueConstraint = "template_versions_pkey" // ALTER TABLE ONLY template_versions ADD CONSTRAINT template_versions_pkey PRIMARY KEY (id);
- UniqueTemplateVersionsTemplateIDNameKey UniqueConstraint = "template_versions_template_id_name_key" // ALTER TABLE ONLY template_versions ADD CONSTRAINT template_versions_template_id_name_key UNIQUE (template_id, name);
- UniqueTemplatesPkey UniqueConstraint = "templates_pkey" // ALTER TABLE ONLY templates ADD CONSTRAINT templates_pkey PRIMARY KEY (id);
- UniqueUserConfigsPkey UniqueConstraint = "user_configs_pkey" // ALTER TABLE ONLY user_configs ADD CONSTRAINT user_configs_pkey PRIMARY KEY (user_id, key);
- UniqueUserDeletedPkey UniqueConstraint = "user_deleted_pkey" // ALTER TABLE ONLY user_deleted ADD CONSTRAINT user_deleted_pkey PRIMARY KEY (id);
- UniqueUserLinksPkey UniqueConstraint = "user_links_pkey" // ALTER TABLE ONLY user_links ADD CONSTRAINT user_links_pkey PRIMARY KEY (user_id, login_type);
- UniqueUserStatusChangesPkey UniqueConstraint = "user_status_changes_pkey" // ALTER TABLE ONLY user_status_changes ADD CONSTRAINT user_status_changes_pkey PRIMARY KEY (id);
- UniqueUsersPkey UniqueConstraint = "users_pkey" // ALTER TABLE ONLY users ADD CONSTRAINT users_pkey PRIMARY KEY (id);
- UniqueWorkspaceAgentLogSourcesPkey UniqueConstraint = "workspace_agent_log_sources_pkey" // ALTER TABLE ONLY workspace_agent_log_sources ADD CONSTRAINT workspace_agent_log_sources_pkey PRIMARY KEY (workspace_agent_id, id);
- UniqueWorkspaceAgentMemoryResourceMonitorsPkey UniqueConstraint = "workspace_agent_memory_resource_monitors_pkey" // ALTER TABLE ONLY workspace_agent_memory_resource_monitors ADD CONSTRAINT workspace_agent_memory_resource_monitors_pkey PRIMARY KEY (agent_id);
- UniqueWorkspaceAgentMetadataPkey UniqueConstraint = "workspace_agent_metadata_pkey" // ALTER TABLE ONLY workspace_agent_metadata ADD CONSTRAINT workspace_agent_metadata_pkey PRIMARY KEY (workspace_agent_id, key);
- UniqueWorkspaceAgentPortSharePkey UniqueConstraint = "workspace_agent_port_share_pkey" // ALTER TABLE ONLY workspace_agent_port_share ADD CONSTRAINT workspace_agent_port_share_pkey PRIMARY KEY (workspace_id, agent_name, port);
- UniqueWorkspaceAgentScriptTimingsScriptIDStartedAtKey UniqueConstraint = "workspace_agent_script_timings_script_id_started_at_key" // ALTER TABLE ONLY workspace_agent_script_timings ADD CONSTRAINT workspace_agent_script_timings_script_id_started_at_key UNIQUE (script_id, started_at);
- UniqueWorkspaceAgentScriptsIDKey UniqueConstraint = "workspace_agent_scripts_id_key" // ALTER TABLE ONLY workspace_agent_scripts ADD CONSTRAINT workspace_agent_scripts_id_key UNIQUE (id);
- UniqueWorkspaceAgentStartupLogsPkey UniqueConstraint = "workspace_agent_startup_logs_pkey" // ALTER TABLE ONLY workspace_agent_logs ADD CONSTRAINT workspace_agent_startup_logs_pkey PRIMARY KEY (id);
- UniqueWorkspaceAgentVolumeResourceMonitorsPkey UniqueConstraint = "workspace_agent_volume_resource_monitors_pkey" // ALTER TABLE ONLY workspace_agent_volume_resource_monitors ADD CONSTRAINT workspace_agent_volume_resource_monitors_pkey PRIMARY KEY (agent_id, path);
- UniqueWorkspaceAgentsPkey UniqueConstraint = "workspace_agents_pkey" // ALTER TABLE ONLY workspace_agents ADD CONSTRAINT workspace_agents_pkey PRIMARY KEY (id);
- UniqueWorkspaceAppStatsPkey UniqueConstraint = "workspace_app_stats_pkey" // ALTER TABLE ONLY workspace_app_stats ADD CONSTRAINT workspace_app_stats_pkey PRIMARY KEY (id);
- UniqueWorkspaceAppStatsUserIDAgentIDSessionIDKey UniqueConstraint = "workspace_app_stats_user_id_agent_id_session_id_key" // ALTER TABLE ONLY workspace_app_stats ADD CONSTRAINT workspace_app_stats_user_id_agent_id_session_id_key UNIQUE (user_id, agent_id, session_id);
- UniqueWorkspaceAppsAgentIDSlugIndex UniqueConstraint = "workspace_apps_agent_id_slug_idx" // ALTER TABLE ONLY workspace_apps ADD CONSTRAINT workspace_apps_agent_id_slug_idx UNIQUE (agent_id, slug);
- UniqueWorkspaceAppsPkey UniqueConstraint = "workspace_apps_pkey" // ALTER TABLE ONLY workspace_apps ADD CONSTRAINT workspace_apps_pkey PRIMARY KEY (id);
- UniqueWorkspaceBuildParametersWorkspaceBuildIDNameKey UniqueConstraint = "workspace_build_parameters_workspace_build_id_name_key" // ALTER TABLE ONLY workspace_build_parameters ADD CONSTRAINT workspace_build_parameters_workspace_build_id_name_key UNIQUE (workspace_build_id, name);
- UniqueWorkspaceBuildsJobIDKey UniqueConstraint = "workspace_builds_job_id_key" // ALTER TABLE ONLY workspace_builds ADD CONSTRAINT workspace_builds_job_id_key UNIQUE (job_id);
- UniqueWorkspaceBuildsPkey UniqueConstraint = "workspace_builds_pkey" // ALTER TABLE ONLY workspace_builds ADD CONSTRAINT workspace_builds_pkey PRIMARY KEY (id);
- UniqueWorkspaceBuildsWorkspaceIDBuildNumberKey UniqueConstraint = "workspace_builds_workspace_id_build_number_key" // ALTER TABLE ONLY workspace_builds ADD CONSTRAINT workspace_builds_workspace_id_build_number_key UNIQUE (workspace_id, build_number);
- UniqueWorkspaceProxiesPkey UniqueConstraint = "workspace_proxies_pkey" // ALTER TABLE ONLY workspace_proxies ADD CONSTRAINT workspace_proxies_pkey PRIMARY KEY (id);
- UniqueWorkspaceProxiesRegionIDUnique UniqueConstraint = "workspace_proxies_region_id_unique" // ALTER TABLE ONLY workspace_proxies ADD CONSTRAINT workspace_proxies_region_id_unique UNIQUE (region_id);
- UniqueWorkspaceResourceMetadataName UniqueConstraint = "workspace_resource_metadata_name" // ALTER TABLE ONLY workspace_resource_metadata ADD CONSTRAINT workspace_resource_metadata_name UNIQUE (workspace_resource_id, key);
- UniqueWorkspaceResourceMetadataPkey UniqueConstraint = "workspace_resource_metadata_pkey" // ALTER TABLE ONLY workspace_resource_metadata ADD CONSTRAINT workspace_resource_metadata_pkey PRIMARY KEY (id);
- UniqueWorkspaceResourcesPkey UniqueConstraint = "workspace_resources_pkey" // ALTER TABLE ONLY workspace_resources ADD CONSTRAINT workspace_resources_pkey PRIMARY KEY (id);
- UniqueWorkspacesPkey UniqueConstraint = "workspaces_pkey" // ALTER TABLE ONLY workspaces ADD CONSTRAINT workspaces_pkey PRIMARY KEY (id);
- UniqueIndexAPIKeyName UniqueConstraint = "idx_api_key_name" // CREATE UNIQUE INDEX idx_api_key_name ON api_keys USING btree (user_id, token_name) WHERE (login_type = 'token'::login_type);
- UniqueIndexCustomRolesNameLower UniqueConstraint = "idx_custom_roles_name_lower" // CREATE UNIQUE INDEX idx_custom_roles_name_lower ON custom_roles USING btree (lower(name));
- UniqueIndexOrganizationNameLower UniqueConstraint = "idx_organization_name_lower" // CREATE UNIQUE INDEX idx_organization_name_lower ON organizations USING btree (lower(name)) WHERE (deleted = false);
- UniqueIndexProvisionerDaemonsOrgNameOwnerKey UniqueConstraint = "idx_provisioner_daemons_org_name_owner_key" // CREATE UNIQUE INDEX idx_provisioner_daemons_org_name_owner_key ON provisioner_daemons USING btree (organization_id, name, lower(COALESCE((tags ->> 'owner'::text), ''::text)));
- UniqueIndexUsersEmail UniqueConstraint = "idx_users_email" // CREATE UNIQUE INDEX idx_users_email ON users USING btree (email) WHERE (deleted = false);
- UniqueIndexUsersUsername UniqueConstraint = "idx_users_username" // CREATE UNIQUE INDEX idx_users_username ON users USING btree (username) WHERE (deleted = false);
- UniqueNotificationMessagesDedupeHashIndex UniqueConstraint = "notification_messages_dedupe_hash_idx" // CREATE UNIQUE INDEX notification_messages_dedupe_hash_idx ON notification_messages USING btree (dedupe_hash);
- UniqueOrganizationsSingleDefaultOrg UniqueConstraint = "organizations_single_default_org" // CREATE UNIQUE INDEX organizations_single_default_org ON organizations USING btree (is_default) WHERE (is_default = true);
- UniqueProvisionerKeysOrganizationIDNameIndex UniqueConstraint = "provisioner_keys_organization_id_name_idx" // CREATE UNIQUE INDEX provisioner_keys_organization_id_name_idx ON provisioner_keys USING btree (organization_id, lower((name)::text));
- UniqueTemplateUsageStatsStartTimeTemplateIDUserIDIndex UniqueConstraint = "template_usage_stats_start_time_template_id_user_id_idx" // CREATE UNIQUE INDEX template_usage_stats_start_time_template_id_user_id_idx ON template_usage_stats USING btree (start_time, template_id, user_id);
- UniqueTemplatesOrganizationIDNameIndex UniqueConstraint = "templates_organization_id_name_idx" // CREATE UNIQUE INDEX templates_organization_id_name_idx ON templates USING btree (organization_id, lower((name)::text)) WHERE (deleted = false);
- UniqueUserLinksLinkedIDLoginTypeIndex UniqueConstraint = "user_links_linked_id_login_type_idx" // CREATE UNIQUE INDEX user_links_linked_id_login_type_idx ON user_links USING btree (linked_id, login_type) WHERE (linked_id <> ''::text);
- UniqueUsersEmailLowerIndex UniqueConstraint = "users_email_lower_idx" // CREATE UNIQUE INDEX users_email_lower_idx ON users USING btree (lower(email)) WHERE (deleted = false);
- UniqueUsersUsernameLowerIndex UniqueConstraint = "users_username_lower_idx" // CREATE UNIQUE INDEX users_username_lower_idx ON users USING btree (lower(username)) WHERE (deleted = false);
- UniqueWorkspaceProxiesLowerNameIndex UniqueConstraint = "workspace_proxies_lower_name_idx" // CREATE UNIQUE INDEX workspace_proxies_lower_name_idx ON workspace_proxies USING btree (lower(name)) WHERE (deleted = false);
- UniqueWorkspacesOwnerIDLowerIndex UniqueConstraint = "workspaces_owner_id_lower_idx" // CREATE UNIQUE INDEX workspaces_owner_id_lower_idx ON workspaces USING btree (owner_id, lower((name)::text)) WHERE (deleted = false);
+ UniqueAgentStatsPkey UniqueConstraint = "agent_stats_pkey" // ALTER TABLE ONLY workspace_agent_stats ADD CONSTRAINT agent_stats_pkey PRIMARY KEY (id);
+ UniqueAPIKeysPkey UniqueConstraint = "api_keys_pkey" // ALTER TABLE ONLY api_keys ADD CONSTRAINT api_keys_pkey PRIMARY KEY (id);
+ UniqueAuditLogsPkey UniqueConstraint = "audit_logs_pkey" // ALTER TABLE ONLY audit_logs ADD CONSTRAINT audit_logs_pkey PRIMARY KEY (id);
+ UniqueCryptoKeysPkey UniqueConstraint = "crypto_keys_pkey" // ALTER TABLE ONLY crypto_keys ADD CONSTRAINT crypto_keys_pkey PRIMARY KEY (feature, sequence);
+ UniqueCustomRolesUniqueKey UniqueConstraint = "custom_roles_unique_key" // ALTER TABLE ONLY custom_roles ADD CONSTRAINT custom_roles_unique_key UNIQUE (name, organization_id);
+ UniqueDbcryptKeysActiveKeyDigestKey UniqueConstraint = "dbcrypt_keys_active_key_digest_key" // ALTER TABLE ONLY dbcrypt_keys ADD CONSTRAINT dbcrypt_keys_active_key_digest_key UNIQUE (active_key_digest);
+ UniqueDbcryptKeysPkey UniqueConstraint = "dbcrypt_keys_pkey" // ALTER TABLE ONLY dbcrypt_keys ADD CONSTRAINT dbcrypt_keys_pkey PRIMARY KEY (number);
+ UniqueDbcryptKeysRevokedKeyDigestKey UniqueConstraint = "dbcrypt_keys_revoked_key_digest_key" // ALTER TABLE ONLY dbcrypt_keys ADD CONSTRAINT dbcrypt_keys_revoked_key_digest_key UNIQUE (revoked_key_digest);
+ UniqueFilesHashCreatedByKey UniqueConstraint = "files_hash_created_by_key" // ALTER TABLE ONLY files ADD CONSTRAINT files_hash_created_by_key UNIQUE (hash, created_by);
+ UniqueFilesPkey UniqueConstraint = "files_pkey" // ALTER TABLE ONLY files ADD CONSTRAINT files_pkey PRIMARY KEY (id);
+ UniqueGitAuthLinksProviderIDUserIDKey UniqueConstraint = "git_auth_links_provider_id_user_id_key" // ALTER TABLE ONLY external_auth_links ADD CONSTRAINT git_auth_links_provider_id_user_id_key UNIQUE (provider_id, user_id);
+ UniqueGitSSHKeysPkey UniqueConstraint = "gitsshkeys_pkey" // ALTER TABLE ONLY gitsshkeys ADD CONSTRAINT gitsshkeys_pkey PRIMARY KEY (user_id);
+ UniqueGroupMembersUserIDGroupIDKey UniqueConstraint = "group_members_user_id_group_id_key" // ALTER TABLE ONLY group_members ADD CONSTRAINT group_members_user_id_group_id_key UNIQUE (user_id, group_id);
+ UniqueGroupsNameOrganizationIDKey UniqueConstraint = "groups_name_organization_id_key" // ALTER TABLE ONLY groups ADD CONSTRAINT groups_name_organization_id_key UNIQUE (name, organization_id);
+ UniqueGroupsPkey UniqueConstraint = "groups_pkey" // ALTER TABLE ONLY groups ADD CONSTRAINT groups_pkey PRIMARY KEY (id);
+ UniqueInboxNotificationsPkey UniqueConstraint = "inbox_notifications_pkey" // ALTER TABLE ONLY inbox_notifications ADD CONSTRAINT inbox_notifications_pkey PRIMARY KEY (id);
+ UniqueJfrogXrayScansPkey UniqueConstraint = "jfrog_xray_scans_pkey" // ALTER TABLE ONLY jfrog_xray_scans ADD CONSTRAINT jfrog_xray_scans_pkey PRIMARY KEY (agent_id, workspace_id);
+ UniqueLicensesJWTKey UniqueConstraint = "licenses_jwt_key" // ALTER TABLE ONLY licenses ADD CONSTRAINT licenses_jwt_key UNIQUE (jwt);
+ UniqueLicensesPkey UniqueConstraint = "licenses_pkey" // ALTER TABLE ONLY licenses ADD CONSTRAINT licenses_pkey PRIMARY KEY (id);
+ UniqueNotificationMessagesPkey UniqueConstraint = "notification_messages_pkey" // ALTER TABLE ONLY notification_messages ADD CONSTRAINT notification_messages_pkey PRIMARY KEY (id);
+ UniqueNotificationPreferencesPkey UniqueConstraint = "notification_preferences_pkey" // ALTER TABLE ONLY notification_preferences ADD CONSTRAINT notification_preferences_pkey PRIMARY KEY (user_id, notification_template_id);
+ UniqueNotificationReportGeneratorLogsPkey UniqueConstraint = "notification_report_generator_logs_pkey" // ALTER TABLE ONLY notification_report_generator_logs ADD CONSTRAINT notification_report_generator_logs_pkey PRIMARY KEY (notification_template_id);
+ UniqueNotificationTemplatesNameKey UniqueConstraint = "notification_templates_name_key" // ALTER TABLE ONLY notification_templates ADD CONSTRAINT notification_templates_name_key UNIQUE (name);
+ UniqueNotificationTemplatesPkey UniqueConstraint = "notification_templates_pkey" // ALTER TABLE ONLY notification_templates ADD CONSTRAINT notification_templates_pkey PRIMARY KEY (id);
+ UniqueOauth2ProviderAppCodesPkey UniqueConstraint = "oauth2_provider_app_codes_pkey" // ALTER TABLE ONLY oauth2_provider_app_codes ADD CONSTRAINT oauth2_provider_app_codes_pkey PRIMARY KEY (id);
+ UniqueOauth2ProviderAppCodesSecretPrefixKey UniqueConstraint = "oauth2_provider_app_codes_secret_prefix_key" // ALTER TABLE ONLY oauth2_provider_app_codes ADD CONSTRAINT oauth2_provider_app_codes_secret_prefix_key UNIQUE (secret_prefix);
+ UniqueOauth2ProviderAppSecretsPkey UniqueConstraint = "oauth2_provider_app_secrets_pkey" // ALTER TABLE ONLY oauth2_provider_app_secrets ADD CONSTRAINT oauth2_provider_app_secrets_pkey PRIMARY KEY (id);
+ UniqueOauth2ProviderAppSecretsSecretPrefixKey UniqueConstraint = "oauth2_provider_app_secrets_secret_prefix_key" // ALTER TABLE ONLY oauth2_provider_app_secrets ADD CONSTRAINT oauth2_provider_app_secrets_secret_prefix_key UNIQUE (secret_prefix);
+ UniqueOauth2ProviderAppTokensHashPrefixKey UniqueConstraint = "oauth2_provider_app_tokens_hash_prefix_key" // ALTER TABLE ONLY oauth2_provider_app_tokens ADD CONSTRAINT oauth2_provider_app_tokens_hash_prefix_key UNIQUE (hash_prefix);
+ UniqueOauth2ProviderAppTokensPkey UniqueConstraint = "oauth2_provider_app_tokens_pkey" // ALTER TABLE ONLY oauth2_provider_app_tokens ADD CONSTRAINT oauth2_provider_app_tokens_pkey PRIMARY KEY (id);
+ UniqueOauth2ProviderAppsNameKey UniqueConstraint = "oauth2_provider_apps_name_key" // ALTER TABLE ONLY oauth2_provider_apps ADD CONSTRAINT oauth2_provider_apps_name_key UNIQUE (name);
+ UniqueOauth2ProviderAppsPkey UniqueConstraint = "oauth2_provider_apps_pkey" // ALTER TABLE ONLY oauth2_provider_apps ADD CONSTRAINT oauth2_provider_apps_pkey PRIMARY KEY (id);
+ UniqueOrganizationMembersPkey UniqueConstraint = "organization_members_pkey" // ALTER TABLE ONLY organization_members ADD CONSTRAINT organization_members_pkey PRIMARY KEY (organization_id, user_id);
+ UniqueOrganizationsPkey UniqueConstraint = "organizations_pkey" // ALTER TABLE ONLY organizations ADD CONSTRAINT organizations_pkey PRIMARY KEY (id);
+ UniqueParameterSchemasJobIDNameKey UniqueConstraint = "parameter_schemas_job_id_name_key" // ALTER TABLE ONLY parameter_schemas ADD CONSTRAINT parameter_schemas_job_id_name_key UNIQUE (job_id, name);
+ UniqueParameterSchemasPkey UniqueConstraint = "parameter_schemas_pkey" // ALTER TABLE ONLY parameter_schemas ADD CONSTRAINT parameter_schemas_pkey PRIMARY KEY (id);
+ UniqueParameterValuesPkey UniqueConstraint = "parameter_values_pkey" // ALTER TABLE ONLY parameter_values ADD CONSTRAINT parameter_values_pkey PRIMARY KEY (id);
+ UniqueParameterValuesScopeIDNameKey UniqueConstraint = "parameter_values_scope_id_name_key" // ALTER TABLE ONLY parameter_values ADD CONSTRAINT parameter_values_scope_id_name_key UNIQUE (scope_id, name);
+ UniqueProvisionerDaemonsPkey UniqueConstraint = "provisioner_daemons_pkey" // ALTER TABLE ONLY provisioner_daemons ADD CONSTRAINT provisioner_daemons_pkey PRIMARY KEY (id);
+ UniqueProvisionerJobLogsPkey UniqueConstraint = "provisioner_job_logs_pkey" // ALTER TABLE ONLY provisioner_job_logs ADD CONSTRAINT provisioner_job_logs_pkey PRIMARY KEY (id);
+ UniqueProvisionerJobsPkey UniqueConstraint = "provisioner_jobs_pkey" // ALTER TABLE ONLY provisioner_jobs ADD CONSTRAINT provisioner_jobs_pkey PRIMARY KEY (id);
+ UniqueProvisionerKeysPkey UniqueConstraint = "provisioner_keys_pkey" // ALTER TABLE ONLY provisioner_keys ADD CONSTRAINT provisioner_keys_pkey PRIMARY KEY (id);
+ UniqueSiteConfigsKeyKey UniqueConstraint = "site_configs_key_key" // ALTER TABLE ONLY site_configs ADD CONSTRAINT site_configs_key_key UNIQUE (key);
+ UniqueTailnetAgentsPkey UniqueConstraint = "tailnet_agents_pkey" // ALTER TABLE ONLY tailnet_agents ADD CONSTRAINT tailnet_agents_pkey PRIMARY KEY (id, coordinator_id);
+ UniqueTailnetClientSubscriptionsPkey UniqueConstraint = "tailnet_client_subscriptions_pkey" // ALTER TABLE ONLY tailnet_client_subscriptions ADD CONSTRAINT tailnet_client_subscriptions_pkey PRIMARY KEY (client_id, coordinator_id, agent_id);
+ UniqueTailnetClientsPkey UniqueConstraint = "tailnet_clients_pkey" // ALTER TABLE ONLY tailnet_clients ADD CONSTRAINT tailnet_clients_pkey PRIMARY KEY (id, coordinator_id);
+ UniqueTailnetCoordinatorsPkey UniqueConstraint = "tailnet_coordinators_pkey" // ALTER TABLE ONLY tailnet_coordinators ADD CONSTRAINT tailnet_coordinators_pkey PRIMARY KEY (id);
+ UniqueTailnetPeersPkey UniqueConstraint = "tailnet_peers_pkey" // ALTER TABLE ONLY tailnet_peers ADD CONSTRAINT tailnet_peers_pkey PRIMARY KEY (id, coordinator_id);
+ UniqueTailnetTunnelsPkey UniqueConstraint = "tailnet_tunnels_pkey" // ALTER TABLE ONLY tailnet_tunnels ADD CONSTRAINT tailnet_tunnels_pkey PRIMARY KEY (coordinator_id, src_id, dst_id);
+ UniqueTelemetryItemsPkey UniqueConstraint = "telemetry_items_pkey" // ALTER TABLE ONLY telemetry_items ADD CONSTRAINT telemetry_items_pkey PRIMARY KEY (key);
+ UniqueTemplateUsageStatsPkey UniqueConstraint = "template_usage_stats_pkey" // ALTER TABLE ONLY template_usage_stats ADD CONSTRAINT template_usage_stats_pkey PRIMARY KEY (start_time, template_id, user_id);
+ UniqueTemplateVersionParametersTemplateVersionIDNameKey UniqueConstraint = "template_version_parameters_template_version_id_name_key" // ALTER TABLE ONLY template_version_parameters ADD CONSTRAINT template_version_parameters_template_version_id_name_key UNIQUE (template_version_id, name);
+ UniqueTemplateVersionPresetParametersPkey UniqueConstraint = "template_version_preset_parameters_pkey" // ALTER TABLE ONLY template_version_preset_parameters ADD CONSTRAINT template_version_preset_parameters_pkey PRIMARY KEY (id);
+ UniqueTemplateVersionPresetsPkey UniqueConstraint = "template_version_presets_pkey" // ALTER TABLE ONLY template_version_presets ADD CONSTRAINT template_version_presets_pkey PRIMARY KEY (id);
+ UniqueTemplateVersionVariablesTemplateVersionIDNameKey UniqueConstraint = "template_version_variables_template_version_id_name_key" // ALTER TABLE ONLY template_version_variables ADD CONSTRAINT template_version_variables_template_version_id_name_key UNIQUE (template_version_id, name);
+ UniqueTemplateVersionWorkspaceTagsTemplateVersionIDKeyKey UniqueConstraint = "template_version_workspace_tags_template_version_id_key_key" // ALTER TABLE ONLY template_version_workspace_tags ADD CONSTRAINT template_version_workspace_tags_template_version_id_key_key UNIQUE (template_version_id, key);
+ UniqueTemplateVersionsPkey UniqueConstraint = "template_versions_pkey" // ALTER TABLE ONLY template_versions ADD CONSTRAINT template_versions_pkey PRIMARY KEY (id);
+ UniqueTemplateVersionsTemplateIDNameKey UniqueConstraint = "template_versions_template_id_name_key" // ALTER TABLE ONLY template_versions ADD CONSTRAINT template_versions_template_id_name_key UNIQUE (template_id, name);
+ UniqueTemplatesPkey UniqueConstraint = "templates_pkey" // ALTER TABLE ONLY templates ADD CONSTRAINT templates_pkey PRIMARY KEY (id);
+ UniqueUserConfigsPkey UniqueConstraint = "user_configs_pkey" // ALTER TABLE ONLY user_configs ADD CONSTRAINT user_configs_pkey PRIMARY KEY (user_id, key);
+ UniqueUserDeletedPkey UniqueConstraint = "user_deleted_pkey" // ALTER TABLE ONLY user_deleted ADD CONSTRAINT user_deleted_pkey PRIMARY KEY (id);
+ UniqueUserLinksPkey UniqueConstraint = "user_links_pkey" // ALTER TABLE ONLY user_links ADD CONSTRAINT user_links_pkey PRIMARY KEY (user_id, login_type);
+ UniqueUserStatusChangesPkey UniqueConstraint = "user_status_changes_pkey" // ALTER TABLE ONLY user_status_changes ADD CONSTRAINT user_status_changes_pkey PRIMARY KEY (id);
+ UniqueUsersPkey UniqueConstraint = "users_pkey" // ALTER TABLE ONLY users ADD CONSTRAINT users_pkey PRIMARY KEY (id);
+ UniqueWorkspaceAgentLogSourcesPkey UniqueConstraint = "workspace_agent_log_sources_pkey" // ALTER TABLE ONLY workspace_agent_log_sources ADD CONSTRAINT workspace_agent_log_sources_pkey PRIMARY KEY (workspace_agent_id, id);
+ UniqueWorkspaceAgentMemoryResourceMonitorsPkey UniqueConstraint = "workspace_agent_memory_resource_monitors_pkey" // ALTER TABLE ONLY workspace_agent_memory_resource_monitors ADD CONSTRAINT workspace_agent_memory_resource_monitors_pkey PRIMARY KEY (agent_id);
+ UniqueWorkspaceAgentMetadataPkey UniqueConstraint = "workspace_agent_metadata_pkey" // ALTER TABLE ONLY workspace_agent_metadata ADD CONSTRAINT workspace_agent_metadata_pkey PRIMARY KEY (workspace_agent_id, key);
+ UniqueWorkspaceAgentPortSharePkey UniqueConstraint = "workspace_agent_port_share_pkey" // ALTER TABLE ONLY workspace_agent_port_share ADD CONSTRAINT workspace_agent_port_share_pkey PRIMARY KEY (workspace_id, agent_name, port);
+ UniqueWorkspaceAgentScriptTimingsScriptIDStartedAtKey UniqueConstraint = "workspace_agent_script_timings_script_id_started_at_key" // ALTER TABLE ONLY workspace_agent_script_timings ADD CONSTRAINT workspace_agent_script_timings_script_id_started_at_key UNIQUE (script_id, started_at);
+ UniqueWorkspaceAgentScriptsIDKey UniqueConstraint = "workspace_agent_scripts_id_key" // ALTER TABLE ONLY workspace_agent_scripts ADD CONSTRAINT workspace_agent_scripts_id_key UNIQUE (id);
+ UniqueWorkspaceAgentStartupLogsPkey UniqueConstraint = "workspace_agent_startup_logs_pkey" // ALTER TABLE ONLY workspace_agent_logs ADD CONSTRAINT workspace_agent_startup_logs_pkey PRIMARY KEY (id);
+ UniqueWorkspaceAgentVolumeResourceMonitorsPkey UniqueConstraint = "workspace_agent_volume_resource_monitors_pkey" // ALTER TABLE ONLY workspace_agent_volume_resource_monitors ADD CONSTRAINT workspace_agent_volume_resource_monitors_pkey PRIMARY KEY (agent_id, path);
+ UniqueWorkspaceAgentsPkey UniqueConstraint = "workspace_agents_pkey" // ALTER TABLE ONLY workspace_agents ADD CONSTRAINT workspace_agents_pkey PRIMARY KEY (id);
+ UniqueWorkspaceAppAuditSessionsAgentIDAppIDUserIDIpUseKey UniqueConstraint = "workspace_app_audit_sessions_agent_id_app_id_user_id_ip_use_key" // ALTER TABLE ONLY workspace_app_audit_sessions ADD CONSTRAINT workspace_app_audit_sessions_agent_id_app_id_user_id_ip_use_key UNIQUE (agent_id, app_id, user_id, ip, user_agent, slug_or_port, status_code);
+ UniqueWorkspaceAppStatsPkey UniqueConstraint = "workspace_app_stats_pkey" // ALTER TABLE ONLY workspace_app_stats ADD CONSTRAINT workspace_app_stats_pkey PRIMARY KEY (id);
+ UniqueWorkspaceAppStatsUserIDAgentIDSessionIDKey UniqueConstraint = "workspace_app_stats_user_id_agent_id_session_id_key" // ALTER TABLE ONLY workspace_app_stats ADD CONSTRAINT workspace_app_stats_user_id_agent_id_session_id_key UNIQUE (user_id, agent_id, session_id);
+ UniqueWorkspaceAppsAgentIDSlugIndex UniqueConstraint = "workspace_apps_agent_id_slug_idx" // ALTER TABLE ONLY workspace_apps ADD CONSTRAINT workspace_apps_agent_id_slug_idx UNIQUE (agent_id, slug);
+ UniqueWorkspaceAppsPkey UniqueConstraint = "workspace_apps_pkey" // ALTER TABLE ONLY workspace_apps ADD CONSTRAINT workspace_apps_pkey PRIMARY KEY (id);
+ UniqueWorkspaceBuildParametersWorkspaceBuildIDNameKey UniqueConstraint = "workspace_build_parameters_workspace_build_id_name_key" // ALTER TABLE ONLY workspace_build_parameters ADD CONSTRAINT workspace_build_parameters_workspace_build_id_name_key UNIQUE (workspace_build_id, name);
+ UniqueWorkspaceBuildsJobIDKey UniqueConstraint = "workspace_builds_job_id_key" // ALTER TABLE ONLY workspace_builds ADD CONSTRAINT workspace_builds_job_id_key UNIQUE (job_id);
+ UniqueWorkspaceBuildsPkey UniqueConstraint = "workspace_builds_pkey" // ALTER TABLE ONLY workspace_builds ADD CONSTRAINT workspace_builds_pkey PRIMARY KEY (id);
+ UniqueWorkspaceBuildsWorkspaceIDBuildNumberKey UniqueConstraint = "workspace_builds_workspace_id_build_number_key" // ALTER TABLE ONLY workspace_builds ADD CONSTRAINT workspace_builds_workspace_id_build_number_key UNIQUE (workspace_id, build_number);
+ UniqueWorkspaceProxiesPkey UniqueConstraint = "workspace_proxies_pkey" // ALTER TABLE ONLY workspace_proxies ADD CONSTRAINT workspace_proxies_pkey PRIMARY KEY (id);
+ UniqueWorkspaceProxiesRegionIDUnique UniqueConstraint = "workspace_proxies_region_id_unique" // ALTER TABLE ONLY workspace_proxies ADD CONSTRAINT workspace_proxies_region_id_unique UNIQUE (region_id);
+ UniqueWorkspaceResourceMetadataName UniqueConstraint = "workspace_resource_metadata_name" // ALTER TABLE ONLY workspace_resource_metadata ADD CONSTRAINT workspace_resource_metadata_name UNIQUE (workspace_resource_id, key);
+ UniqueWorkspaceResourceMetadataPkey UniqueConstraint = "workspace_resource_metadata_pkey" // ALTER TABLE ONLY workspace_resource_metadata ADD CONSTRAINT workspace_resource_metadata_pkey PRIMARY KEY (id);
+ UniqueWorkspaceResourcesPkey UniqueConstraint = "workspace_resources_pkey" // ALTER TABLE ONLY workspace_resources ADD CONSTRAINT workspace_resources_pkey PRIMARY KEY (id);
+ UniqueWorkspacesPkey UniqueConstraint = "workspaces_pkey" // ALTER TABLE ONLY workspaces ADD CONSTRAINT workspaces_pkey PRIMARY KEY (id);
+ UniqueIndexAPIKeyName UniqueConstraint = "idx_api_key_name" // CREATE UNIQUE INDEX idx_api_key_name ON api_keys USING btree (user_id, token_name) WHERE (login_type = 'token'::login_type);
+ UniqueIndexCustomRolesNameLower UniqueConstraint = "idx_custom_roles_name_lower" // CREATE UNIQUE INDEX idx_custom_roles_name_lower ON custom_roles USING btree (lower(name));
+ UniqueIndexOrganizationNameLower UniqueConstraint = "idx_organization_name_lower" // CREATE UNIQUE INDEX idx_organization_name_lower ON organizations USING btree (lower(name)) WHERE (deleted = false);
+ UniqueIndexProvisionerDaemonsOrgNameOwnerKey UniqueConstraint = "idx_provisioner_daemons_org_name_owner_key" // CREATE UNIQUE INDEX idx_provisioner_daemons_org_name_owner_key ON provisioner_daemons USING btree (organization_id, name, lower(COALESCE((tags ->> 'owner'::text), ''::text)));
+ UniqueIndexUsersEmail UniqueConstraint = "idx_users_email" // CREATE UNIQUE INDEX idx_users_email ON users USING btree (email) WHERE (deleted = false);
+ UniqueIndexUsersUsername UniqueConstraint = "idx_users_username" // CREATE UNIQUE INDEX idx_users_username ON users USING btree (username) WHERE (deleted = false);
+ UniqueNotificationMessagesDedupeHashIndex UniqueConstraint = "notification_messages_dedupe_hash_idx" // CREATE UNIQUE INDEX notification_messages_dedupe_hash_idx ON notification_messages USING btree (dedupe_hash);
+ UniqueOrganizationsSingleDefaultOrg UniqueConstraint = "organizations_single_default_org" // CREATE UNIQUE INDEX organizations_single_default_org ON organizations USING btree (is_default) WHERE (is_default = true);
+ UniqueProvisionerKeysOrganizationIDNameIndex UniqueConstraint = "provisioner_keys_organization_id_name_idx" // CREATE UNIQUE INDEX provisioner_keys_organization_id_name_idx ON provisioner_keys USING btree (organization_id, lower((name)::text));
+ UniqueTemplateUsageStatsStartTimeTemplateIDUserIDIndex UniqueConstraint = "template_usage_stats_start_time_template_id_user_id_idx" // CREATE UNIQUE INDEX template_usage_stats_start_time_template_id_user_id_idx ON template_usage_stats USING btree (start_time, template_id, user_id);
+ UniqueTemplatesOrganizationIDNameIndex UniqueConstraint = "templates_organization_id_name_idx" // CREATE UNIQUE INDEX templates_organization_id_name_idx ON templates USING btree (organization_id, lower((name)::text)) WHERE (deleted = false);
+ UniqueUserLinksLinkedIDLoginTypeIndex UniqueConstraint = "user_links_linked_id_login_type_idx" // CREATE UNIQUE INDEX user_links_linked_id_login_type_idx ON user_links USING btree (linked_id, login_type) WHERE (linked_id <> ''::text);
+ UniqueUsersEmailLowerIndex UniqueConstraint = "users_email_lower_idx" // CREATE UNIQUE INDEX users_email_lower_idx ON users USING btree (lower(email)) WHERE (deleted = false);
+ UniqueUsersUsernameLowerIndex UniqueConstraint = "users_username_lower_idx" // CREATE UNIQUE INDEX users_username_lower_idx ON users USING btree (lower(username)) WHERE (deleted = false);
+ UniqueWorkspaceAppAuditSessionsUniqueIndex UniqueConstraint = "workspace_app_audit_sessions_unique_index" // CREATE UNIQUE INDEX workspace_app_audit_sessions_unique_index ON workspace_app_audit_sessions USING btree (agent_id, app_id, user_id, ip, user_agent, slug_or_port, status_code);
+ UniqueWorkspaceProxiesLowerNameIndex UniqueConstraint = "workspace_proxies_lower_name_idx" // CREATE UNIQUE INDEX workspace_proxies_lower_name_idx ON workspace_proxies USING btree (lower(name)) WHERE (deleted = false);
+ UniqueWorkspacesOwnerIDLowerIndex UniqueConstraint = "workspaces_owner_id_lower_idx" // CREATE UNIQUE INDEX workspaces_owner_id_lower_idx ON workspaces USING btree (owner_id, lower((name)::text)) WHERE (deleted = false);
)
diff --git a/coderd/tracing/status_writer_test.go b/coderd/tracing/status_writer_test.go
index ba19cd29a915c..6aff7b915ce46 100644
--- a/coderd/tracing/status_writer_test.go
+++ b/coderd/tracing/status_writer_test.go
@@ -116,6 +116,22 @@ func TestStatusWriter(t *testing.T) {
require.Error(t, err)
require.Equal(t, "hijacked", err.Error())
})
+
+ t.Run("Middleware", func(t *testing.T) {
+ t.Parallel()
+
+ var (
+ sw *tracing.StatusWriter
+ rr = httptest.NewRecorder()
+ )
+ tracing.StatusWriterMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ sw = w.(*tracing.StatusWriter)
+ w.WriteHeader(http.StatusNoContent)
+ })).ServeHTTP(rr, httptest.NewRequest("GET", "/", nil))
+
+ require.Equal(t, http.StatusNoContent, rr.Code, "rr status code not set")
+ require.Equal(t, http.StatusNoContent, sw.Status, "sw status code not set")
+ })
}
type hijacker struct {
diff --git a/coderd/workspaceapps/db.go b/coderd/workspaceapps/db.go
index 602983959948d..b26bf4b42a32c 100644
--- a/coderd/workspaceapps/db.go
+++ b/coderd/workspaceapps/db.go
@@ -3,27 +3,32 @@ package workspaceapps
import (
"context"
"database/sql"
+ "encoding/json"
"fmt"
"net/http"
"net/url"
"path"
"slices"
"strings"
+ "sync/atomic"
"time"
- "golang.org/x/xerrors"
-
"github.com/go-jose/go-jose/v4/jwt"
+ "github.com/google/uuid"
+ "golang.org/x/xerrors"
"cdr.dev/slog"
+ "github.com/coder/coder/v2/coderd/audit"
"github.com/coder/coder/v2/coderd/cryptokeys"
"github.com/coder/coder/v2/coderd/database"
"github.com/coder/coder/v2/coderd/database/dbauthz"
+ "github.com/coder/coder/v2/coderd/database/dbtime"
"github.com/coder/coder/v2/coderd/httpapi"
"github.com/coder/coder/v2/coderd/httpmw"
"github.com/coder/coder/v2/coderd/jwtutils"
"github.com/coder/coder/v2/coderd/rbac"
"github.com/coder/coder/v2/coderd/rbac/policy"
+ "github.com/coder/coder/v2/coderd/tracing"
"github.com/coder/coder/v2/codersdk"
)
@@ -33,13 +38,15 @@ type DBTokenProvider struct {
Logger slog.Logger
// DashboardURL is the main dashboard access URL for error pages.
- DashboardURL *url.URL
- Authorizer rbac.Authorizer
- Database database.Store
- DeploymentValues *codersdk.DeploymentValues
- OAuth2Configs *httpmw.OAuth2Configs
- WorkspaceAgentInactiveTimeout time.Duration
- Keycache cryptokeys.SigningKeycache
+ DashboardURL *url.URL
+ Authorizer rbac.Authorizer
+ Auditor *atomic.Pointer[audit.Auditor]
+ Database database.Store
+ DeploymentValues *codersdk.DeploymentValues
+ OAuth2Configs *httpmw.OAuth2Configs
+ WorkspaceAgentInactiveTimeout time.Duration
+ WorkspaceAppAuditSessionTimeout time.Duration
+ Keycache cryptokeys.SigningKeycache
}
var _ SignedTokenProvider = &DBTokenProvider{}
@@ -47,25 +54,32 @@ var _ SignedTokenProvider = &DBTokenProvider{}
func NewDBTokenProvider(log slog.Logger,
accessURL *url.URL,
authz rbac.Authorizer,
+ auditor *atomic.Pointer[audit.Auditor],
db database.Store,
cfg *codersdk.DeploymentValues,
oauth2Cfgs *httpmw.OAuth2Configs,
workspaceAgentInactiveTimeout time.Duration,
+ workspaceAppAuditSessionTimeout time.Duration,
signer cryptokeys.SigningKeycache,
) SignedTokenProvider {
if workspaceAgentInactiveTimeout == 0 {
workspaceAgentInactiveTimeout = 1 * time.Minute
}
+ if workspaceAppAuditSessionTimeout == 0 {
+ workspaceAppAuditSessionTimeout = time.Hour
+ }
return &DBTokenProvider{
- Logger: log,
- DashboardURL: accessURL,
- Authorizer: authz,
- Database: db,
- DeploymentValues: cfg,
- OAuth2Configs: oauth2Cfgs,
- WorkspaceAgentInactiveTimeout: workspaceAgentInactiveTimeout,
- Keycache: signer,
+ Logger: log,
+ DashboardURL: accessURL,
+ Authorizer: authz,
+ Auditor: auditor,
+ Database: db,
+ DeploymentValues: cfg,
+ OAuth2Configs: oauth2Cfgs,
+ WorkspaceAgentInactiveTimeout: workspaceAgentInactiveTimeout,
+ WorkspaceAppAuditSessionTimeout: workspaceAppAuditSessionTimeout,
+ Keycache: signer,
}
}
@@ -81,6 +95,9 @@ func (p *DBTokenProvider) Issue(ctx context.Context, rw http.ResponseWriter, r *
// // permissions.
dangerousSystemCtx := dbauthz.AsSystemRestricted(ctx)
+ aReq, commitAudit := p.auditInitRequest(ctx, rw, r)
+ defer commitAudit()
+
appReq := issueReq.AppRequest.Normalize()
err := appReq.Check()
if err != nil {
@@ -111,6 +128,8 @@ func (p *DBTokenProvider) Issue(ctx context.Context, rw http.ResponseWriter, r *
return nil, "", false
}
+ aReq.apiKey = apiKey // Update audit request.
+
// Lookup workspace app details from DB.
dbReq, err := appReq.getDatabase(dangerousSystemCtx, p.Database)
if xerrors.Is(err, sql.ErrNoRows) {
@@ -123,6 +142,9 @@ func (p *DBTokenProvider) Issue(ctx context.Context, rw http.ResponseWriter, r *
WriteWorkspaceApp500(p.Logger, p.DashboardURL, rw, r, &appReq, err, "get app details from database")
return nil, "", false
}
+
+ aReq.dbReq = dbReq // Update audit request.
+
token.UserID = dbReq.User.ID
token.WorkspaceID = dbReq.Workspace.ID
token.AgentID = dbReq.Agent.ID
@@ -341,3 +363,175 @@ func (p *DBTokenProvider) authorizeRequest(ctx context.Context, roles *rbac.Subj
// No checks were successful.
return false, warnings, nil
}
+
+type auditRequest struct {
+ time time.Time
+ apiKey *database.APIKey
+ dbReq *databaseRequest
+}
+
+// auditInitRequest creates a new audit session and audit log for the given
+// request, if one does not already exist. If an audit session already exists,
+// it will be updated with the current timestamp. A session is used to reduce
+// the number of audit logs created.
+//
+// A session is unique to the agent, app, user and users IP. If any of these
+// values change, a new session and audit log is created.
+func (p *DBTokenProvider) auditInitRequest(ctx context.Context, w http.ResponseWriter, r *http.Request) (aReq *auditRequest, commit func()) {
+ // Get the status writer from the request context so we can figure
+ // out the HTTP status and autocommit the audit log.
+ sw, ok := w.(*tracing.StatusWriter)
+ if !ok {
+ panic("dev error: http.ResponseWriter is not *tracing.StatusWriter")
+ }
+
+ aReq = &auditRequest{
+ time: dbtime.Now(),
+ }
+
+ // Set the commit function on the status writer to create an audit
+ // log, this ensures that the status and response body are available.
+ var committed bool
+ return aReq, func() {
+ if committed {
+ return
+ }
+ committed = true
+
+ if aReq.dbReq == nil {
+ // App doesn't exist, there's information in the Request
+ // struct but we need UUIDs for audit logging.
+ return
+ }
+
+ userID := uuid.Nil
+ if aReq.apiKey != nil {
+ userID = aReq.apiKey.UserID
+ }
+ userAgent := r.UserAgent()
+ ip := r.RemoteAddr
+
+ // Approximation of the status code.
+ statusCode := sw.Status
+ if statusCode == 0 {
+ statusCode = http.StatusOK
+ }
+
+ type additionalFields struct {
+ audit.AdditionalFields
+ SlugOrPort string `json:"slug_or_port,omitempty"`
+ }
+ appInfo := additionalFields{
+ AdditionalFields: audit.AdditionalFields{
+ WorkspaceOwner: aReq.dbReq.Workspace.OwnerUsername,
+ WorkspaceName: aReq.dbReq.Workspace.Name,
+ WorkspaceID: aReq.dbReq.Workspace.ID,
+ },
+ }
+ switch {
+ case aReq.dbReq.AccessMethod == AccessMethodTerminal:
+ appInfo.SlugOrPort = "terminal"
+ case aReq.dbReq.App.ID == uuid.Nil:
+ // If this isn't an app or a terminal, it's a port.
+ appInfo.SlugOrPort = aReq.dbReq.AppSlugOrPort
+ }
+
+ // If we end up logging, ensure relevant fields are set.
+ logger := p.Logger.With(
+ slog.F("workspace_id", aReq.dbReq.Workspace.ID),
+ slog.F("agent_id", aReq.dbReq.Agent.ID),
+ slog.F("app_id", aReq.dbReq.App.ID),
+ slog.F("user_id", userID),
+ slog.F("user_agent", userAgent),
+ slog.F("app_slug_or_port", appInfo.SlugOrPort),
+ slog.F("status_code", statusCode),
+ )
+
+ var startedAt time.Time
+ err := p.Database.InTx(func(tx database.Store) (err error) {
+ // nolint:gocritic // System context is needed to write audit sessions.
+ dangerousSystemCtx := dbauthz.AsSystemRestricted(ctx)
+
+ startedAt, err = tx.UpsertWorkspaceAppAuditSession(dangerousSystemCtx, database.UpsertWorkspaceAppAuditSessionParams{
+ // Config.
+ StaleIntervalMS: p.WorkspaceAppAuditSessionTimeout.Milliseconds(),
+
+ // Data.
+ AgentID: aReq.dbReq.Agent.ID,
+ AppID: aReq.dbReq.App.ID, // Can be unset, in which case uuid.Nil is fine.
+ UserID: userID, // Can be unset, in which case uuid.Nil is fine.
+ Ip: ip,
+ UserAgent: userAgent,
+ SlugOrPort: appInfo.SlugOrPort,
+ StatusCode: int32(statusCode),
+ StartedAt: aReq.time,
+ UpdatedAt: aReq.time,
+ })
+ if err != nil {
+ return xerrors.Errorf("insert workspace app audit session: %w", err)
+ }
+
+ return nil
+ }, nil)
+ if err != nil {
+ logger.Error(ctx, "update workspace app audit session failed", slog.Error(err))
+
+ // Avoid spamming the audit log if deduplication failed, this should
+ // only happen if there are problems communicating with the database.
+ return
+ }
+
+ if !startedAt.Equal(aReq.time) {
+ // If the unique session wasn't renewed, we don't want to log a new
+ // audit event for it.
+ return
+ }
+
+ // Marshal additional fields only if we're writing an audit log entry.
+ appInfoBytes, err := json.Marshal(appInfo)
+ if err != nil {
+ logger.Error(ctx, "marshal additional fields failed", slog.Error(err))
+ }
+
+ // We use the background audit function instead of init request
+ // here because we don't know the resource type ahead of time.
+ // This also allows us to log unauthenticated access.
+ auditor := *p.Auditor.Load()
+ requestID := httpmw.RequestID(r)
+ switch {
+ case aReq.dbReq.App.ID != uuid.Nil:
+ audit.BackgroundAudit(ctx, &audit.BackgroundAuditParams[database.WorkspaceApp]{
+ Audit: auditor,
+ Log: logger,
+
+ Action: database.AuditActionOpen,
+ OrganizationID: aReq.dbReq.Workspace.OrganizationID,
+ UserID: userID,
+ RequestID: requestID,
+ Time: aReq.time,
+ Status: statusCode,
+ IP: ip,
+ UserAgent: userAgent,
+ New: aReq.dbReq.App,
+ AdditionalFields: appInfoBytes,
+ })
+ default:
+ // Web terminal, port app, etc.
+ audit.BackgroundAudit(ctx, &audit.BackgroundAuditParams[database.WorkspaceAgent]{
+ Audit: auditor,
+ Log: logger,
+
+ Action: database.AuditActionOpen,
+ OrganizationID: aReq.dbReq.Workspace.OrganizationID,
+ UserID: userID,
+ RequestID: requestID,
+ Time: aReq.time,
+ Status: statusCode,
+ IP: ip,
+ UserAgent: userAgent,
+ New: aReq.dbReq.Agent,
+ AdditionalFields: appInfoBytes,
+ })
+ }
+ }
+}
diff --git a/coderd/workspaceapps/db_test.go b/coderd/workspaceapps/db_test.go
index bf364f1ce62b3..597d1daadfa54 100644
--- a/coderd/workspaceapps/db_test.go
+++ b/coderd/workspaceapps/db_test.go
@@ -2,6 +2,8 @@ package workspaceapps_test
import (
"context"
+ "database/sql"
+ "encoding/json"
"fmt"
"io"
"net"
@@ -10,6 +12,7 @@ import (
"net/http/httputil"
"net/url"
"strings"
+ "sync/atomic"
"testing"
"time"
@@ -19,9 +22,13 @@ import (
"github.com/stretchr/testify/require"
"github.com/coder/coder/v2/agent/agenttest"
+ "github.com/coder/coder/v2/coderd/audit"
"github.com/coder/coder/v2/coderd/coderdtest"
+ "github.com/coder/coder/v2/coderd/database"
+ "github.com/coder/coder/v2/coderd/database/dbauthz"
"github.com/coder/coder/v2/coderd/httpmw"
"github.com/coder/coder/v2/coderd/jwtutils"
+ "github.com/coder/coder/v2/coderd/tracing"
"github.com/coder/coder/v2/coderd/workspaceapps"
"github.com/coder/coder/v2/coderd/workspaceapps/appurl"
"github.com/coder/coder/v2/codersdk"
@@ -76,6 +83,13 @@ func Test_ResolveRequest(t *testing.T) {
deploymentValues.Dangerous.AllowPathAppSharing = true
deploymentValues.Dangerous.AllowPathAppSiteOwnerAccess = true
+ auditor := audit.NewMock()
+ t.Cleanup(func() {
+ if t.Failed() {
+ return
+ }
+ assert.Len(t, auditor.AuditLogs(), 0, "one or more test cases produced unexpected audit logs, did you replace the auditor or forget to call ResetLogs?")
+ })
client, closer, api := coderdtest.NewWithAPI(t, &coderdtest.Options{
AppHostname: "*.test.coder.com",
DeploymentValues: deploymentValues,
@@ -91,6 +105,7 @@ func Test_ResolveRequest(t *testing.T) {
"CF-Connecting-IP",
},
},
+ Auditor: auditor,
})
t.Cleanup(func() {
_ = closer.Close()
@@ -102,7 +117,7 @@ func Test_ResolveRequest(t *testing.T) {
me, err := client.User(ctx, codersdk.Me)
require.NoError(t, err)
- secondUserClient, _ := coderdtest.CreateAnotherUser(t, client, firstUser.OrganizationID)
+ secondUserClient, secondUser := coderdtest.CreateAnotherUser(t, client, firstUser.OrganizationID)
agentAuthToken := uuid.NewString()
version := coderdtest.CreateTemplateVersion(t, client, firstUser.OrganizationID, &echo.Responses{
@@ -210,11 +225,30 @@ func Test_ResolveRequest(t *testing.T) {
for _, agnt := range resource.Agents {
if agnt.Name == agentName {
agentID = agnt.ID
+ break
}
}
}
require.NotEqual(t, uuid.Nil, agentID)
+ //nolint:gocritic // This is a test, allow dbauthz.AsSystemRestricted.
+ agent, err := api.Database.GetWorkspaceAgentByID(dbauthz.AsSystemRestricted(ctx), agentID)
+ require.NoError(t, err)
+
+ //nolint:gocritic // This is a test, allow dbauthz.AsSystemRestricted.
+ apps, err := api.Database.GetWorkspaceAppsByAgentID(dbauthz.AsSystemRestricted(ctx), agentID)
+ require.NoError(t, err)
+ appsBySlug := make(map[string]database.WorkspaceApp, len(apps))
+ for _, app := range apps {
+ appsBySlug[app.Slug] = app
+ }
+
+ // Reset audit logs so cleanup check can pass.
+ auditor.ResetLogs()
+
+ assertAuditAgent := auditAsserter[database.WorkspaceAgent](workspace)
+ assertAuditApp := auditAsserter[database.WorkspaceApp](workspace)
+
t.Run("OK", func(t *testing.T) {
t.Parallel()
@@ -253,13 +287,19 @@ func Test_ResolveRequest(t *testing.T) {
AppSlugOrPort: app,
}).Normalize()
+ auditor := audit.NewMock()
+ auditableIP := testutil.RandomIPv6(t)
+ auditableUA := "Tidua"
+
t.Log("app", app)
rw := httptest.NewRecorder()
r := httptest.NewRequest("GET", "/app", nil)
r.Header.Set(codersdk.SessionTokenHeader, client.SessionToken())
+ r.RemoteAddr = auditableIP
+ r.Header.Set("User-Agent", auditableUA)
// Try resolving the request without a token.
- token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
+ token, ok := workspaceappsResolveRequest(t, auditor, rw, r, workspaceapps.ResolveRequestOptions{
Logger: api.Logger,
SignedTokenProvider: api.WorkspaceAppsProvider,
DashboardURL: api.AccessURL,
@@ -295,6 +335,9 @@ func Test_ResolveRequest(t *testing.T) {
require.Equal(t, codersdk.SignedAppTokenCookie, cookie.Name)
require.Equal(t, req.BasePath, cookie.Path)
+ assertAuditApp(t, rw, r, auditor, appsBySlug[app], me.ID, nil)
+ require.Len(t, auditor.AuditLogs(), 1, "audit log count")
+
var parsedToken workspaceapps.SignedToken
err := jwtutils.Verify(ctx, api.AppSigningKeyCache, cookie.Value, &parsedToken)
require.NoError(t, err)
@@ -307,8 +350,9 @@ func Test_ResolveRequest(t *testing.T) {
rw = httptest.NewRecorder()
r = httptest.NewRequest("GET", "/app", nil)
r.AddCookie(cookie)
+ r.RemoteAddr = auditableIP
- secondToken, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
+ secondToken, ok := workspaceappsResolveRequest(t, auditor, rw, r, workspaceapps.ResolveRequestOptions{
Logger: api.Logger,
SignedTokenProvider: api.WorkspaceAppsProvider,
DashboardURL: api.AccessURL,
@@ -321,6 +365,7 @@ func Test_ResolveRequest(t *testing.T) {
require.WithinDuration(t, token.Expiry.Time(), secondToken.Expiry.Time(), 2*time.Second)
secondToken.Expiry = token.Expiry
require.Equal(t, token, secondToken)
+ require.Len(t, auditor.AuditLogs(), 1, "no new audit log, FromRequest returned the same token and is not audited")
}
})
}
@@ -339,12 +384,16 @@ func Test_ResolveRequest(t *testing.T) {
AppSlugOrPort: app,
}).Normalize()
+ auditor := audit.NewMock()
+ auditableIP := testutil.RandomIPv6(t)
+
t.Log("app", app)
rw := httptest.NewRecorder()
r := httptest.NewRequest("GET", "/app", nil)
r.Header.Set(codersdk.SessionTokenHeader, secondUserClient.SessionToken())
+ r.RemoteAddr = auditableIP
- token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
+ token, ok := workspaceappsResolveRequest(t, auditor, rw, r, workspaceapps.ResolveRequestOptions{
Logger: api.Logger,
SignedTokenProvider: api.WorkspaceAppsProvider,
DashboardURL: api.AccessURL,
@@ -364,6 +413,9 @@ func Test_ResolveRequest(t *testing.T) {
require.True(t, ok)
require.NotNil(t, token)
require.Zero(t, w.StatusCode)
+
+ assertAuditApp(t, rw, r, auditor, appsBySlug[app], secondUser.ID, nil)
+ require.Len(t, auditor.AuditLogs(), 1, "single audit log")
}
})
@@ -380,10 +432,14 @@ func Test_ResolveRequest(t *testing.T) {
AppSlugOrPort: app,
}).Normalize()
+ auditor := audit.NewMock()
+ auditableIP := testutil.RandomIPv6(t)
+
t.Log("app", app)
rw := httptest.NewRecorder()
r := httptest.NewRequest("GET", "/app", nil)
- token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
+ r.RemoteAddr = auditableIP
+ token, ok := workspaceappsResolveRequest(t, auditor, rw, r, workspaceapps.ResolveRequestOptions{
Logger: api.Logger,
SignedTokenProvider: api.WorkspaceAppsProvider,
DashboardURL: api.AccessURL,
@@ -397,6 +453,9 @@ func Test_ResolveRequest(t *testing.T) {
require.Nil(t, token)
require.NotZero(t, rw.Code)
require.NotEqual(t, http.StatusOK, rw.Code)
+
+ assertAuditApp(t, rw, r, auditor, appsBySlug[app], uuid.Nil, nil)
+ require.Len(t, auditor.AuditLogs(), 1, "audit log for unauthenticated requests")
} else {
if !assert.True(t, ok) {
dump, err := httputil.DumpResponse(w, true)
@@ -408,6 +467,9 @@ func Test_ResolveRequest(t *testing.T) {
if rw.Code != 0 && rw.Code != http.StatusOK {
t.Fatalf("expected 200 (or unset) response code, got %d", rw.Code)
}
+
+ assertAuditApp(t, rw, r, auditor, appsBySlug[app], uuid.Nil, nil)
+ require.Len(t, auditor.AuditLogs(), 1, "single audit log")
}
_ = w.Body.Close()
}
@@ -419,9 +481,12 @@ func Test_ResolveRequest(t *testing.T) {
req := (workspaceapps.Request{
AccessMethod: "invalid",
}).Normalize()
+ auditor := audit.NewMock()
+ auditableIP := testutil.RandomIPv6(t)
rw := httptest.NewRecorder()
r := httptest.NewRequest("GET", "/app", nil)
- token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
+ r.RemoteAddr = auditableIP
+ token, ok := workspaceappsResolveRequest(t, auditor, rw, r, workspaceapps.ResolveRequestOptions{
Logger: api.Logger,
SignedTokenProvider: api.WorkspaceAppsProvider,
DashboardURL: api.AccessURL,
@@ -431,6 +496,7 @@ func Test_ResolveRequest(t *testing.T) {
})
require.False(t, ok)
require.Nil(t, token)
+ require.Len(t, auditor.AuditLogs(), 0, "no audit logs for invalid requests")
})
t.Run("SplitWorkspaceAndAgent", func(t *testing.T) {
@@ -498,11 +564,15 @@ func Test_ResolveRequest(t *testing.T) {
AppSlugOrPort: appNamePublic,
}).Normalize()
+ auditor := audit.NewMock()
+ auditableIP := testutil.RandomIPv6(t)
+
rw := httptest.NewRecorder()
r := httptest.NewRequest("GET", "/app", nil)
r.Header.Set(codersdk.SessionTokenHeader, client.SessionToken())
+ r.RemoteAddr = auditableIP
- token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
+ token, ok := workspaceappsResolveRequest(t, auditor, rw, r, workspaceapps.ResolveRequestOptions{
Logger: api.Logger,
SignedTokenProvider: api.WorkspaceAppsProvider,
DashboardURL: api.AccessURL,
@@ -523,8 +593,11 @@ func Test_ResolveRequest(t *testing.T) {
require.Equal(t, token.AgentNameOrID, c.agent)
require.Equal(t, token.WorkspaceID, workspace.ID)
require.Equal(t, token.AgentID, agentID)
+ assertAuditApp(t, rw, r, auditor, appsBySlug[token.AppSlugOrPort], me.ID, nil)
+ require.Len(t, auditor.AuditLogs(), 1, "single audit log")
} else {
require.Nil(t, token)
+ require.Len(t, auditor.AuditLogs(), 0, "no audit logs")
}
_ = w.Body.Close()
})
@@ -566,6 +639,9 @@ func Test_ResolveRequest(t *testing.T) {
AppSlugOrPort: appNameOwner,
}).Normalize()
+ auditor := audit.NewMock()
+ auditableIP := testutil.RandomIPv6(t)
+
rw := httptest.NewRecorder()
r := httptest.NewRequest("GET", "/app", nil)
r.Header.Set(codersdk.SessionTokenHeader, client.SessionToken())
@@ -573,10 +649,11 @@ func Test_ResolveRequest(t *testing.T) {
Name: codersdk.SignedAppTokenCookie,
Value: badTokenStr,
})
+ r.RemoteAddr = auditableIP
// Even though the token is invalid, we should still perform request
// resolution without failure since we'll just ignore the bad token.
- token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
+ token, ok := workspaceappsResolveRequest(t, auditor, rw, r, workspaceapps.ResolveRequestOptions{
Logger: api.Logger,
SignedTokenProvider: api.WorkspaceAppsProvider,
DashboardURL: api.AccessURL,
@@ -600,6 +677,9 @@ func Test_ResolveRequest(t *testing.T) {
err = jwtutils.Verify(ctx, api.AppSigningKeyCache, cookies[0].Value, &parsedToken)
require.NoError(t, err)
require.Equal(t, appNameOwner, parsedToken.AppSlugOrPort)
+
+ assertAuditApp(t, rw, r, auditor, appsBySlug[appNameOwner], me.ID, nil)
+ require.Len(t, auditor.AuditLogs(), 1, "single audit log")
})
t.Run("PortPathBlocked", func(t *testing.T) {
@@ -614,11 +694,15 @@ func Test_ResolveRequest(t *testing.T) {
AppSlugOrPort: "8080",
}).Normalize()
+ auditor := audit.NewMock()
+ auditableIP := testutil.RandomIPv6(t)
+
rw := httptest.NewRecorder()
r := httptest.NewRequest("GET", "/app", nil)
r.Header.Set(codersdk.SessionTokenHeader, client.SessionToken())
+ r.RemoteAddr = auditableIP
- token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
+ token, ok := workspaceappsResolveRequest(t, auditor, rw, r, workspaceapps.ResolveRequestOptions{
Logger: api.Logger,
SignedTokenProvider: api.WorkspaceAppsProvider,
DashboardURL: api.AccessURL,
@@ -628,6 +712,12 @@ func Test_ResolveRequest(t *testing.T) {
})
require.False(t, ok)
require.Nil(t, token)
+
+ w := rw.Result()
+ _ = w.Body.Close()
+ // TODO(mafredri): Verify this is the correct status code.
+ require.Equal(t, http.StatusInternalServerError, w.StatusCode)
+ require.Len(t, auditor.AuditLogs(), 0, "no audit logs for port path blocked requests")
})
t.Run("PortSubdomain", func(t *testing.T) {
@@ -642,11 +732,15 @@ func Test_ResolveRequest(t *testing.T) {
AppSlugOrPort: "9090",
}).Normalize()
+ auditor := audit.NewMock()
+ auditableIP := testutil.RandomIPv6(t)
+
rw := httptest.NewRecorder()
r := httptest.NewRequest("GET", "/", nil)
r.Header.Set(codersdk.SessionTokenHeader, client.SessionToken())
+ r.RemoteAddr = auditableIP
- token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
+ token, ok := workspaceappsResolveRequest(t, auditor, rw, r, workspaceapps.ResolveRequestOptions{
Logger: api.Logger,
SignedTokenProvider: api.WorkspaceAppsProvider,
DashboardURL: api.AccessURL,
@@ -657,6 +751,11 @@ func Test_ResolveRequest(t *testing.T) {
require.True(t, ok)
require.Equal(t, req.AppSlugOrPort, token.AppSlugOrPort)
require.Equal(t, "http://127.0.0.1:9090", token.AppURL)
+
+ assertAuditAgent(t, rw, r, auditor, agent, me.ID, map[string]any{
+ "slug_or_port": "9090",
+ })
+ require.Len(t, auditor.AuditLogs(), 1, "single audit log")
})
t.Run("PortSubdomainHTTPSS", func(t *testing.T) {
@@ -671,11 +770,15 @@ func Test_ResolveRequest(t *testing.T) {
AppSlugOrPort: "9090ss",
}).Normalize()
+ auditor := audit.NewMock()
+ auditableIP := testutil.RandomIPv6(t)
+
rw := httptest.NewRecorder()
r := httptest.NewRequest("GET", "/", nil)
r.Header.Set(codersdk.SessionTokenHeader, client.SessionToken())
+ r.RemoteAddr = auditableIP
- _, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
+ _, ok := workspaceappsResolveRequest(t, auditor, rw, r, workspaceapps.ResolveRequestOptions{
Logger: api.Logger,
SignedTokenProvider: api.WorkspaceAppsProvider,
DashboardURL: api.AccessURL,
@@ -690,6 +793,8 @@ func Test_ResolveRequest(t *testing.T) {
b, err := io.ReadAll(w.Body)
require.NoError(t, err)
require.Contains(t, string(b), "404 - Application Not Found")
+ require.Equal(t, http.StatusNotFound, w.StatusCode)
+ require.Len(t, auditor.AuditLogs(), 0, "no audit logs for invalid requests")
})
t.Run("SubdomainEndsInS", func(t *testing.T) {
@@ -704,11 +809,15 @@ func Test_ResolveRequest(t *testing.T) {
AppSlugOrPort: appNameEndsInS,
}).Normalize()
+ auditor := audit.NewMock()
+ auditableIP := testutil.RandomIPv6(t)
+
rw := httptest.NewRecorder()
r := httptest.NewRequest("GET", "/", nil)
r.Header.Set(codersdk.SessionTokenHeader, client.SessionToken())
+ r.RemoteAddr = auditableIP
- token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
+ token, ok := workspaceappsResolveRequest(t, auditor, rw, r, workspaceapps.ResolveRequestOptions{
Logger: api.Logger,
SignedTokenProvider: api.WorkspaceAppsProvider,
DashboardURL: api.AccessURL,
@@ -718,6 +827,8 @@ func Test_ResolveRequest(t *testing.T) {
})
require.True(t, ok)
require.Equal(t, req.AppSlugOrPort, token.AppSlugOrPort)
+ assertAuditApp(t, rw, r, auditor, appsBySlug[appNameEndsInS], me.ID, nil)
+ require.Len(t, auditor.AuditLogs(), 1, "single audit log")
})
t.Run("Terminal", func(t *testing.T) {
@@ -729,11 +840,15 @@ func Test_ResolveRequest(t *testing.T) {
AgentNameOrID: agentID.String(),
}).Normalize()
+ auditor := audit.NewMock()
+ auditableIP := testutil.RandomIPv6(t)
+
rw := httptest.NewRecorder()
r := httptest.NewRequest("GET", "/app", nil)
r.Header.Set(codersdk.SessionTokenHeader, client.SessionToken())
+ r.RemoteAddr = auditableIP
- token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
+ token, ok := workspaceappsResolveRequest(t, auditor, rw, r, workspaceapps.ResolveRequestOptions{
Logger: api.Logger,
SignedTokenProvider: api.WorkspaceAppsProvider,
DashboardURL: api.AccessURL,
@@ -749,6 +864,10 @@ func Test_ResolveRequest(t *testing.T) {
require.Equal(t, req.AgentNameOrID, token.Request.AgentNameOrID)
require.Empty(t, token.AppSlugOrPort)
require.Empty(t, token.AppURL)
+ assertAuditAgent(t, rw, r, auditor, agent, me.ID, map[string]any{
+ "slug_or_port": "terminal",
+ })
+ require.Len(t, auditor.AuditLogs(), 1, "single audit log")
})
t.Run("InsufficientPermissions", func(t *testing.T) {
@@ -763,11 +882,15 @@ func Test_ResolveRequest(t *testing.T) {
AppSlugOrPort: appNameOwner,
}).Normalize()
+ auditor := audit.NewMock()
+ auditableIP := testutil.RandomIPv6(t)
+
rw := httptest.NewRecorder()
r := httptest.NewRequest("GET", "/app", nil)
r.Header.Set(codersdk.SessionTokenHeader, secondUserClient.SessionToken())
+ r.RemoteAddr = auditableIP
- token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
+ token, ok := workspaceappsResolveRequest(t, auditor, rw, r, workspaceapps.ResolveRequestOptions{
Logger: api.Logger,
SignedTokenProvider: api.WorkspaceAppsProvider,
DashboardURL: api.AccessURL,
@@ -777,6 +900,8 @@ func Test_ResolveRequest(t *testing.T) {
})
require.False(t, ok)
require.Nil(t, token)
+ assertAuditApp(t, rw, r, auditor, appsBySlug[appNameOwner], secondUser.ID, nil)
+ require.Len(t, auditor.AuditLogs(), 1, "single audit log")
})
t.Run("UserNotFound", func(t *testing.T) {
@@ -790,11 +915,15 @@ func Test_ResolveRequest(t *testing.T) {
AppSlugOrPort: appNameOwner,
}).Normalize()
+ auditor := audit.NewMock()
+ auditableIP := testutil.RandomIPv6(t)
+
rw := httptest.NewRecorder()
r := httptest.NewRequest("GET", "/app", nil)
r.Header.Set(codersdk.SessionTokenHeader, client.SessionToken())
+ r.RemoteAddr = auditableIP
- token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
+ token, ok := workspaceappsResolveRequest(t, auditor, rw, r, workspaceapps.ResolveRequestOptions{
Logger: api.Logger,
SignedTokenProvider: api.WorkspaceAppsProvider,
DashboardURL: api.AccessURL,
@@ -804,6 +933,7 @@ func Test_ResolveRequest(t *testing.T) {
})
require.False(t, ok)
require.Nil(t, token)
+ require.Len(t, auditor.AuditLogs(), 0, "no audit logs for user not found")
})
t.Run("RedirectSubdomainAuth", func(t *testing.T) {
@@ -818,12 +948,16 @@ func Test_ResolveRequest(t *testing.T) {
AppSlugOrPort: appNameOwner,
}).Normalize()
+ auditor := audit.NewMock()
+ auditableIP := testutil.RandomIPv6(t)
+
rw := httptest.NewRecorder()
r := httptest.NewRequest("GET", "/some-path", nil)
// Should not be used as the hostname in the redirect URI.
r.Host = "app.com"
+ r.RemoteAddr = auditableIP
- token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
+ token, ok := workspaceappsResolveRequest(t, auditor, rw, r, workspaceapps.ResolveRequestOptions{
Logger: api.Logger,
SignedTokenProvider: api.WorkspaceAppsProvider,
DashboardURL: api.AccessURL,
@@ -838,6 +972,10 @@ func Test_ResolveRequest(t *testing.T) {
w := rw.Result()
defer w.Body.Close()
require.Equal(t, http.StatusSeeOther, w.StatusCode)
+ // Note that we don't capture the owner UUID here because the apiKey
+ // check/authorization exits early.
+ assertAuditApp(t, rw, r, auditor, appsBySlug[appNameOwner], uuid.Nil, nil)
+ require.Len(t, auditor.AuditLogs(), 1, "autit log entry for redirect")
loc, err := w.Location()
require.NoError(t, err)
@@ -876,11 +1014,15 @@ func Test_ResolveRequest(t *testing.T) {
AppSlugOrPort: appNameAgentUnhealthy,
}).Normalize()
+ auditor := audit.NewMock()
+ auditableIP := testutil.RandomIPv6(t)
+
rw := httptest.NewRecorder()
r := httptest.NewRequest("GET", "/app", nil)
r.Header.Set(codersdk.SessionTokenHeader, client.SessionToken())
+ r.RemoteAddr = auditableIP
- token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
+ token, ok := workspaceappsResolveRequest(t, auditor, rw, r, workspaceapps.ResolveRequestOptions{
Logger: api.Logger,
SignedTokenProvider: api.WorkspaceAppsProvider,
DashboardURL: api.AccessURL,
@@ -894,6 +1036,8 @@ func Test_ResolveRequest(t *testing.T) {
w := rw.Result()
defer w.Body.Close()
require.Equal(t, http.StatusBadGateway, w.StatusCode)
+ assertAuditApp(t, rw, r, auditor, appsBySlug[appNameAgentUnhealthy], me.ID, nil)
+ require.Len(t, auditor.AuditLogs(), 1, "single audit log")
body, err := io.ReadAll(w.Body)
require.NoError(t, err)
@@ -933,11 +1077,15 @@ func Test_ResolveRequest(t *testing.T) {
AppSlugOrPort: appNameInitializing,
}).Normalize()
+ auditor := audit.NewMock()
+ auditableIP := testutil.RandomIPv6(t)
+
rw := httptest.NewRecorder()
r := httptest.NewRequest("GET", "/app", nil)
r.Header.Set(codersdk.SessionTokenHeader, client.SessionToken())
+ r.RemoteAddr = auditableIP
- token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
+ token, ok := workspaceappsResolveRequest(t, auditor, rw, r, workspaceapps.ResolveRequestOptions{
Logger: api.Logger,
SignedTokenProvider: api.WorkspaceAppsProvider,
DashboardURL: api.AccessURL,
@@ -947,6 +1095,8 @@ func Test_ResolveRequest(t *testing.T) {
})
require.True(t, ok, "ResolveRequest failed, should pass even though app is initializing")
require.NotNil(t, token)
+ assertAuditApp(t, rw, r, auditor, appsBySlug[token.AppSlugOrPort], me.ID, nil)
+ require.Len(t, auditor.AuditLogs(), 1, "single audit log")
})
// Unhealthy apps are now permitted to connect anyways. This wasn't always
@@ -985,11 +1135,15 @@ func Test_ResolveRequest(t *testing.T) {
AppSlugOrPort: appNameUnhealthy,
}).Normalize()
+ auditor := audit.NewMock()
+ auditableIP := testutil.RandomIPv6(t)
+
rw := httptest.NewRecorder()
r := httptest.NewRequest("GET", "/app", nil)
r.Header.Set(codersdk.SessionTokenHeader, client.SessionToken())
+ r.RemoteAddr = auditableIP
- token, ok := workspaceapps.ResolveRequest(rw, r, workspaceapps.ResolveRequestOptions{
+ token, ok := workspaceappsResolveRequest(t, auditor, rw, r, workspaceapps.ResolveRequestOptions{
Logger: api.Logger,
SignedTokenProvider: api.WorkspaceAppsProvider,
DashboardURL: api.AccessURL,
@@ -999,5 +1153,165 @@ func Test_ResolveRequest(t *testing.T) {
})
require.True(t, ok, "ResolveRequest failed, should pass even though app is unhealthy")
require.NotNil(t, token)
+ assertAuditApp(t, rw, r, auditor, appsBySlug[token.AppSlugOrPort], me.ID, nil)
+ require.Len(t, auditor.AuditLogs(), 1, "single audit log")
})
+
+ t.Run("AuditLogging", func(t *testing.T) {
+ t.Parallel()
+
+ for _, app := range allApps {
+ req := (workspaceapps.Request{
+ AccessMethod: workspaceapps.AccessMethodPath,
+ BasePath: "/app",
+ UsernameOrID: me.Username,
+ WorkspaceNameOrID: workspace.Name,
+ AgentNameOrID: agentName,
+ AppSlugOrPort: app,
+ }).Normalize()
+
+ auditor := audit.NewMock()
+ auditableIP := testutil.RandomIPv6(t)
+
+ t.Log("app", app)
+
+ // First request, new audit log.
+ rw := httptest.NewRecorder()
+ r := httptest.NewRequest("GET", "/app", nil)
+ r.Header.Set(codersdk.SessionTokenHeader, client.SessionToken())
+ r.RemoteAddr = auditableIP
+
+ _, ok := workspaceappsResolveRequest(t, auditor, rw, r, workspaceapps.ResolveRequestOptions{
+ Logger: api.Logger,
+ SignedTokenProvider: api.WorkspaceAppsProvider,
+ DashboardURL: api.AccessURL,
+ PathAppBaseURL: api.AccessURL,
+ AppHostname: api.AppHostname,
+ AppRequest: req,
+ })
+ require.True(t, ok)
+ assertAuditApp(t, rw, r, auditor, appsBySlug[app], me.ID, nil)
+ require.Len(t, auditor.AuditLogs(), 1, "single audit log")
+
+ // Second request, no audit log because the session is active.
+ rw = httptest.NewRecorder()
+ r = httptest.NewRequest("GET", "/app", nil)
+ r.Header.Set(codersdk.SessionTokenHeader, client.SessionToken())
+ r.RemoteAddr = auditableIP
+
+ _, ok = workspaceappsResolveRequest(t, auditor, rw, r, workspaceapps.ResolveRequestOptions{
+ Logger: api.Logger,
+ SignedTokenProvider: api.WorkspaceAppsProvider,
+ DashboardURL: api.AccessURL,
+ PathAppBaseURL: api.AccessURL,
+ AppHostname: api.AppHostname,
+ AppRequest: req,
+ })
+ require.True(t, ok)
+ require.Len(t, auditor.AuditLogs(), 1, "single audit log, previous session active")
+
+ // Third request, session timed out, new audit log.
+ rw = httptest.NewRecorder()
+ r = httptest.NewRequest("GET", "/app", nil)
+ r.Header.Set(codersdk.SessionTokenHeader, client.SessionToken())
+ r.RemoteAddr = auditableIP
+
+ sessionTimeoutTokenProvider := signedTokenProviderWithAuditor(t, api.WorkspaceAppsProvider, auditor, 0)
+ _, ok = workspaceappsResolveRequest(t, nil, rw, r, workspaceapps.ResolveRequestOptions{
+ Logger: api.Logger,
+ SignedTokenProvider: sessionTimeoutTokenProvider,
+ DashboardURL: api.AccessURL,
+ PathAppBaseURL: api.AccessURL,
+ AppHostname: api.AppHostname,
+ AppRequest: req,
+ })
+ require.True(t, ok)
+ assertAuditApp(t, rw, r, auditor, appsBySlug[app], me.ID, nil)
+ require.Len(t, auditor.AuditLogs(), 2, "two audit logs, session timed out")
+
+ // Fourth request, new IP produces new audit log.
+ auditableIP = testutil.RandomIPv6(t)
+ rw = httptest.NewRecorder()
+ r = httptest.NewRequest("GET", "/app", nil)
+ r.Header.Set(codersdk.SessionTokenHeader, client.SessionToken())
+ r.RemoteAddr = auditableIP
+
+ _, ok = workspaceappsResolveRequest(t, auditor, rw, r, workspaceapps.ResolveRequestOptions{
+ Logger: api.Logger,
+ SignedTokenProvider: api.WorkspaceAppsProvider,
+ DashboardURL: api.AccessURL,
+ PathAppBaseURL: api.AccessURL,
+ AppHostname: api.AppHostname,
+ AppRequest: req,
+ })
+ require.True(t, ok)
+ assertAuditApp(t, rw, r, auditor, appsBySlug[app], me.ID, nil)
+ require.Len(t, auditor.AuditLogs(), 3, "three audit logs, new IP")
+ }
+ })
+}
+
+func workspaceappsResolveRequest(t testing.TB, auditor audit.Auditor, w http.ResponseWriter, r *http.Request, opts workspaceapps.ResolveRequestOptions) (token *workspaceapps.SignedToken, ok bool) {
+ t.Helper()
+ if opts.SignedTokenProvider != nil && auditor != nil {
+ opts.SignedTokenProvider = signedTokenProviderWithAuditor(t, opts.SignedTokenProvider, auditor, time.Hour)
+ }
+
+ tracing.StatusWriterMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ httpmw.AttachRequestID(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ token, ok = workspaceapps.ResolveRequest(w, r, opts)
+ })).ServeHTTP(w, r)
+ })).ServeHTTP(w, r)
+
+ return token, ok
+}
+
+func signedTokenProviderWithAuditor(t testing.TB, provider workspaceapps.SignedTokenProvider, auditor audit.Auditor, sessionTimeout time.Duration) workspaceapps.SignedTokenProvider {
+ t.Helper()
+ p, ok := provider.(*workspaceapps.DBTokenProvider)
+ require.True(t, ok, "provider is not a DBTokenProvider")
+
+ shallowCopy := *p
+ shallowCopy.Auditor = &atomic.Pointer[audit.Auditor]{}
+ shallowCopy.Auditor.Store(&auditor)
+ shallowCopy.WorkspaceAppAuditSessionTimeout = sessionTimeout
+ return &shallowCopy
+}
+
+func auditAsserter[T audit.Auditable](workspace codersdk.Workspace) func(t testing.TB, rr *httptest.ResponseRecorder, r *http.Request, auditor *audit.MockAuditor, auditable T, userID uuid.UUID, additionalFields map[string]any) {
+ return func(t testing.TB, rr *httptest.ResponseRecorder, r *http.Request, auditor *audit.MockAuditor, auditable T, userID uuid.UUID, additionalFields map[string]any) {
+ t.Helper()
+
+ resp := rr.Result()
+ defer resp.Body.Close()
+
+ require.True(t, auditor.Contains(t, database.AuditLog{
+ OrganizationID: workspace.OrganizationID,
+ Action: database.AuditActionOpen,
+ ResourceType: audit.ResourceType(auditable),
+ ResourceID: audit.ResourceID(auditable),
+ ResourceTarget: audit.ResourceTarget(auditable),
+ UserID: userID,
+ Ip: audit.ParseIP(r.RemoteAddr),
+ UserAgent: sql.NullString{Valid: r.UserAgent() != "", String: r.UserAgent()},
+ StatusCode: int32(resp.StatusCode), //nolint:gosec
+ }), "audit log")
+
+ // Verify additional fields, assume the last log entry.
+ alog := auditor.AuditLogs()[len(auditor.AuditLogs())-1]
+
+ // Contains does not verify uuid.Nil.
+ if userID == uuid.Nil {
+ require.Equal(t, uuid.Nil, alog.UserID, "unauthenticated user")
+ }
+
+ add := make(map[string]any)
+ if len(alog.AdditionalFields) > 0 {
+ err := json.Unmarshal([]byte(alog.AdditionalFields), &add)
+ require.NoError(t, err, "audit log unmarhsal additional fields")
+ }
+ for k, v := range additionalFields {
+ require.Equal(t, v, add[k], "audit log additional field %s: additional fields: %v", k, add)
+ }
+ }
}
diff --git a/coderd/workspaceapps/request.go b/coderd/workspaceapps/request.go
index 0833ab731fe67..0e6a43cb4cbe4 100644
--- a/coderd/workspaceapps/request.go
+++ b/coderd/workspaceapps/request.go
@@ -195,6 +195,8 @@ type databaseRequest struct {
Workspace database.Workspace
// Agent is the agent that the app is running on.
Agent database.WorkspaceAgent
+ // App is the app that the user is trying to access.
+ App database.WorkspaceApp
// AppURL is the resolved URL to the workspace app. This is only set for non
// terminal requests.
@@ -288,6 +290,7 @@ func (r Request) getDatabase(ctx context.Context, db database.Store) (*databaseR
// in the workspace or not.
var (
agentNameOrID = r.AgentNameOrID
+ app database.WorkspaceApp
appURL string
appSharingLevel database.AppSharingLevel
// First check if it's a port-based URL with an optional "s" suffix for HTTPS.
@@ -353,8 +356,9 @@ func (r Request) getDatabase(ctx context.Context, db database.Store) (*databaseR
appSharingLevel = ps.ShareLevel
}
} else {
- for _, app := range apps {
- if app.Slug == r.AppSlugOrPort {
+ for _, a := range apps {
+ if a.Slug == r.AppSlugOrPort {
+ app = a
if !app.Url.Valid {
return nil, xerrors.Errorf("app URL is not valid")
}
@@ -410,6 +414,7 @@ func (r Request) getDatabase(ctx context.Context, db database.Store) (*databaseR
User: user,
Workspace: workspace,
Agent: agent,
+ App: app,
AppURL: appURLParsed,
AppSharingLevel: appSharingLevel,
}, nil
diff --git a/scripts/dbgen/main.go b/scripts/dbgen/main.go
index 4ec08920e9741..5070b0a42aa15 100644
--- a/scripts/dbgen/main.go
+++ b/scripts/dbgen/main.go
@@ -340,7 +340,7 @@ func orderAndStubDatabaseFunctions(filePath, receiver, structName string, stub f
})
for _, r := range fn.Func.Results.List {
switch typ := r.Type.(type) {
- case *dst.StarExpr, *dst.ArrayType:
+ case *dst.StarExpr, *dst.ArrayType, *dst.SelectorExpr:
returnStmt.Results = append(returnStmt.Results, dst.NewIdent("nil"))
case *dst.Ident:
if typ.Path != "" {
diff --git a/testutil/rand.go b/testutil/rand.go
index b20cb9b0573d1..ddf371a88c7ea 100644
--- a/testutil/rand.go
+++ b/testutil/rand.go
@@ -1,6 +1,8 @@
package testutil
import (
+ "crypto/rand"
+ "fmt"
"testing"
"github.com/stretchr/testify/require"
@@ -15,3 +17,18 @@ func MustRandString(t *testing.T, n int) string {
require.NoError(t, err)
return s
}
+
+// RandomIPv6 returns a random IPv6 address in the 2001:db8::/32 range.
+// 2001:db8::/32 is reserved for documentation and example code.
+func RandomIPv6(t testing.TB) string {
+ t.Helper()
+
+ buf := make([]byte, 16)
+ _, err := rand.Read(buf)
+ require.NoError(t, err, "generate random IPv6 address")
+ return fmt.Sprintf(
+ "2001:db8:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x",
+ buf[0], buf[1], buf[2], buf[3], buf[4], buf[5],
+ buf[6], buf[7], buf[8], buf[9], buf[10], buf[11],
+ )
+}
pFad - Phonifier reborn
Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.
Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.
Alternative Proxies:
Alternative Proxy
pFad Proxy
pFad v3 Proxy
pFad v4 Proxy