coder
diff --git a/‎.github/.linkspector.yml
Lines changed: 1 addition & 0 deletions b/‎.github/.linkspector.yml
Lines changed: 1 addition & 0 deletions
diff --git a/‎Makefile
Lines changed: 26 additions & 2 deletions b/‎Makefile
Lines changed: 26 additions & 2 deletions
diff --git a/‎cli/exptest/exptest_scaletest_test.go
Lines changed: 3 additions & 3 deletions b/‎cli/exptest/exptest_scaletest_test.go
Lines changed: 3 additions & 3 deletions
diff --git a/‎cli/ssh_test.go
Lines changed: 90 additions & 87 deletions b/‎cli/ssh_test.go
Lines changed: 90 additions & 87 deletions
diff --git a/‎cli/support_test.go
Lines changed: 5 additions & 1 deletion b/‎cli/support_test.go
Lines changed: 5 additions & 1 deletion
diff --git a/‎cli/testdata/coder_server_--help.golden
Lines changed: 3 additions & 3 deletions b/‎cli/testdata/coder_server_--help.golden
Lines changed: 3 additions & 3 deletions
diff --git a/‎cli/testdata/server-config.yaml.golden
Lines changed: 2 additions & 2 deletions b/‎cli/testdata/server-config.yaml.golden
Lines changed: 2 additions & 2 deletions
diff --git a/‎coderd/autobuild/lifecycle_executor_test.go
Lines changed: 8 additions & 2 deletions b/‎coderd/autobuild/lifecycle_executor_test.go
Lines changed: 8 additions & 2 deletions
diff --git a/‎coderd/database/db2sdk/db2sdk.go
Lines changed: 11 additions & 0 deletions b/‎coderd/database/db2sdk/db2sdk.go
Lines changed: 11 additions & 0 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 8 additions & 0 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 8 additions & 0 deletions
@@ -19,5 +19,6 @@ ignorePatterns:
   - pattern: "code.visualstudio.com"
   - pattern: "www.emacswiki.org"
   - pattern: "linux.die.net/man"
+  - pattern: "www.gnu.org"
 aliveStatusCodes:
   - 200
@@ -864,6 +864,30 @@ test-migrations: test-postgres-docker
 # NOTE: we set --memory to the same size as a GitHub runner.
 test-postgres-docker:
 	docker rm -f test-postgres-docker-${POSTGRES_VERSION} || true
+
+	# Try pulling up to three times to avoid CI flakes.
+	docker pull gcr.io/coder-dev-1/postgres:${POSTGRES_VERSION} || {
+		retries=2
+		for try in $(seq 1 ${retries}); do
+			echo "Failed to pull image, retrying (${try}/${retries})..."
+			sleep 1
+			if docker pull gcr.io/coder-dev-1/postgres:${POSTGRES_VERSION}; then
+				break
+			fi
+		done
+	}
+
+	# Make sure to not overallocate work_mem and max_connections as each
+	# connection will be allowed to use this much memory. Try adjusting
+	# shared_buffers instead, if needed.
+	#
+	# - work_mem=8MB * max_connections=1000 = 8GB
+	# - shared_buffers=2GB + effective_cache_size=1GB = 3GB
+	#
+	# This leaves 5GB for the rest of the system _and_ storing the
+	# database in memory (--tmpfs).
+	#
+	# https://www.postgresql.org/docs/current/runtime-config-resource.html#GUC-WORK-MEM
 	docker run \
 		--env POSTGRES_PASSWORD=postgres \
 		--env POSTGRES_USER=postgres \
@@ -876,9 +900,9 @@ test-postgres-docker:
 		--detach \
 		--memory 16GB \
 		gcr.io/coder-dev-1/postgres:${POSTGRES_VERSION} \
-		-c shared_buffers=1GB \
-		-c work_mem=1GB \
+		-c shared_buffers=2GB \
 		-c effective_cache_size=1GB \
+		-c work_mem=8MB \
 		-c max_connections=1000 \
 		-c fsync=off \
 		-c synchronous_commit=off \
 
@@ -20,9 +20,6 @@ import (
 // can influence other tests in the same package.
 // nolint:paralleltest
 func TestScaleTestWorkspaceTraffic_UseHostLogin(t *testing.T) {
-	ctx, cancelFunc := context.WithTimeout(context.Background(), testutil.WaitMedium)
-	defer cancelFunc()
-
 	log := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true})
 	client := coderdtest.New(t, &coderdtest.Options{
 		Logger:                   &log,
@@ -41,6 +38,9 @@ func TestScaleTestWorkspaceTraffic_UseHostLogin(t *testing.T) {
 		cwr.Name = "scaletest-workspace"
 	})
 
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
+
 	// Test without --use-host-login first.g
 	inv, root := clitest.New(t, "exp", "scaletest", "workspace-traffic",
 		"--template", tpl.Name,
 
@@ -819,102 +819,105 @@ func TestSSH(t *testing.T) {
 
 		tmpdir := tempDirUnixSocket(t)
 		localSock := filepath.Join(tmpdir, "local.sock")
-		l, err := net.Listen("unix", localSock)
-		require.NoError(t, err)
-		defer l.Close()
 		remoteSock := path.Join(tmpdir, "remote.sock")
 		for i := 0; i < 2; i++ {
-			t.Logf("connect %d of 2", i+1)
-			inv, root := clitest.New(t,
-				"ssh",
-				workspace.Name,
-				"--remote-forward",
-				remoteSock+":"+localSock,
-			)
-			fsn := clitest.NewFakeSignalNotifier(t)
-			inv = inv.WithTestSignalNotifyContext(t, fsn.NotifyContext)
-			inv.Stdout = io.Discard
-			inv.Stderr = io.Discard
-
-			clitest.SetupConfig(t, client, root)
-			cmdDone := tGo(t, func() {
-				err := inv.WithContext(ctx).Run()
-				assert.Error(t, err)
-			})
+			func() { // Function scope for defer.
+				t.Logf("Connect %d/2", i+1)
+
+				inv, root := clitest.New(t,
+					"ssh",
+					workspace.Name,
+					"--remote-forward",
+					remoteSock+":"+localSock,
+				)
+				fsn := clitest.NewFakeSignalNotifier(t)
+				inv = inv.WithTestSignalNotifyContext(t, fsn.NotifyContext)
+				inv.Stdout = io.Discard
+				inv.Stderr = io.Discard
 
-			// accept a single connection
-			msgs := make(chan string, 1)
-			go func() {
-				conn, err := l.Accept()
-				if !assert.NoError(t, err) {
-					return
-				}
-				msg, err := io.ReadAll(conn)
-				if !assert.NoError(t, err) {
-					return
-				}
-				msgs <- string(msg)
-			}()
+				clitest.SetupConfig(t, client, root)
+				cmdDone := tGo(t, func() {
+					err := inv.WithContext(ctx).Run()
+					assert.Error(t, err)
+				})
 
-			// Unfortunately, there is a race in crypto/ssh where it sends the request to forward
-			// unix sockets before it is prepared to receive the response, meaning that even after
-			// the socket exists on the file system, the client might not be ready to accept the
-			// channel.
-			//
-			// https://cs.opensource.google/go/x/crypto/+/master:ssh/streamlocal.go;drc=2fc4c88bf43f0ea5ea305eae2b7af24b2cc93287;l=33
-			//
-			// To work around this, we attempt to send messages in a loop until one succeeds
-			success := make(chan struct{})
-			done := make(chan struct{})
-			go func() {
-				defer close(done)
-				var (
-					conn net.Conn
-					err  error
-				)
-				for {
-					time.Sleep(testutil.IntervalMedium)
-					select {
-					case <-ctx.Done():
-						t.Error("timeout")
-						return
-					case <-success:
+				// accept a single connection
+				msgs := make(chan string, 1)
+				l, err := net.Listen("unix", localSock)
+				require.NoError(t, err)
+				defer l.Close()
+				go func() {
+					conn, err := l.Accept()
+					if !assert.NoError(t, err) {
 						return
-					default:
-						// Ok
 					}
-					conn, err = net.Dial("unix", remoteSock)
-					if err != nil {
-						t.Logf("dial error: %s", err)
-						continue
-					}
-					_, err = conn.Write([]byte("test"))
-					if err != nil {
-						t.Logf("write error: %s", err)
+					msg, err := io.ReadAll(conn)
+					if !assert.NoError(t, err) {
+						return
 					}
-					err = conn.Close()
-					if err != nil {
-						t.Logf("close error: %s", err)
+					msgs <- string(msg)
+				}()
+
+				// Unfortunately, there is a race in crypto/ssh where it sends the request to forward
+				// unix sockets before it is prepared to receive the response, meaning that even after
+				// the socket exists on the file system, the client might not be ready to accept the
+				// channel.
+				//
+				// https://cs.opensource.google/go/x/crypto/+/master:ssh/streamlocal.go;drc=2fc4c88bf43f0ea5ea305eae2b7af24b2cc93287;l=33
+				//
+				// To work around this, we attempt to send messages in a loop until one succeeds
+				success := make(chan struct{})
+				done := make(chan struct{})
+				go func() {
+					defer close(done)
+					var (
+						conn net.Conn
+						err  error
+					)
+					for {
+						time.Sleep(testutil.IntervalMedium)
+						select {
+						case <-ctx.Done():
+							t.Error("timeout")
+							return
+						case <-success:
+							return
+						default:
+							// Ok
+						}
+						conn, err = net.Dial("unix", remoteSock)
+						if err != nil {
+							t.Logf("dial error: %s", err)
+							continue
+						}
+						_, err = conn.Write([]byte("test"))
+						if err != nil {
+							t.Logf("write error: %s", err)
+						}
+						err = conn.Close()
+						if err != nil {
+							t.Logf("close error: %s", err)
+						}
 					}
-				}
-			}()
+				}()
 
-			msg := testutil.RequireRecvCtx(ctx, t, msgs)
-			require.Equal(t, "test", msg)
-			close(success)
-			fsn.Notify()
-			<-cmdDone
-			fsn.AssertStopped()
-			// wait for dial goroutine to complete
-			_ = testutil.RequireRecvCtx(ctx, t, done)
-
-			// wait for the remote socket to get cleaned up before retrying,
-			// because cleaning up the socket happens asynchronously, and we
-			// might connect to an old listener on the agent side.
-			require.Eventually(t, func() bool {
-				_, err = os.Stat(remoteSock)
-				return xerrors.Is(err, os.ErrNotExist)
-			}, testutil.WaitShort, testutil.IntervalFast)
+				msg := testutil.RequireRecvCtx(ctx, t, msgs)
+				require.Equal(t, "test", msg)
+				close(success)
+				fsn.Notify()
+				<-cmdDone
+				fsn.AssertStopped()
+				// wait for dial goroutine to complete
+				_ = testutil.RequireRecvCtx(ctx, t, done)
+
+				// wait for the remote socket to get cleaned up before retrying,
+				// because cleaning up the socket happens asynchronously, and we
+				// might connect to an old listener on the agent side.
+				require.Eventually(t, func() bool {
+					_, err = os.Stat(remoteSock)
+					return xerrors.Is(err, os.ErrNotExist)
+				}, testutil.WaitShort, testutil.IntervalFast)
+			}()
 		}
 	})
 
 
@@ -45,7 +45,7 @@ func TestSupportBundle(t *testing.T) {
 
 	t.Run("Workspace", func(t *testing.T) {
 		t.Parallel()
-		ctx := testutil.Context(t, testutil.WaitShort)
+
 		var dc codersdk.DeploymentConfig
 		secretValue := uuid.NewString()
 		seedSecretDeploymentOptions(t, &dc, secretValue)
@@ -61,6 +61,8 @@ func TestSupportBundle(t *testing.T) {
 			agents[0].Env["SECRET_VALUE"] = secretValue
 			return agents
 		}).Do()
+
+		ctx := testutil.Context(t, testutil.WaitShort)
 		ws, err := client.Workspace(ctx, r.Workspace.ID)
 		require.NoError(t, err)
 		tempDir := t.TempDir()
@@ -72,6 +74,8 @@ func TestSupportBundle(t *testing.T) {
 		defer agt.Close()
 		coderdtest.NewWorkspaceAgentWaiter(t, client, r.Workspace.ID).Wait()
 
+		ctx = testutil.Context(t, testutil.WaitShort) // Reset timeout after waiting for agent.
+
 		// Insert a provisioner job log
 		_, err = db.InsertProvisionerJobLogs(ctx, database.InsertProvisionerJobLogsParams{
 			JobID:     r.Build.JobID,
 
@@ -624,9 +624,9 @@ updating, and deleting workspace resources.
           in queued state for a long time, consider increasing this.
 
 TELEMETRY OPTIONS: 
-Telemetry is critical to our ability to improve Coder. We strip all
-personalinformation before sending data to our servers. Please only disable
-telemetrywhen required by your organization's security policy.
+Telemetry is critical to our ability to improve Coder. We strip all personal
+information before sending data to our servers. Please only disable telemetry
+when required by your organization's security policy.
 
       --telemetry bool, $CODER_TELEMETRY_ENABLE (default: false)
           Whether telemetry is enabled or not. Coder collects anonymized usage
 
@@ -390,8 +390,8 @@ oidc:
   # (default: <unset>, type: bool)
   dangerousSkipIssuerChecks: false
 # Telemetry is critical to our ability to improve Coder. We strip all personal
-# information before sending data to our servers. Please only disable telemetry
-# when required by your organization's security policy.
+#  information before sending data to our servers. Please only disable telemetry
+#  when required by your organization's security policy.
 telemetry:
   # Whether telemetry is enabled or not. Coder collects anonymized usage data to
   # help improve our product.
 
@@ -364,7 +364,6 @@ func TestExecutorAutostartUserSuspended(t *testing.T) {
 	t.Parallel()
 
 	var (
-		ctx     = testutil.Context(t, testutil.WaitShort)
 		sched   = mustSchedule(t, "CRON_TZ=UTC 0 * * * *")
 		tickCh  = make(chan time.Time)
 		statsCh = make(chan autobuild.Stats)
@@ -389,6 +388,8 @@ func TestExecutorAutostartUserSuspended(t *testing.T) {
 	// Given: workspace is stopped, and the user is suspended.
 	workspace = coderdtest.MustTransitionWorkspace(t, userClient, workspace.ID, database.WorkspaceTransitionStart, database.WorkspaceTransitionStop)
 
+	ctx := testutil.Context(t, testutil.WaitShort)
+
 	_, err := client.UpdateUserStatus(ctx, user.ID.String(), codersdk.UserStatusSuspended)
 	require.NoError(t, err, "update user status")
 
@@ -660,7 +661,6 @@ func TestExecuteAutostopSuspendedUser(t *testing.T) {
 	t.Parallel()
 
 	var (
-		ctx     = testutil.Context(t, testutil.WaitShort)
 		tickCh  = make(chan time.Time)
 		statsCh = make(chan autobuild.Stats)
 		client  = coderdtest.New(t, &coderdtest.Options{
@@ -681,6 +681,9 @@ func TestExecuteAutostopSuspendedUser(t *testing.T) {
 	// Given: workspace is running, and the user is suspended.
 	workspace = coderdtest.MustWorkspace(t, userClient, workspace.ID)
 	require.Equal(t, codersdk.WorkspaceStatusRunning, workspace.LatestBuild.Status)
+
+	ctx := testutil.Context(t, testutil.WaitShort)
+
 	_, err := client.UpdateUserStatus(ctx, user.ID.String(), codersdk.UserStatusSuspended)
 	require.NoError(t, err, "update user status")
 
@@ -980,6 +983,9 @@ func TestExecutorRequireActiveVersion(t *testing.T) {
 	activeVersion := coderdtest.CreateTemplateVersion(t, ownerClient, owner.OrganizationID, nil)
 	coderdtest.AwaitTemplateVersionJobCompleted(t, ownerClient, activeVersion.ID)
 	template := coderdtest.CreateTemplate(t, ownerClient, owner.OrganizationID, activeVersion.ID)
+
+	ctx = testutil.Context(t, testutil.WaitShort) // Reset context after setting up the template.
+
 	//nolint We need to set this in the database directly, because the API will return an error
 	// letting you know that this feature requires an enterprise license.
 	err = db.UpdateTemplateAccessControlByID(dbauthz.As(ctx, coderdtest.AuthzUserSubject(me, owner.OrganizationID)), database.UpdateTemplateAccessControlByIDParams{
 
@@ -17,6 +17,7 @@ import (
 
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/rbac"
+	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/coderd/render"
 	"github.com/coder/coder/v2/coderd/workspaceapps/appurl"
 	"github.com/coder/coder/v2/codersdk"
@@ -694,3 +695,13 @@ func MatchedProvisioners(provisionerDaemons []database.ProvisionerDaemon, now ti
 	}
 	return matched
 }
+
+func TemplateRoleActions(role codersdk.TemplateRole) []policy.Action {
+	switch role {
+	case codersdk.TemplateRoleAdmin:
+		return []policy.Action{policy.WildcardSymbol}
+	case codersdk.TemplateRoleUse:
+		return []policy.Action{policy.ActionRead, policy.ActionUse}
+	}
+	return []policy.Action{}
+}
@@ -3169,6 +3169,14 @@ func (q *querier) InsertUserLink(ctx context.Context, arg database.InsertUserLin
 
 func (q *querier) InsertWorkspace(ctx context.Context, arg database.InsertWorkspaceParams) (database.WorkspaceTable, error) {
 	obj := rbac.ResourceWorkspace.WithOwner(arg.OwnerID.String()).InOrg(arg.OrganizationID)
+	tpl, err := q.GetTemplateByID(ctx, arg.TemplateID)
+	if err != nil {
+		return database.WorkspaceTable{}, xerrors.Errorf("verify template by id: %w", err)
+	}
+	if err := q.authorizeContext(ctx, policy.ActionUse, tpl); err != nil {
+		return database.WorkspaceTable{}, xerrors.Errorf("use template for workspace: %w", err)
+	}
+
 	return insert(q.log, q.auth, obj, q.db.InsertWorkspace)(ctx, arg)
 }