Skip to content

fix: create agent firewall sessions without requiring agent read access#27047

Merged
SasSwart merged 1 commit into
release/2.35from
jjs/cherry-pick-correlation
Jul 7, 2026
Merged

fix: create agent firewall sessions without requiring agent read access#27047
SasSwart merged 1 commit into
release/2.35from
jjs/cherry-pick-correlation

Conversation

@SasSwart

@SasSwart SasSwart commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Overview

Part of the boundary correlation feature. Fixes lazy creation of boundary_sessions rows so it works within the agent's RBAC constraints, and consumes the new ConfinedProcessName field reported by boundary.

Pairs with coder/boundary#206, which adds ConfinedProcessName to ReportBoundaryLogsRequest. This branch bumps the github.com/coder/boundary module to pick up that work.

Problem

ensureSession did a pre-insert existence check via GetBoundarySessionByID. Agents are not permitted to read boundary sessions, so that read path is not viable when the session is created from an agent-reported log batch.

Changes

  • Remove the pre-insert read. ensureSession now inserts directly and treats a primary-key unique violation as success, covering sessions already created by a prior batch, a reconnection, or another coderd replica — without requiring read access.
  • Per-connection guard. Add a mutex-protected ensuredSessions set so repeated log batches on the same connection skip the existence check and insert entirely, touching the database only for the logs. On a transient insert failure the session is left unmarked so the next batch retries.
  • Consume ConfinedProcessName. Pass req.GetConfinedProcessName() through to the session insert.
  • Bump boundary module from v0.9.0 to v0.9.1-0.20260706095856-35ba90f9e8b2.
  • Tests.
  • Add TestReportBoundaryLogsAgentRBAC (coderd/boundary_logs_test.go), an integration test that connects as a real workspace agent, verifies the session and log are persisted under agent RBAC, and asserts the agent subject cannot read boundary sessions — guarding against reintroducing a pre-insert read.
  • Add TestReportBoundaryLogsSessionGuard (session inserted once across two batches, logs inserted per batch) and
    TestReportBoundaryLogsSessionRetriedOnError (insert retried after a transient error).
  • Regenerate agent-firewall CLI docs/golden files and adjust the clidocgen template to render the YAML path when a flag has no long name.

🤖 This PR was opened by Coder Agents on behalf of @SasSwart.

…ss (#26990)

## Overview

Part of the **boundary correlation** feature. Fixes lazy creation of
`boundary_sessions` rows so it works within the agent's RBAC
constraints, and consumes the new `ConfinedProcessName` field reported
by boundary.

Pairs with coder/boundary#206, which adds `ConfinedProcessName` to
`ReportBoundaryLogsRequest`. This branch bumps the
`github.com/coder/boundary` module to pick up that work.

## Problem

`ensureSession` did a pre-insert existence check via
`GetBoundarySessionByID`. Agents are **not permitted to read boundary
sessions**, so that read path is not viable when the session is created
from an agent-reported log batch.

## Changes

- **Remove the pre-insert read.** `ensureSession` now inserts directly
and treats a primary-key unique violation as success, covering sessions
already created by a prior batch, a reconnection, or another coderd
replica — without requiring read access.
- **Per-connection guard.** Add a mutex-protected `ensuredSessions` set
so repeated log batches on the same connection skip the existence check
and insert entirely, touching the database only for the logs. On a
transient insert failure the session is left unmarked so the next batch
retries.
- **Consume `ConfinedProcessName`.** Pass `req.GetConfinedProcessName()`
through to the session insert.
- **Bump boundary module** from `v0.9.0` to
`v0.9.1-0.20260706095856-35ba90f9e8b2`.
- **Tests.**
- Add `TestReportBoundaryLogsAgentRBAC`
(`coderd/boundary_logs_test.go`), an integration test that connects as a
real workspace agent, verifies the session and log are persisted under
agent RBAC, and asserts the agent subject cannot read boundary sessions
— guarding against reintroducing a pre-insert read.
- Add `TestReportBoundaryLogsSessionGuard` (session inserted once across
two batches, logs inserted per batch) and
`TestReportBoundaryLogsSessionRetriedOnError` (insert retried after a
transient error).
- Regenerate `agent-firewall` CLI docs/golden files and adjust the
clidocgen template to render the YAML path when a flag has no long name.

> 🤖 This PR was opened by Coder Agents on behalf of @SasSwart.
@SasSwart SasSwart requested a review from mtojek July 7, 2026 10:45
@SasSwart SasSwart self-assigned this Jul 7, 2026
@SasSwart SasSwart added the cherry-pick/v2.35 Cherry-pick PR targeting release/2.35 label Jul 7, 2026
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown

Docs preview

📖 View docs preview for docs/reference/cli/agent-firewall.md

@SasSwart SasSwart merged commit 3a09323 into release/2.35 Jul 7, 2026
58 of 59 checks passed
@SasSwart SasSwart deleted the jjs/cherry-pick-correlation branch July 7, 2026 10:59
@github-actions github-actions Bot locked and limited conversation to collaborators Jul 7, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

cherry-pick/v2.35 Cherry-pick PR targeting release/2.35

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants