coder
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 20 additions & 0 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 20 additions & 0 deletions
diff --git a/‎coderd/database/dbmetrics/querymetrics.go
Lines changed: 14 additions & 0 deletions b/‎coderd/database/dbmetrics/querymetrics.go
Lines changed: 14 additions & 0 deletions
diff --git a/‎coderd/database/dbmock/dbmock.go
Lines changed: 30 additions & 0 deletions b/‎coderd/database/dbmock/dbmock.go
Lines changed: 30 additions & 0 deletions
diff --git a/‎coderd/database/querier.go
Lines changed: 2 additions & 0 deletions b/‎coderd/database/querier.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/database/queries.sql.go
Lines changed: 63 additions & 0 deletions b/‎coderd/database/queries.sql.go
Lines changed: 63 additions & 0 deletions
diff --git a/‎coderd/database/queries/groups.sql
Lines changed: 18 additions & 0 deletions b/‎coderd/database/queries/groups.sql
Lines changed: 18 additions & 0 deletions
diff --git a/‎coderd/database/queries/users.sql
Lines changed: 19 additions & 0 deletions b/‎coderd/database/queries/users.sql
Lines changed: 19 additions & 0 deletions
diff --git a/‎coderd/rbac/acl/updatevalidator.go
Lines changed: 108 additions & 0 deletions b/‎coderd/rbac/acl/updatevalidator.go
Lines changed: 108 additions & 0 deletions
@@ -5376,6 +5376,26 @@ func (q *querier) UpsertWorkspaceAppAuditSession(ctx context.Context, arg databa
 	return q.db.UpsertWorkspaceAppAuditSession(ctx, arg)
 }
 
+func (q *querier) ValidateGroupIDs(ctx context.Context, groupIds []uuid.UUID) (database.ValidateGroupIDsRow, error) {
+	// This check is probably overly restrictive, but the "correct" check isn't
+	// necessarily obvious. It's only used as a verification check for ACLs right
+	// now, which are performed as system.
+	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceSystem); err != nil {
+		return database.ValidateGroupIDsRow{}, err
+	}
+	return q.db.ValidateGroupIDs(ctx, groupIds)
+}
+
+func (q *querier) ValidateUserIDs(ctx context.Context, userIds []uuid.UUID) (database.ValidateUserIDsRow, error) {
+	// This check is probably overly restrictive, but the "correct" check isn't
+	// necessarily obvious. It's only used as a verification check for ACLs right
+	// now, which are performed as system.
+	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceSystem); err != nil {
+		return database.ValidateUserIDsRow{}, err
+	}
+	return q.db.ValidateUserIDs(ctx, userIds)
+}
+
 func (q *querier) GetAuthorizedTemplates(ctx context.Context, arg database.GetTemplatesWithFilterParams, _ rbac.PreparedAuthorized) ([]database.Template, error) {
 	// TODO Delete this function, all GetTemplates should be authorized. For now just call getTemplates on the authz querier.
 	return q.GetTemplatesWithFilter(ctx, arg)
 
@@ -8,6 +8,24 @@ WHERE
 LIMIT
 	1;
 
+-- name: ValidateGroupIDs :one
+WITH input AS (
+	SELECT
+		unnest(@group_ids::uuid[]) AS id
+)
+SELECT
+	array_agg(input.id)::uuid[] as invalid_group_ids,
+	COUNT(*) = 0 as ok
+FROM
+	-- Preserve rows where there is not a matching left (groups) row for each
+	-- right (input) row...
+	users
+	RIGHT JOIN input ON groups.id = input.id
+WHERE
+	-- ...so that we can retain exactly those rows where an input ID does not
+	-- match an existing group.
+	groups.id IS NOT DISTINCT FROM NULL;
+
 -- name: GetGroupByOrgAndName :one
 SELECT
 	*
 
@@ -25,6 +25,25 @@ WHERE
 LIMIT
 	1;
 
+-- name: ValidateUserIDs :one
+WITH input AS (
+	SELECT
+		unnest(@user_ids::uuid[]) AS id
+)
+SELECT
+	array_agg(input.id)::uuid[] as invalid_user_ids,
+	COUNT(*) = 0 as ok
+FROM
+	-- Preserve rows where there is not a matching left (users) row for each
+	-- right (input) row...
+	users
+	RIGHT JOIN input ON users.id = input.id
+WHERE
+	-- ...so that we can retain exactly those rows where an input ID does not
+	-- match an existing user.
+	users.id IS NOT DISTINCT FROM NULL AND
+	users.deleted = false;
+
 -- name: GetUsersByIDs :many
 -- This shouldn't check for deleted, because it's frequently used
 -- to look up references to actions. eg. a user could build a workspace
 
@@ -0,0 +1,108 @@
+package acl
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/google/uuid"
+
+	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/dbauthz"
+	"github.com/coder/coder/v2/codersdk"
+)
+
+type ACLUpdateValidator[Role codersdk.WorkspaceRole | codersdk.TemplateRole] interface {
+	Users() (map[string]Role, string)
+	Groups() (map[string]Role, string)
+	ValidateRole(role Role) error
+}
+
+func Validate[T codersdk.WorkspaceRole | codersdk.TemplateRole](
+	ctx context.Context,
+	db database.Store,
+	v ACLUpdateValidator[T],
+) []codersdk.ValidationError {
+	// nolint:gocritic // Validate requires full read access to users and groups
+	ctx = dbauthz.AsSystemRestricted(ctx)
+	var validErrs []codersdk.ValidationError
+
+	groupPerms, groupsField := v.Groups()
+	groupIDs := make([]uuid.UUID, 0, len(groupPerms))
+	for idStr, role := range groupPerms {
+		// Validate the provided role names
+		if err := v.ValidateRole(role); err != nil {
+			validErrs = append(validErrs, codersdk.ValidationError{
+				Field:  groupsField,
+				Detail: err.Error(),
+			})
+		}
+		// Validate that the IDs are UUIDs
+		id, err := uuid.Parse(idStr)
+		if err != nil {
+			validErrs = append(validErrs, codersdk.ValidationError{
+				Field:  groupsField,
+				Detail: idStr + "is not a valid UUID.",
+			})
+			continue
+		}
+		groupIDs = append(groupIDs, id)
+	}
+
+	// Validate that the groups exist
+	groupValidation, err := db.ValidateGroupIDs(ctx, groupIDs)
+	if err != nil {
+		validErrs = append(validErrs, codersdk.ValidationError{
+			Field:  groupsField,
+			Detail: fmt.Sprintf("failed to validate group IDs: %v", err.Error()),
+		})
+	}
+	if !groupValidation.Ok {
+		for _, id := range groupValidation.InvalidGroupIds {
+			validErrs = append(validErrs, codersdk.ValidationError{
+				Field:  groupsField,
+				Detail: fmt.Sprintf("group with ID %v does not exist", id),
+			})
+		}
+	}
+
+	userPerms, usersField := v.Users()
+	userIDs := make([]uuid.UUID, 0, len(userPerms))
+	for idStr, role := range userPerms {
+		// Validate the provided role names
+		if err := v.ValidateRole(role); err != nil {
+			validErrs = append(validErrs, codersdk.ValidationError{
+				Field:  usersField,
+				Detail: err.Error(),
+			})
+		}
+		// Validate that the IDs are UUIDs
+		id, err := uuid.Parse(idStr)
+		if err != nil {
+			validErrs = append(validErrs, codersdk.ValidationError{
+				Field:  usersField,
+				Detail: idStr + "is not a valid UUID.",
+			})
+			continue
+		}
+		userIDs = append(userIDs, id)
+	}
+
+	// Validate that the groups exist
+	userValidation, err := db.ValidateUserIDs(ctx, userIDs)
+	if err != nil {
+		validErrs = append(validErrs, codersdk.ValidationError{
+			Field:  usersField,
+			Detail: fmt.Sprintf("failed to validate user IDs: %v", err.Error()),
+		})
+	}
+	if !userValidation.Ok {
+		for _, id := range userValidation.InvalidUserIds {
+			validErrs = append(validErrs, codersdk.ValidationError{
+				Field:  usersField,
+				Detail: fmt.Sprintf("user with ID %v does not exist", id),
+			})
+		}
+	}
+
+	return validErrs
+}