chore: fix default template policy actions

Emyrk · Emyrk · commit c66296e3925d · 2025-01-09T11:34:45.000-06:00
diff --git a/coderd/database/db2sdk/db2sdk.go b/coderd/database/db2sdk/db2sdk.go
@@ -17,6 +17,7 @@ import (
 
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/rbac"
+	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/coderd/render"
 	"github.com/coder/coder/v2/coderd/workspaceapps/appurl"
 	"github.com/coder/coder/v2/codersdk"
@@ -694,3 +695,13 @@ func MatchedProvisioners(provisionerDaemons []database.ProvisionerDaemon, now ti
 	}
 	return matched
 }
+
+func TemplateRoleActions(role codersdk.TemplateRole) []policy.Action {
+	switch role {
+	case codersdk.TemplateRoleAdmin:
+		return []policy.Action{policy.WildcardSymbol}
+	case codersdk.TemplateRoleUse:
+		return []policy.Action{policy.ActionRead, policy.ActionUse}
+	}
+	return []policy.Action{}
+}
diff --git a/coderd/database/dbgen/dbgen.go b/coderd/database/dbgen/dbgen.go
@@ -20,12 +20,13 @@ import (
 	"golang.org/x/xerrors"
 
 	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/db2sdk"
 	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/database/provisionerjobs"
 	"github.com/coder/coder/v2/coderd/database/pubsub"
 	"github.com/coder/coder/v2/coderd/rbac"
-	"github.com/coder/coder/v2/coderd/rbac/policy"
+	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/cryptorand"
 	"github.com/coder/coder/v2/testutil"
 )
@@ -75,7 +76,7 @@ func Template(t testing.TB, db database.Store, seed database.Template) database.
 	if seed.GroupACL == nil {
 		// By default, all users in the organization can read the template.
 		seed.GroupACL = database.TemplateACL{
-			seed.OrganizationID.String(): []policy.Action{policy.ActionRead},
+			seed.OrganizationID.String(): db2sdk.TemplateRoleActions(codersdk.TemplateRoleUse),
 		}
 	}
 	if seed.UserACL == nil {
diff --git a/coderd/templates.go b/coderd/templates.go
@@ -14,6 +14,7 @@ import (
 	"golang.org/x/xerrors"
 
 	"cdr.dev/slog"
+	"github.com/coder/coder/v2/coderd/database/db2sdk"
 
 	"github.com/coder/coder/v2/coderd/audit"
 	"github.com/coder/coder/v2/coderd/database"
@@ -382,7 +383,7 @@ func (api *API) postTemplateByOrganization(rw http.ResponseWriter, r *http.Reque
 	if !createTemplate.DisableEveryoneGroupAccess {
 		// The organization ID is used as the group ID for the everyone group
 		// in this organization.
-		defaultsGroups[organization.ID.String()] = []policy.Action{policy.ActionRead}
+		defaultsGroups[organization.ID.String()] = db2sdk.TemplateRoleActions(codersdk.TemplateRoleUse)
 	}
 	err = api.Database.InTx(func(tx database.Store) error {
 		now := dbtime.Now()
diff --git a/enterprise/coderd/templates.go b/enterprise/coderd/templates.go
@@ -223,7 +223,7 @@ func (api *API) patchTemplateACL(rw http.ResponseWriter, r *http.Request) {
 					delete(template.UserACL, id)
 					continue
 				}
-				template.UserACL[id] = convertSDKTemplateRole(role)
+				template.UserACL[id] = db2sdk.TemplateRoleActions(role)
 			}
 		}
 
@@ -235,7 +235,7 @@ func (api *API) patchTemplateACL(rw http.ResponseWriter, r *http.Request) {
 					delete(template.GroupACL, id)
 					continue
 				}
-				template.GroupACL[id] = convertSDKTemplateRole(role)
+				template.GroupACL[id] = db2sdk.TemplateRoleActions(role)
 			}
 		}
 
@@ -317,7 +317,7 @@ func convertTemplateUsers(tus []database.TemplateUser, orgIDsByUserIDs map[uuid.
 }
 
 func validateTemplateRole(role codersdk.TemplateRole) error {
-	actions := convertSDKTemplateRole(role)
+	actions := db2sdk.TemplateRoleActions(role)
 	if actions == nil && role != codersdk.TemplateRoleDeleted {
 		return xerrors.Errorf("role %q is not a valid Template role", role)
 	}
@@ -336,17 +336,6 @@ func convertToTemplateRole(actions []policy.Action) codersdk.TemplateRole {
 	return ""
 }
 
-func convertSDKTemplateRole(role codersdk.TemplateRole) []policy.Action {
-	switch role {
-	case codersdk.TemplateRoleAdmin:
-		return []policy.Action{policy.WildcardSymbol}
-	case codersdk.TemplateRoleUse:
-		return []policy.Action{policy.ActionRead, policy.ActionUse}
-	}
-
-	return nil
-}
-
 // TODO move to api.RequireFeatureMW when we are OK with changing the behavior.
 func (api *API) templateRBACEnabledMW(next http.Handler) http.Handler {
 	return api.RequireFeatureMW(codersdk.FeatureTemplateRBAC)(next)
diff --git a/enterprise/coderd/workspaces_test.go b/enterprise/coderd/workspaces_test.go
@@ -218,6 +218,8 @@ func TestCreateWorkspace(t *testing.T) {
 		version := coderdtest.CreateTemplateVersion(t, owner, first.OrganizationID, nil)
 		_ = coderdtest.AwaitTemplateVersionJobCompleted(t, owner, version.ID)
 		template := coderdtest.CreateTemplate(t, owner, first.OrganizationID, version.ID)
+
+		//nolint:gocritic // This should be run as the owner user.
 		err := owner.UpdateTemplateACL(ctx, template.ID, codersdk.UpdateTemplateACL{
 			UserPerms: nil,
 			GroupPerms: map[string]codersdk.TemplateRole{

Original file line number	Diff line number	Diff line change
`@@ -223,7 +223,7 @@ func (api API) patchTemplateACL(rw http.ResponseWriter, r http.Request) {`
`223`	`223`	`delete(template.UserACL, id)`
`224`	`224`	`continue`
`225`	`225`	`}`
`226`		`- template.UserACL[id] = convertSDKTemplateRole(role)`
	`226`	`+ template.UserACL[id] = db2sdk.TemplateRoleActions(role)`
`227`	`227`	`}`
`228`	`228`	`}`
`229`	`229`
`@@ -235,7 +235,7 @@ func (api API) patchTemplateACL(rw http.ResponseWriter, r http.Request) {`
`235`	`235`	`delete(template.GroupACL, id)`
`236`	`236`	`continue`
`237`	`237`	`}`
`238`		`- template.GroupACL[id] = convertSDKTemplateRole(role)`
	`238`	`+ template.GroupACL[id] = db2sdk.TemplateRoleActions(role)`
`239`	`239`	`}`
`240`	`240`	`}`
`241`	`241`
`@@ -317,7 +317,7 @@ func convertTemplateUsers(tus []database.TemplateUser, orgIDsByUserIDs map[uuid.`
`317`	`317`	`}`
`318`	`318`
`319`	`319`	`func validateTemplateRole(role codersdk.TemplateRole) error {`
`320`		`- actions := convertSDKTemplateRole(role)`
	`320`	`+ actions := db2sdk.TemplateRoleActions(role)`
`321`	`321`	`if actions == nil && role != codersdk.TemplateRoleDeleted {`
`322`	`322`	`return xerrors.Errorf("role %q is not a valid Template role", role)`
`323`	`323`	`}`
`@@ -336,17 +336,6 @@ func convertToTemplateRole(actions []policy.Action) codersdk.TemplateRole {`
`336`	`336`	`return ""`
`337`	`337`	`}`
`338`	`338`
`339`		`-func convertSDKTemplateRole(role codersdk.TemplateRole) []policy.Action {`
`340`		`- switch role {`
`341`		`- case codersdk.TemplateRoleAdmin:`
`342`		`- return []policy.Action{policy.WildcardSymbol}`
`343`		`- case codersdk.TemplateRoleUse:`
`344`		`- return []policy.Action{policy.ActionRead, policy.ActionUse}`
`345`		`- }`
`346`		`-`
`347`		`- return nil`
`348`		`-}`
`349`		`-`
`350`	`339`	`// TODO move to api.RequireFeatureMW when we are OK with changing the behavior.`
`351`	`340`	`func (api *API) templateRBACEnabledMW(next http.Handler) http.Handler {`
`352`	`341`	`return api.RequireFeatureMW(codersdk.FeatureTemplateRBAC)(next)`