chore: Allow regular users to query for all workspaces

Emyrk · Emyrk · commit 26d34970a8f8 · 2023-04-25T09:46:42.000-05:00
diff --git a/coderd/authorize.go b/coderd/authorize.go
@@ -51,7 +51,7 @@ type HTTPAuthorizer struct {
 //		return
 //	}
 func (api *API) Authorize(r *http.Request, action rbac.Action, object rbac.Objecter) bool {
-	return api.HTTPAuth.Authorize(r, action, object)
+	return api.HTTPAuth.Authorize(r, action, object, true)
 }
 
 // Authorize will return false if the user is not authorized to do the action.
@@ -63,27 +63,33 @@ func (api *API) Authorize(r *http.Request, action rbac.Action, object rbac.Objec
 //		httpapi.Forbidden(rw)
 //		return
 //	}
-func (h *HTTPAuthorizer) Authorize(r *http.Request, action rbac.Action, object rbac.Objecter) bool {
+func (h *HTTPAuthorizer) Authorize(r *http.Request, action rbac.Action, object rbac.Objecter, logUnauthorized bool) bool {
 	roles := httpmw.UserAuthorization(r)
 	err := h.Authorizer.Authorize(r.Context(), roles.Actor, action, object.RBACObject())
 	if err != nil {
-		// Log the errors for debugging
-		internalError := new(rbac.UnauthorizedError)
-		logger := h.Logger
-		if xerrors.As(err, internalError) {
-			logger = h.Logger.With(slog.F("internal", internalError.Internal()))
+		// Sometimes we do not want to log the unauthorized errors.
+		// Example: If an endpoint expects the normal case to return unauthorized
+		// to check a user is not an admin, we do not want to log that since it is
+		// the expected path.
+		if logUnauthorized {
+			// Log the errors for debugging
+			internalError := new(rbac.UnauthorizedError)
+			logger := h.Logger
+			if xerrors.As(err, internalError) {
+				logger = h.Logger.With(slog.F("internal", internalError.Internal()))
+			}
+			// Log information for debugging. This will be very helpful
+			// in the early days
+			logger.Warn(r.Context(), "unauthorized",
+				slog.F("roles", roles.Actor.SafeRoleNames()),
+				slog.F("actor_id", roles.Actor.ID),
+				slog.F("actor_name", roles.ActorName),
+				slog.F("scope", roles.Actor.SafeScopeName()),
+				slog.F("route", r.URL.Path),
+				slog.F("action", action),
+				slog.F("object", object),
+			)
 		}
-		// Log information for debugging. This will be very helpful
-		// in the early days
-		logger.Warn(r.Context(), "unauthorized",
-			slog.F("roles", roles.Actor.SafeRoleNames()),
-			slog.F("actor_id", roles.Actor.ID),
-			slog.F("actor_name", roles.ActorName),
-			slog.F("scope", roles.Actor.SafeScopeName()),
-			slog.F("route", r.URL.Path),
-			slog.F("action", action),
-			slog.F("object", object),
-		)
 
 		return false
 	}
diff --git a/coderd/rbac/object.go b/coderd/rbac/object.go
@@ -36,6 +36,13 @@ var (
 		Type: "workspace_proxy",
 	}
 
+	// ResourceWorkspaceProxyMetaData is a special resource that is used to
+	// allow reading metadata for a given workspace proxy. This metadata should
+	// not be revealed to all users, only administrators of the workspace proxy.
+	ResourceWorkspaceProxyMetaData = Object{
+		Type: "workspace_proxy_data",
+	}
+
 	// ResourceWorkspaceExecution CRUD. Org + User owner
 	//	create = workspace remote execution
 	// 	read = ?
diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go
@@ -151,6 +151,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 					ResourceRoleAssignment.Type: {ActionRead},
 					// All users can see the provisioner daemons.
 					ResourceProvisionerDaemon.Type: {ActionRead},
+					ResourceWorkspaceProxy.Type:    {ActionRead},
 				}),
 				Org:  map[string][]Permission{},
 				User: allPermsExcept(),
diff --git a/codersdk/workspaceproxy.go b/codersdk/workspaceproxy.go
@@ -31,6 +31,8 @@ const (
 type WorkspaceProxyStatus struct {
 	Status ProxyHealthStatus `json:"status" table:"status"`
 	// Report provides more information about the health of the workspace proxy.
+	// This is not provided if the user does not have permission to view workspace
+	// proxy metadata.
 	Report    ProxyHealthReport `json:"report,omitempty" table:"report"`
 	CheckedAt time.Time         `json:"checked_at" table:"checked_at" format:"date-time"`
 }
diff --git a/enterprise/coderd/coderd.go b/enterprise/coderd/coderd.go
@@ -93,6 +93,7 @@ func New(ctx context.Context, options *Options) (*API, error) {
 			r.Use(apiKeyMiddleware)
 			r.Post("/", api.reconnectingPTYSignedToken)
 		})
+		// These routes are for administering and managing workspace proxies.
 		r.Route("/workspaceproxies", func(r chi.Router) {
 			r.Use(
 				api.moonsEnabledMW,
@@ -512,5 +513,5 @@ func (api *API) runEntitlementsLoop(ctx context.Context) {
 }
 
 func (api *API) Authorize(r *http.Request, action rbac.Action, object rbac.Objecter) bool {
-	return api.AGPL.HTTPAuth.Authorize(r, action, object)
+	return api.AGPL.HTTPAuth.Authorize(r, action, object, true)
 }
diff --git a/enterprise/coderd/workspaceproxy.go b/enterprise/coderd/workspaceproxy.go
@@ -187,7 +187,7 @@ func (api *API) postWorkspaceProxy(rw http.ResponseWriter, r *http.Request) {
 
 	aReq.New = proxy
 	httpapi.Write(ctx, rw, http.StatusCreated, codersdk.CreateWorkspaceProxyResponse{
-		Proxy: convertProxy(proxy, proxyhealth.ProxyStatus{
+		Proxy: api.convertProxy(r, proxy, proxyhealth.ProxyStatus{
 			Proxy:     proxy,
 			CheckedAt: time.Now(),
 			Status:    proxyhealth.Unregistered,
diff --git a/enterprise/coderd/workspaceproxy_test.go b/enterprise/coderd/workspaceproxy_test.go
@@ -17,6 +17,8 @@ import (
 	"cdr.dev/slog/sloggers/slogtest"
 	"github.com/coder/coder/agent"
 	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/database/dbauthz"
 	"github.com/coder/coder/coderd/database/dbtestutil"
 	"github.com/coder/coder/coderd/workspaceapps"
 	"github.com/coder/coder/codersdk"
@@ -245,6 +247,52 @@ func TestWorkspaceProxyCRUD(t *testing.T) {
 	})
 }
 
+// TestWorkspaceProxyRead ensures regular uses cannot get report information.
+func TestWorkspaceProxyRead(t *testing.T) {
+	t.Parallel()
+
+	dv := coderdtest.DeploymentValues(t)
+	dv.Experiments = []string{
+		string(codersdk.ExperimentMoons),
+		"*",
+	}
+	client, _, api := coderdenttest.NewWithAPI(t, &coderdenttest.Options{
+		Options: &coderdtest.Options{
+			DeploymentValues: dv,
+		},
+	})
+	first := coderdtest.CreateFirstUser(t, client)
+	member, _ := coderdtest.CreateAnotherUser(t, client, first.OrganizationID)
+	_ = coderdenttest.AddLicense(t, client, coderdenttest.LicenseOptions{
+		Features: license.Features{
+			codersdk.FeatureWorkspaceProxy: 1,
+		},
+	})
+
+	ctx := testutil.Context(t, testutil.WaitLong)
+	proxyRes, err := client.CreateWorkspaceProxy(ctx, codersdk.CreateWorkspaceProxyRequest{
+		Name: namesgenerator.GetRandomName(1),
+		Icon: "/emojis/flag.png",
+	})
+	require.NoError(t, err)
+
+	//nolint:gocritic // System func
+	_, err = api.Database.RegisterWorkspaceProxy(dbauthz.AsSystemRestricted(ctx), database.RegisterWorkspaceProxyParams{
+		ID:  proxyRes.Proxy.ID,
+		Url: "http://bad-never-resolves.random",
+	})
+	require.NoError(t, err, "failed to register workspace proxy")
+
+	proxies, err := client.WorkspaceProxies(ctx)
+	require.NoError(t, err, "failed to get workspace proxies")
+	fmt.Println(proxies)
+
+	proxies, err = member.WorkspaceProxies(ctx)
+	require.NoError(t, err, "failed to get workspace proxies")
+	fmt.Println(proxies)
+
+}
+
 func TestIssueSignedAppToken(t *testing.T) {
 	t.Parallel()
 
diff --git a/scripts/develop.sh b/scripts/develop.sh
@@ -185,7 +185,7 @@ fatal() {
 			# Create the proxy
 			proxy_session_token=$("${CODER_DEV_SHIM}" proxy create --name=local-proxy --display-name="Local Proxy" --icon="/emojis/1f4bb.png" --only-token)
 			# Start the proxy
-			start_cmd PROXY "" "${CODER_DEV_SHIM}" proxy server --http-address=localhost:3010 --proxy-session-token="${proxy_session_token}" --primary-access-url=http://localhost:3000
+			start_cmd PROXY "" "${CODER_DEV_SHIM}" proxy server --access-url=http://127.0.0.1:3010 --http-address=127.0.0.1:3010 --proxy-session-token="${proxy_session_token}" --primary-access-url=http://localhost:3000
 		) || echo "Failed to create workspace proxy. No workspace proxy created."
 	fi
 

Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,8 @@ const (`
`31`	`31`	`type WorkspaceProxyStatus struct {`
`32`	`32`	Status ProxyHealthStatus `json:"status" table:"status"`
`33`	`33`	`// Report provides more information about the health of the workspace proxy.`
	`34`	`+ // This is not provided if the user does not have permission to view workspace`
	`35`	`+ // proxy metadata.`
`34`	`36`	Report ProxyHealthReport `json:"report,omitempty" table:"report"`
`35`	`37`	CheckedAt time.Time `json:"checked_at" table:"checked_at" format:"date-time"`
`36`	`38`	`}`
Original file line number	Diff line number	Diff line change
`@@ -93,6 +93,7 @@ func New(ctx context.Context, options Options) (API, error) {`
`93`	`93`	`r.Use(apiKeyMiddleware)`
`94`	`94`	`r.Post("/", api.reconnectingPTYSignedToken)`
`95`	`95`	`})`
	`96`	`+ // These routes are for administering and managing workspace proxies.`
`96`	`97`	`r.Route("/workspaceproxies", func(r chi.Router) {`
`97`	`98`	`r.Use(`
`98`	`99`	`api.moonsEnabledMW,`
`@@ -512,5 +513,5 @@ func (api *API) runEntitlementsLoop(ctx context.Context) {`
`512`	`513`	`}`
`513`	`514`
`514`	`515`	`func (api API) Authorize(r http.Request, action rbac.Action, object rbac.Objecter) bool {`
`515`		`- return api.AGPL.HTTPAuth.Authorize(r, action, object)`
	`516`	`+ return api.AGPL.HTTPAuth.Authorize(r, action, object, true)`
`516`	`517`	`}`