Address spike + mathias + cian comments

ammario · ammario · commit 2c1cbbb814b8 · 2024-01-23T14:33:13.000-06:00
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -1759,9 +1759,7 @@ func (q *querier) GetUserWorkspaceBuildParameters(ctx context.Context, params da
 	if err != nil {
 		return nil, err
 	}
-	// The ability to update the user implies either the user themselves or someone
-	// with complete admin access to the user account.
-	if err := q.authorizeContext(ctx, rbac.ActionUpdate, u.UserDataRBACObject()); err != nil {
+	if err := q.authorizeContext(ctx, rbac.ActionRead, u.UserWorkspaceBuildParametersObject()); err != nil {
 		return nil, err
 	}
 	return q.db.GetUserWorkspaceBuildParameters(ctx, params)
diff --git a/coderd/database/dbmem/dbmem.go b/coderd/database/dbmem/dbmem.go
@@ -3773,15 +3773,48 @@ func (q *FakeQuerier) GetUserWorkspaceBuildParameters(_ context.Context, params
 		userWorkspaceIDs[ws.ID] = struct{}{}
 	}
 
-	userWorkspaceBuildParameters := make([]database.GetUserWorkspaceBuildParametersRow, 0)
+	userWorkspaceBuilds := make(map[uuid.UUID]struct{})
+	for _, wb := range q.workspaceBuilds {
+		if _, ok := userWorkspaceIDs[wb.WorkspaceID]; !ok {
+			continue
+		}
+		userWorkspaceBuilds[wb.ID] = struct{}{}
+	}
+
+	templateVersions := make(map[uuid.UUID]struct{})
+	for _, tv := range q.templateVersions {
+		if tv.TemplateID.UUID != params.TemplateID {
+			continue
+		}
+		templateVersions[tv.ID] = struct{}{}
+	}
+
+	tvps := make(map[string]struct{})
+	for _, tvp := range q.templateVersionParameters {
+		if _, ok := templateVersions[tvp.TemplateVersionID]; !ok {
+			continue
+		}
+
+		if _, ok := tvps[tvp.Name]; !ok && !tvp.Ephemeral {
+			tvps[tvp.Name] = struct{}{}
+		}
+	}
+
+	userWorkspaceBuildParameters := make(map[string]database.GetUserWorkspaceBuildParametersRow)
 	for _, wbp := range q.workspaceBuildParameters {
-		userWorkspaceBuildParameters = append(userWorkspaceBuildParameters, database.GetUserWorkspaceBuildParametersRow{
+		if _, ok := userWorkspaceBuilds[wbp.WorkspaceBuildID]; !ok {
+			continue
+		}
+		if _, ok := tvps[wbp.Name]; !ok {
+			continue
+		}
+		userWorkspaceBuildParameters[wbp.Name] = database.GetUserWorkspaceBuildParametersRow{
 			Name:  wbp.Name,
 			Value: wbp.Value,
-		})
+		}
 	}
 
-	return userWorkspaceBuildParameters, nil
+	return maps.Values(userWorkspaceBuildParameters), nil
 }
 
 func (q *FakeQuerier) GetUsers(_ context.Context, params database.GetUsersParams) ([]database.GetUsersRow, error) {
diff --git a/coderd/database/modelmethods.go b/coderd/database/modelmethods.go
@@ -255,6 +255,10 @@ func (u User) UserDataRBACObject() rbac.Object {
 	return rbac.ResourceUserData.WithID(u.ID).WithOwner(u.ID.String())
 }
 
+func (u User) UserWorkspaceBuildParametersObject() rbac.Object {
+	return rbac.ResourceUserWorkspaceBuildParameters.WithID(u.ID).WithOwner(u.ID.String())
+}
+
 func (u GetUsersRow) RBACObject() rbac.Object {
 	return rbac.ResourceUserObject(u.ID)
 }
diff --git a/coderd/database/queries/workspacebuildparameters.sql b/coderd/database/queries/workspacebuildparameters.sql
@@ -38,6 +38,7 @@ FROM (
         AND wb.transition = 'start'
         AND w.template_id = $2
         AND tvp.ephemeral = false
+        AND tvp.name = wbp.name
 ) sub
 WHERE
     sub.rn = 1
diff --git a/coderd/rbac/object.go b/coderd/rbac/object.go
@@ -148,6 +148,12 @@ var (
 		Type: "user_data",
 	}
 
+	// ResourceUserWorkspaceBuildParameters is the user's workspace build
+	// parameter history.
+	ResourceUserWorkspaceBuildParameters = Object{
+		Type: "user_workspace_build_parameters",
+	}
+
 	// ResourceOrganizationMember is a user's membership in an organization.
 	// Has ONLY an organization owner.
 	//	create/delete  = Create/delete member from org.
diff --git a/coderd/rbac/object_gen.go b/coderd/rbac/object_gen.go
diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go
@@ -154,7 +154,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 			Permissions(map[string][]Action{
 				// Users cannot do create/update/delete on themselves, but they
 				// can read their own details.
-				ResourceUser.Type: {ActionRead},
+				ResourceUser.Type:                         {ActionRead},
+				ResourceUserWorkspaceBuildParameters.Type: {ActionRead},
 				// Users can create provisioner daemons scoped to themselves.
 				ResourceProvisionerDaemon.Type: {ActionCreate, ActionRead, ActionUpdate},
 			})...,
@@ -209,9 +210,10 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 		Name:        userAdmin,
 		DisplayName: "User Admin",
 		Site: Permissions(map[string][]Action{
-			ResourceRoleAssignment.Type: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
-			ResourceUser.Type:           {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
-			ResourceUserData.Type:       {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
+			ResourceRoleAssignment.Type:               {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
+			ResourceUser.Type:                         {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
+			ResourceUserData.Type:                     {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
+			ResourceUserWorkspaceBuildParameters.Type: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
 			// Full perms to manage org members
 			ResourceOrganizationMember.Type: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
 			ResourceGroup.Type:              {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
diff --git a/coderd/users.go b/coderd/users.go
@@ -581,30 +581,15 @@ func (api *API) userByName(rw http.ResponseWriter, r *http.Request) {
 // @Success 200 {array} codersdk.UserParameter
 // @Router /users/{user}/autofill-parameters [get]
 func (api *API) userAutofillParameters(rw http.ResponseWriter, r *http.Request) {
-	var (
-		apiKey = httpmw.APIKey(r)
-		user   = httpmw.UserParam(r)
-	)
-
-	if apiKey.UserID != user.ID {
-		httpapi.Write(r.Context(), rw, http.StatusForbidden, codersdk.Response{
-			Message: "You are not authorized to view this user's parameters.",
-		})
-		return
-	}
-
-	templateIDStr := r.URL.Query().Get("template_id")
-	if templateIDStr == "" {
-		httpapi.Write(r.Context(), rw, http.StatusBadRequest, codersdk.Response{
-			Message: "template_id is required.",
-		})
-		return
-	}
+	user := httpmw.UserParam(r)
 
-	templateID, err := uuid.Parse(templateIDStr)
-	if err != nil {
+	p := httpapi.NewQueryParamParser().Required("template_id")
+	templateID := p.UUID(r.URL.Query(), uuid.UUID{}, "template_id")
+	p.ErrorExcessParams(r.URL.Query())
+	if len(p.Errors) > 0 {
 		httpapi.Write(r.Context(), rw, http.StatusBadRequest, codersdk.Response{
-			Message: "template_id must be a valid UUID.",
+			Message:     "Invalid query parameters.",
+			Validations: p.Errors,
 		})
 		return
 	}
@@ -616,7 +601,7 @@ func (api *API) userAutofillParameters(rw http.ResponseWriter, r *http.Request)
 			TemplateID: templateID,
 		},
 	)
-	if err != nil {
+	if err != nil && !errors.Is(err, sql.ErrNoRows) {
 		httpapi.Write(r.Context(), rw, http.StatusInternalServerError, codersdk.Response{
 			Message: "Internal error fetching user's parameters.",
 			Detail:  err.Error(),
diff --git a/coderd/users_test.go b/coderd/users_test.go
@@ -1726,11 +1726,11 @@ func TestUserAutofillParameters(t *testing.T) {
 	t.Parallel()
 	t.Run("NotSelf", func(t *testing.T) {
 		t.Parallel()
-		client, _, api := coderdtest.NewWithAPI(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		client1, _, api := coderdtest.NewWithAPI(t, &coderdtest.Options{})
 
-		u1 := coderdtest.CreateFirstUser(t, client)
+		u1 := coderdtest.CreateFirstUser(t, client1)
 
-		_, u2 := coderdtest.CreateAnotherUser(t, client, u1.OrganizationID)
+		client2, u2 := coderdtest.CreateAnotherUser(t, client1, u1.OrganizationID)
 
 		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
 		defer cancel()
@@ -1745,25 +1745,32 @@ func TestUserAutofillParameters(t *testing.T) {
 			Required: true,
 		}).Do()
 
-		_, err := client.UserAutofillParameters(
+		_, err := client2.UserAutofillParameters(
 			ctx,
-			u2.ID.String(),
-			version.Template.ID.String(),
+			u1.UserID.String(),
+			version.Template.ID,
 		)
 
 		var apiErr *codersdk.Error
 		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusForbidden, apiErr.StatusCode())
+		require.Equal(t, http.StatusBadRequest, apiErr.StatusCode())
+
+		// u1 should be able to read u2's parameters as u1 is site admin.
+		_, err = client1.UserAutofillParameters(
+			ctx,
+			u2.ID.String(),
+			version.Template.ID,
+		)
+		require.NoError(t, err)
 	})
 
 	t.Run("FindsParameters", func(t *testing.T) {
 		t.Parallel()
-		client, _, api := coderdtest.NewWithAPI(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		client1, _, api := coderdtest.NewWithAPI(t, &coderdtest.Options{})
 
-		u1 := coderdtest.CreateFirstUser(t, client)
+		u1 := coderdtest.CreateFirstUser(t, client1)
 
-		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
-		defer cancel()
+		client2, u2 := coderdtest.CreateAnotherUser(t, client1, u1.OrganizationID)
 
 		db := api.Database
 
@@ -1773,29 +1780,66 @@ func TestUserAutofillParameters(t *testing.T) {
 		}).Params(database.TemplateVersionParameter{
 			Name:     "param",
 			Required: true,
-		}).Do()
+		},
+			database.TemplateVersionParameter{
+				Name:      "param2",
+				Ephemeral: true,
+			},
+		).Do()
+
+		dbfake.WorkspaceBuild(t, db, database.Workspace{
+			OwnerID:    u2.ID,
+			TemplateID: version.Template.ID,
+		}).Params(
+			database.WorkspaceBuildParameter{
+				Name:  "param",
+				Value: "foo",
+			},
+			database.WorkspaceBuildParameter{
+				Name:  "param2",
+				Value: "bar",
+			},
+		).Do()
 
-		coderdtest.CreateWorkspace(t, client, u1.OrganizationID, version.Template.ID,
-			func(cwr *codersdk.CreateWorkspaceRequest) {
-				cwr.RichParameterValues = []codersdk.WorkspaceBuildParameter{
-					{
-						Name:  "param",
-						Value: "foo",
-					},
-				}
-			})
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
 
-		params, err := client.UserAutofillParameters(
+		// Use client2 since client1 is site admin, so
+		// we don't get good coverage on RBAC working.
+		params, err := client2.UserAutofillParameters(
 			ctx,
-			u1.UserID.String(),
-			version.Template.ID.String(),
+			u2.ID.String(),
+			version.Template.ID,
 		)
 		require.NoError(t, err)
 
 		require.Equal(t, 1, len(params))
 
 		require.Equal(t, "param", params[0].Name)
 		require.Equal(t, "foo", params[0].Value)
+
+		// Verify that latest parameter value is returned.
+		dbfake.WorkspaceBuild(t, db, database.Workspace{
+			OwnerID:    u2.ID,
+			TemplateID: version.Template.ID,
+		}).Params(
+			database.WorkspaceBuildParameter{
+				Name:  "param",
+				Value: "foo_new",
+			},
+		).Do()
+
+		params, err = client2.UserAutofillParameters(
+			ctx,
+			u2.ID.String(),
+			version.Template.ID,
+		)
+		require.NoError(t, err)
+
+		require.Equal(t, 1, len(params))
+
+		require.Equal(t, "param", params[0].Name)
+		require.Equal(t, "foo_new", params[0].Value)
 	})
 }
 
diff --git a/codersdk/rbacresources.go b/codersdk/rbacresources.go
@@ -3,29 +3,30 @@ package codersdk
 type RBACResource string
 
 const (
-	ResourceWorkspace                   RBACResource = "workspace"
-	ResourceWorkspaceProxy              RBACResource = "workspace_proxy"
-	ResourceWorkspaceExecution          RBACResource = "workspace_execution"
-	ResourceWorkspaceApplicationConnect RBACResource = "application_connect"
-	ResourceAuditLog                    RBACResource = "audit_log"
-	ResourceTemplate                    RBACResource = "template"
-	ResourceGroup                       RBACResource = "group"
-	ResourceFile                        RBACResource = "file"
-	ResourceProvisionerDaemon           RBACResource = "provisioner_daemon"
-	ResourceOrganization                RBACResource = "organization"
-	ResourceRoleAssignment              RBACResource = "assign_role"
-	ResourceOrgRoleAssignment           RBACResource = "assign_org_role"
-	ResourceAPIKey                      RBACResource = "api_key"
-	ResourceUser                        RBACResource = "user"
-	ResourceUserData                    RBACResource = "user_data"
-	ResourceOrganizationMember          RBACResource = "organization_member"
-	ResourceLicense                     RBACResource = "license"
-	ResourceDeploymentValues            RBACResource = "deployment_config"
-	ResourceDeploymentStats             RBACResource = "deployment_stats"
-	ResourceReplicas                    RBACResource = "replicas"
-	ResourceDebugInfo                   RBACResource = "debug_info"
-	ResourceSystem                      RBACResource = "system"
-	ResourceTemplateInsights            RBACResource = "template_insights"
+	ResourceWorkspace                    RBACResource = "workspace"
+	ResourceWorkspaceProxy               RBACResource = "workspace_proxy"
+	ResourceWorkspaceExecution           RBACResource = "workspace_execution"
+	ResourceWorkspaceApplicationConnect  RBACResource = "application_connect"
+	ResourceAuditLog                     RBACResource = "audit_log"
+	ResourceTemplate                     RBACResource = "template"
+	ResourceGroup                        RBACResource = "group"
+	ResourceFile                         RBACResource = "file"
+	ResourceProvisionerDaemon            RBACResource = "provisioner_daemon"
+	ResourceOrganization                 RBACResource = "organization"
+	ResourceRoleAssignment               RBACResource = "assign_role"
+	ResourceOrgRoleAssignment            RBACResource = "assign_org_role"
+	ResourceAPIKey                       RBACResource = "api_key"
+	ResourceUser                         RBACResource = "user"
+	ResourceUserData                     RBACResource = "user_data"
+	ResourceUserWorkspaceBuildParameters RBACResource = "user_workspace_build_parameters"
+	ResourceOrganizationMember           RBACResource = "organization_member"
+	ResourceLicense                      RBACResource = "license"
+	ResourceDeploymentValues             RBACResource = "deployment_config"
+	ResourceDeploymentStats              RBACResource = "deployment_stats"
+	ResourceReplicas                     RBACResource = "replicas"
+	ResourceDebugInfo                    RBACResource = "debug_info"
+	ResourceSystem                       RBACResource = "system"
+	ResourceTemplateInsights             RBACResource = "template_insights"
 )
 
 const (
@@ -52,6 +53,7 @@ var (
 		ResourceAPIKey,
 		ResourceUser,
 		ResourceUserData,
+		ResourceUserWorkspaceBuildParameters,
 		ResourceOrganizationMember,
 		ResourceLicense,
 		ResourceDeploymentValues,
diff --git a/codersdk/users.go b/codersdk/users.go
@@ -227,7 +227,7 @@ type UserParameter struct {
 }
 
 // UserAutofillParameters returns all recently used parameters for the given user.
-func (c *Client) UserAutofillParameters(ctx context.Context, user string, templateID string) ([]UserParameter, error) {
+func (c *Client) UserAutofillParameters(ctx context.Context, user string, templateID uuid.UUID) ([]UserParameter, error) {
 	res, err := c.Request(ctx, http.MethodGet, fmt.Sprintf("/api/v2/users/%s/autofill-parameters?template_id=%s", user, templateID), nil)
 	if err != nil {
 		return nil, err
diff --git a/site/src/components/RichParameterInput/RichParameterInput.tsx b/site/src/components/RichParameterInput/RichParameterInput.tsx
diff --git a/site/src/pages/CreateWorkspacePage/CreateWorkspacePage.tsx b/site/src/pages/CreateWorkspacePage/CreateWorkspacePage.tsx

Original file line number	Diff line number	Diff line change
`@@ -1759,9 +1759,7 @@ func (q *querier) GetUserWorkspaceBuildParameters(ctx context.Context, params da`
`1759`	`1759`	`if err != nil {`
`1760`	`1760`	`return nil, err`
`1761`	`1761`	`}`
`1762`		`- // The ability to update the user implies either the user themselves or someone`
`1763`		`- // with complete admin access to the user account.`
`1764`		`- if err := q.authorizeContext(ctx, rbac.ActionUpdate, u.UserDataRBACObject()); err != nil {`
	`1762`	`+ if err := q.authorizeContext(ctx, rbac.ActionRead, u.UserWorkspaceBuildParametersObject()); err != nil {`
`1765`	`1763`	`return nil, err`
`1766`	`1764`	`}`
`1767`	`1765`	`return q.db.GetUserWorkspaceBuildParameters(ctx, params)`
Original file line number	Diff line number	Diff line change
`@@ -255,6 +255,10 @@ func (u User) UserDataRBACObject() rbac.Object {`
`255`	`255`	`return rbac.ResourceUserData.WithID(u.ID).WithOwner(u.ID.String())`
`256`	`256`	`}`
`257`	`257`
	`258`	`+func (u User) UserWorkspaceBuildParametersObject() rbac.Object {`
	`259`	`+ return rbac.ResourceUserWorkspaceBuildParameters.WithID(u.ID).WithOwner(u.ID.String())`
	`260`	`+}`
	`261`	`+`
`258`	`262`	`func (u GetUsersRow) RBACObject() rbac.Object {`
`259`	`263`	`return rbac.ResourceUserObject(u.ID)`
`260`	`264`	`}`
Original file line number	Diff line number	Diff line change
`@@ -227,7 +227,7 @@ type UserParameter struct {`
`227`	`227`	`}`
`228`	`228`
`229`	`229`	`// UserAutofillParameters returns all recently used parameters for the given user.`
`230`		`-func (c *Client) UserAutofillParameters(ctx context.Context, user string, templateID string) ([]UserParameter, error) {`
	`230`	`+func (c *Client) UserAutofillParameters(ctx context.Context, user string, templateID uuid.UUID) ([]UserParameter, error) {`
`231`	`231`	`res, err := c.Request(ctx, http.MethodGet, fmt.Sprintf("/api/v2/users/%s/autofill-parameters?template_id=%s", user, templateID), nil)`
`232`	`232`	`if err != nil {`
`233`	`233`	`return nil, err`