
Commit 30338b4

committed
Protect workspace execution
1 parent 6309ab8 commit 30338b4


4 files changed

+15
-6
lines changed


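--- a/coderd/database/modelmethods.go
+++ b/coderd/database/modelmethods.go
@@ -17,6 +17,10 @@ func (w Workspace) RBACObject() rbac.Object {
 return rbac.ResourceWorkspace.InOrg(w.OrganizationID).WithOwner(w.OwnerID.String())
 }
 
+func (w Workspace) ExecutionRBAC() rbac.Object {
+return rbac.ResourceWorkspaceExecution.InOrg(w.OrganizationID).WithOwner(w.OwnerID.String())
+}
+
 func (m OrganizationMember) RBACObject() rbac.Object {
 return rbac.ResourceOrganizationMember.InOrg(m.OrganizationID)
 }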
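Review bot: The new exported method `ExecutionRBAC` has no doc comment, and since it is the single point that decides which RBAC object gates agent dial, PTY, TURN, wireguard-peer and app-proxy access, a reader should not have to grep the handlers to learn that. I would add, directly above it, `// ExecutionRBAC returns the RBAC object that guards executing code in or proxying traffic into the workspace (workspace_execution), scoped to the same org and owner as RBACObject.` The distinction from `RBACObject` (same org/owner, different resource type) is the important part, because a caller that picks the wrong one silently grants or denies the wrong permission.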

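--- a/coderd/roles_test.go
+++ b/coderd/roles_test.go
@@ -120,7 +120,7 @@ func TestListRoles(t *testing.T) {
 require.NoError(t, err, "create org")
 
 const forbidden = "Forbidden"
-siteRoles := convertRoles(rbac.RoleAdmin(), "auditor", "template-manager")
+siteRoles := convertRoles(rbac.RoleAdmin(), "auditor", "template-admin", "user-admin")
 orgRoles := convertRoles(rbac.RoleOrgAdmin(admin.OrganizationID))
 
 testCases := []struct {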

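--- a/coderd/workspaceagents.go
+++ b/coderd/workspaceagents.go
@@ -70,7 +70,7 @@ func (api *API) workspaceAgentDial(rw http.ResponseWriter, r *http.Request) {
 
 workspaceAgent := httpmw.WorkspaceAgentParam(r)
 workspace := httpmw.WorkspaceParam(r)
-if !api.Authorize(r, rbac.ActionUpdate, workspace) {
+if !api.Authorize(r, rbac.ActionUpdate, workspace.ExecutionRBAC()) {
 httpapi.ResourceNotFound(rw)
 return
 }
@@ -304,6 +304,12 @@ func (api *API) workspaceAgentICEServers(rw http.ResponseWriter, _ *http.Request
 
 // workspaceAgentTurn proxies a WebSocket connection to the TURN server.
 func (api *API) workspaceAgentTurn(rw http.ResponseWriter, r *http.Request) {
+workspace := httpmw.WorkspaceParam(r)
+if !api.Authorize(r, rbac.ActionUpdate, workspace.ExecutionRBAC()) {
+httpapi.ResourceNotFound(rw)
+return
+}
+
 api.websocketWaitMutex.Lock()
 api.websocketWaitGroup.Add(1)
 api.websocketWaitMutex.Unlock()
@@ -364,7 +370,7 @@ func (api *API) workspaceAgentPTY(rw http.ResponseWriter, r *http.Request) {
 
 workspaceAgent := httpmw.WorkspaceAgentParam(r)
 workspace := httpmw.WorkspaceParam(r)
-if !api.Authorize(r, rbac.ActionUpdate, workspace) {
+if !api.Authorize(r, rbac.ActionUpdate, workspace.ExecutionRBAC()) {
 httpapi.ResourceNotFound(rw)
 return
 }
@@ -478,7 +484,7 @@ func (api *API) postWorkspaceAgentWireguardPeer(rw http.ResponseWriter, r *http.
 workspace = httpmw.WorkspaceParam(r)
 )
 
-if !api.Authorize(r, rbac.ActionUpdate, workspace) {
+if !api.Authorize(r, rbac.ActionUpdate, workspace.ExecutionRBAC()) {
 httpapi.ResourceNotFound(rw)
 return
 }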
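Review bot: The guard added at the top of workspaceAgentTurn (new lines 307-312) reads `httpmw.WorkspaceParam(r)`, which only yields the requested workspace if the TURN route is registered behind the same workspace-param middleware as the dial and PTY routes; the route wiring is not in this diff, so that should be confirmed before relying on the check. This handler had no authorization at all before this commit, so a test in which an authenticated user who does not own the workspace hits the TURN endpoint and receives the not-found response would pin the fix and keep it from regressing. A short comment on the new check, `// Authorize before any websocket bookkeeping: TURN relays traffic into the workspace, so it needs the same execution permission as dial and PTY.`, would explain why it sits ahead of the wait-group handling. The body of workspaceAgentTurn continues past the end of the hunk.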

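--- a/coderd/workspaceapps.go
+++ b/coderd/workspaceapps.go
@@ -44,8 +44,7 @@ func (api *API) workspaceAppsProxyPath(rw http.ResponseWriter, r *http.Request)
 return
 }
 
-if !api.Authorize(r, rbac.ActionCreate,
-rbac.ResourceWorkspaceExecution.InOrg(workspace.OrganizationID).WithOwner(workspace.OwnerID.String())) {
+if !api.Authorize(r, rbac.ActionCreate, workspace.ExecutionRBAC()) {
 httpapi.ResourceNotFound(rw)
 return
 }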
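Review bot: This check still authorizes `rbac.ActionCreate` on the execution object, while the dial, PTY, TURN and wireguard-peer handlers in coderd/workspaceagents.go in the same commit authorize `rbac.ActionUpdate` on the identical `workspace.ExecutionRBAC()` object; a role granted only one of the two actions on workspace_execution could proxy apps but not open a terminal, or the reverse, which is an easy way to end up with an unintended gap in either direction. If both paths are meant to require the same permission, change this line to `if !api.Authorize(r, rbac.ActionUpdate, workspace.ExecutionRBAC()) {` (or move the agent handlers to ActionCreate) so role definitions only have to grant one action. If the split is deliberate, a comment here saying that app proxying and agent access are intentionally separate permissions on workspace_execution would stop the next reader from "fixing" it. The enclosing workspaceAppsProxyPath starts and ends outside the hunk.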
