coder
diff --git a/‎coderd/audit.go
+2 b/‎coderd/audit.go
+2
diff --git a/‎coderd/authorize.go
+80-11 b/‎coderd/authorize.go
+80-11
diff --git a/‎coderd/authorize_test.go
+34-17 b/‎coderd/authorize_test.go
+34-17
diff --git a/‎coderd/coderd.go
+1 b/‎coderd/coderd.go
+1
diff --git a/‎coderd/coderdtest/authorize.go
+9-5 b/‎coderd/coderdtest/authorize.go
+9-5
diff --git a/‎coderd/coderdtest/coderdtest.go
+3-24 b/‎coderd/coderdtest/coderdtest.go
+3-24
@@ -265,6 +265,7 @@ func auditSearchQuery(query string) (database.GetAuditLogsOffsetParams, []coders
 		Username:     parser.String(searchParams, "", "username"),
 		Email:        parser.String(searchParams, "", "email"),
 	}
+
 	return filter, parser.Errors
 }
 
@@ -296,6 +297,7 @@ func actionFromString(actionString string) string {
 		return actionString
 	case codersdk.AuditActionDelete:
 		return actionString
+	default:
 	}
 	return ""
 }
@@ -4,6 +4,8 @@ import (
 	"fmt"
 	"net/http"
 
+	"github.com/google/uuid"
+
 	"golang.org/x/xerrors"
 
 	"cdr.dev/slog"
@@ -18,7 +20,7 @@ import (
 // This is faster than calling Authorize() on each object.
 func AuthorizeFilter[O rbac.Objecter](h *HTTPAuthorizer, r *http.Request, action rbac.Action, objects []O) ([]O, error) {
 	roles := httpmw.UserAuthorization(r)
-	objects, err := rbac.Filter(r.Context(), h.Authorizer, roles.ID.String(), roles.Roles, roles.Scope.ToRBAC(), action, objects)
+	objects, err := rbac.Filter(r.Context(), h.Authorizer, roles.ID.String(), roles.Roles, roles.Scope.ToRBAC(), roles.Groups, action, objects)
 	if err != nil {
 		// Log the error as Filter should not be erroring.
 		h.Logger.Error(r.Context(), "filter failed",
@@ -63,7 +65,7 @@ func (api *API) Authorize(r *http.Request, action rbac.Action, object rbac.Objec
 //	}
 func (h *HTTPAuthorizer) Authorize(r *http.Request, action rbac.Action, object rbac.Objecter) bool {
 	roles := httpmw.UserAuthorization(r)
-	err := h.Authorizer.ByRoleName(r.Context(), roles.ID.String(), roles.Roles, roles.Scope.ToRBAC(), action, object.RBACObject())
+	err := h.Authorizer.ByRoleName(r.Context(), roles.ID.String(), roles.Roles, roles.Scope.ToRBAC(), roles.Groups, action, object.RBACObject())
 	if err != nil {
 		// Log the errors for debugging
 		internalError := new(rbac.UnauthorizedError)
@@ -95,7 +97,7 @@ func (h *HTTPAuthorizer) Authorize(r *http.Request, action rbac.Action, object r
 // Note the authorization is only for the given action and object type.
 func (h *HTTPAuthorizer) AuthorizeSQLFilter(r *http.Request, action rbac.Action, objectType string) (rbac.AuthorizeFilter, error) {
 	roles := httpmw.UserAuthorization(r)
-	prepared, err := h.Authorizer.PrepareByRoleName(r.Context(), roles.ID.String(), roles.Roles, roles.Scope.ToRBAC(), action, objectType)
+	prepared, err := h.Authorizer.PrepareByRoleName(r.Context(), roles.ID.String(), roles.Roles, roles.Scope.ToRBAC(), roles.Groups, action, objectType)
 	if err != nil {
 		return nil, xerrors.Errorf("prepare filter: %w", err)
 	}
@@ -127,6 +129,28 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) {
 	)
 
 	response := make(codersdk.AuthorizationResponse)
+	// Prevent using too many resources by ID. This prevents database abuse
+	// from this endpoint. This also prevents misuse of this endpoint, as
+	// resource_id should be used for single objects, not for a list of them.
+	var (
+		idFetch  int
+		maxFetch = 10
+	)
+	for _, v := range params.Checks {
+		if v.Object.ResourceID != "" {
+			idFetch++
+		}
+	}
+	if idFetch > maxFetch {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: fmt.Sprintf(
+				"Endpoint only supports using \"resource_id\" field %d times, found %d usages. Remove %d objects with this field set.",
+				maxFetch, idFetch, idFetch-maxFetch,
+			),
+		})
+		return
+	}
+
 	for k, v := range params.Checks {
 		if v.Object.ResourceType == "" {
 			httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
@@ -135,15 +159,60 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) {
 			return
 		}
 
-		if v.Object.OwnerID == "me" {
-			v.Object.OwnerID = auth.ID.String()
+		obj := rbac.Object{
+			Owner: v.Object.OwnerID,
+			OrgID: v.Object.OrganizationID,
+			Type:  v.Object.ResourceType,
 		}
-		err := api.Authorizer.ByRoleName(r.Context(), auth.ID.String(), auth.Roles, auth.Scope.ToRBAC(), rbac.Action(v.Action),
-			rbac.Object{
-				Owner: v.Object.OwnerID,
-				OrgID: v.Object.OrganizationID,
-				Type:  v.Object.ResourceType,
-			})
+		if obj.Owner == "me" {
+			obj.Owner = auth.ID.String()
+		}
+
+		// If a resource ID is specified, fetch that specific resource.
+		if v.Object.ResourceID != "" {
+			id, err := uuid.Parse(v.Object.ResourceID)
+			if err != nil {
+				httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+					Message:     fmt.Sprintf("Object %q id is not a valid uuid.", v.Object.ResourceID),
+					Validations: []codersdk.ValidationError{{Field: "resource_id", Detail: err.Error()}},
+				})
+				return
+			}
+
+			var dbObj rbac.Objecter
+			var dbErr error
+			// Only support referencing some resources by ID.
+			switch v.Object.ResourceType {
+			case rbac.ResourceWorkspaceExecution.Type:
+				wrkSpace, err := api.Database.GetWorkspaceByID(ctx, id)
+				if err == nil {
+					dbObj = wrkSpace.ExecutionRBAC()
+				}
+				dbErr = err
+			case rbac.ResourceWorkspace.Type:
+				dbObj, dbErr = api.Database.GetWorkspaceByID(ctx, id)
+			case rbac.ResourceTemplate.Type:
+				dbObj, dbErr = api.Database.GetTemplateByID(ctx, id)
+			case rbac.ResourceUser.Type:
+				dbObj, dbErr = api.Database.GetUserByID(ctx, id)
+			case rbac.ResourceGroup.Type:
+				dbObj, dbErr = api.Database.GetGroupByID(ctx, id)
+			default:
+				httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+					Message:     fmt.Sprintf("Object type %q does not support \"resource_id\" field.", v.Object.ResourceType),
+					Validations: []codersdk.ValidationError{{Field: "resource_type", Detail: err.Error()}},
+				})
+				return
+			}
+			if dbErr != nil {
+				// 404 or unauthorized is false
+				response[k] = false
+				continue
+			}
+			obj = dbObj.RBACObject()
+		}
+
+		err := api.Authorizer.ByRoleName(r.Context(), auth.ID.String(), auth.Roles, auth.Scope.ToRBAC(), auth.Groups, rbac.Action(v.Action), obj)
 		response[k] = err == nil
 	}
 
 
@@ -19,7 +19,9 @@ func TestCheckPermissions(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
 	t.Cleanup(cancel)
 
-	adminClient := coderdtest.New(t, nil)
+	adminClient := coderdtest.New(t, &coderdtest.Options{
+		IncludeProvisionerDaemon: true,
+	})
 	// Create adminClient, member, and org adminClient
 	adminUser := coderdtest.CreateFirstUser(t, adminClient)
 	memberClient := coderdtest.CreateAnotherUser(t, adminClient, adminUser.OrganizationID)
@@ -29,12 +31,17 @@ func TestCheckPermissions(t *testing.T) {
 	orgAdminUser, err := orgAdminClient.User(ctx, codersdk.Me)
 	require.NoError(t, err)
 
+	version := coderdtest.CreateTemplateVersion(t, adminClient, adminUser.OrganizationID, nil)
+	coderdtest.AwaitTemplateVersionJob(t, adminClient, version.ID)
+	template := coderdtest.CreateTemplate(t, adminClient, adminUser.OrganizationID, version.ID)
+
 	// With admin, member, and org admin
 	const (
-		readAllUsers      = "read-all-users"
-		readOrgWorkspaces = "read-org-workspaces"
-		readMyself        = "read-myself"
-		readOwnWorkspaces = "read-own-workspaces"
+		readAllUsers           = "read-all-users"
+		readOrgWorkspaces      = "read-org-workspaces"
+		readMyself             = "read-myself"
+		readOwnWorkspaces      = "read-own-workspaces"
+		updateSpecificTemplate = "update-specific-template"
 	)
 	params := map[string]codersdk.AuthorizationCheck{
 		readAllUsers: {
@@ -64,6 +71,13 @@ func TestCheckPermissions(t *testing.T) {
 			},
 			Action: "read",
 		},
+		updateSpecificTemplate: {
+			Object: codersdk.AuthorizationObject{
+				ResourceType: rbac.ResourceTemplate.Type,
+				ResourceID:   template.ID.String(),
+			},
+			Action: "update",
+		},
 	}
 
 	testCases := []struct {
@@ -77,32 +91,35 @@ func TestCheckPermissions(t *testing.T) {
 			Client: adminClient,
 			UserID: adminUser.UserID,
 			Check: map[string]bool{
-				readAllUsers:      true,
-				readMyself:        true,
-				readOwnWorkspaces: true,
-				readOrgWorkspaces: true,
+				readAllUsers:           true,
+				readMyself:             true,
+				readOwnWorkspaces:      true,
+				readOrgWorkspaces:      true,
+				updateSpecificTemplate: true,
 			},
 		},
 		{
 			Name:   "OrgAdmin",
 			Client: orgAdminClient,
 			UserID: orgAdminUser.ID,
 			Check: map[string]bool{
-				readAllUsers:      false,
-				readMyself:        true,
-				readOwnWorkspaces: true,
-				readOrgWorkspaces: true,
+				readAllUsers:           false,
+				readMyself:             true,
+				readOwnWorkspaces:      true,
+				readOrgWorkspaces:      true,
+				updateSpecificTemplate: true,
 			},
 		},
 		{
 			Name:   "Member",
 			Client: memberClient,
 			UserID: memberUser.ID,
 			Check: map[string]bool{
-				readAllUsers:      false,
-				readMyself:        true,
-				readOwnWorkspaces: true,
-				readOrgWorkspaces: false,
+				readAllUsers:           false,
+				readMyself:             true,
+				readOwnWorkspaces:      true,
+				readOrgWorkspaces:      false,
+				updateSpecificTemplate: false,
 			},
 		},
 	}
 
@@ -283,6 +283,7 @@ func New(options *Options) *API {
 			r.Get("/{hash}", api.fileByHash)
 			r.Post("/", api.postFile)
 		})
+
 		r.Route("/provisionerdaemons", func(r chi.Router) {
 			r.Use(
 				apiKeyMiddleware,
 
@@ -499,6 +499,7 @@ func (a *AuthTester) Test(ctx context.Context, assertRoute map[string]RouteCheck
 type authCall struct {
 	SubjectID string
 	Roles     []string
+	Groups    []string
 	Scope     rbac.Scope
 	Action    rbac.Action
 	Object    rbac.Object
@@ -513,29 +514,31 @@ var _ rbac.Authorizer = (*RecordingAuthorizer)(nil)
 
 // ByRoleNameSQL does not record the call. This matches the postgres behavior
 // of not calling Authorize()
-func (r *RecordingAuthorizer) ByRoleNameSQL(_ context.Context, _ string, _ []string, _ rbac.Scope, _ rbac.Action, _ rbac.Object) error {
+func (r *RecordingAuthorizer) ByRoleNameSQL(_ context.Context, _ string, _ []string, _ rbac.Scope, _ []string, _ rbac.Action, _ rbac.Object) error {
 	return r.AlwaysReturn
 }
 
-func (r *RecordingAuthorizer) ByRoleName(_ context.Context, subjectID string, roleNames []string, scope rbac.Scope, action rbac.Action, object rbac.Object) error {
+func (r *RecordingAuthorizer) ByRoleName(_ context.Context, subjectID string, roleNames []string, scope rbac.Scope, groups []string, action rbac.Action, object rbac.Object) error {
 	r.Called = &authCall{
 		SubjectID: subjectID,
 		Roles:     roleNames,
+		Groups:    groups,
 		Scope:     scope,
 		Action:    action,
 		Object:    object,
 	}
 	return r.AlwaysReturn
 }
 
-func (r *RecordingAuthorizer) PrepareByRoleName(_ context.Context, subjectID string, roles []string, scope rbac.Scope, action rbac.Action, _ string) (rbac.PreparedAuthorized, error) {
+func (r *RecordingAuthorizer) PrepareByRoleName(_ context.Context, subjectID string, roles []string, scope rbac.Scope, groups []string, action rbac.Action, _ string) (rbac.PreparedAuthorized, error) {
 	return &fakePreparedAuthorizer{
 		Original:           r,
 		SubjectID:          subjectID,
 		Roles:              roles,
 		Scope:              scope,
 		Action:             action,
 		HardCodedSQLString: "true",
+		Groups:             groups,
 	}, nil
 }
 
@@ -549,12 +552,13 @@ type fakePreparedAuthorizer struct {
 	Roles               []string
 	Scope               rbac.Scope
 	Action              rbac.Action
+	Groups              []string
 	HardCodedSQLString  string
 	HardCodedRegoString string
 }
 
 func (f *fakePreparedAuthorizer) Authorize(ctx context.Context, object rbac.Object) error {
-	return f.Original.ByRoleName(ctx, f.SubjectID, f.Roles, f.Scope, f.Action, object)
+	return f.Original.ByRoleName(ctx, f.SubjectID, f.Roles, f.Scope, f.Groups, f.Action, object)
 }
 
 // Compile returns a compiled version of the authorizer that will work for
@@ -564,7 +568,7 @@ func (f *fakePreparedAuthorizer) Compile() (rbac.AuthorizeFilter, error) {
 }
 
 func (f *fakePreparedAuthorizer) Eval(object rbac.Object) bool {
-	return f.Original.ByRoleNameSQL(context.Background(), f.SubjectID, f.Roles, f.Scope, f.Action, object) == nil
+	return f.Original.ByRoleNameSQL(context.Background(), f.SubjectID, f.Roles, f.Scope, f.Groups, f.Action, object) == nil
 }
 
 func (f fakePreparedAuthorizer) RegoString() string {
 
@@ -9,7 +9,6 @@ import (
 	"crypto/sha256"
 	"crypto/x509"
 	"crypto/x509/pkix"
-	"database/sql"
 	"encoding/base64"
 	"encoding/json"
 	"encoding/pem"
@@ -21,7 +20,6 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"net/url"
-	"os"
 	"strconv"
 	"strings"
 	"testing"
@@ -49,8 +47,7 @@ import (
 	"github.com/coder/coder/coderd/autobuild/executor"
 	"github.com/coder/coder/coderd/awsidentity"
 	"github.com/coder/coder/coderd/database"
-	"github.com/coder/coder/coderd/database/databasefake"
-	"github.com/coder/coder/coderd/database/postgres"
+	"github.com/coder/coder/coderd/database/dbtestutil"
 	"github.com/coder/coder/coderd/gitsshkey"
 	"github.com/coder/coder/coderd/rbac"
 	"github.com/coder/coder/coderd/telemetry"
@@ -139,26 +136,7 @@ func NewOptions(t *testing.T, options *Options) (*httptest.Server, context.Cance
 		})
 	}
 
-	// This can be hotswapped for a live database instance.
-	db := databasefake.New()
-	pubsub := database.NewPubsubInMemory()
-	if os.Getenv("DB") != "" {
-		connectionURL, closePg, err := postgres.Open()
-		require.NoError(t, err)
-		t.Cleanup(closePg)
-		sqlDB, err := sql.Open("postgres", connectionURL)
-		require.NoError(t, err)
-		t.Cleanup(func() {
-			_ = sqlDB.Close()
-		})
-		db = database.New(sqlDB)
-
-		pubsub, err = database.NewPubsub(context.Background(), sqlDB, connectionURL)
-		require.NoError(t, err)
-		t.Cleanup(func() {
-			_ = pubsub.Close()
-		})
-	}
+	db, pubsub := dbtestutil.NewDB(t)
 
 	ctx, cancelFunc := context.WithCancel(context.Background())
 	lifecycleExecutor := executor.New(
@@ -399,6 +377,7 @@ func createAnotherUserRetry(t *testing.T, client *codersdk.Client, organizationI
 // with the responses provided. It uses the "echo" provisioner for compatibility
 // with testing.
 func CreateTemplateVersion(t *testing.T, client *codersdk.Client, organizationID uuid.UUID, res *echo.Responses) codersdk.TemplateVersion {
+	t.Helper()
 	data, err := echo.Tar(res)
 	require.NoError(t, err)
 	file, err := client.Upload(context.Background(), codersdk.ContentTypeTar, data)
Original file line number	Diff line number	Diff line change
`@@ -265,6 +265,7 @@ func auditSearchQuery(query string) (database.GetAuditLogsOffsetParams, []coders`
`265`	`265`	`Username: parser.String(searchParams, "", "username"),`
`266`	`266`	`Email: parser.String(searchParams, "", "email"),`
`267`	`267`	`}`
	`268`	`+`
`268`	`269`	`return filter, parser.Errors`
`269`	`270`	`}`
`270`	`271`
`@@ -296,6 +297,7 @@ func actionFromString(actionString string) string {`
`296`	`297`	`return actionString`
`297`	`298`	`case codersdk.AuditActionDelete:`
`298`	`299`	`return actionString`
	`300`	`+ default:`
`299`	`301`	`}`
`300`	`302`	`return ""`
`301`	`303`	`}`