coder
diff --git a/‎coderd/coderdtest/coderdtest.go
Lines changed: 1 addition & 1 deletion b/‎coderd/coderdtest/coderdtest.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 19 additions & 14 deletions b/‎coderd/database/dbauthz/dbauthz.go
Lines changed: 19 additions & 14 deletions
diff --git a/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 18 additions & 7 deletions b/‎coderd/database/dbauthz/dbauthz_test.go
Lines changed: 18 additions & 7 deletions
diff --git a/‎coderd/rbac/authz.go
Lines changed: 17 additions & 0 deletions b/‎coderd/rbac/authz.go
Lines changed: 17 additions & 0 deletions
diff --git a/‎coderd/rbac/authz_test.go
Lines changed: 3 additions & 3 deletions b/‎coderd/rbac/authz_test.go
Lines changed: 3 additions & 3 deletions
diff --git a/‎coderd/rbac/input.json
Lines changed: 111 additions & 36 deletions b/‎coderd/rbac/input.json
Lines changed: 111 additions & 36 deletions
@@ -221,7 +221,7 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 	}
 
 	if options.Authorizer == nil {
-		defAuth := rbac.NewCachingAuthorizer(prometheus.NewRegistry())
+		defAuth := rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry())
 		if _, ok := t.(*testing.T); ok {
 			options.Authorizer = &RecordingAuthorizer{
 				Wrapped: defAuth,
 
@@ -168,9 +168,10 @@ var (
 					rbac.ResourceSystem.Type:   {policy.WildcardSymbol},
 					rbac.ResourceTemplate.Type: {policy.ActionRead, policy.ActionUpdate},
 					// Unsure why provisionerd needs update and read personal
-					rbac.ResourceUser.Type:      {policy.ActionRead, policy.ActionReadPersonal, policy.ActionUpdatePersonal},
-					rbac.ResourceWorkspace.Type: {policy.ActionRead, policy.ActionUpdate, policy.ActionDelete, policy.ActionWorkspaceBuild},
-					rbac.ResourceApiKey.Type:    {policy.WildcardSymbol},
+					rbac.ResourceUser.Type:             {policy.ActionRead, policy.ActionReadPersonal, policy.ActionUpdatePersonal},
+					rbac.ResourceWorkspaceDormant.Type: {policy.ActionDelete, policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceStop},
+					rbac.ResourceWorkspace.Type:        {policy.ActionDelete, policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceStart, policy.ActionWorkspaceStop},
+					rbac.ResourceApiKey.Type:           {policy.WildcardSymbol},
 					// When org scoped provisioner credentials are implemented,
 					// this can be reduced to read a specific org.
 					rbac.ResourceOrganization.Type: {policy.ActionRead},
@@ -191,10 +192,11 @@ var (
 				Name:        "autostart",
 				DisplayName: "Autostart Daemon",
 				Site: rbac.Permissions(map[string][]policy.Action{
-					rbac.ResourceSystem.Type:    {policy.WildcardSymbol},
-					rbac.ResourceTemplate.Type:  {policy.ActionRead, policy.ActionUpdate},
-					rbac.ResourceWorkspace.Type: {policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceBuild},
-					rbac.ResourceUser.Type:      {policy.ActionRead},
+					rbac.ResourceSystem.Type:           {policy.WildcardSymbol},
+					rbac.ResourceTemplate.Type:         {policy.ActionRead, policy.ActionUpdate},
+					rbac.ResourceWorkspaceDormant.Type: {policy.ActionDelete, policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceStop},
+					rbac.ResourceWorkspace.Type:        {policy.ActionDelete, policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceStart, policy.ActionWorkspaceStop},
+					rbac.ResourceUser.Type:             {policy.ActionRead},
 				}),
 				Org:  map[string][]rbac.Permission{},
 				User: []rbac.Permission{},
@@ -232,7 +234,7 @@ var (
 				DisplayName: "Coder",
 				Site: rbac.Permissions(map[string][]policy.Action{
 					rbac.ResourceWildcard.Type:           {policy.ActionRead},
-					rbac.ResourceApiKey.Type:             {policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
+					rbac.ResourceApiKey.Type:             rbac.ResourceApiKey.AvailableActions(),
 					rbac.ResourceGroup.Type:              {policy.ActionCreate, policy.ActionUpdate},
 					rbac.ResourceAssignRole.Type:         rbac.ResourceAssignRole.AvailableActions(),
 					rbac.ResourceSystem.Type:             {policy.WildcardSymbol},
@@ -241,7 +243,8 @@ var (
 					rbac.ResourceAssignOrgRole.Type:      {policy.ActionRead, policy.ActionCreate, policy.ActionDelete},
 					rbac.ResourceProvisionerDaemon.Type:  {policy.ActionCreate, policy.ActionUpdate},
 					rbac.ResourceUser.Type:               rbac.ResourceUser.AvailableActions(),
-					rbac.ResourceWorkspace.Type:          {policy.ActionUpdate, policy.ActionDelete, policy.ActionWorkspaceBuild, policy.ActionSSH},
+					rbac.ResourceWorkspaceDormant.Type:   {policy.ActionUpdate, policy.ActionDelete, policy.ActionWorkspaceStop},
+					rbac.ResourceWorkspace.Type:          {policy.ActionUpdate, policy.ActionDelete, policy.ActionWorkspaceStart, policy.ActionWorkspaceStop, policy.ActionSSH},
 					rbac.ResourceWorkspaceProxy.Type:     {policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
 				}),
 				Org:  map[string][]rbac.Permission{},
@@ -2531,9 +2534,11 @@ func (q *querier) InsertWorkspaceBuild(ctx context.Context, arg database.InsertW
 		return xerrors.Errorf("get workspace by id: %w", err)
 	}
 
-	var action policy.Action = policy.ActionWorkspaceBuild
+	var action policy.Action = policy.ActionWorkspaceStart
 	if arg.Transition == database.WorkspaceTransitionDelete {
 		action = policy.ActionDelete
+	} else if arg.Transition == database.WorkspaceTransitionStop {
+		action = policy.ActionWorkspaceStop
 	}
 
 	if err = q.authorizeContext(ctx, action, w); err != nil {
@@ -3280,7 +3285,7 @@ func (q *querier) UpsertAppSecurityKey(ctx context.Context, data string) error {
 }
 
 func (q *querier) UpsertApplicationName(ctx context.Context, value string) error {
-	if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceDeploymentConfig); err != nil {
+	if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceDeploymentConfig); err != nil {
 		return err
 	}
 	return q.db.UpsertApplicationName(ctx, value)
@@ -3294,7 +3299,7 @@ func (q *querier) UpsertDefaultProxy(ctx context.Context, arg database.UpsertDef
 }
 
 func (q *querier) UpsertHealthSettings(ctx context.Context, value string) error {
-	if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceDeploymentConfig); err != nil {
+	if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceDeploymentConfig); err != nil {
 		return err
 	}
 	return q.db.UpsertHealthSettings(ctx, value)
@@ -3329,14 +3334,14 @@ func (q *querier) UpsertLastUpdateCheck(ctx context.Context, value string) error
 }
 
 func (q *querier) UpsertLogoURL(ctx context.Context, value string) error {
-	if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceDeploymentConfig); err != nil {
+	if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceDeploymentConfig); err != nil {
 		return err
 	}
 	return q.db.UpsertLogoURL(ctx, value)
 }
 
 func (q *querier) UpsertNotificationBanners(ctx context.Context, value string) error {
-	if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceDeploymentConfig); err != nil {
+	if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceDeploymentConfig); err != nil {
 		return err
 	}
 	return q.db.UpsertNotificationBanners(ctx, value)
 
@@ -526,10 +526,10 @@ func (s *MethodTestSuite) TestLicense() {
 			Asserts(rbac.ResourceLicense, policy.ActionCreate)
 	}))
 	s.Run("UpsertLogoURL", s.Subtest(func(db database.Store, check *expects) {
-		check.Args("value").Asserts(rbac.ResourceDeploymentConfig, policy.ActionCreate)
+		check.Args("value").Asserts(rbac.ResourceDeploymentConfig, policy.ActionUpdate)
 	}))
 	s.Run("UpsertNotificationBanners", s.Subtest(func(db database.Store, check *expects) {
-		check.Args("value").Asserts(rbac.ResourceDeploymentConfig, policy.ActionCreate)
+		check.Args("value").Asserts(rbac.ResourceDeploymentConfig, policy.ActionUpdate)
 	}))
 	s.Run("GetLicenseByID", s.Subtest(func(db database.Store, check *expects) {
 		l, err := db.InsertLicense(context.Background(), database.InsertLicenseParams{
@@ -1432,7 +1432,18 @@ func (s *MethodTestSuite) TestWorkspace() {
 			WorkspaceID: w.ID,
 			Transition:  database.WorkspaceTransitionStart,
 			Reason:      database.BuildReasonInitiator,
-		}).Asserts(w, policy.ActionWorkspaceBuild)
+		}).Asserts(w, policy.ActionWorkspaceStart)
+	}))
+	s.Run("Stop/InsertWorkspaceBuild", s.Subtest(func(db database.Store, check *expects) {
+		t := dbgen.Template(s.T(), db, database.Template{})
+		w := dbgen.Workspace(s.T(), db, database.Workspace{
+			TemplateID: t.ID,
+		})
+		check.Args(database.InsertWorkspaceBuildParams{
+			WorkspaceID: w.ID,
+			Transition:  database.WorkspaceTransitionStop,
+			Reason:      database.BuildReasonInitiator,
+		}).Asserts(w, policy.ActionWorkspaceStop)
 	}))
 	s.Run("Start/RequireActiveVersion/VersionMismatch/InsertWorkspaceBuild", s.Subtest(func(db database.Store, check *expects) {
 		t := dbgen.Template(s.T(), db, database.Template{})
@@ -1454,7 +1465,7 @@ func (s *MethodTestSuite) TestWorkspace() {
 			Reason:            database.BuildReasonInitiator,
 			TemplateVersionID: v.ID,
 		}).Asserts(
-			w, policy.ActionWorkspaceBuild,
+			w, policy.ActionWorkspaceStart,
 			t, policy.ActionUpdate,
 		)
 	}))
@@ -1482,7 +1493,7 @@ func (s *MethodTestSuite) TestWorkspace() {
 			Reason:            database.BuildReasonInitiator,
 			TemplateVersionID: v.ID,
 		}).Asserts(
-			w, policy.ActionWorkspaceBuild,
+			w, policy.ActionWorkspaceStart,
 		)
 	}))
 	s.Run("Delete/InsertWorkspaceBuild", s.Subtest(func(db database.Store, check *expects) {
@@ -2206,13 +2217,13 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 		check.Args().Asserts()
 	}))
 	s.Run("UpsertApplicationName", s.Subtest(func(db database.Store, check *expects) {
-		check.Args("").Asserts(rbac.ResourceDeploymentConfig, policy.ActionCreate)
+		check.Args("").Asserts(rbac.ResourceDeploymentConfig, policy.ActionUpdate)
 	}))
 	s.Run("GetHealthSettings", s.Subtest(func(db database.Store, check *expects) {
 		check.Args().Asserts()
 	}))
 	s.Run("UpsertHealthSettings", s.Subtest(func(db database.Store, check *expects) {
-		check.Args("foo").Asserts(rbac.ResourceDeploymentConfig, policy.ActionCreate)
+		check.Args("foo").Asserts(rbac.ResourceDeploymentConfig, policy.ActionUpdate)
 	}))
 	s.Run("GetDeploymentWorkspaceAgentStats", s.Subtest(func(db database.Store, check *expects) {
 		check.Args(time.Time{}).Asserts()
 
@@ -214,6 +214,10 @@ type RegoAuthorizer struct {
 
 	authorizeHist *prometheus.HistogramVec
 	prepareHist   prometheus.Histogram
+
+	// strict checking also verifies the inputs to the authorizer. Making sure
+	// the action make sense for the input object.
+	strict bool
 }
 
 var _ Authorizer = (*RegoAuthorizer)(nil)
@@ -235,6 +239,13 @@ func NewCachingAuthorizer(registry prometheus.Registerer) Authorizer {
 	return Cacher(NewAuthorizer(registry))
 }
 
+// NewStrictCachingAuthorizer is mainly just for testing.
+func NewStrictCachingAuthorizer(registry prometheus.Registerer) Authorizer {
+	auth := NewAuthorizer(registry)
+	auth.strict = true
+	return Cacher(auth)
+}
+
 func NewAuthorizer(registry prometheus.Registerer) *RegoAuthorizer {
 	queryOnce.Do(func() {
 		var err error
@@ -321,6 +332,12 @@ type authSubject struct {
 // the object.
 // If an error is returned, the authorization is denied.
 func (a RegoAuthorizer) Authorize(ctx context.Context, subject Subject, action policy.Action, object Object) error {
+	if a.strict {
+		if err := object.ValidAction(action); err != nil {
+			return xerrors.Errorf("strict authz check: %w", err)
+		}
+	}
+
 	start := time.Now()
 	ctx, span := tracing.StartSpan(ctx,
 		trace.WithTimestamp(start), // Reuse the time.Now for metric and trace
 
@@ -160,7 +160,7 @@ func BenchmarkRBACAuthorize(b *testing.B) {
 
 	// There is no caching that occurs because a fresh context is used for each
 	// call. And the context needs 'WithCacheCtx' to work.
-	authorizer := rbac.NewCachingAuthorizer(prometheus.NewRegistry())
+	authorizer := rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry())
 	// This benchmarks all the simple cases using just user permissions. Groups
 	// are added as noise, but do not do anything.
 	for _, c := range benchCases {
@@ -187,7 +187,7 @@ func BenchmarkRBACAuthorizeGroups(b *testing.B) {
 		uuid.MustParse("0632b012-49e0-4d70-a5b3-f4398f1dcd52"),
 		uuid.MustParse("70dbaa7a-ea9c-4f68-a781-97b08af8461d"),
 	)
-	authorizer := rbac.NewCachingAuthorizer(prometheus.NewRegistry())
+	authorizer := rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry())
 
 	// Same benchmark cases, but this time groups will be used to match.
 	// Some '*' permissions will still match, but using a fake action reduces
@@ -239,7 +239,7 @@ func BenchmarkRBACFilter(b *testing.B) {
 		uuid.MustParse("70dbaa7a-ea9c-4f68-a781-97b08af8461d"),
 	)
 
-	authorizer := rbac.NewCachingAuthorizer(prometheus.NewRegistry())
+	authorizer := rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry())
 
 	for _, c := range benchCases {
 		b.Run("PrepareOnly-"+c.Name, func(b *testing.B) {
 
@@ -1,46 +1,121 @@
 {
-  "action": "never-match-action",
-  "object": {
-    "id": "9046b041-58ed-47a3-9c3a-de302577875a",
-    "owner": "00000000-0000-0000-0000-000000000000",
-    "org_owner": "bf7b72bd-a2b1-4ef2-962c-1d698e0483f6",
-    "type": "workspace",
-    "acl_user_list": {
-      "f041847d-711b-40da-a89a-ede39f70dc7f": ["create"]
-    },
-    "acl_group_list": {}
+  "action":"delete",
+  "object":{
+    "id":"bf9bba2a-dd6b-4a07-8500-1dac6ddc5171",
+    "owner":"36e3c780-2ae3-443b-ad3c-ceb410a55d12",
+    "org_owner":"19285bb2-022d-41c6-a7f2-8ace10825691",
+    "type":"workspace_dormant",
+    "acl_user_list":null,
+    "acl_group_list":null
   },
-  "subject": {
-    "id": "10d03e62-7703-4df5-a358-4f76577d4e2f",
-    "roles": [
+  "subject":{
+    "FriendlyName":"Provisioner Daemon",
+    "ID":"00000000-0000-0000-0000-000000000000",
+    "Roles":[
       {
-        "name": "owner",
-        "display_name": "Owner",
-        "site": [
+        "name":"provisionerd",
+        "display_name":"Provisioner Daemon",
+        "site":[
           {
-            "negate": false,
-            "resource_type": "*",
-            "action": "*"
+            "negate":false,
+            "resource_type":"api_key",
+            "action":"*"
+          },
+          {
+            "negate":false,
+            "resource_type":"file",
+            "action":"read"
+          },
+          {
+            "negate":false,
+            "resource_type":"group",
+            "action":"read"
+          },
+          {
+            "negate":false,
+            "resource_type":"organization",
+            "action":"read"
+          },
+          {
+            "negate":false,
+            "resource_type":"system",
+            "action":"*"
+          },
+          {
+            "negate":false,
+            "resource_type":"template",
+            "action":"read"
+          },
+          {
+            "negate":false,
+            "resource_type":"template",
+            "action":"update"
+          },
+          {
+            "negate":false,
+            "resource_type":"user",
+            "action":"read_personal"
+          },
+          {
+            "negate":false,
+            "resource_type":"user",
+            "action":"update_personal"
+          },
+          {
+            "negate":false,
+            "resource_type":"user",
+            "action":"read"
+          },
+          {
+            "negate":false,
+            "resource_type":"workspace",
+            "action":"read"
+          },
+          {
+            "negate":false,
+            "resource_type":"workspace",
+            "action":"stop"
+          },
+          {
+            "negate":false,
+            "resource_type":"workspace",
+            "action":"start"
+          },
+          {
+            "negate":false,
+            "resource_type":"workspace",
+            "action":"update"
+          },
+          {
+            "negate":false,
+            "resource_type":"workspace",
+            "action":"delete"
+          },
+          {
+            "negate":false,
+            "resource_type":"workspace_dormant",
+            "action":"read"
+          },
+          {
+            "negate":false,
+            "resource_type":"workspace_dormant",
+            "action":"update"
+          },
+          {
+            "negate":false,
+            "resource_type":"workspace_dormant",
+            "action":"stop"
           }
         ],
-        "org": {},
-        "user": []
+        "org":{
+
+        },
+        "user":[
+
+        ]
       }
     ],
-    "groups": ["b617a647-b5d0-4cbe-9e40-26f89710bf18"],
-    "scope": {
-      "name": "Scope_all",
-      "display_name": "All operations",
-      "site": [
-        {
-          "negate": false,
-          "resource_type": "*",
-          "action": "*"
-        }
-      ],
-      "org": {},
-      "user": [],
-      "allow_list": ["*"]
-    }
+    "Groups":null,
+    "Scope":"all"
   }
 }
Original file line number	Diff line number	Diff line change
`@@ -221,7 +221,7 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can`
`221`	`221`	`}`
`222`	`222`
`223`	`223`	`if options.Authorizer == nil {`
`224`		`- defAuth := rbac.NewCachingAuthorizer(prometheus.NewRegistry())`
	`224`	`+ defAuth := rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry())`
`225`	`225`	`if _, ok := t.(*testing.T); ok {`
`226`	`226`	`options.Authorizer = &RecordingAuthorizer{`
`227`	`227`	`Wrapped: defAuth,`