
Commit 4d0fe20

chore(coderd/database/dbauthz): update RBAC for InsertWorkspaceApp (#18223)
Instead of using `ResourceSystem` as the resource for `InsertWorkspaceApp`, we use the associated workspace (if it exists), with the action `ActionUpdate`.
1 parent 9e1967b commit 4d0fe20


2 files changed

+28
-3
lines changed


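--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -3851,9 +3851,19 @@ func (q *querier) InsertWorkspaceAgentStats(ctx context.Context, arg database.In
 }
 
 func (q *querier) InsertWorkspaceApp(ctx context.Context, arg database.InsertWorkspaceAppParams) (database.WorkspaceApp, error) {
-	if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceSystem); err != nil {
+	// NOTE(DanielleMaywood):
+	// It is possible for there to exist an agent without a workspace.
+	// This means that we want to allow execution to continue if
+	// there isn't a workspace found to allow this behavior to continue.
+	workspace, err := q.db.GetWorkspaceByAgentID(ctx, arg.AgentID)
+	if err != nil && !errors.Is(err, sql.ErrNoRows) {
+		return database.WorkspaceApp{}, err
+	}
+
+	if err := q.authorizeContext(ctx, policy.ActionUpdate, workspace); err != nil {
 		return database.WorkspaceApp{}, err
 	}
+
 	return q.db.InsertWorkspaceApp(ctx, arg)
 }
 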
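Review bot: When GetWorkspaceByAgentID returns sql.ErrNoRows, `workspace` is left as the zero-value database.Workspace and the ActionUpdate check still runs against it, so the NOTE's "allow execution to continue" is only true for callers whose role passes an update check on a workspace with no owner and no organization — presumably site-wide roles, which may be the intent for an orphaned agent but is not stated. The resource is derived from the caller-supplied arg.AgentID, so this zero-value path is reachable by anyone able to name an agent ID that has no workspace. Suggest extending the comment with `// On sql.ErrNoRows, workspace is the zero value, so the update check below is evaluated against a workspace with no owner/org; only roles with site-wide workspace update are expected to pass.` The error from GetWorkspaceByAgentID is also returned unwrapped, unlike the context other dbauthz methods may add — worth checking against the file's convention.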
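--- a/coderd/database/dbauthz/dbauthz_test.go
+++ b/coderd/database/dbauthz/dbauthz_test.go
@@ -4093,13 +4093,28 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 		}).Asserts(ws, policy.ActionCreateAgent)
 	}))
 	s.Run("InsertWorkspaceApp", s.Subtest(func(db database.Store, check *expects) {
-		dbtestutil.DisableForeignKeysAndTriggers(s.T(), db)
+		_ = dbgen.User(s.T(), db, database.User{})
+		u := dbgen.User(s.T(), db, database.User{})
+		o := dbgen.Organization(s.T(), db, database.Organization{})
+		j := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{Type: database.ProvisionerJobTypeWorkspaceBuild})
+		tpl := dbgen.Template(s.T(), db, database.Template{CreatedBy: u.ID, OrganizationID: o.ID})
+		tv := dbgen.TemplateVersion(s.T(), db, database.TemplateVersion{
+			TemplateID:     uuid.NullUUID{UUID: tpl.ID, Valid: true},
+			JobID:          j.ID,
+			OrganizationID: o.ID,
+			CreatedBy:      u.ID,
+		})
+		ws := dbgen.Workspace(s.T(), db, database.WorkspaceTable{OwnerID: u.ID, TemplateID: tpl.ID, OrganizationID: o.ID})
+		_ = dbgen.WorkspaceBuild(s.T(), db, database.WorkspaceBuild{WorkspaceID: ws.ID, JobID: j.ID, TemplateVersionID: tv.ID})
+		res := dbgen.WorkspaceResource(s.T(), db, database.WorkspaceResource{JobID: j.ID})
+		agent := dbgen.WorkspaceAgent(s.T(), db, database.WorkspaceAgent{ResourceID: res.ID})
 		check.Args(database.InsertWorkspaceAppParams{
 			ID:           uuid.New(),
+			AgentID:      agent.ID,
 			Health:       database.WorkspaceAppHealthDisabled,
 			SharingLevel: database.AppSharingLevelOwner,
 			OpenIn:       database.WorkspaceAppOpenInSlimWindow,
-		}).Asserts(rbac.ResourceSystem, policy.ActionCreate)
+		}).Asserts(ws, policy.ActionUpdate)
 	}))
 	s.Run("InsertWorkspaceResourceMetadata", s.Subtest(func(db database.Store, check *expects) {
 		check.Args(database.InsertWorkspaceResourceMetadataParams{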
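Review bot: The new subtest only covers an agent that has a workspace behind it, so the branch the production change deliberately permits — GetWorkspaceByAgentID returning sql.ErrNoRows for an agent with no workspace — has no assertion pinning which resource and action the authorizer is asked for in that case. A second subtest that creates a resource and agent without a workspace build, then `Asserts(...)` on the expected zero-value workspace and policy.ActionUpdate, would lock that behaviour down and make any later change to it visible. The discarded `_ = dbgen.User(s.T(), db, database.User{})` at the top of the subtest has no comment explaining why a throwaway user is created before `u`; a one-line comment on its purpose would help the next reader, since the reason is not inferable from the fixture itself. TestSystemFunctions continues outside the hunk.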
