@@ -255,12 +255,6 @@ func (q *querier) GetProvisionerJobByID(ctx context.Context, id uuid.UUID) (data
255255 return job , nil
256256}
257257
258- func (q * querier ) GetProvisionerJobsByIDs (ctx context.Context , ids []uuid.UUID ) ([]database.ProvisionerJob , error ) {
259- // TODO: This is missing authorization and is incorrect. This call is used by telemetry, and by 1 http route.
260- // That http handler should find a better way to fetch these jobs with easier rbac authz.
261- return q .db .GetProvisionerJobsByIDs (ctx , ids )
262- }
263-
264258func (q * querier ) GetProvisionerLogsByIDBetween (ctx context.Context , arg database.GetProvisionerLogsByIDBetweenParams ) ([]database.ProvisionerJobLog , error ) {
265259 // Authorized read on job lets the actor also read the logs.
266260 _ , err := q .GetProvisionerJobByID (ctx , arg .JobID )
@@ -729,35 +723,6 @@ func (q *querier) GetTemplateVersionVariables(ctx context.Context, templateVersi
729723 return q .db .GetTemplateVersionVariables (ctx , templateVersionID )
730724}
731725
732- func (q * querier ) GetTemplateVersionsByIDs (ctx context.Context , ids []uuid.UUID ) ([]database.TemplateVersion , error ) {
733- // TODO: This is so inefficient
734- versions , err := q .db .GetTemplateVersionsByIDs (ctx , ids )
735- if err != nil {
736- return nil , err
737- }
738- checked := make (map [uuid.UUID ]bool )
739- for _ , v := range versions {
740- if _ , ok := checked [v .TemplateID .UUID ]; ok {
741- continue
742- }
743-
744- obj := v .RBACObjectNoTemplate ()
745- template , err := q .db .GetTemplateByID (ctx , v .TemplateID .UUID )
746- if err == nil {
747- obj = v .RBACObject (template )
748- }
749- if err != nil && ! xerrors .Is (err , sql .ErrNoRows ) {
750- return nil , err
751- }
752- if err := q .authorizeContext (ctx , rbac .ActionRead , obj ); err != nil {
753- return nil , err
754- }
755- checked [v .TemplateID .UUID ] = true
756- }
757-
758- return versions , nil
759- }
760-
761726func (q * querier ) GetTemplateVersionsByTemplateID (ctx context.Context , arg database.GetTemplateVersionsByTemplateIDParams ) ([]database.TemplateVersion , error ) {
762727 // An actor can read template versions if they can read the related template.
763728 template , err := q .db .GetTemplateByID (ctx , arg .TemplateID )
@@ -1017,11 +982,6 @@ func (q *querier) GetUsersWithCount(ctx context.Context, arg database.GetUsersPa
1017982 return users , rowUsers [0 ].Count , nil
1018983}
1019984
1020- // TODO: Remove this and use a filter on GetUsers
1021- func (q * querier ) GetUsersByIDs (ctx context.Context , ids []uuid.UUID ) ([]database.User , error ) {
1022- return fetchWithPostFilter (q .auth , q .db .GetUsersByIDs )(ctx , ids )
1023- }
1024-
1025985func (q * querier ) InsertUser (ctx context.Context , arg database.InsertUserParams ) (database.User , error ) {
1026986 // Always check if the assigned roles can actually be assigned by this actor.
1027987 impliedRoles := append ([]string {rbac .RoleMember ()}, arg .RBACRoles ... )
@@ -1226,37 +1186,6 @@ func (q *querier) GetWorkspaceAgentByInstanceID(ctx context.Context, authInstanc
12261186 return agent , nil
12271187}
12281188
1229- // GetWorkspaceAgentsByResourceIDs is an all or nothing call. If the user cannot read
1230- // a single agent, the entire call will fail.
1231- func (q * querier ) GetWorkspaceAgentsByResourceIDs (ctx context.Context , ids []uuid.UUID ) ([]database.WorkspaceAgent , error ) {
1232- if _ , ok := ActorFromContext (ctx ); ! ok {
1233- return nil , NoActorError
1234- }
1235- // TODO: Make this more efficient. This is annoying because all these resources should be owned by the same workspace.
1236- // So the authz check should just be 1 check, but we cannot do that easily here. We should see if all callers can
1237- // instead do something like GetWorkspaceAgentsByWorkspaceID.
1238- agents , err := q .db .GetWorkspaceAgentsByResourceIDs (ctx , ids )
1239- if err != nil {
1240- return nil , err
1241- }
1242-
1243- for _ , a := range agents {
1244- // Check if we can fetch the workspace by the agent ID.
1245- _ , err := q .GetWorkspaceByAgentID (ctx , a .ID )
1246- if err == nil {
1247- continue
1248- }
1249- if errors .Is (err , sql .ErrNoRows ) && ! errors .As (err , & NotAuthorizedError {}) {
1250- // The agent is not tied to a workspace, likely from an orphaned template version.
1251- // Just return it.
1252- continue
1253- }
1254- // Otherwise, we cannot read the workspace, so we cannot read the agent.
1255- return nil , err
1256- }
1257- return agents , nil
1258- }
1259-
12601189func (q * querier ) UpdateWorkspaceAgentLifecycleStateByID (ctx context.Context , arg database.UpdateWorkspaceAgentLifecycleStateByIDParams ) error {
12611190 agent , err := q .db .GetWorkspaceAgentByID (ctx , arg .ID )
12621191 if err != nil {
@@ -1309,20 +1238,6 @@ func (q *querier) GetWorkspaceAppsByAgentID(ctx context.Context, agentID uuid.UU
13091238 return q .db .GetWorkspaceAppsByAgentID (ctx , agentID )
13101239}
13111240
1312- // GetWorkspaceAppsByAgentIDs is an all or nothing call. If the user cannot read a single app, the entire call will fail.
1313- func (q * querier ) GetWorkspaceAppsByAgentIDs (ctx context.Context , ids []uuid.UUID ) ([]database.WorkspaceApp , error ) {
1314- // TODO: This should be reworked. All these apps are likely owned by the same workspace, so we should be able to
1315- // do 1 authz call. We should refactor this to be GetWorkspaceAppsByWorkspaceID.
1316- for _ , id := range ids {
1317- _ , err := q .GetWorkspaceAgentByID (ctx , id )
1318- if err != nil {
1319- return nil , err
1320- }
1321- }
1322-
1323- return q .db .GetWorkspaceAppsByAgentIDs (ctx , ids )
1324- }
1325-
13261241func (q * querier ) GetWorkspaceBuildByID (ctx context.Context , buildID uuid.UUID ) (database.WorkspaceBuild , error ) {
13271242 build , err := q .db .GetWorkspaceBuildByID (ctx , buildID )
13281243 if err != nil {
@@ -1399,21 +1314,6 @@ func (q *querier) GetWorkspaceResourceByID(ctx context.Context, id uuid.UUID) (d
13991314 return resource , nil
14001315}
14011316
1402- // GetWorkspaceResourceMetadataByResourceIDs is an all or nothing call. If a single resource is not authorized, then
1403- // an error is returned.
1404- func (q * querier ) GetWorkspaceResourceMetadataByResourceIDs (ctx context.Context , ids []uuid.UUID ) ([]database.WorkspaceResourceMetadatum , error ) {
1405- // TODO: This is very inefficient. Since all these resources are likely asscoiated with the same workspace.
1406- for _ , id := range ids {
1407- // If we can read the resource, we can read the metadata.
1408- _ , err := q .GetWorkspaceResourceByID (ctx , id )
1409- if err != nil {
1410- return nil , err
1411- }
1412- }
1413-
1414- return q .db .GetWorkspaceResourceMetadataByResourceIDs (ctx , ids )
1415- }
1416-
14171317func (q * querier ) GetWorkspaceResourcesByJobID (ctx context.Context , jobID uuid.UUID ) ([]database.WorkspaceResource , error ) {
14181318 job , err := q .db .GetProvisionerJobByID (ctx , jobID )
14191319 if err != nil {
@@ -1459,21 +1359,6 @@ func (q *querier) GetWorkspaceResourcesByJobID(ctx context.Context, jobID uuid.U
14591359 return q .db .GetWorkspaceResourcesByJobID (ctx , jobID )
14601360}
14611361
1462- // GetWorkspaceResourcesByJobIDs is an all or nothing call. If a single resource is not authorized, then
1463- // an error is returned.
1464- func (q * querier ) GetWorkspaceResourcesByJobIDs (ctx context.Context , ids []uuid.UUID ) ([]database.WorkspaceResource , error ) {
1465- // TODO: This is very inefficient. Since all these resources are likely asscoiated with the same workspace.
1466- for _ , id := range ids {
1467- // If we can read the resource, we can read the metadata.
1468- _ , err := q .GetProvisionerJobByID (ctx , id )
1469- if err != nil {
1470- return nil , err
1471- }
1472- }
1473-
1474- return q .db .GetWorkspaceResourcesByJobIDs (ctx , ids )
1475- }
1476-
14771362func (q * querier ) InsertWorkspace (ctx context.Context , arg database.InsertWorkspaceParams ) (database.Workspace , error ) {
14781363 obj := rbac .ResourceWorkspace .WithOwner (arg .OwnerID .String ()).InOrg (arg .OrganizationID )
14791364 return insert (q .log , q .auth , obj , q .db .InsertWorkspace )(ctx , arg )
@@ -1532,18 +1417,18 @@ func (q *querier) UpdateWorkspaceAgentConnectionByID(ctx context.Context, arg da
15321417 return update (q .log , q .auth , fetch , q .db .UpdateWorkspaceAgentConnectionByID )(ctx , arg )
15331418}
15341419
1535- func (q * querier ) InsertAgentStat (ctx context.Context , arg database.InsertAgentStatParams ) (database.AgentStat , error ) {
1420+ func (q * querier ) InsertWorkspaceAgentStat (ctx context.Context , arg database.InsertWorkspaceAgentStatParams ) (database.WorkspaceAgentStat , error ) {
15361421 // TODO: This is a workspace agent operation. Should users be able to query this?
15371422 // Not really sure what this is for.
15381423 workspace , err := q .db .GetWorkspaceByID (ctx , arg .WorkspaceID )
15391424 if err != nil {
1540- return database.AgentStat {}, err
1425+ return database.WorkspaceAgentStat {}, err
15411426 }
15421427 err = q .authorizeContext (ctx , rbac .ActionUpdate , workspace )
15431428 if err != nil {
1544- return database.AgentStat {}, err
1429+ return database.WorkspaceAgentStat {}, err
15451430 }
1546- return q .db .InsertAgentStat (ctx , arg )
1431+ return q .db .InsertWorkspaceAgentStat (ctx , arg )
15471432}
15481433
15491434func (q * querier ) UpdateWorkspaceAppHealthByID (ctx context.Context , arg database.UpdateWorkspaceAppHealthByIDParams ) error {
0 commit comments