Pass actor to follow logs for subscriber listen

Emyrk · Emyrk · commit 6a7b05364527 · 2023-02-01T11:33:57.000-06:00
Also fix some dry run resource fetching in authzquerier
diff --git a/coderd/authzquery/authz.go b/coderd/authzquery/authz.go
@@ -38,7 +38,7 @@ func authorizedInsertWithReturn[ObjectType any, ArgumentType any,
 
 	return func(ctx context.Context, arg ArgumentType) (empty ObjectType, err error) {
 		// Fetch the rbac subject
-		act, ok := actorFromContext(ctx)
+		act, ok := ActorFromContext(ctx)
 		if !ok {
 			return empty, xerrors.Errorf("no authorization actor in context")
 		}
@@ -123,7 +123,7 @@ func authorizedFetchAndQuery[ObjectType rbac.Objecter, ArgumentType any,
 
 	return func(ctx context.Context, arg ArgumentType) (empty ObjectType, err error) {
 		// Fetch the rbac subject
-		act, ok := actorFromContext(ctx)
+		act, ok := ActorFromContext(ctx)
 		if !ok {
 			return empty, xerrors.Errorf("no authorization actor in context")
 		}
@@ -172,7 +172,7 @@ func authorizedQuery[ArgumentType any, ObjectType rbac.Objecter,
 
 	return func(ctx context.Context, arg ArgumentType) (empty ObjectType, err error) {
 		// Fetch the rbac subject
-		act, ok := actorFromContext(ctx)
+		act, ok := ActorFromContext(ctx)
 		if !ok {
 			return empty, xerrors.Errorf("no authorization actor in context")
 		}
@@ -203,7 +203,7 @@ func authorizedFetchSet[ArgumentType any, ObjectType rbac.Objecter,
 
 	return func(ctx context.Context, arg ArgumentType) (empty []ObjectType, err error) {
 		// Fetch the rbac subject
-		act, ok := actorFromContext(ctx)
+		act, ok := ActorFromContext(ctx)
 		if !ok {
 			return empty, xerrors.Errorf("no authorization actor in context")
 		}
@@ -234,7 +234,7 @@ func authorizedQueryWithRelated[ObjectType any, ArgumentType any, Related rbac.O
 
 	return func(ctx context.Context, arg ArgumentType) (empty ObjectType, err error) {
 		// Fetch the rbac subject
-		act, ok := actorFromContext(ctx)
+		act, ok := ActorFromContext(ctx)
 		if !ok {
 			return empty, xerrors.Errorf("no authorization actor in context")
 		}
@@ -264,7 +264,7 @@ func authorizedQueryWithRelated[ObjectType any, ArgumentType any, Related rbac.O
 // prepareSQLFilter is a helper function that prepares a SQL filter using the
 // given authorization context.
 func prepareSQLFilter(ctx context.Context, authorizer rbac.Authorizer, action rbac.Action, resourceType string) (rbac.PreparedAuthorized, error) {
-	act, ok := actorFromContext(ctx)
+	act, ok := ActorFromContext(ctx)
 	if !ok {
 		return nil, xerrors.Errorf("no authorization actor in context")
 	}
diff --git a/coderd/authzquery/authzquerier.go b/coderd/authzquery/authzquerier.go
@@ -52,7 +52,7 @@ func (q *AuthzQuerier) InTx(function func(querier database.Store) error, txOpts
 
 // authorizeContext is a helper function to authorize an action on an object.
 func (q *AuthzQuerier) authorizeContext(ctx context.Context, action rbac.Action, object rbac.Objecter) error {
-	act, ok := actorFromContext(ctx)
+	act, ok := ActorFromContext(ctx)
 	if !ok {
 		return xerrors.Errorf("no authorization actor in context")
 	}
diff --git a/coderd/authzquery/context.go b/coderd/authzquery/context.go
@@ -53,10 +53,10 @@ func WithWorkspaceAgentTokenContext(ctx context.Context, workspaceID uuid.UUID,
 	})
 }
 
-// actorFromContext returns the authorization subject from the context.
+// ActorFromContext returns the authorization subject from the context.
 // All authentication flows should set the authorization subject in the context.
 // If no actor is present, the function returns false.
-func actorFromContext(ctx context.Context) (rbac.Subject, bool) {
+func ActorFromContext(ctx context.Context) (rbac.Subject, bool) {
 	a, ok := ctx.Value(authContextKey{}).(rbac.Subject)
 	return a, ok
 }
diff --git a/coderd/authzquery/job.go b/coderd/authzquery/job.go
@@ -38,7 +38,7 @@ func (q *AuthzQuerier) UpdateProvisionerJobWithCancelByID(ctx context.Context, a
 		// Would be nice to have a way in the rbac rego to do this.
 		if !template.AllowUserCancelWorkspaceJobs {
 			// Only owners can cancel workspace builds
-			actor, ok := actorFromContext(ctx)
+			actor, ok := ActorFromContext(ctx)
 			if !ok {
 				return xerrors.Errorf("no actor in context")
 			}
diff --git a/coderd/authzquery/organization.go b/coderd/authzquery/organization.go
@@ -85,7 +85,7 @@ func (q *AuthzQuerier) UpdateMemberRoles(ctx context.Context, arg database.Updat
 }
 
 func (q *AuthzQuerier) canAssignRoles(ctx context.Context, orgID *uuid.UUID, added, removed []string) error {
-	actor, ok := actorFromContext(ctx)
+	actor, ok := ActorFromContext(ctx)
 	if !ok {
 		return xerrors.Errorf("no authorization actor in context")
 	}
diff --git a/coderd/authzquery/user.go b/coderd/authzquery/user.go
@@ -76,7 +76,7 @@ func (q *AuthzQuerier) GetUsersWithCount(ctx context.Context, arg database.GetUs
 		return []database.User{}, 0, nil
 	}
 
-	act, ok := actorFromContext(ctx)
+	act, ok := ActorFromContext(ctx)
 	if !ok {
 		return nil, -1, xerrors.Errorf("no authorization actor in context")
 	}
diff --git a/coderd/authzquery/workspace.go b/coderd/authzquery/workspace.go
@@ -258,6 +258,23 @@ func (q *AuthzQuerier) GetWorkspaceResourceMetadataByResourceIDs(ctx context.Con
 func (q *AuthzQuerier) GetWorkspaceResourcesByJobID(ctx context.Context, jobID uuid.UUID) ([]database.WorkspaceResource, error) {
 	build, err := q.database.GetWorkspaceBuildByJobID(ctx, jobID)
 	if err != nil {
+		job, err := q.database.GetProvisionerJobByID(ctx, jobID)
+		if err == nil && job.Type == database.ProvisionerJobTypeTemplateVersionDryRun {
+			// TODO: We should really remove this branch path. It is kinda jank.
+			// This is really annoying, but if a job is a dry run, there is no workspace
+			// for this job. So we need to make up an rbac object for the workspace.
+			tv, err := authorizedTemplateVersionFromJob(ctx, q, job)
+			if err != nil {
+				return nil, err
+			}
+
+			err = q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceWorkspace.InOrg(tv.OrganizationID).WithOwner(job.InitiatorID.String()))
+			if err != nil {
+				return nil, err
+			}
+
+			return q.database.GetWorkspaceResourcesByJobID(ctx, jobID)
+		}
 		return nil, err
 	}
 
diff --git a/coderd/provisionerjobs.go b/coderd/provisionerjobs.go
@@ -16,9 +16,10 @@ import (
 	"nhooyr.io/websocket"
 
 	"cdr.dev/slog"
-
+	"github.com/coder/coder/coderd/authzquery"
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/httpapi"
+	"github.com/coder/coder/coderd/rbac"
 	"github.com/coder/coder/codersdk"
 )
 
@@ -32,6 +33,7 @@ import (
 func (api *API) provisionerJobLogs(rw http.ResponseWriter, r *http.Request, job database.ProvisionerJob) {
 	var (
 		ctx       = r.Context()
+		actor, _  = authzquery.ActorFromContext(ctx)
 		logger    = api.Logger.With(slog.F("job_id", job.ID))
 		follow    = r.URL.Query().Has("follow")
 		afterRaw  = r.URL.Query().Get("after")
@@ -49,7 +51,7 @@ func (api *API) provisionerJobLogs(rw http.ResponseWriter, r *http.Request, job
 	// of processed IDs.
 	var bufferedLogs <-chan database.ProvisionerJobLog
 	if follow {
-		bl, closeFollow, err := api.followLogs(job.ID)
+		bl, closeFollow, err := api.followLogs(actor, job.ID)
 		if err != nil {
 			httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 				Message: "Internal error watching provisioner logs.",
@@ -367,7 +369,7 @@ type provisionerJobLogsMessage struct {
 	EndOfLogs    bool  `json:"end_of_logs,omitempty"`
 }
 
-func (api *API) followLogs(jobID uuid.UUID) (<-chan database.ProvisionerJobLog, func(), error) {
+func (api *API) followLogs(actor rbac.Subject, jobID uuid.UUID) (<-chan database.ProvisionerJobLog, func(), error) {
 	logger := api.Logger.With(slog.F("job_id", jobID))
 
 	var (
@@ -378,6 +380,7 @@ func (api *API) followLogs(jobID uuid.UUID) (<-chan database.ProvisionerJobLog,
 	closeSubscribe, err := api.Pubsub.Subscribe(
 		provisionerJobLogsChannel(jobID),
 		func(ctx context.Context, message []byte) {
+			ctx = authzquery.WithAuthorizeContext(ctx, actor)
 			select {
 			case <-closed:
 				return

Original file line number	Diff line number	Diff line change
`@@ -52,7 +52,7 @@ func (q *AuthzQuerier) InTx(function func(querier database.Store) error, txOpts`
`52`	`52`
`53`	`53`	`// authorizeContext is a helper function to authorize an action on an object.`
`54`	`54`	`func (q *AuthzQuerier) authorizeContext(ctx context.Context, action rbac.Action, object rbac.Objecter) error {`
`55`		`- act, ok := actorFromContext(ctx)`
	`55`	`+ act, ok := ActorFromContext(ctx)`
`56`	`56`	`if !ok {`
`57`	`57`	`return xerrors.Errorf("no authorization actor in context")`
`58`	`58`	`}`
Original file line number	Diff line number	Diff line change
`@@ -53,10 +53,10 @@ func WithWorkspaceAgentTokenContext(ctx context.Context, workspaceID uuid.UUID,`
`53`	`53`	`})`
`54`	`54`	`}`
`55`	`55`
`56`		`-// actorFromContext returns the authorization subject from the context.`
	`56`	`+// ActorFromContext returns the authorization subject from the context.`
`57`	`57`	`// All authentication flows should set the authorization subject in the context.`
`58`	`58`	`// If no actor is present, the function returns false.`
`59`		`-func actorFromContext(ctx context.Context) (rbac.Subject, bool) {`
	`59`	`+func ActorFromContext(ctx context.Context) (rbac.Subject, bool) {`
`60`	`60`	`a, ok := ctx.Value(authContextKey{}).(rbac.Subject)`
`61`	`61`	`return a, ok`
`62`	`62`	`}`
Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ func (q *AuthzQuerier) UpdateProvisionerJobWithCancelByID(ctx context.Context, a`
`38`	`38`	`// Would be nice to have a way in the rbac rego to do this.`
`39`	`39`	`if !template.AllowUserCancelWorkspaceJobs {`
`40`	`40`	`// Only owners can cancel workspace builds`
`41`		`- actor, ok := actorFromContext(ctx)`
	`41`	`+ actor, ok := ActorFromContext(ctx)`
`42`	`42`	`if !ok {`
`43`	`43`	`return xerrors.Errorf("no actor in context")`
`44`	`44`	`}`
Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,7 @@ func (q *AuthzQuerier) UpdateMemberRoles(ctx context.Context, arg database.Updat`
`85`	`85`	`}`
`86`	`86`
`87`	`87`	`func (q AuthzQuerier) canAssignRoles(ctx context.Context, orgID uuid.UUID, added, removed []string) error {`
`88`		`- actor, ok := actorFromContext(ctx)`
	`88`	`+ actor, ok := ActorFromContext(ctx)`
`89`	`89`	`if !ok {`
`90`	`90`	`return xerrors.Errorf("no authorization actor in context")`
`91`	`91`	`}`
Original file line number	Diff line number	Diff line change
`@@ -76,7 +76,7 @@ func (q *AuthzQuerier) GetUsersWithCount(ctx context.Context, arg database.GetUs`
`76`	`76`	`return []database.User{}, 0, nil`
`77`	`77`	`}`
`78`	`78`
`79`		`- act, ok := actorFromContext(ctx)`
	`79`	`+ act, ok := ActorFromContext(ctx)`
`80`	`80`	`if !ok {`
`81`	`81`	`return nil, -1, xerrors.Errorf("no authorization actor in context")`
`82`	`82`	`}`