adjust provisioner jobs rbac for owner and template admin only

mafredri · mafredri · commit 765c93a66e28 · 2025-01-16T10:58:50.000Z
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -1978,25 +1978,24 @@ func (q *querier) GetProvisionerJobTimingsByJobID(ctx context.Context, jobID uui
 	return q.db.GetProvisionerJobTimingsByJobID(ctx, jobID)
 }
 
-// TODO: we need to add a provisioner job resource
+// TODO: We have a ProvisionerJobs resource, but it hasn't been checked for this use-case.
 func (q *querier) GetProvisionerJobsByIDs(ctx context.Context, ids []uuid.UUID) ([]database.ProvisionerJob, error) {
 	// if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceSystem); err != nil {
 	// 	return nil, err
 	// }
 	return q.db.GetProvisionerJobsByIDs(ctx, ids)
 }
 
-// TODO: we need to add a provisioner job resource
+// TODO: We have a ProvisionerJobs resource, but it hasn't been checked for this use-case.
 func (q *querier) GetProvisionerJobsByIDsWithQueuePosition(ctx context.Context, ids []uuid.UUID) ([]database.GetProvisionerJobsByIDsWithQueuePositionRow, error) {
 	return q.db.GetProvisionerJobsByIDsWithQueuePosition(ctx, ids)
 }
 
-// TODO: we need to add a provisioner job resource
 func (q *querier) GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisioner(ctx context.Context, arg database.GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisionerParams) ([]database.GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisionerRow, error) {
-	return q.db.GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisioner(ctx, arg)
+	return fetchWithPostFilter(q.auth, policy.ActionRead, q.db.GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisioner)(ctx, arg)
 }
 
-// TODO: We need to create a ProvisionerJob resource type
+// TODO: We have a ProvisionerJobs resource, but it hasn't been checked for this use-case.
 func (q *querier) GetProvisionerJobsCreatedAfter(ctx context.Context, createdAt time.Time) ([]database.ProvisionerJob, error) {
 	// if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceSystem); err != nil {
 	// return nil, err
diff --git a/coderd/database/modelmethods.go b/coderd/database/modelmethods.go
@@ -2,7 +2,6 @@ package database
 
 import (
 	"encoding/hex"
-	"encoding/json"
 	"sort"
 	"strconv"
 	"time"
@@ -15,7 +14,6 @@ import (
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/coder/v2/coderd/rbac/policy"
-	"github.com/coder/coder/v2/codersdk"
 )
 
 type WorkspaceStatus string
@@ -461,25 +459,12 @@ func (g Group) IsEveryone() bool {
 }
 
 func (p ProvisionerJob) RBACObject() rbac.Object {
-	var input codersdk.ProvisionerJobInput
-	_ = json.Unmarshal(p.Input, &input) // Best effort.
-
-	id := uuid.Nil
 	switch p.Type {
-	case ProvisionerJobTypeTemplateVersionImport, ProvisionerJobTypeTemplateVersionDryRun:
-		if input.TemplateVersionID != nil {
-			id = *input.TemplateVersionID
-		}
-		return rbac.ResourceTemplate.
-			WithID(id).
-			InOrg(p.OrganizationID)
-	case ProvisionerJobTypeWorkspaceBuild:
-		if input.WorkspaceBuildID != nil {
-			id = *input.WorkspaceBuildID
-		}
-		return rbac.ResourceWorkspace.
-			WithID(id).
-			InOrg(p.OrganizationID)
+	// Only acceptable for known job types at this time because template
+	// admins may not be allowed to view new types.
+	case ProvisionerJobTypeTemplateVersionImport, ProvisionerJobTypeTemplateVersionDryRun, ProvisionerJobTypeWorkspaceBuild:
+		return rbac.ResourceProvisionerJobs.InOrg(p.OrganizationID)
+
 	default:
 		panic("developer error: unknown provisioner job type " + string(p.Type))
 	}
@@ -538,3 +523,7 @@ func (k CryptoKey) CanVerify(now time.Time) bool {
 	isBeforeDeletion := !k.DeletesAt.Valid || now.Before(k.DeletesAt.Time)
 	return hasSecret && isBeforeDeletion
 }
+
+func (r GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisionerRow) RBACObject() rbac.Object {
+	return r.ProvisionerJob.RBACObject()
+}
diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go
@@ -324,8 +324,6 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 			ResourceWorkspace.Type: {policy.ActionRead},
 			// CRUD to provisioner daemons for now.
 			ResourceProvisionerDaemon.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
-			// Read to provisioner jobs for now.
-			ResourceProvisionerJobs.Type: {policy.ActionRead},
 			// Needs to read all organizations since
 			ResourceOrganization.Type: {policy.ActionRead},
 			ResourceUser.Type:         {policy.ActionRead},
@@ -424,9 +422,6 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 						ResourceOrganization.Type: {policy.ActionRead},
 						// Can read available roles.
 						ResourceAssignOrgRole.Type: {policy.ActionRead},
-
-						// Users can read provisioner jobs scoped to themselves.
-						ResourceProvisionerJobs.Type: {policy.ActionRead},
 					}),
 				},
 				User: []Permission{
@@ -488,6 +483,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 						ResourceOrganizationMember.Type: {policy.ActionRead},
 						ResourceGroup.Type:              {policy.ActionRead},
 						ResourceGroupMember.Type:        {policy.ActionRead},
+						ResourceProvisionerJobs.Type:    {policy.ActionRead},
 					}),
 				},
 				User: []Permission{},
diff --git a/coderd/rbac/roles_test.go b/coderd/rbac/roles_test.go
@@ -558,8 +558,8 @@ func TestRolePermissions(t *testing.T) {
 			Actions:  []policy.Action{policy.ActionRead},
 			Resource: rbac.ResourceProvisionerJobs.InOrg(orgID),
 			AuthorizeMap: map[bool][]hasAuthSubjects{
-				true:  {owner, templateAdmin, orgTemplateAdmin, orgMemberMe, orgAdmin},
-				false: {setOtherOrg, memberMe, userAdmin, orgUserAdmin, orgAuditor},
+				true:  {owner, orgTemplateAdmin, orgAdmin},
+				false: {setOtherOrg, memberMe, orgMemberMe, templateAdmin, userAdmin, orgUserAdmin, orgAuditor},
 			},
 		},
 		{
