coderd/rbac: update chat rbac

johnstcn · johnstcn · commit 76b949c73feb · 2025-04-30T15:32:56.000+01:00
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -1270,10 +1270,7 @@ func (q *querier) DeleteApplicationConnectAPIKeysByUserID(ctx context.Context, u
 }
 
 func (q *querier) DeleteChat(ctx context.Context, id uuid.UUID) error {
-	if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceChat.WithID(id)); err != nil {
-		return err
-	}
-	return q.db.DeleteChat(ctx, id)
+	return deleteQ(q.log, q.auth, q.db.GetChatByID, q.db.DeleteChat)(ctx, id)
 }
 
 func (q *querier) DeleteCoordinator(ctx context.Context, id uuid.UUID) error {
@@ -1694,24 +1691,19 @@ func (q *querier) GetAuthorizationUserRoles(ctx context.Context, userID uuid.UUI
 }
 
 func (q *querier) GetChatByID(ctx context.Context, id uuid.UUID) (database.Chat, error) {
-	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceChat.WithID(id)); err != nil {
-		return database.Chat{}, err
-	}
-	return q.db.GetChatByID(ctx, id)
+	return fetch(q.log, q.auth, q.db.GetChatByID)(ctx, id)
 }
 
 func (q *querier) GetChatMessagesByChatID(ctx context.Context, chatID uuid.UUID) ([]database.ChatMessage, error) {
-	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceChat.WithID(chatID)); err != nil {
+	c, err := q.GetChatByID(ctx, chatID)
+	if err != nil {
 		return nil, err
 	}
-	return q.db.GetChatMessagesByChatID(ctx, chatID)
+	return q.db.GetChatMessagesByChatID(ctx, c.ID)
 }
 
 func (q *querier) GetChatsByOwnerID(ctx context.Context, ownerID uuid.UUID) ([]database.Chat, error) {
-	if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceChat); err != nil {
-		return nil, err
-	}
-	return q.db.GetChatsByOwnerID(ctx, ownerID)
+	return fetchWithPostFilter(q.auth, policy.ActionRead, q.db.GetChatsByOwnerID)(ctx, ownerID)
 }
 
 func (q *querier) GetCoordinatorResumeTokenSigningKey(ctx context.Context) (string, error) {
@@ -3348,7 +3340,14 @@ func (q *querier) InsertChat(ctx context.Context, arg database.InsertChatParams)
 }
 
 func (q *querier) InsertChatMessages(ctx context.Context, arg database.InsertChatMessagesParams) ([]database.ChatMessage, error) {
-	return insert(q.log, q.auth, rbac.ResourceChat.WithID(arg.ChatID), q.db.InsertChatMessages)(ctx, arg)
+	c, err := q.db.GetChatByID(ctx, arg.ChatID)
+	if err != nil {
+		return nil, err
+	}
+	if err := q.authorizeContext(ctx, policy.ActionUpdate, c); err != nil {
+		return nil, err
+	}
+	return q.db.InsertChatMessages(ctx, arg)
 }
 
 func (q *querier) InsertCryptoKey(ctx context.Context, arg database.InsertCryptoKeyParams) (database.CryptoKey, error) {
@@ -4000,10 +3999,10 @@ func (q *querier) UpdateAPIKeyByID(ctx context.Context, arg database.UpdateAPIKe
 }
 
 func (q *querier) UpdateChatByID(ctx context.Context, arg database.UpdateChatByIDParams) error {
-	if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceChat.WithID(arg.ID)); err != nil {
-		return err
+	fetch := func(ctx context.Context, arg database.UpdateChatByIDParams) (database.Chat, error) {
+		return q.db.GetChatByID(ctx, arg.ID)
 	}
-	return q.db.UpdateChatByID(ctx, arg)
+	return update(q.log, q.auth, fetch, q.db.UpdateChatByID)(ctx, arg)
 }
 
 func (q *querier) UpdateCryptoKeyDeletesAt(ctx context.Context, arg database.UpdateCryptoKeyDeletesAtParams) (database.CryptoKey, error) {
diff --git a/coderd/database/dbauthz/dbauthz_test.go b/coderd/database/dbauthz/dbauthz_test.go
@@ -5307,3 +5307,76 @@ func (s *MethodTestSuite) TestResourcesProvisionerdserver() {
 		}).Asserts(rbac.ResourceWorkspaceAgentDevcontainers, policy.ActionCreate)
 	}))
 }
+
+func (s *MethodTestSuite) TestChat() {
+	createChat := func(t *testing.T, db database.Store) (database.User, database.Chat, database.ChatMessage) {
+		t.Helper()
+
+		usr := dbgen.User(t, db, database.User{})
+		chat := dbgen.Chat(s.T(), db, database.Chat{
+			OwnerID: usr.ID,
+		})
+		msg := dbgen.ChatMessage(s.T(), db, database.ChatMessage{
+			ChatID: chat.ID,
+		})
+
+		return usr, chat, msg
+	}
+
+	s.Run("DeleteChat", s.Subtest(func(db database.Store, check *expects) {
+		_, c, _ := createChat(s.T(), db)
+		check.Args(c.ID).Asserts(c, policy.ActionDelete)
+	}))
+
+	s.Run("GetChatByID", s.Subtest(func(db database.Store, check *expects) {
+		_, c, _ := createChat(s.T(), db)
+		check.Args(c.ID).Asserts(c, policy.ActionRead).Returns(c)
+	}))
+
+	s.Run("GetChatMessagesByChatID", s.Subtest(func(db database.Store, check *expects) {
+		_, c, m := createChat(s.T(), db)
+		check.Args(c.ID).Asserts(c, policy.ActionRead).Returns([]database.ChatMessage{m})
+	}))
+
+	s.Run("GetChatsByOwnerID", s.Subtest(func(db database.Store, check *expects) {
+		u1, u1c1, _ := createChat(s.T(), db)
+		u1c2 := dbgen.Chat(s.T(), db, database.Chat{
+			OwnerID: u1.ID,
+		})
+		_, _, _ = createChat(s.T(), db) // other user's chat
+		check.Args(u1.ID).Asserts(u1c2, policy.ActionRead, u1c1, policy.ActionRead).Returns([]database.Chat{u1c1, u1c2})
+	}))
+
+	s.Run("InsertChat", s.Subtest(func(db database.Store, check *expects) {
+		usr := dbgen.User(s.T(), db, database.User{})
+		check.Args(database.InsertChatParams{
+			OwnerID:   usr.ID,
+			Title:     "test chat",
+			CreatedAt: dbtime.Now(),
+			UpdatedAt: dbtime.Now(),
+		}).Asserts(rbac.ResourceChat.WithOwner(usr.ID.String()), policy.ActionCreate)
+	}))
+
+	s.Run("InsertChatMessages", s.Subtest(func(db database.Store, check *expects) {
+		usr := dbgen.User(s.T(), db, database.User{})
+		chat := dbgen.Chat(s.T(), db, database.Chat{
+			OwnerID: usr.ID,
+		})
+		check.Args(database.InsertChatMessagesParams{
+			ChatID:    chat.ID,
+			CreatedAt: dbtime.Now(),
+			Model:     "test-model",
+			Provider:  "test-provider",
+			Content:   []byte(`[]`),
+		}).Asserts(chat, policy.ActionUpdate)
+	}))
+
+	s.Run("UpdateChatByID", s.Subtest(func(db database.Store, check *expects) {
+		_, c, _ := createChat(s.T(), db)
+		check.Args(database.UpdateChatByIDParams{
+			ID:        c.ID,
+			Title:     "new title",
+			UpdatedAt: dbtime.Now(),
+		}).Asserts(c, policy.ActionUpdate)
+	}))
+}
diff --git a/coderd/database/dbgen/dbgen.go b/coderd/database/dbgen/dbgen.go
@@ -154,6 +154,19 @@ func Chat(t testing.TB, db database.Store, seed database.Chat) database.Chat {
 	return chat
 }
 
+func ChatMessage(t testing.TB, db database.Store, seed database.ChatMessage) database.ChatMessage {
+	msg, err := db.InsertChatMessages(genCtx, database.InsertChatMessagesParams{
+		CreatedAt: takeFirst(seed.CreatedAt, dbtime.Now()),
+		ChatID:    takeFirst(seed.ChatID, uuid.New()),
+		Model:     takeFirst(seed.Model, "train"),
+		Provider:  takeFirst(seed.Provider, "thomas"),
+		Content:   takeFirstSlice(seed.Content, []byte(`[{"text": "Choo choo!"}]`)),
+	})
+	require.NoError(t, err, "insert chat message")
+	require.Len(t, msg, 1, "insert one chat message did not return exactly one message")
+	return msg[0]
+}
+
 func WorkspaceAgentPortShare(t testing.TB, db database.Store, orig database.WorkspaceAgentPortShare) database.WorkspaceAgentPortShare {
 	ps, err := db.UpsertWorkspaceAgentPortShare(genCtx, database.UpsertWorkspaceAgentPortShareParams{
 		WorkspaceID: takeFirst(orig.WorkspaceID, uuid.New()),
diff --git a/coderd/database/dbmem/dbmem.go b/coderd/database/dbmem/dbmem.go
@@ -8487,6 +8487,8 @@ func (q *FakeQuerier) InsertChatMessages(ctx context.Context, arg database.Inser
 			Content:   content,
 		})
 	}
+
+	q.chatMessages = append(q.chatMessages, messages...)
 	return messages, nil
 }
 
diff --git a/coderd/database/modelmethods.go b/coderd/database/modelmethods.go
@@ -568,3 +568,8 @@ func (m WorkspaceAgentVolumeResourceMonitor) Debounce(
 
 	return m.DebouncedUntil, false
 }
+
+func (c Chat) RBACObject() rbac.Object {
+	return rbac.ResourceChat.WithID(c.ID).
+		WithOwner(c.OwnerID.String())
+}
diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go
@@ -299,6 +299,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 				ResourceOrganizationMember.Type: {policy.ActionRead},
 				// Users can create provisioner daemons scoped to themselves.
 				ResourceProvisionerDaemon.Type: {policy.ActionRead, policy.ActionCreate, policy.ActionRead, policy.ActionUpdate},
+				// Users can create, read, update, and delete their own agentic chat messages.
+				ResourceChat.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
 			})...,
 		),
 	}.withCachedRegoValue()
diff --git a/coderd/rbac/roles_test.go b/coderd/rbac/roles_test.go
@@ -831,6 +831,37 @@ func TestRolePermissions(t *testing.T) {
 				},
 			},
 		},
+		// Members may read their own chats.
+		{
+			Name:     "CreateReadUpdateDeleteMyChats",
+			Actions:  []policy.Action{policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
+			Resource: rbac.ResourceChat.WithOwner(currentUser.String()),
+			AuthorizeMap: map[bool][]hasAuthSubjects{
+				true: {memberMe, orgMemberMe, owner},
+				false: {
+					userAdmin, orgUserAdmin, templateAdmin,
+					orgAuditor, orgTemplateAdmin,
+					otherOrgMember, otherOrgAuditor, otherOrgUserAdmin, otherOrgTemplateAdmin,
+					orgAdmin, otherOrgAdmin,
+				},
+			},
+		},
+		// Only owners can create, read, update, and delete other users' chats.
+		{
+			Name:     "CreateReadUpdateDeleteOtherUserChats",
+			Actions:  []policy.Action{policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
+			Resource: rbac.ResourceChat.WithOwner(uuid.NewString()), // some other user
+			AuthorizeMap: map[bool][]hasAuthSubjects{
+				true: {owner},
+				false: {
+					memberMe, orgMemberMe,
+					userAdmin, orgUserAdmin, templateAdmin,
+					orgAuditor, orgTemplateAdmin,
+					otherOrgMember, otherOrgAuditor, otherOrgUserAdmin, otherOrgTemplateAdmin,
+					orgAdmin, otherOrgAdmin,
+				},
+			},
+		},
 	}
 
 	// We expect every permission to be tested above.

Original file line number	Diff line number	Diff line change
`@@ -1270,10 +1270,7 @@ func (q *querier) DeleteApplicationConnectAPIKeysByUserID(ctx context.Context, u`
`1270`	`1270`	`}`
`1271`	`1271`
`1272`	`1272`	`func (q *querier) DeleteChat(ctx context.Context, id uuid.UUID) error {`
`1273`		`- if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceChat.WithID(id)); err != nil {`
`1274`		`- return err`
`1275`		`- }`
`1276`		`- return q.db.DeleteChat(ctx, id)`
	`1273`	`+ return deleteQ(q.log, q.auth, q.db.GetChatByID, q.db.DeleteChat)(ctx, id)`
`1277`	`1274`	`}`
`1278`	`1275`
`1279`	`1276`	`func (q *querier) DeleteCoordinator(ctx context.Context, id uuid.UUID) error {`
`@@ -1694,24 +1691,19 @@ func (q *querier) GetAuthorizationUserRoles(ctx context.Context, userID uuid.UUI`
`1694`	`1691`	`}`
`1695`	`1692`
`1696`	`1693`	`func (q *querier) GetChatByID(ctx context.Context, id uuid.UUID) (database.Chat, error) {`
`1697`		`- if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceChat.WithID(id)); err != nil {`
`1698`		`- return database.Chat{}, err`
`1699`		`- }`
`1700`		`- return q.db.GetChatByID(ctx, id)`
	`1694`	`+ return fetch(q.log, q.auth, q.db.GetChatByID)(ctx, id)`
`1701`	`1695`	`}`
`1702`	`1696`
`1703`	`1697`	`func (q *querier) GetChatMessagesByChatID(ctx context.Context, chatID uuid.UUID) ([]database.ChatMessage, error) {`
`1704`		`- if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceChat.WithID(chatID)); err != nil {`
	`1698`	`+ c, err := q.GetChatByID(ctx, chatID)`
	`1699`	`+ if err != nil {`
`1705`	`1700`	`return nil, err`
`1706`	`1701`	`}`
`1707`		`- return q.db.GetChatMessagesByChatID(ctx, chatID)`
	`1702`	`+ return q.db.GetChatMessagesByChatID(ctx, c.ID)`
`1708`	`1703`	`}`
`1709`	`1704`
`1710`	`1705`	`func (q *querier) GetChatsByOwnerID(ctx context.Context, ownerID uuid.UUID) ([]database.Chat, error) {`
`1711`		`- if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceChat); err != nil {`
`1712`		`- return nil, err`
`1713`		`- }`
`1714`		`- return q.db.GetChatsByOwnerID(ctx, ownerID)`
	`1706`	`+ return fetchWithPostFilter(q.auth, policy.ActionRead, q.db.GetChatsByOwnerID)(ctx, ownerID)`
`1715`	`1707`	`}`
`1716`	`1708`
`1717`	`1709`	`func (q *querier) GetCoordinatorResumeTokenSigningKey(ctx context.Context) (string, error) {`
`@@ -3348,7 +3340,14 @@ func (q *querier) InsertChat(ctx context.Context, arg database.InsertChatParams)`
`3348`	`3340`	`}`
`3349`	`3341`
`3350`	`3342`	`func (q *querier) InsertChatMessages(ctx context.Context, arg database.InsertChatMessagesParams) ([]database.ChatMessage, error) {`
`3351`		`- return insert(q.log, q.auth, rbac.ResourceChat.WithID(arg.ChatID), q.db.InsertChatMessages)(ctx, arg)`
	`3343`	`+ c, err := q.db.GetChatByID(ctx, arg.ChatID)`
	`3344`	`+ if err != nil {`
	`3345`	`+ return nil, err`
	`3346`	`+ }`
	`3347`	`+ if err := q.authorizeContext(ctx, policy.ActionUpdate, c); err != nil {`
	`3348`	`+ return nil, err`
	`3349`	`+ }`
	`3350`	`+ return q.db.InsertChatMessages(ctx, arg)`
`3352`	`3351`	`}`
`3353`	`3352`
`3354`	`3353`	`func (q *querier) InsertCryptoKey(ctx context.Context, arg database.InsertCryptoKeyParams) (database.CryptoKey, error) {`
`@@ -4000,10 +3999,10 @@ func (q *querier) UpdateAPIKeyByID(ctx context.Context, arg database.UpdateAPIKe`
`4000`	`3999`	`}`
`4001`	`4000`
`4002`	`4001`	`func (q *querier) UpdateChatByID(ctx context.Context, arg database.UpdateChatByIDParams) error {`
`4003`		`- if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceChat.WithID(arg.ID)); err != nil {`
`4004`		`- return err`
	`4002`	`+ fetch := func(ctx context.Context, arg database.UpdateChatByIDParams) (database.Chat, error) {`
	`4003`	`+ return q.db.GetChatByID(ctx, arg.ID)`
`4005`	`4004`	`}`
`4006`		`- return q.db.UpdateChatByID(ctx, arg)`
	`4005`	`+ return update(q.log, q.auth, fetch, q.db.UpdateChatByID)(ctx, arg)`
`4007`	`4006`	`}`
`4008`	`4007`
`4009`	`4008`	`func (q *querier) UpdateCryptoKeyDeletesAt(ctx context.Context, arg database.UpdateCryptoKeyDeletesAtParams) (database.CryptoKey, error) {`
Original file line number	Diff line number	Diff line change
`@@ -8487,6 +8487,8 @@ func (q *FakeQuerier) InsertChatMessages(ctx context.Context, arg database.Inser`
`8487`	`8487`	`Content: content,`
`8488`	`8488`	`})`
`8489`	`8489`	`}`
	`8490`	`+`
	`8491`	`+ q.chatMessages = append(q.chatMessages, messages...)`
`8490`	`8492`	`return messages, nil`
`8491`	`8493`	`}`
`8492`	`8494`
Original file line number	Diff line number	Diff line change
`@@ -568,3 +568,8 @@ func (m WorkspaceAgentVolumeResourceMonitor) Debounce(`
`568`	`568`
`569`	`569`	`return m.DebouncedUntil, false`
`570`	`570`	`}`
	`571`	`+`
	`572`	`+func (c Chat) RBACObject() rbac.Object {`
	`573`	`+ return rbac.ResourceChat.WithID(c.ID).`
	`574`	`+ WithOwner(c.OwnerID.String())`
	`575`	`+}`