Add RBAC tests

kylecarbs · kylecarbs · commit 7a1ae1551228 · 2022-06-03T05:08:40.000Z
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -80,6 +80,7 @@
     "weblinks",
     "webrtc",
     "workspaceagent",
+    "workspaceapp",
     "workspaceapps",
     "wsconncache",
     "xerrors",
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -107,8 +107,8 @@ func New(options *Options) *API {
 	// %40 is the encoded character of the @ symbol. VS Code Web does
 	// not handle character encoding properly, so it's safe to assume
 	// other applications might not as well.
-	r.Route("/%40{user}/{workspaceagent}/apps/{application}", apps)
-	r.Route("/@{user}/{workspaceagent}/apps/{application}", apps)
+	r.Route("/%40{user}/{workspacename}/apps/{workspaceapp}", apps)
+	r.Route("/@{user}/{workspacename}/apps/{workspaceapp}", apps)
 
 	r.Route("/api/v2", func(r chi.Router) {
 		r.NotFound(func(rw http.ResponseWriter, r *http.Request) {
diff --git a/coderd/coderd_test.go b/coderd/coderd_test.go
@@ -82,6 +82,10 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 						Agents: []*proto.Agent{{
 							Id:   "something",
 							Auth: &proto.Agent_Token{},
+							Apps: []*proto.App{{
+								Name: "app",
+								Url:  "http://localhost:3000",
+							}},
 						}},
 					}},
 				},
@@ -128,6 +132,15 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 		"GET:/api/v2/users/authmethods": {NoAuthorize: true},
 		"POST:/api/v2/csp/reports":      {NoAuthorize: true},
 
+		"GET:/%40{user}/{workspacename}/apps/{application}/*": {
+			AssertAction: rbac.ActionRead,
+			AssertObject: workspaceRBACObj,
+		},
+		"GET:/@{user}/{workspacename}/apps/{application}/*": {
+			AssertAction: rbac.ActionRead,
+			AssertObject: workspaceRBACObj,
+		},
+
 		// Has it's own auth
 		"GET:/api/v2/users/oauth2/github/callback": {NoAuthorize: true},
 
@@ -374,6 +387,7 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 			route = strings.ReplaceAll(route, "{template}", template.ID.String())
 			route = strings.ReplaceAll(route, "{hash}", file.Hash)
 			route = strings.ReplaceAll(route, "{workspaceresource}", workspaceResources[0].ID.String())
+			route = strings.ReplaceAll(route, "{workspaceapp}", workspaceResources[0].Agents[0].Apps[0].Name)
 			route = strings.ReplaceAll(route, "{templateversion}", version.ID.String())
 			route = strings.ReplaceAll(route, "{templateversiondryrun}", templateVersionDryRun.ID.String())
 			route = strings.ReplaceAll(route, "{templatename}", template.Name)
diff --git a/coderd/workspaceagents.go b/coderd/workspaceagents.go
@@ -403,7 +403,7 @@ func (api *API) workspaceAgentPTY(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 	defer release()
-	ptNetConn, err := agentConn.ReconnectingPTY(reconnect.String(), uint16(height), uint16(width), "")
+	ptNetConn, err := agentConn.ReconnectingPTY(reconnect.String(), uint16(height), uint16(width), r.URL.Query().Get("command"))
 	if err != nil {
 		_ = conn.Close(websocket.StatusInternalError, httpapi.WebsocketCloseSprintf("dial: %s", err))
 		return
diff --git a/coderd/workspaceagents_test.go b/coderd/workspaceagents_test.go
@@ -297,7 +297,7 @@ func TestWorkspaceAgentPTY(t *testing.T) {
 	})
 	resources := coderdtest.AwaitWorkspaceAgents(t, client, workspace.LatestBuild.ID)
 
-	conn, err := client.WorkspaceAgentReconnectingPTY(context.Background(), resources[0].Agents[0].ID, uuid.New(), 80, 80)
+	conn, err := client.WorkspaceAgentReconnectingPTY(context.Background(), resources[0].Agents[0].ID, uuid.New(), 80, 80, "/bin/bash")
 	require.NoError(t, err)
 	defer conn.Close()
 
diff --git a/coderd/workspaceapps.go b/coderd/workspaceapps.go
@@ -15,6 +15,7 @@ import (
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/httpapi"
 	"github.com/coder/coder/coderd/httpmw"
+	"github.com/coder/coder/coderd/rbac"
 	"github.com/coder/coder/site"
 )
 
@@ -23,7 +24,7 @@ import (
 func (api *API) workspaceAppsProxyPath(rw http.ResponseWriter, r *http.Request) {
 	user := httpmw.UserParam(r)
 	// This can be in the form of: "<workspace-name>.[workspace-agent]" or "<workspace-name>"
-	workspaceWithAgent := chi.URLParam(r, "workspaceagent")
+	workspaceWithAgent := chi.URLParam(r, "workspacename")
 	workspaceParts := strings.Split(workspaceWithAgent, ".")
 
 	workspace, err := api.Database.GetWorkspaceByOwnerIDAndName(r.Context(), database.GetWorkspaceByOwnerIDAndNameParams{
@@ -42,6 +43,9 @@ func (api *API) workspaceAppsProxyPath(rw http.ResponseWriter, r *http.Request)
 		})
 		return
 	}
+	if !api.Authorize(rw, r, rbac.ActionRead, workspace) {
+		return
+	}
 
 	build, err := api.Database.GetLatestWorkspaceBuildByWorkspaceID(r.Context(), workspace.ID)
 	if err != nil {
@@ -87,7 +91,7 @@ func (api *API) workspaceAppsProxyPath(rw http.ResponseWriter, r *http.Request)
 
 	app, err := api.Database.GetWorkspaceAppByAgentIDAndName(r.Context(), database.GetWorkspaceAppByAgentIDAndNameParams{
 		AgentID: agent.ID,
-		Name:    chi.URLParam(r, "application"),
+		Name:    chi.URLParam(r, "workspaceapp"),
 	})
 	if errors.Is(err, sql.ErrNoRows) {
 		httpapi.Write(rw, http.StatusNotFound, httpapi.Response{
diff --git a/codersdk/workspaceagents.go b/codersdk/workspaceagents.go
@@ -341,8 +341,8 @@ func (c *Client) WorkspaceAgent(ctx context.Context, id uuid.UUID) (WorkspaceAge
 // WorkspaceAgentReconnectingPTY spawns a PTY that reconnects using the token provided.
 // It communicates using `agent.ReconnectingPTYRequest` marshaled as JSON.
 // Responses are PTY output that can be rendered.
-func (c *Client) WorkspaceAgentReconnectingPTY(ctx context.Context, agentID, reconnect uuid.UUID, height, width int) (net.Conn, error) {
-	serverURL, err := c.URL.Parse(fmt.Sprintf("/api/v2/workspaceagents/%s/pty?reconnect=%s&height=%d&width=%d", agentID, reconnect, height, width))
+func (c *Client) WorkspaceAgentReconnectingPTY(ctx context.Context, agentID, reconnect uuid.UUID, height, width int, command string) (net.Conn, error) {
+	serverURL, err := c.URL.Parse(fmt.Sprintf("/api/v2/workspaceagents/%s/pty?reconnect=%s&height=%d&width=%d&command=%s", agentID, reconnect, height, width, command))
 	if err != nil {
 		return nil, xerrors.Errorf("parse url: %w", err)
 	}

Original file line number	Diff line number	Diff line change
`@@ -403,7 +403,7 @@ func (api API) workspaceAgentPTY(rw http.ResponseWriter, r http.Request) {`
`403`	`403`	`return`
`404`	`404`	`}`
`405`	`405`	`defer release()`
`406`		`- ptNetConn, err := agentConn.ReconnectingPTY(reconnect.String(), uint16(height), uint16(width), "")`
	`406`	`+ ptNetConn, err := agentConn.ReconnectingPTY(reconnect.String(), uint16(height), uint16(width), r.URL.Query().Get("command"))`
`407`	`407`	`if err != nil {`
`408`	`408`	`_ = conn.Close(websocket.StatusInternalError, httpapi.WebsocketCloseSprintf("dial: %s", err))`
`409`	`409`	`return`