WIP

mtojek · mtojek · commit 7d0b0c969610 · 2023-03-22T15:16:30.000+01:00
diff --git a/coderd/database/dbauthz/querier.go b/coderd/database/dbauthz/querier.go
@@ -851,11 +851,14 @@ func (q *querier) UpdateTemplateScheduleByID(ctx context.Context, arg database.U
 }
 
 func (q *querier) UpdateTemplateVersionByID(ctx context.Context, arg database.UpdateTemplateVersionByIDParams) (database.TemplateVersion, error) {
-	template, err := q.db.GetTemplateByID(ctx, arg.TemplateID.UUID)
+	// Must do an authorized fetch to prevent leaking template ids this way.
+	tpl, err := q.GetTemplateByID(ctx, arg.TemplateID.UUID)
 	if err != nil {
 		return database.TemplateVersion{}, err
 	}
-	if err := q.authorizeContext(ctx, rbac.ActionUpdate, template); err != nil {
+	// Check the create permission on the template.
+	err = q.authorizeContext(ctx, rbac.ActionUpdate, tpl)
+	if err != nil {
 		return database.TemplateVersion{}, err
 	}
 	return q.db.UpdateTemplateVersionByID(ctx, arg)
diff --git a/coderd/database/dbauthz/querier_test.go b/coderd/database/dbauthz/querier_test.go
@@ -721,6 +721,8 @@ func (s *MethodTestSuite) TestTemplate() {
 		check.Args(database.UpdateTemplateVersionByIDParams{
 			ID:         tv.ID,
 			TemplateID: uuid.NullUUID{UUID: t1.ID, Valid: true},
+			Name:       tv.Name,
+			UpdatedAt:  tv.UpdatedAt,
 		}).Asserts(t1, rbac.ActionUpdate).Returns(tv)
 	}))
 	s.Run("UpdateTemplateVersionDescriptionByJobID", s.Subtest(func(db database.Store, check *expects) {
diff --git a/coderd/templateversions.go b/coderd/templateversions.go
@@ -80,21 +80,46 @@ func (api *API) patchTemplateVersion(rw http.ResponseWriter, r *http.Request) {
 	if !httpapi.Read(ctx, rw, r, &params) {
 		return
 	}
-	if params.Name == "" {
-		params.Name = templateVersion.Name
+
+	updateParams := database.UpdateTemplateVersionByIDParams{
+		ID:         templateVersion.ID,
+		TemplateID: templateVersion.TemplateID,
+		UpdatedAt:  database.Now(),
+		Name:       templateVersion.Name,
 	}
-	templateVersion, err := api.Database.UpdateTemplateVersionByID(ctx, database.UpdateTemplateVersionByIDParams{
-		ID:   templateVersion.ID,
-		Name: params.Name,
-	})
+
+	if params.Name != "" {
+		updateParams.Name = params.Name
+	}
+	// It is not allowed to "patch" the template ID, and reassign it.
+	updatedTemplateVersion, err := api.Database.UpdateTemplateVersionByID(ctx, updateParams)
 	if err != nil {
 		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 			Message: "Error on patching template version.",
 			Detail:  err.Error(),
 		})
 		return
 	}
-	httpapi.Write(ctx, rw, http.StatusNoContent, templateVersion)
+
+	job, err := api.Database.GetProvisionerJobByID(ctx, templateVersion.JobID)
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Internal error fetching provisioner job.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
+	user, err := api.Database.GetUserByID(ctx, templateVersion.CreatedBy)
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Internal error on fetching user.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
+	httpapi.Write(ctx, rw, http.StatusOK, convertTemplateVersion(updatedTemplateVersion, convertProvisionerJob(job), user))
 }
 
 // @Summary Cancel template version by ID
diff --git a/coderd/templateversions_test.go b/coderd/templateversions_test.go
@@ -1342,30 +1342,33 @@ func TestTemplateVersionPatch(t *testing.T) {
 		client := coderdtest.New(t, nil)
 		user := coderdtest.CreateFirstUser(t, client)
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+		coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
 
 		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
 		defer cancel()
 
+		const newName = "new_name"
 		updatedVersion, err := client.UpdateTemplateVersion(ctx, version.ID, codersdk.PatchTemplateVersionRequest{
-			Name: "new name",
+			Name: newName,
 		})
 
 		require.NoError(t, err)
-		require.Equal(t, updatedVersion.Name, "new name")
+		assert.Equal(t, newName, updatedVersion.Name)
+		assert.NotEqual(t, updatedVersion.Name, version.Name)
 	})
 
 	t.Run("Use the same name if a new name is not passed", func(t *testing.T) {
 		t.Parallel()
 		client := coderdtest.New(t, nil)
 		user := coderdtest.CreateFirstUser(t, client)
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+		coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
 
 		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
 		defer cancel()
 
 		updatedVersion, err := client.UpdateTemplateVersion(ctx, version.ID, codersdk.PatchTemplateVersionRequest{})
-
 		require.NoError(t, err)
-		require.Equal(t, updatedVersion.Name, version.Name)
+		assert.Equal(t, version.Name, updatedVersion.Name)
 	})
 }
diff --git a/codersdk/templateversions.go b/codersdk/templateversions.go
@@ -302,7 +302,7 @@ func (c *Client) UpdateTemplateVersion(ctx context.Context, versionID uuid.UUID,
 		return TemplateVersion{}, err
 	}
 	defer res.Body.Close()
-	if res.StatusCode != http.StatusNoContent {
+	if res.StatusCode != http.StatusOK {
 		return TemplateVersion{}, ReadBodyAsError(res)
 	}
 	var version TemplateVersion

Original file line number	Diff line number	Diff line change
`@@ -851,11 +851,14 @@ func (q *querier) UpdateTemplateScheduleByID(ctx context.Context, arg database.U`
`851`	`851`	`}`
`852`	`852`
`853`	`853`	`func (q *querier) UpdateTemplateVersionByID(ctx context.Context, arg database.UpdateTemplateVersionByIDParams) (database.TemplateVersion, error) {`
`854`		`- template, err := q.db.GetTemplateByID(ctx, arg.TemplateID.UUID)`
	`854`	`+ // Must do an authorized fetch to prevent leaking template ids this way.`
	`855`	`+ tpl, err := q.GetTemplateByID(ctx, arg.TemplateID.UUID)`
`855`	`856`	`if err != nil {`
`856`	`857`	`return database.TemplateVersion{}, err`
`857`	`858`	`}`
`858`		`- if err := q.authorizeContext(ctx, rbac.ActionUpdate, template); err != nil {`
	`859`	`+ // Check the create permission on the template.`
	`860`	`+ err = q.authorizeContext(ctx, rbac.ActionUpdate, tpl)`
	`861`	`+ if err != nil {`
`859`	`862`	`return database.TemplateVersion{}, err`
`860`	`863`	`}`
`861`	`864`	`return q.db.UpdateTemplateVersionByID(ctx, arg)`
Original file line number	Diff line number	Diff line change
`@@ -302,7 +302,7 @@ func (c *Client) UpdateTemplateVersion(ctx context.Context, versionID uuid.UUID,`
`302`	`302`	`return TemplateVersion{}, err`
`303`	`303`	`}`
`304`	`304`	`defer res.Body.Close()`
`305`		`- if res.StatusCode != http.StatusNoContent {`
	`305`	`+ if res.StatusCode != http.StatusOK {`
`306`	`306`	`return TemplateVersion{}, ReadBodyAsError(res)`
`307`	`307`	`}`
`308`	`308`	`var version TemplateVersion`