review

ethanndickson · ethanndickson · commit 964bfe979937 · 2024-10-29T10:02:21.000Z
diff --git a/cli/server.go b/cli/server.go
@@ -722,13 +722,6 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 				options.Database = dbmetrics.NewDBMetrics(options.Database, options.Logger, options.PrometheusRegistry)
 			}
 
-			wsUpdates, err := coderd.NewUpdatesProvider(logger.Named("workspace_updates"), options.Pubsub, options.Database, options.Authorizer)
-			if err != nil {
-				return xerrors.Errorf("create workspace updates provider: %w", err)
-			}
-			options.WorkspaceUpdatesProvider = wsUpdates
-			defer wsUpdates.Close()
-
 			var deploymentID string
 			err = options.Database.InTx(func(tx database.Store) error {
 				// This will block until the lock is acquired, and will be
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -495,6 +495,13 @@ func New(options *Options) *API {
 		}
 	}
 
+	if options.WorkspaceUpdatesProvider == nil {
+		options.WorkspaceUpdatesProvider, err = NewUpdatesProvider(options.Logger.Named("workspace_updates"), options.Pubsub, options.Database, options.Authorizer)
+		if err != nil {
+			options.Logger.Critical(ctx, "failed to properly instantiate workspace updates provider", slog.Error(err))
+		}
+	}
+
 	// Start a background process that rotates keys. We intentionally start this after the caches
 	// are created to force initial requests for a key to populate the caches. This helps catch
 	// bugs that may only occur when a key isn't precached in tests and the latency cost is minimal.
@@ -1495,6 +1502,7 @@ func (api *API) Close() error {
 	_ = api.OIDCConvertKeyCache.Close()
 	_ = api.AppSigningKeyCache.Close()
 	_ = api.AppEncryptionKeyCache.Close()
+	_ = api.WorkspaceUpdatesProvider.Close()
 	return nil
 }
 
diff --git a/coderd/workspaceupdates.go b/coderd/workspaceupdates.go
@@ -14,7 +14,6 @@ import (
 	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/coderd/database/pubsub"
 	"github.com/coder/coder/v2/coderd/rbac"
-	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/coderd/util/slice"
 	"github.com/coder/coder/v2/coderd/wspubsub"
 	"github.com/coder/coder/v2/codersdk"
@@ -23,7 +22,8 @@ import (
 )
 
 type UpdatesQuerier interface {
-	GetAuthorizedWorkspacesAndAgentsByOwnerID(ctx context.Context, ownerID uuid.UUID, prep rbac.PreparedAuthorized) ([]database.GetWorkspacesAndAgentsByOwnerIDRow, error)
+	// GetAuthorizedWorkspacesAndAgentsByOwnerID requires a context with an actor set
+	GetWorkspacesAndAgentsByOwnerID(ctx context.Context, ownerID uuid.UUID) ([]database.GetWorkspacesAndAgentsByOwnerIDRow, error)
 	GetWorkspaceByAgentID(ctx context.Context, agentID uuid.UUID) (database.Workspace, error)
 }
 
@@ -45,11 +45,10 @@ type sub struct {
 	ctx      context.Context
 	cancelFn context.CancelFunc
 
-	mu       sync.RWMutex
-	userID   uuid.UUID
-	ch       chan *proto.WorkspaceUpdate
-	prev     workspacesByID
-	readPrep rbac.PreparedAuthorized
+	mu     sync.RWMutex
+	userID uuid.UUID
+	ch     chan *proto.WorkspaceUpdate
+	prev   workspacesByID
 
 	db     UpdatesQuerier
 	ps     pubsub.Pubsub
@@ -76,7 +75,7 @@ func (s *sub) handleEvent(ctx context.Context, event wspubsub.WorkspaceEvent, er
 		}
 	}
 
-	rows, err := s.db.GetAuthorizedWorkspacesAndAgentsByOwnerID(ctx, s.userID, s.readPrep)
+	rows, err := s.db.GetWorkspacesAndAgentsByOwnerID(ctx, s.userID)
 	if err != nil {
 		s.logger.Warn(ctx, "failed to get workspaces and agents by owner ID", slog.Error(err))
 		return
@@ -97,7 +96,7 @@ func (s *sub) handleEvent(ctx context.Context, event wspubsub.WorkspaceEvent, er
 }
 
 func (s *sub) start(ctx context.Context) (err error) {
-	rows, err := s.db.GetAuthorizedWorkspacesAndAgentsByOwnerID(ctx, s.userID, s.readPrep)
+	rows, err := s.db.GetWorkspacesAndAgentsByOwnerID(ctx, s.userID)
 	if err != nil {
 		return xerrors.Errorf("get workspaces and agents by owner ID: %w", err)
 	}
@@ -168,17 +167,17 @@ func (u *updatesProvider) Close() error {
 	return nil
 }
 
+// Subscribe subscribes to workspace updates for a user, for the workspaces
+// that user is authorized to `ActionRead` on. The provided context must have
+// a dbauthz actor set.
 func (u *updatesProvider) Subscribe(ctx context.Context, userID uuid.UUID) (tailnet.Subscription, error) {
 	actor, ok := dbauthz.ActorFromContext(ctx)
 	if !ok {
 		return nil, xerrors.Errorf("actor not found in context")
 	}
-	readPrep, err := u.auth.Prepare(ctx, actor, policy.ActionRead, rbac.ResourceWorkspace.Type)
-	if err != nil {
-		return nil, xerrors.Errorf("prepare read action: %w", err)
-	}
+	ctx, cancel := context.WithCancel(u.ctx)
+	ctx = dbauthz.As(ctx, actor)
 	ch := make(chan *proto.WorkspaceUpdate, 1)
-	ctx, cancel := context.WithCancel(ctx)
 	sub := &sub{
 		ctx:      ctx,
 		cancelFn: cancel,
@@ -188,9 +187,8 @@ func (u *updatesProvider) Subscribe(ctx context.Context, userID uuid.UUID) (tail
 		ps:       u.ps,
 		logger:   u.logger.Named(fmt.Sprintf("workspace_updates_subscriber_%s", userID)),
 		prev:     workspacesByID{},
-		readPrep: readPrep,
 	}
-	err = sub.start(ctx)
+	err := sub.start(ctx)
 	if err != nil {
 		_ = sub.Close()
 		return nil, err
diff --git a/coderd/workspaceupdates_test.go b/coderd/workspaceupdates_test.go
@@ -25,22 +25,23 @@ import (
 
 func TestWorkspaceUpdates(t *testing.T) {
 	t.Parallel()
-	ctx := context.Background()
 
-	ws1ID := uuid.New()
+	ws1ID := uuid.UUID{0x01}
 	ws1IDSlice := tailnet.UUIDToByteSlice(ws1ID)
-	agent1ID := uuid.New()
+	agent1ID := uuid.UUID{0x02}
 	agent1IDSlice := tailnet.UUIDToByteSlice(agent1ID)
-	ws2ID := uuid.New()
+	ws2ID := uuid.UUID{0x03}
 	ws2IDSlice := tailnet.UUIDToByteSlice(ws2ID)
-	ws3ID := uuid.New()
+	ws3ID := uuid.UUID{0x04}
 	ws3IDSlice := tailnet.UUIDToByteSlice(ws3ID)
-	agent2ID := uuid.New()
+	agent2ID := uuid.UUID{0x05}
 	agent2IDSlice := tailnet.UUIDToByteSlice(agent2ID)
-	ws4ID := uuid.New()
+	ws4ID := uuid.UUID{0x06}
 	ws4IDSlice := tailnet.UUIDToByteSlice(ws4ID)
+	agent3ID := uuid.UUID{0x07}
+	agent3IDSlice := tailnet.UUIDToByteSlice(agent3ID)
 
-	ownerID := uuid.New()
+	ownerID := uuid.UUID{0x08}
 	memberRole, err := rbac.RoleByName(rbac.RoleMember())
 	require.NoError(t, err)
 	ownerSubject := rbac.Subject{
@@ -53,9 +54,11 @@ func TestWorkspaceUpdates(t *testing.T) {
 	t.Run("Basic", func(t *testing.T) {
 		t.Parallel()
 
+		ctx := testutil.Context(t, testutil.WaitShort)
+
 		db := &mockWorkspaceStore{
 			orderedRows: []database.GetWorkspacesAndAgentsByOwnerIDRow{
-				// Gains a new agent
+				// Gains agent2
 				{
 					ID:         ws1ID,
 					Name:       "ws1",
@@ -81,6 +84,12 @@ func TestWorkspaceUpdates(t *testing.T) {
 					Name:       "ws3",
 					JobStatus:  database.ProvisionerJobStatusSucceeded,
 					Transition: database.WorkspaceTransitionStop,
+					Agents: []database.AgentIDNamePair{
+						{
+							ID:   agent3ID,
+							Name: "agent3",
+						},
+					},
 				},
 			},
 		}
@@ -97,13 +106,15 @@ func TestWorkspaceUpdates(t *testing.T) {
 
 		sub, err := updateProvider.Subscribe(dbauthz.As(ctx, ownerSubject), ownerID)
 		require.NoError(t, err)
-		ch := sub.Updates()
+		defer sub.Close()
 
-		update, ok := <-ch
-		require.True(t, ok)
+		update := testutil.RequireRecvCtx(ctx, t, sub.Updates())
 		slices.SortFunc(update.UpsertedWorkspaces, func(a, b *proto.Workspace) int {
 			return strings.Compare(a.Name, b.Name)
 		})
+		slices.SortFunc(update.UpsertedAgents, func(a, b *proto.Agent) int {
+			return strings.Compare(a.Name, b.Name)
+		})
 		require.Equal(t, &proto.WorkspaceUpdate{
 			UpsertedWorkspaces: []*proto.Workspace{
 				{
@@ -128,6 +139,11 @@ func TestWorkspaceUpdates(t *testing.T) {
 					Name:        "agent1",
 					WorkspaceId: ws1IDSlice,
 				},
+				{
+					Id:          agent3IDSlice,
+					Name:        "agent3",
+					WorkspaceId: ws3IDSlice,
+				},
 			},
 			DeletedWorkspaces: []*proto.Workspace{},
 			DeletedAgents:     []*proto.Agent{},
@@ -169,8 +185,7 @@ func TestWorkspaceUpdates(t *testing.T) {
 			WorkspaceID: ws1ID,
 		})
 
-		update, ok = <-ch
-		require.True(t, ok)
+		update = testutil.RequireRecvCtx(ctx, t, sub.Updates())
 		slices.SortFunc(update.UpsertedWorkspaces, func(a, b *proto.Workspace) int {
 			return strings.Compare(a.Name, b.Name)
 		})
@@ -203,13 +218,21 @@ func TestWorkspaceUpdates(t *testing.T) {
 					Status: proto.Workspace_STOPPED,
 				},
 			},
-			DeletedAgents: []*proto.Agent{},
+			DeletedAgents: []*proto.Agent{
+				{
+					Id:          agent3IDSlice,
+					Name:        "agent3",
+					WorkspaceId: ws3IDSlice,
+				},
+			},
 		}, update)
 	})
 
 	t.Run("Resubscribe", func(t *testing.T) {
 		t.Parallel()
 
+		ctx := testutil.Context(t, testutil.WaitShort)
+
 		db := &mockWorkspaceStore{
 			orderedRows: []database.GetWorkspacesAndAgentsByOwnerIDRow{
 				{
@@ -290,7 +313,7 @@ type mockWorkspaceStore struct {
 }
 
 // GetAuthorizedWorkspacesAndAgentsByOwnerID implements coderd.UpdatesQuerier.
-func (m *mockWorkspaceStore) GetAuthorizedWorkspacesAndAgentsByOwnerID(context.Context, uuid.UUID, rbac.PreparedAuthorized) ([]database.GetWorkspacesAndAgentsByOwnerIDRow, error) {
+func (m *mockWorkspaceStore) GetWorkspacesAndAgentsByOwnerID(context.Context, uuid.UUID) ([]database.GetWorkspacesAndAgentsByOwnerIDRow, error) {
 	return m.orderedRows, nil
 }
 
diff --git a/enterprise/tailnet/connio.go b/enterprise/tailnet/connio.go
@@ -133,7 +133,7 @@ var errDisconnect = xerrors.New("graceful disconnect")
 
 func (c *connIO) handleRequest(req *proto.CoordinateRequest) error {
 	c.logger.Debug(c.peerCtx, "got request")
-	err := c.auth.Authorize(c.coordCtx, req)
+	err := c.auth.Authorize(c.peerCtx, req)
 	if err != nil {
 		c.logger.Warn(c.peerCtx, "unauthorized request", slog.Error(err))
 		return xerrors.Errorf("authorize request: %w", err)
diff --git a/enterprise/tailnet/pgcoord_test.go b/enterprise/tailnet/pgcoord_test.go
@@ -913,6 +913,42 @@ func TestPGCoordinatorDual_PeerReconnect(t *testing.T) {
 	p2.AssertNeverUpdateKind(p1.ID, proto.CoordinateResponse_PeerUpdate_DISCONNECTED)
 }
 
+// TestPGCoordinatorPropogatedPeerContext tests that the context for a specific peer
+// is propogated through to the `Authorize` method of the coordinatee auth
+func TestPGCoordinatorPropogatedPeerContext(t *testing.T) {
+	t.Parallel()
+
+	if !dbtestutil.WillUsePostgres() {
+		t.Skip("test only with postgres")
+	}
+
+	ctx := testutil.Context(t, testutil.WaitShort)
+	store, ps := dbtestutil.NewDB(t)
+	logger := slogtest.Make(t, nil).Leveled(slog.LevelDebug)
+
+	peerCtx := context.WithValue(ctx, agpltest.FakeSubjectKey{}, struct{}{})
+	peerID := uuid.UUID{0x01}
+	agentID := uuid.UUID{0x02}
+
+	c1, err := tailnet.NewPGCoord(ctx, logger, ps, store)
+	require.NoError(t, err)
+	defer func() {
+		err := c1.Close()
+		require.NoError(t, err)
+	}()
+
+	ch := make(chan struct{})
+	auth := agpltest.FakeCoordinateeAuth{
+		Chan: ch,
+	}
+
+	reqs, _ := c1.Coordinate(peerCtx, peerID, "peer1", auth)
+
+	testutil.RequireSendCtx(ctx, t, reqs, &proto.CoordinateRequest{AddTunnel: &proto.CoordinateRequest_Tunnel{Id: agpl.UUIDToByteSlice(agentID)}})
+
+	_ = testutil.RequireRecvCtx(ctx, t, ch)
+}
+
 func assertEventuallyStatus(ctx context.Context, t *testing.T, store database.Store, agentID uuid.UUID, status database.TailnetStatus) {
 	t.Helper()
 	assert.Eventually(t, func() bool {
diff --git a/tailnet/coordinator_test.go b/tailnet/coordinator_test.go
@@ -529,3 +529,36 @@ func (f *fakeCoordinatee) SetNodeCallback(callback func(*tailnet.Node)) {
 	defer f.Unlock()
 	f.callback = callback
 }
+
+// TestCoordinatorPropogatedPeerContext tests that the context for a specific peer
+// is propogated through to the `Authorize“ method of the coordinatee auth
+func TestCoordinatorPropogatedPeerContext(t *testing.T) {
+	t.Parallel()
+
+	ctx := testutil.Context(t, testutil.WaitShort)
+	logger := slogtest.Make(t, nil).Leveled(slog.LevelDebug)
+
+	peerCtx := context.WithValue(ctx, test.FakeSubjectKey{}, struct{}{})
+	peerCtx, peerCtxCancel := context.WithCancel(peerCtx)
+	peerID := uuid.UUID{0x01}
+	agentID := uuid.UUID{0x02}
+
+	c1 := tailnet.NewCoordinator(logger)
+	t.Cleanup(func() {
+		err := c1.Close()
+		require.NoError(t, err)
+	})
+
+	ch := make(chan struct{})
+	auth := test.FakeCoordinateeAuth{
+		Chan: ch,
+	}
+
+	reqs, _ := c1.Coordinate(peerCtx, peerID, "peer1", auth)
+
+	testutil.RequireSendCtx(ctx, t, reqs, &proto.CoordinateRequest{AddTunnel: &proto.CoordinateRequest_Tunnel{Id: tailnet.UUIDToByteSlice(agentID)}})
+	_ = testutil.RequireRecvCtx(ctx, t, ch)
+	// If we don't cancel the context, the coordinator close will wait until the
+	// peer request loop finishes, which will be after the timeout
+	peerCtxCancel()
+}
diff --git a/tailnet/service.go b/tailnet/service.go
@@ -220,28 +220,15 @@ func (s *DRPCService) WorkspaceUpdates(req *proto.WorkspaceUpdatesRequest, strea
 	defer stream.Close()
 
 	ctx := stream.Context()
-	streamID, ok := ctx.Value(streamIDContextKey{}).(StreamID)
-	if !ok {
-		return xerrors.New("no Stream ID")
-	}
 
 	ownerID, err := uuid.FromBytes(req.WorkspaceOwnerId)
 	if err != nil {
 		return xerrors.Errorf("parse workspace owner ID: %w", err)
 	}
 
-	var sub Subscription
-	switch auth := streamID.Auth.(type) {
-	case ClientUserCoordinateeAuth:
-		sub, err = s.WorkspaceUpdatesProvider.Subscribe(ctx, ownerID)
-		if err != nil {
-			err = xerrors.Errorf("subscribe to workspace updates: %w", err)
-		}
-	default:
-		err = xerrors.Errorf("workspace updates not supported by auth name %T", auth)
-	}
+	sub, err := s.WorkspaceUpdatesProvider.Subscribe(ctx, ownerID)
 	if err != nil {
-		return err
+		return xerrors.Errorf("subscribe to workspace updates: %w", err)
 	}
 	defer sub.Close()
 
diff --git a/tailnet/service_test.go b/tailnet/service_test.go
diff --git a/tailnet/test/peer.go b/tailnet/test/peer.go

Original file line number	Diff line number	Diff line change
`@@ -495,6 +495,13 @@ func New(options Options) API {`
`495`	`495`	`}`
`496`	`496`	`}`
`497`	`497`
	`498`	`+ if options.WorkspaceUpdatesProvider == nil {`
	`499`	`+ options.WorkspaceUpdatesProvider, err = NewUpdatesProvider(options.Logger.Named("workspace_updates"), options.Pubsub, options.Database, options.Authorizer)`
	`500`	`+ if err != nil {`
	`501`	`+ options.Logger.Critical(ctx, "failed to properly instantiate workspace updates provider", slog.Error(err))`
	`502`	`+ }`
	`503`	`+ }`
	`504`	`+`
`498`	`505`	`// Start a background process that rotates keys. We intentionally start this after the caches`
`499`	`506`	`// are created to force initial requests for a key to populate the caches. This helps catch`
`500`	`507`	`// bugs that may only occur when a key isn't precached in tests and the latency cost is minimal.`
`@@ -1495,6 +1502,7 @@ func (api *API) Close() error {`
`1495`	`1502`	`_ = api.OIDCConvertKeyCache.Close()`
`1496`	`1503`	`_ = api.AppSigningKeyCache.Close()`
`1497`	`1504`	`_ = api.AppEncryptionKeyCache.Close()`
	`1505`	`+ _ = api.WorkspaceUpdatesProvider.Close()`
`1498`	`1506`	`return nil`
`1499`	`1507`	`}`
`1500`	`1508`