add required authz system inovcations in enterprise/coderd

johnstcn · johnstcn · commit 970b717ad59f · 2023-03-09T13:47:14.000Z
diff --git a/enterprise/coderd/coderd.go b/enterprise/coderd/coderd.go
@@ -18,6 +18,7 @@ import (
 	"cdr.dev/slog"
 	"github.com/coder/coder/coderd"
 	agplaudit "github.com/coder/coder/coderd/audit"
+	"github.com/coder/coder/coderd/database/dbauthz"
 	"github.com/coder/coder/coderd/httpapi"
 	"github.com/coder/coder/coderd/httpmw"
 	"github.com/coder/coder/coderd/rbac"
@@ -181,7 +182,8 @@ func New(ctx context.Context, options *Options) (*API, error) {
 		ServerName:   options.AccessURL.Hostname(),
 	}
 	var err error
-	api.replicaManager, err = replicasync.New(ctx, options.Logger, options.Database, options.Pubsub, &replicasync.Options{
+	// nolint:gocritic // ReplicaManager needs system permissions.
+	api.replicaManager, err = replicasync.New(dbauthz.AsSystemRestricted(ctx), options.Logger, options.Database, options.Pubsub, &replicasync.Options{
 		ID:           api.AGPL.ID,
 		RelayAddress: options.DERPServerRelayAddress,
 		RegionID:     int32(options.DERPServerRegionID),
diff --git a/enterprise/coderd/license/license.go b/enterprise/coderd/license/license.go
@@ -12,6 +12,7 @@ import (
 	"cdr.dev/slog"
 
 	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/database/dbauthz"
 	"github.com/coder/coder/codersdk"
 )
 
@@ -39,12 +40,14 @@ func Entitlements(
 		}
 	}
 
-	licenses, err := db.GetUnexpiredLicenses(ctx)
+	// nolint:gocritic // Getting unexpired licenses is a system function.
+	licenses, err := db.GetUnexpiredLicenses(dbauthz.AsSystemRestricted(ctx))
 	if err != nil {
 		return entitlements, err
 	}
 
-	activeUserCount, err := db.GetActiveUserCount(ctx)
+	// nolint:gocritic // Getting active user count is a system function.
+	activeUserCount, err := db.GetActiveUserCount(dbauthz.AsSystemRestricted(ctx))
 	if err != nil {
 		return entitlements, xerrors.Errorf("query active user count: %w", err)
 	}
diff --git a/enterprise/coderd/provisionerdaemons_test.go b/enterprise/coderd/provisionerdaemons_test.go
@@ -11,6 +11,7 @@ import (
 
 	"github.com/coder/coder/coderd/coderdtest"
 	"github.com/coder/coder/coderd/provisionerdserver"
+	"github.com/coder/coder/coderd/rbac"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/enterprise/coderd/coderdenttest"
 	"github.com/coder/coder/enterprise/coderd/license"
@@ -20,6 +21,22 @@ import (
 
 func TestProvisionerDaemonServe(t *testing.T) {
 	t.Parallel()
+	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
+		client := coderdenttest.New(t, nil)
+		user := coderdtest.CreateFirstUser(t, client)
+		coderdenttest.AddLicense(t, client, coderdenttest.LicenseOptions{
+			Features: license.Features{
+				codersdk.FeatureExternalProvisionerDaemons: 1,
+			},
+		})
+		srv, err := client.ServeProvisionerDaemon(context.Background(), user.OrganizationID, []codersdk.ProvisionerType{
+			codersdk.ProvisionerTypeEcho,
+		}, map[string]string{})
+		require.NoError(t, err)
+		srv.DRPCConn().Close()
+	})
+
 	t.Run("NoLicense", func(t *testing.T) {
 		t.Parallel()
 		client := coderdenttest.New(t, nil)
@@ -42,11 +59,16 @@ func TestProvisionerDaemonServe(t *testing.T) {
 				codersdk.FeatureExternalProvisionerDaemons: 1,
 			},
 		})
-		srv, err := client.ServeProvisionerDaemon(context.Background(), user.OrganizationID, []codersdk.ProvisionerType{
+		another, _ := coderdtest.CreateAnotherUser(t, client, user.OrganizationID, rbac.RoleOrgAdmin(user.OrganizationID))
+		_, err := another.ServeProvisionerDaemon(context.Background(), user.OrganizationID, []codersdk.ProvisionerType{
 			codersdk.ProvisionerTypeEcho,
-		}, map[string]string{})
-		require.NoError(t, err)
-		srv.DRPCConn().Close()
+		}, map[string]string{
+			provisionerdserver.TagScope: provisionerdserver.ScopeOrganization,
+		})
+		require.Error(t, err)
+		var apiError *codersdk.Error
+		require.ErrorAs(t, err, &apiError)
+		require.Equal(t, http.StatusForbidden, apiError.StatusCode())
 	})
 
 	t.Run("OrganizationNoPerms", func(t *testing.T) {
diff --git a/enterprise/replicasync/replicasync.go b/enterprise/replicasync/replicasync.go
@@ -19,7 +19,6 @@ import (
 
 	"github.com/coder/coder/buildinfo"
 	"github.com/coder/coder/coderd/database"
-	"github.com/coder/coder/coderd/database/dbauthz"
 )
 
 var PubsubEvent = "replica"
@@ -63,7 +62,7 @@ func New(ctx context.Context, logger slog.Logger, db database.Store, pubsub data
 		return nil, xerrors.Errorf("ping database: %w", err)
 	}
 	// nolint:gocritic // Inserting a replica is a system function.
-	replica, err := db.InsertReplica(dbauthz.AsSystemRestricted(ctx), database.InsertReplicaParams{
+	replica, err := db.InsertReplica(ctx, database.InsertReplicaParams{
 		ID:              options.ID,
 		CreatedAt:       database.Now(),
 		StartedAt:       database.Now(),
@@ -144,7 +143,7 @@ func (m *Manager) loop(ctx context.Context) {
 			return
 		case <-deleteTicker.C:
 			// nolint:gocritic // Deleting a replica is a system function
-			err := m.db.DeleteReplicasUpdatedBefore(dbauthz.AsSystemRestricted(ctx), m.updateInterval())
+			err := m.db.DeleteReplicasUpdatedBefore(ctx, m.updateInterval())
 			if err != nil {
 				m.logger.Warn(ctx, "delete old replicas", slog.Error(err))
 			}
@@ -222,7 +221,7 @@ func (m *Manager) syncReplicas(ctx context.Context) error {
 	// Expect replicas to update once every three times the interval...
 	// If they don't, assume death!
 	// nolint:gocritic // Reading replicas is a system function
-	replicas, err := m.db.GetReplicasUpdatedAfter(dbauthz.AsSystemRestricted(ctx), m.updateInterval())
+	replicas, err := m.db.GetReplicasUpdatedAfter(ctx, m.updateInterval())
 	if err != nil {
 		return xerrors.Errorf("get replicas: %w", err)
 	}
@@ -280,6 +279,7 @@ func (m *Manager) syncReplicas(ctx context.Context) error {
 
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
+	// nolint:gocritic // Updating a replica is a system function.
 	replica, err := m.db.UpdateReplica(ctx, database.UpdateReplicaParams{
 		ID:              m.self.ID,
 		UpdatedAt:       database.Now(),
@@ -371,7 +371,7 @@ func (m *Manager) Close() error {
 	ctx, cancelFunc := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancelFunc()
 	// nolint:gocritic // Updating a replica is a sytsem function.
-	_, err := m.db.UpdateReplica(dbauthz.AsSystemRestricted(ctx), database.UpdateReplicaParams{
+	_, err := m.db.UpdateReplica(ctx, database.UpdateReplicaParams{
 		ID:        m.self.ID,
 		UpdatedAt: database.Now(),
 		StartedAt: m.self.StartedAt,

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@ import (`
`12`	`12`	`"cdr.dev/slog"`
`13`	`13`
`14`	`14`	`"github.com/coder/coder/coderd/database"`
	`15`	`+ "github.com/coder/coder/coderd/database/dbauthz"`
`15`	`16`	`"github.com/coder/coder/codersdk"`
`16`	`17`	`)`
`17`	`18`
`@@ -39,12 +40,14 @@ func Entitlements(`
`39`	`40`	`}`
`40`	`41`	`}`
`41`	`42`
`42`		`- licenses, err := db.GetUnexpiredLicenses(ctx)`
	`43`	`+ // nolint:gocritic // Getting unexpired licenses is a system function.`
	`44`	`+ licenses, err := db.GetUnexpiredLicenses(dbauthz.AsSystemRestricted(ctx))`
`43`	`45`	`if err != nil {`
`44`	`46`	`return entitlements, err`
`45`	`47`	`}`
`46`	`48`
`47`		`- activeUserCount, err := db.GetActiveUserCount(ctx)`
	`49`	`+ // nolint:gocritic // Getting active user count is a system function.`
	`50`	`+ activeUserCount, err := db.GetActiveUserCount(dbauthz.AsSystemRestricted(ctx))`
`48`	`51`	`if err != nil {`
`49`	`52`	`return entitlements, xerrors.Errorf("query active user count: %w", err)`
`50`	`53`	`}`