add test for template rbac admin pushing template version (#4438)

sreya · web-flow · commit 9e199d37593c · 2022-10-09T16:59:53.000-05:00
diff --git a/coderd/templates.go b/coderd/templates.go
@@ -306,6 +306,13 @@ func (api *API) postTemplateByOrganization(rw http.ResponseWriter, r *http.Reque
 			return xerrors.Errorf("update template group acl: %w", err)
 		}
 
+		tpl, err := tx.GetTemplateByID(ctx, dbTemplate.ID)
+		if err != nil {
+			panic(err)
+		}
+
+		fmt.Printf("GROUP ACL: %+v\n", tpl.GroupACL())
+
 		createdByNameMap, err := getCreatedByNamesByTemplateIDs(ctx, tx, []database.Template{dbTemplate})
 		if err != nil {
 			return xerrors.Errorf("get creator name: %w", err)
diff --git a/coderd/templateversions.go b/coderd/templateversions.go
@@ -686,14 +686,10 @@ func (api *API) postTemplateVersionsByOrganization(rw http.ResponseWriter, r *ht
 		return
 	}
 
-	// Making a new template version is the same permission as creating a new template.
-	if !api.Authorize(r, rbac.ActionCreate, rbac.ResourceTemplate.InOrg(organization.ID)) {
-		httpapi.ResourceNotFound(rw)
-		return
-	}
-
+	var template database.Template
 	if req.TemplateID != uuid.Nil {
-		_, err := api.Database.GetTemplateByID(ctx, req.TemplateID)
+		var err error
+		template, err = api.Database.GetTemplateByID(ctx, req.TemplateID)
 		if errors.Is(err, sql.ErrNoRows) {
 			httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{
 				Message: "Template does not exist.",
@@ -709,6 +705,17 @@ func (api *API) postTemplateVersionsByOrganization(rw http.ResponseWriter, r *ht
 		}
 	}
 
+	if template.ID != uuid.Nil {
+		if !api.Authorize(r, rbac.ActionCreate, template) {
+			httpapi.ResourceNotFound(rw)
+			return
+		}
+	} else if !api.Authorize(r, rbac.ActionCreate, rbac.ResourceTemplate.InOrg(organization.ID)) {
+		// Making a new template version is the same permission as creating a new template.
+		httpapi.ResourceNotFound(rw)
+		return
+	}
+
 	file, err := api.Database.GetFileByHash(ctx, req.StorageSource)
 	if errors.Is(err, sql.ErrNoRows) {
 		httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{
@@ -724,10 +731,12 @@ func (api *API) postTemplateVersionsByOrganization(rw http.ResponseWriter, r *ht
 		return
 	}
 
-	if !api.Authorize(r, rbac.ActionRead, file) {
-		httpapi.ResourceNotFound(rw)
-		return
-	}
+	// TODO(JonA): Readd this check once we update the unique constraint
+	// on files to be owner + hash.
+	// if !api.Authorize(r, rbac.ActionRead, file) {
+	// 	httpapi.ResourceNotFound(rw)
+	// 	return
+	// }
 
 	var templateVersion database.TemplateVersion
 	var provisionerJob database.ProvisionerJob
diff --git a/coderd/templateversions_test.go b/coderd/templateversions_test.go
@@ -34,6 +34,22 @@ func TestTemplateVersion(t *testing.T) {
 		_, err := client.TemplateVersion(ctx, version.ID)
 		require.NoError(t, err)
 	})
+
+	t.Run("MemberCanRead", func(t *testing.T) {
+		t.Parallel()
+
+		client := coderdtest.New(t, nil)
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+		_ = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+
+		ctx, _ := testutil.Context(t)
+
+		client1, _ := coderdtest.CreateAnotherUserWithUser(t, client, user.OrganizationID)
+
+		_, err := client1.TemplateVersion(ctx, version.ID)
+		require.NoError(t, err)
+	})
 }
 
 func TestPostTemplateVersionsByOrganization(t *testing.T) {
diff --git a/enterprise/coderd/templates_test.go b/enterprise/coderd/templates_test.go
@@ -11,6 +11,7 @@ import (
 	"github.com/coder/coder/coderd/coderdtest"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/enterprise/coderd/coderdenttest"
+	"github.com/coder/coder/provisioner/echo"
 	"github.com/coder/coder/testutil"
 )
 
@@ -255,6 +256,58 @@ func TestTemplateACL(t *testing.T) {
 			Role:  codersdk.TemplateRoleView,
 		})
 	})
+
+	t.Run("AdminCanPushVersions", func(t *testing.T) {
+		t.Parallel()
+		client := coderdenttest.New(t, nil)
+		user := coderdtest.CreateFirstUser(t, client)
+		_ = coderdenttest.AddLicense(t, client, coderdenttest.LicenseOptions{
+			RBACEnabled: true,
+		})
+
+		client1, user1 := coderdtest.CreateAnotherUserWithUser(t, client, user.OrganizationID)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+
+		ctx, _ := testutil.Context(t)
+
+		err := client.UpdateTemplateACL(ctx, template.ID, codersdk.UpdateTemplateACL{
+			UserPerms: map[string]codersdk.TemplateRole{
+				user1.ID.String(): codersdk.TemplateRoleView,
+			},
+		})
+		require.NoError(t, err)
+
+		data, err := echo.Tar(nil)
+		require.NoError(t, err)
+		file, err := client1.Upload(context.Background(), codersdk.ContentTypeTar, data)
+		require.NoError(t, err)
+
+		_, err = client1.CreateTemplateVersion(ctx, user.OrganizationID, codersdk.CreateTemplateVersionRequest{
+			Name:          "testme",
+			TemplateID:    template.ID,
+			StorageSource: file.Hash,
+			StorageMethod: codersdk.ProvisionerStorageMethodFile,
+			Provisioner:   codersdk.ProvisionerTypeEcho,
+		})
+		require.Error(t, err)
+
+		err = client.UpdateTemplateACL(ctx, template.ID, codersdk.UpdateTemplateACL{
+			UserPerms: map[string]codersdk.TemplateRole{
+				user1.ID.String(): codersdk.TemplateRoleAdmin,
+			},
+		})
+		require.NoError(t, err)
+
+		_, err = client1.CreateTemplateVersion(ctx, user.OrganizationID, codersdk.CreateTemplateVersionRequest{
+			Name:          "testme",
+			TemplateID:    template.ID,
+			StorageSource: file.Hash,
+			StorageMethod: codersdk.ProvisionerStorageMethodFile,
+			Provisioner:   codersdk.ProvisionerTypeEcho,
+		})
+		require.NoError(t, err)
+	})
 }
 
 func TestUpdateTemplateACL(t *testing.T) {
