coder
diff --git a/‎README.md
Lines changed: 2 additions & 1 deletion b/‎README.md
Lines changed: 2 additions & 1 deletion
diff --git a/‎coderd/coderd.go
Lines changed: 33 additions & 27 deletions b/‎coderd/coderd.go
Lines changed: 33 additions & 27 deletions
diff --git a/‎coderd/coderd_test.go
Lines changed: 15 additions & 6 deletions b/‎coderd/coderd_test.go
Lines changed: 15 additions & 6 deletions
diff --git a/‎coderd/csp.go
Lines changed: 38 additions & 0 deletions b/‎coderd/csp.go
Lines changed: 38 additions & 0 deletions
diff --git a/‎coderd/database/modelmethods.go
Lines changed: 4 additions & 0 deletions b/‎coderd/database/modelmethods.go
Lines changed: 4 additions & 0 deletions
diff --git a/‎coderd/organizations.go
Lines changed: 71 additions & 0 deletions b/‎coderd/organizations.go
Lines changed: 71 additions & 0 deletions
diff --git a/‎coderd/organizations_test.go
Lines changed: 3 additions & 3 deletions b/‎coderd/organizations_test.go
Lines changed: 3 additions & 3 deletions
diff --git a/‎coderd/roles_test.go
Lines changed: 1 addition & 1 deletion b/‎coderd/roles_test.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/templateversions.go
Lines changed: 10 additions & 0 deletions b/‎coderd/templateversions.go
Lines changed: 10 additions & 0 deletions
@@ -10,7 +10,8 @@ Follow](https://img.shields.io/twitter/follow/CoderHQ?label=%40CoderHQ&style=soc
 
 Coder creates remote development machines so you can develop your code from anywhere.
 
-**Coder is in an alpha state.** But, any serious bugs are P1 for us so please report them.
+> **Note**:
+> Coder is in an alpha state, but any serious bugs are P1 for us so please report them.
 
 <p align="center">
   <img src="./docs/images/hero-image.png">
 
@@ -101,7 +101,6 @@ func New(options *Options) *API {
 				Message: "Route not found.",
 			})
 		})
-
 		r.Use(
 			// Specific routes can specify smaller limits.
 			httpmw.RateLimitPerMinute(options.APIRateLimit),
@@ -112,6 +111,9 @@ func New(options *Options) *API {
 				Message: "👋",
 			})
 		})
+		// All CSP errors will be logged
+		r.Post("/csp/reports", api.logReportCSPViolations)
+
 		r.Route("/buildinfo", func(r chi.Router) {
 			r.Get("/", func(rw http.ResponseWriter, r *http.Request) {
 				httpapi.Write(rw, http.StatusOK, codersdk.BuildInfoResponse{
@@ -138,36 +140,41 @@ func New(options *Options) *API {
 			)
 			r.Get("/", api.provisionerDaemons)
 		})
-		r.Route("/organizations/{organization}", func(r chi.Router) {
+		r.Route("/organizations", func(r chi.Router) {
 			r.Use(
 				apiKeyMiddleware,
-				httpmw.ExtractOrganizationParam(options.Database),
 				authRolesMiddleware,
 			)
-			r.Get("/", api.organization)
-			r.Post("/templateversions", api.postTemplateVersionsByOrganization)
-			r.Route("/templates", func(r chi.Router) {
-				r.Post("/", api.postTemplateByOrganization)
-				r.Get("/", api.templatesByOrganization)
-				r.Get("/{templatename}", api.templateByOrganizationAndName)
-			})
-			r.Route("/workspaces", func(r chi.Router) {
-				r.Post("/", api.postWorkspacesByOrganization)
-				r.Get("/", api.workspacesByOrganization)
-				r.Route("/{user}", func(r chi.Router) {
-					r.Use(httpmw.ExtractUserParam(options.Database))
-					r.Get("/{workspacename}", api.workspaceByOwnerAndName)
-					r.Get("/", api.workspacesByOwner)
+			r.Post("/", api.postOrganizations)
+			r.Route("/{organization}", func(r chi.Router) {
+				r.Use(
+					httpmw.ExtractOrganizationParam(options.Database),
+				)
+				r.Get("/", api.organization)
+				r.Post("/templateversions", api.postTemplateVersionsByOrganization)
+				r.Route("/templates", func(r chi.Router) {
+					r.Post("/", api.postTemplateByOrganization)
+					r.Get("/", api.templatesByOrganization)
+					r.Get("/{templatename}", api.templateByOrganizationAndName)
 				})
-			})
-			r.Route("/members", func(r chi.Router) {
-				r.Get("/roles", api.assignableOrgRoles)
-				r.Route("/{user}", func(r chi.Router) {
-					r.Use(
-						httpmw.ExtractUserParam(options.Database),
-						httpmw.ExtractOrganizationMemberParam(options.Database),
-					)
-					r.Put("/roles", api.putMemberRoles)
+				r.Route("/workspaces", func(r chi.Router) {
+					r.Post("/", api.postWorkspacesByOrganization)
+					r.Get("/", api.workspacesByOrganization)
+					r.Route("/{user}", func(r chi.Router) {
+						r.Use(httpmw.ExtractUserParam(options.Database))
+						r.Get("/{workspacename}", api.workspaceByOwnerAndName)
+						r.Get("/", api.workspacesByOwner)
+					})
+				})
+				r.Route("/members", func(r chi.Router) {
+					r.Get("/roles", api.assignableOrgRoles)
+					r.Route("/{user}", func(r chi.Router) {
+						r.Use(
+							httpmw.ExtractUserParam(options.Database),
+							httpmw.ExtractOrganizationMemberParam(options.Database),
+						)
+						r.Put("/roles", api.putMemberRoles)
+					})
 				})
 			})
 		})
@@ -250,7 +257,6 @@ func New(options *Options) *API {
 
 					r.Post("/keys", api.postAPIKey)
 					r.Route("/organizations", func(r chi.Router) {
-						r.Post("/", api.postOrganizationsByUser)
 						r.Get("/", api.organizationsByUser)
 						r.Get("/{organizationname}", api.organizationByUserAndName)
 					})
 
@@ -122,6 +122,7 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 		"POST:/api/v2/users/first":      {NoAuthorize: true},
 		"POST:/api/v2/users/login":      {NoAuthorize: true},
 		"GET:/api/v2/users/authmethods": {NoAuthorize: true},
+		"POST:/api/v2/csp/reports":      {NoAuthorize: true},
 
 		// Has it's own auth
 		"GET:/api/v2/users/oauth2/github/callback": {NoAuthorize: true},
@@ -141,12 +142,6 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 		"GET:/api/v2/workspaceagents/{workspaceagent}/pty":        {NoAuthorize: true},
 		"GET:/api/v2/workspaceagents/{workspaceagent}/turn":       {NoAuthorize: true},
 
-		// TODO: @emyrk these need to be fixed by adding authorize calls
-		"POST:/api/v2/organizations/{organization}/workspaces":       {NoAuthorize: true},
-		"POST:/api/v2/users/{user}/organizations":                    {NoAuthorize: true},
-		"GET:/api/v2/workspaces/{workspace}/watch":                   {NoAuthorize: true},
-		"POST:/api/v2/organizations/{organization}/templateversions": {NoAuthorize: true},
-
 		// These endpoints have more assertions. This is good, add more endpoints to assert if you can!
 		"GET:/api/v2/organizations/{organization}":                   {AssertObject: rbac.ResourceOrganization.InOrg(admin.OrganizationID)},
 		"GET:/api/v2/users/{user}/organizations":                     {StatusCode: http.StatusOK, AssertObject: rbac.ResourceOrganization},
@@ -288,11 +283,25 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 			AssertAction: rbac.ActionRead,
 			AssertObject: rbac.ResourceTemplate.InOrg(template.OrganizationID).WithID(template.ID.String()),
 		},
+		"POST:/api/v2/organizations/{organization}/workspaces": {
+			AssertAction: rbac.ActionCreate,
+			// No ID when creating
+			AssertObject: workspaceRBACObj.WithID(""),
+		},
+		"GET:/api/v2/workspaces/{workspace}/watch": {
+			AssertAction: rbac.ActionRead,
+			AssertObject: workspaceRBACObj,
+		},
+		"POST:/api/v2/users/{user}/organizations/": {
+			AssertAction: rbac.ActionCreate,
+			AssertObject: rbac.ResourceOrganization,
+		},
 
 		// These endpoints need payloads to get to the auth part. Payloads will be required
 		"PUT:/api/v2/users/{user}/roles":                                {StatusCode: http.StatusBadRequest, NoAuthorize: true},
 		"PUT:/api/v2/organizations/{organization}/members/{user}/roles": {NoAuthorize: true},
 		"POST:/api/v2/workspaces/{workspace}/builds":                    {StatusCode: http.StatusBadRequest, NoAuthorize: true},
+		"POST:/api/v2/organizations/{organization}/templateversions":    {StatusCode: http.StatusBadRequest, NoAuthorize: true},
 	}
 
 	for k, v := range assertRoute {
 
@@ -0,0 +1,38 @@
+package coderd
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/coder/coder/coderd/httpapi"
+
+	"cdr.dev/slog"
+)
+
+type cspViolation struct {
+	Report map[string]interface{} `json:"csp-report"`
+}
+
+// logReportCSPViolations will log all reported csp violations.
+func (api *API) logReportCSPViolations(rw http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	var v cspViolation
+
+	dec := json.NewDecoder(r.Body)
+	err := dec.Decode(&v)
+	if err != nil {
+		api.Logger.Warn(ctx, "csp violation", slog.Error(err))
+		httpapi.Write(rw, http.StatusBadRequest, httpapi.Response{
+			Message: "failed to read body",
+		})
+		return
+	}
+
+	fields := make([]slog.Field, 0, len(v.Report))
+	for k, v := range v.Report {
+		fields = append(fields, slog.F(k, v))
+	}
+	api.Logger.Warn(ctx, "csp violation", fields...)
+
+	httpapi.Write(rw, http.StatusOK, "ok")
+}
@@ -26,3 +26,7 @@ func (o Organization) RBACObject() rbac.Object {
 func (d ProvisionerDaemon) RBACObject() rbac.Object {
 	return rbac.ResourceProvisionerDaemon.WithID(d.ID.String())
 }
+
+func (f File) RBACObject() rbac.Object {
+	return rbac.ResourceFile.WithID(f.Hash).WithOwner(f.CreatedBy.String())
+}
@@ -1,8 +1,14 @@
 package coderd
 
 import (
+	"database/sql"
+	"errors"
+	"fmt"
 	"net/http"
 
+	"github.com/google/uuid"
+	"golang.org/x/xerrors"
+
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/httpapi"
 	"github.com/coder/coder/coderd/httpmw"
@@ -22,6 +28,71 @@ func (api *API) organization(rw http.ResponseWriter, r *http.Request) {
 	httpapi.Write(rw, http.StatusOK, convertOrganization(organization))
 }
 
+func (api *API) postOrganizations(rw http.ResponseWriter, r *http.Request) {
+	apiKey := httpmw.APIKey(r)
+	// Create organization uses the organization resource without an OrgID.
+	// This means you need the site wide permission to make a new organization.
+	if !api.Authorize(rw, r, rbac.ActionCreate,
+		rbac.ResourceOrganization) {
+		return
+	}
+
+	var req codersdk.CreateOrganizationRequest
+	if !httpapi.Read(rw, r, &req) {
+		return
+	}
+
+	_, err := api.Database.GetOrganizationByName(r.Context(), req.Name)
+	if err == nil {
+		httpapi.Write(rw, http.StatusConflict, httpapi.Response{
+			Message: "organization already exists with that name",
+		})
+		return
+	}
+	if !errors.Is(err, sql.ErrNoRows) {
+		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
+			Message: fmt.Sprintf("get organization: %s", err.Error()),
+		})
+		return
+	}
+
+	var organization database.Organization
+	err = api.Database.InTx(func(db database.Store) error {
+		organization, err = api.Database.InsertOrganization(r.Context(), database.InsertOrganizationParams{
+			ID:        uuid.New(),
+			Name:      req.Name,
+			CreatedAt: database.Now(),
+			UpdatedAt: database.Now(),
+		})
+		if err != nil {
+			return xerrors.Errorf("create organization: %w", err)
+		}
+		_, err = api.Database.InsertOrganizationMember(r.Context(), database.InsertOrganizationMemberParams{
+			OrganizationID: organization.ID,
+			UserID:         apiKey.UserID,
+			CreatedAt:      database.Now(),
+			UpdatedAt:      database.Now(),
+			Roles: []string{
+				// Also assign member role incase they get demoted from admin
+				rbac.RoleOrgMember(organization.ID),
+				rbac.RoleOrgAdmin(organization.ID),
+			},
+		})
+		if err != nil {
+			return xerrors.Errorf("create organization member: %w", err)
+		}
+		return nil
+	})
+	if err != nil {
+		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
+			Message: err.Error(),
+		})
+		return
+	}
+
+	httpapi.Write(rw, http.StatusCreated, convertOrganization(organization))
+}
+
 // convertOrganization consumes the database representation and outputs an API friendly representation.
 func convertOrganization(organization database.Organization) codersdk.Organization {
 	return codersdk.Organization{
 
@@ -38,7 +38,7 @@ func TestOrganizationByUserAndName(t *testing.T) {
 		client := coderdtest.New(t, nil)
 		first := coderdtest.CreateFirstUser(t, client)
 		other := coderdtest.CreateAnotherUser(t, client, first.OrganizationID)
-		org, err := client.CreateOrganization(context.Background(), codersdk.Me, codersdk.CreateOrganizationRequest{
+		org, err := client.CreateOrganization(context.Background(), codersdk.CreateOrganizationRequest{
 			Name: "another",
 		})
 		require.NoError(t, err)
@@ -67,7 +67,7 @@ func TestPostOrganizationsByUser(t *testing.T) {
 		user := coderdtest.CreateFirstUser(t, client)
 		org, err := client.Organization(context.Background(), user.OrganizationID)
 		require.NoError(t, err)
-		_, err = client.CreateOrganization(context.Background(), codersdk.Me, codersdk.CreateOrganizationRequest{
+		_, err = client.CreateOrganization(context.Background(), codersdk.CreateOrganizationRequest{
 			Name: org.Name,
 		})
 		var apiErr *codersdk.Error
@@ -79,7 +79,7 @@ func TestPostOrganizationsByUser(t *testing.T) {
 		t.Parallel()
 		client := coderdtest.New(t, nil)
 		_ = coderdtest.CreateFirstUser(t, client)
-		_, err := client.CreateOrganization(context.Background(), codersdk.Me, codersdk.CreateOrganizationRequest{
+		_, err := client.CreateOrganization(context.Background(), codersdk.CreateOrganizationRequest{
 			Name: "new",
 		})
 		require.NoError(t, err)
 
@@ -107,7 +107,7 @@ func TestListRoles(t *testing.T) {
 	member := coderdtest.CreateAnotherUser(t, client, admin.OrganizationID)
 	orgAdmin := coderdtest.CreateAnotherUser(t, client, admin.OrganizationID, rbac.RoleOrgAdmin(admin.OrganizationID))
 
-	otherOrg, err := client.CreateOrganization(ctx, admin.UserID.String(), codersdk.CreateOrganizationRequest{
+	otherOrg, err := client.CreateOrganization(ctx, codersdk.CreateOrganizationRequest{
 		Name: "other",
 	})
 	require.NoError(t, err, "create org")
 
@@ -310,6 +310,7 @@ func (api *API) postTemplateVersionsByOrganization(rw http.ResponseWriter, r *ht
 	if !httpapi.Read(rw, r, &req) {
 		return
 	}
+
 	if req.TemplateID != uuid.Nil {
 		_, err := api.Database.GetTemplateByID(r.Context(), req.TemplateID)
 		if errors.Is(err, sql.ErrNoRows) {
@@ -340,6 +341,15 @@ func (api *API) postTemplateVersionsByOrganization(rw http.ResponseWriter, r *ht
 		return
 	}
 
+	// Making a new template version is the same permission as creating a new template.
+	if !api.Authorize(rw, r, rbac.ActionCreate, rbac.ResourceTemplate.InOrg(organization.ID)) {
+		return
+	}
+
+	if !api.Authorize(rw, r, rbac.ActionRead, file) {
+		return
+	}
+
 	var templateVersion database.TemplateVersion
 	var provisionerJob database.ProvisionerJob
 	err = api.Database.InTx(func(db database.Store) error {
Original file line number	Diff line number	Diff line change
`@@ -26,3 +26,7 @@ func (o Organization) RBACObject() rbac.Object {`
`26`	`26`	`func (d ProvisionerDaemon) RBACObject() rbac.Object {`
`27`	`27`	`return rbac.ResourceProvisionerDaemon.WithID(d.ID.String())`
`28`	`28`	`}`
	`29`	`+`
	`30`	`+func (f File) RBACObject() rbac.Object {`
	`31`	`+ return rbac.ResourceFile.WithID(f.Hash).WithOwner(f.CreatedBy.String())`
	`32`	`+}`