coder
diff --git a/‎Makefile
Lines changed: 7 additions & 2 deletions b/‎Makefile
Lines changed: 7 additions & 2 deletions
diff --git a/‎cli/server.go
Lines changed: 1 addition & 1 deletion b/‎cli/server.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎cli/server_test.go
Lines changed: 2 additions & 0 deletions b/‎cli/server_test.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎cli/testdata/coder_server_--help.golden
Lines changed: 6 additions & 0 deletions b/‎cli/testdata/coder_server_--help.golden
Lines changed: 6 additions & 0 deletions
diff --git a/‎cli/testdata/server-config.yaml.golden
Lines changed: 6 additions & 0 deletions b/‎cli/testdata/server-config.yaml.golden
Lines changed: 6 additions & 0 deletions
diff --git a/‎coderd/apidoc/docs.go
Lines changed: 59 additions & 1 deletion b/‎coderd/apidoc/docs.go
Lines changed: 59 additions & 1 deletion
diff --git a/‎coderd/apidoc/swagger.json
Lines changed: 59 additions & 1 deletion b/‎coderd/apidoc/swagger.json
Lines changed: 59 additions & 1 deletion
diff --git a/‎coderd/authorize.go
Lines changed: 2 additions & 2 deletions b/‎coderd/authorize.go
Lines changed: 2 additions & 2 deletions
diff --git a/‎coderd/authorize_test.go
Lines changed: 7 additions & 7 deletions b/‎coderd/authorize_test.go
Lines changed: 7 additions & 7 deletions
diff --git a/‎coderd/autobuild/executor/lifecycle_executor.go
Lines changed: 1 addition & 1 deletion b/‎coderd/autobuild/executor/lifecycle_executor.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/autobuild/executor/lifecycle_executor_test.go
Lines changed: 2 additions & 2 deletions b/‎coderd/autobuild/executor/lifecycle_executor_test.go
Lines changed: 2 additions & 2 deletions
diff --git a/‎coderd/coderd.go
Lines changed: 6 additions & 0 deletions b/‎coderd/coderd.go
Lines changed: 6 additions & 0 deletions
diff --git a/‎coderd/coderdtest/coderdtest.go
Lines changed: 2 additions & 0 deletions b/‎coderd/coderdtest/coderdtest.go
Lines changed: 2 additions & 0 deletions
diff --git a/‎coderd/prometheusmetrics/collector.go
Lines changed: 1 addition & 2 deletions b/‎coderd/prometheusmetrics/collector.go
Lines changed: 1 addition & 2 deletions
@@ -423,6 +423,7 @@ gen: \
 	provisionersdk/proto/provisioner.pb.go \
 	provisionerd/proto/provisionerd.pb.go \
 	site/src/api/typesGenerated.ts \
+	coderd/rbac/object_gen.go \
 	docs/admin/prometheus.md \
 	docs/cli.md \
 	docs/admin/audit-logs.md \
@@ -443,6 +444,7 @@ gen/mark-fresh:
 		provisionersdk/proto/provisioner.pb.go \
 		provisionerd/proto/provisionerd.pb.go \
 		site/src/api/typesGenerated.ts \
+		coderd/rbac/object_gen.go \
 		docs/admin/prometheus.md \
 		docs/cli.md \
 		docs/admin/audit-logs.md \
@@ -495,6 +497,9 @@ site/src/api/typesGenerated.ts: scripts/apitypings/main.go $(shell find ./coders
 	cd site
 	yarn run format:types
 
+coderd/rbac/object_gen.go: scripts/rbacgen/main.go coderd/rbac/object.go
+	go run scripts/rbacgen/main.go ./coderd/rbac > coderd/rbac/object_gen.go
+
 docs/admin/prometheus.md: scripts/metricsdocgen/main.go scripts/metricsdocgen/metrics
 	go run scripts/metricsdocgen/main.go
 	cd site
@@ -505,12 +510,12 @@ docs/cli.md: scripts/clidocgen/main.go $(GO_SRC_FILES) docs/manifest.json
 	cd site
 	yarn run format:write:only ../docs/cli.md ../docs/cli/*.md ../docs/manifest.json
 
-docs/admin/audit-logs.md: scripts/auditdocgen/main.go enterprise/audit/table.go
+docs/admin/audit-logs.md: scripts/auditdocgen/main.go enterprise/audit/table.go coderd/rbac/object_gen.go
 	go run scripts/auditdocgen/main.go
 	cd site
 	yarn run format:write:only ../docs/admin/audit-logs.md
 
-coderd/apidoc/swagger.json: $(shell find ./scripts/apidocgen $(FIND_EXCLUSIONS) -type f) $(wildcard coderd/*.go) $(wildcard enterprise/coderd/*.go) $(wildcard codersdk/*.go) .swaggo docs/manifest.json
+coderd/apidoc/swagger.json: $(shell find ./scripts/apidocgen $(FIND_EXCLUSIONS) -type f) $(wildcard coderd/*.go) $(wildcard enterprise/coderd/*.go) $(wildcard codersdk/*.go) .swaggo docs/manifest.json coderd/rbac/object_gen.go
 	./scripts/apidocgen/generate.sh
 	yarn run --cwd=site format:write:only ../docs/api ../docs/manifest.json ../coderd/apidoc/swagger.json
 
 
@@ -145,7 +145,7 @@ func ReadGitAuthProvidersFromEnv(environ []string) ([]codersdk.GitAuthConfig, er
 		case "REGEX":
 			provider.Regex = v.Value
 		case "NO_REFRESH":
-			b, err := strconv.ParseBool(key)
+			b, err := strconv.ParseBool(v.Value)
 			if err != nil {
 				return nil, xerrors.Errorf("parse bool: %s", v.Value)
 			}
 
@@ -84,6 +84,7 @@ func TestReadGitAuthProvidersFromEnv(t *testing.T) {
 			"CODER_GITAUTH_1_TOKEN_URL=google.com",
 			"CODER_GITAUTH_1_VALIDATE_URL=bing.com",
 			"CODER_GITAUTH_1_SCOPES=repo:read repo:write",
+			"CODER_GITAUTH_1_NO_REFRESH=true",
 		})
 		require.NoError(t, err)
 		require.Len(t, providers, 2)
@@ -99,6 +100,7 @@ func TestReadGitAuthProvidersFromEnv(t *testing.T) {
 		assert.Equal(t, "google.com", providers[1].TokenURL)
 		assert.Equal(t, "bing.com", providers[1].ValidateURL)
 		assert.Equal(t, []string{"repo:read", "repo:write"}, providers[1].Scopes)
+		assert.Equal(t, true, providers[1].NoRefresh)
 	})
 }
 
 
@@ -16,6 +16,12 @@ Start a Coder server
           $CACHE_DIRECTORY is set, it will be used for compatibility with
           systemd.
 
+      --disable-owner-workspace-access bool, $CODER_DISABLE_OWNER_WORKSPACE_ACCESS
+          Remove the permission for the 'owner' role to have workspace execution
+          on all workspaces. This prevents the 'owner' from ssh, apps, and
+          terminal access based on the 'owner' role. They still have their user
+          permissions to access their own workspaces.
+
       --disable-path-apps bool, $CODER_DISABLE_PATH_APPS
           Disable workspace apps that are not served from subdomains. Path-based
           apps can make requests to the Coder API and pose a security risk when
 
@@ -315,6 +315,12 @@ agentFallbackTroubleshootingURL: https://coder.com/docs/coder-oss/latest/templat
 # --wildcard-access-url is configured.
 # (default: <unset>, type: bool)
 disablePathApps: false
+# Remove the permission for the 'owner' role to have workspace execution on all
+# workspaces. This prevents the 'owner' from ssh, apps, and terminal access based
+# on the 'owner' role. They still have their user permissions to access their own
+# workspaces.
+# (default: <unset>, type: bool)
+disableOwnerWorkspaceAccess: false
 # These options change the behavior of how clients interact with the Coder.
 # Clients include the coder cli, vs code extension, and the web UI.
 client:
 
@@ -168,7 +168,7 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) {
 		obj := rbac.Object{
 			Owner: v.Object.OwnerID,
 			OrgID: v.Object.OrganizationID,
-			Type:  v.Object.ResourceType,
+			Type:  v.Object.ResourceType.String(),
 		}
 		if obj.Owner == "me" {
 			obj.Owner = auth.Actor.ID
@@ -188,7 +188,7 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) {
 			var dbObj rbac.Objecter
 			var dbErr error
 			// Only support referencing some resources by ID.
-			switch v.Object.ResourceType {
+			switch v.Object.ResourceType.String() {
 			case rbac.ResourceWorkspaceExecution.Type:
 				wrkSpace, err := api.Database.GetWorkspaceByID(ctx, id)
 				if err == nil {
 
@@ -46,34 +46,34 @@ func TestCheckPermissions(t *testing.T) {
 	params := map[string]codersdk.AuthorizationCheck{
 		readAllUsers: {
 			Object: codersdk.AuthorizationObject{
-				ResourceType: "users",
+				ResourceType: codersdk.ResourceUser,
 			},
 			Action: "read",
 		},
 		readMyself: {
 			Object: codersdk.AuthorizationObject{
-				ResourceType: "users",
+				ResourceType: codersdk.ResourceUser,
 				OwnerID:      "me",
 			},
 			Action: "read",
 		},
 		readOwnWorkspaces: {
 			Object: codersdk.AuthorizationObject{
-				ResourceType: "workspaces",
+				ResourceType: codersdk.ResourceWorkspace,
 				OwnerID:      "me",
 			},
 			Action: "read",
 		},
 		readOrgWorkspaces: {
 			Object: codersdk.AuthorizationObject{
-				ResourceType:   "workspaces",
+				ResourceType:   codersdk.ResourceWorkspace,
 				OrganizationID: adminUser.OrganizationID.String(),
 			},
 			Action: "read",
 		},
 		updateSpecificTemplate: {
 			Object: codersdk.AuthorizationObject{
-				ResourceType: rbac.ResourceTemplate.Type,
+				ResourceType: codersdk.ResourceTemplate,
 				ResourceID:   template.ID.String(),
 			},
 			Action: "update",
@@ -103,7 +103,7 @@ func TestCheckPermissions(t *testing.T) {
 			Client: orgAdminClient,
 			UserID: orgAdminUser.ID,
 			Check: map[string]bool{
-				readAllUsers:           false,
+				readAllUsers:           true,
 				readMyself:             true,
 				readOwnWorkspaces:      true,
 				readOrgWorkspaces:      true,
@@ -115,7 +115,7 @@ func TestCheckPermissions(t *testing.T) {
 			Client: memberClient,
 			UserID: memberUser.ID,
 			Check: map[string]bool{
-				readAllUsers:           false,
+				readAllUsers:           true,
 				readMyself:             true,
 				readOwnWorkspaces:      true,
 				readOrgWorkspaces:      false,
 
@@ -308,7 +308,7 @@ func build(ctx context.Context, store database.Store, workspace database.Workspa
 			CreatedAt:         now,
 			UpdatedAt:         now,
 			WorkspaceID:       workspace.ID,
-			TemplateVersionID: template.ActiveVersionID,
+			TemplateVersionID: priorHistory.TemplateVersionID,
 			BuildNumber:       priorBuildNumber + 1,
 			ProvisionerState:  priorHistory.ProvisionerState,
 			InitiatorID:       workspace.OwnerID,
 
@@ -97,14 +97,14 @@ func TestExecutorAutostartTemplateUpdated(t *testing.T) {
 		close(tickCh)
 	}()
 
-	// Then: the workspace is started using the new template version, not the old one.
+	// Then: the workspace should be started using the previous template version, and not the updated version.
 	stats := <-statsCh
 	assert.NoError(t, stats.Error)
 	assert.Len(t, stats.Transitions, 1)
 	assert.Contains(t, stats.Transitions, workspace.ID)
 	assert.Equal(t, database.WorkspaceTransitionStart, stats.Transitions[workspace.ID])
 	ws := coderdtest.MustWorkspace(t, client, workspace.ID)
-	assert.Equal(t, newVersion.ID, ws.LatestBuild.TemplateVersionID, "expected workspace build to be using the new template version")
+	assert.Equal(t, workspace.LatestBuild.TemplateVersionID, ws.LatestBuild.TemplateVersionID, "expected workspace build to be using the old template version")
 }
 
 func TestExecutorAutostartAlreadyRunning(t *testing.T) {
 
@@ -171,6 +171,12 @@ func New(options *Options) *API {
 		options = &Options{}
 	}
 
+	if options.DeploymentValues.DisableOwnerWorkspaceExec {
+		rbac.ReloadBuiltinRoles(&rbac.RoleOptions{
+			NoOwnerWorkspaceExec: true,
+		})
+	}
+
 	if options.Authorizer == nil {
 		options.Authorizer = rbac.NewCachingAuthorizer(options.PrometheusRegistry)
 	}
 
@@ -203,6 +203,8 @@ func NewOptions(t *testing.T, options *Options) (func(http.Handler), context.Can
 	if options.DeploymentValues == nil {
 		options.DeploymentValues = DeploymentValues(t)
 	}
+	// This value is not safe to run in parallel. Force it to be false.
+	options.DeploymentValues.DisableOwnerWorkspaceExec = false
 
 	// If no ratelimits are set, disable all rate limiting for tests.
 	if options.APIRateLimit == 0 {
 
@@ -57,8 +57,7 @@ func (v *CachedGaugeVec) Collect(ch chan<- prometheus.Metric) {
 
 func (v *CachedGaugeVec) WithLabelValues(operation VectorOperation, value float64, labelValues ...string) {
 	switch operation {
-	case VectorOperationAdd:
-	case VectorOperationSet:
+	case VectorOperationAdd, VectorOperationSet:
 	default:
 		panic("unsupported vector operation")
 	}
Original file line number	Diff line number	Diff line change
`@@ -145,7 +145,7 @@ func ReadGitAuthProvidersFromEnv(environ []string) ([]codersdk.GitAuthConfig, er`
`145`	`145`	`case "REGEX":`
`146`	`146`	`provider.Regex = v.Value`
`147`	`147`	`case "NO_REFRESH":`
`148`		`- b, err := strconv.ParseBool(key)`
	`148`	`+ b, err := strconv.ParseBool(v.Value)`
`149`	`149`	`if err != nil {`
`150`	`150`	`return nil, xerrors.Errorf("parse bool: %s", v.Value)`
`151`	`151`	`}`
Original file line number	Diff line number	Diff line change
`@@ -171,6 +171,12 @@ func New(options Options) API {`
`171`	`171`	`options = &Options{}`
`172`	`172`	`}`
`173`	`173`
	`174`	`+ if options.DeploymentValues.DisableOwnerWorkspaceExec {`
	`175`	`+ rbac.ReloadBuiltinRoles(&rbac.RoleOptions{`
	`176`	`+ NoOwnerWorkspaceExec: true,`
	`177`	`+ })`
	`178`	`+ }`
	`179`	`+`
`174`	`180`	`if options.Authorizer == nil {`
`175`	`181`	`options.Authorizer = rbac.NewCachingAuthorizer(options.PrometheusRegistry)`
`176`	`182`	`}`
Original file line number	Diff line number	Diff line change
`@@ -203,6 +203,8 @@ func NewOptions(t testing.T, options Options) (func(http.Handler), context.Can`
`203`	`203`	`if options.DeploymentValues == nil {`
`204`	`204`	`options.DeploymentValues = DeploymentValues(t)`
`205`	`205`	`}`
	`206`	`+ // This value is not safe to run in parallel. Force it to be false.`
	`207`	`+ options.DeploymentValues.DisableOwnerWorkspaceExec = false`
`206`	`208`
`207`	`209`	`// If no ratelimits are set, disable all rate limiting for tests.`
`208`	`210`	`if options.APIRateLimit == 0 {`
Original file line number	Diff line number	Diff line change
`@@ -57,8 +57,7 @@ func (v *CachedGaugeVec) Collect(ch chan<- prometheus.Metric) {`
`57`	`57`
`58`	`58`	`func (v *CachedGaugeVec) WithLabelValues(operation VectorOperation, value float64, labelValues ...string) {`
`59`	`59`	`switch operation {`
`60`		`- case VectorOperationAdd:`
`61`		`- case VectorOperationSet:`
	`60`	`+ case VectorOperationAdd, VectorOperationSet:`
`62`	`61`	`default:`
`63`	`62`	`panic("unsupported vector operation")`
`64`	`63`	`}`