make start/stop workspaces different actions

Emyrk · Emyrk · commit d60f65ac8314 · 2024-05-14T21:58:38.000-05:00
diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go
@@ -221,7 +221,7 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 	}
 
 	if options.Authorizer == nil {
-		defAuth := rbac.NewCachingAuthorizer(prometheus.NewRegistry())
+		defAuth := rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry())
 		if _, ok := t.(*testing.T); ok {
 			options.Authorizer = &RecordingAuthorizer{
 				Wrapped: defAuth,
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -169,7 +169,7 @@ var (
 					rbac.ResourceTemplate.Type: {policy.ActionRead, policy.ActionUpdate},
 					// Unsure why provisionerd needs update and read personal
 					rbac.ResourceUser.Type:      {policy.ActionRead, policy.ActionReadPersonal, policy.ActionUpdatePersonal},
-					rbac.ResourceWorkspace.Type: {policy.ActionRead, policy.ActionUpdate, policy.ActionDelete, policy.ActionWorkspaceBuild},
+					rbac.ResourceWorkspace.Type: {policy.ActionRead, policy.ActionUpdate, policy.ActionDelete, policy.ActionWorkspaceStart, policy.ActionWorkspaceStop},
 					rbac.ResourceApiKey.Type:    {policy.WildcardSymbol},
 					// When org scoped provisioner credentials are implemented,
 					// this can be reduced to read a specific org.
@@ -193,7 +193,7 @@ var (
 				Site: rbac.Permissions(map[string][]policy.Action{
 					rbac.ResourceSystem.Type:    {policy.WildcardSymbol},
 					rbac.ResourceTemplate.Type:  {policy.ActionRead, policy.ActionUpdate},
-					rbac.ResourceWorkspace.Type: {policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceBuild},
+					rbac.ResourceWorkspace.Type: {policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceStart, policy.ActionWorkspaceStop},
 					rbac.ResourceUser.Type:      {policy.ActionRead},
 				}),
 				Org:  map[string][]rbac.Permission{},
@@ -232,7 +232,7 @@ var (
 				DisplayName: "Coder",
 				Site: rbac.Permissions(map[string][]policy.Action{
 					rbac.ResourceWildcard.Type:           {policy.ActionRead},
-					rbac.ResourceApiKey.Type:             {policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
+					rbac.ResourceApiKey.Type:             rbac.ResourceApiKey.AvailableActions(),
 					rbac.ResourceGroup.Type:              {policy.ActionCreate, policy.ActionUpdate},
 					rbac.ResourceAssignRole.Type:         rbac.ResourceAssignRole.AvailableActions(),
 					rbac.ResourceSystem.Type:             {policy.WildcardSymbol},
@@ -241,7 +241,7 @@ var (
 					rbac.ResourceAssignOrgRole.Type:      {policy.ActionRead, policy.ActionCreate, policy.ActionDelete},
 					rbac.ResourceProvisionerDaemon.Type:  {policy.ActionCreate, policy.ActionUpdate},
 					rbac.ResourceUser.Type:               rbac.ResourceUser.AvailableActions(),
-					rbac.ResourceWorkspace.Type:          {policy.ActionUpdate, policy.ActionDelete, policy.ActionWorkspaceBuild, policy.ActionSSH},
+					rbac.ResourceWorkspace.Type:          {policy.ActionUpdate, policy.ActionDelete, policy.ActionWorkspaceStart, policy.ActionWorkspaceStop, policy.ActionSSH},
 					rbac.ResourceWorkspaceProxy.Type:     {policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
 				}),
 				Org:  map[string][]rbac.Permission{},
@@ -2531,9 +2531,11 @@ func (q *querier) InsertWorkspaceBuild(ctx context.Context, arg database.InsertW
 		return xerrors.Errorf("get workspace by id: %w", err)
 	}
 
-	var action policy.Action = policy.ActionWorkspaceBuild
+	var action policy.Action = policy.ActionWorkspaceStart
 	if arg.Transition == database.WorkspaceTransitionDelete {
 		action = policy.ActionDelete
+	} else if arg.Transition == database.WorkspaceTransitionStop {
+		action = policy.ActionWorkspaceStop
 	}
 
 	if err = q.authorizeContext(ctx, action, w); err != nil {
@@ -3280,7 +3282,7 @@ func (q *querier) UpsertAppSecurityKey(ctx context.Context, data string) error {
 }
 
 func (q *querier) UpsertApplicationName(ctx context.Context, value string) error {
-	if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceDeploymentConfig); err != nil {
+	if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceDeploymentConfig); err != nil {
 		return err
 	}
 	return q.db.UpsertApplicationName(ctx, value)
@@ -3294,7 +3296,7 @@ func (q *querier) UpsertDefaultProxy(ctx context.Context, arg database.UpsertDef
 }
 
 func (q *querier) UpsertHealthSettings(ctx context.Context, value string) error {
-	if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceDeploymentConfig); err != nil {
+	if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceDeploymentConfig); err != nil {
 		return err
 	}
 	return q.db.UpsertHealthSettings(ctx, value)
diff --git a/coderd/database/dbauthz/dbauthz_test.go b/coderd/database/dbauthz/dbauthz_test.go
@@ -1432,7 +1432,18 @@ func (s *MethodTestSuite) TestWorkspace() {
 			WorkspaceID: w.ID,
 			Transition:  database.WorkspaceTransitionStart,
 			Reason:      database.BuildReasonInitiator,
-		}).Asserts(w, policy.ActionWorkspaceBuild)
+		}).Asserts(w, policy.ActionWorkspaceStart)
+	}))
+	s.Run("Stop/InsertWorkspaceBuild", s.Subtest(func(db database.Store, check *expects) {
+		t := dbgen.Template(s.T(), db, database.Template{})
+		w := dbgen.Workspace(s.T(), db, database.Workspace{
+			TemplateID: t.ID,
+		})
+		check.Args(database.InsertWorkspaceBuildParams{
+			WorkspaceID: w.ID,
+			Transition:  database.WorkspaceTransitionStop,
+			Reason:      database.BuildReasonInitiator,
+		}).Asserts(w, policy.ActionWorkspaceStop)
 	}))
 	s.Run("Start/RequireActiveVersion/VersionMismatch/InsertWorkspaceBuild", s.Subtest(func(db database.Store, check *expects) {
 		t := dbgen.Template(s.T(), db, database.Template{})
@@ -1454,7 +1465,7 @@ func (s *MethodTestSuite) TestWorkspace() {
 			Reason:            database.BuildReasonInitiator,
 			TemplateVersionID: v.ID,
 		}).Asserts(
-			w, policy.ActionWorkspaceBuild,
+			w, policy.ActionWorkspaceStart,
 			t, policy.ActionUpdate,
 		)
 	}))
@@ -1482,7 +1493,7 @@ func (s *MethodTestSuite) TestWorkspace() {
 			Reason:            database.BuildReasonInitiator,
 			TemplateVersionID: v.ID,
 		}).Asserts(
-			w, policy.ActionWorkspaceBuild,
+			w, policy.ActionWorkspaceStart,
 		)
 	}))
 	s.Run("Delete/InsertWorkspaceBuild", s.Subtest(func(db database.Store, check *expects) {
diff --git a/coderd/rbac/authz.go b/coderd/rbac/authz.go
@@ -214,6 +214,10 @@ type RegoAuthorizer struct {
 
 	authorizeHist *prometheus.HistogramVec
 	prepareHist   prometheus.Histogram
+
+	// strict checking also verifies the inputs to the authorizer. Making sure
+	// the action make sense for the input object.
+	strict bool
 }
 
 var _ Authorizer = (*RegoAuthorizer)(nil)
@@ -235,6 +239,13 @@ func NewCachingAuthorizer(registry prometheus.Registerer) Authorizer {
 	return Cacher(NewAuthorizer(registry))
 }
 
+// NewStrictCachingAuthorizer is mainly just for testing.
+func NewStrictCachingAuthorizer(registry prometheus.Registerer) Authorizer {
+	auth := NewAuthorizer(registry)
+	auth.strict = true
+	return Cacher(auth)
+}
+
 func NewAuthorizer(registry prometheus.Registerer) *RegoAuthorizer {
 	queryOnce.Do(func() {
 		var err error
@@ -321,6 +332,12 @@ type authSubject struct {
 // the object.
 // If an error is returned, the authorization is denied.
 func (a RegoAuthorizer) Authorize(ctx context.Context, subject Subject, action policy.Action, object Object) error {
+	if a.strict {
+		if err := object.ValidAction(action); err != nil {
+			return xerrors.Errorf("strict authz check: %w", err)
+		}
+	}
+
 	start := time.Now()
 	ctx, span := tracing.StartSpan(ctx,
 		trace.WithTimestamp(start), // Reuse the time.Now for metric and trace
diff --git a/coderd/rbac/authz_test.go b/coderd/rbac/authz_test.go
@@ -160,7 +160,7 @@ func BenchmarkRBACAuthorize(b *testing.B) {
 
 	// There is no caching that occurs because a fresh context is used for each
 	// call. And the context needs 'WithCacheCtx' to work.
-	authorizer := rbac.NewCachingAuthorizer(prometheus.NewRegistry())
+	authorizer := rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry())
 	// This benchmarks all the simple cases using just user permissions. Groups
 	// are added as noise, but do not do anything.
 	for _, c := range benchCases {
@@ -187,7 +187,7 @@ func BenchmarkRBACAuthorizeGroups(b *testing.B) {
 		uuid.MustParse("0632b012-49e0-4d70-a5b3-f4398f1dcd52"),
 		uuid.MustParse("70dbaa7a-ea9c-4f68-a781-97b08af8461d"),
 	)
-	authorizer := rbac.NewCachingAuthorizer(prometheus.NewRegistry())
+	authorizer := rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry())
 
 	// Same benchmark cases, but this time groups will be used to match.
 	// Some '*' permissions will still match, but using a fake action reduces
@@ -239,7 +239,7 @@ func BenchmarkRBACFilter(b *testing.B) {
 		uuid.MustParse("70dbaa7a-ea9c-4f68-a781-97b08af8461d"),
 	)
 
-	authorizer := rbac.NewCachingAuthorizer(prometheus.NewRegistry())
+	authorizer := rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry())
 
 	for _, c := range benchCases {
 		b.Run("PrepareOnly-"+c.Name, func(b *testing.B) {
diff --git a/coderd/rbac/input.json b/coderd/rbac/input.json
@@ -1,46 +1,22 @@
 {
-  "action": "never-match-action",
-  "object": {
-    "id": "9046b041-58ed-47a3-9c3a-de302577875a",
-    "owner": "00000000-0000-0000-0000-000000000000",
-    "org_owner": "bf7b72bd-a2b1-4ef2-962c-1d698e0483f6",
-    "type": "workspace",
-    "acl_user_list": {
-      "f041847d-711b-40da-a89a-ede39f70dc7f": ["create"]
-    },
-    "acl_group_list": {}
+  "action":"build",
+  "object":{
+    "id":"c6ae3dfb-0e55-4eca-b263-8ceaf95ad056",
+    "owner":"76df8ecb-a179-45cc-9a67-acc8b0512ee5",
+    "org_owner":"021dcc96-562b-4a43-8405-0d287b5298df",
+    "type":"workspace_dormant",
+    "acl_user_list":null,
+    "acl_group_list":null
   },
-  "subject": {
-    "id": "10d03e62-7703-4df5-a358-4f76577d4e2f",
-    "roles": [
-      {
-        "name": "owner",
-        "display_name": "Owner",
-        "site": [
-          {
-            "negate": false,
-            "resource_type": "*",
-            "action": "*"
-          }
-        ],
-        "org": {},
-        "user": []
-      }
+  "subject":{
+    "FriendlyName":"testuser",
+    "ID":"76df8ecb-a179-45cc-9a67-acc8b0512ee5",
+    "Roles":[
+      "owner",
+      "member",
+      "organization-member:021dcc96-562b-4a43-8405-0d287b5298df"
     ],
-    "groups": ["b617a647-b5d0-4cbe-9e40-26f89710bf18"],
-    "scope": {
-      "name": "Scope_all",
-      "display_name": "All operations",
-      "site": [
-        {
-          "negate": false,
-          "resource_type": "*",
-          "action": "*"
-        }
-      ],
-      "org": {},
-      "user": [],
-      "allow_list": ["*"]
-    }
+    "Groups":null,
+    "Scope":"all"
   }
 }
diff --git a/coderd/rbac/object.go b/coderd/rbac/object.go
@@ -39,7 +39,7 @@ func (z Object) ValidAction(action policy.Action) error {
 		return fmt.Errorf("invalid type %q", z.Type)
 	}
 	if _, ok := perms.Actions[action]; !ok {
-		return fmt.Errorf("invalid action %q", action)
+		return fmt.Errorf("invalid action %q for type %q", action, z.Type)
 	}
 
 	return nil
diff --git a/coderd/rbac/object_gen.go b/coderd/rbac/object_gen.go
diff --git a/coderd/rbac/policy/policy.go b/coderd/rbac/policy/policy.go
@@ -16,7 +16,8 @@ const (
 	ActionApplicationConnect Action = "application_connect"
 	ActionViewInsights       Action = "view_insights"
 
-	ActionWorkspaceBuild Action = "build"
+	ActionWorkspaceStart Action = "start"
+	ActionWorkspaceStop  Action = "stop"
 
 	ActionAssign Action = "assign"
 
@@ -51,8 +52,10 @@ var workspaceActions = map[Action]ActionDefinition{
 	ActionUpdate: actDef("edit workspace settings (scheduling, permissions, parameters)"),
 	ActionDelete: actDef("delete workspace"),
 
-	// Workspace provisioning
-	ActionWorkspaceBuild: actDef("allows starting, stopping, and updating a workspace"),
+	// Workspace provisioning. Start & stop are different so dormant workspaces can be
+	// stopped, but not stared.
+	ActionWorkspaceStart: actDef("allows starting a workspace"),
+	ActionWorkspaceStop:  actDef("allows stopping a workspace"),
 
 	// Running a workspace
 	ActionSSH:                actDef("ssh into a given workspace"),
@@ -104,12 +107,14 @@ var RBACPermissions = map[string]PermissionDefinition{
 	},
 	"audit_log": {
 		Actions: map[Action]ActionDefinition{
-			ActionRead: actDef("read audit logs"),
+			ActionRead:   actDef("read audit logs"),
+			ActionCreate: actDef("create new audit log entries"),
 		},
 	},
 	"deployment_config": {
 		Actions: map[Action]ActionDefinition{
-			ActionRead: actDef("read deployment config"),
+			ActionRead:   actDef("read deployment config"),
+			ActionUpdate: actDef("updating health information"),
 		},
 	},
 	"deployment_stats": {
@@ -173,7 +178,7 @@ var RBACPermissions = map[string]PermissionDefinition{
 	},
 	"debug_info": {
 		Actions: map[Action]ActionDefinition{
-			ActionUse: actDef("access to debug routes"),
+			ActionRead: actDef("access to debug routes"),
 		},
 	},
 	"system": {
@@ -189,6 +194,7 @@ var RBACPermissions = map[string]PermissionDefinition{
 			ActionCreate: actDef("create an api key"),
 			ActionRead:   actDef("read api key details (secrets are not stored)"),
 			ActionDelete: actDef("delete an api key"),
+			ActionUpdate: actDef("update an api key, eg expires"),
 		},
 	},
 	"tailnet_coordinator": {
diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go
@@ -146,7 +146,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 			// This adds back in the Workspace permissions.
 			Permissions(map[string][]policy.Action{
 				ResourceWorkspace.Type:        ownerWorkspaceActions,
-				ResourceWorkspaceDormant.Type: {policy.ActionRead, policy.ActionDelete, policy.ActionCreate, policy.ActionUpdate},
+				ResourceWorkspaceDormant.Type: {policy.ActionRead, policy.ActionDelete, policy.ActionCreate, policy.ActionUpdate, policy.ActionWorkspaceStop},
 			})...),
 		Org:  map[string][]Permission{},
 		User: []Permission{},
@@ -167,7 +167,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 		User: append(allPermsExcept(ResourceWorkspaceDormant, ResourceUser, ResourceOrganizationMember),
 			Permissions(map[string][]policy.Action{
 				// Reduced permission set on dormant workspaces. No build, ssh, or exec
-				ResourceWorkspaceDormant.Type: {policy.ActionRead, policy.ActionDelete, policy.ActionCreate, policy.ActionUpdate},
+				ResourceWorkspaceDormant.Type: {policy.ActionRead, policy.ActionDelete, policy.ActionCreate, policy.ActionUpdate, policy.ActionWorkspaceStop},
 
 				// Users cannot do create/update/delete on themselves, but they
 				// can read their own details.
@@ -272,7 +272,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 				Org: map[string][]Permission{
 					// Org admins should not have workspace exec perms.
 					organizationID: append(allPermsExcept(ResourceWorkspace, ResourceWorkspaceDormant), Permissions(map[string][]policy.Action{
-						ResourceWorkspaceDormant.Type: {policy.ActionRead, policy.ActionDelete, policy.ActionCreate, policy.ActionUpdate},
+						ResourceWorkspaceDormant.Type: {policy.ActionRead, policy.ActionDelete, policy.ActionCreate, policy.ActionUpdate, policy.ActionWorkspaceStop},
 						ResourceWorkspace.Type:        slice.Omit(ResourceWorkspace.AvailableActions(), policy.ActionApplicationConnect, policy.ActionSSH),
 					})...),
 				},
diff --git a/coderd/rbac/roles_test.go b/coderd/rbac/roles_test.go
diff --git a/coderd/roles.go b/coderd/roles.go
diff --git a/support/support.go b/support/support.go

Original file line number	Diff line number	Diff line change
`@@ -221,7 +221,7 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can`
`221`	`221`	`}`
`222`	`222`
`223`	`223`	`if options.Authorizer == nil {`
`224`		`- defAuth := rbac.NewCachingAuthorizer(prometheus.NewRegistry())`
	`224`	`+ defAuth := rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry())`
`225`	`225`	`if _, ok := t.(*testing.T); ok {`
`226`	`226`	`options.Authorizer = &RecordingAuthorizer{`
`227`	`227`	`Wrapped: defAuth,`
Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,7 @@ func (z Object) ValidAction(action policy.Action) error {`
`39`	`39`	`return fmt.Errorf("invalid type %q", z.Type)`
`40`	`40`	`}`
`41`	`41`	`if _, ok := perms.Actions[action]; !ok {`
`42`		`- return fmt.Errorf("invalid action %q", action)`
	`42`	`+ return fmt.Errorf("invalid action %q for type %q", action, z.Type)`
`43`	`43`	`}`
`44`	`44`
`45`	`45`	`return nil`