chore: fixup permission assertions and testing

Emyrk · Emyrk · commit dbdf49f6ec85 · 2025-04-08T11:29:24.000-05:00
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -1148,6 +1148,7 @@ func New(options *Options) *API {
 				})
 				r.Route("/{user}", func(r chi.Router) {
 					r.Group(func(r chi.Router) {
+						r.Use(httpmw.ExtractUserParamOptional(options.Database))
 						// Creating workspaces does not require permissions on the user, only the
 						// organization member. This endpoint should match the authz story of
 						// postWorkspacesByOrganization
diff --git a/coderd/coderdtest/authorize.go b/coderd/coderdtest/authorize.go
@@ -144,8 +144,8 @@ type AuthCalls []AuthCall
 
 type AuthCall struct {
 	rbac.AuthCall
+	Err error
 
-	err      error
 	asserted bool
 	// callers is a small stack trace for debugging.
 	callers []string
@@ -265,7 +265,7 @@ func (r *RecordingAuthorizer) recordAuthorize(subject rbac.Subject, action polic
 			Action: action,
 			Object: object,
 		},
-		err: err,
+		Err: err,
 		callers: []string{
 			// This is a decent stack trace for debugging.
 			// Some dbauthz calls are a bit nested, so we skip a few.
diff --git a/coderd/httpmw/organizationparam.go b/coderd/httpmw/organizationparam.go
@@ -110,61 +110,51 @@ type OrganizationMember struct {
 func ExtractOrganizationMemberParam(db database.Store) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-			organization := OrganizationParam(r)
-			organizationMember, ok := ExtractOrganizationMemberContext(rw, r, db, organization.ID)
+			ctx := r.Context()
+			// We need to resolve the `{user}` URL parameter so that we can get the userID and
+			// username.  We do this as SystemRestricted since the caller might have permission
+			// to access the OrganizationMember object, but *not* the User object.  So, it is
+			// very important that we do not add the User object to the request context or otherwise
+			// leak it to the API handler.
+			// nolint:gocritic
+			user, ok := ExtractUserContext(dbauthz.AsSystemRestricted(ctx), db, rw, r)
 			if !ok {
 				return
 			}
+			organization := OrganizationParam(r)
 
-			ctx := r.Context()
-			ctx = context.WithValue(ctx, organizationMemberParamContextKey{}, organizationMember)
-			next.ServeHTTP(rw, r.WithContext(ctx))
-		})
-	}
-}
-
-func ExtractOrganizationMemberContext(rw http.ResponseWriter, r *http.Request, db database.Store, orgID uuid.UUID) (OrganizationMember, bool) {
-	ctx := r.Context()
-
-	// We need to resolve the `{user}` URL parameter so that we can get the userID and
-	// username.  We do this as SystemRestricted since the caller might have permission
-	// to access the OrganizationMember object, but *not* the User object.  So, it is
-	// very important that we do not add the User object to the request context or otherwise
-	// leak it to the API handler.
-	// nolint:gocritic
-	user, ok := extractUserContext(dbauthz.AsSystemRestricted(ctx), db, rw, r)
-	if !ok {
-		return OrganizationMember{}, false
-	}
+			organizationMember, err := database.ExpectOne(db.OrganizationMembers(ctx, database.OrganizationMembersParams{
+				OrganizationID: organization.ID,
+				UserID:         user.ID,
+				IncludeSystem:  false,
+			}))
+			if httpapi.Is404Error(err) {
+				httpapi.ResourceNotFound(rw)
+				return
+			}
+			if err != nil {
+				httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+					Message: "Internal error fetching organization member.",
+					Detail:  err.Error(),
+				})
+				return
+			}
 
-	organizationMember, err := database.ExpectOne(db.OrganizationMembers(ctx, database.OrganizationMembersParams{
-		OrganizationID: orgID,
-		UserID:         user.ID,
-		IncludeSystem:  false,
-	}))
-	if httpapi.Is404Error(err) {
-		httpapi.ResourceNotFound(rw)
-		return OrganizationMember{}, false
-	}
-	if err != nil {
-		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-			Message: "Internal error fetching organization member.",
-			Detail:  err.Error(),
+			ctx = context.WithValue(ctx, organizationMemberParamContextKey{}, OrganizationMember{
+				OrganizationMember: organizationMember.OrganizationMember,
+				// Here we're making two exceptions to the rule about not leaking data about the user
+				// to the API handler, which is to include the username and avatar URL.
+				// If the caller has permission to read the OrganizationMember, then we're explicitly
+				// saying here that they also have permission to see the member's username and avatar.
+				// This is OK!
+				//
+				// API handlers need this information for audit logging and returning the owner's
+				// username in response to creating a workspace. Additionally, the frontend consumes
+				// the Avatar URL and this allows the FE to avoid an extra request.
+				Username:  user.Username,
+				AvatarURL: user.AvatarURL,
+			})
+			next.ServeHTTP(rw, r.WithContext(ctx))
 		})
-		return OrganizationMember{}, false
 	}
-	return OrganizationMember{
-		OrganizationMember: organizationMember.OrganizationMember,
-		// Here we're making two exceptions to the rule about not leaking data about the user
-		// to the API handler, which is to include the username and avatar URL.
-		// If the caller has permission to read the OrganizationMember, then we're explicitly
-		// saying here that they also have permission to see the member's username and avatar.
-		// This is OK!
-		//
-		// API handlers need this information for audit logging and returning the owner's
-		// username in response to creating a workspace. Additionally, the frontend consumes
-		// the Avatar URL and this allows the FE to avoid an extra request.
-		Username:  user.Username,
-		AvatarURL: user.AvatarURL,
-	}, true
 }
diff --git a/coderd/httpmw/userparam.go b/coderd/httpmw/userparam.go
@@ -31,13 +31,18 @@ func UserParam(r *http.Request) database.User {
 	return user
 }
 
+func UserParamOptional(r *http.Request) (database.User, bool) {
+	user, ok := r.Context().Value(userParamContextKey{}).(database.User)
+	return user, ok
+}
+
 // ExtractUserParam extracts a user from an ID/username in the {user} URL
 // parameter.
 func ExtractUserParam(db database.Store) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 			ctx := r.Context()
-			user, ok := extractUserContext(ctx, db, rw, r)
+			user, ok := ExtractUserContext(ctx, db, rw, r)
 			if !ok {
 				// response already handled
 				return
@@ -48,8 +53,24 @@ func ExtractUserParam(db database.Store) func(http.Handler) http.Handler {
 	}
 }
 
-// extractUserContext queries the database for the parameterized `{user}` from the request URL.
-func extractUserContext(ctx context.Context, db database.Store, rw http.ResponseWriter, r *http.Request) (user database.User, ok bool) {
+// ExtractUserParamOptional does not fail if no user is present.
+func ExtractUserParamOptional(db database.Store) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+			ctx := r.Context()
+
+			user, ok := ExtractUserContext(ctx, db, &noopResponseWriter{}, r)
+			if ok {
+				ctx = context.WithValue(ctx, userParamContextKey{}, user)
+			}
+
+			next.ServeHTTP(rw, r.WithContext(ctx))
+		})
+	}
+}
+
+// ExtractUserContext queries the database for the parameterized `{user}` from the request URL.
+func ExtractUserContext(ctx context.Context, db database.Store, rw http.ResponseWriter, r *http.Request) (user database.User, ok bool) {
 	// userQuery is either a uuid, a username, or 'me'
 	userQuery := chi.URLParam(r, "user")
 	if userQuery == "" {
diff --git a/coderd/workspaces.go b/coderd/workspaces.go
@@ -413,21 +413,64 @@ func (api *API) postUserWorkspaces(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// No middleware exists to fetch the user from. This endpoint needs to fetch
-	// the organization member, which requires the organization. Which can be
-	// sourced from the template.
+	var owner workspaceOwner
+	// This user fetch is an optimization path for the most common case of creating a
+	// workspace for 'Me'.
 	//
-	// TODO: This code gets called twice for each workspace build request.
-	//   This is inefficient and costs at most 2 extra RTTs to the DB.
-	//   This can be optimized. It exists as it is now for code simplicity.
-	template, ok := requestTemplate(ctx, rw, req, api.Database)
-	if !ok {
-		return
-	}
+	// This is also required to allow `owners` to create workspaces for users
+	// that are not in an organization.
+	user, ok := httpmw.UserParamOptional(r)
+	if ok {
+		owner = workspaceOwner{
+			ID:        user.ID,
+			Username:  user.Username,
+			AvatarURL: user.AvatarURL,
+		}
+	} else {
+		// A workspace can still be created if the caller can read the organization
+		// member. The organization is required, which can be sourced from the
+		// template.
+		//
+		// TODO: This code gets called twice for each workspace build request.
+		//   This is inefficient and costs at most 2 extra RTTs to the DB.
+		//   This can be optimized. It exists as it is now for code simplicity.
+		//   The most common case is to create a workspace for 'Me'. Which does
+		//   not enter this code branch.
+		template, ok := requestTemplate(ctx, rw, req, api.Database)
+		if !ok {
+			return
+		}
 
-	member, ok := httpmw.ExtractOrganizationMemberContext(rw, r, api.Database, template.OrganizationID)
-	if !ok {
-		return
+		// We need to fetch the original user as a system user to fetch the
+		// user_id. 'ExtractUserContext' handles all cases like usernames,
+		// 'Me', etc.
+		// nolint:gocritic // The user_id needs to be fetched. This handles all those cases.
+		user, ok := httpmw.ExtractUserContext(dbauthz.AsSystemRestricted(ctx), api.Database, rw, r)
+		if !ok {
+			return
+		}
+
+		organizationMember, err := database.ExpectOne(api.Database.OrganizationMembers(ctx, database.OrganizationMembersParams{
+			OrganizationID: template.OrganizationID,
+			UserID:         user.ID,
+			IncludeSystem:  false,
+		}))
+		if httpapi.Is404Error(err) {
+			httpapi.ResourceNotFound(rw)
+			return
+		}
+		if err != nil {
+			httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+				Message: "Internal error fetching organization member.",
+				Detail:  err.Error(),
+			})
+			return
+		}
+		owner = workspaceOwner{
+			ID:        organizationMember.OrganizationMember.UserID,
+			Username:  organizationMember.Username,
+			AvatarURL: organizationMember.AvatarURL,
+		}
 	}
 
 	aReq, commitAudit := audit.InitRequest[database.WorkspaceTable](rw, &audit.RequestParams{
@@ -436,17 +479,11 @@ func (api *API) postUserWorkspaces(rw http.ResponseWriter, r *http.Request) {
 		Request: r,
 		Action:  database.AuditActionCreate,
 		AdditionalFields: audit.AdditionalFields{
-			WorkspaceOwner: member.Username,
+			WorkspaceOwner: owner.Username,
 		},
 	})
 
 	defer commitAudit()
-
-	owner := workspaceOwner{
-		ID:        member.UserID,
-		Username:  member.Username,
-		AvatarURL: member.AvatarURL,
-	}
 	createWorkspace(ctx, aReq, apiKey.UserID, api, owner, req, rw, r)
 }
 
diff --git a/coderd/workspaces_test.go b/coderd/workspaces_test.go
@@ -423,42 +423,6 @@ func TestWorkspace(t *testing.T) {
 		require.ErrorAs(t, err, &apiError)
 		require.Equal(t, http.StatusForbidden, apiError.StatusCode())
 	})
-
-	// Asserting some authz calls when creating a workspace.
-	t.Run("AuthzStory", func(t *testing.T) {
-		t.Parallel()
-		owner, _, api := coderdtest.NewWithAPI(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
-		first := coderdtest.CreateFirstUser(t, owner)
-		authz := coderdtest.AssertRBAC(t, api, owner)
-
-		version := coderdtest.CreateTemplateVersion(t, owner, first.OrganizationID, nil)
-		coderdtest.AwaitTemplateVersionJobCompleted(t, owner, version.ID)
-		template := coderdtest.CreateTemplate(t, owner, first.OrganizationID, version.ID)
-		_, userID := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID)
-
-		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
-		defer cancel()
-
-		// Create a workspace with the current api.
-		authz.Reset() // Reset all previous checks done in setup.
-		_, err := owner.CreateUserWorkspace(ctx, userID.ID.String(), codersdk.CreateWorkspaceRequest{
-			TemplateID: template.ID,
-			Name:       "test-user",
-		})
-		require.NoError(t, err)
-
-		// Assert all authz properties
-		t.Run("OnlyOrganizationAuthzCalls", func(t *testing.T) {
-			// Creating workspaces is an organization action. So organization
-			// permissions should be sufficient to complete the action.
-			for _, call := range authz.AllCalls() {
-				assert.Falsef(t, call.Object.OrgID == "",
-					"call %q for object %q has no organization set. Site authz calls not expected here",
-					call.Action, call.Object.String(),
-				)
-			}
-		})
-	})
 }
 
 func TestResolveAutostart(t *testing.T) {
diff --git a/enterprise/coderd/workspaces_test.go b/enterprise/coderd/workspaces_test.go
