Merge remote-tracking branch 'origin/authzquerier_layer' into authzquerier_layer

johnstcn · johnstcn · commit ef1deb5ebe12 · 2023-02-02T14:19:53.000Z
diff --git a/coderd/authzquery/template.go b/coderd/authzquery/template.go
@@ -155,12 +155,32 @@ func (q *AuthzQuerier) GetTemplateVersionParameters(ctx context.Context, templat
 }
 
 func (q *AuthzQuerier) GetTemplateVersionsByIDs(ctx context.Context, ids []uuid.UUID) ([]database.TemplateVersion, error) {
-	// An actor can read template versions if they can read the related template.
-	// There are multiple template IDs, so we will just check that all templates can be read.
-	if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceTemplate.All()); err != nil {
+	// TODO: This is so inefficient
+	versions, err := q.database.GetTemplateVersionsByIDs(ctx, ids)
+	if err != nil {
 		return nil, err
 	}
-	return q.database.GetTemplateVersionsByIDs(ctx, ids)
+	checked := make(map[uuid.UUID]bool)
+	for _, v := range versions {
+		if _, ok := checked[v.TemplateID.UUID]; ok {
+			continue
+		}
+
+		obj := v.RBACObjectNoTemplate()
+		template, err := q.database.GetTemplateByID(ctx, v.TemplateID.UUID)
+		if err == nil {
+			obj = v.RBACObject(template)
+		}
+		if err != nil && !xerrors.Is(err, sql.ErrNoRows) {
+			return nil, err
+		}
+		if err := q.authorizeContext(ctx, rbac.ActionRead, obj); err != nil {
+			return nil, err
+		}
+		checked[v.TemplateID.UUID] = true
+	}
+
+	return versions, nil
 }
 
 func (q *AuthzQuerier) GetTemplateVersionsByTemplateID(ctx context.Context, arg database.GetTemplateVersionsByTemplateIDParams) ([]database.TemplateVersion, error) {
diff --git a/coderd/authzquery/user.go b/coderd/authzquery/user.go
@@ -137,10 +137,17 @@ func (q *AuthzQuerier) UpdateUserDeletedByID(ctx context.Context, arg database.U
 }
 
 func (q *AuthzQuerier) UpdateUserHashedPassword(ctx context.Context, arg database.UpdateUserHashedPasswordParams) error {
-	fetch := func(ctx context.Context, arg database.UpdateUserHashedPasswordParams) (database.User, error) {
-		return q.database.GetUserByID(ctx, arg.ID)
+	user, err := q.database.GetUserByID(ctx, arg.ID)
+	if err != nil {
+		return err
+	}
+
+	err = q.authorizeContext(ctx, rbac.ActionUpdate, user.UserDataRBACObject())
+	if err != nil {
+		return err
 	}
-	return authorizedUpdate(q.authorizer, fetch, q.database.UpdateUserHashedPassword)(ctx, arg)
+
+	return q.database.UpdateUserHashedPassword(ctx, arg)
 }
 
 func (q *AuthzQuerier) UpdateUserLastSeenAt(ctx context.Context, arg database.UpdateUserLastSeenAtParams) (database.User, error) {
diff --git a/coderd/database/dbgen/generator.go b/coderd/database/dbgen/generator.go
@@ -66,6 +66,47 @@ func APIKey(t *testing.T, db database.Store, seed database.APIKey) (key database
 	return key, fmt.Sprintf("%s-%s", key.ID, secret)
 }
 
+func WorkspaceAgent(t *testing.T, db database.Store, orig database.WorkspaceAgent) database.WorkspaceAgent {
+	workspace, err := db.InsertWorkspaceAgent(context.Background(), database.InsertWorkspaceAgentParams{
+		ID:         takeFirst(orig.ID, uuid.New()),
+		CreatedAt:  takeFirst(orig.CreatedAt, time.Now()),
+		UpdatedAt:  takeFirst(orig.UpdatedAt, time.Now()),
+		Name:       takeFirst(orig.Name, namesgenerator.GetRandomName(1)),
+		ResourceID: takeFirst(orig.ResourceID, uuid.New()),
+		AuthToken:  takeFirst(orig.AuthToken, uuid.New()),
+		AuthInstanceID: sql.NullString{
+			String: takeFirst(orig.AuthInstanceID.String, ""),
+			Valid:  takeFirst(orig.AuthInstanceID.Valid, false),
+		},
+		Architecture: takeFirst(orig.Architecture, "amd64"),
+		EnvironmentVariables: pqtype.NullRawMessage{
+			RawMessage: takeFirstBytes(orig.EnvironmentVariables.RawMessage, []byte("{}")),
+			Valid:      takeFirst(orig.EnvironmentVariables.Valid, false),
+		},
+		OperatingSystem: takeFirst(orig.OperatingSystem, "linux"),
+		StartupScript: sql.NullString{
+			String: takeFirst(orig.StartupScript.String, ""),
+			Valid:  takeFirst(orig.StartupScript.Valid, false),
+		},
+		Directory: takeFirst(orig.Directory, ""),
+		InstanceMetadata: pqtype.NullRawMessage{
+			RawMessage: takeFirstBytes(orig.ResourceMetadata.RawMessage, []byte("{}")),
+			Valid:      takeFirst(orig.ResourceMetadata.Valid, false),
+		},
+		ResourceMetadata: pqtype.NullRawMessage{
+			RawMessage: takeFirstBytes(orig.ResourceMetadata.RawMessage, []byte("{}")),
+			Valid:      takeFirst(orig.ResourceMetadata.Valid, false),
+		},
+		ConnectionTimeoutSeconds:    takeFirst(orig.ConnectionTimeoutSeconds, 3600),
+		TroubleshootingURL:          takeFirst(orig.TroubleshootingURL, "https://example.com"),
+		MOTDFile:                    takeFirst(orig.TroubleshootingURL, ""),
+		LoginBeforeReady:            takeFirst(orig.LoginBeforeReady, false),
+		StartupScriptTimeoutSeconds: takeFirst(orig.StartupScriptTimeoutSeconds, 3600),
+	})
+	require.NoError(t, err, "insert workspace agent")
+	return workspace
+}
+
 func Workspace(t *testing.T, db database.Store, orig database.Workspace) database.Workspace {
 	workspace, err := db.InsertWorkspace(context.Background(), database.InsertWorkspaceParams{
 		ID:                takeFirst(orig.ID, uuid.New()),
diff --git a/coderd/database/dbgen/generator_test.go b/coderd/database/dbgen/generator_test.go
@@ -70,6 +70,13 @@ func TestGenerator(t *testing.T) {
 		require.Equal(t, exp, must(db.GetWorkspaceByID(context.Background(), exp.ID)))
 	})
 
+	t.Run("WorkspaceAgent", func(t *testing.T) {
+		t.Parallel()
+		db := databasefake.New()
+		exp := dbgen.WorkspaceAgent(t, db, database.WorkspaceAgent{})
+		require.Equal(t, exp, must(db.GetWorkspaceAgentByID(context.Background(), exp.ID)))
+	})
+
 	t.Run("Template", func(t *testing.T) {
 		t.Parallel()
 		db := databasefake.New()
diff --git a/coderd/httpmw/workspaceagent_test.go b/coderd/httpmw/workspaceagent_test.go
@@ -1,7 +1,6 @@
 package httpmw_test
 
 import (
-	"context"
 	"net/http"
 	"net/http/httptest"
 	"testing"
@@ -12,18 +11,18 @@ import (
 
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/database/databasefake"
+	"github.com/coder/coder/coderd/database/dbgen"
 	"github.com/coder/coder/coderd/httpmw"
 	"github.com/coder/coder/codersdk"
 )
 
 func TestWorkspaceAgent(t *testing.T) {
 	t.Parallel()
 
-	setup := func(db database.Store) (*http.Request, uuid.UUID) {
-		token := uuid.New()
+	setup := func(db database.Store, token uuid.UUID) *http.Request {
 		r := httptest.NewRequest("GET", "/", nil)
 		r.Header.Set(codersdk.SessionTokenHeader, token.String())
-		return r, token
+		return r
 	}
 
 	t.Run("None", func(t *testing.T) {
@@ -34,7 +33,7 @@ func TestWorkspaceAgent(t *testing.T) {
 			httpmw.ExtractWorkspaceAgent(db),
 		)
 		rtr.Get("/", nil)
-		r, _ := setup(db)
+		r := setup(db, uuid.New())
 		rw := httptest.NewRecorder()
 		rtr.ServeHTTP(rw, r)
 
@@ -46,6 +45,25 @@ func TestWorkspaceAgent(t *testing.T) {
 	t.Run("Found", func(t *testing.T) {
 		t.Parallel()
 		db := databasefake.New()
+
+		var (
+			user      = dbgen.User(t, db, database.User{})
+			workspace = dbgen.Workspace(t, db, database.Workspace{
+				OwnerID: user.ID,
+			})
+			job      = dbgen.ProvisionerJob(t, db, database.ProvisionerJob{})
+			resource = dbgen.WorkspaceResource(t, db, database.WorkspaceResource{
+				JobID: job.ID,
+			})
+			_ = dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{
+				WorkspaceID: workspace.ID,
+				JobID:       job.ID,
+			})
+			agent = dbgen.WorkspaceAgent(t, db, database.WorkspaceAgent{
+				ResourceID: resource.ID,
+			})
+		)
+
 		rtr := chi.NewRouter()
 		rtr.Use(
 			httpmw.ExtractWorkspaceAgent(db),
@@ -54,13 +72,8 @@ func TestWorkspaceAgent(t *testing.T) {
 			_ = httpmw.WorkspaceAgent(r)
 			rw.WriteHeader(http.StatusOK)
 		})
-		r, token := setup(db)
-		_, err := db.InsertWorkspaceAgent(context.Background(), database.InsertWorkspaceAgentParams{
-			ID:        uuid.New(),
-			AuthToken: token,
-		})
-		require.NoError(t, err)
-		require.NoError(t, err)
+		r := setup(db, agent.AuthToken)
+
 		rw := httptest.NewRecorder()
 		rtr.ServeHTTP(rw, r)
 
diff --git a/coderd/workspaceapps.go b/coderd/workspaceapps.go
@@ -23,6 +23,7 @@ import (
 	jose "gopkg.in/square/go-jose.v2"
 
 	"cdr.dev/slog"
+	"github.com/coder/coder/coderd/authzquery"
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/httpapi"
 	"github.com/coder/coder/coderd/httpmw"
@@ -316,7 +317,8 @@ func (api *API) parseWorkspaceApplicationHostname(rw http.ResponseWriter, r *htt
 }
 
 func (api *API) handleWorkspaceAppLogout(rw http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	// TODO: Limit permissions of this system user. Using scope or new role.
+	ctx := authzquery.WithAuthorizeSystemContext(r.Context(), rbac.RolesAdminSystem())
 
 	// Delete the API key and cookie first before attempting to parse/validate
 	// the redirect URI.
diff --git a/enterprise/coderd/coderd_test.go b/enterprise/coderd/coderd_test.go
@@ -6,6 +6,9 @@ import (
 	"testing"
 	"time"
 
+	"github.com/coder/coder/coderd/authzquery"
+	"github.com/coder/coder/coderd/rbac"
+
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/goleak"
@@ -100,7 +103,8 @@ func TestEntitlements(t *testing.T) {
 		require.NoError(t, err)
 		require.False(t, entitlements.HasLicense)
 		coderdtest.CreateFirstUser(t, client)
-		_, err = api.Database.InsertLicense(context.Background(), database.InsertLicenseParams{
+		ctx := authzquery.WithAuthorizeSystemContext(context.Background(), rbac.RolesAdminSystem())
+		_, err = api.Database.InsertLicense(ctx, database.InsertLicenseParams{
 			UploadedAt: database.Now(),
 			Exp:        database.Now().AddDate(1, 0, 0),
 			JWT: coderdenttest.GenerateLicense(t, coderdenttest.LicenseOptions{
@@ -128,7 +132,8 @@ func TestEntitlements(t *testing.T) {
 		require.False(t, entitlements.HasLicense)
 		coderdtest.CreateFirstUser(t, client)
 		// Valid
-		_, err = api.Database.InsertLicense(context.Background(), database.InsertLicenseParams{
+		ctx := authzquery.WithAuthorizeSystemContext(context.Background(), rbac.RolesAdminSystem())
+		_, err = api.Database.InsertLicense(ctx, database.InsertLicenseParams{
 			UploadedAt: database.Now(),
 			Exp:        database.Now().AddDate(1, 0, 0),
 			JWT: coderdenttest.GenerateLicense(t, coderdenttest.LicenseOptions{
@@ -139,7 +144,7 @@ func TestEntitlements(t *testing.T) {
 		})
 		require.NoError(t, err)
 		// Expired
-		_, err = api.Database.InsertLicense(context.Background(), database.InsertLicenseParams{
+		_, err = api.Database.InsertLicense(ctx, database.InsertLicenseParams{
 			UploadedAt: database.Now(),
 			Exp:        database.Now().AddDate(-1, 0, 0),
 			JWT: coderdenttest.GenerateLicense(t, coderdenttest.LicenseOptions{
@@ -148,7 +153,7 @@ func TestEntitlements(t *testing.T) {
 		})
 		require.NoError(t, err)
 		// Invalid
-		_, err = api.Database.InsertLicense(context.Background(), database.InsertLicenseParams{
+		_, err = api.Database.InsertLicense(ctx, database.InsertLicenseParams{
 			UploadedAt: database.Now(),
 			Exp:        database.Now().AddDate(1, 0, 0),
 			JWT:        "invalid",

Original file line number	Diff line number	Diff line change
`@@ -137,10 +137,17 @@ func (q *AuthzQuerier) UpdateUserDeletedByID(ctx context.Context, arg database.U`
`137`	`137`	`}`
`138`	`138`
`139`	`139`	`func (q *AuthzQuerier) UpdateUserHashedPassword(ctx context.Context, arg database.UpdateUserHashedPasswordParams) error {`
`140`		`- fetch := func(ctx context.Context, arg database.UpdateUserHashedPasswordParams) (database.User, error) {`
`141`		`- return q.database.GetUserByID(ctx, arg.ID)`
	`140`	`+ user, err := q.database.GetUserByID(ctx, arg.ID)`
	`141`	`+ if err != nil {`
	`142`	`+ return err`
	`143`	`+ }`
	`144`	`+`
	`145`	`+ err = q.authorizeContext(ctx, rbac.ActionUpdate, user.UserDataRBACObject())`
	`146`	`+ if err != nil {`
	`147`	`+ return err`
`142`	`148`	`}`
`143`		`- return authorizedUpdate(q.authorizer, fetch, q.database.UpdateUserHashedPassword)(ctx, arg)`
	`149`	`+`
	`150`	`+ return q.database.UpdateUserHashedPassword(ctx, arg)`
`144`	`151`	`}`
`145`	`152`
`146`	`153`	`func (q *AuthzQuerier) UpdateUserLastSeenAt(ctx context.Context, arg database.UpdateUserLastSeenAtParams) (database.User, error) {`