Skip to content

chore(coderd/database/dbauthz): update RBAC for InsertWorkspaceApp #18223

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jun 4, 2025
Merged

chore(coderd/database/dbauthz): update RBAC for InsertWorkspaceApp #18223

merged 2 commits into from
Jun 4, 2025

Conversation

DanielleMaywood
Copy link
Contributor

@DanielleMaywood DanielleMaywood commented Jun 4, 2025
edited
Loading

Closes #18210

Instead of using ResourceSystem as the resource for
InsertWorkspaceApp, we instead use the associated workspace (if it
exists), with the action ActionUpdate.

@DanielleMaywood
chore(coderd/database/dbauthz): update RBAC for InsertWorkspaceApp
2799228 
Instead of using `ResourceSystem` as the resource for
`InsertWorkspaceApp`, we instead use the associated workspace (if it
exists), with the action `ActionCreateAgent`. The decision to use this
action is because everywhere where `InsertWorkspaceApp` is called is
also where `InsertWorkspaceAgent` is called. I don't think adding an
extra action makes sense, and adding an extra resource also doesn't make
sense.
@DanielleMaywood DanielleMaywood marked this pull request as ready for review June 4, 2025 09:37
@DanielleMaywood DanielleMaywood requested review from johnstcn and Emyrk June 4, 2025 09:37
@DanielleMaywood DanielleMaywood mentioned this pull request Jun 4, 2025
Merged
johnstcn
johnstcn reviewed Jun 4, 2025
View reviewed changes
coderd/database/dbauthz/dbauthz.go
Comment on lines +3858 to +3861
workspace, err := q.db.GetWorkspaceByAgentID(ctx, arg.AgentID)
if err != nil && !errors.Is(err, sql.ErrNoRows) {
return database.WorkspaceApp{}, err
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doesn't this mean you can insert a workspace app for a non-existent agent ID?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you used a non-existent Agent ID, you would get past this check, correct. However, the agent_id field on the app is both NOT NULL and has a foreign key mapping to a workspace agent so the insertion would always fail.

If you think we should tweak the logic slightly to ensure there is a valid agent then I'm happy to make that change 👍.

https://github.com/coder/coder/blob/9995a098d5f0816128d00f5ec01767bba0b76164/coderd/database/dump.sql#L2035
https://github.com/coder/coder/blob/9995a098d5f0816128d00f5ec01767bba0b76164/coderd/database/dump.sql#L3060-L3061

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's fair 👍 We could add an extra check for an agent with the given ID, but it does introduce an extra DB lookup. I'm not sure the extra round-trip gives us anything here.

@DanielleMaywood DanielleMaywood enabled auto-merge (squash) June 4, 2025 11:12
@DanielleMaywood DanielleMaywood merged commit 4d0fe20 into main Jun 4, 2025
38 checks passed
@DanielleMaywood DanielleMaywood deleted the dm-dbauthz-workspace-apps branch June 4, 2025 11:22
@github-actions github-actions bot locked and limited conversation to collaborators Jun 4, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@johnstcn johnstcn johnstcn approved these changes

@Emyrk Emyrk Awaiting requested review from Emyrk

Assignees

@DanielleMaywood DanielleMaywood

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Replace rbac.ResourceSystem usage in dbauthz.InsertWorkspaceApp
2 participants
@DanielleMaywood @johnstcn