
feat: allow TemplateAdmin to delete prebuilds via auth layer #18333

Open: wants to merge 10 commits into base: main


@ssncferreira ssncferreira commented Jun 11, 2025

Description

This PR adds support for deleting prebuilt workspaces via the authorization layer. It introduces special-case handling to ensure that prebuilt_workspace permissions are evaluated when attempting to delete a prebuilt workspace, falling back to the standard workspace resource as needed.

Prebuilt workspaces are a subset of workspaces, identified by having owner_id set to PREBUILD_SYSTEM_USER.
This means:

  • A user with prebuilt_workspace.delete permission is allowed to delete only prebuilt workspaces.
  • A user with workspace.delete permission can delete both normal and prebuilt workspaces.

⚠️ This implementation is scoped to deletion operations only. No other operations are currently supported for the prebuilt_workspace resource.

To delete a workspace, users must have the following permissions:

  • workspace.read: to read the current workspace state
  • update: to modify workspace metadata and related resources during deletion (e.g., updating the deleted field in the database)
  • delete: to perform the actual deletion of the workspace

Changes

  • Introduced authorizeWorkspace() helper to handle prebuilt workspace authorization logic.
  • Ensured both prebuilt_workspace and workspace permissions are checked.
  • Added comments to clarify the current behavior and limitations.
  • Moved SystemUserID constant from the prebuilds package to the database package PrebuildsSystemUserID to resolve an import cycle (commit f24e4ab).
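
The check order in the description (prebuilt_workspace first for deletes of prebuild-owned workspaces, then the standard workspace resource), as an added Go example that is not code from this PR or the project. The `Subject`, `Workspace` and `AuthorizeWorkspace` names and the `PrebuildsSystemUserID` value are hypothetical stand-ins.

```go
package main

import (
	"errors"
	"fmt"
)

// All names below are hypothetical stand-ins, not the project's rbac types.
type Action string
type ResourceType string

const (
	ResourceWorkspace         ResourceType = "workspace"
	ResourcePrebuiltWorkspace ResourceType = "prebuilt_workspace"
	ActionDelete              Action       = "delete"
	// Constructed placeholder for the system user that owns prebuilds.
	PrebuildsSystemUserID = "prebuilds-system-user"
)

type Workspace struct{ ID, OwnerID string }

// Subject carries the (resource, action) pairs granted to a caller.
type Subject struct {
	Name   string
	Grants map[ResourceType]map[Action]bool
}

var ErrForbidden = errors.New("forbidden")

func (s Subject) can(r ResourceType, a Action) bool { return s.Grants[r][a] }

// AuthorizeWorkspace consults prebuilt_workspace only for delete on a
// prebuild-owned workspace, then falls back to the workspace resource.
func AuthorizeWorkspace(s Subject, a Action, w Workspace) error {
	isPrebuild := w.OwnerID == PrebuildsSystemUserID
	if a == ActionDelete && isPrebuild && s.can(ResourcePrebuiltWorkspace, a) {
		return nil
	}
	if s.can(ResourceWorkspace, a) {
		return nil
	}
	return fmt.Errorf("%s: %s on workspace %s: %w", s.Name, a, w.ID, ErrForbidden)
}

func main() {
	admin := Subject{"template-admin", map[ResourceType]map[Action]bool{
		ResourcePrebuiltWorkspace: {ActionDelete: true}}}
	fmt.Println(AuthorizeWorkspace(admin, ActionDelete, Workspace{"w1", PrebuildsSystemUserID}))
	fmt.Println(AuthorizeWorkspace(admin, ActionDelete, Workspace{"w2", "alice"}))
}
```

The second call fails with `ErrForbidden`: a prebuilt_workspace grant never applies to a workspace owned by a regular user.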

@ssncferreira ssncferreira changed the title feat: POC for allowing TemplateAdmin to delete prebuild workspaces via auth layer feat: poc to allow TemplateAdmin to delete prebuilds via auth layer Jun 11, 2025
@ssncferreira ssncferreira force-pushed the ssncferreira/poc-prebuild-rbac-authz branch 2 times, most recently from e05480d to db80b4d Compare June 11, 2025 19:37
@ssncferreira ssncferreira force-pushed the ssncferreira/poc-prebuild-rbac-authz branch from db80b4d to 2ba15c5 Compare June 11, 2025 19:38
@ssncferreira ssncferreira changed the title feat: poc to allow TemplateAdmin to delete prebuilds via auth layer feat: allow TemplateAdmin to delete prebuilds via auth layer in POC Jun 12, 2025
@ssncferreira ssncferreira changed the title feat: allow TemplateAdmin to delete prebuilds via auth layer in POC feat: allow TemplateAdmin to delete prebuilds via auth layer (POC) Jun 12, 2025
Comment on lines 498 to 502
runningWorkspaces, err := db.GetRunningPrebuiltWorkspaces(ctx)
require.NoError(t, err)

prebuiltWorkspace, err := db.GetWorkspaceByID(ctx, runningWorkspaces[0].ID)
require.NoError(t, err)

You should also require there to be at least one running workspace. This may need to be done in a testutil.Eventually(ctx) to avoid potential flakiness.

@ssncferreira ssncferreira marked this pull request as ready for review June 18, 2025 09:06
@ssncferreira ssncferreira changed the title feat: allow TemplateAdmin to delete prebuilds via auth layer (POC) feat: allow TemplateAdmin to delete prebuilds via auth layer Jun 18, 2025
@ssncferreira ssncferreira requested a review from Emyrk June 18, 2025 18:45