coder · Emyrk · May 31, 2022 · May 27, 2022 · May 27, 2022 · May 27, 2022
diff --git a/cli/server.go b/cli/server.go
@@ -68,8 +68,10 @@ func server() *cobra.Command {
 		pprofAddress          string
 		cacheDir              string
 		dev                   bool
-		devUserEmail          string
-		devUserPassword       string
+		devFirstEmail         string
+		devFirstPassword      string
+		devMemberEmail        string
+		devMemberPassword     string
 		postgresURL           string
 		// provisionerDaemonCount is a uint8 to ensure a number > 0.
 		provisionerDaemonCount           uint8
@@ -330,18 +332,30 @@ func server() *cobra.Command {
 			config := createConfig(cmd)
 
 			if dev {
-				if devUserPassword == "" {
-					devUserPassword, err = cryptorand.String(10)
+				if devFirstPassword == "" {
+					devFirstPassword, err = cryptorand.String(10)
 					if err != nil {
 						return xerrors.Errorf("generate random admin password for dev: %w", err)
 					}
 				}
-				err = createFirstUser(cmd, client, config, devUserEmail, devUserPassword)
+				if devMemberPassword == "" {
+					devMemberPassword, err = cryptorand.String(10)
+					if err != nil {
+						return xerrors.Errorf("generate random member password for dev: %w", err)
+					}
+				}
+
+				// Create first user with 1 additional user as a member of the same org.
+				err = createFirstUser(cmd, client, config, devFirstEmail, devFirstPassword, extraUsers{
+					Username: "member",
+					Email:    devMemberEmail,
+					Password: devMemberPassword,
+				})
 				if err != nil {
 					return xerrors.Errorf("create first user: %w", err)
 				}
-				_, _ = fmt.Fprintf(cmd.ErrOrStderr(), "email: %s\n", devUserEmail)
-				_, _ = fmt.Fprintf(cmd.ErrOrStderr(), "password: %s\n", devUserPassword)
+				_, _ = fmt.Fprintf(cmd.ErrOrStderr(), "email: %s\n", devFirstEmail)
+				_, _ = fmt.Fprintf(cmd.ErrOrStderr(), "password: %s\n", devFirstPassword)
 				_, _ = fmt.Fprintln(cmd.ErrOrStderr())
 
 				_, _ = fmt.Fprintf(cmd.ErrOrStderr(), cliui.Styles.Wrap.Render(`Started in dev mode. All data is in-memory! `+cliui.Styles.Bold.Render("Do not use in production")+`. Press `+
@@ -474,8 +488,10 @@ func server() *cobra.Command {
 	// systemd uses the CACHE_DIRECTORY environment variable!
 	cliflag.StringVarP(root.Flags(), &cacheDir, "cache-dir", "", "CACHE_DIRECTORY", filepath.Join(os.TempDir(), "coder-cache"), "Specifies a directory to cache binaries for provision operations.")
 	cliflag.BoolVarP(root.Flags(), &dev, "dev", "", "CODER_DEV_MODE", false, "Serve Coder in dev mode for tinkering")
-	cliflag.StringVarP(root.Flags(), &devUserEmail, "dev-admin-email", "", "CODER_DEV_ADMIN_EMAIL", "admin@coder.com", "Specifies the admin email to be used in dev mode (--dev)")
-	cliflag.StringVarP(root.Flags(), &devUserPassword, "dev-admin-password", "", "CODER_DEV_ADMIN_PASSWORD", "", "Specifies the admin password to be used in dev mode (--dev) instead of a randomly generated one")
+	cliflag.StringVarP(root.Flags(), &devFirstEmail, "dev-admin-email", "", "CODER_DEV_ADMIN_EMAIL", "admin@coder.com", "Specifies the admin email to be used in dev mode (--dev)")
+	cliflag.StringVarP(root.Flags(), &devFirstPassword, "dev-admin-password", "", "CODER_DEV_ADMIN_PASSWORD", "", "Specifies the admin password to be used in dev mode (--dev) instead of a randomly generated one")
+	cliflag.StringVarP(root.Flags(), &devMemberEmail, "dev-member-email", "", "CODER_DEV_MEMBER_EMAIL", "member@coder.com", "Specifies the member email to be used in dev mode (--dev)")
+	cliflag.StringVarP(root.Flags(), &devMemberPassword, "dev-member-password", "", "CODER_DEV_MEMBER_PASSWORD", "", "Specifies the member password to be used in dev mode (--dev) instead of a randomly generated one")
 	cliflag.StringVarP(root.Flags(), &postgresURL, "postgres-url", "", "CODER_PG_CONNECTION_URL", "", "URL of a PostgreSQL database to connect to")
 	cliflag.Uint8VarP(root.Flags(), &provisionerDaemonCount, "provisioner-daemons", "", "CODER_PROVISIONER_DAEMONS", 3, "The amount of provisioner daemons to create on start.")
 	cliflag.StringVarP(root.Flags(), &oauth2GithubClientID, "oauth2-github-client-id", "", "CODER_OAUTH2_GITHUB_CLIENT_ID", "",
@@ -518,14 +534,20 @@ func server() *cobra.Command {
 	return root
 }
 
-func createFirstUser(cmd *cobra.Command, client *codersdk.Client, cfg config.Root, email, password string) error {
+type extraUsers struct {
+	Username string
+	Email    string
+	Password string
+}
+
+func createFirstUser(cmd *cobra.Command, client *codersdk.Client, cfg config.Root, email, password string, users ...extraUsers) error {
 	if email == "" {
 		return xerrors.New("email is empty")
 	}
 	if password == "" {
 		return xerrors.New("password is empty")
 	}
-	_, err := client.CreateFirstUser(cmd.Context(), codersdk.CreateFirstUserRequest{
+	first, err := client.CreateFirstUser(cmd.Context(), codersdk.CreateFirstUserRequest{
 		Email:            email,
 		Username:         "developer",
 		Password:         password,
@@ -551,6 +573,18 @@ func createFirstUser(cmd *cobra.Command, client *codersdk.Client, cfg config.Roo
 	if err != nil {
 		return xerrors.Errorf("write session token: %w", err)
 	}
+
+	for _, user := range users {
+		_, err := client.CreateUser(cmd.Context(), codersdk.CreateUserRequest{
+			Email:          user.Email,
+			Username:       user.Username,
+			Password:       user.Password,
+			OrganizationID: first.OrganizationID,
+		})
+		if err != nil {
+			return xerrors.Errorf("create extra user %q: %w", user.Email, err)
+		}
+	}
 	return nil
 }
 

diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -82,8 +82,6 @@ func New(options *Options) *API {
 	apiKeyMiddleware := httpmw.ExtractAPIKey(options.Database, &httpmw.OAuth2Configs{
 		Github: options.GithubOAuth2Config,
 	})
-	// TODO: @emyrk we should just move this into 'ExtractAPIKey'.
-	authRolesMiddleware := httpmw.ExtractUserRoles(options.Database)
 
 	r.Use(
 		func(next http.Handler) http.Handler {
@@ -125,7 +123,6 @@ func New(options *Options) *API {
 		r.Route("/files", func(r chi.Router) {
 			r.Use(
 				apiKeyMiddleware,
-				authRolesMiddleware,
 				// This number is arbitrary, but reading/writing
 				// file content is expensive so it should be small.
 				httpmw.RateLimitPerMinute(12),
@@ -136,15 +133,13 @@ func New(options *Options) *API {
 		r.Route("/provisionerdaemons", func(r chi.Router) {
 			r.Use(
 				apiKeyMiddleware,
-				authRolesMiddleware,
 			)
 			r.Get("/", api.provisionerDaemons)
 		})
 		r.Route("/organizations/{organization}", func(r chi.Router) {
 			r.Use(
 				apiKeyMiddleware,
 				httpmw.ExtractOrganizationParam(options.Database),
-				authRolesMiddleware,
 			)
 			r.Get("/", api.organization)
 			r.Post("/templateversions", api.postTemplateVersionsByOrganization)
@@ -174,7 +169,7 @@ func New(options *Options) *API {
 			})
 		})
 		r.Route("/parameters/{scope}/{id}", func(r chi.Router) {
-			r.Use(apiKeyMiddleware, authRolesMiddleware)
+			r.Use(apiKeyMiddleware)
 			r.Post("/", api.postParameter)
 			r.Get("/", api.parameters)
 			r.Route("/{name}", func(r chi.Router) {
@@ -184,7 +179,6 @@ func New(options *Options) *API {
 		r.Route("/templates/{template}", func(r chi.Router) {
 			r.Use(
 				apiKeyMiddleware,
-				authRolesMiddleware,
 				httpmw.ExtractTemplateParam(options.Database),
 			)
 
@@ -199,7 +193,6 @@ func New(options *Options) *API {
 		r.Route("/templateversions/{templateversion}", func(r chi.Router) {
 			r.Use(
 				apiKeyMiddleware,
-				authRolesMiddleware,
 				httpmw.ExtractTemplateVersionParam(options.Database),
 			)
 
@@ -225,7 +218,6 @@ func New(options *Options) *API {
 			r.Group(func(r chi.Router) {
 				r.Use(
 					apiKeyMiddleware,
-					authRolesMiddleware,
 				)
 				r.Post("/", api.postUser)
 				r.Get("/", api.users)
@@ -288,7 +280,6 @@ func New(options *Options) *API {
 		r.Route("/workspaceresources/{workspaceresource}", func(r chi.Router) {
 			r.Use(
 				apiKeyMiddleware,
-				authRolesMiddleware,
 				httpmw.ExtractWorkspaceResourceParam(options.Database),
 				httpmw.ExtractWorkspaceParam(options.Database),
 			)
@@ -297,7 +288,6 @@ func New(options *Options) *API {
 		r.Route("/workspaces", func(r chi.Router) {
 			r.Use(
 				apiKeyMiddleware,
-				authRolesMiddleware,
 			)
 			r.Get("/", api.workspaces)
 			r.Route("/{workspace}", func(r chi.Router) {
@@ -323,7 +313,6 @@ func New(options *Options) *API {
 		r.Route("/workspacebuilds/{workspacebuild}", func(r chi.Router) {
 			r.Use(
 				apiKeyMiddleware,
-				authRolesMiddleware,
 				httpmw.ExtractWorkspaceBuildParam(options.Database),
 				httpmw.ExtractWorkspaceParam(options.Database),
 			)

diff --git a/coderd/database/databasefake/databasefake.go b/coderd/database/databasefake/databasefake.go
@@ -287,6 +287,7 @@ func (q *fakeQuerier) GetAllUserRoles(_ context.Context, userID uuid.UUID) (data
 	return database.GetAllUserRolesRow{
 		ID:       userID,
 		Username: user.Username,
+		Status:   user.Status,
 		Roles:    roles,
 	}, nil
 }

diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
diff --git a/coderd/database/queries/users.sql b/coderd/database/queries/users.sql
@@ -135,7 +135,9 @@ WHERE
 -- name: GetAllUserRoles :one
 SELECT
     -- username is returned just to help for logging purposes
-	id, username, array_cat(users.rbac_roles, organization_members.roles) :: text[] AS roles
+    -- status is used to enforce 'suspended' users, as all roles are ignored
+    --	when suspended.
+	id, username, status, array_cat(users.rbac_roles, organization_members.roles) :: text[] AS roles
 FROM
 	users
 LEFT JOIN organization_members

diff --git a/coderd/httpmw/apikey.go b/coderd/httpmw/apikey.go
@@ -175,7 +175,27 @@ func ExtractAPIKey(db database.Store, oauth *OAuth2Configs) func(http.Handler) h
 				}
 			}
 
-			ctx := context.WithValue(r.Context(), apiKeyContextKey{}, key)
+			// If the key is valid, we also fetch the user roles and status.
+			// The roles are used for RBAC authorize checks, and the status
+			// is to block 'suspended' users from accessing the platform.
+			roles, err := db.GetAllUserRoles(r.Context(), key.UserID)
+			if err != nil {
+				httpapi.Write(rw, http.StatusUnauthorized, httpapi.Response{
+					Message: "roles not found",
+				})
+				return
+			}
+
+			if roles.Status != database.UserStatusActive {
+				httpapi.Write(rw, http.StatusUnauthorized, httpapi.Response{
+					Message: fmt.Sprintf("user is not active (status = %q), contact an admin to reactivate your account", roles.Status),
+				})
+				return
+			}
+
+			ctx := r.Context()
+			ctx = context.WithValue(ctx, apiKeyContextKey{}, key)
+			ctx = context.WithValue(ctx, userRolesKey{}, roles)
 			next.ServeHTTP(rw, r.WithContext(ctx))
 		})
 	}