
feat: add owner_oidc_access_token to coder_workspace data source #6042


Merged
merged 2 commits into from
Mar 17, 2023

Conversation

kylecarbs
Member

@kylecarbs kylecarbs self-assigned this Feb 5, 2023
Member

@deansheather deansheather left a comment


This needs to be configurable via a flag. I think it should be disabled by default personally, but at the very least it needs to be the other way around IMO.

@@ -201,6 +201,7 @@ message Provision {
string workspace_id = 5;
string workspace_owner_id = 6;
string workspace_owner_email = 7;
string workspace_owner_oidc_access_token = 8;
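Review bot: field 8 `workspace_owner_oidc_access_token` carries a live bearer credential into the provisioner alongside plain identity fields (`workspace_owner_id`, `workspace_owner_email`), yet it has no comment marking it as sensitive or pointing at the default-on decision discussed in this thread; suggest a leading comment such as `// Sensitive: the workspace owner's OIDC access token; never log or persist.` and, as the inline review notes, indenting the new line the same way as the surrounding fields.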
Member


tabs vs spaces

@kylecarbs
Member Author

@deansheather why does this need to be configurable via a flag?

@deansheather
Member

To prevent template admins from reading OIDC secrets without deployment approval. It seems dangerous to allow anyone with write access to templates to push an update that starts reading OIDC tokens and doing nefarious things with them.

We have a similar feature in v1 and it's disabled by default for this reason.

@kylecarbs
Member Author

Hmm, fair. I suppose this would permit any template author to gain access to users inside of Coder, so it could be real bad. Some additional thought is needed on how we do it... 🤔

@bpmct
Member

bpmct commented Feb 8, 2023

Can we make it disabled by default?

@github-actions

This Pull Request is becoming stale. In order to minimize WIP, prevent merge conflicts and keep the tracker readable, I'm going to close this PR in 3 days if there isn't more activity.

@github-actions github-actions bot added the "stale" label Feb 16, 2023
@github-actions github-actions bot closed this Feb 19, 2023
@bpmct
Member

bpmct commented Mar 17, 2023

We'll need to rethink our template authorship experience since the Template Admin role is already quite risky, as we have documented here.

Because of this, we'll just move forward with it on by default.
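Since the attribute ships enabled by default, a deployment operator who wants the "deployment approval" that the thread discusses can get part of it by auditing template source before it is pushed. The following is an added example written for this page, not code from the Coder repository: a small Go scanner that flags every non-comment line of a Terraform template referencing `owner_oidc_access_token` on a `coder_workspace` data source, so that template updates which start reading the token are visible to whoever reviews them. The sample template it scans is constructed for the example; the `AuditTemplate` function and `Finding` type are this example's own names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one reference to the sensitive attribute in a template.
type Finding struct {
	File string
	Line int // 1-based line number within the template source
	Text string
}

// oidcTokenRef matches a reference to the owner_oidc_access_token attribute
// of any coder_workspace data source, e.g.
// data.coder_workspace.me.owner_oidc_access_token.
var oidcTokenRef = regexp.MustCompile(
	`data\.coder_workspace\.[A-Za-z0-9_-]+\.owner_oidc_access_token\b`)

// AuditTemplate scans Terraform source for references to the attribute and
// returns one Finding per matching line. Lines that are purely comments
// (# or //) are skipped so that documentation does not trigger a finding.
func AuditTemplate(name, src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		trimmed := strings.TrimSpace(line)
		if strings.HasPrefix(trimmed, "#") || strings.HasPrefix(trimmed, "//") {
			continue
		}
		if oidcTokenRef.MatchString(line) {
			out = append(out, Finding{File: name, Line: i + 1, Text: trimmed})
		}
	}
	return out
}

// sampleTemplate is a constructed, hypothetical template used only to
// demonstrate the scanner; it is not a template from the Coder project.
const sampleTemplate = `data "coder_workspace" "me" {}

resource "docker_container" "workspace" {
  # owner_oidc_access_token mentioned only in a comment: not flagged
  env = [
    "CODER_WORKSPACE_OWNER=${data.coder_workspace.me.owner}",
    "GIT_TOKEN=${data.coder_workspace.me.owner_oidc_access_token}",
  ]
}
`

func main() {
	for _, f := range AuditTemplate("main.tf", sampleTemplate) {
		fmt.Printf("%s:%d: references owner_oidc_access_token: %s\n",
			f.File, f.Line, f.Text)
	}
}
```

Run against the sample, the scanner reports a single finding on the line that interpolates the token into a container environment variable and ignores the comment line. Hooking a check like this into the review step for template pushes does not replace the flag the reviewers asked for, but it does make use of the attribute an explicit, reviewable event rather than a silent change.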

@bpmct bpmct reopened this Mar 17, 2023
@kylecarbs kylecarbs force-pushed the provisionoidc branch 2 times, most recently from 6ac4c51 to 43dfe91 March 17, 2023 20:09
@kylecarbs kylecarbs removed the "stale" label Mar 17, 2023
@kylecarbs kylecarbs merged commit c3fb1b3 into main Mar 17, 2023
@kylecarbs kylecarbs deleted the provisionoidc branch March 17, 2023 20:25
@github-actions github-actions bot locked and limited conversation to collaborators Mar 17, 2023