From b33e7f61e63e49e5b83c7754b15ae32441229e77 Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Thu, 13 Apr 2023 10:31:53 -0500 Subject: [PATCH 1/5] chore: Rbac errors should be returned, and not hidden behind 404 SqlErrNoRows was hiding actual errors --- coderd/database/dbauthz/dbauthz.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go index 47b18f69a8629..ced17e95da370 100644 --- a/coderd/database/dbauthz/dbauthz.go +++ b/coderd/database/dbauthz/dbauthz.go @@ -34,8 +34,8 @@ func (e NotAuthorizedError) Error() string { // Unwrap will always unwrap to a sql.ErrNoRows so the API returns a 404. // So 'errors.Is(err, sql.ErrNoRows)' will always be true. -func (NotAuthorizedError) Unwrap() error { - return sql.ErrNoRows +func (e NotAuthorizedError) Unwrap() error { + return e.Err } func IsNotAuthorizedError(err error) bool { From f19e5fae057bb99ea6e309bfa9d6c8a5eacc40ec Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Thu, 13 Apr 2023 10:44:24 -0500 Subject: [PATCH 2/5] Replace sql.ErrNoRow checks --- coderd/apikey.go | 8 +++----- coderd/files.go | 2 +- coderd/httpapi/httpapi.go | 14 ++++++++++++++ coderd/httpmw/groupparam.go | 7 ++----- coderd/httpmw/organizationparam.go | 6 ++---- coderd/httpmw/templateparam.go | 4 +--- coderd/httpmw/templateversionparam.go | 3 +-- coderd/httpmw/userparam.go | 5 +---- coderd/httpmw/workspacebuildparam.go | 4 +--- coderd/httpmw/workspaceparam.go | 6 ++---- coderd/parameters.go | 2 +- coderd/templates.go | 11 +---------- coderd/templateversions.go | 20 ++++++++++---------- coderd/users.go | 4 ++-- coderd/workspaceagents.go | 5 ----- coderd/workspacebuilds.go | 4 ++-- coderd/workspaceresourceauth.go | 4 +--- coderd/workspaces.go | 2 +- enterprise/coderd/licenses.go | 2 +- 19 files changed, 47 insertions(+), 66 deletions(-) diff --git a/coderd/apikey.go b/coderd/apikey.go index 25a1c767dd346..5c0c2a10a040d 100644 --- a/coderd/apikey.go 
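Review bot: The doc comment above `Unwrap` in coderd/database/dbauthz/dbauthz.go is left as unchanged context and is now wrong: it still says the error always unwraps to `sql.ErrNoRows` and that `errors.Is(err, sql.ErrNoRows)` is always true, while the new body returns `e.Err`. I would replace it with `// Unwrap returns the underlying authorization error. It no longer matches sql.ErrNoRows; callers that want a 404 must test for NotAuthorizedError explicitly.` Any call site that still relies on `errors.Is(err, sql.ErrNoRows)` to hide a denied lookup will, after this patch, presumably fall through to its generic error path and may put the authorization error text in the response. A repository-wide check for remaining `sql.ErrNoRows` comparisons on dbauthz-backed calls is worth doing before merge.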
+++ b/coderd/apikey.go @@ -3,8 +3,6 @@ package coderd import ( "context" "crypto/sha256" - "database/sql" - "errors" "fmt" "net" "net/http" @@ -167,7 +165,7 @@ func (api *API) apiKeyByID(rw http.ResponseWriter, r *http.Request) { keyID := chi.URLParam(r, "keyid") key, err := api.Database.GetAPIKeyByID(ctx, keyID) - if errors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.ResourceNotFound(rw) return } @@ -202,7 +200,7 @@ func (api *API) apiKeyByName(rw http.ResponseWriter, r *http.Request) { TokenName: tokenName, UserID: user.ID, }) - if errors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.ResourceNotFound(rw) return } @@ -323,7 +321,7 @@ func (api *API) deleteAPIKey(rw http.ResponseWriter, r *http.Request) { defer commitAudit() err = api.Database.DeleteAPIKeyByID(ctx, keyID) - if errors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.ResourceNotFound(rw) return } diff --git a/coderd/files.go b/coderd/files.go index 1362bfef7ebde..486ef26b90c90 100644 --- a/coderd/files.go +++ b/coderd/files.go @@ -126,7 +126,7 @@ func (api *API) fileByID(rw http.ResponseWriter, r *http.Request) { } file, err := api.Database.GetFileByID(ctx, id) - if errors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.ResourceNotFound(rw) return } diff --git a/coderd/httpapi/httpapi.go b/coderd/httpapi/httpapi.go index bd0555f812364..d71e69a55ee79 100644 --- a/coderd/httpapi/httpapi.go +++ b/coderd/httpapi/httpapi.go @@ -3,6 +3,7 @@ package httpapi import ( "bytes" "context" + "database/sql" "encoding/json" "errors" "flag" @@ -12,6 +13,9 @@ import ( "strings" "time" + "github.com/coder/coder/coderd/database/dbauthz" + "github.com/coder/coder/coderd/rbac" + "github.com/go-playground/validator/v10" "golang.org/x/xerrors" 
@@ -80,6 +84,16 @@ func init() { } } +// Is404Error returns true if the given error should return a 404 status code. +// Both actual 404s and unauthorized errors should return 404s to not leak +// information about the existence of resources. +func Is404Error(err error) bool { + if err == nil { + return false + } + return xerrors.Is(err, sql.ErrNoRows) || dbauthz.IsNotAuthorizedError(err) || rbac.IsUnauthorizedError(err) +} + // Convenience error functions don't take contexts since their responses are // static, it doesn't make much sense to trace them. diff --git a/coderd/httpmw/groupparam.go b/coderd/httpmw/groupparam.go index a513f811a6916..db226c263b6d9 100644 --- a/coderd/httpmw/groupparam.go +++ b/coderd/httpmw/groupparam.go @@ -2,12 +2,9 @@ package httpmw import ( "context" - "database/sql" - "errors" "net/http" "github.com/go-chi/chi/v5" - "golang.org/x/xerrors" "github.com/coder/coder/coderd/database" "github.com/coder/coder/coderd/httpapi" @@ -45,7 +42,7 @@ func ExtractGroupByNameParam(db database.Store) func(http.Handler) http.Handler OrganizationID: org.ID, Name: name, }) - if xerrors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.ResourceNotFound(rw) return } @@ -73,7 +70,7 @@ func ExtractGroupParam(db database.Store) func(http.Handler) http.Handler { } group, err := db.GetGroupByID(r.Context(), groupID) - if errors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.ResourceNotFound(rw) return } diff --git a/coderd/httpmw/organizationparam.go b/coderd/httpmw/organizationparam.go index 8dc65df20e7dc..ce2e4f483c5b4 100644 --- a/coderd/httpmw/organizationparam.go +++ b/coderd/httpmw/organizationparam.go @@ -2,8 +2,6 @@ package httpmw import ( "context" - "database/sql" - "errors" "net/http" "github.com/coder/coder/coderd/database" 
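Review bot: `Is404Error` becomes the single place where an authorization denial is turned into a 404, and the series adds no unit test for it. A table test in the httpapi package should cover a bare `sql.ErrNoRows`, one wrapped with `xerrors.Errorf("...: %w", ...)`, a `dbauthz.NotAuthorizedError`, an rbac unauthorized error, an unrelated error and `nil`, so a later change to either helper cannot silently turn a denial into a 500 that carries details. The doc comment would also benefit from one more line, `// Callers must not include err.Error() in the response when this returns true.`, because the matched error can describe the failed authorization check. The explicit `err == nil` guard looks redundant if both helpers are nil-safe, which is not visible from this hunk.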
@@ -47,7 +45,7 @@ func ExtractOrganizationParam(db database.Store) func(http.Handler) http.Handler } organization, err := db.GetOrganizationByID(ctx, orgID) - if errors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.ResourceNotFound(rw) return } @@ -77,7 +75,7 @@ func ExtractOrganizationMemberParam(db database.Store) func(http.Handler) http.H OrganizationID: organization.ID, UserID: user.ID, }) - if errors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.ResourceNotFound(rw) return } diff --git a/coderd/httpmw/templateparam.go b/coderd/httpmw/templateparam.go index 9400a47f77546..1ba57167d5483 100644 --- a/coderd/httpmw/templateparam.go +++ b/coderd/httpmw/templateparam.go @@ -2,8 +2,6 @@ package httpmw import ( "context" - "database/sql" - "errors" "net/http" "github.com/go-chi/chi/v5" @@ -34,7 +32,7 @@ func ExtractTemplateParam(db database.Store) func(http.Handler) http.Handler { return } template, err := db.GetTemplateByID(r.Context(), templateID) - if errors.Is(err, sql.ErrNoRows) || (err == nil && template.Deleted) { + if httpapi.Is404Error(err) || (err == nil && template.Deleted) { httpapi.ResourceNotFound(rw) return } diff --git a/coderd/httpmw/templateversionparam.go b/coderd/httpmw/templateversionparam.go index ada988cfdf28b..de86a5d1ac5f0 100644 --- a/coderd/httpmw/templateversionparam.go +++ b/coderd/httpmw/templateversionparam.go @@ -3,7 +3,6 @@ package httpmw import ( "context" "database/sql" - "errors" "net/http" "github.com/go-chi/chi/v5" @@ -35,7 +34,7 @@ func ExtractTemplateVersionParam(db database.Store) func(http.Handler) http.Hand return } templateVersion, err := db.GetTemplateVersionByID(ctx, templateVersionID) - if errors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.ResourceNotFound(rw) return } diff --git a/coderd/httpmw/userparam.go b/coderd/httpmw/userparam.go index bca52156c815a..25404190f20ca 100644 --- a/coderd/httpmw/userparam.go +++ b/coderd/httpmw/userparam.go 
@@ -2,11 +2,8 @@ package httpmw import ( "context" - "database/sql" "net/http" - "golang.org/x/xerrors" - "github.com/go-chi/chi/v5" "github.com/google/uuid" @@ -71,7 +68,7 @@ func ExtractUserParam(db database.Store, redirectToLoginOnMe bool) func(http.Han } //nolint:gocritic // System needs to be able to get user from param. user, err = db.GetUserByID(dbauthz.AsSystemRestricted(ctx), apiKey.UserID) - if xerrors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.ResourceNotFound(rw) return } diff --git a/coderd/httpmw/workspacebuildparam.go b/coderd/httpmw/workspacebuildparam.go index 7ae728dfa6734..285c3ffae7a97 100644 --- a/coderd/httpmw/workspacebuildparam.go +++ b/coderd/httpmw/workspacebuildparam.go @@ -2,8 +2,6 @@ package httpmw import ( "context" - "database/sql" - "errors" "net/http" "github.com/go-chi/chi/v5" @@ -34,7 +32,7 @@ func ExtractWorkspaceBuildParam(db database.Store) func(http.Handler) http.Handl return } workspaceBuild, err := db.GetWorkspaceBuildByID(ctx, workspaceBuildID) - if errors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.ResourceNotFound(rw) return } diff --git a/coderd/httpmw/workspaceparam.go b/coderd/httpmw/workspaceparam.go index f002f25508b06..fc7b1ade08316 100644 --- a/coderd/httpmw/workspaceparam.go +++ b/coderd/httpmw/workspaceparam.go @@ -2,8 +2,6 @@ package httpmw import ( "context" - "database/sql" - "errors" "fmt" "net/http" "strings" @@ -37,7 +35,7 @@ func ExtractWorkspaceParam(db database.Store) func(http.Handler) http.Handler { return } workspace, err := db.GetWorkspaceByID(ctx, workspaceID) - if errors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.ResourceNotFound(rw) return } @@ -74,7 +72,7 @@ func ExtractWorkspaceAndAgentParam(db database.Store) func(http.Handler) http.Ha Name: workspaceParts[0], }) if err != nil { - if errors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.ResourceNotFound(rw) return } 
diff --git a/coderd/parameters.go b/coderd/parameters.go index 59814ba1bd9c5..8800f6acb6265 100644 --- a/coderd/parameters.go +++ b/coderd/parameters.go @@ -141,7 +141,7 @@ func (api *API) deleteParameter(rw http.ResponseWriter, r *http.Request) { ScopeID: scopeID, Name: name, }) - if errors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.ResourceNotFound(rw) return } diff --git a/coderd/templates.go b/coderd/templates.go index c791013641792..f36e25348e259 100644 --- a/coderd/templates.go +++ b/coderd/templates.go @@ -407,7 +407,7 @@ func (api *API) templateByOrganizationAndName(rw http.ResponseWriter, r *http.Re Name: templateName, }) if err != nil { - if errors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.ResourceNotFound(rw) return } @@ -419,11 +419,6 @@ func (api *API) templateByOrganizationAndName(rw http.ResponseWriter, r *http.Re return } - if !api.Authorize(r, rbac.ActionRead, template) { - httpapi.ResourceNotFound(rw) - return - } - createdByNameMap, err := getCreatedByNamesByTemplateIDs(ctx, api.Database, []database.Template{template}) if err != nil { httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{ @@ -583,10 +578,6 @@ func (api *API) patchTemplateMeta(rw http.ResponseWriter, r *http.Request) { func (api *API) templateDAUs(rw http.ResponseWriter, r *http.Request) { ctx := r.Context() template := httpmw.TemplateParam(r) - if !api.Authorize(r, rbac.ActionRead, template) { - httpapi.ResourceNotFound(rw) - return - } resp, _ := api.metricsCache.TemplateDAUs(template.ID) if resp == nil || resp.Entries == nil { diff --git a/coderd/templateversions.go b/coderd/templateversions.go index 95901c159464d..a6472e147327a 100644 --- a/coderd/templateversions.go +++ b/coderd/templateversions.go 
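Review bot: In coderd/templates.go, `templateByOrganizationAndName` now hides a denied read behind 404 only if `api.Database` is the dbauthz-wrapped store, because the explicit `api.Authorize(r, rbac.ActionRead, template)` guard is deleted in the next hunk of the same file; nothing visible here shows that wrapping. The third hunk drops the same guard from `templateDAUs`, which then calls `api.metricsCache.TemplateDAUs(template.ID)`, a source that does not obviously pass through dbauthz, so access there appears to rest on the `ExtractTemplateParam` middleware fetch alone. `workspaceAgentStartupLogs` in coderd/workspaceagents.go loses its guard in the same way. I would add a comment at each site such as `// Authorization is enforced by dbauthz when the template is loaded; data read from other sources below is not re-checked.` and a test that an unauthorized caller gets 404 from these routes. The function bodies continue outside the hunks.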
@@ -737,7 +737,7 @@ func (api *API) fetchTemplateVersionDryRunJob(rw http.ResponseWriter, r *http.Re } job, err := api.Database.GetProvisionerJobByID(ctx, jobUUID) - if xerrors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{ Message: fmt.Sprintf("Provisioner job %q not found.", jobUUID), }) @@ -905,7 +905,7 @@ func (api *API) templateVersionByName(rw http.ResponseWriter, r *http.Request) { }, Name: templateVersionName, }) - if errors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{ Message: fmt.Sprintf("No template version found by name %q.", templateVersionName), }) @@ -959,7 +959,7 @@ func (api *API) templateVersionByOrganizationTemplateAndName(rw http.ResponseWri Name: templateName, }) if err != nil { - if errors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.ResourceNotFound(rw) return } @@ -979,7 +979,7 @@ func (api *API) templateVersionByOrganizationTemplateAndName(rw http.ResponseWri }, Name: templateVersionName, }) - if errors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{ Message: fmt.Sprintf("No template version found by name %q.", templateVersionName), }) @@ -1032,7 +1032,7 @@ func (api *API) previousTemplateVersionByOrganizationTemplateAndName(rw http.Res Name: templateName, }) if err != nil { - if errors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.ResourceNotFound(rw) return } @@ -1053,7 +1053,7 @@ func (api *API) previousTemplateVersionByOrganizationTemplateAndName(rw http.Res Name: templateVersionName, }) if err != nil { - if xerrors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{ Message: fmt.Sprintf("No template version found by name %q.", templateVersionName), }) 
@@ -1073,7 +1073,7 @@ func (api *API) previousTemplateVersionByOrganizationTemplateAndName(rw http.Res TemplateID: templateVersion.TemplateID, }) if err != nil { - if xerrors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{ Message: fmt.Sprintf("No previous template version found for %q.", templateVersionName), }) @@ -1138,7 +1138,7 @@ func (api *API) patchActiveTemplateVersion(rw http.ResponseWriter, r *http.Reque return } version, err := api.Database.GetTemplateVersionByID(ctx, req.ID) - if errors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{ Message: "Template version not found.", }) @@ -1222,7 +1222,7 @@ func (api *API) postTemplateVersionsByOrganization(rw http.ResponseWriter, r *ht if req.TemplateID != uuid.Nil { _, err := api.Database.GetTemplateByID(ctx, req.TemplateID) - if errors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{ Message: "Template does not exist.", }) @@ -1318,7 +1318,7 @@ func (api *API) postTemplateVersionsByOrganization(rw http.ResponseWriter, r *ht if req.FileID != uuid.Nil { file, err = api.Database.GetFileByID(ctx, req.FileID) - if errors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{ Message: "File not found.", }) diff --git a/coderd/users.go b/coderd/users.go index c39b33b931f9b..44130cfbab940 100644 --- a/coderd/users.go +++ b/coderd/users.go @@ -314,7 +314,7 @@ func (api *API) postUser(rw http.ResponseWriter, r *http.Request) { } _, err = api.Database.GetOrganizationByID(ctx, req.OrganizationID) - if errors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{ Message: fmt.Sprintf("Organization does not exist with the provided id %q.", req.OrganizationID), }) 
@@ -938,7 +938,7 @@ func (api *API) organizationByUserAndName(rw http.ResponseWriter, r *http.Reques ctx := r.Context() organizationName := chi.URLParam(r, "organizationname") organization, err := api.Database.GetOrganizationByName(ctx, organizationName) - if errors.Is(err, sql.ErrNoRows) || rbac.IsUnauthorizedError(err) { + if httpapi.Is404Error(err) { httpapi.ResourceNotFound(rw) return } diff --git a/coderd/workspaceagents.go b/coderd/workspaceagents.go index 1abf0af78178d..d081737cfcf73 100644 --- a/coderd/workspaceagents.go +++ b/coderd/workspaceagents.go @@ -397,15 +397,10 @@ func (api *API) workspaceAgentStartupLogs(rw http.ResponseWriter, r *http.Reques ctx = r.Context() actor, _ = dbauthz.ActorFromContext(ctx) workspaceAgent = httpmw.WorkspaceAgentParam(r) - workspace = httpmw.WorkspaceParam(r) logger = api.Logger.With(slog.F("workspace_agent_id", workspaceAgent.ID)) follow = r.URL.Query().Has("follow") afterRaw = r.URL.Query().Get("after") ) - if !api.Authorize(r, rbac.ActionRead, workspace) { - httpapi.ResourceNotFound(rw) - return - } var after int64 // Only fetch logs created after the time provided. diff --git a/coderd/workspacebuilds.go b/coderd/workspacebuilds.go index c6f2e591d5bdd..687233a01cba3 100644 --- a/coderd/workspacebuilds.go +++ b/coderd/workspacebuilds.go @@ -227,7 +227,7 @@ func (api *API) workspaceBuildByBuildNumber(rw http.ResponseWriter, r *http.Requ OwnerID: owner.ID, Name: workspaceName, }) - if errors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.ResourceNotFound(rw) return } @@ -243,7 +243,7 @@ func (api *API) workspaceBuildByBuildNumber(rw http.ResponseWriter, r *http.Requ WorkspaceID: workspace.ID, BuildNumber: int32(buildNumber), }) - if errors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{ Message: fmt.Sprintf("Workspace %q Build %d does not exist.", workspaceName, buildNumber), }) 
diff --git a/coderd/workspaceresourceauth.go b/coderd/workspaceresourceauth.go index b37d8ea151ee1..b43434c1d6c0f 100644 --- a/coderd/workspaceresourceauth.go +++ b/coderd/workspaceresourceauth.go @@ -1,9 +1,7 @@ package coderd import ( - "database/sql" "encoding/json" - "errors" "fmt" "net/http" @@ -131,7 +129,7 @@ func (api *API) handleAuthInstanceID(rw http.ResponseWriter, r *http.Request, in ctx := r.Context() //nolint:gocritic // needed for auth instance id agent, err := api.Database.GetWorkspaceAgentByInstanceID(dbauthz.AsSystemRestricted(ctx), instanceID) - if errors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{ Message: fmt.Sprintf("Instance with id %q not found.", instanceID), }) diff --git a/coderd/workspaces.go b/coderd/workspaces.go index 240095723f836..454eb40c58483 100644 --- a/coderd/workspaces.go +++ b/coderd/workspaces.go @@ -225,7 +225,7 @@ func (api *API) workspaceByOwnerAndName(rw http.ResponseWriter, r *http.Request) Deleted: includeDeleted, }) } - if errors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.ResourceNotFound(rw) return } diff --git a/enterprise/coderd/licenses.go b/enterprise/coderd/licenses.go index 71baa570645dc..24085ee9a7bea 100644 --- a/enterprise/coderd/licenses.go +++ b/enterprise/coderd/licenses.go @@ -235,7 +235,7 @@ func (api *API) deleteLicense(rw http.ResponseWriter, r *http.Request) { } _, err = api.Database.DeleteLicense(ctx, int32(id)) - if xerrors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.Write(ctx, rw, http.StatusNotFound, codersdk.Response{ Message: "Unknown license ID", }) From 33c76653a748fc650d6710b50b3d5686baee8558 Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Thu, 13 Apr 2023 10:48:48 -0500 Subject: [PATCH 3/5] Fixup --- coderd/httpapi/httpapi.go | 5 ++--- enterprise/coderd/groups.go | 2 +- 2 files changed, 3 insertions(+), 4 deletions(-) 
diff --git a/coderd/httpapi/httpapi.go b/coderd/httpapi/httpapi.go index d71e69a55ee79..bfdfe0d876b47 100644 --- a/coderd/httpapi/httpapi.go +++ b/coderd/httpapi/httpapi.go @@ -13,12 +13,11 @@ import ( "strings" "time" - "github.com/coder/coder/coderd/database/dbauthz" - "github.com/coder/coder/coderd/rbac" - "github.com/go-playground/validator/v10" "golang.org/x/xerrors" + "github.com/coder/coder/coderd/database/dbauthz" + "github.com/coder/coder/coderd/rbac" "github.com/coder/coder/coderd/tracing" "github.com/coder/coder/codersdk" ) diff --git a/enterprise/coderd/groups.go b/enterprise/coderd/groups.go index 423ab38b2b2ef..2ce1685d97ca8 100644 --- a/enterprise/coderd/groups.go +++ b/enterprise/coderd/groups.go @@ -231,7 +231,7 @@ func (api *API) patchGroup(rw http.ResponseWriter, r *http.Request) { }) return } - if xerrors.Is(err, sql.ErrNoRows) { + if httpapi.Is404Error(err) { httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{ Message: "Failed to add or remove non-existent group member", Detail: err.Error(), From 2d1c92483d7b5660e22c316ba71d998d0624fc1b Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Thu, 13 Apr 2023 10:50:10 -0500 Subject: [PATCH 4/5] Remove sql err no rows check from dbauthz test --- coderd/database/dbauthz/setup_test.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/coderd/database/dbauthz/setup_test.go b/coderd/database/dbauthz/setup_test.go index 578a6d0445465..10870bd01a6e9 100644 --- a/coderd/database/dbauthz/setup_test.go +++ b/coderd/database/dbauthz/setup_test.go @@ -2,7 +2,6 @@ package dbauthz_test import ( "context" - "database/sql" "fmt" "reflect" "sort" 
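Review bot: In `patchGroup` (enterprise/coderd/groups.go) the branch guarded by `httpapi.Is404Error(err)` answers with `http.StatusBadRequest`, the message "Failed to add or remove non-existent group member" and `Detail: err.Error()`, so an authorization denial is now reported as a missing member and its error text is sent to the client. Since the first patch makes `NotAuthorizedError` unwrap to the underlying error, that text may describe the failed RBAC check. I would keep `xerrors.Is(err, sql.ErrNoRows)` for this 400 branch and handle the denial before it with `httpapi.ResourceNotFound(rw)`, or at least drop `Detail` when the error is an authorization error. The function body starts and ends outside the hunk.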
@@ -219,7 +218,6 @@ func (s *MethodTestSuite) NotAuthorizedErrorTest(ctx context.Context, az *coderd if err != nil || !hasEmptySliceResponse(resp) { s.ErrorContainsf(err, "unauthorized", "error string should have a good message") s.Errorf(err, "method should an error with disallow authz") - s.ErrorIsf(err, sql.ErrNoRows, "error should match sql.ErrNoRows") s.ErrorAs(err, &dbauthz.NotAuthorizedError{}, "error should be NotAuthorizedError") } }) From f035f9a90ce9e5e429cec4a6f038421d33814611 Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Thu, 13 Apr 2023 10:54:09 -0500 Subject: [PATCH 5/5] Fix to use dbauthz system user --- coderd/provisionerjobs.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/coderd/provisionerjobs.go b/coderd/provisionerjobs.go index e03f5b9ffd28d..e9c7273dab5e8 100644 --- a/coderd/provisionerjobs.go +++ b/coderd/provisionerjobs.go @@ -224,7 +224,7 @@ func (api *API) provisionerJobResources(rw http.ResponseWriter, r *http.Request, } // nolint:gocritic // GetWorkspaceAppsByAgentIDs is a system function. - apps, err := api.Database.GetWorkspaceAppsByAgentIDs(ctx, resourceAgentIDs) + apps, err := api.Database.GetWorkspaceAppsByAgentIDs(dbauthz.AsSystemRestricted(ctx), resourceAgentIDs) if errors.Is(err, sql.ErrNoRows) { err = nil }
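Review bot: Passing `dbauthz.AsSystemRestricted(ctx)` to `GetWorkspaceAppsByAgentIDs` in `provisionerJobResources` means the apps lookup no longer checks the caller's permissions, so it is safe only if `resourceAgentIDs` was built from resources of a job the caller was already authorized to read; that derivation is outside this hunk. The nolint comment only says the query is a system function. Once the precondition is confirmed, I would spell it out, e.g. `// nolint:gocritic // System context is safe here: resourceAgentIDs come from a job the caller is already authorized to read.` The `errors.Is(err, sql.ErrNoRows)` check that follows should stay as it is rather than move to `httpapi.Is404Error`, since treating an authorization error as "no apps" would hide a denial.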