From a21f319f8281ae8f1185c9b795b4a104665d8255 Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Mon, 12 Jun 2023 10:20:38 -0500 Subject: [PATCH 01/13] feat: add disabling of default 'everyone' group access to template --- cli/templatecreate.go | 18 +++++++++++++----- coderd/apidoc/docs.go | 4 ++++ coderd/apidoc/swagger.json | 4 ++++ coderd/templates.go | 30 +++++++++++++++++------------- codersdk/organizations.go | 7 +++++++ docs/api/schemas.md | 30 ++++++++++++++++-------------- docs/api/templates.md | 1 + docs/cli/templates_create.md | 8 ++++++++ site/src/api/typesGenerated.ts | 1 + 9 files changed, 71 insertions(+), 32 deletions(-) diff --git a/cli/templatecreate.go b/cli/templatecreate.go index a49997c3315ab..0625760864afe 100644 --- a/cli/templatecreate.go +++ b/cli/templatecreate.go @@ -28,6 +28,7 @@ func (r *RootCmd) templateCreate() *clibase.Cmd { provisionerTags []string variablesFile string variables []string + disableEveryone bool defaultTTL time.Duration failureTTL time.Duration inactivityTTL time.Duration @@ -121,11 +122,12 @@ func (r *RootCmd) templateCreate() *clibase.Cmd { } createReq := codersdk.CreateTemplateRequest{ - Name: templateName, - VersionID: job.ID, - DefaultTTLMillis: ptr.Ref(defaultTTL.Milliseconds()), - FailureTTLMillis: ptr.Ref(failureTTL.Milliseconds()), - InactivityTTLMillis: ptr.Ref(inactivityTTL.Milliseconds()), + Name: templateName, + VersionID: job.ID, + DefaultTTLMillis: ptr.Ref(defaultTTL.Milliseconds()), + FailureTTLMillis: ptr.Ref(failureTTL.Milliseconds()), + InactivityTTLMillis: ptr.Ref(inactivityTTL.Milliseconds()), + DisableEveryoneGroupAccess: disableEveryone, } _, err = client.CreateTemplate(inv.Context(), organization.ID, createReq) 
@@ -144,6 +146,12 @@ func (r *RootCmd) templateCreate() *clibase.Cmd { }, } cmd.Options = clibase.OptionSet{ + { + Flag: "disable-everyone", + Description: "Disable the default behavior of granting template access to the 'everyone' group. " + + "The template permissions must be updated to allow non-admin users to use this template.", + Value: clibase.BoolOf(&disableEveryone), + }, { Flag: "variables-file", Description: "Specify a file path with values for Terraform-managed variables.", diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go index fcc08069ab70a..6610961a32cbf 100644 --- a/coderd/apidoc/docs.go +++ b/coderd/apidoc/docs.go @@ -6658,6 +6658,10 @@ const docTemplate = `{ "description": "Description is a description of what the template contains. It must be\nless than 128 bytes.", "type": "string" }, + "disable_everyone_group_access": { + "description": "DisableEveryoneGroupAccess allows optionally disabling the default\nbehavior of granting the 'everyone' group access to use the template.\nIf this is set to true, the template will not be available to all users,\nand must be explicitly granted to users or groups in the permissions settings\nof the template.", + "type": "boolean" + }, "display_name": { "description": "DisplayName is the displayed name of the template.", "type": "string" diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json index f97718458a847..6084cf051983f 100644 --- a/coderd/apidoc/swagger.json +++ b/coderd/apidoc/swagger.json 
@@ -5929,6 +5929,10 @@ "description": "Description is a description of what the template contains. It must be\nless than 128 bytes.", "type": "string" }, + "disable_everyone_group_access": { + "description": "DisableEveryoneGroupAccess allows optionally disabling the default\nbehavior of granting the 'everyone' group access to use the template.\nIf this is set to true, the template will not be available to all users,\nand must be explicitly granted to users or groups in the permissions settings\nof the template.", + "type": "boolean" + }, "display_name": { "description": "DisplayName is the displayed name of the template.", "type": "string" diff --git a/coderd/templates.go b/coderd/templates.go index e54c0b3ddb8a7..9aefb174172ca 100644 --- a/coderd/templates.go +++ b/coderd/templates.go 
@@ -274,22 +274,26 @@ func (api *API) postTemplateByOrganization(rw http.ResponseWriter, r *http.Reque allowUserAutostop = ptr.NilToDefault(createTemplate.AllowUserAutostop, true) ) + defaultsGroups := database.TemplateACL{} + if !createTemplate.DisableEveryoneGroupAccess { + // The organization ID is used as the group ID for the everyone group + // in this organization. + defaultsGroups[organization.ID.String()] = []rbac.Action{rbac.ActionRead} + } err = api.Database.InTx(func(tx database.Store) error { now := database.Now() dbTemplate, err = tx.InsertTemplate(ctx, database.InsertTemplateParams{ - ID: uuid.New(), - CreatedAt: now, - UpdatedAt: now, - OrganizationID: organization.ID, - Name: createTemplate.Name, - Provisioner: importJob.Provisioner, - ActiveVersionID: templateVersion.ID, - Description: createTemplate.Description, - CreatedBy: apiKey.UserID, - UserACL: database.TemplateACL{}, - GroupACL: database.TemplateACL{ - organization.ID.String(): []rbac.Action{rbac.ActionRead}, - }, + ID: uuid.New(), + CreatedAt: now, + UpdatedAt: now, + OrganizationID: organization.ID, + Name: createTemplate.Name, + Provisioner: importJob.Provisioner, + ActiveVersionID: templateVersion.ID, + Description: createTemplate.Description, + CreatedBy: apiKey.UserID, + UserACL: database.TemplateACL{}, + GroupACL: defaultsGroups, DisplayName: createTemplate.DisplayName, Icon: createTemplate.Icon, AllowUserCancelWorkspaceJobs: allowUserCancelWorkspaceJobs, diff --git a/codersdk/organizations.go b/codersdk/organizations.go index 1eb2aab973cb3..19af059277ea0 100644 --- a/codersdk/organizations.go +++ b/codersdk/organizations.go 
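Review bot: In coderd/templates.go, `DisableEveryoneGroupAccess` is honoured with no server-side check that access can be granted back afterwards: when it is true, `defaultsGroups` stays empty and the template is inserted with an empty `UserACL` and `GroupACL`. The only gate in this series is in the web form (`allowDisableEveryoneAccess`, derived from the `template_rbac` entitlement in CreateTemplatePage.tsx), so the new CLI flag and direct API callers can still create a template that, per that file's own comment, no non-admin can reach on a deployment without the feature. Consider enforcing the entitlement on the server and rejecting the request otherwise, instead of relying on the client. Separately, `defaultsGroups` reads better as `defaultGroups`. The handler starts and ends outside the hunk, so a check elsewhere in the function would not be visible here.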
@@ -108,6 +108,13 @@ type CreateTemplateRequest struct { // InactivityTTLMillis allows optionally specifying the max lifetime before Coder // deletes inactive workspaces created from this template. InactivityTTLMillis *int64 `json:"inactivity_ttl_ms,omitempty"` + + // DisableEveryoneGroupAccess allows optionally disabling the default + // behavior of granting the 'everyone' group access to use the template. + // If this is set to true, the template will not be available to all users, + // and must be explicitly granted to users or groups in the permissions settings + // of the template. + DisableEveryoneGroupAccess bool `json:"disable_everyone_group_access"` } // CreateWorkspaceRequest provides options for creating a new workspace. diff --git a/docs/api/schemas.md b/docs/api/schemas.md index e4fd03c5cd0b7..2a15b0706d42a 100644 --- a/docs/api/schemas.md +++ b/docs/api/schemas.md @@ -1343,6 +1343,7 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in "allow_user_cancel_workspace_jobs": true, "default_ttl_ms": 0, "description": "string", + "disable_everyone_group_access": true, "display_name": "string", "failure_ttl_ms": 0, "icon": "string", 
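Review bot: In codersdk/organizations.go, the new field's JSON tag has no `omitempty`, unlike `InactivityTTLMillis` directly above it, and the generated TypeScript type in this patch makes `disable_everyone_group_access` a required property while its neighbours are optional. Since the zero value `false` already means the default grant to the 'everyone' group, `json:"disable_everyone_group_access,omitempty"` would keep existing request bodies unchanged on the wire and would presumably make the generated property optional. The doc comment could also say that the grant being withheld is read access (`rbac.ActionRead` in coderd/templates.go), because "access to use the template" leaves the permission level implicit. The struct definition starts outside the hunk.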
@@ -1355,20 +1356,21 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in ### Properties -| Name | Type | Required | Restrictions | Description | -| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -------- | ------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `allow_user_autostart` | boolean | false | | Allow user autostart allows users to set a schedule for autostarting their workspace. By default this is true. This can only be disabled when using an enterprise license. | -| `allow_user_autostop` | boolean | false | | Allow user autostop allows users to set a custom workspace TTL to use in place of the template's DefaultTTL field. By default this is true. If false, the DefaultTTL will always be used. This can only be disabled when using an enterprise license. | -| `allow_user_cancel_workspace_jobs` | boolean | false | | Allow users to cancel in-progress workspace jobs. \*bool as the default value is "true". | -| `default_ttl_ms` | integer | false | | Default ttl ms allows optionally specifying the default TTL for all workspaces created from this template. | -| `description` | string | false | | Description is a description of what the template contains. It must be less than 128 bytes. | -| `display_name` | string | false | | Display name is the displayed name of the template. | -| `failure_ttl_ms` | integer | false | | Failure ttl ms allows optionally specifying the max lifetime before Coder stops all resources for failed workspaces created from this template. 
| -| `icon` | string | false | | Icon is a relative path or external URL that specifies an icon to be displayed in the dashboard. | -| `inactivity_ttl_ms` | integer | false | | Inactivity ttl ms allows optionally specifying the max lifetime before Coder deletes inactive workspaces created from this template. | -| `max_ttl_ms` | integer | false | | Max ttl ms allows optionally specifying the max lifetime for workspaces created from this template. | -| `name` | string | true | | Name is the name of the template. | -| `template_version_id` | string | true | | Template version ID is an in-progress or completed job to use as an initial version of the template. | +| Name | Type | Required | Restrictions | Description | +| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -------- | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `allow_user_autostart` | boolean | false | | Allow user autostart allows users to set a schedule for autostarting their workspace. By default this is true. This can only be disabled when using an enterprise license. | +| `allow_user_autostop` | boolean | false | | Allow user autostop allows users to set a custom workspace TTL to use in place of the template's DefaultTTL field. By default this is true. If false, the DefaultTTL will always be used. This can only be disabled when using an enterprise license. | +| `allow_user_cancel_workspace_jobs` | boolean | false | | Allow users to cancel in-progress workspace jobs. \*bool as the default value is "true". 
| +| `default_ttl_ms` | integer | false | | Default ttl ms allows optionally specifying the default TTL for all workspaces created from this template. | +| `description` | string | false | | Description is a description of what the template contains. It must be less than 128 bytes. | +| `disable_everyone_group_access` | boolean | false | | Disable everyone group access allows optionally disabling the default behavior of granting the 'everyone' group access to use the template. If this is set to true, the template will not be available to all users, and must be explicitly granted to users or groups in the permissions settings of the template. | +| `display_name` | string | false | | Display name is the displayed name of the template. | +| `failure_ttl_ms` | integer | false | | Failure ttl ms allows optionally specifying the max lifetime before Coder stops all resources for failed workspaces created from this template. | +| `icon` | string | false | | Icon is a relative path or external URL that specifies an icon to be displayed in the dashboard. | +| `inactivity_ttl_ms` | integer | false | | Inactivity ttl ms allows optionally specifying the max lifetime before Coder deletes inactive workspaces created from this template. | +| `max_ttl_ms` | integer | false | | Max ttl ms allows optionally specifying the max lifetime for workspaces created from this template. | +| `name` | string | true | | Name is the name of the template. | +| `template_version_id` | string | true | | Template version ID is an in-progress or completed job to use as an initial version of the template. | | This is required on creation to enable a user-flow of validating a template works. There is no reason the data-model cannot support empty templates, but it doesn't make sense for users. | ## codersdk.CreateTemplateVersionDryRunRequest diff --git a/docs/api/templates.md b/docs/api/templates.md index 50275ab168f90..b9e3033a83e73 100644 --- a/docs/api/templates.md +++ b/docs/api/templates.md 
@@ -129,6 +129,7 @@ curl -X POST http://coder-server:8080/api/v2/organizations/{organization}/templa "allow_user_cancel_workspace_jobs": true, "default_ttl_ms": 0, "description": "string", + "disable_everyone_group_access": true, "display_name": "string", "failure_ttl_ms": 0, "icon": "string", diff --git a/docs/cli/templates_create.md b/docs/cli/templates_create.md index bec1eb4165074..f5f8c3a56bd2f 100644 --- a/docs/cli/templates_create.md +++ b/docs/cli/templates_create.md @@ -30,6 +30,14 @@ Specify a default TTL for workspaces created from this template. Specify the directory to create from, use '-' to read tar from stdin. +### --disable-everyone + +| | | +| ---- | ----------------- | +| Type | bool | + +Disable the default behavior of granting template access to the 'everyone' group. The template permissions must be updated to allow non-admin users to use this template. + ### --failure-ttl | | | diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts index dea9dd74080ff..0af5c0c06a65e 100644 --- a/site/src/api/typesGenerated.ts +++ b/site/src/api/typesGenerated.ts @@ -179,6 +179,7 @@ export interface CreateTemplateRequest { readonly allow_user_autostop?: boolean readonly failure_ttl_ms?: number readonly inactivity_ttl_ms?: number + readonly disable_everyone_group_access: boolean } // From codersdk/templateversions.go From 8dd7e5fdc8ca616b2f62bb01e6e41435ea92e532 Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Mon, 12 Jun 2023 10:31:52 -0500 Subject: [PATCH 02/13] add unit test --- coderd/audit/audit.go | 8 ++++++++ coderd/templates_test.go | 43 +++++++++++++++++++++++++++++++--------- 2 files changed, 42 insertions(+), 9 deletions(-) diff --git a/coderd/audit/audit.go b/coderd/audit/audit.go index cf941611500c8..d3e83d19e85fb 100644 --- a/coderd/audit/audit.go +++ b/coderd/audit/audit.go 
@@ -42,6 +42,14 @@ type MockAuditor struct { auditLogs []database.AuditLog } +// ResetLogs removes all audit logs from the mock auditor. +// This is helpful for testing to get a clean slate. +func (a *MockAuditor) ResetLogs() { + a.mutex.Lock() + defer a.mutex.Unlock() + a.auditLogs = make([]database.AuditLog, 0) +} + func (a *MockAuditor) AuditLogs() []database.AuditLog { a.mutex.Lock() defer a.mutex.Unlock() diff --git a/coderd/templates_test.go b/coderd/templates_test.go index 03a3556f56e1a..a4da6768d8a8c 100644 --- a/coderd/templates_test.go +++ b/coderd/templates_test.go 
@@ -48,25 +48,29 @@ func TestPostTemplateByOrganization(t *testing.T) { t.Parallel() auditor := audit.NewMock() client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true, Auditor: auditor}) - user := coderdtest.CreateFirstUser(t, client) - version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil) + owner := coderdtest.CreateFirstUser(t, client) + // By default, everyone in the org can read the template. + user, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID) + auditor.ResetLogs() + + version := coderdtest.CreateTemplateVersion(t, client, owner.OrganizationID, nil) - expected := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID) + expected := coderdtest.CreateTemplate(t, client, owner.OrganizationID, version.ID) ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong) defer cancel() - got, err := client.Template(ctx, expected.ID) + got, err := user.Template(ctx, expected.ID) require.NoError(t, err) assert.Equal(t, expected.Name, got.Name) assert.Equal(t, expected.Description, got.Description) - require.Len(t, auditor.AuditLogs(), 4) - assert.Equal(t, database.AuditActionLogin, auditor.AuditLogs()[0].Action) - assert.Equal(t, database.AuditActionCreate, auditor.AuditLogs()[1].Action) - assert.Equal(t, database.AuditActionWrite, auditor.AuditLogs()[2].Action) - assert.Equal(t, database.AuditActionCreate, auditor.AuditLogs()[3].Action) + x := auditor.AuditLogs() + require.Len(t, auditor.AuditLogs(), 3) + assert.Equal(t, database.AuditActionCreate, auditor.AuditLogs()[0].Action) + assert.Equal(t, database.AuditActionWrite, auditor.AuditLogs()[1].Action) + assert.Equal(t, database.AuditActionCreate, auditor.AuditLogs()[2].Action) }) t.Run("AlreadyExists", func(t *testing.T) { 
@@ -126,6 +130,27 @@ func TestPostTemplateByOrganization(t *testing.T) { require.Zero(t, got.DefaultTTLMillis) }) + t.Run("DisableEveryone", func(t *testing.T) { + t.Parallel() + auditor := audit.NewMock() + client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true, Auditor: auditor}) + owner := coderdtest.CreateFirstUser(t, client) + user, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID) + version := coderdtest.CreateTemplateVersion(t, client, owner.OrganizationID, nil) + + expected := coderdtest.CreateTemplate(t, client, owner.OrganizationID, version.ID, func(request *codersdk.CreateTemplateRequest) { + request.DisableEveryoneGroupAccess = true + }) + + ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong) + defer cancel() + + _, err := user.Template(ctx, expected.ID) + var apiErr *codersdk.Error + require.ErrorAs(t, err, &apiErr) + require.Equal(t, http.StatusNotFound, apiErr.StatusCode()) + }) + t.Run("Unauthorized", func(t *testing.T) { t.Parallel() client := coderdtest.New(t, nil) From ec47f5012e942ea42ef9174ffd9851d723a12546 Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Mon, 12 Jun 2023 13:13:39 -0500 Subject: [PATCH 03/13] add FE to disable everyone group --- .../CreateTemplatePage/CreateTemplateForm.tsx | 113 +++++++++++++----- .../createTemplate/createTemplateXService.ts | 3 + 2 files changed, 85 insertions(+), 31 deletions(-) diff --git a/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx b/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx index cbaa48adadcb0..f94f58bebcab1 100644 --- a/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx +++ b/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx @@ -102,6 +102,7 @@ const defaultInitialValues: CreateTemplateData = { allow_user_cancel_workspace_jobs: false, allow_user_autostart: false, allow_user_autostop: false, + allow_everyone_group_access: true, } type GetInitialValuesParams = { 
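Review bot: The `DisableEveryone` subtest in coderd/templates_test.go asserts only the denial, a second organization member receiving `http.StatusNotFound`, and has no positive control in the same subtest. A `client.Template(ctx, expected.ID)` call checked with `require.NoError` alongside the member check would tie the 404 to the missing group grant rather than to any other reason the lookup could fail. The `auditor` created at the top of the subtest is passed to `coderdtest.New` but never asserted on, so it can be dropped from the options.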
@@ -384,39 +385,89 @@ export const CreateTemplateForm: FC = ({ title="Operations" description="Regulate actions allowed on workspaces created from this template." > - - - + + + + + + {/* Variables */} diff --git a/site/src/xServices/createTemplate/createTemplateXService.ts b/site/src/xServices/createTemplate/createTemplateXService.ts index cfe02947343f4..db537be8e08f5 100644 --- a/site/src/xServices/createTemplate/createTemplateXService.ts +++ b/site/src/xServices/createTemplate/createTemplateXService.ts @@ -45,6 +45,7 @@ export interface CreateTemplateData { allow_user_cancel_workspace_jobs: boolean parameter_values_by_name?: Record user_variable_values?: VariableValue[] + allow_everyone_group_access: boolean } interface CreateTemplateContext { organizationId: string @@ -457,11 +458,13 @@ export const createTemplateMachine = default_ttl_hours, max_ttl_hours, parameter_values_by_name, + allow_everyone_group_access, ...safeTemplateData } = templateData return createTemplate(organizationId, { ...safeTemplateData, + disable_everyone_group_access: !allow_everyone_group_access, default_ttl_ms: templateData.default_ttl_hours * 60 * 60 * 1000, // Convert hours to ms max_ttl_ms: templateData.max_ttl_hours * 60 * 60 * 1000, // Convert hours to ms template_version_id: version.id, From 0a3f6794259dc18a12eb2fc7d9817acb66500bc9 Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Mon, 12 Jun 2023 13:32:38 -0500 Subject: [PATCH 04/13] require entitlement to uncheck box --- .../pages/CreateTemplatePage/CreateTemplateForm.stories.tsx | 1 + site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx | 4 +++- site/src/pages/CreateTemplatePage/CreateTemplatePage.tsx | 5 +++++ 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/site/src/pages/CreateTemplatePage/CreateTemplateForm.stories.tsx b/site/src/pages/CreateTemplatePage/CreateTemplateForm.stories.tsx index 3a2a87bc65a70..22811b15cf874 100644 --- a/site/src/pages/CreateTemplatePage/CreateTemplateForm.stories.tsx 
+++ b/site/src/pages/CreateTemplatePage/CreateTemplateForm.stories.tsx @@ -17,6 +17,7 @@ export default { component: CreateTemplateForm, args: { isSubmitting: false, + allowDisableEveryoneAccess: true, }, } as ComponentMeta diff --git a/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx b/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx index f94f58bebcab1..e472c50db62fe 100644 --- a/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx +++ b/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx @@ -175,6 +175,7 @@ export interface CreateTemplateFormProps { logs?: ProvisionerJobLog[] allowAdvancedScheduling: boolean copiedTemplate?: Template + allowDisableEveryoneAccess: boolean } export const CreateTemplateForm: FC = ({ @@ -189,6 +190,7 @@ export const CreateTemplateForm: FC = ({ jobError, logs, allowAdvancedScheduling, + allowDisableEveryoneAccess, }) => { const styles = useStyles() const form = useFormik({ @@ -425,7 +427,7 @@ export const CreateTemplateForm: FC = ({ diff --git a/site/src/pages/CreateTemplatePage/CreateTemplatePage.tsx b/site/src/pages/CreateTemplatePage/CreateTemplatePage.tsx index 7632d0b385047..b22b6e72fefe7 100644 --- a/site/src/pages/CreateTemplatePage/CreateTemplatePage.tsx +++ b/site/src/pages/CreateTemplatePage/CreateTemplatePage.tsx @@ -39,6 +39,10 @@ const CreateTemplatePage: FC = () => { const { entitlements } = useDashboard() const allowAdvancedScheduling = entitlements.features["advanced_template_scheduling"].enabled + // Requires the template RBAC feature, otherwise disabling everyone access + // means no one can access. + const allowDisableEveryoneAccess = + entitlements.features["template_rbac"].enabled const onCancel = () => { navigate(-1) @@ -64,6 +68,7 @@ const CreateTemplatePage: FC = () => { Date: Mon, 12 Jun 2023 13:37:22 -0500 Subject: [PATCH 05/13] Fix wording --- site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx b/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx index e472c50db62fe..7a03a39385cce 100644 --- a/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx +++ b/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx @@ -440,7 +440,7 @@ export const CreateTemplateForm: FC = ({ className={styles.optionText} > - Allow the 'everyone' group read 'user' + Allow the 'everyone' group 'use' access to the template From 91b015b7cde24018eab821ecb9f0044d581010d7 Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Mon, 12 Jun 2023 13:44:04 -0500 Subject: [PATCH 06/13] Wording --- site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx b/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx index 7a03a39385cce..3c82e229fb7ff 100644 --- a/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx +++ b/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx @@ -439,10 +439,7 @@ export const CreateTemplateForm: FC = ({ spacing={0.5} className={styles.optionText} > - - Allow the 'everyone' group 'use' - access to the template - + Allow the everyone to use the template From e1bfab9b4fd3a8a9d70110175d8fa692a871f3eb Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Mon, 12 Jun 2023 18:45:33 +0000 Subject: [PATCH 07/13] Update golden files --- cli/testdata/coder_templates_create_--help.golden | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/cli/testdata/coder_templates_create_--help.golden b/cli/testdata/coder_templates_create_--help.golden index 4695d5dbfe6bb..0e101b79eff25 100644 --- a/cli/testdata/coder_templates_create_--help.golden +++ b/cli/testdata/coder_templates_create_--help.golden 
@@ -9,6 +9,11 @@ Create a template from the current directory or as specified by flag -d, --directory string (default: .) Specify the directory to create from, use '-' to read tar from stdin. + --disable-everyone bool + Disable the default behavior of granting template access to the + 'everyone' group. The template permissions must be updated to allow + non-admin users to use this template. + --failure-ttl duration (default: 0h) Specify a failure TTL for workspaces created from this template. This licensed feature's default is 0h (off). From a0578f33c237f9fe111fe4ee277f74095fea95a7 Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Mon, 12 Jun 2023 14:00:51 -0500 Subject: [PATCH 08/13] remove debug code --- coderd/templates_test.go | 1 - 1 file changed, 1 deletion(-) diff --git a/coderd/templates_test.go b/coderd/templates_test.go index a4da6768d8a8c..fbfdfd6786c3b 100644 --- a/coderd/templates_test.go +++ b/coderd/templates_test.go @@ -66,7 +66,6 @@ func TestPostTemplateByOrganization(t *testing.T) { assert.Equal(t, expected.Name, got.Name) assert.Equal(t, expected.Description, got.Description) - x := auditor.AuditLogs() require.Len(t, auditor.AuditLogs(), 3) assert.Equal(t, database.AuditActionCreate, auditor.AuditLogs()[0].Action) assert.Equal(t, database.AuditActionWrite, auditor.AuditLogs()[1].Action) From 911018f4f964184bd92dabf1bda352f784cb3016 Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Tue, 13 Jun 2023 09:48:06 -0500 Subject: [PATCH 09/13] Change wording from PR suggestion --- cli/templatecreate.go | 2 +- site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/cli/templatecreate.go b/cli/templatecreate.go index 0625760864afe..eb23b10fdb30f 100644 --- a/cli/templatecreate.go +++ b/cli/templatecreate.go 
@@ -147,7 +147,7 @@ func (r *RootCmd) templateCreate() *clibase.Cmd { } cmd.Options = clibase.OptionSet{ { - Flag: "disable-everyone", + Flag: "private", Description: "Disable the default behavior of granting template access to the 'everyone' group. " + "The template permissions must be updated to allow non-admin users to use this template.", Value: clibase.BoolOf(&disableEveryone), diff --git a/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx b/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx index 3c82e229fb7ff..e530a61a38709 100644 --- a/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx +++ b/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx @@ -382,9 +382,9 @@ export const CreateTemplateForm: FC = ({ - {/* Operations */} + {/* Permissions */} From 7359db2ab4241a1fffa964a304c1b18cbd98c4ef Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Tue, 13 Jun 2023 14:06:17 -0500 Subject: [PATCH 10/13] Update golden files --- cli/testdata/coder_templates_create_--help.golden | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/cli/testdata/coder_templates_create_--help.golden b/cli/testdata/coder_templates_create_--help.golden index 0e101b79eff25..cf6e5c9e3a40b 100644 --- a/cli/testdata/coder_templates_create_--help.golden +++ b/cli/testdata/coder_templates_create_--help.golden @@ -9,11 +9,6 @@ Create a template from the current directory or as specified by flag -d, --directory string (default: .) Specify the directory to create from, use '-' to read tar from stdin. - --disable-everyone bool - Disable the default behavior of granting template access to the - 'everyone' group. The template permissions must be updated to allow - non-admin users to use this template. - --failure-ttl duration (default: 0h) Specify a failure TTL for workspaces created from this template. This licensed feature's default is 0h (off). 
@@ -22,6 +17,11 @@ Create a template from the current directory or as specified by flag Specify an inactivity TTL for workspaces created from this template. This licensed feature's default is 0h (off). + --private bool + Disable the default behavior of granting template access to the + 'everyone' group. The template permissions must be updated to allow + non-admin users to use this template. + --provisioner-tag string-array Specify a set of tags to target provisioner daemons. From 678171f4b6d175f477ccbc7dfe05168fefd7f199 Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Tue, 13 Jun 2023 19:10:09 +0000 Subject: [PATCH 11/13] update golden files --- docs/cli/templates_create.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/cli/templates_create.md b/docs/cli/templates_create.md index f5f8c3a56bd2f..123bd0bed9205 100644 --- a/docs/cli/templates_create.md +++ b/docs/cli/templates_create.md @@ -30,14 +30,6 @@ Specify a default TTL for workspaces created from this template. Specify the directory to create from, use '-' to read tar from stdin. -### --disable-everyone - -| | | -| ---- | ----------------- | -| Type | bool | - -Disable the default behavior of granting template access to the 'everyone' group. The template permissions must be updated to allow non-admin users to use this template. - ### --failure-ttl | | | @@ -56,6 +48,14 @@ Specify a failure TTL for workspaces created from this template. This licensed f Specify an inactivity TTL for workspaces created from this template. This licensed feature's default is 0h (off). +### --private + +| | | +| ---- | ----------------- | +| Type | bool | + +Disable the default behavior of granting template access to the 'everyone' group. The template permissions must be updated to allow non-admin users to use this template. + ### --provisioner-tag | | | From 62c0d82d7b103d4ed8f4af523cf7615ed4f2f7f4 Mon Sep 17 00:00:00 2001 
From: Steven Masley Date: Wed, 14 Jun 2023 09:26:37 -0500 Subject: [PATCH 12/13] Update site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx Co-authored-by: Dean Sheather --- site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx b/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx index e530a61a38709..cfc2d03f2891a 100644 --- a/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx +++ b/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx @@ -439,7 +439,7 @@ export const CreateTemplateForm: FC = ({ spacing={0.5} className={styles.optionText} > - Allow the everyone to use the template + Allow everyone to use the template From 340b8b208541ca326d88dffcf043ff9c7a1e058c Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Wed, 14 Jun 2023 09:28:33 -0500 Subject: [PATCH 13/13] Drop some wording --- site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx b/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx index cfc2d03f2891a..4b833164472a3 100644 --- a/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx +++ b/site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx @@ -459,8 +459,7 @@ export const CreateTemplateForm: FC = ({ 'Template RBAC' {" "} - feature to customize permissions. Without this license, - unchecking this box prevents template usage by non-admins. + feature to customize permissions.