Skip to content

refactor(coderd): fetch owner information when authorizing workspace agent #9123

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 19 commits into from
Aug 21, 2023
Merged

refactor(coderd): fetch owner information when authorizing workspace agent #9123

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
11c20d6
use dbtestutil in httpmw test, refactor
johnstcn Aug 15, 2023
da03c4b
add new query
johnstcn Aug 15, 2023
317537c
remove old query
johnstcn Aug 15, 2023
8e2430d
alter query
johnstcn Aug 16, 2023
4aa23c6
mockgen
johnstcn Aug 16, 2023
41561b9
rm unused tx in dbfake
johnstcn Aug 16, 2023
0cb0d18
add TODO
johnstcn Aug 17, 2023
e6ce0f5
fix dbfake
johnstcn Aug 18, 2023
b1d4084
return latest workspace build
johnstcn Aug 18, 2023
b64a870
fixup! return latest workspace build
johnstcn Aug 18, 2023
73de552
fix TestWorkspaceAgentListen/FailNonLatestBuild
johnstcn Aug 18, 2023
1218fa4
the bug was inside you all along
johnstcn Aug 18, 2023
8e222e3
linter
johnstcn Aug 18, 2023
e8844ae
Merge remote-tracking branch 'origin/main' into cj/GetWorkspaceAgentA…
johnstcn Aug 21, 2023
06bbda2
address comments in dbfake impl
johnstcn Aug 21, 2023
3e21545
match indentation
johnstcn Aug 21, 2023
3a603fc
reword error
johnstcn Aug 21, 2023
267aa6c
rm unnecessary pubsub close
johnstcn Aug 21, 2023
6e0d3b3
rename misleading argument
johnstcn Aug 21, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
fix dbfake
  • Loading branch information
@johnstcn
johnstcn committed Aug 18, 2023
commit e6ce0f53a8d23c12e48163a370cc94c86e5bf943
104 changes: 37 additions & 67 deletions coderd/database/dbfake/dbfake.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -651,48 +651,6 @@ func (q *FakeQuerier) isEveryoneGroup(id uuid.UUID) bool {
return false
}

func (q *FakeQuerier) GetWorkspaceAgentAndOwnerByAuthToken(ctx context.Context, authToken uuid.UUID) (database.GetWorkspaceAgentAndOwnerByAuthTokenRow, error) {
q.mutex.RLock()
defer q.mutex.RUnlock()
var resp database.GetWorkspaceAgentAndOwnerByAuthTokenRow
var found bool
for _, agt := range q.workspaceAgents {
if agt.AuthToken == authToken {
resp.WorkspaceAgent = agt
found = true
break
}
}
if !found {
return resp, sql.ErrNoRows
}

// get the related workspace and user
for _, res := range q.workspaceResources {
if resp.WorkspaceAgent.ResourceID != res.ID {
continue
}
for _, build := range q.workspaceBuilds {
if build.JobID != res.JobID {
continue
}
for _, ws := range q.workspaces {
if build.WorkspaceID != ws.ID {
continue
}
resp.WorkspaceID = ws.ID
if usr, err := q.getUserByIDNoLock(ws.OwnerID); err == nil {
resp.OwnerID = usr.ID
resp.OwnerRoles = usr.RBACRoles
resp.OwnerName = usr.Username
return resp, nil
}
}
}
}
return database.GetWorkspaceAgentAndOwnerByAuthTokenRow{}, sql.ErrNoRows
}

func (*FakeQuerier) AcquireLock(_ context.Context, _ int64) error {
return xerrors.New("AcquireLock must only be called within a transaction")
}
Expand Down Expand Up @@ -2837,36 +2795,48 @@ func (q *FakeQuerier) GetWorkspaceAgentAndOwnerByAuthToken(_ context.Context, au
q.mutex.RLock()
defer q.mutex.RUnlock()
var resp database.GetWorkspaceAgentAndOwnerByAuthTokenRow
var found bool
AgentLoop:
for _, agt := range q.workspaceAgents {
if agt.AuthToken == authToken {
resp.WorkspaceAgent = agt
found = true
break
}
}
if !found {
return resp, sql.ErrNoRows
}

// get the related workspace and user
for _, res := range q.workspaceResources {
if resp.WorkspaceAgent.ResourceID != res.ID {
continue
}
for _, build := range q.workspaceBuilds {
if build.JobID != res.JobID { // <-- jobID does not match up
continue
if agt.AuthToken != authToken {
continue AgentLoop
}
// get the related workspace and user
ResourceLoop:
for _, res := range q.workspaceResources {
if agt.ResourceID != res.ID {
continue ResourceLoop
}
for _, ws := range q.workspaces {
if build.WorkspaceID != ws.ID {
continue
BuildLoop:
for _, build := range q.workspaceBuilds {
if build.JobID != res.JobID {
continue BuildLoop
}
resp.WorkspaceID = ws.ID
if usr, err := q.getUserByIDNoLock(ws.OwnerID); err == nil {
WorkspaceLoop:
for _, ws := range q.workspaces {
if build.WorkspaceID != ws.ID {
continue WorkspaceLoop
}
resp.WorkspaceID = ws.ID
usr, err := q.getUserByIDNoLock(ws.OwnerID)
if err != nil {
return database.GetWorkspaceAgentAndOwnerByAuthTokenRow{}, sql.ErrNoRows
}
resp.OwnerID = usr.ID
resp.OwnerRoles = usr.RBACRoles
resp.OwnerRoles = append(usr.RBACRoles, "member")
// We also need to get org roles for the user
resp.OwnerName = usr.Username
resp.WorkspaceAgent = agt
for _, mem := range q.organizationMembers {
if mem.UserID == usr.ID {
resp.OwnerRoles = append(resp.OwnerRoles, fmt.Sprintf("organization-member:%s", mem.OrganizationID.String()))
}
}
// And group memberships
for _, groupMem := range q.groupMembers {
if groupMem.UserID == usr.ID {
resp.OwnerGroups = append(resp.OwnerGroups, groupMem.GroupID.String())
}
}
return resp, nil
}
}
Expand Down
6 changes: 4 additions & 2 deletions coderd/database/queries.sql.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 4 additions & 2 deletions coderd/database/queries/workspaceagents.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -229,9 +229,11 @@ FROM users
ON
group_members.user_id = users.id
WHERE
-- TODO: we can add more conditions here, such as:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: out of curiosity, why is it left for later improvement?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would change the existing behaviour; right now we just get the agent by the token without further restrictions.

-- 1) The user must be active
-- 2) The user must not be deleted
-- 3) The workspace must be running
workspace_agents.auth_token = @auth_token
AND
users.status = 'active' -- workspaces that belong to inactive users should not be
GROUP BY
workspace_agents.id, workspaces.id, users.id, organization_members.organization_id
LIMIT 1;