chore: fixup quotas to only include groups you are a member of (coder#14271)

Emyrk · web-flow · commit 83ccdaa75577 · 2024-08-15T13:27:50.000-05:00
* chore: fixup quotas to only include groups you are a member of

Before all everyone groups were included in the allowance.

* chore: add unit test to execercise the bug
* add unit test to add rows into the everyone group
diff --git a/coderd/database/dbmem/dbmem.go b/coderd/database/dbmem/dbmem.go
@@ -3318,20 +3318,34 @@ func (q *FakeQuerier) GetQuotaAllowanceForUser(_ context.Context, userID uuid.UU
 		if member.UserID != userID {
 			continue
 		}
+		if _, err := q.getOrganizationByIDNoLock(member.GroupID); err == nil {
+			// This should never happen, but it has been reported in customer deployments.
+			// The SQL handles this case, and omits `group_members` rows in the
+			// Everyone group. It counts these distinctly via `organization_members` table.
+			continue
+		}
 		for _, group := range q.groups {
 			if group.ID == member.GroupID {
 				sum += int64(group.QuotaAllowance)
 				continue
 			}
 		}
 	}
-	// Grab the quota for the Everyone group.
-	for _, group := range q.groups {
-		if group.ID == group.OrganizationID {
-			sum += int64(group.QuotaAllowance)
-			break
+
+	// Grab the quota for the Everyone group iff the user is a member of
+	// said organization.
+	for _, mem := range q.organizationMembers {
+		if mem.UserID != userID {
+			continue
 		}
+
+		group, err := q.getGroupByIDNoLock(context.Background(), mem.OrganizationID)
+		if err != nil {
+			return -1, xerrors.Errorf("failed to get everyone group for org %q", mem.OrganizationID.String())
+		}
+		sum += int64(group.QuotaAllowance)
 	}
+
 	return sum, nil
 }
 
diff --git a/coderd/database/querier_test.go b/coderd/database/querier_test.go
@@ -545,6 +545,84 @@ func TestAuditLogDefaultLimit(t *testing.T) {
 	require.Len(t, rows, 100)
 }
 
+func TestWorkspaceQuotas(t *testing.T) {
+	t.Parallel()
+	orgMemberIDs := func(o database.OrganizationMember) uuid.UUID {
+		return o.UserID
+	}
+	groupMemberIDs := func(m database.GroupMember) uuid.UUID {
+		return m.UserID
+	}
+
+	t.Run("CorruptedEveryone", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := testutil.Context(t, testutil.WaitLong)
+
+		db, _ := dbtestutil.NewDB(t)
+		// Create an extra org as a distraction
+		distract := dbgen.Organization(t, db, database.Organization{})
+		_, err := db.InsertAllUsersGroup(ctx, distract.ID)
+		require.NoError(t, err)
+
+		_, err = db.UpdateGroupByID(ctx, database.UpdateGroupByIDParams{
+			QuotaAllowance: 15,
+			ID:             distract.ID,
+		})
+		require.NoError(t, err)
+
+		// Create an org with 2 users
+		org := dbgen.Organization(t, db, database.Organization{})
+
+		everyoneGroup, err := db.InsertAllUsersGroup(ctx, org.ID)
+		require.NoError(t, err)
+
+		// Add a quota to the everyone group
+		_, err = db.UpdateGroupByID(ctx, database.UpdateGroupByIDParams{
+			QuotaAllowance: 50,
+			ID:             everyoneGroup.ID,
+		})
+		require.NoError(t, err)
+
+		// Add people to the org
+		one := dbgen.User(t, db, database.User{})
+		two := dbgen.User(t, db, database.User{})
+		memOne := dbgen.OrganizationMember(t, db, database.OrganizationMember{
+			OrganizationID: org.ID,
+			UserID:         one.ID,
+		})
+		memTwo := dbgen.OrganizationMember(t, db, database.OrganizationMember{
+			OrganizationID: org.ID,
+			UserID:         two.ID,
+		})
+
+		// Fetch the 'Everyone' group members
+		everyoneMembers, err := db.GetGroupMembersByGroupID(ctx, org.ID)
+		require.NoError(t, err)
+
+		require.ElementsMatch(t, db2sdk.List(everyoneMembers, groupMemberIDs),
+			db2sdk.List([]database.OrganizationMember{memOne, memTwo}, orgMemberIDs))
+
+		// Check the quota is correct.
+		allowance, err := db.GetQuotaAllowanceForUser(ctx, one.ID)
+		require.NoError(t, err)
+		require.Equal(t, int64(50), allowance)
+
+		// Now try to corrupt the DB
+		// Insert rows into the everyone group
+		err = db.InsertGroupMember(ctx, database.InsertGroupMemberParams{
+			UserID:  memOne.UserID,
+			GroupID: org.ID,
+		})
+		require.NoError(t, err)
+
+		// Ensure allowance remains the same
+		allowance, err = db.GetQuotaAllowanceForUser(ctx, one.ID)
+		require.NoError(t, err)
+		require.Equal(t, int64(50), allowance)
+	})
+}
+
 // TestReadCustomRoles tests the input params returns the correct set of roles.
 func TestReadCustomRoles(t *testing.T) {
 	t.Parallel()
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
diff --git a/coderd/database/queries/quotas.sql b/coderd/database/queries/quotas.sql
@@ -1,14 +1,15 @@
 -- name: GetQuotaAllowanceForUser :one
 SELECT
-	coalesce(SUM(quota_allowance), 0)::BIGINT
+	coalesce(SUM(groups.quota_allowance), 0)::BIGINT
 FROM
-	groups g
-LEFT JOIN group_members gm ON
-	g.id = gm.group_id
-WHERE
-	user_id = $1
-OR
-    g.id = g.organization_id;
+	(
+		-- Select all groups this user is a member of. This will also include
+		-- the "Everyone" group for organizations the user is a member of.
+		SELECT * FROM group_members_expanded WHERE @user_id = user_id
+	) AS members
+INNER JOIN groups ON
+	members.group_id = groups.id
+;
 
 -- name: GetQuotaConsumedForUser :one
 WITH latest_builds AS (
diff --git a/enterprise/coderd/workspacequota_test.go b/enterprise/coderd/workspacequota_test.go
@@ -233,6 +233,51 @@ func TestWorkspaceQuota(t *testing.T) {
 		verifyQuota(ctx, t, client, 4, 4)
 		require.Equal(t, codersdk.WorkspaceStatusRunning, build.Status)
 	})
+
+	// Ensures allowance from everyone groups only counts if you are an org member.
+	// This was a bug where the group "Everyone" was being counted for all users,
+	// regardless of membership.
+	t.Run("AllowanceEveryone", func(t *testing.T) {
+		t.Parallel()
+
+		dv := coderdtest.DeploymentValues(t)
+		dv.Experiments = []string{string(codersdk.ExperimentMultiOrganization)}
+		owner, first := coderdenttest.New(t, &coderdenttest.Options{
+			Options: &coderdtest.Options{
+				DeploymentValues: dv,
+			},
+			LicenseOptions: &coderdenttest.LicenseOptions{
+				Features: license.Features{
+					codersdk.FeatureTemplateRBAC:          1,
+					codersdk.FeatureMultipleOrganizations: 1,
+				},
+			},
+		})
+		member, _ := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID)
+
+		// Create a second organization
+		second := coderdenttest.CreateOrganization(t, owner, coderdenttest.CreateOrganizationOptions{})
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		// update everyone quotas
+		//nolint:gocritic // using owner for simplicity
+		_, err := owner.PatchGroup(ctx, first.OrganizationID, codersdk.PatchGroupRequest{
+			QuotaAllowance: ptr.Ref(30),
+		})
+		require.NoError(t, err)
+
+		_, err = owner.PatchGroup(ctx, second.ID, codersdk.PatchGroupRequest{
+			QuotaAllowance: ptr.Ref(15),
+		})
+		require.NoError(t, err)
+
+		verifyQuota(ctx, t, member, 0, 30)
+		// This currently reports the total site wide quotas. We might want to
+		// org scope this api call in the future.
+		verifyQuota(ctx, t, owner, 0, 45)
+	})
 }
 
 func planWithCost(cost int32) []*proto.Response {

Original file line number	Diff line number	Diff line change
`@@ -3318,20 +3318,34 @@ func (q *FakeQuerier) GetQuotaAllowanceForUser(_ context.Context, userID uuid.UU`
`3318`	`3318`	`if member.UserID != userID {`
`3319`	`3319`	`continue`
`3320`	`3320`	`}`
	`3321`	`+ if _, err := q.getOrganizationByIDNoLock(member.GroupID); err == nil {`
	`3322`	`+ // This should never happen, but it has been reported in customer deployments.`
	`3323`	+ // The SQL handles this case, and omits `group_members` rows in the
	`3324`	+ // Everyone group. It counts these distinctly via `organization_members` table.
	`3325`	`+ continue`
	`3326`	`+ }`
`3321`	`3327`	`for _, group := range q.groups {`
`3322`	`3328`	`if group.ID == member.GroupID {`
`3323`	`3329`	`sum += int64(group.QuotaAllowance)`
`3324`	`3330`	`continue`
`3325`	`3331`	`}`
`3326`	`3332`	`}`
`3327`	`3333`	`}`
`3328`		`- // Grab the quota for the Everyone group.`
`3329`		`- for _, group := range q.groups {`
`3330`		`- if group.ID == group.OrganizationID {`
`3331`		`- sum += int64(group.QuotaAllowance)`
`3332`		`- break`
	`3334`	`+`
	`3335`	`+ // Grab the quota for the Everyone group iff the user is a member of`
	`3336`	`+ // said organization.`
	`3337`	`+ for _, mem := range q.organizationMembers {`
	`3338`	`+ if mem.UserID != userID {`
	`3339`	`+ continue`
`3333`	`3340`	`}`
	`3341`	`+`
	`3342`	`+ group, err := q.getGroupByIDNoLock(context.Background(), mem.OrganizationID)`
	`3343`	`+ if err != nil {`
	`3344`	`+ return -1, xerrors.Errorf("failed to get everyone group for org %q", mem.OrganizationID.String())`
	`3345`	`+ }`
	`3346`	`+ sum += int64(group.QuotaAllowance)`
`3334`	`3347`	`}`
	`3348`	`+`
`3335`	`3349`	`return sum, nil`
`3336`	`3350`	`}`
`3337`	`3351`