
Commit ea65ddc

authored
fix: correct user roles being passed into terraform context (coder#17460)
Roles were being passed into the workspace context incorrectly: site-wide roles were being given the provisioner's organization scope, and roles from other organizations were also being sent when they should not be.
1 parent 90eacc1 commit ea65ddc


2 files changed

+42
-8
lines changed


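--- a/coderd/provisionerdserver/provisionerdserver.go
+++ b/coderd/provisionerdserver/provisionerdserver.go
@@ -595,17 +595,24 @@ func (s *server) acquireProtoJob(ctx context.Context, job database.ProvisionerJo
 		})
 	}
 
-	roles, err := s.Database.GetAuthorizationUserRoles(ctx, owner.ID)
+	allUserRoles, err := s.Database.GetAuthorizationUserRoles(ctx, owner.ID)
 	if err != nil {
 		return nil, failJob(fmt.Sprintf("get owner authorization roles: %s", err))
 	}
 	ownerRbacRoles := []*sdkproto.Role{}
-	for _, role := range roles.Roles {
-		if s.OrganizationID == uuid.Nil {
-			ownerRbacRoles = append(ownerRbacRoles, &sdkproto.Role{Name: role, OrgId: ""})
-			continue
+	roles, err := allUserRoles.RoleNames()
+	if err == nil {
+		for _, role := range roles {
+			if role.OrganizationID != uuid.Nil && role.OrganizationID != s.OrganizationID {
+				continue // Only include site wide and org specific roles
+			}
+
+			orgID := role.OrganizationID.String()
+			if role.OrganizationID == uuid.Nil {
+				orgID = ""
+			}
+			ownerRbacRoles = append(ownerRbacRoles, &sdkproto.Role{Name: role.Name, OrgId: orgID})
 		}
-		ownerRbacRoles = append(ownerRbacRoles, &sdkproto.Role{Name: role, OrgId: s.OrganizationID.String()})
 	}
 
 	protoJob.Type = &proto.AcquiredJob_WorkspaceBuild_{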

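--- a/coderd/provisionerdserver/provisionerdserver_test.go
+++ b/coderd/provisionerdserver/provisionerdserver_test.go
@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"io"
 	"net/url"
+	"slices"
 	"strconv"
 	"strings"
 	"sync"
@@ -22,6 +23,7 @@ import (
 	"storj.io/drpc"
 
 	"cdr.dev/slog/sloggers/slogtest"
+	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/quartz"
 	"github.com/coder/serpent"
 
@@ -203,6 +205,20 @@ func TestAcquireJob(t *testing.T) {
 			GroupID: group1.ID,
 		})
 		require.NoError(t, err)
+		dbgen.OrganizationMember(t, db, database.OrganizationMember{
+			UserID: user.ID,
+			OrganizationID: pd.OrganizationID,
+			Roles: []string{rbac.RoleOrgAuditor()},
+		})
+
+		// Add extra erronous roles
+		secondOrg := dbgen.Organization(t, db, database.Organization{})
+		dbgen.OrganizationMember(t, db, database.OrganizationMember{
+			UserID: user.ID,
+			OrganizationID: secondOrg.ID,
+			Roles: []string{rbac.RoleOrgAuditor()},
+		})
+
 		link := dbgen.UserLink(t, db, database.UserLink{
 			LoginType: database.LoginTypeOIDC,
 			UserID: user.ID,
@@ -350,7 +366,7 @@ func TestAcquireJob(t *testing.T) {
 			WorkspaceOwnerEmail: user.Email,
 			WorkspaceOwnerName: user.Name,
 			WorkspaceOwnerOidcAccessToken: link.OAuthAccessToken,
-			WorkspaceOwnerGroups: []string{group1.Name},
+			WorkspaceOwnerGroups: []string{"Everyone", group1.Name},
 			WorkspaceId: workspace.ID.String(),
 			WorkspaceOwnerId: user.ID.String(),
 			TemplateId: template.ID.String(),
@@ -361,11 +377,15 @@ func TestAcquireJob(t *testing.T) {
 			WorkspaceOwnerSshPrivateKey: sshKey.PrivateKey,
 			WorkspaceBuildId: build.ID.String(),
 			WorkspaceOwnerLoginType: string(user.LoginType),
-			WorkspaceOwnerRbacRoles: []*sdkproto.Role{{Name: "member", OrgId: pd.OrganizationID.String()}},
+			WorkspaceOwnerRbacRoles: []*sdkproto.Role{{Name: rbac.RoleOrgMember(), OrgId: pd.OrganizationID.String()}, {Name: "member", OrgId: ""}, {Name: rbac.RoleOrgAuditor(), OrgId: pd.OrganizationID.String()}},
 		}
 		if prebuiltWorkspace {
 			wantedMetadata.IsPrebuild = true
 		}
+
+		slices.SortFunc(wantedMetadata.WorkspaceOwnerRbacRoles, func(a, b *sdkproto.Role) int {
+			return strings.Compare(a.Name+a.OrgId, b.Name+b.OrgId)
+		})
 		want, err := json.Marshal(&proto.AcquiredJob_WorkspaceBuild_{
 			WorkspaceBuild: &proto.AcquiredJob_WorkspaceBuild{
 				WorkspaceBuildId: build.ID.String(),
@@ -467,6 +487,13 @@ func TestAcquireJob(t *testing.T) {
 		job, err := tc.acquire(ctx, srv)
 		require.NoError(t, err)
 
+		// sort
+		if wk, ok := job.Type.(*proto.AcquiredJob_WorkspaceBuild_); ok {
+			slices.SortFunc(wk.WorkspaceBuild.Metadata.WorkspaceOwnerRbacRoles, func(a, b *sdkproto.Role) int {
+				return strings.Compare(a.Name+a.OrgId, b.Name+b.OrgId)
+			})
+		}
+
 		got, err := json.Marshal(job.Type)
 		require.NoError(t, err)
 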