chore: remove read all provisioners from users (coder#14801)

Emyrk · web-flow · commit 9ef9044d9c7e · 2024-09-25T15:38:58.000-05:00
* chore: remove read all provisioners from users

Reading provisioner daemons now extends from org member,
not site wide member.

* update rbac perm test
* add unit test
diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go
@@ -274,8 +274,6 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 		DisplayName: "Member",
 		Site: Permissions(map[string][]policy.Action{
 			ResourceAssignRole.Type: {policy.ActionRead},
-			// All users can see the provisioner daemons.
-			ResourceProvisionerDaemon.Type: {policy.ActionRead},
 			// All users can see OAuth2 provider applications.
 			ResourceOauth2App.Type:      {policy.ActionRead},
 			ResourceWorkspaceProxy.Type: {policy.ActionRead},
@@ -414,18 +412,15 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 				DisplayName: "",
 				Site:        []Permission{},
 				Org: map[string][]Permission{
-					organizationID.String(): {
-						{
-							// All org members can read the organization
-							ResourceType: ResourceOrganization.Type,
-							Action:       policy.ActionRead,
-						},
-						{
-							// Can read available roles.
-							ResourceType: ResourceAssignOrgRole.Type,
-							Action:       policy.ActionRead,
-						},
-					},
+					organizationID.String(): Permissions(map[string][]policy.Action{
+						// All users can see the provisioner daemons for workspace
+						// creation.
+						ResourceProvisionerDaemon.Type: {policy.ActionRead},
+						// All org members can read the organization
+						ResourceOrganization.Type: {policy.ActionRead},
+						// Can read available roles.
+						ResourceAssignOrgRole.Type: {policy.ActionRead},
+					}),
 				},
 				User: []Permission{
 					{
diff --git a/coderd/rbac/roles_test.go b/coderd/rbac/roles_test.go
@@ -531,9 +531,8 @@ func TestRolePermissions(t *testing.T) {
 			Actions:  []policy.Action{policy.ActionRead},
 			Resource: rbac.ResourceProvisionerDaemon.InOrg(orgID),
 			AuthorizeMap: map[bool][]hasAuthSubjects{
-				// This should be fixed when multi-org goes live
-				true:  {setOtherOrg, owner, templateAdmin, setOrgNotMe, memberMe, orgMemberMe, userAdmin},
-				false: {},
+				true:  {owner, templateAdmin, setOrgNotMe, orgMemberMe},
+				false: {setOtherOrg, memberMe, userAdmin},
 			},
 		},
 		{
diff --git a/enterprise/coderd/provisionerdaemons_test.go b/enterprise/coderd/provisionerdaemons_test.go
@@ -739,7 +739,7 @@ func TestGetProvisionerDaemons(t *testing.T) {
 		t.Parallel()
 		dv := coderdtest.DeploymentValues(t)
 		dv.Experiments = []string{string(codersdk.ExperimentMultiOrganization)}
-		client, _ := coderdenttest.New(t, &coderdenttest.Options{
+		client, first := coderdenttest.New(t, &coderdenttest.Options{
 			Options: &coderdtest.Options{
 				DeploymentValues: dv,
 			},
@@ -753,6 +753,7 @@ func TestGetProvisionerDaemons(t *testing.T) {
 		})
 		org := coderdenttest.CreateOrganization(t, client, coderdenttest.CreateOrganizationOptions{})
 		orgAdmin, _ := coderdtest.CreateAnotherUser(t, client, org.ID, rbac.ScopedRoleOrgAdmin(org.ID))
+		outsideOrg, _ := coderdtest.CreateAnotherUser(t, client, first.OrganizationID)
 
 		res, err := orgAdmin.CreateProvisionerKey(context.Background(), org.ID, codersdk.CreateProvisionerKeyRequest{
 			Name: "my-key",
@@ -800,5 +801,9 @@ func TestGetProvisionerDaemons(t *testing.T) {
 		assert.Equal(t, buildinfo.Version(), pkDaemons[0].Daemons[0].Version)
 		assert.Equal(t, proto.CurrentVersion.String(), pkDaemons[0].Daemons[0].APIVersion)
 		assert.Equal(t, keys[0].ID, pkDaemons[0].Daemons[0].KeyID)
+
+		// Verify user outside the org cannot read the provisioners
+		_, err = outsideOrg.ListProvisionerKeyDaemons(ctx, org.ID)
+		require.Error(t, err)
 	})
 }
