feat: Allow admins to access member workspace terminals (#2114)

AbhineetJain · web-flow · commit 953e8c8fe633 · 2022-06-10T10:46:48.000-04:00
* allow workspace update permissions to access agents

* do not show app links to users without workspace update access

* address CR comments

* initialize machine context in the hook

* revert scoped connected status check
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -292,6 +292,7 @@ func New(options *Options) *API {
 				r.Use(
 					apiKeyMiddleware,
 					httpmw.ExtractWorkspaceAgentParam(options.Database),
+					httpmw.ExtractWorkspaceParam(options.Database),
 				)
 				r.Get("/", api.workspaceAgent)
 				r.Get("/dial", api.workspaceAgentDial)
diff --git a/coderd/coderd_test.go b/coderd/coderd_test.go
@@ -153,10 +153,7 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 		"GET:/api/v2/workspaceagents/me/listen":                   {NoAuthorize: true},
 		"GET:/api/v2/workspaceagents/me/metadata":                 {NoAuthorize: true},
 		"GET:/api/v2/workspaceagents/me/turn":                     {NoAuthorize: true},
-		"GET:/api/v2/workspaceagents/{workspaceagent}":            {NoAuthorize: true},
-		"GET:/api/v2/workspaceagents/{workspaceagent}/dial":       {NoAuthorize: true},
 		"GET:/api/v2/workspaceagents/{workspaceagent}/iceservers": {NoAuthorize: true},
-		"GET:/api/v2/workspaceagents/{workspaceagent}/pty":        {NoAuthorize: true},
 		"GET:/api/v2/workspaceagents/{workspaceagent}/turn":       {NoAuthorize: true},
 
 		// These endpoints have more assertions. This is good, add more endpoints to assert if you can!
@@ -210,6 +207,18 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 			AssertAction: rbac.ActionRead,
 			AssertObject: workspaceRBACObj,
 		},
+		"GET:/api/v2/workspaceagents/{workspaceagent}": {
+			AssertAction: rbac.ActionRead,
+			AssertObject: workspaceRBACObj,
+		},
+		"GET:/api/v2/workspaceagents/{workspaceagent}/dial": {
+			AssertAction: rbac.ActionUpdate,
+			AssertObject: workspaceRBACObj,
+		},
+		"GET:/api/v2/workspaceagents/{workspaceagent}/pty": {
+			AssertAction: rbac.ActionUpdate,
+			AssertObject: workspaceRBACObj,
+		},
 		"GET:/api/v2/workspaces/": {
 			StatusCode:   http.StatusOK,
 			AssertAction: rbac.ActionRead,
@@ -378,6 +387,7 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 			route = strings.ReplaceAll(route, "{workspacebuild}", workspace.LatestBuild.ID.String())
 			route = strings.ReplaceAll(route, "{workspacename}", workspace.Name)
 			route = strings.ReplaceAll(route, "{workspacebuildname}", workspace.LatestBuild.Name)
+			route = strings.ReplaceAll(route, "{workspaceagent}", workspaceResources[0].Agents[0].ID.String())
 			route = strings.ReplaceAll(route, "{template}", template.ID.String())
 			route = strings.ReplaceAll(route, "{hash}", file.Hash)
 			route = strings.ReplaceAll(route, "{workspaceresource}", workspaceResources[0].ID.String())
diff --git a/coderd/httpmw/apikey.go b/coderd/httpmw/apikey.go
@@ -37,11 +37,11 @@ type userRolesKey struct{}
 // AuthorizationUserRoles returns the roles used for authorization.
 // Comes from the ExtractAPIKey handler.
 func AuthorizationUserRoles(r *http.Request) database.GetAuthorizationUserRolesRow {
-	apiKey, ok := r.Context().Value(userRolesKey{}).(database.GetAuthorizationUserRolesRow)
+	userRoles, ok := r.Context().Value(userRolesKey{}).(database.GetAuthorizationUserRolesRow)
 	if !ok {
 		panic("developer error: user roles middleware not provided")
 	}
-	return apiKey
+	return userRoles
 }
 
 // OAuth2Configs is a collection of configurations for OAuth-based authentication.
diff --git a/coderd/httpmw/workspaceagentparam.go b/coderd/httpmw/workspaceagentparam.go
@@ -6,6 +6,8 @@ import (
 	"errors"
 	"net/http"
 
+	"github.com/go-chi/chi/v5"
+
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/httpapi"
 )
@@ -74,24 +76,9 @@ func ExtractWorkspaceAgentParam(db database.Store) func(http.Handler) http.Handl
 				})
 				return
 			}
-			workspace, err := db.GetWorkspaceByID(r.Context(), build.WorkspaceID)
-			if err != nil {
-				httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
-					Message: "Internal error fetching workspace.",
-					Detail:  err.Error(),
-				})
-				return
-			}
-
-			apiKey := APIKey(r)
-			if apiKey.UserID != workspace.OwnerID {
-				httpapi.Write(rw, http.StatusUnauthorized, httpapi.Response{
-					Message: "Getting non-personal agents isn't supported.",
-				})
-				return
-			}
 
 			ctx := context.WithValue(r.Context(), workspaceAgentParamContextKey{}, agent)
+			chi.RouteContext(ctx).URLParams.Add("workspace", build.WorkspaceID.String())
 			next.ServeHTTP(rw, r.WithContext(ctx))
 		})
 	}
diff --git a/coderd/workspaceagents.go b/coderd/workspaceagents.go
@@ -21,6 +21,7 @@ import (
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/httpapi"
 	"github.com/coder/coder/coderd/httpmw"
+	"github.com/coder/coder/coderd/rbac"
 	"github.com/coder/coder/coderd/turnconn"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/peer"
@@ -31,6 +32,10 @@ import (
 
 func (api *API) workspaceAgent(rw http.ResponseWriter, r *http.Request) {
 	workspaceAgent := httpmw.WorkspaceAgentParam(r)
+	workspace := httpmw.WorkspaceParam(r)
+	if !api.Authorize(rw, r, rbac.ActionRead, workspace) {
+		return
+	}
 	dbApps, err := api.Database.GetWorkspaceAppsByAgentID(r.Context(), workspaceAgent.ID)
 	if err != nil && !xerrors.Is(err, sql.ErrNoRows) {
 		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
@@ -58,6 +63,10 @@ func (api *API) workspaceAgentDial(rw http.ResponseWriter, r *http.Request) {
 	defer api.websocketWaitGroup.Done()
 
 	workspaceAgent := httpmw.WorkspaceAgentParam(r)
+	workspace := httpmw.WorkspaceParam(r)
+	if !api.Authorize(rw, r, rbac.ActionUpdate, workspace) {
+		return
+	}
 	apiAgent, err := convertWorkspaceAgent(workspaceAgent, nil, api.AgentConnectionUpdateFrequency)
 	if err != nil {
 		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
@@ -369,6 +378,10 @@ func (api *API) workspaceAgentPTY(rw http.ResponseWriter, r *http.Request) {
 	defer api.websocketWaitGroup.Done()
 
 	workspaceAgent := httpmw.WorkspaceAgentParam(r)
+	workspace := httpmw.WorkspaceParam(r)
+	if !api.Authorize(rw, r, rbac.ActionUpdate, workspace) {
+		return
+	}
 	apiAgent, err := convertWorkspaceAgent(workspaceAgent, nil, api.AgentConnectionUpdateFrequency)
 	if err != nil {
 		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
diff --git a/site/src/components/Resources/Resources.tsx b/site/src/components/Resources/Resources.tsx
@@ -63,9 +63,10 @@ interface ResourcesProps {
   resources?: WorkspaceResource[]
   getResourcesError?: Error
   workspace: Workspace
+  canUpdateWorkspace: boolean
 }
 
-export const Resources: FC<ResourcesProps> = ({ resources, getResourcesError, workspace }) => {
+export const Resources: FC<ResourcesProps> = ({ resources, getResourcesError, workspace, canUpdateWorkspace }) => {
   const styles = useStyles()
   const theme: Theme = useTheme()
 
@@ -89,7 +90,7 @@ export const Resources: FC<ResourcesProps> = ({ resources, getResourcesError, wo
                   <AgentHelpTooltip />
                 </Stack>
               </TableCell>
-              <TableCell>{Language.accessLabel}</TableCell>
+              {canUpdateWorkspace && <TableCell>{Language.accessLabel}</TableCell>}
               <TableCell>{Language.statusLabel}</TableCell>
             </TableHeaderRow>
           </TableHead>
@@ -130,28 +131,30 @@ export const Resources: FC<ResourcesProps> = ({ resources, getResourcesError, wo
                       {agent.name}
                       <span className={styles.operatingSystem}>{agent.operating_system}</span>
                     </TableCell>
-                    <TableCell>
-                      <Stack>
-                        {agent.status === "connected" && (
-                          <TerminalLink
-                            className={styles.accessLink}
-                            workspaceName={workspace.name}
-                            agentName={agent.name}
-                            userName={workspace.owner_name}
-                          />
-                        )}
-                        {agent.status === "connected" &&
-                          agent.apps.map((app) => (
-                            <AppLink
-                              key={app.name}
-                              appIcon={app.icon}
-                              appName={app.name}
-                              userName={workspace.owner_name}
+                    {canUpdateWorkspace && (
+                      <TableCell>
+                        <Stack>
+                          {agent.status === "connected" && (
+                            <TerminalLink
+                              className={styles.accessLink}
                               workspaceName={workspace.name}
+                              agentName={agent.name}
+                              userName={workspace.owner_name}
                             />
-                          ))}
-                      </Stack>
-                    </TableCell>
+                          )}
+                          {agent.status === "connected" &&
+                            agent.apps.map((app) => (
+                              <AppLink
+                                key={app.name}
+                                appIcon={app.icon}
+                                appName={app.name}
+                                userName={workspace.owner_name}
+                                workspaceName={workspace.name}
+                              />
+                            ))}
+                        </Stack>
+                      </TableCell>
+                    )}
                     <TableCell>
                       <span style={{ color: getDisplayAgentStatus(theme, agent).color }}>
                         {getDisplayAgentStatus(theme, agent).status}
diff --git a/site/src/components/Workspace/Workspace.stories.tsx b/site/src/components/Workspace/Workspace.stories.tsx
@@ -22,6 +22,13 @@ Started.args = {
   handleStop: action("stop"),
   resources: [Mocks.MockWorkspaceResource, Mocks.MockWorkspaceResource2],
   builds: [Mocks.MockWorkspaceBuild],
+  canUpdateWorkspace: true,
+}
+
+export const WithoutUpdateAccess = Template.bind({})
+WithoutUpdateAccess.args = {
+  ...Started.args,
+  canUpdateWorkspace: false,
 }
 
 export const Starting = Template.bind({})
diff --git a/site/src/components/Workspace/Workspace.tsx b/site/src/components/Workspace/Workspace.tsx
@@ -28,6 +28,7 @@ export interface WorkspaceProps {
   resources?: TypesGen.WorkspaceResource[]
   getResourcesError?: Error
   builds?: TypesGen.WorkspaceBuild[]
+  canUpdateWorkspace: boolean
 }
 
 /**
@@ -44,6 +45,7 @@ export const Workspace: FC<WorkspaceProps> = ({
   resources,
   getResourcesError,
   builds,
+  canUpdateWorkspace,
 }) => {
   const styles = useStyles()
   const navigate = useNavigate()
@@ -80,7 +82,12 @@ export const Workspace: FC<WorkspaceProps> = ({
           <WorkspaceStats workspace={workspace} />
 
           {!!resources && !!resources.length && (
-            <Resources resources={resources} getResourcesError={getResourcesError} workspace={workspace} />
+            <Resources
+              resources={resources}
+              getResourcesError={getResourcesError}
+              workspace={workspace}
+              canUpdateWorkspace={canUpdateWorkspace}
+            />
           )}
 
           <WorkspaceSection title="Timeline" contentsProps={{ className: styles.timelineContents }}>
diff --git a/site/src/pages/WorkspacePage/WorkspacePage.tsx b/site/src/pages/WorkspacePage/WorkspacePage.tsx
@@ -1,5 +1,5 @@
-import { useMachine } from "@xstate/react"
-import React, { useEffect } from "react"
+import { useMachine, useSelector } from "@xstate/react"
+import React, { useContext, useEffect } from "react"
 import { Helmet } from "react-helmet"
 import { useParams } from "react-router-dom"
 import { DeleteWorkspaceDialog } from "../../components/DeleteWorkspaceDialog/DeleteWorkspaceDialog"
@@ -8,6 +8,8 @@ import { FullScreenLoader } from "../../components/Loader/FullScreenLoader"
 import { Workspace } from "../../components/Workspace/Workspace"
 import { firstOrItem } from "../../util/array"
 import { pageTitle } from "../../util/page"
+import { selectUser } from "../../xServices/auth/authSelectors"
+import { XServiceContext } from "../../xServices/StateContext"
 import { workspaceMachine } from "../../xServices/workspace/workspaceXService"
 import { workspaceScheduleBannerMachine } from "../../xServices/workspaceSchedule/workspaceScheduleBannerXService"
 
@@ -16,8 +18,17 @@ export const WorkspacePage: React.FC = () => {
   const username = firstOrItem(usernameQueryParam, null)
   const workspaceName = firstOrItem(workspaceQueryParam, null)
 
-  const [workspaceState, workspaceSend] = useMachine(workspaceMachine)
-  const { workspace, resources, getWorkspaceError, getResourcesError, builds } = workspaceState.context
+  const xServices = useContext(XServiceContext)
+  const me = useSelector(xServices.authXService, selectUser)
+
+  const [workspaceState, workspaceSend] = useMachine(workspaceMachine, {
+    context: {
+      userId: me?.id,
+    },
+  })
+  const { workspace, resources, getWorkspaceError, getResourcesError, builds, permissions } = workspaceState.context
+
+  const canUpdateWorkspace = !!permissions?.updateWorkspace
 
   const [bannerState, bannerSend] = useMachine(workspaceScheduleBannerMachine)
 
@@ -56,6 +67,7 @@ export const WorkspacePage: React.FC = () => {
           resources={resources}
           getResourcesError={getResourcesError instanceof Error ? getResourcesError : undefined}
           builds={builds}
+          canUpdateWorkspace={canUpdateWorkspace}
         />
         <DeleteWorkspaceDialog
           isOpen={workspaceState.matches({ ready: { build: "askingDelete" } })}
diff --git a/site/src/xServices/auth/authSelectors.ts b/site/src/xServices/auth/authSelectors.ts
@@ -10,3 +10,7 @@ export const selectOrgId = (state: AuthState): string | undefined => {
 export const selectPermissions = (state: AuthState): AuthContext["permissions"] => {
   return state.context.permissions
 }
+
+export const selectUser = (state: AuthState): AuthContext["me"] => {
+  return state.context.me
+}
diff --git a/site/src/xServices/workspace/workspaceXService.ts b/site/src/xServices/workspace/workspaceXService.ts

Original file line number	Diff line number	Diff line change
`@@ -292,6 +292,7 @@ func New(options Options) API {`
`292`	`292`	`r.Use(`
`293`	`293`	`apiKeyMiddleware,`
`294`	`294`	`httpmw.ExtractWorkspaceAgentParam(options.Database),`
	`295`	`+ httpmw.ExtractWorkspaceParam(options.Database),`
`295`	`296`	`)`
`296`	`297`	`r.Get("/", api.workspaceAgent)`
`297`	`298`	`r.Get("/dial", api.workspaceAgentDial)`
Original file line number	Diff line number	Diff line change
`@@ -37,11 +37,11 @@ type userRolesKey struct{}`
`37`	`37`	`// AuthorizationUserRoles returns the roles used for authorization.`
`38`	`38`	`// Comes from the ExtractAPIKey handler.`
`39`	`39`	`func AuthorizationUserRoles(r *http.Request) database.GetAuthorizationUserRolesRow {`
`40`		`- apiKey, ok := r.Context().Value(userRolesKey{}).(database.GetAuthorizationUserRolesRow)`
	`40`	`+ userRoles, ok := r.Context().Value(userRolesKey{}).(database.GetAuthorizationUserRolesRow)`
`41`	`41`	`if !ok {`
`42`	`42`	`panic("developer error: user roles middleware not provided")`
`43`	`43`	`}`
`44`		`- return apiKey`
	`44`	`+ return userRoles`
`45`	`45`	`}`
`46`	`46`
`47`	`47`	`// OAuth2Configs is a collection of configurations for OAuth-based authentication.`
Original file line number	Diff line number	Diff line change
`@@ -10,3 +10,7 @@ export const selectOrgId = (state: AuthState): string \| undefined => {`
`10`	`10`	`export const selectPermissions = (state: AuthState): AuthContext["permissions"] => {`
`11`	`11`	`return state.context.permissions`
`12`	`12`	`}`
	`13`	`+`
	`14`	`+export const selectUser = (state: AuthState): AuthContext["me"] => {`
	`15`	`+ return state.context.me`
	`16`	`+}`