NotificationsYou must be signed in to change notification settings
Fork1.1k
Star11.8k

Commit30e6fbd

authored

fix(coderd): ensure correct RBAC when enqueueing notifications (#15478)

- Assert rbac in fake notifications enqueuer- Move fake notifications enqueuer to separate notificationstest package- Update dbauthz rbac policy to allow provisionerd and autostart to create and read notification messages- Update tests as required

1 parentbb5c3a2 commit30e6fbdCopy full SHA for 30e6fbd

File tree

18 files changed

+323

-242

lines changed

coderd
- autobuild
  - lifecycle_executor_test.go
- coderdtest
  - coderdtest.go
- database/dbauthz
  - dbauthz.go
- notifications
  - notificationstest
    - fake_enqueuer.go
  - reports
    - generator_internal_test.go
- provisionerdserver
  - provisionerdserver_test.go
- templates.go
- templates_test.go
- userauth_test.go
- users.go
- users_test.go
- workspaces.go
- workspaces_test.go
enterprise/coderd
- schedule
  - template.go
  - template_test.go
- scim_test.go
- templates_test.go
testutil
- notifications.go

18 files changed

+323

-242

lines changed

`‎coderd/autobuild/lifecycle_executor_test.go‎`

Lines changed: 24 additions & 21 deletions

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@ import (`
`19`	`19`	`"github.com/coder/coder/v2/coderd/database"`
`20`	`20`	`"github.com/coder/coder/v2/coderd/database/dbauthz"`
`21`	`21`	`"github.com/coder/coder/v2/coderd/notifications"`
	`22`	`+"github.com/coder/coder/v2/coderd/notifications/notificationstest"`
`22`	`23`	`"github.com/coder/coder/v2/coderd/schedule"`
`23`	`24`	`"github.com/coder/coder/v2/coderd/schedule/cron"`
`24`	`25`	`"github.com/coder/coder/v2/coderd/util/ptr"`
`@@ -116,7 +117,7 @@ func TestExecutorAutostartTemplateUpdated(t *testing.T) {`
`116`	`117`	`tickCh=make(chan time.Time)`
`117`	`118`	`statsCh=make(chan autobuild.Stats)`
`118`	`119`	`logger=slogtest.Make(t,&slogtest.Options{IgnoreErrors:!tc.expectStart}).Leveled(slog.LevelDebug)`
`119`		`-enqueuer=testutil.FakeNotificationsEnqueuer{}`
	`120`	`+enqueuer=notificationstest.FakeEnqueuer{}`
`120`	`121`	`client=coderdtest.New(t,&coderdtest.Options{`
`121`	`122`	`AutobuildTicker:tickCh,`
`122`	`123`	`IncludeProvisionerDaemon:true,`
`@@ -202,17 +203,18 @@ func TestExecutorAutostartTemplateUpdated(t *testing.T) {`
`202`	`203`	`}`
`203`	`204`
`204`	`205`	`iftc.expectNotification {`
`205`		`-require.Len(t,enqueuer.Sent,1)`
`206`		`-require.Equal(t,enqueuer.Sent[0].UserID,workspace.OwnerID)`
`207`		`-require.Contains(t,enqueuer.Sent[0].Targets,workspace.TemplateID)`
`208`		`-require.Contains(t,enqueuer.Sent[0].Targets,workspace.ID)`
`209`		`-require.Contains(t,enqueuer.Sent[0].Targets,workspace.OrganizationID)`
`210`		`-require.Contains(t,enqueuer.Sent[0].Targets,workspace.OwnerID)`
`211`		`-require.Equal(t,newVersion.Name,enqueuer.Sent[0].Labels["template_version_name"])`
`212`		`-require.Equal(t,"autobuild",enqueuer.Sent[0].Labels["initiator"])`
`213`		`-require.Equal(t,"autostart",enqueuer.Sent[0].Labels["reason"])`
	`206`	`+sent:=enqueuer.Sent()`
	`207`	`+require.Len(t,sent,1)`
	`208`	`+require.Equal(t,sent[0].UserID,workspace.OwnerID)`
	`209`	`+require.Contains(t,sent[0].Targets,workspace.TemplateID)`
	`210`	`+require.Contains(t,sent[0].Targets,workspace.ID)`
	`211`	`+require.Contains(t,sent[0].Targets,workspace.OrganizationID)`
	`212`	`+require.Contains(t,sent[0].Targets,workspace.OwnerID)`
	`213`	`+require.Equal(t,newVersion.Name,sent[0].Labels["template_version_name"])`
	`214`	`+require.Equal(t,"autobuild",sent[0].Labels["initiator"])`
	`215`	`+require.Equal(t,"autostart",sent[0].Labels["reason"])`
`214`	`216`	`}else {`
`215`		`-require.Len(t,enqueuer.Sent,0)`
	`217`	`+require.Empty(t,enqueuer.Sent())`
`216`	`218`	`}`
`217`	`219`	`})`
`218`	`220`	`}`
`@@ -1073,7 +1075,7 @@ func TestNotifications(t *testing.T) {`
`1073`	`1075`	`var (`
`1074`	`1076`	`ticker=make(chan time.Time)`
`1075`	`1077`	`statCh=make(chan autobuild.Stats)`
`1076`		`-notifyEnq=testutil.FakeNotificationsEnqueuer{}`
	`1078`	`+notifyEnq=notificationstest.FakeEnqueuer{}`
`1077`	`1079`	`timeTilDormant=time.Minute`
`1078`	`1080`	`client=coderdtest.New(t,&coderdtest.Options{`
`1079`	`1081`	`AutobuildTicker:ticker,`
`@@ -1107,6 +1109,7 @@ func TestNotifications(t *testing.T) {`
`1107`	`1109`	`_=coderdtest.AwaitWorkspaceBuildJobCompleted(t,userClient,workspace.LatestBuild.ID)`
`1108`	`1110`
`1109`	`1111`	`// Wait for workspace to become dormant`
	`1112`	`+notifyEnq.Clear()`
`1110`	`1113`	`ticker<-workspace.LastUsedAt.Add(timeTilDormant*3)`
`1111`	`1114`	`_=testutil.RequireRecvCtx(testutil.Context(t,testutil.WaitShort),t,statCh)`
`1112`	`1115`
`@@ -1115,14 +1118,14 @@ func TestNotifications(t *testing.T) {`
`1115`	`1118`	`require.NotNil(t,workspace.DormantAt)`
`1116`	`1119`
`1117`	`1120`	`// Check that a notification was enqueued`
`1118`		`-require.Len(t,notifyEnq.Sent,2)`
`1119`		`-// notifyEnq.Sent[0] is an event for created user account`
`1120`		`-require.Equal(t,notifyEnq.Sent[1].UserID,workspace.OwnerID)`
`1121`		`-require.Equal(t,notifyEnq.Sent[1].TemplateID,notifications.TemplateWorkspaceDormant)`
`1122`		`-require.Contains(t,notifyEnq.Sent[1].Targets,template.ID)`
`1123`		`-require.Contains(t,notifyEnq.Sent[1].Targets,workspace.ID)`
`1124`		`-require.Contains(t,notifyEnq.Sent[1].Targets,workspace.OrganizationID)`
`1125`		`-require.Contains(t,notifyEnq.Sent[1].Targets,workspace.OwnerID)`
	`1121`	`+sent:=notifyEnq.Sent()`
	`1122`	`+require.Len(t,sent,1)`
	`1123`	`+require.Equal(t,sent[0].UserID,workspace.OwnerID)`
	`1124`	`+require.Equal(t,sent[0].TemplateID,notifications.TemplateWorkspaceDormant)`
	`1125`	`+require.Contains(t,sent[0].Targets,template.ID)`
	`1126`	`+require.Contains(t,sent[0].Targets,workspace.ID)`
	`1127`	`+require.Contains(t,sent[0].Targets,workspace.OrganizationID)`
	`1128`	`+require.Contains(t,sent[0].Targets,workspace.OwnerID)`
`1126`	`1129`	`})`
`1127`	`1130`	`}`
`1128`	`1131`
`@@ -1168,7 +1171,7 @@ func mustSchedule(t testing.T, s string) cron.Schedule {`
`1168`	`1171`	`}`
`1169`	`1172`
`1170`	`1173`	`funcmustWorkspaceParameters(ttesting.T,clientcodersdk.Client,workspaceID uuid.UUID) {`
`1171`		`-ctx:=context.Background()`
	`1174`	`+ctx:=testutil.Context(t,testutil.WaitShort)`
`1172`	`1175`	`buildParameters,err:=client.WorkspaceBuildParameters(ctx,workspaceID)`
`1173`	`1176`	`require.NoError(t,err)`
`1174`	`1177`	`require.NotEmpty(t,buildParameters)`

`‎coderd/coderdtest/coderdtest.go‎`

Lines changed: 3 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -66,6 +66,7 @@ import (`
`66`	`66`	`"github.com/coder/coder/v2/coderd/gitsshkey"`
`67`	`67`	`"github.com/coder/coder/v2/coderd/httpmw"`
`68`	`68`	`"github.com/coder/coder/v2/coderd/notifications"`
	`69`	`+"github.com/coder/coder/v2/coderd/notifications/notificationstest"`
`69`	`70`	`"github.com/coder/coder/v2/coderd/rbac"`
`70`	`71`	`"github.com/coder/coder/v2/coderd/rbac/policy"`
`71`	`72`	`"github.com/coder/coder/v2/coderd/runtimeconfig"`
`@@ -251,7 +252,7 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can`
`251`	`252`	`}`
`252`	`253`
`253`	`254`	`ifoptions.NotificationsEnqueuer==nil {`
`254`		`-options.NotificationsEnqueuer=new(testutil.FakeNotificationsEnqueuer)`
	`255`	`+options.NotificationsEnqueuer=&notificationstest.FakeEnqueuer{}`
`255`	`256`	`}`
`256`	`257`
`257`	`258`	`accessControlStore:=&atomic.Pointer[dbauthz.AccessControlStore]{}`
`@@ -311,7 +312,7 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can`
`311`	`312`	`t.Cleanup(closeBatcher)`
`312`	`313`	`}`
`313`	`314`	`ifoptions.NotificationsEnqueuer==nil {`
`314`		`-options.NotificationsEnqueuer=&testutil.FakeNotificationsEnqueuer{}`
	`315`	`+options.NotificationsEnqueuer=&notificationstest.FakeEnqueuer{}`
`315`	`316`	`}`
`316`	`317`
`317`	`318`	`ifoptions.OneTimePasscodeValidityPeriod==0 {`

`‎coderd/database/dbauthz/dbauthz.go‎`

Lines changed: 8 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -178,6 +178,8 @@ var (`
`178`	`178`	`// this can be reduced to read a specific org.`
`179`	`179`	`rbac.ResourceOrganization.Type: {policy.ActionRead},`
`180`	`180`	`rbac.ResourceGroup.Type: {policy.ActionRead},`
	`181`	`+// Provisionerd creates notification messages`
	`182`	`+rbac.ResourceNotificationMessage.Type: {policy.ActionCreate,policy.ActionRead},`
`181`	`183`	`}),`
`182`	`184`	`Org:map[string][]rbac.Permission{},`
`183`	`185`	`User: []rbac.Permission{},`
`@@ -194,11 +196,12 @@ var (`
`194`	`196`	`Identifier: rbac.RoleIdentifier{Name:"autostart"},`
`195`	`197`	`DisplayName:"Autostart Daemon",`
`196`	`198`	`Site:rbac.Permissions(map[string][]policy.Action{`
`197`		`-rbac.ResourceSystem.Type: {policy.WildcardSymbol},`
`198`		`-rbac.ResourceTemplate.Type: {policy.ActionRead,policy.ActionUpdate},`
`199`		`-rbac.ResourceWorkspaceDormant.Type: {policy.ActionDelete,policy.ActionRead,policy.ActionUpdate,policy.ActionWorkspaceStop},`
`200`		`-rbac.ResourceWorkspace.Type: {policy.ActionDelete,policy.ActionRead,policy.ActionUpdate,policy.ActionWorkspaceStart,policy.ActionWorkspaceStop},`
`201`		`-rbac.ResourceUser.Type: {policy.ActionRead},`
	`199`	`+rbac.ResourceNotificationMessage.Type: {policy.ActionCreate,policy.ActionRead},`
	`200`	`+rbac.ResourceSystem.Type: {policy.WildcardSymbol},`
	`201`	`+rbac.ResourceTemplate.Type: {policy.ActionRead,policy.ActionUpdate},`
	`202`	`+rbac.ResourceUser.Type: {policy.ActionRead},`
	`203`	`+rbac.ResourceWorkspace.Type: {policy.ActionDelete,policy.ActionRead,policy.ActionUpdate,policy.ActionWorkspaceStart,policy.ActionWorkspaceStop},`
	`204`	`+rbac.ResourceWorkspaceDormant.Type: {policy.ActionDelete,policy.ActionRead,policy.ActionUpdate,policy.ActionWorkspaceStop},`
`202`	`205`	`}),`
`203`	`206`	`Org:map[string][]rbac.Permission{},`
`204`	`207`	`User: []rbac.Permission{},`

`‎coderd/notifications/notificationstest/fake_enqueuer.go‎`

Lines changed: 99 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,99 @@`
	`1`	`+package notificationstest`
	`2`	`+`
	`3`	`+import (`
	`4`	`+"context"`
	`5`	`+"fmt"`
	`6`	`+"sync"`
	`7`	`+`
	`8`	`+"github.com/google/uuid"`
	`9`	`+"github.com/prometheus/client_golang/prometheus"`
	`10`	`+`
	`11`	`+"github.com/coder/coder/v2/coderd/database/dbauthz"`
	`12`	`+"github.com/coder/coder/v2/coderd/rbac"`
	`13`	`+"github.com/coder/coder/v2/coderd/rbac/policy"`
	`14`	`+)`
	`15`	`+`
	`16`	`+typeFakeEnqueuerstruct {`
	`17`	`+authorizer rbac.Authorizer`
	`18`	`+mu sync.Mutex`
	`19`	`+sent []*FakeNotification`
	`20`	`+}`
	`21`	`+`
	`22`	`+typeFakeNotificationstruct {`
	`23`	`+UserID,TemplateID uuid.UUID`
	`24`	`+Labelsmap[string]string`
	`25`	`+Datamap[string]any`
	`26`	`+CreatedBystring`
	`27`	`+Targets []uuid.UUID`
	`28`	`+}`
	`29`	`+`
	`30`	`+// TODO: replace this with actual calls to dbauthz.`
	`31`	`+// See: https://github.com/coder/coder/issues/15481`
	`32`	`+func (f*FakeEnqueuer)assertRBACNoLock(ctx context.Context) {`
	`33`	`+iff.mu.TryLock() {`
	`34`	`+panic("Developer error: do not call assertRBACNoLock outside of a mutex lock!")`
	`35`	`+}`
	`36`	`+`
	`37`	`+// If we get here, we are locked.`
	`38`	`+iff.authorizer==nil {`
	`39`	`+f.authorizer=rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry())`
	`40`	`+}`
	`41`	`+`
	`42`	`+act,ok:=dbauthz.ActorFromContext(ctx)`
	`43`	`+if!ok {`
	`44`	`+panic("Developer error: no actor in context, you may need to use dbauthz.AsNotifier(ctx)")`
	`45`	`+}`
	`46`	`+`
	`47`	`+for_,a:=range []policy.Action{policy.ActionCreate,policy.ActionRead} {`
	`48`	`+err:=f.authorizer.Authorize(ctx,act,a,rbac.ResourceNotificationMessage)`
	`49`	`+iferr==nil {`
	`50`	`+return`
	`51`	`+}`
	`52`	`+`
	`53`	`+ifrbac.IsUnauthorizedError(err) {`
	`54`	`+panic(fmt.Sprintf("Developer error: not authorized to %s %s. "+`
	`55`	`+"Ensure that you are using dbauthz.AsXXX with an actor that has "+`
	`56`	`+"policy.ActionCreate on rbac.ResourceNotificationMessage",a,rbac.ResourceNotificationMessage.Type))`
	`57`	`+}`
	`58`	`+panic("Developer error: failed to check auth:"+err.Error())`
	`59`	`+}`
	`60`	`+}`
	`61`	`+`
	`62`	`+func (fFakeEnqueuer)Enqueue(ctx context.Context,userID,templateID uuid.UUID,labelsmap[string]string,createdBystring,targets...uuid.UUID) (uuid.UUID,error) {`
	`63`	`+returnf.EnqueueWithData(ctx,userID,templateID,labels,nil,createdBy,targets...)`
	`64`	`+}`
	`65`	`+`
	`66`	`+func (fFakeEnqueuer)EnqueueWithData(ctx context.Context,userID,templateID uuid.UUID,labelsmap[string]string,datamap[string]any,createdBystring,targets...uuid.UUID) (uuid.UUID,error) {`
	`67`	`+returnf.enqueueWithDataLock(ctx,userID,templateID,labels,data,createdBy,targets...)`
	`68`	`+}`
	`69`	`+`
	`70`	`+func (fFakeEnqueuer)enqueueWithDataLock(ctx context.Context,userID,templateID uuid.UUID,labelsmap[string]string,datamap[string]any,createdBystring,targets...uuid.UUID) (uuid.UUID,error) {`
	`71`	`+f.mu.Lock()`
	`72`	`+deferf.mu.Unlock()`
	`73`	`+f.assertRBACNoLock(ctx)`
	`74`	`+`
	`75`	`+f.sent=append(f.sent,&FakeNotification{`
	`76`	`+UserID:userID,`
	`77`	`+TemplateID:templateID,`
	`78`	`+Labels:labels,`
	`79`	`+Data:data,`
	`80`	`+CreatedBy:createdBy,`
	`81`	`+Targets:targets,`
	`82`	`+})`
	`83`	`+`
	`84`	`+id:=uuid.New()`
	`85`	`+return&id,nil`
	`86`	`+}`
	`87`	`+`
	`88`	`+func (f*FakeEnqueuer)Clear() {`
	`89`	`+f.mu.Lock()`
	`90`	`+deferf.mu.Unlock()`
	`91`	`+`
	`92`	`+f.sent=nil`
	`93`	`+}`
	`94`	`+`
	`95`	`+func (fFakeEnqueuer)Sent() []FakeNotification {`
	`96`	`+f.mu.Lock()`
	`97`	`+deferf.mu.Unlock()`
	`98`	`+returnappend([]*FakeNotification{},f.sent...)`
	`99`	`+}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit30e6fbd

File tree

18 files changed

18 files changed

`‎coderd/autobuild/lifecycle_executor_test.go‎`

`‎coderd/coderdtest/coderdtest.go‎`

`‎coderd/database/dbauthz/dbauthz.go‎`

`‎coderd/notifications/notificationstest/fake_enqueuer.go‎`

0 commit comments