NotificationsYou must be signed in to change notification settings
Fork928
Star10.1k

Commit997493d

authored

feat: add template setting to require active template version (#10277)

1 parent1ad998e commit997493dCopy full SHA for 997493d

File tree

47 files changed

+802

-70

lines changed

cli
coderd
- apidoc
  - docs.go
  - swagger.json
- autobuild
  - lifecycle_executor.go
  - lifecycle_executor_test.go
- coderd.go
- coderdtest
  - coderdtest.go
- database
  - dbauthz
  - dbfake
    - dbfake.go
  - dbmetrics
    - dbmetrics.go
  - dbmock
    - dbmock.go
  - dump.sql
  - migrations
    - 000166_template_active_version.down.sql
    - 000166_template_active_version.up.sql
  - modelmethods.go
  - modelqueries.go
  - models.go
  - querier.go
  - queries
    - templates.sql
  - queries.sql.go
- templates.go
- wsbuilder
  - wsbuilder.go
codersdk
docs
- admin
  - audit-logs.md
- api
  - schemas.md
  - templates.md
enterprise
- audit
  - table.go
- coderd
site/src
- api
  - typesGenerated.ts
- pages
  - CreateTemplatePage
    - utils.ts
  - TemplateSettingsPage
    - TemplateGeneralSettingsPage
      - TemplateSettingsForm.tsx
      - TemplateSettingsPage.test.tsx
    - TemplateSchedulePage
      - TemplateScheduleForm.tsx
      - TemplateSchedulePage.test.tsx
- testHelpers
  - entities.ts

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

47 files changed

+802

-70

lines changed

`‎cli/server.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -940,7 +940,7 @@ func (r RootCmd) Server(newAPI func(context.Context, coderd.Options) (*coderd.`
`940`	`940`	`autobuildTicker:=time.NewTicker(vals.AutobuildPollInterval.Value())`
`941`	`941`	`deferautobuildTicker.Stop()`
`942`	`942`	`autobuildExecutor:=autobuild.NewExecutor(`
`943`		`-ctx,options.Database,options.Pubsub,coderAPI.TemplateScheduleStore,&coderAPI.Auditor,logger,autobuildTicker.C)`
	`943`	`+ctx,options.Database,options.Pubsub,coderAPI.TemplateScheduleStore,&coderAPI.Auditor,coderAPI.AccessControlStore,logger,autobuildTicker.C)`
`944`	`944`	`autobuildExecutor.Run()`
`945`	`945`
`946`	`946`	`hangDetectorTicker:=time.NewTicker(vals.JobHangDetectorInterval.Value())`

`‎cli/templates.go`

Lines changed: 0 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -6,8 +6,6 @@ import (`
`6`	`6`	`"github.com/google/uuid"`
`7`	`7`	`"golang.org/x/xerrors"`
`8`	`8`
`9`		`-"github.com/coder/pretty"`
`10`		`-`
`11`	`9`	`"github.com/coder/coder/v2/cli/clibase"`
`12`	`10`	`"github.com/coder/coder/v2/cli/cliui"`
`13`	`11`	`"github.com/coder/coder/v2/codersdk"`

`‎cli/templateversionarchive.go`

Lines changed: 0 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -8,8 +8,6 @@ import (`
`8`	`8`
`9`	`9`	`"golang.org/x/xerrors"`
`10`	`10`
`11`		`-"github.com/coder/pretty"`
`12`		`-`
`13`	`11`	`"github.com/coder/coder/v2/cli/clibase"`
`14`	`12`	`"github.com/coder/coder/v2/cli/cliui"`
`15`	`13`	`"github.com/coder/coder/v2/codersdk"`

`‎cli/templateversions.go`

Lines changed: 0 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -8,8 +8,6 @@ import (`
`8`	`8`	`"github.com/google/uuid"`
`9`	`9`	`"golang.org/x/xerrors"`
`10`	`10`
`11`		`-"github.com/coder/pretty"`
`12`		`-`
`13`	`11`	`"github.com/coder/coder/v2/cli/clibase"`
`14`	`12`	`"github.com/coder/coder/v2/cli/cliui"`
`15`	`13`	`"github.com/coder/coder/v2/codersdk"`

`‎coderd/apidoc/docs.go`

Lines changed: 8 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apidoc/swagger.json`

Lines changed: 8 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/autobuild/lifecycle_executor.go`

Lines changed: 14 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,7 @@ type Executor struct {`
`32`	`32`	`db database.Store`
`33`	`33`	`ps pubsub.Pubsub`
`34`	`34`	`templateScheduleStore*atomic.Pointer[schedule.TemplateScheduleStore]`
	`35`	`+accessControlStore*atomic.Pointer[dbauthz.AccessControlStore]`
`35`	`36`	`auditor*atomic.Pointer[audit.Auditor]`
`36`	`37`	`log slog.Logger`
`37`	`38`	`tick<-chan time.Time`
`@@ -46,7 +47,7 @@ type Stats struct {`
`46`	`47`	`}`
`47`	`48`
`48`	`49`	`// New returns a new wsactions executor.`
`49`		`-funcNewExecutor(ctx context.Context,db database.Store,ps pubsub.Pubsub,tssatomic.Pointer[schedule.TemplateScheduleStore],auditoratomic.Pointer[audit.Auditor],log slog.Logger,tick<-chan time.Time)*Executor {`
	`50`	`+funcNewExecutor(ctx context.Context,db database.Store,ps pubsub.Pubsub,tssatomic.Pointer[schedule.TemplateScheduleStore],auditoratomic.Pointer[audit.Auditor],acsatomic.Pointer[dbauthz.AccessControlStore],log slog.Logger,tick<-chan time.Time)Executor {`
`50`	`51`	`le:=&Executor{`
`51`	`52`	`//nolint:gocritic // Autostart has a limited set of permissions.`
`52`	`53`	`ctx:dbauthz.AsAutostart(ctx),`
`@@ -56,6 +57,7 @@ func NewExecutor(ctx context.Context, db database.Store, ps pubsub.Pubsub, tss *`
`56`	`57`	`tick:tick,`
`57`	`58`	`log:log.Named("autobuild"),`
`58`	`59`	`auditor:auditor,`
	`60`	`+accessControlStore:acs,`
`59`	`61`	`}`
`60`	`62`	`returnle`
`61`	`63`	`}`
`@@ -159,6 +161,12 @@ func (e *Executor) runOnce(t time.Time) Stats {`
`159`	`161`	`returnnil`
`160`	`162`	`}`
`161`	`163`
	`164`	`+template,err:=tx.GetTemplateByID(e.ctx,ws.TemplateID)`
	`165`	`+iferr!=nil {`
	`166`	`+log.Warn(e.ctx,"get template by id",slog.Error(err))`
	`167`	`+}`
	`168`	`+accessControl:= (*(e.accessControlStore.Load())).GetTemplateAccessControl(template)`
	`169`	`+`
`162`	`170`	`latestJob,err:=tx.GetProvisionerJobByID(e.ctx,latestBuild.JobID)`
`163`	`171`	`iferr!=nil {`
`164`	`172`	`log.Warn(e.ctx,"get last provisioner job for workspace %q: %w",slog.Error(err))`
`@@ -179,7 +187,7 @@ func (e *Executor) runOnce(t time.Time) Stats {`
`179`	`187`	`Reason(reason)`
`180`	`188`	`log.Debug(e.ctx,"auto building workspace",slog.F("transition",nextTransition))`
`181`	`189`	`ifnextTransition==database.WorkspaceTransitionStart&&`
`182`		`-ws.AutomaticUpdates==database.AutomaticUpdatesAlways {`
	`190`	`+useActiveVersion(accessControl,ws) {`
`183`	`191`	`log.Debug(e.ctx,"autostarting with active version")`
`184`	`192`	`builder=builder.ActiveVersion()`
`185`	`193`	`}`
`@@ -470,3 +478,7 @@ func auditBuild(ctx context.Context, log slog.Logger, auditor audit.Auditor, par`
`470`	`478`	`AdditionalFields:raw,`
`471`	`479`	`})`
`472`	`480`	`}`
	`481`	`+`
	`482`	`+funcuseActiveVersion(opts dbauthz.TemplateAccessControl,ws database.Workspace)bool {`
	`483`	`+returnopts.RequireActiveVersion\|\|ws.AutomaticUpdates==database.AutomaticUpdatesAlways`
	`484`	`+}`

`‎coderd/autobuild/lifecycle_executor_test.go`

Lines changed: 50 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -783,6 +783,56 @@ func TestExecutorAutostopTemplateDisabled(t *testing.T) {`
`783`	`783`	`assert.Len(t,stats.Transitions,0)`
`784`	`784`	`}`
`785`	`785`
	`786`	`+// Test that an AGPL AccessControlStore properly disables`
	`787`	`+// functionality.`
	`788`	`+funcTestExecutorRequireActiveVersion(t*testing.T) {`
	`789`	`+t.Parallel()`
	`790`	`+`
	`791`	`+var (`
	`792`	`+sched=mustSchedule(t,"CRON_TZ=UTC 0 * * * *")`
	`793`	`+ticker=make(chan time.Time)`
	`794`	`+statCh=make(chan autobuild.Stats)`
	`795`	`+`
	`796`	`+ownerClient=coderdtest.New(t,&coderdtest.Options{`
	`797`	`+AutobuildTicker:ticker,`
	`798`	`+IncludeProvisionerDaemon:true,`
	`799`	`+AutobuildStats:statCh,`
	`800`	`+TemplateScheduleStore:schedule.NewAGPLTemplateScheduleStore(),`
	`801`	`+})`
	`802`	`+)`
	`803`	`+owner:=coderdtest.CreateFirstUser(t,ownerClient)`
	`804`	`+`
	`805`	`+// Create an active and inactive template version. We'll`
	`806`	`+// build a regular member's workspace using a non-active`
	`807`	`+// template version and assert that the field is not abided`
	`808`	`+// since there is no enterprise license.`
	`809`	`+activeVersion:=coderdtest.CreateTemplateVersion(t,ownerClient,owner.OrganizationID,nil)`
	`810`	`+template:=coderdtest.CreateTemplate(t,ownerClient,owner.OrganizationID,activeVersion.ID,func(ctr*codersdk.CreateTemplateRequest) {`
	`811`	`+ctr.RequireActiveVersion=true`
	`812`	`+ctr.VersionID=activeVersion.ID`
	`813`	`+})`
	`814`	`+inactiveVersion:=coderdtest.CreateTemplateVersion(t,ownerClient,owner.OrganizationID,nil,func(ctvr*codersdk.CreateTemplateVersionRequest) {`
	`815`	`+ctvr.TemplateID=template.ID`
	`816`	`+})`
	`817`	`+coderdtest.AwaitTemplateVersionJobCompleted(t,ownerClient,activeVersion.ID)`
	`818`	`+memberClient,_:=coderdtest.CreateAnotherUser(t,ownerClient,owner.OrganizationID)`
	`819`	`+ws:=coderdtest.CreateWorkspace(t,memberClient,owner.OrganizationID,uuid.Nil,func(cwr*codersdk.CreateWorkspaceRequest) {`
	`820`	`+cwr.TemplateVersionID=inactiveVersion.ID`
	`821`	`+cwr.AutostartSchedule=ptr.Ref(sched.String())`
	`822`	`+})`
	`823`	`+_=coderdtest.AwaitWorkspaceBuildJobCompleted(t,ownerClient,ws.LatestBuild.ID)`
	`824`	`+ws=coderdtest.MustTransitionWorkspace(t,memberClient,ws.ID,database.WorkspaceTransitionStart,database.WorkspaceTransitionStop,func(req*codersdk.CreateWorkspaceBuildRequest) {`
	`825`	`+req.TemplateVersionID=inactiveVersion.ID`
	`826`	`+})`
	`827`	`+require.Equal(t,inactiveVersion.ID,ws.LatestBuild.TemplateVersionID)`
	`828`	`+ticker<-sched.Next(ws.LatestBuild.CreatedAt)`
	`829`	`+stats:=<-statCh`
	`830`	`+require.Len(t,stats.Transitions,1)`
	`831`	`+`
	`832`	`+ws=coderdtest.MustWorkspace(t,memberClient,ws.ID)`
	`833`	`+require.Equal(t,inactiveVersion.ID,ws.LatestBuild.TemplateVersionID)`
	`834`	`+}`
	`835`	`+`
`786`	`836`	`// TestExecutorFailedWorkspace test AGPL functionality which mainly`
`787`	`837`	`// ensures that autostop actions as a result of a failed workspace`
`788`	`838`	`// build do not trigger.`

`‎coderd/coderd.go`

Lines changed: 14 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -131,6 +131,7 @@ type Options struct {`
`131`	`131`	`SetUserSiteRolesfunc(ctx context.Context,logger slog.Logger,tx database.Store,userID uuid.UUID,roles []string)error`
`132`	`132`	`TemplateScheduleStore*atomic.Pointer[schedule.TemplateScheduleStore]`
`133`	`133`	`UserQuietHoursScheduleStore*atomic.Pointer[schedule.UserQuietHoursScheduleStore]`
	`134`	`+AccessControlStore*atomic.Pointer[dbauthz.AccessControlStore]`
`134`	`135`	`// AppSecurityKey is the crypto key used to sign and encrypt tokens related to`
`135`	`136`	`// workspace applications. It consists of both a signing and encryption key.`
`136`	`137`	`AppSecurityKey workspaceapps.SecurityKey`
`@@ -208,11 +209,20 @@ func New(options Options) API {`
`208`	`209`	`ifoptions.Authorizer==nil {`
`209`	`210`	`options.Authorizer=rbac.NewCachingAuthorizer(options.PrometheusRegistry)`
`210`	`211`	`}`
	`212`	`+`
	`213`	`+ifoptions.AccessControlStore==nil {`
	`214`	`+options.AccessControlStore=&atomic.Pointer[dbauthz.AccessControlStore]{}`
	`215`	`+vartacs dbauthz.AccessControlStore= dbauthz.AGPLTemplateAccessControlStore{}`
	`216`	`+options.AccessControlStore.Store(&tacs)`
	`217`	`+}`
	`218`	`+`
`211`	`219`	`options.Database=dbauthz.New(`
`212`	`220`	`options.Database,`
`213`	`221`	`options.Authorizer,`
`214`	`222`	`options.Logger.Named("authz_querier"),`
	`223`	`+options.AccessControlStore,`
`215`	`224`	`)`
	`225`	`+`
`216`	`226`	`experiments:=ReadExperiments(`
`217`	`227`	`options.Logger,options.DeploymentValues.Experiments.Value(),`
`218`	`228`	`)`
`@@ -369,6 +379,7 @@ func New(options Options) API {`
`369`	`379`	`Auditor: atomic.Pointer[audit.Auditor]{},`
`370`	`380`	`TemplateScheduleStore:options.TemplateScheduleStore,`
`371`	`381`	`UserQuietHoursScheduleStore:options.UserQuietHoursScheduleStore,`
	`382`	`+AccessControlStore:options.AccessControlStore,`
`372`	`383`	`Experiments:experiments,`
`373`	`384`	`healthCheckGroup:&singleflight.Group[string,*healthcheck.Report]{},`
`374`	`385`	`Acquirer:provisionerdserver.NewAcquirer(`
`@@ -1008,6 +1019,9 @@ type API struct {`
`1008`	`1019`	`UserQuietHoursScheduleStore*atomic.Pointer[schedule.UserQuietHoursScheduleStore]`
`1009`	`1020`	`// DERPMapper mutates the DERPMap to include workspace proxies.`
`1010`	`1021`	`DERPMapper atomic.Pointer[func(derpMaptailcfg.DERPMap)tailcfg.DERPMap]`
	`1022`	`+// AccessControlStore is a pointer to an atomic pointer since it is`
	`1023`	`+// passed to dbauthz.`
	`1024`	`+AccessControlStore*atomic.Pointer[dbauthz.AccessControlStore]`
`1011`	`1025`
`1012`	`1026`	`HTTPAuth*HTTPAuthorizer`
`1013`	`1027`

`‎coderd/coderdtest/coderdtest.go`

Lines changed: 15 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -218,7 +218,6 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can`
`218`	`218`
`219`	`219`	`ifoptions.Database==nil {`
`220`	`220`	`options.Database,options.Pubsub=dbtestutil.NewDB(t)`
`221`		`-options.Database=dbauthz.New(options.Database,options.Authorizer,options.Logger.Leveled(slog.LevelDebug))`
`222`	`221`	`}`
`223`	`222`
`224`	`223`	`// Some routes expect a deployment ID, so just make sure one exists.`
`@@ -260,6 +259,10 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can`
`260`	`259`	`t.Cleanup(closeBatcher)`
`261`	`260`	`}`
`262`	`261`
	`262`	`+accessControlStore:=&atomic.Pointer[dbauthz.AccessControlStore]{}`
	`263`	`+varacs dbauthz.AccessControlStore= dbauthz.AGPLTemplateAccessControlStore{}`
	`264`	`+accessControlStore.Store(&acs)`
	`265`	`+`
`263`	`266`	`vartemplateScheduleStore atomic.Pointer[schedule.TemplateScheduleStore]`
`264`	`267`	`ifoptions.TemplateScheduleStore==nil {`
`265`	`268`	`options.TemplateScheduleStore=schedule.NewAGPLTemplateScheduleStore()`
`@@ -279,6 +282,7 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can`
`279`	`282`	`options.Pubsub,`
`280`	`283`	`&templateScheduleStore,`
`281`	`284`	`&auditor,`
	`285`	`+accessControlStore,`
`282`	`286`	`*options.Logger,`
`283`	`287`	`options.AutobuildTicker,`
`284`	`288`	`).WithStatsChannel(options.AutobuildStats)`
`@@ -416,6 +420,7 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can`
`416`	`420`	`Authorizer:options.Authorizer,`
`417`	`421`	`Telemetry:telemetry.NewNoop(),`
`418`	`422`	`TemplateScheduleStore:&templateScheduleStore,`
	`423`	`+AccessControlStore:accessControlStore,`
`419`	`424`	`TLSCertificates:options.TLSCertificates,`
`420`	`425`	`TrialGenerator:options.TrialGenerator,`
`421`	`426`	`TailnetCoordinator:options.Coordinator,`
`@@ -915,7 +920,7 @@ func CreateWorkspace(t testing.TB, client *codersdk.Client, organization uuid.UU`
`915`	`920`	`}`
`916`	`921`
`917`	`922`	`// TransitionWorkspace is a convenience method for transitioning a workspace from one state to another.`
`918`		`-funcMustTransitionWorkspace(t testing.TB,client*codersdk.Client,workspaceID uuid.UUID,from,to database.WorkspaceTransition) codersdk.Workspace {`
	`923`	`+funcMustTransitionWorkspace(t testing.TB,clientcodersdk.Client,workspaceID uuid.UUID,from,to database.WorkspaceTransition,muts...func(reqcodersdk.CreateWorkspaceBuildRequest)) codersdk.Workspace {`
`919`	`924`	`t.Helper()`
`920`	`925`	`ctx:=context.Background()`
`921`	`926`	`workspace,err:=client.Workspace(ctx,workspaceID)`
`@@ -925,10 +930,16 @@ func MustTransitionWorkspace(t testing.TB, client *codersdk.Client, workspaceID`
`925`	`930`	`template,err:=client.Template(ctx,workspace.TemplateID)`
`926`	`931`	`require.NoError(t,err,"fetch workspace template")`
`927`	`932`
`928`		`-build,err:=client.CreateWorkspaceBuild(ctx,workspace.ID, codersdk.CreateWorkspaceBuildRequest{`
	`933`	`+req:= codersdk.CreateWorkspaceBuildRequest{`
`929`	`934`	`TemplateVersionID:template.ActiveVersionID,`
`930`	`935`	`Transition:codersdk.WorkspaceTransition(to),`
`931`		`-})`
	`936`	`+}`
	`937`	`+`
	`938`	`+for_,mut:=rangemuts {`
	`939`	`+mut(&req)`
	`940`	`+}`
	`941`	`+`
	`942`	`+build,err:=client.CreateWorkspaceBuild(ctx,workspace.ID,req)`
`932`	`943`	`require.NoError(t,err,"unexpected error transitioning workspace to %s",to)`
`933`	`944`
`934`	`945`	`_=AwaitWorkspaceBuildJobCompleted(t,client,build.ID)`

`‎coderd/database/dbauthz/accesscontrol.go`

Lines changed: 37 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,37 @@`
	`1`	`+package dbauthz`
	`2`	`+`
	`3`	`+import (`
	`4`	`+"context"`
	`5`	`+`
	`6`	`+"github.com/google/uuid"`
	`7`	`+`
	`8`	`+"github.com/coder/coder/v2/coderd/database"`
	`9`	`+)`
	`10`	`+`
	`11`	`+// AccessControlStore fetches access control-related configuration`
	`12`	`+// that is used when determining whether an actor is authorized`
	`13`	`+// to interact with an RBAC object.`
	`14`	`+typeAccessControlStoreinterface {`
	`15`	`+GetTemplateAccessControl(t database.Template)TemplateAccessControl`
	`16`	`+SetTemplateAccessControl(ctx context.Context,store database.Store,id uuid.UUID,optsTemplateAccessControl)error`
	`17`	`+}`
	`18`	`+`
	`19`	`+typeTemplateAccessControlstruct {`
	`20`	`+RequireActiveVersionbool`
	`21`	`+}`
	`22`	`+`
	`23`	`+// AGPLTemplateAccessControlStore always returns the defaults for access control`
	`24`	`+// settings.`
	`25`	`+typeAGPLTemplateAccessControlStorestruct{}`
	`26`	`+`
	`27`	`+var_AccessControlStore=AGPLTemplateAccessControlStore{}`
	`28`	`+`
	`29`	`+func (AGPLTemplateAccessControlStore)GetTemplateAccessControl(database.Template)TemplateAccessControl {`
	`30`	`+returnTemplateAccessControl{`
	`31`	`+RequireActiveVersion:false,`
	`32`	`+}`
	`33`	`+}`
	`34`	`+`
	`35`	`+func (AGPLTemplateAccessControlStore)SetTemplateAccessControl(context.Context, database.Store, uuid.UUID,TemplateAccessControl)error {`
	`36`	`+returnnil`
	`37`	`+}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit997493d

File tree

47 files changed

Some content is hidden

47 files changed

`‎cli/server.go`

`‎cli/templates.go`

`‎cli/templateversionarchive.go`

`‎cli/templateversions.go`

`‎coderd/apidoc/docs.go`

`‎coderd/apidoc/swagger.json`

`‎coderd/autobuild/lifecycle_executor.go`

`‎coderd/autobuild/lifecycle_executor_test.go`

`‎coderd/coderd.go`

`‎coderd/coderdtest/coderdtest.go`

`‎coderd/database/dbauthz/accesscontrol.go`

0 commit comments