NotificationsYou must be signed in to change notification settings
Fork926
Star10.1k

Commita4b2e8d

committed

chore: reorder prebuilt workspace authorization logic

1 parentba08d38 commita4b2e8dCopy full SHA for a4b2e8d

File tree

4 files changed

+47

-28

lines changed

coderd
- database/dbauthz
  - dbauthz.go
  - dbauthz_test.go
- workspacebuilds.go
- wsbuilder
  - wsbuilder.go

4 files changed

+47

-28

lines changed

`‎coderd/database/dbauthz/dbauthz.go`

Lines changed: 14 additions & 12 deletions

Original file line number	Diff line number	Diff line change
`@@ -151,26 +151,28 @@ func (q *querier) authorizeContext(ctx context.Context, action policy.Action, ob`
`151`	`151`
`152`	`152`	`// authorizePrebuiltWorkspace handles authorization for workspace resource types.`
`153`	`153`	`// prebuilt_workspaces are a subset of workspaces, currently limited to`
`154`		`-// supporting delete operations. Therefore, if the action is delete or`
`155`		`-// update and the workspace is a prebuild, a prebuilt-specific authorization`
`156`		`-// is attempted first. If that fails, it falls back to normal workspace`
`157`		`-// authorization.`
	`154`	`+// supporting delete operations. This function first attempts normal workspace`
	`155`	`+// authorization. If that fails, the action is delete or update and the workspace`
	`156`	`+// is a prebuild, a prebuilt-specific authorization is attempted.`
`158`	`157`	`// Note: Delete operations of workspaces requires both update and delete`
`159`	`158`	`// permissions.`
`160`	`159`	`func (q*querier)authorizePrebuiltWorkspace(ctx context.Context,action policy.Action,workspace database.Workspace)error {`
`161`		`-varprebuiltErrerror`
`162`		`-// Special handling for prebuilt_workspace deletion authorization check`
	`160`	`+// Try default workspace authorization first`
	`161`	`+varworkspaceErrerror`
	`162`	`+ifworkspaceErr=q.authorizeContext(ctx,action,workspace);workspaceErr==nil {`
	`163`	`+returnnil`
	`164`	`+}`
	`165`	`+`
	`166`	`+// Special handling for prebuilt workspace deletion`
`163`	`167`	`if (action==policy.ActionUpdate\|\|action==policy.ActionDelete)&&workspace.IsPrebuild() {`
`164`		`-// Try prebuilt-specific authorization first`
	`168`	`+varprebuiltErrerror`
`165`	`169`	`ifprebuiltErr=q.authorizeContext(ctx,action,workspace.AsPrebuild());prebuiltErr==nil {`
`166`	`170`	`returnnil`
`167`	`171`	`}`
	`172`	`+returnxerrors.Errorf("authorize context: %w",errors.Join(workspaceErr,prebuiltErr))`
`168`	`173`	`}`
`169`		`-// Fallback to normal workspace authorization check`
`170`		`-iferr:=q.authorizeContext(ctx,action,workspace);err!=nil {`
`171`		`-returnxerrors.Errorf("authorize context: %w",errors.Join(prebuiltErr,err))`
`172`		`-}`
`173`		`-returnnil`
	`174`	`+`
	`175`	`+returnxerrors.Errorf("authorize context: %w",errors.Join(workspaceErr))`
`174`	`176`	`}`
`175`	`177`
`176`	`178`	`typeauthContextKeystruct{}`

`‎coderd/database/dbauthz/dbauthz_test.go`

Lines changed: 22 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -5590,7 +5590,17 @@ func (s *MethodTestSuite) TestAuthorizePrebuiltWorkspace() {`
`5590`	`5590`	`Reason:database.BuildReasonInitiator,`
`5591`	`5591`	`TemplateVersionID:tv.ID,`
`5592`	`5592`	`JobID:pj.ID,`
`5593`		`-}).Asserts(w.AsPrebuild(),policy.ActionDelete)`
	`5593`	`+}).`
	`5594`	`+// Simulate a fallback authorization flow:`
	`5595`	`+// - First, the default workspace authorization fails (simulated by returning an error).`
	`5596`	`+// - Then, authorization is retried using the prebuilt workspace object, which succeeds.`
	`5597`	`+// The test asserts that both authorization attempts occur in the correct order.`
	`5598`	`+WithSuccessAuthorizer(func(ctx context.Context,subject rbac.Subject,action policy.Action,obj rbac.Object)error {`
	`5599`	`+ifobj.Type==rbac.ResourceWorkspace.Type {`
	`5600`	`+returnxerrors.Errorf("not authorized for workspace type")`
	`5601`	`+}`
	`5602`	`+returnnil`
	`5603`	`+}).Asserts(w,policy.ActionDelete,w.AsPrebuild(),policy.ActionDelete)`
`5594`	`5604`	`}))`
`5595`	`5605`	`s.Run("PrebuildUpdate/InsertWorkspaceBuildParameters",s.Subtest(func(db database.Store,check*expects) {`
`5596`	`5606`	`u:=dbgen.User(s.T(),db, database.User{})`
`@@ -5619,6 +5629,16 @@ func (s *MethodTestSuite) TestAuthorizePrebuiltWorkspace() {`
`5619`	`5629`	`})`
`5620`	`5630`	`check.Args(database.InsertWorkspaceBuildParametersParams{`
`5621`	`5631`	`WorkspaceBuildID:wb.ID,`
`5622`		`-}).Asserts(w.AsPrebuild(),policy.ActionUpdate)`
	`5632`	`+}).`
	`5633`	`+// Simulate a fallback authorization flow:`
	`5634`	`+// - First, the default workspace authorization fails (simulated by returning an error).`
	`5635`	`+// - Then, authorization is retried using the prebuilt workspace object, which succeeds.`
	`5636`	`+// The test asserts that both authorization attempts occur in the correct order.`
	`5637`	`+WithSuccessAuthorizer(func(ctx context.Context,subject rbac.Subject,action policy.Action,obj rbac.Object)error {`
	`5638`	`+ifobj.Type==rbac.ResourceWorkspace.Type {`
	`5639`	`+returnxerrors.Errorf("not authorized for workspace type")`
	`5640`	`+}`
	`5641`	`+returnnil`
	`5642`	`+}).Asserts(w,policy.ActionUpdate,w.AsPrebuild(),policy.ActionUpdate)`
`5623`	`5643`	`}))`
`5624`	`5644`	`}`

`‎coderd/workspacebuilds.go`

Lines changed: 6 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -393,17 +393,16 @@ func (api API) postWorkspaceBuilds(rw http.ResponseWriter, r http.Request) {`
`393`	`393`	`ctx,`
`394`	`394`	`tx,`
`395`	`395`	`func(action policy.Action,object rbac.Objecter)bool {`
	`396`	`+ifauth:=api.Authorize(r,action,object);auth {`
	`397`	`+returntrue`
	`398`	`+}`
`396`	`399`	`// Special handling for prebuilt workspace deletion`
`397`	`400`	`ifobject.RBACObject().Type==rbac.ResourceWorkspace.Type&&action==policy.ActionDelete {`
`398`		`-ifworkspaceObj,ok:=object.(database.Workspace);ok {`
`399`		`-// Try prebuilt-specific authorization first`
`400`		`-ifauth:=api.Authorize(r,action,workspaceObj.AsPrebuild());auth {`
`401`		`-returnauth`
`402`		`-}`
	`401`	`+ifworkspaceObj,ok:=object.(database.Workspace);ok&&workspaceObj.IsPrebuild() {`
	`402`	`+returnapi.Authorize(r,action,workspaceObj.AsPrebuild())`
`403`	`403`	`}`
`404`	`404`	`}`
`405`		`-// Fallback to default authorization`
`406`		`-returnapi.Authorize(r,action,object)`
	`405`	`+returnfalse`
`407`	`406`	`},`
`408`	`407`	`audit.WorkspaceBuildBaggageFromRequest(r),`
`409`	`408`	`)`

`‎coderd/wsbuilder/wsbuilder.go`

Lines changed: 5 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -963,14 +963,12 @@ func (b *Builder) authorize(authFunc func(action policy.Action, object rbac.Obje`
`963`	`963`	`returnBuildError{http.StatusBadRequest,msg,xerrors.New(msg)}`
`964`	`964`	`}`
`965`	`965`
	`966`	`+// Try default workspace authorization first`
	`967`	`+authorized:=authFunc(action,b.workspace)`
	`968`	`+`
`966`	`969`	`// Special handling for prebuilt workspace deletion`
`967`		`-authorized:=false`
`968`		`-ifaction==policy.ActionDelete&&b.workspace.IsPrebuild()&&authFunc(action,b.workspace.AsPrebuild()) {`
`969`		`-authorized=true`
`970`		`-}`
`971`		`-// Fallback to default authorization`
`972`		`-if!authorized&&authFunc(action,b.workspace) {`
`973`		`-authorized=true`
	`970`	`+if!authorized&&action==policy.ActionDelete&&b.workspace.IsPrebuild() {`
	`971`	`+authorized=authFunc(action,b.workspace.AsPrebuild())`
`974`	`972`	`}`
`975`	`973`
`976`	`974`	`if!authorized {`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commita4b2e8d

File tree

4 files changed

4 files changed

`‎coderd/database/dbauthz/dbauthz.go`

`‎coderd/database/dbauthz/dbauthz_test.go`

`‎coderd/workspacebuilds.go`

`‎coderd/wsbuilder/wsbuilder.go`

0 commit comments