NotificationsYou must be signed in to change notification settings
Fork907
Star10k

Commitdbdf49f

committed

chore: fixup permission assertions and testing

1 parent110809e commitdbdf49fCopy full SHA for dbdf49f

File tree

7 files changed

+201

-114

lines changed

coderd
- coderd.go
- coderdtest
  - authorize.go
- httpmw
  - organizationparam.go
  - userparam.go
- workspaces.go
- workspaces_test.go
enterprise/coderd
- workspaces_test.go

7 files changed

+201

-114

lines changed

`‎coderd/coderd.go`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1148,6 +1148,7 @@ func New(options Options) API {`
`1148`	`1148`	`})`
`1149`	`1149`	`r.Route("/{user}",func(r chi.Router) {`
`1150`	`1150`	`r.Group(func(r chi.Router) {`
	`1151`	`+r.Use(httpmw.ExtractUserParamOptional(options.Database))`
`1151`	`1152`	`// Creating workspaces does not require permissions on the user, only the`
`1152`	`1153`	`// organization member. This endpoint should match the authz story of`
`1153`	`1154`	`// postWorkspacesByOrganization`

`‎coderd/coderdtest/authorize.go`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -144,8 +144,8 @@ type AuthCalls []AuthCall`
`144`	`144`
`145`	`145`	`typeAuthCallstruct {`
`146`	`146`	`rbac.AuthCall`
	`147`	`+Errerror`
`147`	`148`
`148`		`-errerror`
`149`	`149`	`assertedbool`
`150`	`150`	`// callers is a small stack trace for debugging.`
`151`	`151`	`callers []string`
`@@ -265,7 +265,7 @@ func (r *RecordingAuthorizer) recordAuthorize(subject rbac.Subject, action polic`
`265`	`265`	`Action:action,`
`266`	`266`	`Object:object,`
`267`	`267`	`},`
`268`		`-err:err,`
	`268`	`+Err:err,`
`269`	`269`	`callers: []string{`
`270`	`270`	`// This is a decent stack trace for debugging.`
`271`	`271`	`// Some dbauthz calls are a bit nested, so we skip a few.`

`‎coderd/httpmw/organizationparam.go`

Lines changed: 40 additions & 50 deletions

Original file line number	Diff line number	Diff line change
`@@ -110,61 +110,51 @@ type OrganizationMember struct {`
`110`	`110`	`funcExtractOrganizationMemberParam(db database.Store)func(http.Handler) http.Handler {`
`111`	`111`	`returnfunc(next http.Handler) http.Handler {`
`112`	`112`	`returnhttp.HandlerFunc(func(rw http.ResponseWriter,r*http.Request) {`
`113`		`-organization:=OrganizationParam(r)`
`114`		`-organizationMember,ok:=ExtractOrganizationMemberContext(rw,r,db,organization.ID)`
	`113`	`+ctx:=r.Context()`
	`114`	+// We need to resolve the `{user}` URL parameter so that we can get the userID and
	`115`	`+// username. We do this as SystemRestricted since the caller might have permission`
	`116`	`+// to access the OrganizationMember object, but not the User object. So, it is`
	`117`	`+// very important that we do not add the User object to the request context or otherwise`
	`118`	`+// leak it to the API handler.`
	`119`	`+// nolint:gocritic`
	`120`	`+user,ok:=ExtractUserContext(dbauthz.AsSystemRestricted(ctx),db,rw,r)`
`115`	`121`	`if!ok {`
`116`	`122`	`return`
`117`	`123`	`}`
	`124`	`+organization:=OrganizationParam(r)`
`118`	`125`
`119`		`-ctx:=r.Context()`
`120`		`-ctx=context.WithValue(ctx,organizationMemberParamContextKey{},organizationMember)`
`121`		`-next.ServeHTTP(rw,r.WithContext(ctx))`
`122`		`-})`
`123`		`-}`
`124`		`-}`
`125`		`-`
`126`		`-funcExtractOrganizationMemberContext(rw http.ResponseWriter,r*http.Request,db database.Store,orgID uuid.UUID) (OrganizationMember,bool) {`
`127`		`-ctx:=r.Context()`
`128`		`-`
`129`		-// We need to resolve the `{user}` URL parameter so that we can get the userID and
`130`		`-// username. We do this as SystemRestricted since the caller might have permission`
`131`		`-// to access the OrganizationMember object, but not the User object. So, it is`
`132`		`-// very important that we do not add the User object to the request context or otherwise`
`133`		`-// leak it to the API handler.`
`134`		`-// nolint:gocritic`
`135`		`-user,ok:=extractUserContext(dbauthz.AsSystemRestricted(ctx),db,rw,r)`
`136`		`-if!ok {`
`137`		`-returnOrganizationMember{},false`
`138`		`-}`
	`126`	`+organizationMember,err:=database.ExpectOne(db.OrganizationMembers(ctx, database.OrganizationMembersParams{`
	`127`	`+OrganizationID:organization.ID,`
	`128`	`+UserID:user.ID,`
	`129`	`+IncludeSystem:false,`
	`130`	`+}))`
	`131`	`+ifhttpapi.Is404Error(err) {`
	`132`	`+httpapi.ResourceNotFound(rw)`
	`133`	`+return`
	`134`	`+}`
	`135`	`+iferr!=nil {`
	`136`	`+httpapi.Write(ctx,rw,http.StatusInternalServerError, codersdk.Response{`
	`137`	`+Message:"Internal error fetching organization member.",`
	`138`	`+Detail:err.Error(),`
	`139`	`+})`
	`140`	`+return`
	`141`	`+}`
`139`	`142`
`140`		`-organizationMember,err:=database.ExpectOne(db.OrganizationMembers(ctx, database.OrganizationMembersParams{`
`141`		`-OrganizationID:orgID,`
`142`		`-UserID:user.ID,`
`143`		`-IncludeSystem:false,`
`144`		`-}))`
`145`		`-ifhttpapi.Is404Error(err) {`
`146`		`-httpapi.ResourceNotFound(rw)`
`147`		`-returnOrganizationMember{},false`
`148`		`-}`
`149`		`-iferr!=nil {`
`150`		`-httpapi.Write(ctx,rw,http.StatusInternalServerError, codersdk.Response{`
`151`		`-Message:"Internal error fetching organization member.",`
`152`		`-Detail:err.Error(),`
	`143`	`+ctx=context.WithValue(ctx,organizationMemberParamContextKey{},OrganizationMember{`
	`144`	`+OrganizationMember:organizationMember.OrganizationMember,`
	`145`	`+// Here we're making two exceptions to the rule about not leaking data about the user`
	`146`	`+// to the API handler, which is to include the username and avatar URL.`
	`147`	`+// If the caller has permission to read the OrganizationMember, then we're explicitly`
	`148`	`+// saying here that they also have permission to see the member's username and avatar.`
	`149`	`+// This is OK!`
	`150`	`+//`
	`151`	`+// API handlers need this information for audit logging and returning the owner's`
	`152`	`+// username in response to creating a workspace. Additionally, the frontend consumes`
	`153`	`+// the Avatar URL and this allows the FE to avoid an extra request.`
	`154`	`+Username:user.Username,`
	`155`	`+AvatarURL:user.AvatarURL,`
	`156`	`+})`
	`157`	`+next.ServeHTTP(rw,r.WithContext(ctx))`
`153`	`158`	`})`
`154`		`-returnOrganizationMember{},false`
`155`	`159`	`}`
`156`		`-returnOrganizationMember{`
`157`		`-OrganizationMember:organizationMember.OrganizationMember,`
`158`		`-// Here we're making two exceptions to the rule about not leaking data about the user`
`159`		`-// to the API handler, which is to include the username and avatar URL.`
`160`		`-// If the caller has permission to read the OrganizationMember, then we're explicitly`
`161`		`-// saying here that they also have permission to see the member's username and avatar.`
`162`		`-// This is OK!`
`163`		`-//`
`164`		`-// API handlers need this information for audit logging and returning the owner's`
`165`		`-// username in response to creating a workspace. Additionally, the frontend consumes`
`166`		`-// the Avatar URL and this allows the FE to avoid an extra request.`
`167`		`-Username:user.Username,`
`168`		`-AvatarURL:user.AvatarURL,`
`169`		`-},true`
`170`	`160`	`}`

`‎coderd/httpmw/userparam.go`

Lines changed: 24 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -31,13 +31,18 @@ func UserParam(r *http.Request) database.User {`
`31`	`31`	`returnuser`
`32`	`32`	`}`
`33`	`33`
	`34`	`+funcUserParamOptional(r*http.Request) (database.User,bool) {`
	`35`	`+user,ok:=r.Context().Value(userParamContextKey{}).(database.User)`
	`36`	`+returnuser,ok`
	`37`	`+}`
	`38`	`+`
`34`	`39`	`// ExtractUserParam extracts a user from an ID/username in the {user} URL`
`35`	`40`	`// parameter.`
`36`	`41`	`funcExtractUserParam(db database.Store)func(http.Handler) http.Handler {`
`37`	`42`	`returnfunc(next http.Handler) http.Handler {`
`38`	`43`	`returnhttp.HandlerFunc(func(rw http.ResponseWriter,r*http.Request) {`
`39`	`44`	`ctx:=r.Context()`
`40`		`-user,ok:=extractUserContext(ctx,db,rw,r)`
	`45`	`+user,ok:=ExtractUserContext(ctx,db,rw,r)`
`41`	`46`	`if!ok {`
`42`	`47`	`// response already handled`
`43`	`48`	`return`
`@@ -48,8 +53,24 @@ func ExtractUserParam(db database.Store) func(http.Handler) http.Handler {`
`48`	`53`	`}`
`49`	`54`	`}`
`50`	`55`
`51`		-// extractUserContext queries the database for the parameterized `{user}` from the request URL.
`52`		`-funcextractUserContext(ctx context.Context,db database.Store,rw http.ResponseWriter,r*http.Request) (user database.User,okbool) {`
	`56`	`+// ExtractUserParamOptional does not fail if no user is present.`
	`57`	`+funcExtractUserParamOptional(db database.Store)func(http.Handler) http.Handler {`
	`58`	`+returnfunc(next http.Handler) http.Handler {`
	`59`	`+returnhttp.HandlerFunc(func(rw http.ResponseWriter,r*http.Request) {`
	`60`	`+ctx:=r.Context()`
	`61`	`+`
	`62`	`+user,ok:=ExtractUserContext(ctx,db,&noopResponseWriter{},r)`
	`63`	`+ifok {`
	`64`	`+ctx=context.WithValue(ctx,userParamContextKey{},user)`
	`65`	`+}`
	`66`	`+`
	`67`	`+next.ServeHTTP(rw,r.WithContext(ctx))`
	`68`	`+})`
	`69`	`+}`
	`70`	`+}`
	`71`	`+`
	`72`	+// ExtractUserContext queries the database for the parameterized `{user}` from the request URL.
	`73`	`+funcExtractUserContext(ctx context.Context,db database.Store,rw http.ResponseWriter,r*http.Request) (user database.User,okbool) {`
`53`	`74`	`// userQuery is either a uuid, a username, or 'me'`
`54`	`75`	`userQuery:=chi.URLParam(r,"user")`
`55`	`76`	`ifuserQuery=="" {`

`‎coderd/workspaces.go`

Lines changed: 57 additions & 20 deletions

Original file line number	Diff line number	Diff line change
`@@ -413,21 +413,64 @@ func (api API) postUserWorkspaces(rw http.ResponseWriter, r http.Request) {`
`413`	`413`	`return`
`414`	`414`	`}`
`415`	`415`
`416`		`-// No middleware exists to fetch the user from. This endpoint needs to fetch`
`417`		`-//the organization member, which requirestheorganization. Which can be`
`418`		`-//sourced from the template.`
	`416`	`+varownerworkspaceOwner`
	`417`	`+//This user fetch is an optimization path forthemost common case of creating a`
	`418`	`+//workspace for 'Me'.`
`419`	`419`	`//`
`420`		`-// TODO: This code gets called twice for each workspace build request.`
`421`		`-// This is inefficient and costs at most 2 extra RTTs to the DB.`
`422`		`-// This can be optimized. It exists as it is now for code simplicity.`
`423`		`-template,ok:=requestTemplate(ctx,rw,req,api.Database)`
`424`		`-if!ok {`
`425`		`-return`
`426`		`-}`
	`420`	+// This is also required to allow `owners` to create workspaces for users
	`421`	`+// that are not in an organization.`
	`422`	`+user,ok:=httpmw.UserParamOptional(r)`
	`423`	`+ifok {`
	`424`	`+owner=workspaceOwner{`
	`425`	`+ID:user.ID,`
	`426`	`+Username:user.Username,`
	`427`	`+AvatarURL:user.AvatarURL,`
	`428`	`+}`
	`429`	`+}else {`
	`430`	`+// A workspace can still be created if the caller can read the organization`
	`431`	`+// member. The organization is required, which can be sourced from the`
	`432`	`+// template.`
	`433`	`+//`
	`434`	`+// TODO: This code gets called twice for each workspace build request.`
	`435`	`+// This is inefficient and costs at most 2 extra RTTs to the DB.`
	`436`	`+// This can be optimized. It exists as it is now for code simplicity.`
	`437`	`+// The most common case is to create a workspace for 'Me'. Which does`
	`438`	`+// not enter this code branch.`
	`439`	`+template,ok:=requestTemplate(ctx,rw,req,api.Database)`
	`440`	`+if!ok {`
	`441`	`+return`
	`442`	`+}`
`427`	`443`
`428`		`-member,ok:=httpmw.ExtractOrganizationMemberContext(rw,r,api.Database,template.OrganizationID)`
`429`		`-if!ok {`
`430`		`-return`
	`444`	`+// We need to fetch the original user as a system user to fetch the`
	`445`	`+// user_id. 'ExtractUserContext' handles all cases like usernames,`
	`446`	`+// 'Me', etc.`
	`447`	`+// nolint:gocritic // The user_id needs to be fetched. This handles all those cases.`
	`448`	`+user,ok:=httpmw.ExtractUserContext(dbauthz.AsSystemRestricted(ctx),api.Database,rw,r)`
	`449`	`+if!ok {`
	`450`	`+return`
	`451`	`+}`
	`452`	`+`
	`453`	`+organizationMember,err:=database.ExpectOne(api.Database.OrganizationMembers(ctx, database.OrganizationMembersParams{`
	`454`	`+OrganizationID:template.OrganizationID,`
	`455`	`+UserID:user.ID,`
	`456`	`+IncludeSystem:false,`
	`457`	`+}))`
	`458`	`+ifhttpapi.Is404Error(err) {`
	`459`	`+httpapi.ResourceNotFound(rw)`
	`460`	`+return`
	`461`	`+}`
	`462`	`+iferr!=nil {`
	`463`	`+httpapi.Write(ctx,rw,http.StatusInternalServerError, codersdk.Response{`
	`464`	`+Message:"Internal error fetching organization member.",`
	`465`	`+Detail:err.Error(),`
	`466`	`+})`
	`467`	`+return`
	`468`	`+}`
	`469`	`+owner=workspaceOwner{`
	`470`	`+ID:organizationMember.OrganizationMember.UserID,`
	`471`	`+Username:organizationMember.Username,`
	`472`	`+AvatarURL:organizationMember.AvatarURL,`
	`473`	`+}`
`431`	`474`	`}`
`432`	`475`
`433`	`476`	`aReq,commitAudit:=audit.InitRequest[database.WorkspaceTable](rw,&audit.RequestParams{`
`@@ -436,17 +479,11 @@ func (api API) postUserWorkspaces(rw http.ResponseWriter, r http.Request) {`
`436`	`479`	`Request:r,`
`437`	`480`	`Action:database.AuditActionCreate,`
`438`	`481`	`AdditionalFields: audit.AdditionalFields{`
`439`		`-WorkspaceOwner:member.Username,`
	`482`	`+WorkspaceOwner:owner.Username,`
`440`	`483`	`},`
`441`	`484`	`})`
`442`	`485`
`443`	`486`	`defercommitAudit()`
`444`		`-`
`445`		`-owner:=workspaceOwner{`
`446`		`-ID:member.UserID,`
`447`		`-Username:member.Username,`
`448`		`-AvatarURL:member.AvatarURL,`
`449`		`-}`
`450`	`487`	`createWorkspace(ctx,aReq,apiKey.UserID,api,owner,req,rw,r)`
`451`	`488`	`}`
`452`	`489`

`‎coderd/workspaces_test.go`

Lines changed: 0 additions & 36 deletions

Original file line number	Diff line number	Diff line change
`@@ -423,42 +423,6 @@ func TestWorkspace(t *testing.T) {`
`423`	`423`	`require.ErrorAs(t,err,&apiError)`
`424`	`424`	`require.Equal(t,http.StatusForbidden,apiError.StatusCode())`
`425`	`425`	`})`
`426`		`-`
`427`		`-// Asserting some authz calls when creating a workspace.`
`428`		`-t.Run("AuthzStory",func(t*testing.T) {`
`429`		`-t.Parallel()`
`430`		`-owner,_,api:=coderdtest.NewWithAPI(t,&coderdtest.Options{IncludeProvisionerDaemon:true})`
`431`		`-first:=coderdtest.CreateFirstUser(t,owner)`
`432`		`-authz:=coderdtest.AssertRBAC(t,api,owner)`
`433`		`-`
`434`		`-version:=coderdtest.CreateTemplateVersion(t,owner,first.OrganizationID,nil)`
`435`		`-coderdtest.AwaitTemplateVersionJobCompleted(t,owner,version.ID)`
`436`		`-template:=coderdtest.CreateTemplate(t,owner,first.OrganizationID,version.ID)`
`437`		`-_,userID:=coderdtest.CreateAnotherUser(t,owner,first.OrganizationID)`
`438`		`-`
`439`		`-ctx,cancel:=context.WithTimeout(context.Background(),testutil.WaitLong)`
`440`		`-defercancel()`
`441`		`-`
`442`		`-// Create a workspace with the current api.`
`443`		`-authz.Reset()// Reset all previous checks done in setup.`
`444`		`-_,err:=owner.CreateUserWorkspace(ctx,userID.ID.String(), codersdk.CreateWorkspaceRequest{`
`445`		`-TemplateID:template.ID,`
`446`		`-Name:"test-user",`
`447`		`-})`
`448`		`-require.NoError(t,err)`
`449`		`-`
`450`		`-// Assert all authz properties`
`451`		`-t.Run("OnlyOrganizationAuthzCalls",func(t*testing.T) {`
`452`		`-// Creating workspaces is an organization action. So organization`
`453`		`-// permissions should be sufficient to complete the action.`
`454`		`-for_,call:=rangeauthz.AllCalls() {`
`455`		`-assert.Falsef(t,call.Object.OrgID=="",`
`456`		`-"call %q for object %q has no organization set. Site authz calls not expected here",`
`457`		`-call.Action,call.Object.String(),`
`458`		`-)`
`459`		`-}`
`460`		`-})`
`461`		`-})`
`462`	`426`	`}`
`463`	`427`
`464`	`428`	`funcTestResolveAutostart(t*testing.T) {`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitdbdf49f

File tree

7 files changed

7 files changed

`‎coderd/coderd.go`

`‎coderd/coderdtest/authorize.go`

`‎coderd/httpmw/organizationparam.go`

`‎coderd/httpmw/userparam.go`

`‎coderd/workspaces.go`

`‎coderd/workspaces_test.go`

0 commit comments