NotificationsYou must be signed in to change notification settings
Fork905
Star10k

Commitea65ddc

authored

fix: correct user roles being passed into terraform context (#17460)

Roles were being passed into the workspace context incorrectly. Sitewide scopes were being org scoped. Roles outside the org should also notbe sent.

1 parent90eacc1 commitea65ddcCopy full SHA for ea65ddc

File tree

2 files changed

+42

-8

lines changed

coderd/provisionerdserver
- provisionerdserver.go
- provisionerdserver_test.go

2 files changed

+42

-8

lines changed

`‎coderd/provisionerdserver/provisionerdserver.go`

Lines changed: 13 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -595,17 +595,24 @@ func (s *server) acquireProtoJob(ctx context.Context, job database.ProvisionerJo`
`595`	`595`	`})`
`596`	`596`	`}`
`597`	`597`
`598`		`-roles,err:=s.Database.GetAuthorizationUserRoles(ctx,owner.ID)`
	`598`	`+allUserRoles,err:=s.Database.GetAuthorizationUserRoles(ctx,owner.ID)`
`599`	`599`	`iferr!=nil {`
`600`	`600`	`returnnil,failJob(fmt.Sprintf("get owner authorization roles: %s",err))`
`601`	`601`	`}`
`602`	`602`	`ownerRbacRoles:= []*sdkproto.Role{}`
`603`		`-for_,role:=rangeroles.Roles {`
`604`		`-ifs.OrganizationID==uuid.Nil {`
`605`		`-ownerRbacRoles=append(ownerRbacRoles,&sdkproto.Role{Name:role,OrgId:""})`
`606`		`-continue`
	`603`	`+roles,err:=allUserRoles.RoleNames()`
	`604`	`+iferr==nil {`
	`605`	`+for_,role:=rangeroles {`
	`606`	`+ifrole.OrganizationID!=uuid.Nil&&role.OrganizationID!=s.OrganizationID {`
	`607`	`+continue// Only include site wide and org specific roles`
	`608`	`+}`
	`609`	`+`
	`610`	`+orgID:=role.OrganizationID.String()`
	`611`	`+ifrole.OrganizationID==uuid.Nil {`
	`612`	`+orgID=""`
	`613`	`+}`
	`614`	`+ownerRbacRoles=append(ownerRbacRoles,&sdkproto.Role{Name:role.Name,OrgId:orgID})`
`607`	`615`	`}`
`608`		`-ownerRbacRoles=append(ownerRbacRoles,&sdkproto.Role{Name:role,OrgId:s.OrganizationID.String()})`
`609`	`616`	`}`
`610`	`617`
`611`	`618`	`protoJob.Type=&proto.AcquiredJob_WorkspaceBuild_{`

`‎coderd/provisionerdserver/provisionerdserver_test.go`

Lines changed: 29 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@ import (`
`6`	`6`	`"encoding/json"`
`7`	`7`	`"io"`
`8`	`8`	`"net/url"`
	`9`	`+"slices"`
`9`	`10`	`"strconv"`
`10`	`11`	`"strings"`
`11`	`12`	`"sync"`
`@@ -22,6 +23,7 @@ import (`
`22`	`23`	`"storj.io/drpc"`
`23`	`24`
`24`	`25`	`"cdr.dev/slog/sloggers/slogtest"`
	`26`	`+"github.com/coder/coder/v2/coderd/rbac"`
`25`	`27`	`"github.com/coder/quartz"`
`26`	`28`	`"github.com/coder/serpent"`
`27`	`29`
`@@ -203,6 +205,20 @@ func TestAcquireJob(t *testing.T) {`
`203`	`205`	`GroupID:group1.ID,`
`204`	`206`	`})`
`205`	`207`	`require.NoError(t,err)`
	`208`	`+dbgen.OrganizationMember(t,db, database.OrganizationMember{`
	`209`	`+UserID:user.ID,`
	`210`	`+OrganizationID:pd.OrganizationID,`
	`211`	`+Roles: []string{rbac.RoleOrgAuditor()},`
	`212`	`+})`
	`213`	`+`
	`214`	`+// Add extra erronous roles`
	`215`	`+secondOrg:=dbgen.Organization(t,db, database.Organization{})`
	`216`	`+dbgen.OrganizationMember(t,db, database.OrganizationMember{`
	`217`	`+UserID:user.ID,`
	`218`	`+OrganizationID:secondOrg.ID,`
	`219`	`+Roles: []string{rbac.RoleOrgAuditor()},`
	`220`	`+})`
	`221`	`+`
`206`	`222`	`link:=dbgen.UserLink(t,db, database.UserLink{`
`207`	`223`	`LoginType:database.LoginTypeOIDC,`
`208`	`224`	`UserID:user.ID,`
`@@ -350,7 +366,7 @@ func TestAcquireJob(t *testing.T) {`
`350`	`366`	`WorkspaceOwnerEmail:user.Email,`
`351`	`367`	`WorkspaceOwnerName:user.Name,`
`352`	`368`	`WorkspaceOwnerOidcAccessToken:link.OAuthAccessToken,`
`353`		`-WorkspaceOwnerGroups: []string{group1.Name},`
	`369`	`+WorkspaceOwnerGroups: []string{"Everyone",group1.Name},`
`354`	`370`	`WorkspaceId:workspace.ID.String(),`
`355`	`371`	`WorkspaceOwnerId:user.ID.String(),`
`356`	`372`	`TemplateId:template.ID.String(),`
`@@ -361,11 +377,15 @@ func TestAcquireJob(t *testing.T) {`
`361`	`377`	`WorkspaceOwnerSshPrivateKey:sshKey.PrivateKey,`
`362`	`378`	`WorkspaceBuildId:build.ID.String(),`
`363`	`379`	`WorkspaceOwnerLoginType:string(user.LoginType),`
`364`		`-WorkspaceOwnerRbacRoles: []*sdkproto.Role{{Name:"member",OrgId:pd.OrganizationID.String()}},`
	`380`	`+WorkspaceOwnerRbacRoles: []*sdkproto.Role{{Name:rbac.RoleOrgMember(),OrgId:pd.OrganizationID.String()}, {Name:"member",OrgId:""}, {Name:rbac.RoleOrgAuditor(),OrgId:pd.OrganizationID.String()}},`
`365`	`381`	`}`
`366`	`382`	`ifprebuiltWorkspace {`
`367`	`383`	`wantedMetadata.IsPrebuild=true`
`368`	`384`	`}`
	`385`	`+`
	`386`	`+slices.SortFunc(wantedMetadata.WorkspaceOwnerRbacRoles,func(a,b*sdkproto.Role)int {`
	`387`	`+returnstrings.Compare(a.Name+a.OrgId,b.Name+b.OrgId)`
	`388`	`+})`
`369`	`389`	`want,err:=json.Marshal(&proto.AcquiredJob_WorkspaceBuild_{`
`370`	`390`	`WorkspaceBuild:&proto.AcquiredJob_WorkspaceBuild{`
`371`	`391`	`WorkspaceBuildId:build.ID.String(),`
`@@ -467,6 +487,13 @@ func TestAcquireJob(t *testing.T) {`
`467`	`487`	`job,err:=tc.acquire(ctx,srv)`
`468`	`488`	`require.NoError(t,err)`
`469`	`489`
	`490`	`+// sort`
	`491`	`+ifwk,ok:=job.Type.(*proto.AcquiredJob_WorkspaceBuild_);ok {`
	`492`	`+slices.SortFunc(wk.WorkspaceBuild.Metadata.WorkspaceOwnerRbacRoles,func(a,b*sdkproto.Role)int {`
	`493`	`+returnstrings.Compare(a.Name+a.OrgId,b.Name+b.OrgId)`
	`494`	`+})`
	`495`	`+}`
	`496`	`+`
`470`	`497`	`got,err:=json.Marshal(job.Type)`
`471`	`498`	`require.NoError(t,err)`
`472`	`499`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitea65ddc

File tree

2 files changed

2 files changed

`‎coderd/provisionerdserver/provisionerdserver.go`

`‎coderd/provisionerdserver/provisionerdserver_test.go`

0 commit comments