Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

fix: correct perms for forbidden error in TemplateScheduleStore.Load#11286

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
Emyrk merged 4 commits intomainfromstevenmasley/template_sch_load
Dec 20, 2023
Merged
Show file tree
Hide file tree
Changes fromall commits
Commits
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletioncoderd/agentapi/stats.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -61,7 +61,7 @@ func (a *StatsAPI) UpdateStats(ctx context.Context, req *agentproto.UpdateStatsR
templateSchedule, err := (*(a.TemplateScheduleStore.Load())).Get(ctx, a.Database, workspace.TemplateID)
// If the template schedule fails to load, just default to bumping without the next trasition and log it.
if err != nil {
a.Log.Warn(ctx, "failed to load template schedule bumping activity, defaulting to bumping by 60min",
a.Log.Error(ctx, "failed to load template schedule bumping activity, defaulting to bumping by 60min",
slog.F("workspace_id", workspace.ID),
slog.F("template_id", workspace.TemplateID),
slog.Error(err),
Expand Down
2 changes: 2 additions & 0 deletionscoderd/database/dbmem/dbmem.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -3796,6 +3796,7 @@ func (q *FakeQuerier) GetWorkspaceAgentAndOwnerByAuthToken(_ context.Context, au
}
var row database.GetWorkspaceAgentAndOwnerByAuthTokenRow
row.WorkspaceID = ws.ID
row.TemplateID = ws.TemplateID
usr, err := q.getUserByIDNoLock(ws.OwnerID)
if err != nil {
return database.GetWorkspaceAgentAndOwnerByAuthTokenRow{}, sql.ErrNoRows
Expand All@@ -3805,6 +3806,7 @@ func (q *FakeQuerier) GetWorkspaceAgentAndOwnerByAuthToken(_ context.Context, au
// We also need to get org roles for the user
row.OwnerName = usr.Username
row.WorkspaceAgent = agt
row.TemplateVersionID = build.TemplateVersionID
for _, mem := range q.organizationMembers {
if mem.UserID == usr.ID {
row.OwnerRoles = append(row.OwnerRoles, fmt.Sprintf("organization-member:%s", mem.OrganizationID.String()))
Expand Down
23 changes: 15 additions & 8 deletionscoderd/database/queries.sql.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more abouthow customized files appear on GitHub.

5 changes: 4 additions & 1 deletioncoderd/database/queries/workspaceagents.sql
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -219,6 +219,8 @@ SELECT
users.id AS owner_id,
users.username AS owner_name,
users.status AS owner_status,
workspaces.template_id AS template_id,
workspace_builds.template_version_id AS template_version_id,
array_cat(
array_append(users.rbac_roles, 'member'),
array_append(ARRAY[]::text[], 'organization-member:' || organization_members.organization_id::text)
Expand DownExpand Up@@ -261,7 +263,8 @@ GROUP BY
workspaces.id,
users.id,
organization_members.organization_id,
workspace_builds.build_number
workspace_builds.build_number,
workspace_builds.template_version_id
Comment on lines -264 to +267
Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I think this is totally safe

ORDER BY
workspace_builds.build_number DESC
LIMIT 1;
7 changes: 6 additions & 1 deletioncoderd/httpmw/workspaceagent.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -97,7 +97,12 @@ func ExtractWorkspaceAgent(opts ExtractWorkspaceAgentConfig) func(http.Handler)
ID: row.OwnerID.String(),
Roles: rbac.RoleNames(row.OwnerRoles),
Groups: row.OwnerGroups,
Scope: rbac.WorkspaceAgentScope(row.WorkspaceID, row.OwnerID),
Scope: rbac.WorkspaceAgentScope(rbac.WorkspaceAgentScopeParams{
WorkspaceID: row.WorkspaceID,
OwnerID: row.OwnerID,
TemplateID: row.TemplateID,
VersionID: row.TemplateVersionID,
}),
}.WithCachedASTValue()

ctx = context.WithValue(ctx, workspaceAgentContextKey{}, row.WorkspaceAgent)
Expand Down
2 changes: 2 additions & 0 deletionscoderd/prometheusmetrics/prometheusmetrics_test.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -394,12 +394,14 @@ func TestAgentStats(t *testing.T) {
require.NoError(t, err, "create stats batcher failed")
t.Cleanup(closeBatcher)

tLogger := slogtest.Make(t, nil)
// Build sample workspaces with test agents and fake agent client
client, _, _ := coderdtest.NewWithAPI(t, &coderdtest.Options{
Database: db,
IncludeProvisionerDaemon: true,
Pubsub: pubsub,
StatsBatcher: batcher,
Logger: &tLogger,
})

user := coderdtest.CreateFirstUser(t, client)
Expand Down
22 changes: 18 additions & 4 deletionscoderd/rbac/scopes.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -8,10 +8,21 @@ import (
"golang.org/x/xerrors"
)

type WorkspaceAgentScopeParams struct {
WorkspaceID uuid.UUID
OwnerID uuid.UUID
TemplateID uuid.UUID
VersionID uuid.UUID
}

// WorkspaceAgentScope returns a scope that is the same as ScopeAll but can only
// affect resources in the allow list. Only a scope is returned as the roles
// should come from the workspace owner.
func WorkspaceAgentScope(workspaceID, ownerID uuid.UUID) Scope {
func WorkspaceAgentScope(params WorkspaceAgentScopeParams) Scope {
if params.WorkspaceID == uuid.Nil || params.OwnerID == uuid.Nil || params.TemplateID == uuid.Nil || params.VersionID == uuid.Nil {
panic("all uuids must be non-nil, this is a developer error")
}

allScope, err := ScopeAll.Expand()
if err != nil {
panic("failed to expand scope all, this should never happen")
Expand All@@ -23,10 +34,13 @@ func WorkspaceAgentScope(workspaceID, ownerID uuid.UUID) Scope {
// and evolving.
Role: allScope.Role,
// This prevents the agent from being able to access any other resource.
// Include the list of IDs of anything that is required for the
// agent to function.
AllowIDList: []string{
workspaceID.String(),
ownerID.String(),
// TODO: Might want to include the template the workspace uses too?
params.WorkspaceID.String(),
params.TemplateID.String(),
params.VersionID.String(),
params.OwnerID.String(),
},
}
}
Expand Down
2 changes: 1 addition & 1 deletioncoderd/workspaceagents.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -1488,7 +1488,7 @@ func (api *API) workspaceAgentReportStats(rw http.ResponseWriter, r *http.Reques
templateSchedule, err := (*(api.TemplateScheduleStore.Load())).Get(ctx, api.Database, workspace.TemplateID)
// If the template schedule fails to load, just default to bumping without the next transition and log it.
if err != nil {
api.Logger.Warn(ctx, "failed to load template schedule bumping activity, defaulting to bumping by 60min",
api.Logger.Error(ctx, "failed to load template schedule bumping activity, defaulting to bumping by 60min",
slog.F("workspace_id", workspace.ID),
slog.F("template_id", workspace.TemplateID),
slog.Error(err),
Expand Down
[8]ページ先頭
©2009-2025 Movatter.jp