- Notifications
You must be signed in to change notification settings - Fork925
feat: allow TemplateAdmin to delete prebuilds via auth layer#18333
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Merged
Uh oh!
There was an error while loading.Please reload this page.
Merged
Changes fromall commits
Commits
Show all changes
15 commits Select commitHold shift + click to select a range
2ba15c5 feat: POC for allowing TemplateAdmin to delete prebuild workspaces vi…
ssncferreiraa043f92 fix: role permissions tests
ssncferreira6cae769 fix: exclude prebuiltWorkspace permissions from orgAdmin role
ssncferreiraafc5359 fix: explicitly set prebuild_workspace permissions
ssncferreirab2c7bdd chore: improve code quality and add clarifying comments
ssncferreiraf24e4ab refactor: move PrebuildsSystemUserID constant to database package to …
ssncferreira98576c6 chore: remove unnecessary comment
ssncferreira9d2bf8b Merge remote-tracking branch 'origin/main' into ssncferreira/poc-preb…
ssncferreirad461a3d test: fix roles_test PrebuiltWorkspace to have the PrebuildsSystemUse…
ssncferreira5f896f0 test: improve end-to-end permission tests for deletion of prebuilt wo…
ssncferreiraf4ae6bc test: fix end-to-end cli tests Workspace delete permissions
ssncferreira998fa3b test: add dbauthz tests for authorize prebuilt workspaces
ssncferreira007f3fd chore: address comments - add IsPrebuild and AsPrebuild methods to Wo…
ssncferreiraf811778 chore: address comments - update cli test name
ssncferreiraed8af65 Merge remote-tracking branch 'origin/main' into ssncferreira/poc-preb…
ssncferreiraFile filter
Filter by extension
Conversations
Failed to load comments.
Loading
Uh oh!
There was an error while loading.Please reload this page.
Jump to
Jump to file
Failed to load files.
Loading
Uh oh!
There was an error while loading.Please reload this page.
Diff view
Diff view
There are no files selected for viewing
230 changes: 230 additions & 0 deletionscli/delete_test.go
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
2 changes: 2 additions & 0 deletionscoderd/apidoc/docs.go
Some generated files are not rendered by default. Learn more abouthow customized files appear on GitHub.
Oops, something went wrong.
Uh oh!
There was an error while loading.Please reload this page.
2 changes: 2 additions & 0 deletionscoderd/apidoc/swagger.json
Some generated files are not rendered by default. Learn more abouthow customized files appear on GitHub.
Oops, something went wrong.
Uh oh!
There was an error while loading.Please reload this page.
5 changes: 5 additions & 0 deletionscoderd/database/constants.go
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,5 @@ | ||
| package database | ||
| import "github.com/google/uuid" | ||
| var PrebuildsSystemUserID = uuid.MustParse("c42fdf75-3097-471c-8c33-fb52454d81c0") |
42 changes: 36 additions & 6 deletionscoderd/database/dbauthz/dbauthz.go
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -21,7 +21,6 @@ import ( | ||
| "github.com/coder/coder/v2/coderd/database/dbtime" | ||
| "github.com/coder/coder/v2/coderd/httpapi/httpapiconstraints" | ||
| "github.com/coder/coder/v2/coderd/httpmw/loggermw" | ||
| "github.com/coder/coder/v2/coderd/rbac" | ||
| "github.com/coder/coder/v2/coderd/rbac/policy" | ||
| "github.com/coder/coder/v2/coderd/rbac/rolestore" | ||
| @@ -150,6 +149,30 @@ func (q *querier) authorizeContext(ctx context.Context, action policy.Action, ob | ||
| return nil | ||
| } | ||
| // authorizePrebuiltWorkspace handles authorization for workspace resource types. | ||
| // prebuilt_workspaces are a subset of workspaces, currently limited to | ||
| // supporting delete operations. Therefore, if the action is delete or | ||
| // update and the workspace is a prebuild, a prebuilt-specific authorization | ||
| // is attempted first. If that fails, it falls back to normal workspace | ||
| // authorization. | ||
| // Note: Delete operations of workspaces requires both update and delete | ||
| // permissions. | ||
| func (q *querier) authorizePrebuiltWorkspace(ctx context.Context, action policy.Action, workspace database.Workspace) error { | ||
ssncferreira marked this conversation as resolved. Show resolvedHide resolvedUh oh!There was an error while loading.Please reload this page. | ||
| var prebuiltErr error | ||
| // Special handling for prebuilt_workspace deletion authorization check | ||
| if (action == policy.ActionUpdate || action == policy.ActionDelete) && workspace.IsPrebuild() { | ||
| // Try prebuilt-specific authorization first | ||
| if prebuiltErr = q.authorizeContext(ctx, action, workspace.AsPrebuild()); prebuiltErr == nil { | ||
| return nil | ||
| } | ||
| } | ||
| // Fallback to normal workspace authorization check | ||
| if err := q.authorizeContext(ctx, action, workspace); err != nil { | ||
| return xerrors.Errorf("authorize context: %w", errors.Join(prebuiltErr, err)) | ||
| } | ||
Comment on lines +163 to +172 There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. I think the normal workspace check is more likely to succeed then the prebuild. So it might be a slight optimization to flip these checks. But that will probably break some of the unit tests? No need to change this, just a thought. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. Good point, I had considered that optimization as well. I believe it might require some test updates, so I'd prefer to merge this PR and address the optimization in a follow-up PR. | ||
| return nil | ||
| } | ||
| type authContextKey struct{} | ||
| // ActorFromContext returns the authorization subject from the context. | ||
| @@ -399,7 +422,7 @@ var ( | ||
| subjectPrebuildsOrchestrator = rbac.Subject{ | ||
| Type: rbac.SubjectTypePrebuildsOrchestrator, | ||
| FriendlyName: "Prebuilds Orchestrator", | ||
| ID:database.PrebuildsSystemUserID.String(), | ||
| Roles: rbac.Roles([]rbac.Role{ | ||
| { | ||
| Identifier: rbac.RoleIdentifier{Name: "prebuilds-orchestrator"}, | ||
| @@ -412,6 +435,12 @@ var ( | ||
| policy.ActionCreate, policy.ActionDelete, policy.ActionRead, policy.ActionUpdate, | ||
| policy.ActionWorkspaceStart, policy.ActionWorkspaceStop, | ||
| }, | ||
| // PrebuiltWorkspaces are a subset of Workspaces. | ||
| // Explicitly setting PrebuiltWorkspace permissions for clarity. | ||
| // Note: even without PrebuiltWorkspace permissions, access is still granted via Workspace permissions. | ||
| rbac.ResourcePrebuiltWorkspace.Type: { | ||
| policy.ActionUpdate, policy.ActionDelete, | ||
| }, | ||
| // Should be able to add the prebuilds system user as a member to any organization that needs prebuilds. | ||
| rbac.ResourceOrganizationMember.Type: { | ||
| policy.ActionCreate, | ||
| @@ -3953,8 +3982,9 @@ func (q *querier) InsertWorkspaceBuild(ctx context.Context, arg database.InsertW | ||
| action = policy.ActionWorkspaceStop | ||
| } | ||
| // Special handling for prebuilt workspace deletion | ||
| if err := q.authorizePrebuiltWorkspace(ctx, action, w); err != nil { | ||
| return err | ||
| } | ||
| // If we're starting a workspace we need to check the template. | ||
| @@ -3993,8 +4023,8 @@ func (q *querier) InsertWorkspaceBuildParameters(ctx context.Context, arg databa | ||
| return err | ||
| } | ||
| // Special handling for prebuiltworkspace deletion | ||
| if err:= q.authorizePrebuiltWorkspace(ctx, policy.ActionUpdate, workspace); err!= nil { | ||
| return err | ||
| } | ||
Oops, something went wrong.
Uh oh!
There was an error while loading.Please reload this page.
Oops, something went wrong.
Uh oh!
There was an error while loading.Please reload this page.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.