- Notifications
You must be signed in to change notification settings - Fork928
chore: reorder prebuilt workspace authorization logic#18506
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Merged
Uh oh!
There was an error while loading.Please reload this page.
Merged
Changes from1 commit
Commits
Show all changes
6 commits Select commitHold shift + click to select a range
a4b2e8d chore: reorder prebuilt workspace authorization logic
ssncferreira471d3e8 chore: update error message
ssncferreira1f0e33a chore: improve error message for failed workspace and prebuilt author…
ssncferreira2c387ce refactor: simplify workspace type assertion
ssncferreira4b8775f Merge remote-tracking branch 'origin/main' into ssncferreira/chore-pr…
ssncferreiraf3f0183 refactor: extract PrebuiltWorkspaceResource interface for prebuilt RB…
ssncferreiraFile filter
Filter by extension
Conversations
Failed to load comments.
Loading
Uh oh!
There was an error while loading.Please reload this page.
Jump to
Jump to file
Failed to load files.
Loading
Uh oh!
There was an error while loading.Please reload this page.
Diff view
Diff view
There are no files selected for viewing
26 changes: 14 additions & 12 deletionscoderd/database/dbauthz/dbauthz.go
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -151,26 +151,28 @@ func (q *querier) authorizeContext(ctx context.Context, action policy.Action, ob | ||
| // authorizePrebuiltWorkspace handles authorization for workspace resource types. | ||
| // prebuilt_workspaces are a subset of workspaces, currently limited to | ||
| // supporting delete operations. This function first attempts normal workspace | ||
| // authorization. If that fails, the action is delete or update and the workspace | ||
| // is a prebuild, a prebuilt-specific authorization is attempted. | ||
| // Note: Delete operations of workspaces requires both update and delete | ||
| // permissions. | ||
| func (q *querier) authorizePrebuiltWorkspace(ctx context.Context, action policy.Action, workspace database.Workspace) error { | ||
| // Try default workspace authorization first | ||
| var workspaceErr error | ||
| if workspaceErr = q.authorizeContext(ctx, action, workspace); workspaceErr == nil { | ||
| return nil | ||
| } | ||
| // Special handling for prebuilt workspace deletion | ||
| if (action == policy.ActionUpdate || action == policy.ActionDelete) && workspace.IsPrebuild() { | ||
| var prebuiltErr error | ||
| if prebuiltErr = q.authorizeContext(ctx, action, workspace.AsPrebuild()); prebuiltErr == nil { | ||
| return nil | ||
| } | ||
| return xerrors.Errorf("authorize context: %w", errors.Join(workspaceErr, prebuiltErr)) | ||
ssncferreira marked this conversation as resolved. Show resolvedHide resolvedUh oh!There was an error while loading.Please reload this page. | ||
| } | ||
| return xerrors.Errorf("authorize context: %w", errors.Join(workspaceErr)) | ||
ssncferreira marked this conversation as resolved. Show resolvedHide resolvedUh oh!There was an error while loading.Please reload this page. | ||
| } | ||
| type authContextKey struct{} | ||
24 changes: 22 additions & 2 deletionscoderd/database/dbauthz/dbauthz_test.go
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -5590,7 +5590,17 @@ func (s *MethodTestSuite) TestAuthorizePrebuiltWorkspace() { | ||
| Reason: database.BuildReasonInitiator, | ||
| TemplateVersionID: tv.ID, | ||
| JobID: pj.ID, | ||
| }). | ||
| // Simulate a fallback authorization flow: | ||
| // - First, the default workspace authorization fails (simulated by returning an error). | ||
| // - Then, authorization is retried using the prebuilt workspace object, which succeeds. | ||
| // The test asserts that both authorization attempts occur in the correct order. | ||
| WithSuccessAuthorizer(func(ctx context.Context, subject rbac.Subject, action policy.Action, obj rbac.Object) error { | ||
| if obj.Type == rbac.ResourceWorkspace.Type { | ||
| return xerrors.Errorf("not authorized for workspace type") | ||
| } | ||
| return nil | ||
| }).Asserts(w, policy.ActionDelete, w.AsPrebuild(), policy.ActionDelete) | ||
ssncferreira marked this conversation as resolved. Show resolvedHide resolvedUh oh!There was an error while loading.Please reload this page. | ||
| })) | ||
| s.Run("PrebuildUpdate/InsertWorkspaceBuildParameters", s.Subtest(func(db database.Store, check *expects) { | ||
| u := dbgen.User(s.T(), db, database.User{}) | ||
| @@ -5619,6 +5629,16 @@ func (s *MethodTestSuite) TestAuthorizePrebuiltWorkspace() { | ||
| }) | ||
| check.Args(database.InsertWorkspaceBuildParametersParams{ | ||
| WorkspaceBuildID: wb.ID, | ||
| }). | ||
| // Simulate a fallback authorization flow: | ||
| // - First, the default workspace authorization fails (simulated by returning an error). | ||
| // - Then, authorization is retried using the prebuilt workspace object, which succeeds. | ||
| // The test asserts that both authorization attempts occur in the correct order. | ||
| WithSuccessAuthorizer(func(ctx context.Context, subject rbac.Subject, action policy.Action, obj rbac.Object) error { | ||
| if obj.Type == rbac.ResourceWorkspace.Type { | ||
| return xerrors.Errorf("not authorized for workspace type") | ||
| } | ||
| return nil | ||
| }).Asserts(w, policy.ActionUpdate, w.AsPrebuild(), policy.ActionUpdate) | ||
| })) | ||
| } | ||
13 changes: 6 additions & 7 deletionscoderd/workspacebuilds.go
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -393,17 +393,16 @@ func (api *API) postWorkspaceBuilds(rw http.ResponseWriter, r *http.Request) { | ||
| ctx, | ||
| tx, | ||
| func(action policy.Action, object rbac.Objecter) bool { | ||
| if auth := api.Authorize(r, action, object); auth { | ||
| return true | ||
| } | ||
| // Special handling for prebuilt workspace deletion | ||
| if object.RBACObject().Type == rbac.ResourceWorkspace.Type && action == policy.ActionDelete { | ||
| if workspaceObj, ok := object.(database.Workspace); ok && workspaceObj.IsPrebuild() { | ||
| return api.Authorize(r, action, workspaceObj.AsPrebuild()) | ||
Emyrk marked this conversation as resolved. Show resolvedHide resolvedUh oh!There was an error while loading.Please reload this page. | ||
| } | ||
| } | ||
| return false | ||
| }, | ||
| audit.WorkspaceBuildBaggageFromRequest(r), | ||
| ) | ||
12 changes: 5 additions & 7 deletionscoderd/wsbuilder/wsbuilder.go
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
Oops, something went wrong.
Uh oh!
There was an error while loading.Please reload this page.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.