
Commit 0109765

committed
remove auth, filter by owner id
1 parent 6b7b8ea commit 0109765


10 files changed

+88
-188
lines changed


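--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -2719,12 +2719,8 @@ func (q *querier) GetWorkspaces(ctx context.Context, arg database.GetWorkspacesP
 	return q.db.GetAuthorizedWorkspaces(ctx, arg, prep)
 }
 
-func (q *querier) GetWorkspacesAndAgents(ctx context.Context) ([]database.GetWorkspacesAndAgentsRow, error) {
-	prep, err := prepareSQLFilter(ctx, q.auth, policy.ActionRead, rbac.ResourceWorkspace.Type)
-	if err != nil {
-		return nil, xerrors.Errorf("(dev error) prepare sql filter: %w", err)
-	}
-	return q.db.GetAuthorizedWorkspacesAndAgents(ctx, prep)
+func (q *querier) GetWorkspacesAndAgentsByOwnerID(ctx context.Context, ownerID uuid.UUID) ([]database.GetWorkspacesAndAgentsByOwnerIDRow, error) {
+	return q.db.GetWorkspacesAndAgentsByOwnerID(ctx, ownerID)
 }
 
 func (q *querier) GetWorkspacesEligibleForTransition(ctx context.Context, now time.Time) ([]database.Workspace, error) {
@@ -4172,10 +4168,6 @@ func (q *querier) GetAuthorizedWorkspaces(ctx context.Context, arg database.GetW
 	return q.GetWorkspaces(ctx, arg)
 }
 
-func (q *querier) GetAuthorizedWorkspacesAndAgents(ctx context.Context, _ rbac.PreparedAuthorized) ([]database.GetWorkspacesAndAgentsRow, error) {
-	return q.GetWorkspacesAndAgents(ctx)
-}
-
 // GetAuthorizedUsers is not required for dbauthz since GetUsers is already
 // authenticated.
 func (q *querier) GetAuthorizedUsers(ctx context.Context, arg database.GetUsersParams, _ rbac.PreparedAuthorized) ([]database.GetUsersRow, error) {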
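Review bot: GetWorkspacesAndAgentsByOwnerID in the first hunk reaches q.db with no RBAC check at all — it neither builds a prepared SQL filter like the GetWorkspaces path directly above it nor verifies that the actor may read workspaces owned by ownerID, so any code path that reaches this dbauthz method can enumerate another user's workspaces and agent names just by supplying their UUID. The commit message says the intent is to filter by owner ID, but in this package that should be in addition to authorization, not a replacement for it; the deleted method at least ran `prepareSQLFilter(ctx, q.auth, policy.ActionRead, rbac.ResourceWorkspace.Type)` before delegating. Either keep that filter and thread `prep` through to the store method alongside ownerID, or, if the package has a per-object authorize helper, check read access on a workspace resource scoped to ownerID before the delegating call. At minimum the method needs a comment such as `// GetWorkspacesAndAgentsByOwnerID performs no authorization; callers must pass only the authenticated actor's own ID.` so the gap is explicit. Whether the HTTP-layer caller already enforces that is not visible in this commit.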

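--- a/coderd/database/dbauthz/dbauthz_test.go
+++ b/coderd/database/dbauthz/dbauthz_test.go
@@ -1470,13 +1470,13 @@ func (s *MethodTestSuite) TestWorkspace() {
 		// No asserts here because SQLFilter.
 		check.Args(database.GetWorkspacesParams{}, emptyPreparedAuthorized{}).Asserts()
 	}))
-	s.Run("GetWorkspacesAndAgents", s.Subtest(func(db database.Store, check *expects) {
-		// No asserts here because SQLFilter.
-		check.Args().Asserts()
-	}))
-	s.Run("GetAuthorizedWorkspacesAndAgents", s.Subtest(func(db database.Store, check *expects) {
-		// No asserts here because SQLFilter.
-		check.Args(emptyPreparedAuthorized{}).Asserts()
+	s.Run("GetWorkspacesAndAgentsByOwnerID", s.Subtest(func(db database.Store, check *expects) {
+		ws := dbgen.Workspace(s.T(), db, database.Workspace{})
+		build := dbgen.WorkspaceBuild(s.T(), db, database.WorkspaceBuild{WorkspaceID: ws.ID, JobID: uuid.New()})
+		_ = dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{ID: build.JobID, Type: database.ProvisionerJobTypeWorkspaceBuild})
+		res := dbgen.WorkspaceResource(s.T(), db, database.WorkspaceResource{JobID: build.JobID})
+		_ = dbgen.WorkspaceAgent(s.T(), db, database.WorkspaceAgent{ResourceID: res.ID})
+		check.Args(ws.OwnerID).Asserts()
 	}))
 	s.Run("GetLatestWorkspaceBuildByWorkspaceID", s.Subtest(func(db database.Store, check *expects) {
 		ws := dbgen.Workspace(s.T(), db, database.Workspace{})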
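Review bot: The new GetWorkspacesAndAgentsByOwnerID subtest ends with a bare `check.Args(ws.OwnerID).Asserts()` and no explanation, whereas both subtests it replaces carried `// No asserts here because SQLFilter.` to justify the absence of RBAC expectations. That justification no longer applies — the dbauthz method in this commit delegates to the store without a SQL filter — so an empty Asserts() here quietly records that the method performs no authorization check. Either add a comment stating why no authorization is asserted for this method, or, once the dbauthz method does authorize, assert the expected read on the workspace's RBAC object in whatever form this suite's Asserts helper takes for an object/action pair. The enclosing TestWorkspace method starts and ends outside this hunk.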

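--- a/coderd/database/dbmem/dbmem.go
+++ b/coderd/database/dbmem/dbmem.go
@@ -6794,9 +6794,59 @@ func (q *FakeQuerier) GetWorkspaces(ctx context.Context, arg database.GetWorkspa
 	return workspaceRows, err
 }
 
-func (q *FakeQuerier) GetWorkspacesAndAgents(ctx context.Context) ([]database.GetWorkspacesAndAgentsRow, error) {
-	// No auth filter.
-	return q.GetAuthorizedWorkspacesAndAgents(ctx, nil)
+func (q *FakeQuerier) GetWorkspacesAndAgentsByOwnerID(ctx context.Context, ownerID uuid.UUID) ([]database.GetWorkspacesAndAgentsByOwnerIDRow, error) {
+	q.mutex.RLock()
+	defer q.mutex.RUnlock()
+
+	workspaces := make([]database.Workspace, 0)
+	for _, workspace := range q.workspaces {
+		if workspace.OwnerID == ownerID {
+			workspaces = append(workspaces, workspace)
+		}
+	}
+
+	out := make([]database.GetWorkspacesAndAgentsByOwnerIDRow, 0, len(workspaces))
+	for _, w := range workspaces {
+		// these always exist
+		build, err := q.getLatestWorkspaceBuildByWorkspaceIDNoLock(ctx, w.ID)
+		if err != nil {
+			return nil, xerrors.Errorf("get latest build: %w", err)
+		}
+
+		job, err := q.getProvisionerJobByIDNoLock(ctx, build.JobID)
+		if err != nil {
+			return nil, xerrors.Errorf("get provisioner job: %w", err)
+		}
+
+		outAgents := make([]database.AgentIDNamePair, 0)
+		resources, err := q.getWorkspaceResourcesByJobIDNoLock(ctx, job.ID)
+		if err != nil {
+			return nil, xerrors.Errorf("get workspace resources: %w", err)
+		}
+		if len(resources) > 0 {
+			agents, err := q.getWorkspaceAgentsByResourceIDsNoLock(ctx, []uuid.UUID{resources[0].ID})
+			if err != nil {
+				return nil, xerrors.Errorf("get workspace agents: %w", err)
+			}
+			for _, a := range agents {
+				outAgents = append(outAgents, database.AgentIDNamePair{
+					ID: a.ID,
+					Name: a.Name,
+				})
+			}
+		}
+
+		out = append(out, database.GetWorkspacesAndAgentsByOwnerIDRow{
+			ID: w.ID,
+			Name: w.Name,
+			OwnerID: w.OwnerID,
+			JobStatus: job.JobStatus,
+			Transition: build.Transition,
+			Agents: outAgents,
+		})
+	}
+
+	return out, nil
 }
 
 func (q *FakeQuerier) GetWorkspacesEligibleForTransition(ctx context.Context, now time.Time) ([]database.Workspace, error) {
@@ -11178,68 +11228,6 @@ func (q *FakeQuerier) GetAuthorizedWorkspaces(ctx context.Context, arg database.
 	return q.convertToWorkspaceRowsNoLock(ctx, workspaces, int64(beforePageCount), arg.WithSummary), nil
 }
 
-func (q *FakeQuerier) GetAuthorizedWorkspacesAndAgents(ctx context.Context, prepared rbac.PreparedAuthorized) ([]database.GetWorkspacesAndAgentsRow, error) {
-	q.mutex.RLock()
-	defer q.mutex.RUnlock()
-
-	if prepared != nil {
-		// Call this to match the same function calls as the SQL implementation.
-		_, err := prepared.CompileToSQL(ctx, rbac.ConfigWithoutACL())
-		if err != nil {
-			return nil, err
-		}
-	}
-	workspaces := make([]database.Workspace, 0)
-	for _, workspace := range q.workspaces {
-		if prepared != nil && prepared.Authorize(ctx, workspace.RBACObject()) == nil {
-			workspaces = append(workspaces, workspace)
-		}
-	}
-
-	out := make([]database.GetWorkspacesAndAgentsRow, 0, len(workspaces))
-	for _, w := range workspaces {
-		// these always exist
-		build, err := q.getLatestWorkspaceBuildByWorkspaceIDNoLock(ctx, w.ID)
-		if err != nil {
-			return nil, xerrors.Errorf("get latest build: %w", err)
-		}
-
-		job, err := q.getProvisionerJobByIDNoLock(ctx, build.JobID)
-		if err != nil {
-			return nil, xerrors.Errorf("get provisioner job: %w", err)
-		}
-
-		outAgents := make([]database.AgentIDNamePair, 0)
-		resources, err := q.getWorkspaceResourcesByJobIDNoLock(ctx, job.ID)
-		if err != nil {
-			return nil, xerrors.Errorf("get workspace resources: %w", err)
-		}
-		if len(resources) > 0 {
-			agents, err := q.getWorkspaceAgentsByResourceIDsNoLock(ctx, []uuid.UUID{resources[0].ID})
-			if err != nil {
-				return nil, xerrors.Errorf("get workspace agents: %w", err)
-			}
-			for _, a := range agents {
-				outAgents = append(outAgents, database.AgentIDNamePair{
-					ID: a.ID,
-					Name: a.Name,
-				})
-			}
-		}
-
-		out = append(out, database.GetWorkspacesAndAgentsRow{
-			ID: w.ID,
-			Name: w.Name,
-			OwnerID: w.OwnerID,
-			JobStatus: job.JobStatus,
-			Transition: build.Transition,
-			Agents: outAgents,
-		})
-	}
-
-	return out, nil
-}
-
 func (q *FakeQuerier) GetAuthorizedUsers(ctx context.Context, arg database.GetUsersParams, prepared rbac.PreparedAuthorized) ([]database.GetUsersRow, error) {
 	if err := validateDatabaseType(arg); err != nil {
 		return nil, err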
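Review bot: In the new GetWorkspacesAndAgentsByOwnerID, the agent lookup `q.getWorkspaceAgentsByResourceIDsNoLock(ctx, []uuid.UUID{resources[0].ID})` only collects agents attached to the first resource of the latest build, so a workspace whose agents sit on a later resource is reported with an empty Agents list. The loop is carried over verbatim from the deleted GetAuthorizedWorkspacesAndAgents, but it is now the fake's contract for a method that no longer has an authorization filter masking the result, and the SQL query it mirrors (not in this commit) presumably aggregates agents over every resource of the job. Passing all resource IDs in one call keeps the fake aligned with that; the `// these always exist` comment above the build lookup is also misleading given the error returns directly under it and would read better as `// a workspace always has at least one build; treat absence as a store inconsistency`.
```go
		resourceIDs := make([]uuid.UUID, 0, len(resources))
		for _, r := range resources {
			resourceIDs = append(resourceIDs, r.ID)
		}
		if len(resourceIDs) > 0 {
			agents, err := q.getWorkspaceAgentsByResourceIDsNoLock(ctx, resourceIDs)
			// … unchanged: error check and AgentIDNamePair append …
		}
```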

coderd/database/dbmetrics/dbmetrics.go

Lines changed: 3 additions & 10 deletions

coderd/database/dbmock/dbmock.go

Lines changed: 7 additions & 22 deletions

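--- a/coderd/database/modelqueries.go
+++ b/coderd/database/modelqueries.go
@@ -221,7 +221,6 @@ func (q *sqlQuerier) GetTemplateGroupRoles(ctx context.Context, id uuid.UUID) ([
 
 type workspaceQuerier interface {
 	GetAuthorizedWorkspaces(ctx context.Context, arg GetWorkspacesParams, prepared rbac.PreparedAuthorized) ([]GetWorkspacesRow, error)
-	GetAuthorizedWorkspacesAndAgents(ctx context.Context, prepared rbac.PreparedAuthorized) ([]GetWorkspacesAndAgentsRow, error)
 }
 
 // GetAuthorizedWorkspaces returns all workspaces that the user is authorized to access.
@@ -313,46 +312,6 @@ func (q *sqlQuerier) GetAuthorizedWorkspaces(ctx context.Context, arg GetWorkspa
 	return items, nil
 }
 
-func (q *sqlQuerier) GetAuthorizedWorkspacesAndAgents(ctx context.Context, prepared rbac.PreparedAuthorized) ([]GetWorkspacesAndAgentsRow, error) {
-	authorizedFilter, err := prepared.CompileToSQL(ctx, rbac.ConfigWorkspaces())
-	if err != nil {
-		return nil, xerrors.Errorf("compile authorized filter: %w", err)
-	}
-	filtered, err := insertAuthorizedFilter(getWorkspacesAndAgents, fmt.Sprintf(" WHERE %s", authorizedFilter))
-	if err != nil {
-		return nil, xerrors.Errorf("insert authorized filter: %w", err)
-	}
-
-	query := fmt.Sprintf("-- name: GetAuthorizedWorkspaces :many\n%s", filtered)
-	rows, err := q.db.QueryContext(ctx, query)
-	if err != nil {
-		return nil, err
-	}
-	defer rows.Close()
-	var items []GetWorkspacesAndAgentsRow
-	for rows.Next() {
-		var i GetWorkspacesAndAgentsRow
-		if err := rows.Scan(
-			&i.ID,
-			&i.Name,
-			&i.OwnerID,
-			&i.JobStatus,
-			&i.Transition,
-			pq.Array(&i.Agents),
-		); err != nil {
-			return nil, err
-		}
-		items = append(items, i)
-	}
-	if err := rows.Close(); err != nil {
-		return nil, err
-	}
-	if err := rows.Err(); err != nil {
-		return nil, err
-	}
-	return items, nil
-}
-
 type userQuerier interface {
 	GetAuthorizedUsers(ctx context.Context, arg GetUsersParams, prepared rbac.PreparedAuthorized) ([]GetUsersRow, error)
 }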

coderd/database/querier.go

Lines changed: 1 addition & 1 deletion

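--- a/coderd/database/querier_test.go
+++ b/coderd/database/querier_test.go
@@ -24,9 +24,7 @@ import (
 	"github.com/coder/coder/v2/coderd/database/dbtestutil"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/database/migrations"
-	"github.com/coder/coder/v2/coderd/httpmw"
 	"github.com/coder/coder/v2/coderd/rbac"
-	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/testutil"
 )
 
@@ -614,7 +612,7 @@ func TestGetWorkspaceAgentUsageStatsAndLabels(t *testing.T) {
 	})
 }
 
-func TestGetAuthorizedWorkspacesAndAgents(t *testing.T) {
+func TestGetWorkspacesAndAgentsByOwnerID(t *testing.T) {
 	t.Parallel()
 	if testing.Short() {
 		t.SkipNow()
@@ -630,7 +628,6 @@ func TestGetAuthorizedWorkspacesAndAgents(t *testing.T) {
 	owner := dbgen.User(t, db, database.User{
 		RBACRoles: []string{rbac.RoleOwner().String()},
 	})
-	user := dbgen.User(t, db, database.User{})
 	tpl := dbgen.Template(t, db, database.Template{
 		OrganizationID: org.ID,
 		CreatedBy: owner.ID,
@@ -669,23 +666,7 @@ func TestGetAuthorizedWorkspacesAndAgents(t *testing.T) {
 		CreateAgent: false,
 	})
 
-	authorizer := rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry())
-
-	userSubject, _, err := httpmw.UserRBACSubject(ctx, db, user.ID, rbac.ExpandableScope(rbac.ScopeAll))
-	require.NoError(t, err)
-	preparedUser, err := authorizer.Prepare(ctx, userSubject, policy.ActionRead, rbac.ResourceWorkspace.Type)
-	require.NoError(t, err)
-	userCtx := dbauthz.As(ctx, userSubject)
-	userRows, err := db.GetAuthorizedWorkspacesAndAgents(userCtx, preparedUser)
-	require.NoError(t, err)
-	require.Len(t, userRows, 0)
-
-	ownerSubject, _, err := httpmw.UserRBACSubject(ctx, db, owner.ID, rbac.ExpandableScope(rbac.ScopeAll))
-	require.NoError(t, err)
-	preparedOwner, err := authorizer.Prepare(ctx, ownerSubject, policy.ActionRead, rbac.ResourceWorkspace.Type)
-	require.NoError(t, err)
-	ownerCtx := dbauthz.As(ctx, ownerSubject)
-	ownerRows, err := db.GetAuthorizedWorkspacesAndAgents(ownerCtx, preparedOwner)
+	ownerRows, err := db.GetWorkspacesAndAgentsByOwnerID(ctx, owner.ID)
 	require.NoError(t, err)
 	require.Len(t, ownerRows, 4)
 	for _, row := range ownerRows {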
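Review bot: After the last hunk the test only asserts that owner.ID yields 4 rows; the removed block also proved that a second user saw zero rows, and nothing replaces that negative case now that the `user` fixture is gone, so a store implementation that ignored ownerID and returned every workspace would still pass. Since the ownerID filter is now the only thing scoping this query, it deserves a direct check: create a workspace for a second user earlier in the test, then add `otherRows, err := db.GetWorkspacesAndAgentsByOwnerID(ctx, other.ID)` / `require.NoError(t, err)` / `require.Len(t, otherRows, 1)` next to the owner assertion, and assert `row.OwnerID == owner.ID` inside the existing loop. The enclosing TestGetWorkspacesAndAgentsByOwnerID starts before and ends after this hunk.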
