synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-13 21:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore: use system permission to prevent fetching all workspaces (#8843)

Browse Source 
* chore: use system permission to prevent fetching all workspaces
This commit is contained in:
Steven Masley
2023-08-01 12:26:22 -05:00
committed by GitHub
parent c575292ba6
commit 66649f97a8
3 changed files with 12 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
coderd/database/dbauthz/dbauthz.go
View File

@ -953,15 +953,10 @@ func (q *querier) GetLatestWorkspaceBuilds(ctx context.Context) ([]database.Work
} }
func (q *querier) GetLatestWorkspaceBuildsByWorkspaceIDs(ctx context.Context, ids []uuid.UUID) ([]database.WorkspaceBuild, error) { func (q *querier) GetLatestWorkspaceBuildsByWorkspaceIDs(ctx context.Context, ids []uuid.UUID) ([]database.WorkspaceBuild, error) {
// This is not ideal as not all builds will be returned if the workspace cannot be read. // This function is a system function until we implement a join for workspace builds.
// This should probably be handled differently? Maybe join workspace builds with workspace if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceSystem); err != nil {
// ownership properties and filter on that.
for _, id := range ids {
_, err := q.GetWorkspaceByID(ctx, id)
if err != nil {
return nil, err return nil, err
} }
}
return q.db.GetLatestWorkspaceBuildsByWorkspaceIDs(ctx, ids) return q.db.GetLatestWorkspaceBuildsByWorkspaceIDs(ctx, ids)
} }

10
coderd/database/dbauthz/dbauthz_test.go
View File

@ -1024,11 +1024,6 @@ func (s *MethodTestSuite) TestWorkspace() {
b := dbgen.WorkspaceBuild(s.T(), db, database.WorkspaceBuild{WorkspaceID: ws.ID}) b := dbgen.WorkspaceBuild(s.T(), db, database.WorkspaceBuild{WorkspaceID: ws.ID})
check.Args(ws.ID).Asserts(ws, rbac.ActionRead).Returns(b) check.Args(ws.ID).Asserts(ws, rbac.ActionRead).Returns(b)
})) }))
s.Run("GetLatestWorkspaceBuildsByWorkspaceIDs", s.Subtest(func(db database.Store, check *expects) {
ws := dbgen.Workspace(s.T(), db, database.Workspace{})
b := dbgen.WorkspaceBuild(s.T(), db, database.WorkspaceBuild{WorkspaceID: ws.ID})
check.Args([]uuid.UUID{ws.ID}).Asserts(ws, rbac.ActionRead).Returns(slice.New(b))
}))
s.Run("GetWorkspaceAgentByID", s.Subtest(func(db database.Store, check *expects) { s.Run("GetWorkspaceAgentByID", s.Subtest(func(db database.Store, check *expects) {
ws := dbgen.Workspace(s.T(), db, database.Workspace{}) ws := dbgen.Workspace(s.T(), db, database.Workspace{})
build := dbgen.WorkspaceBuild(s.T(), db, database.WorkspaceBuild{WorkspaceID: ws.ID, JobID: uuid.New()}) build := dbgen.WorkspaceBuild(s.T(), db, database.WorkspaceBuild{WorkspaceID: ws.ID, JobID: uuid.New()})
@ -1298,6 +1293,11 @@ func (s *MethodTestSuite) TestSystemFunctions() {
LoginType: database.LoginTypeGithub, LoginType: database.LoginTypeGithub,
}).Asserts(rbac.ResourceSystem, rbac.ActionUpdate).Returns(l) }).Asserts(rbac.ResourceSystem, rbac.ActionUpdate).Returns(l)
})) }))
s.Run("GetLatestWorkspaceBuildsByWorkspaceIDs", s.Subtest(func(db database.Store, check *expects) {
ws := dbgen.Workspace(s.T(), db, database.Workspace{})
b := dbgen.WorkspaceBuild(s.T(), db, database.WorkspaceBuild{WorkspaceID: ws.ID})
check.Args([]uuid.UUID{ws.ID}).Asserts(rbac.ResourceSystem, rbac.ActionRead).Returns(slice.New(b))
}))
s.Run("UpsertDefaultProxy", s.Subtest(func(db database.Store, check *expects) { s.Run("UpsertDefaultProxy", s.Subtest(func(db database.Store, check *expects) {
check.Args(database.UpsertDefaultProxyParams{}).Asserts(rbac.ResourceSystem, rbac.ActionUpdate).Returns() check.Args(database.UpsertDefaultProxyParams{}).Asserts(rbac.ResourceSystem, rbac.ActionUpdate).Returns()
})) }))

5
coderd/workspaces.go
View File

@ -17,6 +17,7 @@ import (
"cdr.dev/slog" "cdr.dev/slog"
"github.com/coder/coder/coderd/audit" "github.com/coder/coder/coderd/audit"
"github.com/coder/coder/coderd/database" "github.com/coder/coder/coderd/database"
"github.com/coder/coder/coderd/database/dbauthz"
"github.com/coder/coder/coderd/httpapi" "github.com/coder/coder/coderd/httpapi"
"github.com/coder/coder/coderd/httpmw" "github.com/coder/coder/coderd/httpmw"
"github.com/coder/coder/coderd/rbac" "github.com/coder/coder/coderd/rbac"
@ -1031,7 +1032,9 @@ func (api *API) workspaceData(ctx context.Context, workspaces []database.Workspa
return workspaceData{}, xerrors.Errorf("get templates: %w", err) return workspaceData{}, xerrors.Errorf("get templates: %w", err)
} }
builds, err := api.Database.GetLatestWorkspaceBuildsByWorkspaceIDs(ctx, workspaceIDs) // This query must be run as system restricted to be efficient.
// nolint:gocritic
builds, err := api.Database.GetLatestWorkspaceBuildsByWorkspaceIDs(dbauthz.AsSystemRestricted(ctx), workspaceIDs)
if err != nil && !errors.Is(err, sql.ErrNoRows) { if err != nil && !errors.Is(err, sql.ErrNoRows) {
return workspaceData{}, xerrors.Errorf("get workspace builds: %w", err) return workspaceData{}, xerrors.Errorf("get workspace builds: %w", err)
} }