chore: protect organization endpoints with license (#14001)

* chore: move multi-org endpoints into enterprise directory All multi-organization features are gated behind "premium" licenses. Enterprise licenses can no longer access organization CRUD.
2025-07-06 15:41:45 +00:00 · 2024-07-25 16:07:53 -05:00
parent 915f69080a
commit 7ea1a4c686
37 changed files with 2222 additions and 1678 deletions
--- a/enterprise/coderd/coderdenttest/coderdenttest.go
+++ b/enterprise/coderd/coderdenttest/coderdenttest.go
@ -7,15 +7,29 @@ import (
 	"crypto/tls"
 	"io"
 	"net/http"
+	"strings"
 	"testing"
 	"time"

+	"github.com/moby/moby/pkg/namesgenerator"
+	"golang.org/x/xerrors"
+
+	"cdr.dev/slog"
+	"cdr.dev/slog/sloggers/slogtest"
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbmem"
 	"github.com/coder/coder/v2/coderd/database/pubsub"
+	"github.com/coder/coder/v2/codersdk/drpc"
+	"github.com/coder/coder/v2/provisioner/echo"
+	"github.com/coder/coder/v2/provisionerd"
+	provisionerdproto "github.com/coder/coder/v2/provisionerd/proto"
+	"github.com/coder/coder/v2/provisionersdk"
+	sdkproto "github.com/coder/coder/v2/provisionersdk/proto"
+	"github.com/coder/coder/v2/testutil"

 	"github.com/golang-jwt/jwt/v4"
 	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

 	"github.com/coder/coder/v2/coderd/coderdtest"
@ -248,3 +262,95 @@ func GenerateLicense(t *testing.T, options LicenseOptions) string {
 type nopcloser struct{}

 func (nopcloser) Close() error { return nil }
+
+type CreateOrganizationOptions struct {
+	// IncludeProvisionerDaemon will spin up an external provisioner for the organization.
+	// This requires enterprise and the feature 'codersdk.FeatureExternalProvisionerDaemons'
+	IncludeProvisionerDaemon bool
+}
+
+func CreateOrganization(t *testing.T, client *codersdk.Client, opts CreateOrganizationOptions, mutators ...func(*codersdk.CreateOrganizationRequest)) codersdk.Organization {
+	ctx := testutil.Context(t, testutil.WaitMedium)
+	req := codersdk.CreateOrganizationRequest{
+		Name:        strings.ReplaceAll(strings.ToLower(namesgenerator.GetRandomName(0)), "_", "-"),
+		DisplayName: namesgenerator.GetRandomName(1),
+		Description: namesgenerator.GetRandomName(1),
+		Icon:        "",
+	}
+	for _, mutator := range mutators {
+		mutator(&req)
+	}
+
+	org, err := client.CreateOrganization(ctx, req)
+	require.NoError(t, err)
+
+	if opts.IncludeProvisionerDaemon {
+		closer := NewExternalProvisionerDaemon(t, client, org.ID, map[string]string{})
+		t.Cleanup(func() {
+			_ = closer.Close()
+		})
+	}
+
+	return org
+}
+
+func NewExternalProvisionerDaemon(t testing.TB, client *codersdk.Client, org uuid.UUID, tags map[string]string) io.Closer {
+	t.Helper()
+
+	// Without this check, the provisioner will silently fail.
+	entitlements, err := client.Entitlements(context.Background())
+	if err != nil {
+		// AGPL instances will throw this error. They cannot use external
+		// provisioners.
+		t.Errorf("external provisioners requires a license with entitlements. The client failed to fetch the entitlements, is this an enterprise instance of coderd?")
+		t.FailNow()
+		return nil
+	}
+
+	feature := entitlements.Features[codersdk.FeatureExternalProvisionerDaemons]
+	if !feature.Enabled || feature.Entitlement != codersdk.EntitlementEntitled {
+		require.NoError(t, xerrors.Errorf("external provisioner daemons require an entitled license"))
+		return nil
+	}
+
+	echoClient, echoServer := drpc.MemTransportPipe()
+	ctx, cancelFunc := context.WithCancel(context.Background())
+	serveDone := make(chan struct{})
+	t.Cleanup(func() {
+		_ = echoClient.Close()
+		_ = echoServer.Close()
+		cancelFunc()
+		<-serveDone
+	})
+	go func() {
+		defer close(serveDone)
+		err := echo.Serve(ctx, &provisionersdk.ServeOptions{
+			Listener:      echoServer,
+			WorkDirectory: t.TempDir(),
+		})
+		assert.NoError(t, err)
+	}()
+
+	daemon := provisionerd.New(func(ctx context.Context) (provisionerdproto.DRPCProvisionerDaemonClient, error) {
+		return client.ServeProvisionerDaemon(ctx, codersdk.ServeProvisionerDaemonRequest{
+			ID:           uuid.New(),
+			Name:         t.Name(),
+			Organization: org,
+			Provisioners: []codersdk.ProvisionerType{codersdk.ProvisionerTypeEcho},
+			Tags:         tags,
+		})
+	}, &provisionerd.Options{
+		Logger:              slogtest.Make(t, nil).Named("provisionerd").Leveled(slog.LevelDebug),
+		UpdateInterval:      250 * time.Millisecond,
+		ForceCancelInterval: 5 * time.Second,
+		Connector: provisionerd.LocalProvisioners{
+			string(database.ProvisionerTypeEcho): sdkproto.NewDRPCProvisionerClient(echoClient),
+		},
+	})
+	closer := coderdtest.NewProvisionerDaemonCloser(daemon)
+	t.Cleanup(func() {
+		_ = closer.Close()
+	})
+
+	return closer
+}