feat: Add endpoint to get all workspaces a user can access (#1354)

This iterates through user organizations to get permitted
workspaces. This will allow admins to manage user workspaces!

coderd/coderd.go

@@ -258,6 +258,7 @@ func New(options *Options) (http.Handler, func()) {
 					})
 					r.Get("/gitsshkey", api.gitSSHKey)
 					r.Put("/gitsshkey", api.regenerateGitSSHKey)
+					r.Get("/workspaces", api.workspacesByOwner)
 				})
 			})
 		})

coderd/database/databasefake/databasefake.go

@@ -478,6 +478,28 @@ func (q *fakeQuerier) GetWorkspacesByOrganizationID(_ context.Context, req datab
 	return workspaces, nil
 }
 
+func (q *fakeQuerier) GetWorkspacesByOrganizationIDs(_ context.Context, req database.GetWorkspacesByOrganizationIDsParams) ([]database.Workspace, error) {
+	q.mutex.RLock()
+	defer q.mutex.RUnlock()
+
+	workspaces := make([]database.Workspace, 0)
+	for _, workspace := range q.workspaces {
+		for _, id := range req.Ids {
+			if workspace.ID != id {
+				continue
+			}
+			if workspace.Deleted != req.Deleted {
+				continue
+			}
+			workspaces = append(workspaces, workspace)
+		}
+	}
+	if len(workspaces) == 0 {
+		return nil, sql.ErrNoRows
+	}
+	return workspaces, nil
+}
+
 func (q *fakeQuerier) GetWorkspacesByOwnerID(_ context.Context, req database.GetWorkspacesByOwnerIDParams) ([]database.Workspace, error) {
 	q.mutex.RLock()
 	defer q.mutex.RUnlock()

coderd/database/querier.go

@@ -70,6 +70,7 @@ type querier interface {
 	GetWorkspaceResourceByID(ctx context.Context, id uuid.UUID) (WorkspaceResource, error)
 	GetWorkspaceResourcesByJobID(ctx context.Context, jobID uuid.UUID) ([]WorkspaceResource, error)
 	GetWorkspacesByOrganizationID(ctx context.Context, arg GetWorkspacesByOrganizationIDParams) ([]Workspace, error)
+	GetWorkspacesByOrganizationIDs(ctx context.Context, arg GetWorkspacesByOrganizationIDsParams) ([]Workspace, error)
 	GetWorkspacesByOwnerID(ctx context.Context, arg GetWorkspacesByOwnerIDParams) ([]Workspace, error)
 	GetWorkspacesByTemplateID(ctx context.Context, arg GetWorkspacesByTemplateIDParams) ([]Workspace, error)
 	InsertAPIKey(ctx context.Context, arg InsertAPIKeyParams) (APIKey, error)

coderd/database/queries.sql.go

@@ -3210,6 +3210,49 @@ func (q *sqlQuerier) GetWorkspacesByOrganizationID(ctx context.Context, arg GetW
 	return items, nil
 }
 
+const getWorkspacesByOrganizationIDs = `-- name: GetWorkspacesByOrganizationIDs :many
+SELECT id, created_at, updated_at, owner_id, organization_id, template_id, deleted, name, autostart_schedule, autostop_schedule FROM workspaces WHERE organization_id = ANY($1 :: uuid [ ]) AND deleted = $2
+`
+
+type GetWorkspacesByOrganizationIDsParams struct {
+	Ids     []uuid.UUID `db:"ids" json:"ids"`
+	Deleted bool        `db:"deleted" json:"deleted"`
+}
+
+func (q *sqlQuerier) GetWorkspacesByOrganizationIDs(ctx context.Context, arg GetWorkspacesByOrganizationIDsParams) ([]Workspace, error) {
+	rows, err := q.db.QueryContext(ctx, getWorkspacesByOrganizationIDs, pq.Array(arg.Ids), arg.Deleted)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []Workspace
+	for rows.Next() {
+		var i Workspace
+		if err := rows.Scan(
+			&i.ID,
+			&i.CreatedAt,
+			&i.UpdatedAt,
+			&i.OwnerID,
+			&i.OrganizationID,
+			&i.TemplateID,
+			&i.Deleted,
+			&i.Name,
+			&i.AutostartSchedule,
+			&i.AutostopSchedule,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Close(); err != nil {
+		return nil, err
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
 const getWorkspacesByOwnerID = `-- name: GetWorkspacesByOwnerID :many
 SELECT
 	id, created_at, updated_at, owner_id, organization_id, template_id, deleted, name, autostart_schedule, autostop_schedule

coderd/database/queries/workspaces.sql

@@ -11,6 +11,9 @@ LIMIT
 -- name: GetWorkspacesByOrganizationID :many
 SELECT * FROM workspaces WHERE organization_id = $1 AND deleted = $2;
 
+-- name: GetWorkspacesByOrganizationIDs :many
+SELECT * FROM workspaces WHERE organization_id = ANY(@ids :: uuid [ ]) AND deleted = @deleted;
+
 -- name: GetWorkspacesByTemplateID :many
 SELECT
 	*

coderd/users.go

@@ -806,6 +806,51 @@ func (api *api) createUser(ctx context.Context, req codersdk.CreateUserRequest)
 	})
 }
 
+func (api *api) workspacesByUser(rw http.ResponseWriter, r *http.Request) {
+	user := httpmw.UserParam(r)
+	roles := httpmw.UserRoles(r)
+
+	organizations, err := api.Database.GetOrganizationsByUserID(r.Context(), user.ID)
+	if err != nil {
+		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
+			Message: fmt.Sprintf("get organizations: %s", err),
+		})
+		return
+	}
+	organizationIDs := make([]uuid.UUID, 0)
+	for _, organization := range organizations {
+		err = api.Authorizer.AuthorizeByRoleName(r.Context(), user.ID.String(), roles.Roles, rbac.ActionRead, rbac.ResourceWorkspace.All().InOrg(organization.ID))
+		if errors.Is(err, &rbac.UnauthorizedError{}) {
+			continue
+		}
+		if err != nil {
+			httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
+				Message: fmt.Sprintf("authorize: %s", err),
+			})
+			return
+		}
+		organizationIDs = append(organizationIDs, organization.ID)
+	}
+
+	workspaces, err := api.Database.GetWorkspacesByOrganizationIDs(r.Context(), database.GetWorkspacesByOrganizationIDsParams{
+		Ids: organizationIDs,
+	})
+	if err != nil {
+		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
+			Message: fmt.Sprintf("get workspaces for organizations: %s", err),
+		})
+		return
+	}
+	apiWorkspaces, err := convertWorkspaces(r.Context(), api.Database, workspaces)
+	if err != nil {
+		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
+			Message: fmt.Sprintf("convert workspaces: %s", err),
+		})
+		return
+	}
+	httpapi.Write(rw, http.StatusOK, apiWorkspaces)
+}
+
 func convertUser(user database.User, organizationIDs []uuid.UUID) codersdk.User {
 	convertedUser := codersdk.User{
 		ID:              user.ID,

coderd/users_test.go

@@ -662,6 +662,51 @@ func TestPostAPIKey(t *testing.T) {
 	})
 }
 
+func TestWorkspacesByUser(t *testing.T) {
+	t.Parallel()
+	t.Run("Empty", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		_ = coderdtest.CreateFirstUser(t, client)
+		workspaces, err := client.WorkspacesByUser(context.Background(), codersdk.Me)
+		require.NoError(t, err)
+		require.Len(t, workspaces, 0)
+	})
+	t.Run("Access", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		user := coderdtest.CreateFirstUser(t, client)
+		coderdtest.NewProvisionerDaemon(t, client)
+		newUser, err := client.CreateUser(context.Background(), codersdk.CreateUserRequest{
+			Email:          "test@coder.com",
+			Username:       "someone",
+			Password:       "password",
+			OrganizationID: user.OrganizationID,
+		})
+		require.NoError(t, err)
+		auth, err := client.LoginWithPassword(context.Background(), codersdk.LoginWithPasswordRequest{
+			Email:    newUser.Email,
+			Password: "password",
+		})
+		require.NoError(t, err)
+
+		newUserClient := codersdk.New(client.URL)
+		newUserClient.SessionToken = auth.SessionToken
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+
+		workspaces, err := newUserClient.WorkspacesByUser(context.Background(), codersdk.Me)
+		require.NoError(t, err)
+		require.Len(t, workspaces, 0)
+
+		workspaces, err = client.WorkspacesByUser(context.Background(), codersdk.Me)
+		require.NoError(t, err)
+		require.Len(t, workspaces, 1)
+	})
+}
+
 // TestPaginatedUsers creates a list of users, then tries to paginate through
 // them using different page sizes.
 func TestPaginatedUsers(t *testing.T) {