feat: RBAC provisionerdaemons and parameters (#1755)

* chore: Remove org_id from provisionerdaemons
2025-07-03 16:13:58 +00:00 · 2022-05-26 11:20:54 -05:00
parent 104d07f659
commit c04d045279
18 changed files with 184 additions and 63 deletions
--- a/coderd/coderd_test.go
+++ b/coderd/coderd_test.go
@ -6,6 +6,7 @@ import (
 	"net/http"
 	"strings"
 	"testing"
+	"time"

 	"github.com/go-chi/chi/v5"
 	"github.com/stretchr/testify/assert"
@ -45,9 +46,29 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 		IncludeProvisionerD: true,
 	})
 	admin := coderdtest.CreateFirstUser(t, client)
-	organization, err := client.Organization(context.Background(), admin.OrganizationID)
+	// The provisioner will call to coderd and register itself. This is async,
+	// so we wait for it to occur.
+	require.Eventually(t, func() bool {
+		provisionerds, err := client.ProvisionerDaemons(ctx)
+		require.NoError(t, err)
+		return len(provisionerds) > 0
+	}, time.Second*10, time.Second)
+
+	provisionerds, err := client.ProvisionerDaemons(ctx)
+	require.NoError(t, err, "fetch provisioners")
+	require.Len(t, provisionerds, 1)
+
+	organization, err := client.Organization(ctx, admin.OrganizationID)
 	require.NoError(t, err, "fetch org")

+	organizationParam, err := client.CreateParameter(ctx, codersdk.ParameterOrganization, organization.ID, codersdk.CreateParameterRequest{
+		Name:              "test-param",
+		SourceValue:       "hello world",
+		SourceScheme:      codersdk.ParameterSourceSchemeData,
+		DestinationScheme: codersdk.ParameterDestinationSchemeProvisionerVariable,
+	})
+	require.NoError(t, err, "create org param")
+
 	// Setup some data in the database.
 	version := coderdtest.CreateTemplateVersion(t, client, admin.OrganizationID, &echo.Responses{
 		Parse: echo.ParseComplete,
@ -118,18 +139,10 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 		"GET:/api/v2/workspaceagents/{workspaceagent}/turn":       {NoAuthorize: true},

 		// TODO: @emyrk these need to be fixed by adding authorize calls
-		"GET:/api/v2/organizations/{organization}/provisionerdaemons":       {NoAuthorize: true},
-		"GET:/api/v2/organizations/{organization}/templates/{templatename}": {NoAuthorize: true},
-		"POST:/api/v2/organizations/{organization}/templateversions":        {NoAuthorize: true},
-		"POST:/api/v2/organizations/{organization}/workspaces":              {NoAuthorize: true},
-
-		"POST:/api/v2/parameters/{scope}/{id}":          {NoAuthorize: true},
-		"GET:/api/v2/parameters/{scope}/{id}":           {NoAuthorize: true},
-		"DELETE:/api/v2/parameters/{scope}/{id}/{name}": {NoAuthorize: true},
-
-		"POST:/api/v2/users/{user}/organizations": {NoAuthorize: true},
-
-		"GET:/api/v2/workspaces/{workspace}/watch": {NoAuthorize: true},
+		"POST:/api/v2/organizations/{organization}/workspaces":       {NoAuthorize: true},
+		"POST:/api/v2/users/{user}/organizations":                    {NoAuthorize: true},
+		"GET:/api/v2/workspaces/{workspace}/watch":                   {NoAuthorize: true},
+		"POST:/api/v2/organizations/{organization}/templateversions": {NoAuthorize: true},

 		// These endpoints have more assertions. This is good, add more endpoints to assert if you can!
 		"GET:/api/v2/organizations/{organization}":                   {AssertObject: rbac.ResourceOrganization.InOrg(admin.OrganizationID)},
@ -251,6 +264,27 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 			AssertAction: rbac.ActionRead,
 			AssertObject: rbac.ResourceTemplate.InOrg(template.OrganizationID).WithID(template.ID.String()),
 		},
+		"GET:/api/v2/provisionerdaemons": {
+			StatusCode:   http.StatusOK,
+			AssertObject: rbac.ResourceProvisionerDaemon.WithID(provisionerds[0].ID.String()),
+		},
+
+		"POST:/api/v2/parameters/{scope}/{id}": {
+			AssertAction: rbac.ActionUpdate,
+			AssertObject: rbac.ResourceOrganization.WithID(organization.ID.String()),
+		},
+		"GET:/api/v2/parameters/{scope}/{id}": {
+			AssertAction: rbac.ActionRead,
+			AssertObject: rbac.ResourceOrganization.WithID(organization.ID.String()),
+		},
+		"DELETE:/api/v2/parameters/{scope}/{id}/{name}": {
+			AssertAction: rbac.ActionUpdate,
+			AssertObject: rbac.ResourceOrganization.WithID(organization.ID.String()),
+		},
+		"GET:/api/v2/organizations/{organization}/templates/{templatename}": {
+			AssertAction: rbac.ActionRead,
+			AssertObject: rbac.ResourceTemplate.InOrg(template.OrganizationID).WithID(template.ID.String()),
+		},

 		// These endpoints need payloads to get to the auth part. Payloads will be required
 		"PUT:/api/v2/users/{user}/roles":                                {StatusCode: http.StatusBadRequest, NoAuthorize: true},
@ -292,6 +326,10 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 			route = strings.ReplaceAll(route, "{hash}", file.Hash)
 			route = strings.ReplaceAll(route, "{workspaceresource}", workspaceResources[0].ID.String())
 			route = strings.ReplaceAll(route, "{templateversion}", version.ID.String())
+			route = strings.ReplaceAll(route, "{templatename}", template.Name)
+			// Only checking org scoped params here
+			route = strings.ReplaceAll(route, "{scope}", string(organizationParam.Scope))
+			route = strings.ReplaceAll(route, "{id}", organizationParam.ScopeID.String())

 			resp, err := client.Request(context.Background(), method, route, nil)
 			require.NoError(t, err, "do req")