mirror of
https://github.com/coder/coder.git
synced 2025-07-09 11:45:56 +00:00
chore: implement 'use' verb to template object, read
has less scope now (#16075)
Template `use` is now a verb. - Template admins can `use` all templates (org template admins same in org) - Members get the `use` perm from the `everyone` group in the `group_acl`.
This commit is contained in:
@ -16,6 +16,7 @@ import (
|
||||
"github.com/coder/coder/v2/coderd/httpapi"
|
||||
"github.com/coder/coder/v2/coderd/httpmw"
|
||||
"github.com/coder/coder/v2/coderd/rbac/policy"
|
||||
"github.com/coder/coder/v2/coderd/util/slice"
|
||||
"github.com/coder/coder/v2/codersdk"
|
||||
)
|
||||
|
||||
@ -222,7 +223,7 @@ func (api *API) patchTemplateACL(rw http.ResponseWriter, r *http.Request) {
|
||||
delete(template.UserACL, id)
|
||||
continue
|
||||
}
|
||||
template.UserACL[id] = convertSDKTemplateRole(role)
|
||||
template.UserACL[id] = db2sdk.TemplateRoleActions(role)
|
||||
}
|
||||
}
|
||||
|
||||
@ -234,7 +235,7 @@ func (api *API) patchTemplateACL(rw http.ResponseWriter, r *http.Request) {
|
||||
delete(template.GroupACL, id)
|
||||
continue
|
||||
}
|
||||
template.GroupACL[id] = convertSDKTemplateRole(role)
|
||||
template.GroupACL[id] = db2sdk.TemplateRoleActions(role)
|
||||
}
|
||||
}
|
||||
|
||||
@ -316,8 +317,8 @@ func convertTemplateUsers(tus []database.TemplateUser, orgIDsByUserIDs map[uuid.
|
||||
}
|
||||
|
||||
func validateTemplateRole(role codersdk.TemplateRole) error {
|
||||
actions := convertSDKTemplateRole(role)
|
||||
if actions == nil && role != codersdk.TemplateRoleDeleted {
|
||||
actions := db2sdk.TemplateRoleActions(role)
|
||||
if len(actions) == 0 && role != codersdk.TemplateRoleDeleted {
|
||||
return xerrors.Errorf("role %q is not a valid Template role", role)
|
||||
}
|
||||
|
||||
@ -326,7 +327,7 @@ func validateTemplateRole(role codersdk.TemplateRole) error {
|
||||
|
||||
func convertToTemplateRole(actions []policy.Action) codersdk.TemplateRole {
|
||||
switch {
|
||||
case len(actions) == 1 && actions[0] == policy.ActionRead:
|
||||
case len(actions) == 2 && slice.SameElements(actions, []policy.Action{policy.ActionUse, policy.ActionRead}):
|
||||
return codersdk.TemplateRoleUse
|
||||
case len(actions) == 1 && actions[0] == policy.WildcardSymbol:
|
||||
return codersdk.TemplateRoleAdmin
|
||||
@ -335,17 +336,6 @@ func convertToTemplateRole(actions []policy.Action) codersdk.TemplateRole {
|
||||
return ""
|
||||
}
|
||||
|
||||
func convertSDKTemplateRole(role codersdk.TemplateRole) []policy.Action {
|
||||
switch role {
|
||||
case codersdk.TemplateRoleAdmin:
|
||||
return []policy.Action{policy.WildcardSymbol}
|
||||
case codersdk.TemplateRoleUse:
|
||||
return []policy.Action{policy.ActionRead}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// TODO move to api.RequireFeatureMW when we are OK with changing the behavior.
|
||||
func (api *API) templateRBACEnabledMW(next http.Handler) http.Handler {
|
||||
return api.RequireFeatureMW(codersdk.FeatureTemplateRBAC)(next)
|
||||
|
@ -193,6 +193,53 @@ func TestCreateWorkspace(t *testing.T) {
|
||||
require.Equal(t, http.StatusBadRequest, apiErr.StatusCode())
|
||||
require.Contains(t, apiErr.Message, "doesn't exist")
|
||||
})
|
||||
|
||||
// Auditors cannot "use" templates, they can only read them.
|
||||
t.Run("Auditor", func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
owner, first := coderdenttest.New(t, &coderdenttest.Options{
|
||||
Options: &coderdtest.Options{
|
||||
IncludeProvisionerDaemon: true,
|
||||
},
|
||||
LicenseOptions: &coderdenttest.LicenseOptions{
|
||||
Features: license.Features{
|
||||
codersdk.FeatureTemplateRBAC: 1,
|
||||
codersdk.FeatureMultipleOrganizations: 1,
|
||||
},
|
||||
},
|
||||
})
|
||||
|
||||
// A member of the org as an auditor
|
||||
auditor, _ := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID, rbac.RoleAuditor())
|
||||
|
||||
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
|
||||
defer cancel()
|
||||
|
||||
// Given: a template with a version without the "use" permission on everyone
|
||||
version := coderdtest.CreateTemplateVersion(t, owner, first.OrganizationID, nil)
|
||||
_ = coderdtest.AwaitTemplateVersionJobCompleted(t, owner, version.ID)
|
||||
template := coderdtest.CreateTemplate(t, owner, first.OrganizationID, version.ID)
|
||||
|
||||
//nolint:gocritic // This should be run as the owner user.
|
||||
err := owner.UpdateTemplateACL(ctx, template.ID, codersdk.UpdateTemplateACL{
|
||||
UserPerms: nil,
|
||||
GroupPerms: map[string]codersdk.TemplateRole{
|
||||
first.OrganizationID.String(): codersdk.TemplateRoleDeleted,
|
||||
},
|
||||
})
|
||||
require.NoError(t, err)
|
||||
|
||||
_, err = auditor.CreateUserWorkspace(ctx, codersdk.Me, codersdk.CreateWorkspaceRequest{
|
||||
TemplateID: template.ID,
|
||||
Name: "workspace",
|
||||
})
|
||||
require.Error(t, err)
|
||||
var apiErr *codersdk.Error
|
||||
require.ErrorAs(t, err, &apiErr)
|
||||
require.Equal(t, http.StatusForbidden, apiErr.StatusCode())
|
||||
require.Contains(t, apiErr.Message, "Unauthorized access to use the template")
|
||||
})
|
||||
}
|
||||
|
||||
func TestCreateUserWorkspace(t *testing.T) {
|
||||
|
Reference in New Issue
Block a user