chore: implement 'use' verb to template object, read has less scope now (#16075)

Template `use` is now a verb.
- Template admins can `use` all templates (org template admins same in
org)
- Members get the `use` perm from the `everyone` group in the
`group_acl`.
This commit is contained in:
Steven Masley
2025-01-17 11:55:41 -06:00
committed by GitHub
parent 3217cb85f6
commit f34e6fd92c
17 changed files with 128 additions and 28 deletions

View File

@ -16,6 +16,7 @@ import (
"github.com/coder/coder/v2/coderd/httpapi"
"github.com/coder/coder/v2/coderd/httpmw"
"github.com/coder/coder/v2/coderd/rbac/policy"
"github.com/coder/coder/v2/coderd/util/slice"
"github.com/coder/coder/v2/codersdk"
)
@ -222,7 +223,7 @@ func (api *API) patchTemplateACL(rw http.ResponseWriter, r *http.Request) {
delete(template.UserACL, id)
continue
}
template.UserACL[id] = convertSDKTemplateRole(role)
template.UserACL[id] = db2sdk.TemplateRoleActions(role)
}
}
@ -234,7 +235,7 @@ func (api *API) patchTemplateACL(rw http.ResponseWriter, r *http.Request) {
delete(template.GroupACL, id)
continue
}
template.GroupACL[id] = convertSDKTemplateRole(role)
template.GroupACL[id] = db2sdk.TemplateRoleActions(role)
}
}
@ -316,8 +317,8 @@ func convertTemplateUsers(tus []database.TemplateUser, orgIDsByUserIDs map[uuid.
}
func validateTemplateRole(role codersdk.TemplateRole) error {
actions := convertSDKTemplateRole(role)
if actions == nil && role != codersdk.TemplateRoleDeleted {
actions := db2sdk.TemplateRoleActions(role)
if len(actions) == 0 && role != codersdk.TemplateRoleDeleted {
return xerrors.Errorf("role %q is not a valid Template role", role)
}
@ -326,7 +327,7 @@ func validateTemplateRole(role codersdk.TemplateRole) error {
func convertToTemplateRole(actions []policy.Action) codersdk.TemplateRole {
switch {
case len(actions) == 1 && actions[0] == policy.ActionRead:
case len(actions) == 2 && slice.SameElements(actions, []policy.Action{policy.ActionUse, policy.ActionRead}):
return codersdk.TemplateRoleUse
case len(actions) == 1 && actions[0] == policy.WildcardSymbol:
return codersdk.TemplateRoleAdmin
@ -335,17 +336,6 @@ func convertToTemplateRole(actions []policy.Action) codersdk.TemplateRole {
return ""
}
func convertSDKTemplateRole(role codersdk.TemplateRole) []policy.Action {
switch role {
case codersdk.TemplateRoleAdmin:
return []policy.Action{policy.WildcardSymbol}
case codersdk.TemplateRoleUse:
return []policy.Action{policy.ActionRead}
}
return nil
}
// TODO move to api.RequireFeatureMW when we are OK with changing the behavior.
func (api *API) templateRBACEnabledMW(next http.Handler) http.Handler {
return api.RequireFeatureMW(codersdk.FeatureTemplateRBAC)(next)

View File

@ -193,6 +193,53 @@ func TestCreateWorkspace(t *testing.T) {
require.Equal(t, http.StatusBadRequest, apiErr.StatusCode())
require.Contains(t, apiErr.Message, "doesn't exist")
})
// Auditors cannot "use" templates, they can only read them.
t.Run("Auditor", func(t *testing.T) {
t.Parallel()
owner, first := coderdenttest.New(t, &coderdenttest.Options{
Options: &coderdtest.Options{
IncludeProvisionerDaemon: true,
},
LicenseOptions: &coderdenttest.LicenseOptions{
Features: license.Features{
codersdk.FeatureTemplateRBAC: 1,
codersdk.FeatureMultipleOrganizations: 1,
},
},
})
// A member of the org as an auditor
auditor, _ := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID, rbac.RoleAuditor())
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
defer cancel()
// Given: a template with a version without the "use" permission on everyone
version := coderdtest.CreateTemplateVersion(t, owner, first.OrganizationID, nil)
_ = coderdtest.AwaitTemplateVersionJobCompleted(t, owner, version.ID)
template := coderdtest.CreateTemplate(t, owner, first.OrganizationID, version.ID)
//nolint:gocritic // This should be run as the owner user.
err := owner.UpdateTemplateACL(ctx, template.ID, codersdk.UpdateTemplateACL{
UserPerms: nil,
GroupPerms: map[string]codersdk.TemplateRole{
first.OrganizationID.String(): codersdk.TemplateRoleDeleted,
},
})
require.NoError(t, err)
_, err = auditor.CreateUserWorkspace(ctx, codersdk.Me, codersdk.CreateWorkspaceRequest{
TemplateID: template.ID,
Name: "workspace",
})
require.Error(t, err)
var apiErr *codersdk.Error
require.ErrorAs(t, err, &apiErr)
require.Equal(t, http.StatusForbidden, apiErr.StatusCode())
require.Contains(t, apiErr.Message, "Unauthorized access to use the template")
})
}
func TestCreateUserWorkspace(t *testing.T) {