chore(coderd/database/dbauthz): update RBAC for InsertWorkspaceApp (#18223)

DanielleMaywood · web-flow · commit 4d0fe20ca6d8 · 2025-06-04T11:22:01.000Z
Instead of using `ResourceSystem` as the resource for
`InsertWorkspaceApp`, we instead use the associated workspace (if it
exists), with the action `ActionUpdate`.
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -3851,9 +3851,19 @@ func (q *querier) InsertWorkspaceAgentStats(ctx context.Context, arg database.In
 }
 
 func (q *querier) InsertWorkspaceApp(ctx context.Context, arg database.InsertWorkspaceAppParams) (database.WorkspaceApp, error) {
-	if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceSystem); err != nil {
+	// NOTE(DanielleMaywood):
+	// It is possible for there to exist an agent without a workspace.
+	// This means that we want to allow execution to continue if
+	// there isn't a workspace found to allow this behavior to continue.
+	workspace, err := q.db.GetWorkspaceByAgentID(ctx, arg.AgentID)
+	if err != nil && !errors.Is(err, sql.ErrNoRows) {
+		return database.WorkspaceApp{}, err
+	}
+
+	if err := q.authorizeContext(ctx, policy.ActionUpdate, workspace); err != nil {
 		return database.WorkspaceApp{}, err
 	}
+
 	return q.db.InsertWorkspaceApp(ctx, arg)
 }
 
diff --git a/coderd/database/dbauthz/dbauthz_test.go b/coderd/database/dbauthz/dbauthz_test.go
@@ -4093,13 +4093,28 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 		}).Asserts(ws, policy.ActionCreateAgent)
 	}))
 	s.Run("InsertWorkspaceApp", s.Subtest(func(db database.Store, check *expects) {
-		dbtestutil.DisableForeignKeysAndTriggers(s.T(), db)
+		_ = dbgen.User(s.T(), db, database.User{})
+		u := dbgen.User(s.T(), db, database.User{})
+		o := dbgen.Organization(s.T(), db, database.Organization{})
+		j := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{Type: database.ProvisionerJobTypeWorkspaceBuild})
+		tpl := dbgen.Template(s.T(), db, database.Template{CreatedBy: u.ID, OrganizationID: o.ID})
+		tv := dbgen.TemplateVersion(s.T(), db, database.TemplateVersion{
+			TemplateID:     uuid.NullUUID{UUID: tpl.ID, Valid: true},
+			JobID:          j.ID,
+			OrganizationID: o.ID,
+			CreatedBy:      u.ID,
+		})
+		ws := dbgen.Workspace(s.T(), db, database.WorkspaceTable{OwnerID: u.ID, TemplateID: tpl.ID, OrganizationID: o.ID})
+		_ = dbgen.WorkspaceBuild(s.T(), db, database.WorkspaceBuild{WorkspaceID: ws.ID, JobID: j.ID, TemplateVersionID: tv.ID})
+		res := dbgen.WorkspaceResource(s.T(), db, database.WorkspaceResource{JobID: j.ID})
+		agent := dbgen.WorkspaceAgent(s.T(), db, database.WorkspaceAgent{ResourceID: res.ID})
 		check.Args(database.InsertWorkspaceAppParams{
 			ID:           uuid.New(),
+			AgentID:      agent.ID,
 			Health:       database.WorkspaceAppHealthDisabled,
 			SharingLevel: database.AppSharingLevelOwner,
 			OpenIn:       database.WorkspaceAppOpenInSlimWindow,
-		}).Asserts(rbac.ResourceSystem, policy.ActionCreate)
+		}).Asserts(ws, policy.ActionUpdate)
 	}))
 	s.Run("InsertWorkspaceResourceMetadata", s.Subtest(func(db database.Store, check *expects) {
 		check.Args(database.InsertWorkspaceResourceMetadataParams{

Original file line number	Diff line number	Diff line change
`@@ -3851,9 +3851,19 @@ func (q *querier) InsertWorkspaceAgentStats(ctx context.Context, arg database.In`
`3851`	`3851`	`}`
`3852`	`3852`
`3853`	`3853`	`func (q *querier) InsertWorkspaceApp(ctx context.Context, arg database.InsertWorkspaceAppParams) (database.WorkspaceApp, error) {`
`3854`		`- if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceSystem); err != nil {`
	`3854`	`+ // NOTE(DanielleMaywood):`
	`3855`	`+ // It is possible for there to exist an agent without a workspace.`
	`3856`	`+ // This means that we want to allow execution to continue if`
	`3857`	`+ // there isn't a workspace found to allow this behavior to continue.`
	`3858`	`+ workspace, err := q.db.GetWorkspaceByAgentID(ctx, arg.AgentID)`
	`3859`	`+ if err != nil && !errors.Is(err, sql.ErrNoRows) {`
	`3860`	`+ return database.WorkspaceApp{}, err`
	`3861`	`+ }`
	`3862`	`+`
	`3863`	`+ if err := q.authorizeContext(ctx, policy.ActionUpdate, workspace); err != nil {`
`3855`	`3864`	`return database.WorkspaceApp{}, err`
`3856`	`3865`	`}`
	`3866`	`+`
`3857`	`3867`	`return q.db.InsertWorkspaceApp(ctx, arg)`
`3858`	`3868`	`}`
`3859`	`3869`