
Commit ea65ddc

authored
fix: correct user roles being passed into terraform context (#17460)
Roles were being passed into the workspace context incorrectly: site-wide roles were being scoped to the provisioner's organization, and roles the user holds in other organizations should not be sent at all.
1 parent 90eacc1 commit ea65ddc


2 files changed

+42
-8
lines changed

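--- a/coderd/provisionerdserver/provisionerdserver.go
+++ b/coderd/provisionerdserver/provisionerdserver.go
@@ -595,17 +595,24 @@ func (s *server) acquireProtoJob(ctx context.Context, job database.ProvisionerJo
 })
 }
 
-roles, err := s.Database.GetAuthorizationUserRoles(ctx, owner.ID)
+allUserRoles, err := s.Database.GetAuthorizationUserRoles(ctx, owner.ID)
 if err != nil {
 return nil, failJob(fmt.Sprintf("get owner authorization roles: %s", err))
 }
 ownerRbacRoles := []*sdkproto.Role{}
-for _, role := range roles.Roles {
-if s.OrganizationID == uuid.Nil {
-ownerRbacRoles = append(ownerRbacRoles, &sdkproto.Role{Name: role, OrgId: ""})
-continue
+roles, err := allUserRoles.RoleNames()
+if err == nil {
+for _, role := range roles {
+if role.OrganizationID != uuid.Nil && role.OrganizationID != s.OrganizationID {
+continue // Only include site wide and org specific roles
+}
+
+orgID := role.OrganizationID.String()
+if role.OrganizationID == uuid.Nil {
+orgID = ""
+}
+ownerRbacRoles = append(ownerRbacRoles, &sdkproto.Role{Name: role.Name, OrgId: orgID})
 }
-ownerRbacRoles = append(ownerRbacRoles, &sdkproto.Role{Name: role, OrgId: s.OrganizationID.String()})
 }
 
 protoJob.Type = &proto.AcquiredJob_WorkspaceBuild_{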

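--- a/coderd/provisionerdserver/provisionerdserver_test.go
+++ b/coderd/provisionerdserver/provisionerdserver_test.go
@@ -6,6 +6,7 @@ import (
 "encoding/json"
 "io"
 "net/url"
+"slices"
 "strconv"
 "strings"
 "sync"
@@ -22,6 +23,7 @@ import (
 "storj.io/drpc"
 
 "cdr.dev/slog/sloggers/slogtest"
+"github.com/coder/coder/v2/coderd/rbac"
 "github.com/coder/quartz"
 "github.com/coder/serpent"
 
@@ -203,6 +205,20 @@ func TestAcquireJob(t *testing.T) {
 GroupID: group1.ID,
 })
 require.NoError(t, err)
+dbgen.OrganizationMember(t, db, database.OrganizationMember{
+UserID: user.ID,
+OrganizationID: pd.OrganizationID,
+Roles: []string{rbac.RoleOrgAuditor()},
+})
+
+// Add extra erronous roles
+secondOrg := dbgen.Organization(t, db, database.Organization{})
+dbgen.OrganizationMember(t, db, database.OrganizationMember{
+UserID: user.ID,
+OrganizationID: secondOrg.ID,
+Roles: []string{rbac.RoleOrgAuditor()},
+})
+
 link := dbgen.UserLink(t, db, database.UserLink{
 LoginType: database.LoginTypeOIDC,
 UserID: user.ID,
@@ -350,7 +366,7 @@ func TestAcquireJob(t *testing.T) {
 WorkspaceOwnerEmail: user.Email,
 WorkspaceOwnerName: user.Name,
 WorkspaceOwnerOidcAccessToken: link.OAuthAccessToken,
-WorkspaceOwnerGroups: []string{group1.Name},
+WorkspaceOwnerGroups: []string{"Everyone", group1.Name},
 WorkspaceId: workspace.ID.String(),
 WorkspaceOwnerId: user.ID.String(),
 TemplateId: template.ID.String(),
@@ -361,11 +377,15 @@ func TestAcquireJob(t *testing.T) {
 WorkspaceOwnerSshPrivateKey: sshKey.PrivateKey,
 WorkspaceBuildId: build.ID.String(),
 WorkspaceOwnerLoginType: string(user.LoginType),
-WorkspaceOwnerRbacRoles: []*sdkproto.Role{{Name: "member", OrgId: pd.OrganizationID.String()}},
+WorkspaceOwnerRbacRoles: []*sdkproto.Role{{Name: rbac.RoleOrgMember(), OrgId: pd.OrganizationID.String()}, {Name: "member", OrgId: ""}, {Name: rbac.RoleOrgAuditor(), OrgId: pd.OrganizationID.String()}},
 }
 if prebuiltWorkspace {
 wantedMetadata.IsPrebuild = true
 }
+
+slices.SortFunc(wantedMetadata.WorkspaceOwnerRbacRoles, func(a, b *sdkproto.Role) int {
+return strings.Compare(a.Name+a.OrgId, b.Name+b.OrgId)
+})
 want, err := json.Marshal(&proto.AcquiredJob_WorkspaceBuild_{
 WorkspaceBuild: &proto.AcquiredJob_WorkspaceBuild{
 WorkspaceBuildId: build.ID.String(),
@@ -467,6 +487,13 @@ func TestAcquireJob(t *testing.T) {
 job, err := tc.acquire(ctx, srv)
 require.NoError(t, err)
 
+// sort
+if wk, ok := job.Type.(*proto.AcquiredJob_WorkspaceBuild_); ok {
+slices.SortFunc(wk.WorkspaceBuild.Metadata.WorkspaceOwnerRbacRoles, func(a, b *sdkproto.Role) int {
+return strings.Compare(a.Name+a.OrgId, b.Name+b.OrgId)
+})
+}
+
 got, err := json.Marshal(job.Type)
 require.NoError(t, err)
 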
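Review bot: The comparator `strings.Compare(a.Name+a.OrgId, b.Name+b.OrgId)` is copy-pasted at new lines 386 and 492; declaring it once in the test, e.g. `sortRoles := func(rs []*sdkproto.Role) { slices.SortFunc(rs, func(a, b *sdkproto.Role) int { return strings.Compare(a.Name+a.OrgId, b.Name+b.OrgId) }) }`, keeps the expected and actual sides sorted by the same rule if it is ever changed. The comment on line 214 has a typo and does not say why these roles are wrong; suggest `// Membership in a second org must not leak into this org's workspace context`. The expectation on line 380 only exercises a daemon bound to `pd.OrganizationID`; if the server can run with a nil OrganizationID (the case the removed production branch handled explicitly), a case asserting which roles are forwarded then would pin that path too. TestAcquireJob starts and ends outside these hunks.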
