From 3b93d822f5666099a4f682fff4df44637be13edb Mon Sep 17 00:00:00 2001
From: Steven Masley <stevenmasley@gmail.com>
Date: Thu, 17 Apr 2025 15:04:50 -0500
Subject: [PATCH 1/2] fix: correct user roles being passed into terraform
 context

---
 .../provisionerdserver/provisionerdserver.go  | 15 +++++++-----
 .../provisionerdserver_test.go                | 23 +++++++++++++++++--
 2 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/coderd/provisionerdserver/provisionerdserver.go b/coderd/provisionerdserver/provisionerdserver.go
index a4e28741ce988..504a1c01ada20 100644
--- a/coderd/provisionerdserver/provisionerdserver.go
+++ b/coderd/provisionerdserver/provisionerdserver.go
@@ -595,17 +595,20 @@ func (s *server) acquireProtoJob(ctx context.Context, job database.ProvisionerJo
 			})
 		}
 
-		roles, err := s.Database.GetAuthorizationUserRoles(ctx, owner.ID)
+		allUserRoles, err := s.Database.GetAuthorizationUserRoles(ctx, owner.ID)
 		if err != nil {
 			return nil, failJob(fmt.Sprintf("get owner authorization roles: %s", err))
 		}
 		ownerRbacRoles := []*sdkproto.Role{}
-		for _, role := range roles.Roles {
-			if s.OrganizationID == uuid.Nil {
-				ownerRbacRoles = append(ownerRbacRoles, &sdkproto.Role{Name: role, OrgId: ""})
-				continue
+		roles, err := allUserRoles.RoleNames()
+		if err == nil {
+			for _, role := range roles {
+				orgID := role.OrganizationID.String()
+				if role.OrganizationID == uuid.Nil {
+					orgID = ""
+				}
+				ownerRbacRoles = append(ownerRbacRoles, &sdkproto.Role{Name: role.Name, OrgId: orgID})
 			}
-			ownerRbacRoles = append(ownerRbacRoles, &sdkproto.Role{Name: role, OrgId: s.OrganizationID.String()})
 		}
 
 		protoJob.Type = &proto.AcquiredJob_WorkspaceBuild_{
diff --git a/coderd/provisionerdserver/provisionerdserver_test.go b/coderd/provisionerdserver/provisionerdserver_test.go
index 9a9eb91ac8b73..dea9a8d6f43d7 100644
--- a/coderd/provisionerdserver/provisionerdserver_test.go
+++ b/coderd/provisionerdserver/provisionerdserver_test.go
@@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"io"
 	"net/url"
+	"slices"
 	"strconv"
 	"strings"
 	"sync"
@@ -22,6 +23,7 @@ import (
 	"storj.io/drpc"
 
 	"cdr.dev/slog/sloggers/slogtest"
+	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/quartz"
 	"github.com/coder/serpent"
 
@@ -203,6 +205,12 @@ func TestAcquireJob(t *testing.T) {
 					GroupID: group1.ID,
 				})
 				require.NoError(t, err)
+				dbgen.OrganizationMember(t, db, database.OrganizationMember{
+					UserID:         user.ID,
+					OrganizationID: pd.OrganizationID,
+					Roles:          []string{rbac.RoleOrgAuditor()},
+				})
+
 				link := dbgen.UserLink(t, db, database.UserLink{
 					LoginType:        database.LoginTypeOIDC,
 					UserID:           user.ID,
@@ -350,7 +358,7 @@ func TestAcquireJob(t *testing.T) {
 					WorkspaceOwnerEmail:           user.Email,
 					WorkspaceOwnerName:            user.Name,
 					WorkspaceOwnerOidcAccessToken: link.OAuthAccessToken,
-					WorkspaceOwnerGroups:          []string{group1.Name},
+					WorkspaceOwnerGroups:          []string{"Everyone", group1.Name},
 					WorkspaceId:                   workspace.ID.String(),
 					WorkspaceOwnerId:              user.ID.String(),
 					TemplateId:                    template.ID.String(),
@@ -361,11 +369,15 @@ func TestAcquireJob(t *testing.T) {
 					WorkspaceOwnerSshPrivateKey:   sshKey.PrivateKey,
 					WorkspaceBuildId:              build.ID.String(),
 					WorkspaceOwnerLoginType:       string(user.LoginType),
-					WorkspaceOwnerRbacRoles:       []*sdkproto.Role{{Name: "member", OrgId: pd.OrganizationID.String()}},
+					WorkspaceOwnerRbacRoles:       []*sdkproto.Role{{Name: rbac.RoleOrgMember(), OrgId: pd.OrganizationID.String()}, {Name: "member", OrgId: ""}, {Name: rbac.RoleOrgAuditor(), OrgId: pd.OrganizationID.String()}},
 				}
 				if prebuiltWorkspace {
 					wantedMetadata.IsPrebuild = true
 				}
+
+				slices.SortFunc(wantedMetadata.WorkspaceOwnerRbacRoles, func(a, b *sdkproto.Role) int {
+					return strings.Compare(a.Name+a.OrgId, b.Name+b.OrgId)
+				})
 				want, err := json.Marshal(&proto.AcquiredJob_WorkspaceBuild_{
 					WorkspaceBuild: &proto.AcquiredJob_WorkspaceBuild{
 						WorkspaceBuildId: build.ID.String(),
@@ -467,6 +479,13 @@ func TestAcquireJob(t *testing.T) {
 			job, err := tc.acquire(ctx, srv)
 			require.NoError(t, err)
 
+			// sort
+			if wk, ok := job.Type.(*proto.AcquiredJob_WorkspaceBuild_); ok {
+				slices.SortFunc(wk.WorkspaceBuild.Metadata.WorkspaceOwnerRbacRoles, func(a, b *sdkproto.Role) int {
+					return strings.Compare(a.Name+a.OrgId, b.Name+b.OrgId)
+				})
+			}
+
 			got, err := json.Marshal(job.Type)
 			require.NoError(t, err)
 

From feec988a070be5576ad689c19d96fd4f072cbc27 Mon Sep 17 00:00:00 2001
From: Steven Masley <stevenmasley@gmail.com>
Date: Thu, 17 Apr 2025 15:06:33 -0500
Subject: [PATCH 2/2] chore: only send org roles for the org the workspace is
 in

---
 coderd/provisionerdserver/provisionerdserver.go      | 4 ++++
 coderd/provisionerdserver/provisionerdserver_test.go | 8 ++++++++
 2 files changed, 12 insertions(+)

diff --git a/coderd/provisionerdserver/provisionerdserver.go b/coderd/provisionerdserver/provisionerdserver.go
index 504a1c01ada20..78f597fa55369 100644
--- a/coderd/provisionerdserver/provisionerdserver.go
+++ b/coderd/provisionerdserver/provisionerdserver.go
@@ -603,6 +603,10 @@ func (s *server) acquireProtoJob(ctx context.Context, job database.ProvisionerJo
 		roles, err := allUserRoles.RoleNames()
 		if err == nil {
 			for _, role := range roles {
+				if role.OrganizationID != uuid.Nil && role.OrganizationID != s.OrganizationID {
+					continue // Only include site wide and org specific roles
+				}
+
 				orgID := role.OrganizationID.String()
 				if role.OrganizationID == uuid.Nil {
 					orgID = ""
diff --git a/coderd/provisionerdserver/provisionerdserver_test.go b/coderd/provisionerdserver/provisionerdserver_test.go
index dea9a8d6f43d7..caeef8a9793b7 100644
--- a/coderd/provisionerdserver/provisionerdserver_test.go
+++ b/coderd/provisionerdserver/provisionerdserver_test.go
@@ -211,6 +211,14 @@ func TestAcquireJob(t *testing.T) {
 					Roles:          []string{rbac.RoleOrgAuditor()},
 				})
 
+				// Add extra erronous roles
+				secondOrg := dbgen.Organization(t, db, database.Organization{})
+				dbgen.OrganizationMember(t, db, database.OrganizationMember{
+					UserID:         user.ID,
+					OrganizationID: secondOrg.ID,
+					Roles:          []string{rbac.RoleOrgAuditor()},
+				})
+
 				link := dbgen.UserLink(t, db, database.UserLink{
 					LoginType:        database.LoginTypeOIDC,
 					UserID:           user.ID,

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<title>pFad - Phonifier reborn</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
</head>
<body>
<h1>Pfad - The Proxy pFad of &#169; 2024 Garber Painting. All rights reserved.</h1>


<!-- Disclaimer -->
<p>Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.</p>
<br>
<p>Alternative Proxies:</p><p><a href="http://clevelandohioweatherforecast.com/php-proxy/index.php?q=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/17460.patch" target="_blank">Alternative Proxy</a></p><p><a href="http://clevelandohioweatherforecast.com/pFad/index.php?u=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/17460.patch" target="_blank">pFad Proxy</a></p><p><a href="http://clevelandohioweatherforecast.com/pFad/v3index.php?u=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/17460.patch" target="_blank">pFad v3 Proxy</a></p><p><a href="http://clevelandohioweatherforecast.com/pFad/v4index.php?u=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/17460.patch" target="_blank">pFad v4 Proxy</a></p></body>
</html>