feat(enterprise/coderd): allow system users to be added to groups #18341
Open · wants to merge 4 commits into base: main
Conversation

SasSwart
Contributor

@SasSwart SasSwart commented Jun 12, 2025

closes #18274

This pull request makes system users visible in various group-related queries so that they can be added to groups. This allows system user quotas to be configured. System users are still ignored in certain queries, such as when license seat consumption is determined.

Summary by CodeRabbit

  • New Features
    • Organization and group member listings now include system users.
  • Bug Fixes
    • Updated tests to reflect the inclusion of system users in member and group queries.

@SasSwart SasSwart changed the title feat: allow system users to be added to groups feat(enterprise/coderd): allow system users to be added to groups Jun 12, 2025
@github-actions github-actions bot added the stale This issue is like stale bread. label Jun 20, 2025
@github-actions github-actions bot closed this Jun 23, 2025
@johnstcn johnstcn reopened this Jun 23, 2025
@johnstcn johnstcn removed the stale This issue is like stale bread. label Jun 23, 2025
@github-actions github-actions bot added the stale This issue is like stale bread. label Jul 1, 2025
@github-actions github-actions bot closed this Jul 5, 2025
@SasSwart SasSwart reopened this Jul 14, 2025
@SasSwart SasSwart removed the stale This issue is like stale bread. label Jul 14, 2025
@SasSwart SasSwart requested a review from ssncferreira July 14, 2025 13:55
@SasSwart SasSwart marked this pull request as ready for review July 14, 2025 13:55
Contributor

@ssncferreira ssncferreira left a comment


I'm wondering about this approach. Do we need to add IncludeSystem: true to all these queries just to support the prebuilds system user?
This means someone will need to manually create a group for the prebuilds user and assign it a quota, right?

Wouldn't it be more robust to automatically create a group for the prebuilds system user with a default quota, and allow users to override it if needed? That way, we avoid having to include system users in these queries and reduce the risk of system users leaking into user-facing features.

Comment on lines +92 to +97
-- Filter by system type
AND CASE
WHEN @include_system::bool THEN TRUE
ELSE
is_system = false
END

nit for readability:

Suggested change
-- Filter by system type
AND CASE
WHEN @include_system::bool THEN TRUE
ELSE
is_system = false
END
-- Conditionally include system users based on @include_system flag
AND (@include_system OR is_system = false)
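
The two filter forms compared in this review comment (the CASE expression in the PR and the suggested `(@include_system OR is_system = false)` rewrite) are logically equivalent, and the PR description separately notes that seat counting must keep ignoring system users even when group listings include them. The Go program below is an added example, not code from the PR or from the coder/coder repository: it re-implements both predicates in Go, checks them against the full truth table, and applies the flag to a constructed member list to show that a listing with `IncludeSystem` set surfaces the system user while the seat count does not. The `Member` type, the function names and the sample data are all assumptions made for this example.

```go
package main

import "fmt"

// Member models only the columns the member-listing filter looks at.
// This is a constructed type for the example, not the project's database model.
type Member struct {
	Username string
	IsSystem bool
}

// includeByCase mirrors the CASE form used in the PR's SQL:
//   CASE WHEN @include_system THEN TRUE ELSE is_system = false END
func includeByCase(includeSystem, isSystem bool) bool {
	if includeSystem {
		return true
	}
	return !isSystem
}

// includeByOr mirrors the reviewer's suggested simplification:
//   (@include_system OR is_system = false)
func includeByOr(includeSystem, isSystem bool) bool {
	return includeSystem || !isSystem
}

// PredicatesAgree evaluates both predicates over every combination of the
// two boolean inputs and reports whether they ever disagree.
func PredicatesAgree() bool {
	for _, inc := range []bool{false, true} {
		for _, sys := range []bool{false, true} {
			if includeByCase(inc, sys) != includeByOr(inc, sys) {
				return false
			}
		}
	}
	return true
}

// ListMembers applies the filter the way a member or group listing would:
// with includeSystem set (as the PR does for those queries) system users
// are returned alongside regular users.
func ListMembers(members []Member, includeSystem bool) []Member {
	var out []Member
	for _, m := range members {
		if includeByOr(includeSystem, m.IsSystem) {
			out = append(out, m)
		}
	}
	return out
}

// LicensedSeats always runs the filter with includeSystem=false, so a system
// user never consumes a seat regardless of how listings are configured.
func LicensedSeats(members []Member) int {
	return len(ListMembers(members, false))
}

// SampleOrg is constructed sample data: two regular users and one system user.
var SampleOrg = []Member{
	{Username: "alice", IsSystem: false},
	{Username: "bob", IsSystem: false},
	{Username: "prebuilds", IsSystem: true},
}

func main() {
	fmt.Println("CASE and OR predicates agree:", PredicatesAgree())
	fmt.Println("listing with IncludeSystem=true:", len(ListMembers(SampleOrg, true)), "members")
	fmt.Println("listing with IncludeSystem=false:", len(ListMembers(SampleOrg, false)), "members")
	fmt.Println("licensed seats:", LicensedSeats(SampleOrg))
}
```

Keeping the seat count on a code path that never takes the listing flag is the property worth preserving when system users become visible elsewhere: a listing change should not be able to alter billing or quota accounting by accident.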

@SasSwart
Contributor Author

The prebuilds user has already leaked into user-facing features. Administrators search for prebuilds by specifying the prebuilds user on the workspace list page. For consistency and clarity, I think we should embrace listing and showing the prebuilds user.

I like the idea of automatically creating a prebuilds group, but we'll need to decide what a sensible default quota would be if there is such a value that makes sense.

@ssncferreira
Contributor

ssncferreira commented Jul 16, 2025

The prebuilds user has already leaked into user-facing features. Administrators search for prebuilds by specifying the prebuilds user on the workspace list page. For consistency and clarity, I think we should embrace listing and showing the prebuilds user.

It’s true that the prebuilds user is already exposed in some user-facing features, like showing prebuilt workspaces, but that might not be the ideal approach 😕 The issue isn’t just about the prebuilds user, it extends to listing all current and future system users.

I like the idea of automatically creating a prebuilds group, but we'll need to decide what a sensible default quota would be if there is such a value that makes sense.

We already have a precedent with the Everyone group:

-- name: InsertAllUsersGroup :one
INSERT INTO groups (
id,
name,
organization_id
)
VALUES
(sqlc.arg(organization_id), 'Everyone', sqlc.arg(organization_id)) RETURNING *;

We could apply the same pattern here: automatically create the prebuilds group with a default quota of 0, and clearly document this behavior along with instructions on how users can update the quota if needed.

@github-actions github-actions bot added the stale This issue is like stale bread. label Jul 24, 2025

coderabbitai bot commented Jul 24, 2025

Walkthrough

This change updates the logic for retrieving organization and group members to consistently include system users, such as the prebuilds system user, by default. It introduces a new boolean parameter to control this behavior in both SQL queries and Go code, and updates related tests to expect the presence of system users in member lists.

Changes

Files / Areas: Change Summary
coderd/database/queries.sql.go, coderd/database/queries/organizationmembers.sql: Added IncludeSystem boolean parameter to queries and Go structs/methods; updated SQL to filter system users.
coderd/members.go: Modified queries to include system users by setting IncludeSystem: true.
enterprise/coderd/groups.go: Updated group member queries to include system users (IncludeSystem: true).
coderd/members_test.go, enterprise/coderd/groups_test.go, enterprise/coderd/roles_test.go: Updated tests to expect system users in member lists and adjusted assertions accordingly.

Sequence Diagram(s)

sequenceDiagram
    participant API
    participant MembersService
    participant Database

    API->>MembersService: Request organization/group members
    MembersService->>Database: Query members (IncludeSystem: true)
    Database-->>MembersService: Return all members (including system users)
    MembersService-->>API: Return member list with system users

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

In the warren of code, a new rule appears,
System users hop in, dispelling old fears.
Member lists grow, with prebuilds in tow,
The queries now know who’s included below.
Tests count the bunnies, one more in the sun—
With every new member, the job is well done!
🐇✨


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 78af5e0 and af7c7cd.

📒 Files selected for processing (7)
  • coderd/database/queries.sql.go (2 hunks)
  • coderd/database/queries/organizationmembers.sql (1 hunks)
  • coderd/members.go (2 hunks)
  • coderd/members_test.go (2 hunks)
  • enterprise/coderd/groups.go (8 hunks)
  • enterprise/coderd/groups_test.go (1 hunks)
  • enterprise/coderd/roles_test.go (3 hunks)
🧰 Additional context used
📓 Path-based instructions (4)
coderd/database/queries/*.sql

📄 CodeRabbit Inference Engine (.cursorrules)

All new queries require proper database authorization (dbauthz) implementation to ensure that only users with appropriate permissions can access specific resources.

Modify coderd/database/queries/*.sql files for database changes

Files:

  • coderd/database/queries/organizationmembers.sql
**/*_test.go

📄 CodeRabbit Inference Engine (.cursorrules)

**/*_test.go: All tests must use t.Parallel() to run concurrently, which improves test suite performance and helps identify race conditions.
All tests should run in parallel using t.Parallel() to ensure efficient testing and expose potential race conditions.

**/*_test.go: Use unique identifiers in concurrent Go tests to prevent race conditions (e.g., fmt.Sprintf with t.Name() and time.Now().UnixNano())
Never use hardcoded names in concurrent Go tests

Files:

  • coderd/members_test.go
  • enterprise/coderd/groups_test.go
  • enterprise/coderd/roles_test.go
**/*.go

📄 CodeRabbit Inference Engine (.cursorrules)

**/*.go: The codebase is rigorously linted with golangci-lint to maintain consistent code quality.
Coder emphasizes clear error handling, with specific patterns required: Concise error messages that avoid phrases like "failed to"; Wrapping errors with %w to maintain error chains; Using sentinel errors with the "err" prefix (e.g., errNotFound).

**/*.go: OAuth2-compliant error responses must use writeOAuth2Error in Go code
Public endpoints needing system access should use dbauthz.AsSystemRestricted(ctx) when calling GetOAuth2ProviderAppByClientID
Authenticated endpoints with user context should use ctx directly when calling GetOAuth2ProviderAppByClientID
Follow Uber Go Style Guide

Files:

  • coderd/members_test.go
  • enterprise/coderd/groups_test.go
  • coderd/members.go
  • enterprise/coderd/roles_test.go
  • enterprise/coderd/groups.go
  • coderd/database/queries.sql.go
enterprise/**/*

📄 CodeRabbit Inference Engine (.cursorrules)

Enterprise code lives primarily in the enterprise/ directory.

Files:

  • enterprise/coderd/groups_test.go
  • enterprise/coderd/roles_test.go
  • enterprise/coderd/groups.go
🧠 Learnings (6)
coderd/database/queries/organizationmembers.sql (1)

Learnt from: CR
PR: coder/coder#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-21T14:32:56.474Z
Learning: Applies to coderd/database/queries/.sql : Modify coderd/database/queries/.sql files for database changes

coderd/members_test.go (7)

Learnt from: CR
PR: coder/coder#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-21T14:32:56.474Z
Learning: Applies to **/*_test.go : Never use hardcoded names in concurrent Go tests

Learnt from: CR
PR: coder/coder#0
File: .cursorrules:0-0
Timestamp: 2025-07-21T14:32:43.035Z
Learning: Applies to coderd/dbauthz/*.go : The database authorization (dbauthz) system enforces fine-grained access control across all database operations. All database operations must pass through this layer to ensure security.

Learnt from: CR
PR: coder/coder#0
File: .cursorrules:0-0
Timestamp: 2025-07-21T14:32:43.035Z
Learning: Applies to coderd/coderdtest/**/* : The coderdtest package in coderd/coderdtest/ provides utilities for creating test instances of the Coder server, setting up test users and workspaces, and mocking external components.

Learnt from: CR
PR: coder/coder#0
File: .cursorrules:0-0
Timestamp: 2025-07-21T14:32:43.034Z
Learning: Applies to coderd/coderd.go : The REST API is defined in coderd/coderd.go and uses Chi for HTTP routing.

Learnt from: CR
PR: coder/coder#0
File: .cursorrules:0-0
Timestamp: 2025-07-21T14:32:43.035Z
Learning: Applies to **/*.go : Coder emphasizes clear error handling, with specific patterns required: Concise error messages that avoid phrases like "failed to"; Wrapping errors with %w to maintain error chains; Using sentinel errors with the "err" prefix (e.g., errNotFound).

Learnt from: CR
PR: coder/coder#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-21T14:32:56.474Z
Learning: Applies to **/*.go : Public endpoints needing system access should use dbauthz.AsSystemRestricted(ctx) when calling GetOAuth2ProviderAppByClientID

Learnt from: ThomasK33
PR: #18809
File: coderd/apidoc/swagger.json:2160-2186
Timestamp: 2025-07-21T14:30:40.568Z
Learning: For the Coder repository, API specification or standards compliance issues should be raised in the Go source files (e.g., handler annotations or swaggo comments), not in auto-generated files like coderd/apidoc/swagger.json.

enterprise/coderd/groups_test.go (3)

Learnt from: CR
PR: coder/coder#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-21T14:32:56.474Z
Learning: Applies to **/*_test.go : Never use hardcoded names in concurrent Go tests

Learnt from: CR
PR: coder/coder#0
File: .cursorrules:0-0
Timestamp: 2025-07-21T14:32:43.035Z
Learning: Applies to coderd/coderdtest/**/* : The coderdtest package in coderd/coderdtest/ provides utilities for creating test instances of the Coder server, setting up test users and workspaces, and mocking external components.

Learnt from: CR
PR: coder/coder#0
File: .cursorrules:0-0
Timestamp: 2025-07-21T14:32:43.035Z
Learning: Applies to coderdenttest/**/* : Enterprise features have dedicated test utilities in the coderdenttest package.

coderd/members.go (1)

Learnt from: CR
PR: coder/coder#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-21T14:32:56.474Z
Learning: Applies to **/*.go : Public endpoints needing system access should use dbauthz.AsSystemRestricted(ctx) when calling GetOAuth2ProviderAppByClientID

enterprise/coderd/roles_test.go (6)

Learnt from: CR
PR: coder/coder#0
File: .cursorrules:0-0
Timestamp: 2025-07-21T14:32:43.035Z
Learning: Applies to coderd/dbauthz/*.go : The database authorization (dbauthz) system enforces fine-grained access control across all database operations. All database operations must pass through this layer to ensure security.

Learnt from: CR
PR: coder/coder#0
File: .cursorrules:0-0
Timestamp: 2025-07-21T14:32:43.035Z
Learning: Applies to coderd/coderdtest/**/* : The coderdtest package in coderd/coderdtest/ provides utilities for creating test instances of the Coder server, setting up test users and workspaces, and mocking external components.

Learnt from: CR
PR: coder/coder#0
File: .cursorrules:0-0
Timestamp: 2025-07-21T14:32:43.034Z
Learning: Applies to coderd/coderd.go : The REST API is defined in coderd/coderd.go and uses Chi for HTTP routing.

Learnt from: CR
PR: coder/coder#0
File: .cursorrules:0-0
Timestamp: 2025-07-21T14:32:43.035Z
Learning: Applies to **/*.go : Coder emphasizes clear error handling, with specific patterns required: Concise error messages that avoid phrases like "failed to"; Wrapping errors with %w to maintain error chains; Using sentinel errors with the "err" prefix (e.g., errNotFound).

Learnt from: CR
PR: coder/coder#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-21T14:32:56.474Z
Learning: Applies to **/*.go : Public endpoints needing system access should use dbauthz.AsSystemRestricted(ctx) when calling GetOAuth2ProviderAppByClientID

Learnt from: ThomasK33
PR: #18809
File: coderd/apidoc/swagger.json:2160-2186
Timestamp: 2025-07-21T14:30:40.568Z
Learning: For the Coder repository, API specification or standards compliance issues should be raised in the Go source files (e.g., handler annotations or swaggo comments), not in auto-generated files like coderd/apidoc/swagger.json.

enterprise/coderd/groups.go (3)

Learnt from: CR
PR: coder/coder#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-21T14:32:56.474Z
Learning: Applies to enterprise/audit/table.go : If audit errors occur after database changes, update enterprise/audit/table.go

Learnt from: CR
PR: coder/coder#0
File: .cursorrules:0-0
Timestamp: 2025-07-21T14:32:43.035Z
Learning: Applies to coderd/dbauthz/*.go : The database authorization (dbauthz) system enforces fine-grained access control across all database operations. All database operations must pass through this layer to ensure security.

Learnt from: CR
PR: coder/coder#0
File: CLAUDE.md:0-0
Timestamp: 2025-07-21T14:32:56.474Z
Learning: Applies to **/*.go : Public endpoints needing system access should use dbauthz.AsSystemRestricted(ctx) when calling GetOAuth2ProviderAppByClientID

🔇 Additional comments (19)
coderd/members_test.go (2)

10-10: Import addition looks good.

The database package import is necessary to access PrebuildsSystemUserID constant.


66-69: Test assertions correctly updated for system user inclusion.

The test now properly expects 3 members (including the prebuilds system user) and validates the presence of database.PrebuildsSystemUserID in the member list. This aligns with the PR objective of making system users visible in organization membership queries.

enterprise/coderd/groups_test.go (1)

865-870: Test correctly updated to expect system user in "Everyone" group.

The assertion changes properly reflect that the prebuilds system user is now included in group membership queries. The member count increase from 4 to 5 and the explicit check for the prebuilds user's presence are both accurate and necessary.

coderd/members.go (2)

164-164: Correctly enables system user inclusion in member listings.

Setting IncludeSystem: true ensures that system users like the prebuilds user are included in organization member queries, which aligns with the PR objective of making system users manageable for quota assignment.


206-206: Consistent system user inclusion in paginated queries.

The change maintains consistency by also including system users in the paginated member query, ensuring uniform behavior across both listing endpoints.

enterprise/coderd/groups.go (6)

159-159: System user inclusion enabled for group member retrieval.

Setting IncludeSystem: true ensures system users are visible when fetching current group members during group updates.


183-183: Organization membership check includes system users.

This change allows system users to pass the organization membership validation when being added to groups, which is necessary for the prebuilds user quota management use case.


299-299: Consistent system user inclusion in post-patch operations.

Both the member retrieval and count operations after group patching now include system users, ensuring consistent behavior and accurate audit trails.

Also applies to: 310-310


356-356: System users included in delete operation audit.

Including system users in the group member retrieval during deletion ensures complete audit information is captured.


410-410: System users visible in individual group queries.

The changes ensure system users are included when fetching a single group's details, maintaining consistency with the overall feature objective.

Also applies to: 419-419


515-515: System users included in bulk group operations.

The changes ensure system users are visible when listing multiple groups, providing consistent behavior across all group-related endpoints.

Also applies to: 523-523

enterprise/coderd/roles_test.go (4)

14-14: LGTM: Import addition is appropriate.

The database package import is necessary to access PrebuildsSystemUserID for the conditional logic added in the test.


364-364: LGTM: Assertion correctly updated for system user inclusion.

The member count assertion has been properly updated from 5 to 6 to account for the prebuilds system user now being included in organization member queries.


366-366: LGTM: Conditional logic correctly excludes system user from role verification.

The addition of the prebuilds system user check prevents the test from attempting to verify custom role assignments on system users, which is the correct behavior.


381-381: LGTM: Second assertion consistently updated.

The assertion correctly maintains the expected member count of 6 after role deletion, consistent with the earlier assertion change.

coderd/database/queries.sql.go (4)

5996-6001: LGTM! System user filtering logic is correctly implemented.

The CASE statement properly handles the IncludeSystem parameter - when true, all users are included; when false, system users are excluded by filtering is_system = false.


6004-6004: Parameter indices correctly updated.

The offset and limit parameter references have been properly shifted from $2/$3 to $3/$4 to accommodate the new IncludeSystem parameter at position $2.

Also applies to: 6007-6007


6012-6012: Struct field properly defined.

The IncludeSystem field is correctly added with appropriate database and JSON tags, maintaining consistency with the existing struct definition.


6028-6033: Method implementation correctly updated.

The parameter passing order matches the SQL query expectations:

  • arg.OrganizationID → $1
  • arg.IncludeSystem → $2
  • arg.OffsetOpt → $3
  • arg.LimitOpt → $4

@github-actions github-actions bot removed the stale This issue is like stale bread. label Jul 25, 2025
Successfully merging this pull request may close these issues.

bug: Workspace prebuilds conform to the site quota, leading many to fail
3 participants