From 6b3a73161a74bdb194ec1601dfffba0774521c36 Mon Sep 17 00:00:00 2001 From: Sas Swart Date: Thu, 12 Jun 2025 08:07:05 +0000 Subject: [PATCH 1/5] Allow users to view and modify group membership for the prebuilds system user so that they can configure quotas --- enterprise/coderd/groups.go | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/enterprise/coderd/groups.go b/enterprise/coderd/groups.go index cfe5d081271e3..8eebc384b5b8a 100644 --- a/enterprise/coderd/groups.go +++ b/enterprise/coderd/groups.go @@ -156,7 +156,7 @@ func (api *API) patchGroup(rw http.ResponseWriter, r *http.Request) { currentMembers, err := api.Database.GetGroupMembersByGroupID(ctx, database.GetGroupMembersByGroupIDParams{ GroupID: group.ID, - IncludeSystem: false, + IncludeSystem: true, }) if err != nil { httpapi.InternalServerError(rw, err) @@ -174,7 +174,7 @@ func (api *API) patchGroup(rw http.ResponseWriter, r *http.Request) { _, err := database.ExpectOne(api.Database.OrganizationMembers(ctx, database.OrganizationMembersParams{ OrganizationID: group.OrganizationID, UserID: uuid.MustParse(id), - IncludeSystem: false, + IncludeSystem: true, })) if errors.Is(err, sql.ErrNoRows) { httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{ @@ -290,7 +290,7 @@ func (api *API) patchGroup(rw http.ResponseWriter, r *http.Request) { patchedMembers, err := api.Database.GetGroupMembersByGroupID(ctx, database.GetGroupMembersByGroupIDParams{ GroupID: group.ID, - IncludeSystem: false, + IncludeSystem: true, }) if err != nil { httpapi.InternalServerError(rw, err) @@ -301,7 +301,7 @@ func (api *API) patchGroup(rw http.ResponseWriter, r *http.Request) { memberCount, err := api.Database.GetGroupMembersCountByGroupID(ctx, database.GetGroupMembersCountByGroupIDParams{ GroupID: group.ID, - IncludeSystem: false, + IncludeSystem: true, }) if err != nil { httpapi.InternalServerError(rw, err) @@ -347,7 +347,7 @@ func (api *API) deleteGroup(rw http.ResponseWriter, r *http.Request) { groupMembers, getMembersErr := api.Database.GetGroupMembersByGroupID(ctx, database.GetGroupMembersByGroupIDParams{ GroupID: group.ID, - IncludeSystem: false, + IncludeSystem: true, }) if getMembersErr != nil { httpapi.InternalServerError(rw, getMembersErr) @@ -401,7 +401,7 @@ func (api *API) group(rw http.ResponseWriter, r *http.Request) { users, err := api.Database.GetGroupMembersByGroupID(ctx, database.GetGroupMembersByGroupIDParams{ GroupID: group.ID, - IncludeSystem: false, + IncludeSystem: true, }) if err != nil && !errors.Is(err, sql.ErrNoRows) { httpapi.InternalServerError(rw, err) @@ -410,7 +410,7 @@ func (api *API) group(rw http.ResponseWriter, r *http.Request) { memberCount, err := api.Database.GetGroupMembersCountByGroupID(ctx, database.GetGroupMembersCountByGroupIDParams{ GroupID: group.ID, - IncludeSystem: false, + IncludeSystem: true, }) if err != nil { httpapi.InternalServerError(rw, err) @@ -506,7 +506,7 @@ func (api *API) groups(rw http.ResponseWriter, r *http.Request) { for _, group := range groups { members, err := api.Database.GetGroupMembersByGroupID(ctx, database.GetGroupMembersByGroupIDParams{ GroupID: group.Group.ID, - IncludeSystem: false, + IncludeSystem: true, }) if err != nil { httpapi.InternalServerError(rw, err) @@ -514,7 +514,7 @@ func (api *API) groups(rw http.ResponseWriter, r *http.Request) { } memberCount, err := api.Database.GetGroupMembersCountByGroupID(ctx, database.GetGroupMembersCountByGroupIDParams{ GroupID: group.Group.ID, - IncludeSystem: false, + IncludeSystem: true, }) if err != nil { httpapi.InternalServerError(rw, err) From 4b63826647fdc366c279dfbf9c328cf258eb3d68 Mon Sep 17 00:00:00 2001 From: Sas Swart Date: Thu, 12 Jun 2025 09:05:07 +0000 Subject: [PATCH 2/5] Fix Tests --- enterprise/coderd/groups_test.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/enterprise/coderd/groups_test.go b/enterprise/coderd/groups_test.go index 028aa3328535f..6f19e585cc550 100644 --- a/enterprise/coderd/groups_test.go +++ b/enterprise/coderd/groups_test.go @@ -838,12 +838,12 @@ func TestGroup(t *testing.T) { // The 'Everyone' group always has an ID that matches the organization ID. group, err := userAdminClient.Group(ctx, user.OrganizationID) require.NoError(t, err) - require.Len(t, group.Members, 4) + require.Len(t, group.Members, 5) require.Equal(t, "Everyone", group.Name) require.Equal(t, user.OrganizationID, group.OrganizationID) require.Contains(t, group.Members, user1.ReducedUser) require.Contains(t, group.Members, user2.ReducedUser) - require.NotContains(t, group.Members, prebuildsUser.ReducedUser) + require.Contains(t, group.Members, prebuildsUser.ReducedUser) }) } From af7c7cd3016a2ba7daaf410fa838822ba33bcbf7 Mon Sep 17 00:00:00 2001 From: Sas Swart Date: Tue, 15 Jul 2025 09:47:02 +0000 Subject: [PATCH 3/5] fix tests --- coderd/database/queries.sql.go | 18 +++++++++++++++--- .../database/queries/organizationmembers.sql | 6 ++++++ coderd/members.go | 3 ++- coderd/members_test.go | 5 +++-- enterprise/coderd/roles_test.go | 7 ++++--- 5 files changed, 30 insertions(+), 9 deletions(-) diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go index 04ded71f1242a..1511d92305a75 100644 --- a/coderd/database/queries.sql.go +++ b/coderd/database/queries.sql.go @@ -5993,16 +5993,23 @@ WHERE organization_id = $1 ELSE true END + -- Filter by system type + AND CASE + WHEN $2::bool THEN TRUE + ELSE + is_system = false + END ORDER BY -- Deterministic and consistent ordering of all users. This is to ensure consistent pagination. - LOWER(username) ASC OFFSET $2 + LOWER(username) ASC OFFSET $3 LIMIT -- A null limit means "no limit", so 0 means return all - NULLIF($3 :: int, 0) + NULLIF($4 :: int, 0) ` type PaginatedOrganizationMembersParams struct { OrganizationID uuid.UUID `db:"organization_id" json:"organization_id"` + IncludeSystem bool `db:"include_system" json:"include_system"` OffsetOpt int32 `db:"offset_opt" json:"offset_opt"` LimitOpt int32 `db:"limit_opt" json:"limit_opt"` } @@ -6018,7 +6025,12 @@ type PaginatedOrganizationMembersRow struct { } func (q *sqlQuerier) PaginatedOrganizationMembers(ctx context.Context, arg PaginatedOrganizationMembersParams) ([]PaginatedOrganizationMembersRow, error) { - rows, err := q.db.QueryContext(ctx, paginatedOrganizationMembers, arg.OrganizationID, arg.OffsetOpt, arg.LimitOpt) + rows, err := q.db.QueryContext(ctx, paginatedOrganizationMembers, + arg.OrganizationID, + arg.IncludeSystem, + arg.OffsetOpt, + arg.LimitOpt, + ) if err != nil { return nil, err } diff --git a/coderd/database/queries/organizationmembers.sql b/coderd/database/queries/organizationmembers.sql index 9d570bc1c49ee..692280415f1ea 100644 --- a/coderd/database/queries/organizationmembers.sql +++ b/coderd/database/queries/organizationmembers.sql @@ -89,6 +89,12 @@ WHERE organization_id = @organization_id ELSE true END + -- Filter by system type + AND CASE + WHEN @include_system::bool THEN TRUE + ELSE + is_system = false + END ORDER BY -- Deterministic and consistent ordering of all users. This is to ensure consistent pagination. LOWER(username) ASC OFFSET @offset_opt diff --git a/coderd/members.go b/coderd/members.go index 5a031fe7eab90..db4a81a31a8bb 100644 --- a/coderd/members.go +++ b/coderd/members.go @@ -161,7 +161,7 @@ func (api *API) listMembers(rw http.ResponseWriter, r *http.Request) { members, err := api.Database.OrganizationMembers(ctx, database.OrganizationMembersParams{ OrganizationID: organization.ID, UserID: uuid.Nil, - IncludeSystem: false, + IncludeSystem: true, }) if httpapi.Is404Error(err) { httpapi.ResourceNotFound(rw) @@ -203,6 +203,7 @@ func (api *API) paginatedMembers(rw http.ResponseWriter, r *http.Request) { paginatedMemberRows, err := api.Database.PaginatedOrganizationMembers(ctx, database.PaginatedOrganizationMembersParams{ OrganizationID: organization.ID, + IncludeSystem: true, // #nosec G115 - Pagination limits are small and fit in int32 LimitOpt: int32(paginationParams.Limit), // #nosec G115 - Pagination offsets are small and fit in int32 diff --git a/coderd/members_test.go b/coderd/members_test.go index bc892bb0679d4..5e7032ba20b1c 100644 --- a/coderd/members_test.go +++ b/coderd/members_test.go @@ -7,6 +7,7 @@ import ( "github.com/stretchr/testify/require" "github.com/coder/coder/v2/coderd/coderdtest" + "github.com/coder/coder/v2/coderd/database" "github.com/coder/coder/v2/coderd/database/db2sdk" "github.com/coder/coder/v2/coderd/rbac" "github.com/coder/coder/v2/codersdk" @@ -62,9 +63,9 @@ func TestListMembers(t *testing.T) { ctx := testutil.Context(t, testutil.WaitShort) members, err := client.OrganizationMembers(ctx, first.OrganizationID) require.NoError(t, err) - require.Len(t, members, 2) + require.Len(t, members, 3) require.ElementsMatch(t, - []uuid.UUID{first.UserID, user.ID}, + []uuid.UUID{first.UserID, user.ID, database.PrebuildsSystemUserID}, db2sdk.List(members, onlyIDs)) }) } diff --git a/enterprise/coderd/roles_test.go b/enterprise/coderd/roles_test.go index 70c432755f7fa..79dbf4ed2c98a 100644 --- a/enterprise/coderd/roles_test.go +++ b/enterprise/coderd/roles_test.go @@ -11,6 +11,7 @@ import ( "github.com/stretchr/testify/require" "github.com/coder/coder/v2/coderd/coderdtest" + "github.com/coder/coder/v2/coderd/database" "github.com/coder/coder/v2/coderd/database/db2sdk" "github.com/coder/coder/v2/coderd/rbac" "github.com/coder/coder/v2/codersdk" @@ -360,9 +361,9 @@ func TestCustomOrganizationRole(t *testing.T) { // Verify members have the custom role originalMembers, err := orgAdmin.OrganizationMembers(ctx, first.OrganizationID) require.NoError(t, err) - require.Len(t, originalMembers, 5) // 3 members + org admin + owner + require.Len(t, originalMembers, 6) // 3 members + org admin + owner + prebuilds system user for _, member := range originalMembers { - if member.UserID == orgAdminUser.ID || member.UserID == first.UserID { + if member.UserID == orgAdminUser.ID || member.UserID == first.UserID || member.UserID == database.PrebuildsSystemUserID { continue } @@ -377,7 +378,7 @@ func TestCustomOrganizationRole(t *testing.T) { // Verify the role was removed from all members members, err := orgAdmin.OrganizationMembers(ctx, first.OrganizationID) require.NoError(t, err) - require.Len(t, members, 5) // 3 members + org admin + owner + require.Len(t, members, 6) // 3 members + org admin + owner + prebuilds system user for _, member := range members { require.False(t, slices.ContainsFunc(member.Roles, func(role codersdk.SlimRole) bool { return role.Name == customRoleIdentifier.Name From 1cd68e3df3411cf7fe241e8d2618b53973b556b5 Mon Sep 17 00:00:00 2001 From: Sas Swart Date: Tue, 29 Jul 2025 07:33:17 +0000 Subject: [PATCH 4/5] create a prebuilds group in every org that needs it --- coderd/database/dbauthz/dbauthz.go | 8 + .../prebuilt-workspaces.md | 8 +- enterprise/coderd/prebuilds/membership.go | 71 +++-- .../coderd/prebuilds/membership_test.go | 242 ++++++++++++------ 4 files changed, 233 insertions(+), 96 deletions(-) diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go index 55665b4381862..438cc7c30359c 100644 --- a/coderd/database/dbauthz/dbauthz.go +++ b/coderd/database/dbauthz/dbauthz.go @@ -467,6 +467,14 @@ var ( rbac.ResourceFile.Type: { policy.ActionRead, }, + rbac.ResourceGroup.Type: { + policy.ActionRead, + policy.ActionCreate, + policy.ActionUpdate, + }, + rbac.ResourceGroupMember.Type: { + policy.ActionRead, + }, }), }, }), diff --git a/docs/admin/templates/extending-templates/prebuilt-workspaces.md b/docs/admin/templates/extending-templates/prebuilt-workspaces.md index 8e61687ce0f01..70161f687ba76 100644 --- a/docs/admin/templates/extending-templates/prebuilt-workspaces.md +++ b/docs/admin/templates/extending-templates/prebuilt-workspaces.md @@ -235,12 +235,18 @@ The system always maintains the desired number of prebuilt workspaces for the ac ### Managing resource quotas -Prebuilt workspaces can be used in conjunction with [resource quotas](../../users/quotas.md). +To help prevent unexpected infrastructure costs, prebuilt workspaces can be used in conjunction with [resource quotas](../../users/quotas.md). Because unclaimed prebuilt workspaces are owned by the `prebuilds` user, you can: 1. Configure quotas for any group that includes this user. 1. Set appropriate limits to balance prebuilt workspace availability with resource constraints. +When prebuilt workspaces are configured for an organization, Coder creates a "prebuilds" group in that organization and adds the prebuilds user to it. This group has a default quota allowance of 0, which you should adjust based on your needs: + +- **Set a quota allowance** on the "prebuilds" group to control how many prebuilt workspaces can be provisioned +- **Monitor usage** to ensure the quota is appropriate for your desired number of prebuilt instances +- **Adjust as needed** based on your template costs and desired prebuilt workspace pool size + If a quota is exceeded, the prebuilt workspace will fail provisioning the same way other workspaces do. ### Template configuration best practices diff --git a/enterprise/coderd/prebuilds/membership.go b/enterprise/coderd/prebuilds/membership.go index 079711bcbcc49..9b41d68787ea1 100644 --- a/enterprise/coderd/prebuilds/membership.go +++ b/enterprise/coderd/prebuilds/membership.go @@ -44,37 +44,74 @@ func (s StoreMembershipReconciler) ReconcileAll(ctx context.Context, userID uuid return xerrors.Errorf("determine prebuild organization membership: %w", err) } - systemUserMemberships := make(map[uuid.UUID]struct{}, 0) + orgMemberShips := make(map[uuid.UUID]struct{}, 0) defaultOrg, err := s.store.GetDefaultOrganization(ctx) if err != nil { return xerrors.Errorf("get default organization: %w", err) } - systemUserMemberships[defaultOrg.ID] = struct{}{} + orgMemberShips[defaultOrg.ID] = struct{}{} for _, o := range organizationMemberships { - systemUserMemberships[o.ID] = struct{}{} + orgMemberShips[o.ID] = struct{}{} } var membershipInsertionErrors error for _, preset := range presets { - _, alreadyMember := systemUserMemberships[preset.OrganizationID] - if alreadyMember { - continue + _, alreadyOrgMember := orgMemberShips[preset.OrganizationID] + if !alreadyOrgMember { + // Add the organization to our list of memberships regardless of potential failure below + // to avoid a retry that will probably be doomed anyway. + orgMemberShips[preset.OrganizationID] = struct{}{} + + // Insert the missing membership + _, err = s.store.InsertOrganizationMember(ctx, database.InsertOrganizationMemberParams{ + OrganizationID: preset.OrganizationID, + UserID: userID, + CreatedAt: s.clock.Now(), + UpdatedAt: s.clock.Now(), + Roles: []string{}, + }) + if err != nil { + membershipInsertionErrors = errors.Join(membershipInsertionErrors, xerrors.Errorf("insert membership for prebuilt workspaces: %w", err)) + continue + } } - // Add the organization to our list of memberships regardless of potential failure below - // to avoid a retry that will probably be doomed anyway. - systemUserMemberships[preset.OrganizationID] = struct{}{} - // Insert the missing membership - _, err = s.store.InsertOrganizationMember(ctx, database.InsertOrganizationMemberParams{ + // Create a "prebuilds" group in the organization and add the system user to it + // This group will have a quota of 0 by default, which users can adjust based on their needs + prebuildsGroup, err := s.store.InsertGroup(ctx, database.InsertGroupParams{ + ID: uuid.New(), + Name: "prebuilds", + DisplayName: "Prebuilds", OrganizationID: preset.OrganizationID, - UserID: userID, - CreatedAt: s.clock.Now(), - UpdatedAt: s.clock.Now(), - Roles: []string{}, + AvatarURL: "", + QuotaAllowance: 0, // Default quota of 0, users should set this based on their needs + }) + if err != nil { + // If the group already exists, try to get it + if !database.IsUniqueViolation(err) { + membershipInsertionErrors = errors.Join(membershipInsertionErrors, xerrors.Errorf("create prebuilds group: %w", err)) + continue + } + prebuildsGroup, err = s.store.GetGroupByOrgAndName(ctx, database.GetGroupByOrgAndNameParams{ + OrganizationID: preset.OrganizationID, + Name: "prebuilds", + }) + if err != nil { + membershipInsertionErrors = errors.Join(membershipInsertionErrors, xerrors.Errorf("get existing prebuilds group: %w", err)) + continue + } + } + + // Add the system user to the prebuilds group + err = s.store.InsertGroupMember(ctx, database.InsertGroupMemberParams{ + GroupID: prebuildsGroup.ID, + UserID: userID, }) if err != nil { - membershipInsertionErrors = errors.Join(membershipInsertionErrors, xerrors.Errorf("insert membership for prebuilt workspaces: %w", err)) - continue + // Ignore unique violation errors as the user might already be in the group + if !database.IsUniqueViolation(err) { + membershipInsertionErrors = errors.Join(membershipInsertionErrors, xerrors.Errorf("add system user to prebuilds group: %w", err)) + } } } return membershipInsertionErrors diff --git a/enterprise/coderd/prebuilds/membership_test.go b/enterprise/coderd/prebuilds/membership_test.go index 82d2abf92a4d8..06fe4af576fc6 100644 --- a/enterprise/coderd/prebuilds/membership_test.go +++ b/enterprise/coderd/prebuilds/membership_test.go @@ -1,18 +1,23 @@ package prebuilds_test import ( - "context" + "database/sql" + "errors" "testing" "github.com/google/uuid" "github.com/stretchr/testify/require" + "tailscale.com/types/ptr" "github.com/coder/quartz" + "github.com/coder/coder/v2/coderd/coderdtest" "github.com/coder/coder/v2/coderd/database" + "github.com/coder/coder/v2/coderd/database/dbauthz" "github.com/coder/coder/v2/coderd/database/dbgen" "github.com/coder/coder/v2/coderd/database/dbtestutil" "github.com/coder/coder/v2/enterprise/coderd/prebuilds" + "github.com/coder/coder/v2/testutil" ) // TestReconcileAll verifies that StoreMembershipReconciler correctly updates membership @@ -20,7 +25,7 @@ import ( func TestReconcileAll(t *testing.T) { t.Parallel() - ctx := context.Background() + ctx := dbauthz.AsPrebuildsOrchestrator(testutil.Context(t, testutil.WaitLong)) clock := quartz.NewMock(t) // Helper to build a minimal Preset row belonging to a given org. @@ -32,87 +37,168 @@ func TestReconcileAll(t *testing.T) { } tests := []struct { - name string - includePreset bool - preExistingMembership bool + name string + includePreset []bool + preExistingOrgMembership []bool + preExistingGroup []bool + preExistingGroupMembership []bool + // Expected outcomes + expectOrgMembershipExists *bool + expectGroupExists *bool + expectUserInGroup *bool }{ - // The StoreMembershipReconciler acts based on the provided agplprebuilds.GlobalSnapshot. - // These test cases must therefore trust any valid snapshot, so the only relevant functional test cases are: - - // No presets to act on and the prebuilds user does not belong to any organizations. - // Reconciliation should be a no-op - {name: "no presets, no memberships", includePreset: false, preExistingMembership: false}, - // If we have a preset that requires prebuilds, but the prebuilds user is not a member of - // that organization, then we should add the membership. - {name: "preset, but no membership", includePreset: true, preExistingMembership: false}, - // If the prebuilds system user is already a member of the organization to which a preset belongs, - // then reconciliation should be a no-op: - {name: "preset, but already a member", includePreset: true, preExistingMembership: true}, - // If the prebuilds system user is a member of an organization that doesn't have need any prebuilds, - // then it must have required prebuilds in the past. The membership is not currently necessary, but - // the reconciler won't remove it, because there's little cost to keeping it and prebuilds might be - // enabled again. - {name: "member, but no presets", includePreset: false, preExistingMembership: true}, + { + name: "if there are no presets, membership reconciliation is a no-op", + includePreset: []bool{false}, + preExistingOrgMembership: []bool{true, false}, + preExistingGroup: []bool{true, false}, + preExistingGroupMembership: []bool{true, false}, + expectOrgMembershipExists: ptr.To(false), + expectGroupExists: ptr.To(false), + }, + { + name: "if there is a preset, then we should enforce org and group membership in all cases", + includePreset: []bool{true}, + preExistingOrgMembership: []bool{true, false}, + preExistingGroup: []bool{true, false}, + preExistingGroupMembership: []bool{true, false}, + expectOrgMembershipExists: ptr.To(true), + expectGroupExists: ptr.To(true), + expectUserInGroup: ptr.To(true), + }, } for _, tc := range tests { - t.Run(tc.name, func(t *testing.T) { - t.Parallel() - - db, _ := dbtestutil.NewDB(t) - - defaultOrg, err := db.GetDefaultOrganization(ctx) - require.NoError(t, err) - - // introduce an unrelated organization to ensure that the membership reconciler don't interfere with it. - unrelatedOrg := dbgen.Organization(t, db, database.Organization{}) - targetOrg := dbgen.Organization(t, db, database.Organization{}) - - if !dbtestutil.WillUsePostgres() { - // dbmem doesn't ensure membership to the default organization - dbgen.OrganizationMember(t, db, database.OrganizationMember{ - OrganizationID: defaultOrg.ID, - UserID: database.PrebuildsSystemUserID, - }) - } - - dbgen.OrganizationMember(t, db, database.OrganizationMember{OrganizationID: unrelatedOrg.ID, UserID: database.PrebuildsSystemUserID}) - if tc.preExistingMembership { - // System user already a member of both orgs. - dbgen.OrganizationMember(t, db, database.OrganizationMember{OrganizationID: targetOrg.ID, UserID: database.PrebuildsSystemUserID}) + tc := tc + for _, includePreset := range tc.includePreset { + includePreset := includePreset + for _, preExistingOrgMembership := range tc.preExistingOrgMembership { + preExistingOrgMembership := preExistingOrgMembership + for _, preExistingGroup := range tc.preExistingGroup { + preExistingGroup := preExistingGroup + for _, preExistingGroupMembership := range tc.preExistingGroupMembership { + preExistingGroupMembership := preExistingGroupMembership + t.Run(tc.name, func(t *testing.T) { + t.Parallel() + + _, db := coderdtest.NewWithDatabase(t, nil) + + defaultOrg, err := db.GetDefaultOrganization(ctx) + require.NoError(t, err) + + // introduce an unrelated organization to ensure that the membership reconciler don't interfere with it. + unrelatedOrg := dbgen.Organization(t, db, database.Organization{}) + targetOrg := dbgen.Organization(t, db, database.Organization{}) + + if !dbtestutil.WillUsePostgres() { + // dbmem doesn't ensure membership to the default organization + dbgen.OrganizationMember(t, db, database.OrganizationMember{ + OrganizationID: defaultOrg.ID, + UserID: database.PrebuildsSystemUserID, + }) + } + + // Ensure membership to unrelated org. + dbgen.OrganizationMember(t, db, database.OrganizationMember{OrganizationID: unrelatedOrg.ID, UserID: database.PrebuildsSystemUserID}) + + if preExistingOrgMembership { + // System user already a member of both orgs. + dbgen.OrganizationMember(t, db, database.OrganizationMember{OrganizationID: targetOrg.ID, UserID: database.PrebuildsSystemUserID}) + } + + // Create pre-existing prebuilds group if required by test case + var prebuildsGroup database.Group + if preExistingGroup { + prebuildsGroup = dbgen.Group(t, db, database.Group{ + Name: "prebuilds", + DisplayName: "Prebuilds", + OrganizationID: targetOrg.ID, + QuotaAllowance: 0, + }) + + // Add the system user to the group if preExistingGroupMembership is true + if preExistingGroupMembership { + dbgen.GroupMember(t, db, database.GroupMemberTable{ + GroupID: prebuildsGroup.ID, + UserID: database.PrebuildsSystemUserID, + }) + } + } + + presets := []database.GetTemplatePresetsWithPrebuildsRow{newPresetRow(unrelatedOrg.ID)} + if includePreset { + presets = append(presets, newPresetRow(targetOrg.ID)) + } + + // Verify memberships before reconciliation. + preReconcileMemberships, err := db.GetOrganizationsByUserID(ctx, database.GetOrganizationsByUserIDParams{ + UserID: database.PrebuildsSystemUserID, + }) + require.NoError(t, err) + expectedMembershipsBefore := []uuid.UUID{defaultOrg.ID, unrelatedOrg.ID} + if preExistingOrgMembership { + expectedMembershipsBefore = append(expectedMembershipsBefore, targetOrg.ID) + } + require.ElementsMatch(t, expectedMembershipsBefore, extractOrgIDs(preReconcileMemberships)) + + // Reconcile + reconciler := prebuilds.NewStoreMembershipReconciler(db, clock) + require.NoError(t, reconciler.ReconcileAll(ctx, database.PrebuildsSystemUserID, presets)) + + // Verify memberships after reconciliation. + postReconcileMemberships, err := db.GetOrganizationsByUserID(ctx, database.GetOrganizationsByUserIDParams{ + UserID: database.PrebuildsSystemUserID, + }) + require.NoError(t, err) + expectedMembershipsAfter := expectedMembershipsBefore + if !preExistingOrgMembership && tc.expectOrgMembershipExists != nil && *tc.expectOrgMembershipExists { + expectedMembershipsAfter = append(expectedMembershipsAfter, targetOrg.ID) + } + require.ElementsMatch(t, expectedMembershipsAfter, extractOrgIDs(postReconcileMemberships)) + + // Verify prebuilds group behavior based on expected outcomes + prebuildsGroup, err = db.GetGroupByOrgAndName(ctx, database.GetGroupByOrgAndNameParams{ + OrganizationID: targetOrg.ID, + Name: "prebuilds", + }) + if tc.expectGroupExists != nil && *tc.expectGroupExists { + require.NoError(t, err) + require.Equal(t, "prebuilds", prebuildsGroup.Name) + require.Equal(t, "Prebuilds", prebuildsGroup.DisplayName) + require.Equal(t, int32(0), prebuildsGroup.QuotaAllowance) // Default quota should be 0 + + if tc.expectUserInGroup != nil && *tc.expectUserInGroup { + // Check that the system user is a member of the prebuilds group + groupMembers, err := db.GetGroupMembersByGroupID(ctx, database.GetGroupMembersByGroupIDParams{ + GroupID: prebuildsGroup.ID, + IncludeSystem: true, + }) + require.NoError(t, err) + require.Len(t, groupMembers, 1) + require.Equal(t, database.PrebuildsSystemUserID, groupMembers[0].UserID) + } + + if tc.expectUserInGroup != nil && !*tc.expectUserInGroup { + // Check that the system user is NOT a member of the prebuilds group + groupMembers, err := db.GetGroupMembersByGroupID(ctx, database.GetGroupMembersByGroupIDParams{ + GroupID: prebuildsGroup.ID, + IncludeSystem: true, + }) + require.NoError(t, err) + require.Len(t, groupMembers, 0) + } + } + + if !preExistingGroup && tc.expectGroupExists != nil && !*tc.expectGroupExists { + // Verify that no prebuilds group exists + require.Error(t, err) + require.True(t, errors.Is(err, sql.ErrNoRows)) + } + }) + } + } } - - presets := []database.GetTemplatePresetsWithPrebuildsRow{newPresetRow(unrelatedOrg.ID)} - if tc.includePreset { - presets = append(presets, newPresetRow(targetOrg.ID)) - } - - // Verify memberships before reconciliation. - preReconcileMemberships, err := db.GetOrganizationsByUserID(ctx, database.GetOrganizationsByUserIDParams{ - UserID: database.PrebuildsSystemUserID, - }) - require.NoError(t, err) - expectedMembershipsBefore := []uuid.UUID{defaultOrg.ID, unrelatedOrg.ID} - if tc.preExistingMembership { - expectedMembershipsBefore = append(expectedMembershipsBefore, targetOrg.ID) - } - require.ElementsMatch(t, expectedMembershipsBefore, extractOrgIDs(preReconcileMemberships)) - - // Reconcile - reconciler := prebuilds.NewStoreMembershipReconciler(db, clock) - require.NoError(t, reconciler.ReconcileAll(ctx, database.PrebuildsSystemUserID, presets)) - - // Verify memberships after reconciliation. - postReconcileMemberships, err := db.GetOrganizationsByUserID(ctx, database.GetOrganizationsByUserIDParams{ - UserID: database.PrebuildsSystemUserID, - }) - require.NoError(t, err) - expectedMembershipsAfter := expectedMembershipsBefore - if !tc.preExistingMembership && tc.includePreset { - expectedMembershipsAfter = append(expectedMembershipsAfter, targetOrg.ID) - } - require.ElementsMatch(t, expectedMembershipsAfter, extractOrgIDs(postReconcileMemberships)) - }) + } } } From 93c46e91a89006c96a0cbf5cbe377e7ab257c350 Mon Sep 17 00:00:00 2001 From: Sas Swart Date: Tue, 29 Jul 2025 10:04:38 +0000 Subject: [PATCH 5/5] add lint rule --- enterprise/coderd/prebuilds/membership_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/enterprise/coderd/prebuilds/membership_test.go b/enterprise/coderd/prebuilds/membership_test.go index 06fe4af576fc6..396bb55751242 100644 --- a/enterprise/coderd/prebuilds/membership_test.go +++ b/enterprise/coderd/prebuilds/membership_test.go @@ -25,6 +25,7 @@ import ( func TestReconcileAll(t *testing.T) { t.Parallel() + // nolint:gocritic // Reconciliation happens as prebuilds system user, not a human user. ctx := dbauthz.AsPrebuildsOrchestrator(testutil.Context(t, testutil.WaitLong)) clock := quartz.NewMock(t) pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy