chore: do not require site wide permission to use workspace apis

Emyrk · Emyrk · commit 08f3271c50a1 · 2025-05-07T14:53:30.000-05:00
Workspace apis scoped to an org should not require site wide perms.
Site wide perms should still work if the owner is not in an organzation
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -1076,7 +1076,7 @@ func New(options *Options) *API {
 
 						r.Group(func(r chi.Router) {
 							r.Use(
-								httpmw.ExtractOrganizationMemberParam(options.Database),
+								httpmw.ExtractOrganizationMemberParam(options.Database, api.HTTPAuth.Authorize),
 							)
 							r.Delete("/", api.deleteOrganizationMember)
 							r.Put("/roles", api.putMemberRoles)
@@ -1189,26 +1189,32 @@ func New(options *Options) *API {
 				})
 				r.Route("/{user}", func(r chi.Router) {
 					r.Group(func(r chi.Router) {
-						r.Use(httpmw.ExtractUserParamOptional(options.Database))
+						r.Use(httpmw.ExtractOrganizationMembersParam(options.Database, api.HTTPAuth.Authorize))
 						// Creating workspaces does not require permissions on the user, only the
 						// organization member. This endpoint should match the authz story of
 						// postWorkspacesByOrganization
 						r.Post("/workspaces", api.postUserWorkspaces)
+						r.Route("/workspace/{workspacename}", func(r chi.Router) {
+							r.Get("/", api.workspaceByOwnerAndName)
+							r.Get("/builds/{buildnumber}", api.workspaceBuildByBuildNumber)
+						})
+					})
+
+					r.Group(func(r chi.Router) {
+						r.Use(httpmw.ExtractUserParam(options.Database))
 
 						// Similarly to creating a workspace, evaluating parameters for a
 						// new workspace should also match the authz story of
 						// postWorkspacesByOrganization
+						// TODO: Do not require site wide read user permission. Make this work
+						//   with org member permissions.
 						r.Route("/templateversions/{templateversion}", func(r chi.Router) {
 							r.Use(
 								httpmw.ExtractTemplateVersionParam(options.Database),
 								httpmw.RequireExperiment(api.Experiments, codersdk.ExperimentDynamicParameters),
 							)
 							r.Get("/parameters", api.templateVersionDynamicParameters)
 						})
-					})
-
-					r.Group(func(r chi.Router) {
-						r.Use(httpmw.ExtractUserParam(options.Database))
 
 						r.Post("/convert-login", api.postConvertLoginType)
 						r.Delete("/", api.deleteUser)
@@ -1250,10 +1256,7 @@ func New(options *Options) *API {
 							r.Get("/", api.organizationsByUser)
 							r.Get("/{organizationname}", api.organizationByUserAndName)
 						})
-						r.Route("/workspace/{workspacename}", func(r chi.Router) {
-							r.Get("/", api.workspaceByOwnerAndName)
-							r.Get("/builds/{buildnumber}", api.workspaceBuildByBuildNumber)
-						})
+
 						r.Get("/gitsshkey", api.gitSSHKey)
 						r.Put("/gitsshkey", api.regenerateGitSSHKey)
 						r.Route("/notifications", func(r chi.Router) {
diff --git a/coderd/httpmw/organizationparam.go b/coderd/httpmw/organizationparam.go
@@ -11,12 +11,15 @@ import (
 	"github.com/coder/coder/v2/coderd/database"
 	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/coderd/httpapi"
+	"github.com/coder/coder/v2/coderd/rbac"
+	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/codersdk"
 )
 
 type (
-	organizationParamContextKey       struct{}
-	organizationMemberParamContextKey struct{}
+	organizationParamContextKey        struct{}
+	organizationMemberParamContextKey  struct{}
+	organizationMembersParamContextKey struct{}
 )
 
 // OrganizationParam returns the organization from the ExtractOrganizationParam handler.
@@ -38,6 +41,14 @@ func OrganizationMemberParam(r *http.Request) OrganizationMember {
 	return organizationMember
 }
 
+func OrganizationMembersParam(r *http.Request) OrganizationMembers {
+	organizationMembers, ok := r.Context().Value(organizationMembersParamContextKey{}).(OrganizationMembers)
+	if !ok {
+		panic("developer error: organization members param middleware not provided")
+	}
+	return organizationMembers
+}
+
 // ExtractOrganizationParam grabs an organization from the "organization" URL parameter.
 // This middleware requires the API key middleware higher in the call stack for authentication.
 func ExtractOrganizationParam(db database.Store) func(http.Handler) http.Handler {
@@ -107,39 +118,27 @@ type OrganizationMember struct {
 
 // ExtractOrganizationMemberParam grabs a user membership from the "organization" and "user" URL parameter.
 // This middleware requires the ExtractUser and ExtractOrganization middleware higher in the stack
-func ExtractOrganizationMemberParam(db database.Store) func(http.Handler) http.Handler {
+func ExtractOrganizationMemberParam(db database.Store, auth func(r *http.Request, action policy.Action, object rbac.Objecter) bool) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 			ctx := r.Context()
-			// We need to resolve the `{user}` URL parameter so that we can get the userID and
-			// username.  We do this as SystemRestricted since the caller might have permission
-			// to access the OrganizationMember object, but *not* the User object.  So, it is
-			// very important that we do not add the User object to the request context or otherwise
-			// leak it to the API handler.
-			// nolint:gocritic
-			user, ok := ExtractUserContext(dbauthz.AsSystemRestricted(ctx), db, rw, r)
-			if !ok {
-				return
-			}
 			organization := OrganizationParam(r)
-
-			organizationMember, err := database.ExpectOne(db.OrganizationMembers(ctx, database.OrganizationMembersParams{
-				OrganizationID: organization.ID,
-				UserID:         user.ID,
-				IncludeSystem:  false,
-			}))
-			if httpapi.Is404Error(err) {
-				httpapi.ResourceNotFound(rw)
+			_, members, done := ExtractOrganizationMember(ctx, auth, rw, r, db, organization.ID)
+			if done {
 				return
 			}
-			if err != nil {
+
+			if len(members) != 1 {
 				httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 					Message: "Internal error fetching organization member.",
-					Detail:  err.Error(),
+					// This is a developer error and should never happen.
+					Detail: fmt.Sprintf("Expected exactly one organization member, but got %d.", len(members)),
 				})
 				return
 			}
 
+			organizationMember := members[0]
+
 			ctx = context.WithValue(ctx, organizationMemberParamContextKey{}, OrganizationMember{
 				OrganizationMember: organizationMember.OrganizationMember,
 				// Here we're making two exceptions to the rule about not leaking data about the user
@@ -151,8 +150,105 @@ func ExtractOrganizationMemberParam(db database.Store) func(http.Handler) http.H
 				// API handlers need this information for audit logging and returning the owner's
 				// username in response to creating a workspace. Additionally, the frontend consumes
 				// the Avatar URL and this allows the FE to avoid an extra request.
-				Username:  user.Username,
-				AvatarURL: user.AvatarURL,
+				Username:  organizationMember.Username,
+				AvatarURL: organizationMember.AvatarURL,
+			})
+
+			next.ServeHTTP(rw, r.WithContext(ctx))
+		})
+	}
+}
+
+// ExtractOrganizationMember extracts all user memberships from the "user" URL
+// parameter. If orgID is uuid.Nil, then it will return all memberships for the
+// user, otherwise it will only return memberships to the org.
+//
+// If `user` is returned, that means the caller can use the data. This is returned because
+// it is possible to have a user with 0 organizations. So the user != nil, with 0 memberships.
+func ExtractOrganizationMember(ctx context.Context, auth func(r *http.Request, action policy.Action, object rbac.Objecter) bool, rw http.ResponseWriter, r *http.Request, db database.Store, orgID uuid.UUID) (*database.User, []database.OrganizationMembersRow, bool) {
+	// We need to resolve the `{user}` URL parameter so that we can get the userID and
+	// username.  We do this as SystemRestricted since the caller might have permission
+	// to access the OrganizationMember object, but *not* the User object.  So, it is
+	// very important that we do not add the User object to the request context or otherwise
+	// leak it to the API handler.
+	// nolint:gocritic
+	user, ok := ExtractUserContext(dbauthz.AsSystemRestricted(ctx), db, rw, r)
+	if !ok {
+		return nil, nil, true
+	}
+
+	organizationMembers, err := db.OrganizationMembers(ctx, database.OrganizationMembersParams{
+		OrganizationID: orgID,
+		UserID:         user.ID,
+		IncludeSystem:  false,
+	})
+	if httpapi.Is404Error(err) {
+		httpapi.ResourceNotFound(rw)
+		return nil, nil, true
+	}
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Internal error fetching organization member.",
+			Detail:  err.Error(),
+		})
+		return nil, nil, true
+	}
+
+	if auth(r, policy.ActionRead, user) {
+		return &user, organizationMembers, true
+	}
+
+	// If the user cannot be read and 0 memberships exist, throw a 404 to not
+	// leak the user existance.
+	if len(organizationMembers) == 0 {
+		httpapi.ResourceNotFound(rw)
+		return nil, nil, true
+	}
+
+	return nil, organizationMembers, false
+}
+
+type OrganizationMembers struct {
+	User        *database.User
+	Memberships []OrganizationMember
+}
+
+func (om OrganizationMembers) UserID() uuid.UUID {
+	if om.User != nil {
+		return om.User.ID
+	}
+
+	if len(om.Memberships) > 0 {
+		return om.Memberships[0].UserID
+	}
+	return uuid.Nil
+}
+
+// ExtractOrganizationMembersParam grabs all user organization memberships.
+// Only requires the "user" URL parameter.
+func ExtractOrganizationMembersParam(db database.Store, auth func(r *http.Request, action policy.Action, object rbac.Objecter) bool) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+			ctx := r.Context()
+
+			// Fetch all memberships
+			user, members, done := ExtractOrganizationMember(ctx, auth, rw, r, db, uuid.Nil)
+			if done {
+				return
+			}
+
+			orgMembers := make([]OrganizationMember, 0, len(members))
+			for _, organizationMember := range members {
+				orgMembers = append(orgMembers, OrganizationMember{
+					OrganizationMember: organizationMember.OrganizationMember,
+					Username:           organizationMember.Username,
+					AvatarURL:          organizationMember.AvatarURL,
+				})
+			}
+
+			ctx = context.WithValue(ctx, organizationMembersParamContextKey{}, OrganizationMembers{
+				User:        user,
+				Memberships: orgMembers,
 			})
 			next.ServeHTTP(rw, r.WithContext(ctx))
 		})
diff --git a/coderd/httpmw/organizationparam_test.go b/coderd/httpmw/organizationparam_test.go
@@ -16,6 +16,8 @@ import (
 	"github.com/coder/coder/v2/coderd/database/dbmem"
 	"github.com/coder/coder/v2/coderd/database/dbtime"
 	"github.com/coder/coder/v2/coderd/httpmw"
+	"github.com/coder/coder/v2/coderd/rbac"
+	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/coder/v2/testutil"
 )
@@ -129,7 +131,9 @@ func TestOrganizationParam(t *testing.T) {
 			}),
 			httpmw.ExtractUserParam(db),
 			httpmw.ExtractOrganizationParam(db),
-			httpmw.ExtractOrganizationMemberParam(db),
+			httpmw.ExtractOrganizationMemberParam(db, func(r *http.Request, _ policy.Action, _ rbac.Objecter) bool {
+				return true
+			}),
 		)
 		rtr.Get("/", nil)
 		rtr.ServeHTTP(rw, r)
@@ -166,7 +170,12 @@ func TestOrganizationParam(t *testing.T) {
 			}),
 			httpmw.ExtractOrganizationParam(db),
 			httpmw.ExtractUserParam(db),
-			httpmw.ExtractOrganizationMemberParam(db),
+			httpmw.ExtractOrganizationMemberParam(db, func(r *http.Request, _ policy.Action, _ rbac.Objecter) bool {
+				return true
+			}),
+			httpmw.ExtractOrganizationMembersParam(db, func(r *http.Request, _ policy.Action, _ rbac.Objecter) bool {
+				return true
+			}),
 		)
 		rtr.Get("/", func(rw http.ResponseWriter, r *http.Request) {
 			org := httpmw.OrganizationParam(r)
@@ -190,6 +199,10 @@ func TestOrganizationParam(t *testing.T) {
 			assert.NotEmpty(t, orgMem.OrganizationMember.UpdatedAt)
 			assert.NotEmpty(t, orgMem.OrganizationMember.UserID)
 			assert.NotEmpty(t, orgMem.OrganizationMember.Roles)
+
+			orgMems := httpmw.OrganizationMembersParam(r)
+			assert.NotZero(t, orgMems)
+			assert.Equal(t, orgMem.UserID, orgMems[0].UserID)
 		})
 
 		// Try by ID
diff --git a/coderd/httpmw/userparam.go b/coderd/httpmw/userparam.go
@@ -9,6 +9,7 @@ import (
 	"github.com/google/uuid"
 
 	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/dbauthz"
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/codersdk"
 )
@@ -128,3 +129,57 @@ func ExtractUserContext(ctx context.Context, db database.Store, rw http.Response
 	}
 	return user, true
 }
+
+// ExtractUserID will work if the requester can access any OrganizationMember that
+// belongs to the user.
+func ExtractUserID(db database.Store) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+			ctx := r.Context()
+			// We need to resolve the `{user}` URL parameter so that we can get the userID and
+			// username.  We do this as SystemRestricted since the caller might have permission
+			// to access the OrganizationMember object, but *not* the User object.  So, it is
+			// very important that we do not add the User object to the request context or otherwise
+			// leak it to the API handler.
+			// nolint:gocritic
+			user, ok := ExtractUserContext(dbauthz.AsSystemRestricted(ctx), db, rw, r)
+			if !ok {
+				return
+			}
+			organization := OrganizationParam(r)
+
+			organizationMember, err := database.ExpectOne(db.OrganizationMembers(ctx, database.OrganizationMembersParams{
+				OrganizationID: organization.ID,
+				UserID:         user.ID,
+				IncludeSystem:  false,
+			}))
+			if httpapi.Is404Error(err) {
+				httpapi.ResourceNotFound(rw)
+				return
+			}
+			if err != nil {
+				httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+					Message: "Internal error fetching organization member.",
+					Detail:  err.Error(),
+				})
+				return
+			}
+
+			ctx = context.WithValue(ctx, organizationMemberParamContextKey{}, OrganizationMember{
+				OrganizationMember: organizationMember.OrganizationMember,
+				// Here we're making two exceptions to the rule about not leaking data about the user
+				// to the API handler, which is to include the username and avatar URL.
+				// If the caller has permission to read the OrganizationMember, then we're explicitly
+				// saying here that they also have permission to see the member's username and avatar.
+				// This is OK!
+				//
+				// API handlers need this information for audit logging and returning the owner's
+				// username in response to creating a workspace. Additionally, the frontend consumes
+				// the Avatar URL and this allows the FE to avoid an extra request.
+				Username:  user.Username,
+				AvatarURL: user.AvatarURL,
+			})
+			next.ServeHTTP(rw, r.WithContext(ctx))
+		})
+	}
+}
diff --git a/coderd/workspacebuilds.go b/coderd/workspacebuilds.go
@@ -232,7 +232,7 @@ func (api *API) workspaceBuilds(rw http.ResponseWriter, r *http.Request) {
 // @Router /users/{user}/workspace/{workspacename}/builds/{buildnumber} [get]
 func (api *API) workspaceBuildByBuildNumber(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
-	owner := httpmw.UserParam(r)
+	mems := httpmw.OrganizationMembersParam(r)
 	workspaceName := chi.URLParam(r, "workspacename")
 	buildNumber, err := strconv.ParseInt(chi.URLParam(r, "buildnumber"), 10, 32)
 	if err != nil {
@@ -244,7 +244,7 @@ func (api *API) workspaceBuildByBuildNumber(rw http.ResponseWriter, r *http.Requ
 	}
 
 	workspace, err := api.Database.GetWorkspaceByOwnerIDAndName(ctx, database.GetWorkspaceByOwnerIDAndNameParams{
-		OwnerID: owner.ID,
+		OwnerID: mems.UserID(),
 		Name:    workspaceName,
 	})
 	if httpapi.Is404Error(err) {
diff --git a/coderd/workspaces.go b/coderd/workspaces.go
