feat: Allow only workspace owner connections #6875

bensejas
Contributor

Draft

This is a draft and I need some feedback. I suspect the best way to do this might be via permissions and RBAC, but I need some guidance here.

Context

Currently, the owner role has the ability to connect to all workspaces. This is not ideal from a security perspective because it increases exposure as a compromised admin account has access to workspaces and can perform malicious actions.

Intent

We want to only allow the workspace owner to have the ability to connect to their workspace.

Changes

  • Adding a server option CODER_WORKSPACE_OWNER_CONNECTION_ONLY to only allow workspace owners connection to their workspaces

TODO

  • Write tests
  • Remove agent apps from the UI when non-owner views workspace (e.g. Terminal Link, SSH button)
  • Handle connection errors when attempting to SSH

@github-actions

github-actions bot commented Mar 30, 2023

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

@bensejas
Contributor Author

I have read the CLA Document and I hereby sign the CLA

cdrcommunity added a commit to coder/cla that referenced this pull request Mar 30, 2023
@kylecarbs
Member

@bensejas love the contribution!

Seems reasonable to me... we actually have an RBAC permission that controls workspace connectivity, so this should actually be super easy to pipe through.

@Emyrk can you provide some thoughts on how we do this? We're also happy to take this over, since it might be a bit involved.

@Emyrk
Member

Emyrk commented Mar 30, 2023

We do this for owner's app sharing, we can do something similar for workspace connectivity as well:

coder/codersdk/deployment.go

Lines 1102 to 1110 in 665b84d

{
	Name:        "DANGEROUS: Allow Site Owners to Access Path Apps",
	Description: "Allow site-owners to access workspace apps from workspaces they do not own. Owners cannot access path-based apps they do not own by default. Path-based apps can make requests to the Coder API and pose a security risk when the workspace serves malicious JavaScript. Path-based apps can be disabled entirely with --disable-path-apps for further security.",
	Flag:        "dangerous-allow-path-app-site-owner-access",
	Env:         "CODER_DANGEROUS_ALLOW_PATH_APP_SITE_OWNER_ACCESS",
	Value:       &c.Dangerous.AllowPathAppSiteOwnerAccess,
	Group:       &deploymentGroupDangerous,
},

@kylecarbs
Member

@Emyrk do you have time to take this over and implement it? The config flag seems reasonable from my perspective.

@Emyrk
Member

Emyrk commented Mar 30, 2023

Would you ever want to support sharing workspaces?

Phrased differently, are you intending to reduce the scope of the Owner role, or permanently lock workspaces to their owners?

@Emyrk
Member

Emyrk commented Mar 30, 2023

> @Emyrk do you have time to take this over and implement it? The config flag seems reasonable from my perspective.

I can implement this, yes. Just want to know what the end goal is. The way it is currently implemented does more than just reduce the owner role. It prevents any other access by any other means we might invent later. (E.g. workspace proxies, maybe.)

@bensejas
Contributor Author

> We're also happy to take this over

Fantastic 🎉 Thank you!

@Emyrk
Member

Emyrk commented Apr 7, 2023

I am going to implement this in Golang. To do this in rbac would be to allow us to reduce the scope of * or actually expand it in the roles. We are currently lazy:

ResourceWildcard.Type: {WildcardSymbol},

I will do it in Go, and maybe we can revisit doing this in RBAC/rego.
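
Added example, not part of the thread and not Coder's code: a Go sketch of the approach described in the comment above, where a deployment option gates workspace connections in code while the site-owner role keeps its wildcard grant. Because the check runs before roles are read, it also shows the earlier point that such a gate blocks any access path added later. All type, function and action names are hypothetical, and the workspace owner is assumed to be allowed every action.

```go
package main

import "fmt"

// All names here are hypothetical; this is not Coder's rbac package.
type Action string

const (
	Wildcard             = "*"
	ActionRead    Action = "read"
	ActionConnect Action = "connect" // SSH, web terminal, workspace apps
)

// Role maps a resource type to the actions it grants; "*" matches anything.
type Role map[string][]Action

var SiteOwner = Role{Wildcard: {Action(Wildcard)}} // blanket grant, as quoted in the thread

func (r Role) allows(resource string, a Action) bool {
	for _, key := range []string{resource, Wildcard} {
		for _, granted := range r[key] {
			if granted == a || granted == Action(Wildcard) {
				return true
			}
		}
	}
	return false
}

// Authorize: ownerOnly stands in for the proposed server option. Connect is then
// settled on ownership alone, before any role is read, so no role can grant it back.
func Authorize(subjectID string, roles []Role, a Action, ownerID string, ownerOnly bool) bool {
	if subjectID == ownerID {
		return true
	}
	if ownerOnly && a == ActionConnect {
		return false
	}
	for _, r := range roles {
		if r.allows("workspace", a) {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println("admin connect, option on:", Authorize("admin", []Role{SiteOwner}, ActionConnect, "alice", true))
}
```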

@Emyrk
Member

Emyrk commented Apr 11, 2023

Sorry for the delay, I did this here: #7050

@Emyrk Emyrk closed this Apr 11, 2023
@github-actions github-actions bot locked and limited conversation to collaborators Apr 11, 2023