fix: correct perms for forbidden error in TemplateScheduleStore.Load (coder#11286)

Emyrk · web-flow · commit fe867d02e088 · 2023-12-20T11:38:49.000-06:00
* chore: TemplateScheduleStore.Load() throwing forbidden error
* fix: workspace agent scope to include template
diff --git a/coderd/agentapi/stats.go b/coderd/agentapi/stats.go
@@ -61,7 +61,7 @@ func (a *StatsAPI) UpdateStats(ctx context.Context, req *agentproto.UpdateStatsR
 			templateSchedule, err := (*(a.TemplateScheduleStore.Load())).Get(ctx, a.Database, workspace.TemplateID)
 			// If the template schedule fails to load, just default to bumping without the next trasition and log it.
 			if err != nil {
-				a.Log.Warn(ctx, "failed to load template schedule bumping activity, defaulting to bumping by 60min",
+				a.Log.Error(ctx, "failed to load template schedule bumping activity, defaulting to bumping by 60min",
 					slog.F("workspace_id", workspace.ID),
 					slog.F("template_id", workspace.TemplateID),
 					slog.Error(err),
diff --git a/coderd/database/dbmem/dbmem.go b/coderd/database/dbmem/dbmem.go
@@ -3796,6 +3796,7 @@ func (q *FakeQuerier) GetWorkspaceAgentAndOwnerByAuthToken(_ context.Context, au
 					}
 					var row database.GetWorkspaceAgentAndOwnerByAuthTokenRow
 					row.WorkspaceID = ws.ID
+					row.TemplateID = ws.TemplateID
 					usr, err := q.getUserByIDNoLock(ws.OwnerID)
 					if err != nil {
 						return database.GetWorkspaceAgentAndOwnerByAuthTokenRow{}, sql.ErrNoRows
@@ -3805,6 +3806,7 @@ func (q *FakeQuerier) GetWorkspaceAgentAndOwnerByAuthToken(_ context.Context, au
 					// We also need to get org roles for the user
 					row.OwnerName = usr.Username
 					row.WorkspaceAgent = agt
+					row.TemplateVersionID = build.TemplateVersionID
 					for _, mem := range q.organizationMembers {
 						if mem.UserID == usr.ID {
 							row.OwnerRoles = append(row.OwnerRoles, fmt.Sprintf("organization-member:%s", mem.OrganizationID.String()))
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
diff --git a/coderd/database/queries/workspaceagents.sql b/coderd/database/queries/workspaceagents.sql
@@ -219,6 +219,8 @@ SELECT
 	users.id AS owner_id,
 	users.username AS owner_name,
 	users.status AS owner_status,
+	workspaces.template_id AS template_id,
+	workspace_builds.template_version_id AS template_version_id,
 	array_cat(
 		array_append(users.rbac_roles, 'member'),
 		array_append(ARRAY[]::text[], 'organization-member:' || organization_members.organization_id::text)
@@ -261,7 +263,8 @@ GROUP BY
 	workspaces.id,
 	users.id,
 	organization_members.organization_id,
-	workspace_builds.build_number
+	workspace_builds.build_number,
+	workspace_builds.template_version_id
 ORDER BY
 	workspace_builds.build_number DESC
 LIMIT 1;
diff --git a/coderd/httpmw/workspaceagent.go b/coderd/httpmw/workspaceagent.go
@@ -97,7 +97,12 @@ func ExtractWorkspaceAgent(opts ExtractWorkspaceAgentConfig) func(http.Handler)
 				ID:     row.OwnerID.String(),
 				Roles:  rbac.RoleNames(row.OwnerRoles),
 				Groups: row.OwnerGroups,
-				Scope:  rbac.WorkspaceAgentScope(row.WorkspaceID, row.OwnerID),
+				Scope: rbac.WorkspaceAgentScope(rbac.WorkspaceAgentScopeParams{
+					WorkspaceID: row.WorkspaceID,
+					OwnerID:     row.OwnerID,
+					TemplateID:  row.TemplateID,
+					VersionID:   row.TemplateVersionID,
+				}),
 			}.WithCachedASTValue()
 
 			ctx = context.WithValue(ctx, workspaceAgentContextKey{}, row.WorkspaceAgent)
diff --git a/coderd/prometheusmetrics/prometheusmetrics_test.go b/coderd/prometheusmetrics/prometheusmetrics_test.go
@@ -394,12 +394,14 @@ func TestAgentStats(t *testing.T) {
 	require.NoError(t, err, "create stats batcher failed")
 	t.Cleanup(closeBatcher)
 
+	tLogger := slogtest.Make(t, nil)
 	// Build sample workspaces with test agents and fake agent client
 	client, _, _ := coderdtest.NewWithAPI(t, &coderdtest.Options{
 		Database:                 db,
 		IncludeProvisionerDaemon: true,
 		Pubsub:                   pubsub,
 		StatsBatcher:             batcher,
+		Logger:                   &tLogger,
 	})
 
 	user := coderdtest.CreateFirstUser(t, client)
diff --git a/coderd/rbac/scopes.go b/coderd/rbac/scopes.go
@@ -8,10 +8,21 @@ import (
 	"golang.org/x/xerrors"
 )
 
+type WorkspaceAgentScopeParams struct {
+	WorkspaceID uuid.UUID
+	OwnerID     uuid.UUID
+	TemplateID  uuid.UUID
+	VersionID   uuid.UUID
+}
+
 // WorkspaceAgentScope returns a scope that is the same as ScopeAll but can only
 // affect resources in the allow list. Only a scope is returned as the roles
 // should come from the workspace owner.
-func WorkspaceAgentScope(workspaceID, ownerID uuid.UUID) Scope {
+func WorkspaceAgentScope(params WorkspaceAgentScopeParams) Scope {
+	if params.WorkspaceID == uuid.Nil || params.OwnerID == uuid.Nil || params.TemplateID == uuid.Nil || params.VersionID == uuid.Nil {
+		panic("all uuids must be non-nil, this is a developer error")
+	}
+
 	allScope, err := ScopeAll.Expand()
 	if err != nil {
 		panic("failed to expand scope all, this should never happen")
@@ -23,10 +34,13 @@ func WorkspaceAgentScope(workspaceID, ownerID uuid.UUID) Scope {
 		// and evolving.
 		Role: allScope.Role,
 		// This prevents the agent from being able to access any other resource.
+		// Include the list of IDs of anything that is required for the
+		// agent to function.
 		AllowIDList: []string{
-			workspaceID.String(),
-			ownerID.String(),
-			// TODO: Might want to include the template the workspace uses too?
+			params.WorkspaceID.String(),
+			params.TemplateID.String(),
+			params.VersionID.String(),
+			params.OwnerID.String(),
 		},
 	}
 }
diff --git a/coderd/workspaceagents.go b/coderd/workspaceagents.go
@@ -1488,7 +1488,7 @@ func (api *API) workspaceAgentReportStats(rw http.ResponseWriter, r *http.Reques
 			templateSchedule, err := (*(api.TemplateScheduleStore.Load())).Get(ctx, api.Database, workspace.TemplateID)
 			// If the template schedule fails to load, just default to bumping without the next transition and log it.
 			if err != nil {
-				api.Logger.Warn(ctx, "failed to load template schedule bumping activity, defaulting to bumping by 60min",
+				api.Logger.Error(ctx, "failed to load template schedule bumping activity, defaulting to bumping by 60min",
 					slog.F("workspace_id", workspace.ID),
 					slog.F("template_id", workspace.TemplateID),
 					slog.Error(err),
