shishantbiswas/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2026-06-02 20:48:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: add disabling of default 'everyone' group access to template (#7982)

Browse Source 
* feat: add disabling of default 'everyone' group access to template
* add FE to disable everyone group
* require entitlement to uncheck box
This commit is contained in:
Steven Masley
2023-06-14 11:08:58 -05:00
committed by GitHub
parent e4b6f5695b
commit 3619a3a6dd
16 changed files with 206 additions and 72 deletions
Download Patch File Download Diff File Expand all files Collapse all files
cli/templatecreate.go
+13 -5
View File
@@ -28,6 +28,7 @@ func (r *RootCmd) templateCreate() *clibase.Cmd {
provisionerTags []string
variablesFile string
variables []string
disableEveryone bool
defaultTTL time.Duration
failureTTL time.Duration
inactivityTTL time.Duration
@@ -121,11 +122,12 @@ func (r *RootCmd) templateCreate() *clibase.Cmd {
}
createReq := codersdk.CreateTemplateRequest{
Name: templateName,
VersionID: job.ID,
DefaultTTLMillis: ptr.Ref(defaultTTL.Milliseconds()),
FailureTTLMillis: ptr.Ref(failureTTL.Milliseconds()),
InactivityTTLMillis: ptr.Ref(inactivityTTL.Milliseconds()),
Name: templateName,
VersionID: job.ID,
DefaultTTLMillis: ptr.Ref(defaultTTL.Milliseconds()),
FailureTTLMillis: ptr.Ref(failureTTL.Milliseconds()),
InactivityTTLMillis: ptr.Ref(inactivityTTL.Milliseconds()),
DisableEveryoneGroupAccess: disableEveryone,
}
_, err = client.CreateTemplate(inv.Context(), organization.ID, createReq)
@@ -144,6 +146,12 @@ func (r *RootCmd) templateCreate() *clibase.Cmd {
},
}
cmd.Options = clibase.OptionSet{
{
Flag: "private",
Description: "Disable the default behavior of granting template access to the 'everyone' group. " +
"The template permissions must be updated to allow non-admin users to use this template.",
Value: clibase.BoolOf(&disableEveryone),
},
{
Flag: "variables-file",
Description: "Specify a file path with values for Terraform-managed variables.",
cli/testdata/coder_templates_create_--help.golden
Vendored
+5
View File
@@ -17,6 +17,11 @@ Create a template from the current directory or as specified by flag
Specify an inactivity TTL for workspaces created from this template.
This licensed feature's default is 0h (off).
--private bool
Disable the default behavior of granting template access to the
'everyone' group. The template permissions must be updated to allow
non-admin users to use this template.
--provisioner-tag string-array
Specify a set of tags to target provisioner daemons.
coderd/apidoc/docs.go
Generated
+4
View File
@@ -6664,6 +6664,10 @@ const docTemplate = `{
"description": "Description is a description of what the template contains. It must be\nless than 128 bytes.",
"type": "string"
},
"disable_everyone_group_access": {
"description": "DisableEveryoneGroupAccess allows optionally disabling the default\nbehavior of granting the 'everyone' group access to use the template.\nIf this is set to true, the template will not be available to all users,\nand must be explicitly granted to users or groups in the permissions settings\nof the template.",
"type": "boolean"
},
"display_name": {
"description": "DisplayName is the displayed name of the template.",
"type": "string"
coderd/apidoc/swagger.json
Generated
+4
View File
@@ -5935,6 +5935,10 @@
"description": "Description is a description of what the template contains. It must be\nless than 128 bytes.",
"type": "string"
},
"disable_everyone_group_access": {
"description": "DisableEveryoneGroupAccess allows optionally disabling the default\nbehavior of granting the 'everyone' group access to use the template.\nIf this is set to true, the template will not be available to all users,\nand must be explicitly granted to users or groups in the permissions settings\nof the template.",
"type": "boolean"
},
"display_name": {
"description": "DisplayName is the displayed name of the template.",
"type": "string"
coderd/audit/audit.go
+8
View File
@@ -42,6 +42,14 @@ type MockAuditor struct {
auditLogs []database.AuditLog
}
// ResetLogs removes all audit logs from the mock auditor.
// This is helpful for testing to get a clean slate.
func (a *MockAuditor) ResetLogs() {
a.mutex.Lock()
defer a.mutex.Unlock()
a.auditLogs = make([]database.AuditLog, 0)
}
func (a *MockAuditor) AuditLogs() []database.AuditLog {
a.mutex.Lock()
defer a.mutex.Unlock()
coderd/templates.go
+17 -13
View File
@@ -274,22 +274,26 @@ func (api *API) postTemplateByOrganization(rw http.ResponseWriter, r *http.Reque
allowUserAutostop = ptr.NilToDefault(createTemplate.AllowUserAutostop, true)
)
defaultsGroups := database.TemplateACL{}
if !createTemplate.DisableEveryoneGroupAccess {
// The organization ID is used as the group ID for the everyone group
// in this organization.
defaultsGroups[organization.ID.String()] = []rbac.Action{rbac.ActionRead}
}
err = api.Database.InTx(func(tx database.Store) error {
now := database.Now()
dbTemplate, err = tx.InsertTemplate(ctx, database.InsertTemplateParams{
ID: uuid.New(),
CreatedAt: now,
UpdatedAt: now,
OrganizationID: organization.ID,
Name: createTemplate.Name,
Provisioner: importJob.Provisioner,
ActiveVersionID: templateVersion.ID,
Description: createTemplate.Description,
CreatedBy: apiKey.UserID,
UserACL: database.TemplateACL{},
GroupACL: database.TemplateACL{
organization.ID.String(): []rbac.Action{rbac.ActionRead},
},
ID: uuid.New(),
CreatedAt: now,
UpdatedAt: now,
OrganizationID: organization.ID,
Name: createTemplate.Name,
Provisioner: importJob.Provisioner,
ActiveVersionID: templateVersion.ID,
Description: createTemplate.Description,
CreatedBy: apiKey.UserID,
UserACL: database.TemplateACL{},
GroupACL: defaultsGroups,
DisplayName: createTemplate.DisplayName,
Icon: createTemplate.Icon,
AllowUserCancelWorkspaceJobs: allowUserCancelWorkspaceJobs,
coderd/templates_test.go
+33 -9
View File
@@ -48,25 +48,28 @@ func TestPostTemplateByOrganization(t *testing.T) {
t.Parallel()
auditor := audit.NewMock()
client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true, Auditor: auditor})
user := coderdtest.CreateFirstUser(t, client)
version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
owner := coderdtest.CreateFirstUser(t, client)
// By default, everyone in the org can read the template.
user, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
auditor.ResetLogs()
expected := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
version := coderdtest.CreateTemplateVersion(t, client, owner.OrganizationID, nil)
expected := coderdtest.CreateTemplate(t, client, owner.OrganizationID, version.ID)
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
defer cancel()
got, err := client.Template(ctx, expected.ID)
got, err := user.Template(ctx, expected.ID)
require.NoError(t, err)
assert.Equal(t, expected.Name, got.Name)
assert.Equal(t, expected.Description, got.Description)
require.Len(t, auditor.AuditLogs(), 4)
assert.Equal(t, database.AuditActionLogin, auditor.AuditLogs()[0].Action)
assert.Equal(t, database.AuditActionCreate, auditor.AuditLogs()[1].Action)
assert.Equal(t, database.AuditActionWrite, auditor.AuditLogs()[2].Action)
assert.Equal(t, database.AuditActionCreate, auditor.AuditLogs()[3].Action)
require.Len(t, auditor.AuditLogs(), 3)
assert.Equal(t, database.AuditActionCreate, auditor.AuditLogs()[0].Action)
assert.Equal(t, database.AuditActionWrite, auditor.AuditLogs()[1].Action)
assert.Equal(t, database.AuditActionCreate, auditor.AuditLogs()[2].Action)
})
t.Run("AlreadyExists", func(t *testing.T) {
@@ -126,6 +129,27 @@ func TestPostTemplateByOrganization(t *testing.T) {
require.Zero(t, got.DefaultTTLMillis)
})
t.Run("DisableEveryone", func(t *testing.T) {
t.Parallel()
auditor := audit.NewMock()
client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true, Auditor: auditor})
owner := coderdtest.CreateFirstUser(t, client)
user, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
version := coderdtest.CreateTemplateVersion(t, client, owner.OrganizationID, nil)
expected := coderdtest.CreateTemplate(t, client, owner.OrganizationID, version.ID, func(request *codersdk.CreateTemplateRequest) {
request.DisableEveryoneGroupAccess = true
})
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
defer cancel()
_, err := user.Template(ctx, expected.ID)
var apiErr *codersdk.Error
require.ErrorAs(t, err, &apiErr)
require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
})
t.Run("Unauthorized", func(t *testing.T) {
t.Parallel()
client := coderdtest.New(t, nil)
codersdk/organizations.go
+7
View File
@@ -108,6 +108,13 @@ type CreateTemplateRequest struct {
// InactivityTTLMillis allows optionally specifying the max lifetime before Coder
// deletes inactive workspaces created from this template.
InactivityTTLMillis *int64 `json:"inactivity_ttl_ms,omitempty"`
// DisableEveryoneGroupAccess allows optionally disabling the default
// behavior of granting the 'everyone' group access to use the template.
// If this is set to true, the template will not be available to all users,
// and must be explicitly granted to users or groups in the permissions settings
// of the template.
DisableEveryoneGroupAccess bool `json:"disable_everyone_group_access"`
}
// CreateWorkspaceRequest provides options for creating a new workspace.
docs/api/schemas.md
+16 -14
View File
@@ -1343,6 +1343,7 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in
"allow_user_cancel_workspace_jobs": true,
"default_ttl_ms": 0,
"description": "string",
"disable_everyone_group_access": true,
"display_name": "string",
"failure_ttl_ms": 0,
"icon": "string",
@@ -1355,20 +1356,21 @@ AuthorizationObject can represent a "set" of objects, such as: all workspaces in
### Properties
| Name | Type | Required | Restrictions | Description |
| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -------- | ------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `allow_user_autostart` | boolean | false | | Allow user autostart allows users to set a schedule for autostarting their workspace. By default this is true. This can only be disabled when using an enterprise license. |
| `allow_user_autostop` | boolean | false | | Allow user autostop allows users to set a custom workspace TTL to use in place of the template's DefaultTTL field. By default this is true. If false, the DefaultTTL will always be used. This can only be disabled when using an enterprise license. |
| `allow_user_cancel_workspace_jobs` | boolean | false | | Allow users to cancel in-progress workspace jobs. \*bool as the default value is "true". |
| `default_ttl_ms` | integer | false | | Default ttl ms allows optionally specifying the default TTL for all workspaces created from this template. |
| `description` | string | false | | Description is a description of what the template contains. It must be less than 128 bytes. |
| `display_name` | string | false | | Display name is the displayed name of the template. |
| `failure_ttl_ms` | integer | false | | Failure ttl ms allows optionally specifying the max lifetime before Coder stops all resources for failed workspaces created from this template. |
| `icon` | string | false | | Icon is a relative path or external URL that specifies an icon to be displayed in the dashboard. |
| `inactivity_ttl_ms` | integer | false | | Inactivity ttl ms allows optionally specifying the max lifetime before Coder deletes inactive workspaces created from this template. |
| `max_ttl_ms` | integer | false | | Max ttl ms allows optionally specifying the max lifetime for workspaces created from this template. |
| `name` | string | true | | Name is the name of the template. |
| `template_version_id` | string | true | | Template version ID is an in-progress or completed job to use as an initial version of the template. |
| Name | Type | Required | Restrictions | Description |
| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | -------- | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `allow_user_autostart` | boolean | false | | Allow user autostart allows users to set a schedule for autostarting their workspace. By default this is true. This can only be disabled when using an enterprise license. |
| `allow_user_autostop` | boolean | false | | Allow user autostop allows users to set a custom workspace TTL to use in place of the template's DefaultTTL field. By default this is true. If false, the DefaultTTL will always be used. This can only be disabled when using an enterprise license. |
| `allow_user_cancel_workspace_jobs` | boolean | false | | Allow users to cancel in-progress workspace jobs. \*bool as the default value is "true". |
| `default_ttl_ms` | integer | false | | Default ttl ms allows optionally specifying the default TTL for all workspaces created from this template. |
| `description` | string | false | | Description is a description of what the template contains. It must be less than 128 bytes. |
| `disable_everyone_group_access` | boolean | false | | Disable everyone group access allows optionally disabling the default behavior of granting the 'everyone' group access to use the template. If this is set to true, the template will not be available to all users, and must be explicitly granted to users or groups in the permissions settings of the template. |
| `display_name` | string | false | | Display name is the displayed name of the template. |
| `failure_ttl_ms` | integer | false | | Failure ttl ms allows optionally specifying the max lifetime before Coder stops all resources for failed workspaces created from this template. |
| `icon` | string | false | | Icon is a relative path or external URL that specifies an icon to be displayed in the dashboard. |
| `inactivity_ttl_ms` | integer | false | | Inactivity ttl ms allows optionally specifying the max lifetime before Coder deletes inactive workspaces created from this template. |
| `max_ttl_ms` | integer | false | | Max ttl ms allows optionally specifying the max lifetime for workspaces created from this template. |
| `name` | string | true | | Name is the name of the template. |
| `template_version_id` | string | true | | Template version ID is an in-progress or completed job to use as an initial version of the template. |
| This is required on creation to enable a user-flow of validating a template works. There is no reason the data-model cannot support empty templates, but it doesn't make sense for users. |
## codersdk.CreateTemplateVersionDryRunRequest
docs/api/templates.md
+1
View File
@@ -129,6 +129,7 @@ curl -X POST http://coder-server:8080/api/v2/organizations/{organization}/templa
"allow_user_cancel_workspace_jobs": true,
"default_ttl_ms": 0,
"description": "string",
"disable_everyone_group_access": true,
"display_name": "string",
"failure_ttl_ms": 0,
"icon": "string",
docs/cli/templates_create.md
+8
View File
@@ -48,6 +48,14 @@ Specify a failure TTL for workspaces created from this template. This licensed f
Specify an inactivity TTL for workspaces created from this template. This licensed feature's default is 0h (off).
### --private
| | |
| ---- | ----------------- |
| Type | <code>bool</code> |
Disable the default behavior of granting template access to the 'everyone' group. The template permissions must be updated to allow non-admin users to use this template.
### --provisioner-tag
| | |
site/src/api/typesGenerated.ts
+1
View File
@@ -179,6 +179,7 @@ export interface CreateTemplateRequest {
readonly allow_user_autostop?: boolean
readonly failure_ttl_ms?: number
readonly inactivity_ttl_ms?: number
readonly disable_everyone_group_access: boolean
}
// From codersdk/templateversions.go
site/src/pages/CreateTemplatePage/CreateTemplateForm.stories.tsx
+1
View File
@@ -17,6 +17,7 @@ export default {
component: CreateTemplateForm,
args: {
isSubmitting: false,
allowDisableEveryoneAccess: true,
},
} as ComponentMeta<typeof CreateTemplateForm>
site/src/pages/CreateTemplatePage/CreateTemplateForm.tsx
+80 -31
View File
@@ -102,6 +102,7 @@ const defaultInitialValues: CreateTemplateData = {
allow_user_cancel_workspace_jobs: false,
allow_user_autostart: false,
allow_user_autostop: false,
allow_everyone_group_access: true,
}
type GetInitialValuesParams = {
@@ -174,6 +175,7 @@ export interface CreateTemplateFormProps {
logs?: ProvisionerJobLog[]
allowAdvancedScheduling: boolean
copiedTemplate?: Template
allowDisableEveryoneAccess: boolean
}
export const CreateTemplateForm: FC<CreateTemplateFormProps> = ({
@@ -188,6 +190,7 @@ export const CreateTemplateForm: FC<CreateTemplateFormProps> = ({
jobError,
logs,
allowAdvancedScheduling,
allowDisableEveryoneAccess,
}) => {
const styles = useStyles()
const form = useFormik<CreateTemplateData>({
@@ -379,44 +382,90 @@ export const CreateTemplateForm: FC<CreateTemplateFormProps> = ({
</FormFields>
</FormSection>
{/* Operations */}
{/* Permissions */}
<FormSection
title="Operations"
title="Permissions"
description="Regulate actions allowed on workspaces created from this template."
>
<FormFields>
<label htmlFor="allow_user_cancel_workspace_jobs">
<Stack direction="row" spacing={1}>
<Checkbox
id="allow_user_cancel_workspace_jobs"
name="allow_user_cancel_workspace_jobs"
disabled={isSubmitting}
checked={form.values.allow_user_cancel_workspace_jobs}
onChange={form.handleChange}
/>
<Stack direction="column">
<FormFields>
<label htmlFor="allow_user_cancel_workspace_jobs">
<Stack direction="row" spacing={1}>
<Checkbox
id="allow_user_cancel_workspace_jobs"
name="allow_user_cancel_workspace_jobs"
disabled={isSubmitting}
checked={form.values.allow_user_cancel_workspace_jobs}
onChange={form.handleChange}
/>
<Stack direction="column" spacing={0.5}>
<Stack
direction="row"
alignItems="center"
spacing={0.5}
className={styles.optionText}
>
<strong>{t("form.fields.allowUsersToCancel")}</strong>
<Stack direction="column" spacing={0.5}>
<Stack
direction="row"
alignItems="center"
spacing={0.5}
className={styles.optionText}
>
<strong>{t("form.fields.allowUsersToCancel")}</strong>
<HelpTooltip>
<HelpTooltipText>
{t("form.tooltip.allowUsersToCancel")}
</HelpTooltipText>
</HelpTooltip>
<HelpTooltip>
<HelpTooltipText>
{t("form.tooltip.allowUsersToCancel")}
</HelpTooltipText>
</HelpTooltip>
</Stack>
<span className={styles.optionHelperText}>
{t("form.helperText.allowUsersToCancel")}
</span>
</Stack>
<span className={styles.optionHelperText}>
{t("form.helperText.allowUsersToCancel")}
</span>
</Stack>
</Stack>
</label>
</FormFields>
</label>
</FormFields>
<FormFields>
<label htmlFor="allow_everyone_group_access">
<Stack direction="row" spacing={1}>
<Checkbox
id="allow_everyone_group_access"
name="allow_everyone_group_access"
disabled={isSubmitting || !allowDisableEveryoneAccess}
checked={form.values.allow_everyone_group_access}
onChange={form.handleChange}
/>
<Stack direction="column" spacing={0.5}>
<Stack
direction="row"
alignItems="center"
spacing={0.5}
className={styles.optionText}
>
<strong>Allow everyone to use the template</strong>
<HelpTooltip>
<HelpTooltipText>
If unchecked, only users with the &apos;template
admin&apos; and &apos;owner&apos; role can use this
template until the permissions are updated. Navigate to{" "}
<strong>
Templates &gt; Select a template &gt; Settings &gt;
Permissions
</strong>{" "}
to update permissions.
</HelpTooltipText>
</HelpTooltip>
</Stack>
<span className={styles.optionHelperText}>
This setting requires an enterprise license for the&nbsp;
<Link href="https://coder.com/docs/v2/latest/admin/rbac">
&apos;Template RBAC&apos;
</Link>{" "}
feature to customize permissions.
</span>
</Stack>
</Stack>
</label>
</FormFields>
</Stack>
</FormSection>
{/* Variables */}
site/src/pages/CreateTemplatePage/CreateTemplatePage.tsx
+5
View File
@@ -39,6 +39,10 @@ const CreateTemplatePage: FC = () => {
const { entitlements } = useDashboard()
const allowAdvancedScheduling =
entitlements.features["advanced_template_scheduling"].enabled
// Requires the template RBAC feature, otherwise disabling everyone access
// means no one can access.
const allowDisableEveryoneAccess =
entitlements.features["template_rbac"].enabled
const onCancel = () => {
navigate(-1)
@@ -64,6 +68,7 @@ const CreateTemplatePage: FC = () => {
<CreateTemplateForm
copiedTemplate={state.context.copiedTemplate}
allowAdvancedScheduling={allowAdvancedScheduling}
allowDisableEveryoneAccess={allowDisableEveryoneAccess}
error={error}
starterTemplate={starterTemplate}
isSubmitting={state.hasTag("submitting")}
site/src/xServices/createTemplate/createTemplateXService.ts
+3
View File
@@ -45,6 +45,7 @@ export interface CreateTemplateData {
allow_user_cancel_workspace_jobs: boolean
parameter_values_by_name?: Record<string, string>
user_variable_values?: VariableValue[]
allow_everyone_group_access: boolean
}
interface CreateTemplateContext {
organizationId: string
@@ -457,11 +458,13 @@ export const createTemplateMachine =
default_ttl_hours,
max_ttl_hours,
parameter_values_by_name,
allow_everyone_group_access,
...safeTemplateData
} = templateData
return createTemplate(organizationId, {
...safeTemplateData,
disable_everyone_group_access: !allow_everyone_group_access,
default_ttl_ms: templateData.default_ttl_hours * 60 * 60 * 1000, // Convert hours to ms
max_ttl_ms: templateData.max_ttl_hours * 60 * 60 * 1000, // Convert hours to ms
template_version_id: version.id,