shishantbiswas/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2026-06-03 21:18:24 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
2edf052d175c397d12b87faf995207a6dd54e55f
coder/enterprise/coderd/workspacesharing_test.go
T
Kayla はな c5f1a2fccf feat: make service accounts a Premium feature (#24020)
2026-04-07 12:25:32 -06:00

515 lines
18 KiB
Go
Raw Blame History

package coderd_test
import (
"net/http"
"testing"
"github.com/google/uuid"
"github.com/stretchr/testify/require"
"github.com/coder/coder/v2/coderd/audit"
"github.com/coder/coder/v2/coderd/coderdtest"
"github.com/coder/coder/v2/coderd/database"
"github.com/coder/coder/v2/coderd/database/dbfake"
"github.com/coder/coder/v2/coderd/database/dbtestutil"
"github.com/coder/coder/v2/coderd/rbac"
"github.com/coder/coder/v2/coderd/rbac/policy"
"github.com/coder/coder/v2/codersdk"
"github.com/coder/coder/v2/enterprise/coderd/coderdenttest"
"github.com/coder/coder/v2/enterprise/coderd/license"
"github.com/coder/coder/v2/testutil"
)
func TestWorkspaceSharingSettings(t *testing.T) {
t.Parallel()
t.Run("DisabledDefaultsFalse", func(t *testing.T) {
t.Parallel()
dv := coderdtest.DeploymentValues(t)
client, first := coderdenttest.New(t, &coderdenttest.Options{
Options: &coderdtest.Options{
DeploymentValues: dv,
},
})
ctx := testutil.Context(t, testutil.WaitMedium)
// Use a regular user to make sure the setting is exposed to them.
memberClient, _ := coderdtest.CreateAnotherUser(t, client, first.OrganizationID)
settings, err := memberClient.WorkspaceSharingSettings(ctx, first.OrganizationID.String())
require.NoError(t, err)
// Check the deprecated boolean field.
require.False(t, settings.SharingDisabled)
require.Equal(t, codersdk.ShareableWorkspaceOwnersEveryone, settings.ShareableWorkspaceOwners)
})
t.Run("DisabledTogglePersists", func(t *testing.T) {
t.Parallel()
dv := coderdtest.DeploymentValues(t)
client, first := coderdenttest.New(t, &coderdenttest.Options{
Options: &coderdtest.Options{
DeploymentValues: dv,
},
})
ctx := testutil.Context(t, testutil.WaitMedium)
orgAdminClient, _ := coderdtest.CreateAnotherUser(t, client, first.OrganizationID, rbac.ScopedRoleOrgAdmin(first.OrganizationID))
// Disable sharing via the deprecated boolean field.
settings, err := orgAdminClient.PatchWorkspaceSharingSettings(ctx, first.OrganizationID.String(), codersdk.UpdateWorkspaceSharingSettingsRequest{
SharingDisabled: true,
})
require.NoError(t, err)
require.True(t, settings.SharingDisabled)
require.Equal(t, codersdk.ShareableWorkspaceOwnersNone, settings.ShareableWorkspaceOwners)
settings, err = orgAdminClient.WorkspaceSharingSettings(ctx, first.OrganizationID.String())
require.NoError(t, err)
require.True(t, settings.SharingDisabled)
require.Equal(t, codersdk.ShareableWorkspaceOwnersNone, settings.ShareableWorkspaceOwners)
// Switch to service_accounts mode via the new field.
settings, err = orgAdminClient.PatchWorkspaceSharingSettings(ctx, first.OrganizationID.String(), codersdk.UpdateWorkspaceSharingSettingsRequest{
ShareableWorkspaceOwners: codersdk.ShareableWorkspaceOwnersServiceAccounts,
})
require.NoError(t, err)
require.False(t, settings.SharingDisabled)
require.Equal(t, codersdk.ShareableWorkspaceOwnersServiceAccounts, settings.ShareableWorkspaceOwners)
settings, err = orgAdminClient.WorkspaceSharingSettings(ctx, first.OrganizationID.String())
require.NoError(t, err)
require.Equal(t, codersdk.ShareableWorkspaceOwnersServiceAccounts, settings.ShareableWorkspaceOwners)
// Re-enable full sharing.
settings, err = orgAdminClient.PatchWorkspaceSharingSettings(ctx, first.OrganizationID.String(), codersdk.UpdateWorkspaceSharingSettingsRequest{
ShareableWorkspaceOwners: codersdk.ShareableWorkspaceOwnersEveryone,
})
require.NoError(t, err)
require.False(t, settings.SharingDisabled)
require.Equal(t, codersdk.ShareableWorkspaceOwnersEveryone, settings.ShareableWorkspaceOwners)
settings, err = orgAdminClient.WorkspaceSharingSettings(ctx, first.OrganizationID.String())
require.NoError(t, err)
require.Equal(t, codersdk.ShareableWorkspaceOwnersEveryone, settings.ShareableWorkspaceOwners)
})
t.Run("InvalidValueRejected", func(t *testing.T) {
t.Parallel()
client, first := coderdenttest.New(t, nil)
ctx := testutil.Context(t, testutil.WaitMedium)
orgAdminClient, _ := coderdtest.CreateAnotherUser(t, client, first.OrganizationID, rbac.ScopedRoleOrgAdmin(first.OrganizationID))
_, err := orgAdminClient.PatchWorkspaceSharingSettings(ctx, first.OrganizationID.String(), codersdk.UpdateWorkspaceSharingSettingsRequest{
ShareableWorkspaceOwners: "invalid",
})
var apiErr *codersdk.Error
require.ErrorAs(t, err, &apiErr)
require.Equal(t, http.StatusBadRequest, apiErr.StatusCode())
})
t.Run("UpdateAuthz", func(t *testing.T) {
t.Parallel()
dv := coderdtest.DeploymentValues(t)
client, first := coderdenttest.New(t, &coderdenttest.Options{
Options: &coderdtest.Options{
DeploymentValues: dv,
},
})
ctx := testutil.Context(t, testutil.WaitMedium)
memberClient, _ := coderdtest.CreateAnotherUser(t, client, first.OrganizationID)
_, err := memberClient.PatchWorkspaceSharingSettings(ctx, first.OrganizationID.String(), codersdk.UpdateWorkspaceSharingSettingsRequest{
SharingDisabled: true,
})
var apiErr *codersdk.Error
require.ErrorAs(t, err, &apiErr)
require.Equal(t, http.StatusForbidden, apiErr.StatusCode())
})
t.Run("AuditLog", func(t *testing.T) {
t.Parallel()
auditor := audit.NewMock()
dv := coderdtest.DeploymentValues(t)
client, first := coderdenttest.New(t, &coderdenttest.Options{
AuditLogging: true,
Options: &coderdtest.Options{
DeploymentValues: dv,
Auditor: auditor,
},
LicenseOptions: &coderdenttest.LicenseOptions{
Features: license.Features{
codersdk.FeatureAuditLog: 1,
},
},
})
ctx := testutil.Context(t, testutil.WaitMedium)
orgAdminClient, _ := coderdtest.CreateAnotherUser(t, client, first.OrganizationID, rbac.ScopedRoleOrgAdmin(first.OrganizationID))
auditor.ResetLogs()
_, err := orgAdminClient.PatchWorkspaceSharingSettings(ctx, first.OrganizationID.String(), codersdk.UpdateWorkspaceSharingSettingsRequest{
SharingDisabled: true,
})
require.NoError(t, err)
require.Len(t, auditor.AuditLogs(), 1)
alog := auditor.AuditLogs()[0]
require.Equal(t, database.AuditActionWrite, alog.Action)
require.Equal(t, database.ResourceTypeOrganization, alog.ResourceType)
require.Equal(t, first.OrganizationID, alog.ResourceID)
})
}
func TestWorkspaceSharingDisabled(t *testing.T) {
t.Parallel()
t.Run("ACLEndpointsForbidden", func(t *testing.T) {
t.Parallel()
dv := coderdtest.DeploymentValues(t)
client, db, owner := coderdenttest.NewWithDatabase(t, &coderdenttest.Options{
Options: &coderdtest.Options{
DeploymentValues: dv,
},
})
workspaceOwnerClient, workspaceOwner := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
ws := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
OwnerID: workspaceOwner.ID,
OrganizationID: owner.OrganizationID,
}).Do().Workspace
ctx := testutil.Context(t, testutil.WaitMedium)
orgAdminClient, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID, rbac.ScopedRoleOrgAdmin(owner.OrganizationID))
_, err := orgAdminClient.PatchWorkspaceSharingSettings(ctx, owner.OrganizationID.String(), codersdk.UpdateWorkspaceSharingSettingsRequest{
ShareableWorkspaceOwners: codersdk.ShareableWorkspaceOwnersNone,
})
require.NoError(t, err)
// Reading the ACL list remains allowed even when workspace sharing is
// disabled, but mutating it is forbidden.
_, err = workspaceOwnerClient.WorkspaceACL(ctx, ws.ID)
require.NoError(t, err)
// We don't allow mutating the ACL.
assertSharingDisabled := func(t *testing.T, err error) {
t.Helper()
var apiErr *codersdk.Error
require.ErrorAs(t, err, &apiErr)
require.Equal(t, http.StatusForbidden, apiErr.StatusCode())
require.Equal(t, "Workspace sharing is disabled for this organization.", apiErr.Message)
}
// Despite the site-wide workspace.share permission for the owner,
// the endpoint should return an authz error.
err = client.UpdateWorkspaceACL(ctx, ws.ID, codersdk.UpdateWorkspaceACL{
UserRoles: map[string]codersdk.WorkspaceRole{
uuid.NewString(): codersdk.WorkspaceRoleUse,
},
})
assertSharingDisabled(t, err)
err = workspaceOwnerClient.DeleteWorkspaceACL(ctx, ws.ID)
assertSharingDisabled(t, err)
})
t.Run("ACLEndpointsForbiddenServiceAccountsMode", func(t *testing.T) {
t.Parallel()
client, db, owner := coderdenttest.NewWithDatabase(t, &coderdenttest.Options{
LicenseOptions: &coderdenttest.LicenseOptions{
Features: license.Features{
codersdk.FeatureServiceAccounts: 1,
},
},
})
regularClient, regularUser := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
regularWS := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
OwnerID: regularUser.ID,
OrganizationID: owner.OrganizationID,
}).Do().Workspace
// Create an SA with a workspace.
saClient, saUser := coderdtest.CreateAnotherUserMutators(t, client, owner.OrganizationID, nil, func(r *codersdk.CreateUserRequestWithOrgs) {
r.ServiceAccount = true
})
saWS := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
OwnerID: saUser.ID,
OrganizationID: owner.OrganizationID,
}).Do().Workspace
ctx := testutil.Context(t, testutil.WaitMedium)
orgAdminClient, orgAdmin := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID, rbac.ScopedRoleOrgAdmin(owner.OrganizationID))
_, err := orgAdminClient.PatchWorkspaceSharingSettings(ctx, owner.OrganizationID.String(), codersdk.UpdateWorkspaceSharingSettingsRequest{
ShareableWorkspaceOwners: codersdk.ShareableWorkspaceOwnersServiceAccounts,
})
require.NoError(t, err)
// Regular member cannot share their own workspace.
err = regularClient.UpdateWorkspaceACL(ctx, regularWS.ID, codersdk.UpdateWorkspaceACL{
UserRoles: map[string]codersdk.WorkspaceRole{
orgAdmin.ID.String(): codersdk.WorkspaceRoleUse,
},
})
var apiErr *codersdk.Error
require.ErrorAs(t, err, &apiErr)
require.Equal(t, http.StatusForbidden, apiErr.StatusCode())
// SA can share their own workspace.
err = saClient.UpdateWorkspaceACL(ctx, saWS.ID, codersdk.UpdateWorkspaceACL{
UserRoles: map[string]codersdk.WorkspaceRole{
regularUser.ID.String(): codersdk.WorkspaceRoleUse,
},
})
require.NoError(t, err)
})
// Future-proofing: if custom roles with member-scoped
// workspace:share are ever allowed, the member-level negation
// from the organization-member system role must block sharing in
// service_accounts mode even with such custom role.
t.Run("MemberCannotBypassWithCustomRole", func(t *testing.T) {
t.Parallel()
rawDB, pubsub, sqlDB := dbtestutil.NewDBWithSQLDB(t)
client, _, _, owner := coderdenttest.NewWithAPI(t, &coderdenttest.Options{
Options: &coderdtest.Options{
Database: rawDB,
Pubsub: pubsub,
},
LicenseOptions: &coderdenttest.LicenseOptions{
Features: license.Features{
codersdk.FeatureCustomRoles: 1,
codersdk.FeatureTemplateRBAC: 1,
},
},
})
ctx := testutil.Context(t, testutil.WaitMedium)
// Create an empty custom role via the API, then add
// member-scoped workspace:share via raw SQL (the API and
// dbauthz both reject member permissions on custom roles).
//nolint:gocritic // owner context required for role creation
customRole, err := client.CreateOrganizationRole(ctx, codersdk.Role{
Name: "workspace-share-granter",
OrganizationID: owner.OrganizationID.String(),
})
require.NoError(t, err)
_, err = sqlDB.ExecContext(ctx,
`UPDATE custom_roles SET member_permissions = $1 WHERE name = $2 AND organization_id = $3`,
database.CustomRolePermissions{{
ResourceType: rbac.ResourceWorkspace.Type,
Action: policy.ActionShare,
}},
customRole.Name,
owner.OrganizationID,
)
require.NoError(t, err)
// Create a member and assign the custom role.
memberClient, memberUser := coderdtest.CreateAnotherUserMutators(
t, client, owner.OrganizationID,
[]rbac.RoleIdentifier{{
Name: customRole.Name,
OrganizationID: owner.OrganizationID,
}},
)
memberWS := dbfake.WorkspaceBuild(t, rawDB, database.WorkspaceTable{
OwnerID: memberUser.ID,
OrganizationID: owner.OrganizationID,
}).Do().Workspace
_, sharedUser := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
// Switch to service_accounts mode.
orgAdminClient, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID, rbac.ScopedRoleOrgAdmin(owner.OrganizationID))
_, err = orgAdminClient.PatchWorkspaceSharingSettings(ctx, owner.OrganizationID.String(), codersdk.UpdateWorkspaceSharingSettingsRequest{
ShareableWorkspaceOwners: codersdk.ShareableWorkspaceOwnersServiceAccounts,
})
require.NoError(t, err)
// Despite the custom role granting workspace:share at the
// member level, the negation from organization-member should
// block it.
err = memberClient.UpdateWorkspaceACL(ctx, memberWS.ID, codersdk.UpdateWorkspaceACL{
UserRoles: map[string]codersdk.WorkspaceRole{
sharedUser.ID.String(): codersdk.WorkspaceRoleUse,
},
})
var apiErr *codersdk.Error
require.ErrorAs(t, err, &apiErr)
require.Equal(t, http.StatusForbidden, apiErr.StatusCode())
})
t.Run("ACLsPurged", func(t *testing.T) {
t.Parallel()
dv := coderdtest.DeploymentValues(t)
client, db, owner := coderdenttest.NewWithDatabase(t, &coderdenttest.Options{
Options: &coderdtest.Options{
DeploymentValues: dv,
},
LicenseOptions: &coderdenttest.LicenseOptions{
Features: license.Features{
codersdk.FeatureTemplateRBAC: 1,
},
},
})
workspaceOwnerClient, workspaceOwner := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
_, sharedUser := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
// Create a group to test group ACL purging.
group := coderdtest.CreateGroup(t, client, owner.OrganizationID, "test-group")
ws := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
OwnerID: workspaceOwner.ID,
OrganizationID: owner.OrganizationID,
}).Do().Workspace
ctx := testutil.Context(t, testutil.WaitMedium)
// Set both user and group ACLs.
err := workspaceOwnerClient.UpdateWorkspaceACL(ctx, ws.ID, codersdk.UpdateWorkspaceACL{
UserRoles: map[string]codersdk.WorkspaceRole{
sharedUser.ID.String(): codersdk.WorkspaceRoleUse,
},
GroupRoles: map[string]codersdk.WorkspaceRole{
group.ID.String(): codersdk.WorkspaceRoleUse,
},
})
require.NoError(t, err)
acl, err := workspaceOwnerClient.WorkspaceACL(ctx, ws.ID)
require.NoError(t, err)
require.Len(t, acl.Users, 1)
require.Equal(t, sharedUser.ID, acl.Users[0].ID)
require.Equal(t, codersdk.WorkspaceRoleUse, acl.Users[0].Role)
require.Len(t, acl.Groups, 1)
require.Equal(t, group.ID, acl.Groups[0].ID)
require.Equal(t, codersdk.WorkspaceRoleUse, acl.Groups[0].Role)
orgAdminClient, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID, rbac.ScopedRoleOrgAdmin(owner.OrganizationID))
_, err = orgAdminClient.PatchWorkspaceSharingSettings(ctx, owner.OrganizationID.String(), codersdk.UpdateWorkspaceSharingSettingsRequest{
ShareableWorkspaceOwners: codersdk.ShareableWorkspaceOwnersNone,
})
require.NoError(t, err)
_, err = orgAdminClient.PatchWorkspaceSharingSettings(ctx, owner.OrganizationID.String(), codersdk.UpdateWorkspaceSharingSettingsRequest{
ShareableWorkspaceOwners: codersdk.ShareableWorkspaceOwnersEveryone,
})
require.NoError(t, err)
// Verify both user and group ACLs are purged.
acl, err = workspaceOwnerClient.WorkspaceACL(ctx, ws.ID)
require.NoError(t, err)
require.Empty(t, acl.Users)
require.Empty(t, acl.Groups)
// Verify ACLs can be set again after re-enabling sharing.
err = workspaceOwnerClient.UpdateWorkspaceACL(ctx, ws.ID, codersdk.UpdateWorkspaceACL{
UserRoles: map[string]codersdk.WorkspaceRole{
sharedUser.ID.String(): codersdk.WorkspaceRoleUse,
},
})
require.NoError(t, err)
acl, err = workspaceOwnerClient.WorkspaceACL(ctx, ws.ID)
require.NoError(t, err)
require.Len(t, acl.Users, 1)
require.Equal(t, sharedUser.ID, acl.Users[0].ID)
})
t.Run("ACLsPurgedExceptServiceAccounts", func(t *testing.T) {
t.Parallel()
dv := coderdtest.DeploymentValues(t)
client, db, owner := coderdenttest.NewWithDatabase(t, &coderdenttest.Options{
Options: &coderdtest.Options{
DeploymentValues: dv,
},
LicenseOptions: &coderdenttest.LicenseOptions{
Features: license.Features{
codersdk.FeatureTemplateRBAC: 1,
codersdk.FeatureServiceAccounts: 1,
},
},
})
// Regular user with a workspace.
workspaceOwnerClient, workspaceOwner := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
_, sharedUser := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
regularWS := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
OwnerID: workspaceOwner.ID,
OrganizationID: owner.OrganizationID,
}).Do().Workspace
// Service account with a workspace.
_, saUser := coderdtest.CreateAnotherUserMutators(t, client, owner.OrganizationID, nil, func(r *codersdk.CreateUserRequestWithOrgs) {
r.ServiceAccount = true
})
saWS := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
OwnerID: saUser.ID,
OrganizationID: owner.OrganizationID,
}).Do().Workspace
ctx := testutil.Context(t, testutil.WaitMedium)
// Share regular user's workspace with sharedUser.
err := workspaceOwnerClient.UpdateWorkspaceACL(ctx, regularWS.ID, codersdk.UpdateWorkspaceACL{
UserRoles: map[string]codersdk.WorkspaceRole{
sharedUser.ID.String(): codersdk.WorkspaceRoleUse,
},
})
require.NoError(t, err)
// Use the owner client (site admin) to share the SA workspace,
// since the SA can't authenticate via the API.
err = client.UpdateWorkspaceACL(ctx, saWS.ID, codersdk.UpdateWorkspaceACL{
UserRoles: map[string]codersdk.WorkspaceRole{
sharedUser.ID.String(): codersdk.WorkspaceRoleUse,
},
})
require.NoError(t, err)
// Switch to service_accounts mode.
orgAdminClient, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID, rbac.ScopedRoleOrgAdmin(owner.OrganizationID))
_, err = orgAdminClient.PatchWorkspaceSharingSettings(ctx, owner.OrganizationID.String(), codersdk.UpdateWorkspaceSharingSettingsRequest{
ShareableWorkspaceOwners: codersdk.ShareableWorkspaceOwnersServiceAccounts,
})
require.NoError(t, err)
// Regular user workspace ACLs should be purged.
acl, err := workspaceOwnerClient.WorkspaceACL(ctx, regularWS.ID)
require.NoError(t, err)
require.Empty(t, acl.Users)
// Service account workspace ACLs should be preserved.
acl, err = client.WorkspaceACL(ctx, saWS.ID)
require.NoError(t, err)
require.Len(t, acl.Users, 1)
require.Equal(t, sharedUser.ID, acl.Users[0].ID)
})
}
Reference in New Issue View Git Blame Copy Permalink