Skip to content

feat: allow TemplateAdmin to delete prebuilds via auth layer #18333

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ssncferreira merged 15 commits into from
Jun 20, 2025
Merged

feat: allow TemplateAdmin to delete prebuilds via auth layer #18333

ssncferreira merged 15 commits into from
Jun 20, 2025

Conversation

@ssncferreira
Copy link
Contributor

@ssncferreira ssncferreira commented Jun 11, 2025
edited
Loading

Description

This PR adds support for deleting prebuilt workspaces via the authorization layer. It introduces special-case handling to ensure that prebuilt_workspace permissions are evaluated when attempting to delete a prebuilt workspace, falling back to the standard workspace resource as needed.

Prebuilt workspaces are a subset of workspaces, identified by having owner_id set to PREBUILD_SYSTEM_USER.
This means:

  • A user with prebuilt_workspace.delete permission is allowed to delete only prebuilt workspaces.
  • A user with workspace.delete permission can delete both normal and prebuilt workspaces.

⚠️ This implementation is scoped to deletion operations only. No other operations are currently supported for the prebuilt_workspace resource.

To delete a workspace, users must have the following permissions:

  • workspace.read: to read the current workspace state
  • update: to modify workspace metadata and related resources during deletion (e.g., updating the deleted field in the database)
  • delete: to perform the actual deletion of the workspace

Changes

  • Introduced authorizeWorkspace() helper to handle prebuilt workspace authorization logic.
  • Ensured both prebuilt_workspace and workspace permissions are checked.
  • Added comments to clarify the current behavior and limitations.
  • Moved SystemUserID constant from the prebuilds package to the database package PrebuildsSystemUserID to resolve an import cycle (commit f24e4ab).
  • Update middleware ExtractOrganizationMember to include system user members.

@ssncferreira ssncferreira changed the title feat: POC for allowing TemplateAdmin to delete prebuild workspaces via auth layer feat: poc to allow TemplateAdmin to delete prebuilds via auth layer Jun 11, 2025
@ssncferreira ssncferreira force-pushed the ssncferreira/poc-prebuild-rbac-authz branch 2 times, most recently from e05480d to db80b4d Compare June 11, 2025 19:37
@ssncferreira ssncferreira force-pushed the ssncferreira/poc-prebuild-rbac-authz branch from db80b4d to 2ba15c5 Compare June 11, 2025 19:38
johnstcn
johnstcn reviewed Jun 12, 2025
View reviewed changes
@ssncferreira ssncferreira changed the title feat: poc to allow TemplateAdmin to delete prebuilds via auth layer feat: allow TemplateAdmin to delete prebuilds via auth layer in POC Jun 12, 2025
@ssncferreira ssncferreira changed the title feat: allow TemplateAdmin to delete prebuilds via auth layer in POC feat: allow TemplateAdmin to delete prebuilds via auth layer (POC) Jun 12, 2025
johnstcn
johnstcn reviewed Jun 12, 2025
View reviewed changes
johnstcn
johnstcn reviewed Jun 18, 2025
View reviewed changes
@ssncferreira ssncferreira marked this pull request as ready for review June 18, 2025 09:06
@ssncferreira ssncferreira changed the title feat: allow TemplateAdmin to delete prebuilds via auth layer (POC) feat: allow TemplateAdmin to delete prebuilds via auth layer Jun 18, 2025
@ssncferreira ssncferreira requested a review from Emyrk June 18, 2025 18:45
Emyrk
Emyrk reviewed Jun 18, 2025
View reviewed changes
coderd/rbac/roles.go
Comment on lines +278 to +281
// PrebuiltWorkspaces are a subset of Workspaces.
// Explicitly setting PrebuiltWorkspace permissions for clarity.
// Note: even without PrebuiltWorkspace permissions, access is still granted via Workspace permissions.
ResourcePrebuiltWorkspace.Type: {policy.ActionUpdate, policy.ActionDelete},
Copy link
Member

@Emyrk Emyrk Jun 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 Always +1 for clarity.

johnstcn
johnstcn reviewed Jun 20, 2025
View reviewed changes
coderd/httpmw/organizationparam.go
OrganizationID: orgID,
UserID: user.ID,
IncludeSystem: false,
IncludeSystem: true,
Copy link
Member

@johnstcn johnstcn Jun 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

review: this is required in order to be able to delete a prebuilt workspace from the CLI, as it needs to fetch it first.

Copy link
Contributor Author

@ssncferreira ssncferreira Jun 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added to the PR description as well:

  • Update middleware ExtractOrganizationMember to include system user members.

johnstcn
johnstcn reviewed Jun 20, 2025
View reviewed changes
johnstcn
johnstcn approved these changes Jun 20, 2025
View reviewed changes
Copy link
Member

@johnstcn johnstcn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work! I don't have any blocking comments.

@ssncferreira ssncferreira requested a review from Emyrk June 20, 2025 14:01
Emyrk
Emyrk approved these changes Jun 20, 2025
View reviewed changes
Copy link
Member

@Emyrk Emyrk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Requiring workspace.read simplifies the problem. 👍

coderd/database/dbauthz/dbauthz.go
Comment on lines +163 to +172
if (action == policy.ActionUpdate || action == policy.ActionDelete) && workspace.IsPrebuild() {
// Try prebuilt-specific authorization first
if prebuiltErr = q.authorizeContext(ctx, action, workspace.AsPrebuild()); prebuiltErr == nil {
return nil
}
}
// Fallback to normal workspace authorization check
if err := q.authorizeContext(ctx, action, workspace); err != nil {
return xerrors.Errorf("authorize context: %w", errors.Join(prebuiltErr, err))
}
Copy link
Member

@Emyrk Emyrk Jun 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the normal workspace check is more likely to succeed then the prebuild. So it might be a slight optimization to flip these checks.

But that will probably break some of the unit tests? No need to change this, just a thought.

Copy link
Contributor Author

@ssncferreira ssncferreira Jun 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, I had considered that optimization as well. I believe it might require some test updates, so I'd prefer to merge this PR and address the optimization in a follow-up PR.

Emyrk
Emyrk reviewed Jun 20, 2025
View reviewed changes
coderd/database/dbauthz/dbauthz_test.go
}))
}

func (s *MethodTestSuite) TestAuthorizePrebuiltWorkspace() {
Copy link
Member

@Emyrk Emyrk Jun 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@ssncferreira ssncferreira merged commit 72f7d70 into main Jun 20, 2025
33 of 34 checks passed
@ssncferreira ssncferreira deleted the ssncferreira/poc-prebuild-rbac-authz branch June 20, 2025 16:36
@github-actions github-actions bot locked and limited conversation to collaborators Jun 20, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@Emyrk Emyrk Emyrk approved these changes

@johnstcn johnstcn johnstcn approved these changes

Assignees

@ssncferreira ssncferreira

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ssncferreira @johnstcn @Emyrk