feat: RBAC provisionerdaemons and parameters (#1755)

* chore: Remove org_id from provisionerdaemons

coderd/coderd.go

@@ -131,14 +131,20 @@ func New(options *Options) *API {
 			r.Get("/{hash}", api.fileByHash)
 			r.Post("/", api.postFile)
 		})
+		r.Route("/provisionerdaemons", func(r chi.Router) {
+			r.Use(
+				apiKeyMiddleware,
+				authRolesMiddleware,
+			)
+			r.Get("/", api.provisionerDaemons)
+		})
 		r.Route("/organizations/{organization}", func(r chi.Router) {
 			r.Use(
 				apiKeyMiddleware,
 				httpmw.ExtractOrganizationParam(options.Database),
 				authRolesMiddleware,
 			)
 			r.Get("/", api.organization)
-			r.Get("/provisionerdaemons", api.provisionerDaemonsByOrganization)
 			r.Post("/templateversions", api.postTemplateVersionsByOrganization)
 			r.Route("/templates", func(r chi.Router) {
 				r.Post("/", api.postTemplateByOrganization)
@@ -166,7 +172,7 @@ func New(options *Options) *API {
 			})
 		})
 		r.Route("/parameters/{scope}/{id}", func(r chi.Router) {
-			r.Use(apiKeyMiddleware)
+			r.Use(apiKeyMiddleware, authRolesMiddleware)
 			r.Post("/", api.postParameter)
 			r.Get("/", api.parameters)
 			r.Route("/{name}", func(r chi.Router) {

coderd/coderd_test.go

@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"strings"
 	"testing"
+	"time"
 
 	"github.com/go-chi/chi/v5"
 	"github.com/stretchr/testify/assert"
@@ -45,9 +46,29 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 		IncludeProvisionerD: true,
 	})
 	admin := coderdtest.CreateFirstUser(t, client)
-	organization, err := client.Organization(context.Background(), admin.OrganizationID)
+	// The provisioner will call to coderd and register itself. This is async,
+	// so we wait for it to occur.
+	require.Eventually(t, func() bool {
+		provisionerds, err := client.ProvisionerDaemons(ctx)
+		require.NoError(t, err)
+		return len(provisionerds) > 0
+	}, time.Second*10, time.Second)
+
+	provisionerds, err := client.ProvisionerDaemons(ctx)
+	require.NoError(t, err, "fetch provisioners")
+	require.Len(t, provisionerds, 1)
+
+	organization, err := client.Organization(ctx, admin.OrganizationID)
 	require.NoError(t, err, "fetch org")
 
+	organizationParam, err := client.CreateParameter(ctx, codersdk.ParameterOrganization, organization.ID, codersdk.CreateParameterRequest{
+		Name:              "test-param",
+		SourceValue:       "hello world",
+		SourceScheme:      codersdk.ParameterSourceSchemeData,
+		DestinationScheme: codersdk.ParameterDestinationSchemeProvisionerVariable,
+	})
+	require.NoError(t, err, "create org param")
+
 	// Setup some data in the database.
 	version := coderdtest.CreateTemplateVersion(t, client, admin.OrganizationID, &echo.Responses{
 		Parse: echo.ParseComplete,
@@ -118,18 +139,10 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 		"GET:/api/v2/workspaceagents/{workspaceagent}/turn":       {NoAuthorize: true},
 
 		// TODO: @emyrk these need to be fixed by adding authorize calls
-		"GET:/api/v2/organizations/{organization}/provisionerdaemons":       {NoAuthorize: true},
-		"GET:/api/v2/organizations/{organization}/templates/{templatename}": {NoAuthorize: true},
-		"POST:/api/v2/organizations/{organization}/templateversions":        {NoAuthorize: true},
-		"POST:/api/v2/organizations/{organization}/workspaces":              {NoAuthorize: true},
-
-		"POST:/api/v2/parameters/{scope}/{id}":          {NoAuthorize: true},
-		"GET:/api/v2/parameters/{scope}/{id}":           {NoAuthorize: true},
-		"DELETE:/api/v2/parameters/{scope}/{id}/{name}": {NoAuthorize: true},
-
-		"POST:/api/v2/users/{user}/organizations": {NoAuthorize: true},
-
-		"GET:/api/v2/workspaces/{workspace}/watch": {NoAuthorize: true},
+		"POST:/api/v2/organizations/{organization}/workspaces":       {NoAuthorize: true},
+		"POST:/api/v2/users/{user}/organizations":                    {NoAuthorize: true},
+		"GET:/api/v2/workspaces/{workspace}/watch":                   {NoAuthorize: true},
+		"POST:/api/v2/organizations/{organization}/templateversions": {NoAuthorize: true},
 
 		// These endpoints have more assertions. This is good, add more endpoints to assert if you can!
 		"GET:/api/v2/organizations/{organization}":                   {AssertObject: rbac.ResourceOrganization.InOrg(admin.OrganizationID)},
@@ -251,6 +264,27 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 			AssertAction: rbac.ActionRead,
 			AssertObject: rbac.ResourceTemplate.InOrg(template.OrganizationID).WithID(template.ID.String()),
 		},
+		"GET:/api/v2/provisionerdaemons": {
+			StatusCode:   http.StatusOK,
+			AssertObject: rbac.ResourceProvisionerDaemon.WithID(provisionerds[0].ID.String()),
+		},
+
+		"POST:/api/v2/parameters/{scope}/{id}": {
+			AssertAction: rbac.ActionUpdate,
+			AssertObject: rbac.ResourceOrganization.WithID(organization.ID.String()),
+		},
+		"GET:/api/v2/parameters/{scope}/{id}": {
+			AssertAction: rbac.ActionRead,
+			AssertObject: rbac.ResourceOrganization.WithID(organization.ID.String()),
+		},
+		"DELETE:/api/v2/parameters/{scope}/{id}/{name}": {
+			AssertAction: rbac.ActionUpdate,
+			AssertObject: rbac.ResourceOrganization.WithID(organization.ID.String()),
+		},
+		"GET:/api/v2/organizations/{organization}/templates/{templatename}": {
+			AssertAction: rbac.ActionRead,
+			AssertObject: rbac.ResourceTemplate.InOrg(template.OrganizationID).WithID(template.ID.String()),
+		},
 
 		// These endpoints need payloads to get to the auth part. Payloads will be required
 		"PUT:/api/v2/users/{user}/roles":                                {StatusCode: http.StatusBadRequest, NoAuthorize: true},
@@ -292,6 +326,10 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 			route = strings.ReplaceAll(route, "{hash}", file.Hash)
 			route = strings.ReplaceAll(route, "{workspaceresource}", workspaceResources[0].ID.String())
 			route = strings.ReplaceAll(route, "{templateversion}", version.ID.String())
+			route = strings.ReplaceAll(route, "{templatename}", template.Name)
+			// Only checking org scoped params here
+			route = strings.ReplaceAll(route, "{scope}", string(organizationParam.Scope))
+			route = strings.ReplaceAll(route, "{id}", organizationParam.ScopeID.String())
 
 			resp, err := client.Request(context.Background(), method, route, nil)
 			require.NoError(t, err, "do req")

coderd/database/databasefake/databasefake.go

@@ -1283,11 +1283,10 @@ func (q *fakeQuerier) InsertProvisionerDaemon(_ context.Context, arg database.In
 	defer q.mutex.Unlock()
 
 	daemon := database.ProvisionerDaemon{
-		ID:             arg.ID,
-		CreatedAt:      arg.CreatedAt,
-		OrganizationID: arg.OrganizationID,
-		Name:           arg.Name,
-		Provisioners:   arg.Provisioners,
+		ID:           arg.ID,
+		CreatedAt:    arg.CreatedAt,
+		Name:         arg.Name,
+		Provisioners: arg.Provisioners,
 	}
 	q.provisionerDaemons = append(q.provisionerDaemons, daemon)
 	return daemon, nil

coderd/database/migrations/000014_provisioner_daemons_organization_id.down.sql

@@ -0,0 +1 @@
+ALTER TABLE provisioner_daemons ADD COLUMN organization_id uuid;

coderd/database/migrations/000014_provisioner_daemons_organization_id.up.sql

@@ -0,0 +1 @@
+ALTER TABLE provisioner_daemons DROP COLUMN organization_id;

coderd/database/modelmethods.go

@@ -22,3 +22,7 @@ func (m OrganizationMember) RBACObject() rbac.Object {
 func (o Organization) RBACObject() rbac.Object {
 	return rbac.ResourceOrganization.InOrg(o.ID).WithID(o.ID.String())
 }
+
+func (d ProvisionerDaemon) RBACObject() rbac.Object {
+	return rbac.ResourceProvisionerDaemon.WithID(d.ID.String())
+}

coderd/database/queries/provisionerdaemons.sql

@@ -17,12 +17,11 @@ INSERT INTO
 	provisioner_daemons (
 		id,
 		created_at,
-		organization_id,
 		"name",
 		provisioners
 	)
 VALUES
-	($1, $2, $3, $4, $5) RETURNING *;
+	($1, $2, $3, $4) RETURNING *;
 
 -- name: UpdateProvisionerDaemonByID :exec
 UPDATE