From 27c6919ebc8d30b694ce056a7cea6d1bf347ad0f Mon Sep 17 00:00:00 2001
From: Mathias Fredriksson <mafredri@gmail.com>
Date: Mon, 17 Feb 2025 09:59:44 +0000
Subject: [PATCH 1/3] fix(coderd): add stricter authorization for provisioners
 endpoint

References #16558
---
 coderd/provisionerdaemons.go      | 9 +++++++++
 coderd/provisionerdaemons_test.go | 9 ++++++---
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/coderd/provisionerdaemons.go b/coderd/provisionerdaemons.go
index e701771770091..6495c4eb15bee 100644
--- a/coderd/provisionerdaemons.go
+++ b/coderd/provisionerdaemons.go
@@ -9,6 +9,8 @@ import (
 	"github.com/coder/coder/v2/coderd/httpapi"
 	"github.com/coder/coder/v2/coderd/httpmw"
 	"github.com/coder/coder/v2/coderd/provisionerdserver"
+	"github.com/coder/coder/v2/coderd/rbac"
+	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/coderd/util/ptr"
 	"github.com/coder/coder/v2/codersdk"
 )
@@ -31,6 +33,13 @@ func (api *API) provisionerDaemons(rw http.ResponseWriter, r *http.Request) {
 		org = httpmw.OrganizationParam(r)
 	)
 
+	// This endpoint returns information about provisioner jobs.
+	// For now, only owners and template admins can access provisioner jobs.
+	if !api.Authorize(r, policy.ActionRead, rbac.ResourceProvisionerJobs.InOrg(org.ID)) {
+		httpapi.ResourceNotFound(rw)
+		return
+	}
+
 	qp := r.URL.Query()
 	p := httpapi.NewQueryParamParser()
 	limit := p.PositiveInt32(qp, 50, "limit")
diff --git a/coderd/provisionerdaemons_test.go b/coderd/provisionerdaemons_test.go
index 6496b4dd57e0a..d6d1138f7a912 100644
--- a/coderd/provisionerdaemons_test.go
+++ b/coderd/provisionerdaemons_test.go
@@ -241,11 +241,14 @@ func TestProvisionerDaemons(t *testing.T) {
 		require.Nil(t, daemons[0].PreviousJob)
 	})
 
-	t.Run("MemberAllowed", func(t *testing.T) {
+	// For now, this is not allowed even though the member has created a
+	// workspace. Once member-level permissions for jobs are supported
+	// by RBAC, this test should be updated.
+	t.Run("MemberDenied", func(t *testing.T) {
 		t.Parallel()
 		ctx := testutil.Context(t, testutil.WaitMedium)
 		daemons, err := memberClient.OrganizationProvisionerDaemons(ctx, owner.OrganizationID, nil)
-		require.NoError(t, err)
-		require.Len(t, daemons, 50)
+		require.Error(t, err)
+		require.Len(t, daemons, 0)
 	})
 }

From 360f8a6f41710a7e8be61985158c1abaf069c330 Mon Sep 17 00:00:00 2001
From: Mathias Fredriksson <mafredri@gmail.com>
Date: Mon, 17 Feb 2025 11:12:23 +0000
Subject: [PATCH 2/3] fix test

---
 cli/provisioners_test.go | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/cli/provisioners_test.go b/cli/provisioners_test.go
index ec528cfeda7cc..30a89714ff57f 100644
--- a/cli/provisioners_test.go
+++ b/cli/provisioners_test.go
@@ -71,7 +71,7 @@ func TestProvisioners_Golden(t *testing.T) {
 	})
 	owner := coderdtest.CreateFirstUser(t, client)
 	templateAdminClient, _ := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID, rbac.ScopedRoleOrgTemplateAdmin(owner.OrganizationID))
-	memberClient, member := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
+	_, member := coderdtest.CreateAnotherUser(t, client, owner.OrganizationID)
 
 	// Create initial resources with a running provisioner.
 	firstProvisioner := coderdtest.NewTaggedProvisionerDaemon(t, coderdAPI, "default-provisioner", map[string]string{"owner": "", "scope": "organization"})
@@ -178,8 +178,9 @@ func TestProvisioners_Golden(t *testing.T) {
 		t.Logf("replace[%q] = %q", id, replaceID)
 	}
 
-	// Test provisioners list with member as members can access
-	// provisioner daemons.
+	// Test provisioners list with template admin as members are currently
+	// unable to access provisioner jobs. In the future (with RBAC
+	// changes), we may allow them to view _their_ jobs.
 	t.Run("list", func(t *testing.T) {
 		t.Parallel()
 
@@ -190,7 +191,7 @@ func TestProvisioners_Golden(t *testing.T) {
 			"--column", "id,created at,last seen at,name,version,tags,key name,status,current job id,current job status,previous job id,previous job status,organization",
 		)
 		inv.Stdout = &got
-		clitest.SetupConfig(t, memberClient, root)
+		clitest.SetupConfig(t, templateAdminClient, root)
 		err := inv.Run()
 		require.NoError(t, err)
 

From 04b668086fdd334ea3f36147268b5975f88b6adb Mon Sep 17 00:00:00 2001
From: Mathias Fredriksson <mafredri@gmail.com>
Date: Mon, 17 Feb 2025 11:43:49 +0000
Subject: [PATCH 3/3] fix member scoped test

---
 enterprise/coderd/provisionerdaemons_test.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/enterprise/coderd/provisionerdaemons_test.go b/enterprise/coderd/provisionerdaemons_test.go
index 20d784467591f..0cd812b45c5f1 100644
--- a/enterprise/coderd/provisionerdaemons_test.go
+++ b/enterprise/coderd/provisionerdaemons_test.go
@@ -953,7 +953,7 @@ func TestGetProvisionerDaemons(t *testing.T) {
 				org := coderdenttest.CreateOrganization(t, client, coderdenttest.CreateOrganizationOptions{
 					IncludeProvisionerDaemon: false,
 				})
-				orgAdmin, _ := coderdtest.CreateAnotherUser(t, client, org.ID, rbac.ScopedRoleOrgMember(org.ID))
+				orgTemplateAdmin, _ := coderdtest.CreateAnotherUser(t, client, org.ID, rbac.ScopedRoleOrgTemplateAdmin(org.ID))
 
 				daemonCreatedAt := time.Now()
 
@@ -986,11 +986,11 @@ func TestGetProvisionerDaemons(t *testing.T) {
 				require.NoError(t, err, "should be able to create provisioner daemon")
 				daemonAsCreated := db2sdk.ProvisionerDaemon(pd)
 
-				allDaemons, err := orgAdmin.OrganizationProvisionerDaemons(ctx, org.ID, nil)
+				allDaemons, err := orgTemplateAdmin.OrganizationProvisionerDaemons(ctx, org.ID, nil)
 				require.NoError(t, err)
 				require.Len(t, allDaemons, 1)
 
-				daemonsAsFound, err := orgAdmin.OrganizationProvisionerDaemons(ctx, org.ID, &codersdk.OrganizationProvisionerDaemonsOptions{
+				daemonsAsFound, err := orgTemplateAdmin.OrganizationProvisionerDaemons(ctx, org.ID, &codersdk.OrganizationProvisionerDaemonsOptions{
 					Tags: tt.tagsToFilterBy,
 				})
 				if tt.expectToGetDaemon {

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<title>pFad - Phonifier reborn</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
</head>
<body>
<h1>Pfad - The Proxy pFad of &#169; 2024 Garber Painting. All rights reserved.</h1>


<!-- Disclaimer -->
<p>Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.</p>
<br>
<p>Alternative Proxies:</p><p><a href="http://rainy.clevelandohioweatherforecast.com/php-proxy/index.php?q=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/16587.patch" target="_blank">Alternative Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/index.php?u=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/16587.patch" target="_blank">pFad Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v3index.php?u=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/16587.patch" target="_blank">pFad v3 Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v4index.php?u=https://patch-diff.githubusercontent.com/raw/coder/coder/pull/16587.patch" target="_blank">pFad v4 Proxy</a></p></body>
</html>