feat: app sharing pt.3

coder · deansheather · Oct 14, 2022 · Oct 5, 2022 · Oct 5, 2022 · Oct 5, 2022
commit d7403ec8ea1cc148c09e40206dad5dcd7a6564e9
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -204,7 +204,7 @@ func New(options *Options) *API {
 				RedirectToLogin: false,
 				Optional:        true,
 			}),
-			httpmw.ExtractUserParam(api.Database),
+			httpmw.ExtractUserParam(api.Database, false),
 			httpmw.ExtractWorkspaceAndAgentParam(api.Database),
 		),
 		// Build-Version is helpful for debugging.
@@ -221,8 +221,18 @@ func New(options *Options) *API {
 		r.Use(
 			tracing.Middleware(api.TracerProvider),
 			httpmw.RateLimitPerMinute(options.APIRateLimit),
-			apiKeyMiddlewareRedirect,
-			httpmw.ExtractUserParam(api.Database),
+			httpmw.ExtractAPIKey(httpmw.ExtractAPIKeyConfig{
+				DB:            options.Database,
+				OAuth2Configs: oauthConfigs,
+				// Optional is true to allow for public apps. If an
+				// authorization check fails and the user is not authenticated,
+				// they will be redirected to the login page by the app handler.
+				RedirectToLogin: false,
+				Optional:        true,
+			}),
+			// Redirect to the login page if the user tries to open an app with
+			// "me" as the username and they are not logged in.
+			httpmw.ExtractUserParam(api.Database, true),
 			// Extracts the <workspace.agent> from the url
 			httpmw.ExtractWorkspaceAndAgentParam(api.Database),
 		)
@@ -312,7 +322,7 @@ func New(options *Options) *API {
 					r.Get("/roles", api.assignableOrgRoles)
 					r.Route("/{user}", func(r chi.Router) {
 						r.Use(
-							httpmw.ExtractUserParam(options.Database),
+							httpmw.ExtractUserParam(options.Database, false),
 							httpmw.ExtractOrganizationMemberParam(options.Database),
 						)
 						r.Put("/roles", api.putMemberRoles)
@@ -391,7 +401,7 @@ func New(options *Options) *API {
 					r.Get("/", api.assignableSiteRoles)
 				})
 				r.Route("/{user}", func(r chi.Router) {
-					r.Use(httpmw.ExtractUserParam(options.Database))
+					r.Use(httpmw.ExtractUserParam(options.Database, false))
 					r.Delete("/", api.deleteUser)
 					r.Get("/", api.userByName)
 					r.Put("/profile", api.putUserProfile)

diff --git a/coderd/database/databasefake/databasefake.go b/coderd/database/databasefake/databasefake.go
@@ -2060,6 +2060,10 @@ func (q *fakeQuerier) InsertWorkspaceApp(_ context.Context, arg database.InsertW
 	q.mutex.Lock()
 	defer q.mutex.Unlock()
 
+	if arg.SharingLevel == "" {
+		arg.SharingLevel = database.AppSharingLevelOwner
+	}
+
 	// nolint:gosimple
 	workspaceApp := database.WorkspaceApp{
 		ID:                   arg.ID,
@@ -2070,6 +2074,7 @@ func (q *fakeQuerier) InsertWorkspaceApp(_ context.Context, arg database.InsertW
 		Command:              arg.Command,
 		Url:                  arg.Url,
 		Subdomain:            arg.Subdomain,
+		SharingLevel:         arg.SharingLevel,
 		HealthcheckUrl:       arg.HealthcheckUrl,
 		HealthcheckInterval:  arg.HealthcheckInterval,
 		HealthcheckThreshold: arg.HealthcheckThreshold,

diff --git a/coderd/database/dump.sql b/coderd/database/dump.sql
diff --git a/...igrations/000056_app_share_level.down.sql → ...rations/000056_app_sharing_level.down.sql b/...igrations/000056_app_share_level.down.sql → ...rations/000056_app_sharing_level.down.sql
diff --git a/.../migrations/000056_app_share_level.up.sql → ...igrations/000056_app_sharing_level.up.sql b/.../migrations/000056_app_share_level.up.sql → ...igrations/000056_app_sharing_level.up.sql
@@ -1,5 +1,5 @@
--- Add enum app_share_level
-CREATE TYPE app_share_level AS ENUM (
+-- Add enum app_sharing_level
+CREATE TYPE app_sharing_level AS ENUM (
 	-- only the workspace owner can access the app
 	'owner',
 	-- the workspace owner and other users that can read the workspace template
@@ -11,5 +11,5 @@ CREATE TYPE app_share_level AS ENUM (
 	'public'
 );
 
--- Add share_level column to workspace_apps table
-ALTER TABLE workspace_apps ADD COLUMN share_level app_share_level NOT NULL DEFAULT 'owner'::app_share_level;
+-- Add sharing_level column to workspace_apps table
+ALTER TABLE workspace_apps ADD COLUMN sharing_level app_sharing_level NOT NULL DEFAULT 'owner'::app_sharing_level;
diff --git a/coderd/database/models.go b/coderd/database/models.go
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
diff --git a/coderd/database/queries/workspaceapps.sql b/coderd/database/queries/workspaceapps.sql
@@ -21,13 +21,14 @@ INSERT INTO
         command,
         url,
         subdomain,
+		sharing_level,
         healthcheck_url,
         healthcheck_interval,
         healthcheck_threshold,
         health
     )
 VALUES
-    ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12) RETURNING *;
+    ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13) RETURNING *;
 
 -- name: UpdateWorkspaceAppHealthByID :exec
 UPDATE

diff --git a/coderd/httpmw/apikey.go b/coderd/httpmw/apikey.go
@@ -82,8 +82,8 @@ type OAuth2Configs struct {
 }
 
 const (
-	signedOutErrorMessage string = "You are signed out or your session has expired. Please sign in again to continue."
-	internalErrorMessage  string = "An internal error occurred. Please try again or contact the system administrator."
+	SignedOutErrorMessage = "You are signed out or your session has expired. Please sign in again to continue."
+	internalErrorMessage  = "An internal error occurred. Please try again or contact the system administrator."
 )
 
 type ExtractAPIKeyConfig struct {
@@ -118,21 +118,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 			// like workspace applications.
 			write := func(code int, response codersdk.Response) {
 				if cfg.RedirectToLogin {
-					path := r.URL.Path
-					if r.URL.RawQuery != "" {
-						path += "?" + r.URL.RawQuery
-					}
-
-					q := url.Values{}
-					q.Add("message", response.Message)
-					q.Add("redirect", path)
-
-					u := &url.URL{
-						Path:     "/login",
-						RawQuery: q.Encode(),
-					}
-
-					http.Redirect(rw, r, u.String(), http.StatusTemporaryRedirect)
+					RedirectToLogin(rw, r, response.Message)
 					return
 				}
 
@@ -156,7 +142,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 			token := apiTokenFromRequest(r)
 			if token == "" {
 				optionalWrite(http.StatusUnauthorized, codersdk.Response{
-					Message: signedOutErrorMessage,
+					Message: SignedOutErrorMessage,
 					Detail:  fmt.Sprintf("Cookie %q or query parameter must be provided.", codersdk.SessionTokenKey),
 				})
 				return
@@ -165,7 +151,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 			keyID, keySecret, err := SplitAPIToken(token)
 			if err != nil {
 				optionalWrite(http.StatusUnauthorized, codersdk.Response{
-					Message: signedOutErrorMessage,
+					Message: SignedOutErrorMessage,
 					Detail:  "Invalid API key format: " + err.Error(),
 				})
 				return
@@ -175,7 +161,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 			if err != nil {
 				if errors.Is(err, sql.ErrNoRows) {
 					optionalWrite(http.StatusUnauthorized, codersdk.Response{
-						Message: signedOutErrorMessage,
+						Message: SignedOutErrorMessage,
 						Detail:  "API key is invalid.",
 					})
 					return
@@ -191,7 +177,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 			hashedSecret := sha256.Sum256([]byte(keySecret))
 			if subtle.ConstantTimeCompare(key.HashedSecret, hashedSecret[:]) != 1 {
 				optionalWrite(http.StatusUnauthorized, codersdk.Response{
-					Message: signedOutErrorMessage,
+					Message: SignedOutErrorMessage,
 					Detail:  "API key secret is invalid.",
 				})
 				return
@@ -254,7 +240,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 			// Checking if the key is expired.
 			if key.ExpiresAt.Before(now) {
 				optionalWrite(http.StatusUnauthorized, codersdk.Response{
-					Message: signedOutErrorMessage,
+					Message: SignedOutErrorMessage,
 					Detail:  fmt.Sprintf("API key expired at %q.", key.ExpiresAt.String()),
 				})
 				return
@@ -420,3 +406,24 @@ func SplitAPIToken(token string) (id string, secret string, err error) {
 
 	return keyID, keySecret, nil
 }
+
+// RedirectToLogin redirects the user to the login page with the `message` and
+// `redirect` query parameters set.
+func RedirectToLogin(rw http.ResponseWriter, r *http.Request, message string) {
+	path := r.URL.Path
+	if r.URL.RawQuery != "" {
+		path += "?" + r.URL.RawQuery
+	}
+
+	q := url.Values{}
+	q.Add("message", message)
+	q.Add("redirect", path)
+
+	u := &url.URL{
+		Path:     "/login",
+		RawQuery: q.Encode(),
+	}
+
+	http.Redirect(rw, r, u.String(), http.StatusTemporaryRedirect)
+	return
+}
diff --git a/coderd/httpmw/organizationparam_test.go b/coderd/httpmw/organizationparam_test.go
@@ -148,7 +148,7 @@ func TestOrganizationParam(t *testing.T) {
 				DB:              db,
 				RedirectToLogin: false,
 			}),
-			httpmw.ExtractUserParam(db),
+			httpmw.ExtractUserParam(db, false),
 			httpmw.ExtractOrganizationParam(db),
 			httpmw.ExtractOrganizationMemberParam(db),
 		)
@@ -189,7 +189,7 @@ func TestOrganizationParam(t *testing.T) {
 				RedirectToLogin: false,
 			}),
 			httpmw.ExtractOrganizationParam(db),
-			httpmw.ExtractUserParam(db),
+			httpmw.ExtractUserParam(db, false),
 			httpmw.ExtractOrganizationMemberParam(db),
 		)
 		rtr.Get("/", func(rw http.ResponseWriter, r *http.Request) {