add some tests

sreya · sreya · commit 18fa31213c98 · 2023-06-28T02:18:58.000Z
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -1961,7 +1961,7 @@ func (q *querier) InsertWorkspaceBuild(ctx context.Context, arg database.InsertW
 		action = rbac.ActionDelete
 	}
 
-	if err = q.authorizeContext(ctx, action, w.WorkspaceBuildRBAC()); err != nil {
+	if err = q.authorizeContext(ctx, action, w.WorkspaceBuildRBAC(arg.Transition)); err != nil {
 		return database.WorkspaceBuild{}, err
 	}
 
diff --git a/coderd/database/modelmethods.go b/coderd/database/modelmethods.go
@@ -168,9 +168,13 @@ func (w Workspace) ApplicationConnectRBAC() rbac.Object {
 		WithOwner(w.OwnerID.String())
 }
 
-func (w Workspace) WorkspaceBuildRBAC() rbac.Object {
+func (w Workspace) WorkspaceBuildRBAC(transition WorkspaceTransition) rbac.Object {
 	// If a workspace is locked it cannot be built.
-	if w.LockedAt.Valid {
+	// However we need to allow stopping a workspace by a caller once a workspace
+	// is locked (e.g. for autobuild). Additionally, if a user wants to delete
+	// a locked workspace, they shouldn't have to have it unlocked first.
+	if w.LockedAt.Valid && transition != WorkspaceTransitionStop &&
+		transition != WorkspaceTransitionDelete {
 		return w.LockedRBAC()
 	}
 
diff --git a/coderd/workspacebuilds.go b/coderd/workspacebuilds.go
@@ -350,6 +350,11 @@ func (api *API) postWorkspaceBuilds(rw http.ResponseWriter, r *http.Request) {
 	)
 	var buildErr wsbuilder.BuildError
 	if xerrors.As(err, &buildErr) {
+		var authErr dbauthz.NotAuthorizedError
+		if xerrors.As(err, &authErr) {
+			buildErr.Status = http.StatusUnauthorized
+		}
+
 		if buildErr.Status == http.StatusInternalServerError {
 			api.Logger.Error(ctx, "workspace build error", slog.Error(buildErr.Wrapped))
 		}
diff --git a/coderd/workspaces_test.go b/coderd/workspaces_test.go
@@ -2375,3 +2375,79 @@ func TestWorkspaceWithOptionalRichParameters(t *testing.T) {
 	}
 	require.ElementsMatch(t, expectedBuildParameters, workspaceBuildParameters)
 }
+
+func TestWorkspaceLock(t *testing.T) {
+	t.Parallel()
+
+	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
+		var (
+			client    = coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+			user      = coderdtest.CreateFirstUser(t, client)
+			version   = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+			_         = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+			template  = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+			workspace = coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+			_         = coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+		)
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		err := client.UpdateWorkspaceLock(ctx, workspace.ID, codersdk.UpdateWorkspaceLock{
+			Lock: true,
+		})
+		require.NoError(t, err)
+
+		workspace, err = client.Workspace(ctx, workspace.ID)
+		require.NoError(t, err, "fetch provisioned workspace")
+		require.NotNil(t, workspace.LockedAt)
+		require.WithinRange(t, *workspace.LockedAt, time.Now().Add(-time.Second*10), time.Now())
+
+		err = client.UpdateWorkspaceLock(ctx, workspace.ID, codersdk.UpdateWorkspaceLock{
+			Lock: false,
+		})
+		require.NoError(t, err)
+
+		workspace, err = client.Workspace(ctx, workspace.ID)
+		require.NoError(t, err, "fetch provisioned workspace")
+		require.Nil(t, workspace.LockedAt)
+	})
+
+	t.Run("CannotStart", func(t *testing.T) {
+		t.Parallel()
+		var (
+			client    = coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+			user      = coderdtest.CreateFirstUser(t, client)
+			version   = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+			_         = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+			template  = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+			workspace = coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+			_         = coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+		)
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		err := client.UpdateWorkspaceLock(ctx, workspace.ID, codersdk.UpdateWorkspaceLock{
+			Lock: true,
+		})
+		require.NoError(t, err)
+
+		// Should be able to stop a workspace while it is locked.
+		coderdtest.MustTransitionWorkspace(t, client, workspace.ID, database.WorkspaceTransitionStart, database.WorkspaceTransitionStop)
+
+		// Should not be able to start a workspace while it is locked.
+		_, err = client.CreateWorkspaceBuild(ctx, workspace.ID, codersdk.CreateWorkspaceBuildRequest{
+			TemplateVersionID: template.ActiveVersionID,
+			Transition:        codersdk.WorkspaceTransition(database.WorkspaceTransitionStart),
+		})
+		require.Error(t, err)
+
+		err = client.UpdateWorkspaceLock(ctx, workspace.ID, codersdk.UpdateWorkspaceLock{
+			Lock: false,
+		})
+		require.NoError(t, err)
+		coderdtest.MustTransitionWorkspace(t, client, workspace.ID, database.WorkspaceTransitionStop, database.WorkspaceTransitionStart)
+	})
+}
diff --git a/codersdk/workspaces.go b/codersdk/workspaces.go
@@ -287,7 +287,7 @@ type UpdateWorkspaceLock struct {
 }
 
 // UpdateWorkspaceLock locks or unlocks a workspace.
-func (c *Client) UpdateWorkspaceLock(ctx context.Context, id uuid.UUID, req PutExtendWorkspaceRequest) error {
+func (c *Client) UpdateWorkspaceLock(ctx context.Context, id uuid.UUID, req UpdateWorkspaceLock) error {
 	path := fmt.Sprintf("/api/v2/workspaces/%s/lock", id.String())
 	res, err := c.Request(ctx, http.MethodPut, path, req)
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -1961,7 +1961,7 @@ func (q *querier) InsertWorkspaceBuild(ctx context.Context, arg database.InsertW`
`1961`	`1961`	`action = rbac.ActionDelete`
`1962`	`1962`	`}`
`1963`	`1963`
`1964`		`- if err = q.authorizeContext(ctx, action, w.WorkspaceBuildRBAC()); err != nil {`
	`1964`	`+ if err = q.authorizeContext(ctx, action, w.WorkspaceBuildRBAC(arg.Transition)); err != nil {`
`1965`	`1965`	`return database.WorkspaceBuild{}, err`
`1966`	`1966`	`}`
`1967`	`1967`
Original file line number	Diff line number	Diff line change
`@@ -168,9 +168,13 @@ func (w Workspace) ApplicationConnectRBAC() rbac.Object {`
`168`	`168`	`WithOwner(w.OwnerID.String())`
`169`	`169`	`}`
`170`	`170`
`171`		`-func (w Workspace) WorkspaceBuildRBAC() rbac.Object {`
	`171`	`+func (w Workspace) WorkspaceBuildRBAC(transition WorkspaceTransition) rbac.Object {`
`172`	`172`	`// If a workspace is locked it cannot be built.`
`173`		`- if w.LockedAt.Valid {`
	`173`	`+ // However we need to allow stopping a workspace by a caller once a workspace`
	`174`	`+ // is locked (e.g. for autobuild). Additionally, if a user wants to delete`
	`175`	`+ // a locked workspace, they shouldn't have to have it unlocked first.`
	`176`	`+ if w.LockedAt.Valid && transition != WorkspaceTransitionStop &&`
	`177`	`+ transition != WorkspaceTransitionDelete {`
`174`	`178`	`return w.LockedRBAC()`
`175`	`179`	`}`
`176`	`180`
Original file line number	Diff line number	Diff line change
`@@ -350,6 +350,11 @@ func (api API) postWorkspaceBuilds(rw http.ResponseWriter, r http.Request) {`
`350`	`350`	`)`
`351`	`351`	`var buildErr wsbuilder.BuildError`
`352`	`352`	`if xerrors.As(err, &buildErr) {`
	`353`	`+ var authErr dbauthz.NotAuthorizedError`
	`354`	`+ if xerrors.As(err, &authErr) {`
	`355`	`+ buildErr.Status = http.StatusUnauthorized`
	`356`	`+ }`
	`357`	`+`
`353`	`358`	`if buildErr.Status == http.StatusInternalServerError {`
`354`	`359`	`api.Logger.Error(ctx, "workspace build error", slog.Error(buildErr.Wrapped))`
`355`	`360`	`}`
Original file line number	Diff line number	Diff line change
`@@ -287,7 +287,7 @@ type UpdateWorkspaceLock struct {`
`287`	`287`	`}`
`288`	`288`
`289`	`289`	`// UpdateWorkspaceLock locks or unlocks a workspace.`
`290`		`-func (c *Client) UpdateWorkspaceLock(ctx context.Context, id uuid.UUID, req PutExtendWorkspaceRequest) error {`
	`290`	`+func (c *Client) UpdateWorkspaceLock(ctx context.Context, id uuid.UUID, req UpdateWorkspaceLock) error {`
`291`	`291`	`path := fmt.Sprintf("/api/v2/workspaces/%s/lock", id.String())`
`292`	`292`	`res, err := c.Request(ctx, http.MethodPut, path, req)`
`293`	`293`	`if err != nil {`