coder
diff --git a/‎cli/testdata/coder_server_--help.golden‎
Lines changed: 7 additions & 0 deletions b/‎cli/testdata/coder_server_--help.golden‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎cli/testdata/server-config.yaml.golden‎
Lines changed: 6 additions & 0 deletions b/‎cli/testdata/server-config.yaml.golden‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎coderd/apidoc/docs.go‎
Lines changed: 3 additions & 0 deletions b/‎coderd/apidoc/docs.go‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎coderd/apidoc/swagger.json‎
Lines changed: 3 additions & 0 deletions b/‎coderd/apidoc/swagger.json‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎coderd/coderd.go‎
Lines changed: 4 additions & 0 deletions b/‎coderd/coderd.go‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎coderd/database/dbgen/dbgen.go‎
Lines changed: 10 additions & 0 deletions b/‎coderd/database/dbgen/dbgen.go‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎coderd/database/modelmethods.go‎
Lines changed: 9 additions & 2 deletions b/‎coderd/database/modelmethods.go‎
Lines changed: 9 additions & 2 deletions
diff --git a/‎coderd/database/modelmethods_internal_test.go‎
Lines changed: 39 additions & 0 deletions b/‎coderd/database/modelmethods_internal_test.go‎
Lines changed: 39 additions & 0 deletions
diff --git a/‎coderd/rbac/object.go‎
Lines changed: 16 additions & 0 deletions b/‎coderd/rbac/object.go‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎coderd/workspaces_test.go‎
Lines changed: 73 additions & 0 deletions b/‎coderd/workspaces_test.go‎
Lines changed: 73 additions & 0 deletions
@@ -46,6 +46,13 @@ OPTIONS:
           the workspace serves malicious JavaScript. This is recommended for
           security purposes if a --wildcard-access-url is configured.
 
+      --disable-workspace-sharing bool, $CODER_DISABLE_WORKSPACE_SHARING
+          Disable workspace sharing (requires the "workspace-sharing" experiment
+          to be enabled). Workspace ACL checking is disabled and only owners can
+          have ssh, apps and terminal access to workspaces. Access based on the
+          'owner' role is also allowed unless disabled via
+          --disable-owner-workspace-access.
+
       --swagger-enable bool, $CODER_SWAGGER_ENABLE
           Expose the swagger endpoint via /swagger.
 
 
@@ -497,6 +497,12 @@ disablePathApps: false
 # workspaces.
 # (default: <unset>, type: bool)
 disableOwnerWorkspaceAccess: false
+# Disable workspace sharing (requires the "workspace-sharing" experiment to be
+# enabled). Workspace ACL checking is disabled and only owners can have ssh, apps
+# and terminal access to workspaces. Access based on the 'owner' role is also
+# allowed unless disabled via --disable-owner-workspace-access.
+# (default: <unset>, type: bool)
+disableWorkspaceSharing: false
 # These options change the behavior of how clients interact with the Coder.
 # Clients include the Coder CLI, Coder Desktop, IDE extensions, and the web UI.
 client:
 
@@ -333,6 +333,10 @@ func New(options *Options) *API {
 		})
 	}
 
+	if options.DeploymentValues.DisableWorkspaceSharing {
+		rbac.SetWorkspaceACLDisabled(true)
+	}
+
 	if options.PrometheusRegistry == nil {
 		options.PrometheusRegistry = prometheus.NewRegistry()
 	}
 
@@ -439,6 +439,16 @@ func Workspace(t testing.TB, db database.Store, orig database.WorkspaceTable) da
 		require.NoError(t, err, "set workspace as dormant")
 		workspace.DormantAt = orig.DormantAt
 	}
+	if len(orig.UserACL) > 0 || len(orig.GroupACL) > 0 {
+		err = db.UpdateWorkspaceACLByID(genCtx, database.UpdateWorkspaceACLByIDParams{
+			ID:       workspace.ID,
+			UserACL:  orig.UserACL,
+			GroupACL: orig.GroupACL,
+		})
+		require.NoError(t, err, "set workspace ACL")
+		workspace.UserACL = orig.UserACL
+		workspace.GroupACL = orig.GroupACL
+	}
 	return workspace
 }
 
 
@@ -430,9 +430,16 @@ func (w WorkspaceTable) RBACObject() rbac.Object {
 		return w.DormantRBAC()
 	}
 
-	return rbac.ResourceWorkspace.WithID(w.ID).
+	obj := rbac.ResourceWorkspace.
+		WithID(w.ID).
 		InOrg(w.OrganizationID).
-		WithOwner(w.OwnerID.String()).
+		WithOwner(w.OwnerID.String())
+
+	if rbac.WorkspaceACLDisabled() {
+		return obj
+	}
+
+	return obj.
 		WithGroupACL(w.GroupACL.RBACACL()).
 		WithACLUserList(w.UserACL.RBACACL())
 }
 
@@ -143,6 +143,45 @@ func TestAPIKeyScopesExpand(t *testing.T) {
 	})
 }
 
+//nolint:tparallel,paralleltest
+func TestWorkspaceACLDisabled(t *testing.T) {
+	uid := uuid.NewString()
+	gid := uuid.NewString()
+
+	ws := WorkspaceTable{
+		ID:             uuid.New(),
+		OrganizationID: uuid.New(),
+		OwnerID:        uuid.New(),
+		UserACL: WorkspaceACL{
+			uid: WorkspaceACLEntry{Permissions: []policy.Action{policy.ActionSSH}},
+		},
+		GroupACL: WorkspaceACL{
+			gid: WorkspaceACLEntry{Permissions: []policy.Action{policy.ActionSSH}},
+		},
+	}
+
+	t.Run("ACLsOmittedWhenDisabled", func(t *testing.T) {
+		rbac.SetWorkspaceACLDisabled(true)
+		t.Cleanup(func() { rbac.SetWorkspaceACLDisabled(false) })
+
+		obj := ws.RBACObject()
+
+		require.Empty(t, obj.ACLUserList, "user ACLs should be empty when disabled")
+		require.Empty(t, obj.ACLGroupList, "group ACLs should be empty when disabled")
+	})
+
+	t.Run("ACLsIncludedWhenEnabled", func(t *testing.T) {
+		rbac.SetWorkspaceACLDisabled(false)
+
+		obj := ws.RBACObject()
+
+		require.NotEmpty(t, obj.ACLUserList, "user ACLs should be present when enabled")
+		require.NotEmpty(t, obj.ACLGroupList, "group ACLs should be present when enabled")
+		require.Contains(t, obj.ACLUserList, uid)
+		require.Contains(t, obj.ACLGroupList, gid)
+	})
+}
+
 // Helpers
 func requirePermission(t *testing.T, s rbac.Scope, resource string, action policy.Action) {
 	t.Helper()
 
@@ -236,3 +236,19 @@ func (z Object) WithGroupACL(groups map[string][]policy.Action) Object {
 		AnyOrgOwner:  z.AnyOrgOwner,
 	}
 }
+
+// TODO(geokat): similar to builtInRoles, this should ideally be
+// scoped to a coderd rather than a global.
+var workspaceACLDisabled bool
+
+// SetWorkspaceACLDisabled disables/enables workspace sharing for the
+// deployment.
+func SetWorkspaceACLDisabled(v bool) {
+	workspaceACLDisabled = v
+}
+
+// WorkspaceACLDisabled returns true if workspace sharing is disabled
+// for the deployment.
+func WorkspaceACLDisabled() bool {
+	return workspaceACLDisabled
+}
@@ -5240,6 +5240,79 @@ func TestDeleteWorkspaceACL(t *testing.T) {
 	})
 }
 
+// nolint:tparallel,paralleltest // Subtests modify package global.
+func TestWorkspaceSharingDisabled(t *testing.T) {
+	t.Run("CanAccessWhenEnabled", func(t *testing.T) {
+		var (
+			client, db = coderdtest.NewWithDatabase(t, &coderdtest.Options{
+				DeploymentValues: coderdtest.DeploymentValues(t, func(dv *codersdk.DeploymentValues) {
+					dv.Experiments = []string{string(codersdk.ExperimentWorkspaceSharing)}
+					// DisableWorkspaceSharing is false (default)
+				}),
+			})
+			admin            = coderdtest.CreateFirstUser(t, client)
+			_, wsOwner       = coderdtest.CreateAnotherUser(t, client, admin.OrganizationID)
+			userClient, user = coderdtest.CreateAnotherUser(t, client, admin.OrganizationID)
+		)
+
+		ctx := testutil.Context(t, testutil.WaitMedium)
+
+		// Create workspace with ACL granting access to user
+		ws := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
+			OwnerID:        wsOwner.ID,
+			OrganizationID: admin.OrganizationID,
+			UserACL: database.WorkspaceACL{
+				user.ID.String(): database.WorkspaceACLEntry{
+					Permissions: []policy.Action{
+						policy.ActionRead, policy.ActionSSH, policy.ActionApplicationConnect,
+					},
+				},
+			},
+		}).Do().Workspace
+
+		// User SHOULD be able to access workspace when sharing is enabled
+		fetchedWs, err := userClient.Workspace(ctx, ws.ID)
+		require.NoError(t, err)
+		require.Equal(t, ws.ID, fetchedWs.ID)
+	})
+
+	t.Run("NoAccessWhenDisabled", func(t *testing.T) {
+		var (
+			client, db = coderdtest.NewWithDatabase(t, &coderdtest.Options{
+				DeploymentValues: coderdtest.DeploymentValues(t, func(dv *codersdk.DeploymentValues) {
+					dv.Experiments = []string{string(codersdk.ExperimentWorkspaceSharing)}
+					dv.DisableWorkspaceSharing = true
+				}),
+			})
+			admin            = coderdtest.CreateFirstUser(t, client)
+			_, wsOwner       = coderdtest.CreateAnotherUser(t, client, admin.OrganizationID)
+			userClient, user = coderdtest.CreateAnotherUser(t, client, admin.OrganizationID)
+		)
+
+		ctx := testutil.Context(t, testutil.WaitMedium)
+
+		// Create workspace with ACL granting access to user directly in DB
+		ws := dbfake.WorkspaceBuild(t, db, database.WorkspaceTable{
+			OwnerID:        wsOwner.ID,
+			OrganizationID: admin.OrganizationID,
+			UserACL: database.WorkspaceACL{
+				user.ID.String(): database.WorkspaceACLEntry{
+					Permissions: []policy.Action{
+						policy.ActionRead, policy.ActionSSH, policy.ActionApplicationConnect,
+					},
+				},
+			},
+		}).Do().Workspace
+
+		// User should NOT be able to access workspace when sharing is disabled
+		_, err := userClient.Workspace(ctx, ws.ID)
+		require.Error(t, err)
+		var sdkErr *codersdk.Error
+		require.ErrorAs(t, err, &sdkErr)
+		require.Equal(t, http.StatusNotFound, sdkErr.StatusCode())
+	})
+}
+
 func TestWorkspaceCreateWithImplicitPreset(t *testing.T) {
 	t.Parallel()
Original file line number	Diff line number	Diff line change
`@@ -333,6 +333,10 @@ func New(options Options) API {`
`333`	`333`	`})`
`334`	`334`	`}`
`335`	`335`
	`336`	`+ if options.DeploymentValues.DisableWorkspaceSharing {`
	`337`	`+ rbac.SetWorkspaceACLDisabled(true)`
	`338`	`+ }`
	`339`	`+`
`336`	`340`	`if options.PrometheusRegistry == nil {`
`337`	`341`	`options.PrometheusRegistry = prometheus.NewRegistry()`
`338`	`342`	`}`