
Commit 1f5788f

authored
chore: remove rbac psuedo resources, add custom verbs (coder#13276)
Removes our pseudo rbac resources like `WorkspaceApplicationConnect` in favor of additional verbs like `ssh`. This makes permissions more intuitive when building custom roles. The source of truth is now `policy.go`.
1 parent cb6b5e8 commit 1f5788f


48 files changed

+1788
-1032
lines changed

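--- a/Makefile
+++ b/Makefile
@@ -486,6 +486,7 @@ gen: \
 $(DB_GEN_FILES) \
 site/src/api/typesGenerated.ts \
 coderd/rbac/object_gen.go \
+codersdk/rbacresources_gen.go \
 docs/admin/prometheus.md \
 docs/cli.md \
 docs/admin/audit-logs.md \
@@ -611,7 +612,10 @@ examples/examples.gen.json: scripts/examplegen/main.go examples/examples.go $(sh
 go run ./scripts/examplegen/main.go > examples/examples.gen.json
 
 coderd/rbac/object_gen.go: scripts/rbacgen/main.go coderd/rbac/object.go
-go run scripts/rbacgen/main.go ./coderd/rbac > coderd/rbac/object_gen.go
+go run scripts/rbacgen/main.go rbac > coderd/rbac/object_gen.go
+
+codersdk/rbacresources_gen.go: scripts/rbacgen/main.go coderd/rbac/object.go
+go run scripts/rbacgen/main.go codersdk > codersdk/rbacresources_gen.go
 
 docs/admin/prometheus.md: scripts/metricsdocgen/main.go scripts/metricsdocgen/metrics
 go run scripts/metricsdocgen/main.go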
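Review bot: Both generator targets in the second hunk list `coderd/rbac/object.go` as their only source prerequisite, yet the commit description says the source of truth is now `policy.go`; if `scripts/rbacgen/main.go` reads that file, edits to it will not retrigger `coderd/rbac/object_gen.go` or `codersdk/rbacresources_gen.go` under `make gen` and the generated resource lists can silently drift from the policy. Adding the policy file (presumably `coderd/rbac/policy.go`) to both prerequisite lists, e.g. `codersdk/rbacresources_gen.go: scripts/rbacgen/main.go coderd/rbac/object.go coderd/rbac/policy.go`, keeps regeneration tied to the real input. The rendered page has dropped the leading tabs on the recipe lines, so the indentation shown here is not what the file contains.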

coderd/apidoc/docs.go

Lines changed: 76 additions & 37 deletions

coderd/apidoc/swagger.json

Lines changed: 77 additions & 38 deletions

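--- a/coderd/authorize.go
+++ b/coderd/authorize.go
@@ -169,7 +169,7 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) {
 obj := rbac.Object{
 Owner: v.Object.OwnerID,
 OrgID: v.Object.OrganizationID,
-Type: v.Object.ResourceType.String(),
+Type: string(v.Object.ResourceType),
 }
 if obj.Owner == "me" {
 obj.Owner = auth.ID
@@ -189,13 +189,7 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) {
 var dbObj rbac.Objecter
 var dbErr error
 // Only support referencing some resources by ID.
-switch v.Object.ResourceType.String() {
-case rbac.ResourceWorkspaceExecution.Type:
-workSpace, err := api.Database.GetWorkspaceByID(ctx, id)
-if err == nil {
-dbObj = workSpace.ExecutionRBAC()
-}
-dbErr = err
+switch string(v.Object.ResourceType) {
 case rbac.ResourceWorkspace.Type:
 dbObj, dbErr = api.Database.GetWorkspaceByID(ctx, id)
 case rbac.ResourceTemplate.Type: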
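Review bot: `Type: string(v.Object.ResourceType)` now passes whatever string the client supplied straight through as the rbac object type, and the `switch string(v.Object.ResourceType)` in the second hunk only narrows which types are looked up by ID; unless the remainder of checkAuthorization (it continues past both hunks) validates the value, an unrecognised resource type reaches the authorizer and the endpoint's answer then depends on how the authorizer treats unknown types rather than on an explicit decision here. Since this commit also generates `codersdk/rbacresources_gen.go`, the request could be validated against that list up front and rejected with a 400 for unknown values, which would also give the `default` branch of the switch (not visible in the hunk) one less case to reason about. A one-line comment on the `Type:` field noting that the value is client-controlled and where it is validated would help whichever reader next touches this endpoint.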

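--- a/coderd/coderdtest/authorize.go
+++ b/coderd/coderdtest/authorize.go
@@ -416,23 +416,16 @@ func RandomRBACObject() rbac.Object {
 func randomRBACType() string {
 all := []string{
 rbac.ResourceWorkspace.Type,
-rbac.ResourceWorkspaceExecution.Type,
-rbac.ResourceWorkspaceApplicationConnect.Type,
 rbac.ResourceAuditLog.Type,
 rbac.ResourceTemplate.Type,
 rbac.ResourceGroup.Type,
 rbac.ResourceFile.Type,
 rbac.ResourceProvisionerDaemon.Type,
 rbac.ResourceOrganization.Type,
-rbac.ResourceRoleAssignment.Type,
-rbac.ResourceOrgRoleAssignment.Type,
-rbac.ResourceAPIKey.Type,
 rbac.ResourceUser.Type,
-rbac.ResourceUserData.Type,
 rbac.ResourceOrganizationMember.Type,
 rbac.ResourceWildcard.Type,
 rbac.ResourceLicense.Type,
-rbac.ResourceDeploymentValues.Type,
 rbac.ResourceReplicas.Type,
 rbac.ResourceDebugInfo.Type,
 }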

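--- a/coderd/coderdtest/coderdtest.go
+++ b/coderd/coderdtest/coderdtest.go
@@ -221,7 +221,7 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 }
 
 if options.Authorizer == nil {
-defAuth := rbac.NewCachingAuthorizer(prometheus.NewRegistry())
+defAuth := rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry())
 if _, ok := t.(*testing.T); ok {
 options.Authorizer = &RecordingAuthorizer{
 Wrapped: defAuth,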
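Review bot: The switch to `rbac.NewStrictCachingAuthorizer` changes the authorizer every test runs under by default, but nothing on that line says what "strict" adds over `rbac.NewCachingAuthorizer`, which production presumably keeps using. A why-comment directly above it, along the lines of `// Tests default to the strict authorizer so that RBAC misuse fails loudly in CI rather than being tolerated as it would be in production.`, adjusted to whatever the strict variant actually enforces, would spare the next reader a trip into the rbac package. NewOptions continues outside the hunk.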
