remove user data object, and just use a data object

Emyrk · Emyrk · commit 0089e1d459a6 · 2024-05-14T17:16:27.000-05:00
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
diff --git a/coderd/database/dbauthz/dbauthz_test.go b/coderd/database/dbauthz/dbauthz_test.go
@@ -524,10 +524,10 @@ func (s *MethodTestSuite) TestLicense() {
 			Asserts(rbac.ResourceLicense, policy.ActionCreate)
 	}))
 	s.Run("UpsertLogoURL", s.Subtest(func(db database.Store, check *expects) {
-		check.Args("value").Asserts(rbac.ResourceDeploymentValues, policy.ActionCreate)
+		check.Args("value").Asserts(rbac.ResourceDeploymentConfig, policy.ActionCreate)
 	}))
 	s.Run("UpsertNotificationBanners", s.Subtest(func(db database.Store, check *expects) {
-		check.Args("value").Asserts(rbac.ResourceDeploymentValues, policy.ActionCreate)
+		check.Args("value").Asserts(rbac.ResourceDeploymentConfig, policy.ActionCreate)
 	}))
 	s.Run("GetLicenseByID", s.Subtest(func(db database.Store, check *expects) {
 		l, err := db.InsertLicense(context.Background(), database.InsertLicenseParams{
@@ -1038,13 +1038,13 @@ func (s *MethodTestSuite) TestUser() {
 		u := dbgen.User(s.T(), db, database.User{})
 		check.Args(database.UpdateUserHashedPasswordParams{
 			ID: u.ID,
-		}).Asserts(u.UserDataRBACObject(), policy.ActionUpdate).Returns()
+		}).Asserts(u, policy.ActionUpdatePersonal).Returns()
 	}))
 	s.Run("UpdateUserQuietHoursSchedule", s.Subtest(func(db database.Store, check *expects) {
 		u := dbgen.User(s.T(), db, database.User{})
 		check.Args(database.UpdateUserQuietHoursScheduleParams{
 			ID: u.ID,
-		}).Asserts(u.UserDataRBACObject(), policy.ActionUpdate)
+		}).Asserts(u, policy.ActionUpdatePersonal)
 	}))
 	s.Run("UpdateUserLastSeenAt", s.Subtest(func(db database.Store, check *expects) {
 		u := dbgen.User(s.T(), db, database.User{})
@@ -1061,7 +1061,7 @@ func (s *MethodTestSuite) TestUser() {
 			Email:     u.Email,
 			Username:  u.Username,
 			UpdatedAt: u.UpdatedAt,
-		}).Asserts(u.UserDataRBACObject(), policy.ActionUpdate).Returns(u)
+		}).Asserts(u, policy.ActionUpdatePersonal).Returns(u)
 	}))
 	s.Run("GetUserWorkspaceBuildParameters", s.Subtest(func(db database.Store, check *expects) {
 		u := dbgen.User(s.T(), db, database.User{})
@@ -1080,7 +1080,7 @@ func (s *MethodTestSuite) TestUser() {
 			ID:              u.ID,
 			ThemePreference: u.ThemePreference,
 			UpdatedAt:       u.UpdatedAt,
-		}).Asserts(u.UserDataRBACObject(), policy.ActionUpdate).Returns(u)
+		}).Asserts(u, policy.ActionUpdatePersonal).Returns(u)
 	}))
 	s.Run("UpdateUserStatus", s.Subtest(func(db database.Store, check *expects) {
 		u := dbgen.User(s.T(), db, database.User{})
@@ -1102,7 +1102,7 @@ func (s *MethodTestSuite) TestUser() {
 		u := dbgen.User(s.T(), db, database.User{})
 		check.Args(database.InsertGitSSHKeyParams{
 			UserID: u.ID,
-		}).Asserts(rbac.ResourceUserData.WithID(u.ID).WithOwner(u.ID.String()), policy.ActionCreate)
+		}).Asserts(rbac.ResourceUser.WithID(u.ID).WithOwner(u.ID.String()), policy.ActionUpdatePersonal)
 	}))
 	s.Run("UpdateGitSSHKey", s.Subtest(func(db database.Store, check *expects) {
 		key := dbgen.GitSSHKey(s.T(), db, database.GitSSHKey{})
@@ -2204,13 +2204,13 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 		check.Args().Asserts()
 	}))
 	s.Run("UpsertApplicationName", s.Subtest(func(db database.Store, check *expects) {
-		check.Args("").Asserts(rbac.ResourceDeploymentValues, policy.ActionCreate)
+		check.Args("").Asserts(rbac.ResourceDeploymentConfig, policy.ActionCreate)
 	}))
 	s.Run("GetHealthSettings", s.Subtest(func(db database.Store, check *expects) {
 		check.Args().Asserts()
 	}))
 	s.Run("UpsertHealthSettings", s.Subtest(func(db database.Store, check *expects) {
-		check.Args("foo").Asserts(rbac.ResourceDeploymentValues, policy.ActionCreate)
+		check.Args("foo").Asserts(rbac.ResourceDeploymentConfig, policy.ActionCreate)
 	}))
 	s.Run("GetDeploymentWorkspaceAgentStats", s.Subtest(func(db database.Store, check *expects) {
 		check.Args(time.Time{}).Asserts()
diff --git a/coderd/database/modelmethods.go b/coderd/database/modelmethods.go
@@ -164,22 +164,6 @@ func (w Workspace) RBACObject() rbac.Object {
 		WithOwner(w.OwnerID.String())
 }
 
-func (w Workspace) WorkspaceBuildRBAC(transition WorkspaceTransition) rbac.Object {
-	// If a workspace is dormant it cannot be built.
-	// However we need to allow stopping a workspace by a caller once a workspace
-	// is locked (e.g. for autobuild). Additionally, if a user wants to delete
-	// a locked workspace, they shouldn't have to have it unlocked first.
-	if w.DormantAt.Valid && transition != WorkspaceTransitionStop &&
-		transition != WorkspaceTransitionDelete {
-		return w.DormantRBAC()
-	}
-
-	return rbac.ResourceWorkspaceBuild.
-		WithID(w.ID).
-		InOrg(w.OrganizationID).
-		WithOwner(w.OwnerID.String())
-}
-
 func (w Workspace) DormantRBAC() rbac.Object {
 	return rbac.ResourceWorkspaceDormant.
 		WithID(w.ID).
@@ -227,32 +211,17 @@ func (f File) RBACObject() rbac.Object {
 }
 
 // RBACObject returns the RBAC object for the site wide user resource.
-// If you are trying to get the RBAC object for the UserData, use
-// u.UserDataRBACObject() instead.
 func (u User) RBACObject() rbac.Object {
 	return rbac.ResourceUserObject(u.ID)
 }
 
-func (u User) UserDataRBACObject() rbac.Object {
-	return rbac.ResourceUserData.WithID(u.ID).WithOwner(u.ID.String())
-}
-
-func (u User) UserWorkspaceBuildParametersObject() rbac.Object {
-	return rbac.ResourceUserWorkspaceBuildParameters.WithID(u.ID).WithOwner(u.ID.String())
-}
-
 func (u GetUsersRow) RBACObject() rbac.Object {
 	return rbac.ResourceUserObject(u.ID)
 }
 
-func (u GitSSHKey) RBACObject() rbac.Object {
-	return rbac.ResourceUserData.WithID(u.UserID).WithOwner(u.UserID.String())
-}
-
-func (u ExternalAuthLink) RBACObject() rbac.Object {
-	// I assume UserData is ok?
-	return rbac.ResourceUserData.WithID(u.UserID).WithOwner(u.UserID.String())
-}
+func (u GitSSHKey) RBACObject() rbac.Object        { return rbac.ResourceUserObject(u.UserID) }
+func (u ExternalAuthLink) RBACObject() rbac.Object { return rbac.ResourceUserObject(u.UserID) }
+func (u UserLink) RBACObject() rbac.Object         { return rbac.ResourceUserObject(u.UserID) }
 
 func (u ExternalAuthLink) OAuthToken() *oauth2.Token {
 	return &oauth2.Token{
@@ -262,11 +231,6 @@ func (u ExternalAuthLink) OAuthToken() *oauth2.Token {
 	}
 }
 
-func (u UserLink) RBACObject() rbac.Object {
-	// I assume UserData is ok?
-	return rbac.ResourceUserData.WithOwner(u.UserID.String()).WithID(u.UserID)
-}
-
 func (l License) RBACObject() rbac.Object {
 	return rbac.ResourceLicense.WithIDString(strconv.FormatInt(int64(l.ID), 10))
 }
diff --git a/coderd/debug.go b/coderd/debug.go
@@ -194,7 +194,7 @@ func (api *API) deploymentHealthSettings(rw http.ResponseWriter, r *http.Request
 func (api *API) putDeploymentHealthSettings(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 
-	if !api.Authorize(r, policy.ActionUpdate, rbac.ResourceDeploymentValues) {
+	if !api.Authorize(r, policy.ActionUpdate, rbac.ResourceDeploymentConfig) {
 		httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
 			Message: "Insufficient permissions to update health settings.",
 		})
diff --git a/coderd/deployment.go b/coderd/deployment.go
@@ -17,7 +17,7 @@ import (
 // @Success 200 {object} codersdk.DeploymentConfig
 // @Router /deployment/config [get]
 func (api *API) deploymentValues(rw http.ResponseWriter, r *http.Request) {
-	if !api.Authorize(r, policy.ActionRead, rbac.ResourceDeploymentValues) {
+	if !api.Authorize(r, policy.ActionRead, rbac.ResourceDeploymentConfig) {
 		httpapi.Forbidden(rw)
 		return
 	}
diff --git a/coderd/insights.go b/coderd/insights.go
@@ -33,7 +33,7 @@ const insightsTimeLayout = time.RFC3339
 // @Success 200 {object} codersdk.DAUsResponse
 // @Router /insights/daus [get]
 func (api *API) deploymentDAUs(rw http.ResponseWriter, r *http.Request) {
-	if !api.Authorize(r, policy.ActionRead, rbac.ResourceDeploymentValues) {
+	if !api.Authorize(r, policy.ActionRead, rbac.ResourceDeploymentConfig) {
 		httpapi.Forbidden(rw)
 		return
 	}
diff --git a/coderd/rbac/object_gen.go b/coderd/rbac/object_gen.go
diff --git a/coderd/roles.go b/coderd/roles.go
@@ -23,7 +23,7 @@ import (
 func (api *API) assignableSiteRoles(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	actorRoles := httpmw.UserAuthorization(r)
-	if !api.Authorize(r, policy.ActionRead, rbac.ResourceRoleAssignment) {
+	if !api.Authorize(r, policy.ActionRead, rbac.ResourceDeploymentConfig) {
 		httpapi.Forbidden(rw)
 		return
 	}
@@ -47,7 +47,7 @@ func (api *API) assignableOrgRoles(rw http.ResponseWriter, r *http.Request) {
 	organization := httpmw.OrganizationParam(r)
 	actorRoles := httpmw.UserAuthorization(r)
 
-	if !api.Authorize(r, policy.ActionRead, rbac.ResourceOrgRoleAssignment.InOrg(organization.ID)) {
+	if !api.Authorize(r, policy.ActionRead, rbac.ResourceDeploymentConfig.InOrg(organization.ID)) {
 		httpapi.ResourceNotFound(rw)
 		return
 	}
diff --git a/coderd/wsbuilder/wsbuilder.go b/coderd/wsbuilder/wsbuilder.go
@@ -665,7 +665,7 @@ func (b *Builder) authorize(authFunc func(action policy.Action, object rbac.Obje
 		}
 	}
 
-	if b.logLevel != "" && !authFunc(policy.ActionRead, rbac.ResourceDeploymentValues) {
+	if b.logLevel != "" && !authFunc(policy.ActionRead, rbac.ResourceDeploymentConfig) {
 		return BuildError{
 			http.StatusBadRequest,
 			"Workspace builds with a custom log level are restricted to administrators only.",
diff --git a/enterprise/coderd/appearance.go b/enterprise/coderd/appearance.go
@@ -137,7 +137,7 @@ func validateHexColor(color string) error {
 func (api *API) putAppearance(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 
-	if !api.Authorize(r, policy.ActionUpdate, rbac.ResourceDeploymentValues) {
+	if !api.Authorize(r, policy.ActionUpdate, rbac.ResourceDeploymentConfig) {
 		httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
 			Message: "Insufficient permissions to update appearance",
 		})
diff --git a/scripts/rbacgen/main.go b/scripts/rbacgen/main.go
@@ -121,6 +121,13 @@ func generate(ctx context.Context) ([]byte, error) {
 	tpl, err := template.New("object.gotmpl").Funcs(template.FuncMap{
 		"capitalize":     capitalize,
 		"pascalCaseName": pascalCaseName[string],
+		"actionsList": func() []string {
+			tmp := make([]string, 0)
+			for _, actionEnum := range actionMap {
+				tmp = append(tmp, actionEnum)
+			}
+			return tmp
+		},
 		"actionEnum": func(action policy.Action) string {
 			x++
 			v, ok := actionMap[string(action)]
diff --git a/scripts/rbacgen/object.gotmpl b/scripts/rbacgen/object.gotmpl
@@ -1,6 +1,8 @@
 // Code generated by rbacgen/main.go. DO NOT EDIT.
 package rbac
 
+import "github.com/coder/coder/v2/coderd/rbac/policy"
+
 // Objecter returns the RBAC object for itself.
 type Objecter interface {
 	RBACObject() Object
@@ -27,3 +29,11 @@ func AllResources() []Objecter {
 	{{- end }}
 	}
 }
+
+func AllActions() []policy.Action {
+	return []policy.Action {
+		{{- range $element := actionsList }}
+			policy.{{ $element }},
+		{{- end }}
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ import (`
`17`	`17`	`// @Success 200 {object} codersdk.DeploymentConfig`
`18`	`18`	`// @Router /deployment/config [get]`
`19`	`19`	`func (api API) deploymentValues(rw http.ResponseWriter, r http.Request) {`
`20`		`- if !api.Authorize(r, policy.ActionRead, rbac.ResourceDeploymentValues) {`
	`20`	`+ if !api.Authorize(r, policy.ActionRead, rbac.ResourceDeploymentConfig) {`
`21`	`21`	`httpapi.Forbidden(rw)`
`22`	`22`	`return`
`23`	`23`	`}`
Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ const insightsTimeLayout = time.RFC3339`
`33`	`33`	`// @Success 200 {object} codersdk.DAUsResponse`
`34`	`34`	`// @Router /insights/daus [get]`
`35`	`35`	`func (api API) deploymentDAUs(rw http.ResponseWriter, r http.Request) {`
`36`		`- if !api.Authorize(r, policy.ActionRead, rbac.ResourceDeploymentValues) {`
	`36`	`+ if !api.Authorize(r, policy.ActionRead, rbac.ResourceDeploymentConfig) {`
`37`	`37`	`httpapi.Forbidden(rw)`
`38`	`38`	`return`
`39`	`39`	`}`
Original file line number	Diff line number	Diff line change
`@@ -665,7 +665,7 @@ func (b *Builder) authorize(authFunc func(action policy.Action, object rbac.Obje`
`665`	`665`	`}`
`666`	`666`	`}`
`667`	`667`
`668`		`- if b.logLevel != "" && !authFunc(policy.ActionRead, rbac.ResourceDeploymentValues) {`
	`668`	`+ if b.logLevel != "" && !authFunc(policy.ActionRead, rbac.ResourceDeploymentConfig) {`
`669`	`669`	`return BuildError{`
`670`	`670`	`http.StatusBadRequest,`
`671`	`671`	`"Workspace builds with a custom log level are restricted to administrators only.",`