Add nesting of teams to the policy

Emyrk · Emyrk · commit 0ffffebe31b3 · 2023-10-18T14:50:43.000-05:00
diff --git a/coderd/database/spice/policy/playground/main.go b/coderd/database/spice/policy/playground/main.go
@@ -23,8 +23,8 @@ func usage() {
 	fmt.Println("Usage: policycmd [command]")
 	fmt.Println("Commands:")
 	fmt.Println("  export")
-	fmt.Println("  import")
-	fmt.Println("  playground")
-	fmt.Println("  run")
-	fmt.Println("  test")
+	//fmt.Println("  import")
+	//fmt.Println("  playground")
+	//fmt.Println("  run")
+	//fmt.Println("  test")
 }
diff --git a/coderd/database/spice/policy/playground/relationships/generate.sh b/coderd/database/spice/policy/playground/relationships/generate.sh
diff --git a/coderd/database/spice/policy/playground/relationships/objects.go b/coderd/database/spice/policy/playground/relationships/objects.go
@@ -126,6 +126,22 @@ func (obj *ObjTeam) Platform(subs ...*ObjPlatform) *ObjTeam {
 	return obj
 }
 
+func (obj *ObjTeam) Parent(subs ...*ObjTeam) *ObjTeam {
+	for i := range subs {
+		sub := subs[i]
+		obj.AddRelation(v1.Relationship{
+			Resource: obj.Obj,
+			Relation: "parent",
+			Subject: &v1.SubjectReference{
+				Object:           sub.Obj,
+				OptionalRelation: "",
+			},
+			OptionalCaveat: nil,
+		})
+	}
+	return obj
+}
+
 func (obj *ObjTeam) MemberGroup(subs ...*ObjGroup) *ObjTeam {
 	for i := range subs {
 		sub := subs[i]
@@ -542,10 +558,10 @@ func (obj *ObjTeam) Template_insights_viewerUser(subs ...*ObjUser) *ObjTeam {
 	return obj
 }
 
-func (obj *ObjTeam) ValidateMembership() *ObjTeam {
+func (obj *ObjTeam) ValidateDirect_membership() *ObjTeam {
 	obj.AddValidation(v1.Relationship{
 		Resource:       obj.Obj,
-		Relation:       "membership",
+		Relation:       "direct_membership",
 		OptionalCaveat: nil,
 	})
 	return obj
@@ -659,12 +675,12 @@ func (obj *ObjTeam) ValidateCreate_template() *ObjTeam {
 	return obj
 }
 
-func (obj *ObjTeam) CanMembershipBy(subs ...ObjectWithRelationships) *ObjTeam {
+func (obj *ObjTeam) CanDirect_membershipBy(subs ...ObjectWithRelationships) *ObjTeam {
 	for i := range subs {
 		sub := subs[i]
 		obj.AssertTrue(v1.Relationship{
 			Resource: obj.Obj,
-			Relation: "membership",
+			Relation: "direct_membership",
 			Subject: &v1.SubjectReference{
 				Object:           sub.Object(),
 				OptionalRelation: "",
@@ -675,12 +691,12 @@ func (obj *ObjTeam) CanMembershipBy(subs ...ObjectWithRelationships) *ObjTeam {
 	return obj
 }
 
-func (obj *ObjTeam) CannotMembershipBy(subs ...ObjectWithRelationships) *ObjTeam {
+func (obj *ObjTeam) CannotDirect_membershipBy(subs ...ObjectWithRelationships) *ObjTeam {
 	for i := range subs {
 		sub := subs[i]
 		obj.AssertFalse(v1.Relationship{
 			Resource: obj.Obj,
-			Relation: "membership",
+			Relation: "direct_membership",
 			Subject: &v1.SubjectReference{
 				Object:           sub.Object(),
 				OptionalRelation: "",
diff --git a/coderd/database/spice/policy/playground/relationships/relationships.go b/coderd/database/spice/policy/playground/relationships/relationships.go
@@ -28,34 +28,50 @@ func GenerateRelationships() {
 	groupEveryone := Group("everyone").MemberWildcard()
 	groupHR := Group("hr").MemberUser(camilla)
 	groupFinance := Group("finance").MemberUser(ammar, kyle, shark)
-	groupCostControl := Group("cost-control").MemberGroup(groupFinance).MemberUser(dean, colin)
+	groupCostControl := Group("cost-control").MemberUser(ammar, kyle, dean, colin)
 	groupEngineers := Group("engineers").MemberUser(ammar, colin, dean, jon, kayla, kira, kyle, steven)
 	groupMarketing := Group("marketing").MemberUser(katherine, ammar)
 	groupSales := Group("sales").MemberUser(shark, eric)
 
 	// Teams
-	teamCompany := Team("company").Platform(platform)
-	teamLegal := Team("legal").Platform(platform)
-	teamMarketing := Team("marketing").Platform(platform)
+	teamCompany := Team("company").
+		Platform(platform).
+		// Cost control can see all workspaces
+		Workspace_viewerGroup(groupCostControl)
+	teamLegal := Team("legal").Platform(platform).
+		Parent(teamCompany)
+	teamMarketing := Team("marketing").Platform(platform).
+		Parent(teamCompany)
+
+	// company
+	// ├── legal
+	// ├── marketing
+	// └── engineering
+	//      ├── developers
+	//      └── technical
+	teamEngineering := Team("engineering").Platform(platform).
+		Parent(teamCompany)
+
 	// People who write code
-	teamDevelopers := Team("developers").Platform(platform)
+	teamDevelopers := Team("developers").Platform(platform).
+		Parent(teamEngineering)
 	// People who tinker
-	teamTechnical := Team("technical").Platform(platform)
-	//teamCustomerSuccess := Team("customer-success").Platform(platform) // Customer solutions
-	//teamEngineering := Team("engineering").Platform(platform)
+	teamTechnical := Team("technical").Platform(platform).
+		Parent(teamEngineering)
 
 	// Nest some teams
 	// TODO: This is currently unsupported
 
 	// Assign groups to teams
-	teamCompany.MemberGroup(groupEveryone)
-	teamLegal.MemberGroup(groupHR, groupFinance)
-	teamMarketing.MemberGroup(groupMarketing)
-	teamDevelopers.
-		Workspace_creatorGroup(groupEngineers).
+	teamCompany.MemberGroup(groupEveryone).
 		// Cost control groups can edit workspaces & delete them
 		Workspace_editorGroup(groupCostControl).
 		Workspace_deletorGroup(groupCostControl)
+	teamLegal.MemberGroup(groupHR, groupFinance)
+	teamMarketing.MemberGroup(groupMarketing)
+
+	teamDevelopers.
+		Workspace_creatorGroup(groupEngineers)
 
 	teamTechnical.
 		Workspace_creatorGroup(groupEngineers, groupSales).
@@ -78,9 +94,9 @@ func GenerateRelationships() {
 
 	// Add some assertions
 	stevenWorkspace.
-		CanViewBy(steven).
-		CannotViewBy(camilla)
+		CanViewBy(steven, ammar, kyle).
+		CannotViewBy(camilla, jon)
 
 	// Validations enumerate who can do the given action.
-	stevenWorkspace.ValidateView().ValidateSsh()
+	stevenWorkspace.ValidateView().ValidateSsh().ValidateEdit()
 }
diff --git a/coderd/database/spice/policy/schema.zed b/coderd/database/spice/policy/schema.zed
@@ -14,13 +14,17 @@ definition platform {
 	permission super_admin = administrator
 }
 
+
 // team is a collection of resources.
 // TODO: Should we call this a namespace?
 definition team {
 	// platform relation is the super admin level. All super-admin type permissions
 	// are passed through the team level.
 	relation platform: platform
 
+	// parent allows nesting teams
+	relation parent: team
+
 	// Teams have their own roles for user's to interact with team resources.
 	// Each role can be either a group or a user.
 
@@ -67,33 +71,34 @@ definition team {
 	 * Other Roles *
 	 *******************/
 
-	// membership needs to include all ways in which someone is a member of this team.
-	permission membership = member +
+	// direct_membership needs to include all ways in which someone is a member of this team.
+	// This does not include parent team members.
+	permission direct_membership = member +
 		workspace_viewer + workspace_creator + workspace_deletor + workspace_version_selector + dangerous_workspace_connector + workspace_editor +
 		template_viewer + template_creator + template_deletor + template_editor
 
 	/*************************
 	 * Workspace Permissions *
 	 *************************/
 	// view all workspaces owned by the team
-	permission view_workspaces = platform->super_admin + workspace_viewer
-	permission edit_workspaces = platform->super_admin + workspace_editor
-	permission select_workspace_version = platform->super_admin + workspace_version_selector
-	permission delete_workspaces = platform->super_admin + workspace_deletor
-	permission connect_workspaces = dangerous_workspace_connector
+	permission view_workspaces = platform->super_admin + workspace_viewer + parent->view_workspaces
+	permission edit_workspaces = platform->super_admin + workspace_editor + parent->edit_workspaces
+	permission select_workspace_version = platform->super_admin + workspace_version_selector + parent->select_workspace_version
+	permission delete_workspaces = platform->super_admin + workspace_deletor + parent->delete_workspaces
+	permission connect_workspaces = dangerous_workspace_connector + parent->connect_workspaces
 	// create_workspace is on the team level object. A workspace that is created is owned by the team
 	// and the application should setup the correct permissions/relations for the new resource.
-	permission create_workspace = platform->super_admin + workspace_creator
+	permission create_workspace = platform->super_admin + workspace_creator + parent->create_workspace
 
 	/************************
 	 * Template Permissions *
 	 ************************/
-	permission view_templates = platform->super_admin + template_viewer
-	permission view_template_insights = platform->super_admin + template_insights_viewer
-	permission edit_templates = platform->super_admin + template_editor
-	permission delete_templates = platform->super_admin + template_deletor
-	permission manage_template_permissions = platform->super_admin + template_permission_manager
-	permission create_template = platform->super_admin + template_creator
+	permission view_templates = platform->super_admin + template_viewer + parent->view_templates
+	permission view_template_insights = platform->super_admin + template_insights_viewer + parent->view_template_insights
+	permission edit_templates = platform->super_admin + template_editor + parent->edit_templates
+	permission delete_templates = platform->super_admin + template_deletor + parent->delete_templates
+	permission manage_template_permissions = platform->super_admin + template_permission_manager + parent->manage_template_permissions
+	permission create_template = platform->super_admin + template_creator + parent->create_template
 }
 
 // group is a collection of users and operates exactly like a user from
@@ -129,12 +134,12 @@ definition workspace {
 		// Some perms require view as well
 		edit + delete + select_template_version + ssh +
 		// Give view permissons to any role that requires reading the workspace to conduct their actions.
-		owner->view_workspaces + (viewer & owner->membership)
-	permission edit = owner->edit_workspaces + (editor & owner->membership)
-	permission delete = owner->delete_workspaces + (deletor & owner->membership)
+		owner->view_workspaces + viewer
+	permission edit = owner->edit_workspaces + editor
+	permission delete = owner->delete_workspaces + deletor
 	// TODO: Maybe a caveat to check if the selected version is the active template version, and if that is allowed.
-	permission select_template_version = owner->select_workspace_version + (selector & owner->membership)
-	permission ssh = owner->connect_workspaces + (connector & owner->membership)
+	permission select_template_version = owner->select_workspace_version + selector
+	permission ssh = owner->connect_workspaces + connector
 }
 
 definition workspace_build {
