
Commit 4f71c30

committed
more progrss
1 parent 96f3fd9 commit 4f71c30


11 files changed

+299
-511
lines changed


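--- a/coderd/authorize.go
+++ b/coderd/authorize.go
@@ -190,12 +190,6 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) {
 var dbErr error
 // Only support referencing some resources by ID.
 switch v.Object.ResourceType.String() {
-case rbac.ResourceWorkspaceExecution.Type:
-workSpace, err := api.Database.GetWorkspaceByID(ctx, id)
-if err == nil {
-dbObj = workSpace.ExecutionRBAC()
-}
-dbErr = err
 case rbac.ResourceWorkspace.Type:
 dbObj, dbErr = api.Database.GetWorkspaceByID(ctx, id)
 case rbac.ResourceTemplate.Type: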

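--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -193,11 +193,10 @@ var (
 Name: "autostart",
 DisplayName: "Autostart Daemon",
 Site: rbac.Permissions(map[string][]policy.Action{
-rbac.ResourceSystem.Type: {rbac.WildcardSymbol},
-rbac.ResourceTemplate.Type: {policy.ActionRead, policy.ActionUpdate},
-rbac.ResourceWorkspace.Type: {policy.ActionRead, policy.ActionUpdate},
-rbac.ResourceWorkspaceBuild.Type: {policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
-rbac.ResourceUser.Type: {policy.ActionRead},
+rbac.ResourceSystem.Type: {rbac.WildcardSymbol},
+rbac.ResourceTemplate.Type: {policy.ActionRead, policy.ActionUpdate},
+rbac.ResourceWorkspace.Type: {policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceBuild},
+rbac.ResourceUser.Type: {policy.ActionRead},
 }),
 Org: map[string][]rbac.Permission{},
 User: []rbac.Permission{},
@@ -316,6 +315,20 @@ func insert[
 authorizer rbac.Authorizer,
 object rbac.Objecter,
 insertFunc Insert,
+) Insert {
+return insertWithAction(logger, authorizer, object, policy.ActionCreate, insertFunc)
+}
+
+func insertWithAction[
+ObjectType any,
+ArgumentType any,
+Insert func(ctx context.Context, arg ArgumentType) (ObjectType, error),
+](
+logger slog.Logger,
+authorizer rbac.Authorizer,
+object rbac.Objecter,
+action policy.Action,
+insertFunc Insert,
 ) Insert {
 return func(ctx context.Context, arg ArgumentType) (empty ObjectType, err error) {
 // Fetch the rbac subject
@@ -325,7 +338,7 @@ func insert[
 }
 
 // Authorize the action
-err = authorizer.Authorize(ctx, act, policy.ActionCreate, object.RBACObject())
+err = authorizer.Authorize(ctx, act, action, object.RBACObject())
 if err != nil {
 return empty, logNotAuthorizedError(ctx, logger, err)
 }
@@ -1804,19 +1817,19 @@ func (q *querier) GetUnexpiredLicenses(ctx context.Context) ([]database.License,
 
 func (q *querier) GetUserActivityInsights(ctx context.Context, arg database.GetUserActivityInsightsParams) ([]database.GetUserActivityInsightsRow, error) {
 // Used by insights endpoints. Need to check both for auditors and for regular users with template acl perms.
-if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceTemplateInsights); err != nil {
+if err := q.authorizeContext(ctx, policy.ActionViewInsights, rbac.ResourceTemplate); err != nil {
 for _, templateID := range arg.TemplateIDs {
 template, err := q.db.GetTemplateByID(ctx, templateID)
 if err != nil {
 return nil, err
 }
 
-if err := q.authorizeContext(ctx, policy.ActionUpdate, template); err != nil {
+if err := q.authorizeContext(ctx, policy.ActionViewInsights, template.RBACObject()); err != nil {
 return nil, err
 }
 }
 if len(arg.TemplateIDs) == 0 {
-if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceTemplate.All()); err != nil {
+if err := q.authorizeContext(ctx, policy.ActionViewInsights, rbac.ResourceTemplate.All()); err != nil {
 return nil, err
 }
 }
@@ -1841,19 +1854,19 @@ func (q *querier) GetUserCount(ctx context.Context) (int64, error) {
 
 func (q *querier) GetUserLatencyInsights(ctx context.Context, arg database.GetUserLatencyInsightsParams) ([]database.GetUserLatencyInsightsRow, error) {
 // Used by insights endpoints. Need to check both for auditors and for regular users with template acl perms.
-if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceTemplateInsights); err != nil {
+if err := q.authorizeContext(ctx, policy.ActionViewInsights, rbac.ResourceTemplate); err != nil {
 for _, templateID := range arg.TemplateIDs {
 template, err := q.db.GetTemplateByID(ctx, templateID)
 if err != nil {
 return nil, err
 }
 
-if err := q.authorizeContext(ctx, policy.ActionUpdate, template); err != nil {
+if err := q.authorizeContext(ctx, policy.ActionViewInsights, template); err != nil {
 return nil, err
 }
 }
 if len(arg.TemplateIDs) == 0 {
-if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceTemplate.All()); err != nil {
+if err := q.authorizeContext(ctx, policy.ActionViewInsights, rbac.ResourceTemplate.All()); err != nil {
 return nil, err
 }
 }
@@ -2313,15 +2326,15 @@ func (q *querier) InsertDeploymentID(ctx context.Context, value string) error {
 }
 
 func (q *querier) InsertExternalAuthLink(ctx context.Context, arg database.InsertExternalAuthLinkParams) (database.ExternalAuthLink, error) {
-return insert(q.log, q.auth, rbac.ResourceUserData.WithOwner(arg.UserID.String()).WithID(arg.UserID), q.db.InsertExternalAuthLink)(ctx, arg)
+return insertWithAction(q.log, q.auth, rbac.ResourceUser.WithID(arg.UserID).WithOwner(arg.UserID.String()), policy.ActionUpdatePersonal, q.db.InsertExternalAuthLink)(ctx, arg)
 }
 
 func (q *querier) InsertFile(ctx context.Context, arg database.InsertFileParams) (database.File, error) {
 return insert(q.log, q.auth, rbac.ResourceFile.WithOwner(arg.CreatedBy.String()), q.db.InsertFile)(ctx, arg)
 }
 
 func (q *querier) InsertGitSSHKey(ctx context.Context, arg database.InsertGitSSHKeyParams) (database.GitSSHKey, error) {
-return insert(q.log, q.auth, rbac.ResourceUserData.WithOwner(arg.UserID.String()).WithID(arg.UserID), q.db.InsertGitSSHKey)(ctx, arg)
+return insertWithAction(q.log, q.auth, rbac.ResourceUser.WithOwner(arg.UserID.String()).WithID(arg.UserID), policy.ActionUpdatePersonal, q.db.InsertGitSSHKey)(ctx, arg)
 }
 
 func (q *querier) InsertGroup(ctx context.Context, arg database.InsertGroupParams) (database.Group, error) {
@@ -2997,7 +3010,7 @@ func (q *querier) UpdateUserAppearanceSettings(ctx context.Context, arg database
 if err != nil {
 return database.User{}, err
 }
-if err := q.authorizeContext(ctx, policy.ActionUpdate, u.UserDataRBACObject()); err != nil {
+if err := q.authorizeContext(ctx, policy.ActionUpdatePersonal, u); err != nil {
 return database.User{}, err
 }
 return q.db.UpdateUserAppearanceSettings(ctx, arg)
@@ -3013,10 +3026,10 @@ func (q *querier) UpdateUserHashedPassword(ctx context.Context, arg database.Upd
 return err
 }
 
-err = q.authorizeContext(ctx, policy.ActionUpdate, user.UserDataRBACObject())
+err = q.authorizeContext(ctx, policy.ActionUpdatePersonal, user)
 if err != nil {
 // Admins can update passwords for other users.
-err = q.authorizeContext(ctx, policy.ActionUpdate, user.RBACObject())
+err = q.authorizeContext(ctx, policy.ActionUpdate, user)
 if err != nil {
 return err
 }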
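Review bot: The per-template check in GetUserLatencyInsights passes `template` while the analogous new line in GetUserActivityInsights earlier in this file passes `template.RBACObject()`; the old code passed `template` in both places, so authorizeContext presumably accepts an rbac.Objecter and the two should use one form, e.g. `if err := q.authorizeContext(ctx, policy.ActionViewInsights, template); err != nil {` in both. The new generic insertWithAction has no doc comment; suggest `// insertWithAction wraps insertFunc so that the subject taken from ctx is authorized for action on object before the insert runs.` above its declaration. In the autostart system permissions, the removed ResourceWorkspaceBuild entry carried ActionDelete, whereas the replacement grants only ActionWorkspaceBuild on ResourceWorkspace; it is worth confirming that the daemon's stop and delete transitions are covered by that single action rather than silently narrowed. Both insights functions continue past their hunks.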

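--- a/coderd/database/modelmethods.go
+++ b/coderd/database/modelmethods.go
@@ -100,7 +100,7 @@ func (s APIKeyScope) ToRBAC() rbac.ScopeName {
 }
 
 func (k APIKey) RBACObject() rbac.Object {
-return rbac.ResourceAPIKey.WithIDString(k.ID).
+return rbac.ResourceApiKey.WithIDString(k.ID).
 WithOwner(k.UserID.String())
 }
 
@@ -154,31 +154,12 @@ func (w GetWorkspaceByAgentIDRow) RBACObject() rbac.Object {
 }
 
 func (w Workspace) RBACObject() rbac.Object {
-return rbac.ResourceWorkspace.WithID(w.ID).
-InOrg(w.OrganizationID).
-WithOwner(w.OwnerID.String())
-}
-
-func (w Workspace) ExecutionRBAC() rbac.Object {
 // If a workspace is locked it cannot be accessed.
 if w.DormantAt.Valid {
 return w.DormantRBAC()
 }
 
-return rbac.ResourceWorkspaceExecution.
-WithID(w.ID).
-InOrg(w.OrganizationID).
-WithOwner(w.OwnerID.String())
-}
-
-func (w Workspace) ApplicationConnectRBAC() rbac.Object {
-// If a workspace is locked it cannot be accessed.
-if w.DormantAt.Valid {
-return w.DormantRBAC()
-}
-
-return rbac.ResourceWorkspaceApplicationConnect.
-WithID(w.ID).
+return rbac.ResourceWorkspace.WithID(w.ID).
 InOrg(w.OrganizationID).
 WithOwner(w.OwnerID.String())
 }
@@ -291,15 +272,15 @@ func (l License) RBACObject() rbac.Object {
 }
 
 func (c OAuth2ProviderAppCode) RBACObject() rbac.Object {
-return rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(c.UserID.String())
+return rbac.ResourceOauth2AppCodeToken.WithOwner(c.UserID.String())
 }
 
 func (OAuth2ProviderAppSecret) RBACObject() rbac.Object {
-return rbac.ResourceOAuth2ProviderAppSecret
+return rbac.ResourceOauth2AppSecret
 }
 
 func (OAuth2ProviderApp) RBACObject() rbac.Object {
-return rbac.ResourceOAuth2ProviderApp
+return rbac.ResourceOauth2App
 }
 
 func (a GetOAuth2ProviderAppsByUserIDRow) RBACObject() rbac.Object {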
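Review bot: Workspace.RBACObject now returns w.DormantRBAC() whenever DormantAt is valid, which the removed code did only for the execution and app-connect objects; since RBACObject is what every read, update and delete check on a workspace goes through, an owner's ability to list, inspect or un-dormant a dormant workspace now depends on whatever DormantRBAC resolves to, which this page does not show, so those recovery paths are worth re-testing before this lands. The carried-over comment `// If a workspace is locked it cannot be accessed.` was written for the execution case and now overstates things on the general object; suggest `// A dormant workspace is authorized against its dormant RBAC object instead of the plain workspace object.` The renamed resources `ResourceApiKey` and `ResourceOauth2App*` drop the Go initialism convention the rest of the file follows (`APIKey`, `OAuth2ProviderApp`); if those names are generated elsewhere, that generator is where to fix the casing.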
