remove user data object, and just use a data object

Emyrk · Emyrk · commit 50aee629315e · 2024-05-14T17:25:33.000-05:00
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
diff --git a/coderd/database/dbauthz/dbauthz_test.go b/coderd/database/dbauthz/dbauthz_test.go
diff --git a/coderd/database/modelmethods.go b/coderd/database/modelmethods.go
@@ -164,22 +164,6 @@ func (w Workspace) RBACObject() rbac.Object {
 		WithOwner(w.OwnerID.String())
 }
 
-func (w Workspace) WorkspaceBuildRBAC(transition WorkspaceTransition) rbac.Object {
-	// If a workspace is dormant it cannot be built.
-	// However we need to allow stopping a workspace by a caller once a workspace
-	// is locked (e.g. for autobuild). Additionally, if a user wants to delete
-	// a locked workspace, they shouldn't have to have it unlocked first.
-	if w.DormantAt.Valid && transition != WorkspaceTransitionStop &&
-		transition != WorkspaceTransitionDelete {
-		return w.DormantRBAC()
-	}
-
-	return rbac.ResourceWorkspaceBuild.
-		WithID(w.ID).
-		InOrg(w.OrganizationID).
-		WithOwner(w.OwnerID.String())
-}
-
 func (w Workspace) DormantRBAC() rbac.Object {
 	return rbac.ResourceWorkspaceDormant.
 		WithID(w.ID).
@@ -227,32 +211,17 @@ func (f File) RBACObject() rbac.Object {
 }
 
 // RBACObject returns the RBAC object for the site wide user resource.
-// If you are trying to get the RBAC object for the UserData, use
-// u.UserDataRBACObject() instead.
 func (u User) RBACObject() rbac.Object {
 	return rbac.ResourceUserObject(u.ID)
 }
 
-func (u User) UserDataRBACObject() rbac.Object {
-	return rbac.ResourceUserData.WithID(u.ID).WithOwner(u.ID.String())
-}
-
-func (u User) UserWorkspaceBuildParametersObject() rbac.Object {
-	return rbac.ResourceUserWorkspaceBuildParameters.WithID(u.ID).WithOwner(u.ID.String())
-}
-
 func (u GetUsersRow) RBACObject() rbac.Object {
 	return rbac.ResourceUserObject(u.ID)
 }
 
-func (u GitSSHKey) RBACObject() rbac.Object {
-	return rbac.ResourceUserData.WithID(u.UserID).WithOwner(u.UserID.String())
-}
-
-func (u ExternalAuthLink) RBACObject() rbac.Object {
-	// I assume UserData is ok?
-	return rbac.ResourceUserData.WithID(u.UserID).WithOwner(u.UserID.String())
-}
+func (u GitSSHKey) RBACObject() rbac.Object        { return rbac.ResourceUserObject(u.UserID) }
+func (u ExternalAuthLink) RBACObject() rbac.Object { return rbac.ResourceUserObject(u.UserID) }
+func (u UserLink) RBACObject() rbac.Object         { return rbac.ResourceUserObject(u.UserID) }
 
 func (u ExternalAuthLink) OAuthToken() *oauth2.Token {
 	return &oauth2.Token{
@@ -262,11 +231,6 @@ func (u ExternalAuthLink) OAuthToken() *oauth2.Token {
 	}
 }
 
-func (u UserLink) RBACObject() rbac.Object {
-	// I assume UserData is ok?
-	return rbac.ResourceUserData.WithOwner(u.UserID.String()).WithID(u.UserID)
-}
-
 func (l License) RBACObject() rbac.Object {
 	return rbac.ResourceLicense.WithIDString(strconv.FormatInt(int64(l.ID), 10))
 }
diff --git a/coderd/debug.go b/coderd/debug.go
@@ -194,7 +194,7 @@ func (api *API) deploymentHealthSettings(rw http.ResponseWriter, r *http.Request
 func (api *API) putDeploymentHealthSettings(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 
-	if !api.Authorize(r, policy.ActionUpdate, rbac.ResourceDeploymentValues) {
+	if !api.Authorize(r, policy.ActionUpdate, rbac.ResourceDeploymentConfig) {
 		httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
 			Message: "Insufficient permissions to update health settings.",
 		})
diff --git a/coderd/deployment.go b/coderd/deployment.go
@@ -17,7 +17,7 @@ import (
 // @Success 200 {object} codersdk.DeploymentConfig
 // @Router /deployment/config [get]
 func (api *API) deploymentValues(rw http.ResponseWriter, r *http.Request) {
-	if !api.Authorize(r, policy.ActionRead, rbac.ResourceDeploymentValues) {
+	if !api.Authorize(r, policy.ActionRead, rbac.ResourceDeploymentConfig) {
 		httpapi.Forbidden(rw)
 		return
 	}
diff --git a/coderd/insights.go b/coderd/insights.go
@@ -33,7 +33,7 @@ const insightsTimeLayout = time.RFC3339
 // @Success 200 {object} codersdk.DAUsResponse
 // @Router /insights/daus [get]
 func (api *API) deploymentDAUs(rw http.ResponseWriter, r *http.Request) {
-	if !api.Authorize(r, policy.ActionRead, rbac.ResourceDeploymentValues) {
+	if !api.Authorize(r, policy.ActionRead, rbac.ResourceDeploymentConfig) {
 		httpapi.Forbidden(rw)
 		return
 	}
diff --git a/coderd/rbac/object_gen.go b/coderd/rbac/object_gen.go
diff --git a/coderd/rbac/policy/policy.go b/coderd/rbac/policy/policy.go
@@ -20,8 +20,7 @@ const (
 	ActionApplicationConnect Action = "application_connect"
 	ActionViewInsights       Action = "view_insights"
 
-	ActionWorkspaceBuild           Action = "build"
-	ActionViewWorkspaceBuildParams Action = "build_parameters"
+	ActionWorkspaceBuild Action = "build"
 
 	ActionAssign Action = "assign"
 
@@ -114,9 +113,6 @@ var RBACPermissions = map[string]PermissionDefinition{
 
 			// Workspace provisioning
 			ActionWorkspaceBuild: actDef(fieldOwner|fieldOrg|fieldACL, "allows starting, stopping, and updating a workspace"),
-			// TODO: ActionViewWorkspaceBuildParams is very werid. Seems to be used for autofilling the last params set.
-			//		Admins want this so they can update a user's workspace with the old values??
-			ActionViewWorkspaceBuildParams: actDef(fieldOwner|fieldOrg|fieldACL, "view workspace build parameters"),
 
 			// Running a workspace
 			ActionSSH:                actDef(fieldOwner|fieldOrg|fieldACL, "ssh into a given workspace"),
diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go
@@ -166,8 +166,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 			Permissions(map[string][]policy.Action{
 				// Users cannot do create/update/delete on themselves, but they
 				// can read their own details.
-				ResourceUser.Type:      {policy.ActionRead},
-				ResourceWorkspace.Type: {policy.ActionViewWorkspaceBuildParams},
+				ResourceUser.Type: {policy.ActionRead, policy.ActionReadPersonal, policy.ActionUpdatePersonal},
 				// Users can create provisioner daemons scoped to themselves.
 				ResourceProvisionerDaemon.Type: {policy.ActionRead, policy.ActionCreate, policy.ActionRead, policy.ActionUpdate},
 			})...,
@@ -224,7 +223,6 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 				policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete,
 				policy.ActionUpdatePersonal, policy.ActionReadPersonal,
 			},
-			ResourceWorkspace.Type: {policy.ActionViewWorkspaceBuildParams},
 			// Full perms to manage org members
 			ResourceOrganizationMember.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
 			ResourceGroup.Type:              {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
diff --git a/coderd/roles.go b/coderd/roles.go
@@ -23,7 +23,7 @@ import (
 func (api *API) assignableSiteRoles(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	actorRoles := httpmw.UserAuthorization(r)
-	if !api.Authorize(r, policy.ActionRead, rbac.ResourceRoleAssignment) {
+	if !api.Authorize(r, policy.ActionRead, rbac.ResourceDeploymentConfig) {
 		httpapi.Forbidden(rw)
 		return
 	}
@@ -47,7 +47,7 @@ func (api *API) assignableOrgRoles(rw http.ResponseWriter, r *http.Request) {
 	organization := httpmw.OrganizationParam(r)
 	actorRoles := httpmw.UserAuthorization(r)
 
-	if !api.Authorize(r, policy.ActionRead, rbac.ResourceOrgRoleAssignment.InOrg(organization.ID)) {
+	if !api.Authorize(r, policy.ActionRead, rbac.ResourceDeploymentConfig.InOrg(organization.ID)) {
 		httpapi.ResourceNotFound(rw)
 		return
 	}
diff --git a/coderd/wsbuilder/wsbuilder.go b/coderd/wsbuilder/wsbuilder.go
@@ -665,7 +665,7 @@ func (b *Builder) authorize(authFunc func(action policy.Action, object rbac.Obje
 		}
 	}
 
-	if b.logLevel != "" && !authFunc(policy.ActionRead, rbac.ResourceDeploymentValues) {
+	if b.logLevel != "" && !authFunc(policy.ActionRead, rbac.ResourceDeploymentConfig) {
 		return BuildError{
 			http.StatusBadRequest,
 			"Workspace builds with a custom log level are restricted to administrators only.",
diff --git a/enterprise/coderd/appearance.go b/enterprise/coderd/appearance.go
@@ -137,7 +137,7 @@ func validateHexColor(color string) error {
 func (api *API) putAppearance(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 
-	if !api.Authorize(r, policy.ActionUpdate, rbac.ResourceDeploymentValues) {
+	if !api.Authorize(r, policy.ActionUpdate, rbac.ResourceDeploymentConfig) {
 		httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
 			Message: "Insufficient permissions to update appearance",
 		})
diff --git a/scripts/rbacgen/main.go b/scripts/rbacgen/main.go
@@ -121,6 +121,13 @@ func generate(ctx context.Context) ([]byte, error) {
 	tpl, err := template.New("object.gotmpl").Funcs(template.FuncMap{
 		"capitalize":     capitalize,
 		"pascalCaseName": pascalCaseName[string],
+		"actionsList": func() []string {
+			tmp := make([]string, 0)
+			for _, actionEnum := range actionMap {
+				tmp = append(tmp, actionEnum)
+			}
+			return tmp
+		},
 		"actionEnum": func(action policy.Action) string {
 			x++
 			v, ok := actionMap[string(action)]
diff --git a/scripts/rbacgen/object.gotmpl b/scripts/rbacgen/object.gotmpl
@@ -1,6 +1,8 @@
 // Code generated by rbacgen/main.go. DO NOT EDIT.
 package rbac
 
+import "github.com/coder/coder/v2/coderd/rbac/policy"
+
 // Objecter returns the RBAC object for itself.
 type Objecter interface {
 	RBACObject() Object
@@ -27,3 +29,11 @@ func AllResources() []Objecter {
 	{{- end }}
 	}
 }
+
+func AllActions() []policy.Action {
+	return []policy.Action {
+		{{- range $element := actionsList }}
+			policy.{{ $element }},
+		{{- end }}
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ import (`
`17`	`17`	`// @Success 200 {object} codersdk.DeploymentConfig`
`18`	`18`	`// @Router /deployment/config [get]`
`19`	`19`	`func (api API) deploymentValues(rw http.ResponseWriter, r http.Request) {`
`20`		`- if !api.Authorize(r, policy.ActionRead, rbac.ResourceDeploymentValues) {`
	`20`	`+ if !api.Authorize(r, policy.ActionRead, rbac.ResourceDeploymentConfig) {`
`21`	`21`	`httpapi.Forbidden(rw)`
`22`	`22`	`return`
`23`	`23`	`}`
Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ const insightsTimeLayout = time.RFC3339`
`33`	`33`	`// @Success 200 {object} codersdk.DAUsResponse`
`34`	`34`	`// @Router /insights/daus [get]`
`35`	`35`	`func (api API) deploymentDAUs(rw http.ResponseWriter, r http.Request) {`
`36`		`- if !api.Authorize(r, policy.ActionRead, rbac.ResourceDeploymentValues) {`
	`36`	`+ if !api.Authorize(r, policy.ActionRead, rbac.ResourceDeploymentConfig) {`
`37`	`37`	`httpapi.Forbidden(rw)`
`38`	`38`	`return`
`39`	`39`	`}`
Original file line number	Diff line number	Diff line change
`@@ -665,7 +665,7 @@ func (b *Builder) authorize(authFunc func(action policy.Action, object rbac.Obje`
`665`	`665`	`}`
`666`	`666`	`}`
`667`	`667`
`668`		`- if b.logLevel != "" && !authFunc(policy.ActionRead, rbac.ResourceDeploymentValues) {`
	`668`	`+ if b.logLevel != "" && !authFunc(policy.ActionRead, rbac.ResourceDeploymentConfig) {`
`669`	`669`	`return BuildError{`
`670`	`670`	`http.StatusBadRequest,`
`671`	`671`	`"Workspace builds with a custom log level are restricted to administrators only.",`