Add user-admin role

Emyrk · Emyrk · commit 6309ab88fce1 · 2022-08-12T13:56:52.000-05:00
diff --git a/coderd/rbac/builtin.go b/coderd/rbac/builtin.go
@@ -9,10 +9,11 @@ import (
 )
 
 const (
-	admin           string = "admin"
-	member          string = "member"
-	templateManager string = "template-manager"
-	auditor         string = "auditor"
+	admin         string = "admin"
+	member        string = "member"
+	templateAdmin string = "template-admin"
+	userAdmin     string = "user-admin"
+	auditor       string = "auditor"
 
 	orgAdmin  string = "organization-admin"
 	orgMember string = "organization-member"
@@ -27,6 +28,14 @@ func RoleAdmin() string {
 	return roleName(admin, "")
 }
 
+func RoleTemplateAdmin() string {
+	return roleName(templateAdmin, "")
+}
+
+func RoleUserAdmin() string {
+	return roleName(userAdmin, "")
+}
+
 func RoleMember() string {
 	return roleName(member, "")
 }
@@ -73,7 +82,8 @@ var (
 					ResourceProvisionerDaemon: {ActionRead},
 				}),
 				User: permissions(map[Object][]Action{
-					ResourceWildcard: {WildcardSymbol},
+					ResourceWildcard:           {WildcardSymbol},
+					ResourceWorkspaceExecution: {WildcardSymbol},
 				}),
 			}
 		},
@@ -94,14 +104,25 @@ var (
 			}
 		},
 
-		templateManager: func(_ string) Role {
+		templateAdmin: func(_ string) Role {
 			return Role{
-				Name:        templateManager,
-				DisplayName: "Template Manager",
+				Name:        templateAdmin,
+				DisplayName: "Template Admin",
 				Site: permissions(map[Object][]Action{
 					ResourceTemplate: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
 					// CRUD all files, even those they did not upload.
-					ResourceFile: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
+					ResourceFile:      {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
+					ResourceWorkspace: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
+				}),
+			}
+		},
+
+		userAdmin: func(_ string) Role {
+			return Role{
+				Name:        userAdmin,
+				DisplayName: "User Admin",
+				Site: permissions(map[Object][]Action{
+					ResourceUser: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
 				}),
 			}
 		},
@@ -166,12 +187,13 @@ var (
 	//	map[actor_role][assign_role]<can_assign>
 	assignRoles = map[string]map[string]bool{
 		admin: {
-			admin:           true,
-			auditor:         true,
-			member:          true,
-			orgAdmin:        true,
-			orgMember:       true,
-			templateManager: true,
+			admin:         true,
+			auditor:       true,
+			member:        true,
+			orgAdmin:      true,
+			orgMember:     true,
+			templateAdmin: true,
+			userAdmin:     true,
 		},
 		orgAdmin: {
 			orgAdmin:  true,
diff --git a/coderd/rbac/builtin_internal_test.go b/coderd/rbac/builtin_internal_test.go
@@ -18,7 +18,8 @@ func TestRoleByName(t *testing.T) {
 		}{
 			{Role: builtInRoles[admin]("")},
 			{Role: builtInRoles[member]("")},
-			{Role: builtInRoles[templateManager]("")},
+			{Role: builtInRoles[templateAdmin]("")},
+			{Role: builtInRoles[userAdmin]("")},
 			{Role: builtInRoles[auditor]("")},
 
 			{Role: builtInRoles[orgAdmin](uuid.New().String())},
diff --git a/coderd/rbac/builtin_test.go b/coderd/rbac/builtin_test.go
@@ -111,6 +111,7 @@ func TestRolePermissions(t *testing.T) {
 	// currentUser is anything that references "me", "mine", or "my".
 	currentUser := uuid.New()
 	adminID := uuid.New()
+	templateAdminID := uuid.New()
 	orgID := uuid.New()
 	otherOrg := uuid.New()
 
@@ -124,9 +125,12 @@ func TestRolePermissions(t *testing.T) {
 	otherOrgMember := authSubject{Name: "org_member_other", UserID: uuid.NewString(), Roles: []string{rbac.RoleMember(), rbac.RoleOrgMember(otherOrg)}}
 	otherOrgAdmin := authSubject{Name: "org_admin_other", UserID: uuid.NewString(), Roles: []string{rbac.RoleMember(), rbac.RoleOrgMember(otherOrg), rbac.RoleOrgAdmin(otherOrg)}}
 
+	templateAdmin := authSubject{Name: "template-admin", UserID: templateAdminID.String(), Roles: []string{rbac.RoleMember(), rbac.RoleTemplateAdmin()}}
+	userAdmin := authSubject{Name: "template-admin", UserID: templateAdminID.String(), Roles: []string{rbac.RoleMember(), rbac.RoleUserAdmin()}}
+
 	// requiredSubjects are required to be asserted in each test case. This is
 	// to make sure one is not forgotten.
-	requiredSubjects := []authSubject{memberMe, admin, orgMemberMe, orgAdmin, otherOrgAdmin, otherOrgMember}
+	requiredSubjects := []authSubject{memberMe, admin, orgMemberMe, orgAdmin, otherOrgAdmin, otherOrgMember, templateAdmin, userAdmin}
 
 	testCases := []struct {
 		// Name the test case to better locate the failing test case.
@@ -146,7 +150,7 @@ func TestRolePermissions(t *testing.T) {
 			Actions:  []rbac.Action{rbac.ActionRead},
 			Resource: rbac.ResourceUser,
 			AuthorizeMap: map[bool][]authSubject{
-				true:  {admin, memberMe, orgMemberMe, orgAdmin, otherOrgMember, otherOrgAdmin},
+				true:  {admin, memberMe, orgMemberMe, orgAdmin, otherOrgMember, otherOrgAdmin, templateAdmin, userAdmin},
 				false: {},
 			},
 		},
@@ -155,8 +159,8 @@ func TestRolePermissions(t *testing.T) {
 			Actions:  []rbac.Action{rbac.ActionCreate, rbac.ActionUpdate, rbac.ActionDelete},
 			Resource: rbac.ResourceUser,
 			AuthorizeMap: map[bool][]authSubject{
-				true:  {admin},
-				false: {memberMe, orgMemberMe, orgAdmin, otherOrgMember, otherOrgAdmin},
+				true:  {admin, userAdmin},
+				false: {memberMe, orgMemberMe, orgAdmin, otherOrgMember, otherOrgAdmin, templateAdmin},
 			},
 		},
 		{
@@ -165,44 +169,54 @@ func TestRolePermissions(t *testing.T) {
 			Actions:  []rbac.Action{rbac.ActionCreate, rbac.ActionRead, rbac.ActionUpdate, rbac.ActionDelete},
 			Resource: rbac.ResourceWorkspace.InOrg(orgID).WithOwner(currentUser.String()),
 			AuthorizeMap: map[bool][]authSubject{
-				true:  {admin, orgMemberMe, orgAdmin},
-				false: {memberMe, otherOrgAdmin, otherOrgMember},
+				true:  {admin, orgMemberMe, orgAdmin, templateAdmin},
+				false: {memberMe, otherOrgAdmin, otherOrgMember, userAdmin},
+			},
+		},
+		{
+			Name: "MyWorkspaceInOrgExecution",
+			// When creating the WithID won't be set, but it does not change the result.
+			Actions:  []rbac.Action{rbac.ActionCreate, rbac.ActionRead, rbac.ActionUpdate, rbac.ActionDelete},
+			Resource: rbac.ResourceWorkspaceExecution.InOrg(orgID).WithOwner(currentUser.String()),
+			AuthorizeMap: map[bool][]authSubject{
+				true:  {admin, orgAdmin, orgMemberMe},
+				false: {memberMe, otherOrgAdmin, otherOrgMember, templateAdmin, userAdmin},
 			},
 		},
 		{
 			Name:     "Templates",
 			Actions:  []rbac.Action{rbac.ActionCreate, rbac.ActionUpdate, rbac.ActionDelete},
 			Resource: rbac.ResourceTemplate.InOrg(orgID),
 			AuthorizeMap: map[bool][]authSubject{
-				true:  {admin, orgAdmin},
-				false: {memberMe, orgMemberMe, otherOrgAdmin, otherOrgMember},
+				true:  {admin, orgAdmin, templateAdmin},
+				false: {memberMe, orgMemberMe, otherOrgAdmin, otherOrgMember, userAdmin},
 			},
 		},
 		{
 			Name:     "ReadTemplates",
 			Actions:  []rbac.Action{rbac.ActionRead},
 			Resource: rbac.ResourceTemplate.InOrg(orgID),
 			AuthorizeMap: map[bool][]authSubject{
-				true:  {admin, orgMemberMe, orgAdmin},
-				false: {memberMe, otherOrgAdmin, otherOrgMember},
+				true:  {admin, orgMemberMe, orgAdmin, templateAdmin},
+				false: {memberMe, otherOrgAdmin, otherOrgMember, userAdmin},
 			},
 		},
 		{
 			Name:     "Files",
 			Actions:  []rbac.Action{rbac.ActionCreate},
 			Resource: rbac.ResourceFile,
 			AuthorizeMap: map[bool][]authSubject{
-				true:  {admin},
-				false: {orgMemberMe, orgAdmin, memberMe, otherOrgAdmin, otherOrgMember},
+				true:  {admin, templateAdmin},
+				false: {orgMemberMe, orgAdmin, memberMe, otherOrgAdmin, otherOrgMember, userAdmin},
 			},
 		},
 		{
 			Name:     "MyFile",
 			Actions:  []rbac.Action{rbac.ActionRead, rbac.ActionUpdate, rbac.ActionDelete},
 			Resource: rbac.ResourceFile.WithOwner(currentUser.String()),
 			AuthorizeMap: map[bool][]authSubject{
-				true:  {admin, memberMe, orgMemberMe},
-				false: {orgAdmin, otherOrgAdmin, otherOrgMember},
+				true:  {admin, memberMe, orgMemberMe, templateAdmin},
+				false: {orgAdmin, otherOrgAdmin, otherOrgMember, userAdmin},
 			},
 		},
 		{
@@ -211,7 +225,7 @@ func TestRolePermissions(t *testing.T) {
 			Resource: rbac.ResourceOrganization,
 			AuthorizeMap: map[bool][]authSubject{
 				true:  {admin},
-				false: {orgAdmin, otherOrgAdmin, otherOrgMember, memberMe, orgMemberMe},
+				false: {orgAdmin, otherOrgAdmin, otherOrgMember, memberMe, orgMemberMe, templateAdmin, userAdmin},
 			},
 		},
 		{
@@ -220,7 +234,7 @@ func TestRolePermissions(t *testing.T) {
 			Resource: rbac.ResourceOrganization.InOrg(orgID),
 			AuthorizeMap: map[bool][]authSubject{
 				true:  {admin, orgAdmin},
-				false: {otherOrgAdmin, otherOrgMember, memberMe, orgMemberMe},
+				false: {otherOrgAdmin, otherOrgMember, memberMe, orgMemberMe, templateAdmin, userAdmin},
 			},
 		},
 		{
@@ -229,7 +243,7 @@ func TestRolePermissions(t *testing.T) {
 			Resource: rbac.ResourceOrganization.InOrg(orgID),
 			AuthorizeMap: map[bool][]authSubject{
 				true:  {admin, orgAdmin, orgMemberMe},
-				false: {otherOrgAdmin, otherOrgMember, memberMe},
+				false: {otherOrgAdmin, otherOrgMember, memberMe, templateAdmin, userAdmin},
 			},
 		},
 		{
@@ -238,15 +252,15 @@ func TestRolePermissions(t *testing.T) {
 			Resource: rbac.ResourceRoleAssignment,
 			AuthorizeMap: map[bool][]authSubject{
 				true:  {admin},
-				false: {orgAdmin, orgMemberMe, otherOrgAdmin, otherOrgMember, memberMe},
+				false: {orgAdmin, orgMemberMe, otherOrgAdmin, otherOrgMember, memberMe, templateAdmin, userAdmin},
 			},
 		},
 		{
 			Name:     "ReadRoleAssignment",
 			Actions:  []rbac.Action{rbac.ActionRead},
 			Resource: rbac.ResourceRoleAssignment,
 			AuthorizeMap: map[bool][]authSubject{
-				true:  {admin, orgAdmin, orgMemberMe, otherOrgAdmin, otherOrgMember, memberMe},
+				true:  {admin, orgAdmin, orgMemberMe, otherOrgAdmin, otherOrgMember, memberMe, templateAdmin, userAdmin},
 				false: {},
 			},
 		},
@@ -256,7 +270,7 @@ func TestRolePermissions(t *testing.T) {
 			Resource: rbac.ResourceOrgRoleAssignment.InOrg(orgID),
 			AuthorizeMap: map[bool][]authSubject{
 				true:  {admin, orgAdmin},
-				false: {orgMemberMe, otherOrgAdmin, otherOrgMember, memberMe},
+				false: {orgMemberMe, otherOrgAdmin, otherOrgMember, memberMe, templateAdmin, userAdmin},
 			},
 		},
 		{
@@ -265,7 +279,7 @@ func TestRolePermissions(t *testing.T) {
 			Resource: rbac.ResourceOrgRoleAssignment.InOrg(orgID),
 			AuthorizeMap: map[bool][]authSubject{
 				true:  {admin, orgAdmin, orgMemberMe},
-				false: {otherOrgAdmin, otherOrgMember, memberMe},
+				false: {otherOrgAdmin, otherOrgMember, memberMe, templateAdmin, userAdmin},
 			},
 		},
 		{
@@ -274,7 +288,7 @@ func TestRolePermissions(t *testing.T) {
 			Resource: rbac.ResourceAPIKey.WithOwner(currentUser.String()),
 			AuthorizeMap: map[bool][]authSubject{
 				true:  {admin, orgMemberMe, memberMe},
-				false: {orgAdmin, otherOrgAdmin, otherOrgMember},
+				false: {orgAdmin, otherOrgAdmin, otherOrgMember, templateAdmin, userAdmin},
 			},
 		},
 		{
@@ -283,7 +297,7 @@ func TestRolePermissions(t *testing.T) {
 			Resource: rbac.ResourceUserData.WithOwner(currentUser.String()),
 			AuthorizeMap: map[bool][]authSubject{
 				true:  {admin, orgMemberMe, memberMe},
-				false: {orgAdmin, otherOrgAdmin, otherOrgMember},
+				false: {orgAdmin, otherOrgAdmin, otherOrgMember, templateAdmin, userAdmin},
 			},
 		},
 		{
@@ -292,7 +306,7 @@ func TestRolePermissions(t *testing.T) {
 			Resource: rbac.ResourceOrganizationMember.InOrg(orgID),
 			AuthorizeMap: map[bool][]authSubject{
 				true:  {admin, orgAdmin},
-				false: {orgMemberMe, memberMe, otherOrgAdmin, otherOrgMember},
+				false: {orgMemberMe, memberMe, otherOrgAdmin, otherOrgMember, templateAdmin, userAdmin},
 			},
 		},
 		{
@@ -301,7 +315,7 @@ func TestRolePermissions(t *testing.T) {
 			Resource: rbac.ResourceOrganizationMember.InOrg(orgID),
 			AuthorizeMap: map[bool][]authSubject{
 				true:  {admin, orgAdmin, orgMemberMe},
-				false: {memberMe, otherOrgAdmin, otherOrgMember},
+				false: {memberMe, otherOrgAdmin, otherOrgMember, templateAdmin, userAdmin},
 			},
 		},
 	}
@@ -402,7 +416,8 @@ func TestListRoles(t *testing.T) {
 		"admin",
 		"member",
 		"auditor",
-		"template-manager",
+		"template-admin",
+		"user-admin",
 	},
 		siteRoleNames)
 
diff --git a/coderd/rbac/object.go b/coderd/rbac/object.go
@@ -22,6 +22,15 @@ var (
 		Type: "workspace",
 	}
 
+	// ResourceWorkspaceExecution CRUD. Org + User owner
+	//	create = workspace remote execution
+	// 	read = ?
+	//	update = ?
+	// 	delete = ?
+	ResourceWorkspaceExecution = Object{
+		Type: "workspace_execution",
+	}
+
 	// ResourceAuditLog
 	// read = access audit log
 	ResourceAuditLog = Object{
diff --git a/coderd/roles.go b/coderd/roles.go
@@ -32,8 +32,6 @@ func (api *API) assignableSiteRoles(rw http.ResponseWriter, r *http.Request) {
 
 // assignableSiteRoles returns all site wide roles that can be assigned.
 func (api *API) assignableOrgRoles(rw http.ResponseWriter, r *http.Request) {
-	// TODO: @emyrk in the future, allow granular subsets of roles to be returned based on the
-	// 	role of the user.
 	organization := httpmw.OrganizationParam(r)
 	actorRoles := httpmw.AuthorizationUserRoles(r)
 
diff --git a/coderd/workspaceapps.go b/coderd/workspaceapps.go
@@ -43,7 +43,9 @@ func (api *API) workspaceAppsProxyPath(rw http.ResponseWriter, r *http.Request)
 		})
 		return
 	}
-	if !api.Authorize(r, rbac.ActionRead, workspace) {
+
+	if !api.Authorize(r, rbac.ActionCreate,
+		rbac.ResourceWorkspaceExecution.InOrg(workspace.OrganizationID).WithOwner(workspace.OwnerID.String())) {
 		httpapi.ResourceNotFound(rw)
 		return
 	}

Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,9 @@ func (api API) workspaceAppsProxyPath(rw http.ResponseWriter, r http.Request)`
`43`	`43`	`})`
`44`	`44`	`return`
`45`	`45`	`}`
`46`		`- if !api.Authorize(r, rbac.ActionRead, workspace) {`
	`46`	`+`
	`47`	`+ if !api.Authorize(r, rbac.ActionCreate,`
	`48`	`+ rbac.ResourceWorkspaceExecution.InOrg(workspace.OrganizationID).WithOwner(workspace.OwnerID.String())) {`
`47`	`49`	`httpapi.ResourceNotFound(rw)`
`48`	`50`	`return`
`49`	`51`	`}`