
Commit 6727a2a

committed
WIP
1 parent 697b028 commit 6727a2a

4 files changed

+560
-12
lines changed


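--- a/coderd/database/spice/schema.zed
+++ b/coderd/database/spice/schema.zed
@@ -0,0 +1,68 @@
+// Read this blog post before looking at this data
+// https://authzed.com/blog/check-it-out
+//
+// Glossary: https://authzed.com/docs/reference/glossary
+// Zanzibar Term Mapping: https://authzed.com/docs/reference/glossary#mapping-terminology-from-the-zanzibar-paper
+
+// platform is the site-wide level on the Coder product.
+definition platform {
+relation administrator: user
+relation member: user
+relation auditor: user
+
+
+permission super_admin = administrator
+}
+
+definition group {
+relation admin: user
+// Direct members are users.
+relation direct_member: user
+// Child groups allow nesting of groups
+relation child_group: group
+relation platform: platform
+
+permission member = direct_member + child_group->member
+permission delete = admin + platform->super_admin
+}
+
+// Resources
+
+definition user {}
+
+definition workspace_proxy {}
+
+definition workspace {
+// Owner of the workspace
+relation owner: user
+relation platform: platform
+relation group: group
+
+permission view = owner + platform->super_admin + group->member
+permission update = owner + platform->super_admin
+permission delete= owner + platform->super_admin
+// Only the owner can connect
+permission ssh = owner
+}
+definition workspace_build {
+// A workspace owns this build
+relation workspace: workspace
+
+// Can view if the workspace->view perm exists
+permission view = workspace->view
+}
+
+
+definition provisioner {
+}
+
+definition template {
+}
+
+
+definition template_version{
+}
+
+definition file {}
+
+definition provisioner_job {}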
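Review bot: `permission delete= owner + platform->super_admin` on schema line 43 is missing the space before `=`; write `permission delete = owner + platform->super_admin` so it matches the other permission lines. The `member` and `auditor` relations on `platform` (lines 10-11) are declared but not referenced by any permission, so writing those relationships grants nothing today; if they are placeholders for later work, a comment such as `// member and auditor are not yet wired into any permission.` would stop readers from assuming they confer access. On `workspace`, `group->member` resolves through `group.member`, which itself includes `child_group->member`, so membership in a nested child group is enough to gain `view`; that transitivity is worth stating on line 41, e.g. `// group membership is transitive through child_group, so nested members can view.`.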

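--- a/coderd/database/spice/spice.go
+++ b/coderd/database/spice/spice.go
@@ -0,0 +1,103 @@
+package spice
+
+import (
+"context"
+_ "embed"
+"log"
+
+v1 "github.com/authzed/authzed-go/proto/authzed/api/v1"
+"github.com/authzed/spicedb/pkg/cmd/datastore"
+"github.com/authzed/spicedb/pkg/cmd/server"
+"github.com/authzed/spicedb/pkg/cmd/util"
+)
+
+var _ = v1.NewSchemaServiceClient
+
+//go:embed schema.zed
+var schema string
+
+func foo(ctx context.Context) error {
+srv, err := newServer(ctx)
+if err != nil {
+return err
+}
+
+conn, err := srv.GRPCDialContext(ctx)
+if err != nil {
+return err
+}
+
+schemaSrv := v1.NewSchemaServiceClient(conn)
+permSrv := v1.NewPermissionsServiceClient(conn)
+go func() {
+if err := srv.Run(ctx); err != nil {
+log.Print("error while shutting down server: %w", err)
+}
+}()
+
+_, err = schemaSrv.WriteSchema(ctx, &v1.WriteSchemaRequest{
+Schema: schema,
+})
+if err != nil {
+return err
+}
+
+resp, err := permSrv.WriteRelationships(ctx, &v1.WriteRelationshipsRequest{})
+if err != nil {
+return err
+}
+
+token := resp.GetWrittenAt()
+checkResp, err := permSrv.CheckPermission(ctx, &v1.CheckPermissionRequest{
+Permission: "view",
+Consistency: &v1.Consistency{Requirement: &v1.Consistency_AtLeastAsFresh{AtLeastAsFresh: token}},
+Resource: &v1.ObjectReference{
+ObjectId: "my_book",
+ObjectType: "resource",
+},
+Subject: &v1.SubjectReference{
+Object: &v1.ObjectReference{
+ObjectId: "john_doe",
+ObjectType: "user",
+},
+},
+})
+if err != nil {
+log.Fatal("unable to issue PermissionCheck: %w", err)
+}
+
+log.Printf("check result: %s", checkResp.Permissionship.String())
+
+return nil
+}
+
+func newServer(ctx context.Context) (server.RunnableServer, error) {
+ds, err := datastore.NewDatastore(ctx,
+datastore.WithEngine(datastore.PostgresEngine),
+datastore.DefaultDatastoreConfig().ToOption(),
+datastore.WithRequestHedgingEnabled(false),
+)
+if err != nil {
+log.Fatalf("unable to start memdb datastore: %s", err)
+}
+
+configOpts := []server.ConfigOption{
+server.WithGRPCServer(util.GRPCServerConfig{
+Network: util.BufferedNetwork,
+Enabled: true,
+}),
+server.WithGRPCAuthFunc(func(ctx context.Context) (context.Context, error) {
+return ctx, nil
+}),
+server.WithHTTPGateway(util.HTTPServerConfig{HTTPEnabled: false}),
+//server.WithDashboardAPI(util.HTTPServerConfig{HTTPEnabled: false}),
+server.WithMetricsAPI(util.HTTPServerConfig{HTTPEnabled: true}),
+// disable caching since it's all in memory
+server.WithDispatchCacheConfig(server.CacheConfig{Enabled: false, Metrics: false}),
+server.WithNamespaceCacheConfig(server.CacheConfig{Enabled: false, Metrics: false}),
+server.WithClusterDispatchCacheConfig(server.CacheConfig{Enabled: false, Metrics: false}),
+server.WithDatastore(ds),
+}
+
+return server.NewConfigWithOptionsAndDefaults(configOpts...).Complete(ctx)
+}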
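Review bot: `log.Print("error while shutting down server: %w", err)` on line 34 and `log.Fatal("unable to issue PermissionCheck: %w", err)` on line 66 hand format verbs to non-formatting functions, so `%w` is printed literally and the error is just appended; use `log.Printf("error while shutting down server: %v", err)` and `log.Fatalf("unable to issue PermissionCheck: %v", err)` (`%w` is only meaningful in fmt.Errorf, and go vet flags both calls). The CheckPermission request on lines 51-64 names `ObjectType: "resource"`, which the schema.zed embedded by this same commit never defines, so the check will presumably be rejected at runtime unless that sample data is replaced with a type from the schema. The `WithGRPCAuthFunc` on lines 89-91 admits every caller unconditionally; that is only acceptable because line 86 puts the gRPC server on `util.BufferedNetwork`, so a comment such as `// No auth check: the gRPC listener is in-process (BufferedNetwork) and is never bound to a socket.` should record that invariant before anyone changes Network, and the metrics HTTP server enabled on line 94 is the one listener here that does appear to bind externally and deserves the same scrutiny. In newServer, `log.Fatalf` on line 81 terminates the process although the function already returns an error, and its message says "memdb" while line 76 selects `datastore.PostgresEngine`; returning `fmt.Errorf("creating postgres datastore: %w", err)` keeps the caller in control.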
