
Commit 8d5fca2

committed
wip rbac stuff
1 parent 342e27f commit 8d5fca2


13 files changed

+49
-1
lines changed


coderd/apidoc/docs.go

Lines changed: 2 additions & 0 deletions

coderd/apidoc/swagger.json

Lines changed: 2 additions & 0 deletions

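--- a/coderd/database/modelmethods.go
+++ b/coderd/database/modelmethods.go
@@ -464,7 +464,6 @@ func (p ProvisionerJob) RBACObject() rbac.Object {
 var input codersdk.ProvisionerJobInput
 _ = json.Unmarshal(p.Input, &input) // Best effort.
 
-// TODO(mafredri): Do we need to check provisioner permissions as well (p.AvailableProvisioners?).
 id := uuid.Nil
 switch p.Type {
 case ProvisionerJobTypeTemplateVersionImport, ProvisionerJobTypeTemplateVersionDryRun: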

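--- a/coderd/provisionerjobs.go
+++ b/coderd/provisionerjobs.go
@@ -60,6 +60,11 @@ func (api *API) provisionerJobs(rw http.ResponseWriter, r *http.Request) {
 Limit: sql.NullInt32{Int32: limit, Valid: limit > 0},
 })
 if err != nil {
+if httpapi.Is404Error(err) {
+httpapi.ResourceNotFound(rw)
+return
+}
+
 httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 Message: "Internal error fetching provisioner jobs.",
 Detail: err.Error(),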
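Review bot: The new `httpapi.Is404Error(err)` branch has no comment saying why it exists, and the reason is a security one worth stating. Presumably the helper matches authorization failures as well as missing rows (its body is not on this page), so a caller without read access gets the same 404 as for a resource that does not exist; I would add `// Unauthorized and missing are both reported as 404 so the response does not reveal which one it was.` above the `if`. The fall-through still returns `Detail: err.Error()` in the 500 body, so it is worth confirming that no authorization error can reach that path with its message intact. The body of provisionerJobs starts and ends outside the hunk.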

coderd/rbac/object_gen.go

Lines changed: 8 additions & 0 deletions

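--- a/coderd/rbac/policy/policy.go
+++ b/coderd/rbac/policy/policy.go
@@ -169,6 +169,11 @@ var RBACPermissions = map[string]PermissionDefinition{
 ActionDelete: actDef("delete a provisioner daemon"),
 },
 },
+"provisioner_jobs": {
+Actions: map[Action]ActionDefinition{
+ActionRead: actDef("read provisioner jobs"),
+},
+},
 "provisioner_keys": {
 Actions: map[Action]ActionDefinition{
 ActionCreate: actDef("create a provisioner key"),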

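--- a/coderd/rbac/roles.go
+++ b/coderd/rbac/roles.go
@@ -324,6 +324,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 ResourceWorkspace.Type: {policy.ActionRead},
 // CRUD to provisioner daemons for now.
 ResourceProvisionerDaemon.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
+// Read to provisioner jobs for now.
+ResourceProvisionerJobs.Type: {policy.ActionRead},
 // Needs to read all organizations since
 ResourceOrganization.Type: {policy.ActionRead},
 ResourceUser.Type: {policy.ActionRead},
@@ -422,6 +424,9 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 ResourceOrganization.Type: {policy.ActionRead},
 // Can read available roles.
 ResourceAssignOrgRole.Type: {policy.ActionRead},
+
+// Users can read provisioner jobs scoped to themselves.
+ResourceProvisionerJobs.Type: {policy.ActionRead},
 }),
 },
 User: []Permission{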
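Review bot: The comment added in the second hunk, `// Users can read provisioner jobs scoped to themselves.`, does not match where the grant is placed: `ResourceProvisionerJobs.Type: {policy.ActionRead}` sits in the map closed by `}),` just before `User: []Permission{`, so it appears to be an organization-level grant rather than a user-scoped one. The new case in coderd/rbac/roles_test.go agrees with that reading, since it expects `orgMemberMe` to be authorized on `rbac.ResourceProvisionerJobs.InOrg(orgID)` with no owner set. If per-user scoping is the intent, the entry belongs in the `User:` list and the test wants an owner-scoped case for another user; otherwise reword the comment to `// Org members can read all provisioner jobs in the organization.` so the breadth of the grant is explicit. ReloadBuiltinRoles starts and ends outside both hunks.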

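--- a/coderd/rbac/roles_test.go
+++ b/coderd/rbac/roles_test.go
@@ -553,6 +553,15 @@ func TestRolePermissions(t *testing.T) {
 false: {setOtherOrg, memberMe, orgMemberMe, userAdmin, templateAdmin, orgTemplateAdmin, orgUserAdmin, orgAuditor},
 },
 },
+{
+Name: "ProvisionerJobs",
+Actions: []policy.Action{policy.ActionRead},
+Resource: rbac.ResourceProvisionerJobs.InOrg(orgID),
+AuthorizeMap: map[bool][]hasAuthSubjects{
+true: {owner, templateAdmin, orgTemplateAdmin, orgMemberMe, orgAdmin},
+false: {setOtherOrg, memberMe, userAdmin, orgUserAdmin, orgAuditor},
+},
+},
 {
 Name: "System",
 Actions: crud,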

codersdk/rbacresources_gen.go

Lines changed: 2 additions & 0 deletions

docs/reference/api/members.md

Lines changed: 5 additions & 0 deletions

docs/reference/api/schemas.md

Lines changed: 1 addition & 0 deletions

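--- a/site/src/api/rbacresourcesGenerated.ts
+++ b/site/src/api/rbacresourcesGenerated.ts
@@ -119,6 +119,9 @@ export const RBACResourceActions: Partial<
 read: "read provisioner daemon",
 update: "update a provisioner daemon",
 },
+provisioner_jobs: {
+read: "read provisioner jobs",
+},
 provisioner_keys: {
 create: "create a provisioner key",
 delete: "delete a provisioner key",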

site/src/api/typesGenerated.ts

Lines changed: 2 additions & 0 deletions
