Flip rego json to key by user id

Emyrk · Emyrk · commit 8f837b7be4d9 · 2022-09-14T20:33:58.000-04:00
diff --git a/coderd/rbac/authz_internal_test.go b/coderd/rbac/authz_internal_test.go
@@ -193,27 +193,23 @@ func TestAuthorizeDomain(t *testing.T) {
 
 	testAuthorize(t, "ACLList", user, []authTestCase{
 		{
-			resource: ResourceWorkspace.WithOwner(unuseID.String()).InOrg(unuseID).WithACLUserList(map[Action][]string{
-				ActionRead:   {user.UserID},
-				ActionDelete: {user.UserID},
-				ActionCreate: {user.UserID},
-				ActionUpdate: {user.UserID},
+			resource: ResourceWorkspace.WithOwner(unuseID.String()).InOrg(unuseID).WithACLUserList(map[string][]Action{
+				user.UserID: allActions(),
 			}),
 			actions: allActions(),
 			allow:   true,
 		},
 		{
-			resource: ResourceWorkspace.WithOwner(unuseID.String()).InOrg(unuseID).WithACLUserList(map[Action][]string{
-				ActionRead:   {user.UserID},
-				ActionUpdate: {user.UserID},
+			resource: ResourceWorkspace.WithOwner(unuseID.String()).InOrg(unuseID).WithACLUserList(map[string][]Action{
+				user.UserID: {ActionRead, ActionUpdate},
 			}),
 			actions: []Action{ActionCreate, ActionDelete},
 			allow:   false,
 		},
 		{
 			// By default users cannot update templates
-			resource: ResourceTemplate.InOrg(defOrg).WithACLUserList(map[Action][]string{
-				ActionUpdate: {user.UserID},
+			resource: ResourceTemplate.InOrg(defOrg).WithACLUserList(map[string][]Action{
+				user.UserID: {ActionUpdate},
 			}),
 			actions: []Action{ActionRead, ActionUpdate},
 			allow:   true,
diff --git a/coderd/rbac/object.go b/coderd/rbac/object.go
@@ -139,8 +139,8 @@ type Object struct {
 	// Type is "workspace", "project", "app", etc
 	Type string `json:"type"`
 
-	// map[action][]user_id
-	ACLUserList map[Action][]string ` json:"acl_user_list"`
+	// map[string][]Action
+	ACLUserList map[string][]Action ` json:"acl_user_list"`
 }
 
 func (z Object) RBACObject() Object {
@@ -175,7 +175,7 @@ func (z Object) WithOwner(ownerID string) Object {
 }
 
 // WithACLUserList adds an ACL list to a given object
-func (z Object) WithACLUserList(acl map[Action][]string) Object {
+func (z Object) WithACLUserList(acl map[string][]Action) Object {
 	return Object{
 		Owner:       z.Owner,
 		OrgID:       z.OrgID,
diff --git a/coderd/rbac/policy.rego b/coderd/rbac/policy.rego
@@ -160,7 +160,6 @@ allow {
 # ACL Allow
 allow {
 	# Should you have to be a member of the org too?
-	input.subject.id in input.object.acl_user_list[input.action]
+	perms := input.object.acl_user_list[input.subject.id]
+	input.action in perms
 }
-
-
