Owners cannot do workspace exec site wide

Emyrk · Emyrk · commit 9113b16a474d · 2023-04-07T12:23:50.000-05:00
diff --git a/coderd/rbac/object_gen.go b/coderd/rbac/object_gen.go
diff --git a/coderd/rbac/object_test.go b/coderd/rbac/object_test.go
@@ -4,6 +4,7 @@ import (
 	"testing"
 
 	"github.com/coder/coder/coderd/rbac"
+	"github.com/coder/coder/coderd/util/slice"
 )
 
 func TestObjectEqual(t *testing.T) {
@@ -174,3 +175,20 @@ func TestObjectEqual(t *testing.T) {
 		})
 	}
 }
+
+// TestAllResources ensures that all resources have a unique type name.
+func TestAllResources(t *testing.T) {
+	var typeNames []string
+	resources := rbac.AllResources()
+	for _, r := range resources {
+		if r.Type == "" {
+			t.Errorf("empty type name: %s", r.Type)
+			continue
+		}
+		if slice.Contains(typeNames, r.Type) {
+			t.Errorf("duplicate type name: %s", r.Type)
+			continue
+		}
+		typeNames = append(typeNames, r.Type)
+	}
+}
diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go
@@ -76,9 +76,26 @@ var builtInRoles = map[string]func(orgID string) Role{
 		return Role{
 			Name:        owner,
 			DisplayName: "Owner",
-			Site: Permissions(map[string][]Action{
-				ResourceWildcard.Type: {WildcardSymbol},
-			}),
+			Site: func() []Permission {
+				// Owner can do all actions on all resources, minus some exceptions.
+				resources := AllResources()
+				var perms []Permission
+
+				for _, r := range resources {
+					// Exceptions
+					if r.Equal(ResourceWildcard) ||
+						r.Equal(ResourceWorkspaceExecution) {
+						continue
+					}
+					// Owners can do everything else
+					perms = append(perms, Permission{
+						Negate:       false,
+						ResourceType: r.Type,
+						Action:       WildcardSymbol,
+					})
+				}
+				return perms
+			}(),
 			Org:  map[string][]Permission{},
 			User: []Permission{},
 		}
