
Commit 96fee51

committed
WIP
1 parent 4385933 commit 96fee51


4 files changed

+31
-36
lines changed


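--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -170,10 +170,10 @@ var (
 Identifier: rbac.RoleIdentifier{Name: "provisionerd"},
 DisplayName: "Provisioner Daemon",
 Site: rbac.Permissions(map[string][]policy.Action{
-// TODO: Add ProvisionerJob resource type.
-rbac.ResourceFile.Type: {policy.ActionRead},
-rbac.ResourceSystem.Type: {policy.WildcardSymbol},
-rbac.ResourceTemplate.Type: {policy.ActionRead, policy.ActionUpdate},
+rbac.ResourceProvisionerJobs.Type: {policy.ActionRead, policy.ActionUpdate},
+rbac.ResourceFile.Type: {policy.ActionRead},
+rbac.ResourceSystem.Type: {policy.WildcardSymbol},
+rbac.ResourceTemplate.Type: {policy.ActionRead, policy.ActionUpdate},
 // Unsure why provisionerd needs update and read personal
 rbac.ResourceUser.Type: {policy.ActionRead, policy.ActionReadPersonal, policy.ActionUpdatePersonal},
 rbac.ResourceWorkspaceDormant.Type: {policy.ActionDelete, policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceStop},
@@ -1093,11 +1093,10 @@ func (q *querier) AcquireNotificationMessages(ctx context.Context, arg database.
 return q.db.AcquireNotificationMessages(ctx, arg)
 }
 
-// TODO: We need to create a ProvisionerJob resource type
 func (q *querier) AcquireProvisionerJob(ctx context.Context, arg database.AcquireProvisionerJobParams) (database.ProvisionerJob, error) {
-// if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceSystem); err != nil {
-// return database.ProvisionerJob{}, err
-// }
+if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
+return database.ProvisionerJob{}, err
+}
 return q.db.AcquireProvisionerJob(ctx, arg)
 }
 
@@ -2322,28 +2321,28 @@ func (q *querier) GetProvisionerJobTimingsByJobID(ctx context.Context, jobID uui
 return q.db.GetProvisionerJobTimingsByJobID(ctx, jobID)
 }
 
-// TODO: We have a ProvisionerJobs resource, but it hasn't been checked for this use-case.
 func (q *querier) GetProvisionerJobsByIDs(ctx context.Context, ids []uuid.UUID) ([]database.ProvisionerJob, error) {
-// if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceSystem); err != nil {
-// return nil, err
-// }
+if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
+return nil, err
+}
 return q.db.GetProvisionerJobsByIDs(ctx, ids)
 }
 
-// TODO: We have a ProvisionerJobs resource, but it hasn't been checked for this use-case.
 func (q *querier) GetProvisionerJobsByIDsWithQueuePosition(ctx context.Context, ids []uuid.UUID) ([]database.GetProvisionerJobsByIDsWithQueuePositionRow, error) {
+if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
+return nil, err
+}
 return q.db.GetProvisionerJobsByIDsWithQueuePosition(ctx, ids)
 }
 
 func (q *querier) GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisioner(ctx context.Context, arg database.GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisionerParams) ([]database.GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisionerRow, error) {
 return fetchWithPostFilter(q.auth, policy.ActionRead, q.db.GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisioner)(ctx, arg)
 }
 
-// TODO: We have a ProvisionerJobs resource, but it hasn't been checked for this use-case.
 func (q *querier) GetProvisionerJobsCreatedAfter(ctx context.Context, createdAt time.Time) ([]database.ProvisionerJob, error) {
-// if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceSystem); err != nil {
-// return nil, err
-// }
+if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
+return nil, err
+}
 return q.db.GetProvisionerJobsCreatedAfter(ctx, createdAt)
 }
 
@@ -3531,27 +3530,24 @@ func (q *querier) InsertPresetParameters(ctx context.Context, arg database.Inser
 return q.db.InsertPresetParameters(ctx, arg)
 }
 
-// TODO: We need to create a ProvisionerJob resource type
 func (q *querier) InsertProvisionerJob(ctx context.Context, arg database.InsertProvisionerJobParams) (database.ProvisionerJob, error) {
-// if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceSystem); err != nil {
-// return database.ProvisionerJob{}, err
-// }
+if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceProvisionerJobs); err != nil {
+return database.ProvisionerJob{}, err
+}
 return q.db.InsertProvisionerJob(ctx, arg)
 }
 
-// TODO: We need to create a ProvisionerJob resource type
 func (q *querier) InsertProvisionerJobLogs(ctx context.Context, arg database.InsertProvisionerJobLogsParams) ([]database.ProvisionerJobLog, error) {
-// if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceSystem); err != nil {
-// return nil, err
-// }
+if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceProvisionerJobs); err != nil {
+return nil, err
+}
 return q.db.InsertProvisionerJobLogs(ctx, arg)
 }
 
-// TODO: We need to create a ProvisionerJob resource type
 func (q *querier) InsertProvisionerJobTimings(ctx context.Context, arg database.InsertProvisionerJobTimingsParams) ([]database.ProvisionerJobTiming, error) {
-// if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceSystem); err != nil {
-// return nil, err
-// }
+if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceProvisionerJobs); err != nil {
+return nil, err
+}
 return q.db.InsertProvisionerJobTimings(ctx, arg)
 }
 
@@ -4174,11 +4170,10 @@ func (q *querier) UpdateProvisionerDaemonLastSeenAt(ctx context.Context, arg dat
 return q.db.UpdateProvisionerDaemonLastSeenAt(ctx, arg)
 }
 
-// TODO: We need to create a ProvisionerJob resource type
 func (q *querier) UpdateProvisionerJobByID(ctx context.Context, arg database.UpdateProvisionerJobByIDParams) error {
-// if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceSystem); err != nil {
-// return err
-// }
+if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
+return err
+}
 return q.db.UpdateProvisionerJobByID(ctx, arg)
 }
 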
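Review bot: The checks added to `GetProvisionerJobsByIDs`, `GetProvisionerJobsByIDsWithQueuePosition` and `GetProvisionerJobsCreatedAfter` authorize against the bare type `rbac.ResourceProvisionerJobs`, so the decision cannot depend on which organization the requested jobs belong to. `GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisioner`, visible as context in the same hunk, authorizes each row through `fetchWithPostFilter(q.auth, policy.ActionRead, ...)`; if the row types returned here can be turned into RBAC objects (not visible in this diff), the by-ID readers should be filtered the same way rather than gated once on the type. Separately, the `provisionerd` role in the first hunk receives only `{policy.ActionRead, policy.ActionUpdate}` on this type, while `InsertProvisionerJob`, `InsertProvisionerJobLogs` and `InsertProvisionerJobTimings` now require `policy.ActionCreate`. If the daemon calls any of them, the grant needs `policy.ActionCreate` added, because its `rbac.ResourceSystem.Type` wildcard is a different resource type and presumably does not satisfy these checks.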

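--- a/coderd/rbac/roles.go
+++ b/coderd/rbac/roles.go
@@ -503,7 +503,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 // the ability to create templates and provisioners has
 // a lot of overlap.
 ResourceProvisionerDaemon.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
-ResourceProvisionerJobs.Type: {policy.ActionRead},
+ResourceProvisionerJobs.Type: {policy.ActionRead, policy.ActionUpdate, policy.ActionCreate},
 }),
 },
 User: []Permission{},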
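Review bot: The grant on `ResourceProvisionerJobs.Type` widens from read-only to `{policy.ActionRead, policy.ActionUpdate, policy.ActionCreate}` with no comment saying why this role needs to create or update jobs; the comment above it only justifies the `ResourceProvisionerDaemon` line. Because dbauthz in this commit gates `UpdateProvisionerJobByID` and `AcquireProvisionerJob` on `policy.ActionUpdate` for this type, holders of the role appear able to modify or acquire any job in their scope, which is worth stating explicitly next to the grant. I would add something like `// Update/Create: template builds insert and update provisioner jobs through dbauthz.` once that is confirmed to be the actual reason. The enclosing role definition starts outside the hunk, so which role this is cannot be confirmed from here.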

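--- a/coderd/rbac/roles_test.go
+++ b/coderd/rbac/roles_test.go
@@ -580,7 +580,7 @@ func TestRolePermissions(t *testing.T) {
 },
 {
 Name: "ProvisionerJobs",
-Actions: []policy.Action{policy.ActionRead},
+Actions: []policy.Action{policy.ActionRead, policy.ActionUpdate},
 Resource: rbac.ResourceProvisionerJobs.InOrg(orgID),
 AuthorizeMap: map[bool][]hasAuthSubjects{
 true: {owner, orgTemplateAdmin, orgAdmin},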
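Review bot: The `ProvisionerJobs` case lists `policy.ActionRead, policy.ActionUpdate`, but the matching change in `coderd/rbac/roles.go` also grants `policy.ActionCreate`, so the new create permission is not pinned by this table. Either extend the case to `Actions: []policy.Action{policy.ActionRead, policy.ActionUpdate, policy.ActionCreate},` or add a separate case if the subjects allowed to create differ from `{owner, orgTemplateAdmin, orgAdmin}`. The `false` side of `AuthorizeMap` lies outside the hunk, so it is not visible which subjects are expected to be denied the new update action.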

codersdk/rbacresources_gen.go

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
