
Commit edcfe19

committed
work on policy
1 parent adc9d13 commit edcfe19

3 files changed

+183
-37
lines changed


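--- a/coderd/rbac/object.go
+++ b/coderd/rbac/object.go
@@ -58,18 +58,18 @@ var (
 // read = ?
 // update = ?
 // delete = ?
-ResourceWorkspaceExecution = Object{
-Type: "workspace_execution",
-}
+//ResourceWorkspaceExecution = Object{
+// Type: "workspace_execution",
+//}
 
 // ResourceWorkspaceApplicationConnect CRUD. Org + User owner
 // create = connect to an application
 // read = ?
 // update = ?
 // delete = ?
-ResourceWorkspaceApplicationConnect = Object{
-Type: "application_connect",
-}
+//ResourceWorkspaceApplicationConnect = Object{
+// Type: "application_connect",
+//}
 
 // ResourceAuditLog
 // read = access audit log
@@ -81,33 +81,33 @@ var (
 // create/delete = Make or delete a new template
 // update = Update the template, make new template versions
 // read = read the template and all versions associated
-ResourceTemplate = Object{
-Type: "template",
-}
+//ResourceTemplate = Object{
+// Type: "template",
+//}
 
 // ResourceGroup CRUD. Org admins only.
 // create/delete = Make or delete a new group.
 // update = Update the name or members of a group.
 // read = Read groups and their members.
-ResourceGroup = Object{
-Type: "group",
-}
+//ResourceGroup = Object{
+// Type: "group",
+//}
 
-ResourceFile = Object{
-Type: "file",
-}
+//ResourceFile = Object{
+// Type: "file",
+//}
 
-ResourceProvisionerDaemon = Object{
-Type: "provisioner_daemon",
-}
+//ResourceProvisionerDaemon = Object{
+// Type: "provisioner_daemon",
+//}
 
 // ResourceOrganization CRUD. Has an org owner on all but 'create'.
 // create/delete = make or delete organizations
 // read = view org information (Can add user owner for read)
 // update = ??
-ResourceOrganization = Object{
-Type: "organization",
-}
+//ResourceOrganization = Object{
+// Type: "organization",
+//}
 
 // ResourceRoleAssignment might be expanded later to allow more granular permissions
 // to modifying roles. For now, this covers all possible roles, so having this permission
@@ -140,15 +140,15 @@ var (
 // create/delete = make or delete a new user.
 // read = view all 'user' table data
 // update = update all 'user' table data
-ResourceUser = Object{
-Type: "user",
-}
+//ResourceUser = Object{
+// Type: "user",
+//}
 
 // ResourceUserData is any data associated with a user. A user has control
 // over their data (profile, password, etc). So this resource has an owner.
-ResourceUserData = Object{
-Type: "user_data",
-}
+//ResourceUserData = Object{
+// Type: "user_data",
+//}
 
 // ResourceUserWorkspaceBuildParameters is the user's workspace build
 // parameter history.
@@ -161,9 +161,9 @@ var (
 // create/delete = Create/delete member from org.
 // update = Update organization member
 // read = View member
-ResourceOrganizationMember = Object{
-Type: "organization_member",
-}
+//ResourceOrganizationMember = Object{
+// Type: "organization_member",
+//}
 
 // ResourceLicense is the license in the 'licenses' table.
 // ResourceLicense is site wide.
@@ -175,9 +175,9 @@ var (
 //}
 
 // ResourceDeploymentValues
-ResourceDeploymentValues = Object{
-Type: "deployment_config",
-}
+//ResourceDeploymentValues = Object{
+// Type: "deployment_config",
+//}
 
 //ResourceDeploymentStats = Object{
 // Type: "deployment_stats",
@@ -202,10 +202,10 @@ var (
 Type: "tailnet_coordinator",
 }
 
-// ResourceTemplateInsights is a pseudo-resource for reading template insights data.
-ResourceTemplateInsights = Object{
-Type: "template_insights",
-}
+//// ResourceTemplateInsights is a pseudo-resource for reading template insights data.
+//ResourceTemplateInsights = Object{
+// Type: "template_insights",
+//}
 
 // ResourceOAuth2ProviderApp CRUD.
 // create/delete = Make or delete an OAuth2 app.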
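Review bot: Every hunk in this file comments out a resource declaration instead of deleting it, which leaves a `var (` block (it starts and ends outside these hunks) full of dead text that `gofmt`/linters will keep tolerating and that readers cannot tell apart from the intentionally-disabled `//ResourceDeploymentStats` block already there; git history preserves the old definitions, so the commented lines should be removed. The last hunk is the worst case: the doc comment for `ResourceTemplateInsights` is now double-prefixed (`//// ResourceTemplateInsights is a pseudo-resource ...`), which reads as a stray edit. It looks as if these objects are meant to be regenerated in `coderd/rbac/object_gen.go` (77 additions, not rendered here), but that cannot be confirmed from this page, so the commit message or a one-line comment at the top of the block, e.g. `// Resource objects are generated into object_gen.go from policy.RBACPermissions.`, would help the next reader.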

coderd/rbac/object_gen.go

Lines changed: 77 additions & 0 deletions

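--- a/coderd/rbac/policy/policy.go
+++ b/coderd/rbac/policy/policy.go
@@ -18,6 +18,7 @@ const (
 ActionUse Action = "use"
 ActionSSH Action = "ssh"
 ActionApplicationConnect = "application_connect"
+ActionViewInsights = "view_insights"
 )
 
 const (
@@ -85,6 +86,20 @@ var RBACPermissions = []PermissionDefinition{
 },
 },
 },
+{
+Type: "user",
+Actions: map[Action]ActionDefinition{
+// Actions deal with site wide user objects.
+ActionRead: actDef(0, "read user data"),
+ActionCreate: actDef(0, "create a new user"),
+ActionUpdate: actDef(0, "update an existing user"),
+ActionDelete: actDef(0, "delete an existing user"),
+
+"read_personal": actDef(fieldOwner, "read personal user data like password"),
+"update_personal": actDef(fieldOwner, "update personal data"),
+//ActionReadPublic: actDef(fieldOwner, "read public user data"),
+},
+},
 {
 Type: "workspace",
 Actions: map[Action]ActionDefinition{
@@ -139,4 +154,58 @@ var RBACPermissions = []PermissionDefinition{
 ActionRead: actDef(0, "read replicas"),
 },
 },
+{
+Type: "template",
+Actions: map[Action]ActionDefinition{
+ActionCreate: actDef(fieldOrg, "create a template"),
+// TODO: Create a use permission maybe?
+ActionRead: actDef(fieldOrg|fieldACL, "read template"),
+ActionUpdate: actDef(fieldOrg|fieldACL, "update a template"),
+ActionDelete: actDef(fieldOrg|fieldACL, "delete a template"),
+ActionViewInsights: actDef(fieldOrg|fieldACL, "view insights"),
+},
+},
+{
+Type: "group",
+Actions: map[Action]ActionDefinition{
+ActionCreate: actDef(fieldOrg, "create a group"),
+ActionRead: actDef(fieldOrg, "read groups"),
+ActionDelete: actDef(fieldOrg, "delete a group"),
+ActionUpdate: actDef(fieldOrg, "update a group"),
+},
+},
+{
+Type: "file",
+Actions: map[Action]ActionDefinition{
+ActionCreate: actDef(0, "create a file"),
+ActionRead: actDef(0, "read files"),
+},
+},
+{
+Type: "provisioner_daemon",
+Actions: map[Action]ActionDefinition{
+ActionCreate: actDef(fieldOrg, "create a provisioner daemon"),
+// TODO: Move to use?
+ActionRead: actDef(fieldOrg, "read provisioner daemon"),
+ActionUpdate: actDef(fieldOrg, "update a provisioner daemon"),
+ActionDelete: actDef(fieldOrg, "delete a provisioner daemon"),
+},
+},
+{
+Type: "organization",
+Actions: map[Action]ActionDefinition{
+ActionCreate: actDef(0, "create an organization"),
+ActionRead: actDef(0, "read organizations"),
+ActionDelete: actDef(0, "delete a organization"),
+},
+},
+{
+Type: "organization_member",
+Actions: map[Action]ActionDefinition{
+ActionCreate: actDef(fieldOrg, "create an organization member"),
+ActionRead: actDef(fieldOrg, "read member"),
+ActionUpdate: actDef(fieldOrg, "update a organization member"),
+ActionDelete: actDef(fieldOrg, "delete member"),
+},
+},
 }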
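Review bot: The two owner-scoped actions added to the `"user"` entry in the second hunk are keyed by bare string literals (`"read_personal"`, `"update_personal"`) in a `map[Action]ActionDefinition`, and `ActionViewInsights` in the first hunk is declared without the `Action` type, so it is an untyped string constant rather than a typed `Action` like `ActionUse` and `ActionSSH` two lines above it; both compile, but they bypass the typed-action convention the rest of the table relies on, and the personal-data actions (the description for `read_personal` names password data) are exactly the ones a typo in a caller or policy should not be able to silently miss. Declare them alongside the other actions, `ActionViewInsights Action = "view_insights"`, `ActionReadPersonal Action = "read_personal"`, `ActionUpdatePersonal Action = "update_personal"`, and key the map with the constants. Both `const (` blocks and the start of `RBACPermissions` lie outside the hunks, so the new constants would go in the first hunk's block. The `"organization"` entry omits `ActionUpdate` while `"organization_member"` has one; if that is deliberate (object.go's comment still says `// update = ??`), a one-line comment saying so would keep it from being read as an oversight.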
