coder · Emyrk · Feb 24, 2025 · Feb 19, 2025 · Feb 19, 2025 · Feb 19, 2025
diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go
diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -324,7 +324,6 @@ var (
 					rbac.ResourceOrganization.Type:           {policy.ActionCreate, policy.ActionRead},
 					rbac.ResourceOrganizationMember.Type:     {policy.ActionCreate, policy.ActionDelete, policy.ActionRead},
 					rbac.ResourceProvisionerDaemon.Type:      {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate},
-					rbac.ResourceProvisionerKeys.Type:        {policy.ActionCreate, policy.ActionRead, policy.ActionDelete},
 					rbac.ResourceUser.Type:                   rbac.ResourceUser.AvailableActions(),
 					rbac.ResourceWorkspaceDormant.Type:       {policy.ActionUpdate, policy.ActionDelete, policy.ActionWorkspaceStop},
 					rbac.ResourceWorkspace.Type:              {policy.ActionUpdate, policy.ActionDelete, policy.ActionWorkspaceStart, policy.ActionWorkspaceStop, policy.ActionSSH},
@@ -3196,7 +3195,7 @@ func (q *querier) InsertProvisionerJobTimings(ctx context.Context, arg database.
 }
 
 func (q *querier) InsertProvisionerKey(ctx context.Context, arg database.InsertProvisionerKeyParams) (database.ProvisionerKey, error) {
-	return insert(q.log, q.auth, rbac.ResourceProvisionerKeys.InOrg(arg.OrganizationID).WithID(arg.ID), q.db.InsertProvisionerKey)(ctx, arg)
+	return insert(q.log, q.auth, rbac.ResourceProvisionerDaemon.InOrg(arg.OrganizationID).WithID(arg.ID), q.db.InsertProvisionerKey)(ctx, arg)
 }
 
 func (q *querier) InsertReplica(ctx context.Context, arg database.InsertReplicaParams) (database.Replica, error) {

diff --git a/coderd/database/modelmethods.go b/coderd/database/modelmethods.go
@@ -277,8 +277,10 @@ func (p GetEligibleProvisionerDaemonsByProvisionerJobIDsRow) RBACObject() rbac.O
 	return p.ProvisionerDaemon.RBACObject()
 }
 
+// RBACObject for a provisioner key is the same as a provisioner daemon.
+// Keys == provisioners from a RBAC perspective.
 func (p ProvisionerKey) RBACObject() rbac.Object {
-	return rbac.ResourceProvisionerKeys.
+	return rbac.ResourceProvisionerDaemon.
 		WithID(p.ID).
 		InOrg(p.OrganizationID)
 }

diff --git a/coderd/rbac/object_gen.go b/coderd/rbac/object_gen.go
diff --git a/coderd/rbac/policy/policy.go b/coderd/rbac/policy/policy.go
@@ -162,25 +162,18 @@ var RBACPermissions = map[string]PermissionDefinition{
 	},
 	"provisioner_daemon": {
 		Actions: map[Action]ActionDefinition{
-			ActionCreate: actDef("create a provisioner daemon"),
+			ActionCreate: actDef("create a provisioner daemon key"),
 			// TODO: Move to use?
 			ActionRead:   actDef("read provisioner daemon"),
 			ActionUpdate: actDef("update a provisioner daemon"),
-			ActionDelete: actDef("delete a provisioner daemon"),
+			ActionDelete: actDef("delete a provisioner daemon/key"),
 		},
 	},
 	"provisioner_jobs": {
 		Actions: map[Action]ActionDefinition{
 			ActionRead: actDef("read provisioner jobs"),
 		},
 	},
-	"provisioner_keys": {
-		Actions: map[Action]ActionDefinition{
-			ActionCreate: actDef("create a provisioner key"),
-			ActionRead:   actDef("read provisioner keys"),
-			ActionDelete: actDef("delete a provisioner key"),
-		},
-	},
 	"organization": {
 		Actions: map[Action]ActionDefinition{
 			ActionCreate: actDef("create an organization"),

diff --git a/codersdk/rbacresources_gen.go b/codersdk/rbacresources_gen.go
diff --git a/docs/reference/api/members.md b/docs/reference/api/members.md
diff --git a/docs/reference/api/schemas.md b/docs/reference/api/schemas.md
diff --git a/enterprise/coderd/roles.go b/enterprise/coderd/roles.go
@@ -147,9 +147,13 @@
 			UUID:  organization.ID,
 			Valid: true,
 		},
-		SitePermissions: db2sdk.List(req.SitePermissions, sdkPermissionToDB),
-		OrgPermissions:  db2sdk.List(req.OrganizationPermissions, sdkPermissionToDB),
-		UserPermissions: db2sdk.List(req.UserPermissions, sdkPermissionToDB),
+		// Invalid permissions are filtered out. If this is changed
+		// to throw an error, then the story of a previously valid role
+		// now being invalid has to be addressed. Coder can change permissions,
+		// objects, and actions at any time.
+		SitePermissions: db2sdk.List(filterInvalidPermissions(req.SitePermissions), sdkPermissionToDB),
+		OrgPermissions:  db2sdk.List(filterInvalidPermissions(req.OrganizationPermissions), sdkPermissionToDB),
+		UserPermissions: db2sdk.List(filterInvalidPermissions(req.UserPermissions), sdkPermissionToDB),
 	})
 	if httpapi.Is404Error(err) {
 		httpapi.ResourceNotFound(rw)
@@ -247,6 +251,24 @@
 	httpapi.Write(ctx, rw, http.StatusNoContent, nil)
 }
 
+func filterInvalidPermissions(permissions []codersdk.Permission) []codersdk.Permission {
+	// Filter out any invalid permissions
+	var validPermissions []codersdk.Permission
+	for _, permission := range permissions {
+		err := (&rbac.Permission{
+			Negate:       permission.Negate,
+			ResourceType: string(permission.ResourceType),
+			Action:       policy.Action(permission.Action),
+		}).Valid()
+		if err == nil {
+			validPermissions = append(validPermissions, permission)
+		} else {
+			fmt.Println(err.Error())
+		}
+	}
+	return validPermissions
+}
+
 func sdkPermissionToDB(p codersdk.Permission) database.CustomRolePermission {
 	return database.CustomRolePermission{
 		Negate:       p.Negate,

diff --git a/site/src/api/rbacresourcesGenerated.ts b/site/src/api/rbacresourcesGenerated.ts
@@ -114,19 +114,14 @@ export const RBACResourceActions: Partial<
 		update: "update an organization member",
 	},
 	provisioner_daemon: {
-		create: "create a provisioner daemon",
-		delete: "delete a provisioner daemon",
+		create: "create a provisioner daemon key",
+		delete: "delete a provisioner daemon/key",
 		read: "read provisioner daemon",
 		update: "update a provisioner daemon",
 	},
 	provisioner_jobs: {
 		read: "read provisioner jobs",
 	},
-	provisioner_keys: {
-		create: "create a provisioner key",
-		delete: "delete a provisioner key",
-		read: "read provisioner keys",
-	},
 	replicas: {
 		read: "read replicas",
 	},

diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts
diff --git a/site/src/pages/UsersPage/storybookData/roles.ts b/site/src/pages/UsersPage/storybookData/roles.ts
@@ -101,11 +101,6 @@ export const MockRoles: (AssignableRoles | Role)[] = [
 				resource_type: "provisioner_daemon",
 				action: "*" as RBACAction,
 			},
-			{
-				negate: false,
-				resource_type: "provisioner_keys",
-				action: "*" as RBACAction,
-			},
 			{
 				negate: false,
 				resource_type: "replicas",