Skip to content

feat: Option to remove WorkspaceExec from owner role #7050

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 19 commits into from
Apr 11, 2023
Merged

feat: Option to remove WorkspaceExec from owner role #7050

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
8a8c895
chore: Add AllResources option for listing all RBAC objects
Emyrk Apr 7, 2023
9113b16
Owners cannot do workspace exec site wide
Emyrk Apr 7, 2023
57cb9b7
Rena,e
Emyrk Apr 7, 2023
659800c
Add deployment config
Emyrk Apr 7, 2023
e6970e1
Add rbac resource enums
Emyrk Apr 7, 2023
b530358
Fix FE authchecks to valid RBAC resources
Emyrk Apr 7, 2023
8595f15
Add unit test
Emyrk Apr 7, 2023
a535b2c
make fmt
Emyrk Apr 7, 2023
9203a42
Lint
Emyrk Apr 7, 2023
2438f67
Fix test
Emyrk Apr 7, 2023
7526059
Merge remote-tracking branch 'origin/main' into stevenmasley/owner_ca…
Emyrk Apr 10, 2023
bafafe4
Fix unit test
Emyrk Apr 10, 2023
ae7c130
Goldne files
Emyrk Apr 10, 2023
449dfa5
Linter
Emyrk Apr 10, 2023
5839794
Fix make gen deps
Emyrk Apr 10, 2023
ade0d4e
Fix FE test
Emyrk Apr 10, 2023
3449edc
Rename flag/env var
Emyrk Apr 11, 2023
cc04d93
fixup! Rename flag/env var
Emyrk Apr 11, 2023
9ed9fdc
Update golden files
Emyrk Apr 11, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Add deployment config
  • Loading branch information
@Emyrk
Emyrk committed Apr 7, 2023
commit 659800c1f8fc31f0f08d61547c6779394fc3ca16
8 changes: 5 additions & 3 deletions coderd/coderd.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -171,9 +171,11 @@ func New(options *Options) *API {
options = &Options{}
}

rbac.ReloadBuiltinRoles(&rbac.RoleOptions{
NoOwnerWorkspaceExec: true,
})
if options.DeploymentValues.DisableOwnerWorkspaceExec {
rbac.ReloadBuiltinRoles(&rbac.RoleOptions{
NoOwnerWorkspaceExec: true,
})
}

if options.Authorizer == nil {
options.Authorizer = rbac.NewCachingAuthorizer(options.PrometheusRegistry)
Expand Down
2 changes: 2 additions & 0 deletions coderd/coderdtest/coderdtest.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -203,6 +203,8 @@ func NewOptions(t *testing.T, options *Options) (func(http.Handler), context.Can
if options.DeploymentValues == nil {
options.DeploymentValues = DeploymentValues(t)
}
// This value is not safe to run in parallel. Force it to be false.
options.DeploymentValues.DisableOwnerWorkspaceExec = false

// If no ratelimits are set, disable all rate limiting for tests.
if options.APIRateLimit == 0 {
Expand Down
5 changes: 0 additions & 5 deletions coderd/rbac/object.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -136,11 +136,6 @@ var (
Type: "organization_member",
}

// ResourceWildcard represents all resource types
ResourceWildcard = Object{
Type: WildcardSymbol,
}

// ResourceLicense is the license in the 'licenses' table.
// ResourceLicense is site wide.
// create/delete = add or remove license from site.
Expand Down
10 changes: 2 additions & 8 deletions coderd/rbac/roles.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,10 +80,6 @@ func allPermsExcept(excepts ...Object) []Permission {
if skip[r.Type] {
continue
}
// Do not include the wildcard
if r.Type == ResourceWildcard.Type {
continue
}
// Owners can do everything else
perms = append(perms, Permission{
Negate: false,
Expand Down Expand Up @@ -149,10 +145,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
// All users can see the provisioner daemons.
ResourceProvisionerDaemon.Type: {ActionRead},
}),
Org: map[string][]Permission{},
User: Permissions(map[string][]Action{
ResourceWildcard.Type: {WildcardSymbol},
}),
Org: map[string][]Permission{},
User: allPermsExcept(),
}
},

Expand Down
10 changes: 10 additions & 0 deletions codersdk/deployment.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -162,6 +162,7 @@ type DeploymentValues struct {
GitAuthProviders clibase.Struct[[]GitAuthConfig] `json:"git_auth,omitempty" typescript:",notnull"`
SSHConfig SSHConfig `json:"config_ssh,omitempty" typescript:",notnull"`
WgtunnelHost clibase.String `json:"wgtunnel_host,omitempty" typescript:",notnull"`
DisableOwnerWorkspaceExec clibase.Bool `json:"disable_owner_workspace_exec,omitempty" typescript:",notnull"`

Config clibase.String `json:"config,omitempty" typescript:",notnull"`
WriteConfig clibase.Bool `json:"write_config,omitempty" typescript:",notnull"`
Expand Down Expand Up @@ -1302,6 +1303,15 @@ when required by your organization's security policy.`,
Value: &c.DisablePathApps,
YAML: "disablePathApps",
},
{
Name: "Disable Owner Workspace Execution",
Description: "Remove the permission for the 'owner' role to have workspace execution on all workspaces. This prevents the 'owner' from ssh, apps, and terminal access based on the 'owner' role. They still have their user permissions to access their own workspaces.",
Flag: "disable-owner-workspace-exec",
Env: "CODER_DISABLE_OWNER_WORKSPACE_EXEC",

Value: &c.DisableOwnerWorkspaceExec,
YAML: "disableOwnerWorkspaceExec",
},
{
Name: "Session Duration",
Description: "The token expiry duration for browser sessions. Sessions may last longer if they are actively making requests, but this functionality can be disabled via --disable-session-expiry-refresh.",
Expand Down