Skip to content

feat: Option to remove WorkspaceExec from owner role #7050

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 19 commits into from
Apr 11, 2023
Merged

feat: Option to remove WorkspaceExec from owner role #7050

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
8a8c895
chore: Add AllResources option for listing all RBAC objects
Emyrk Apr 7, 2023
9113b16
Owners cannot do workspace exec site wide
Emyrk Apr 7, 2023
57cb9b7
Rena,e
Emyrk Apr 7, 2023
659800c
Add deployment config
Emyrk Apr 7, 2023
e6970e1
Add rbac resource enums
Emyrk Apr 7, 2023
b530358
Fix FE authchecks to valid RBAC resources
Emyrk Apr 7, 2023
8595f15
Add unit test
Emyrk Apr 7, 2023
a535b2c
make fmt
Emyrk Apr 7, 2023
9203a42
Lint
Emyrk Apr 7, 2023
2438f67
Fix test
Emyrk Apr 7, 2023
7526059
Merge remote-tracking branch 'origin/main' into stevenmasley/owner_ca…
Emyrk Apr 10, 2023
bafafe4
Fix unit test
Emyrk Apr 10, 2023
ae7c130
Goldne files
Emyrk Apr 10, 2023
449dfa5
Linter
Emyrk Apr 10, 2023
5839794
Fix make gen deps
Emyrk Apr 10, 2023
ade0d4e
Fix FE test
Emyrk Apr 10, 2023
3449edc
Rename flag/env var
Emyrk Apr 11, 2023
cc04d93
fixup! Rename flag/env var
Emyrk Apr 11, 2023
9ed9fdc
Update golden files
Emyrk Apr 11, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Add unit test
  • Loading branch information
@Emyrk
Emyrk committed Apr 7, 2023
commit 8595f1510838cbc90b421d3623a2c43f6458ca8a
9 changes: 8 additions & 1 deletion coderd/rbac/roles.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,10 @@ func allPermsExcept(excepts ...Object) []Permission {
if skip[r.Type] {
continue
}
// This should always be skipped.
if r.Type == ResourceWildcard.Type {
continue
}
// Owners can do everything else
perms = append(perms, Permission{
Negate: false,
Expand Down Expand Up @@ -118,7 +122,10 @@ func ReloadBuiltinRoles(opts *RoleOptions) {

var ownerAndAdminExceptions []Object
if opts.NoOwnerWorkspaceExec {
ownerAndAdminExceptions = append(ownerAndAdminExceptions, ResourceWorkspaceExecution)
ownerAndAdminExceptions = append(ownerAndAdminExceptions,
ResourceWorkspaceExecution,
ResourceWorkspaceApplicationConnect,
)
}

builtInRoles = map[string]func(orgID string) Role{
Expand Down
36 changes: 36 additions & 0 deletions coderd/rbac/roles_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,42 @@ type authSubject struct {
Actor rbac.Subject
}

//nolint:tparallel,paralleltest
func TestOwnerExec(t *testing.T) {
owner := rbac.Subject{
ID: uuid.NewString(),
Roles: rbac.RoleNames{rbac.RoleMember(), rbac.RoleOwner()},
Scope: rbac.ScopeAll,
}

t.Run("NoExec", func(t *testing.T) {
rbac.ReloadBuiltinRoles(&rbac.RoleOptions{
NoOwnerWorkspaceExec: true,
})
t.Cleanup(func() { rbac.ReloadBuiltinRoles(nil) })

auth := rbac.NewCachingAuthorizer(prometheus.NewRegistry())
// Exec a random workspace
err := auth.Authorize(context.Background(), owner, rbac.ActionCreate,
rbac.ResourceWorkspaceExecution.WithID(uuid.New()).InOrg(uuid.New()).WithOwner(uuid.NewString()))
require.ErrorAsf(t, err, &rbac.UnauthorizedError{}, "expected unauthorized error")
})

t.Run("Exec", func(t *testing.T) {
rbac.ReloadBuiltinRoles(&rbac.RoleOptions{
NoOwnerWorkspaceExec: false,
})
t.Cleanup(func() { rbac.ReloadBuiltinRoles(nil) })

auth := rbac.NewCachingAuthorizer(prometheus.NewRegistry())

// Exec a random workspace
err := auth.Authorize(context.Background(), owner, rbac.ActionCreate,
rbac.ResourceWorkspaceExecution.WithID(uuid.New()).InOrg(uuid.New()).WithOwner(uuid.NewString()))
require.NoError(t, err, "expected owner can")
})
}

// TODO: add the SYSTEM to the MATRIX
func TestRolePermissions(t *testing.T) {
t.Parallel()
Expand Down