feat: Add RBAC package for managing user permissions #929

Merged
merged 79 commits into from
Apr 13, 2022
ab61328
WIP: This is a massive WIP
Emyrk Mar 26, 2022
03e4d0f
More info in the print
Emyrk Mar 26, 2022
9981291
Fix all()
Emyrk Mar 27, 2022
3ab32da
reduce the amount of memory allocated
Emyrk Mar 27, 2022
e1d5893
Reuse a buffer
Emyrk Mar 28, 2022
84a90f3
fix: use return size over size
Emyrk Mar 29, 2022
1fac0d9
WIP: don't look at this
Emyrk Mar 29, 2022
1e3aac0
WIP: 🍐 auth-> testdata, refactoring and restructuring
johnstcn Mar 30, 2022
e977e84
testdata -> authztest
johnstcn Mar 30, 2022
00a7c3f
WIP: start work on SVO
johnstcn Mar 30, 2022
1f04c01
reduce allocations for union sets
Emyrk Mar 31, 2022
fbf4db1
fix: Fix nil permissions as Strings()
Emyrk Mar 31, 2022
4946897
chore: Make all permission variant levels
Emyrk Mar 31, 2022
7e6cc66
First full draft of the authz authorize test
Emyrk Mar 31, 2022
a0017e5
Tally up failed tests
Emyrk Mar 31, 2022
4b110b3
Change test pkg
Emyrk Mar 31, 2022
65ef4e3
Use an interface for the object
Emyrk Mar 31, 2022
d294786
fix: make authztest.Objects return correct type
johnstcn Apr 1, 2022
c1f8945
refactor: rename consts {Read,Write,Modify,Delete}Action to Action$1
johnstcn Apr 1, 2022
01f3d40
chore: Define object interface
Emyrk Apr 1, 2022
de7de6e
test: Unit test extra properties
Emyrk Apr 1, 2022
4c86e44
Merge remote-tracking branch 'origin/stevenmasley/rbac' into stevenma…
Emyrk Apr 1, 2022
30c6568
put back interface assertion
Emyrk Apr 1, 2022
a419a65
Fix some compile errors from merge
Emyrk Apr 1, 2022
bbd1c4c
test: Roles, sets, permissions, iterators
Emyrk Apr 1, 2022
def010f
Test string functions
Emyrk Apr 1, 2022
c4ee590
test: Unit test permission string
Emyrk Apr 4, 2022
84e3ab9
Add A+ and A-
Emyrk Apr 4, 2022
c2eec18
Parallelize tests
Emyrk Apr 4, 2022
5a2834a
fix code line in readme
Emyrk Apr 4, 2022
913d141
Merge remote-tracking branch 'origin/main' into stevenmasley/rbac
Emyrk Apr 4, 2022
2804b92
test: ParsePermissions from strings
Emyrk Apr 4, 2022
5698938
use fmt over str builder for easier to read
Emyrk Apr 4, 2022
75ed8ef
Linting
Emyrk Apr 4, 2022
b2db661
authz: README.md: update table formatting
johnstcn Apr 5, 2022
26ef1e6
Make action CRUD
Emyrk Apr 5, 2022
19aba30
LevelID -> OrganizationID
Emyrk Apr 5, 2022
ceee9cd
feat: authztest: categorize test failures by test name
johnstcn Apr 5, 2022
ee8bf04
fixup! feat: authztest: categorize test failures by test name
johnstcn Apr 5, 2022
44c02a1
chore: add documentation for authz and authztest
johnstcn Apr 6, 2022
dfb9ad1
fixup! chore: add documentation for authz and authztest
johnstcn Apr 6, 2022
e482d2c
chore: more authz/authztest docs
johnstcn Apr 6, 2022
a4e038f
Remove underscore from test names
Emyrk Apr 6, 2022
9918c16
zObject does not need exported fields
Emyrk Apr 6, 2022
4cf4808
checkpoint: crowd programming: define and simplify top-level API
johnstcn Apr 7, 2022
359a04d
Add tabled tests for authz
Emyrk Apr 7, 2022
22cf0cc
fix: made roles named and now they span all levels
johnstcn Apr 8, 2022
c51ddd1
fixup! fix: made roles named and now they span all levels
johnstcn Apr 8, 2022
891e442
fixup! fixup! fix: made roles named and now they span all levels
johnstcn Apr 8, 2022
ad048dd
vscode is illiterate
johnstcn Apr 8, 2022
bb28930
fixup! vscode is illiterate
johnstcn Apr 8, 2022
2e23a34
Remove Org & Owner obj interfaces
Emyrk Apr 8, 2022
13466e1
Show a nice builder syntax
Emyrk Apr 8, 2022
3ac2eaa
Add more tabled tests
Emyrk Apr 8, 2022
c7dc715
fixup! Add more tabled tests
Emyrk Apr 8, 2022
f5d95ef
correct comments
Emyrk Apr 8, 2022
0868301
fixup! correct comments
Emyrk Apr 8, 2022
512c09e
Address PR comments
Emyrk Apr 10, 2022
d9f761d
Drop unused resources & roles
Emyrk Apr 11, 2022
81ca08a
Rename chaining functions
Emyrk Apr 11, 2022
fced411
Rename OrgOwner -> OrgID
Emyrk Apr 11, 2022
f620ebf
feat: Add rego policy implementation
Emyrk Apr 12, 2022
07951a7
Merge remote-tracking branch 'origin/main' into cj/rbac_table_driven
Emyrk Apr 12, 2022
690d41d
Update go mod with opa
Emyrk Apr 12, 2022
fae3314
Go mod tidy
Emyrk Apr 12, 2022
856a933
Add rego comments
Emyrk Apr 12, 2022
e048104
Use cached rego query
Emyrk Apr 12, 2022
adae379
Correct user-deny perm in test
Emyrk Apr 12, 2022
0e7f9fa
tabs to spaces
Emyrk Apr 12, 2022
b1c7df4
Rename package to rbac
Emyrk Apr 12, 2022
35574ad
run golangci-lint and goimports
johnstcn Apr 12, 2022
8a16947
authz_test.go: log internal error
johnstcn Apr 12, 2022
2969fc1
fixup! run golangci-lint and goimports
johnstcn Apr 12, 2022
b22b723
to-done
johnstcn Apr 12, 2022
c1423d4
Merge remote-tracking branch 'origin/main' into cj/rbac_table_driven
johnstcn Apr 12, 2022
c2b1dde
Remove unused fields
Emyrk Apr 12, 2022
cfdd2cb
Add some comments to rego
Emyrk Apr 12, 2022
5c113a0
Move Authorize param order
Emyrk Apr 12, 2022
44a7679
Drop resources.go file
Emyrk Apr 12, 2022
Add some comments to rego
Emyrk committed Apr 12, 2022
commit cfdd2cb78f7ab0a459136b36f1a6dc138b923aa9
20 changes: 14 additions & 6 deletions coderd/rbac/policy.rego
Expand Up @@ -19,7 +19,8 @@ bool_flip(b) = flipped {
flipped = true
}

# perms_grant returns a set of boolean values (true, false).
# perms_grant returns a set of boolean values {true, false}.
# True means a positive permission in the set, false is a negative permission.
# It will only return `bool_flip(perm.negate)` for permissions that affect a given
# resource_type, resource_id, and action.
# The empty set is returned if no relevant permissions are found.
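Review bot: the notation change from `(true, false)` to `{true, false}` is the right fix, since `perms_grant` returns a set, but the next sentence still reads `It will only return bool_flip(perm.negate) for permissions that affect a given`, which describes a single value rather than the members of that set. Suggest `It only includes bool_flip(perm.negate) for permissions that affect a given resource_type, resource_id, and action`, so the comment is consistent with `The empty set is returned if no relevant permissions are found` on the line below.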
Expand All @@ -41,7 +42,7 @@ perms_grant(permissions) = grants {
default site = {}
site = grant {
# Boolean set for all site wide permissions.
grant = { v | # Use set comprehension to remove dulpicate values
grant = { v | # Use set comprehension to remove duplicate values
# For each role, grab the site permission.
# Find the grants on this permission list.
v = perms_grant(input.subject.roles[_].site)[_]
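Review bot: the comprehension at `v = perms_grant(input.subject.roles[_].site)[_]` relies on Rego's undefined semantics: a role object with no `site` key makes that reference undefined, so the role contributes nothing to `grant` and the comprehension yields an empty set rather than an error. That is the intended fail-closed outcome, but nothing in the hunk says so; add a line under `# For each role, grab the site permission.` stating that roles without site permissions are silently skipped, so a later schema change that renames or drops `site` is recognised as quietly removing grants instead of being mistaken for a policy error.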
Expand All @@ -53,7 +54,7 @@ user = grant {
# Only apply user permissions if the user owns the resource
input.object.owner != ""
input.object.owner == input.subject.id
grant = { v | # Use set comprehension to remove dulpicate values
grant = { v |
# For each role, grab the user permissions.
# Find the grants on this permission list.
v = perms_grant(input.subject.roles[_].user)[_]
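Review bot: the replaced line `grant = { v | # Use set comprehension to remove dulpicate values` had the same typo the `site` rule corrected in the previous hunk, but here the comment was dropped entirely, leaving `grant = { v |` as the only grant comprehension without the explanation; restore it as `grant = { v | # Use set comprehension to remove duplicate values` so the two rules read the same. While in this rule, the guard `input.object.owner != ""` deserves its own comment: together with `input.object.owner == input.subject.id` it is what prevents a subject whose `id` is empty from being treated as the owner of every ownerless object, so it is a security check rather than a tidiness check and should be marked as such.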
Expand Down Expand Up @@ -84,12 +85,15 @@ org_non_member {
}

# org is two rules that equate to the following
# if !org_non_member { return org_member }
# else {false}
# if org_non_member { return {false} }
# else { org_member }
#
# It is important both rules cannot be true, as the `org` rules cannot produce multiple outputs.
default org = []
default org = {}
org = set {
# We have to do !org_non_member because rego rules must evaluate to 'true'
# to have a value set.
# So we do "not not-org-member" which means "subject is in org"
not org_non_member
set = org_member
}
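Review bot: `default org = []` becoming `default org = {}` is a behavioural change inside a commit titled `Add some comments to rego`: the old default was a list, while `default site = {}` is a set and the `allow` rules iterate the result with `org[_]`, so a subject with no org match previously produced a differently typed `org` value. The new default is correct and should be called out in the commit message or in a comment directly above `default org = {}`. The rewritten comment (`if org_non_member { return {false} }` / `else { org_member }`) also says both rules cannot be true; it would help to state the consequence in Rego terms, namely that two complete-rule bodies for `org` that both succeed with different values raise an evaluation conflict error rather than merging, so a bug in `org_non_member` fails the whole query instead of silently granting or denying.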
Expand All @@ -112,6 +116,8 @@ allow {
site[_]
}

# OR

# org allow
allow {
# No site or org deny
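Review bot: the added `# OR` separators make explicit that the `allow` bodies are disjunctive, which is worth documenting, but the bare word does not say what each branch requires; `# No site or org deny` shows each branch re-checks the deny sets rather than simply being tried in order, so a one-line summary per branch (site grant with no site deny; org grant with no site or org deny) would read better than `# OR` alone. Also, no `default allow = false` appears in this hunk's context; if the policy does not already declare one, add it so a query where none of the bodies holds returns false rather than undefined.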
Expand All @@ -121,6 +127,8 @@ allow {
org[_]
}

# OR

# user allow
allow {
# No site, org, or user deny