
Commit 1544b49

committed
add rbac resource for workspace agent devcontainer
1 parent b466e4e commit 1544b49


12 files changed

+92
-34
lines changed


coderd/apidoc/docs.go

Lines changed: 2 additions & 0 deletions

coderd/apidoc/swagger.json

Lines changed: 2 additions & 0 deletions

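--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -186,6 +186,7 @@ var (
 rbac.ResourceNotificationMessage.Type: {policy.ActionCreate, policy.ActionRead},
 // Provisionerd creates workspaces resources monitor
 rbac.ResourceWorkspaceAgentResourceMonitor.Type: {policy.ActionCreate},
+rbac.ResourceWorkspaceAgentDevcontainers.Type: {policy.ActionCreate},
 }),
 Org: map[string][]rbac.Permission{},
 User: []rbac.Permission{},
@@ -3399,9 +3400,7 @@ func (q *querier) InsertWorkspaceAgent(ctx context.Context, arg database.InsertW
 }
 
 func (q *querier) InsertWorkspaceAgentDevcontainers(ctx context.Context, arg database.InsertWorkspaceAgentDevcontainersParams) ([]database.WorkspaceAgentDevcontainer, error) {
-// TODO: This should probably be a new RBAC resource and not rely on ResourceSystem.
-// See: https://github.com/coder/coder/issues/13315
-if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceSystem); err != nil {
+if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceWorkspaceAgentDevcontainers); err != nil {
 return nil, err
 }
 return q.db.InsertWorkspaceAgentDevcontainers(ctx, arg)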
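Review bot: The new check in InsertWorkspaceAgentDevcontainers authorizes against the bare `rbac.ResourceWorkspaceAgentDevcontainers` type and never consults `arg.WorkspaceAgentID`, so create on this resource is all-or-nothing across every agent rather than tied to the agent's workspace owner or organization. That is tolerable while only what appears to be the provisionerd subject in the first hunk (and, per the role test in this commit, owner) holds the permission, but any later grantee could insert devcontainers for agents it has no other access to. Since the removed TODO was the only explanation at this call site, I would record the constraint on the function: `// Type-level check: not scoped to the agent's workspace, so grant create only to trusted system subjects.` The function's closing brace falls outside the hunk.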

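--- a/coderd/database/dbauthz/dbauthz_test.go
+++ b/coderd/database/dbauthz/dbauthz_test.go
@@ -3988,37 +3988,6 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 WorkspaceResourceID: uuid.New(),
 }).Asserts(rbac.ResourceSystem, policy.ActionCreate)
 }))
-s.Run("InsertWorkspaceAgentDevcontainers", s.Subtest(func(db database.Store, check *expects) {
-u := dbgen.User(s.T(), db, database.User{})
-o := dbgen.Organization(s.T(), db, database.Organization{})
-tpl := dbgen.Template(s.T(), db, database.Template{
-OrganizationID: o.ID,
-CreatedBy: u.ID,
-})
-tv := dbgen.TemplateVersion(s.T(), db, database.TemplateVersion{
-TemplateID: uuid.NullUUID{UUID: tpl.ID, Valid: true},
-OrganizationID: o.ID,
-CreatedBy: u.ID,
-})
-w := dbgen.Workspace(s.T(), db, database.WorkspaceTable{
-TemplateID: tpl.ID,
-OrganizationID: o.ID,
-OwnerID: u.ID,
-})
-j := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{
-Type: database.ProvisionerJobTypeWorkspaceBuild,
-})
-b := dbgen.WorkspaceBuild(s.T(), db, database.WorkspaceBuild{
-JobID: j.ID,
-WorkspaceID: w.ID,
-TemplateVersionID: tv.ID,
-})
-res := dbgen.WorkspaceResource(s.T(), db, database.WorkspaceResource{JobID: b.JobID})
-agt := dbgen.WorkspaceAgent(s.T(), db, database.WorkspaceAgent{ResourceID: res.ID})
-check.Args(database.InsertWorkspaceAgentDevcontainersParams{
-WorkspaceAgentID: agt.ID,
-}).Asserts(rbac.ResourceSystem, policy.ActionCreate)
-}))
 s.Run("UpdateWorkspaceAgentConnectionByID", s.Subtest(func(db database.Store, check *expects) {
 dbtestutil.DisableForeignKeysAndTriggers(s.T(), db)
 ws := dbgen.Workspace(s.T(), db, database.WorkspaceTable{})
@@ -5082,3 +5051,45 @@ func (s *MethodTestSuite) TestResourcesMonitor() {
 check.Args(agt.ID).Asserts(w, policy.ActionRead).Returns(monitors)
 }))
 }
+
+func (s *MethodTestSuite) TestResourcesProvisionerdserver() {
+createAgent := func(t *testing.T, db database.Store) (database.WorkspaceAgent, database.WorkspaceTable) {
+t.Helper()
+
+u := dbgen.User(t, db, database.User{})
+o := dbgen.Organization(t, db, database.Organization{})
+tpl := dbgen.Template(t, db, database.Template{
+OrganizationID: o.ID,
+CreatedBy: u.ID,
+})
+tv := dbgen.TemplateVersion(t, db, database.TemplateVersion{
+TemplateID: uuid.NullUUID{UUID: tpl.ID, Valid: true},
+OrganizationID: o.ID,
+CreatedBy: u.ID,
+})
+w := dbgen.Workspace(t, db, database.WorkspaceTable{
+TemplateID: tpl.ID,
+OrganizationID: o.ID,
+OwnerID: u.ID,
+})
+j := dbgen.ProvisionerJob(t, db, nil, database.ProvisionerJob{
+Type: database.ProvisionerJobTypeWorkspaceBuild,
+})
+b := dbgen.WorkspaceBuild(t, db, database.WorkspaceBuild{
+JobID: j.ID,
+WorkspaceID: w.ID,
+TemplateVersionID: tv.ID,
+})
+res := dbgen.WorkspaceResource(t, db, database.WorkspaceResource{JobID: b.JobID})
+agt := dbgen.WorkspaceAgent(t, db, database.WorkspaceAgent{ResourceID: res.ID})
+
+return agt, w
+}
+
+s.Run("InsertWorkspaceAgentDevcontainers", s.Subtest(func(db database.Store, check *expects) {
+agt, _ := createAgent(s.T(), db)
+check.Args(database.InsertWorkspaceAgentDevcontainersParams{
+WorkspaceAgentID: agt.ID,
+}).Asserts(rbac.ResourceWorkspaceAgentDevcontainers, policy.ActionCreate)
+}))
+}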
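Review bot: `createAgent` in TestResourcesProvisionerdserver returns a `database.WorkspaceTable` that its only caller throws away (`agt, _ := createAgent(s.T(), db)`), so the second result is unused in this suite. Either return just the agent, `createAgent := func(t *testing.T, db database.Store) database.WorkspaceAgent {`, or put a short comment on the helper saying the workspace is returned for subtests that will assert against it. A one-line comment on the suite naming which dbauthz methods belong in it would also help, since the name alone does not say why this insert moved out of TestSystemFunctions.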

coderd/rbac/object_gen.go

Lines changed: 9 additions & 0 deletions

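--- a/coderd/rbac/policy/policy.go
+++ b/coderd/rbac/policy/policy.go
@@ -309,4 +309,10 @@ var RBACPermissions = map[string]PermissionDefinition{
 ActionUpdate: actDef("update workspace agent resource monitor"),
 },
 },
+"workspace_agent_devcontainers": {
+Actions: map[Action]ActionDefinition{
+ActionRead: actDef("read workspace agent devcontainers"),
+ActionCreate: actDef("create workspace agent devcontainers"),
+},
+},
 }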
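Review bot: `ActionRead` is declared for `workspace_agent_devcontainers`, but nothing visible in this commit enforces or tests it: the dbauthz change authorizes only `policy.ActionCreate`, and the new case in coderd/rbac/roles_test.go lists `Actions: []policy.Action{policy.ActionCreate}`. A permission with no enforcement point and no pinned authorize map is easy to hand out unnoticed through broad or wildcard grants, so I would either drop the read entry until a read query exists or cover it in the role test, e.g. `Actions: []policy.Action{policy.ActionCreate, policy.ActionRead},` (assuming the same subjects should be allowed and denied). The generated files in this commit are not rendered on the page, so a consumer there cannot be ruled out.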

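--- a/coderd/rbac/roles_test.go
+++ b/coderd/rbac/roles_test.go
@@ -806,6 +806,21 @@ func TestRolePermissions(t *testing.T) {
 },
 },
 },
+{
+Name: "WorkspaceAgentDevcontainers",
+Actions: []policy.Action{policy.ActionCreate},
+Resource: rbac.ResourceWorkspaceAgentDevcontainers,
+AuthorizeMap: map[bool][]hasAuthSubjects{
+true: {owner},
+false: {
+memberMe, orgMemberMe, otherOrgMember,
+orgAdmin, otherOrgAdmin,
+orgAuditor, otherOrgAuditor,
+templateAdmin, orgTemplateAdmin, otherOrgTemplateAdmin,
+userAdmin, orgUserAdmin, otherOrgUserAdmin,
+},
+},
+},
 }
 
 // We expect every permission to be tested above.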

codersdk/rbacresources_gen.go

Lines changed: 2 additions & 0 deletions

docs/reference/api/members.md

Lines changed: 5 additions & 0 deletions

docs/reference/api/schemas.md

Lines changed: 1 addition & 0 deletions
