Commit 18b809c

committed
taking a step back with RBAC
1 parent 8d4fa5a commit 18b809c

4 files changed

+54
-48
lines changed


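--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -1088,9 +1088,9 @@ func (q *querier) AcquireNotificationMessages(ctx context.Context, arg database.
 }
 
 func (q *querier) AcquireProvisionerJob(ctx context.Context, arg database.AcquireProvisionerJobParams) (database.ProvisionerJob, error) {
-if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
-return database.ProvisionerJob{}, err
-}
+// if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
+// return database.ProvisionerJob{}, err
+// }
 return q.db.AcquireProvisionerJob(ctx, arg)
 }
 
@@ -2309,30 +2309,31 @@ func (q *querier) GetProvisionerJobTimingsByJobID(ctx context.Context, jobID uui
 }
 
 func (q *querier) GetProvisionerJobsByIDs(ctx context.Context, ids []uuid.UUID) ([]database.ProvisionerJob, error) {
-if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
-return nil, err
-}
+// if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
+// return nil, err
+// }
 return q.db.GetProvisionerJobsByIDs(ctx, ids)
 }
 
 func (q *querier) GetProvisionerJobsByIDsWithQueuePosition(ctx context.Context, ids []uuid.UUID) ([]database.GetProvisionerJobsByIDsWithQueuePositionRow, error) {
-if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
-return nil, err
-}
+// if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
+// return nil, err
+// }
+// policy.ActionRead, rbac.ResourceProvisionerJobs.InOrg(org.ID)
 return q.db.GetProvisionerJobsByIDsWithQueuePosition(ctx, ids)
 }
 
 func (q *querier) GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisioner(ctx context.Context, arg database.GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisionerParams) ([]database.GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisionerRow, error) {
-if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
-return nil, err
-}
+// if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
+// return nil, err
+// }
 return fetchWithPostFilter(q.auth, policy.ActionRead, q.db.GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisioner)(ctx, arg)
 }
 
 func (q *querier) GetProvisionerJobsCreatedAfter(ctx context.Context, createdAt time.Time) ([]database.ProvisionerJob, error) {
-if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
-return nil, err
-}
+// if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
+// return nil, err
+// }
 return q.db.GetProvisionerJobsCreatedAfter(ctx, createdAt)
 }
 
@@ -3528,23 +3529,27 @@ func (q *querier) InsertPresetParameters(ctx context.Context, arg database.Inser
 }
 
 func (q *querier) InsertProvisionerJob(ctx context.Context, arg database.InsertProvisionerJobParams) (database.ProvisionerJob, error) {
-if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceProvisionerJobs); err != nil {
-return database.ProvisionerJob{}, err
-}
+// TODO: Remove this once we have a proper rbac check for provisioner jobs.
+// Currently ProvisionerJobs are not associated with a user, so we can't
+// check for a user's permissions. We'd need to check for the associated workspace
+// and verify ownership through that.
+// if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceProvisionerJobs); err != nil {
+// return database.ProvisionerJob{}, err
+// }
 return q.db.InsertProvisionerJob(ctx, arg)
 }
 
 func (q *querier) InsertProvisionerJobLogs(ctx context.Context, arg database.InsertProvisionerJobLogsParams) ([]database.ProvisionerJobLog, error) {
-if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
-return nil, err
-}
+// if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
+// return nil, err
+// }
 return q.db.InsertProvisionerJobLogs(ctx, arg)
 }
 
 func (q *querier) InsertProvisionerJobTimings(ctx context.Context, arg database.InsertProvisionerJobTimingsParams) ([]database.ProvisionerJobTiming, error) {
-if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
-return nil, err
-}
+// if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
+// return nil, err
+// }
 return q.db.InsertProvisionerJobTimings(ctx, arg)
 }
 
@@ -4168,16 +4173,16 @@ func (q *querier) UpdateProvisionerDaemonLastSeenAt(ctx context.Context, arg dat
 }
 
 func (q *querier) UpdateProvisionerJobByID(ctx context.Context, arg database.UpdateProvisionerJobByIDParams) error {
-if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
-return err
-}
+// if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
+// return err
+// }
 return q.db.UpdateProvisionerJobByID(ctx, arg)
 }
 
 func (q *querier) UpdateProvisionerJobWithCancelByID(ctx context.Context, arg database.UpdateProvisionerJobWithCancelByIDParams) error {
-if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
-return err
-}
+// if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
+// return err
+// }
 
 job, err := q.db.GetProvisionerJobByID(ctx, arg.ID)
 if err != nil {
@@ -4246,16 +4251,16 @@ func (q *querier) UpdateProvisionerJobWithCancelByID(ctx context.Context, arg da
 }
 
 func (q *querier) UpdateProvisionerJobWithCompleteByID(ctx context.Context, arg database.UpdateProvisionerJobWithCompleteByIDParams) error {
-if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
-return err
-}
+// if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
+// return err
+// }
 return q.db.UpdateProvisionerJobWithCompleteByID(ctx, arg)
 }
 
 func (q *querier) UpdateProvisionerJobWithCompleteWithStartedAtByID(ctx context.Context, arg database.UpdateProvisionerJobWithCompleteWithStartedAtByIDParams) error {
-if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
-return err
-}
+// if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
+// return err
+// }
 return q.db.UpdateProvisionerJobWithCompleteWithStartedAtByID(ctx, arg)
 }
 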
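Review bot: Commenting out `q.authorizeContext` leaves `AcquireProvisionerJob`, the `GetProvisionerJobs*` readers, the `InsertProvisionerJob*` writers and the `UpdateProvisionerJob*` methods calling `q.db` with no authorization at this layer, and only `InsertProvisionerJob` carries a comment saying why. The ID-based readers deserve the first look: with no check and no organization scoping they return whatever job IDs the caller supplies, whereas `GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisioner` still post-filters through `fetchWithPostFilter`. I would replace each commented-out block with a one-line marker such as `// TODO(rbac): no authz check here; provisioner jobs are not tied to a user yet, see InsertProvisionerJob.`, and expand the bare fragment `// policy.ActionRead, rbac.ResourceProvisionerJobs.InOrg(org.ID)` into a sentence stating the org-scoped check it is meant to become. `UpdateProvisionerJobWithCancelByID` continues past the hunk, so whether its later code authorizes the cancel cannot be confirmed from here.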

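--- a/coderd/database/dbauthz/dbauthz_test.go
+++ b/coderd/database/dbauthz/dbauthz_test.go
@@ -3892,7 +3892,7 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 }))
 s.Run("GetProvisionerJobsCreatedAfter", s.Subtest(func(db database.Store, check *expects) {
 _ = dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{CreatedAt: time.Now().Add(-time.Hour)})
-check.Args(time.Now()).Asserts(rbac.ResourceProvisionerJobs, policy.ActionRead)
+check.Args(time.Now()).Asserts( /* rbac.ResourceProvisionerJobs, policy.ActionRead */ )
 }))
 s.Run("GetTemplateVersionsByIDs", s.Subtest(func(db database.Store, check *expects) {
 dbtestutil.DisableForeignKeysAndTriggers(s.T(), db)
@@ -3978,7 +3978,7 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 a := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{})
 b := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{})
 check.Args([]uuid.UUID{a.ID, b.ID}).
-Asserts(rbac.ResourceProvisionerJobs, policy.ActionRead).
+Asserts( /* rbac.ResourceProvisionerJobs, policy.ActionRead */ ).
 Returns(slice.New(a, b))
 }))
 s.Run("InsertWorkspaceAgent", s.Subtest(func(db database.Store, check *expects) {
@@ -4022,26 +4022,26 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 OrganizationID: j.OrganizationID,
 Types: []database.ProvisionerType{j.Provisioner},
 ProvisionerTags: must(json.Marshal(j.Tags)),
-}).Asserts(rbac.ResourceProvisionerJobs, policy.ActionUpdate)
+}).Asserts( /* rbac.ResourceProvisionerJobs, policy.ActionUpdate */ )
 }))
 s.Run("UpdateProvisionerJobWithCompleteByID", s.Subtest(func(db database.Store, check *expects) {
 j := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{})
 check.Args(database.UpdateProvisionerJobWithCompleteByIDParams{
 ID: j.ID,
-}).Asserts(rbac.ResourceProvisionerJobs, policy.ActionUpdate)
+}).Asserts( /* rbac.ResourceProvisionerJobs, policy.ActionUpdate */ )
 }))
 s.Run("UpdateProvisionerJobWithCompleteWithStartedAtByID", s.Subtest(func(db database.Store, check *expects) {
 j := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{})
 check.Args(database.UpdateProvisionerJobWithCompleteWithStartedAtByIDParams{
 ID: j.ID,
-}).Asserts(rbac.ResourceProvisionerJobs, policy.ActionUpdate)
+}).Asserts( /* rbac.ResourceProvisionerJobs, policy.ActionUpdate */ )
 }))
 s.Run("UpdateProvisionerJobByID", s.Subtest(func(db database.Store, check *expects) {
 j := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{})
 check.Args(database.UpdateProvisionerJobByIDParams{
 ID: j.ID,
 UpdatedAt: time.Now(),
-}).Asserts(rbac.ResourceProvisionerJobs, policy.ActionUpdate)
+}).Asserts( /* rbac.ResourceProvisionerJobs, policy.ActionUpdate */ )
 }))
 s.Run("InsertProvisionerJob", s.Subtest(func(db database.Store, check *expects) {
 dbtestutil.DisableForeignKeysAndTriggers(s.T(), db)
@@ -4051,19 +4051,19 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 StorageMethod: database.ProvisionerStorageMethodFile,
 Type: database.ProvisionerJobTypeWorkspaceBuild,
 Input: json.RawMessage("{}"),
-}).Asserts(rbac.ResourceProvisionerJobs, policy.ActionCreate)
+}).Asserts( /* rbac.ResourceProvisionerJobs, policy.ActionCreate */ )
 }))
 s.Run("InsertProvisionerJobLogs", s.Subtest(func(db database.Store, check *expects) {
 j := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{})
 check.Args(database.InsertProvisionerJobLogsParams{
 JobID: j.ID,
-}).Asserts(rbac.ResourceProvisionerJobs, policy.ActionUpdate)
+}).Asserts( /* rbac.ResourceProvisionerJobs, policy.ActionUpdate */ )
 }))
 s.Run("InsertProvisionerJobTimings", s.Subtest(func(db database.Store, check *expects) {
 j := dbgen.ProvisionerJob(s.T(), db, nil, database.ProvisionerJob{})
 check.Args(database.InsertProvisionerJobTimingsParams{
 JobID: j.ID,
-}).Asserts(rbac.ResourceProvisionerJobs, policy.ActionUpdate)
+}).Asserts( /* rbac.ResourceProvisionerJobs, policy.ActionUpdate */ )
 }))
 s.Run("UpsertProvisionerDaemon", s.Subtest(func(db database.Store, check *expects) {
 dbtestutil.DisableForeignKeysAndTriggers(s.T(), db)
@@ -4279,7 +4279,7 @@ func (s *MethodTestSuite) TestSystemFunctions() {
 check.Args([]uuid.UUID{uuid.New()}).Asserts(rbac.ResourceSystem, policy.ActionRead)
 }))
 s.Run("GetProvisionerJobsByIDsWithQueuePosition", s.Subtest(func(db database.Store, check *expects) {
-check.Args([]uuid.UUID{}).Asserts(rbac.ResourceProvisionerJobs, policy.ActionRead)
+check.Args([]uuid.UUID{}).Asserts( /* rbac.ResourceProvisionerJobs, policy.ActionRead */ )
 }))
 s.Run("GetReplicaByID", s.Subtest(func(db database.Store, check *expects) {
 check.Args(uuid.New()).Asserts(rbac.ResourceSystem, policy.ActionRead).Errors(sql.ErrNoRows)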
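Review bot: The emptied `Asserts( /* … */ )` calls make each of these subtests expect that the method performs no RBAC check, so the suite passes precisely because authorization is absent. That reading assumes an empty `Asserts()` means "no authorization calls expected"; the helper is not visible in this diff. Neighbouring subtests such as `GetReplicaByID` still assert `rbac.ResourceSystem`, so the gap is easy to miss when reading the file. A comment on the first emptied call, e.g. `// TODO(rbac): restore the ResourceProvisionerJobs assertions once dbauthz checks these methods again`, would mark the empty expectations as temporary rather than intended.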

coderd/database/queries.sql.go

Lines changed: 2 additions & 2 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

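--- a/site/src/api/rbacresourcesGenerated.ts
+++ b/site/src/api/rbacresourcesGenerated.ts
@@ -130,6 +130,7 @@ export const RBACResourceActions: Partial<
 update: "update a provisioner daemon",
 },
 provisioner_jobs: {
+create: "create provisioner jobs",
 read: "read provisioner jobs",
 update: "update provisioner jobs",
 },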
