
Commit 1f5788f

authored
chore: remove rbac psuedo resources, add custom verbs (#13276)
Removes our pseudo RBAC resources like `WorkspaceApplicationConnect` in favor of additional verbs like `ssh`. This makes permissions more intuitive when building custom roles. The source of truth is now `policy.go`.
1 parent cb6b5e8 commit 1f5788f


48 files changed

+1788
-1032
lines changed

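--- a/Makefile
+++ b/Makefile
@@ -486,6 +486,7 @@ gen: \
 $(DB_GEN_FILES) \
 site/src/api/typesGenerated.ts \
 coderd/rbac/object_gen.go \
+codersdk/rbacresources_gen.go \
 docs/admin/prometheus.md \
 docs/cli.md \
 docs/admin/audit-logs.md \
@@ -611,7 +612,10 @@ examples/examples.gen.json: scripts/examplegen/main.go examples/examples.go $(sh
 go run ./scripts/examplegen/main.go > examples/examples.gen.json
 
 coderd/rbac/object_gen.go: scripts/rbacgen/main.go coderd/rbac/object.go
-go run scripts/rbacgen/main.go ./coderd/rbac > coderd/rbac/object_gen.go
+go run scripts/rbacgen/main.go rbac > coderd/rbac/object_gen.go
+
+codersdk/rbacresources_gen.go: scripts/rbacgen/main.go coderd/rbac/object.go
+go run scripts/rbacgen/main.go codersdk > codersdk/rbacresources_gen.go
 
 docs/admin/prometheus.md: scripts/metricsdocgen/main.go scripts/metricsdocgen/metrics
 go run scripts/metricsdocgen/main.go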
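Review bot: Both generator rules in the second hunk (`coderd/rbac/object_gen.go` and the new `codersdk/rbacresources_gen.go`) list only `scripts/rbacgen/main.go coderd/rbac/object.go` as prerequisites, while the commit description says the source of truth is now `policy.go`. If rbacgen reads that file (not visible on this page), editing the policy will not trigger regeneration, and the SDK's resource/action list can drift from what the server enforces. Consider adding it to both rules, e.g. `codersdk/rbacresources_gen.go: scripts/rbacgen/main.go coderd/rbac/object.go <path-to-policy.go>` (placeholder path).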

coderd/apidoc/docs.go

Lines changed: 76 additions & 37 deletions

coderd/apidoc/swagger.json

Lines changed: 77 additions & 38 deletions

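--- a/coderd/authorize.go
+++ b/coderd/authorize.go
@@ -169,7 +169,7 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) {
 obj := rbac.Object{
 Owner: v.Object.OwnerID,
 OrgID: v.Object.OrganizationID,
-Type: v.Object.ResourceType.String(),
+Type: string(v.Object.ResourceType),
 }
 if obj.Owner == "me" {
 obj.Owner = auth.ID
@@ -189,13 +189,7 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) {
 var dbObj rbac.Objecter
 var dbErr error
 // Only support referencing some resources by ID.
-switch v.Object.ResourceType.String() {
-case rbac.ResourceWorkspaceExecution.Type:
-workSpace, err := api.Database.GetWorkspaceByID(ctx, id)
-if err == nil {
-dbObj = workSpace.ExecutionRBAC()
-}
-dbErr = err
+switch string(v.Object.ResourceType) {
 case rbac.ResourceWorkspace.Type:
 dbObj, dbErr = api.Database.GetWorkspaceByID(ctx, id)
 case rbac.ResourceTemplate.Type: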
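Review bot: `string(v.Object.ResourceType)` copies a client-supplied resource type straight into `rbac.Object.Type` and into the `switch`, and nothing in either hunk checks it against the set of known resources. With the pseudo resources gone, a caller still sending a retired type (the removed `rbac.ResourceWorkspaceExecution.Type` case, for example) now reaches whatever the default branch does, which is outside this hunk, so the result may be a silent deny rather than a clear error. Consider rejecting unknown types with a 400 before `obj` is built, or at minimum documenting the gap next to the conversion: `// ResourceType comes from the request body; it is not checked against the known resource types here.` The body of checkAuthorization starts and ends outside both hunks.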

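--- a/coderd/coderdtest/authorize.go
+++ b/coderd/coderdtest/authorize.go
@@ -416,23 +416,16 @@ func RandomRBACObject() rbac.Object {
 func randomRBACType() string {
 all := []string{
 rbac.ResourceWorkspace.Type,
-rbac.ResourceWorkspaceExecution.Type,
-rbac.ResourceWorkspaceApplicationConnect.Type,
 rbac.ResourceAuditLog.Type,
 rbac.ResourceTemplate.Type,
 rbac.ResourceGroup.Type,
 rbac.ResourceFile.Type,
 rbac.ResourceProvisionerDaemon.Type,
 rbac.ResourceOrganization.Type,
-rbac.ResourceRoleAssignment.Type,
-rbac.ResourceOrgRoleAssignment.Type,
-rbac.ResourceAPIKey.Type,
 rbac.ResourceUser.Type,
-rbac.ResourceUserData.Type,
 rbac.ResourceOrganizationMember.Type,
 rbac.ResourceWildcard.Type,
 rbac.ResourceLicense.Type,
-rbac.ResourceDeploymentValues.Type,
 rbac.ResourceReplicas.Type,
 rbac.ResourceDebugInfo.Type,
 }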

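--- a/coderd/coderdtest/coderdtest.go
+++ b/coderd/coderdtest/coderdtest.go
@@ -221,7 +221,7 @@ func NewOptions(t testing.TB, options *Options) (func(http.Handler), context.Can
 }
 
 if options.Authorizer == nil {
-defAuth := rbac.NewCachingAuthorizer(prometheus.NewRegistry())
+defAuth := rbac.NewStrictCachingAuthorizer(prometheus.NewRegistry())
 if _, ok := t.(*testing.T); ok {
 options.Authorizer = &RecordingAuthorizer{
 Wrapped: defAuth,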
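Review bot: The switch to `rbac.NewStrictCachingAuthorizer` in `NewOptions` carries no comment saying what "strict" enforces or why tests get it by default. If production wiring keeps the non-strict constructor (not visible on this page), tests and deployments authorize through different code paths, which is worth stating next to the call. A line such as `// Tests use the strict authorizer so undefined resource/action pairs fail loudly (confirm against rbac).` would do. NewOptions continues outside the hunk.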
