
Commit 8d5fca2

committed
wip rbac stuff
1 parent 342e27f commit 8d5fca2

13 files changed

+49
-1
lines changed

coderd/apidoc/docs.go

Lines changed: 2 additions & 0 deletions

coderd/apidoc/swagger.json

Lines changed: 2 additions & 0 deletions

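--- a/coderd/database/modelmethods.go
+++ b/coderd/database/modelmethods.go
@@ -464,7 +464,6 @@ func (p ProvisionerJob) RBACObject() rbac.Object {
 var input codersdk.ProvisionerJobInput
 _ = json.Unmarshal(p.Input, &input) // Best effort.
 
-// TODO(mafredri): Do we need to check provisioner permissions as well (p.AvailableProvisioners?).
 id := uuid.Nil
 switch p.Type {
 case ProvisionerJobTypeTemplateVersionImport, ProvisionerJobTypeTemplateVersionDryRun: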

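--- a/coderd/provisionerjobs.go
+++ b/coderd/provisionerjobs.go
@@ -60,6 +60,11 @@ func (api *API) provisionerJobs(rw http.ResponseWriter, r *http.Request) {
 Limit: sql.NullInt32{Int32: limit, Valid: limit > 0},
 })
 if err != nil {
+if httpapi.Is404Error(err) {
+httpapi.ResourceNotFound(rw)
+return
+}
+
 httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 Message: "Internal error fetching provisioner jobs.",
 Detail: err.Error(),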
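Review bot: The new `httpapi.Is404Error(err)` branch has no comment saying which failures it is meant to absorb, and every error it does not match still falls through to the 500 response, whose `Detail: err.Error()` echoes the raw error text to the caller. If Is404Error is what turns an RBAC denial into a 404 (inferred from the commit's purpose; its definition is not on this page), say so above the check, e.g. `// Missing or unauthorized: answer 404 so the response does not reveal whether jobs exist.` A handler test for a caller without read on provisioner jobs would confirm that a denial never reaches the 500 path. The body of provisionerJobs starts and ends outside this hunk.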

coderd/rbac/object_gen.go

Lines changed: 8 additions & 0 deletions

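--- a/coderd/rbac/policy/policy.go
+++ b/coderd/rbac/policy/policy.go
@@ -169,6 +169,11 @@ var RBACPermissions = map[string]PermissionDefinition{
 ActionDelete: actDef("delete a provisioner daemon"),
 },
 },
+"provisioner_jobs": {
+Actions: map[Action]ActionDefinition{
+ActionRead: actDef("read provisioner jobs"),
+},
+},
 "provisioner_keys": {
 Actions: map[Action]ActionDefinition{
 ActionCreate: actDef("create a provisioner key"),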

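--- a/coderd/rbac/roles.go
+++ b/coderd/rbac/roles.go
@@ -324,6 +324,8 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 ResourceWorkspace.Type: {policy.ActionRead},
 // CRUD to provisioner daemons for now.
 ResourceProvisionerDaemon.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
+// Read to provisioner jobs for now.
+ResourceProvisionerJobs.Type: {policy.ActionRead},
 // Needs to read all organizations since
 ResourceOrganization.Type: {policy.ActionRead},
 ResourceUser.Type: {policy.ActionRead},
@@ -422,6 +424,9 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 ResourceOrganization.Type: {policy.ActionRead},
 // Can read available roles.
 ResourceAssignOrgRole.Type: {policy.ActionRead},
+
+// Users can read provisioner jobs scoped to themselves.
+ResourceProvisionerJobs.Type: {policy.ActionRead},
 }),
 },
 User: []Permission{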
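Review bot: The comment `// Users can read provisioner jobs scoped to themselves.` in the second hunk (new lines 428-429) does not match where the grant lands. The entry is added to the map closed by `}),`, just before the separate `User: []Permission{` list begins, so it appears to be an organization-level grant rather than an owner-scoped one. The case added in roles_test.go agrees, since `orgMemberMe` is allowed on `rbac.ResourceProvisionerJobs.InOrg(orgID)` with no owner set. If every org member is meant to read every job in the org, reword the comment to `// Org members can read all provisioner jobs in their organization.`; if the intent is own jobs only, move the entry under `User:`. Which role this block belongs to is inferred, because ReloadBuiltinRoles starts and ends outside the hunk.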

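--- a/coderd/rbac/roles_test.go
+++ b/coderd/rbac/roles_test.go
@@ -553,6 +553,15 @@ func TestRolePermissions(t *testing.T) {
 false: {setOtherOrg, memberMe, orgMemberMe, userAdmin, templateAdmin, orgTemplateAdmin, orgUserAdmin, orgAuditor},
 },
 },
+{
+Name: "ProvisionerJobs",
+Actions: []policy.Action{policy.ActionRead},
+Resource: rbac.ResourceProvisionerJobs.InOrg(orgID),
+AuthorizeMap: map[bool][]hasAuthSubjects{
+true: {owner, templateAdmin, orgTemplateAdmin, orgMemberMe, orgAdmin},
+false: {setOtherOrg, memberMe, userAdmin, orgUserAdmin, orgAuditor},
+},
+},
 {
 Name: "System",
 Actions: crud,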
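Review bot: The new "ProvisionerJobs" case checks only an org-level object with no owner, so it cannot tell an org-wide read grant from an owner-scoped one. Add a sibling case on `rbac.ResourceProvisionerJobs.InOrg(orgID).WithOwner(...)` using a different user's ID, with `orgMemberMe` placed in whichever of `true`/`false` matches the intended policy, so a later edit to the member role cannot widen or narrow access silently. If `orgAuditor` being denied read while `orgMemberMe` is allowed is deliberate, a one-line comment in the case would record that. The table this entry sits in continues outside the hunk.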

codersdk/rbacresources_gen.go

Lines changed: 2 additions & 0 deletions

docs/reference/api/members.md

Lines changed: 5 additions & 0 deletions
