
Commit 96fee51

committed
WIP
1 parent 4385933 commit 96fee51


4 files changed

+31
-36
lines changed

4 files changed

+31
-36
lines changed

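--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -170,10 +170,10 @@ var (
 Identifier: rbac.RoleIdentifier{Name: "provisionerd"},
 DisplayName: "Provisioner Daemon",
 Site: rbac.Permissions(map[string][]policy.Action{
-// TODO: Add ProvisionerJob resource type.
-rbac.ResourceFile.Type: {policy.ActionRead},
-rbac.ResourceSystem.Type: {policy.WildcardSymbol},
-rbac.ResourceTemplate.Type: {policy.ActionRead, policy.ActionUpdate},
+rbac.ResourceProvisionerJobs.Type: {policy.ActionRead, policy.ActionUpdate},
+rbac.ResourceFile.Type: {policy.ActionRead},
+rbac.ResourceSystem.Type: {policy.WildcardSymbol},
+rbac.ResourceTemplate.Type: {policy.ActionRead, policy.ActionUpdate},
 // Unsure why provisionerd needs update and read personal
 rbac.ResourceUser.Type: {policy.ActionRead, policy.ActionReadPersonal, policy.ActionUpdatePersonal},
 rbac.ResourceWorkspaceDormant.Type: {policy.ActionDelete, policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceStop},
@@ -1093,11 +1093,10 @@ func (q *querier) AcquireNotificationMessages(ctx context.Context, arg database.
 return q.db.AcquireNotificationMessages(ctx, arg)
 }
 
-// TODO: We need to create a ProvisionerJob resource type
 func (q *querier) AcquireProvisionerJob(ctx context.Context, arg database.AcquireProvisionerJobParams) (database.ProvisionerJob, error) {
-// if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceSystem); err != nil {
-// return database.ProvisionerJob{}, err
-// }
+if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
+return database.ProvisionerJob{}, err
+}
 return q.db.AcquireProvisionerJob(ctx, arg)
 }
 
@@ -2322,28 +2321,28 @@ func (q *querier) GetProvisionerJobTimingsByJobID(ctx context.Context, jobID uui
 return q.db.GetProvisionerJobTimingsByJobID(ctx, jobID)
 }
 
-// TODO: We have a ProvisionerJobs resource, but it hasn't been checked for this use-case.
 func (q *querier) GetProvisionerJobsByIDs(ctx context.Context, ids []uuid.UUID) ([]database.ProvisionerJob, error) {
-// if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceSystem); err != nil {
-// return nil, err
-// }
+if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
+return nil, err
+}
 return q.db.GetProvisionerJobsByIDs(ctx, ids)
 }
 
-// TODO: We have a ProvisionerJobs resource, but it hasn't been checked for this use-case.
 func (q *querier) GetProvisionerJobsByIDsWithQueuePosition(ctx context.Context, ids []uuid.UUID) ([]database.GetProvisionerJobsByIDsWithQueuePositionRow, error) {
+if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
+return nil, err
+}
 return q.db.GetProvisionerJobsByIDsWithQueuePosition(ctx, ids)
 }
 
 func (q *querier) GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisioner(ctx context.Context, arg database.GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisionerParams) ([]database.GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisionerRow, error) {
 return fetchWithPostFilter(q.auth, policy.ActionRead, q.db.GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisioner)(ctx, arg)
 }
 
-// TODO: We have a ProvisionerJobs resource, but it hasn't been checked for this use-case.
 func (q *querier) GetProvisionerJobsCreatedAfter(ctx context.Context, createdAt time.Time) ([]database.ProvisionerJob, error) {
-// if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceSystem); err != nil {
-// return nil, err
-// }
+if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {
+return nil, err
+}
 return q.db.GetProvisionerJobsCreatedAfter(ctx, createdAt)
 }
 
@@ -3531,27 +3530,24 @@ func (q *querier) InsertPresetParameters(ctx context.Context, arg database.Inser
 return q.db.InsertPresetParameters(ctx, arg)
 }
 
-// TODO: We need to create a ProvisionerJob resource type
 func (q *querier) InsertProvisionerJob(ctx context.Context, arg database.InsertProvisionerJobParams) (database.ProvisionerJob, error) {
-// if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceSystem); err != nil {
-// return database.ProvisionerJob{}, err
-// }
+if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceProvisionerJobs); err != nil {
+return database.ProvisionerJob{}, err
+}
 return q.db.InsertProvisionerJob(ctx, arg)
 }
 
-// TODO: We need to create a ProvisionerJob resource type
 func (q *querier) InsertProvisionerJobLogs(ctx context.Context, arg database.InsertProvisionerJobLogsParams) ([]database.ProvisionerJobLog, error) {
-// if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceSystem); err != nil {
-// return nil, err
-// }
+if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceProvisionerJobs); err != nil {
+return nil, err
+}
 return q.db.InsertProvisionerJobLogs(ctx, arg)
 }
 
-// TODO: We need to create a ProvisionerJob resource type
 func (q *querier) InsertProvisionerJobTimings(ctx context.Context, arg database.InsertProvisionerJobTimingsParams) ([]database.ProvisionerJobTiming, error) {
-// if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceSystem); err != nil {
-// return nil, err
-// }
+if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceProvisionerJobs); err != nil {
+return nil, err
+}
 return q.db.InsertProvisionerJobTimings(ctx, arg)
 }
 
@@ -4174,11 +4170,10 @@ func (q *querier) UpdateProvisionerDaemonLastSeenAt(ctx context.Context, arg dat
 return q.db.UpdateProvisionerDaemonLastSeenAt(ctx, arg)
 }
 
-// TODO: We need to create a ProvisionerJob resource type
 func (q *querier) UpdateProvisionerJobByID(ctx context.Context, arg database.UpdateProvisionerJobByIDParams) error {
-// if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceSystem); err != nil {
-// return err
-// }
+if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {
+return err
+}
 return q.db.UpdateProvisionerJobByID(ctx, arg)
 }
 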
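Review bot: The three insert wrappers in the `@@ -3531` hunk (`InsertProvisionerJob`, `InsertProvisionerJobLogs`, `InsertProvisionerJobTimings`) now require `policy.ActionCreate` on `rbac.ResourceProvisionerJobs`, but the provisionerd subject in the first hunk is granted only `{policy.ActionRead, policy.ActionUpdate}` on that type. If the daemon subject is the one writing job logs and timings (the callers are not visible here), those writes will be denied once the checks are live; either grant it explicitly with `rbac.ResourceProvisionerJobs.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate},` or confirm the inserts run under another subject. Every new check also passes the bare `rbac.ResourceProvisionerJobs` object with no organization set, so it gates on the resource type only, unlike `GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisioner` in the `@@ -2322` hunk, which goes through `fetchWithPostFilter`. If type-level gating is intended for the ID-based reads, a one-line comment on each wrapper saying so would keep a later change to this authorization layer from assuming per-organization enforcement.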

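--- a/coderd/rbac/roles.go
+++ b/coderd/rbac/roles.go
@@ -503,7 +503,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 // the ability to create templates and provisioners has
 // a lot of overlap.
 ResourceProvisionerDaemon.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
-ResourceProvisionerJobs.Type: {policy.ActionRead},
+ResourceProvisionerJobs.Type: {policy.ActionRead, policy.ActionUpdate, policy.ActionCreate},
 }),
 },
 User: []Permission{},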
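Review bot: Adding `policy.ActionUpdate` to this built-in role's `ResourceProvisionerJobs` grant is wider than it looks, because in this same commit that action is what gates `AcquireProvisionerJob` and `UpdateProvisionerJobByID` in dbauthz.go. Holders of the role would therefore pass the check for acquiring and rewriting jobs, not only for whatever user-facing operation motivated the change; the role's name and the rest of its definition are outside the hunk, so this is inferred from the surrounding comment about templates and provisioners. A why-comment above the line naming the operation that needs each action would make the grant reviewable, and if only job creation is required the narrower form is `ResourceProvisionerJobs.Type: {policy.ActionRead, policy.ActionCreate},`.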

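--- a/coderd/rbac/roles_test.go
+++ b/coderd/rbac/roles_test.go
@@ -580,7 +580,7 @@ func TestRolePermissions(t *testing.T) {
 },
 {
 Name: "ProvisionerJobs",
-Actions: []policy.Action{policy.ActionRead},
+Actions: []policy.Action{policy.ActionRead, policy.ActionUpdate},
 Resource: rbac.ResourceProvisionerJobs.InOrg(orgID),
 AuthorizeMap: map[bool][]hasAuthSubjects{
 true: {owner, orgTemplateAdmin, orgAdmin},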
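Review bot: The `ProvisionerJobs` case now covers `policy.ActionUpdate` but not `policy.ActionCreate`, which roles.go grants in the same commit, so nothing in this table pins who may create provisioner jobs. Since the insert wrappers in dbauthz.go now check that action, add it here if the same subjects apply, `Actions: []policy.Action{policy.ActionRead, policy.ActionUpdate, policy.ActionCreate},`, or give it its own case if the allowed set differs. The `AuthorizeMap` literal continues past the end of the hunk, so the denied subjects for the new actions cannot be checked from here.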

codersdk/rbacresources_gen.go

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
