
Commit c281c5e

tmp commit
1 parent 57044e3 commit c281c5e


3 files changed

+46
-4
lines changed


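--- a/coderd/agentapi/manifest.go
+++ b/coderd/agentapi/manifest.go
@@ -3,7 +3,9 @@ package agentapi
 import (
 "context"
 "database/sql"
+"encoding/json"
 "errors"
+"fmt"
 "net/url"
 "strings"
 "time"
@@ -51,6 +53,22 @@ func (a *ManifestAPI) GetManifest(ctx context.Context, _ *agentproto.GetManifest
 userSecrets []database.UserSecret
 )
 
+//workspaceAgent.ID
+
+act, ok := dbauthz.ActorFromContext(ctx)
+if !ok {
+return nil, dbauthz.ErrNoActor
+}
+fmt.Printf("act: %v\n", act)
+
+actInJSON, err := json.Marshal(act)
+if err != nil {
+return nil, err
+}
+fmt.Printf("actInJSON: %s\n", actInJSON)
+
+userID := uuid.MustParse(act.ID)
+
 var eg errgroup.Group
 eg.Go(func() (err error) {
 dbApps, err = a.Database.GetWorkspaceAppsByAgentID(ctx, workspaceAgent.ID)
@@ -86,8 +104,9 @@ func (a *ManifestAPI) GetManifest(ctx context.Context, _ *agentproto.GetManifest
 return nil
 })
 eg.Go(func() (err error) {
-userSecrets, err = a.Database.ListUserSecrets(ctx, workspace.OwnerID)
+userSecrets, err = a.Database.ListUserSecrets(ctx, userID)
 if err != nil && !xerrors.Is(err, sql.ErrNoRows) {
+fmt.Printf("\n\n\nfailed to execute listUserSecrets: %v\n\n\n", err)
 return err
 }
 return nil
@@ -99,6 +118,9 @@ func (a *ManifestAPI) GetManifest(ctx context.Context, _ *agentproto.GetManifest
 
 _ = userSecrets
 
+fmt.Printf("workspace.OwnerID: %v\n", workspace.OwnerID)
+fmt.Printf("workspace.OwnerID == act.ID %v\n", workspace.OwnerID.String() == act.ID)
+
 appSlug := appurl.ApplicationURL{
 AppSlugOrPort: "{{port}}",
 AgentName: workspaceAgent.Name,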
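Review bot: `userID := uuid.MustParse(act.ID)` in the second hunk panics inside a request handler whenever the actor ID is not a well-formed UUID, and the surrounding `fmt.Printf` calls write the fully marshalled actor plus the raw ListUserSecrets error to stdout, bypassing the API's logger and putting identity details into process output. Replace it with `userID, err := uuid.Parse(act.ID)` followed by `if err != nil { return nil, xerrors.Errorf("parse actor id %q: %w", act.ID, err) }`, and drop the Printf lines (or move them to the logger at debug level) before this leaves "tmp commit" state. Switching the ListUserSecrets argument from `workspace.OwnerID` to the caller's own ID also changes whose secrets are listed; the comparison printed at new line 122 suggests the two are still being checked for equivalence rather than guaranteed equal, so the intended identity deserves a comment or a test. GetManifest begins and ends outside these hunks.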

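--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -5,6 +5,7 @@ import (
 "database/sql"
 "encoding/json"
 "errors"
+"fmt"
 "slices"
 "strings"
 "sync/atomic"
@@ -4178,6 +4179,22 @@ func (q *querier) ListProvisionerKeysByOrganizationExcludeReserved(ctx context.C
 
 func (q *querier) ListUserSecrets(ctx context.Context, userID uuid.UUID) ([]database.UserSecret, error) {
 obj := rbac.ResourceUserSecret.WithOwner(userID.String())
+
+act, ok := ActorFromContext(ctx)
+if !ok {
+return nil, ErrNoActor
+}
+actInJSON, err := json.Marshal(act)
+if err != nil {
+return nil, err
+}
+objInJSON, err := json.Marshal(obj)
+if err != nil {
+return nil, err
+}
+fmt.Printf("DEBUG actInJSON: %s\n", actInJSON)
+fmt.Printf("DEBUG objInJSON: %s\n", objInJSON)
+
 if err := q.authorizeContext(ctx, policy.ActionRead, obj); err != nil {
 return nil, err
 }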
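Review bot: `fmt.Printf("DEBUG actInJSON: %s\n", actInJSON)` and `fmt.Printf("DEBUG objInJSON: %s\n", objInJSON)` print the full serialized actor to stdout on every ListUserSecrets call, and they run before the `authorizeContext` check, so an unauthorized caller also produces the output. The two `json.Marshal` calls additionally turn a serialization failure into an early error return that this authorization wrapper did not have before, and the `ok`/`ErrNoActor` branch presumably repeats a check `authorizeContext` already performs (its body is not in the hunk). Remove new lines 4182–4197 before merge, or if the trace is genuinely wanted, route it through the querier's logger at debug level and place it after authorization succeeds. ListUserSecrets continues past the end of the hunk.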

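--- a/coderd/rbac/roles.go
+++ b/coderd/rbac/roles.go
@@ -270,7 +270,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 Site: append(
 // Workspace dormancy and workspace are omitted.
 // Workspace is specifically handled based on the opts.NoOwnerWorkspaceExec
-allPermsExcept(ResourceWorkspaceDormant, ResourcePrebuiltWorkspace, ResourceWorkspace, ResourceUserSecret),
+allPermsExcept(ResourceWorkspaceDormant, ResourcePrebuiltWorkspace, ResourceWorkspace),
 // This adds back in the Workspace permissions.
 Permissions(map[string][]policy.Action{
 ResourceWorkspace.Type: ownerWorkspaceActions,
@@ -280,8 +280,10 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 // Note: even without PrebuiltWorkspace permissions, access is still granted via Workspace permissions.
 ResourcePrebuiltWorkspace.Type: {policy.ActionUpdate, policy.ActionDelete},
 })...),
-Org: map[string][]Permission{},
-User: []Permission{},
+Org: map[string][]Permission{},
+User: Permissions(map[string][]policy.Action{
+ResourceUserSecret.Type: {policy.ActionRead, policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
+}),
 }.withCachedRegoValue()
 
 memberRole := Role{
@@ -305,6 +307,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 ResourceOrganizationMember.Type: {policy.ActionRead},
 // Users can create provisioner daemons scoped to themselves.
 ResourceProvisionerDaemon.Type: {policy.ActionRead, policy.ActionCreate, policy.ActionRead, policy.ActionUpdate},
+ResourceUserSecret.Type: {policy.ActionRead, policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete},
 })...,
 ),
 }.withCachedRegoValue()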
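Review bot: Removing `ResourceUserSecret` from the site-level `allPermsExcept(...)` in the first hunk grants the role built there (the owner role, judging by `ownerWorkspaceActions` and `opts.NoOwnerWorkspaceExec`) every action on every user's secrets site-wide, on top of the new User-scoped grant added just below it. If user secrets are meant to be accessible only by their owning user, keep the exclusion, `allPermsExcept(ResourceWorkspaceDormant, ResourcePrebuiltWorkspace, ResourceWorkspace, ResourceUserSecret),`, and let the User-scoped `Permissions(...)` entry carry that role's access to its own secrets; a comment above the exclusion stating that user secrets are deliberately left out of site-wide permissions would stop the next edit from re-widening it. The action set `{policy.ActionRead, policy.ActionCreate, policy.ActionUpdate, policy.ActionDelete}` is now written out identically for the owner and member roles; hoisting it into a package-level `userSecretActions` var beside `ownerWorkspaceActions` keeps the two in step. ReloadBuiltinRoles begins and ends outside these hunks.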
