Commit2ba15c5

feat: POC for allowing TemplateAdmin to delete prebuild workspaces via auth layer
1 parentaf4a668 commit2ba15c5


15 files changed

+245
-54
lines changed


‎coderd/apidoc/docs.go

Lines changed: 2 additions & 0 deletions

‎coderd/apidoc/swagger.json

Lines changed: 2 additions & 0 deletions

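--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -412,6 +412,9 @@ var (
 policy.ActionCreate,policy.ActionDelete,policy.ActionRead,policy.ActionUpdate,
 policy.ActionWorkspaceStart,policy.ActionWorkspaceStop,
 },
+rbac.ResourcePrebuiltWorkspace.Type: {
+policy.ActionRead,policy.ActionUpdate,policy.ActionDelete,
+},
 // Should be able to add the prebuilds system user as a member to any organization that needs prebuilds.
 rbac.ResourceOrganizationMember.Type: {
 policy.ActionCreate,
@@ -527,9 +530,9 @@ func As(ctx context.Context, actor rbac.Subject) context.Context {
 // running the insertFunc. The insertFunc is expected to return the object that
 // was inserted.
 funcinsert[
-ObjectTypeany,
-ArgumentTypeany,
-Insertfunc(ctx context.Context,argArgumentType) (ObjectType,error),
+ObjectTypeany,
+ArgumentTypeany,
+Insertfunc(ctx context.Context,argArgumentType) (ObjectType,error),
 ](
 logger slog.Logger,
 authorizer rbac.Authorizer,
@@ -540,9 +543,9 @@ func insert[
 }
 
 funcinsertWithAction[
-ObjectTypeany,
-ArgumentTypeany,
-Insertfunc(ctx context.Context,argArgumentType) (ObjectType,error),
+ObjectTypeany,
+ArgumentTypeany,
+Insertfunc(ctx context.Context,argArgumentType) (ObjectType,error),
 ](
 logger slog.Logger,
 authorizer rbac.Authorizer,
@@ -569,10 +572,10 @@ func insertWithAction[
 }
 
 funcdeleteQ[
-ObjectType rbac.Objecter,
-ArgumentTypeany,
-Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),
-Deletefunc(ctx context.Context,argArgumentType)error,
+ObjectType rbac.Objecter,
+ArgumentTypeany,
+Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),
+Deletefunc(ctx context.Context,argArgumentType)error,
 ](
 logger slog.Logger,
 authorizer rbac.Authorizer,
@@ -584,10 +587,10 @@ func deleteQ[
 }
 
 funcupdateWithReturn[
-ObjectType rbac.Objecter,
-ArgumentTypeany,
-Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),
-UpdateQueryfunc(ctx context.Context,argArgumentType) (ObjectType,error),
+ObjectType rbac.Objecter,
+ArgumentTypeany,
+Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),
+UpdateQueryfunc(ctx context.Context,argArgumentType) (ObjectType,error),
 ](
 logger slog.Logger,
 authorizer rbac.Authorizer,
@@ -598,10 +601,10 @@ func updateWithReturn[
 }
 
 funcupdate[
-ObjectType rbac.Objecter,
-ArgumentTypeany,
-Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),
-Execfunc(ctx context.Context,argArgumentType)error,
+ObjectType rbac.Objecter,
+ArgumentTypeany,
+Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),
+Execfunc(ctx context.Context,argArgumentType)error,
 ](
 logger slog.Logger,
 authorizer rbac.Authorizer,
@@ -619,9 +622,9 @@ func update[
 // user cannot read the resource. This is because the resource details are
 // required to run a proper authorization check.
 funcfetchWithAction[
-ArgumentTypeany,
-ObjectType rbac.Objecter,
-DatabaseFuncfunc(ctx context.Context,argArgumentType) (ObjectType,error),
+ArgumentTypeany,
+ObjectType rbac.Objecter,
+DatabaseFuncfunc(ctx context.Context,argArgumentType) (ObjectType,error),
 ](
 logger slog.Logger,
 authorizer rbac.Authorizer,
@@ -652,9 +655,9 @@ func fetchWithAction[
 }
 
 funcfetch[
-ArgumentTypeany,
-ObjectType rbac.Objecter,
-DatabaseFuncfunc(ctx context.Context,argArgumentType) (ObjectType,error),
+ArgumentTypeany,
+ObjectType rbac.Objecter,
+DatabaseFuncfunc(ctx context.Context,argArgumentType) (ObjectType,error),
 ](
 logger slog.Logger,
 authorizer rbac.Authorizer,
@@ -667,10 +670,10 @@ func fetch[
 // from SQL 'exec' functions which only return an error.
 // See fetchAndQuery for more information.
 funcfetchAndExec[
-ObjectType rbac.Objecter,
-ArgumentTypeany,
-Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),
-Execfunc(ctx context.Context,argArgumentType)error,
+ObjectType rbac.Objecter,
+ArgumentTypeany,
+Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),
+Execfunc(ctx context.Context,argArgumentType)error,
 ](
 logger slog.Logger,
 authorizer rbac.Authorizer,
@@ -693,10 +696,10 @@ func fetchAndExec[
 // **before** the query runs. The returns from the fetch are only used to
 // assert rbac. The final return of this function comes from the Query function.
 funcfetchAndQuery[
-ObjectType rbac.Objecter,
-ArgumentTypeany,
-Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),
-Queryfunc(ctx context.Context,argArgumentType) (ObjectType,error),
+ObjectType rbac.Objecter,
+ArgumentTypeany,
+Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),
+Queryfunc(ctx context.Context,argArgumentType) (ObjectType,error),
 ](
 logger slog.Logger,
 authorizer rbac.Authorizer,
@@ -730,9 +733,9 @@ func fetchAndQuery[
 // fetchWithPostFilter is like fetch, but works with lists of objects.
 // SQL filters are much more optimal.
 funcfetchWithPostFilter[
-ArgumentTypeany,
-ObjectType rbac.Objecter,
-DatabaseFuncfunc(ctx context.Context,argArgumentType) ([]ObjectType,error),
+ArgumentTypeany,
+ObjectType rbac.Objecter,
+DatabaseFuncfunc(ctx context.Context,argArgumentType) ([]ObjectType,error),
 ](
 authorizer rbac.Authorizer,
 action policy.Action,
@@ -3909,7 +3912,14 @@ func (q *querier) InsertWorkspaceBuild(ctx context.Context, arg database.InsertW
 action=policy.ActionWorkspaceStop
 }
 
-iferr=q.authorizeContext(ctx,action,w);err!=nil {
+ifaction==policy.ActionDelete&&w.IsPrebuild() {
+iferr:=q.authorizeContext(ctx,action,w.PrebuildRBAC());err!=nil {
+// Fallback to normal workspace auth check
+iferr=q.authorizeContext(ctx,action,w);err!=nil {
+returnxerrors.Errorf("authorize context: %w",err)
+}
+}
+}elseiferr=q.authorizeContext(ctx,action,w);err!=nil {
 returnxerrors.Errorf("authorize context: %w",err)
 }
 
@@ -3949,7 +3959,15 @@ func (q *querier) InsertWorkspaceBuildParameters(ctx context.Context, arg databa
 returnerr
 }
 
-err=q.authorizeContext(ctx,policy.ActionUpdate,workspace)
+ifworkspace.IsPrebuild() {
+err=q.authorizeContext(ctx,policy.ActionUpdate,workspace.PrebuildRBAC())
+// Fallback to normal workspace auth check
+iferr!=nil {
+err=q.authorizeContext(ctx,policy.ActionUpdate,workspace)
+}
+}else {
+err=q.authorizeContext(ctx,policy.ActionUpdate,workspace)
+}
 iferr!=nil {
 returnerr
 }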
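Review bot: In InsertWorkspaceBuild the new delete branch turns the authorization into an OR of two checks, so a denial against the `prebuilt_workspace` object is swallowed and the actor only needs either permission; that is presumably the intended widening for TemplateAdmin, but the swallowed first denial will still be reported wherever `authorizeContext` records failures, and the inner `err :=` shadows the outer `err` for no benefit. The same OR is hand-rolled a second time in InsertWorkspaceBuildParameters in a different shape, which is the kind of drift that later produces one path being stricter than the other; I would fold both into one querier helper so the fallback semantics live in one place and get one test. Note the widening is keyed solely on `w.IsPrebuild()`, an owner-ID comparison, so any workspace created under the prebuilds owner becomes deletable and parameter-updatable by every TemplateAdmin. The helper below applies the prebuild attempt for whatever action is passed (the prebuilt_workspace permission set only defines read/update/delete, so start/stop just fall through), which costs one extra authorize call on prebuilds if callers drop the delete gate; keep the gate at the call site if that matters. Both enclosing functions start and end outside the hunk.
```go
// authorizePrebuildOrWorkspace tries the prebuilt_workspace object first for
// workspaces owned by the prebuilds user and falls back to the ordinary
// workspace object. Only the final denial is returned to the caller.
func (q *querier) authorizePrebuildOrWorkspace(ctx context.Context, action policy.Action, w database.Workspace) error {
	if w.IsPrebuild() {
		if err := q.authorizeContext(ctx, action, w.PrebuildRBAC()); err == nil {
			return nil
		}
	}
	return q.authorizeContext(ctx, action, w)
}
// … unchanged: InsertWorkspaceBuild action selection …
	if err = q.authorizePrebuildOrWorkspace(ctx, action, w); err != nil {
		return xerrors.Errorf("authorize context: %w", err)
	}
// … unchanged: InsertWorkspaceBuildParameters workspace lookup …
	if err = q.authorizePrebuildOrWorkspace(ctx, policy.ActionUpdate, workspace); err != nil {
		return err
	}
```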

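--- a/coderd/database/modelmethods.go
+++ b/coderd/database/modelmethods.go
@@ -226,9 +226,26 @@ func (w Workspace) WorkspaceTable() WorkspaceTable {
 }
 
 func (wWorkspace)RBACObject() rbac.Object {
+// if w.IsPrebuild() {
+//return w.PrebuildRBAC()
+//}
 returnw.WorkspaceTable().RBACObject()
 }
 
+func (wWorkspace)IsPrebuild()bool {
+// TODO: avoid import cycle
+returnw.OwnerID==uuid.MustParse("c42fdf75-3097-471c-8c33-fb52454d81c0")
+}
+
+func (wWorkspace)PrebuildRBAC() rbac.Object {
+ifw.IsPrebuild() {
+returnrbac.ResourcePrebuiltWorkspace.WithID(w.ID).
+InOrg(w.OrganizationID).
+WithOwner(w.OwnerID.String())
+}
+returnw.RBACObject()
+}
+
 func (wWorkspaceTable)RBACObject() rbac.Object {
 ifw.DormantAt.Valid {
 returnw.DormantRBAC()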
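Review bot: IsPrebuild hard-codes the prebuilds system user ID and re-parses it with `uuid.MustParse` on every call; if this literal ever drifts from the canonical constant the TODO says cannot be imported, prebuild detection silently turns off (the dbauthz and HTTP paths then fall back to plain workspace auth) with nothing to catch it. At minimum hoist it to `var prebuildsSystemUserID = uuid.MustParse("c42fdf75-3097-471c-8c33-fb52454d81c0") // must match the prebuilds package constant` and compare against that, and add a test that pins the two values together. The commented-out block in RBACObject should be deleted rather than left in: if it were re-enabled, every authorization on a prebuilt workspace, including start/stop, would be evaluated against the prebuilt_workspace object, which per policy.go in this commit defines only read/update/delete. PrebuildRBAC silently returns the ordinary workspace object for non-prebuilds, which the call sites rely on; document it, e.g. `// PrebuildRBAC returns the prebuilt_workspace RBAC object for workspaces owned by the prebuilds user, and the ordinary workspace object otherwise.`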

‎coderd/rbac/object_gen.go

Lines changed: 10 additions & 0 deletions

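--- a/coderd/rbac/policy/policy.go
+++ b/coderd/rbac/policy/policy.go
@@ -102,6 +102,13 @@ var RBACPermissions = map[string]PermissionDefinition{
 "workspace_dormant": {
 Actions:workspaceActions,
 },
+"prebuilt_workspace": {
+Actions:map[Action]ActionDefinition{
+ActionRead:actDef("read prebuilt workspace"),
+ActionUpdate:actDef("update prebuilt workspace"),
+ActionDelete:actDef("delete prebuilt workspace"),
+},
+},
 "workspace_proxy": {
 Actions:map[Action]ActionDefinition{
 ActionCreate:actDef("create a workspace proxy"),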

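--- a/coderd/rbac/roles.go
+++ b/coderd/rbac/roles.go
@@ -335,8 +335,9 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 ResourceAssignOrgRole.Type: {policy.ActionRead},
 ResourceTemplate.Type:ResourceTemplate.AvailableActions(),
 // CRUD all files, even those they did not upload.
-ResourceFile.Type: {policy.ActionCreate,policy.ActionRead},
-ResourceWorkspace.Type: {policy.ActionRead},
+ResourceFile.Type: {policy.ActionCreate,policy.ActionRead},
+ResourceWorkspace.Type: {policy.ActionRead},
+ResourcePrebuiltWorkspace.Type: {policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},
 // CRUD to provisioner daemons for now.
 ResourceProvisionerDaemon.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},
 // Needs to read all organizations since
@@ -493,9 +494,10 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 Site: []Permission{},
 Org:map[string][]Permission{
 organizationID.String():Permissions(map[string][]policy.Action{
-ResourceTemplate.Type:ResourceTemplate.AvailableActions(),
-ResourceFile.Type: {policy.ActionCreate,policy.ActionRead},
-ResourceWorkspace.Type: {policy.ActionRead},
+ResourceTemplate.Type:ResourceTemplate.AvailableActions(),
+ResourceFile.Type: {policy.ActionCreate,policy.ActionRead},
+ResourceWorkspace.Type: {policy.ActionRead},
+ResourcePrebuiltWorkspace.Type: {policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},
 // Assigning template perms requires this permission.
 ResourceOrganization.Type: {policy.ActionRead},
 ResourceOrganizationMember.Type: {policy.ActionRead},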
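Review bot: The new site-wide and per-org grants give TemplateAdmin update and delete on every prebuilt_workspace, and nothing here ties that to templates the admin actually controls, while membership in the "prebuilt" class is decided purely by owner ID in modelmethods.go; the entries should carry a comment stating the widening is deliberate, e.g. `// Prebuilt workspaces are owned by the prebuilds system user; template admins may update/delete them to manage prebuild pools.` above each new line. ActionUpdate goes beyond the commit title ("delete") and, through the InsertWorkspaceBuildParameters path in dbauthz, lets a TemplateAdmin set build parameters on a prebuild; if only deletion is wanted, drop ActionUpdate from both entries. No role test asserting the new permission is part of this commit. ReloadBuiltinRoles starts and ends outside the hunk.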

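--- a/coderd/workspacebuilds.go
+++ b/coderd/workspacebuilds.go
@@ -404,6 +404,16 @@ func (api *API) postWorkspaceBuilds(rw http.ResponseWriter, r *http.Request) {
 ctx,
 tx,
 func(action policy.Action,object rbac.Objecter)bool {
+ifobject.RBACObject().Type==rbac.ResourceWorkspace.Type&&action==policy.ActionDelete {
+workspaceObj,ok:=object.(database.Workspace)
+ifok {
+prebuild:=workspaceObj.PrebuildRBAC()
+// Fallback to normal workspace auth check
+ifauth:=api.Authorize(r,action,prebuild);auth {
+returnauth
+}
+}
+}
 returnapi.Authorize(r,action,object)
 },
 audit.WorkspaceBuildBaggageFromRequest(r),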
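Review bot: The prebuild attempt runs for every delete of every workspace rather than only for prebuilds (PrebuildRBAC just hands back the ordinary object for the rest), so each normal delete now pays two authorizations, and the "Fallback to normal workspace auth check" comment sits above the prebuild attempt instead of the fallback it describes. Guard the block with `if ok && workspaceObj.IsPrebuild() {` and move the comment onto the final `return api.Authorize(r, action, object)`. The `object.(database.Workspace)` assertion silently skips the prebuild path for any other Objecter (a pointer, or a WorkspaceTable), and the `Type == rbac.ResourceWorkspace.Type` gate appears to exclude dormant workspaces, whose RBACObject resolves to the dormant type per modelmethods.go, so decide explicitly whether a dormant prebuild should be deletable by TemplateAdmin. This duplicates the OR logic hand-written in dbauthz; if both layers are required, a shared helper keeps them from diverging. postWorkspaceBuilds starts and ends outside the hunk.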

‎codersdk/rbacresources_gen.go

Lines changed: 2 additions & 0 deletions

‎docs/reference/api/members.md

Lines changed: 5 additions & 0 deletions

‎docs/reference/api/schemas.md

Lines changed: 1 addition & 0 deletions
