Commit9a30a8e

committed
chore: optimize for partial queries
1 parenta87cef9 commit9a30a8e

1 file changed

+48
-23
lines changed


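--- a/coderd/rbac/policy.rego
+++ b/coderd/rbac/policy.rego
@@ -62,33 +62,36 @@ number(set) := c if {
 }
 
 
+prebuild_workspace_type:="prebuilt_workspace"
+default_object_set:= [input.object.type,"*"]
 is_prebuild_workspace if{
 input.object.type="workspace"
 input.object.owner="c42fdf75-3097-471c-8c33-fb52454d81c0"
 }
 
-object_set:= object_types if{
-is_prebuild_workspace
-object_types:= [input.object.type,"prebuilt_workspace","*"]
-}
-
-object_set:= object_types if{
-notis_prebuild_workspace
-object_types:= [input.object.type,"*"]
-}
-
 # site, org, and user rules are all similar. Each rule should return a number
 # from [-1, 1]. The number corresponds to "negative", "abstain", and "positive"
 # for the given level. See the 'allow' rules for how these numbers are used.
 defaultsite:=0
 
-site:=site_allow(input.subject.roles)
+site:= num if{
+notis_prebuild_workspace
+num:=site_allow(input.subject.roles, default_object_set)
+}
+
+site:= num if{
+is_prebuild_workspace
+num:=number([
+site_allow(input.subject.roles, default_object_set),
+site_allow(input.subject.roles, [prebuild_workspace_type])
+])
+}
 
 defaultscope_site:=0
 
-scope_site:=site_allow([input.subject.scope])
+scope_site:=site_allow([input.subject.scope], default_object_set)
 
-site_allow(roles):= num if{
+site_allow(roles, object_set):= num if{
 # allow is a set of boolean values without duplicates.
 allow:= {x|
 # Iterate over all site permissions in all roles
@@ -111,11 +114,22 @@ org_members := {orgID |
 # that the actor is a member of.
 defaultorg:=0
 
-org:=org_allow(input.subject.roles)
+org:= num if{
+notis_prebuild_workspace
+num:=org_allow(input.subject.roles, default_object_set)
+}
+
+org:= num if{
+is_prebuild_workspace
+num:=number([
+org_allow(input.subject.roles, default_object_set),
+org_allow(input.subject.roles, [prebuild_workspace_type])
+])
+}
 
 defaultscope_org:=0
 
-scope_org:=org_allow([input.scope])
+scope_org:=org_allow([input.scope], default_object_set)
 
 # org_allow_set is a helper function that iterates over all orgs that the actor
 # is a member of. For each organization it sets the numerical allow value
@@ -127,7 +141,7 @@ scope_org := org_allow([input.scope])
 # The reason we calculate this for all orgs, and not just the input.object.org_owner
 # is that sometimes the input.object.org_owner is unknown. In those cases
 # we have a list of org_ids that can we use in a SQL 'WHERE' clause.
-org_allow_set(roles):= allow_set if{
+org_allow_set(roles, object_set):= allow_set if{
 allow_set:= {id: num|
 id:= org_members[_]
 set:= {x|
@@ -140,11 +154,11 @@ org_allow_set(roles) := allow_set if {
 }
 }
 
-org_allow(roles):= num if{
+org_allow(roles, object_set):= num if{
 # If the object has "any_org" set to true, then use the other
 # org_allow block.
 notinput.object.any_org
-allow:=org_allow_set(roles)
+allow:=org_allow_set(roles, object_set)
 
 # Return only the org value of the input's org.
 # The reason why we do not do this up front, is that we need to make sure
@@ -160,9 +174,9 @@ org_allow(roles) := num if {
 # This is useful for UI elements when we want to conclude, "Can the user create
 # a new template in any organization?"
 # It is easier than iterating over every organization the user is apart of.
-org_allow(roles):= num if{
+org_allow(roles, object_set):= num if{
 input.object.any_org# if this is false, this code block is not used
-allow:=org_allow_set(roles)
+allow:=org_allow_set(roles, object_set)
 
 # allow is a map of {"<org_id>": <number>}. We only care about values
 # that are 1, and ignore the rest.
@@ -211,13 +225,24 @@ org_ok if {
 # the user is apart of the org (if the object has an org).
 defaultuser:=0
 
-user:=user_allow(input.subject.roles)
+user:= num if{
+notis_prebuild_workspace
+num:=user_allow(input.subject.roles, default_object_set)
+}
+
+user:= num if{
+is_prebuild_workspace
+num:=number([
+user_allow(input.subject.roles, default_object_set),
+user_allow(input.subject.roles, [prebuild_workspace_type])
+])
+}
 
 defaultuser_scope:=0
 
-scope_user:=user_allow([input.scope])
+scope_user:=user_allow([input.scope], default_object_set)
 
-user_allow(roles):= num if{
+user_allow(roles, object_set):= num if{
 input.object.owner!=""
 input.subject.id= input.object.owner
 allow:= {x|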