Commita87cef9

committed
feat: add prebuilt_workspace type and embed behavior to rego policy
Prebuild workspaces can also be referenced by the prebuilt_workspace resource type, allowing permissions to apply only to prebuilts.
1 parentca8660c commita87cef9

6 files changed

+167
-37
lines changed


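--- a/coderd/rbac/authz_internal_test.go
+++ b/coderd/rbac/authz_internal_test.go
@@ -712,6 +712,39 @@ func TestAuthorizeDomain(t *testing.T) {
 
 {resource:ResourceWorkspace.WithOwner("not-me")},
 }))
+
+// Prebuild
+prebuildUserID:=uuid.MustParse("c42fdf75-3097-471c-8c33-fb52454d81c0").String()
+prebuilder:=Subject{
+ID:prebuildUserID,
+Scope:must(ExpandScope(ScopeAll)),
+Roles:Roles{
+{
+Identifier:RoleIdentifier{Name:"Prebuilder"},
+Site: []Permission{},
+Org:map[string][]Permission{
+defOrg.String():Permissions(map[string][]policy.Action{
+ResourcePrebuiltWorkspace.Type:ResourcePrebuiltWorkspace.AvailableActions(),
+}),
+},
+User: []Permission{},
+},
+},
+}
+
+testAuthorize(t,"AllWorkspaceActions",prebuilder,
+cases(func(cauthTestCase)authTestCase {
+c.actions=ResourceWorkspace.AvailableActions()
+returnc
+}, []authTestCase{
+// Prebuilder cannot access all workspaces
+{allow:false,resource:ResourceWorkspace.InOrg(defOrg).WithOwner(user.ID)},
+// They can access their workspaces because of the prebuild user ID
+{allow:true,resource:ResourceWorkspace.InOrg(defOrg).WithOwner(prebuildUserID)},
+// Also the prebuild type, although this should never be used directly.
+{allow:true,resource:ResourcePrebuiltWorkspace.InOrg(defOrg).WithOwner(prebuildUserID)},
+}),
+)
 }
 
 // TestAuthorizeLevels ensures level overrides are acting appropriately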

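--- a/coderd/rbac/input.json
+++ b/coderd/rbac/input.json
@@ -1,46 +1,105 @@
 {
-"action":"never-match-action",
-"object": {
-"id":"9046b041-58ed-47a3-9c3a-de302577875a",
-"owner":"00000000-0000-0000-0000-000000000000",
-"org_owner":"bf7b72bd-a2b1-4ef2-962c-1d698e0483f6",
-"type":"workspace",
-"acl_user_list": {
-"f041847d-711b-40da-a89a-ede39f70dc7f": ["create"]
-},
-"acl_group_list": {}
+"action":"create",
+"object":{
+"id":"",
+"owner":"c42fdf75-3097-471c-8c33-fb52454d81c0",
+"org_owner":"915066be-d016-4993-9f16-fe40b083ab98",
+"any_org":false,
+"type":"workspace",
+"acl_user_list":null,
+"acl_group_list":null
 },
-"subject":{
-"id":"10d03e62-7703-4df5-a358-4f76577d4e2f",
-"roles":[
+"subject":{
+"id":"c42fdf75-3097-471c-8c33-fb52454d81c0",
+"roles":[
 {
-"name":"owner",
-"display_name":"Owner",
-"site": [
-{
-"negate":false,
-"resource_type":"*",
-"action":"*"
-}
+"name":"Prebuilder",
+"display_name":"",
+"site":[
+
 ],
-"org": {},
-"user": []
+"org":{
+"915066be-d016-4993-9f16-fe40b083ab98":[
+{
+"negate":false,
+"resource_type":"prebuilt_workspace",
+"action":"read"
+},
+{
+"negate":false,
+"resource_type":"prebuilt_workspace",
+"action":"update"
+},
+{
+"negate":false,
+"resource_type":"prebuilt_workspace",
+"action":"delete"
+},
+{
+"negate":false,
+"resource_type":"prebuilt_workspace",
+"action":"start"
+},
+{
+"negate":false,
+"resource_type":"prebuilt_workspace",
+"action":"ssh"
+},
+{
+"negate":false,
+"resource_type":"prebuilt_workspace",
+"action":"application_connect"
+},
+{
+"negate":false,
+"resource_type":"prebuilt_workspace",
+"action":"stop"
+},
+{
+"negate":false,
+"resource_type":"prebuilt_workspace",
+"action":"create_agent"
+},
+{
+"negate":false,
+"resource_type":"prebuilt_workspace",
+"action":"delete_agent"
+},
+{
+"negate":false,
+"resource_type":"prebuilt_workspace",
+"action":"create"
+}
+]
+},
+"user":[
+
+]
 }
 ],
-"groups": ["b617a647-b5d0-4cbe-9e40-26f89710bf18"],
-"scope": {
-"name":"Scope_all",
-"display_name":"All operations",
-"site": [
+"groups":null,
+"scope":{
+"name":{
+"Name":"Scope_all",
+"OrganizationID":"00000000-0000-0000-0000-000000000000"
+},
+"display_name":"All operations",
+"site":[
 {
-"negate":false,
-"resource_type":"*",
-"action":"*"
+"negate":false,
+"resource_type":"*",
+"action":"*"
 }
 ],
-"org": {},
-"user": [],
-"allow_list": ["*"]
+"org":{
+
+},
+"user":[
+
+],
+"allow_list":[
+"*"
+]
 }
 }
 }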

‎coderd/rbac/object_gen.go

Lines changed: 17 additions & 0 deletions

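--- a/coderd/rbac/policy.rego
+++ b/coderd/rbac/policy.rego
@@ -61,6 +61,22 @@ number(set) := c if {
 c:=1
 }
 
+
+is_prebuild_workspace if{
+input.object.type="workspace"
+input.object.owner="c42fdf75-3097-471c-8c33-fb52454d81c0"
+}
+
+object_set:= object_types if{
+is_prebuild_workspace
+object_types:= [input.object.type,"prebuilt_workspace","*"]
+}
+
+object_set:= object_types if{
+notis_prebuild_workspace
+object_types:= [input.object.type,"*"]
+}
+
 # site, org, and user rules are all similar. Each rule should return a number
 # from [-1, 1]. The number corresponds to "negative", "abstain", and "positive"
 # for the given level. See the 'allow' rules for how these numbers are used.
@@ -78,7 +94,7 @@ site_allow(roles) := num if {
 # Iterate over all site permissions in all roles
 perm:= roles[_].site[_]
 perm.action in[input.action,"*"]
-perm.resource_type in[input.object.type,"*"]
+perm.resource_type inobject_set
 
 # x is either 'true' or 'false' if a matching permission exists.
 x:=bool_flip(perm.negate)
@@ -117,7 +133,7 @@ org_allow_set(roles) := allow_set if {
 set:= {x|
 perm:= roles[_].org[id][_]
 perm.action in[input.action,"*"]
-perm.resource_type in[input.object.type,"*"]
+perm.resource_type inobject_set
 x:=bool_flip(perm.negate)
 }
 num:=number(set)
@@ -207,7 +223,7 @@ user_allow(roles) := num if {
 allow:= {x|
 perm:= roles[_].user[_]
 perm.action in[input.action,"*"]
-perm.resource_type in[input.object.type,"*"]
+perm.resource_type inobject_set
 x:=bool_flip(perm.negate)
 }
 num:=number(allow)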
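Review bot: `is_prebuild_workspace` only fires for `input.object.type = "workspace"`, so an object of type `workspace_dormant` (which policy.go gives the same action set in this commit) owned by the prebuilds user is never matched by a `prebuilt_workspace` permission; if dormant prebuilds can exist this leaves the Prebuilder role unable to act on them, and if they cannot, the restriction deserves a comment. The new rules also carry no comment explaining the literal owner ID, which a reader of this file cannot otherwise identify; I would add above the first rule `# is_prebuild_workspace: the object is a workspace owned by the prebuilds system user (ID must match the Go side).` and above object_set `# object_set: resource types a permission may name to cover this object; prebuilds additionally match "prebuilt_workspace".` Because the same `object_set` is used in site_allow, org_allow_set and user_allow, a negated `prebuilt_workspace` permission now also denies on the underlying workspace object, which looks intended but is worth stating in that comment. Those three rules begin outside their hunks.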

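--- a/coderd/rbac/policy/policy.go
+++ b/coderd/rbac/policy/policy.go
@@ -102,6 +102,9 @@ var RBACPermissions = map[string]PermissionDefinition{
 "workspace_dormant": {
 Actions:workspaceActions,
 },
+"prebuilt_workspace": {
+Actions:workspaceActions,
+},
 "workspace_proxy": {
 Actions:map[Action]ActionDefinition{
 ActionCreate:actDef("create a workspace proxy"),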

‎codersdk/rbacresources_gen.go

Lines changed: 2 additions & 0 deletions
