feat: add organization scope for shared ports#18314


Merged
aslilac merged 27 commits into main from lilac/org-port-sharing
Jun 16, 2025
Merged
4724f79
claude be doing something certainly
aslilacJun 10, 2025
408d70d
get claude off its nonsense
aslilacJun 10, 2025
dfea63d
Revert "get claude off its nonsense"
aslilacJun 10, 2025
429bc13
let 'er rip some more
aslilacJun 11, 2025
e04084e
do the thing
aslilacJun 11, 2025
842c5bb
fix story
aslilacJun 11, 2025
e9abb74
clean up permission checking
aslilacJun 11, 2025
a60f072
🧹
aslilacJun 13, 2025
c26bf27
fmt
aslilacJun 13, 2025
c10de9e
a test that actually makes any sense
aslilacJun 13, 2025
bdee7ac
jk
aslilacJun 13, 2025
29d19a2
tighten, don't loosen
aslilacJun 13, 2025
d5cbd9a
fix tooltips
aslilacJun 13, 2025
9bb36ec
move comment
aslilacJun 13, 2025
089f094
add new sharing level to agent.proto
aslilacJun 13, 2025
45c8508
Merge branch 'main' into lilac/org-port-sharing
aslilacJun 13, 2025
e8f031e
why
aslilacJun 13, 2025
495fbc3
oh my
aslilacJun 13, 2025
27bccf2
fix migration numbers
aslilacJun 13, 2025
2da3691
update changelog
aslilacJun 16, 2025
e21abef
assert default level
aslilacJun 16, 2025
ae27911
eh, maybe not
aslilacJun 16, 2025
04872d2
update subagent api
aslilacJun 16, 2025
f58ae61
Merge branch 'main' into lilac/org-port-sharing
aslilacJun 16, 2025
ee8d5e3
tweak port number
aslilacJun 16, 2025
ceb8c76
add missing organization max sharing level option
aslilacJun 16, 2025
53f9124
add missing map member
aslilacJun 16, 2025
claude be doing something certainly
@aslilac
aslilac committed Jun 10, 2025
commit 4724f79bccac2246dfd43d8874199eb7069e2818
4 changes: 4 additions & 0 deletions coderd/apidoc/docs.go

7 changes: 4 additions & 3 deletions coderd/apidoc/swagger.json

1 change: 1 addition & 0 deletions coderd/database/dump.sql

@@ -0,0 +1,113 @@
-- Remove 'organization' from the app_sharing_level enum

-- Drop the view that depends on the templates table
DROP VIEW template_with_names;

CREATE TYPE new_app_sharing_level AS ENUM (
'owner',
'authenticated',
'public'
);

-- Update workspace_agent_port_share table to use old enum
-- Convert any 'organization' values to 'authenticated' during downgrade
ALTER TABLE workspace_agent_port_share
ALTER COLUMN share_level TYPE new_app_sharing_level USING (
CASE
WHEN share_level = 'organization' THEN 'authenticated'::new_app_sharing_level
ELSE share_level::text::new_app_sharing_level
END
);

-- Update workspace_apps table to use old enum
-- Convert any 'organization' values to 'authenticated' during downgrade
ALTER TABLE workspace_apps
ALTER COLUMN sharing_level DROP DEFAULT,
ALTER COLUMN sharing_level TYPE new_app_sharing_level USING (
CASE
WHEN sharing_level = 'organization' THEN 'authenticated'::new_app_sharing_level
ELSE sharing_level::text::new_app_sharing_level
END
),
ALTER COLUMN sharing_level SET DEFAULT 'owner'::new_app_sharing_level;

-- Update templates table to use old enum
-- Convert any 'organization' values to 'authenticated' during downgrade
ALTER TABLE templates
ALTER COLUMN max_port_sharing_level DROP DEFAULT,
ALTER COLUMN max_port_sharing_level TYPE new_app_sharing_level USING (
CASE
WHEN max_port_sharing_level = 'organization' THEN 'authenticated'::new_app_sharing_level
ELSE max_port_sharing_level::text::new_app_sharing_level
END
),
ALTER COLUMN max_port_sharing_level SET DEFAULT 'owner'::new_app_sharing_level;

-- Drop old enum and rename new one
DROP TYPE app_sharing_level;
ALTER TYPE new_app_sharing_level RENAME TO app_sharing_level;

-- Recreate the template_with_names view
CREATE VIEW template_with_names AS
SELECT
templates.id,
templates.created_at,
templates.updated_at,
templates.organization_id,
templates.deleted,
templates.name,
templates.provisioner,
templates.active_version_id,
templates.description,
templates.default_ttl,
templates.created_by,
templates.icon,
templates.user_acl,
templates.group_acl,
templates.display_name,
templates.allow_user_cancel_workspace_jobs,
templates.allow_user_autostart,
templates.allow_user_autostop,
templates.failure_ttl,
templates.time_til_dormant,
templates.time_til_dormant_autodelete,
templates.autostop_requirement_days_of_week,
templates.autostop_requirement_weeks,
templates.autostart_block_days_of_week,
templates.require_active_version,
templates.deprecated,
templates.activity_bump,
templates.max_port_sharing_level,
templates.use_classic_parameter_flow,
COALESCE(
visible_users.avatar_url,
''::text
) AS created_by_avatar_url,
COALESCE(
visible_users.username,
''::text
) AS created_by_username,
COALESCE(visible_users.name, ''::text) AS created_by_name,
COALESCE(organizations.name, ''::text) AS organization_name,
COALESCE(
organizations.display_name,
''::text
) AS organization_display_name,
COALESCE(organizations.icon, ''::text) AS organization_icon
FROM (
(
templates
LEFT JOIN visible_users ON (
(
templates.created_by = visible_users.id
)
)
)
LEFT JOIN organizations ON (
(
templates.organization_id = organizations.id
)
)
);

COMMENT ON VIEW template_with_names IS 'Joins in the display name information such as username, avatar, and organization name.';
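Review bot: The downgrade maps 'organization' to 'authenticated' in all three USING expressions (the CASE branches on share_level, sharing_level and max_port_sharing_level), which widens access on rollback: a port or app that was reachable only by members of the workspace's organization becomes reachable by every authenticated user of the deployment, and a template whose cap was 'organization' now permits 'authenticated' sharing. A rollback should fail closed, so mapping to the most restrictive value, `WHEN share_level = 'organization' THEN 'owner'::new_app_sharing_level` (and likewise for the other two columns), keeps anything that was organization-scoped from being exposed more widely, at the cost of owners having to re-share after a downgrade. Whichever direction is kept, the two comment lines above each ALTER should state why that direction was chosen, since it is a policy decision rather than a data-shape one. The commit list for this PR includes a later commit titled "tighten, don't loosen", which may already address this.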
@@ -0,0 +1,96 @@
-- Add 'organization' to the app_sharing_level enum

-- Drop the view that depends on the templates table
DROP VIEW template_with_names;

CREATE TYPE new_app_sharing_level AS ENUM (
'owner',
'authenticated',
'organization',
'public'
);

-- Update workspace_agent_port_share table to use new enum
ALTER TABLE workspace_agent_port_share
ALTER COLUMN share_level TYPE new_app_sharing_level USING (share_level::text::new_app_sharing_level);

-- Update workspace_apps table to use new enum
ALTER TABLE workspace_apps
ALTER COLUMN sharing_level DROP DEFAULT,
ALTER COLUMN sharing_level TYPE new_app_sharing_level USING (sharing_level::text::new_app_sharing_level),
ALTER COLUMN sharing_level SET DEFAULT 'owner'::new_app_sharing_level;

-- Update templates table to use new enum
ALTER TABLE templates
ALTER COLUMN max_port_sharing_level DROP DEFAULT,
ALTER COLUMN max_port_sharing_level TYPE new_app_sharing_level USING (max_port_sharing_level::text::new_app_sharing_level),
ALTER COLUMN max_port_sharing_level SET DEFAULT 'owner'::new_app_sharing_level;

-- Drop old enum and rename new one
DROP TYPE app_sharing_level;
ALTER TYPE new_app_sharing_level RENAME TO app_sharing_level;

-- Recreate the template_with_names view
CREATE VIEW template_with_names AS
SELECT
templates.id,
templates.created_at,
templates.updated_at,
templates.organization_id,
templates.deleted,
templates.name,
templates.provisioner,
templates.active_version_id,
templates.description,
templates.default_ttl,
templates.created_by,
templates.icon,
templates.user_acl,
templates.group_acl,
templates.display_name,
templates.allow_user_cancel_workspace_jobs,
templates.allow_user_autostart,
templates.allow_user_autostop,
templates.failure_ttl,
templates.time_til_dormant,
templates.time_til_dormant_autodelete,
templates.autostop_requirement_days_of_week,
templates.autostop_requirement_weeks,
templates.autostart_block_days_of_week,
templates.require_active_version,
templates.deprecated,
templates.activity_bump,
templates.max_port_sharing_level,
templates.use_classic_parameter_flow,
COALESCE(
visible_users.avatar_url,
''::text
) AS created_by_avatar_url,
COALESCE(
visible_users.username,
''::text
) AS created_by_username,
COALESCE(visible_users.name, ''::text) AS created_by_name,
COALESCE(organizations.name, ''::text) AS organization_name,
COALESCE(
organizations.display_name,
''::text
) AS organization_display_name,
COALESCE(organizations.icon, ''::text) AS organization_icon
FROM (
(
templates
LEFT JOIN visible_users ON (
(
templates.created_by = visible_users.id
)
)
)
LEFT JOIN organizations ON (
(
templates.organization_id = organizations.id
)
)
);

COMMENT ON VIEW template_with_names IS 'Joins in the display name information such as username, avatar, and organization name.';
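Review bot: 'organization' is declared after 'authenticated' in the new enum (the CREATE TYPE at the top of the hunk), but an organization's members are a subset of authenticated users, so in terms of exposure the value sits between 'owner' and 'authenticated', not between 'authenticated' and 'public'. Postgres orders enum values by declaration order, and one of the columns migrated here is named max_port_sharing_level; if that maximum is enforced anywhere by comparing levels (in SQL, or by a Go-side ordering mirrored from this enum — not visible from this hunk), a template capped at 'authenticated' would reject the stricter 'organization' level while a template capped at 'organization' would accept the looser 'authenticated'. Either declare the values as `'owner', 'organization', 'authenticated', 'public'` or add a comment beside the type stating that declaration order is not an exposure order and must not be used for comparisons. In either case a one-line comment on the new value, e.g. `-- 'organization': reachable by members of the workspace's organization`, would help the next reader, since the migration is the only place the value's meaning is declared.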
3 changes: 3 additions & 0 deletions coderd/database/models.go

47 changes: 47 additions & 0 deletions coderd/workspaceapps/db.go
Expand Up@@ -316,6 +316,32 @@ func (p *DBTokenProvider) authorizeRequest(ctx context.Context, roles *rbac.Subj
return false, warnings, nil
}

// For organization level path-based apps, block access if path app sharing is disabled
// and the user is not in the same organization
if isPathApp &&
sharingLevel == database.AppSharingLevelOrganization &&
!p.DeploymentValues.Dangerous.AllowPathAppSharing.Value() {
// Check if user is in the same organization as the workspace
workspaceOrgID := dbReq.Workspace.OrganizationID
inSameOrg := false
expandedRoles, err := roles.Roles.Expand()
if err != nil {
return false, warnings, xerrors.Errorf("expand roles: %w", err)
}
for _, role := range expandedRoles {
if _, ok := role.Org[workspaceOrgID.String()]; ok {
inSameOrg = true
break
}
}
if !inSameOrg {
if roles != nil && slices.Contains(roles.Roles.Names(), rbac.RoleOwner()) {
warnings = append(warnings, "path-based apps with \"organization\" share level are only accessible by organization members (see --dangerous-allow-path-app-sharing)")
}
return false, warnings, nil
}
}

// Figure out which RBAC resource to check. For terminals we use execution
// instead of application connect.
var (
Expand DownExpand Up@@ -354,6 +380,27 @@ func (p *DBTokenProvider) authorizeRequest(ctx context.Context, roles *rbac.Subj
if err == nil {
return true, []string{}, nil
}
case database.AppSharingLevelOrganization:
// Check if the user is a member of the same organization as the workspace
// First check if they have permission to connect to their own workspace (enforces scopes)
err := p.Authorizer.Authorize(ctx, *roles, rbacAction, rbacResourceOwned)
if err != nil {
return false, warnings, nil
}

// Check if the user is a member of the workspace's organization
workspaceOrgID := dbReq.Workspace.OrganizationID
expandedRoles, err := roles.Roles.Expand()
if err != nil {
return false, warnings, xerrors.Errorf("expand roles: %w", err)
}
for _, role := range expandedRoles {
if _, ok := role.Org[workspaceOrgID.String()]; ok {
return true, []string{}, nil
}
}
// User is not a member of the workspace's organization
return false, warnings, nil
case database.AppSharingLevelPublic:
// We don't really care about scopes and stuff if it's public anyways.
// Someone with a restricted-scope API key could just not submit the API
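Review bot: The `roles != nil` guard on the owner-warning line in the first hunk comes after `roles.Roles.Expand()` has already dereferenced `roles`, so it is either dead or in the wrong place, and the second hunk dereferences `*roles` with no guard at all; if a nil subject is possible the check belongs at the top of authorizeRequest (whose body begins and ends outside these hunks), otherwise drop it. The expand-roles-and-scan-for-org loop is copied verbatim in both hunks; a small helper keeps the two paths from drifting and gives the membership rule one place to be documented (below). It is also worth confirming how the first hunk interacts with the path-app check that precedes it outside the hunk: if that check already rejects every non-owner sharing level when `Dangerous.AllowPathAppSharing` is off, the new organization branch is unreachable, and if it was relaxed to let 'organization' through, organization members now reach path-based apps on the shared origin with the flag off, which is the cross-user exposure that flag gates.
```go
// isOrgMember reports whether any of the subject's expanded roles is scoped to
// orgID (the string form of the organization's ID). Only entries in role.Org are
// consulted — NOTE(review): site-wide roles are therefore not treated as
// membership; confirm that is the intended rule.
func isOrgMember(roles *rbac.Subject, orgID string) (bool, error) {
	expanded, err := roles.Roles.Expand()
	if err != nil {
		return false, xerrors.Errorf("expand roles: %w", err)
	}
	for _, role := range expanded {
		if _, ok := role.Org[orgID]; ok {
			return true, nil
		}
	}
	return false, nil
}

// … in authorizeRequest, first hunk, replacing the inline loop …
	inSameOrg, err := isOrgMember(roles, dbReq.Workspace.OrganizationID.String())
	if err != nil {
		return false, warnings, err
	}
	// … unchanged: owner warning and `return false, warnings, nil` when !inSameOrg …

// … second hunk, case database.AppSharingLevelOrganization, after the owned-resource check …
	inSameOrg, err := isOrgMember(roles, dbReq.Workspace.OrganizationID.String())
	if err != nil {
		return false, warnings, err
	}
	if inSameOrg {
		return true, []string{}, nil
	}
	// User is not a member of the workspace's organization
	return false, warnings, nil
```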