NotificationsYou must be signed in to change notification settings
Fork928
Star10.1k

Commit0d1096d

authored

feat: add auditing for groups (#4527)

- Clean up `database.TemplateACL` implementation.

1 parentd4585fe commit0d1096dCopy full SHA for 0d1096d

File tree

27 files changed

+405

-213

lines changed

coderd
- audit
  - diff.go
  - request.go
- database
  - databasefake
    - databasefake.go
  - drivers.go
  - dump.sql
  - migrations
    - 000063_resource_type_group.down.sql
    - 000063_resource_type_group.up.sql
  - modelmethods.go
  - modelqueries.go
  - models.go
  - querier.go
  - queries
    - templates.sql
  - queries.sql.go
  - sqlc.yaml
- templates.go
codersdk
- audit.go
enterprise
- audit
  - diff.go
  - table.go
- cli
  - server.go
- coderd
go.mod
site/src/api
- typesGenerated.ts

27 files changed

+405

-213

lines changed

`‎coderd/audit/diff.go`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,8 @@ type Auditable interface {`
`15`	`15`	`database.TemplateVersion\|`
`16`	`16`	`database.User\|`
`17`	`17`	`database.Workspace\|`
`18`		`-database.GitSSHKey`
	`18`	`+database.GitSSHKey\|`
	`19`	`+database.Group`
`19`	`20`	`}`
`20`	`21`
`21`	`22`	`// Map is a map of changed fields in an audited resource. It maps field names to`

`‎coderd/audit/request.go`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,8 @@ func ResourceTarget[T Auditable](tgt T) string {`
`45`	`45`	`returntyped.Name`
`46`	`46`	`case database.GitSSHKey:`
`47`	`47`	`returntyped.PublicKey`
	`48`	`+case database.Group:`
	`49`	`+returntyped.Name`
`48`	`50`	`default:`
`49`	`51`	`panic(fmt.Sprintf("unknown resource %T",tgt))`
`50`	`52`	`}`
`@@ -64,6 +66,8 @@ func ResourceID[T Auditable](tgt T) uuid.UUID {`
`64`	`66`	`returntyped.ID`
`65`	`67`	`case database.GitSSHKey:`
`66`	`68`	`returntyped.UserID`
	`69`	`+case database.Group:`
	`70`	`+returntyped.ID`
`67`	`71`	`default:`
`68`	`72`	`panic(fmt.Sprintf("unknown resource %T",tgt))`
`69`	`73`	`}`
`@@ -83,6 +87,8 @@ func ResourceType[T Auditable](tgt T) database.ResourceType {`
`83`	`87`	`returndatabase.ResourceTypeWorkspace`
`84`	`88`	`case database.GitSSHKey:`
`85`	`89`	`returndatabase.ResourceTypeGitSshKey`
	`90`	`+case database.Group:`
	`91`	`+returndatabase.ResourceTypeGroup`
`86`	`92`	`default:`
`87`	`93`	`panic(fmt.Sprintf("unknown resource %T",tgt))`
`88`	`94`	`}`

`‎coderd/database/databasefake/databasefake.go`

Lines changed: 23 additions & 40 deletions

Original file line number	Diff line number	Diff line change
`@@ -1457,34 +1457,6 @@ func (q *fakeQuerier) GetTemplates(_ context.Context) ([]database.Template, erro`
`1457`	`1457`	`returntemplates,nil`
`1458`	`1458`	`}`
`1459`	`1459`
`1460`		`-func (q*fakeQuerier)UpdateTemplateUserACLByID(_ context.Context,id uuid.UUID,acl database.TemplateACL)error {`
`1461`		`-q.mutex.RLock()`
`1462`		`-deferq.mutex.RUnlock()`
`1463`		`-`
`1464`		`-fori,t:=rangeq.templates {`
`1465`		`-ift.ID==id {`
`1466`		`-t=t.SetUserACL(acl)`
`1467`		`-q.templates[i]=t`
`1468`		`-returnnil`
`1469`		`-}`
`1470`		`-}`
`1471`		`-returnsql.ErrNoRows`
`1472`		`-}`
`1473`		`-`
`1474`		`-func (q*fakeQuerier)UpdateTemplateGroupACLByID(_ context.Context,id uuid.UUID,acl database.TemplateACL)error {`
`1475`		`-q.mutex.RLock()`
`1476`		`-deferq.mutex.RUnlock()`
`1477`		`-`
`1478`		`-fori,t:=rangeq.templates {`
`1479`		`-ift.ID==id {`
`1480`		`-t=t.SetGroupACL(acl)`
`1481`		`-q.templates[i]=t`
`1482`		`-returnnil`
`1483`		`-}`
`1484`		`-}`
`1485`		`-returnsql.ErrNoRows`
`1486`		`-}`
`1487`		`-`
`1488`	`1460`	`func (q*fakeQuerier)GetTemplateUserRoles(_ context.Context,id uuid.UUID) ([]database.TemplateUser,error) {`
`1489`	`1461`	`q.mutex.RLock()`
`1490`	`1462`	`deferq.mutex.RUnlock()`
`@@ -1501,10 +1473,8 @@ func (q *fakeQuerier) GetTemplateUserRoles(_ context.Context, id uuid.UUID) ([]d`
`1501`	`1473`	`returnnil,sql.ErrNoRows`
`1502`	`1474`	`}`
`1503`	`1475`
`1504`		`-acl:=template.UserACL()`
`1505`		`-`
`1506`		`-users:=make([]database.TemplateUser,0,len(acl))`
`1507`		`-fork,v:=rangeacl {`
	`1476`	`+users:=make([]database.TemplateUser,0,len(template.UserACL))`
	`1477`	`+fork,v:=rangetemplate.UserACL {`
`1508`	`1478`	`user,err:=q.GetUserByID(context.Background(),uuid.MustParse(k))`
`1509`	`1479`	`iferr!=nil&&xerrors.Is(err,sql.ErrNoRows) {`
`1510`	`1480`	`returnnil,xerrors.Errorf("get user by ID: %w",err)`
`@@ -1544,10 +1514,8 @@ func (q *fakeQuerier) GetTemplateGroupRoles(_ context.Context, id uuid.UUID) ([]`
`1544`	`1514`	`returnnil,sql.ErrNoRows`
`1545`	`1515`	`}`
`1546`	`1516`
`1547`		`-acl:=template.GroupACL()`
`1548`		`-`
`1549`		`-groups:=make([]database.TemplateGroup,0,len(acl))`
`1550`		`-fork,v:=rangeacl {`
	`1517`	`+groups:=make([]database.TemplateGroup,0,len(template.GroupACL))`
	`1518`	`+fork,v:=rangetemplate.GroupACL {`
`1551`	`1519`	`group,err:=q.GetGroupByID(context.Background(),uuid.MustParse(k))`
`1552`	`1520`	`iferr!=nil&&!xerrors.Is(err,sql.ErrNoRows) {`
`1553`	`1521`	`returnnil,xerrors.Errorf("get group by ID: %w",err)`
`@@ -2047,11 +2015,9 @@ func (q *fakeQuerier) InsertTemplate(_ context.Context, arg database.InsertTempl`
`2047`	`2015`	`MaxTtl:arg.MaxTtl,`
`2048`	`2016`	`MinAutostartInterval:arg.MinAutostartInterval,`
`2049`	`2017`	`CreatedBy:arg.CreatedBy,`
	`2018`	`+UserACL:arg.UserACL,`
	`2019`	`+GroupACL:arg.GroupACL,`
`2050`	`2020`	`}`
`2051`		`-template=template.SetUserACL(database.TemplateACL{})`
`2052`		`-template=template.SetGroupACL(database.TemplateACL{`
`2053`		`-arg.OrganizationID.String(): []rbac.Action{rbac.ActionRead},`
`2054`		`-})`
`2055`	`2021`	`q.templates=append(q.templates,template)`
`2056`	`2022`	`returntemplate,nil`
`2057`	`2023`	`}`
`@@ -2470,6 +2436,23 @@ func (q *fakeQuerier) UpdateTemplateDeletedByID(_ context.Context, arg database.`
`2470`	`2436`	`returnsql.ErrNoRows`
`2471`	`2437`	`}`
`2472`	`2438`
	`2439`	`+func (q*fakeQuerier)UpdateTemplateACLByID(_ context.Context,arg database.UpdateTemplateACLByIDParams) (database.Template,error) {`
	`2440`	`+q.mutex.Lock()`
	`2441`	`+deferq.mutex.Unlock()`
	`2442`	`+`
	`2443`	`+fori,template:=rangeq.templates {`
	`2444`	`+iftemplate.ID==arg.ID {`
	`2445`	`+template.GroupACL=arg.GroupACL`
	`2446`	`+template.UserACL=arg.UserACL`
	`2447`	`+`
	`2448`	`+q.templates[i]=template`
	`2449`	`+returntemplate,nil`
	`2450`	`+}`
	`2451`	`+}`
	`2452`	`+`
	`2453`	`+return database.Template{},sql.ErrNoRows`
	`2454`	`+}`
	`2455`	`+`
`2473`	`2456`	`func (q*fakeQuerier)UpdateTemplateVersionByID(_ context.Context,arg database.UpdateTemplateVersionByIDParams)error {`
`2474`	`2457`	`q.mutex.Lock()`
`2475`	`2458`	`deferq.mutex.Unlock()`

`‎coderd/database/drivers.go`

Lines changed: 19 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -24,3 +24,22 @@ func (a *Actions) Scan(src interface{}) error {`
`24`	`24`	`func (a*Actions)Value() (driver.Value,error) {`
`25`	`25`	`returnjson.Marshal(a)`
`26`	`26`	`}`
	`27`	`+`
	`28`	`+// TemplateACL is a map of ids to permissions.`
	`29`	`+typeTemplateACLmap[string][]rbac.Action`
	`30`	`+`
	`31`	`+func (t*TemplateACL)Scan(srcinterface{})error {`
	`32`	`+switchv:=src.(type) {`
	`33`	`+casestring:`
	`34`	`+returnjson.Unmarshal([]byte(v),&t)`
	`35`	`+case []byte, json.RawMessage:`
	`36`	`+//nolint`
	`37`	`+returnjson.Unmarshal(v.([]byte),&t)`
	`38`	`+}`
	`39`	`+`
	`40`	`+returnxerrors.Errorf("unexpected type %T",src)`
	`41`	`+}`
	`42`	`+`
	`43`	`+func (tTemplateACL)Value() (driver.Value,error) {`
	`44`	`+returnjson.Marshal(t)`
	`45`	`+}`

`‎coderd/database/dump.sql`

Lines changed: 2 additions & 1 deletion

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/migrations/000063_resource_type_group.down.sql`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+-- You cannot safely remove values from enums https://www.postgresql.org/docs/current/datatype-enum.html`
	`2`	`+-- You cannot create a new type and do a rename because objects depend on this type now.`

`‎coderd/database/migrations/000063_resource_type_group.up.sql`

Lines changed: 5 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,5 @@`
	`1`	`+BEGIN;`
	`2`	`+`
	`3`	`+ALTERTYPE resource_type ADD VALUE IF NOT EXISTS'group';`
	`4`	`+`
	`5`	`+COMMIT;`

`‎coderd/database/modelmethods.go`

Lines changed: 2 additions & 56 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,65 +1,11 @@`
`1`	`1`	`package database`
`2`	`2`
`3`	`3`	`import (`
`4`		`-"encoding/json"`
`5`		`-"fmt"`
`6`		`-`
`7`	`4`	`"github.com/coder/coder/coderd/rbac"`
`8`	`5`	`)`
`9`	`6`
`10`	`7`	`constAllUsersGroup="Everyone"`
`11`	`8`
`12`		`-// TemplateACL is a map of user_ids to permissions.`
`13`		`-typeTemplateACLmap[string][]rbac.Action`
`14`		`-`
`15`		`-func (tTemplate)UserACL()TemplateACL {`
`16`		`-varaclTemplateACL`
`17`		`-iflen(t.userACL)==0 {`
`18`		`-returnacl`
`19`		`-}`
`20`		`-`
`21`		`-err:=json.Unmarshal(t.userACL,&acl)`
`22`		`-iferr!=nil {`
`23`		`-panic(fmt.Sprintf("failed to unmarshal template.userACL: %v",err.Error()))`
`24`		`-}`
`25`		`-`
`26`		`-returnacl`
`27`		`-}`
`28`		`-`
`29`		`-func (tTemplate)GroupACL()TemplateACL {`
`30`		`-varaclTemplateACL`
`31`		`-iflen(t.groupACL)==0 {`
`32`		`-returnacl`
`33`		`-}`
`34`		`-`
`35`		`-err:=json.Unmarshal(t.groupACL,&acl)`
`36`		`-iferr!=nil {`
`37`		`-panic(fmt.Sprintf("failed to unmarshal template.userACL: %v",err.Error()))`
`38`		`-}`
`39`		`-`
`40`		`-returnacl`
`41`		`-}`
`42`		`-`
`43`		`-func (tTemplate)SetGroupACL(aclTemplateACL)Template {`
`44`		`-raw,err:=json.Marshal(acl)`
`45`		`-iferr!=nil {`
`46`		`-panic(fmt.Sprintf("marshal user acl: %v",err))`
`47`		`-}`
`48`		`-`
`49`		`-t.groupACL=raw`
`50`		`-returnt`
`51`		`-}`
`52`		`-`
`53`		`-func (tTemplate)SetUserACL(aclTemplateACL)Template {`
`54`		`-raw,err:=json.Marshal(acl)`
`55`		`-iferr!=nil {`
`56`		`-panic(fmt.Sprintf("marshal user acl: %v",err))`
`57`		`-}`
`58`		`-`
`59`		`-t.userACL=raw`
`60`		`-returnt`
`61`		`-}`
`62`		`-`
`63`	`9`	`func (sAPIKeyScope)ToRBAC() rbac.Scope {`
`64`	`10`	`switchs {`
`65`	`11`	`caseAPIKeyScopeAll:`
`@@ -74,8 +20,8 @@ func (s APIKeyScope) ToRBAC() rbac.Scope {`
`74`	`20`	`func (tTemplate)RBACObject() rbac.Object {`
`75`	`21`	`obj:=rbac.ResourceTemplate`
`76`	`22`	`returnobj.InOrg(t.OrganizationID).`
`77`		`-WithACLUserList(t.UserACL()).`
`78`		`-WithGroupACL(t.GroupACL())`
	`23`	`+WithACLUserList(t.UserACL).`
	`24`	`+WithGroupACL(t.GroupACL)`
`79`	`25`	`}`
`80`	`26`
`81`	`27`	`func (TemplateVersion)RBACObject(templateTemplate) rbac.Object {`

`‎coderd/database/modelqueries.go`

Lines changed: 0 additions & 47 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,6 @@ package database`
`2`	`2`
`3`	`3`	`import (`
`4`	`4`	`"context"`
`5`		`-"encoding/json"`
`6`	`5`	`"fmt"`
`7`	`6`	`"strings"`
`8`	`7`
`@@ -23,8 +22,6 @@ type customQuerier interface {`
`23`	`22`	`}`
`24`	`23`
`25`	`24`	`typetemplateQuerierinterface {`
`26`		`-UpdateTemplateUserACLByID(ctx context.Context,id uuid.UUID,aclTemplateACL)error`
`27`		`-UpdateTemplateGroupACLByID(ctx context.Context,id uuid.UUID,aclTemplateACL)error`
`28`	`25`	`GetTemplateGroupRoles(ctx context.Context,id uuid.UUID) ([]TemplateGroup,error)`
`29`	`26`	`GetTemplateUserRoles(ctx context.Context,id uuid.UUID) ([]TemplateUser,error)`
`30`	`27`	`}`
`@@ -34,28 +31,6 @@ type TemplateUser struct {`
`34`	`31`	ActionsActions`db:"actions"`
`35`	`32`	`}`
`36`	`33`
`37`		`-func (q*sqlQuerier)UpdateTemplateUserACLByID(ctx context.Context,id uuid.UUID,aclTemplateACL)error {`
`38`		`-raw,err:=json.Marshal(acl)`
`39`		`-iferr!=nil {`
`40`		`-returnxerrors.Errorf("marshal user acl: %w",err)`
`41`		`-}`
`42`		`-`
`43`		-constquery=`
`44`		`-UPDATE`
`45`		`-templates`
`46`		`-SET`
`47`		`-user_acl = $2`
`48`		`-WHERE`
`49`		-id = $1`
`50`		`-`
`51`		`-_,err=q.db.ExecContext(ctx,query,id.String(),raw)`
`52`		`-iferr!=nil {`
`53`		`-returnxerrors.Errorf("update user acl: %w",err)`
`54`		`-}`
`55`		`-`
`56`		`-returnnil`
`57`		`-}`
`58`		`-`
`59`	`34`	`func (q*sqlQuerier)GetTemplateUserRoles(ctx context.Context,id uuid.UUID) ([]TemplateUser,error) {`
`60`	`35`	constquery=`
`61`	`36`	`SELECT`
`@@ -100,28 +75,6 @@ type TemplateGroup struct {`
`100`	`75`	ActionsActions`db:"actions"`
`101`	`76`	`}`
`102`	`77`
`103`		`-func (q*sqlQuerier)UpdateTemplateGroupACLByID(ctx context.Context,id uuid.UUID,aclTemplateACL)error {`
`104`		`-raw,err:=json.Marshal(acl)`
`105`		`-iferr!=nil {`
`106`		`-returnxerrors.Errorf("marshal user acl: %w",err)`
`107`		`-}`
`108`		`-`
`109`		-constquery=`
`110`		`-UPDATE`
`111`		`-templates`
`112`		`-SET`
`113`		`-group_acl = $2`
`114`		`-WHERE`
`115`		-id = $1`
`116`		`-`
`117`		`-_,err=q.db.ExecContext(ctx,query,id.String(),raw)`
`118`		`-iferr!=nil {`
`119`		`-returnxerrors.Errorf("update user acl: %w",err)`
`120`		`-}`
`121`		`-`
`122`		`-returnnil`
`123`		`-}`
`124`		`-`
`125`	`78`	`func (q*sqlQuerier)GetTemplateGroupRoles(ctx context.Context,id uuid.UUID) ([]TemplateGroup,error) {`
`126`	`79`	constquery=`
`127`	`80`	`SELECT`

`‎coderd/database/models.go`

Lines changed: 3 additions & 2 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/querier.go`

Lines changed: 1 addition & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit0d1096d

File tree

27 files changed

27 files changed

`‎coderd/audit/diff.go`

`‎coderd/audit/request.go`

`‎coderd/database/databasefake/databasefake.go`

`‎coderd/database/drivers.go`

`‎coderd/database/dump.sql`

`‎coderd/database/migrations/000063_resource_type_group.down.sql`

`‎coderd/database/migrations/000063_resource_type_group.up.sql`

`‎coderd/database/modelmethods.go`

`‎coderd/database/modelqueries.go`

`‎coderd/database/models.go`

`‎coderd/database/querier.go`

0 commit comments