NotificationsYou must be signed in to change notification settings
Fork1k
Star11.2k

Commit18b809c

committed

taking a step back with RBAC

1 parent8d4fa5a commit18b809cCopy full SHA for 18b809c

File tree

4 files changed

+54

-48

lines changed

coderd/database
- dbauthz
  - dbauthz.go
  - dbauthz_test.go
- queries.sql.go
site/src/api
- rbacresourcesGenerated.ts

4 files changed

+54

-48

lines changed

`‎coderd/database/dbauthz/dbauthz.go‎`

Lines changed: 41 additions & 36 deletions

Original file line number	Diff line number	Diff line change
`@@ -1088,9 +1088,9 @@ func (q *querier) AcquireNotificationMessages(ctx context.Context, arg database.`
`1088`	`1088`	`}`
`1089`	`1089`
`1090`	`1090`	`func (q*querier)AcquireProvisionerJob(ctx context.Context,arg database.AcquireProvisionerJobParams) (database.ProvisionerJob,error) {`
`1091`		`-iferr:=q.authorizeContext(ctx,policy.ActionUpdate,rbac.ResourceProvisionerJobs);err!=nil {`
`1092`		`-return database.ProvisionerJob{},err`
`1093`		`-}`
	`1091`	`+//if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {`
	`1092`	`+//return database.ProvisionerJob{}, err`
	`1093`	`+//}`
`1094`	`1094`	`returnq.db.AcquireProvisionerJob(ctx,arg)`
`1095`	`1095`	`}`
`1096`	`1096`
`@@ -2309,30 +2309,31 @@ func (q *querier) GetProvisionerJobTimingsByJobID(ctx context.Context, jobID uui`
`2309`	`2309`	`}`
`2310`	`2310`
`2311`	`2311`	`func (q*querier)GetProvisionerJobsByIDs(ctx context.Context,ids []uuid.UUID) ([]database.ProvisionerJob,error) {`
`2312`		`-iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceProvisionerJobs);err!=nil {`
`2313`		`-returnnil,err`
`2314`		`-}`
	`2312`	`+//if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {`
	`2313`	`+//return nil, err`
	`2314`	`+//}`
`2315`	`2315`	`returnq.db.GetProvisionerJobsByIDs(ctx,ids)`
`2316`	`2316`	`}`
`2317`	`2317`
`2318`	`2318`	`func (q*querier)GetProvisionerJobsByIDsWithQueuePosition(ctx context.Context,ids []uuid.UUID) ([]database.GetProvisionerJobsByIDsWithQueuePositionRow,error) {`
`2319`		`-iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceProvisionerJobs);err!=nil {`
`2320`		`-returnnil,err`
`2321`		`-}`
	`2319`	`+// if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {`
	`2320`	`+// return nil, err`
	`2321`	`+// }`
	`2322`	`+// policy.ActionRead, rbac.ResourceProvisionerJobs.InOrg(org.ID)`
`2322`	`2323`	`returnq.db.GetProvisionerJobsByIDsWithQueuePosition(ctx,ids)`
`2323`	`2324`	`}`
`2324`	`2325`
`2325`	`2326`	`func (q*querier)GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisioner(ctx context.Context,arg database.GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisionerParams) ([]database.GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisionerRow,error) {`
`2326`		`-iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceProvisionerJobs);err!=nil {`
`2327`		`-returnnil,err`
`2328`		`-}`
	`2327`	`+//if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {`
	`2328`	`+//return nil, err`
	`2329`	`+//}`
`2329`	`2330`	`returnfetchWithPostFilter(q.auth,policy.ActionRead,q.db.GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisioner)(ctx,arg)`
`2330`	`2331`	`}`
`2331`	`2332`
`2332`	`2333`	`func (q*querier)GetProvisionerJobsCreatedAfter(ctx context.Context,createdAt time.Time) ([]database.ProvisionerJob,error) {`
`2333`		`-iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceProvisionerJobs);err!=nil {`
`2334`		`-returnnil,err`
`2335`		`-}`
	`2334`	`+//if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceProvisionerJobs); err != nil {`
	`2335`	`+//return nil, err`
	`2336`	`+//}`
`2336`	`2337`	`returnq.db.GetProvisionerJobsCreatedAfter(ctx,createdAt)`
`2337`	`2338`	`}`
`2338`	`2339`
`@@ -3528,23 +3529,27 @@ func (q *querier) InsertPresetParameters(ctx context.Context, arg database.Inser`
`3528`	`3529`	`}`
`3529`	`3530`
`3530`	`3531`	`func (q*querier)InsertProvisionerJob(ctx context.Context,arg database.InsertProvisionerJobParams) (database.ProvisionerJob,error) {`
`3531`		`-iferr:=q.authorizeContext(ctx,policy.ActionCreate,rbac.ResourceProvisionerJobs);err!=nil {`
`3532`		`-return database.ProvisionerJob{},err`
`3533`		`-}`
	`3532`	`+// TODO: Remove this once we have a proper rbac check for provisioner jobs.`
	`3533`	`+// Currently ProvisionerJobs are not associated with a user, so we can't`
	`3534`	`+// check for a user's permissions. We'd need to check for the associated workspace`
	`3535`	`+// and verify ownership through that.`
	`3536`	`+// if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceProvisionerJobs); err != nil {`
	`3537`	`+// return database.ProvisionerJob{}, err`
	`3538`	`+// }`
`3534`	`3539`	`returnq.db.InsertProvisionerJob(ctx,arg)`
`3535`	`3540`	`}`
`3536`	`3541`
`3537`	`3542`	`func (q*querier)InsertProvisionerJobLogs(ctx context.Context,arg database.InsertProvisionerJobLogsParams) ([]database.ProvisionerJobLog,error) {`
`3538`		`-iferr:=q.authorizeContext(ctx,policy.ActionUpdate,rbac.ResourceProvisionerJobs);err!=nil {`
`3539`		`-returnnil,err`
`3540`		`-}`
	`3543`	`+//if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {`
	`3544`	`+//return nil, err`
	`3545`	`+//}`
`3541`	`3546`	`returnq.db.InsertProvisionerJobLogs(ctx,arg)`
`3542`	`3547`	`}`
`3543`	`3548`
`3544`	`3549`	`func (q*querier)InsertProvisionerJobTimings(ctx context.Context,arg database.InsertProvisionerJobTimingsParams) ([]database.ProvisionerJobTiming,error) {`
`3545`		`-iferr:=q.authorizeContext(ctx,policy.ActionUpdate,rbac.ResourceProvisionerJobs);err!=nil {`
`3546`		`-returnnil,err`
`3547`		`-}`
	`3550`	`+//if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {`
	`3551`	`+//return nil, err`
	`3552`	`+//}`
`3548`	`3553`	`returnq.db.InsertProvisionerJobTimings(ctx,arg)`
`3549`	`3554`	`}`
`3550`	`3555`
`@@ -4168,16 +4173,16 @@ func (q *querier) UpdateProvisionerDaemonLastSeenAt(ctx context.Context, arg dat`
`4168`	`4173`	`}`
`4169`	`4174`
`4170`	`4175`	`func (q*querier)UpdateProvisionerJobByID(ctx context.Context,arg database.UpdateProvisionerJobByIDParams)error {`
`4171`		`-iferr:=q.authorizeContext(ctx,policy.ActionUpdate,rbac.ResourceProvisionerJobs);err!=nil {`
`4172`		`-returnerr`
`4173`		`-}`
	`4176`	`+//if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {`
	`4177`	`+//return err`
	`4178`	`+//}`
`4174`	`4179`	`returnq.db.UpdateProvisionerJobByID(ctx,arg)`
`4175`	`4180`	`}`
`4176`	`4181`
`4177`	`4182`	`func (q*querier)UpdateProvisionerJobWithCancelByID(ctx context.Context,arg database.UpdateProvisionerJobWithCancelByIDParams)error {`
`4178`		`-iferr:=q.authorizeContext(ctx,policy.ActionUpdate,rbac.ResourceProvisionerJobs);err!=nil {`
`4179`		`-returnerr`
`4180`		`-}`
	`4183`	`+//if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {`
	`4184`	`+//return err`
	`4185`	`+//}`
`4181`	`4186`
`4182`	`4187`	`job,err:=q.db.GetProvisionerJobByID(ctx,arg.ID)`
`4183`	`4188`	`iferr!=nil {`
`@@ -4246,16 +4251,16 @@ func (q *querier) UpdateProvisionerJobWithCancelByID(ctx context.Context, arg da`
`4246`	`4251`	`}`
`4247`	`4252`
`4248`	`4253`	`func (q*querier)UpdateProvisionerJobWithCompleteByID(ctx context.Context,arg database.UpdateProvisionerJobWithCompleteByIDParams)error {`
`4249`		`-iferr:=q.authorizeContext(ctx,policy.ActionUpdate,rbac.ResourceProvisionerJobs);err!=nil {`
`4250`		`-returnerr`
`4251`		`-}`
	`4254`	`+//if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {`
	`4255`	`+//return err`
	`4256`	`+//}`
`4252`	`4257`	`returnq.db.UpdateProvisionerJobWithCompleteByID(ctx,arg)`
`4253`	`4258`	`}`
`4254`	`4259`
`4255`	`4260`	`func (q*querier)UpdateProvisionerJobWithCompleteWithStartedAtByID(ctx context.Context,arg database.UpdateProvisionerJobWithCompleteWithStartedAtByIDParams)error {`
`4256`		`-iferr:=q.authorizeContext(ctx,policy.ActionUpdate,rbac.ResourceProvisionerJobs);err!=nil {`
`4257`		`-returnerr`
`4258`		`-}`
	`4261`	`+//if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceProvisionerJobs); err != nil {`
	`4262`	`+//return err`
	`4263`	`+//}`
`4259`	`4264`	`returnq.db.UpdateProvisionerJobWithCompleteWithStartedAtByID(ctx,arg)`
`4260`	`4265`	`}`
`4261`	`4266`

`‎coderd/database/dbauthz/dbauthz_test.go‎`

Lines changed: 10 additions & 10 deletions

Original file line number	Diff line number	Diff line change
`@@ -3892,7 +3892,7 @@ func (s *MethodTestSuite) TestSystemFunctions() {`
`3892`	`3892`	`}))`
`3893`	`3893`	`s.Run("GetProvisionerJobsCreatedAfter",s.Subtest(func(db database.Store,check*expects) {`
`3894`	`3894`	`_=dbgen.ProvisionerJob(s.T(),db,nil, database.ProvisionerJob{CreatedAt:time.Now().Add(-time.Hour)})`
`3895`		`-check.Args(time.Now()).Asserts(rbac.ResourceProvisionerJobs,policy.ActionRead)`
	`3895`	`+check.Args(time.Now()).Asserts(/rbac.ResourceProvisionerJobs, policy.ActionRead /)`
`3896`	`3896`	`}))`
`3897`	`3897`	`s.Run("GetTemplateVersionsByIDs",s.Subtest(func(db database.Store,check*expects) {`
`3898`	`3898`	`dbtestutil.DisableForeignKeysAndTriggers(s.T(),db)`
`@@ -3978,7 +3978,7 @@ func (s *MethodTestSuite) TestSystemFunctions() {`
`3978`	`3978`	`a:=dbgen.ProvisionerJob(s.T(),db,nil, database.ProvisionerJob{})`
`3979`	`3979`	`b:=dbgen.ProvisionerJob(s.T(),db,nil, database.ProvisionerJob{})`
`3980`	`3980`	`check.Args([]uuid.UUID{a.ID,b.ID}).`
`3981`		`-Asserts(rbac.ResourceProvisionerJobs,policy.ActionRead).`
	`3981`	`+Asserts(/rbac.ResourceProvisionerJobs, policy.ActionRead /).`
`3982`	`3982`	`Returns(slice.New(a,b))`
`3983`	`3983`	`}))`
`3984`	`3984`	`s.Run("InsertWorkspaceAgent",s.Subtest(func(db database.Store,check*expects) {`
`@@ -4022,26 +4022,26 @@ func (s *MethodTestSuite) TestSystemFunctions() {`
`4022`	`4022`	`OrganizationID:j.OrganizationID,`
`4023`	`4023`	`Types: []database.ProvisionerType{j.Provisioner},`
`4024`	`4024`	`ProvisionerTags:must(json.Marshal(j.Tags)),`
`4025`		`-}).Asserts(rbac.ResourceProvisionerJobs,policy.ActionUpdate)`
	`4025`	`+}).Asserts(/rbac.ResourceProvisionerJobs, policy.ActionUpdate /)`
`4026`	`4026`	`}))`
`4027`	`4027`	`s.Run("UpdateProvisionerJobWithCompleteByID",s.Subtest(func(db database.Store,check*expects) {`
`4028`	`4028`	`j:=dbgen.ProvisionerJob(s.T(),db,nil, database.ProvisionerJob{})`
`4029`	`4029`	`check.Args(database.UpdateProvisionerJobWithCompleteByIDParams{`
`4030`	`4030`	`ID:j.ID,`
`4031`		`-}).Asserts(rbac.ResourceProvisionerJobs,policy.ActionUpdate)`
	`4031`	`+}).Asserts(/rbac.ResourceProvisionerJobs, policy.ActionUpdate /)`
`4032`	`4032`	`}))`
`4033`	`4033`	`s.Run("UpdateProvisionerJobWithCompleteWithStartedAtByID",s.Subtest(func(db database.Store,check*expects) {`
`4034`	`4034`	`j:=dbgen.ProvisionerJob(s.T(),db,nil, database.ProvisionerJob{})`
`4035`	`4035`	`check.Args(database.UpdateProvisionerJobWithCompleteWithStartedAtByIDParams{`
`4036`	`4036`	`ID:j.ID,`
`4037`		`-}).Asserts(rbac.ResourceProvisionerJobs,policy.ActionUpdate)`
	`4037`	`+}).Asserts(/rbac.ResourceProvisionerJobs, policy.ActionUpdate /)`
`4038`	`4038`	`}))`
`4039`	`4039`	`s.Run("UpdateProvisionerJobByID",s.Subtest(func(db database.Store,check*expects) {`
`4040`	`4040`	`j:=dbgen.ProvisionerJob(s.T(),db,nil, database.ProvisionerJob{})`
`4041`	`4041`	`check.Args(database.UpdateProvisionerJobByIDParams{`
`4042`	`4042`	`ID:j.ID,`
`4043`	`4043`	`UpdatedAt:time.Now(),`
`4044`		`-}).Asserts(rbac.ResourceProvisionerJobs,policy.ActionUpdate)`
	`4044`	`+}).Asserts(/rbac.ResourceProvisionerJobs, policy.ActionUpdate /)`
`4045`	`4045`	`}))`
`4046`	`4046`	`s.Run("InsertProvisionerJob",s.Subtest(func(db database.Store,check*expects) {`
`4047`	`4047`	`dbtestutil.DisableForeignKeysAndTriggers(s.T(),db)`
`@@ -4051,19 +4051,19 @@ func (s *MethodTestSuite) TestSystemFunctions() {`
`4051`	`4051`	`StorageMethod:database.ProvisionerStorageMethodFile,`
`4052`	`4052`	`Type:database.ProvisionerJobTypeWorkspaceBuild,`
`4053`	`4053`	`Input:json.RawMessage("{}"),`
`4054`		`-}).Asserts(rbac.ResourceProvisionerJobs,policy.ActionCreate)`
	`4054`	`+}).Asserts(/rbac.ResourceProvisionerJobs, policy.ActionCreate /)`
`4055`	`4055`	`}))`
`4056`	`4056`	`s.Run("InsertProvisionerJobLogs",s.Subtest(func(db database.Store,check*expects) {`
`4057`	`4057`	`j:=dbgen.ProvisionerJob(s.T(),db,nil, database.ProvisionerJob{})`
`4058`	`4058`	`check.Args(database.InsertProvisionerJobLogsParams{`
`4059`	`4059`	`JobID:j.ID,`
`4060`		`-}).Asserts(rbac.ResourceProvisionerJobs,policy.ActionUpdate)`
	`4060`	`+}).Asserts(/rbac.ResourceProvisionerJobs, policy.ActionUpdate /)`
`4061`	`4061`	`}))`
`4062`	`4062`	`s.Run("InsertProvisionerJobTimings",s.Subtest(func(db database.Store,check*expects) {`
`4063`	`4063`	`j:=dbgen.ProvisionerJob(s.T(),db,nil, database.ProvisionerJob{})`
`4064`	`4064`	`check.Args(database.InsertProvisionerJobTimingsParams{`
`4065`	`4065`	`JobID:j.ID,`
`4066`		`-}).Asserts(rbac.ResourceProvisionerJobs,policy.ActionUpdate)`
	`4066`	`+}).Asserts(/rbac.ResourceProvisionerJobs, policy.ActionUpdate /)`
`4067`	`4067`	`}))`
`4068`	`4068`	`s.Run("UpsertProvisionerDaemon",s.Subtest(func(db database.Store,check*expects) {`
`4069`	`4069`	`dbtestutil.DisableForeignKeysAndTriggers(s.T(),db)`
`@@ -4279,7 +4279,7 @@ func (s *MethodTestSuite) TestSystemFunctions() {`
`4279`	`4279`	`check.Args([]uuid.UUID{uuid.New()}).Asserts(rbac.ResourceSystem,policy.ActionRead)`
`4280`	`4280`	`}))`
`4281`	`4281`	`s.Run("GetProvisionerJobsByIDsWithQueuePosition",s.Subtest(func(db database.Store,check*expects) {`
`4282`		`-check.Args([]uuid.UUID{}).Asserts(rbac.ResourceProvisionerJobs,policy.ActionRead)`
	`4282`	`+check.Args([]uuid.UUID{}).Asserts(/rbac.ResourceProvisionerJobs, policy.ActionRead /)`
`4283`	`4283`	`}))`
`4284`	`4284`	`s.Run("GetReplicaByID",s.Subtest(func(db database.Store,check*expects) {`
`4285`	`4285`	`check.Args(uuid.New()).Asserts(rbac.ResourceSystem,policy.ActionRead).Errors(sql.ErrNoRows)`

`‎coderd/database/queries.sql.go‎`

Lines changed: 2 additions & 2 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎site/src/api/rbacresourcesGenerated.ts‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -130,6 +130,7 @@ export const RBACResourceActions: Partial<`
`130`	`130`	`update:"update a provisioner daemon",`
`131`	`131`	`},`
`132`	`132`	`provisioner_jobs:{`
	`133`	`+create:"create provisioner jobs",`
`133`	`134`	`read:"read provisioner jobs",`
`134`	`135`	`update:"update provisioner jobs",`
`135`	`136`	`},`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit18b809c

File tree

4 files changed

4 files changed

`‎coderd/database/dbauthz/dbauthz.go‎`

`‎coderd/database/dbauthz/dbauthz_test.go‎`

`‎coderd/database/queries.sql.go‎`

`‎site/src/api/rbacresourcesGenerated.ts‎`

0 commit comments