Commit2528929

committed
feat: add prebuilt_workspace resource type logic in rego policy
1 parent2ebda31 commit2528929


6 files changed

+133
-25
lines changed


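--- a/coderd/rbac/authz_internal_test.go
+++ b/coderd/rbac/authz_internal_test.go
@@ -712,6 +712,39 @@ func TestAuthorizeDomain(t *testing.T) {
 
 {resource:ResourceWorkspace.WithOwner("not-me")},
 }))
+
+// Prebuild
+prebuildUserID:=uuid.MustParse("c42fdf75-3097-471c-8c33-fb52454d81c0").String()
+prebuilder:=Subject{
+ID:prebuildUserID,
+Scope:must(ExpandScope(ScopeAll)),
+Roles:Roles{
+{
+Identifier:RoleIdentifier{Name:"Prebuilder"},
+Site: []Permission{},
+Org:map[string][]Permission{
+defOrg.String():Permissions(map[string][]policy.Action{
+ResourcePrebuiltWorkspace.Type:ResourcePrebuiltWorkspace.AvailableActions(),
+}),
+},
+User: []Permission{},
+},
+},
+}
+
+testAuthorize(t,"AllWorkspaceActions",prebuilder,
+cases(func(cauthTestCase)authTestCase {
+c.actions=ResourceWorkspace.AvailableActions()
+returnc
+}, []authTestCase{
+// Prebuild cannot access all workspaces
+{allow:false,resource:ResourceWorkspace.InOrg(defOrg).WithOwner(user.ID)},
+// They can access their workspaces because of the prebuild user ID
+{allow:true,resource:ResourceWorkspace.InOrg(defOrg).WithOwner(prebuildUserID)},
+// Also the prebuild type, although this should never be used directly.
+{allow:true,resource:ResourcePrebuiltWorkspace.InOrg(defOrg).WithOwner(prebuildUserID)},
+}),
+)
 }
 
 // TestAuthorizeLevels ensures level overrides are acting appropriately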

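--- a/coderd/rbac/input.json
+++ b/coderd/rbac/input.json
@@ -1,26 +1,23 @@
 {
-"action":"never-match-action",
+"action":"delete",
 "object": {
 "id":"9046b041-58ed-47a3-9c3a-de302577875a",
-"owner":"00000000-0000-0000-0000-000000000000",
 "org_owner":"bf7b72bd-a2b1-4ef2-962c-1d698e0483f6",
 "type":"workspace",
-"acl_user_list": {
-"f041847d-711b-40da-a89a-ede39f70dc7f": ["create"]
-},
+"acl_user_list": {},
 "acl_group_list": {}
 },
 "subject": {
 "id":"10d03e62-7703-4df5-a358-4f76577d4e2f",
 "roles": [
 {
-"name":"owner",
-"display_name":"Owner",
+"name":"test",
+"display_name":"Test",
 "site": [
 {
 "negate":false,
-"resource_type":"*",
-"action":"*"
+"resource_type":"workspace",
+"action":"delete"
 }
 ],
 "org": {},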

‎coderd/rbac/object_gen.go

Lines changed: 17 additions & 0 deletions

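--- a/coderd/rbac/policy.rego
+++ b/coderd/rbac/policy.rego
@@ -61,24 +61,48 @@ number(set) := c if {
 c:=1
 }
 
+prebuild_workspace_type:="prebuilt_workspace"
+default_object_set:= [input.object.type,"*"]
+
+is_prebuild_workspace:=true if{
+input.object.type="workspace"
+input.object.owner="c42fdf75-3097-471c-8c33-fb52454d81c0"
+}
+
 # site, org, and user rules are all similar. Each rule should return a number
 # from [-1, 1]. The number corresponds to "negative", "abstain", and "positive"
 # for the given level. See the 'allow' rules for how these numbers are used.
 defaultsite:=0
 
-site:=site_allow(input.subject.roles)
+site:= num if{
+notis_prebuild_workspace
+num:=site_allow(input.subject.roles, default_object_set)
+}
+
+site:= num if{
+is_prebuild_workspace
+num:=site_allow(input.subject.roles, [input.object.type,"*", prebuild_workspace_type])
+}
 
 defaultscope_site:=0
 
-scope_site:=site_allow([input.subject.scope])
+scope_site:= num if{
+is_prebuild_workspace
+num:=site_allow([input.subject.scope], default_object_set)
+}
+
+scope_site:= num if{
+notis_prebuild_workspace
+num:=site_allow([input.subject.scope], [input.object.type,"*", prebuild_workspace_type])
+}
 
-site_allow(roles):= num if{
+site_allow(roles, object_set):= num if{
 # allow is a set of boolean values without duplicates.
 allow:= {x|
 # Iterate over all site permissions in all roles
 perm:= roles[_].site[_]
 perm.action in[input.action,"*"]
-perm.resource_type in[input.object.type,"*"]
+perm.resource_type inobject_set
 
 # x is either 'true' or 'false' if a matching permission exists.
 x:=bool_flip(perm.negate)
@@ -95,11 +119,27 @@ org_members := {orgID |
 # that the actor is a member of.
 defaultorg:=0
 
-org:=org_allow(input.subject.roles)
+org:= num if{
+notis_prebuild_workspace
+num:=org_allow(input.subject.roles, default_object_set)
+}
+
+org:= num if{
+is_prebuild_workspace
+num:=org_allow(input.subject.roles, [input.object.type,"*", prebuild_workspace_type])
+}
 
 defaultscope_org:=0
 
-scope_org:=org_allow([input.scope])
+scope_org:= num if{
+notis_prebuild_workspace
+num:=org_allow([input.subject.scope], default_object_set)
+}
+
+scope_org:= num if{
+is_prebuild_workspace
+num:=org_allow([input.subject.scope], [input.object.type,"*", prebuild_workspace_type])
+}
 
 # org_allow_set is a helper function that iterates over all orgs that the actor
 # is a member of. For each organization it sets the numerical allow value
@@ -111,24 +151,24 @@ scope_org := org_allow([input.scope])
 # The reason we calculate this for all orgs, and not just the input.object.org_owner
 # is that sometimes the input.object.org_owner is unknown. In those cases
 # we have a list of org_ids that can we use in a SQL 'WHERE' clause.
-org_allow_set(roles):= allow_set if{
+org_allow_set(roles, object_set):= allow_set if{
 allow_set:= {id: num|
 id:= org_members[_]
 set:= {x|
 perm:= roles[_].org[id][_]
 perm.action in[input.action,"*"]
-perm.resource_type in[input.object.type,"*"]
+perm.resource_type inobject_set
 x:=bool_flip(perm.negate)
 }
 num:=number(set)
 }
 }
 
-org_allow(roles):= num if{
+org_allow(roles, object_set):= num if{
 # If the object has "any_org" set to true, then use the other
 # org_allow block.
 notinput.object.any_org
-allow:=org_allow_set(roles)
+allow:=org_allow_set(roles, object_set)
 
 # Return only the org value of the input's org.
 # The reason why we do not do this up front, is that we need to make sure
@@ -144,9 +184,9 @@ org_allow(roles) := num if {
 # This is useful for UI elements when we want to conclude, "Can the user create
 # a new template in any organization?"
 # It is easier than iterating over every organization the user is apart of.
-org_allow(roles):= num if{
+org_allow(roles, object_set):= num if{
 input.object.any_org# if this is false, this code block is not used
-allow:=org_allow_set(roles)
+allow:=org_allow_set(roles, object_set)
 
 # allow is a map of {"<org_id>": <number>}. We only care about values
 # that are 1, and ignore the rest.
@@ -195,19 +235,35 @@ org_ok if {
 # the user is apart of the org (if the object has an org).
 defaultuser:=0
 
-user:=user_allow(input.subject.roles)
+user:= num if{
+notis_prebuild_workspace
+num:=user_allow(input.subject.roles, default_object_set)
+}
+
+user:= num if{
+is_prebuild_workspace
+num:=user_allow(input.subject.roles, [input.object.type,"*", prebuild_workspace_type])
+}
 
 defaultuser_scope:=0
 
-scope_user:=user_allow([input.scope])
+scope_user:= num if{
+notis_prebuild_workspace
+num:=user_allow([input.subject.scope], default_object_set)
+}
+
+scope_user:= num if{
+is_prebuild_workspace
+num:=user_allow([input.subject.scope], [input.object.type,"*", prebuild_workspace_type])
+}
 
-user_allow(roles):= num if{
+user_allow(roles, object_set):= num if{
 input.object.owner!=""
 input.subject.id= input.object.owner
 allow:= {x|
 perm:= roles[_].user[_]
 perm.action in[input.action,"*"]
-perm.resource_type in[input.object.type,"*"]
+perm.resource_type inobject_set
 x:=bool_flip(perm.negate)
 }
 num:=number(allow)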

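--- a/coderd/rbac/policy/policy.go
+++ b/coderd/rbac/policy/policy.go
@@ -102,6 +102,9 @@ var RBACPermissions = map[string]PermissionDefinition{
 "workspace_dormant": {
 Actions:workspaceActions,
 },
+"prebuilt_workspace": {
+Actions:workspaceActions,
+},
 "workspace_proxy": {
 Actions:map[Action]ActionDefinition{
 ActionCreate:actDef("create a workspace proxy"),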

‎codersdk/rbacresources_gen.go

Lines changed: 2 additions & 0 deletions

