Commit300e80f

SasSwartdannykopping
authored andcommitted
add prebuilds system user database changes and associated changes
Signed-off-by: Danny Kopping <dannykopping@gmail.com>
1 parent27a160d commit300e80f

File tree

14 files changed

+184
-15
lines changed

14 files changed

+184
-15
lines changed

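--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -18,6 +18,7 @@ import (
 
 "cdr.dev/slog"
 
+"github.com/coder/coder/v2/coderd/prebuilds"
 "github.com/coder/coder/v2/coderd/rbac/policy"
 "github.com/coder/coder/v2/coderd/rbac/rolestore"
 
@@ -358,6 +359,27 @@ var (
 }),
 Scope:rbac.ScopeAll,
 }.WithCachedASTValue()
+
+subjectPrebuildsOrchestrator= rbac.Subject{
+FriendlyName:"Prebuilds Orchestrator",
+ID:prebuilds.OwnerID.String(),
+Roles:rbac.Roles([]rbac.Role{
+{
+Identifier: rbac.RoleIdentifier{Name:"prebuilds-orchestrator"},
+DisplayName:"Coder",
+Site:rbac.Permissions(map[string][]policy.Action{
+// May use template, read template-related info, & insert template-related resources (preset prebuilds).
+rbac.ResourceTemplate.Type: {policy.ActionRead,policy.ActionUpdate,policy.ActionUse},
+// May CRUD workspaces, and start/stop them.
+rbac.ResourceWorkspace.Type: {
+policy.ActionCreate,policy.ActionDelete,policy.ActionRead,policy.ActionUpdate,
+policy.ActionWorkspaceStart,policy.ActionWorkspaceStop,
+},
+}),
+},
+}),
+Scope:rbac.ScopeAll,
+}.WithCachedASTValue()
 )
 
 // AsProvisionerd returns a context with an actor that has permissions required
@@ -412,6 +434,12 @@ func AsSystemReadProvisionerDaemons(ctx context.Context) context.Context {
 returncontext.WithValue(ctx,authContextKey{},subjectSystemReadProvisionerDaemons)
 }
 
+// AsPrebuildsOrchestrator returns a context with an actor that has permissions
+// to read orchestrator workspace prebuilds.
+funcAsPrebuildsOrchestrator(ctx context.Context) context.Context {
+returncontext.WithValue(ctx,authContextKey{},subjectPrebuildsOrchestrator)
+}
+
 varAsRemoveActor= rbac.Subject{
 ID:"remove-actor",
 }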
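Review bot: The doc comment on AsPrebuildsOrchestrator (new lines 437-438) says the actor only has permission to read workspace prebuilds, but subjectPrebuildsOrchestrator is granted site-wide template read/update/use and workspace create/delete/read/update/start/stop under ScopeAll, so the comment understates the privilege that readers of this package will rely on when deciding where this context may be used. Suggest replacing it with `// AsPrebuildsOrchestrator returns a context with an actor that may read, update and use templates and create, read, update, delete, start and stop workspaces site-wide, as the prebuilds orchestrator requires.` Because this is a long-lived system identity rather than a request-scoped one, the subject definition would also benefit from a comment stating why template ActionUpdate is needed (the inline comment mentions inserting preset prebuilds), so the grant can be narrowed later if a finer-grained action becomes available. The package now imports coderd/prebuilds to obtain OwnerID; if prebuilds ever depends on dbauthz this becomes an import cycle, which is worth confirming before merge.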

‎coderd/database/dump.sql

Lines changed: 20 additions & 0 deletions
Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
-- Remove system user from organizations
2+
DELETEFROM organization_members
3+
WHERE user_id='c42fdf75-3097-471c-8c33-fb52454d81c0';
4+
5+
-- Drop triggers first
6+
DROPTRIGGER IF EXISTS prevent_system_user_updatesON users;
7+
DROPTRIGGER IF EXISTS prevent_system_user_deletionsON users;
8+
9+
-- Drop function
10+
DROPFUNCTION IF EXISTS prevent_system_user_changes();
11+
12+
-- Delete system user
13+
DELETEFROM users
14+
WHERE id='c42fdf75-3097-471c-8c33-fb52454d81c0';
15+
16+
-- Drop index
17+
DROPINDEX IF EXISTS user_is_system_idx;
18+
19+
-- Drop column
20+
ALTERTABLE users DROP COLUMN IF EXISTS is_system;
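Review bot: `DELETE FROM users WHERE id = ...` on new line 13 will fail if any rows still reference the system user (for example workspaces it owns) unless the referencing foreign keys cascade, and nothing in this migration states which is expected; a down migration that live data can block deserves a comment such as `-- Assumes nothing still references the system user (e.g. owned workspaces); remove those rows first.` The same UUID is hard-coded here, in the up migration and presumably as prebuilds.OwnerID in Go, so a one-line comment naming the Go constant would help keep the three in sync. The enclosing file's name is not shown on this page, so I cannot confirm it pairs with the 51-line up migration below.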
Lines changed: 51 additions & 0 deletions
@@ -0,0 +1,51 @@
1+
ALTERTABLE users
2+
ADD COLUMN is_system bool DEFAULT false;
3+
4+
CREATEINDEXuser_is_system_idxON users USING btree (is_system);
5+
6+
COMMENT ON COLUMN users.is_system IS'Determines if a user is a system user, and therefore cannot login or perform normal actions';
7+
8+
-- TODO: tried using "none" for login type, but the migration produced this error: 'unsafe use of new value "none" of enum type login_type'
9+
-- -> not sure why though? it exists on the login_type enum.
10+
INSERT INTO users (id, email, username, name, created_at, updated_at, status, rbac_roles, hashed_password, is_system, login_type)
11+
VALUES ('c42fdf75-3097-471c-8c33-fb52454d81c0','prebuilds@system','prebuilds','Prebuilds Owner', now(), now(),
12+
'active','{}','none', true,'password'::login_type);
13+
14+
-- Create function to check system user modifications
15+
CREATE OR REPLACEFUNCTIONprevent_system_user_changes()
16+
RETURNS TRIGGERAS
17+
$$
18+
BEGIN
19+
IFOLD.is_system= true THEN
20+
RAISE EXCEPTION'Cannot modify or delete system users';
21+
END IF;
22+
RETURN OLD;
23+
END;
24+
$$ LANGUAGE plpgsql;
25+
26+
-- Create trigger to prevent updates to system users
27+
CREATETRIGGERprevent_system_user_updates
28+
BEFOREUPDATEON users
29+
FOR EACH ROW
30+
WHEN (OLD.is_system= true)
31+
EXECUTE FUNCTION prevent_system_user_changes();
32+
33+
-- Create trigger to prevent deletion of system users
34+
CREATETRIGGERprevent_system_user_deletions
35+
BEFOREDELETEON users
36+
FOR EACH ROW
37+
WHEN (OLD.is_system= true)
38+
EXECUTE FUNCTION prevent_system_user_changes();
39+
40+
-- TODO: do we *want* to use the default org here? how do we handle multi-org?
41+
WITH default_orgAS (SELECT id
42+
FROM organizations
43+
WHERE is_default= true
44+
LIMIT1)
45+
INSERT
46+
INTO organization_members (organization_id, user_id, created_at, updated_at)
47+
SELECTdefault_org.id,
48+
'c42fdf75-3097-471c-8c33-fb52454d81c0',-- The system user responsible for prebuilds.
49+
NOW(),
50+
NOW()
51+
FROM default_org;
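Review bot: The system user inserted on new lines 10-12 is `active` with `login_type = 'password'` and `hashed_password = 'none'`, so whether it can ever authenticate rests entirely on the password verifier rejecting a non-hash string, while the TODO above shows that a non-authenticating `none` login type was the intent. The error quoted in that TODO is standard Postgres behaviour: a value added with `ALTER TYPE ... ADD VALUE` cannot be used until the transaction that added it commits, so if the migration runner applies the enum change and this INSERT in one transaction, placing the INSERT in a later migration (or the ADD VALUE in an earlier one) should allow the intended login type. Separately, `is_system bool DEFAULT false` on line 2 is nullable; `NOT NULL DEFAULT false` would spare callers three-valued comparisons, and the `WHEN (OLD.is_system = true)` trigger guards would behave the same. The update trigger also rejects every UPDATE to the row, including routine bookkeeping such as `last_seen_at` or status changes, so confirm no existing code path writes to the system user's row, since those writes would now raise.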

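--- a/coderd/database/modelmethods.go
+++ b/coderd/database/modelmethods.go
@@ -423,6 +423,7 @@ func ConvertUserRows(rows []GetUsersRow) []User {
 AvatarURL:r.AvatarURL,
 Deleted:r.Deleted,
 LastSeenAt:r.LastSeenAt,
+IsSystem:r.IsSystem,
 }
 }
 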
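--- a/coderd/database/modelqueries.go
+++ b/coderd/database/modelqueries.go
@@ -421,6 +421,7 @@ func (q *sqlQuerier) GetAuthorizedUsers(ctx context.Context, arg GetUsersParams,
 &i.GithubComUserID,
 &i.HashedOneTimePasscode,
 &i.OneTimePasscodeExpiresAt,
+&i.IsSystem,
 &i.Count,
 );err!=nil {
 returnnil,err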
‎coderd/database/models.go

Lines changed: 2 additions & 0 deletions

‎coderd/database/queries.sql.go

Lines changed: 23 additions & 11 deletions

