
Commit36808a4

committed
WIP: delete all old resources, generating them from a policy
1 parentedcfe19 commit36808a4


4 files changed

+207
-237
lines changed


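--- a/coderd/coderdtest/authorize.go
+++ b/coderd/coderdtest/authorize.go
@@ -416,23 +416,16 @@ func RandomRBACObject() rbac.Object {
 funcrandomRBACType()string {
 all:= []string{
 rbac.ResourceWorkspace.Type,
-rbac.ResourceWorkspaceExecution.Type,
-rbac.ResourceWorkspaceApplicationConnect.Type,
 rbac.ResourceAuditLog.Type,
 rbac.ResourceTemplate.Type,
 rbac.ResourceGroup.Type,
 rbac.ResourceFile.Type,
 rbac.ResourceProvisionerDaemon.Type,
 rbac.ResourceOrganization.Type,
-rbac.ResourceRoleAssignment.Type,
-rbac.ResourceOrgRoleAssignment.Type,
-rbac.ResourceAPIKey.Type,
 rbac.ResourceUser.Type,
-rbac.ResourceUserData.Type,
 rbac.ResourceOrganizationMember.Type,
 rbac.ResourceWildcard.Type,
 rbac.ResourceLicense.Type,
-rbac.ResourceDeploymentValues.Type,
 rbac.ResourceReplicas.Type,
 rbac.ResourceDebugInfo.Type,
 }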

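--- a/coderd/rbac/object.go
+++ b/coderd/rbac/object.go
@@ -13,225 +13,6 @@ type Objecter interface {
 RBACObject()Object
 }
 
-// Resources are just typed objects. Making resources this way allows directly
-// passing them into an Authorize function and use the chaining api.
-var (
-// ResourceWildcard represents all resource types
-// Try to avoid using this where possible.
-//ResourceWildcard = Object{
-//Type: WildcardSymbol,
-//}
-
-// ResourceWorkspace CRUD. Org + User owner
-//create/delete = make or delete workspaces
-// read = access workspace
-//update = edit workspace variables
-//ResourceWorkspace = Object{
-//Type: "workspace",
-//}
-
-// ResourceWorkspaceBuild refers to permissions necessary to
-// insert a workspace build job.
-// create/delete = ?
-// read = read workspace builds
-// update = insert/update workspace builds.
-ResourceWorkspaceBuild=Object{
-Type:"workspace_build",
-}
-
-// ResourceWorkspaceDormant is returned if a workspace is dormant.
-// It grants restricted permissions on workspace builds.
-ResourceWorkspaceDormant=Object{
-Type:"workspace_dormant",
-}
-
-// ResourceWorkspaceProxy CRUD. Org
-//create/delete = make or delete proxies
-// read = read proxy urls
-//update = edit workspace proxy fields
-//ResourceWorkspaceProxy = Object{
-//Type: "workspace_proxy",
-//}
-
-// ResourceWorkspaceExecution CRUD. Org + User owner
-//create = workspace remote execution
-// read = ?
-//update = ?
-// delete = ?
-//ResourceWorkspaceExecution = Object{
-//Type: "workspace_execution",
-//}
-
-// ResourceWorkspaceApplicationConnect CRUD. Org + User owner
-//create = connect to an application
-// read = ?
-//update = ?
-// delete = ?
-//ResourceWorkspaceApplicationConnect = Object{
-//Type: "application_connect",
-//}
-
-// ResourceAuditLog
-// read = access audit log
-//ResourceAuditLog = Object{
-//Type: "audit_log",
-//}
-
-// ResourceTemplate CRUD. Org owner only.
-//create/delete = Make or delete a new template
-//update = Update the template, make new template versions
-//read = read the template and all versions associated
-//ResourceTemplate = Object{
-//Type: "template",
-//}
-
-// ResourceGroup CRUD. Org admins only.
-//create/delete = Make or delete a new group.
-//update = Update the name or members of a group.
-//read = Read groups and their members.
-//ResourceGroup = Object{
-//Type: "group",
-//}
-
-//ResourceFile = Object{
-//Type: "file",
-//}
-
-//ResourceProvisionerDaemon = Object{
-//Type: "provisioner_daemon",
-//}
-
-// ResourceOrganization CRUD. Has an org owner on all but 'create'.
-//create/delete = make or delete organizations
-// read = view org information (Can add user owner for read)
-//update = ??
-//ResourceOrganization = Object{
-//Type: "organization",
-//}
-
-// ResourceRoleAssignment might be expanded later to allow more granular permissions
-// to modifying roles. For now, this covers all possible roles, so having this permission
-// allows granting/deleting **ALL** roles.
-// Never has an owner or org.
-//create = Assign roles
-//update = ??
-//read= View available roles to assign
-//delete= Remove role
-ResourceRoleAssignment=Object{
-Type:"assign_role",
-}
-
-// ResourceOrgRoleAssignment is just like ResourceRoleAssignment but for organization roles.
-ResourceOrgRoleAssignment=Object{
-Type:"assign_org_role",
-}
-
-// ResourceAPIKey is owned by a user.
-//create = Create a new api key for user
-//update = ??
-//read= View api key
-//delete= Delete api key
-ResourceAPIKey=Object{
-Type:"api_key",
-}
-
-// ResourceUser is the user in the 'users' table.
-// ResourceUser never has any owners or in an org, as it's site wide.
-// create/delete = make or delete a new user.
-// read = view all 'user' table data
-// update = update all 'user' table data
-//ResourceUser = Object{
-//Type: "user",
-//}
-
-// ResourceUserData is any data associated with a user. A user has control
-// over their data (profile, password, etc). So this resource has an owner.
-//ResourceUserData = Object{
-//Type: "user_data",
-//}
-
-// ResourceUserWorkspaceBuildParameters is the user's workspace build
-// parameter history.
-ResourceUserWorkspaceBuildParameters=Object{
-Type:"user_workspace_build_parameters",
-}
-
-// ResourceOrganizationMember is a user's membership in an organization.
-// Has ONLY an organization owner.
-//create/delete = Create/delete member from org.
-//update = Update organization member
-//read= View member
-//ResourceOrganizationMember = Object{
-//Type: "organization_member",
-//}
-
-// ResourceLicense is the license in the 'licenses' table.
-// ResourceLicense is site wide.
-// create/delete = add or remove license from site.
-// read = view license claims
-// update = not applicable; licenses are immutable
-//ResourceLicense = Object{
-//Type: "license",
-//}
-
-// ResourceDeploymentValues
-//ResourceDeploymentValues = Object{
-//Type: "deployment_config",
-//}
-
-//ResourceDeploymentStats = Object{
-//Type: "deployment_stats",
-//}
-
-//ResourceReplicas = Object{
-//Type: "replicas",
-//}
-
-// ResourceDebugInfo controls access to the debug routes `/api/v2/debug/*`.
-ResourceDebugInfo=Object{
-Type:"debug_info",
-}
-
-// ResourceSystem is a pseudo-resource only used for system-level actions.
-ResourceSystem=Object{
-Type:"system",
-}
-
-// ResourceTailnetCoordinator is a pseudo-resource for use by the tailnet coordinator
-ResourceTailnetCoordinator=Object{
-Type:"tailnet_coordinator",
-}
-
-//// ResourceTemplateInsights is a pseudo-resource for reading template insights data.
-//ResourceTemplateInsights = Object{
-//Type: "template_insights",
-//}
-
-// ResourceOAuth2ProviderApp CRUD.
-//create/delete = Make or delete an OAuth2 app.
-//update = Update the properties of the OAuth2 app.
-//read = Read OAuth2 apps.
-ResourceOAuth2ProviderApp=Object{
-Type:"oauth2_app",
-}
-
-// ResourceOAuth2ProviderAppSecret CRUD.
-//create/delete = Make or delete an OAuth2 app secret.
-//update = Update last used date.
-//read = Read OAuth2 app hashed or truncated secret.
-ResourceOAuth2ProviderAppSecret=Object{
-Type:"oauth2_app_secret",
-}
-
-// ResourceOAuth2ProviderAppCodeToken CRUD.
-//create/delete = Make or delete an OAuth2 app code or token.
-// update = None
-//read = Check if OAuth2 app code or token exists.
-ResourceOAuth2ProviderAppCodeToken=Object{
-Type:"oauth2_app_code_token",
-}
-)
-
 // ResourceUserObject is a helper function to create a user object for authz checks.
 funcResourceUserObject(userID uuid.UUID)Object {
 returnResourceUser.WithID(userID).WithOwner(userID.String())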

‎coderd/rbac/object_gen.go

Lines changed: 104 additions & 4 deletions
