NotificationsYou must be signed in to change notification settings
Fork909
Star10k

Commit398c07d

committed

chore: deprecate and lint for ResourceSystem

1 parentb1f5d45 commit398c07dCopy full SHA for 398c07d

File tree

5 files changed

+56

-35

lines changed

coderd
- database/dbauthz
  - dbauthz.go
- rbac
  - object_gen.go
  - policy
    - policy.go
scripts
- rules.go
- typegen
  - rbacobject.gotmpl

5 files changed

+56

-35

lines changed

`‎coderd/database/dbauthz/dbauthz.go`

Lines changed: 39 additions & 35 deletions

Original file line number	Diff line number	Diff line change
`@@ -441,9 +441,9 @@ func As(ctx context.Context, actor rbac.Subject) context.Context {`
`441`	`441`	`// running the insertFunc. The insertFunc is expected to return the object that`
`442`	`442`	`// was inserted.`
`443`	`443`	`funcinsert[`
`444`		`-ObjectTypeany,`
`445`		`-ArgumentTypeany,`
`446`		`-Insertfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
	`444`	`+ObjectTypeany,`
	`445`	`+ArgumentTypeany,`
	`446`	`+Insertfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
`447`	`447`	`](`
`448`	`448`	`logger slog.Logger,`
`449`	`449`	`authorizer rbac.Authorizer,`
`@@ -454,9 +454,9 @@ func insert[`
`454`	`454`	`}`
`455`	`455`
`456`	`456`	`funcinsertWithAction[`
`457`		`-ObjectTypeany,`
`458`		`-ArgumentTypeany,`
`459`		`-Insertfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
	`457`	`+ObjectTypeany,`
	`458`	`+ArgumentTypeany,`
	`459`	`+Insertfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
`460`	`460`	`](`
`461`	`461`	`logger slog.Logger,`
`462`	`462`	`authorizer rbac.Authorizer,`
`@@ -483,10 +483,10 @@ func insertWithAction[`
`483`	`483`	`}`
`484`	`484`
`485`	`485`	`funcdeleteQ[`
`486`		`-ObjectType rbac.Objecter,`
`487`		`-ArgumentTypeany,`
`488`		`-Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
`489`		`-Deletefunc(ctx context.Context,argArgumentType)error,`
	`486`	`+ObjectType rbac.Objecter,`
	`487`	`+ArgumentTypeany,`
	`488`	`+Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
	`489`	`+Deletefunc(ctx context.Context,argArgumentType)error,`
`490`	`490`	`](`
`491`	`491`	`logger slog.Logger,`
`492`	`492`	`authorizer rbac.Authorizer,`
`@@ -498,10 +498,10 @@ func deleteQ[`
`498`	`498`	`}`
`499`	`499`
`500`	`500`	`funcupdateWithReturn[`
`501`		`-ObjectType rbac.Objecter,`
`502`		`-ArgumentTypeany,`
`503`		`-Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
`504`		`-UpdateQueryfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
	`501`	`+ObjectType rbac.Objecter,`
	`502`	`+ArgumentTypeany,`
	`503`	`+Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
	`504`	`+UpdateQueryfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
`505`	`505`	`](`
`506`	`506`	`logger slog.Logger,`
`507`	`507`	`authorizer rbac.Authorizer,`
`@@ -512,10 +512,10 @@ func updateWithReturn[`
`512`	`512`	`}`
`513`	`513`
`514`	`514`	`funcupdate[`
`515`		`-ObjectType rbac.Objecter,`
`516`		`-ArgumentTypeany,`
`517`		`-Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
`518`		`-Execfunc(ctx context.Context,argArgumentType)error,`
	`515`	`+ObjectType rbac.Objecter,`
	`516`	`+ArgumentTypeany,`
	`517`	`+Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
	`518`	`+Execfunc(ctx context.Context,argArgumentType)error,`
`519`	`519`	`](`
`520`	`520`	`logger slog.Logger,`
`521`	`521`	`authorizer rbac.Authorizer,`
`@@ -533,9 +533,9 @@ func update[`
`533`	`533`	`// user cannot read the resource. This is because the resource details are`
`534`	`534`	`// required to run a proper authorization check.`
`535`	`535`	`funcfetchWithAction[`
`536`		`-ArgumentTypeany,`
`537`		`-ObjectType rbac.Objecter,`
`538`		`-DatabaseFuncfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
	`536`	`+ArgumentTypeany,`
	`537`	`+ObjectType rbac.Objecter,`
	`538`	`+DatabaseFuncfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
`539`	`539`	`](`
`540`	`540`	`logger slog.Logger,`
`541`	`541`	`authorizer rbac.Authorizer,`
`@@ -566,9 +566,9 @@ func fetchWithAction[`
`566`	`566`	`}`
`567`	`567`
`568`	`568`	`funcfetch[`
`569`		`-ArgumentTypeany,`
`570`		`-ObjectType rbac.Objecter,`
`571`		`-DatabaseFuncfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
	`569`	`+ArgumentTypeany,`
	`570`	`+ObjectType rbac.Objecter,`
	`571`	`+DatabaseFuncfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
`572`	`572`	`](`
`573`	`573`	`logger slog.Logger,`
`574`	`574`	`authorizer rbac.Authorizer,`
`@@ -581,10 +581,10 @@ func fetch[`
`581`	`581`	`// from SQL 'exec' functions which only return an error.`
`582`	`582`	`// See fetchAndQuery for more information.`
`583`	`583`	`funcfetchAndExec[`
`584`		`-ObjectType rbac.Objecter,`
`585`		`-ArgumentTypeany,`
`586`		`-Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
`587`		`-Execfunc(ctx context.Context,argArgumentType)error,`
	`584`	`+ObjectType rbac.Objecter,`
	`585`	`+ArgumentTypeany,`
	`586`	`+Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
	`587`	`+Execfunc(ctx context.Context,argArgumentType)error,`
`588`	`588`	`](`
`589`	`589`	`logger slog.Logger,`
`590`	`590`	`authorizer rbac.Authorizer,`
`@@ -607,10 +607,10 @@ func fetchAndExec[`
`607`	`607`	`// before the query runs. The returns from the fetch are only used to`
`608`	`608`	`// assert rbac. The final return of this function comes from the Query function.`
`609`	`609`	`funcfetchAndQuery[`
`610`		`-ObjectType rbac.Objecter,`
`611`		`-ArgumentTypeany,`
`612`		`-Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
`613`		`-Queryfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
	`610`	`+ObjectType rbac.Objecter,`
	`611`	`+ArgumentTypeany,`
	`612`	`+Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
	`613`	`+Queryfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
`614`	`614`	`](`
`615`	`615`	`logger slog.Logger,`
`616`	`616`	`authorizer rbac.Authorizer,`
`@@ -644,9 +644,9 @@ func fetchAndQuery[`
`644`	`644`	`// fetchWithPostFilter is like fetch, but works with lists of objects.`
`645`	`645`	`// SQL filters are much more optimal.`
`646`	`646`	`funcfetchWithPostFilter[`
`647`		`-ArgumentTypeany,`
`648`		`-ObjectType rbac.Objecter,`
`649`		`-DatabaseFuncfunc(ctx context.Context,argArgumentType) ([]ObjectType,error),`
	`647`	`+ArgumentTypeany,`
	`648`	`+ObjectType rbac.Objecter,`
	`649`	`+DatabaseFuncfunc(ctx context.Context,argArgumentType) ([]ObjectType,error),`
`650`	`650`	`](`
`651`	`651`	`authorizer rbac.Authorizer,`
`652`	`652`	`action policy.Action,`
`@@ -1405,6 +1405,10 @@ func (q *querier) DeleteWebpushSubscriptions(ctx context.Context, ids []uuid.UUI`
`1405`	`1405`	`}`
`1406`	`1406`
`1407`	`1407`	`func (q*querier)DeleteWorkspaceAgentPortShare(ctx context.Context,arg database.DeleteWorkspaceAgentPortShareParams)error {`
	`1408`	`+iferr:=q.authorizeContext(ctx,policy.ActionDelete,rbac.ResourceSystem);err!=nil {`
	`1409`	`+returnerr`
	`1410`	`+}`
	`1411`	`+`
`1408`	`1412`	`w,err:=q.db.GetWorkspaceByID(ctx,arg.WorkspaceID)`
`1409`	`1413`	`iferr!=nil {`
`1410`	`1414`	`returnerr`

`‎coderd/rbac/object_gen.go`

Lines changed: 3 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/rbac/policy/policy.go`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -33,6 +33,8 @@ type PermissionDefinition struct {`
`33`	`33`	`// should represent. The key in the actions map is the verb to use`
`34`	`34`	`// in the rbac policy.`
`35`	`35`	`Actionsmap[Action]ActionDefinition`
	`36`	`+// Comment is additional text to include in the generated object comment.`
	`37`	`+Commentstring`
`36`	`38`	`}`
`37`	`39`
`38`	`40`	`typeActionDefinitionstruct {`
`@@ -203,6 +205,10 @@ var RBACPermissions = map[string]PermissionDefinition{`
`203`	`205`	`ActionUpdate:actDef("update system resources"),`
`204`	`206`	`ActionDelete:actDef("delete system resources"),`
`205`	`207`	`},`
	`208`	+Comment:`
	`209`	`+// DEPRECATED: New resources should be created for new things, rather than adding them to System, which has become`
	`210`	`+// an unmanaged collection of things that don't relate to one another. We can't effectively enforce`
	`211`	+// least privilege access control when unrelated resources are grouped together.`,
`206`	`212`	`},`
`207`	`213`	`"api_key": {`
`208`	`214`	`Actions:map[Action]ActionDefinition{`

`‎scripts/rules.go`

Lines changed: 7 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -523,3 +523,10 @@ func noPTYInAgent(m dsl.Matcher) {`
`523`	`523`	`).`
`524`	`524`	`Report("The agent and its subpackages should not use pty.Command or pty.CommandContext directly. Consider using an agentexec.Execer instead.")`
`525`	`525`	`}`
	`526`	`+`
	`527`	`+funcnoResourceSystem(m dsl.Matcher) {`
	`528`	`+m.Import("github.com/coder/coder/v2/coderd/rbac")`
	`529`	+m.Match(`rbac.ResourceSystem`).
	`530`	+Where(!m.File().PkgPath.Matches(`/rbac`)).
	`531`	`+Report("ResourceSystem is deprecated. Create new resources to represent the access you are adding/modifying.")`
	`532`	`+}`

`‎scripts/typegen/rbacobject.gotmpl`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@ var (`
`16`	`16`	`{{- range $action, $value := .Actions }}`
`17`	`17`	`// - "{{ actionEnum $action }}" :: {{ $value.Description }}`
`18`	`18`	`{{- end }}`
	`19`	`+{{- .Comment }}`
`19`	`20`	`Resource{{ $Name }} = Object {`
`20`	`21`	`Type: "{{ $element.Type }}",`
`21`	`22`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit398c07d

File tree

5 files changed

5 files changed

`‎coderd/database/dbauthz/dbauthz.go`

`‎coderd/rbac/object_gen.go`

`‎coderd/rbac/policy/policy.go`

`‎scripts/rules.go`

`‎scripts/typegen/rbacobject.gotmpl`

0 commit comments