NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commit3e7ff9d

authored

chore(coderd/rbac): addAction{Create,Delete}Agent toResourceWorkspace (#17932)

1 parentd2d2189 commit3e7ff9dCopy full SHA for 3e7ff9d

File tree

19 files changed

+253

-11

lines changed

coderd
- apidoc
  - docs.go
  - swagger.json
- database
  - dbauthz
    - dbauthz.go
    - dbauthz_test.go
  - dbmem
    - dbmem.go
  - dbmetrics
    - querymetrics.go
  - dbmock
    - dbmock.go
  - querier.go
  - queries.sql.go
  - queries
    - workspaces.sql
- rbac
  - object_gen.go
  - policy
    - policy.go
  - roles.go
  - roles_test.go
codersdk
- rbacresources_gen.go
docs/reference/api
- members.md
- schemas.md
site/src/api
- rbacresourcesGenerated.ts
- typesGenerated.ts

19 files changed

+253

-11

lines changed

`‎coderd/apidoc/docs.go‎`

Lines changed: 4 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apidoc/swagger.json‎`

Lines changed: 4 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/dbauthz/dbauthz.go‎`

Lines changed: 22 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -177,7 +177,7 @@ var (`
`177`	`177`	`// Unsure why provisionerd needs update and read personal`
`178`	`178`	`rbac.ResourceUser.Type: {policy.ActionRead,policy.ActionReadPersonal,policy.ActionUpdatePersonal},`
`179`	`179`	`rbac.ResourceWorkspaceDormant.Type: {policy.ActionDelete,policy.ActionRead,policy.ActionUpdate,policy.ActionWorkspaceStop},`
`180`		`-rbac.ResourceWorkspace.Type: {policy.ActionDelete,policy.ActionRead,policy.ActionUpdate,policy.ActionWorkspaceStart,policy.ActionWorkspaceStop},`
	`180`	`+rbac.ResourceWorkspace.Type: {policy.ActionDelete,policy.ActionRead,policy.ActionUpdate,policy.ActionWorkspaceStart,policy.ActionWorkspaceStop,policy.ActionCreateAgent},`
`181`	`181`	`rbac.ResourceApiKey.Type: {policy.WildcardSymbol},`
`182`	`182`	`// When org scoped provisioner credentials are implemented,`
`183`	`183`	`// this can be reduced to read a specific org.`
`@@ -339,7 +339,7 @@ var (`
`339`	`339`	`rbac.ResourceProvisionerDaemon.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate},`
`340`	`340`	`rbac.ResourceUser.Type:rbac.ResourceUser.AvailableActions(),`
`341`	`341`	`rbac.ResourceWorkspaceDormant.Type: {policy.ActionUpdate,policy.ActionDelete,policy.ActionWorkspaceStop},`
`342`		`-rbac.ResourceWorkspace.Type: {policy.ActionUpdate,policy.ActionDelete,policy.ActionWorkspaceStart,policy.ActionWorkspaceStop,policy.ActionSSH},`
	`342`	`+rbac.ResourceWorkspace.Type: {policy.ActionUpdate,policy.ActionDelete,policy.ActionWorkspaceStart,policy.ActionWorkspaceStop,policy.ActionSSH,policy.ActionCreateAgent,policy.ActionDeleteAgent},`
`343`	`343`	`rbac.ResourceWorkspaceProxy.Type: {policy.ActionCreate,policy.ActionUpdate,policy.ActionDelete},`
`344`	`344`	`rbac.ResourceDeploymentConfig.Type: {policy.ActionCreate,policy.ActionUpdate,policy.ActionDelete},`
`345`	`345`	`rbac.ResourceNotificationMessage.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},`
`@@ -3180,6 +3180,10 @@ func (q *querier) GetWorkspaceByOwnerIDAndName(ctx context.Context, arg database`
`3180`	`3180`	`returnfetch(q.log,q.auth,q.db.GetWorkspaceByOwnerIDAndName)(ctx,arg)`
`3181`	`3181`	`}`
`3182`	`3182`
	`3183`	`+func (q*querier)GetWorkspaceByResourceID(ctx context.Context,resourceID uuid.UUID) (database.Workspace,error) {`
	`3184`	`+returnfetch(q.log,q.auth,q.db.GetWorkspaceByResourceID)(ctx,resourceID)`
	`3185`	`+}`
	`3186`	`+`
`3183`	`3187`	`func (q*querier)GetWorkspaceByWorkspaceAppID(ctx context.Context,workspaceAppID uuid.UUID) (database.Workspace,error) {`
`3184`	`3188`	`returnfetch(q.log,q.auth,q.db.GetWorkspaceByWorkspaceAppID)(ctx,workspaceAppID)`
`3185`	`3189`	`}`
`@@ -3713,9 +3717,24 @@ func (q *querier) InsertWorkspace(ctx context.Context, arg database.InsertWorksp`
`3713`	`3717`	`}`
`3714`	`3718`
`3715`	`3719`	`func (q*querier)InsertWorkspaceAgent(ctx context.Context,arg database.InsertWorkspaceAgentParams) (database.WorkspaceAgent,error) {`
`3716`		`-iferr:=q.authorizeContext(ctx,policy.ActionCreate,rbac.ResourceSystem);err!=nil {`
	`3720`	`+// NOTE(DanielleMaywood):`
	`3721`	`+// Currently, the only way to link a Resource back to a Workspace is by following this chain:`
	`3722`	`+//`
	`3723`	`+// WorkspaceResource -> WorkspaceBuild -> Workspace`
	`3724`	`+//`
	`3725`	`+// It is possible for this function to be called without there existing`
	`3726`	+// a `WorkspaceBuild` to link back to. This means that we want to allow
	`3727`	`+// execution to continue if there isn't a workspace found to allow this`
	`3728`	`+// behavior to continue.`
	`3729`	`+workspace,err:=q.db.GetWorkspaceByResourceID(ctx,arg.ResourceID)`
	`3730`	`+iferr!=nil&&!errors.Is(err,sql.ErrNoRows) {`
`3717`	`3731`	`return database.WorkspaceAgent{},err`
`3718`	`3732`	`}`
	`3733`	`+`
	`3734`	`+iferr:=q.authorizeContext(ctx,policy.ActionCreateAgent,workspace);err!=nil {`
	`3735`	`+return database.WorkspaceAgent{},err`
	`3736`	`+}`
	`3737`	`+`
`3719`	`3738`	`returnq.db.InsertWorkspaceAgent(ctx,arg)`
`3720`	`3739`	`}`
`3721`	`3740`

`‎coderd/database/dbauthz/dbauthz_test.go‎`

Lines changed: 31 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -1928,6 +1928,22 @@ func (s *MethodTestSuite) TestWorkspace() {`
`1928`	`1928`	`})`
`1929`	`1929`	`check.Args(ws.ID).Asserts(ws,policy.ActionRead)`
`1930`	`1930`	`}))`
	`1931`	`+s.Run("GetWorkspaceByResourceID",s.Subtest(func(db database.Store,check*expects) {`
	`1932`	`+u:=dbgen.User(s.T(),db, database.User{})`
	`1933`	`+o:=dbgen.Organization(s.T(),db, database.Organization{})`
	`1934`	`+j:=dbgen.ProvisionerJob(s.T(),db,nil, database.ProvisionerJob{Type:database.ProvisionerJobTypeWorkspaceBuild})`
	`1935`	`+tpl:=dbgen.Template(s.T(),db, database.Template{CreatedBy:u.ID,OrganizationID:o.ID})`
	`1936`	`+tv:=dbgen.TemplateVersion(s.T(),db, database.TemplateVersion{`
	`1937`	`+TemplateID: uuid.NullUUID{UUID:tpl.ID,Valid:true},`
	`1938`	`+JobID:j.ID,`
	`1939`	`+OrganizationID:o.ID,`
	`1940`	`+CreatedBy:u.ID,`
	`1941`	`+})`
	`1942`	`+ws:=dbgen.Workspace(s.T(),db, database.WorkspaceTable{OwnerID:u.ID,TemplateID:tpl.ID,OrganizationID:o.ID})`
	`1943`	`+_=dbgen.WorkspaceBuild(s.T(),db, database.WorkspaceBuild{WorkspaceID:ws.ID,JobID:j.ID,TemplateVersionID:tv.ID})`
	`1944`	`+res:=dbgen.WorkspaceResource(s.T(),db, database.WorkspaceResource{JobID:j.ID})`
	`1945`	`+check.Args(res.ID).Asserts(ws,policy.ActionRead)`
	`1946`	`+}))`
`1931`	`1947`	`s.Run("GetWorkspaces",s.Subtest(func(_ database.Store,check*expects) {`
`1932`	`1948`	`// No asserts here because SQLFilter.`
`1933`	`1949`	`check.Args(database.GetWorkspacesParams{}).Asserts()`
`@@ -4018,12 +4034,25 @@ func (s *MethodTestSuite) TestSystemFunctions() {`
`4018`	`4034`	`Returns(slice.New(a,b))`
`4019`	`4035`	`}))`
`4020`	`4036`	`s.Run("InsertWorkspaceAgent",s.Subtest(func(db database.Store,check*expects) {`
`4021`		`-dbtestutil.DisableForeignKeysAndTriggers(s.T(),db)`
	`4037`	`+u:=dbgen.User(s.T(),db, database.User{})`
	`4038`	`+o:=dbgen.Organization(s.T(),db, database.Organization{})`
	`4039`	`+j:=dbgen.ProvisionerJob(s.T(),db,nil, database.ProvisionerJob{Type:database.ProvisionerJobTypeWorkspaceBuild})`
	`4040`	`+tpl:=dbgen.Template(s.T(),db, database.Template{CreatedBy:u.ID,OrganizationID:o.ID})`
	`4041`	`+tv:=dbgen.TemplateVersion(s.T(),db, database.TemplateVersion{`
	`4042`	`+TemplateID: uuid.NullUUID{UUID:tpl.ID,Valid:true},`
	`4043`	`+JobID:j.ID,`
	`4044`	`+OrganizationID:o.ID,`
	`4045`	`+CreatedBy:u.ID,`
	`4046`	`+})`
	`4047`	`+ws:=dbgen.Workspace(s.T(),db, database.WorkspaceTable{OwnerID:u.ID,TemplateID:tpl.ID,OrganizationID:o.ID})`
	`4048`	`+_=dbgen.WorkspaceBuild(s.T(),db, database.WorkspaceBuild{WorkspaceID:ws.ID,JobID:j.ID,TemplateVersionID:tv.ID})`
	`4049`	`+res:=dbgen.WorkspaceResource(s.T(),db, database.WorkspaceResource{JobID:j.ID})`
`4022`	`4050`	`check.Args(database.InsertWorkspaceAgentParams{`
`4023`	`4051`	`ID:uuid.New(),`
	`4052`	`+ResourceID:res.ID,`
`4024`	`4053`	`Name:"dev",`
`4025`	`4054`	`APIKeyScope:database.AgentKeyScopeEnumAll,`
`4026`		`-}).Asserts(rbac.ResourceSystem,policy.ActionCreate)`
	`4055`	`+}).Asserts(ws,policy.ActionCreateAgent)`
`4027`	`4056`	`}))`
`4028`	`4057`	`s.Run("InsertWorkspaceApp",s.Subtest(func(db database.Store,check*expects) {`
`4029`	`4058`	`dbtestutil.DisableForeignKeysAndTriggers(s.T(),db)`

`‎coderd/database/dbmem/dbmem.go‎`

Lines changed: 27 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -8053,6 +8053,33 @@ func (q *FakeQuerier) GetWorkspaceByOwnerIDAndName(_ context.Context, arg databa`
`8053`	`8053`	`return database.Workspace{},sql.ErrNoRows`
`8054`	`8054`	`}`
`8055`	`8055`
	`8056`	`+func (q*FakeQuerier)GetWorkspaceByResourceID(ctx context.Context,resourceID uuid.UUID) (database.Workspace,error) {`
	`8057`	`+q.mutex.RLock()`
	`8058`	`+deferq.mutex.RUnlock()`
	`8059`	`+`
	`8060`	`+for_,resource:=rangeq.workspaceResources {`
	`8061`	`+ifresource.ID!=resourceID {`
	`8062`	`+continue`
	`8063`	`+}`
	`8064`	`+`
	`8065`	`+for_,build:=rangeq.workspaceBuilds {`
	`8066`	`+ifbuild.JobID!=resource.JobID {`
	`8067`	`+continue`
	`8068`	`+}`
	`8069`	`+`
	`8070`	`+for_,workspace:=rangeq.workspaces {`
	`8071`	`+ifworkspace.ID!=build.WorkspaceID {`
	`8072`	`+continue`
	`8073`	`+}`
	`8074`	`+`
	`8075`	`+returnq.extendWorkspace(workspace),nil`
	`8076`	`+}`
	`8077`	`+}`
	`8078`	`+}`
	`8079`	`+`
	`8080`	`+return database.Workspace{},sql.ErrNoRows`
	`8081`	`+}`
	`8082`	`+`
`8056`	`8083`	`func (q*FakeQuerier)GetWorkspaceByWorkspaceAppID(_ context.Context,workspaceAppID uuid.UUID) (database.Workspace,error) {`
`8057`	`8084`	`iferr:=validateDatabaseType(workspaceAppID);err!=nil {`
`8058`	`8085`	`return database.Workspace{},err`

`‎coderd/database/dbmetrics/querymetrics.go‎`

Lines changed: 7 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/dbmock/dbmock.go‎`

Lines changed: 15 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/querier.go‎`

Lines changed: 1 addition & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/queries.sql.go‎`

Lines changed: 59 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/queries/workspaces.sql‎`

Lines changed: 24 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,30 @@ WHERE`
`8`	`8`	`LIMIT`
`9`	`9`	`1;`
`10`	`10`
	`11`	`+-- name: GetWorkspaceByResourceID :one`
	`12`	`+SELECT`
	`13`	`+*`
	`14`	`+FROM`
	`15`	`+workspaces_expandedas workspaces`
	`16`	`+WHERE`
	`17`	`+workspaces.id= (`
	`18`	`+SELECT`
	`19`	`+workspace_id`
	`20`	`+FROM`
	`21`	`+workspace_builds`
	`22`	`+WHERE`
	`23`	`+workspace_builds.job_id= (`
	`24`	`+SELECT`
	`25`	`+job_id`
	`26`	`+FROM`
	`27`	`+workspace_resources`
	`28`	`+WHERE`
	`29`	`+workspace_resources.id= @resource_id`
	`30`	`+)`
	`31`	`+)`
	`32`	`+LIMIT`
	`33`	`+1;`
	`34`	`+`
`11`	`35`	`-- name: GetWorkspaceByWorkspaceAppID :one`
`12`	`36`	`SELECT`
`13`	`37`	`*`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit3e7ff9d

File tree

19 files changed

19 files changed

`‎coderd/apidoc/docs.go‎`

`‎coderd/apidoc/swagger.json‎`

`‎coderd/database/dbauthz/dbauthz.go‎`

`‎coderd/database/dbauthz/dbauthz_test.go‎`

`‎coderd/database/dbmem/dbmem.go‎`

`‎coderd/database/dbmetrics/querymetrics.go‎`

`‎coderd/database/dbmock/dbmock.go‎`

`‎coderd/database/querier.go‎`

`‎coderd/database/queries.sql.go‎`

`‎coderd/database/queries/workspaces.sql‎`

0 commit comments