NotificationsYou must be signed in to change notification settings
Fork928
Star10.1k

Commit4da9a94

committed

refactor(dbauthz): add authz for system-level functions

- Introduces rbac.ResourceSystem- Grants system.* to system and provisionerd rbac subjects

1 parent1cc10f2 commit4da9a94Copy full SHA for 4da9a94

File tree

5 files changed

+312

-157

lines changed

coderd
- database/dbauthz
- rbac
  - object.go

5 files changed

+312

-157

lines changed

`‎coderd/database/dbauthz/dbauthz.go`

Lines changed: 27 additions & 22 deletions

Original file line number	Diff line number	Diff line change
`@@ -115,17 +115,16 @@ func ActorFromContext(ctx context.Context) (rbac.Subject, bool) {`
`115`	`115`	`returna,ok`
`116`	`116`	`}`
`117`	`117`
`118`		`-// AsProvisionerd returns a context with an actor that has permissions required`
`119`		`-// for provisionerd to function.`
`120`		`-funcAsProvisionerd(ctx context.Context) context.Context {`
`121`		`-returncontext.WithValue(ctx,authContextKey{}, rbac.Subject{`
	`118`	`+var (`
	`119`	`+subjectProvisionerd= rbac.Subject{`
`122`	`120`	`ID:uuid.Nil.String(),`
`123`	`121`	`Roles:rbac.Roles([]rbac.Role{`
`124`	`122`	`{`
`125`	`123`	`Name:"provisionerd",`
`126`	`124`	`DisplayName:"Provisioner Daemon",`
`127`	`125`	`Site:rbac.Permissions(map[string][]rbac.Action{`
`128`	`126`	`rbac.ResourceFile.Type: {rbac.ActionRead},`
	`127`	`+rbac.ResourceSystem.Type: {rbac.WildcardSymbol},`
`129`	`128`	`rbac.ResourceTemplate.Type: {rbac.ActionRead,rbac.ActionUpdate},`
`130`	`129`	`rbac.ResourceUser.Type: {rbac.ActionRead},`
`131`	`130`	`rbac.ResourceWorkspace.Type: {rbac.ActionRead,rbac.ActionUpdate,rbac.ActionDelete},`
`@@ -135,14 +134,8 @@ func AsProvisionerd(ctx context.Context) context.Context {`
`135`	`134`	`},`
`136`	`135`	`}),`
`137`	`136`	`Scope:rbac.ScopeAll,`
`138`		`-},`
`139`		`-)`
`140`		`-}`
`141`		`-`
`142`		`-// AsAutostart returns a context with an actor that has permissions required`
`143`		`-// for autostart to function.`
`144`		`-funcAsAutostart(ctx context.Context) context.Context {`
`145`		`-returncontext.WithValue(ctx,authContextKey{}, rbac.Subject{`
	`137`	`+}`
	`138`	`+subjectAutostart= rbac.Subject{`
`146`	`139`	`ID:uuid.Nil.String(),`
`147`	`140`	`Roles:rbac.Roles([]rbac.Role{`
`148`	`141`	`{`
`@@ -157,14 +150,8 @@ func AsAutostart(ctx context.Context) context.Context {`
`157`	`150`	`},`
`158`	`151`	`}),`
`159`	`152`	`Scope:rbac.ScopeAll,`
`160`		`-},`
`161`		`-)`
`162`		`-}`
`163`		`-`
`164`		`-// AsSystemRestricted returns a context with an actor that has permissions`
`165`		`-// required for various system operations (login, logout, metrics cache).`
`166`		`-funcAsSystemRestricted(ctx context.Context) context.Context {`
`167`		`-returncontext.WithValue(ctx,authContextKey{}, rbac.Subject{`
	`153`	`+}`
	`154`	`+subjectSystemRestricted= rbac.Subject{`
`168`	`155`	`ID:uuid.Nil.String(),`
`169`	`156`	`Roles:rbac.Roles([]rbac.Role{`
`170`	`157`	`{`
`@@ -175,6 +162,7 @@ func AsSystemRestricted(ctx context.Context) context.Context {`
`175`	`162`	`rbac.ResourceAPIKey.Type: {rbac.ActionCreate,rbac.ActionUpdate,rbac.ActionDelete},`
`176`	`163`	`rbac.ResourceGroup.Type: {rbac.ActionCreate,rbac.ActionUpdate},`
`177`	`164`	`rbac.ResourceRoleAssignment.Type: {rbac.ActionCreate},`
	`165`	`+rbac.ResourceSystem.Type: {rbac.WildcardSymbol},`
`178`	`166`	`rbac.ResourceOrganization.Type: {rbac.ActionCreate},`
`179`	`167`	`rbac.ResourceOrganizationMember.Type: {rbac.ActionCreate},`
`180`	`168`	`rbac.ResourceOrgRoleAssignment.Type: {rbac.ActionCreate},`
`@@ -187,8 +175,25 @@ func AsSystemRestricted(ctx context.Context) context.Context {`
`187`	`175`	`},`
`188`	`176`	`}),`
`189`	`177`	`Scope:rbac.ScopeAll,`
`190`		`-},`
`191`		`-)`
	`178`	`+}`
	`179`	`+)`
	`180`	`+`
	`181`	`+// AsProvisionerd returns a context with an actor that has permissions required`
	`182`	`+// for provisionerd to function.`
	`183`	`+funcAsProvisionerd(ctx context.Context) context.Context {`
	`184`	`+returncontext.WithValue(ctx,authContextKey{},subjectProvisionerd)`
	`185`	`+}`
	`186`	`+`
	`187`	`+// AsAutostart returns a context with an actor that has permissions required`
	`188`	`+// for autostart to function.`
	`189`	`+funcAsAutostart(ctx context.Context) context.Context {`
	`190`	`+returncontext.WithValue(ctx,authContextKey{},subjectAutostart)`
	`191`	`+}`
	`192`	`+`
	`193`	`+// AsSystemRestricted returns a context with an actor that has permissions`
	`194`	`+// required for various system operations (login, logout, metrics cache).`
	`195`	`+funcAsSystemRestricted(ctx context.Context) context.Context {`
	`196`	`+returncontext.WithValue(ctx,authContextKey{},subjectSystemRestricted)`
`192`	`197`	`}`
`193`	`198`
`194`	`199`	`varAsRemoveActor= rbac.Subject{`

`‎coderd/database/dbauthz/querier_test.go`

Lines changed: 0 additions & 74 deletions

Original file line number	Diff line number	Diff line change
`@@ -282,11 +282,6 @@ func (s *MethodTestSuite) TestProvsionerJob() {`
`282`	`282`	`check.Args(database.UpdateProvisionerJobWithCancelByIDParams{ID:j.ID}).`
`283`	`283`	`Asserts(v.RBACObject(tpl), []rbac.Action{rbac.ActionRead,rbac.ActionUpdate}).Returns()`
`284`	`284`	`}))`
`285`		`-s.Run("GetProvisionerJobsByIDs",s.Subtest(func(db database.Store,check*expects) {`
`286`		`-a:=dbgen.ProvisionerJob(s.T(),db, database.ProvisionerJob{})`
`287`		`-b:=dbgen.ProvisionerJob(s.T(),db, database.ProvisionerJob{})`
`288`		`-check.Args([]uuid.UUID{a.ID,b.ID}).Asserts().Returns(slice.New(a,b))`
`289`		`-}))`
`290`	`285`	`s.Run("GetProvisionerLogsByIDBetween",s.Subtest(func(db database.Store,check*expects) {`
`291`	`286`	`w:=dbgen.Workspace(s.T(),db, database.Workspace{})`
`292`	`287`	`j:=dbgen.ProvisionerJob(s.T(),db, database.ProvisionerJob{`
`@@ -619,22 +614,6 @@ func (s *MethodTestSuite) TestTemplate() {`
`619`	`614`	`})`
`620`	`615`	`check.Args(tv.ID).Asserts(t1,rbac.ActionRead).Returns(tv)`
`621`	`616`	`}))`
`622`		`-s.Run("GetTemplateVersionsByIDs",s.Subtest(func(db database.Store,check*expects) {`
`623`		`-t1:=dbgen.Template(s.T(),db, database.Template{})`
`624`		`-t2:=dbgen.Template(s.T(),db, database.Template{})`
`625`		`-tv1:=dbgen.TemplateVersion(s.T(),db, database.TemplateVersion{`
`626`		`-TemplateID: uuid.NullUUID{UUID:t1.ID,Valid:true},`
`627`		`-})`
`628`		`-tv2:=dbgen.TemplateVersion(s.T(),db, database.TemplateVersion{`
`629`		`-TemplateID: uuid.NullUUID{UUID:t2.ID,Valid:true},`
`630`		`-})`
`631`		`-tv3:=dbgen.TemplateVersion(s.T(),db, database.TemplateVersion{`
`632`		`-TemplateID: uuid.NullUUID{UUID:t2.ID,Valid:true},`
`633`		`-})`
`634`		`-check.Args([]uuid.UUID{tv1.ID,tv2.ID,tv3.ID}).`
`635`		`-Asserts(/t1, rbac.ActionRead, t2, rbac.ActionRead/ ).`
`636`		`-Returns(slice.New(tv1,tv2,tv3))`
`637`		`-}))`
`638`	`617`	`s.Run("GetTemplateVersionsByTemplateID",s.Subtest(func(db database.Store,check*expects) {`
`639`	`618`	`t1:=dbgen.Template(s.T(),db, database.Template{})`
`640`	`619`	`a:=dbgen.TemplateVersion(s.T(),db, database.TemplateVersion{`
`@@ -803,13 +782,6 @@ func (s *MethodTestSuite) TestUser() {`
`803`	`782`	`b:=dbgen.User(s.T(),db, database.User{CreatedAt:database.Now()})`
`804`	`783`	`check.Args(database.GetUsersParams{}).Asserts(a,rbac.ActionRead,b,rbac.ActionRead)`
`805`	`784`	`}))`
`806`		`-s.Run("GetUsersByIDs",s.Subtest(func(db database.Store,check*expects) {`
`807`		`-a:=dbgen.User(s.T(),db, database.User{CreatedAt:database.Now().Add(-time.Hour)})`
`808`		`-b:=dbgen.User(s.T(),db, database.User{CreatedAt:database.Now()})`
`809`		`-check.Args([]uuid.UUID{a.ID,b.ID}).`
`810`		`-Asserts(/a, rbac.ActionRead, b, rbac.ActionRead/ ).`
`811`		`-Returns(slice.New(a,b))`
`812`		`-}))`
`813`	`785`	`s.Run("InsertUser",s.Subtest(func(db database.Store,check*expects) {`
`814`	`786`	`check.Args(database.InsertUserParams{`
`815`	`787`	`ID:uuid.New(),`
`@@ -977,14 +949,6 @@ func (s *MethodTestSuite) TestWorkspace() {`
`977`	`949`	`agt:=dbgen.WorkspaceAgent(s.T(),db, database.WorkspaceAgent{ResourceID:res.ID})`
`978`	`950`	`check.Args(agt.AuthInstanceID.String).Asserts(ws,rbac.ActionRead).Returns(agt)`
`979`	`951`	`}))`
`980`		`-s.Run("GetWorkspaceAgentsByResourceIDs",s.Subtest(func(db database.Store,check*expects) {`
`981`		`-ws:=dbgen.Workspace(s.T(),db, database.Workspace{})`
`982`		`-build:=dbgen.WorkspaceBuild(s.T(),db, database.WorkspaceBuild{WorkspaceID:ws.ID,JobID:uuid.New()})`
`983`		`-res:=dbgen.WorkspaceResource(s.T(),db, database.WorkspaceResource{JobID:build.JobID})`
`984`		`-agt:=dbgen.WorkspaceAgent(s.T(),db, database.WorkspaceAgent{ResourceID:res.ID})`
`985`		`-check.Args([]uuid.UUID{res.ID}).Asserts(/ws, rbac.ActionRead/ ).`
`986`		`-Returns([]database.WorkspaceAgent{agt})`
`987`		`-}))`
`988`	`952`	`s.Run("UpdateWorkspaceAgentLifecycleStateByID",s.Subtest(func(db database.Store,check*expects) {`
`989`	`953`	`ws:=dbgen.Workspace(s.T(),db, database.Workspace{})`
`990`	`954`	`build:=dbgen.WorkspaceBuild(s.T(),db, database.WorkspaceBuild{WorkspaceID:ws.ID,JobID:uuid.New()})`
`@@ -1026,23 +990,6 @@ func (s *MethodTestSuite) TestWorkspace() {`
`1026`	`990`
`1027`	`991`	`check.Args(agt.ID).Asserts(ws,rbac.ActionRead).Returns(slice.New(a,b))`
`1028`	`992`	`}))`
`1029`		`-s.Run("GetWorkspaceAppsByAgentIDs",s.Subtest(func(db database.Store,check*expects) {`
`1030`		`-aWs:=dbgen.Workspace(s.T(),db, database.Workspace{})`
`1031`		`-aBuild:=dbgen.WorkspaceBuild(s.T(),db, database.WorkspaceBuild{WorkspaceID:aWs.ID,JobID:uuid.New()})`
`1032`		`-aRes:=dbgen.WorkspaceResource(s.T(),db, database.WorkspaceResource{JobID:aBuild.JobID})`
`1033`		`-aAgt:=dbgen.WorkspaceAgent(s.T(),db, database.WorkspaceAgent{ResourceID:aRes.ID})`
`1034`		`-a:=dbgen.WorkspaceApp(s.T(),db, database.WorkspaceApp{AgentID:aAgt.ID})`
`1035`		`-`
`1036`		`-bWs:=dbgen.Workspace(s.T(),db, database.Workspace{})`
`1037`		`-bBuild:=dbgen.WorkspaceBuild(s.T(),db, database.WorkspaceBuild{WorkspaceID:bWs.ID,JobID:uuid.New()})`
`1038`		`-bRes:=dbgen.WorkspaceResource(s.T(),db, database.WorkspaceResource{JobID:bBuild.JobID})`
`1039`		`-bAgt:=dbgen.WorkspaceAgent(s.T(),db, database.WorkspaceAgent{ResourceID:bRes.ID})`
`1040`		`-b:=dbgen.WorkspaceApp(s.T(),db, database.WorkspaceApp{AgentID:bAgt.ID})`
`1041`		`-`
`1042`		`-check.Args([]uuid.UUID{a.AgentID,b.AgentID}).`
`1043`		`-Asserts(/aWs, rbac.ActionRead, bWs, rbac.ActionRead/ ).`
`1044`		`-Returns([]database.WorkspaceApp{a,b})`
`1045`		`-}))`
`1046`	`993`	`s.Run("GetWorkspaceBuildByID",s.Subtest(func(db database.Store,check*expects) {`
`1047`	`994`	`ws:=dbgen.Workspace(s.T(),db, database.Workspace{})`
`1048`	`995`	`build:=dbgen.WorkspaceBuild(s.T(),db, database.WorkspaceBuild{WorkspaceID:ws.ID})`
`@@ -1096,15 +1043,6 @@ func (s *MethodTestSuite) TestWorkspace() {`
`1096`	`1043`	`res:=dbgen.WorkspaceResource(s.T(),db, database.WorkspaceResource{JobID:build.JobID})`
`1097`	`1044`	`check.Args(res.ID).Asserts(ws,rbac.ActionRead).Returns(res)`
`1098`	`1045`	`}))`
`1099`		`-s.Run("GetWorkspaceResourceMetadataByResourceIDs",s.Subtest(func(db database.Store,check*expects) {`
`1100`		`-ws:=dbgen.Workspace(s.T(),db, database.Workspace{})`
`1101`		`-build:=dbgen.WorkspaceBuild(s.T(),db, database.WorkspaceBuild{WorkspaceID:ws.ID,JobID:uuid.New()})`
`1102`		`-_=dbgen.ProvisionerJob(s.T(),db, database.ProvisionerJob{ID:build.JobID,Type:database.ProvisionerJobTypeWorkspaceBuild})`
`1103`		`-a:=dbgen.WorkspaceResource(s.T(),db, database.WorkspaceResource{JobID:build.JobID})`
`1104`		`-b:=dbgen.WorkspaceResource(s.T(),db, database.WorkspaceResource{JobID:build.JobID})`
`1105`		`-check.Args([]uuid.UUID{a.ID,b.ID}).`
`1106`		`-Asserts(/ws, []rbac.Action{rbac.ActionRead, rbac.ActionRead}/ )`
`1107`		`-}))`
`1108`	`1046`	`s.Run("Build/GetWorkspaceResourcesByJobID",s.Subtest(func(db database.Store,check*expects) {`
`1109`	`1047`	`ws:=dbgen.Workspace(s.T(),db, database.Workspace{})`
`1110`	`1048`	`build:=dbgen.WorkspaceBuild(s.T(),db, database.WorkspaceBuild{WorkspaceID:ws.ID,JobID:uuid.New()})`
`@@ -1117,18 +1055,6 @@ func (s *MethodTestSuite) TestWorkspace() {`
`1117`	`1055`	`job:=dbgen.ProvisionerJob(s.T(),db, database.ProvisionerJob{ID:v.JobID,Type:database.ProvisionerJobTypeTemplateVersionImport})`
`1118`	`1056`	`check.Args(job.ID).Asserts(v.RBACObject(tpl), []rbac.Action{rbac.ActionRead,rbac.ActionRead}).Returns([]database.WorkspaceResource{})`
`1119`	`1057`	`}))`
`1120`		`-s.Run("GetWorkspaceResourcesByJobIDs",s.Subtest(func(db database.Store,check*expects) {`
`1121`		`-tpl:=dbgen.Template(s.T(),db, database.Template{})`
`1122`		`-v:=dbgen.TemplateVersion(s.T(),db, database.TemplateVersion{TemplateID: uuid.NullUUID{UUID:tpl.ID,Valid:true},JobID:uuid.New()})`
`1123`		`-tJob:=dbgen.ProvisionerJob(s.T(),db, database.ProvisionerJob{ID:v.JobID,Type:database.ProvisionerJobTypeTemplateVersionImport})`
`1124`		`-`
`1125`		`-ws:=dbgen.Workspace(s.T(),db, database.Workspace{})`
`1126`		`-build:=dbgen.WorkspaceBuild(s.T(),db, database.WorkspaceBuild{WorkspaceID:ws.ID,JobID:uuid.New()})`
`1127`		`-wJob:=dbgen.ProvisionerJob(s.T(),db, database.ProvisionerJob{ID:build.JobID,Type:database.ProvisionerJobTypeWorkspaceBuild})`
`1128`		`-check.Args([]uuid.UUID{tJob.ID,wJob.ID}).`
`1129`		`-Asserts(/v.RBACObject(tpl), rbac.ActionRead, ws, rbac.ActionRead/ ).`
`1130`		`-Returns([]database.WorkspaceResource{})`
`1131`		`-}))`
`1132`	`1058`	`s.Run("InsertWorkspace",s.Subtest(func(db database.Store,check*expects) {`
`1133`	`1059`	`u:=dbgen.User(s.T(),db, database.User{})`
`1134`	`1060`	`o:=dbgen.Organization(s.T(),db, database.Organization{})`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit4da9a94

File tree

5 files changed

5 files changed

`‎coderd/database/dbauthz/dbauthz.go`

`‎coderd/database/dbauthz/querier_test.go`

0 commit comments