Commit4f71c30

committed
more progress
1 parent96f3fd9 commit4f71c30

11 files changed

+299
-511
lines changed


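--- a/coderd/authorize.go
+++ b/coderd/authorize.go
@@ -190,12 +190,6 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) {
 vardbErrerror
 // Only support referencing some resources by ID.
 switchv.Object.ResourceType.String() {
-caserbac.ResourceWorkspaceExecution.Type:
-workSpace,err:=api.Database.GetWorkspaceByID(ctx,id)
-iferr==nil {
-dbObj=workSpace.ExecutionRBAC()
-}
-dbErr=err
 caserbac.ResourceWorkspace.Type:
 dbObj,dbErr=api.Database.GetWorkspaceByID(ctx,id)
 caserbac.ResourceTemplate.Type: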
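--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -193,11 +193,10 @@ var (
 Name:"autostart",
 DisplayName:"Autostart Daemon",
 Site:rbac.Permissions(map[string][]policy.Action{
-rbac.ResourceSystem.Type: {rbac.WildcardSymbol},
-rbac.ResourceTemplate.Type: {policy.ActionRead,policy.ActionUpdate},
-rbac.ResourceWorkspace.Type: {policy.ActionRead,policy.ActionUpdate},
-rbac.ResourceWorkspaceBuild.Type: {policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},
-rbac.ResourceUser.Type: {policy.ActionRead},
+rbac.ResourceSystem.Type: {rbac.WildcardSymbol},
+rbac.ResourceTemplate.Type: {policy.ActionRead,policy.ActionUpdate},
+rbac.ResourceWorkspace.Type: {policy.ActionRead,policy.ActionUpdate,policy.ActionWorkspaceBuild},
+rbac.ResourceUser.Type: {policy.ActionRead},
 }),
 Org:map[string][]rbac.Permission{},
 User: []rbac.Permission{},
@@ -316,6 +315,20 @@ func insert[
 authorizer rbac.Authorizer,
 object rbac.Objecter,
 insertFuncInsert,
+)Insert {
+returninsertWithAction(logger,authorizer,object,policy.ActionCreate,insertFunc)
+}
+
+funcinsertWithAction[
+ObjectTypeany,
+ArgumentTypeany,
+Insertfunc(ctx context.Context,argArgumentType) (ObjectType,error),
+](
+logger slog.Logger,
+authorizer rbac.Authorizer,
+object rbac.Objecter,
+action policy.Action,
+insertFuncInsert,
 )Insert {
 returnfunc(ctx context.Context,argArgumentType) (emptyObjectType,errerror) {
 // Fetch the rbac subject
@@ -325,7 +338,7 @@ func insert[
 }
 
 // Authorize the action
-err=authorizer.Authorize(ctx,act,policy.ActionCreate,object.RBACObject())
+err=authorizer.Authorize(ctx,act,action,object.RBACObject())
 iferr!=nil {
 returnempty,logNotAuthorizedError(ctx,logger,err)
 }
@@ -1804,19 +1817,19 @@ func (q *querier) GetUnexpiredLicenses(ctx context.Context) ([]database.License,
 
 func (q*querier)GetUserActivityInsights(ctx context.Context,arg database.GetUserActivityInsightsParams) ([]database.GetUserActivityInsightsRow,error) {
 // Used by insights endpoints. Need to check both for auditors and for regular users with template acl perms.
-iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceTemplateInsights);err!=nil {
+iferr:=q.authorizeContext(ctx,policy.ActionViewInsights,rbac.ResourceTemplate);err!=nil {
 for_,templateID:=rangearg.TemplateIDs {
 template,err:=q.db.GetTemplateByID(ctx,templateID)
 iferr!=nil {
 returnnil,err
 }
 
-iferr:=q.authorizeContext(ctx,policy.ActionUpdate,template);err!=nil {
+iferr:=q.authorizeContext(ctx,policy.ActionViewInsights,template.RBACObject());err!=nil {
 returnnil,err
 }
 }
 iflen(arg.TemplateIDs)==0 {
-iferr:=q.authorizeContext(ctx,policy.ActionUpdate,rbac.ResourceTemplate.All());err!=nil {
+iferr:=q.authorizeContext(ctx,policy.ActionViewInsights,rbac.ResourceTemplate.All());err!=nil {
 returnnil,err
 }
 }
@@ -1841,19 +1854,19 @@ func (q *querier) GetUserCount(ctx context.Context) (int64, error) {
 
 func (q*querier)GetUserLatencyInsights(ctx context.Context,arg database.GetUserLatencyInsightsParams) ([]database.GetUserLatencyInsightsRow,error) {
 // Used by insights endpoints. Need to check both for auditors and for regular users with template acl perms.
-iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceTemplateInsights);err!=nil {
+iferr:=q.authorizeContext(ctx,policy.ActionViewInsights,rbac.ResourceTemplate);err!=nil {
 for_,templateID:=rangearg.TemplateIDs {
 template,err:=q.db.GetTemplateByID(ctx,templateID)
 iferr!=nil {
 returnnil,err
 }
 
-iferr:=q.authorizeContext(ctx,policy.ActionUpdate,template);err!=nil {
+iferr:=q.authorizeContext(ctx,policy.ActionViewInsights,template);err!=nil {
 returnnil,err
 }
 }
 iflen(arg.TemplateIDs)==0 {
-iferr:=q.authorizeContext(ctx,policy.ActionUpdate,rbac.ResourceTemplate.All());err!=nil {
+iferr:=q.authorizeContext(ctx,policy.ActionViewInsights,rbac.ResourceTemplate.All());err!=nil {
 returnnil,err
 }
 }
@@ -2313,15 +2326,15 @@ func (q *querier) InsertDeploymentID(ctx context.Context, value string) error {
 }
 
 func (q*querier)InsertExternalAuthLink(ctx context.Context,arg database.InsertExternalAuthLinkParams) (database.ExternalAuthLink,error) {
-returninsert(q.log,q.auth,rbac.ResourceUserData.WithOwner(arg.UserID.String()).WithID(arg.UserID),q.db.InsertExternalAuthLink)(ctx,arg)
+returninsertWithAction(q.log,q.auth,rbac.ResourceUser.WithID(arg.UserID).WithOwner(arg.UserID.String()),policy.ActionUpdatePersonal,q.db.InsertExternalAuthLink)(ctx,arg)
 }
 
 func (q*querier)InsertFile(ctx context.Context,arg database.InsertFileParams) (database.File,error) {
 returninsert(q.log,q.auth,rbac.ResourceFile.WithOwner(arg.CreatedBy.String()),q.db.InsertFile)(ctx,arg)
 }
 
 func (q*querier)InsertGitSSHKey(ctx context.Context,arg database.InsertGitSSHKeyParams) (database.GitSSHKey,error) {
-returninsert(q.log,q.auth,rbac.ResourceUserData.WithOwner(arg.UserID.String()).WithID(arg.UserID),q.db.InsertGitSSHKey)(ctx,arg)
+returninsertWithAction(q.log,q.auth,rbac.ResourceUser.WithOwner(arg.UserID.String()).WithID(arg.UserID),policy.ActionUpdatePersonal,q.db.InsertGitSSHKey)(ctx,arg)
 }
 
 func (q*querier)InsertGroup(ctx context.Context,arg database.InsertGroupParams) (database.Group,error) {
@@ -2997,7 +3010,7 @@ func (q *querier) UpdateUserAppearanceSettings(ctx context.Context, arg database
 iferr!=nil {
 return database.User{},err
 }
-iferr:=q.authorizeContext(ctx,policy.ActionUpdate,u.UserDataRBACObject());err!=nil {
+iferr:=q.authorizeContext(ctx,policy.ActionUpdatePersonal,u);err!=nil {
 return database.User{},err
 }
 returnq.db.UpdateUserAppearanceSettings(ctx,arg)
@@ -3013,10 +3026,10 @@ func (q *querier) UpdateUserHashedPassword(ctx context.Context, arg database.Upd
 returnerr
 }
 
-err=q.authorizeContext(ctx,policy.ActionUpdate,user.UserDataRBACObject())
+err=q.authorizeContext(ctx,policy.ActionUpdatePersonal,user)
 iferr!=nil {
 // Admins can update passwords for other users.
-err=q.authorizeContext(ctx,policy.ActionUpdate,user.RBACObject())
+err=q.authorizeContext(ctx,policy.ActionUpdate,user)
 iferr!=nil {
 returnerr
 }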
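Review bot: `insertWithAction` now carries every authorization decision that `insert` used to make with a fixed `policy.ActionCreate`, but it is added without a doc comment; suggested: `// insertWithAction wraps insertFunc so the caller's RBAC subject must be authorized for action on object before the insert runs; insert is the ActionCreate special case.` The two insights hunks pass the template in different forms, `template.RBACObject()` in GetUserActivityInsights and bare `template` in GetUserLatencyInsights; presumably both satisfy the same parameter type, but one form should be used consistently so a reader does not wonder whether a different object is being authorized. In the autostart permission hunk the `rbac.ResourceWorkspaceBuild.Type` entry, including `policy.ActionDelete`, is removed and only `policy.ActionWorkspaceBuild` on the workspace is added; if the daemon still needs to delete builds this narrows its permissions, so confirm that is intended. The bodies of `insert` and `insertWithAction` continue outside the hunk.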

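--- a/coderd/database/modelmethods.go
+++ b/coderd/database/modelmethods.go
@@ -100,7 +100,7 @@ func (s APIKeyScope) ToRBAC() rbac.ScopeName {
 }
 
 func (kAPIKey)RBACObject() rbac.Object {
-returnrbac.ResourceAPIKey.WithIDString(k.ID).
+returnrbac.ResourceApiKey.WithIDString(k.ID).
 WithOwner(k.UserID.String())
 }
 
@@ -154,31 +154,12 @@ func (w GetWorkspaceByAgentIDRow) RBACObject() rbac.Object {
 }
 
 func (wWorkspace)RBACObject() rbac.Object {
-returnrbac.ResourceWorkspace.WithID(w.ID).
-InOrg(w.OrganizationID).
-WithOwner(w.OwnerID.String())
-}
-
-func (wWorkspace)ExecutionRBAC() rbac.Object {
 // If a workspace is locked it cannot be accessed.
 ifw.DormantAt.Valid {
 returnw.DormantRBAC()
 }
 
-returnrbac.ResourceWorkspaceExecution.
-WithID(w.ID).
-InOrg(w.OrganizationID).
-WithOwner(w.OwnerID.String())
-}
-
-func (wWorkspace)ApplicationConnectRBAC() rbac.Object {
-// If a workspace is locked it cannot be accessed.
-ifw.DormantAt.Valid {
-returnw.DormantRBAC()
-}
-
-returnrbac.ResourceWorkspaceExecution.
-WithID(w.ID).
+returnrbac.ResourceWorkspace.WithID(w.ID).
 InOrg(w.OrganizationID).
 WithOwner(w.OwnerID.String())
 }
@@ -291,15 +272,15 @@ func (l License) RBACObject() rbac.Object {
 }
 
 func (cOAuth2ProviderAppCode)RBACObject() rbac.Object {
-returnrbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(c.UserID.String())
+returnrbac.ResourceOauth2AppCodeToken.WithOwner(c.UserID.String())
 }
 
 func (OAuth2ProviderAppSecret)RBACObject() rbac.Object {
-returnrbac.ResourceOAuth2ProviderAppSecret
+returnrbac.ResourceOauth2AppSecret
 }
 
 func (OAuth2ProviderApp)RBACObject() rbac.Object {
-returnrbac.ResourceOAuth2ProviderApp
+returnrbac.ResourceOauth2App
 }
 
 func (aGetOAuth2ProviderAppsByUserIDRow)RBACObject() rbac.Object {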