NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commit6585fe0

committed

group permissions by org id

1 parentbe22c38 commit6585fe0Copy full SHA for 6585fe0

File tree

15 files changed

+234

-203

lines changed

coderd
- database
  - db2sdk
    - db2sdk.go
  - dbauthz
    - dbauthz.go
  - modelmethods.go
- rbac
- workspaceapps
  - db.go
enterprise
- coderd
  - coderd_test.go
- tailnet
  - pgcoord.go

15 files changed

+234

-203

lines changed

`‎coderd/database/db2sdk/db2sdk.go‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -693,13 +693,13 @@ func SlimRoleFromName(name string) codersdk.SlimRole {`
`693`	`693`	`funcRBACRole(role rbac.Role) codersdk.Role {`
`694`	`694`	`slim:=SlimRole(role)`
`695`	`695`
`696`		`-orgPerms:=role.Org[slim.OrganizationID]`
	`696`	`+orgPerms:=role.ByOrgID[slim.OrganizationID]`
`697`	`697`	`return codersdk.Role{`
`698`	`698`	`Name:slim.Name,`
`699`	`699`	`OrganizationID:slim.OrganizationID,`
`700`	`700`	`DisplayName:slim.DisplayName,`
`701`	`701`	`SitePermissions:List(role.Site,RBACPermission),`
`702`		`-OrganizationPermissions:List(orgPerms,RBACPermission),`
	`702`	`+OrganizationPermissions:List(orgPerms.Org,RBACPermission),`
`703`	`703`	`UserPermissions:List(role.User,RBACPermission),`
`704`	`704`	`}`
`705`	`705`	`}`

`‎coderd/database/dbauthz/dbauthz.go‎`

Lines changed: 33 additions & 33 deletions

Original file line number	Diff line number	Diff line change
`@@ -232,8 +232,8 @@ var (`
`232`	`232`	`// Provisionerd creates usage events`
`233`	`233`	`rbac.ResourceUsageEvent.Type: {policy.ActionCreate},`
`234`	`234`	`}),`
`235`		`-Org:map[string][]rbac.Permission{},`
`236`		`-User: []rbac.Permission{},`
	`235`	`+User:[]rbac.Permission{},`
	`236`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`237`	`237`	`},`
`238`	`238`	`}),`
`239`	`239`	`Scope:rbac.ScopeAll,`
`@@ -257,8 +257,8 @@ var (`
`257`	`257`	`rbac.ResourceWorkspace.Type: {policy.ActionDelete,policy.ActionRead,policy.ActionUpdate,policy.ActionWorkspaceStart,policy.ActionWorkspaceStop},`
`258`	`258`	`rbac.ResourceWorkspaceDormant.Type: {policy.ActionDelete,policy.ActionRead,policy.ActionUpdate,policy.ActionWorkspaceStop},`
`259`	`259`	`}),`
`260`		`-Org:map[string][]rbac.Permission{},`
`261`		`-User: []rbac.Permission{},`
	`260`	`+User:[]rbac.Permission{},`
	`261`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`262`	`262`	`},`
`263`	`263`	`}),`
`264`	`264`	`Scope:rbac.ScopeAll,`
`@@ -279,8 +279,8 @@ var (`
`279`	`279`	`rbac.ResourceWorkspace.Type: {policy.ActionRead,policy.ActionUpdate},`
`280`	`280`	`rbac.ResourceProvisionerJobs.Type: {policy.ActionRead,policy.ActionUpdate},`
`281`	`281`	`}),`
`282`		`-Org:map[string][]rbac.Permission{},`
`283`		`-User: []rbac.Permission{},`
	`282`	`+User:[]rbac.Permission{},`
	`283`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`284`	`284`	`},`
`285`	`285`	`}),`
`286`	`286`	`Scope:rbac.ScopeAll,`
`@@ -298,8 +298,8 @@ var (`
`298`	`298`	`Site:rbac.Permissions(map[string][]policy.Action{`
`299`	`299`	`rbac.ResourceCryptoKey.Type: {policy.WildcardSymbol},`
`300`	`300`	`}),`
`301`		`-Org:map[string][]rbac.Permission{},`
`302`		`-User: []rbac.Permission{},`
	`301`	`+User:[]rbac.Permission{},`
	`302`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`303`	`303`	`},`
`304`	`304`	`}),`
`305`	`305`	`Scope:rbac.ScopeAll,`
`@@ -317,8 +317,8 @@ var (`
`317`	`317`	`Site:rbac.Permissions(map[string][]policy.Action{`
`318`	`318`	`rbac.ResourceCryptoKey.Type: {policy.WildcardSymbol},`
`319`	`319`	`}),`
`320`		`-Org:map[string][]rbac.Permission{},`
`321`		`-User: []rbac.Permission{},`
	`320`	`+User:[]rbac.Permission{},`
	`321`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`322`	`322`	`},`
`323`	`323`	`}),`
`324`	`324`	`Scope:rbac.ScopeAll,`
`@@ -335,8 +335,8 @@ var (`
`335`	`335`	`Site:rbac.Permissions(map[string][]policy.Action{`
`336`	`336`	`rbac.ResourceConnectionLog.Type: {policy.ActionUpdate,policy.ActionRead},`
`337`	`337`	`}),`
`338`		`-Org:map[string][]rbac.Permission{},`
`339`		`-User: []rbac.Permission{},`
	`338`	`+User:[]rbac.Permission{},`
	`339`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`340`	`340`	`},`
`341`	`341`	`}),`
`342`	`342`	`Scope:rbac.ScopeAll,`
`@@ -356,8 +356,8 @@ var (`
`356`	`356`	`rbac.ResourceWebpushSubscription.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},`
`357`	`357`	`rbac.ResourceDeploymentConfig.Type: {policy.ActionRead,policy.ActionUpdate},// To read and upsert VAPID keys`
`358`	`358`	`}),`
`359`		`-Org:map[string][]rbac.Permission{},`
`360`		`-User: []rbac.Permission{},`
	`359`	`+User:[]rbac.Permission{},`
	`360`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`361`	`361`	`},`
`362`	`362`	`}),`
`363`	`363`	`Scope:rbac.ScopeAll,`
`@@ -375,8 +375,8 @@ var (`
`375`	`375`	`// The workspace monitor needs to be able to update monitors`
`376`	`376`	`rbac.ResourceWorkspaceAgentResourceMonitor.Type: {policy.ActionUpdate},`
`377`	`377`	`}),`
`378`		`-Org:map[string][]rbac.Permission{},`
`379`		`-User: []rbac.Permission{},`
	`378`	`+User:[]rbac.Permission{},`
	`379`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`380`	`380`	`},`
`381`	`381`	`}),`
`382`	`382`	`Scope:rbac.ScopeAll,`
`@@ -392,12 +392,12 @@ var (`
`392`	`392`	`Identifier: rbac.RoleIdentifier{Name:"subagentapi"},`
`393`	`393`	`DisplayName:"Sub Agent API",`
`394`	`394`	`Site: []rbac.Permission{},`
`395`		`-Org:map[string][]rbac.Permission{`
`396`		`-orgID.String(): {},`
`397`		`-},`
`398`	`395`	`User:rbac.Permissions(map[string][]policy.Action{`
`399`	`396`	`rbac.ResourceWorkspace.Type: {policy.ActionRead,policy.ActionUpdate,policy.ActionCreateAgent,policy.ActionDeleteAgent},`
`400`	`397`	`}),`
	`398`	`+ByOrgID:map[string]rbac.OrgPermissions{`
	`399`	`+orgID.String(): {},`
	`400`	`+},`
`401`	`401`	`},`
`402`	`402`	`}),`
`403`	`403`	`Scope:rbac.ScopeAll,`
`@@ -436,8 +436,8 @@ var (`
`436`	`436`	`rbac.ResourceOauth2App.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},`
`437`	`437`	`rbac.ResourceOauth2AppSecret.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},`
`438`	`438`	`}),`
`439`		`-Org:map[string][]rbac.Permission{},`
`440`		`-User: []rbac.Permission{},`
	`439`	`+User:[]rbac.Permission{},`
	`440`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`441`	`441`	`},`
`442`	`442`	`}),`
`443`	`443`	`Scope:rbac.ScopeAll,`
`@@ -454,8 +454,8 @@ var (`
`454`	`454`	`Site:rbac.Permissions(map[string][]policy.Action{`
`455`	`455`	`rbac.ResourceProvisionerDaemon.Type: {policy.ActionRead},`
`456`	`456`	`}),`
`457`		`-Org:map[string][]rbac.Permission{},`
`458`		`-User: []rbac.Permission{},`
	`457`	`+User:[]rbac.Permission{},`
	`458`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`459`	`459`	`},`
`460`	`460`	`}),`
`461`	`461`	`Scope:rbac.ScopeAll,`
`@@ -531,8 +531,8 @@ var (`
`531`	`531`	`Site:rbac.Permissions(map[string][]policy.Action{`
`532`	`532`	`rbac.ResourceFile.Type: {policy.ActionRead},`
`533`	`533`	`}),`
`534`		`-Org:map[string][]rbac.Permission{},`
`535`		`-User: []rbac.Permission{},`
	`534`	`+User:[]rbac.Permission{},`
	`535`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`536`	`536`	`},`
`537`	`537`	`}),`
`538`	`538`	`Scope:rbac.ScopeAll,`
`@@ -552,8 +552,8 @@ var (`
`552`	`552`	`// reads/processes them.`
`553`	`553`	`rbac.ResourceUsageEvent.Type: {policy.ActionRead,policy.ActionUpdate},`
`554`	`554`	`}),`
`555`		`-Org:map[string][]rbac.Permission{},`
`556`		`-User: []rbac.Permission{},`
	`555`	`+User:[]rbac.Permission{},`
	`556`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`557`	`557`	`},`
`558`	`558`	`}),`
`559`	`559`	`Scope:rbac.ScopeAll,`
`@@ -576,8 +576,8 @@ var (`
`576`	`576`	`rbac.ResourceApiKey.Type: {policy.ActionRead},// Validate API keys.`
`577`	`577`	`rbac.ResourceAibridgeInterception.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate},`
`578`	`578`	`}),`
`579`		`-Org:map[string][]rbac.Permission{},`
`580`		`-User: []rbac.Permission{},`
	`579`	`+User:[]rbac.Permission{},`
	`580`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`581`	`581`	`},`
`582`	`582`	`}),`
`583`	`583`	`Scope:rbac.ScopeAll,`
`@@ -1253,13 +1253,13 @@ func (q *querier) customRoleCheck(ctx context.Context, role database.CustomRole)`
`1253`	`1253`	`returnxerrors.Errorf("invalid role: %w",err)`
`1254`	`1254`	`}`
`1255`	`1255`
`1256`		`-iflen(rbacRole.Org)>0&&len(rbacRole.Site)>0 {`
	`1256`	`+iflen(rbacRole.ByOrgID)>0&&len(rbacRole.Site)>0 {`
`1257`	`1257`	`// This is a choice to keep roles simple. If we allow mixing site and org scoped perms, then knowing who can`
`1258`	`1258`	`// do what gets more complicated.`
`1259`	`1259`	`returnxerrors.Errorf("invalid custom role, cannot assign both org and site permissions at the same time")`
`1260`	`1260`	`}`
`1261`	`1261`
`1262`		`-iflen(rbacRole.Org)>1 {`
	`1262`	`+iflen(rbacRole.ByOrgID)>1 {`
`1263`	`1263`	`// Again to avoid more complexity in our roles`
`1264`	`1264`	`returnxerrors.Errorf("invalid custom role, cannot assign permissions to more than 1 org at a time")`
`1265`	`1265`	`}`
`@@ -1272,8 +1272,8 @@ func (q *querier) customRoleCheck(ctx context.Context, role database.CustomRole)`
`1272`	`1272`	`}`
`1273`	`1273`	`}`
`1274`	`1274`
`1275`		`-fororgID,perms:=rangerbacRole.Org {`
`1276`		`-for_,orgPerm:=rangeperms {`
	`1275`	`+fororgID,perms:=rangerbacRole.ByOrgID {`
	`1276`	`+for_,orgPerm:=rangeperms.Org {`
`1277`	`1277`	`err:=q.customRoleEscalationCheck(ctx,act,orgPerm, rbac.Object{OrgID:orgID,Type:orgPerm.ResourceType})`
`1278`	`1278`	`iferr!=nil {`
`1279`	`1279`	`returnxerrors.Errorf("org=%q: %w",orgID,err)`

`‎coderd/database/modelmethods.go‎`

Lines changed: 9 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -170,8 +170,8 @@ func (s APIKeyScopes) Expand() (rbac.Scope, error) {`
`170`	`170`	`// Identifier is informational; not used in policy evaluation.`
`171`	`171`	`Identifier: rbac.RoleIdentifier{Name:"Scope_Multiple"},`
`172`	`172`	`Site:nil,`
`173`		`-Org:map[string][]rbac.Permission{},`
`174`	`173`	`User:nil,`
	`174`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`175`	`175`	`}`
`176`	`176`
`177`	`177`	`// Track allow list union, collapsing to wildcard if any child is wildcard.`
`@@ -186,8 +186,10 @@ func (s APIKeyScopes) Expand() (rbac.Scope, error) {`
`186`	`186`
`187`	`187`	`// Merge role permissions: union by simple concatenation.`
`188`	`188`	`merged.Site=append(merged.Site,expanded.Site...)`
`189`		`-fororgID,perms:=rangeexpanded.Org {`
`190`		`-merged.Org[orgID]=append(merged.Org[orgID],perms...)`
	`189`	`+fororgID,perms:=rangeexpanded.ByOrgID {`
	`190`	`+orgPerms:=merged.ByOrgID[orgID]`
	`191`	`+orgPerms.Org=append(orgPerms.Org,perms.Org...)`
	`192`	`+merged.ByOrgID[orgID]=orgPerms`
`191`	`193`	`}`
`192`	`194`	`merged.User=append(merged.User,expanded.User...)`
`193`	`195`
`@@ -205,10 +207,11 @@ func (s APIKeyScopes) Expand() (rbac.Scope, error) {`
`205`	`207`
`206`	`208`	`// De-duplicate permissions across Site/Org/User`
`207`	`209`	`merged.Site=rbac.DeduplicatePermissions(merged.Site)`
`208`		`-fororgID,perms:=rangemerged.Org {`
`209`		`-merged.Org[orgID]=rbac.DeduplicatePermissions(perms)`
`210`		`-}`
`211`	`210`	`merged.User=rbac.DeduplicatePermissions(merged.User)`
	`211`	`+fororgID,perms:=rangemerged.ByOrgID {`
	`212`	`+perms.Org=rbac.DeduplicatePermissions(perms.Org)`
	`213`	`+merged.ByOrgID[orgID]=perms`
	`214`	`+}`
`212`	`215`
`213`	`216`	`ifallowAll\|\|len(allowSet)==0 {`
`214`	`217`	`merged.AllowIDList= []rbac.AllowListElement{rbac.AllowListAll()}`

`‎coderd/rbac/astvalue.go‎`

Lines changed: 14 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -157,23 +157,30 @@ func (role Role) regoValue() ast.Value {`
`157`	`157`	`ifrole.cachedRegoValue!=nil {`
`158`	`158`	`returnrole.cachedRegoValue`
`159`	`159`	`}`
`160`		`-orgMap:=ast.NewObject()`
`161`		`-fork,p:=rangerole.Org {`
`162`		`-orgMap.Insert(ast.StringTerm(k),ast.NewTerm(regoSlice(p)))`
	`160`	`+byOrgIDMap:=ast.NewObject()`
	`161`	`+fork,p:=rangerole.ByOrgID {`
	`162`	`+byOrgIDMap.Insert(ast.StringTerm(k),ast.NewTerm(`
	`163`	`+ast.NewObject(`
	`164`	`+[2]*ast.Term{`
	`165`	`+ast.StringTerm("org"),`
	`166`	`+ast.NewTerm(regoSlice(p.Org)),`
	`167`	`+},`
	`168`	`+),`
	`169`	`+))`
`163`	`170`	`}`
`164`	`171`	`returnast.NewObject(`
`165`	`172`	`[2]*ast.Term{`
`166`	`173`	`ast.StringTerm("site"),`
`167`	`174`	`ast.NewTerm(regoSlice(role.Site)),`
`168`	`175`	`},`
`169`		`-[2]*ast.Term{`
`170`		`-ast.StringTerm("org"),`
`171`		`-ast.NewTerm(orgMap),`
`172`		`-},`
`173`	`176`	`[2]*ast.Term{`
`174`	`177`	`ast.StringTerm("user"),`
`175`	`178`	`ast.NewTerm(regoSlice(role.User)),`
`176`	`179`	`},`
	`180`	`+[2]*ast.Term{`
	`181`	`+ast.StringTerm("by_org_id"),`
	`182`	`+ast.NewTerm(byOrgIDMap),`
	`183`	`+},`
`177`	`184`	`)`
`178`	`185`	`}`
`179`	`186`

`‎coderd/rbac/authz_internal_test.go‎`

Lines changed: 27 additions & 21 deletions

Original file line number	Diff line number	Diff line change
`@@ -633,20 +633,22 @@ func TestAuthorizeDomain(t *testing.T) {`
`633`	`633`	`{`
`634`	`634`	`Identifier:RoleIdentifier{Name:"ReadOnlyOrgAndUser"},`
`635`	`635`	`Site: []Permission{},`
`636`		`-Org:map[string][]Permission{`
`637`		`-defOrg.String(): {{`
`638`		`-Negate:false,`
`639`		`-ResourceType:"*",`
`640`		`-Action:policy.ActionRead,`
`641`		`-}},`
`642`		`-},`
`643`	`636`	`User: []Permission{`
`644`	`637`	`{`
`645`	`638`	`Negate:false,`
`646`	`639`	`ResourceType:"*",`
`647`	`640`	`Action:policy.ActionRead,`
`648`	`641`	`},`
`649`	`642`	`},`
	`643`	`+ByOrgID:map[string]OrgPermissions{`
	`644`	`+defOrg.String(): {`
	`645`	`+Org: []Permission{{`
	`646`	`+Negate:false,`
	`647`	`+ResourceType:"*",`
	`648`	`+Action:policy.ActionRead,`
	`649`	`+}},`
	`650`	`+},`
	`651`	`+},`
`650`	`652`	`},`
`651`	`653`	`},`
`652`	`654`	`}`
`@@ -726,12 +728,14 @@ func TestAuthorizeLevels(t *testing.T) {`
`726`	`728`	`must(RoleByName(RoleOwner())),`
`727`	`729`	`{`
`728`	`730`	`Identifier:RoleIdentifier{Name:"org-deny:",OrganizationID:defOrg},`
`729`		`-Org:map[string][]Permission{`
	`731`	`+ByOrgID:map[string]OrgPermissions{`
`730`	`732`	`defOrg.String(): {`
`731`		`-{`
`732`		`-Negate:true,`
`733`		`-ResourceType:"*",`
`734`		`-Action:"*",`
	`733`	`+Org: []Permission{`
	`734`	`+{`
	`735`	`+Negate:true,`
	`736`	`+ResourceType:"*",`
	`737`	`+Action:"*",`
	`738`	`+},`
`735`	`739`	`},`
`736`	`740`	`},`
`737`	`741`	`},`
`@@ -926,8 +930,8 @@ func TestAuthorizeScope(t *testing.T) {`
`926`	`930`	`// Only read access for workspaces.`
`927`	`931`	`ResourceWorkspace.Type: {policy.ActionRead},`
`928`	`932`	`}),`
`929`		`-Org:map[string][]Permission{},`
`930`		`-User: []Permission{},`
	`933`	`+User:[]Permission{},`
	`934`	`+ByOrgID:map[string]OrgPermissions{},`
`931`	`935`	`},`
`932`	`936`	`AllowIDList: []AllowListElement{{Type:ResourceWorkspace.Type,ID:workspaceID.String()}},`
`933`	`937`	`},`
`@@ -1015,8 +1019,8 @@ func TestAuthorizeScope(t *testing.T) {`
`1015`	`1019`	`// Only read access for workspaces.`
`1016`	`1020`	`ResourceWorkspace.Type: {policy.ActionCreate},`
`1017`	`1021`	`}),`
`1018`		`-Org:map[string][]Permission{},`
`1019`		`-User: []Permission{},`
	`1022`	`+User:[]Permission{},`
	`1023`	`+ByOrgID:map[string]OrgPermissions{},`
`1020`	`1024`	`},`
`1021`	`1025`	`// Empty string allow_list is allowed for actions like 'create'`
`1022`	`1026`	`AllowIDList: []AllowListElement{{`
`@@ -1138,14 +1142,16 @@ func TestAuthorizeScope(t *testing.T) {`
`1138`	`1142`	`},`
`1139`	`1143`	`DisplayName:"OrgAndUserScope",`
`1140`	`1144`	`Site:nil,`
`1141`		`-Org:map[string][]Permission{`
`1142`		`-defOrg.String():Permissions(map[string][]policy.Action{`
`1143`		`-ResourceWorkspace.Type: {policy.ActionRead},`
`1144`		`-}),`
`1145`		`-},`
`1146`	`1145`	`User:Permissions(map[string][]policy.Action{`
`1147`	`1146`	`ResourceUser.Type: {policy.ActionRead},`
`1148`	`1147`	`}),`
	`1148`	`+ByOrgID:map[string]OrgPermissions{`
	`1149`	`+defOrg.String(): {`
	`1150`	`+Org:Permissions(map[string][]policy.Action{`
	`1151`	`+ResourceWorkspace.Type: {policy.ActionRead},`
	`1152`	`+}),`
	`1153`	`+},`
	`1154`	`+},`
`1149`	`1155`	`},`
`1150`	`1156`	`AllowIDList: []AllowListElement{AllowListAll()},`
`1151`	`1157`	`},`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit6585fe0

File tree

15 files changed

15 files changed

`‎coderd/database/db2sdk/db2sdk.go‎`

`‎coderd/database/dbauthz/dbauthz.go‎`

`‎coderd/database/modelmethods.go‎`

`‎coderd/rbac/astvalue.go‎`

`‎coderd/rbac/authz_internal_test.go‎`

0 commit comments