Commit6f89f42

committed
More dbauthz
1 parent4f71c30 commit6f89f42

1 file changed

+48
-105
lines changed


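--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -837,22 +837,22 @@ func (q *querier) DeleteOAuth2ProviderAppCodeByID(ctx context.Context, id uuid.U
 
 func (q*querier)DeleteOAuth2ProviderAppCodesByAppAndUserID(ctx context.Context,arg database.DeleteOAuth2ProviderAppCodesByAppAndUserIDParams)error {
 iferr:=q.authorizeContext(ctx,policy.ActionDelete,
-rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(arg.UserID.String()));err!=nil {
+rbac.ResourceOauth2AppCodeToken.WithOwner(arg.UserID.String()));err!=nil {
 returnerr
 }
 returnq.db.DeleteOAuth2ProviderAppCodesByAppAndUserID(ctx,arg)
 }
 
 func (q*querier)DeleteOAuth2ProviderAppSecretByID(ctx context.Context,id uuid.UUID)error {
-iferr:=q.authorizeContext(ctx,policy.ActionDelete,rbac.ResourceOAuth2ProviderAppSecret);err!=nil {
+iferr:=q.authorizeContext(ctx,policy.ActionDelete,rbac.ResourceOauth2AppSecret);err!=nil {
 returnerr
 }
 returnq.db.DeleteOAuth2ProviderAppSecretByID(ctx,id)
 }
 
 func (q*querier)DeleteOAuth2ProviderAppTokensByAppAndUserID(ctx context.Context,arg database.DeleteOAuth2ProviderAppTokensByAppAndUserIDParams)error {
 iferr:=q.authorizeContext(ctx,policy.ActionDelete,
-rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(arg.UserID.String()));err!=nil {
+rbac.ResourceOauth2AppCodeToken.WithOwner(arg.UserID.String()));err!=nil {
 returnerr
 }
 returnq.db.DeleteOAuth2ProviderAppTokensByAppAndUserID(ctx,arg)
@@ -1241,7 +1241,7 @@ func (q *querier) GetNotificationBanners(ctx context.Context) (string, error) {
 }
 
 func (q*querier)GetOAuth2ProviderAppByID(ctx context.Context,id uuid.UUID) (database.OAuth2ProviderApp,error) {
-iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceOAuth2ProviderApp);err!=nil {
+iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceOauth2App);err!=nil {
 return database.OAuth2ProviderApp{},err
 }
 returnq.db.GetOAuth2ProviderAppByID(ctx,id)
@@ -1256,7 +1256,7 @@ func (q *querier) GetOAuth2ProviderAppCodeByPrefix(ctx context.Context, secretPr
 }
 
 func (q*querier)GetOAuth2ProviderAppSecretByID(ctx context.Context,id uuid.UUID) (database.OAuth2ProviderAppSecret,error) {
-iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceOAuth2ProviderAppSecret);err!=nil {
+iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceOauth2AppSecret);err!=nil {
 return database.OAuth2ProviderAppSecret{},err
 }
 returnq.db.GetOAuth2ProviderAppSecretByID(ctx,id)
@@ -1267,7 +1267,7 @@ func (q *querier) GetOAuth2ProviderAppSecretByPrefix(ctx context.Context, secret
 }
 
 func (q*querier)GetOAuth2ProviderAppSecretsByAppID(ctx context.Context,appID uuid.UUID) ([]database.OAuth2ProviderAppSecret,error) {
-iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceOAuth2ProviderAppSecret);err!=nil {
+iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceOauth2AppSecret);err!=nil {
 return []database.OAuth2ProviderAppSecret{},err
 }
 returnq.db.GetOAuth2ProviderAppSecretsByAppID(ctx,appID)
@@ -1283,14 +1283,14 @@ func (q *querier) GetOAuth2ProviderAppTokenByPrefix(ctx context.Context, hashPre
 iferr!=nil {
 return database.OAuth2ProviderAppToken{},err
 }
-iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(key.UserID.String()));err!=nil {
+iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceOauth2AppCodeToken.WithOwner(key.UserID.String()));err!=nil {
 return database.OAuth2ProviderAppToken{},err
 }
 returntoken,nil
 }
 
 func (q*querier)GetOAuth2ProviderApps(ctx context.Context) ([]database.OAuth2ProviderApp,error) {
-iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceOAuth2ProviderApp);err!=nil {
+iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceOauth2App);err!=nil {
 return []database.OAuth2ProviderApp{},err
 }
 returnq.db.GetOAuth2ProviderApps(ctx)
@@ -1299,7 +1299,7 @@ func (q *querier) GetOAuth2ProviderApps(ctx context.Context) ([]database.OAuth2P
 func (q*querier)GetOAuth2ProviderAppsByUserID(ctx context.Context,userID uuid.UUID) ([]database.GetOAuth2ProviderAppsByUserIDRow,error) {
 // This authz check is to make sure the caller can read all their own tokens.
 iferr:=q.authorizeContext(ctx,policy.ActionRead,
-rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(userID.String()));err!=nil {
+rbac.ResourceOauth2AppCodeToken.WithOwner(userID.String()));err!=nil {
 return []database.GetOAuth2ProviderAppsByUserIDRow{},err
 }
 returnq.db.GetOAuth2ProviderAppsByUserID(ctx,userID)
@@ -1510,31 +1510,15 @@ func (q *querier) GetTailnetTunnelPeerIDs(ctx context.Context, srcID uuid.UUID)
 }
 
 func (q*querier)GetTemplateAppInsights(ctx context.Context,arg database.GetTemplateAppInsightsParams) ([]database.GetTemplateAppInsightsRow,error) {
-// Used by TemplateAppInsights endpoint
-// For auditors, check read template_insights, and fall back to update template.
-iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceTemplateInsights);err!=nil {
-for_,templateID:=rangearg.TemplateIDs {
-template,err:=q.db.GetTemplateByID(ctx,templateID)
-iferr!=nil {
-returnnil,err
-}
-
-iferr:=q.authorizeContext(ctx,policy.ActionUpdate,template);err!=nil {
-returnnil,err
-}
-}
-iflen(arg.TemplateIDs)==0 {
-iferr:=q.authorizeContext(ctx,policy.ActionUpdate,rbac.ResourceTemplate.All());err!=nil {
-returnnil,err
-}
-}
+iferr:=q.authorizeTemplateInsights(ctx,arg.TemplateIDs);err!=nil {
+returnnil,err
 }
 returnq.db.GetTemplateAppInsights(ctx,arg)
 }
 
 func (q*querier)GetTemplateAppInsightsByTemplate(ctx context.Context,arg database.GetTemplateAppInsightsByTemplateParams) ([]database.GetTemplateAppInsightsByTemplateRow,error) {
 // Only used by prometheus metrics, so we don't strictly need to check update template perms.
-iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceTemplateInsights);err!=nil {
+iferr:=q.authorizeContext(ctx,policy.ActionViewInsights,rbac.ResourceTemplate);err!=nil {
 returnnil,err
 }
 returnq.db.GetTemplateAppInsightsByTemplate(ctx,arg)
@@ -1564,102 +1548,61 @@ func (q *querier) GetTemplateDAUs(ctx context.Context, arg database.GetTemplateD
 returnq.db.GetTemplateDAUs(ctx,arg)
 }
 
-func (q*querier)GetTemplateInsights(ctx context.Context,arg database.GetTemplateInsightsParams) (database.GetTemplateInsightsRow,error) {
-//Used by TemplateInsights endpoint
-//For auditors, check read template_insights, and fall backtoupdate template.
-iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceTemplateInsights);err!=nil {
-for_,templateID:=rangearg.TemplateIDs {
+func (q*querier)authorizeTemplateInsights(ctx context.Context,templateIDs []uuid.UUID)error {
+//Abort early if can read all template insights, aka admins.
+//TODO: If we know the org, that would allow org adminstoabort early too.
+iferr:=q.authorizeContext(ctx,policy.ActionViewInsights,rbac.ResourceTemplate);err!=nil {
+for_,templateID:=rangetemplateIDs {
 template,err:=q.db.GetTemplateByID(ctx,templateID)
 iferr!=nil {
-returndatabase.GetTemplateInsightsRow{},err
+returnerr
 }
 
-iferr:=q.authorizeContext(ctx,policy.ActionUpdate,template);err!=nil {
-returndatabase.GetTemplateInsightsRow{},err
+iferr:=q.authorizeContext(ctx,policy.ActionViewInsights,template);err!=nil {
+returnerr
 }
 }
-iflen(arg.TemplateIDs)==0 {
-iferr:=q.authorizeContext(ctx,policy.ActionUpdate,rbac.ResourceTemplate.All());err!=nil {
-returndatabase.GetTemplateInsightsRow{},err
+iflen(templateIDs)==0 {
+iferr:=q.authorizeContext(ctx,policy.ActionViewInsights,rbac.ResourceTemplate.All());err!=nil {
+returnerr
 }
 }
 }
+returnnil
+}
+
+func (q*querier)GetTemplateInsights(ctx context.Context,arg database.GetTemplateInsightsParams) (database.GetTemplateInsightsRow,error) {
+iferr:=q.authorizeTemplateInsights(ctx,arg.TemplateIDs);err!=nil {
+return database.GetTemplateInsightsRow{},err
+}
 returnq.db.GetTemplateInsights(ctx,arg)
 }
 
 func (q*querier)GetTemplateInsightsByInterval(ctx context.Context,arg database.GetTemplateInsightsByIntervalParams) ([]database.GetTemplateInsightsByIntervalRow,error) {
-// Used by TemplateInsights endpoint
-// For auditors, check read template_insights, and fall back to update template.
-iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceTemplateInsights);err!=nil {
-for_,templateID:=rangearg.TemplateIDs {
-template,err:=q.db.GetTemplateByID(ctx,templateID)
-iferr!=nil {
-returnnil,err
-}
-
-iferr:=q.authorizeContext(ctx,policy.ActionUpdate,template);err!=nil {
-returnnil,err
-}
-}
-iflen(arg.TemplateIDs)==0 {
-iferr:=q.authorizeContext(ctx,policy.ActionUpdate,rbac.ResourceTemplate.All());err!=nil {
-returnnil,err
-}
-}
+iferr:=q.authorizeTemplateInsights(ctx,arg.TemplateIDs);err!=nil {
+returnnil,err
 }
 returnq.db.GetTemplateInsightsByInterval(ctx,arg)
 }
 
 func (q*querier)GetTemplateInsightsByTemplate(ctx context.Context,arg database.GetTemplateInsightsByTemplateParams) ([]database.GetTemplateInsightsByTemplateRow,error) {
 // Only used by prometheus metrics collector. No need to check update template perms.
-iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceTemplateInsights);err!=nil {
+iferr:=q.authorizeContext(ctx,policy.ActionViewInsights,rbac.ResourceTemplate);err!=nil {
 returnnil,err
 }
 returnq.db.GetTemplateInsightsByTemplate(ctx,arg)
 }
 
 func (q*querier)GetTemplateParameterInsights(ctx context.Context,arg database.GetTemplateParameterInsightsParams) ([]database.GetTemplateParameterInsightsRow,error) {
-// Used by both insights endpoint and prometheus collector.
-// For auditors, check read template_insights, and fall back to update template.
-iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceTemplateInsights);err!=nil {
-for_,templateID:=rangearg.TemplateIDs {
-template,err:=q.db.GetTemplateByID(ctx,templateID)
-iferr!=nil {
-returnnil,err
-}
-
-iferr:=q.authorizeContext(ctx,policy.ActionUpdate,template);err!=nil {
-returnnil,err
-}
-}
-iflen(arg.TemplateIDs)==0 {
-iferr:=q.authorizeContext(ctx,policy.ActionUpdate,rbac.ResourceTemplate.All());err!=nil {
-returnnil,err
-}
-}
+iferr:=q.authorizeTemplateInsights(ctx,arg.TemplateIDs);err!=nil {
+returnnil,err
 }
 returnq.db.GetTemplateParameterInsights(ctx,arg)
 }
 
 func (q*querier)GetTemplateUsageStats(ctx context.Context,arg database.GetTemplateUsageStatsParams) ([]database.TemplateUsageStat,error) {
-// Used by dbrollup tests, use same safe-guard as other insights endpoints.
-// For auditors, check read template_insights, and fall back to update template.
-iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceTemplateInsights);err!=nil {
-for_,templateID:=rangearg.TemplateIDs {
-template,err:=q.db.GetTemplateByID(ctx,templateID)
-iferr!=nil {
-returnnil,err
-}
-
-iferr:=q.authorizeContext(ctx,policy.ActionUpdate,template);err!=nil {
-returnnil,err
-}
-}
-iflen(arg.TemplateIDs)==0 {
-iferr:=q.authorizeContext(ctx,policy.ActionUpdate,rbac.ResourceTemplate.All());err!=nil {
-returnnil,err
-}
-}
+iferr:=q.authorizeTemplateInsights(ctx,arg.TemplateIDs);err!=nil {
+returnnil,err
 }
 returnq.db.GetTemplateUsageStats(ctx,arg)
 }
@@ -2291,7 +2234,7 @@ func (q *querier) GetWorkspacesEligibleForTransition(ctx context.Context, now ti
 
 func (q*querier)InsertAPIKey(ctx context.Context,arg database.InsertAPIKeyParams) (database.APIKey,error) {
 returninsert(q.log,q.auth,
-rbac.ResourceAPIKey.WithOwner(arg.UserID.String()),
+rbac.ResourceApiKey.WithOwner(arg.UserID.String()),
 q.db.InsertAPIKey)(ctx,arg)
 }
 
@@ -2363,22 +2306,22 @@ func (q *querier) InsertMissingGroups(ctx context.Context, arg database.InsertMi
 }
 
 func (q*querier)InsertOAuth2ProviderApp(ctx context.Context,arg database.InsertOAuth2ProviderAppParams) (database.OAuth2ProviderApp,error) {
-iferr:=q.authorizeContext(ctx,policy.ActionCreate,rbac.ResourceOAuth2ProviderApp);err!=nil {
+iferr:=q.authorizeContext(ctx,policy.ActionCreate,rbac.ResourceOauth2App);err!=nil {
 return database.OAuth2ProviderApp{},err
 }
 returnq.db.InsertOAuth2ProviderApp(ctx,arg)
 }
 
 func (q*querier)InsertOAuth2ProviderAppCode(ctx context.Context,arg database.InsertOAuth2ProviderAppCodeParams) (database.OAuth2ProviderAppCode,error) {
 iferr:=q.authorizeContext(ctx,policy.ActionCreate,
-rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(arg.UserID.String()));err!=nil {
+rbac.ResourceOauth2AppCodeToken.WithOwner(arg.UserID.String()));err!=nil {
 return database.OAuth2ProviderAppCode{},err
 }
 returnq.db.InsertOAuth2ProviderAppCode(ctx,arg)
 }
 
 func (q*querier)InsertOAuth2ProviderAppSecret(ctx context.Context,arg database.InsertOAuth2ProviderAppSecretParams) (database.OAuth2ProviderAppSecret,error) {
-iferr:=q.authorizeContext(ctx,policy.ActionCreate,rbac.ResourceOAuth2ProviderAppSecret);err!=nil {
+iferr:=q.authorizeContext(ctx,policy.ActionCreate,rbac.ResourceOauth2AppSecret);err!=nil {
 return database.OAuth2ProviderAppSecret{},err
 }
 returnq.db.InsertOAuth2ProviderAppSecret(ctx,arg)
@@ -2389,7 +2332,7 @@ func (q *querier) InsertOAuth2ProviderAppToken(ctx context.Context, arg database
 iferr!=nil {
 return database.OAuth2ProviderAppToken{},err
 }
-iferr:=q.authorizeContext(ctx,policy.ActionCreate,rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(key.UserID.String()));err!=nil {
+iferr:=q.authorizeContext(ctx,policy.ActionCreate,rbac.ResourceOauth2AppCodeToken.WithOwner(key.UserID.String()));err!=nil {
 return database.OAuth2ProviderAppToken{},err
 }
 returnq.db.InsertOAuth2ProviderAppToken(ctx,arg)
@@ -2779,14 +2722,14 @@ func (q *querier) UpdateMemberRoles(ctx context.Context, arg database.UpdateMemb
 }
 
 func (q*querier)UpdateOAuth2ProviderAppByID(ctx context.Context,arg database.UpdateOAuth2ProviderAppByIDParams) (database.OAuth2ProviderApp,error) {
-iferr:=q.authorizeContext(ctx,policy.ActionUpdate,rbac.ResourceOAuth2ProviderApp);err!=nil {
+iferr:=q.authorizeContext(ctx,policy.ActionUpdate,rbac.ResourceOauth2App);err!=nil {
 return database.OAuth2ProviderApp{},err
 }
 returnq.db.UpdateOAuth2ProviderAppByID(ctx,arg)
 }
 
 func (q*querier)UpdateOAuth2ProviderAppSecretByID(ctx context.Context,arg database.UpdateOAuth2ProviderAppSecretByIDParams) (database.OAuth2ProviderAppSecret,error) {
-iferr:=q.authorizeContext(ctx,policy.ActionUpdate,rbac.ResourceOAuth2ProviderAppSecret);err!=nil {
+iferr:=q.authorizeContext(ctx,policy.ActionUpdate,rbac.ResourceOauth2AppSecret);err!=nil {
 return database.OAuth2ProviderAppSecret{},err
 }
 returnq.db.UpdateOAuth2ProviderAppSecretByID(ctx,arg)
@@ -3324,7 +3267,7 @@ func (q *querier) UpsertAppSecurityKey(ctx context.Context, data string) error {
 }
 
 func (q*querier)UpsertApplicationName(ctx context.Context,valuestring)error {
-iferr:=q.authorizeContext(ctx,policy.ActionCreate,rbac.ResourceDeploymentValues);err!=nil {
+iferr:=q.authorizeContext(ctx,policy.ActionCreate,rbac.ResourceDeploymentConfig);err!=nil {
 returnerr
 }
 returnq.db.UpsertApplicationName(ctx,value)
@@ -3338,7 +3281,7 @@ func (q *querier) UpsertDefaultProxy(ctx context.Context, arg database.UpsertDef
 }
 
 func (q*querier)UpsertHealthSettings(ctx context.Context,valuestring)error {
-iferr:=q.authorizeContext(ctx,policy.ActionCreate,rbac.ResourceDeploymentValues);err!=nil {
+iferr:=q.authorizeContext(ctx,policy.ActionCreate,rbac.ResourceDeploymentConfig);err!=nil {
 returnerr
 }
 returnq.db.UpsertHealthSettings(ctx,value)
@@ -3373,14 +3316,14 @@ func (q *querier) UpsertLastUpdateCheck(ctx context.Context, value string) error
 }
 
 func (q*querier)UpsertLogoURL(ctx context.Context,valuestring)error {
-iferr:=q.authorizeContext(ctx,policy.ActionCreate,rbac.ResourceDeploymentValues);err!=nil {
+iferr:=q.authorizeContext(ctx,policy.ActionCreate,rbac.ResourceDeploymentConfig);err!=nil {
 returnerr
 }
 returnq.db.UpsertLogoURL(ctx,value)
 }
 
 func (q*querier)UpsertNotificationBanners(ctx context.Context,valuestring)error {
-iferr:=q.authorizeContext(ctx,policy.ActionCreate,rbac.ResourceDeploymentValues);err!=nil {
+iferr:=q.authorizeContext(ctx,policy.ActionCreate,rbac.ResourceDeploymentConfig);err!=nil {
 returnerr
 }
 returnq.db.UpsertNotificationBanners(ctx,value)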
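Review bot: The new `authorizeTemplateInsights` helper in the `@@ -1564,102 +1548,61 @@` hunk is an authorization gate shared by five query methods but carries no doc comment stating its contract; a header such as `// authorizeTemplateInsights returns nil only if the caller may view insights on every template in templateIDs, or on rbac.ResourceTemplate.All() when the list is empty. The lookup goes through q.db on purpose: the template is fetched only to build the authz object, not returned.` would make the intent checkable by the next reader. It is worth confirming whether `rbac.ResourceTemplate` and `rbac.ResourceTemplate.All()` denote the same object here — if they do, the `len(templateIDs)==0` branch can never pass once the first `authorizeContext` call has failed, and an explicit deny with a clearer error would be simpler. The per-template fallback also changed from `policy.ActionUpdate` to `policy.ActionViewInsights`, which presumably removes access for callers that previously relied on update permission on a template; that is only intended if the role definitions grant view-insights there, which this diff cannot show. The comments in `GetTemplateAppInsightsByTemplate` and `GetTemplateInsightsByTemplate` still talk about "update template perms" although both checks are now `ActionViewInsights` on `rbac.ResourceTemplate`, so they should be reworded.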
