NotificationsYou must be signed in to change notification settings
Fork923
Star10.1k

Commit765c93a

committed

adjust provisioner jobs rbac for owner and template admin only

1 parent8d5fca2 commit765c93aCopy full SHA for 765c93a

File tree

4 files changed

+16

-32

lines changed

coderd
- database
  - dbauthz
    - dbauthz.go
  - modelmethods.go
- rbac
  - roles.go
  - roles_test.go

4 files changed

+16

-32

lines changed

`‎coderd/database/dbauthz/dbauthz.go`

Lines changed: 4 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -1978,25 +1978,24 @@ func (q *querier) GetProvisionerJobTimingsByJobID(ctx context.Context, jobID uui`
`1978`	`1978`	`returnq.db.GetProvisionerJobTimingsByJobID(ctx,jobID)`
`1979`	`1979`	`}`
`1980`	`1980`
`1981`		`-// TODO:we need to add a provisioner job resource`
	`1981`	`+// TODO:We have a ProvisionerJobs resource, but it hasn't been checked for this use-case.`
`1982`	`1982`	`func (q*querier)GetProvisionerJobsByIDs(ctx context.Context,ids []uuid.UUID) ([]database.ProvisionerJob,error) {`
`1983`	`1983`	`// if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceSystem); err != nil {`
`1984`	`1984`	`// return nil, err`
`1985`	`1985`	`// }`
`1986`	`1986`	`returnq.db.GetProvisionerJobsByIDs(ctx,ids)`
`1987`	`1987`	`}`
`1988`	`1988`
`1989`		`-// TODO:we need to add a provisioner job resource`
	`1989`	`+// TODO:We have a ProvisionerJobs resource, but it hasn't been checked for this use-case.`
`1990`	`1990`	`func (q*querier)GetProvisionerJobsByIDsWithQueuePosition(ctx context.Context,ids []uuid.UUID) ([]database.GetProvisionerJobsByIDsWithQueuePositionRow,error) {`
`1991`	`1991`	`returnq.db.GetProvisionerJobsByIDsWithQueuePosition(ctx,ids)`
`1992`	`1992`	`}`
`1993`	`1993`
`1994`		`-// TODO: we need to add a provisioner job resource`
`1995`	`1994`	`func (q*querier)GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisioner(ctx context.Context,arg database.GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisionerParams) ([]database.GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisionerRow,error) {`
`1996`		`-returnq.db.GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisioner(ctx,arg)`
	`1995`	`+returnfetchWithPostFilter(q.auth,policy.ActionRead,q.db.GetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisioner)(ctx,arg)`
`1997`	`1996`	`}`
`1998`	`1997`
`1999`		`-// TODO: Weneed to create a ProvisionerJob resource type`
	`1998`	`+// TODO: Wehave a ProvisionerJobs resource, but it hasn't been checked for this use-case.`
`2000`	`1999`	`func (q*querier)GetProvisionerJobsCreatedAfter(ctx context.Context,createdAt time.Time) ([]database.ProvisionerJob,error) {`
`2001`	`2000`	`// if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceSystem); err != nil {`
`2002`	`2001`	`// return nil, err`

`‎coderd/database/modelmethods.go`

Lines changed: 9 additions & 20 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,6 @@ package database`
`2`	`2`
`3`	`3`	`import (`
`4`	`4`	`"encoding/hex"`
`5`		`-"encoding/json"`
`6`	`5`	`"sort"`
`7`	`6`	`"strconv"`
`8`	`7`	`"time"`
`@@ -15,7 +14,6 @@ import (`
`15`	`14`	`"github.com/coder/coder/v2/coderd/database/dbtime"`
`16`	`15`	`"github.com/coder/coder/v2/coderd/rbac"`
`17`	`16`	`"github.com/coder/coder/v2/coderd/rbac/policy"`
`18`		`-"github.com/coder/coder/v2/codersdk"`
`19`	`17`	`)`
`20`	`18`
`21`	`19`	`typeWorkspaceStatusstring`
`@@ -461,25 +459,12 @@ func (g Group) IsEveryone() bool {`
`461`	`459`	`}`
`462`	`460`
`463`	`461`	`func (pProvisionerJob)RBACObject() rbac.Object {`
`464`		`-varinput codersdk.ProvisionerJobInput`
`465`		`-_=json.Unmarshal(p.Input,&input)// Best effort.`
`466`		`-`
`467`		`-id:=uuid.Nil`
`468`	`462`	`switchp.Type {`
`469`		`-caseProvisionerJobTypeTemplateVersionImport,ProvisionerJobTypeTemplateVersionDryRun:`
`470`		`-ifinput.TemplateVersionID!=nil {`
`471`		`-id=*input.TemplateVersionID`
`472`		`-}`
`473`		`-returnrbac.ResourceTemplate.`
`474`		`-WithID(id).`
`475`		`-InOrg(p.OrganizationID)`
`476`		`-caseProvisionerJobTypeWorkspaceBuild:`
`477`		`-ifinput.WorkspaceBuildID!=nil {`
`478`		`-id=*input.WorkspaceBuildID`
`479`		`-}`
`480`		`-returnrbac.ResourceWorkspace.`
`481`		`-WithID(id).`
`482`		`-InOrg(p.OrganizationID)`
	`463`	`+// Only acceptable for known job types at this time because template`
	`464`	`+// admins may not be allowed to view new types.`
	`465`	`+caseProvisionerJobTypeTemplateVersionImport,ProvisionerJobTypeTemplateVersionDryRun,ProvisionerJobTypeWorkspaceBuild:`
	`466`	`+returnrbac.ResourceProvisionerJobs.InOrg(p.OrganizationID)`
	`467`	`+`
`483`	`468`	`default:`
`484`	`469`	`panic("developer error: unknown provisioner job type "+string(p.Type))`
`485`	`470`	`}`
`@@ -538,3 +523,7 @@ func (k CryptoKey) CanVerify(now time.Time) bool {`
`538`	`523`	`isBeforeDeletion:=!k.DeletesAt.Valid\|\|now.Before(k.DeletesAt.Time)`
`539`	`524`	`returnhasSecret&&isBeforeDeletion`
`540`	`525`	`}`
	`526`	`+`
	`527`	`+func (rGetProvisionerJobsByOrganizationAndStatusWithQueuePositionAndProvisionerRow)RBACObject() rbac.Object {`
	`528`	`+returnr.ProvisionerJob.RBACObject()`
	`529`	`+}`

`‎coderd/rbac/roles.go`

Lines changed: 1 addition & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -324,8 +324,6 @@ func ReloadBuiltinRoles(opts *RoleOptions) {`
`324`	`324`	`ResourceWorkspace.Type: {policy.ActionRead},`
`325`	`325`	`// CRUD to provisioner daemons for now.`
`326`	`326`	`ResourceProvisionerDaemon.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},`
`327`		`-// Read to provisioner jobs for now.`
`328`		`-ResourceProvisionerJobs.Type: {policy.ActionRead},`
`329`	`327`	`// Needs to read all organizations since`
`330`	`328`	`ResourceOrganization.Type: {policy.ActionRead},`
`331`	`329`	`ResourceUser.Type: {policy.ActionRead},`
`@@ -424,9 +422,6 @@ func ReloadBuiltinRoles(opts *RoleOptions) {`
`424`	`422`	`ResourceOrganization.Type: {policy.ActionRead},`
`425`	`423`	`// Can read available roles.`
`426`	`424`	`ResourceAssignOrgRole.Type: {policy.ActionRead},`
`427`		`-`
`428`		`-// Users can read provisioner jobs scoped to themselves.`
`429`		`-ResourceProvisionerJobs.Type: {policy.ActionRead},`
`430`	`425`	`}),`
`431`	`426`	`},`
`432`	`427`	`User: []Permission{`
`@@ -488,6 +483,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {`
`488`	`483`	`ResourceOrganizationMember.Type: {policy.ActionRead},`
`489`	`484`	`ResourceGroup.Type: {policy.ActionRead},`
`490`	`485`	`ResourceGroupMember.Type: {policy.ActionRead},`
	`486`	`+ResourceProvisionerJobs.Type: {policy.ActionRead},`
`491`	`487`	`}),`
`492`	`488`	`},`
`493`	`489`	`User: []Permission{},`

`‎coderd/rbac/roles_test.go`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -558,8 +558,8 @@ func TestRolePermissions(t *testing.T) {`
`558`	`558`	`Actions: []policy.Action{policy.ActionRead},`
`559`	`559`	`Resource:rbac.ResourceProvisionerJobs.InOrg(orgID),`
`560`	`560`	`AuthorizeMap:map[bool][]hasAuthSubjects{`
`561`		`-true: {owner,templateAdmin,orgTemplateAdmin,orgMemberMe,orgAdmin},`
`562`		`-false: {setOtherOrg,memberMe,userAdmin,orgUserAdmin,orgAuditor},`
	`561`	`+true: {owner,orgTemplateAdmin,orgAdmin},`
	`562`	`+false: {setOtherOrg,memberMe,orgMemberMe,templateAdmin,userAdmin,orgUserAdmin,orgAuditor},`
`563`	`563`	`},`
`564`	`564`	`},`
`565`	`565`	`{`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit765c93a

File tree

4 files changed

4 files changed

`‎coderd/database/dbauthz/dbauthz.go`

`‎coderd/database/modelmethods.go`

`‎coderd/rbac/roles.go`

`‎coderd/rbac/roles_test.go`

0 commit comments