NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commit7cecaee

committed

oh boy was that all??

1 parent4c25ec6 commit7cecaeeCopy full SHA for 7cecaee

File tree

13 files changed

+213

-253

lines changed

coderd
- database
  - db2sdk
    - db2sdk.go
  - dbauthz
    - dbauthz.go
  - modelmethods.go
- rbac
- workspaceapps
  - db.go
enterprise
- coderd
  - coderd_test.go
- tailnet
  - pgcoord.go

13 files changed

+213

-253

lines changed

`‎coderd/database/db2sdk/db2sdk.go‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -693,13 +693,13 @@ func SlimRoleFromName(name string) codersdk.SlimRole {`
`693`	`693`	`funcRBACRole(role rbac.Role) codersdk.Role {`
`694`	`694`	`slim:=SlimRole(role)`
`695`	`695`
`696`		`-orgPerms:=role.Org[slim.OrganizationID]`
	`696`	`+orgPerms:=role.ByOrgID[slim.OrganizationID]`
`697`	`697`	`return codersdk.Role{`
`698`	`698`	`Name:slim.Name,`
`699`	`699`	`OrganizationID:slim.OrganizationID,`
`700`	`700`	`DisplayName:slim.DisplayName,`
`701`	`701`	`SitePermissions:List(role.Site,RBACPermission),`
`702`		`-OrganizationPermissions:List(orgPerms,RBACPermission),`
	`702`	`+OrganizationPermissions:List(orgPerms.Org,RBACPermission),`
`703`	`703`	`UserPermissions:List(role.User,RBACPermission),`
`704`	`704`	`}`
`705`	`705`	`}`

`‎coderd/database/dbauthz/dbauthz.go‎`

Lines changed: 31 additions & 47 deletions

Original file line number	Diff line number	Diff line change
`@@ -232,9 +232,8 @@ var (`
`232`	`232`	`// Provisionerd creates usage events`
`233`	`233`	`rbac.ResourceUsageEvent.Type: {policy.ActionCreate},`
`234`	`234`	`}),`
`235`		`-Org:map[string][]rbac.Permission{},`
`236`		`-User: []rbac.Permission{},`
`237`		`-OrgMember:map[string][]rbac.Permission{},`
	`235`	`+User: []rbac.Permission{},`
	`236`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`238`	`237`	`},`
`239`	`238`	`}),`
`240`	`239`	`Scope:rbac.ScopeAll,`
`@@ -258,9 +257,8 @@ var (`
`258`	`257`	`rbac.ResourceWorkspace.Type: {policy.ActionDelete,policy.ActionRead,policy.ActionUpdate,policy.ActionWorkspaceStart,policy.ActionWorkspaceStop},`
`259`	`258`	`rbac.ResourceWorkspaceDormant.Type: {policy.ActionDelete,policy.ActionRead,policy.ActionUpdate,policy.ActionWorkspaceStop},`
`260`	`259`	`}),`
`261`		`-Org:map[string][]rbac.Permission{},`
`262`		`-User: []rbac.Permission{},`
`263`		`-OrgMember:map[string][]rbac.Permission{},`
	`260`	`+User: []rbac.Permission{},`
	`261`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`264`	`262`	`},`
`265`	`263`	`}),`
`266`	`264`	`Scope:rbac.ScopeAll,`
`@@ -281,9 +279,8 @@ var (`
`281`	`279`	`rbac.ResourceWorkspace.Type: {policy.ActionRead,policy.ActionUpdate},`
`282`	`280`	`rbac.ResourceProvisionerJobs.Type: {policy.ActionRead,policy.ActionUpdate},`
`283`	`281`	`}),`
`284`		`-Org:map[string][]rbac.Permission{},`
`285`		`-User: []rbac.Permission{},`
`286`		`-OrgMember:map[string][]rbac.Permission{},`
	`282`	`+User: []rbac.Permission{},`
	`283`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`287`	`284`	`},`
`288`	`285`	`}),`
`289`	`286`	`Scope:rbac.ScopeAll,`
`@@ -301,9 +298,8 @@ var (`
`301`	`298`	`Site:rbac.Permissions(map[string][]policy.Action{`
`302`	`299`	`rbac.ResourceCryptoKey.Type: {policy.WildcardSymbol},`
`303`	`300`	`}),`
`304`		`-Org:map[string][]rbac.Permission{},`
`305`		`-User: []rbac.Permission{},`
`306`		`-OrgMember:map[string][]rbac.Permission{},`
	`301`	`+User: []rbac.Permission{},`
	`302`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`307`	`303`	`},`
`308`	`304`	`}),`
`309`	`305`	`Scope:rbac.ScopeAll,`
`@@ -321,9 +317,8 @@ var (`
`321`	`317`	`Site:rbac.Permissions(map[string][]policy.Action{`
`322`	`318`	`rbac.ResourceCryptoKey.Type: {policy.WildcardSymbol},`
`323`	`319`	`}),`
`324`		`-Org:map[string][]rbac.Permission{},`
`325`		`-User: []rbac.Permission{},`
`326`		`-OrgMember:map[string][]rbac.Permission{},`
	`320`	`+User: []rbac.Permission{},`
	`321`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`327`	`322`	`},`
`328`	`323`	`}),`
`329`	`324`	`Scope:rbac.ScopeAll,`
`@@ -340,9 +335,8 @@ var (`
`340`	`335`	`Site:rbac.Permissions(map[string][]policy.Action{`
`341`	`336`	`rbac.ResourceConnectionLog.Type: {policy.ActionUpdate,policy.ActionRead},`
`342`	`337`	`}),`
`343`		`-Org:map[string][]rbac.Permission{},`
`344`		`-User: []rbac.Permission{},`
`345`		`-OrgMember:map[string][]rbac.Permission{},`
	`338`	`+User: []rbac.Permission{},`
	`339`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`346`	`340`	`},`
`347`	`341`	`}),`
`348`	`342`	`Scope:rbac.ScopeAll,`
`@@ -362,9 +356,8 @@ var (`
`362`	`356`	`rbac.ResourceWebpushSubscription.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},`
`363`	`357`	`rbac.ResourceDeploymentConfig.Type: {policy.ActionRead,policy.ActionUpdate},// To read and upsert VAPID keys`
`364`	`358`	`}),`
`365`		`-Org:map[string][]rbac.Permission{},`
`366`		`-User: []rbac.Permission{},`
`367`		`-OrgMember:map[string][]rbac.Permission{},`
	`359`	`+User: []rbac.Permission{},`
	`360`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`368`	`361`	`},`
`369`	`362`	`}),`
`370`	`363`	`Scope:rbac.ScopeAll,`
`@@ -382,9 +375,8 @@ var (`
`382`	`375`	`// The workspace monitor needs to be able to update monitors`
`383`	`376`	`rbac.ResourceWorkspaceAgentResourceMonitor.Type: {policy.ActionUpdate},`
`384`	`377`	`}),`
`385`		`-Org:map[string][]rbac.Permission{},`
`386`		`-User: []rbac.Permission{},`
`387`		`-OrgMember:map[string][]rbac.Permission{},`
	`378`	`+User: []rbac.Permission{},`
	`379`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`388`	`380`	`},`
`389`	`381`	`}),`
`390`	`382`	`Scope:rbac.ScopeAll,`
`@@ -400,13 +392,10 @@ var (`
`400`	`392`	`Identifier: rbac.RoleIdentifier{Name:"subagentapi"},`
`401`	`393`	`DisplayName:"Sub Agent API",`
`402`	`394`	`Site: []rbac.Permission{},`
`403`		`-Org:map[string][]rbac.Permission{`
`404`		`-orgID.String(): {},`
`405`		`-},`
`406`	`395`	`User:rbac.Permissions(map[string][]policy.Action{`
`407`	`396`	`rbac.ResourceWorkspace.Type: {policy.ActionRead,policy.ActionUpdate,policy.ActionCreateAgent,policy.ActionDeleteAgent},`
`408`	`397`	`}),`
`409`		`-OrgMember:map[string][]rbac.Permission{},`
	`398`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`410`	`399`	`},`
`411`	`400`	`}),`
`412`	`401`	`Scope:rbac.ScopeAll,`
`@@ -445,9 +434,8 @@ var (`
`445`	`434`	`rbac.ResourceOauth2App.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},`
`446`	`435`	`rbac.ResourceOauth2AppSecret.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},`
`447`	`436`	`}),`
`448`		`-Org:map[string][]rbac.Permission{},`
`449`		`-User: []rbac.Permission{},`
`450`		`-OrgMember:map[string][]rbac.Permission{},`
	`437`	`+User: []rbac.Permission{},`
	`438`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`451`	`439`	`},`
`452`	`440`	`}),`
`453`	`441`	`Scope:rbac.ScopeAll,`
`@@ -464,9 +452,8 @@ var (`
`464`	`452`	`Site:rbac.Permissions(map[string][]policy.Action{`
`465`	`453`	`rbac.ResourceProvisionerDaemon.Type: {policy.ActionRead},`
`466`	`454`	`}),`
`467`		`-Org:map[string][]rbac.Permission{},`
`468`		`-User: []rbac.Permission{},`
`469`		`-OrgMember:map[string][]rbac.Permission{},`
	`455`	`+User: []rbac.Permission{},`
	`456`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`470`	`457`	`},`
`471`	`458`	`}),`
`472`	`459`	`Scope:rbac.ScopeAll,`
`@@ -542,9 +529,8 @@ var (`
`542`	`529`	`Site:rbac.Permissions(map[string][]policy.Action{`
`543`	`530`	`rbac.ResourceFile.Type: {policy.ActionRead},`
`544`	`531`	`}),`
`545`		`-Org:map[string][]rbac.Permission{},`
`546`		`-User: []rbac.Permission{},`
`547`		`-OrgMember:map[string][]rbac.Permission{},`
	`532`	`+User: []rbac.Permission{},`
	`533`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`548`	`534`	`},`
`549`	`535`	`}),`
`550`	`536`	`Scope:rbac.ScopeAll,`
`@@ -564,9 +550,8 @@ var (`
`564`	`550`	`// reads/processes them.`
`565`	`551`	`rbac.ResourceUsageEvent.Type: {policy.ActionRead,policy.ActionUpdate},`
`566`	`552`	`}),`
`567`		`-Org:map[string][]rbac.Permission{},`
`568`		`-User: []rbac.Permission{},`
`569`		`-OrgMember:map[string][]rbac.Permission{},`
	`553`	`+User: []rbac.Permission{},`
	`554`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`570`	`555`	`},`
`571`	`556`	`}),`
`572`	`557`	`Scope:rbac.ScopeAll,`
`@@ -589,9 +574,8 @@ var (`
`589`	`574`	`rbac.ResourceApiKey.Type: {policy.ActionRead},// Validate API keys.`
`590`	`575`	`rbac.ResourceAibridgeInterception.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate},`
`591`	`576`	`}),`
`592`		`-Org:map[string][]rbac.Permission{},`
`593`		`-User: []rbac.Permission{},`
`594`		`-OrgMember:map[string][]rbac.Permission{},`
	`577`	`+User: []rbac.Permission{},`
	`578`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`595`	`579`	`},`
`596`	`580`	`}),`
`597`	`581`	`Scope:rbac.ScopeAll,`
`@@ -1267,13 +1251,13 @@ func (q *querier) customRoleCheck(ctx context.Context, role database.CustomRole)`
`1267`	`1251`	`returnxerrors.Errorf("invalid role: %w",err)`
`1268`	`1252`	`}`
`1269`	`1253`
`1270`		`-iflen(rbacRole.Org)>0&&len(rbacRole.Site)>0 {`
	`1254`	`+iflen(rbacRole.ByOrgID)>0&&len(rbacRole.Site)>0 {`
`1271`	`1255`	`// This is a choice to keep roles simple. If we allow mixing site and org scoped perms, then knowing who can`
`1272`	`1256`	`// do what gets more complicated.`
`1273`	`1257`	`returnxerrors.Errorf("invalid custom role, cannot assign both org and site permissions at the same time")`
`1274`	`1258`	`}`
`1275`	`1259`
`1276`		`-iflen(rbacRole.Org)>1 {`
	`1260`	`+iflen(rbacRole.ByOrgID)>1 {`
`1277`	`1261`	`// Again to avoid more complexity in our roles`
`1278`	`1262`	`returnxerrors.Errorf("invalid custom role, cannot assign permissions to more than 1 org at a time")`
`1279`	`1263`	`}`
`@@ -1286,8 +1270,8 @@ func (q *querier) customRoleCheck(ctx context.Context, role database.CustomRole)`
`1286`	`1270`	`}`
`1287`	`1271`	`}`
`1288`	`1272`
`1289`		`-fororgID,perms:=rangerbacRole.Org {`
`1290`		`-for_,orgPerm:=rangeperms {`
	`1273`	`+fororgID,perms:=rangerbacRole.ByOrgID {`
	`1274`	`+for_,orgPerm:=rangeperms.Org {`
`1291`	`1275`	`err:=q.customRoleEscalationCheck(ctx,act,orgPerm, rbac.Object{OrgID:orgID,Type:orgPerm.ResourceType})`
`1292`	`1276`	`iferr!=nil {`
`1293`	`1277`	`returnxerrors.Errorf("org=%q: %w",orgID,err)`

`‎coderd/database/modelmethods.go‎`

Lines changed: 9 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -170,9 +170,8 @@ func (s APIKeyScopes) Expand() (rbac.Scope, error) {`
`170`	`170`	`// Identifier is informational; not used in policy evaluation.`
`171`	`171`	`Identifier: rbac.RoleIdentifier{Name:"Scope_Multiple"},`
`172`	`172`	`Site:nil,`
`173`		`-Org:map[string][]rbac.Permission{},`
`174`	`173`	`User:nil,`
`175`		`-OrgMember:nil,`
	`174`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`176`	`175`	`}`
`177`	`176`
`178`	`177`	`// Track allow list union, collapsing to wildcard if any child is wildcard.`
`@@ -187,8 +186,10 @@ func (s APIKeyScopes) Expand() (rbac.Scope, error) {`
`187`	`186`
`188`	`187`	`// Merge role permissions: union by simple concatenation.`
`189`	`188`	`merged.Site=append(merged.Site,expanded.Site...)`
`190`		`-fororgID,perms:=rangeexpanded.Org {`
`191`		`-merged.Org[orgID]=append(merged.Org[orgID],perms...)`
	`189`	`+fororgID,perms:=rangeexpanded.ByOrgID {`
	`190`	`+orgPerms:=merged.ByOrgID[orgID]`
	`191`	`+orgPerms.Org=append(orgPerms.Org,perms.Org...)`
	`192`	`+merged.ByOrgID[orgID]=orgPerms`
`192`	`193`	`}`
`193`	`194`	`merged.User=append(merged.User,expanded.User...)`
`194`	`195`
`@@ -206,10 +207,11 @@ func (s APIKeyScopes) Expand() (rbac.Scope, error) {`
`206`	`207`
`207`	`208`	`// De-duplicate permissions across Site/Org/User`
`208`	`209`	`merged.Site=rbac.DeduplicatePermissions(merged.Site)`
`209`		`-fororgID,perms:=rangemerged.Org {`
`210`		`-merged.Org[orgID]=rbac.DeduplicatePermissions(perms)`
`211`		`-}`
`212`	`210`	`merged.User=rbac.DeduplicatePermissions(merged.User)`
	`211`	`+fororgID,perms:=rangemerged.ByOrgID {`
	`212`	`+perms.Org=rbac.DeduplicatePermissions(perms.Org)`
	`213`	`+merged.ByOrgID[orgID]=perms`
	`214`	`+}`
`213`	`215`
`214`	`216`	`ifallowAll\|\|len(allowSet)==0 {`
`215`	`217`	`merged.AllowIDList= []rbac.AllowListElement{rbac.AllowListAll()}`

`‎coderd/rbac/authz_internal_test.go‎`

Lines changed: 34 additions & 35 deletions

Original file line number	Diff line number	Diff line change
`@@ -638,27 +638,26 @@ func TestAuthorizeDomain(t *testing.T) {`
`638`	`638`	`{`
`639`	`639`	`Identifier:RoleIdentifier{Name:"ReadOnlyOrgAndUser"},`
`640`	`640`	`Site: []Permission{},`
`641`		`-Org:map[string][]Permission{`
`642`		`-defOrg.String(): {{`
`643`		`-Negate:false,`
`644`		`-ResourceType:"*",`
`645`		`-Action:policy.ActionRead,`
`646`		`-}},`
`647`		`-},`
`648`		`-OrgMember:map[string][]Permission{`
`649`		`-defOrg.String(): {{`
`650`		`-Negate:false,`
`651`		`-ResourceType:"*",`
`652`		`-Action:policy.ActionRead,`
`653`		`-}},`
`654`		`-},`
`655`	`641`	`User: []Permission{`
`656`	`642`	`{`
`657`	`643`	`Negate:false,`
`658`	`644`	`ResourceType:"*",`
`659`	`645`	`Action:policy.ActionRead,`
`660`	`646`	`},`
`661`	`647`	`},`
	`648`	`+ByOrgID:map[string]OrgPermissions{`
	`649`	`+defOrg.String(): {`
	`650`	`+Org: []Permission{{`
	`651`	`+Negate:false,`
	`652`	`+ResourceType:"*",`
	`653`	`+Action:policy.ActionRead,`
	`654`	`+}},`
	`655`	`+Member: []Permission{{`
	`656`	`+Negate:false,`
	`657`	`+ResourceType:"*",`
	`658`	`+Action:policy.ActionRead,`
	`659`	`+}},`
	`660`	`+}},`
`662`	`661`	`},`
`663`	`662`	`},`
`664`	`663`	`}`
`@@ -738,12 +737,14 @@ func TestAuthorizeLevels(t *testing.T) {`
`738`	`737`	`must(RoleByName(RoleOwner())),`
`739`	`738`	`{`
`740`	`739`	`Identifier:RoleIdentifier{Name:"org-deny:",OrganizationID:defOrg},`
`741`		`-Org:map[string][]Permission{`
	`740`	`+ByOrgID:map[string]OrgPermissions{`
`742`	`741`	`defOrg.String(): {`
`743`		`-{`
`744`		`-Negate:true,`
`745`		`-ResourceType:"*",`
`746`		`-Action:"*",`
	`742`	`+Org: []Permission{`
	`743`	`+{`
	`744`	`+Negate:true,`
	`745`	`+ResourceType:"*",`
	`746`	`+Action:"*",`
	`747`	`+},`
`747`	`748`	`},`
`748`	`749`	`},`
`749`	`750`	`},`
`@@ -938,9 +939,8 @@ func TestAuthorizeScope(t *testing.T) {`
`938`	`939`	`// Only read access for workspaces.`
`939`	`940`	`ResourceWorkspace.Type: {policy.ActionRead},`
`940`	`941`	`}),`
`941`		`-Org:map[string][]Permission{},`
`942`		`-User: []Permission{},`
`943`		`-OrgMember:map[string][]Permission{},`
	`942`	`+User: []Permission{},`
	`943`	`+ByOrgID:map[string]OrgPermissions{},`
`944`	`944`	`},`
`945`	`945`	`AllowIDList: []AllowListElement{{Type:ResourceWorkspace.Type,ID:workspaceID.String()}},`
`946`	`946`	`},`
`@@ -1028,9 +1028,8 @@ func TestAuthorizeScope(t *testing.T) {`
`1028`	`1028`	`// Only read access for workspaces.`
`1029`	`1029`	`ResourceWorkspace.Type: {policy.ActionCreate},`
`1030`	`1030`	`}),`
`1031`		`-Org:map[string][]Permission{},`
`1032`		`-User: []Permission{},`
`1033`		`-OrgMember:map[string][]Permission{},`
	`1031`	`+User: []Permission{},`
	`1032`	`+ByOrgID:map[string]OrgPermissions{},`
`1034`	`1033`	`},`
`1035`	`1034`	`// Empty string allow_list is allowed for actions like 'create'`
`1036`	`1035`	`AllowIDList: []AllowListElement{{`
`@@ -1152,19 +1151,19 @@ func TestAuthorizeScope(t *testing.T) {`
`1152`	`1151`	`},`
`1153`	`1152`	`DisplayName:"OrgAndUserScope",`
`1154`	`1153`	`Site:nil,`
`1155`		`-Org:map[string][]Permission{`
`1156`		`-defOrg.String():Permissions(map[string][]policy.Action{`
`1157`		`-ResourceWorkspace.Type: {policy.ActionRead},`
`1158`		`-}),`
`1159`		`-},`
`1160`		`-OrgMember:map[string][]Permission{`
`1161`		`-defOrg.String():Permissions(map[string][]policy.Action{`
`1162`		`-ResourceWorkspace.Type: {policy.ActionRead},`
`1163`		`-}),`
`1164`		`-},`
`1165`	`1154`	`User:Permissions(map[string][]policy.Action{`
`1166`	`1155`	`ResourceUser.Type: {policy.ActionRead},`
`1167`	`1156`	`}),`
	`1157`	`+ByOrgID:map[string]OrgPermissions{`
	`1158`	`+defOrg.String(): {`
	`1159`	`+Org:Permissions(map[string][]policy.Action{`
	`1160`	`+ResourceWorkspace.Type: {policy.ActionRead},`
	`1161`	`+}),`
	`1162`	`+Member:Permissions(map[string][]policy.Action{`
	`1163`	`+ResourceWorkspace.Type: {policy.ActionRead},`
	`1164`	`+}),`
	`1165`	`+},`
	`1166`	`+},`
`1168`	`1167`	`},`
`1169`	`1168`	`AllowIDList: []AllowListElement{AllowListAll()},`
`1170`	`1169`	`},`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit7cecaee

File tree

13 files changed

13 files changed

`‎coderd/database/db2sdk/db2sdk.go‎`

`‎coderd/database/dbauthz/dbauthz.go‎`

`‎coderd/database/modelmethods.go‎`

`‎coderd/rbac/authz_internal_test.go‎`

0 commit comments