NotificationsYou must be signed in to change notification settings
Fork1k
Star11.2k

Commitc24d0dc

committed

ok well one of you did something

1 parent74a6c99 commitc24d0dcCopy full SHA for c24d0dc

File tree

7 files changed

+70

-38

lines changed

coderd
- database
  - dbauthz
    - dbauthz.go
  - modelmethods.go
- rbac
enterprise
- coderd
  - coderd_test.go
- tailnet
  - pgcoord.go

7 files changed

+70

-38

lines changed

`‎coderd/database/dbauthz/dbauthz.go‎`

Lines changed: 40 additions & 26 deletions

Original file line number	Diff line number	Diff line change
`@@ -232,8 +232,9 @@ var (`
`232`	`232`	`// Provisionerd creates usage events`
`233`	`233`	`rbac.ResourceUsageEvent.Type: {policy.ActionCreate},`
`234`	`234`	`}),`
`235`		`-Org:map[string][]rbac.Permission{},`
`236`		`-User: []rbac.Permission{},`
	`235`	`+Org:map[string][]rbac.Permission{},`
	`236`	`+User: []rbac.Permission{},`
	`237`	`+OrgMember:map[string][]rbac.Permission{},`
`237`	`238`	`},`
`238`	`239`	`}),`
`239`	`240`	`Scope:rbac.ScopeAll,`
`@@ -257,8 +258,9 @@ var (`
`257`	`258`	`rbac.ResourceWorkspace.Type: {policy.ActionDelete,policy.ActionRead,policy.ActionUpdate,policy.ActionWorkspaceStart,policy.ActionWorkspaceStop},`
`258`	`259`	`rbac.ResourceWorkspaceDormant.Type: {policy.ActionDelete,policy.ActionRead,policy.ActionUpdate,policy.ActionWorkspaceStop},`
`259`	`260`	`}),`
`260`		`-Org:map[string][]rbac.Permission{},`
`261`		`-User: []rbac.Permission{},`
	`261`	`+Org:map[string][]rbac.Permission{},`
	`262`	`+User: []rbac.Permission{},`
	`263`	`+OrgMember:map[string][]rbac.Permission{},`
`262`	`264`	`},`
`263`	`265`	`}),`
`264`	`266`	`Scope:rbac.ScopeAll,`
`@@ -279,8 +281,9 @@ var (`
`279`	`281`	`rbac.ResourceWorkspace.Type: {policy.ActionRead,policy.ActionUpdate},`
`280`	`282`	`rbac.ResourceProvisionerJobs.Type: {policy.ActionRead,policy.ActionUpdate},`
`281`	`283`	`}),`
`282`		`-Org:map[string][]rbac.Permission{},`
`283`		`-User: []rbac.Permission{},`
	`284`	`+Org:map[string][]rbac.Permission{},`
	`285`	`+User: []rbac.Permission{},`
	`286`	`+OrgMember:map[string][]rbac.Permission{},`
`284`	`287`	`},`
`285`	`288`	`}),`
`286`	`289`	`Scope:rbac.ScopeAll,`
`@@ -298,8 +301,9 @@ var (`
`298`	`301`	`Site:rbac.Permissions(map[string][]policy.Action{`
`299`	`302`	`rbac.ResourceCryptoKey.Type: {policy.WildcardSymbol},`
`300`	`303`	`}),`
`301`		`-Org:map[string][]rbac.Permission{},`
`302`		`-User: []rbac.Permission{},`
	`304`	`+Org:map[string][]rbac.Permission{},`
	`305`	`+User: []rbac.Permission{},`
	`306`	`+OrgMember:map[string][]rbac.Permission{},`
`303`	`307`	`},`
`304`	`308`	`}),`
`305`	`309`	`Scope:rbac.ScopeAll,`
`@@ -317,8 +321,9 @@ var (`
`317`	`321`	`Site:rbac.Permissions(map[string][]policy.Action{`
`318`	`322`	`rbac.ResourceCryptoKey.Type: {policy.WildcardSymbol},`
`319`	`323`	`}),`
`320`		`-Org:map[string][]rbac.Permission{},`
`321`		`-User: []rbac.Permission{},`
	`324`	`+Org:map[string][]rbac.Permission{},`
	`325`	`+User: []rbac.Permission{},`
	`326`	`+OrgMember:map[string][]rbac.Permission{},`
`322`	`327`	`},`
`323`	`328`	`}),`
`324`	`329`	`Scope:rbac.ScopeAll,`
`@@ -335,8 +340,9 @@ var (`
`335`	`340`	`Site:rbac.Permissions(map[string][]policy.Action{`
`336`	`341`	`rbac.ResourceConnectionLog.Type: {policy.ActionUpdate,policy.ActionRead},`
`337`	`342`	`}),`
`338`		`-Org:map[string][]rbac.Permission{},`
`339`		`-User: []rbac.Permission{},`
	`343`	`+Org:map[string][]rbac.Permission{},`
	`344`	`+User: []rbac.Permission{},`
	`345`	`+OrgMember:map[string][]rbac.Permission{},`
`340`	`346`	`},`
`341`	`347`	`}),`
`342`	`348`	`Scope:rbac.ScopeAll,`
`@@ -356,8 +362,9 @@ var (`
`356`	`362`	`rbac.ResourceWebpushSubscription.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},`
`357`	`363`	`rbac.ResourceDeploymentConfig.Type: {policy.ActionRead,policy.ActionUpdate},// To read and upsert VAPID keys`
`358`	`364`	`}),`
`359`		`-Org:map[string][]rbac.Permission{},`
`360`		`-User: []rbac.Permission{},`
	`365`	`+Org:map[string][]rbac.Permission{},`
	`366`	`+User: []rbac.Permission{},`
	`367`	`+OrgMember:map[string][]rbac.Permission{},`
`361`	`368`	`},`
`362`	`369`	`}),`
`363`	`370`	`Scope:rbac.ScopeAll,`
`@@ -375,8 +382,9 @@ var (`
`375`	`382`	`// The workspace monitor needs to be able to update monitors`
`376`	`383`	`rbac.ResourceWorkspaceAgentResourceMonitor.Type: {policy.ActionUpdate},`
`377`	`384`	`}),`
`378`		`-Org:map[string][]rbac.Permission{},`
`379`		`-User: []rbac.Permission{},`
	`385`	`+Org:map[string][]rbac.Permission{},`
	`386`	`+User: []rbac.Permission{},`
	`387`	`+OrgMember:map[string][]rbac.Permission{},`
`380`	`388`	`},`
`381`	`389`	`}),`
`382`	`390`	`Scope:rbac.ScopeAll,`
`@@ -398,6 +406,7 @@ var (`
`398`	`406`	`User:rbac.Permissions(map[string][]policy.Action{`
`399`	`407`	`rbac.ResourceWorkspace.Type: {policy.ActionRead,policy.ActionUpdate,policy.ActionCreateAgent,policy.ActionDeleteAgent},`
`400`	`408`	`}),`
	`409`	`+OrgMember:map[string][]rbac.Permission{},`
`401`	`410`	`},`
`402`	`411`	`}),`
`403`	`412`	`Scope:rbac.ScopeAll,`
`@@ -436,8 +445,9 @@ var (`
`436`	`445`	`rbac.ResourceOauth2App.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},`
`437`	`446`	`rbac.ResourceOauth2AppSecret.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},`
`438`	`447`	`}),`
`439`		`-Org:map[string][]rbac.Permission{},`
`440`		`-User: []rbac.Permission{},`
	`448`	`+Org:map[string][]rbac.Permission{},`
	`449`	`+User: []rbac.Permission{},`
	`450`	`+OrgMember:map[string][]rbac.Permission{},`
`441`	`451`	`},`
`442`	`452`	`}),`
`443`	`453`	`Scope:rbac.ScopeAll,`
`@@ -454,8 +464,9 @@ var (`
`454`	`464`	`Site:rbac.Permissions(map[string][]policy.Action{`
`455`	`465`	`rbac.ResourceProvisionerDaemon.Type: {policy.ActionRead},`
`456`	`466`	`}),`
`457`		`-Org:map[string][]rbac.Permission{},`
`458`		`-User: []rbac.Permission{},`
	`467`	`+Org:map[string][]rbac.Permission{},`
	`468`	`+User: []rbac.Permission{},`
	`469`	`+OrgMember:map[string][]rbac.Permission{},`
`459`	`470`	`},`
`460`	`471`	`}),`
`461`	`472`	`Scope:rbac.ScopeAll,`
`@@ -531,8 +542,9 @@ var (`
`531`	`542`	`Site:rbac.Permissions(map[string][]policy.Action{`
`532`	`543`	`rbac.ResourceFile.Type: {policy.ActionRead},`
`533`	`544`	`}),`
`534`		`-Org:map[string][]rbac.Permission{},`
`535`		`-User: []rbac.Permission{},`
	`545`	`+Org:map[string][]rbac.Permission{},`
	`546`	`+User: []rbac.Permission{},`
	`547`	`+OrgMember:map[string][]rbac.Permission{},`
`536`	`548`	`},`
`537`	`549`	`}),`
`538`	`550`	`Scope:rbac.ScopeAll,`
`@@ -552,8 +564,9 @@ var (`
`552`	`564`	`// reads/processes them.`
`553`	`565`	`rbac.ResourceUsageEvent.Type: {policy.ActionRead,policy.ActionUpdate},`
`554`	`566`	`}),`
`555`		`-Org:map[string][]rbac.Permission{},`
`556`		`-User: []rbac.Permission{},`
	`567`	`+Org:map[string][]rbac.Permission{},`
	`568`	`+User: []rbac.Permission{},`
	`569`	`+OrgMember:map[string][]rbac.Permission{},`
`557`	`570`	`},`
`558`	`571`	`}),`
`559`	`572`	`Scope:rbac.ScopeAll,`
`@@ -575,8 +588,9 @@ var (`
`575`	`588`	`rbac.ResourceApiKey.Type: {policy.ActionRead},// Validate API keys.`
`576`	`589`	`rbac.ResourceAibridgeInterception.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate},`
`577`	`590`	`}),`
`578`		`-Org:map[string][]rbac.Permission{},`
`579`		`-User: []rbac.Permission{},`
	`591`	`+Org:map[string][]rbac.Permission{},`
	`592`	`+User: []rbac.Permission{},`
	`593`	`+OrgMember:map[string][]rbac.Permission{},`
`580`	`594`	`},`
`581`	`595`	`}),`
`582`	`596`	`Scope:rbac.ScopeAll,`

`‎coderd/database/modelmethods.go‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -172,6 +172,7 @@ func (s APIKeyScopes) Expand() (rbac.Scope, error) {`
`172`	`172`	`Site:nil,`
`173`	`173`	`Org:map[string][]rbac.Permission{},`
`174`	`174`	`User:nil,`
	`175`	`+OrgMember:nil,`
`175`	`176`	`}`
`176`	`177`
`177`	`178`	`// Track allow list union, collapsing to wildcard if any child is wildcard.`

`‎coderd/rbac/astvalue.go‎`

Lines changed: 8 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -161,6 +161,10 @@ func (role Role) regoValue() ast.Value {`
`161`	`161`	`fork,p:=rangerole.Org {`
`162`	`162`	`orgMap.Insert(ast.StringTerm(k),ast.NewTerm(regoSlice(p)))`
`163`	`163`	`}`
	`164`	`+orgMemberMap:=ast.NewObject()`
	`165`	`+fork,p:=rangerole.OrgMember {`
	`166`	`+orgMemberMap.Insert(ast.StringTerm(k),ast.NewTerm(regoSlice(p)))`
	`167`	`+}`
`164`	`168`	`returnast.NewObject(`
`165`	`169`	`[2]*ast.Term{`
`166`	`170`	`ast.StringTerm("site"),`
`@@ -174,6 +178,10 @@ func (role Role) regoValue() ast.Value {`
`174`	`178`	`ast.StringTerm("user"),`
`175`	`179`	`ast.NewTerm(regoSlice(role.User)),`
`176`	`180`	`},`
	`181`	`+[2]*ast.Term{`
	`182`	`+ast.StringTerm("org_member"),`
	`183`	`+ast.NewTerm(orgMemberMap),`
	`184`	`+},`
`177`	`185`	`)`
`178`	`186`	`}`
`179`	`187`

`‎coderd/rbac/authz_internal_test.go‎`

Lines changed: 7 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -926,8 +926,9 @@ func TestAuthorizeScope(t *testing.T) {`
`926`	`926`	`// Only read access for workspaces.`
`927`	`927`	`ResourceWorkspace.Type: {policy.ActionRead},`
`928`	`928`	`}),`
`929`		`-Org:map[string][]Permission{},`
`930`		`-User: []Permission{},`
	`929`	`+Org:map[string][]Permission{},`
	`930`	`+User: []Permission{},`
	`931`	`+OrgMember:map[string][]Permission{},`
`931`	`932`	`},`
`932`	`933`	`AllowIDList: []AllowListElement{{Type:ResourceWorkspace.Type,ID:workspaceID.String()}},`
`933`	`934`	`},`
`@@ -1015,8 +1016,9 @@ func TestAuthorizeScope(t *testing.T) {`
`1015`	`1016`	`// Only read access for workspaces.`
`1016`	`1017`	`ResourceWorkspace.Type: {policy.ActionCreate},`
`1017`	`1018`	`}),`
`1018`		`-Org:map[string][]Permission{},`
`1019`		`-User: []Permission{},`
	`1019`	`+Org:map[string][]Permission{},`
	`1020`	`+User: []Permission{},`
	`1021`	`+OrgMember:map[string][]Permission{},`
`1020`	`1022`	`},`
`1021`	`1023`	`// Empty string allow_list is allowed for actions like 'create'`
`1022`	`1024`	`AllowIDList: []AllowListElement{{`
`@@ -1146,6 +1148,7 @@ func TestAuthorizeScope(t *testing.T) {`
`1146`	`1148`	`User:Permissions(map[string][]policy.Action{`
`1147`	`1149`	`ResourceUser.Type: {policy.ActionRead},`
`1148`	`1150`	`}),`
	`1151`	`+OrgMember:nil,`
`1149`	`1152`	`},`
`1150`	`1153`	`AllowIDList: []AllowListElement{AllowListAll()},`
`1151`	`1154`	`},`

`‎coderd/rbac/scopes.go‎`

Lines changed: 8 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -77,8 +77,9 @@ var builtinScopes = map[ScopeName]Scope{`
`77`	`77`	`Site:Permissions(map[string][]policy.Action{`
`78`	`78`	`ResourceWildcard.Type: {policy.WildcardSymbol},`
`79`	`79`	`}),`
`80`		`-Org:map[string][]Permission{},`
`81`		`-User: []Permission{},`
	`80`	`+Org:map[string][]Permission{},`
	`81`	`+User: []Permission{},`
	`82`	`+OrgMember:map[string][]Permission{},`
`82`	`83`	`},`
`83`	`84`	`AllowIDList: []AllowListElement{AllowListAll()},`
`84`	`85`	`},`
`@@ -90,8 +91,9 @@ var builtinScopes = map[ScopeName]Scope{`
`90`	`91`	`Site:Permissions(map[string][]policy.Action{`
`91`	`92`	`ResourceWorkspace.Type: {policy.ActionApplicationConnect},`
`92`	`93`	`}),`
`93`		`-Org:map[string][]Permission{},`
`94`		`-User: []Permission{},`
	`94`	`+Org:map[string][]Permission{},`
	`95`	`+User: []Permission{},`
	`96`	`+OrgMember:map[string][]Permission{},`
`95`	`97`	`},`
`96`	`98`	`AllowIDList: []AllowListElement{AllowListAll()},`
`97`	`99`	`},`
`@@ -103,6 +105,7 @@ var builtinScopes = map[ScopeName]Scope{`
`103`	`105`	`Site:allPermsExcept(ResourceUser),`
`104`	`106`	`Org:map[string][]Permission{},`
`105`	`107`	`User: []Permission{},`
	`108`	`+OrgMember:map[string][]Permission{},`
`106`	`109`	`},`
`107`	`110`	`AllowIDList: []AllowListElement{AllowListAll()},`
`108`	`111`	`},`
`@@ -222,6 +225,7 @@ func expandLowLevel(resource string, action policy.Action) Scope {`
`222`	`225`	`Site: []Permission{{ResourceType:resource,Action:action}},`
`223`	`226`	`Org:map[string][]Permission{},`
`224`	`227`	`User: []Permission{},`
	`228`	`+OrgMember:map[string][]Permission{},`
`225`	`229`	`},`
`226`	`230`	`// Low-level scopes intentionally return an empty allow list.`
`227`	`231`	`AllowIDList: []AllowListElement{},`

`‎enterprise/coderd/coderd_test.go‎`

Lines changed: 3 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -738,8 +738,9 @@ func testDBAuthzRole(ctx context.Context) context.Context {`
`738`	`738`	`Site:rbac.Permissions(map[string][]policy.Action{`
`739`	`739`	`rbac.ResourceWildcard.Type: {policy.WildcardSymbol},`
`740`	`740`	`}),`
`741`		`-Org:map[string][]rbac.Permission{},`
`742`		`-User: []rbac.Permission{},`
	`741`	`+Org:map[string][]rbac.Permission{},`
	`742`	`+User: []rbac.Permission{},`
	`743`	`+OrgMember:map[string][]rbac.Permission{},`
`743`	`744`	`},`
`744`	`745`	`}),`
`745`	`746`	`Scope:rbac.ScopeAll,`

`‎enterprise/tailnet/pgcoord.go‎`

Lines changed: 3 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -106,8 +106,9 @@ var pgCoordSubject = rbac.Subject{`
`106`	`106`	`Site:rbac.Permissions(map[string][]policy.Action{`
`107`	`107`	`rbac.ResourceTailnetCoordinator.Type: {policy.WildcardSymbol},`
`108`	`108`	`}),`
`109`		`-Org:map[string][]rbac.Permission{},`
`110`		`-User: []rbac.Permission{},`
	`109`	`+Org:map[string][]rbac.Permission{},`
	`110`	`+User: []rbac.Permission{},`
	`111`	`+OrgMember:map[string][]rbac.Permission{},`
`111`	`112`	`},`
`112`	`113`	`}),`
`113`	`114`	`Scope:rbac.ScopeAll,`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitc24d0dc

File tree

7 files changed

7 files changed

`‎coderd/database/dbauthz/dbauthz.go‎`

`‎coderd/database/modelmethods.go‎`

`‎coderd/rbac/astvalue.go‎`

`‎coderd/rbac/authz_internal_test.go‎`

`‎coderd/rbac/scopes.go‎`

`‎enterprise/coderd/coderd_test.go‎`

`‎enterprise/tailnet/pgcoord.go‎`

0 commit comments