
Commitc96c93d

committed
feat: add curated public API key scope catalog
Add public low-level scope catalog to RBAC system with curated set of user-requestable scopes. Includes workspace, template, API key, file, personal user, and user secret scopes. Updates scope checking documentation to reference new catalog location in rbac package.
1 parent4810c5e commitc96c93d


3 files changed

+114
-1
lines changed

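--- /dev/null
+++ b/coderd/rbac/scopes_catalog.go
@@ -0,0 +1,69 @@
+package rbac
+
+import (
+"sort"
+"strings"
+)
+
+// publicLowLevel is the curated set of low-level scope names exposed to users.
+// Any valid resource:action pair not in this set is considered internal-only
+// and must not be user-requestable.
+varpublicLowLevel=map[ScopeName]struct{}{
+// Workspaces
+"workspace:read": {},
+"workspace:create": {},
+"workspace:update": {},
+"workspace:delete": {},
+"workspace:ssh": {},
+"workspace:start": {},
+"workspace:stop": {},
+"workspace:application_connect": {},
+
+// Templates
+"template:read": {},
+"template:create": {},
+"template:update": {},
+"template:delete": {},
+"template:use": {},
+
+// API keys (self-management)
+"api_key:read": {},
+"api_key:create": {},
+"api_key:update": {},
+"api_key:delete": {},
+
+// Files
+"file:read": {},
+"file:create": {},
+
+// Users (personal profile only)
+"user:read_personal": {},
+"user:update_personal": {},
+
+// User secrets
+"user_secret:read": {},
+"user_secret:create": {},
+"user_secret:update": {},
+"user_secret:delete": {},
+}
+
+// IsPublicLowLevel reports whether the provided scope name is in the curated
+// public catalog.
+funcIsPublicLowLevel(nameScopeName)bool {
+_,ok:=publicLowLevel[name]
+returnok
+}
+
+// PublicLowLevelScopeNames returns a sorted list of public low-level scope
+// names. The list is filtered through parseLowLevelScope defensively, so it
+// never returns invalid entries if RBAC evolves.
+funcPublicLowLevelScopeNames() []string {
+out:=make([]string,0,len(publicLowLevel))
+forname:=rangepublicLowLevel {
+if_,_,ok:=parseLowLevelScope(name);ok {
+out=append(out,string(name))
+}
+}
+sort.Slice(out,func(i,jint)bool {returnstrings.Compare(out[i],out[j])<0 })
+returnout
+}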
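Review bot: IsPublicLowLevel (line 52) and PublicLowLevelScopeNames (line 60) disagree on what counts as public: the list drops any catalog entry that fails parseLowLevelScope, while the membership check accepts every key in publicLowLevel as-is, so a stale or mistyped entry would be reported public by one function and absent from the other. Because the test added in this commit iterates only the already-filtered list, such an entry would be silently omitted rather than caught. Suggest making the membership check apply the same validity rule, `_, _, valid := parseLowLevelScope(name); return ok && valid`, and asserting `require.Len(t, names, len(publicLowLevel))` in the test so catalog drift fails loudly instead of shrinking the allowlist quietly. As a point of style, the sort.Slice/strings.Compare closure on line 67 is equivalent to `sort.Strings(out)`, which would also remove the `strings` import.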
Lines changed: 43 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,43 @@
1+
package rbac
2+
3+
import (
4+
"sort"
5+
"testing"
6+
7+
"github.com/stretchr/testify/require"
8+
)
9+
10+
funcTestPublicLowLevelScopeNames_AreValidAndSorted(t*testing.T) {
11+
t.Parallel()
12+
13+
names:=PublicLowLevelScopeNames()
14+
require.NotEmpty(t,names)
15+
16+
// Ensure sorted ascending
17+
sorted:=append([]string(nil),names...)
18+
sort.Strings(sorted)
19+
require.Equal(t,sorted,names)
20+
21+
// Ensure each entry parses and expands to site-only
22+
for_,name:=rangenames {
23+
res,act,ok:=parseLowLevelScope(ScopeName(name))
24+
require.Truef(t,ok,"catalog entry should parse: %s",name)
25+
26+
s,err:=ScopeName(name).Expand()
27+
require.NoErrorf(t,err,"catalog entry should expand: %s",name)
28+
require.Len(t,s.Site,1)
29+
require.Equal(t,res,s.Site[0].ResourceType)
30+
require.Equal(t,act,s.Site[0].Action)
31+
require.Empty(t,s.Org)
32+
require.Empty(t,s.User)
33+
}
34+
}
35+
36+
funcTestIsPublicLowLevel(t*testing.T) {
37+
t.Parallel()
38+
39+
require.True(t,IsPublicLowLevel("workspace:read"))
40+
require.True(t,IsPublicLowLevel("template:use"))
41+
require.False(t,IsPublicLowLevel("debug_info:read"))// internal-only
42+
require.False(t,IsPublicLowLevel("unknown:read"))
43+
}

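--- a/scripts/check-scopes/README.md
+++ b/scripts/check-scopes/README.md
@@ -40,4 +40,5 @@ When the tool reports missing values:
 make -B gen/db&& make lint/check-scopes
 ```
 
-3. Decide whether each new scope is public (exposed in the catalog) or internal-only (handled by the catalog task).
+3. Decide whether each new scope is public (exposed in the catalog) or internal-only.
+- If public, add it to the curated map in`coderd/rbac/scopes_catalog.go` (`publicLowLevel`) so it appears in the public catalog and can be requested by users.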
