NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commite0848ab

committed

oh boy was that all??

1 parentdcbd51f commite0848abCopy full SHA for e0848ab

File tree

14 files changed

+207

-214

lines changed

coderd
- database
  - db2sdk
    - db2sdk.go
  - dbauthz
    - dbauthz.go
  - modelmethods.go
- rbac
- workspaceapps
  - db.go
enterprise
- coderd
  - coderd_test.go
- tailnet
  - pgcoord.go

14 files changed

+207

-214

lines changed

`‎coderd/database/db2sdk/db2sdk.go‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -693,13 +693,13 @@ func SlimRoleFromName(name string) codersdk.SlimRole {`
`693`	`693`	`funcRBACRole(role rbac.Role) codersdk.Role {`
`694`	`694`	`slim:=SlimRole(role)`
`695`	`695`
`696`		`-orgPerms:=role.Org[slim.OrganizationID]`
	`696`	`+orgPerms:=role.ByOrgID[slim.OrganizationID]`
`697`	`697`	`return codersdk.Role{`
`698`	`698`	`Name:slim.Name,`
`699`	`699`	`OrganizationID:slim.OrganizationID,`
`700`	`700`	`DisplayName:slim.DisplayName,`
`701`	`701`	`SitePermissions:List(role.Site,RBACPermission),`
`702`		`-OrganizationPermissions:List(orgPerms,RBACPermission),`
	`702`	`+OrganizationPermissions:List(orgPerms.Org,RBACPermission),`
`703`	`703`	`UserPermissions:List(role.User,RBACPermission),`
`704`	`704`	`}`
`705`	`705`	`}`

`‎coderd/database/dbauthz/dbauthz.go‎`

Lines changed: 31 additions & 33 deletions

Original file line number	Diff line number	Diff line change
`@@ -232,8 +232,8 @@ var (`
`232`	`232`	`// Provisionerd creates usage events`
`233`	`233`	`rbac.ResourceUsageEvent.Type: {policy.ActionCreate},`
`234`	`234`	`}),`
`235`		`-Org:map[string][]rbac.Permission{},`
`236`		`-User: []rbac.Permission{},`
	`235`	`+User:[]rbac.Permission{},`
	`236`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`237`	`237`	`},`
`238`	`238`	`}),`
`239`	`239`	`Scope:rbac.ScopeAll,`
`@@ -257,8 +257,8 @@ var (`
`257`	`257`	`rbac.ResourceWorkspace.Type: {policy.ActionDelete,policy.ActionRead,policy.ActionUpdate,policy.ActionWorkspaceStart,policy.ActionWorkspaceStop},`
`258`	`258`	`rbac.ResourceWorkspaceDormant.Type: {policy.ActionDelete,policy.ActionRead,policy.ActionUpdate,policy.ActionWorkspaceStop},`
`259`	`259`	`}),`
`260`		`-Org:map[string][]rbac.Permission{},`
`261`		`-User: []rbac.Permission{},`
	`260`	`+User:[]rbac.Permission{},`
	`261`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`262`	`262`	`},`
`263`	`263`	`}),`
`264`	`264`	`Scope:rbac.ScopeAll,`
`@@ -279,8 +279,8 @@ var (`
`279`	`279`	`rbac.ResourceWorkspace.Type: {policy.ActionRead,policy.ActionUpdate},`
`280`	`280`	`rbac.ResourceProvisionerJobs.Type: {policy.ActionRead,policy.ActionUpdate},`
`281`	`281`	`}),`
`282`		`-Org:map[string][]rbac.Permission{},`
`283`		`-User: []rbac.Permission{},`
	`282`	`+User:[]rbac.Permission{},`
	`283`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`284`	`284`	`},`
`285`	`285`	`}),`
`286`	`286`	`Scope:rbac.ScopeAll,`
`@@ -298,8 +298,8 @@ var (`
`298`	`298`	`Site:rbac.Permissions(map[string][]policy.Action{`
`299`	`299`	`rbac.ResourceCryptoKey.Type: {policy.WildcardSymbol},`
`300`	`300`	`}),`
`301`		`-Org:map[string][]rbac.Permission{},`
`302`		`-User: []rbac.Permission{},`
	`301`	`+User:[]rbac.Permission{},`
	`302`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`303`	`303`	`},`
`304`	`304`	`}),`
`305`	`305`	`Scope:rbac.ScopeAll,`
`@@ -317,8 +317,8 @@ var (`
`317`	`317`	`Site:rbac.Permissions(map[string][]policy.Action{`
`318`	`318`	`rbac.ResourceCryptoKey.Type: {policy.WildcardSymbol},`
`319`	`319`	`}),`
`320`		`-Org:map[string][]rbac.Permission{},`
`321`		`-User: []rbac.Permission{},`
	`320`	`+User:[]rbac.Permission{},`
	`321`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`322`	`322`	`},`
`323`	`323`	`}),`
`324`	`324`	`Scope:rbac.ScopeAll,`
`@@ -335,8 +335,8 @@ var (`
`335`	`335`	`Site:rbac.Permissions(map[string][]policy.Action{`
`336`	`336`	`rbac.ResourceConnectionLog.Type: {policy.ActionUpdate,policy.ActionRead},`
`337`	`337`	`}),`
`338`		`-Org:map[string][]rbac.Permission{},`
`339`		`-User: []rbac.Permission{},`
	`338`	`+User:[]rbac.Permission{},`
	`339`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`340`	`340`	`},`
`341`	`341`	`}),`
`342`	`342`	`Scope:rbac.ScopeAll,`
`@@ -356,8 +356,8 @@ var (`
`356`	`356`	`rbac.ResourceWebpushSubscription.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},`
`357`	`357`	`rbac.ResourceDeploymentConfig.Type: {policy.ActionRead,policy.ActionUpdate},// To read and upsert VAPID keys`
`358`	`358`	`}),`
`359`		`-Org:map[string][]rbac.Permission{},`
`360`		`-User: []rbac.Permission{},`
	`359`	`+User:[]rbac.Permission{},`
	`360`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`361`	`361`	`},`
`362`	`362`	`}),`
`363`	`363`	`Scope:rbac.ScopeAll,`
`@@ -375,8 +375,8 @@ var (`
`375`	`375`	`// The workspace monitor needs to be able to update monitors`
`376`	`376`	`rbac.ResourceWorkspaceAgentResourceMonitor.Type: {policy.ActionUpdate},`
`377`	`377`	`}),`
`378`		`-Org:map[string][]rbac.Permission{},`
`379`		`-User: []rbac.Permission{},`
	`378`	`+User:[]rbac.Permission{},`
	`379`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`380`	`380`	`},`
`381`	`381`	`}),`
`382`	`382`	`Scope:rbac.ScopeAll,`
`@@ -392,12 +392,10 @@ var (`
`392`	`392`	`Identifier: rbac.RoleIdentifier{Name:"subagentapi"},`
`393`	`393`	`DisplayName:"Sub Agent API",`
`394`	`394`	`Site: []rbac.Permission{},`
`395`		`-Org:map[string][]rbac.Permission{`
`396`		`-orgID.String(): {},`
`397`		`-},`
`398`	`395`	`User:rbac.Permissions(map[string][]policy.Action{`
`399`	`396`	`rbac.ResourceWorkspace.Type: {policy.ActionRead,policy.ActionUpdate,policy.ActionCreateAgent,policy.ActionDeleteAgent},`
`400`	`397`	`}),`
	`398`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`401`	`399`	`},`
`402`	`400`	`}),`
`403`	`401`	`Scope:rbac.ScopeAll,`
`@@ -436,8 +434,8 @@ var (`
`436`	`434`	`rbac.ResourceOauth2App.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},`
`437`	`435`	`rbac.ResourceOauth2AppSecret.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},`
`438`	`436`	`}),`
`439`		`-Org:map[string][]rbac.Permission{},`
`440`		`-User: []rbac.Permission{},`
	`437`	`+User:[]rbac.Permission{},`
	`438`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`441`	`439`	`},`
`442`	`440`	`}),`
`443`	`441`	`Scope:rbac.ScopeAll,`
`@@ -454,8 +452,8 @@ var (`
`454`	`452`	`Site:rbac.Permissions(map[string][]policy.Action{`
`455`	`453`	`rbac.ResourceProvisionerDaemon.Type: {policy.ActionRead},`
`456`	`454`	`}),`
`457`		`-Org:map[string][]rbac.Permission{},`
`458`		`-User: []rbac.Permission{},`
	`455`	`+User:[]rbac.Permission{},`
	`456`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`459`	`457`	`},`
`460`	`458`	`}),`
`461`	`459`	`Scope:rbac.ScopeAll,`
`@@ -531,8 +529,8 @@ var (`
`531`	`529`	`Site:rbac.Permissions(map[string][]policy.Action{`
`532`	`530`	`rbac.ResourceFile.Type: {policy.ActionRead},`
`533`	`531`	`}),`
`534`		`-Org:map[string][]rbac.Permission{},`
`535`		`-User: []rbac.Permission{},`
	`532`	`+User:[]rbac.Permission{},`
	`533`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`536`	`534`	`},`
`537`	`535`	`}),`
`538`	`536`	`Scope:rbac.ScopeAll,`
`@@ -552,8 +550,8 @@ var (`
`552`	`550`	`// reads/processes them.`
`553`	`551`	`rbac.ResourceUsageEvent.Type: {policy.ActionRead,policy.ActionUpdate},`
`554`	`552`	`}),`
`555`		`-Org:map[string][]rbac.Permission{},`
`556`		`-User: []rbac.Permission{},`
	`553`	`+User:[]rbac.Permission{},`
	`554`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`557`	`555`	`},`
`558`	`556`	`}),`
`559`	`557`	`Scope:rbac.ScopeAll,`
`@@ -576,8 +574,8 @@ var (`
`576`	`574`	`rbac.ResourceApiKey.Type: {policy.ActionRead},// Validate API keys.`
`577`	`575`	`rbac.ResourceAibridgeInterception.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate},`
`578`	`576`	`}),`
`579`		`-Org:map[string][]rbac.Permission{},`
`580`		`-User: []rbac.Permission{},`
	`577`	`+User:[]rbac.Permission{},`
	`578`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`581`	`579`	`},`
`582`	`580`	`}),`
`583`	`581`	`Scope:rbac.ScopeAll,`
`@@ -1253,13 +1251,13 @@ func (q *querier) customRoleCheck(ctx context.Context, role database.CustomRole)`
`1253`	`1251`	`returnxerrors.Errorf("invalid role: %w",err)`
`1254`	`1252`	`}`
`1255`	`1253`
`1256`		`-iflen(rbacRole.Org)>0&&len(rbacRole.Site)>0 {`
	`1254`	`+iflen(rbacRole.ByOrgID)>0&&len(rbacRole.Site)>0 {`
`1257`	`1255`	`// This is a choice to keep roles simple. If we allow mixing site and org scoped perms, then knowing who can`
`1258`	`1256`	`// do what gets more complicated.`
`1259`	`1257`	`returnxerrors.Errorf("invalid custom role, cannot assign both org and site permissions at the same time")`
`1260`	`1258`	`}`
`1261`	`1259`
`1262`		`-iflen(rbacRole.Org)>1 {`
	`1260`	`+iflen(rbacRole.ByOrgID)>1 {`
`1263`	`1261`	`// Again to avoid more complexity in our roles`
`1264`	`1262`	`returnxerrors.Errorf("invalid custom role, cannot assign permissions to more than 1 org at a time")`
`1265`	`1263`	`}`
`@@ -1272,8 +1270,8 @@ func (q *querier) customRoleCheck(ctx context.Context, role database.CustomRole)`
`1272`	`1270`	`}`
`1273`	`1271`	`}`
`1274`	`1272`
`1275`		`-fororgID,perms:=rangerbacRole.Org {`
`1276`		`-for_,orgPerm:=rangeperms {`
	`1273`	`+fororgID,perms:=rangerbacRole.ByOrgID {`
	`1274`	`+for_,orgPerm:=rangeperms.Org {`
`1277`	`1275`	`err:=q.customRoleEscalationCheck(ctx,act,orgPerm, rbac.Object{OrgID:orgID,Type:orgPerm.ResourceType})`
`1278`	`1276`	`iferr!=nil {`
`1279`	`1277`	`returnxerrors.Errorf("org=%q: %w",orgID,err)`

`‎coderd/database/modelmethods.go‎`

Lines changed: 9 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -170,8 +170,8 @@ func (s APIKeyScopes) Expand() (rbac.Scope, error) {`
`170`	`170`	`// Identifier is informational; not used in policy evaluation.`
`171`	`171`	`Identifier: rbac.RoleIdentifier{Name:"Scope_Multiple"},`
`172`	`172`	`Site:nil,`
`173`		`-Org:map[string][]rbac.Permission{},`
`174`	`173`	`User:nil,`
	`174`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`175`	`175`	`}`
`176`	`176`
`177`	`177`	`// Track allow list union, collapsing to wildcard if any child is wildcard.`
`@@ -186,8 +186,10 @@ func (s APIKeyScopes) Expand() (rbac.Scope, error) {`
`186`	`186`
`187`	`187`	`// Merge role permissions: union by simple concatenation.`
`188`	`188`	`merged.Site=append(merged.Site,expanded.Site...)`
`189`		`-fororgID,perms:=rangeexpanded.Org {`
`190`		`-merged.Org[orgID]=append(merged.Org[orgID],perms...)`
	`189`	`+fororgID,perms:=rangeexpanded.ByOrgID {`
	`190`	`+orgPerms:=merged.ByOrgID[orgID]`
	`191`	`+orgPerms.Org=append(orgPerms.Org,perms.Org...)`
	`192`	`+merged.ByOrgID[orgID]=orgPerms`
`191`	`193`	`}`
`192`	`194`	`merged.User=append(merged.User,expanded.User...)`
`193`	`195`
`@@ -205,10 +207,11 @@ func (s APIKeyScopes) Expand() (rbac.Scope, error) {`
`205`	`207`
`206`	`208`	`// De-duplicate permissions across Site/Org/User`
`207`	`209`	`merged.Site=rbac.DeduplicatePermissions(merged.Site)`
`208`		`-fororgID,perms:=rangemerged.Org {`
`209`		`-merged.Org[orgID]=rbac.DeduplicatePermissions(perms)`
`210`		`-}`
`211`	`210`	`merged.User=rbac.DeduplicatePermissions(merged.User)`
	`211`	`+fororgID,perms:=rangemerged.ByOrgID {`
	`212`	`+perms.Org=rbac.DeduplicatePermissions(perms.Org)`
	`213`	`+merged.ByOrgID[orgID]=perms`
	`214`	`+}`
`212`	`215`
`213`	`216`	`ifallowAll\|\|len(allowSet)==0 {`
`214`	`217`	`merged.AllowIDList= []rbac.AllowListElement{rbac.AllowListAll()}`

`‎coderd/rbac/astvalue.go‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -158,8 +158,8 @@ func (role Role) regoValue() ast.Value {`
`158`	`158`	`returnrole.cachedRegoValue`
`159`	`159`	`}`
`160`	`160`	`orgMap:=ast.NewObject()`
`161`		`-fork,p:=rangerole.Org {`
`162`		`-orgMap.Insert(ast.StringTerm(k),ast.NewTerm(regoSlice(p)))`
	`161`	`+fork,p:=rangerole.ByOrgID {`
	`162`	`+orgMap.Insert(ast.StringTerm(k),ast.NewTerm(regoSlice(p.Org)))`
`163`	`163`	`}`
`164`	`164`	`returnast.NewObject(`
`165`	`165`	`[2]*ast.Term{`

`‎coderd/rbac/authz_internal_test.go‎`

Lines changed: 26 additions & 21 deletions

Original file line number	Diff line number	Diff line change
`@@ -633,20 +633,21 @@ func TestAuthorizeDomain(t *testing.T) {`
`633`	`633`	`{`
`634`	`634`	`Identifier:RoleIdentifier{Name:"ReadOnlyOrgAndUser"},`
`635`	`635`	`Site: []Permission{},`
`636`		`-Org:map[string][]Permission{`
`637`		`-defOrg.String(): {{`
`638`		`-Negate:false,`
`639`		`-ResourceType:"*",`
`640`		`-Action:policy.ActionRead,`
`641`		`-}},`
`642`		`-},`
`643`	`636`	`User: []Permission{`
`644`	`637`	`{`
`645`	`638`	`Negate:false,`
`646`	`639`	`ResourceType:"*",`
`647`	`640`	`Action:policy.ActionRead,`
`648`	`641`	`},`
`649`	`642`	`},`
	`643`	`+ByOrgID:map[string]OrgPermissions{`
	`644`	`+defOrg.String(): {`
	`645`	`+Org: []Permission{{`
	`646`	`+Negate:false,`
	`647`	`+ResourceType:"*",`
	`648`	`+Action:policy.ActionRead,`
	`649`	`+}},`
	`650`	`+}},`
`650`	`651`	`},`
`651`	`652`	`},`
`652`	`653`	`}`
`@@ -726,12 +727,14 @@ func TestAuthorizeLevels(t *testing.T) {`
`726`	`727`	`must(RoleByName(RoleOwner())),`
`727`	`728`	`{`
`728`	`729`	`Identifier:RoleIdentifier{Name:"org-deny:",OrganizationID:defOrg},`
`729`		`-Org:map[string][]Permission{`
	`730`	`+ByOrgID:map[string]OrgPermissions{`
`730`	`731`	`defOrg.String(): {`
`731`		`-{`
`732`		`-Negate:true,`
`733`		`-ResourceType:"*",`
`734`		`-Action:"*",`
	`732`	`+Org: []Permission{`
	`733`	`+{`
	`734`	`+Negate:true,`
	`735`	`+ResourceType:"*",`
	`736`	`+Action:"*",`
	`737`	`+},`
`735`	`738`	`},`
`736`	`739`	`},`
`737`	`740`	`},`
`@@ -926,8 +929,8 @@ func TestAuthorizeScope(t *testing.T) {`
`926`	`929`	`// Only read access for workspaces.`
`927`	`930`	`ResourceWorkspace.Type: {policy.ActionRead},`
`928`	`931`	`}),`
`929`		`-Org:map[string][]Permission{},`
`930`		`-User: []Permission{},`
	`932`	`+User:[]Permission{},`
	`933`	`+ByOrgID:map[string]OrgPermissions{},`
`931`	`934`	`},`
`932`	`935`	`AllowIDList: []AllowListElement{{Type:ResourceWorkspace.Type,ID:workspaceID.String()}},`
`933`	`936`	`},`
`@@ -1015,8 +1018,8 @@ func TestAuthorizeScope(t *testing.T) {`
`1015`	`1018`	`// Only read access for workspaces.`
`1016`	`1019`	`ResourceWorkspace.Type: {policy.ActionCreate},`
`1017`	`1020`	`}),`
`1018`		`-Org:map[string][]Permission{},`
`1019`		`-User: []Permission{},`
	`1021`	`+User:[]Permission{},`
	`1022`	`+ByOrgID:map[string]OrgPermissions{},`
`1020`	`1023`	`},`
`1021`	`1024`	`// Empty string allow_list is allowed for actions like 'create'`
`1022`	`1025`	`AllowIDList: []AllowListElement{{`
`@@ -1138,14 +1141,16 @@ func TestAuthorizeScope(t *testing.T) {`
`1138`	`1141`	`},`
`1139`	`1142`	`DisplayName:"OrgAndUserScope",`
`1140`	`1143`	`Site:nil,`
`1141`		`-Org:map[string][]Permission{`
`1142`		`-defOrg.String():Permissions(map[string][]policy.Action{`
`1143`		`-ResourceWorkspace.Type: {policy.ActionRead},`
`1144`		`-}),`
`1145`		`-},`
`1146`	`1144`	`User:Permissions(map[string][]policy.Action{`
`1147`	`1145`	`ResourceUser.Type: {policy.ActionRead},`
`1148`	`1146`	`}),`
	`1147`	`+ByOrgID:map[string]OrgPermissions{`
	`1148`	`+defOrg.String(): {`
	`1149`	`+Org:Permissions(map[string][]policy.Action{`
	`1150`	`+ResourceWorkspace.Type: {policy.ActionRead},`
	`1151`	`+}),`
	`1152`	`+},`
	`1153`	`+},`
`1149`	`1154`	`},`
`1150`	`1155`	`AllowIDList: []AllowListElement{AllowListAll()},`
`1151`	`1156`	`},`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commite0848ab

File tree

14 files changed

14 files changed

`‎coderd/database/db2sdk/db2sdk.go‎`

`‎coderd/database/dbauthz/dbauthz.go‎`

`‎coderd/database/modelmethods.go‎`

`‎coderd/rbac/astvalue.go‎`

`‎coderd/rbac/authz_internal_test.go‎`

0 commit comments