NotificationsYou must be signed in to change notification settings
Fork1k
Star11.2k

Commitf34e6fd

authored

chore: implement 'use' verb to template object,read has less scope now (#16075)

Template `use` is now a verb.- Template admins can `use` all templates (org template admins same inorg)- Members get the `use` perm from the `everyone` group in the`group_acl`.

1 parent3217cb8 commitf34e6fdCopy full SHA for f34e6fd

File tree

17 files changed

+128

-28

lines changed

coderd
- database
  - db2sdk
    - db2sdk.go
  - dbauthz
    - dbauthz.go
    - dbauthz_test.go
  - dbgen
    - dbgen.go
  - migrations
    - 000287_template_read_to_use.down.sql
    - 000287_template_read_to_use.up.sql
- insights_test.go
- rbac
  - object_gen.go
  - policy
    - policy.go
  - roles.go
  - roles_test.go
- templates.go
- workspaces.go
codersdk
- rbacresources_gen.go
enterprise/coderd
- templates.go
- workspaces_test.go
site/src/api
- rbacresourcesGenerated.ts

17 files changed

+128

-28

lines changed

`‎coderd/database/db2sdk/db2sdk.go‎`

Lines changed: 11 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@ import (`
`17`	`17`
`18`	`18`	`"github.com/coder/coder/v2/coderd/database"`
`19`	`19`	`"github.com/coder/coder/v2/coderd/rbac"`
	`20`	`+"github.com/coder/coder/v2/coderd/rbac/policy"`
`20`	`21`	`"github.com/coder/coder/v2/coderd/render"`
`21`	`22`	`"github.com/coder/coder/v2/coderd/workspaceapps/appurl"`
`22`	`23`	`"github.com/coder/coder/v2/codersdk"`
`@@ -694,3 +695,13 @@ func MatchedProvisioners(provisionerDaemons []database.ProvisionerDaemon, now ti`
`694`	`695`	`}`
`695`	`696`	`returnmatched`
`696`	`697`	`}`
	`698`	`+`
	`699`	`+funcTemplateRoleActions(role codersdk.TemplateRole) []policy.Action {`
	`700`	`+switchrole {`
	`701`	`+casecodersdk.TemplateRoleAdmin:`
	`702`	`+return []policy.Action{policy.WildcardSymbol}`
	`703`	`+casecodersdk.TemplateRoleUse:`
	`704`	`+return []policy.Action{policy.ActionRead,policy.ActionUse}`
	`705`	`+}`
	`706`	`+return []policy.Action{}`
	`707`	`+}`

`‎coderd/database/dbauthz/dbauthz.go‎`

Lines changed: 8 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -3169,6 +3169,14 @@ func (q *querier) InsertUserLink(ctx context.Context, arg database.InsertUserLin`
`3169`	`3169`
`3170`	`3170`	`func (q*querier)InsertWorkspace(ctx context.Context,arg database.InsertWorkspaceParams) (database.WorkspaceTable,error) {`
`3171`	`3171`	`obj:=rbac.ResourceWorkspace.WithOwner(arg.OwnerID.String()).InOrg(arg.OrganizationID)`
	`3172`	`+tpl,err:=q.GetTemplateByID(ctx,arg.TemplateID)`
	`3173`	`+iferr!=nil {`
	`3174`	`+return database.WorkspaceTable{},xerrors.Errorf("verify template by id: %w",err)`
	`3175`	`+}`
	`3176`	`+iferr:=q.authorizeContext(ctx,policy.ActionUse,tpl);err!=nil {`
	`3177`	`+return database.WorkspaceTable{},xerrors.Errorf("use template for workspace: %w",err)`
	`3178`	`+}`
	`3179`	`+`
`3172`	`3180`	`returninsert(q.log,q.auth,obj,q.db.InsertWorkspace)(ctx,arg)`
`3173`	`3181`	`}`
`3174`	`3182`

`‎coderd/database/dbauthz/dbauthz_test.go‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -2459,7 +2459,7 @@ func (s *MethodTestSuite) TestWorkspace() {`
`2459`	`2459`	`OrganizationID:o.ID,`
`2460`	`2460`	`AutomaticUpdates:database.AutomaticUpdatesNever,`
`2461`	`2461`	`TemplateID:tpl.ID,`
`2462`		`-}).Asserts(rbac.ResourceWorkspace.WithOwner(u.ID.String()).InOrg(o.ID),policy.ActionCreate)`
	`2462`	`+}).Asserts(tpl,policy.ActionRead,tpl,policy.ActionUse,rbac.ResourceWorkspace.WithOwner(u.ID.String()).InOrg(o.ID),policy.ActionCreate)`
`2463`	`2463`	`}))`
`2464`	`2464`	`s.Run("Start/InsertWorkspaceBuild",s.Subtest(func(db database.Store,check*expects) {`
`2465`	`2465`	`u:=dbgen.User(s.T(),db, database.User{})`

`‎coderd/database/dbgen/dbgen.go‎`

Lines changed: 3 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -20,12 +20,13 @@ import (`
`20`	`20`	`"golang.org/x/xerrors"`
`21`	`21`
`22`	`22`	`"github.com/coder/coder/v2/coderd/database"`
	`23`	`+"github.com/coder/coder/v2/coderd/database/db2sdk"`
`23`	`24`	`"github.com/coder/coder/v2/coderd/database/dbauthz"`
`24`	`25`	`"github.com/coder/coder/v2/coderd/database/dbtime"`
`25`	`26`	`"github.com/coder/coder/v2/coderd/database/provisionerjobs"`
`26`	`27`	`"github.com/coder/coder/v2/coderd/database/pubsub"`
`27`	`28`	`"github.com/coder/coder/v2/coderd/rbac"`
`28`		`-"github.com/coder/coder/v2/coderd/rbac/policy"`
	`29`	`+"github.com/coder/coder/v2/codersdk"`
`29`	`30`	`"github.com/coder/coder/v2/cryptorand"`
`30`	`31`	`"github.com/coder/coder/v2/testutil"`
`31`	`32`	`)`
`@@ -75,7 +76,7 @@ func Template(t testing.TB, db database.Store, seed database.Template) database.`
`75`	`76`	`ifseed.GroupACL==nil {`
`76`	`77`	`// By default, all users in the organization can read the template.`
`77`	`78`	`seed.GroupACL= database.TemplateACL{`
`78`		`-seed.OrganizationID.String():[]policy.Action{policy.ActionRead},`
	`79`	`+seed.OrganizationID.String():db2sdk.TemplateRoleActions(codersdk.TemplateRoleUse),`
`79`	`80`	`}`
`80`	`81`	`}`
`81`	`82`	`ifseed.UserACL==nil {`

`‎coderd/database/migrations/000287_template_read_to_use.down.sql‎`

Lines changed: 5 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,5 @@`
	`1`	`+UPDATE`
	`2`	`+templates`
	`3`	`+SET`
	`4`	`+group_acl= replace(group_acl::text,'["read", "use"]','["read"]')::jsonb,`
	`5`	`+user_acl= replace(user_acl::text,'["read", "use"]','["read"]')::jsonb`

`‎coderd/database/migrations/000287_template_read_to_use.up.sql‎`

Lines changed: 12 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,12 @@`
	`1`	`+-- With the "use" verb now existing for templates, we need to update the acl's to`
	`2`	`+-- include "use" where the permissions set ["read"] is present.`
	`3`	`+-- The other permission set is ["*"] which is unaffected.`
	`4`	`+`
	`5`	`+UPDATE`
	`6`	`+templates`
	`7`	`+SET`
	`8`	`+-- Instead of trying to write a complicated SQL query to update the JSONB`
	`9`	`+-- object, a string replace is much simpler and easier to understand.`
	`10`	`+-- Both pieces of text are JSON arrays, so this safe to do.`
	`11`	`+group_acl= replace(group_acl::text,'["read"]','["read", "use"]')::jsonb,`
	`12`	`+user_acl= replace(user_acl::text,'["read"]','["read", "use"]')::jsonb`

`‎coderd/insights_test.go‎`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -23,12 +23,12 @@ import (`
`23`	`23`	`agentproto"github.com/coder/coder/v2/agent/proto"`
`24`	`24`	`"github.com/coder/coder/v2/coderd/coderdtest"`
`25`	`25`	`"github.com/coder/coder/v2/coderd/database"`
	`26`	`+"github.com/coder/coder/v2/coderd/database/db2sdk"`
`26`	`27`	`"github.com/coder/coder/v2/coderd/database/dbauthz"`
`27`	`28`	`"github.com/coder/coder/v2/coderd/database/dbgen"`
`28`	`29`	`"github.com/coder/coder/v2/coderd/database/dbrollup"`
`29`	`30`	`"github.com/coder/coder/v2/coderd/database/dbtestutil"`
`30`	`31`	`"github.com/coder/coder/v2/coderd/rbac"`
`31`		`-"github.com/coder/coder/v2/coderd/rbac/policy"`
`32`	`32`	`"github.com/coder/coder/v2/coderd/workspaceapps"`
`33`	`33`	`"github.com/coder/coder/v2/coderd/workspacestats"`
`34`	`34`	`"github.com/coder/coder/v2/codersdk"`
`@@ -675,7 +675,7 @@ func TestTemplateInsights_Golden(t *testing.T) {`
`675`	`675`	`OrganizationID:firstUser.OrganizationID,`
`676`	`676`	`CreatedBy:firstUser.UserID,`
`677`	`677`	`GroupACL: database.TemplateACL{`
`678`		`-firstUser.OrganizationID.String():[]policy.Action{policy.ActionRead},`
	`678`	`+firstUser.OrganizationID.String():db2sdk.TemplateRoleActions(codersdk.TemplateRoleUse),`
`679`	`679`	`},`
`680`	`680`	`})`
`681`	`681`	`err:=db.UpdateTemplateVersionByID(context.Background(), database.UpdateTemplateVersionByIDParams{`
`@@ -1573,7 +1573,7 @@ func TestUserActivityInsights_Golden(t *testing.T) {`
`1573`	`1573`	`OrganizationID:firstUser.OrganizationID,`
`1574`	`1574`	`CreatedBy:firstUser.UserID,`
`1575`	`1575`	`GroupACL: database.TemplateACL{`
`1576`		`-firstUser.OrganizationID.String():[]policy.Action{policy.ActionRead},`
	`1576`	`+firstUser.OrganizationID.String():db2sdk.TemplateRoleActions(codersdk.TemplateRoleUse),`
`1577`	`1577`	`},`
`1578`	`1578`	`})`
`1579`	`1579`	`err:=db.UpdateTemplateVersionByID(context.Background(), database.UpdateTemplateVersionByIDParams{`

`‎coderd/rbac/object_gen.go‎`

Lines changed: 1 addition & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/rbac/policy/policy.go‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -133,8 +133,8 @@ var RBACPermissions = map[string]PermissionDefinition{`
`133`	`133`	`},`
`134`	`134`	`"template": {`
`135`	`135`	`Actions:map[Action]ActionDefinition{`
`136`		`-ActionCreate:actDef("create a template"),`
`137`		`-// TODO: Create ausepermission maybe?`
	`136`	`+ActionCreate:actDef("create a template"),`
	`137`	`+ActionUse:actDef("usethe template to initially create a workspace, then workspace lifecycle permissions take over"),`
`138`	`138`	`ActionRead:actDef("read template"),`
`139`	`139`	`ActionUpdate:actDef("update a template"),`
`140`	`140`	`ActionDelete:actDef("delete a template"),`

`‎coderd/rbac/roles.go‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -318,7 +318,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {`
`318`	`318`	`Identifier:RoleTemplateAdmin(),`
`319`	`319`	`DisplayName:"Template Admin",`
`320`	`320`	`Site:Permissions(map[string][]policy.Action{`
`321`		`-ResourceTemplate.Type:{policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete,policy.ActionViewInsights},`
	`321`	`+ResourceTemplate.Type:ResourceTemplate.AvailableActions(),`
`322`	`322`	`// CRUD all files, even those they did not upload.`
`323`	`323`	`ResourceFile.Type: {policy.ActionCreate,policy.ActionRead},`
`324`	`324`	`ResourceWorkspace.Type: {policy.ActionRead},`
`@@ -476,7 +476,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {`
`476`	`476`	`Site: []Permission{},`
`477`	`477`	`Org:map[string][]Permission{`
`478`	`478`	`organizationID.String():Permissions(map[string][]policy.Action{`
`479`		`-ResourceTemplate.Type:{policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete,policy.ActionViewInsights},`
	`479`	`+ResourceTemplate.Type:ResourceTemplate.AvailableActions(),`
`480`	`480`	`ResourceFile.Type: {policy.ActionCreate,policy.ActionRead},`
`481`	`481`	`ResourceWorkspace.Type: {policy.ActionRead},`
`482`	`482`	`// Assigning template perms requires this permission.`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitf34e6fd

File tree

17 files changed

17 files changed

`‎coderd/database/db2sdk/db2sdk.go‎`

`‎coderd/database/dbauthz/dbauthz.go‎`

`‎coderd/database/dbauthz/dbauthz_test.go‎`

`‎coderd/database/dbgen/dbgen.go‎`

`‎coderd/database/migrations/000287_template_read_to_use.down.sql‎`

`‎coderd/database/migrations/000287_template_read_to_use.up.sql‎`

`‎coderd/insights_test.go‎`

`‎coderd/rbac/object_gen.go‎`

`‎coderd/rbac/policy/policy.go‎`

`‎coderd/rbac/roles.go‎`

0 commit comments