NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commitfd71845

committed

Merge branch 'lilac/by-org-id' into lilac/organization-member-level

2 parentsa648977 +6585fe0 commitfd71845Copy full SHA for fd71845

File tree

14 files changed

+276

-243

lines changed

coderd
- database
  - db2sdk
    - db2sdk.go
  - dbauthz
    - dbauthz.go
  - modelmethods.go
- rbac
- workspaceapps
  - db.go
enterprise
- coderd
  - coderd_test.go
- tailnet
  - pgcoord.go

14 files changed

+276

-243

lines changed

`‎coderd/database/db2sdk/db2sdk.go‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -693,13 +693,13 @@ func SlimRoleFromName(name string) codersdk.SlimRole {`
`693`	`693`	`funcRBACRole(role rbac.Role) codersdk.Role {`
`694`	`694`	`slim:=SlimRole(role)`
`695`	`695`
`696`		`-orgPerms:=role.Org[slim.OrganizationID]`
	`696`	`+orgPerms:=role.ByOrgID[slim.OrganizationID]`
`697`	`697`	`return codersdk.Role{`
`698`	`698`	`Name:slim.Name,`
`699`	`699`	`OrganizationID:slim.OrganizationID,`
`700`	`700`	`DisplayName:slim.DisplayName,`
`701`	`701`	`SitePermissions:List(role.Site,RBACPermission),`
`702`		`-OrganizationPermissions:List(orgPerms,RBACPermission),`
	`702`	`+OrganizationPermissions:List(orgPerms.Org,RBACPermission),`
`703`	`703`	`UserPermissions:List(role.User,RBACPermission),`
`704`	`704`	`}`
`705`	`705`	`}`

`‎coderd/database/dbauthz/dbauthz.go‎`

Lines changed: 33 additions & 47 deletions

Original file line number	Diff line number	Diff line change
`@@ -232,9 +232,8 @@ var (`
`232`	`232`	`// Provisionerd creates usage events`
`233`	`233`	`rbac.ResourceUsageEvent.Type: {policy.ActionCreate},`
`234`	`234`	`}),`
`235`		`-Org:map[string][]rbac.Permission{},`
`236`		`-User: []rbac.Permission{},`
`237`		`-OrgMember:map[string][]rbac.Permission{},`
	`235`	`+User: []rbac.Permission{},`
	`236`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`238`	`237`	`},`
`239`	`238`	`}),`
`240`	`239`	`Scope:rbac.ScopeAll,`
`@@ -258,9 +257,8 @@ var (`
`258`	`257`	`rbac.ResourceWorkspace.Type: {policy.ActionDelete,policy.ActionRead,policy.ActionUpdate,policy.ActionWorkspaceStart,policy.ActionWorkspaceStop},`
`259`	`258`	`rbac.ResourceWorkspaceDormant.Type: {policy.ActionDelete,policy.ActionRead,policy.ActionUpdate,policy.ActionWorkspaceStop},`
`260`	`259`	`}),`
`261`		`-Org:map[string][]rbac.Permission{},`
`262`		`-User: []rbac.Permission{},`
`263`		`-OrgMember:map[string][]rbac.Permission{},`
	`260`	`+User: []rbac.Permission{},`
	`261`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`264`	`262`	`},`
`265`	`263`	`}),`
`266`	`264`	`Scope:rbac.ScopeAll,`
`@@ -281,9 +279,8 @@ var (`
`281`	`279`	`rbac.ResourceWorkspace.Type: {policy.ActionRead,policy.ActionUpdate},`
`282`	`280`	`rbac.ResourceProvisionerJobs.Type: {policy.ActionRead,policy.ActionUpdate},`
`283`	`281`	`}),`
`284`		`-Org:map[string][]rbac.Permission{},`
`285`		`-User: []rbac.Permission{},`
`286`		`-OrgMember:map[string][]rbac.Permission{},`
	`282`	`+User: []rbac.Permission{},`
	`283`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`287`	`284`	`},`
`288`	`285`	`}),`
`289`	`286`	`Scope:rbac.ScopeAll,`
`@@ -301,9 +298,8 @@ var (`
`301`	`298`	`Site:rbac.Permissions(map[string][]policy.Action{`
`302`	`299`	`rbac.ResourceCryptoKey.Type: {policy.WildcardSymbol},`
`303`	`300`	`}),`
`304`		`-Org:map[string][]rbac.Permission{},`
`305`		`-User: []rbac.Permission{},`
`306`		`-OrgMember:map[string][]rbac.Permission{},`
	`301`	`+User: []rbac.Permission{},`
	`302`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`307`	`303`	`},`
`308`	`304`	`}),`
`309`	`305`	`Scope:rbac.ScopeAll,`
`@@ -321,9 +317,8 @@ var (`
`321`	`317`	`Site:rbac.Permissions(map[string][]policy.Action{`
`322`	`318`	`rbac.ResourceCryptoKey.Type: {policy.WildcardSymbol},`
`323`	`319`	`}),`
`324`		`-Org:map[string][]rbac.Permission{},`
`325`		`-User: []rbac.Permission{},`
`326`		`-OrgMember:map[string][]rbac.Permission{},`
	`320`	`+User: []rbac.Permission{},`
	`321`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`327`	`322`	`},`
`328`	`323`	`}),`
`329`	`324`	`Scope:rbac.ScopeAll,`
`@@ -340,9 +335,8 @@ var (`
`340`	`335`	`Site:rbac.Permissions(map[string][]policy.Action{`
`341`	`336`	`rbac.ResourceConnectionLog.Type: {policy.ActionUpdate,policy.ActionRead},`
`342`	`337`	`}),`
`343`		`-Org:map[string][]rbac.Permission{},`
`344`		`-User: []rbac.Permission{},`
`345`		`-OrgMember:map[string][]rbac.Permission{},`
	`338`	`+User: []rbac.Permission{},`
	`339`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`346`	`340`	`},`
`347`	`341`	`}),`
`348`	`342`	`Scope:rbac.ScopeAll,`
`@@ -362,9 +356,8 @@ var (`
`362`	`356`	`rbac.ResourceWebpushSubscription.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},`
`363`	`357`	`rbac.ResourceDeploymentConfig.Type: {policy.ActionRead,policy.ActionUpdate},// To read and upsert VAPID keys`
`364`	`358`	`}),`
`365`		`-Org:map[string][]rbac.Permission{},`
`366`		`-User: []rbac.Permission{},`
`367`		`-OrgMember:map[string][]rbac.Permission{},`
	`359`	`+User: []rbac.Permission{},`
	`360`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`368`	`361`	`},`
`369`	`362`	`}),`
`370`	`363`	`Scope:rbac.ScopeAll,`
`@@ -382,9 +375,8 @@ var (`
`382`	`375`	`// The workspace monitor needs to be able to update monitors`
`383`	`376`	`rbac.ResourceWorkspaceAgentResourceMonitor.Type: {policy.ActionUpdate},`
`384`	`377`	`}),`
`385`		`-Org:map[string][]rbac.Permission{},`
`386`		`-User: []rbac.Permission{},`
`387`		`-OrgMember:map[string][]rbac.Permission{},`
	`378`	`+User: []rbac.Permission{},`
	`379`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`388`	`380`	`},`
`389`	`381`	`}),`
`390`	`382`	`Scope:rbac.ScopeAll,`
`@@ -400,13 +392,12 @@ var (`
`400`	`392`	`Identifier: rbac.RoleIdentifier{Name:"subagentapi"},`
`401`	`393`	`DisplayName:"Sub Agent API",`
`402`	`394`	`Site: []rbac.Permission{},`
`403`		`-Org:map[string][]rbac.Permission{`
`404`		`-orgID.String(): {},`
`405`		`-},`
`406`	`395`	`User:rbac.Permissions(map[string][]policy.Action{`
`407`	`396`	`rbac.ResourceWorkspace.Type: {policy.ActionRead,policy.ActionUpdate,policy.ActionCreateAgent,policy.ActionDeleteAgent},`
`408`	`397`	`}),`
`409`		`-OrgMember:map[string][]rbac.Permission{},`
	`398`	`+ByOrgID:map[string]rbac.OrgPermissions{`
	`399`	`+orgID.String(): {},`
	`400`	`+},`
`410`	`401`	`},`
`411`	`402`	`}),`
`412`	`403`	`Scope:rbac.ScopeAll,`
`@@ -445,9 +436,8 @@ var (`
`445`	`436`	`rbac.ResourceOauth2App.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},`
`446`	`437`	`rbac.ResourceOauth2AppSecret.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate,policy.ActionDelete},`
`447`	`438`	`}),`
`448`		`-Org:map[string][]rbac.Permission{},`
`449`		`-User: []rbac.Permission{},`
`450`		`-OrgMember:map[string][]rbac.Permission{},`
	`439`	`+User: []rbac.Permission{},`
	`440`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`451`	`441`	`},`
`452`	`442`	`}),`
`453`	`443`	`Scope:rbac.ScopeAll,`
`@@ -464,9 +454,8 @@ var (`
`464`	`454`	`Site:rbac.Permissions(map[string][]policy.Action{`
`465`	`455`	`rbac.ResourceProvisionerDaemon.Type: {policy.ActionRead},`
`466`	`456`	`}),`
`467`		`-Org:map[string][]rbac.Permission{},`
`468`		`-User: []rbac.Permission{},`
`469`		`-OrgMember:map[string][]rbac.Permission{},`
	`457`	`+User: []rbac.Permission{},`
	`458`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`470`	`459`	`},`
`471`	`460`	`}),`
`472`	`461`	`Scope:rbac.ScopeAll,`
`@@ -542,9 +531,8 @@ var (`
`542`	`531`	`Site:rbac.Permissions(map[string][]policy.Action{`
`543`	`532`	`rbac.ResourceFile.Type: {policy.ActionRead},`
`544`	`533`	`}),`
`545`		`-Org:map[string][]rbac.Permission{},`
`546`		`-User: []rbac.Permission{},`
`547`		`-OrgMember:map[string][]rbac.Permission{},`
	`534`	`+User: []rbac.Permission{},`
	`535`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`548`	`536`	`},`
`549`	`537`	`}),`
`550`	`538`	`Scope:rbac.ScopeAll,`
`@@ -564,9 +552,8 @@ var (`
`564`	`552`	`// reads/processes them.`
`565`	`553`	`rbac.ResourceUsageEvent.Type: {policy.ActionRead,policy.ActionUpdate},`
`566`	`554`	`}),`
`567`		`-Org:map[string][]rbac.Permission{},`
`568`		`-User: []rbac.Permission{},`
`569`		`-OrgMember:map[string][]rbac.Permission{},`
	`555`	`+User: []rbac.Permission{},`
	`556`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`570`	`557`	`},`
`571`	`558`	`}),`
`572`	`559`	`Scope:rbac.ScopeAll,`
`@@ -589,9 +576,8 @@ var (`
`589`	`576`	`rbac.ResourceApiKey.Type: {policy.ActionRead},// Validate API keys.`
`590`	`577`	`rbac.ResourceAibridgeInterception.Type: {policy.ActionCreate,policy.ActionRead,policy.ActionUpdate},`
`591`	`578`	`}),`
`592`		`-Org:map[string][]rbac.Permission{},`
`593`		`-User: []rbac.Permission{},`
`594`		`-OrgMember:map[string][]rbac.Permission{},`
	`579`	`+User: []rbac.Permission{},`
	`580`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`595`	`581`	`},`
`596`	`582`	`}),`
`597`	`583`	`Scope:rbac.ScopeAll,`
`@@ -1267,13 +1253,13 @@ func (q *querier) customRoleCheck(ctx context.Context, role database.CustomRole)`
`1267`	`1253`	`returnxerrors.Errorf("invalid role: %w",err)`
`1268`	`1254`	`}`
`1269`	`1255`
`1270`		`-iflen(rbacRole.Org)>0&&len(rbacRole.Site)>0 {`
	`1256`	`+iflen(rbacRole.ByOrgID)>0&&len(rbacRole.Site)>0 {`
`1271`	`1257`	`// This is a choice to keep roles simple. If we allow mixing site and org scoped perms, then knowing who can`
`1272`	`1258`	`// do what gets more complicated.`
`1273`	`1259`	`returnxerrors.Errorf("invalid custom role, cannot assign both org and site permissions at the same time")`
`1274`	`1260`	`}`
`1275`	`1261`
`1276`		`-iflen(rbacRole.Org)>1 {`
	`1262`	`+iflen(rbacRole.ByOrgID)>1 {`
`1277`	`1263`	`// Again to avoid more complexity in our roles`
`1278`	`1264`	`returnxerrors.Errorf("invalid custom role, cannot assign permissions to more than 1 org at a time")`
`1279`	`1265`	`}`
`@@ -1286,8 +1272,8 @@ func (q *querier) customRoleCheck(ctx context.Context, role database.CustomRole)`
`1286`	`1272`	`}`
`1287`	`1273`	`}`
`1288`	`1274`
`1289`		`-fororgID,perms:=rangerbacRole.Org {`
`1290`		`-for_,orgPerm:=rangeperms {`
	`1275`	`+fororgID,perms:=rangerbacRole.ByOrgID {`
	`1276`	`+for_,orgPerm:=rangeperms.Org {`
`1291`	`1277`	`err:=q.customRoleEscalationCheck(ctx,act,orgPerm, rbac.Object{OrgID:orgID,Type:orgPerm.ResourceType})`
`1292`	`1278`	`iferr!=nil {`
`1293`	`1279`	`returnxerrors.Errorf("org=%q: %w",orgID,err)`

`‎coderd/database/modelmethods.go‎`

Lines changed: 9 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -170,9 +170,8 @@ func (s APIKeyScopes) Expand() (rbac.Scope, error) {`
`170`	`170`	`// Identifier is informational; not used in policy evaluation.`
`171`	`171`	`Identifier: rbac.RoleIdentifier{Name:"Scope_Multiple"},`
`172`	`172`	`Site:nil,`
`173`		`-Org:map[string][]rbac.Permission{},`
`174`	`173`	`User:nil,`
`175`		`-OrgMember:nil,`
	`174`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
`176`	`175`	`}`
`177`	`176`
`178`	`177`	`// Track allow list union, collapsing to wildcard if any child is wildcard.`
`@@ -187,8 +186,10 @@ func (s APIKeyScopes) Expand() (rbac.Scope, error) {`
`187`	`186`
`188`	`187`	`// Merge role permissions: union by simple concatenation.`
`189`	`188`	`merged.Site=append(merged.Site,expanded.Site...)`
`190`		`-fororgID,perms:=rangeexpanded.Org {`
`191`		`-merged.Org[orgID]=append(merged.Org[orgID],perms...)`
	`189`	`+fororgID,perms:=rangeexpanded.ByOrgID {`
	`190`	`+orgPerms:=merged.ByOrgID[orgID]`
	`191`	`+orgPerms.Org=append(orgPerms.Org,perms.Org...)`
	`192`	`+merged.ByOrgID[orgID]=orgPerms`
`192`	`193`	`}`
`193`	`194`	`merged.User=append(merged.User,expanded.User...)`
`194`	`195`
`@@ -206,10 +207,11 @@ func (s APIKeyScopes) Expand() (rbac.Scope, error) {`
`206`	`207`
`207`	`208`	`// De-duplicate permissions across Site/Org/User`
`208`	`209`	`merged.Site=rbac.DeduplicatePermissions(merged.Site)`
`209`		`-fororgID,perms:=rangemerged.Org {`
`210`		`-merged.Org[orgID]=rbac.DeduplicatePermissions(perms)`
`211`		`-}`
`212`	`210`	`merged.User=rbac.DeduplicatePermissions(merged.User)`
	`211`	`+fororgID,perms:=rangemerged.ByOrgID {`
	`212`	`+perms.Org=rbac.DeduplicatePermissions(perms.Org)`
	`213`	`+merged.ByOrgID[orgID]=perms`
	`214`	`+}`
`213`	`215`
`214`	`216`	`ifallowAll\|\|len(allowSet)==0 {`
`215`	`217`	`merged.AllowIDList= []rbac.AllowListElement{rbac.AllowListAll()}`

`‎coderd/rbac/astvalue.go‎`

Lines changed: 16 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -157,9 +157,20 @@ func (role Role) regoValue() ast.Value {`
`157`	`157`	`ifrole.cachedRegoValue!=nil {`
`158`	`158`	`returnrole.cachedRegoValue`
`159`	`159`	`}`
`160`		`-orgMap:=ast.NewObject()`
`161`		`-fork,p:=rangerole.Org {`
`162`		`-orgMap.Insert(ast.StringTerm(k),ast.NewTerm(regoSlice(p)))`
	`160`	`+byOrgIDMap:=ast.NewObject()`
	`161`	`+fork,p:=rangerole.ByOrgID {`
	`162`	`+byOrgIDMap.Insert(ast.StringTerm(k),ast.NewTerm(`
	`163`	`+ast.NewObject(`
	`164`	`+[2]*ast.Term{`
	`165`	`+ast.StringTerm("org"),`
	`166`	`+ast.NewTerm(regoSlice(p.Org)),`
	`167`	`+},`
	`168`	`+[2]*ast.Term{`
	`169`	`+ast.StringTerm("member"),`
	`170`	`+ast.NewTerm(regoSlice(p.Member)),`
	`171`	`+},`
	`172`	`+),`
	`173`	`+))`
`163`	`174`	`}`
`164`	`175`	`orgMemberMap:=ast.NewObject()`
`165`	`176`	`fork,p:=rangerole.OrgMember {`
`@@ -170,17 +181,13 @@ func (role Role) regoValue() ast.Value {`
`170`	`181`	`ast.StringTerm("site"),`
`171`	`182`	`ast.NewTerm(regoSlice(role.Site)),`
`172`	`183`	`},`
`173`		`-[2]*ast.Term{`
`174`		`-ast.StringTerm("org"),`
`175`		`-ast.NewTerm(orgMap),`
`176`		`-},`
`177`	`184`	`[2]*ast.Term{`
`178`	`185`	`ast.StringTerm("user"),`
`179`	`186`	`ast.NewTerm(regoSlice(role.User)),`
`180`	`187`	`},`
`181`	`188`	`[2]*ast.Term{`
`182`		`-ast.StringTerm("org_member"),`
`183`		`-ast.NewTerm(orgMemberMap),`
	`189`	`+ast.StringTerm("by_org_id"),`
	`190`	`+ast.NewTerm(byOrgIDMap),`
`184`	`191`	`},`
`185`	`192`	`)`
`186`	`193`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitfd71845

File tree

14 files changed

14 files changed

`‎coderd/database/db2sdk/db2sdk.go‎`

`‎coderd/database/dbauthz/dbauthz.go‎`

`‎coderd/database/modelmethods.go‎`

`‎coderd/rbac/astvalue.go‎`

0 commit comments