Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

chore: implement 'use' verb to template object,read has less scope now#16075

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
Emyrk merged 14 commits intomainfromstevenmasley/use_template
Jan 17, 2025

Conversation

Emyrk
Copy link
Member

@EmyrkEmyrk commentedJan 8, 2025
edited
Loading

Closes#15891

Templateuse is now a verb.

  • Template admins canuse all templates (org template admins same in org)
  • Members get theuse perm from theeveryone group in thegroup_acl.

use.template permission is now checkedwhen creating a workspace. If you already have a workspace, you are able to start/stop/delete/etc the workspace even withoutuse.template.

})

// Auditors cannot "use" templates, they can only read them.
t.Run("Auditor",func(t*testing.T) {
Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

This passes without an error onmain. Now auditors get a 403 Forbidden if they do not haveuse perms from somewhere else

spikecurtis reacted with thumbs up emoji
@EmyrkEmyrk marked this pull request as ready for reviewJanuary 9, 2025 17:56
Comment on lines +699 to +707
funcTemplateRoleActions(role codersdk.TemplateRole) []policy.Action {
switchrole {
casecodersdk.TemplateRoleAdmin:
return []policy.Action{policy.WildcardSymbol}
casecodersdk.TemplateRoleUse:
return []policy.Action{policy.ActionRead,policy.ActionUse}
}
return []policy.Action{}
}
Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I wanted to place this incodersdk, but then I'd have to importpolicy. And we already havecodersdk.RBACAction.

TemplateRole should probably be a database enum. At present it only exists incodersdk.

-- Instead of trying to write a complicated SQL query to update the JSONB
-- object, a string replace is much simpler and easier to understand.
-- Both pieces of text are JSON arrays, so this safe to do.
group_acl= replace(group_acl::text,'["read"]','["read", "use"]')::jsonb,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Is it possible to have ACLs like["read", "update"] in this list? Wouldn't those need to be updated?

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

No it is not. The only values a user can pass in is in this enum list:
https://github.com/coder/coder/blob/main/codersdk/templates.go#L169-L176

Theadmin role sets['*']. So we only have 2 cases in the database today

@Emyrk
Copy link
MemberAuthor

This feels very fragile. This seems to be the only prod code path that creates a workspace, but there isn't anything enforcing this. If we add a new API endpoint, or if some other existing action can lead to a workspace being created, we could forget this check.

The db.InsertWorkspace call includes the template in its parameters, so we should be able to move this check to the dbauth layer where it is harder to accidentally omit.

Thedb.InsertWorkspace does require an extra db call to fetch the template again, but we do that in other places. I'll add theuse check indb.InsertWorkspace.

I am also keeping the check in the api call to fail fast if the permission is missing. Not having to do all the build work if it will inevitably fail.

Comment on lines +3161 to +3171
tpl,err:=q.GetTemplateByID(ctx,arg.TemplateID)
iferr!=nil {
return database.WorkspaceTable{},xerrors.Errorf("verify template by id: %w",err)
}
Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

This does check the templateread perm again, but we cache all authz requests perctx. So this check is going to be a cache lookup assuming it came from a normal code path.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Do we cache the resources themselves, or just the authz decisions?

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

We only cache the authz decisions. The template fetch will happen again unfortunately (from a performance POV).

@EmyrkEmyrkforce-pushed thestevenmasley/use_template branch fromffee414 to36d329cCompareJanuary 13, 2025 12:44
Copy link
Contributor

@spikecurtisspikecurtis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

LGTM

Comment on lines +3161 to +3171
tpl,err:=q.GetTemplateByID(ctx,arg.TemplateID)
iferr!=nil {
return database.WorkspaceTable{},xerrors.Errorf("verify template by id: %w",err)
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Do we cache the resources themselves, or just the authz decisions?

@EmyrkEmyrk changed the titlechore: add 'use' verb to template objectchore: implement 'use' verb to template object,read has less scope nowJan 17, 2025
@EmyrkEmyrk merged commitf34e6fd intomainJan 17, 2025
35 of 37 checks passed
@EmyrkEmyrk deleted the stevenmasley/use_template branchJanuary 17, 2025 17:55
@github-actionsgithub-actionsbot locked and limited conversation to collaboratorsJan 17, 2025
Sign up for freeto subscribe to this conversation on GitHub. Already have an account?Sign in.

Reviewers

@spikecurtisspikecurtisspikecurtis approved these changes

Assignees

@EmyrkEmyrk

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Auditor Role is able to read all templates, meaning they can create a workspace from any template

2 participants

@Emyrk@spikecurtis
[8]ページ先頭
©2009-2025 Movatter.jp