feat: add prebuilt_workspace type and embed behavior to rego policy #18079

Closed
Emyrk wants to merge 3 commits into main from stevenmasley/prebuild_policy
Closed
33 changes: 33 additions & 0 deletionscoderd/rbac/authz_internal_test.go
Expand Up@@ -712,6 +712,39 @@ func TestAuthorizeDomain(t *testing.T) {

{resource: ResourceWorkspace.WithOwner("not-me")},
}))

// Prebuild
prebuildUserID := uuid.MustParse("c42fdf75-3097-471c-8c33-fb52454d81c0").String()
prebuilder := Subject{
ID: prebuildUserID,
Scope: must(ExpandScope(ScopeAll)),
Roles: Roles{
{
Identifier: RoleIdentifier{Name: "Prebuilder"},
Site: []Permission{},
Org: map[string][]Permission{
defOrg.String(): Permissions(map[string][]policy.Action{
ResourcePrebuiltWorkspace.Type: ResourcePrebuiltWorkspace.AvailableActions(),
}),
},
User: []Permission{},
},
},
}

testAuthorize(t, "AllWorkspaceActions", prebuilder,
cases(func(c authTestCase) authTestCase {
c.actions = ResourceWorkspace.AvailableActions()
return c
}, []authTestCase{
// Prebuilder cannot access all workspaces
{allow: false, resource: ResourceWorkspace.InOrg(defOrg).WithOwner(user.ID)},
// They can access their workspaces because of the prebuild user ID
{allow: true, resource: ResourceWorkspace.InOrg(defOrg).WithOwner(prebuildUserID)},
// Also the prebuild type, although this should never be used directly.
{allow: true, resource: ResourcePrebuiltWorkspace.InOrg(defOrg).WithOwner(prebuildUserID)},
}),
)
}

// TestAuthorizeLevels ensures level overrides are acting appropriately
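Review bot: The new cases assert only the allow side of the prebuild path: the Prebuilder role carries `prebuilt_workspace` permissions for `defOrg` alone (its `Org` map), yet no case checks a prebuild-owned workspace in another org, and no case checks a subject without that role acting on a workspace owned by `prebuildUserID`, which is exactly where the policy's merged per-type evaluation can differ from the plain workspace check. Adding `{allow: false, resource: ResourceWorkspace.InOrg(<other org id>).WithOwner(prebuildUserID)}` and a second `testAuthorize` call for a regular member against the prebuild-owned resource would pin both sides. The literal owner ID `c42fdf75-3097-471c-8c33-fb52454d81c0` must stay equal to the one hard-coded in the policy's `is_prebuild_workspace` rule; if the codebase exports that system user ID as a constant, referencing it here (or at least a comment such as `// must match is_prebuild_workspace in policy.rego`) prevents silent drift. `TestAuthorizeDomain` begins outside this hunk.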
127 changes: 93 additions & 34 deletionscoderd/rbac/input.json
@@ -1,46 +1,105 @@
{
"action": "never-match-action",
"object": {
"id": "9046b041-58ed-47a3-9c3a-de302577875a",
"owner": "00000000-0000-0000-0000-000000000000",
"org_owner": "bf7b72bd-a2b1-4ef2-962c-1d698e0483f6",
"type": "workspace",
"acl_user_list": {
"f041847d-711b-40da-a89a-ede39f70dc7f": ["create"]
},
"acl_group_list": {}
"action":"create",
"object":{
"id":"",
"owner":"c42fdf75-3097-471c-8c33-fb52454d81c0",
"org_owner":"915066be-d016-4993-9f16-fe40b083ab98",
"any_org":false,
"type":"workspace",
"acl_user_list":null,
"acl_group_list":null
},
"subject":{
"id": "10d03e62-7703-4df5-a358-4f76577d4e2f",
"roles":[
"subject":{
"id":"c42fdf75-3097-471c-8c33-fb52454d81c0",
"roles":[
{
"name": "owner",
"display_name": "Owner",
"site": [
{
"negate": false,
"resource_type": "*",
"action": "*"
}
"name":"Prebuilder",
"display_name":"",
"site":[

],
"org": {},
"user": []
"org":{
"915066be-d016-4993-9f16-fe40b083ab98":[
{
"negate":false,
"resource_type":"prebuilt_workspace",
"action":"read"
},
{
"negate":false,
"resource_type":"prebuilt_workspace",
"action":"update"
},
{
"negate":false,
"resource_type":"prebuilt_workspace",
"action":"delete"
},
{
"negate":false,
"resource_type":"prebuilt_workspace",
"action":"start"
},
{
"negate":false,
"resource_type":"prebuilt_workspace",
"action":"ssh"
},
{
"negate":false,
"resource_type":"prebuilt_workspace",
"action":"application_connect"
},
{
"negate":false,
"resource_type":"prebuilt_workspace",
"action":"stop"
},
{
"negate":false,
"resource_type":"prebuilt_workspace",
"action":"create_agent"
},
{
"negate":false,
"resource_type":"prebuilt_workspace",
"action":"delete_agent"
},
{
"negate":false,
"resource_type":"prebuilt_workspace",
"action":"create"
}
]
},
"user":[

]
}
],
"groups": ["b617a647-b5d0-4cbe-9e40-26f89710bf18"],
"scope": {
"name": "Scope_all",
"display_name": "All operations",
"site": [
"groups":null,
"scope":{
"name":{
"Name":"Scope_all",
"OrganizationID":"00000000-0000-0000-0000-000000000000"
},
"display_name":"All operations",
"site":[
{
"negate":false,
"resource_type":"*",
"action":"*"
"negate":false,
"resource_type":"*",
"action":"*"
}
],
"org": {},
"user": [],
"allow_list": ["*"]
"org":{

},
"user":[

],
"allow_list":[
"*"
]
}
}
}
17 changes: 17 additions & 0 deletionscoderd/rbac/object_gen.go

107 changes: 91 additions & 16 deletionscoderd/rbac/policy.rego
Expand Up@@ -61,24 +61,55 @@ number(set) := c if {
c := 1
}


prebuild_workspace_type := "prebuilt_workspace"
default_object_set := [input.object.type, "*"]
is_prebuild_workspace if {
input.object.type = "workspace"
input.object.owner = "c42fdf75-3097-471c-8c33-fb52454d81c0"
}

# site, org, and user rules are all similar. Each rule should return a number
# from [-1, 1]. The number corresponds to "negative", "abstain", and "positive"
# for the given level. See the 'allow' rules for how these numbers are used.
default site := 0

site := site_allow(input.subject.roles)
site := num if {
not is_prebuild_workspace
num := site_allow(input.subject.roles, default_object_set)
}

site := num if {
is_prebuild_workspace
num := number([
site_allow(input.subject.roles, default_object_set),
site_allow(input.subject.roles, [prebuild_workspace_type])
])
}

default scope_site := 0

scope_site := site_allow([input.subject.scope])

site_allow(roles) := num if {
scope_site := num if {
not is_prebuild_workspace
num := site_allow(input.subject.scope, default_object_set)
}

scope_site := num if {
is_prebuild_workspace
num := number([
site_allow(input.subject.scope, default_object_set),
site_allow(input.subject.scope, [prebuild_workspace_type])
])
}

site_allow(roles, object_set) := num if {
# allow is a set of boolean values without duplicates.
allow := {x |
# Iterate over all site permissions in all roles
perm := roles[_].site[_]
perm.action in [input.action, "*"]
perm.resource_type in[input.object.type, "*"]
perm.resource_type inobject_set

# x is either 'true' or 'false' if a matching permission exists.
x := bool_flip(perm.negate)
Expand All@@ -95,11 +126,33 @@ org_members := {orgID |
# that the actor is a member of.
default org := 0

org := org_allow(input.subject.roles)
org := num if {
not is_prebuild_workspace
num := org_allow(input.subject.roles, default_object_set)
}

org := num if {
is_prebuild_workspace
num := number([
org_allow(input.subject.roles, default_object_set),
org_allow(input.subject.roles, [prebuild_workspace_type])
])
}

default scope_org := 0

scope_org := org_allow([input.scope])
scope_org := num if {
not is_prebuild_workspace
num := org_allow(input.subject.scope, default_object_set)
}

scope_org := num if {
is_prebuild_workspace
num := number([
org_allow(input.subject.scope, default_object_set),
org_allow(input.subject.scope, [prebuild_workspace_type])
])
}

# org_allow_set is a helper function that iterates over all orgs that the actor
# is a member of. For each organization it sets the numerical allow value
Expand All@@ -111,24 +164,24 @@ scope_org := org_allow([input.scope])
# The reason we calculate this for all orgs, and not just the input.object.org_owner
# is that sometimes the input.object.org_owner is unknown. In those cases
# we have a list of org_ids that can we use in a SQL 'WHERE' clause.
org_allow_set(roles) := allow_set if {
org_allow_set(roles, object_set) := allow_set if {
allow_set := {id: num |
id := org_members[_]
set := {x |
perm := roles[_].org[id][_]
perm.action in [input.action, "*"]
perm.resource_type in[input.object.type, "*"]
perm.resource_type inobject_set
x := bool_flip(perm.negate)
}
num := number(set)
}
}

org_allow(roles) := num if {
org_allow(roles, object_set) := num if {
# If the object has "any_org" set to true, then use the other
# org_allow block.
not input.object.any_org
allow := org_allow_set(roles)
allow := org_allow_set(roles, object_set)

# Return only the org value of the input's org.
# The reason why we do not do this up front, is that we need to make sure
Expand All@@ -144,9 +197,9 @@ org_allow(roles) := num if {
# This is useful for UI elements when we want to conclude, "Can the user create
# a new template in any organization?"
# It is easier than iterating over every organization the user is apart of.
org_allow(roles) := num if {
org_allow(roles, object_set) := num if {
input.object.any_org # if this is false, this code block is not used
allow := org_allow_set(roles)
allow := org_allow_set(roles, object_set)

# allow is a map of {"<org_id>": <number>}. We only care about values
# that are 1, and ignore the rest.
Expand DownExpand Up@@ -195,19 +248,41 @@ org_ok if {
# the user is apart of the org (if the object has an org).
default user := 0

user := user_allow(input.subject.roles)
user := num if {
not is_prebuild_workspace
num := user_allow(input.subject.roles, default_object_set)
}

user := num if {
is_prebuild_workspace
num := number([
user_allow(input.subject.roles, default_object_set),
user_allow(input.subject.roles, [prebuild_workspace_type])
])
}

default user_scope := 0

scope_user := user_allow([input.scope])
scope_user := num if {
not is_prebuild_workspace
num := user_allow(input.subject.scope, default_object_set)
}

scope_user := num if {
is_prebuild_workspace
num := number([
user_allow(input.subject.scope, default_object_set),
user_allow(input.subject.scope, [prebuild_workspace_type])
])
}

user_allow(roles) := num if {
user_allow(roles, object_set) := num if {
input.object.owner != ""
input.subject.id = input.object.owner
allow := {x |
perm := roles[_].user[_]
perm.action in [input.action, "*"]
perm.resource_type in[input.object.type, "*"]
perm.resource_type inobject_set
x := bool_flip(perm.negate)
}
num := number(allow)
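Review bot: The prebuild branches of `site` (and their `scope_site`, `org`, `scope_org`, `user`, `scope_user` twins) fold the two per-type results with `number([...])`, but `number` is left untouched by this change and is documented for a set of booleans (`# allow is a set of boolean values without duplicates.` in `site_allow`), whereas here it receives an array of levels in [-1, 1]; a pair like `[1, 0]` or `[-1, 1]` is therefore unlikely to be folded with the intended "negative beats positive beats abstain" semantics, and since a wildcard `*` permission is never `in [prebuild_workspace_type]`, the second element is 0 even for site-wide `*` roles. A small explicit merge helper, sketched below, makes the intent deterministic and reads the same in all six rules. Separately, `scope_site := site_allow([input.subject.scope])` became `site_allow(input.subject.scope, default_object_set)` without the wrapping array, so `roles[_].site[_]` now iterates the scope object's values rather than the scope itself — confirm this still reaches the scope's `site` permissions, and likewise for the new `scope_org` and `scope_user` rules. The context line `default user_scope := 0` above `scope_user` still names a different rule, so `scope_user` has no default whenever `user_allow` is undefined. The owner UUID hard-coded in `is_prebuild_workspace` duplicates the value used by the Go test; a comment naming the system user it stands for, and ideally sourcing it from `data` rather than a literal, would keep the two from drifting.
```rego
# merge_levels folds two [-1, 1] level results into one: an explicit
# negative on either object type wins, otherwise any positive wins,
# otherwise both abstain.
merge_levels(a, b) := -1 if { a == -1 }
merge_levels(a, b) := -1 if { b == -1 }
merge_levels(a, b) := 1 if { a != -1; b != -1; a == 1 }
merge_levels(a, b) := 1 if { a != -1; b != -1; b == 1 }
merge_levels(a, b) := 0 if { a == 0; b == 0 }

site := num if {
	is_prebuild_workspace
	num := merge_levels(
		site_allow(input.subject.roles, default_object_set),
		site_allow(input.subject.roles, [prebuild_workspace_type]),
	)
}

# … unchanged: scope_site, org, scope_org, user, scope_user call merge_levels the same way …
```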