Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

chore: refactor roles to support multiple permission sets scoped by org id#20186

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Open
aslilac wants to merge1 commit intomain
base:main
Choose a base branch
Loading
fromlilac/by-org-id
Open
Show file tree
Hide file tree
Changes fromall commits
Commits
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletionscoderd/database/db2sdk/db2sdk.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -693,13 +693,13 @@ func SlimRoleFromName(name string) codersdk.SlimRole {
func RBACRole(role rbac.Role) codersdk.Role {
slim := SlimRole(role)

orgPerms := role.Org[slim.OrganizationID]
orgPerms := role.ByOrgID[slim.OrganizationID]
return codersdk.Role{
Name: slim.Name,
OrganizationID: slim.OrganizationID,
DisplayName: slim.DisplayName,
SitePermissions: List(role.Site, RBACPermission),
OrganizationPermissions: List(orgPerms, RBACPermission),
OrganizationPermissions: List(orgPerms.Org, RBACPermission),
UserPermissions: List(role.User, RBACPermission),
}
}
Expand Down
66 changes: 33 additions & 33 deletionscoderd/database/dbauthz/dbauthz.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -232,8 +232,8 @@ var (
// Provisionerd creates usage events
rbac.ResourceUsageEvent.Type: {policy.ActionCreate},
}),
Org:map[string][]rbac.Permission{},
User: []rbac.Permission{},
User:[]rbac.Permission{},
ByOrgID: map[string]rbac.OrgPermissions{},
},
}),
Scope: rbac.ScopeAll,
Expand All@@ -257,8 +257,8 @@ var (
rbac.ResourceWorkspace.Type: {policy.ActionDelete, policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceStart, policy.ActionWorkspaceStop},
rbac.ResourceWorkspaceDormant.Type: {policy.ActionDelete, policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceStop},
}),
Org:map[string][]rbac.Permission{},
User: []rbac.Permission{},
User:[]rbac.Permission{},
ByOrgID: map[string]rbac.OrgPermissions{},
},
}),
Scope: rbac.ScopeAll,
Expand All@@ -279,8 +279,8 @@ var (
rbac.ResourceWorkspace.Type: {policy.ActionRead, policy.ActionUpdate},
rbac.ResourceProvisionerJobs.Type: {policy.ActionRead, policy.ActionUpdate},
}),
Org:map[string][]rbac.Permission{},
User: []rbac.Permission{},
User:[]rbac.Permission{},
ByOrgID: map[string]rbac.OrgPermissions{},
},
}),
Scope: rbac.ScopeAll,
Expand All@@ -298,8 +298,8 @@ var (
Site: rbac.Permissions(map[string][]policy.Action{
rbac.ResourceCryptoKey.Type: {policy.WildcardSymbol},
}),
Org:map[string][]rbac.Permission{},
User: []rbac.Permission{},
User:[]rbac.Permission{},
ByOrgID: map[string]rbac.OrgPermissions{},
},
}),
Scope: rbac.ScopeAll,
Expand All@@ -317,8 +317,8 @@ var (
Site: rbac.Permissions(map[string][]policy.Action{
rbac.ResourceCryptoKey.Type: {policy.WildcardSymbol},
}),
Org:map[string][]rbac.Permission{},
User: []rbac.Permission{},
User:[]rbac.Permission{},
ByOrgID: map[string]rbac.OrgPermissions{},
},
}),
Scope: rbac.ScopeAll,
Expand All@@ -335,8 +335,8 @@ var (
Site: rbac.Permissions(map[string][]policy.Action{
rbac.ResourceConnectionLog.Type: {policy.ActionUpdate, policy.ActionRead},
}),
Org:map[string][]rbac.Permission{},
User: []rbac.Permission{},
User:[]rbac.Permission{},
ByOrgID: map[string]rbac.OrgPermissions{},
},
}),
Scope: rbac.ScopeAll,
Expand All@@ -356,8 +356,8 @@ var (
rbac.ResourceWebpushSubscription.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
rbac.ResourceDeploymentConfig.Type: {policy.ActionRead, policy.ActionUpdate}, // To read and upsert VAPID keys
}),
Org:map[string][]rbac.Permission{},
User: []rbac.Permission{},
User:[]rbac.Permission{},
ByOrgID: map[string]rbac.OrgPermissions{},
},
}),
Scope: rbac.ScopeAll,
Expand All@@ -375,8 +375,8 @@ var (
// The workspace monitor needs to be able to update monitors
rbac.ResourceWorkspaceAgentResourceMonitor.Type: {policy.ActionUpdate},
}),
Org:map[string][]rbac.Permission{},
User: []rbac.Permission{},
User:[]rbac.Permission{},
ByOrgID: map[string]rbac.OrgPermissions{},
},
}),
Scope: rbac.ScopeAll,
Expand All@@ -392,12 +392,12 @@ var (
Identifier: rbac.RoleIdentifier{Name: "subagentapi"},
DisplayName: "Sub Agent API",
Site: []rbac.Permission{},
Org: map[string][]rbac.Permission{
orgID.String(): {},
},
User: rbac.Permissions(map[string][]policy.Action{
rbac.ResourceWorkspace.Type: {policy.ActionRead, policy.ActionUpdate, policy.ActionCreateAgent, policy.ActionDeleteAgent},
}),
ByOrgID: map[string]rbac.OrgPermissions{
orgID.String(): {},
},
},
}),
Scope: rbac.ScopeAll,
Expand DownExpand Up@@ -436,8 +436,8 @@ var (
rbac.ResourceOauth2App.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
rbac.ResourceOauth2AppSecret.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
}),
Org:map[string][]rbac.Permission{},
User: []rbac.Permission{},
User:[]rbac.Permission{},
ByOrgID: map[string]rbac.OrgPermissions{},
},
}),
Scope: rbac.ScopeAll,
Expand All@@ -454,8 +454,8 @@ var (
Site: rbac.Permissions(map[string][]policy.Action{
rbac.ResourceProvisionerDaemon.Type: {policy.ActionRead},
}),
Org:map[string][]rbac.Permission{},
User: []rbac.Permission{},
User:[]rbac.Permission{},
ByOrgID: map[string]rbac.OrgPermissions{},
},
}),
Scope: rbac.ScopeAll,
Expand DownExpand Up@@ -531,8 +531,8 @@ var (
Site: rbac.Permissions(map[string][]policy.Action{
rbac.ResourceFile.Type: {policy.ActionRead},
}),
Org:map[string][]rbac.Permission{},
User: []rbac.Permission{},
User:[]rbac.Permission{},
ByOrgID: map[string]rbac.OrgPermissions{},
},
}),
Scope: rbac.ScopeAll,
Expand All@@ -552,8 +552,8 @@ var (
// reads/processes them.
rbac.ResourceUsageEvent.Type: {policy.ActionRead, policy.ActionUpdate},
}),
Org:map[string][]rbac.Permission{},
User: []rbac.Permission{},
User:[]rbac.Permission{},
ByOrgID: map[string]rbac.OrgPermissions{},
},
}),
Scope: rbac.ScopeAll,
Expand All@@ -576,8 +576,8 @@ var (
rbac.ResourceApiKey.Type: {policy.ActionRead}, // Validate API keys.
rbac.ResourceAibridgeInterception.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate},
}),
Org:map[string][]rbac.Permission{},
User: []rbac.Permission{},
User:[]rbac.Permission{},
ByOrgID: map[string]rbac.OrgPermissions{},
},
}),
Scope: rbac.ScopeAll,
Expand DownExpand Up@@ -1253,13 +1253,13 @@ func (q *querier) customRoleCheck(ctx context.Context, role database.CustomRole)
return xerrors.Errorf("invalid role: %w", err)
}

if len(rbacRole.Org) > 0 && len(rbacRole.Site) > 0 {
if len(rbacRole.ByOrgID) > 0 && len(rbacRole.Site) > 0 {
// This is a choice to keep roles simple. If we allow mixing site and org scoped perms, then knowing who can
// do what gets more complicated.
return xerrors.Errorf("invalid custom role, cannot assign both org and site permissions at the same time")
}

if len(rbacRole.Org) > 1 {
if len(rbacRole.ByOrgID) > 1 {
// Again to avoid more complexity in our roles
return xerrors.Errorf("invalid custom role, cannot assign permissions to more than 1 org at a time")
}
Expand All@@ -1272,8 +1272,8 @@ func (q *querier) customRoleCheck(ctx context.Context, role database.CustomRole)
}
}

for orgID, perms := range rbacRole.Org {
for _, orgPerm := range perms {
for orgID, perms := range rbacRole.ByOrgID {
for _, orgPerm := range perms.Org {
err := q.customRoleEscalationCheck(ctx, act, orgPerm, rbac.Object{OrgID: orgID, Type: orgPerm.ResourceType})
if err != nil {
return xerrors.Errorf("org=%q: %w", orgID, err)
Expand Down
15 changes: 9 additions & 6 deletionscoderd/database/modelmethods.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -170,8 +170,8 @@ func (s APIKeyScopes) Expand() (rbac.Scope, error) {
// Identifier is informational; not used in policy evaluation.
Identifier: rbac.RoleIdentifier{Name: "Scope_Multiple"},
Site: nil,
Org: map[string][]rbac.Permission{},
User: nil,
ByOrgID: map[string]rbac.OrgPermissions{},
}

// Track allow list union, collapsing to wildcard if any child is wildcard.
Expand All@@ -186,8 +186,10 @@ func (s APIKeyScopes) Expand() (rbac.Scope, error) {

// Merge role permissions: union by simple concatenation.
merged.Site = append(merged.Site, expanded.Site...)
for orgID, perms := range expanded.Org {
merged.Org[orgID] = append(merged.Org[orgID], perms...)
for orgID, perms := range expanded.ByOrgID {
orgPerms := merged.ByOrgID[orgID]
orgPerms.Org = append(orgPerms.Org, perms.Org...)
merged.ByOrgID[orgID] = orgPerms
}
merged.User = append(merged.User, expanded.User...)

Expand All@@ -205,10 +207,11 @@ func (s APIKeyScopes) Expand() (rbac.Scope, error) {

// De-duplicate permissions across Site/Org/User
merged.Site = rbac.DeduplicatePermissions(merged.Site)
for orgID, perms := range merged.Org {
merged.Org[orgID] = rbac.DeduplicatePermissions(perms)
}
merged.User = rbac.DeduplicatePermissions(merged.User)
for orgID, perms := range merged.ByOrgID {
perms.Org = rbac.DeduplicatePermissions(perms.Org)
merged.ByOrgID[orgID] = perms
}

if allowAll || len(allowSet) == 0 {
merged.AllowIDList = []rbac.AllowListElement{rbac.AllowListAll()}
Expand Down
21 changes: 14 additions & 7 deletionscoderd/rbac/astvalue.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -157,23 +157,30 @@ func (role Role) regoValue() ast.Value {
if role.cachedRegoValue != nil {
return role.cachedRegoValue
}
orgMap := ast.NewObject()
for k, p := range role.Org {
orgMap.Insert(ast.StringTerm(k), ast.NewTerm(regoSlice(p)))
byOrgIDMap := ast.NewObject()
for k, p := range role.ByOrgID {
byOrgIDMap.Insert(ast.StringTerm(k), ast.NewTerm(
ast.NewObject(
[2]*ast.Term{
ast.StringTerm("org"),
ast.NewTerm(regoSlice(p.Org)),
},
),
))
}
return ast.NewObject(
[2]*ast.Term{
ast.StringTerm("site"),
ast.NewTerm(regoSlice(role.Site)),
},
[2]*ast.Term{
ast.StringTerm("org"),
ast.NewTerm(orgMap),
},
[2]*ast.Term{
ast.StringTerm("user"),
ast.NewTerm(regoSlice(role.User)),
},
[2]*ast.Term{
ast.StringTerm("by_org_id"),
ast.NewTerm(byOrgIDMap),
},
)
}

Expand Down
48 changes: 27 additions & 21 deletionscoderd/rbac/authz_internal_test.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -633,20 +633,22 @@ func TestAuthorizeDomain(t *testing.T) {
{
Identifier: RoleIdentifier{Name: "ReadOnlyOrgAndUser"},
Site: []Permission{},
Org: map[string][]Permission{
defOrg.String(): {{
Negate: false,
ResourceType: "*",
Action: policy.ActionRead,
}},
},
User: []Permission{
{
Negate: false,
ResourceType: "*",
Action: policy.ActionRead,
},
},
ByOrgID: map[string]OrgPermissions{
defOrg.String(): {
Org: []Permission{{
Negate: false,
ResourceType: "*",
Action: policy.ActionRead,
}},
},
},
},
},
}
Expand DownExpand Up@@ -726,12 +728,14 @@ func TestAuthorizeLevels(t *testing.T) {
must(RoleByName(RoleOwner())),
{
Identifier: RoleIdentifier{Name: "org-deny:", OrganizationID: defOrg},
Org: map[string][]Permission{
ByOrgID: map[string]OrgPermissions{
defOrg.String(): {
{
Negate: true,
ResourceType: "*",
Action: "*",
Org: []Permission{
{
Negate: true,
ResourceType: "*",
Action: "*",
},
},
},
},
Expand DownExpand Up@@ -926,8 +930,8 @@ func TestAuthorizeScope(t *testing.T) {
// Only read access for workspaces.
ResourceWorkspace.Type: {policy.ActionRead},
}),
Org:map[string][]Permission{},
User: []Permission{},
User:[]Permission{},
ByOrgID: map[string]OrgPermissions{},
},
AllowIDList: []AllowListElement{{Type: ResourceWorkspace.Type, ID: workspaceID.String()}},
},
Expand DownExpand Up@@ -1015,8 +1019,8 @@ func TestAuthorizeScope(t *testing.T) {
// Only read access for workspaces.
ResourceWorkspace.Type: {policy.ActionCreate},
}),
Org:map[string][]Permission{},
User: []Permission{},
User:[]Permission{},
ByOrgID: map[string]OrgPermissions{},
},
// Empty string allow_list is allowed for actions like 'create'
AllowIDList: []AllowListElement{{
Expand DownExpand Up@@ -1138,14 +1142,16 @@ func TestAuthorizeScope(t *testing.T) {
},
DisplayName: "OrgAndUserScope",
Site: nil,
Org: map[string][]Permission{
defOrg.String(): Permissions(map[string][]policy.Action{
ResourceWorkspace.Type: {policy.ActionRead},
}),
},
User: Permissions(map[string][]policy.Action{
ResourceUser.Type: {policy.ActionRead},
}),
ByOrgID: map[string]OrgPermissions{
defOrg.String(): {
Org: Permissions(map[string][]policy.Action{
ResourceWorkspace.Type: {policy.ActionRead},
}),
},
},
},
AllowIDList: []AllowListElement{AllowListAll()},
},
Expand Down
Loading
Loading
[8]ページ先頭
©2009-2025 Movatter.jp