- Notifications
You must be signed in to change notification settings - Fork928
feat: add template RBAC/groups#4235
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Merged
Changes fromall commits
Commits
Show all changes
161 commits Select commitHold shift + click to select a range
5a47132 feat: Add ACL list support to rego objects
Emyrk03f69bf Add unit tests
Emyrk91a358d Rename ACL list
Emyrk8f837b7 Flip rego json to key by user id
Emyrk8378c9b feat: add template ACL
sreya54a0d13 add down migration
sreya72ea751 remove unused file
sreyad533a16 undo insert templates query change
sreyaf56fcf9 add patch endpoint tests
sreyaf162694 Unit test use shadowed copied value
Emyrkea25c08 Allow wildcards for ACL list
Emyrk5a081eb fix authorize bug
sreya072b3e4 feat: Allow filter to accept objects of multiple types
Emyrk205c36c add support for private templates
sreyaba32928 go.mod
sreya5c6344f Merge branch 'main' into resource_acl_list
sreyaef15908 fix rbac merge woes
sreya8ab5200 update migration
sreyac040e8e fix workspaces_test
sreya1f4ceee remove sqlx
sreya7cc71e1 fix audit
sreya131d5ed fix lint
sreya8c3ee6a Revert "remove sqlx"
sreyafe2af91 add test for list templates
sreya0218c4e fix error msg
sreya6883106 fix sqlx woes
sreya4fbd9be fix lint
sreyac96a6ca fix audit
sreya57ba8b3 make gen
sreyac66d247 Merge branch 'main' into resource_acl_list
sreya0af367a fix merge woes
sreyaf6c3f51 fix test template
sreya6e72286 fmt
sreya44bcbde Add base layout
BrunoQuaresma0f80beb Add table
BrunoQuaresmad274d62 Add search user
BrunoQuaresma943c76b Add user role
BrunoQuaresma7f7f1d3 Add update and delete
BrunoQuaresma967a1a9 Fix summary view
BrunoQuaresma1324991 Merge branch 'resource_acl_list' of github.com:coder/coder into resou…
BrunoQuaresmabd34d20 Merge branch 'resource_acl_list' of github.com:coder/coder into resou…
sreya5982dd3 add schema for groups
sreyac759d99 add skeleton for group API routes
sreya4169569 add create group endpoint
sreyaa8943c9 add group httpmw
sreya9fbc15f add patch group endpoint
sreyabaaf445 add test pkg for opening database
sreya4f1a308 test: Add unit test to exercise roles query with multiple orgs
Emyrkf98c3b7 feat: Add group support to rego policy
Emyrk930cdf6 Add query to include group fetch
Emyrkb26cd97 Fix auth query
Emyrkbf13f37 add patch group endpoint w/ tests
sreyaeea0aee add get group endpoint w/ tests
sreyad70911b add groups endpoint with tests
sreyaba1953a Add groups to rego objects
Emyrk7544e37 fix: Group ACL list fixed
Emyrkff9d968 add delete group endpoint
sreya7f2de03 Merge branch 'groups' of github.com:coder/coder into groups
sreya8cf12e9 Merge remote-tracking branch 'origin/main' into groups
Emyrkea84bc6 Fix authorize calls for group endpoints
Emyrkf28156f Merge remote-tracking branch 'origin/main' into groups
Emyrk759bddf Fix FE errors
BrunoQuaresma0e2cb22 Fix migration name
BrunoQuaresma41b79b6 Scopes broke ACL. Fixing unit tests.
Emyrk7297c3c fix: Fix acl list rego policy
Emyrkdc65257 Remove need to be in the org for the group to work in the rego
Emyrkd50a0c5 Add group ACL unit test
Emyrk7375484 update uuid -> id
sreyad70664d make gen
sreya3dac95a Add index page for groups
BrunoQuaresma5ac06fb Merge branch 'groups' of github.com:coder/coder into groups
BrunoQuaresma2c4fd8d Add create group page
BrunoQuaresmacb1464f Remove filter's ability to filter multiple object types
Emyrkc2e1196 Merge remote-tracking branch 'origin/main' into groups
Emyrkafe328b groups changes
sreya85e05c3 Merge branch 'groups' of github.com:coder/coder into groups
BrunoQuaresmae0ea8ec Add user auto complete component
BrunoQuaresma82b1faf add groups acl
sreya6505039 Add member to the group
BrunoQuaresma7e98ca8 Refactor loader
BrunoQuaresma4bb1e5f Add empty state
BrunoQuaresmacba7065 Remove members from group
BrunoQuaresmad6b7f42 Merge branch 'main' of github.com:coder/coder into groups
BrunoQuaresma9dee125 Fix migrations
BrunoQuaresma883b28c Merge branch 'groups' of github.com:coder/coder into groups
sreyaa27d364 Update autocomplete and update verbiage
BrunoQuaresma11690bc Adjust autocomplete height
BrunoQuaresmac18379e Merge branch 'groups' of github.com:coder/coder into groups
sreya53ff126 prevent duplicate group adds
sreya5180608 Delete a group
BrunoQuaresma7770498 Merge branch 'groups' of github.com:coder/coder into groups
BrunoQuaresma9aa686b Add group settings
BrunoQuaresma5e956c1 Fix loader
BrunoQuaresmad08bd75 Add implied all_users to org members
Emyrk876a7c7 Move groups to users page with tabs
BrunoQuaresma9c9e9c0 Improve groups table
BrunoQuaresma3ee20a3 add all users group
sreya3ea5793 add endpoints for patching template groups
sreyafc4c275 Merge branch 'groups' of github.com:coder/coder into groups
sreya6379c7b make gen
sreya6aa1712 Merge branch 'main' into groups
sreyab0fc388 fix tests
sreya7d1ce8b fix migration
sreya200ea81 fix migration (again)
sreya9f344fc feat: move groups/template RBAC to enterprise folder (#4236)
sreyab763bc2 chore: update TemplateRole names (#4248)
sreya0ba4465 add custom group access test (#4254)
sreya9662a3b refactor all users to behave the same as any other group (#4266)
sreya58679e5 filter deleted/suspended users (#4271)
sreya248a3f3 Update FE to use Template ACL and Groups (#4267)
BrunoQuaresmaa0c8571 Merge branch 'main' of github.com:coder/coder into groups
BrunoQuaresma08805b3 allow org members to read all groups (#4277)
sreya845d81f populate template acl group with members (#4279)
sreya564928e chore: Minor rego optimization by removing excessive queries (#4275)
Emyrk38cce76 feat: Add resource_id option to authcheck (#4278)
Emyrkdac034f Merge branch 'main' of github.com:coder/coder into groups
BrunoQuaresmaa59138a Add group for authcheck
Emyrka50af85 chore: Update permissions (#4337)
BrunoQuaresma993ee32 filter deleted/suspended users for groups (#4343)
sreyaa52203d rm extraneous filter (#4272)
sreyabfa35e3 merge main into groups (#4349)
sreya1c461f7 add groups to license entitlements (#4345)
sreyac5ecbf4 omit all users from groups endpoint (#4350)
sreyaf0f5a93 Add paywall into the entitlements
BrunoQuaresmaefd1ed2 Merge remote-tracking branch 'origin/main' into groups
Emyrkcbaafca Fix rego -> SQL in acl cases with string literals
Emyrkf20b783 Merge branch 'main' of github.com:coder/coder into groups
BrunoQuaresmacc2138d Use rego to eval, not custom
Emyrkfd0b43a Fix Navbar tests
BrunoQuaresma5997317 Fix UsersPage test
BrunoQuaresma0cf3784 Merge branch 'groups' of github.com:coder/coder into groups
BrunoQuaresma7c76bc0 Fix Template tests
BrunoQuaresmab77eeaf Regenerate types
BrunoQuaresma0afc361 Remove type generation
BrunoQuaresma461cb8a Switch to NoACL config as those columns do not exist
Emyrk620c384 Fix service extension
BrunoQuaresmae7f72af Merge branch 'groups' of github.com:coder/coder into groups
BrunoQuaresmab920801 fix lint
sreya9bfa415 add test for creating a forbidden template (#4371)
sreya22db0d2 migrate existing templates (#4353)
sreyae0c90ef Fix routes
BrunoQuaresmaf0fd9a0 Add GroupsPage storybook
BrunoQuaresma20670f1 Add CreateGroupPage stories
BrunoQuaresma09c6771 Add Settings Group Page stories
BrunoQuaresmaf8a7b7e Add template permissions stories
BrunoQuaresmab86abcf Fix FE
BrunoQuaresma510287b Fix repetitive results
BrunoQuaresma21af86e feat: Allow users to make files (#4423)
Emyrk9e199d3 add test for template rbac admin pushing template version (#4438)
sreyab101ae7 merge main into groups (#4439)
sreyad715ea6 Revert "merge main into groups (#4439)"
sreya413b6e1 merge main
sreya85d0643 fix coderd/license
sreya262bb45 fix license woes
sreyaa5c6848 remove migration conflict
sreyaa69c018 fix tests
sreya1809d3e fix merge conflict
sreya21c078b fix ts lint
sreyac8f6afd make fmt
sreyaad02da0 delete old files
sreya35aef1b Fix types
BrunoQuaresmaFile filter
Filter by extension
Conversations
Failed to load comments.
Loading
Uh oh!
There was an error while loading.Please reload this page.
Jump to
Jump to file
Failed to load files.
Loading
Uh oh!
There was an error while loading.Please reload this page.
Diff view
Diff view
There are no files selected for viewing
2 changes: 2 additions & 0 deletionscoderd/audit.go
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
91 changes: 80 additions & 11 deletionscoderd/authorize.go
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -4,6 +4,8 @@ import ( | ||
| "fmt" | ||
| "net/http" | ||
| "github.com/google/uuid" | ||
| "golang.org/x/xerrors" | ||
| "cdr.dev/slog" | ||
| @@ -18,7 +20,7 @@ import ( | ||
| // This is faster than calling Authorize() on each object. | ||
| func AuthorizeFilter[O rbac.Objecter](h *HTTPAuthorizer, r *http.Request, action rbac.Action, objects []O) ([]O, error) { | ||
| roles := httpmw.UserAuthorization(r) | ||
| objects, err := rbac.Filter(r.Context(), h.Authorizer, roles.ID.String(), roles.Roles, roles.Scope.ToRBAC(),roles.Groups,action, objects) | ||
| if err != nil { | ||
| // Log the error as Filter should not be erroring. | ||
| h.Logger.Error(r.Context(), "filter failed", | ||
| @@ -63,7 +65,7 @@ func (api *API) Authorize(r *http.Request, action rbac.Action, object rbac.Objec | ||
| //} | ||
| func (h *HTTPAuthorizer) Authorize(r *http.Request, action rbac.Action, object rbac.Objecter) bool { | ||
| roles := httpmw.UserAuthorization(r) | ||
| err := h.Authorizer.ByRoleName(r.Context(), roles.ID.String(), roles.Roles, roles.Scope.ToRBAC(),roles.Groups,action, object.RBACObject()) | ||
| if err != nil { | ||
| // Log the errors for debugging | ||
| internalError := new(rbac.UnauthorizedError) | ||
| @@ -95,7 +97,7 @@ func (h *HTTPAuthorizer) Authorize(r *http.Request, action rbac.Action, object r | ||
| // Note the authorization is only for the given action and object type. | ||
| func (h *HTTPAuthorizer) AuthorizeSQLFilter(r *http.Request, action rbac.Action, objectType string) (rbac.AuthorizeFilter, error) { | ||
| roles := httpmw.UserAuthorization(r) | ||
| prepared, err := h.Authorizer.PrepareByRoleName(r.Context(), roles.ID.String(), roles.Roles, roles.Scope.ToRBAC(),roles.Groups,action, objectType) | ||
| if err != nil { | ||
| return nil, xerrors.Errorf("prepare filter: %w", err) | ||
| } | ||
| @@ -127,6 +129,28 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) { | ||
| ) | ||
| response := make(codersdk.AuthorizationResponse) | ||
| // Prevent using too many resources by ID. This prevents database abuse | ||
| // from this endpoint. This also prevents misuse of this endpoint, as | ||
| // resource_id should be used for single objects, not for a list of them. | ||
| var ( | ||
| idFetch int | ||
| maxFetch = 10 | ||
| ) | ||
| for _, v := range params.Checks { | ||
| if v.Object.ResourceID != "" { | ||
| idFetch++ | ||
| } | ||
| } | ||
| if idFetch > maxFetch { | ||
| httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{ | ||
| Message: fmt.Sprintf( | ||
| "Endpoint only supports using \"resource_id\" field %d times, found %d usages. Remove %d objects with this field set.", | ||
| maxFetch, idFetch, idFetch-maxFetch, | ||
| ), | ||
| }) | ||
| return | ||
| } | ||
| for k, v := range params.Checks { | ||
| if v.Object.ResourceType == "" { | ||
| httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{ | ||
| @@ -135,15 +159,60 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) { | ||
| return | ||
| } | ||
| obj := rbac.Object{ | ||
| Owner: v.Object.OwnerID, | ||
| OrgID: v.Object.OrganizationID, | ||
| Type: v.Object.ResourceType, | ||
| } | ||
| if obj.Owner == "me" { | ||
| obj.Owner = auth.ID.String() | ||
| } | ||
| // If a resource ID is specified, fetch that specific resource. | ||
| if v.Object.ResourceID != "" { | ||
| id, err := uuid.Parse(v.Object.ResourceID) | ||
| if err != nil { | ||
| httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{ | ||
| Message: fmt.Sprintf("Object %q id is not a valid uuid.", v.Object.ResourceID), | ||
| Validations: []codersdk.ValidationError{{Field: "resource_id", Detail: err.Error()}}, | ||
| }) | ||
| return | ||
| } | ||
| var dbObj rbac.Objecter | ||
| var dbErr error | ||
| // Only support referencing some resources by ID. | ||
| switch v.Object.ResourceType { | ||
| case rbac.ResourceWorkspaceExecution.Type: | ||
| wrkSpace, err := api.Database.GetWorkspaceByID(ctx, id) | ||
| if err == nil { | ||
| dbObj = wrkSpace.ExecutionRBAC() | ||
| } | ||
| dbErr = err | ||
| case rbac.ResourceWorkspace.Type: | ||
| dbObj, dbErr = api.Database.GetWorkspaceByID(ctx, id) | ||
| case rbac.ResourceTemplate.Type: | ||
| dbObj, dbErr = api.Database.GetTemplateByID(ctx, id) | ||
| case rbac.ResourceUser.Type: | ||
| dbObj, dbErr = api.Database.GetUserByID(ctx, id) | ||
| case rbac.ResourceGroup.Type: | ||
| dbObj, dbErr = api.Database.GetGroupByID(ctx, id) | ||
| default: | ||
| httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{ | ||
| Message: fmt.Sprintf("Object type %q does not support \"resource_id\" field.", v.Object.ResourceType), | ||
| Validations: []codersdk.ValidationError{{Field: "resource_type", Detail: err.Error()}}, | ||
| }) | ||
| return | ||
| } | ||
Comment on lines +185 to +206 There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. Non-blocking: we could probably fetch by multiple IDs instead for performance. Not sure how frequently this case is hit though... | ||
| if dbErr != nil { | ||
| // 404 or unauthorized is false | ||
| response[k] = false | ||
| continue | ||
| } | ||
| obj = dbObj.RBACObject() | ||
| } | ||
| err := api.Authorizer.ByRoleName(r.Context(), auth.ID.String(), auth.Roles, auth.Scope.ToRBAC(), auth.Groups, rbac.Action(v.Action), obj) | ||
| response[k] = err == nil | ||
| } | ||
51 changes: 34 additions & 17 deletionscoderd/authorize_test.go
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
1 change: 1 addition & 0 deletionscoderd/coderd.go
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
14 changes: 9 additions & 5 deletionscoderd/coderdtest/authorize.go
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
27 changes: 3 additions & 24 deletionscoderd/coderdtest/coderdtest.go
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
Oops, something went wrong.
Uh oh!
There was an error while loading.Please reload this page.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.