feat: Implement allow_list for scopes for resource specific permissions (#5769)

* feat: Implement allow_list for scopes for resource specific permissions Feature that adds an allow_list for scopes to specify particular resources. This enables workspace agent tokens to use the same RBAC system as users. - Add ID to compileSQL matchers * Plumb through WithID on rbac objects * Rename Scope -> ScopeName * Update input.json with scope allow_list Co-authored-by: Cian Johnston <cian@coder.com>
2025-07-03 16:13:58 +00:00 · 2023-01-19 13:41:36 -06:00
parent f0df0686f9
commit 08cce81ac8
25 changed files with 445 additions and 153 deletions
--- a/coderd/rbac/object.go
+++ b/coderd/rbac/object.go
@ -158,6 +158,8 @@ var (
 // that represents the set of workspaces you are trying to get access too.
 // Do not export this type, as it can be created from a resource type constant.
 type Object struct {
+	// ID is the resource's uuid
+	ID    string `json:"id"`
 	Owner string `json:"owner"`
 	// OrgID specifies which org the object is a part of.
 	OrgID string `json:"org_owner"`
@ -184,9 +186,32 @@ func (z Object) All() Object {
 	}
 }

+func (z Object) WithIDString(id string) Object {
+	return Object{
+		ID:           id,
+		Owner:        z.Owner,
+		OrgID:        z.OrgID,
+		Type:         z.Type,
+		ACLUserList:  z.ACLUserList,
+		ACLGroupList: z.ACLGroupList,
+	}
+}
+
+func (z Object) WithID(id uuid.UUID) Object {
+	return Object{
+		ID:           id.String(),
+		Owner:        z.Owner,
+		OrgID:        z.OrgID,
+		Type:         z.Type,
+		ACLUserList:  z.ACLUserList,
+		ACLGroupList: z.ACLGroupList,
+	}
+}
+
 // InOrg adds an org OwnerID to the resource
 func (z Object) InOrg(orgID uuid.UUID) Object {
 	return Object{
+		ID:           z.ID,
 		Owner:        z.Owner,
 		OrgID:        orgID.String(),
 		Type:         z.Type,
@ -198,6 +223,7 @@ func (z Object) InOrg(orgID uuid.UUID) Object {
 // WithOwner adds an OwnerID to the resource
 func (z Object) WithOwner(ownerID string) Object {
 	return Object{
+		ID:           z.ID,
 		Owner:        ownerID,
 		OrgID:        z.OrgID,
 		Type:         z.Type,
@ -209,6 +235,7 @@ func (z Object) WithOwner(ownerID string) Object {
 // WithACLUserList adds an ACL list to a given object
 func (z Object) WithACLUserList(acl map[string][]Action) Object {
 	return Object{
+		ID:           z.ID,
 		Owner:        z.Owner,
 		OrgID:        z.OrgID,
 		Type:         z.Type,
@ -219,6 +246,7 @@ func (z Object) WithACLUserList(acl map[string][]Action) Object {

 func (z Object) WithGroupACL(groups map[string][]Action) Object {
 	return Object{
+		ID:           z.ID,
 		Owner:        z.Owner,
 		OrgID:        z.OrgID,
 		Type:         z.Type,