synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-03 16:13:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: remove site wide perms from creating a workspace (#17296)

Browse Source 
Creating a workspace required `read` on site wide `user`. 
Only organization permissions should be required.
This commit is contained in:
Steven Masley
2025-04-09 14:35:43 -05:00
committed by GitHub
parent a03a54dd14
commit 0b58798a1a
8 changed files with 392 additions and 135 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
coderd/coderdtest/authorize.go
View File

@ -81,7 +81,7 @@ func AssertRBAC(t *testing.T, api *coderd.API, client *codersdk.Client) RBACAsse
// Note that duplicate rbac calls are handled by the rbac.Cacher(), but
// will be recorded twice. So AllCalls() returns calls regardless if they
// were returned from the cached or not.
func (a RBACAsserter) AllCalls() []AuthCall {
func (a RBACAsserter) AllCalls() AuthCalls {
return a.Recorder.AllCalls(&a.Subject)
}
@ -140,8 +140,11 @@ func (a RBACAsserter) Reset() RBACAsserter {
return a
}
type AuthCalls []AuthCall
type AuthCall struct {
rbac.AuthCall
Err error
asserted bool
// callers is a small stack trace for debugging.
@ -252,7 +255,7 @@ func (r *RecordingAuthorizer) AssertActor(t *testing.T, actor rbac.Subject, did
}
// recordAuthorize is the internal method that records the Authorize() call.
func (r *RecordingAuthorizer) recordAuthorize(subject rbac.Subject, action policy.Action, object rbac.Object) {
func (r *RecordingAuthorizer) recordAuthorize(subject rbac.Subject, action policy.Action, object rbac.Object, authzErr error) {
r.Lock()
defer r.Unlock()
@ -262,6 +265,7 @@ func (r *RecordingAuthorizer) recordAuthorize(subject rbac.Subject, action polic
Action: action,
Object: object,
},
Err: authzErr,
callers: []string{
// This is a decent stack trace for debugging.
// Some dbauthz calls are a bit nested, so we skip a few.
@ -288,11 +292,12 @@ func caller(skip int) string {
}
func (r *RecordingAuthorizer) Authorize(ctx context.Context, subject rbac.Subject, action policy.Action, object rbac.Object) error {
r.recordAuthorize(subject, action, object)
if r.Wrapped == nil {
panic("Developer error: RecordingAuthorizer.Wrapped is nil")
}
return r.Wrapped.Authorize(ctx, subject, action, object)
authzErr := r.Wrapped.Authorize(ctx, subject, action, object)
r.recordAuthorize(subject, action, object, authzErr)
return authzErr
}
func (r *RecordingAuthorizer) Prepare(ctx context.Context, subject rbac.Subject, action policy.Action, objectType string) (rbac.PreparedAuthorized, error) {
@ -339,10 +344,11 @@ func (s *PreparedRecorder) Authorize(ctx context.Context, object rbac.Object) er
s.rw.Lock()
defer s.rw.Unlock()
authzErr := s.prepped.Authorize(ctx, object)
if !s.usingSQL {
s.rec.recordAuthorize(s.subject, s.action, object)
s.rec.recordAuthorize(s.subject, s.action, object, authzErr)
}
return s.prepped.Authorize(ctx, object)
return authzErr
}
func (s *PreparedRecorder) CompileToSQL(ctx context.Context, cfg regosql.ConvertConfig) (string, error) {