feat: add template RBAC/groups (#4235)

2025-07-03 16:13:58 +00:00 · 2022-10-10 15:37:06 -05:00
parent 2687e3db49
commit 3120c94c22
122 changed files with 8088 additions and 1062 deletions
--- a/coderd/rbac/object.go
+++ b/coderd/rbac/object.go
@ -54,6 +54,14 @@ var (
 		Type: "template",
 	}

+	// ResourceGroup CRUD. Org admins only.
+	//	create/delete = Make or delete a new group.
+	//	update = Update the name or members of a group.
+	//	read = Read groups and their members.
+	ResourceGroup = Object{
+		Type: "group",
+	}
+
 	ResourceFile = Object{
 		Type: "file",
 	}
@ -152,7 +160,9 @@ type Object struct {

 	// Type is "workspace", "project", "app", etc
 	Type string `json:"type"`
-	// TODO: SharedUsers?
+
+	ACLUserList  map[string][]Action ` json:"acl_user_list"`
+	ACLGroupList map[string][]Action ` json:"acl_group_list"`
 }

 func (z Object) RBACObject() Object {
@ -162,26 +172,53 @@ func (z Object) RBACObject() Object {
 // All returns an object matching all resources of the same type.
 func (z Object) All() Object {
 	return Object{
-		Owner: "",
-		OrgID: "",
-		Type:  z.Type,
+		Owner:        "",
+		OrgID:        "",
+		Type:         z.Type,
+		ACLUserList:  map[string][]Action{},
+		ACLGroupList: map[string][]Action{},
 	}
 }

 // InOrg adds an org OwnerID to the resource
 func (z Object) InOrg(orgID uuid.UUID) Object {
 	return Object{
-		Owner: z.Owner,
-		OrgID: orgID.String(),
-		Type:  z.Type,
+		Owner:        z.Owner,
+		OrgID:        orgID.String(),
+		Type:         z.Type,
+		ACLUserList:  z.ACLUserList,
+		ACLGroupList: z.ACLGroupList,
 	}
 }

 // WithOwner adds an OwnerID to the resource
 func (z Object) WithOwner(ownerID string) Object {
 	return Object{
-		Owner: ownerID,
-		OrgID: z.OrgID,
-		Type:  z.Type,
+		Owner:        ownerID,
+		OrgID:        z.OrgID,
+		Type:         z.Type,
+		ACLUserList:  z.ACLUserList,
+		ACLGroupList: z.ACLGroupList,
+	}
+}
+
+// WithACLUserList adds an ACL list to a given object
+func (z Object) WithACLUserList(acl map[string][]Action) Object {
+	return Object{
+		Owner:        z.Owner,
+		OrgID:        z.OrgID,
+		Type:         z.Type,
+		ACLUserList:  acl,
+		ACLGroupList: z.ACLGroupList,
+	}
+}
+
+func (z Object) WithGroupACL(groups map[string][]Action) Object {
+	return Object{
+		Owner:        z.Owner,
+		OrgID:        z.OrgID,
+		Type:         z.Type,
+		ACLUserList:  z.ACLUserList,
+		ACLGroupList: groups,
 	}
 }