feat: provide endpoint to lock/unlock workspace (#8239)

2025-07-03 16:13:58 +00:00 · 2023-06-28 16:12:49 -05:00
parent 72e83df578
commit 749307ef08
31 changed files with 577 additions and 51 deletions
--- a/coderd/rbac/object.go
+++ b/coderd/rbac/object.go
@ -28,6 +28,21 @@ var (
 		Type: "workspace",
 	}

+	// ResourceWorkspaceBuild refers to permissions necessary to
+	// insert a workspace build job.
+	// create/delete = ?
+	// read = read workspace builds
+	// update = insert/update workspace builds.
+	ResourceWorkspaceBuild = Object{
+		Type: "workspace_build",
+	}
+
+	// ResourceWorkspaceLocked is returned if a workspace is locked.
+	// It grants restricted permissions on workspace builds.
+	ResourceWorkspaceLocked = Object{
+		Type: "workspace_locked",
+	}
+
 	// ResourceWorkspaceProxy CRUD. Org
 	//	create/delete = make or delete proxies
 	// 	read = read proxy urls
--- a/coderd/rbac/object_gen.go
+++ b/coderd/rbac/object_gen.go
@ -25,7 +25,9 @@ func AllResources() []Object {
 		ResourceWildcard,
 		ResourceWorkspace,
 		ResourceWorkspaceApplicationConnect,
+		ResourceWorkspaceBuild,
 		ResourceWorkspaceExecution,
+		ResourceWorkspaceLocked,
 		ResourceWorkspaceProxy,
 	}
 }
--- a/coderd/rbac/roles.go
+++ b/coderd/rbac/roles.go
@ -121,7 +121,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 		opts = &RoleOptions{}
 	}

-	var ownerAndAdminExceptions []Object
+	ownerAndAdminExceptions := []Object{ResourceWorkspaceLocked}
 	if opts.NoOwnerWorkspaceExec {
 		ownerAndAdminExceptions = append(ownerAndAdminExceptions,
 			ResourceWorkspaceExecution,
@ -152,7 +152,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 			ResourceProvisionerDaemon.Type: {ActionRead},
 		}),
 		Org:  map[string][]Permission{},
-		User: allPermsExcept(),
+		User: allPermsExcept(ResourceWorkspaceLocked),
 	}.withCachedRegoValue()

 	auditorRole := Role{
@ -234,7 +234,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 				Site:        []Permission{},
 				Org: map[string][]Permission{
 					// Org admins should not have workspace exec perms.
-					organizationID: allPermsExcept(ResourceWorkspaceExecution),
+					organizationID: allPermsExcept(ResourceWorkspaceExecution, ResourceWorkspaceLocked),
 				},
 				User: []Permission{},
 			}
--- a/coderd/rbac/roles_test.go
+++ b/coderd/rbac/roles_test.go
@ -318,6 +318,24 @@ func TestRolePermissions(t *testing.T) {
 				false: {memberMe, otherOrgAdmin, otherOrgMember, templateAdmin},
 			},
 		},
+		{
+			Name:     "WorkspaceLocked",
+			Actions:  rbac.AllActions(),
+			Resource: rbac.ResourceWorkspaceLocked.WithID(uuid.New()).InOrg(orgID).WithOwner(memberMe.Actor.ID),
+			AuthorizeMap: map[bool][]authSubject{
+				true:  {},
+				false: {memberMe, orgAdmin, userAdmin, otherOrgAdmin, otherOrgMember, orgMemberMe, owner, templateAdmin},
+			},
+		},
+		{
+			Name:     "WorkspaceBuild",
+			Actions:  rbac.AllActions(),
+			Resource: rbac.ResourceWorkspaceBuild.WithID(uuid.New()).InOrg(orgID).WithOwner(memberMe.Actor.ID),
+			AuthorizeMap: map[bool][]authSubject{
+				true:  {owner, orgAdmin, orgMemberMe},
+				false: {userAdmin, otherOrgAdmin, otherOrgMember, templateAdmin, memberMe},
+			},
+		},
 	}

 	for _, c := range testCases {