chore: Implement standard rbac.Subject to be reused everywhere (#5881)

* chore: Implement standard rbac.Subject to be reused everywhere An rbac subject is created in multiple spots because of the way we expand roles, scopes, etc. This difference in use creates a list of arguments which is unwieldy. Use of the expander interface lets us conform to a single subject in every case
2025-07-13 21:36:50 +00:00 · 2023-01-26 14:42:54 -06:00
parent 5c54d8b8cd
commit b0a16150a3
18 changed files with 465 additions and 371 deletions
--- a/coderd/rbac/role.go
+++ b/coderd/rbac/role.go
@ -1,5 +1,20 @@
 package rbac

+// ExpandableRoles is any type that can be expanded into a []Role. This is implemented
+// as an interface so we can have RoleNames for user defined roles, and implement
+// custom ExpandableRoles for system type users (eg autostart/autostop system role).
+// We want a clear divide between the two types of roles so users have no codepath
+// to interact or assign system roles.
+//
+// Note: We may also want to do the same thing with scopes to allow custom scope
+// support unavailable to the user. Eg: Scope to a single resource.
+type ExpandableRoles interface {
+	Expand() ([]Role, error)
+	// Names is for logging and tracing purposes, we want to know the human
+	// names of the expanded roles.
+	Names() []string
+}
+
 // Permission is the format passed into the rego.
 type Permission struct {
 	// Negate makes this a negative permission
@ -27,3 +42,17 @@ type Role struct {
 	Org  map[string][]Permission `json:"org"`
 	User []Permission            `json:"user"`
 }
+
+type Roles []Role
+
+func (roles Roles) Expand() ([]Role, error) {
+	return roles, nil
+}
+
+func (roles Roles) Names() []string {
+	names := make([]string, 0, len(roles))
+	for _, r := range roles {
+		return append(names, r.Name)
+	}
+	return names
+}