chore: merge provisioner key and provisioner permissions (#16628)

Provisioner key permissions were never any different than provisioners.
Merging them for a cleaner permission story until they are required (if
ever) to be separate.

This removed `ResourceProvisionerKey` from RBAC and just uses the
existing `ResourceProvisioner`.
Steven Masley
2025-02-24 13:31:11 -06:00
committed by GitHub
parent 8f33c6d8d1
commit e005e4e51d
14 changed files with 34 additions and 62 deletions


@ -147,9 +147,13 @@ func (api *API) putOrgRoles(rw http.ResponseWriter, r *http.Request) {
UUID: organization.ID,
Valid: true,
},
SitePermissions: db2sdk.List(req.SitePermissions, sdkPermissionToDB),
OrgPermissions: db2sdk.List(req.OrganizationPermissions, sdkPermissionToDB),
UserPermissions: db2sdk.List(req.UserPermissions, sdkPermissionToDB),
// Invalid permissions are filtered out. If this is changed
// to throw an error, then the story of a previously valid role
// now being invalid has to be addressed. Coder can change permissions,
// objects, and actions at any time.
SitePermissions: db2sdk.List(filterInvalidPermissions(req.SitePermissions), sdkPermissionToDB),
OrgPermissions: db2sdk.List(filterInvalidPermissions(req.OrganizationPermissions), sdkPermissionToDB),
UserPermissions: db2sdk.List(filterInvalidPermissions(req.UserPermissions), sdkPermissionToDB),
})
if httpapi.Is404Error(err) {
httpapi.ResourceNotFound(rw)
@ -247,6 +251,23 @@ func (api *API) deleteOrgRole(rw http.ResponseWriter, r *http.Request) {
httpapi.Write(ctx, rw, http.StatusNoContent, nil)
}
func filterInvalidPermissions(permissions []codersdk.Permission) []codersdk.Permission {
// Filter out any invalid permissions
var validPermissions []codersdk.Permission
for _, permission := range permissions {
err := rbac.Permission{
Negate: permission.Negate,
ResourceType: string(permission.ResourceType),
Action: policy.Action(permission.Action),
}.Valid()
if err != nil {
continue
}
validPermissions = append(validPermissions, permission)
}
return validPermissions
}
func sdkPermissionToDB(p codersdk.Permission) database.CustomRolePermission {
return database.CustomRolePermission{
Negate: p.Negate,
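Review bot: filterInvalidPermissions drops every entry whose `Valid()` call returns an error without logging it or reporting it to the caller, so putOrgRoles can store a role that differs from the one submitted and still return success. This matters most for entries with `Negate: true`: if a deny rule names a resource type or action that is no longer valid, it disappears silently and the stored role may be broader than its author intended. That is worth confirming, since this commit removes `ResourceProvisionerKey` from RBAC. Consider collecting the rejected entries and surfacing them (a log line, or a warning in the response). Also give the helper a doc comment such as `// filterInvalidPermissions returns only the permissions that pass rbac.Permission.Valid(); invalid entries are dropped, not rejected.` The body of sdkPermissionToDB continues outside the hunk.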