chore: break down dbauthz.System into smaller roles (#6218)
- rbac: export rbac.Permissions
- dbauthz: move GetDeploymentDAUs, GetTemplateDAUs, GetTemplateAverageBuildTime from querier.go to system.go and remove auth checks
- dbauthz: remove AsSystem(), add individual roles for autostart, provisionerd, add restricted system role for everything else
@ -811,7 +811,7 @@ func TestAuthorizeScope(t *testing.T) {
|
||||
Role: Role{
|
||||
Name: "workspace_agent",
|
||||
DisplayName: "Workspace Agent",
|
||||
Site: permissions(map[string][]Action{
|
||||
Site: Permissions(map[string][]Action{
|
||||
// Only read access for workspaces.
|
||||
ResourceWorkspace.Type: {ActionRead},
|
||||
}),
|
||||
@ -900,7 +900,7 @@ func TestAuthorizeScope(t *testing.T) {
|
||||
Role: Role{
|
||||
Name: "create_workspace",
|
||||
DisplayName: "Create Workspace",
|
||||
Site: permissions(map[string][]Action{
|
||||
Site: Permissions(map[string][]Action{
|
||||
// Only read access for workspaces.
|
||||
ResourceWorkspace.Type: {ActionCreate},
|
||||
}),
|
||||
|
@ -77,7 +77,7 @@ var (
|
||||
return Role{
|
||||
Name: owner,
|
||||
DisplayName: "Owner",
|
||||
Site: permissions(map[string][]Action{
|
||||
Site: Permissions(map[string][]Action{
|
||||
ResourceWildcard.Type: {WildcardSymbol},
|
||||
}),
|
||||
Org: map[string][]Permission{},
|
||||
@ -90,7 +90,7 @@ var (
|
||||
return Role{
|
||||
Name: member,
|
||||
DisplayName: "",
|
||||
Site: permissions(map[string][]Action{
|
||||
Site: Permissions(map[string][]Action{
|
||||
// All users can read all other users and know they exist.
|
||||
ResourceUser.Type: {ActionRead},
|
||||
ResourceRoleAssignment.Type: {ActionRead},
|
||||
@ -98,7 +98,7 @@ var (
|
||||
ResourceProvisionerDaemon.Type: {ActionRead},
|
||||
}),
|
||||
Org: map[string][]Permission{},
|
||||
User: permissions(map[string][]Action{
|
||||
User: Permissions(map[string][]Action{
|
||||
ResourceWildcard.Type: {WildcardSymbol},
|
||||
}),
|
||||
}
|
||||
@ -111,7 +111,7 @@ var (
|
||||
return Role{
|
||||
Name: auditor,
|
||||
DisplayName: "Auditor",
|
||||
Site: permissions(map[string][]Action{
|
||||
Site: Permissions(map[string][]Action{
|
||||
// Should be able to read all template details, even in orgs they
|
||||
// are not in.
|
||||
ResourceTemplate.Type: {ActionRead},
|
||||
@ -126,7 +126,7 @@ var (
|
||||
return Role{
|
||||
Name: templateAdmin,
|
||||
DisplayName: "Template Admin",
|
||||
Site: permissions(map[string][]Action{
|
||||
Site: Permissions(map[string][]Action{
|
||||
ResourceTemplate.Type: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
|
||||
// CRUD all files, even those they did not upload.
|
||||
ResourceFile.Type: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
|
||||
@ -145,7 +145,7 @@ var (
|
||||
return Role{
|
||||
Name: userAdmin,
|
||||
DisplayName: "User Admin",
|
||||
Site: permissions(map[string][]Action{
|
||||
Site: Permissions(map[string][]Action{
|
||||
ResourceRoleAssignment.Type: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
|
||||
ResourceUser.Type: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
|
||||
// Full perms to manage org members
|
||||
@ -430,9 +430,9 @@ func roleSplit(role string) (name string, orgID string, err error) {
|
||||
return arr[0], "", nil
|
||||
}
|
||||
|
||||
// permissions is just a helper function to make building roles that list out resources
|
||||
// Permissions is just a helper function to make building roles that list out resources
|
||||
// and actions a bit easier.
|
||||
func permissions(perms map[string][]Action) []Permission {
|
||||
func Permissions(perms map[string][]Action) []Permission {
|
||||
list := make([]Permission, 0, len(perms))
|
||||
for k, actions := range perms {
|
||||
for _, act := range actions {
|
||||
|
@ -79,7 +79,7 @@ var builtinScopes = map[ScopeName]Scope{
|
||||
Role: Role{
|
||||
Name: fmt.Sprintf("Scope_%s", ScopeAll),
|
||||
DisplayName: "All operations",
|
||||
Site: permissions(map[string][]Action{
|
||||
Site: Permissions(map[string][]Action{
|
||||
ResourceWildcard.Type: {WildcardSymbol},
|
||||
}),
|
||||
Org: map[string][]Permission{},
|
||||
@ -92,7 +92,7 @@ var builtinScopes = map[ScopeName]Scope{
|
||||
Role: Role{
|
||||
Name: fmt.Sprintf("Scope_%s", ScopeApplicationConnect),
|
||||
DisplayName: "Ability to connect to applications",
|
||||
Site: permissions(map[string][]Action{
|
||||
Site: Permissions(map[string][]Action{
|
||||
ResourceWorkspaceApplicationConnect.Type: {ActionCreate},
|
||||
}),
|
||||
Org: map[string][]Permission{},
|
||||
|