- rbac: export rbac.Permissions
- dbauthz: move GetDeploymentDAUs, GetTemplateDAUs,
GetTemplateAverageBuildTime from querier.go to system.go
and removes auth checks
- dbauthz: remove AsSystem(), add individual roles for
autostart, provisionerd, add restricted system role for
everything else
The authz library returns a 404 if the authorization fails. If the
context is cancelled, then a 404 message is inaccurate.
Add a unit test to ensure context cancelled errors are raised
properly
feat: Add initial AuthzQuerier implementation
- Adds package database/dbauthz that adds a database.Store implementation where each method goes through AuthZ checks
- Implements all database.Store methods on AuthzQuerier
- Updates and fixes unit tests where required
- Updates coderd initialization to use AuthzQuerier if codersdk.ExperimentAuthzQuerier is enabled
* chore: Force license uuids to not be null
* All unit tests generate uuids for licenses
* Update migration files to new numbers
* Put migration in transaction
* chore: Use dbgen in unit test
- organizationparam_test
- templateparam_test
* Use dbgen in all unit tests vs insert methods
* fixup! Use dbgen in all unit tests vs insert methods
---------
Co-authored-by: Cian Johnston <cian@coder.com>
* added migration for api key resource
* sort of working
* auditing login
* passing the correct user id
* added and fixed tests
* gen documentation
* formatting and lint
* lint
* audit Github oauth and write tests
* audit oauth and write tests
* added defer fn for login error auditing
* fixed test
* feat: audit logout (#5998)
* Update coderd/userauth.go
Co-authored-by: Steven Masley <Emyrk@users.noreply.github.com>
* fix test
* bypassing diff generation if login/logout
* lint
---------
Co-authored-by: Steven Masley <Emyrk@users.noreply.github.com>
* fix: index template versions by template and name
We were incorrectly returning template versions by name relative
to organizations. This could result in an incorrect version being
returned if multiple templates had versions with the same name.
* Fix auth referencing
* Fix route location
* Fix authorize route name
* Fix previous call
* Fix authorize route name
* chore: Update sqlc to v1.16.0
* chore: Fix cases where types became Null-types
* chore: Set parameter_schemas default_destination_scheme and default_source_scheme to NOT NULL
* chore: Add enum validation to database fake
* chore: Fix all tests that skipping enum values
* fix: Use correct err in providionerdserver audit log failure log
* feat: Implement allow_list for scopes for resource specific permissions
Feature that adds an allow_list for scopes to specify particular resources.
This enables workspace agent tokens to use the same RBAC system as users.
- Add ID to compileSQL matchers
* Plumb through WithID on rbac objects
* Rename Scope -> ScopeName
* Update input.json with scope allow_list
Co-authored-by: Cian Johnston <cian@coder.com>
* added AuditableGroup type
* added json tags
* Anonymizing gGroup struct
* adding support on the FE for nested group diffs
* added type for GroupMember
* Update coderd/database/modelmethods.go
Co-authored-by: Steven Masley <Emyrk@users.noreply.github.com>
* Update coderd/database/modelmethods.go
Co-authored-by: Steven Masley <Emyrk@users.noreply.github.com>
* fetching group members in group.delete
* passing through right error
* broke out into util function and added tests
Co-authored-by: Steven Masley <Emyrk@users.noreply.github.com>
* chore: More complete tracing for RBAC functions
* Add input.json as example rbac input for rego cli
The input.json is required to play with the rego cli and debug
the policy without golang. It is good to have an example to run
the commands in the readme.md
* Add span events to capture authorize and prepared results
* chore: Add prometheus metrics to rbac authorizer
* feat: enable enterprise users to specify a custom logo
This adds a field in deployment settings that allows users to specify
the URL to a custom logo that will display in the dashboard.
This also groups service banner into a new appearance settings page.
It adds a Fieldset component to allow for modular fields moving forward.
* Fix tests
* fix: No org admins until organizations are in the UI
Until organizations have management UI, we should not set any org
admins. This goes around the site wide perms transparently and
is confusing to users.
Default user is no longer an org admin, so the demotion test makes
no sense
