mirror of
https://github.com/coder/coder.git
synced 2025-07-06 15:41:45 +00:00
013f028e55
* feat: Add app support This adds apps as a property to a workspace agent. The resource is added to the Terraform provider here: https://github.com/coder/terraform-provider-coder/pull/17 Apps will be opened in the dashboard or via the CLI with `coder open <name>`. If `command` is specified, a terminal will appear locally and in the web. If `target` is specified, the browser will open to an exposed instance of that target. * Compare fields in apps test * Update Terraform provider to use relative path * Add some basic structure for routing * chore: Remove interface from coderd and lift API surface Abstracting coderd into an interface added misdirection because the interface was never intended to be fulfilled outside of a single implementation. This lifts the abstraction, and attaches all handlers to a root struct named `*coderd.API`. * Add basic proxy logic * Add proxying based on path * Add app proxying for wildcards * Add wsconncache * fix: Race when writing to a closed pipe This is such an intermittent race it's difficult to track, but regardless this is an improvement to the code. * fix: Race when writing to a closed pipe This is such an intermittent race it's difficult to track, but regardless this is an improvement to the code. * fix: Race when writing to a closed pipe This is such an intermittent race it's difficult to track, but regardless this is an improvement to the code. * fix: Race when writing to a closed pipe This is such an intermittent race it's difficult to track, but regardless this is an improvement to the code. * Add workspace route proxying endpoint - Makes the workspace conn cache concurrency-safe - Reduces unnecessary open checks in `peer.Channel` - Fixes the use of a temporary context when dialing a workspace agent * Add embed errors * chore: Refactor site to improve testing It was difficult to develop this package due to the embed build tag being mandatory on the tests. The logic to test doesn't require any embedded files. * Add test for error handler * Remove unused access url * Add RBAC tests * Fix dial agent syntax * Fix linting errors * Fix gen * Fix icon required * Adjust migration number * Fix proxy error status code * Fix empty db lookup
164 lines
4.3 KiB
Go
164 lines
4.3 KiB
Go
package rbac
|
|
|
|
import (
|
|
"github.com/google/uuid"
|
|
)
|
|
|
|
const WildcardSymbol = "*"
|
|
|
|
// Objecter returns the RBAC object for itself.
|
|
type Objecter interface {
|
|
RBACObject() Object
|
|
}
|
|
|
|
// Resources are just typed objects. Making resources this way allows directly
|
|
// passing them into an Authorize function and use the chaining api.
|
|
var (
|
|
// ResourceWorkspace CRUD. Org + User owner
|
|
// create/delete = make or delete workspaces
|
|
// read = access workspace
|
|
// update = edit workspace variables
|
|
ResourceWorkspace = Object{
|
|
Type: "workspace",
|
|
}
|
|
|
|
// ResourceTemplate CRUD. Org owner only.
|
|
// create/delete = Make or delete a new template
|
|
// update = Update the template, make new template versions
|
|
// read = read the template and all versions associated
|
|
ResourceTemplate = Object{
|
|
Type: "template",
|
|
}
|
|
|
|
ResourceFile = Object{
|
|
Type: "file",
|
|
}
|
|
|
|
ResourceProvisionerDaemon = Object{
|
|
Type: "provisioner_daemon",
|
|
}
|
|
|
|
// ResourceOrganization CRUD. Has an org owner on all but 'create'.
|
|
// create/delete = make or delete organizations
|
|
// read = view org information (Can add user owner for read)
|
|
// update = ??
|
|
ResourceOrganization = Object{
|
|
Type: "organization",
|
|
}
|
|
|
|
// ResourceRoleAssignment might be expanded later to allow more granular permissions
|
|
// to modifying roles. For now, this covers all possible roles, so having this permission
|
|
// allows granting/deleting **ALL** roles.
|
|
// Never has an owner or org.
|
|
// create = Assign roles
|
|
// update = ??
|
|
// read = View available roles to assign
|
|
// delete = Remove role
|
|
ResourceRoleAssignment = Object{
|
|
Type: "assign_role",
|
|
}
|
|
|
|
// ResourceOrgRoleAssignment is just like ResourceRoleAssignment but for organization roles.
|
|
ResourceOrgRoleAssignment = Object{
|
|
Type: "assign_org_role",
|
|
}
|
|
|
|
// ResourceAPIKey is owned by a user.
|
|
// create = Create a new api key for user
|
|
// update = ??
|
|
// read = View api key
|
|
// delete = Delete api key
|
|
ResourceAPIKey = Object{
|
|
Type: "api_key",
|
|
}
|
|
|
|
// ResourceUser is the user in the 'users' table.
|
|
// ResourceUser never has any owners or in an org, as it's site wide.
|
|
// create/delete = make or delete a new user.
|
|
// read = view all 'user' table data
|
|
// update = update all 'user' table data
|
|
ResourceUser = Object{
|
|
Type: "user",
|
|
}
|
|
|
|
// ResourceUserData is any data associated with a user. A user has control
|
|
// over their data (profile, password, etc). So this resource has an owner.
|
|
ResourceUserData = Object{
|
|
Type: "user_data",
|
|
}
|
|
|
|
// ResourceOrganizationMember is a user's membership in an organization.
|
|
// Has ONLY an organization owner. The resource ID is the user's ID
|
|
// create/delete = Create/delete member from org.
|
|
// update = Update organization member
|
|
// read = View member
|
|
ResourceOrganizationMember = Object{
|
|
Type: "organization_member",
|
|
}
|
|
|
|
// ResourceWildcard represents all resource types
|
|
ResourceWildcard = Object{
|
|
Type: WildcardSymbol,
|
|
}
|
|
)
|
|
|
|
// Object is used to create objects for authz checks when you have none in
|
|
// hand to run the check on.
|
|
// An example is if you want to list all workspaces, you can create a Object
|
|
// that represents the set of workspaces you are trying to get access too.
|
|
// Do not export this type, as it can be created from a resource type constant.
|
|
type Object struct {
|
|
ResourceID string `json:"id"`
|
|
Owner string `json:"owner"`
|
|
// OrgID specifies which org the object is a part of.
|
|
OrgID string `json:"org_owner"`
|
|
|
|
// Type is "workspace", "project", "app", etc
|
|
Type string `json:"type"`
|
|
// TODO: SharedUsers?
|
|
}
|
|
|
|
func (z Object) RBACObject() Object {
|
|
return z
|
|
}
|
|
|
|
// All returns an object matching all resources of the same type.
|
|
func (z Object) All() Object {
|
|
return Object{
|
|
ResourceID: "",
|
|
Owner: "",
|
|
OrgID: "",
|
|
Type: z.Type,
|
|
}
|
|
}
|
|
|
|
// InOrg adds an org OwnerID to the resource
|
|
func (z Object) InOrg(orgID uuid.UUID) Object {
|
|
return Object{
|
|
ResourceID: z.ResourceID,
|
|
Owner: z.Owner,
|
|
OrgID: orgID.String(),
|
|
Type: z.Type,
|
|
}
|
|
}
|
|
|
|
// WithOwner adds an OwnerID to the resource
|
|
func (z Object) WithOwner(ownerID string) Object {
|
|
return Object{
|
|
ResourceID: z.ResourceID,
|
|
Owner: ownerID,
|
|
OrgID: z.OrgID,
|
|
Type: z.Type,
|
|
}
|
|
}
|
|
|
|
// WithID adds a ResourceID to the resource
|
|
func (z Object) WithID(resourceID string) Object {
|
|
return Object{
|
|
ResourceID: resourceID,
|
|
Owner: z.Owner,
|
|
OrgID: z.OrgID,
|
|
Type: z.Type,
|
|
}
|
|
}
|