8000 chore: implement 'use' verb to template object, `read` has less scope… · coder/coder@f34e6fd · GitHub
[go: up one dir, main page]

Skip to content

Commit f34e6fd

Browse files
authored
chore: implement 'use' verb to template object, read has less scope now (#16075)
Template `use` is now a verb. - Template admins can `use` all templates (org template admins same in org) - Members get the `use` perm from the `everyone` group in the `group_acl`.
1 parent 3217cb8 commit f34e6fd

File tree

17 files changed

+128
-28
lines changed

17 files changed

+128
-28
lines changed

coderd/database/db2sdk/db2sdk.go

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,7 @@ import (
1717

1818
"github.com/coder/coder/v2/coderd/database"
1919
"github.com/coder/coder/v2/coderd/rbac"
20+
"github.com/coder/coder/v2/coderd/rbac/policy"
2021
"github.com/coder/coder/v2/coderd/render"
2122
"github.com/coder/coder/v2/coderd/workspaceapps/appurl"
2223
"github.com/coder/coder/v2/codersdk"
@@ -694,3 +695,13 @@ func MatchedProvisioners(provisionerDaemons []database.ProvisionerDaemon, now ti
694695
}
695696
return matched
696697
}
698+
699+
func TemplateRoleActions(role codersdk.TemplateRole) []policy.Action {
700+
switch role {
701+
case codersdk.TemplateRoleAdmin:
702+
return []policy.Action{policy.WildcardSymbol}
703+
case codersdk.TemplateRoleUse:
704+
return []policy.Action{policy.ActionRead, policy.ActionUse}
705+
}
706+
return []policy.Action{}
707+
}

coderd/database/dbauthz/dbauthz.go

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3169,6 +3169,14 @@ func (q *querier) InsertUserLink(ctx context.Context, arg database.InsertUserLin
31693169

31703170
func (q *querier) InsertWorkspace(ctx context.Context, arg database.InsertWorkspaceParams) (database.WorkspaceTable, error) {
31713171
obj := rbac.ResourceWorkspace.WithOwner(arg.OwnerID.String()).InOrg(arg.OrganizationID)
3172+
tpl, err := q.GetTemplateByID(ctx, arg.TemplateID)
3173+
if err != nil {
3174+
return database.WorkspaceTable{}, xerrors.Errorf("verify template by id: %w", err)
3175+
}
3176+
if err := q.authorizeContext(ctx, policy.ActionUse, tpl); err != nil {
3177+
return database.WorkspaceTable{}, xerrors.Errorf("use template for workspace: %w", err)
3178+
}
3179+
31723180
return insert(q.log, q.auth, obj, q.db.InsertWorkspace)(ctx, arg)
31733181
}
31743182

coderd/database/dbauthz/dbauthz_test.go

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2459,7 +2459,7 @@ func (s *MethodTestSuite) TestWorkspace() {
24592459
OrganizationID: o.ID,
24602460
AutomaticUpdates: database.AutomaticUpdatesNever,
24612461
TemplateID: tpl.ID,
2462-
}).Asserts(rbac.ResourceWorkspace.WithOwner(u.ID.String()).InOrg(o.ID), policy.ActionCreate)
2462+
}).Asserts(tpl, policy.ActionRead, tpl, policy.ActionUse, rbac.ResourceWorkspace.WithOwner(u.ID.String()).InOrg(o.ID), policy.ActionCreate)
24632463
}))
24642464
s.Run("Start/InsertWorkspaceBuild", s.Subtest(func(db database.Store, check *expects) {
24652465
u := dbgen.User(s.T(), db, database.User{})

coderd/database/dbgen/dbgen.go

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -20,12 +20,13 @@ import (
2020
"golang.org/x/xerrors"
2121

2222
"github.com/coder/coder/v2/coderd/database"
23+
"github.com/coder/coder/v2/coderd/database/db2sdk"
2324
"github.com/coder/coder/v2/coderd/database/dbauthz"
2425
"github.com/coder/coder/v2/coderd/database/dbtime"
2526
"github.com/coder/coder/v2/coderd/database/provisionerjobs"
2627
"github.com/coder/coder/v2/coderd/database/pubsub"
2728
"github.com/coder/coder/v2/coderd/rbac"
28-
"github.com/coder/coder/v2/coderd/rbac/policy"
29+
"github.com/coder/coder/v2/codersdk"
2930
"github.com/coder/coder/v2/cryptorand"
3031
"github.com/coder/coder/v2/testutil"
3132
)
@@ -75,7 +76,7 @@ func Template(t testing.TB, db database.Store, seed database.Template) database.
7576
if seed.GroupACL == nil {
7677
// By default, all users in the organization can read the template.
7778
seed.GroupACL = database.TemplateACL{
78-
seed.OrganizationID.String(): []policy.Action{policy.ActionRead},
79+
seed.OrganizationID.String(): db2sdk.TemplateRoleActions(codersdk.TemplateRoleUse),
7980
}
8081
}
8182
if seed.UserACL == nil {
Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
UPDATE
2+
templates
3+
SET
4+
group_acl = replace(group_acl::text, '["read", "use"]', '["read"]')::jsonb,
5+
user_acl = replace(user_acl::text, '["read", "use"]', '["read"]')::jsonb
Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
-- With the "use" verb now existing for templates, we need to update the acl's to
2+
-- include "use" where the permissions set ["read"] is present.
3+
-- The other permission set is ["*"] which is unaffected.
4+
5+
UPDATE
6+
templates
7+
SET
8+
-- Instead of trying to write a complicated SQL query to update the JSONB
9+
-- object, a string replace is much simpler and easier to understand.
10+
-- Both pieces of text are JSON arrays, so this safe to do.
11+
group_acl = replace(group_acl::text, '["read"]', '["read", "use"]')::jsonb,
12+
user_acl = replace(user_acl::text, '["read"]', '["read", "use"]')::jsonb

coderd/insights_test.go

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -23,12 +23,12 @@ import (
2323
agentproto "github.com/coder/coder/v2/agent/proto"
2424
"github.com/coder/coder/v2/coderd/coderdtest"
2525
"github.com/coder/coder/v2/coderd/database"
26+
"github.com/coder/coder/v2/coderd/database/db2sdk"
2627
"github.com/coder/coder/v2/coderd/database/dbauthz"
2728
"github.com/coder/coder/v2/coderd/database/dbgen"
2829
"github.com/coder/coder/v2/coderd/database/dbrollup"
2930
"github.com/coder/coder/v2/coderd/database/dbtestutil"
3031
"github.com/coder/coder/v2/coderd/rbac"
31-
"github.com/coder/coder/v2/coderd/rbac/policy"
3232
"github.com/coder/coder/v2/coderd/workspaceapps"
3333
"github.com/coder/coder/v2/coderd/workspacestats"
3434
"github.com/coder/coder/v2/codersdk"
@@ -675,7 +675,7 @@ func TestTemplateInsights_Golden(t *testing.T) {
675675
OrganizationID: firstUser.OrganizationID,
676676
CreatedBy: firstUser.UserID,
677677
GroupACL: database.TemplateACL{
678-
firstUser.OrganizationID.String(): []policy.Action{policy.ActionRead},
678+
firstUser.OrganizationID.String(): db2sdk.TemplateRoleActions(codersdk.TemplateRoleUse),
679679
},
680680
})
681681
err := db.UpdateTemplateVersionByID(context.Background(), database.UpdateTemplateVersionByIDParams{
@@ -1573,7 +1573,7 @@ func TestUserActivityInsights_Golden(t *testing.T) {
15731573
OrganizationID: firstUser.OrganizationID,
15741574
CreatedBy: firstUser.UserID,
15751575
GroupACL: database.TemplateACL{
1576-
firstUser.OrganizationID.String(): []policy.Action{policy.ActionRead},
1576+
firstUser.OrganizationID.String(): db2sdk.TemplateRoleActions(codersdk.TemplateRoleUse),
15771577
},
15781578
})
15791579
err := db.UpdateTemplateVersionByID(context.Background(), database.UpdateTemplateVersionByIDParams{

coderd/rbac/object_gen.go

Lines changed: 1 addition & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

coderd/rbac/policy/policy.go

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -133,8 +133,8 @@ var RBACPermissions = map[string]PermissionDefinition{
133133
},
134134
"template": {
135135
Actions: map[Action]ActionDefinition{
136-
ActionCreate: actDef("create a template"),
137-
// TODO: Create a use permission maybe?
136+
ActionCreate: actDef("create a template"),
137+
ActionUse: actDef("use the template to initially create a workspace, then workspace lifecycle permissions take over"),
138138
ActionRead: actDef("read template"),
139139
ActionUpdate: actDef("update a template"),
140140
ActionDelete: actDef("delete a template"),

coderd/rbac/roles.go

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -318,7 +318,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
318318
Identifier: RoleTemplateAdmin(),
319319
DisplayName: "Template Admin",
320320
Site: Permissions(map[string][]policy.Action{
321-
ResourceTemplate.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete, policy.ActionViewInsights},
321+
ResourceTemplate.Type: ResourceTemplate.AvailableActions(),
322322
// CRUD all files, even those they did not upload.
323323
ResourceFile.Type: {policy.ActionCreate, policy.ActionRead},
324324
ResourceWorkspace.Type: {policy.ActionRead},
@@ -476,7 +476,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
476476
Site: []Permission{},
477477
Org: map[string][]Permission{
478478
organizationID.String(): Permissions(map[string][]policy.Action{
479-
ResourceTemplate.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete, policy.ActionViewInsights},
479+
ResourceTemplate.Type: ResourceTemplate.AvailableActions(),
480480
ResourceFile.Type: {policy.ActionCreate, policy.ActionRead},
481481
ResourceWorkspace.Type: {policy.ActionRead},
482482
// Assigning template perms requires this permission.

0 commit comments

Comments
 (0)
0