feat: Check permissions endpoint by Emyrk · Pull Request #1389 · coder/coder · GitHub

feat: Check permissions endpoint #1389

Merged
merged 10 commits into from
May 12, 2022
Make gen
Emyrk committed May 11, 2022
commit e584a163153148175531db004e6fe4f1100071c7
50 changes: 35 additions & 15 deletions site/src/api/typesGenerated.ts
Expand Up @@ -12,7 +12,7 @@ export interface AgentGitSSHKey {
readonly private_key: string
}

// From codersdk/users.go:100:6
// From codersdk/users.go:123:6
export interface AuthMethods {
readonly password: boolean
readonly github: boolean
Expand All @@ -30,21 +30,21 @@ export interface BuildInfoResponse {
readonly version: string
}

// From codersdk/users.go:41:6
// From codersdk/users.go:43:6
export interface CreateFirstUserRequest {
readonly email: string
readonly username: string
readonly password: string
readonly organization: string
}

// From codersdk/users.go:49:6
// From codersdk/users.go:51:6
export interface CreateFirstUserResponse {
readonly user_id: string
readonly organization_id: string
}

// From codersdk/users.go:95:6
// From codersdk/users.go:118:6
export interface CreateOrganizationRequest {
readonly name: string
}
Expand Down Expand Up @@ -77,7 +77,7 @@ export interface CreateTemplateVersionRequest {
readonly parameter_values: CreateParameterRequest[]
}

// From codersdk/users.go:54:6
// From codersdk/users.go:56:6
export interface CreateUserRequest {
readonly email: string
readonly username: string
Expand All @@ -101,7 +101,7 @@ export interface CreateWorkspaceRequest {
readonly parameter_values: CreateParameterRequest[]
}

// From codersdk/users.go:91:6
// From codersdk/users.go:114:6
export interface GenerateAPIKeyResponse {
readonly key: string
}
Expand All @@ -119,13 +119,13 @@ export interface GoogleInstanceIdentityToken {
readonly json_web_token: string
}

// From codersdk/users.go:80:6
// From codersdk/users.go:103:6
export interface LoginWithPasswordRequest {
readonly email: string
readonly password: string
}

// From codersdk/users.go:86:6
// From codersdk/users.go:109:6
export interface LoginWithPasswordResponse {
readonly session_token: string
}
Expand Down Expand Up @@ -273,17 +273,17 @@ export interface UpdateActiveTemplateVersion {
readonly id: string
}

// From codersdk/users.go:70:6
// From codersdk/users.go:72:6
export interface UpdateRoles {
readonly roles: string[]
}

// From codersdk/users.go:66:6
// From codersdk/users.go:68:6
export interface UpdateUserPasswordRequest {
readonly password: string
}

// From codersdk/users.go:61:6
// From codersdk/users.go:63:6
export interface UpdateUserProfileRequest {
readonly email: string
readonly username: string
Expand All @@ -304,7 +304,7 @@ export interface UploadResponse {
readonly hash: string
}

// From codersdk/users.go:31:6
// From codersdk/users.go:33:6
export interface User {
readonly id: string
readonly email: string
Expand All @@ -315,13 +315,33 @@ export interface User {
readonly roles: Role[]
}

// From codersdk/users.go:74:6
// From codersdk/users.go:97:6
export interface UserPermissionCheck {
readonly object: UserPermissionCheckObject
// This is likely an enum in an external package ("github.com/coder/coder/coderd/rbac.Action")
readonly action: string
}

// From codersdk/users.go:81:6
export interface UserPermissionCheckObject {
readonly resource_type?: string
readonly owner_id?: string
readonly organization_id?: string
readonly resource_id?: string
}
Contributor
@presleyp presleyp May 11, 2022

Can you write some docs on how to use this? The example request is helpful but for instance, where do we find the resource type and id, and where does the arbitrary name come in (I think it's the string that keys the record below but having this written somewhere will help when I forget that later lol)

Member Author

Yup! Random comment on this, I am going to add the docs to the codersdk struct. These comments are not pulled over to the typescript, but they could in theory be copied over. If that is something that would be helpful, we can pull comments to the typescript too.

I'll link to the docs when I commit them 👍

Member Author

@presleyp

coder/codersdk/users.go

Lines 81 to 127 in 79c0886

// UserPermissionCheckRequest is a structure instead of a map because
// go-playground/validate can only validate structs. If you attempt to pass
// a map into 'httpapi.Read', you will get an invalid type error.
type UserPermissionCheckRequest struct {
	// Checks is a map keyed with an arbitrary string to a permission check.
	// The key can be any string that is helpful to the caller, and allows
	// multiple permission checks to be run in a single request.
	// The key ensures that each permission check has the same key in the
	// response.
	Checks map[string]UserPermissionCheck `json:"checks"`
}

// UserPermissionCheck is used to check if a user can do a given action
// to a given set of objects.
type UserPermissionCheck struct {
	// Object can represent a "set" of objects, such as:
	// - All workspaces in an organization
	// - All workspaces owned by me
	// - All workspaces across the entire product
	// When defining an object, use the most specific language when possible to
	// produce the smallest set. Meaning to set as many fields on 'Object' as
	// you can. Example, if you want to check if you can update all workspaces
	// owned by 'me', try to also add an 'OrganizationID' to the settings.
	// Omitting the 'OrganizationID' could produce the incorrect value, as
	// workspaces have both `user` and `organization` owners.
	Object UserPermissionCheckObject `json:"object"`
	// Action can be 'create', 'read', 'update', or 'delete'
	Action string `json:"action"`
}

type UserPermissionCheckObject struct {
	// ResourceType is the name of the resource.
	// './coderd/rbac/object.go' has the list of valid resource types.
	ResourceType string `json:"resource_type,omitempty"`
	// OwnerID (optional) is a user_id. It adds the set constraint to all resources owned
	// by a given user.
	OwnerID string `json:"owner_id,omitempty"`
	// OrganizationID (optional) is an organization_id. It adds the set constraint to
	// all resources owned by a given organization.
	OrganizationID string `json:"organization_id,omitempty"`
	// ResourceID (optional) reduces the set to a singular resource. This assigns
	// a resource ID to the resource type, eg: a single workspace.
	// The rbac library will not fetch the resource from the database, so if you
	// are using this option, you should also set the 'OwnerID' and 'OrganizationID'
	// if possible. Be as specific as possible using all the fields relevant.
	ResourceID string `json:"resource_id,omitempty"`
}

Contributor

Awesome! And how do I know which resource types are possible, or which resource id a given thing has?

Collaborator
@BrunoQuaresma BrunoQuaresma May 11, 2022

Unfortunately, it is not exported into the TS types but you can see them right here

var (
	ResourceWorkspace = Object{
		Type: "workspace",
	}
	ResourceTemplate = Object{
		Type: "template",
	}
	// ResourceUserRole might be expanded later to allow more granular permissions
	// to modifying roles. For now, this covers all possible roles, so having this permission
	// allows granting/deleting **ALL** roles.
	ResourceUserRole = Object{
		Type: "user_role",
	}
	ResourceUserPasswordRole = Object{
		Type: "user_password",
	}
	// ResourceWildcard represents all resource types
	ResourceWildcard = Object{
		Type: WildcardSymbol,
	}
)

Contributor

So eventually the parts of the admin menu will be in there, right? I can see how the resource id of a workspace would be the workspace id, but I was having trouble figuring out how I'd ask if a user can see the Users page, for instance.

Collaborator
@BrunoQuaresma BrunoQuaresma May 11, 2022

You eventually can do this:

...
"read-all-users":{
  "object":{
      "resource_type":"users"
  },
  "action":"read"
},

Right now that is not possible because we don't have the resource "users", but I will make that during this ticket #884

Contributor

Ah, so that one won't need a resource id. So when I don't specify an owner/org/resource id, I'm asking for everything, but supplying ids can narrow the scope - is that right? Would be nice to have a note on that, although maybe it's more obvious to most people.

Member Author

@presleyp correct.
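
As an added example (not code from the coder/coder repository or this PR), a TypeScript helper that builds a UserPermissionCheckRequest of the shape Emyrk's struct docs and Bruno's JSON describe and checks it client-side before sending: the action list comes from the Go doc comment, the interfaces mirror the generated types in this diff, and the ids are placeholders.

```typescript
// Added example, not code from coder/coder: mirrors the generated types in
// typesGenerated.ts and validates a permission-check request client-side.
interface UserPermissionCheckObject {
  readonly resource_type?: string
  readonly owner_id?: string
  readonly organization_id?: string
  readonly resource_id?: string
}
interface UserPermissionCheck {
  readonly object: UserPermissionCheckObject
  readonly action: string // generated as plain string; rbac.Action on the Go side
}
interface UserPermissionCheckRequest {
  readonly checks: Record<string, UserPermissionCheck>
}
// The Go doc comment lists exactly these four actions.
const RBAC_ACTIONS = ["create", "read", "update", "delete"] as const
type RbacAction = (typeof RBAC_ACTIONS)[number]
function isRbacAction(a: string): a is RbacAction {
  return (RBAC_ACTIONS as readonly string[]).includes(a)
}
// One message per problem. resource_type is treated as required (the Go docs
// mark only the other three fields optional); a resource_id with no owner/org is
// flagged because the rbac library does not fetch the resource to fill them in.
function validateChecks(req: UserPermissionCheckRequest): string[] {
  const problems: string[] = []
  for (const [key, check] of Object.entries(req.checks)) {
    const o = check.object
    if (!isRbacAction(check.action)) problems.push(`${key}: unknown action "${check.action}"`)
    if (!o.resource_type) problems.push(`${key}: resource_type is required`)
    if (o.resource_id && !o.owner_id && !o.organization_id) {
      problems.push(`${key}: resource_id given without owner_id/organization_id`)
    }
  }
  return problems
}

// Constructed sample: keys are arbitrary caller-chosen labels, ids are placeholders.
const sampleRequest: UserPermissionCheckRequest = {
  checks: {
    "update-my-org-workspaces": {
      object: { resource_type: "workspace", owner_id: "<my-user-id>", organization_id: "<org-id>" },
      action: "update",
    },
    "read-all-templates": { object: { resource_type: "template" }, action: "read" },
    "delete-one-workspace": { object: { resource_type: "workspace", resource_id: "<ws-id>" }, action: "delete" },
    "bad-action": { object: { resource_type: "workspace" }, action: "write" },
  },
}
```

Running `validateChecks(sampleRequest)` flags the under-specified single-workspace check and the unknown action while the two set-level checks pass.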


// From codersdk/users.go:93:6
export interface UserPermissionCheckRequest {
readonly checks: Record<string, UserPermissionCheck>
}

// From codersdk/users.go:76:6
export interface UserRoles {
readonly roles: string[]
readonly organization_roles: Record<string, string[]>
}

// From codersdk/users.go:23:6
// From codersdk/users.go:25:6
export interface UsersRequest extends Pagination {
readonly search: string
readonly status: string
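Review bot: in the `-315,13 +315,33` hunk, `readonly action: string` on `UserPermissionCheck` discards the enum that the generator's own comment flags (`rbac.Action`), while the Go docs quoted in the thread restrict it to 'create', 'read', 'update' or 'delete'. This same generated file already emits string-literal unions for enums (`UserStatus`, `ProvisionerJobStatus` in the `-422,7 +442,7` hunk), so the generator could emit `"create" | "read" | "update" | "delete"` for this external enum instead of `string`; since the file is produced by `make gen`, the change belongs in the generator rather than a hand edit here.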
Expand Down Expand Up @@ -422,7 +442,7 @@ export type ParameterScope = "organization" | "template" | "user" | "workspace"
// From codersdk/provisionerdaemons.go:26:6
export type ProvisionerJobStatus = "canceled" | "canceling" | "failed" | "pending" | "running" | "succeeded"

// From codersdk/users.go:16:6
// From codersdk/users.go:18:6
export type UserStatus = "active" | "suspended"

// From codersdk/workspaceresources.go:15:6