
Commit 299a54a

authored
feat(coderd): add tasks rbac object (coder#20234)
This change adds RBAC for tasks. Updates coder/internal#948. Supersedes coder#20212.
1 parent d9f95f2 commit 299a54a

19 files changed

Lines changed: 155 additions & 3 deletions

coderd/apidoc/docs.go

Lines changed: 12 additions & 0 deletions

coderd/apidoc/swagger.json

Lines changed: 12 additions & 0 deletions

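--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -219,7 +219,9 @@ var (
 rbac.ResourceUser.Type: {policy.ActionRead, policy.ActionReadPersonal, policy.ActionUpdatePersonal},
 rbac.ResourceWorkspaceDormant.Type: {policy.ActionDelete, policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceStop},
 rbac.ResourceWorkspace.Type: {policy.ActionDelete, policy.ActionRead, policy.ActionUpdate, policy.ActionWorkspaceStart, policy.ActionWorkspaceStop, policy.ActionCreateAgent},
-rbac.ResourceApiKey.Type: {policy.WildcardSymbol},
+// Provisionerd needs to read and update tasks associated with workspaces.
+rbac.ResourceTask.Type: {policy.ActionRead, policy.ActionUpdate},
+rbac.ResourceApiKey.Type: {policy.WildcardSymbol},
 // When org scoped provisioner credentials are implemented,
 // this can be reduced to read a specific org.
 rbac.ResourceOrganization.Type: {policy.ActionRead},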
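Review bot: The comment above `rbac.ResourceTask.Type` says provisionerd needs tasks "associated with workspaces", but a type-level entry in this permission map grants `ActionRead`/`ActionUpdate` on every task, not only on those tied to a job the provisioner is running — the same way the `ResourceWorkspace` entry above is site-wide. If that breadth is intended, the comment should say so, e.g. `// Provisionerd needs to read and update tasks; this grants it on all tasks, as there is no per-job scoping yet.`; if it is not, the narrowing has to happen in the query layer, because this role cannot express it. The enclosing `var (` block starts and ends outside the hunk.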

coderd/database/dump.sql

Lines changed: 6 additions & 1 deletion
Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,3 @@
1+
-- Revert Tasks RBAC.
2+
-- No-op: enum values remain to avoid churn. Removing enum values requires
3+
-- doing a create/cast/drop cycle which is intentionally omitted here.
Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,6 @@
1+
-- Tasks RBAC.
2+
ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'task:create';
3+
ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'task:read';
4+
ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'task:update';
5+
ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'task:delete';
6+
ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'task:*';

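--- a/coderd/database/modelmethods.go
+++ b/coderd/database/modelmethods.go
@@ -132,6 +132,13 @@ func (w ConnectionLog) RBACObject() rbac.Object {
 return obj
 }
 
+func (t Task) RBACObject() rbac.Object {
+return rbac.ResourceTask.
+WithID(t.ID).
+WithOwner(t.OwnerID.String()).
+InOrg(t.OrganizationID)
+}
+
 func (s APIKeyScope) ToRBAC() rbac.ScopeName {
 switch s {
 case ApiKeyScopeCoderAll: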
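Review bot: The migration in this commit adds `task:create`, `task:read`, `task:update`, `task:delete` and `task:*` to `api_key_scope`, yet the `APIKeyScope.ToRBAC` switch whose head appears as context at the end of this hunk shows no new cases anywhere in the diff; unless they are handled in the part of the switch outside the hunk or in generated code, an API key minted with one of the new scopes would take the switch's fallback path, which this page does not show — worth confirming before keys with these scopes can be issued. Separately, the new method has no doc comment while it is exported; I would add `// RBACObject returns the object used to authorize access to the task, scoped to its owner and organization.` above `func (t Task) RBACObject()`. `ToRBAC` continues outside the hunk.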

coderd/database/models.go

Lines changed: 16 additions & 1 deletion

coderd/rbac/object_gen.go

Lines changed: 11 additions & 0 deletions

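--- a/coderd/rbac/policy/policy.go
+++ b/coderd/rbac/policy/policy.go
@@ -63,6 +63,13 @@ var workspaceActions = map[Action]ActionDefinition{
 ActionDeleteAgent: "delete an existing workspace agent",
 }
 
+var taskActions = map[Action]ActionDefinition{
+ActionCreate: "create a new task",
+ActionRead: "read task data or output to view on the UI or CLI",
+ActionUpdate: "edit task settings or send input to an existing task",
+ActionDelete: "delete task",
+}
+
 // RBACPermissions is indexed by the type
 var RBACPermissions = map[string]PermissionDefinition{
 // Wildcard is every object, and the action "*" provides all actions.
@@ -86,6 +93,9 @@ var RBACPermissions = map[string]PermissionDefinition{
 "workspace": {
 Actions: workspaceActions,
 },
+"task": {
+Actions: taskActions,
+},
 // Dormant workspaces have the same perms as workspaces.
 "workspace_dormant": {
 Actions: workspaceActions,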
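Review bot: The new `"task"` entry is inserted between `"workspace"` and `"workspace_dormant"`, so the comment `// Dormant workspaces have the same perms as workspaces.` no longer sits next to the `"workspace"` block it refers to. Moving `"task": {Actions: taskActions},` after the `"workspace_dormant"` entry (or before `"workspace"`) keeps the two workspace definitions adjacent and the comment attached to its subject. The `RBACPermissions` map continues outside the hunk.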
