-
Notifications
You must be signed in to change notification settings - Fork 1.3k
Expand file tree
/
Copy pathscopes_catalog.go
More file actions
122 lines (106 loc) · 3.17 KB
/
scopes_catalog.go
File metadata and controls
122 lines (106 loc) · 3.17 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
package rbac
import (
"sort"
"strings"
)
// externalLowLevel is the curated set of low-level scope names exposed to users.
// Any valid resource:action pair not in this set is considered internal-only
// and must not be user-requestable.
var externalLowLevel = map[ScopeName]struct{}{
// Workspaces
"workspace:read": {},
"workspace:create": {},
"workspace:update": {},
"workspace:delete": {},
"workspace:ssh": {},
"workspace:start": {},
"workspace:stop": {},
"workspace:application_connect": {},
"workspace:*": {},
// Templates
"template:read": {},
"template:create": {},
"template:update": {},
"template:delete": {},
"template:use": {},
"template:*": {},
// API keys (self-management)
"api_key:read": {},
"api_key:create": {},
"api_key:update": {},
"api_key:delete": {},
"api_key:*": {},
// Files
"file:read": {},
"file:create": {},
"file:*": {},
// Users
"user:read": {},
"user:read_personal": {},
"user:update_personal": {},
"user.*": {},
// User secrets
"user_secret:read": {},
"user_secret:create": {},
"user_secret:update": {},
"user_secret:delete": {},
"user_secret:*": {},
// Tasks
"task:create": {},
"task:read": {},
"task:update": {},
"task:delete": {},
"task:*": {},
// Organizations
"organization:read": {},
"organization:update": {},
"organization:delete": {},
"organization:*": {},
}
// Public composite coder:* scopes exposed to users.
var externalComposite = map[ScopeName]struct{}{
"coder:workspaces.create": {},
"coder:workspaces.operate": {},
"coder:workspaces.delete": {},
"coder:workspaces.access": {},
"coder:templates.build": {},
"coder:templates.author": {},
"coder:apikeys.manage_self": {},
}
// IsExternalScope returns true if the scope is public, including the
// `all` and `application_connect` special scopes and the curated
// low-level resource:action scopes.
func IsExternalScope(name ScopeName) bool {
switch name {
// Include `all` and `application_connect` for backward compatibility.
case "all", ScopeAll, "application_connect", ScopeApplicationConnect:
return true
}
if _, ok := externalLowLevel[name]; ok {
return true
}
if _, ok := externalComposite[name]; ok {
return true
}
return false
}
// ExternalScopeNames returns a sorted list of all public scopes, which
// includes the `all` and `application_connect` special scopes, curated
// low-level resource:action names, and curated composite coder:* scopes.
func ExternalScopeNames() []string {
names := make([]string, 0, len(externalLowLevel)+len(externalComposite)+2)
names = append(names, string(ScopeAll))
names = append(names, string(ScopeApplicationConnect))
// curated low-level names, filtered for validity
for name := range externalLowLevel {
if _, _, ok := parseLowLevelScope(name); ok {
names = append(names, string(name))
}
}
// curated composite names
for name := range externalComposite {
names = append(names, string(name))
}
sort.Slice(names, func(i, j int) bool { return strings.Compare(names[i], names[j]) < 0 })
return names
}