chore: update rbac

DanielleMaywood · DanielleMaywood · commit 1550cc67322c · 2025-02-14T11:11:05.000Z
diff --git a/coderd/agentapi/resources_monitoring.go b/coderd/agentapi/resources_monitoring.go
@@ -136,7 +136,7 @@ func (a *ResourcesMonitoringAPI) monitorMemory(ctx context.Context, datapoints [
 		debouncedUntil = a.Clock.Now().Add(a.Debounce)
 	}
 
-	err = a.Database.UpdateMemoryResourceMonitor(ctx, database.UpdateMemoryResourceMonitorParams{
+	err = a.Database.UpdateMemoryResourceMonitor(dbauthz.AsResourceMonitor(ctx), database.UpdateMemoryResourceMonitorParams{
 		AgentID:        a.AgentID,
 		State:          newState,
 		UpdatedAt:      dbtime.Time(a.Clock.Now()),
@@ -217,7 +217,7 @@ func (a *ResourcesMonitoringAPI) monitorVolumes(ctx context.Context, datapoints
 			})
 		}
 
-		if err := a.Database.UpdateVolumeResourceMonitor(ctx, database.UpdateVolumeResourceMonitorParams{
+		if err := a.Database.UpdateVolumeResourceMonitor(dbauthz.AsResourceMonitor(ctx), database.UpdateVolumeResourceMonitorParams{
 			AgentID:        a.AgentID,
 			Path:           monitor.Path,
 			State:          newState,
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -289,6 +289,24 @@ var (
 		Scope: rbac.ScopeAll,
 	}.WithCachedASTValue()
 
+	subjectResourceMonitor = rbac.Subject{
+		FriendlyName: "Resource Monitor",
+		ID:           uuid.Nil.String(),
+		Roles: rbac.Roles([]rbac.Role{
+			{
+				Identifier:  rbac.RoleIdentifier{Name: "resourcemonitor"},
+				DisplayName: "Resource Monitor",
+				Site: rbac.Permissions(map[string][]policy.Action{
+					// The workspace monitor needs to be able to update monitors
+					rbac.ResourceWorkspaceAgentResourceMonitor.Type: {policy.ActionUpdate},
+				}),
+				Org:  map[string][]rbac.Permission{},
+				User: []rbac.Permission{},
+			},
+		}),
+		Scope: rbac.ScopeAll,
+	}.WithCachedASTValue()
+
 	subjectSystemRestricted = rbac.Subject{
 		FriendlyName: "System",
 		ID:           uuid.Nil.String(),
@@ -376,6 +394,12 @@ func AsNotifier(ctx context.Context) context.Context {
 	return context.WithValue(ctx, authContextKey{}, subjectNotifier)
 }
 
+// AsResourceMonitor returns a context with an actor that has permissions required for
+// updating resource monitors.
+func AsResourceMonitor(ctx context.Context) context.Context {
+	return context.WithValue(ctx, authContextKey{}, subjectResourceMonitor)
+}
+
 // AsSystemRestricted returns a context with an actor that has permissions
 // required for various system operations (login, logout, metrics cache).
 func AsSystemRestricted(ctx context.Context) context.Context {
diff --git a/coderd/rbac/object_gen.go b/coderd/rbac/object_gen.go
diff --git a/coderd/rbac/policy/policy.go b/coderd/rbac/policy/policy.go
@@ -306,6 +306,7 @@ var RBACPermissions = map[string]PermissionDefinition{
 		Actions: map[Action]ActionDefinition{
 			ActionRead:   actDef("read workspace agent resource monitor"),
 			ActionCreate: actDef("create workspace agent resource monitor"),
+			ActionUpdate: actDef("update workspace agent resource monitor"),
 		},
 	},
 }
diff --git a/coderd/rbac/roles_test.go b/coderd/rbac/roles_test.go
@@ -779,7 +779,7 @@ func TestRolePermissions(t *testing.T) {
 		},
 		{
 			Name:     "ResourceMonitor",
-			Actions:  []policy.Action{policy.ActionRead, policy.ActionCreate},
+			Actions:  []policy.Action{policy.ActionRead, policy.ActionCreate, policy.ActionUpdate},
 			Resource: rbac.ResourceWorkspaceAgentResourceMonitor,
 			AuthorizeMap: map[bool][]hasAuthSubjects{
 				true: {owner},
diff --git a/codersdk/rbacresources_gen.go b/codersdk/rbacresources_gen.go
diff --git a/site/src/api/rbacresourcesGenerated.ts b/site/src/api/rbacresourcesGenerated.ts
@@ -171,6 +171,7 @@ export const RBACResourceActions: Partial<
 	workspace_agent_resource_monitor: {
 		create: "create workspace agent resource monitor",
 		read: "read workspace agent resource monitor",
+		update: "update workspace agent resource monitor",
 	},
 	workspace_dormant: {
 		application_connect: "connect to workspace apps via browser",

Original file line number	Diff line number	Diff line change
`@@ -306,6 +306,7 @@ var RBACPermissions = map[string]PermissionDefinition{`
`306`	`306`	`Actions: map[Action]ActionDefinition{`
`307`	`307`	`ActionRead: actDef("read workspace agent resource monitor"),`
`308`	`308`	`ActionCreate: actDef("create workspace agent resource monitor"),`
	`309`	`+ ActionUpdate: actDef("update workspace agent resource monitor"),`
`309`	`310`	`},`
`310`	`311`	`},`
`311`	`312`	`}`
Original file line number	Diff line number	Diff line change
`@@ -779,7 +779,7 @@ func TestRolePermissions(t *testing.T) {`
`779`	`779`	`},`
`780`	`780`	`{`
`781`	`781`	`Name: "ResourceMonitor",`
`782`		`- Actions: []policy.Action{policy.ActionRead, policy.ActionCreate},`
	`782`	`+ Actions: []policy.Action{policy.ActionRead, policy.ActionCreate, policy.ActionUpdate},`
`783`	`783`	`Resource: rbac.ResourceWorkspaceAgentResourceMonitor,`
`784`	`784`	`AuthorizeMap: map[bool][]hasAuthSubjects{`
`785`	`785`	`true: {owner},`