Commit bb62a7c

Browse files
fix: redefine RBAC permissions for prebuilds
1 parent 3e52186 commit bb62a7c

5 files changed

+20
-18
lines changed


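--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -372,13 +372,12 @@ var (
 DisplayName: "Coder",
 Site: rbac.Permissions(map[string][]policy.Action{
 // May use template, read template-related info, & insert template-related resources (preset prebuilds).
-rbac.ResourceTemplate.Type: {policy.ActionRead, policy.ActionUpdate, policy.ActionUse},
+rbac.ResourceTemplate.Type: {policy.ActionRead, policy.ActionUpdate, policy.ActionUse, policy.ActionViewInsights},
 // May CRUD workspaces, and start/stop them.
 rbac.ResourceWorkspace.Type: {
 policy.ActionCreate, policy.ActionDelete, policy.ActionRead, policy.ActionUpdate,
 policy.ActionWorkspaceStart, policy.ActionWorkspaceStop,
 },
-rbac.ResourceSystem.Type: {policy.ActionRead},
 }),
 },
 }),
@@ -1185,7 +1184,7 @@ func (q *querier) CleanTailnetTunnels(ctx context.Context) error {
 }
 
 func (q *querier) CountInProgressPrebuilds(ctx context.Context) ([]database.CountInProgressPrebuildsRow, error) {
-if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceSystem); err != nil {
+if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceWorkspace.All()); err != nil {
 return nil, err
 }
 return q.db.CountInProgressPrebuilds(ctx)
@@ -2135,7 +2134,9 @@ func (q *querier) GetParameterSchemasByJobID(ctx context.Context, jobID uuid.UUI
 }
 
 func (q *querier) GetPrebuildMetrics(ctx context.Context) ([]database.GetPrebuildMetricsRow, error) {
-if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceSystem); err != nil {
+// GetPrebuildMetrics returns metrics related to prebuilt workspaces,
+// such as the number of created and failed prebuilt workspaces.
+if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceWorkspace.All()); err != nil {
 return nil, err
 }
 return q.db.GetPrebuildMetrics(ctx)
@@ -2174,7 +2175,8 @@ func (q *querier) GetPresetParametersByTemplateVersionID(ctx context.Context, te
 }
 
 func (q *querier) GetPresetsBackoff(ctx context.Context, lookback time.Time) ([]database.GetPresetsBackoffRow, error) {
-if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceSystem); err != nil {
+// GetPresetsBackoff returns a list of template version presets along with metadata such as the number of failed prebuilds.
+if err := q.authorizeContext(ctx, policy.ActionViewInsights, rbac.ResourceTemplate.All()); err != nil {
 return nil, err
 }
 return q.db.GetPresetsBackoff(ctx, lookback)
@@ -2331,7 +2333,8 @@ func (q *querier) GetReplicasUpdatedAfter(ctx context.Context, updatedAt time.Ti
 }
 
 func (q *querier) GetRunningPrebuiltWorkspaces(ctx context.Context) ([]database.GetRunningPrebuiltWorkspacesRow, error) {
-if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceSystem); err != nil {
+// This query returns only prebuilt workspaces, but we decided to require permissions for all workspaces.
+if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceWorkspace.All()); err != nil {
 return nil, err
 }
 return q.db.GetRunningPrebuiltWorkspaces(ctx)
@@ -2462,10 +2465,9 @@ func (q *querier) GetTemplateParameterInsights(ctx context.Context, arg database
 }
 
 func (q *querier) GetTemplatePresetsWithPrebuilds(ctx context.Context, templateID uuid.NullUUID) ([]database.GetTemplatePresetsWithPrebuildsRow, error) {
-// Although this fetches presets. It filters them by prebuilds and is only of use to the prebuild system.
-// As such, we authorize this in line with other prebuild queries, not with other preset queries.
-
-if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceSystem); err != nil {
+// GetTemplatePresetsWithPrebuilds retrieves template versions with configured presets and prebuilds.
+// Presets and prebuilds are part of the template, so if you can access templates - you can access them as well.
+if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceTemplate.All()); err != nil {
 return nil, err
 }
 return q.db.GetTemplatePresetsWithPrebuilds(ctx, templateID)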
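Review bot: The explanatory comments added to GetPrebuildMetrics, GetPresetsBackoff and GetTemplatePresetsWithPrebuilds are placed inside the function bodies after the signature, so godoc will not attach them to the methods; move each one directly above its `func (q *querier) ...` line, e.g. `// GetPresetsBackoff returns a list of template version presets along with metadata such as the number of failed prebuilds.` immediately before the signature. The first hunk also drops `rbac.ResourceSystem.Type: {policy.ActionRead}` from the prebuilds site permissions, so any query that still authorizes with `rbac.ResourceSystem` and is reached by that user (none are visible here) would now be denied; it is worth confirming that the prebuilds code path only calls the queries rewired in this commit. GetTemplatePresetsWithPrebuilds authorizes against `rbac.ResourceTemplate.All()` even when templateID is set, which presumably demands site-wide template read rather than access to that one template — confirm this is the intended scope. Each function's closing brace lies outside its hunk.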

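--- a/coderd/database/dbauthz/dbauthz_test.go
+++ b/coderd/database/dbauthz/dbauthz_test.go
@@ -4831,28 +4831,28 @@ func (s *MethodTestSuite) TestPrebuilds() {
 }))
 s.Run("GetPrebuildMetrics", s.Subtest(func(_ database.Store, check *expects) {
 check.Args().
-Asserts(rbac.ResourceSystem, policy.ActionRead).
+Asserts(rbac.ResourceWorkspace.All(), policy.ActionRead).
 ErrorsWithInMemDB(dbmem.ErrUnimplemented)
 }))
 s.Run("CountInProgressPrebuilds", s.Subtest(func(_ database.Store, check *expects) {
 check.Args().
-Asserts(rbac.ResourceSystem, policy.ActionRead).
+Asserts(rbac.ResourceWorkspace.All(), policy.ActionRead).
 ErrorsWithInMemDB(dbmem.ErrUnimplemented)
 }))
 s.Run("GetPresetsBackoff", s.Subtest(func(_ database.Store, check *expects) {
 check.Args(time.Time{}).
-Asserts(rbac.ResourceSystem, policy.ActionRead).
+Asserts(rbac.ResourceTemplate.All(), policy.ActionViewInsights).
 ErrorsWithInMemDB(dbmem.ErrUnimplemented)
 }))
 s.Run("GetRunningPrebuiltWorkspaces", s.Subtest(func(_ database.Store, check *expects) {
 check.Args().
-Asserts(rbac.ResourceSystem, policy.ActionRead).
+Asserts(rbac.ResourceWorkspace.All(), policy.ActionRead).
 ErrorsWithInMemDB(dbmem.ErrUnimplemented)
 }))
 s.Run("GetTemplatePresetsWithPrebuilds", s.Subtest(func(db database.Store, check *expects) {
 user := dbgen.User(s.T(), db, database.User{})
 check.Args(uuid.NullUUID{UUID: user.ID, Valid: true}).
-Asserts(rbac.ResourceSystem, policy.ActionRead).
+Asserts(rbac.ResourceTemplate.All(), policy.ActionRead).
 ErrorsWithInMemDB(dbmem.ErrUnimplemented)
 }))
 s.Run("GetPresetByID", s.Subtest(func(db database.Store, check *expects) {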

coderd/database/querier.go

Lines changed: 1 addition & 1 deletion

coderd/database/queries.sql.go

Lines changed: 1 addition & 1 deletion

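--- a/coderd/database/queries/prebuilds.sql
+++ b/coderd/database/queries/prebuilds.sql
@@ -20,7 +20,7 @@ WHERE w.id IN (
 RETURNING w.id, w.name;
 
 -- name: GetTemplatePresetsWithPrebuilds :many
--- GetTemplatePresetsWithPrebuilds retrieves template versions with configured presets.
+-- GetTemplatePresetsWithPrebuilds retrieves template versions with configured presets and prebuilds.
 -- It also returns the number of desired instances for each preset.
 -- If template_id is specified, only template versions associated with that template will be returned.
 SELECT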
