README
¶
Authz
Package rbac implements Role-Based Access Control for Coder.
See USAGE.md for a hands-on approach to using this package.
Overview
Authorization defines what permission a subject has to perform actions to objects:
- Permission is binary: yes (allowed) or no (denied).
- Subject in this case is anything that implements interface
rbac.Subject. - Action here is an enumerated list of actions. Actions can differ for each object type. They typically read like,
Create,Read,Update,Delete, etc. - Object here is anything that implements
rbac.Object.
Permission Structure
A permission is a rule that grants or denies access for a subject to perform an action on a object. A permission is always applied at a given level:
- site level applies to all objects in a given Coder deployment.
- org level applies to all objects that have an organization owner (
org_owner) - user level applies to all objects that have an owner with the same ID as the subject.
Permissions at a higher level always override permissions at a lower level.
The effect of a permission can be:
- positive (allows)
- negative (denies)
- abstain (neither allows or denies, not applicable)
Negative permissions always override positive permissions at the same level. Both negative and positive permissions override abstain at the same level.
This can be represented by the following truth table, where Y represents positive, N represents negative, and _ represents abstain:
| Action | Positive | Negative | Result |
|---|---|---|---|
| read | Y | _ | Y |
| read | Y | N | N |
| read | _ | _ | _ |
| read | _ | N | N |
Permission Representation
Permissions are represented in string format as <sign>?<level>.<object>.<id>.<action>, where:
negatedcan be either+or-. If it is omitted, sign is assumed to be+.levelis eithersite,org, oruser.objectis any valid resource type.idis any valid UUID v4.idis included in the permission syntax, however only scopes may useidto specify a specific object.actionis typicallycreate,read,modify,delete, but you can define other verbs as needed.
Example Permissions
+site.app.*.read: allowed to perform thereadaction against all objects of typeappin a given Coder deployment.-user.workspace.*.create: user is not allowed to create workspaces.
Roles
A role is a set of permissions. When evaluating a role's permission to form an action, all the relevant permissions for the role are combined at each level. Permissions at a higher level override permissions at a lower level.
The following table shows the per-level role evaluation. Y indicates that the role provides positive permissions, N indicates the role provides negative permissions, and indicates the role does not provide positive or negative permissions. YN indicates that the value in the cell does not matter for the access result.
| Role (example) | Site | Org | User | Result |
|---|---|---|---|---|
| site-admin | Y | YN_ | YN_ | Y |
| no-permission | N | YN_ | YN_ | N |
| org-admin | _ | Y | YN_ | Y |
| non-org-member | _ | N | YN_ | N |
| user | _ | _ | Y | Y |
| _ | _ | N | N | |
| unauthenticated | _ | _ | _ | N |
Scopes
Scopes can restrict a given set of permissions. The format of a scope matches a role with the addition of a list of resource ids. For a authorization call to be successful, the subject's roles and the subject's scopes must both allow the action. This means the resulting permissions is the intersection of the subject's roles and the subject's scopes.
An example to give a readonly token is to grant a readonly scope across all resources +site.*.*.read. The intersection with the user's permissions will be the readonly set of their permissions.
Resource IDs
There exists use cases that require specifying a specific resource. If resource IDs are allowed in the roles, then there is an unbounded set of resource IDs that be added to an "allow_list", as the number of roles a user can have is unbounded. This also adds a level of complexity to the role evaluation logic that has large costs at scale.
The use case for specifying this type of permission in a role is limited, and does not justify the extra cost. To solve this for the remaining cases (eg. workspace agent tokens), we can apply an allow_list on a scope. For most cases, the allow_list will just be ["*"] which means the scope is allowed to be applied to any resource. This adds negligible cost to the role evaluation logic and 0 cost to partial evaluations.
Example of a scope for a workspace agent token, using an allow_list containing a single resource id.
"scope": {
"name": "workspace_agent",
"display_name": "Workspace_Agent",
// The ID of the given workspace the agent token correlates to.
"allow_list": ["10d03e62-7703-4df5-a358-4f76577d4e2f"],
"site": [/* ... perms ... */],
"org": {/* ... perms ... */},
"user": [/* ... perms ... */]
}
OPA (Open Policy Agent)
Open Policy Agent (OPA) is an open source tool used to define and enforce policies.
Policies are written in a high-level, declarative language called Rego.
Coder’s RBAC rules are defined in the policy.rego file under the authz package.
When OPA evaluates policies, it binds input data to a global variable called input.
In the rbac package, this structured data is defined as JSON and contains the action, object and subject (see regoInputValue in astvalue.go).
OPA evaluates whether the subject is allowed to perform the action on the object across three levels: site, org, and user.
This is determined by the final rule allow, which aggregates the results of multiple rules to decide if the user has the necessary permissions.
Similarly to the input, OPA produces structured output data, which includes the allow variable as part of the evaluation result.
Authorization succeeds only if allow explicitly evaluates to true. If no allow is returned, it is considered unauthorized.
To learn more about OPA and Rego, see https://www.openpolicyagent.org/docs.
Application and Database Integration
rbac/authz.go– Application layer integration: provides the core authorization logic that integrates with Rego for policy evaluation.database/dbauthz/dbauthz.go– Database layer integration: wraps the database layer with authorization checks to enforce access control.
There are two types of evaluation in OPA:
- Full evaluation: Produces a decision that can be enforced.
This is the default evaluation mode, where OPA evaluates the policy using
inputdata that contains all known values and returns output data with theallowvariable. - Partial evaluation: Produces a new policy that can be evaluated later when the unknowns become known.
This is an optimization in OPA where it evaluates as much of the policy as possible without resolving expressions that depend on unknown values from the
input. To learn more about partial evaluation, see this OPA blog post.
Application of Full and Partial evaluation in rbac package:
- Full Evaluation is handled by the
RegoAuthorizer.Authorize()method inauthz.go. This method determines whether a subject (user) can perform a specific action on an object. It performs a full evaluation of the Rego policy, which returns theallowvariable to decide whether access is granted (true) or denied (falseor undefined). - Partial Evaluation is handled by the
RegoAuthorizer.Prepare()method inauthz.go. This method compiles OPA’s partial evaluation queries intoSQL WHEREclauses. These clauses are then used to enforce authorization directly in database queries, rather than in application code.
Authorization Patterns:
- Fetch-then-authorize: an object is first retrieved from the database, and a single authorization check is performed using full evaluation via
Authorize(). - Authorize-while-fetching: Partial evaluation via
Prepare()is used to inject SQL filters directly into queries, allowing efficient authorization of many objects of the same type.dbauthzmethods that enforce authorization directly in the SQL query are prefixed withAuthorized, for example,GetAuthorizedWorkspaces.
Testing
- OPA Playground: https://play.openpolicyagent.org/
- OPA CLI (
opa eval): useful for experimenting with different inputs and understanding how the policy behaves under various conditions.opa evalreturns the constraints that must be satisfied for a rule to evaluate totrue.opa evalrequires aninput.jsonfile containing the input data to run the policy against. You can generate this file using the gen_input.go script. Note: the script currently produces a fixed input. You may need to tweak it for your specific use case.
Full Evaluation
opa eval --format=pretty "data.authz.allow" -d policy.rego -i input.json
This command fully evaluates the policy in the policy.rego file using the input data from input.json, and returns the result of the allow variable:
data.authz.allowaccesses theallowrule within theauthzpackage.data.authzon its own would return the entire output object of the package.
This command answers the question: “Is the user allowed?”
Partial Evaluation
opa eval --partial --format=pretty 'data.authz.allow' -d policy.rego --unknowns input.object.id --unknowns input.object.owner --unknowns input.object.org_owner --unknowns input.object.acl_user_list --unknowns input.object.acl_group_list -i input.json
This command performs a partial evaluation of the policy, specifying a set of unknown input parameters.
The result is a set of partial queries that can be converted into SQL WHERE clauses and injected into SQL queries.
This command answers the question: “What conditions must be met for the user to be allowed?”
Benchmarking
Benchmark tests to evaluate the performance of full and partial evaluation can be found in authz_test.go.
You can run these tests with the -bench flag, for example:
go test -bench=BenchmarkRBACFilter -run=^$
To capture memory and CPU profiles, use the following flags:
-memprofile memprofile.out-cpuprofile cpuprofile.out
The script benchmark_authz.sh runs the authz benchmark tests on the current Git branch or compares benchmark results between two branches using benchstat.
benchstat compares the performance of a baseline benchmark against a new benchmark result and highlights any statistically significant differences.
-
To run benchmark on the current branch:
benchmark_authz.sh --single -
To compare benchmarks between 2 branches:
benchmark_authz.sh --compare main prebuild_policy
Documentation
¶
Overview ¶
Code generated by typegen/main.go. DO NOT EDIT.
Code generated by: go run ./scripts/typegen rbac scopenames; DO NOT EDIT.
Index ¶
- Constants
- Variables
- func AllActions() []policy.Action
- func CanAssignRole(subjectHasRoles ExpandableRoles, assignedRole RoleIdentifier) bool
- func ChangeRoleSet(from []RoleIdentifier, to []RoleIdentifier) (added []RoleIdentifier, removed []RoleIdentifier)
- func CompositeScopeNames() []string
- func ConfigWithACL() regosql.ConvertConfig
- func ConfigWithoutACL() regosql.ConvertConfig
- func ConfigWorkspaces() regosql.ConvertConfig
- func ExternalScopeNames() []string
- func Filter[O Objecter](ctx context.Context, auth Authorizer, subject Subject, action policy.Action, ...) ([]O, error)
- func IsExternalScope(name ScopeName) bool
- func IsUnauthorizedError(err error) bool
- func ParseResourceAction(scope string) (resource string, action string, ok bool)
- func ReloadBuiltinRoles(opts *RoleOptions)
- func ReservedRoleName(name string) bool
- func RoleOrgAdmin() string
- func RoleOrgAuditor() string
- func RoleOrgMember() string
- func RoleOrgTemplateAdmin() string
- func RoleOrgUserAdmin() string
- func RoleOrgWorkspaceCreationBan() string
- func WithAuthzCheckRecorder(ctx context.Context) context.Context
- type AllowListElement
- type AuthCall
- type AuthorizeFilter
- type Authorizer
- type AuthzCheckRecorder
- type ExpandableRoles
- type ExpandableScope
- type Object
- func (z Object) All() Object
- func (z Object) AnyOrganization() Object
- func (z Object) AvailableActions() []policy.Action
- func (z Object) Equal(b Object) bool
- func (z Object) InOrg(orgID uuid.UUID) Object
- func (z Object) RBACObject() Object
- func (z Object) String() string
- func (z Object) ValidAction(action policy.Action) error
- func (z Object) WithACLUserList(acl map[string][]policy.Action) Object
- func (z Object) WithGroupACL(groups map[string][]policy.Action) Object
- func (z Object) WithID(id uuid.UUID) Object
- func (z Object) WithIDString(id string) Object
- func (z Object) WithOwner(ownerID string) Object
- type Objecter
- type PartialAuthorizer
- type Permission
- type PreparedAuthorized
- type RegoAuthorizer
- type Role
- type RoleIdentifier
- func CustomOrganizationRole(orgID uuid.UUID) RoleIdentifier
- func CustomSiteRole() RoleIdentifier
- func RoleAuditor() RoleIdentifier
- func RoleMember() RoleIdentifier
- func RoleNameFromString(input string) (RoleIdentifier, error)
- func RoleOwner() RoleIdentifier
- func RoleTemplateAdmin() RoleIdentifier
- func RoleUserAdmin() RoleIdentifier
- func ScopedRoleOrgAdmin(organizationID uuid.UUID) RoleIdentifier
- func ScopedRoleOrgAuditor(organizationID uuid.UUID) RoleIdentifier
- func ScopedRoleOrgMember(organizationID uuid.UUID) RoleIdentifier
- func ScopedRoleOrgTemplateAdmin(organizationID uuid.UUID) RoleIdentifier
- func ScopedRoleOrgUserAdmin(organizationID uuid.UUID) RoleIdentifier
- func ScopedRoleOrgWorkspaceCreationBan(organizationID uuid.UUID) RoleIdentifier
- type RoleIdentifiers
- type RoleOptions
- type Roles
- type Scope
- type ScopeName
- type Subject
- type SubjectType
- type UnauthorizedError
- func (*UnauthorizedError) As(target interface{}) bool
- func (e UnauthorizedError) Error() string
- func (e *UnauthorizedError) Input() map[string]interface{}
- func (e *UnauthorizedError) Internal() error
- func (UnauthorizedError) IsUnauthorized() bool
- func (e *UnauthorizedError) Output() rego.ResultSet
- func (e *UnauthorizedError) SetInternal(err error)
- func (e UnauthorizedError) Unwrap() error
- type WorkspaceAgentScopeParams
Constants ¶
const (
SubjectTypeFileReaderID = "acbf0be6-6fed-47b6-8c43-962cb5cab994"
)
Variables ¶
var ( // ResourceWildcard // Valid Actions ResourceWildcard = Object{ Type: "*", } // ResourceAibridgeInterception // Valid Actions // - "ActionCreate" :: create aibridge interceptions & related records // - "ActionRead" :: read aibridge interceptions & related records // - "ActionUpdate" :: update aibridge interceptions & related records ResourceAibridgeInterception = Object{ Type: "aibridge_interception", } // ResourceApiKey // Valid Actions // - "ActionCreate" :: create an api key // - "ActionDelete" :: delete an api key // - "ActionRead" :: read api key details (secrets are not stored) // - "ActionUpdate" :: update an api key, eg expires ResourceApiKey = Object{ Type: "api_key", } // ResourceAssignOrgRole // Valid Actions // - "ActionAssign" :: assign org scoped roles // - "ActionCreate" :: create/delete custom roles within an organization // - "ActionDelete" :: delete roles within an organization // - "ActionRead" :: view what roles are assignable within an organization // - "ActionUnassign" :: unassign org scoped roles // - "ActionUpdate" :: edit custom roles within an organization ResourceAssignOrgRole = Object{ Type: "assign_org_role", } // ResourceAssignRole // Valid Actions // - "ActionAssign" :: assign user roles // - "ActionRead" :: view what roles are assignable // - "ActionUnassign" :: unassign user roles ResourceAssignRole = Object{ Type: "assign_role", } // ResourceAuditLog // Valid Actions // - "ActionCreate" :: create new audit log entries // - "ActionRead" :: read audit logs ResourceAuditLog = Object{ Type: "audit_log", } // ResourceConnectionLog // Valid Actions // - "ActionRead" :: read connection logs // - "ActionUpdate" :: upsert connection log entries ResourceConnectionLog = Object{ Type: "connection_log", } // ResourceCryptoKey // Valid Actions // - "ActionCreate" :: create crypto keys // - "ActionDelete" :: delete crypto keys // - "ActionRead" :: read crypto keys // - "ActionUpdate" :: update crypto keys ResourceCryptoKey = Object{ Type: "crypto_key", } // ResourceDebugInfo // Valid Actions // - "ActionRead" :: access to debug routes ResourceDebugInfo = Object{ Type: "debug_info", } // ResourceDeploymentConfig // Valid Actions // - "ActionRead" :: read deployment config // - "ActionUpdate" :: updating health information ResourceDeploymentConfig = Object{ Type: "deployment_config", } // ResourceDeploymentStats // Valid Actions // - "ActionRead" :: read deployment stats ResourceDeploymentStats = Object{ Type: "deployment_stats", } // ResourceFile // Valid Actions // - "ActionCreate" :: create a file // - "ActionRead" :: read files ResourceFile = Object{ Type: "file", } // ResourceGroup // Valid Actions // - "ActionCreate" :: create a group // - "ActionDelete" :: delete a group // - "ActionRead" :: read groups // - "ActionUpdate" :: update a group ResourceGroup = Object{ Type: "group", } // ResourceGroupMember // Valid Actions // - "ActionRead" :: read group members ResourceGroupMember = Object{ Type: "group_member", } // ResourceIdpsyncSettings // Valid Actions // - "ActionRead" :: read IdP sync settings // - "ActionUpdate" :: update IdP sync settings ResourceIdpsyncSettings = Object{ Type: "idpsync_settings", } // ResourceInboxNotification // Valid Actions // - "ActionCreate" :: create inbox notifications // - "ActionRead" :: read inbox notifications // - "ActionUpdate" :: update inbox notifications ResourceInboxNotification = Object{ Type: "inbox_notification", } // ResourceLicense // Valid Actions // - "ActionCreate" :: create a license // - "ActionDelete" :: delete license // - "ActionRead" :: read licenses ResourceLicense = Object{ Type: "license", } // ResourceNotificationMessage // Valid Actions // - "ActionCreate" :: create notification messages // - "ActionDelete" :: delete notification messages // - "ActionRead" :: read notification messages // - "ActionUpdate" :: update notification messages ResourceNotificationMessage = Object{ Type: "notification_message", } // ResourceNotificationPreference // Valid Actions // - "ActionRead" :: read notification preferences // - "ActionUpdate" :: update notification preferences ResourceNotificationPreference = Object{ Type: "notification_preference", } // ResourceNotificationTemplate // Valid Actions // - "ActionRead" :: read notification templates // - "ActionUpdate" :: update notification templates ResourceNotificationTemplate = Object{ Type: "notification_template", } // ResourceOauth2App // Valid Actions // - "ActionCreate" :: make an OAuth2 app // - "ActionDelete" :: delete an OAuth2 app // - "ActionRead" :: read OAuth2 apps // - "ActionUpdate" :: update the properties of the OAuth2 app ResourceOauth2App = Object{ Type: "oauth2_app", } // ResourceOauth2AppCodeToken // Valid Actions // - "ActionCreate" :: create an OAuth2 app code token // - "ActionDelete" :: delete an OAuth2 app code token // - "ActionRead" :: read an OAuth2 app code token ResourceOauth2AppCodeToken = Object{ Type: "oauth2_app_code_token", } // ResourceOauth2AppSecret // Valid Actions // - "ActionCreate" :: create an OAuth2 app secret // - "ActionDelete" :: delete an OAuth2 app secret // - "ActionRead" :: read an OAuth2 app secret // - "ActionUpdate" :: update an OAuth2 app secret ResourceOauth2AppSecret = Object{ Type: "oauth2_app_secret", } // ResourceOrganization // Valid Actions // - "ActionCreate" :: create an organization // - "ActionDelete" :: delete an organization // - "ActionRead" :: read organizations // - "ActionUpdate" :: update an organization ResourceOrganization = Object{ Type: "organization", } // ResourceOrganizationMember // Valid Actions // - "ActionCreate" :: create an organization member // - "ActionDelete" :: delete member // - "ActionRead" :: read member // - "ActionUpdate" :: update an organization member ResourceOrganizationMember = Object{ Type: "organization_member", } // ResourcePrebuiltWorkspace // Valid Actions // - "ActionDelete" :: delete prebuilt workspace // - "ActionUpdate" :: update prebuilt workspace settings ResourcePrebuiltWorkspace = Object{ Type: "prebuilt_workspace", } // ResourceProvisionerDaemon // Valid Actions // - "ActionCreate" :: create a provisioner daemon/key // - "ActionDelete" :: delete a provisioner daemon/key // - "ActionRead" :: read provisioner daemon // - "ActionUpdate" :: update a provisioner daemon ResourceProvisionerDaemon = Object{ Type: "provisioner_daemon", } // ResourceProvisionerJobs // Valid Actions // - "ActionCreate" :: create provisioner jobs // - "ActionRead" :: read provisioner jobs // - "ActionUpdate" :: update provisioner jobs ResourceProvisionerJobs = Object{ Type: "provisioner_jobs", } // ResourceReplicas // Valid Actions // - "ActionRead" :: read replicas ResourceReplicas = Object{ Type: "replicas", } // ResourceSystem // Valid Actions // - "ActionCreate" :: create system resources // - "ActionDelete" :: delete system resources // - "ActionRead" :: view system resources // - "ActionUpdate" :: update system resources // DEPRECATED: New resources should be created for new things, rather than adding them to System, which has become // an unmanaged collection of things that don't relate to one another. We can't effectively enforce // least privilege access control when unrelated resources are grouped together. ResourceSystem = Object{ Type: "system", } // ResourceTailnetCoordinator // Valid Actions // - "ActionCreate" :: create a Tailnet coordinator // - "ActionDelete" :: delete a Tailnet coordinator // - "ActionRead" :: view info about a Tailnet coordinator // - "ActionUpdate" :: update a Tailnet coordinator ResourceTailnetCoordinator = Object{ Type: "tailnet_coordinator", } // ResourceTemplate // Valid Actions // - "ActionCreate" :: create a template // - "ActionDelete" :: delete a template // - "ActionRead" :: read template // - "ActionUpdate" :: update a template // - "ActionUse" :: use the template to initially create a workspace, then workspace lifecycle permissions take over // - "ActionViewInsights" :: view insights ResourceTemplate = Object{ Type: "template", } // ResourceUsageEvent // Valid Actions // - "ActionCreate" :: create a usage event // - "ActionRead" :: read usage events // - "ActionUpdate" :: update usage events ResourceUsageEvent = Object{ Type: "usage_event", } // ResourceUser // Valid Actions // - "ActionCreate" :: create a new user // - "ActionDelete" :: delete an existing user // - "ActionRead" :: read user data // - "ActionReadPersonal" :: read personal user data like user settings and auth links // - "ActionUpdate" :: update an existing user // - "ActionUpdatePersonal" :: update personal data ResourceUser = Object{ Type: "user", } // ResourceUserSecret // Valid Actions // - "ActionCreate" :: create a user secret // - "ActionDelete" :: delete a user secret // - "ActionRead" :: read user secret metadata and value // - "ActionUpdate" :: update user secret metadata and value ResourceUserSecret = Object{ Type: "user_secret", } // ResourceWebpushSubscription // Valid Actions // - "ActionCreate" :: create webpush subscriptions // - "ActionDelete" :: delete webpush subscriptions // - "ActionRead" :: read webpush subscriptions ResourceWebpushSubscription = Object{ Type: "webpush_subscription", } // ResourceWorkspace // Valid Actions // - "ActionApplicationConnect" :: connect to workspace apps via browser // - "ActionCreate" :: create a new workspace // - "ActionCreateAgent" :: create a new workspace agent // - "ActionDelete" :: delete workspace // - "ActionDeleteAgent" :: delete an existing workspace agent // - "ActionRead" :: read workspace data to view on the UI // - "ActionSSH" :: ssh into a given workspace // - "ActionWorkspaceStart" :: allows starting a workspace // - "ActionWorkspaceStop" :: allows stopping a workspace // - "ActionUpdate" :: edit workspace settings (scheduling, permissions, parameters) ResourceWorkspace = Object{ Type: "workspace", } // ResourceWorkspaceAgentDevcontainers // Valid Actions // - "ActionCreate" :: create workspace agent devcontainers ResourceWorkspaceAgentDevcontainers = Object{ Type: "workspace_agent_devcontainers", } // ResourceWorkspaceAgentResourceMonitor // Valid Actions // - "ActionCreate" :: create workspace agent resource monitor // - "ActionRead" :: read workspace agent resource monitor // - "ActionUpdate" :: update workspace agent resource monitor ResourceWorkspaceAgentResourceMonitor = Object{ Type: "workspace_agent_resource_monitor", } // ResourceWorkspaceDormant // Valid Actions // - "ActionApplicationConnect" :: connect to workspace apps via browser // - "ActionCreate" :: create a new workspace // - "ActionCreateAgent" :: create a new workspace agent // - "ActionDelete" :: delete workspace // - "ActionDeleteAgent" :: delete an existing workspace agent // - "ActionRead" :: read workspace data to view on the UI // - "ActionSSH" :: ssh into a given workspace // - "ActionWorkspaceStart" :: allows starting a workspace // - "ActionWorkspaceStop" :: allows stopping a workspace // - "ActionUpdate" :: edit workspace settings (scheduling, permissions, parameters) ResourceWorkspaceDormant = Object{ Type: "workspace_dormant", } // ResourceWorkspaceProxy // Valid Actions // - "ActionCreate" :: create a workspace proxy // - "ActionDelete" :: delete a workspace proxy // - "ActionRead" :: read and use a workspace proxy // - "ActionUpdate" :: update a workspace proxy ResourceWorkspaceProxy = Object{ Type: "workspace_proxy", } )
Functions ¶
func AllActions ¶
func CanAssignRole ¶
func CanAssignRole(subjectHasRoles ExpandableRoles, assignedRole RoleIdentifier) bool
CanAssignRole is a helper function that returns true if the user can assign the specified role. This also can be used for removing a role. This is a simple implementation for now.
func ChangeRoleSet ¶
func ChangeRoleSet(from []RoleIdentifier, to []RoleIdentifier) (added []RoleIdentifier, removed []RoleIdentifier)
ChangeRoleSet is a helper function that finds the difference of 2 sets of roles. When setting a user's new roles, it is equivalent to adding and removing roles. This set determines the changes, so that the appropriate RBAC checks can be applied using "ActionCreate" and "ActionDelete" for "added" and "removed" roles respectively.
func CompositeScopeNames ¶ added in v2.27.0
func CompositeScopeNames() []string
CompositeScopeNames lists all high-level coder:* names in sorted order.
func ConfigWithACL ¶
func ConfigWithACL() regosql.ConvertConfig
ConfigWithACL is the basic configuration for converting rego to SQL when the object has group and user ACL fields.
func ConfigWithoutACL ¶
func ConfigWithoutACL() regosql.ConvertConfig
ConfigWithoutACL is the basic configuration for converting rego to SQL when the object has no ACL fields.
func ConfigWorkspaces ¶ added in v2.8.0
func ConfigWorkspaces() regosql.ConvertConfig
func ExternalScopeNames ¶ added in v2.27.0
func ExternalScopeNames() []string
ExternalScopeNames returns a sorted list of all public scopes, which includes the `all` and `application_connect` special scopes, curated low-level resource:action names, and curated composite coder:* scopes.
func Filter ¶
func Filter[O Objecter](ctx context.Context, auth Authorizer, subject Subject, action policy.Action, objects []O) ([]O, error)
Filter takes in a list of objects, and will filter the list removing all the elements the subject does not have permission for. All objects must be of the same type.
Ideally the 'CompileToSQL' is used instead for large sets. This cost scales linearly with the number of objects passed in.
func IsExternalScope ¶ added in v2.27.0
IsExternalScope returns true if the scope is public, including the `all` and `application_connect` special scopes and the curated low-level resource:action scopes.
func IsUnauthorizedError ¶
IsUnauthorizedError is a convenience function to check if err is UnauthorizedError. It is equivalent to errors.As(err, &UnauthorizedError{}).
func ParseResourceAction ¶ added in v2.27.0
ParseResourceAction parses a scope string formatted as "<resource>:<action>" and returns the resource and action components. This is the common parsing logic shared between RBAC and database validation.
func ReloadBuiltinRoles ¶
func ReloadBuiltinRoles(opts *RoleOptions)
ReloadBuiltinRoles loads the static roles into the builtInRoles map. This can be called again with a different config to change the behavior.
TODO: @emyrk This would be great if it was instanced to a coderd rather than a global. But that is a much larger refactor right now. Essentially we did not foresee different deployments needing slightly different role permissions.
func ReservedRoleName ¶ added in v2.13.0
ReservedRoleName exists because the database should only allow unique role names, but some roles are built in. So these names are reserved
func RoleOrgAdmin ¶
func RoleOrgAdmin() string
func RoleOrgAuditor ¶ added in v2.14.0
func RoleOrgAuditor() string
func RoleOrgMember ¶
func RoleOrgMember() string
func RoleOrgTemplateAdmin ¶ added in v2.14.0
func RoleOrgTemplateAdmin() string
func RoleOrgUserAdmin ¶ added in v2.14.0
func RoleOrgUserAdmin() string
func RoleOrgWorkspaceCreationBan ¶ added in v2.20.0
func RoleOrgWorkspaceCreationBan() string
Types ¶
type AllowListElement ¶ added in v2.27.0
type AllowListElement struct {
// ID must be a string to allow for the wildcard symbol.
ID string `json:"id"`
Type string `json:"type"`
}
func AllowListAll ¶ added in v2.27.0
func AllowListAll() AllowListElement
func (AllowListElement) String ¶ added in v2.27.0
func (e AllowListElement) String() string
String encodes the allow list element into the canonical database representation "type:id". This avoids fragile manual concatenations scattered across the codebase.
type AuthorizeFilter ¶
type AuthorizeFilter interface {
SQLString() string
}
AuthorizeFilter is a compiled partial query that can be converted to SQL. This allows enforcing the policy on the database side in a WHERE clause.
func Compile ¶
func Compile(cfg regosql.ConvertConfig, pa *PartialAuthorizer) (AuthorizeFilter, error)
type Authorizer ¶
type Authorizer interface {
// Authorize will authorize the given subject to perform the given action
// on the given object. Authorize is pure and deterministic with respect to
// its arguments and the surrounding object.
Authorize(ctx context.Context, subject Subject, action policy.Action, object Object) error
Prepare(ctx context.Context, subject Subject, action policy.Action, objectType string) (PreparedAuthorized, error)
}
func Cacher ¶
func Cacher(authz Authorizer) Authorizer
Cacher returns an Authorizer that can use a cache to short circuit duplicate calls to the Authorizer. This is useful when multiple calls are made to the Authorizer for the same subject, action, and object. This is a GLOBAL cache shared between all requests. If no cache is found on the context, the Authorizer is called as normal.
Cacher is safe for multiple actors.
func NewCachingAuthorizer ¶
func NewCachingAuthorizer(registry prometheus.Registerer) Authorizer
NewCachingAuthorizer returns a new RegoAuthorizer that supports context based caching. To utilize the caching, the context passed to Authorize() must be created with 'WithCacheCtx(ctx)'.
func NewStrictCachingAuthorizer ¶ added in v2.12.0
func NewStrictCachingAuthorizer(registry prometheus.Registerer) Authorizer
NewStrictCachingAuthorizer is mainly just for testing.
func Recorder ¶ added in v2.22.0
func Recorder(authz Authorizer) Authorizer
Recorder returns an Authorizer that records any authorization checks made on the Context provided for the authorization check.
Requires using the RecordAuthzChecks middleware.
type AuthzCheckRecorder ¶ added in v2.22.0
type AuthzCheckRecorder struct {
// contains filtered or unexported fields
}
func GetAuthzCheckRecorder ¶ added in v2.22.0
func GetAuthzCheckRecorder(ctx context.Context) (*AuthzCheckRecorder, bool)
func (*AuthzCheckRecorder) String ¶ added in v2.22.0
func (r *AuthzCheckRecorder) String() string
String serializes all of the checks recorded, using the following syntax:
type ExpandableRoles ¶
type ExpandableRoles interface {
Expand() ([]Role, error)
// Names is for logging and tracing purposes, we want to know the human
// names of the expanded roles.
Names() []RoleIdentifier
}
ExpandableRoles is any type that can be expanded into a []Role. This is implemented as an interface so we can have RoleIdentifiers for user defined roles, and implement custom ExpandableRoles for system type users (eg autostart/autostop system role). We want a clear divide between the two types of roles so users have no codepath to interact or assign system roles.
Note: We may also want to do the same thing with scopes to allow custom scope support unavailable to the user. Eg: Scope to a single resource.
type ExpandableScope ¶
type ExpandableScope interface {
Expand() (Scope, error)
// Name is for logging and tracing purposes, we want to know the human
// name of the scope.
Name() RoleIdentifier
}
type Object ¶
type Object struct {
// ID is the resource's uuid
ID string `json:"id"`
Owner string `json:"owner"`
// OrgID specifies which org the object is a part of.
OrgID string `json:"org_owner"`
// AnyOrgOwner will disregard the org_owner when checking for permissions
// Use this to ask, "Can the actor do this action on any org?" when
// the exact organization is not important or known.
// E.g: The UI should show a "create template" button if the user
// can create a template in any org.
AnyOrgOwner bool `json:"any_org"`
// Type is "workspace", "project", "app", etc
Type string `json:"type"`
ACLUserList map[string][]policy.Action ` json:"acl_user_list"`
ACLGroupList map[string][]policy.Action ` json:"acl_group_list"`
}
Object is used to create objects for authz checks when you have none in hand to run the check on. An example is if you want to list all workspaces, you can create a Object that represents the set of workspaces you are trying to get access too. Do not export this type, as it can be created from a resource type constant.
func ResourceUserObject ¶
ResourceUserObject is a helper function to create a user object for authz checks.
func (Object) AnyOrganization ¶ added in v2.14.0
func (Object) AvailableActions ¶ added in v2.12.0
AvailableActions returns all available actions for a given object. Wildcard is omitted.
func (Object) RBACObject ¶
func (Object) ValidAction ¶ added in v2.12.0
ValidAction checks if the action is valid for the given object type.
func (Object) WithACLUserList ¶
WithACLUserList adds an ACL list to a given object
func (Object) WithIDString ¶
type Objecter ¶
type Objecter interface {
RBACObject() Object
}
Objecter returns the RBAC object for itself.
func AllResources ¶
func AllResources() []Objecter
type PartialAuthorizer ¶
type PartialAuthorizer struct {
// contains filtered or unexported fields
}
PartialAuthorizer is a prepared authorizer with the subject, action, and resource type fields already filled in. This speeds up authorization when authorizing the same type of object numerous times. See rbac.Filter for example usage.
func (*PartialAuthorizer) Authorize ¶
func (pa *PartialAuthorizer) Authorize(ctx context.Context, object Object) error
func (*PartialAuthorizer) CompileToSQL ¶
func (pa *PartialAuthorizer) CompileToSQL(ctx context.Context, cfg regosql.ConvertConfig) (string, error)
CompileToSQL converts the remaining rego queries into SQL WHERE clauses.
type Permission ¶
type Permission struct {
// Negate makes this a negative permission
Negate bool `json:"negate"`
ResourceType string `json:"resource_type"`
Action policy.Action `json:"action"`
}
Permission is the format passed into the rego.
func CompositeSitePermissions ¶ added in v2.27.0
func CompositeSitePermissions(name ScopeName) ([]Permission, bool)
CompositeSitePermissions returns the site-level Permission list for a coder:* scope.
func DeduplicatePermissions ¶ added in v2.27.0
func DeduplicatePermissions(perms []Permission) []Permission
DeduplicatePermissions removes duplicate Permission entries while preserving the original order of the first occurrence for deterministic evaluation.
func Permissions ¶
func Permissions(perms map[string][]policy.Action) []Permission
Permissions is just a helper function to make building roles that list out resources and actions a bit easier.
func (Permission) Valid ¶ added in v2.12.0
func (perm Permission) Valid() error
type PreparedAuthorized ¶
type RegoAuthorizer ¶
type RegoAuthorizer struct {
// contains filtered or unexported fields
}
RegoAuthorizer will use a prepared rego query for performing authorize()
func NewAuthorizer ¶
func NewAuthorizer(registry prometheus.Registerer) *RegoAuthorizer
func (RegoAuthorizer) Authorize ¶
func (a RegoAuthorizer) Authorize(ctx context.Context, subject Subject, action policy.Action, object Object) error
Authorize is the intended function to be used outside this package. It returns `nil` if the subject is authorized to perform the action on the object. If an error is returned, the authorization is denied.
func (RegoAuthorizer) Prepare ¶
func (a RegoAuthorizer) Prepare(ctx context.Context, subject Subject, action policy.Action, objectType string) (PreparedAuthorized, error)
Prepare will partially execute the rego policy leaving the object fields unknown (except for the type). This will vastly speed up performance if batch authorization on the same type of objects is needed.
type Role ¶
type Role struct {
Identifier RoleIdentifier `json:"name"`
// DisplayName is used for UI purposes. If the role has no display name,
// that means the UI should never display it.
DisplayName string `json:"display_name"`
Site []Permission `json:"site"`
// Org is a map of orgid to permissions. We represent orgid as a string.
// We scope the organizations in the role so we can easily combine all the
// roles.
Org map[string][]Permission `json:"org"`
User []Permission `json:"user"`
// contains filtered or unexported fields
}
Role is a set of permissions at multiple levels: - Site level permissions apply EVERYWHERE - Org level permissions apply to EVERYTHING in a given ORG - User level permissions are the lowest This is the type passed into the rego as a json payload. Users of this package should instead **only** use the role names, and this package will expand the role names into their json payloads.
func OrganizationRoles ¶
OrganizationRoles lists all roles that can be applied to an organization user in the given organization. This is the list of available roles, and specific to an organization.
This should be a list in a database, but until then we build the list from the builtins.
func RoleByName ¶
func RoleByName(name RoleIdentifier) (Role, error)
RoleByName returns the permissions associated with a given role name. This allows just the role names to be stored and expanded when required.
This function is exported so that the Display name can be returned to the api. We should maybe make an exported function that returns just the human-readable content of the Role struct (name + display name).
func SiteBuiltInRoles ¶ added in v2.23.0
func SiteBuiltInRoles() []Role
SiteBuiltInRoles lists all roles that can be applied to a user. This is the list of available roles, and not specific to a user
This should be a list in a database, but until then we build the list from the builtins.
type RoleIdentifier ¶ added in v2.13.0
type RoleIdentifier struct {
Name string
// OrganizationID is uuid.Nil for unscoped roles (aka deployment wide)
OrganizationID uuid.UUID
}
RoleIdentifier contains both the name of the role, and any organizational scope. Both fields are required to be globally unique and identifiable.
func CustomOrganizationRole ¶ added in v2.13.0
func CustomOrganizationRole(orgID uuid.UUID) RoleIdentifier
func CustomSiteRole ¶ added in v2.12.0
func CustomSiteRole() RoleIdentifier
func RoleAuditor ¶ added in v2.13.0
func RoleAuditor() RoleIdentifier
func RoleMember ¶
func RoleMember() RoleIdentifier
func RoleNameFromString ¶ added in v2.13.0
func RoleNameFromString(input string) (RoleIdentifier, error)
RoleNameFromString takes a formatted string '<role_name>[:org_id]'.
func RoleOwner ¶
func RoleOwner() RoleIdentifier
func RoleTemplateAdmin ¶
func RoleTemplateAdmin() RoleIdentifier
func RoleUserAdmin ¶
func RoleUserAdmin() RoleIdentifier
func ScopedRoleOrgAdmin ¶ added in v2.13.0
func ScopedRoleOrgAdmin(organizationID uuid.UUID) RoleIdentifier
ScopedRoleOrgAdmin is the org role with the organization ID
func ScopedRoleOrgAuditor ¶ added in v2.14.0
func ScopedRoleOrgAuditor(organizationID uuid.UUID) RoleIdentifier
func ScopedRoleOrgMember ¶ added in v2.13.0
func ScopedRoleOrgMember(organizationID uuid.UUID) RoleIdentifier
ScopedRoleOrgMember is the org role with the organization ID
func ScopedRoleOrgTemplateAdmin ¶ added in v2.14.0
func ScopedRoleOrgTemplateAdmin(organizationID uuid.UUID) RoleIdentifier
func ScopedRoleOrgUserAdmin ¶ added in v2.14.0
func ScopedRoleOrgUserAdmin(organizationID uuid.UUID) RoleIdentifier
func ScopedRoleOrgWorkspaceCreationBan ¶ added in v2.20.0
func ScopedRoleOrgWorkspaceCreationBan(organizationID uuid.UUID) RoleIdentifier
func (RoleIdentifier) IsOrgRole ¶ added in v2.13.0
func (r RoleIdentifier) IsOrgRole() bool
func (*RoleIdentifier) MarshalJSON ¶ added in v2.13.0
func (r *RoleIdentifier) MarshalJSON() ([]byte, error)
func (RoleIdentifier) String ¶ added in v2.13.0
func (r RoleIdentifier) String() string
func (RoleIdentifier) UniqueName ¶ added in v2.13.0
func (r RoleIdentifier) UniqueName() string
func (*RoleIdentifier) UnmarshalJSON ¶ added in v2.13.0
func (r *RoleIdentifier) UnmarshalJSON(data []byte) error
type RoleIdentifiers ¶ added in v2.13.0
type RoleIdentifiers []RoleIdentifier
RoleIdentifiers is a list of user assignable role names. The role names must be in the builtInRoles map. Any non-user assignable roles will generate an error on Expand.
func (RoleIdentifiers) Expand ¶ added in v2.13.0
func (names RoleIdentifiers) Expand() ([]Role, error)
func (RoleIdentifiers) Names ¶ added in v2.13.0
func (names RoleIdentifiers) Names() []RoleIdentifier
type RoleOptions ¶
type RoleOptions struct {
NoOwnerWorkspaceExec bool
}
type Scope ¶
type Scope struct {
Role
AllowIDList []AllowListElement `json:"allow_list"`
}
Scope acts the exact same as a Role with the addition that is can also apply an AllowIDList. Any resource being checked against a Scope will reject any resource that is not in the AllowIDList. To not use an AllowIDList to reject authorization, use a wildcard for the AllowIDList. Eg: 'AllowIDList: []string{WildcardSymbol}'
func ExpandScope ¶
func WorkspaceAgentScope ¶
func WorkspaceAgentScope(params WorkspaceAgentScopeParams) Scope
WorkspaceAgentScope returns a scope that is the same as ScopeAll but can only affect resources in the allow list. Only a scope is returned as the roles should come from the workspace owner.
func (Scope) Name ¶
func (s Scope) Name() RoleIdentifier
type ScopeName ¶
type ScopeName string
const ( ScopeAibridgeInterceptionCreate ScopeName = "aibridge_interception:create" ScopeAibridgeInterceptionRead ScopeName = "aibridge_interception:read" ScopeAibridgeInterceptionUpdate ScopeName = "aibridge_interception:update" ScopeApiKeyCreate ScopeName = "api_key:create" ScopeApiKeyDelete ScopeName = "api_key:delete" ScopeApiKeyRead ScopeName = "api_key:read" ScopeApiKeyUpdate ScopeName = "api_key:update" ScopeAssignOrgRoleAssign ScopeName = "assign_org_role:assign" ScopeAssignOrgRoleCreate ScopeName = "assign_org_role:create" ScopeAssignOrgRoleDelete ScopeName = "assign_org_role:delete" ScopeAssignOrgRoleRead ScopeName = "assign_org_role:read" ScopeAssignOrgRoleUnassign ScopeName = "assign_org_role:unassign" ScopeAssignOrgRoleUpdate ScopeName = "assign_org_role:update" ScopeAssignRoleAssign ScopeName = "assign_role:assign" ScopeAssignRoleRead ScopeName = "assign_role:read" ScopeAssignRoleUnassign ScopeName = "assign_role:unassign" ScopeAuditLogCreate ScopeName = "audit_log:create" ScopeAuditLogRead ScopeName = "audit_log:read" ScopeConnectionLogRead ScopeName = "connection_log:read" ScopeConnectionLogUpdate ScopeName = "connection_log:update" ScopeCryptoKeyCreate ScopeName = "crypto_key:create" ScopeCryptoKeyDelete ScopeName = "crypto_key:delete" ScopeCryptoKeyRead ScopeName = "crypto_key:read" ScopeCryptoKeyUpdate ScopeName = "crypto_key:update" ScopeDebugInfoRead ScopeName = "debug_info:read" ScopeDeploymentConfigRead ScopeName = "deployment_config:read" ScopeDeploymentConfigUpdate ScopeName = "deployment_config:update" ScopeDeploymentStatsRead ScopeName = "deployment_stats:read" ScopeFileCreate ScopeName = "file:create" ScopeFileRead ScopeName = "file:read" ScopeGroupCreate ScopeName = "group:create" ScopeGroupDelete ScopeName = "group:delete" ScopeGroupRead ScopeName = "group:read" ScopeGroupUpdate ScopeName = "group:update" ScopeGroupMemberRead ScopeName = "group_member:read" ScopeIdpsyncSettingsRead ScopeName = "idpsync_settings:read" ScopeIdpsyncSettingsUpdate ScopeName = "idpsync_settings:update" ScopeInboxNotificationCreate ScopeName = "inbox_notification:create" ScopeInboxNotificationRead ScopeName = "inbox_notification:read" ScopeInboxNotificationUpdate ScopeName = "inbox_notification:update" ScopeLicenseCreate ScopeName = "license:create" ScopeLicenseDelete ScopeName = "license:delete" ScopeLicenseRead ScopeName = "license:read" ScopeNotificationMessageCreate ScopeName = "notification_message:create" ScopeNotificationMessageDelete ScopeName = "notification_message:delete" ScopeNotificationMessageRead ScopeName = "notification_message:read" ScopeNotificationMessageUpdate ScopeName = "notification_message:update" ScopeNotificationPreferenceRead ScopeName = "notification_preference:read" ScopeNotificationPreferenceUpdate ScopeName = "notification_preference:update" ScopeNotificationTemplateRead ScopeName = "notification_template:read" ScopeNotificationTemplateUpdate ScopeName = "notification_template:update" ScopeOauth2AppCreate ScopeName = "oauth2_app:create" ScopeOauth2AppDelete ScopeName = "oauth2_app:delete" ScopeOauth2AppRead ScopeName = "oauth2_app:read" ScopeOauth2AppUpdate ScopeName = "oauth2_app:update" ScopeOauth2AppCodeTokenCreate ScopeName = "oauth2_app_code_token:create" ScopeOauth2AppCodeTokenDelete ScopeName = "oauth2_app_code_token:delete" ScopeOauth2AppCodeTokenRead ScopeName = "oauth2_app_code_token:read" ScopeOauth2AppSecretCreate ScopeName = "oauth2_app_secret:create" ScopeOauth2AppSecretDelete ScopeName = "oauth2_app_secret:delete" ScopeOauth2AppSecretRead ScopeName = "oauth2_app_secret:read" ScopeOauth2AppSecretUpdate ScopeName = "oauth2_app_secret:update" ScopeOrganizationCreate ScopeName = "organization:create" ScopeOrganizationDelete ScopeName = "organization:delete" ScopeOrganizationRead ScopeName = "organization:read" ScopeOrganizationUpdate ScopeName = "organization:update" ScopeOrganizationMemberCreate ScopeName = "organization_member:create" ScopeOrganizationMemberDelete ScopeName = "organization_member:delete" ScopeOrganizationMemberRead ScopeName = "organization_member:read" ScopeOrganizationMemberUpdate ScopeName = "organization_member:update" ScopePrebuiltWorkspaceDelete ScopeName = "prebuilt_workspace:delete" ScopePrebuiltWorkspaceUpdate ScopeName = "prebuilt_workspace:update" ScopeProvisionerDaemonCreate ScopeName = "provisioner_daemon:create" ScopeProvisionerDaemonDelete ScopeName = "provisioner_daemon:delete" ScopeProvisionerDaemonRead ScopeName = "provisioner_daemon:read" ScopeProvisionerDaemonUpdate ScopeName = "provisioner_daemon:update" ScopeProvisionerJobsCreate ScopeName = "provisioner_jobs:create" ScopeProvisionerJobsRead ScopeName = "provisioner_jobs:read" ScopeProvisionerJobsUpdate ScopeName = "provisioner_jobs:update" ScopeReplicasRead ScopeName = "replicas:read" ScopeSystemCreate ScopeName = "system:create" ScopeSystemDelete ScopeName = "system:delete" ScopeSystemRead ScopeName = "system:read" ScopeSystemUpdate ScopeName = "system:update" ScopeTailnetCoordinatorCreate ScopeName = "tailnet_coordinator:create" ScopeTailnetCoordinatorDelete ScopeName = "tailnet_coordinator:delete" ScopeTailnetCoordinatorRead ScopeName = "tailnet_coordinator:read" ScopeTailnetCoordinatorUpdate ScopeName = "tailnet_coordinator:update" ScopeTemplateCreate ScopeName = "template:create" ScopeTemplateDelete ScopeName = "template:delete" ScopeTemplateRead ScopeName = "template:read" ScopeTemplateUpdate ScopeName = "template:update" ScopeTemplateUse ScopeName = "template:use" ScopeTemplateViewInsights ScopeName = "template:view_insights" ScopeUsageEventCreate ScopeName = "usage_event:create" ScopeUsageEventRead ScopeName = "usage_event:read" ScopeUsageEventUpdate ScopeName = "usage_event:update" ScopeUserCreate ScopeName = "user:create" ScopeUserDelete ScopeName = "user:delete" ScopeUserRead ScopeName = "user:read" ScopeUserReadPersonal ScopeName = "user:read_personal" ScopeUserUpdate ScopeName = "user:update" ScopeUserUpdatePersonal ScopeName = "user:update_personal" ScopeUserSecretCreate ScopeName = "user_secret:create" ScopeUserSecretDelete ScopeName = "user_secret:delete" ScopeUserSecretRead ScopeName = "user_secret:read" ScopeUserSecretUpdate ScopeName = "user_secret:update" ScopeWebpushSubscriptionCreate ScopeName = "webpush_subscription:create" ScopeWebpushSubscriptionDelete ScopeName = "webpush_subscription:delete" ScopeWebpushSubscriptionRead ScopeName = "webpush_subscription:read" ScopeWorkspaceApplicationConnect ScopeName = "workspace:application_connect" ScopeWorkspaceCreate ScopeName = "workspace:create" ScopeWorkspaceCreateAgent ScopeName = "workspace:create_agent" ScopeWorkspaceDelete ScopeName = "workspace:delete" ScopeWorkspaceDeleteAgent ScopeName = "workspace:delete_agent" ScopeWorkspaceRead ScopeName = "workspace:read" ScopeWorkspaceSsh ScopeName = "workspace:ssh" ScopeWorkspaceStart ScopeName = "workspace:start" ScopeWorkspaceStop ScopeName = "workspace:stop" ScopeWorkspaceUpdate ScopeName = "workspace:update" ScopeWorkspaceAgentDevcontainersCreate ScopeName = "workspace_agent_devcontainers:create" ScopeWorkspaceAgentResourceMonitorCreate ScopeName = "workspace_agent_resource_monitor:create" ScopeWorkspaceAgentResourceMonitorRead ScopeName = "workspace_agent_resource_monitor:read" ScopeWorkspaceAgentResourceMonitorUpdate ScopeName = "workspace_agent_resource_monitor:update" ScopeWorkspaceDormantApplicationConnect ScopeName = "workspace_dormant:application_connect" ScopeWorkspaceDormantCreate ScopeName = "workspace_dormant:create" ScopeWorkspaceDormantCreateAgent ScopeName = "workspace_dormant:create_agent" ScopeWorkspaceDormantDelete ScopeName = "workspace_dormant:delete" ScopeWorkspaceDormantDeleteAgent ScopeName = "workspace_dormant:delete_agent" ScopeWorkspaceDormantRead ScopeName = "workspace_dormant:read" ScopeWorkspaceDormantSsh ScopeName = "workspace_dormant:ssh" ScopeWorkspaceDormantStart ScopeName = "workspace_dormant:start" ScopeWorkspaceDormantStop ScopeName = "workspace_dormant:stop" ScopeWorkspaceDormantUpdate ScopeName = "workspace_dormant:update" ScopeWorkspaceProxyCreate ScopeName = "workspace_proxy:create" ScopeWorkspaceProxyDelete ScopeName = "workspace_proxy:delete" ScopeWorkspaceProxyRead ScopeName = "workspace_proxy:read" ScopeWorkspaceProxyUpdate ScopeName = "workspace_proxy:update" )
func AllScopeNameValues ¶ added in v2.27.0
func AllScopeNameValues() []ScopeName
AllScopeNameValues returns a slice containing all known scope values, including builtin and generated low-level scopes.
func BuiltinScopeNames ¶ added in v2.27.0
func BuiltinScopeNames() []ScopeName
BuiltinScopeNames returns the list of built-in high-level scope names defined in this package (e.g., "all", "application_connect"). The result is sorted for deterministic ordering in code generation and tests.
func (ScopeName) Name ¶
func (name ScopeName) Name() RoleIdentifier
func (ScopeName) Valid ¶ added in v2.27.0
Valid reports whether the ScopeName matches one of the known scope values. This includes both builtin scope names and generated low-level scopes. Builtins are sourced from rbac.BuiltinScopeNames() at generation time to ensure changes in rbac/scopes.go remain in sync here.
type Subject ¶
type Subject struct {
// FriendlyName is entirely optional and is used for logging and debugging
// It is not used in any functional way.
// It is usually the "username" of the user, but it can be the name of the
// external workspace proxy or other service type actor.
FriendlyName string
// Email is entirely optional and is used for logging and debugging
// It is not used in any functional way.
Email string
// Type indicates what kind of subject this is (user, system, provisioner, etc.)
// It is not used in any functional way, only for logging.
Type SubjectType
ID string
Roles ExpandableRoles
Groups []string
Scope ExpandableScope
// contains filtered or unexported fields
}
Subject is a struct that contains all the elements of a subject in an rbac authorize.
func (Subject) RegoValueOk ¶ added in v2.13.0
RegoValueOk is only used for unit testing. There is no easy way to get the error for the unexported method, and this is intentional. Failed rego values can default to the backup json marshal method, so errors are not fatal. Unit tests should be aware when the custom rego marshaller fails.
func (Subject) SafeRoleNames ¶
func (s Subject) SafeRoleNames() []RoleIdentifier
SafeRoleNames prevent nil pointer dereference.
func (Subject) SafeScopeName ¶
SafeScopeName prevent nil pointer dereference.
func (Subject) WithCachedASTValue ¶
WithCachedASTValue can be called if the subject is static. This will compute the ast value once and cache it for future calls.
type SubjectType ¶ added in v2.19.2
type SubjectType string
SubjectType represents the type of subject in the RBAC system.
const ( SubjectTypeUser SubjectType = "user" SubjectTypeProvisionerd SubjectType = "provisionerd" SubjectTypeAutostart SubjectType = "autostart" SubjectTypeConnectionLogger SubjectType = "connection_logger" SubjectTypeJobReaper SubjectType = "job_reaper" SubjectTypeResourceMonitor SubjectType = "resource_monitor" SubjectTypeCryptoKeyRotator SubjectType = "crypto_key_rotator" SubjectTypeCryptoKeyReader SubjectType = "crypto_key_reader" SubjectTypePrebuildsOrchestrator SubjectType = "prebuilds_orchestrator" SubjectTypeSystemReadProvisionerDaemons SubjectType = "system_read_provisioner_daemons" SubjectTypeSystemRestricted SubjectType = "system_restricted" SubjectTypeNotifier SubjectType = "notifier" SubjectTypeSubAgentAPI SubjectType = "sub_agent_api" SubjectTypeFileReader SubjectType = "file_reader" SubjectTypeUsagePublisher SubjectType = "usage_publisher" SubjectAibridged SubjectType = "aibridged" )
type UnauthorizedError ¶
type UnauthorizedError struct {
// contains filtered or unexported fields
}
UnauthorizedError is the error type for authorization errors
func ForbiddenWithInternal ¶
func ForbiddenWithInternal(internal error, subject Subject, action policy.Action, object Object, output rego.ResultSet) *UnauthorizedError
ForbiddenWithInternal creates a new error that will return a simple "forbidden" to the client, logging internally the more detailed message provided.
func (*UnauthorizedError) As ¶
func (*UnauthorizedError) As(target interface{}) bool
As implements the errors.As interface.
func (UnauthorizedError) Error ¶
func (e UnauthorizedError) Error() string
Error implements the error interface.
func (*UnauthorizedError) Input ¶
func (e *UnauthorizedError) Input() map[string]interface{}
func (*UnauthorizedError) Internal ¶
func (e *UnauthorizedError) Internal() error
Internal allows the internal error message to be logged.
func (UnauthorizedError) IsUnauthorized ¶ added in v2.1.5
func (UnauthorizedError) IsUnauthorized() bool
IsUnauthorized implements the IsUnauthorized interface.
func (*UnauthorizedError) Output ¶
func (e *UnauthorizedError) Output() rego.ResultSet
Output contains the results of the Rego query for debugging.
func (*UnauthorizedError) SetInternal ¶
func (e *UnauthorizedError) SetInternal(err error)
func (UnauthorizedError) Unwrap ¶
func (e UnauthorizedError) Unwrap() error
Source Files
¶
Directories
¶
| Path | Synopsis |
|---|---|
|
Package regosql converts rego queries into SQL WHERE clauses.
|
Package regosql converts rego queries into SQL WHERE clauses. |
|
sqltypes
Package sqltypes contains the types used to convert rego queries into SQL.
|
Package sqltypes contains the types used to convert rego queries into SQL. |