diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go index 289e4c9a3f..b444d50a8c 100644 --- a/coderd/apidoc/docs.go +++ b/coderd/apidoc/docs.go @@ -11530,11 +11530,29 @@ const docTemplate = `{ "enum": [ "all", "application_connect", + "aibridge_interception:*", + "aibridge_interception:create", + "aibridge_interception:read", + "aibridge_interception:update", "api_key:*", "api_key:create", "api_key:delete", "api_key:read", "api_key:update", + "assign_org_role:*", + "assign_org_role:assign", + "assign_org_role:create", + "assign_org_role:delete", + "assign_org_role:read", + "assign_org_role:unassign", + "assign_org_role:update", + "assign_role:*", + "assign_role:assign", + "assign_role:read", + "assign_role:unassign", + "audit_log:*", + "audit_log:create", + "audit_log:read", "coder:all", "coder:apikeys.manage_self", "coder:application_connect", 
@@ -11544,40 +11562,188 @@ const docTemplate = `{ "coder:workspaces.create", "coder:workspaces.delete", "coder:workspaces.operate", + "connection_log:*", + "connection_log:read", + "connection_log:update", + "crypto_key:*", + "crypto_key:create", + "crypto_key:delete", + "crypto_key:read", + "crypto_key:update", + "debug_info:*", + "debug_info:read", + "deployment_config:*", + "deployment_config:read", + "deployment_config:update", + "deployment_stats:*", + "deployment_stats:read", "file:*", "file:create", "file:read", + "group:*", + "group:create", + "group:delete", + "group:read", + "group:update", + "group_member:*", + "group_member:read", + "idpsync_settings:*", + "idpsync_settings:read", + "idpsync_settings:update", + "inbox_notification:*", + "inbox_notification:create", + "inbox_notification:read", + "inbox_notification:update", + "license:*", + "license:create", + "license:delete", + "license:read", + "notification_message:*", + "notification_message:create", + "notification_message:delete", + "notification_message:read", + "notification_message:update", + "notification_preference:*", + "notification_preference:read", + "notification_preference:update", + "notification_template:*", + "notification_template:read", + "notification_template:update", + "oauth2_app:*", + "oauth2_app:create", + "oauth2_app:delete", + "oauth2_app:read", + "oauth2_app:update", + "oauth2_app_code_token:*", + "oauth2_app_code_token:create", + "oauth2_app_code_token:delete", + "oauth2_app_code_token:read", + "oauth2_app_secret:*", + "oauth2_app_secret:create", + "oauth2_app_secret:delete", + "oauth2_app_secret:read", + "oauth2_app_secret:update", + "organization:*", + "organization:create", + "organization:delete", + "organization:read", + "organization:update", + "organization_member:*", + "organization_member:create", + "organization_member:delete", + "organization_member:read", + "organization_member:update", + "prebuilt_workspace:*", + "prebuilt_workspace:delete", + 
"prebuilt_workspace:update", + "provisioner_daemon:*", + "provisioner_daemon:create", + "provisioner_daemon:delete", + "provisioner_daemon:read", + "provisioner_daemon:update", + "provisioner_jobs:*", + "provisioner_jobs:create", + "provisioner_jobs:read", + "provisioner_jobs:update", + "replicas:*", + "replicas:read", + "system:*", + "system:create", + "system:delete", + "system:read", + "system:update", + "tailnet_coordinator:*", + "tailnet_coordinator:create", + "tailnet_coordinator:delete", + "tailnet_coordinator:read", + "tailnet_coordinator:update", "template:*", "template:create", "template:delete", "template:read", "template:update", "template:use", + "template:view_insights", + "usage_event:*", + "usage_event:create", + "usage_event:read", + "usage_event:update", + "user:*", + "user:create", + "user:delete", + "user:read", "user:read_personal", + "user:update", "user:update_personal", "user_secret:*", "user_secret:create", "user_secret:delete", "user_secret:read", "user_secret:update", + "webpush_subscription:*", + "webpush_subscription:create", + "webpush_subscription:delete", + "webpush_subscription:read", "workspace:*", "workspace:application_connect", "workspace:create", + "workspace:create_agent", "workspace:delete", + "workspace:delete_agent", "workspace:read", "workspace:ssh", "workspace:start", "workspace:stop", - "workspace:update" + "workspace:update", + "workspace_agent_devcontainers:*", + "workspace_agent_devcontainers:create", + "workspace_agent_resource_monitor:*", + "workspace_agent_resource_monitor:create", + "workspace_agent_resource_monitor:read", + "workspace_agent_resource_monitor:update", + "workspace_dormant:*", + "workspace_dormant:application_connect", + "workspace_dormant:create", + "workspace_dormant:create_agent", + "workspace_dormant:delete", + "workspace_dormant:delete_agent", + "workspace_dormant:read", + "workspace_dormant:ssh", + "workspace_dormant:start", + "workspace_dormant:stop", + "workspace_dormant:update", + 
"workspace_proxy:*", + "workspace_proxy:create", + "workspace_proxy:delete", + "workspace_proxy:read", + "workspace_proxy:update" ], "x-enum-varnames": [ "APIKeyScopeAll", "APIKeyScopeApplicationConnect", + "APIKeyScopeAibridgeInterceptionAll", + "APIKeyScopeAibridgeInterceptionCreate", + "APIKeyScopeAibridgeInterceptionRead", + "APIKeyScopeAibridgeInterceptionUpdate", "APIKeyScopeApiKeyAll", "APIKeyScopeApiKeyCreate", "APIKeyScopeApiKeyDelete", "APIKeyScopeApiKeyRead", "APIKeyScopeApiKeyUpdate", + "APIKeyScopeAssignOrgRoleAll", + "APIKeyScopeAssignOrgRoleAssign", + "APIKeyScopeAssignOrgRoleCreate", + "APIKeyScopeAssignOrgRoleDelete", + "APIKeyScopeAssignOrgRoleRead", + "APIKeyScopeAssignOrgRoleUnassign", + "APIKeyScopeAssignOrgRoleUpdate", + "APIKeyScopeAssignRoleAll", + "APIKeyScopeAssignRoleAssign", + "APIKeyScopeAssignRoleRead", + "APIKeyScopeAssignRoleUnassign", + "APIKeyScopeAuditLogAll", + "APIKeyScopeAuditLogCreate", + "APIKeyScopeAuditLogRead", "APIKeyScopeCoderAll", "APIKeyScopeCoderApikeysManageSelf", "APIKeyScopeCoderApplicationConnect", 
@@ -11587,31 +11753,161 @@ const docTemplate = `{ "APIKeyScopeCoderWorkspacesCreate", "APIKeyScopeCoderWorkspacesDelete", "APIKeyScopeCoderWorkspacesOperate", + "APIKeyScopeConnectionLogAll", + "APIKeyScopeConnectionLogRead", + "APIKeyScopeConnectionLogUpdate", + "APIKeyScopeCryptoKeyAll", + "APIKeyScopeCryptoKeyCreate", + "APIKeyScopeCryptoKeyDelete", + "APIKeyScopeCryptoKeyRead", + "APIKeyScopeCryptoKeyUpdate", + "APIKeyScopeDebugInfoAll", + "APIKeyScopeDebugInfoRead", + "APIKeyScopeDeploymentConfigAll", + "APIKeyScopeDeploymentConfigRead", + "APIKeyScopeDeploymentConfigUpdate", + "APIKeyScopeDeploymentStatsAll", + "APIKeyScopeDeploymentStatsRead", "APIKeyScopeFileAll", "APIKeyScopeFileCreate", "APIKeyScopeFileRead", + "APIKeyScopeGroupAll", + "APIKeyScopeGroupCreate", + "APIKeyScopeGroupDelete", + "APIKeyScopeGroupRead", + "APIKeyScopeGroupUpdate", + "APIKeyScopeGroupMemberAll", + "APIKeyScopeGroupMemberRead", + "APIKeyScopeIdpsyncSettingsAll", + "APIKeyScopeIdpsyncSettingsRead", + "APIKeyScopeIdpsyncSettingsUpdate", + "APIKeyScopeInboxNotificationAll", + "APIKeyScopeInboxNotificationCreate", + "APIKeyScopeInboxNotificationRead", + "APIKeyScopeInboxNotificationUpdate", + "APIKeyScopeLicenseAll", + "APIKeyScopeLicenseCreate", + "APIKeyScopeLicenseDelete", + "APIKeyScopeLicenseRead", + "APIKeyScopeNotificationMessageAll", + "APIKeyScopeNotificationMessageCreate", + "APIKeyScopeNotificationMessageDelete", + "APIKeyScopeNotificationMessageRead", + "APIKeyScopeNotificationMessageUpdate", + "APIKeyScopeNotificationPreferenceAll", + "APIKeyScopeNotificationPreferenceRead", + "APIKeyScopeNotificationPreferenceUpdate", + "APIKeyScopeNotificationTemplateAll", + "APIKeyScopeNotificationTemplateRead", + "APIKeyScopeNotificationTemplateUpdate", + "APIKeyScopeOauth2AppAll", + "APIKeyScopeOauth2AppCreate", + "APIKeyScopeOauth2AppDelete", + "APIKeyScopeOauth2AppRead", + "APIKeyScopeOauth2AppUpdate", + "APIKeyScopeOauth2AppCodeTokenAll", + "APIKeyScopeOauth2AppCodeTokenCreate", 
+ "APIKeyScopeOauth2AppCodeTokenDelete", + "APIKeyScopeOauth2AppCodeTokenRead", + "APIKeyScopeOauth2AppSecretAll", + "APIKeyScopeOauth2AppSecretCreate", + "APIKeyScopeOauth2AppSecretDelete", + "APIKeyScopeOauth2AppSecretRead", + "APIKeyScopeOauth2AppSecretUpdate", + "APIKeyScopeOrganizationAll", + "APIKeyScopeOrganizationCreate", + "APIKeyScopeOrganizationDelete", + "APIKeyScopeOrganizationRead", + "APIKeyScopeOrganizationUpdate", + "APIKeyScopeOrganizationMemberAll", + "APIKeyScopeOrganizationMemberCreate", + "APIKeyScopeOrganizationMemberDelete", + "APIKeyScopeOrganizationMemberRead", + "APIKeyScopeOrganizationMemberUpdate", + "APIKeyScopePrebuiltWorkspaceAll", + "APIKeyScopePrebuiltWorkspaceDelete", + "APIKeyScopePrebuiltWorkspaceUpdate", + "APIKeyScopeProvisionerDaemonAll", + "APIKeyScopeProvisionerDaemonCreate", + "APIKeyScopeProvisionerDaemonDelete", + "APIKeyScopeProvisionerDaemonRead", + "APIKeyScopeProvisionerDaemonUpdate", + "APIKeyScopeProvisionerJobsAll", + "APIKeyScopeProvisionerJobsCreate", + "APIKeyScopeProvisionerJobsRead", + "APIKeyScopeProvisionerJobsUpdate", + "APIKeyScopeReplicasAll", + "APIKeyScopeReplicasRead", + "APIKeyScopeSystemAll", + "APIKeyScopeSystemCreate", + "APIKeyScopeSystemDelete", + "APIKeyScopeSystemRead", + "APIKeyScopeSystemUpdate", + "APIKeyScopeTailnetCoordinatorAll", + "APIKeyScopeTailnetCoordinatorCreate", + "APIKeyScopeTailnetCoordinatorDelete", + "APIKeyScopeTailnetCoordinatorRead", + "APIKeyScopeTailnetCoordinatorUpdate", "APIKeyScopeTemplateAll", "APIKeyScopeTemplateCreate", "APIKeyScopeTemplateDelete", "APIKeyScopeTemplateRead", "APIKeyScopeTemplateUpdate", "APIKeyScopeTemplateUse", + "APIKeyScopeTemplateViewInsights", + "APIKeyScopeUsageEventAll", + "APIKeyScopeUsageEventCreate", + "APIKeyScopeUsageEventRead", + "APIKeyScopeUsageEventUpdate", + "APIKeyScopeUserAll", + "APIKeyScopeUserCreate", + "APIKeyScopeUserDelete", + "APIKeyScopeUserRead", "APIKeyScopeUserReadPersonal", + "APIKeyScopeUserUpdate", 
"APIKeyScopeUserUpdatePersonal", "APIKeyScopeUserSecretAll", "APIKeyScopeUserSecretCreate", "APIKeyScopeUserSecretDelete", "APIKeyScopeUserSecretRead", "APIKeyScopeUserSecretUpdate", + "APIKeyScopeWebpushSubscriptionAll", + "APIKeyScopeWebpushSubscriptionCreate", + "APIKeyScopeWebpushSubscriptionDelete", + "APIKeyScopeWebpushSubscriptionRead", "APIKeyScopeWorkspaceAll", "APIKeyScopeWorkspaceApplicationConnect", "APIKeyScopeWorkspaceCreate", + "APIKeyScopeWorkspaceCreateAgent", "APIKeyScopeWorkspaceDelete", + "APIKeyScopeWorkspaceDeleteAgent", "APIKeyScopeWorkspaceRead", "APIKeyScopeWorkspaceSsh", "APIKeyScopeWorkspaceStart", "APIKeyScopeWorkspaceStop", - "APIKeyScopeWorkspaceUpdate" + "APIKeyScopeWorkspaceUpdate", + "APIKeyScopeWorkspaceAgentDevcontainersAll", + "APIKeyScopeWorkspaceAgentDevcontainersCreate", + "APIKeyScopeWorkspaceAgentResourceMonitorAll", + "APIKeyScopeWorkspaceAgentResourceMonitorCreate", + "APIKeyScopeWorkspaceAgentResourceMonitorRead", + "APIKeyScopeWorkspaceAgentResourceMonitorUpdate", + "APIKeyScopeWorkspaceDormantAll", + "APIKeyScopeWorkspaceDormantApplicationConnect", + "APIKeyScopeWorkspaceDormantCreate", + "APIKeyScopeWorkspaceDormantCreateAgent", + "APIKeyScopeWorkspaceDormantDelete", + "APIKeyScopeWorkspaceDormantDeleteAgent", + "APIKeyScopeWorkspaceDormantRead", + "APIKeyScopeWorkspaceDormantSsh", + "APIKeyScopeWorkspaceDormantStart", + "APIKeyScopeWorkspaceDormantStop", + "APIKeyScopeWorkspaceDormantUpdate", + "APIKeyScopeWorkspaceProxyAll", + "APIKeyScopeWorkspaceProxyCreate", + "APIKeyScopeWorkspaceProxyDelete", + "APIKeyScopeWorkspaceProxyRead", + "APIKeyScopeWorkspaceProxyUpdate" ] }, "codersdk.AddLicenseRequest": { diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json index 4b3d4c86aa..1a222932de 100644 --- a/coderd/apidoc/swagger.json +++ b/coderd/apidoc/swagger.json 
@@ -10246,11 +10246,29 @@ "enum": [ "all", "application_connect", + "aibridge_interception:*", + "aibridge_interception:create", + "aibridge_interception:read", + "aibridge_interception:update", "api_key:*", "api_key:create", "api_key:delete", "api_key:read", "api_key:update", + "assign_org_role:*", + "assign_org_role:assign", + "assign_org_role:create", + "assign_org_role:delete", + "assign_org_role:read", + "assign_org_role:unassign", + "assign_org_role:update", + "assign_role:*", + "assign_role:assign", + "assign_role:read", + "assign_role:unassign", + "audit_log:*", + "audit_log:create", + "audit_log:read", "coder:all", "coder:apikeys.manage_self", "coder:application_connect", 
@@ -10260,40 +10278,188 @@ "coder:workspaces.create", "coder:workspaces.delete", "coder:workspaces.operate", + "connection_log:*", + "connection_log:read", + "connection_log:update", + "crypto_key:*", + "crypto_key:create", + "crypto_key:delete", + "crypto_key:read", + "crypto_key:update", + "debug_info:*", + "debug_info:read", + "deployment_config:*", + "deployment_config:read", + "deployment_config:update", + "deployment_stats:*", + "deployment_stats:read", "file:*", "file:create", "file:read", + "group:*", + "group:create", + "group:delete", + "group:read", + "group:update", + "group_member:*", + "group_member:read", + "idpsync_settings:*", + "idpsync_settings:read", + "idpsync_settings:update", + "inbox_notification:*", + "inbox_notification:create", + "inbox_notification:read", + "inbox_notification:update", + "license:*", + "license:create", + "license:delete", + "license:read", + "notification_message:*", + "notification_message:create", + "notification_message:delete", + "notification_message:read", + "notification_message:update", + "notification_preference:*", + "notification_preference:read", + "notification_preference:update", + "notification_template:*", + "notification_template:read", + "notification_template:update", + "oauth2_app:*", + "oauth2_app:create", + "oauth2_app:delete", + "oauth2_app:read", + "oauth2_app:update", + "oauth2_app_code_token:*", + "oauth2_app_code_token:create", + "oauth2_app_code_token:delete", + "oauth2_app_code_token:read", + "oauth2_app_secret:*", + "oauth2_app_secret:create", + "oauth2_app_secret:delete", + "oauth2_app_secret:read", + "oauth2_app_secret:update", + "organization:*", + "organization:create", + "organization:delete", + "organization:read", + "organization:update", + "organization_member:*", + "organization_member:create", + "organization_member:delete", + "organization_member:read", + "organization_member:update", + "prebuilt_workspace:*", + "prebuilt_workspace:delete", + "prebuilt_workspace:update", + 
"provisioner_daemon:*", + "provisioner_daemon:create", + "provisioner_daemon:delete", + "provisioner_daemon:read", + "provisioner_daemon:update", + "provisioner_jobs:*", + "provisioner_jobs:create", + "provisioner_jobs:read", + "provisioner_jobs:update", + "replicas:*", + "replicas:read", + "system:*", + "system:create", + "system:delete", + "system:read", + "system:update", + "tailnet_coordinator:*", + "tailnet_coordinator:create", + "tailnet_coordinator:delete", + "tailnet_coordinator:read", + "tailnet_coordinator:update", "template:*", "template:create", "template:delete", "template:read", "template:update", "template:use", + "template:view_insights", + "usage_event:*", + "usage_event:create", + "usage_event:read", + "usage_event:update", + "user:*", + "user:create", + "user:delete", + "user:read", "user:read_personal", + "user:update", "user:update_personal", "user_secret:*", "user_secret:create", "user_secret:delete", "user_secret:read", "user_secret:update", + "webpush_subscription:*", + "webpush_subscription:create", + "webpush_subscription:delete", + "webpush_subscription:read", "workspace:*", "workspace:application_connect", "workspace:create", + "workspace:create_agent", "workspace:delete", + "workspace:delete_agent", "workspace:read", "workspace:ssh", "workspace:start", "workspace:stop", - "workspace:update" + "workspace:update", + "workspace_agent_devcontainers:*", + "workspace_agent_devcontainers:create", + "workspace_agent_resource_monitor:*", + "workspace_agent_resource_monitor:create", + "workspace_agent_resource_monitor:read", + "workspace_agent_resource_monitor:update", + "workspace_dormant:*", + "workspace_dormant:application_connect", + "workspace_dormant:create", + "workspace_dormant:create_agent", + "workspace_dormant:delete", + "workspace_dormant:delete_agent", + "workspace_dormant:read", + "workspace_dormant:ssh", + "workspace_dormant:start", + "workspace_dormant:stop", + "workspace_dormant:update", + "workspace_proxy:*", + 
"workspace_proxy:create", + "workspace_proxy:delete", + "workspace_proxy:read", + "workspace_proxy:update" ], "x-enum-varnames": [ "APIKeyScopeAll", "APIKeyScopeApplicationConnect", + "APIKeyScopeAibridgeInterceptionAll", + "APIKeyScopeAibridgeInterceptionCreate", + "APIKeyScopeAibridgeInterceptionRead", + "APIKeyScopeAibridgeInterceptionUpdate", "APIKeyScopeApiKeyAll", "APIKeyScopeApiKeyCreate", "APIKeyScopeApiKeyDelete", "APIKeyScopeApiKeyRead", "APIKeyScopeApiKeyUpdate", + "APIKeyScopeAssignOrgRoleAll", + "APIKeyScopeAssignOrgRoleAssign", + "APIKeyScopeAssignOrgRoleCreate", + "APIKeyScopeAssignOrgRoleDelete", + "APIKeyScopeAssignOrgRoleRead", + "APIKeyScopeAssignOrgRoleUnassign", + "APIKeyScopeAssignOrgRoleUpdate", + "APIKeyScopeAssignRoleAll", + "APIKeyScopeAssignRoleAssign", + "APIKeyScopeAssignRoleRead", + "APIKeyScopeAssignRoleUnassign", + "APIKeyScopeAuditLogAll", + "APIKeyScopeAuditLogCreate", + "APIKeyScopeAuditLogRead", "APIKeyScopeCoderAll", "APIKeyScopeCoderApikeysManageSelf", "APIKeyScopeCoderApplicationConnect", 
@@ -10303,31 +10469,161 @@ "APIKeyScopeCoderWorkspacesCreate", "APIKeyScopeCoderWorkspacesDelete", "APIKeyScopeCoderWorkspacesOperate", + "APIKeyScopeConnectionLogAll", + "APIKeyScopeConnectionLogRead", + "APIKeyScopeConnectionLogUpdate", + "APIKeyScopeCryptoKeyAll", + "APIKeyScopeCryptoKeyCreate", + "APIKeyScopeCryptoKeyDelete", + "APIKeyScopeCryptoKeyRead", + "APIKeyScopeCryptoKeyUpdate", + "APIKeyScopeDebugInfoAll", + "APIKeyScopeDebugInfoRead", + "APIKeyScopeDeploymentConfigAll", + "APIKeyScopeDeploymentConfigRead", + "APIKeyScopeDeploymentConfigUpdate", + "APIKeyScopeDeploymentStatsAll", + "APIKeyScopeDeploymentStatsRead", "APIKeyScopeFileAll", "APIKeyScopeFileCreate", "APIKeyScopeFileRead", + "APIKeyScopeGroupAll", + "APIKeyScopeGroupCreate", + "APIKeyScopeGroupDelete", + "APIKeyScopeGroupRead", + "APIKeyScopeGroupUpdate", + "APIKeyScopeGroupMemberAll", + "APIKeyScopeGroupMemberRead", + "APIKeyScopeIdpsyncSettingsAll", + "APIKeyScopeIdpsyncSettingsRead", + "APIKeyScopeIdpsyncSettingsUpdate", + "APIKeyScopeInboxNotificationAll", + "APIKeyScopeInboxNotificationCreate", + "APIKeyScopeInboxNotificationRead", + "APIKeyScopeInboxNotificationUpdate", + "APIKeyScopeLicenseAll", + "APIKeyScopeLicenseCreate", + "APIKeyScopeLicenseDelete", + "APIKeyScopeLicenseRead", + "APIKeyScopeNotificationMessageAll", + "APIKeyScopeNotificationMessageCreate", + "APIKeyScopeNotificationMessageDelete", + "APIKeyScopeNotificationMessageRead", + "APIKeyScopeNotificationMessageUpdate", + "APIKeyScopeNotificationPreferenceAll", + "APIKeyScopeNotificationPreferenceRead", + "APIKeyScopeNotificationPreferenceUpdate", + "APIKeyScopeNotificationTemplateAll", + "APIKeyScopeNotificationTemplateRead", + "APIKeyScopeNotificationTemplateUpdate", + "APIKeyScopeOauth2AppAll", + "APIKeyScopeOauth2AppCreate", + "APIKeyScopeOauth2AppDelete", + "APIKeyScopeOauth2AppRead", + "APIKeyScopeOauth2AppUpdate", + "APIKeyScopeOauth2AppCodeTokenAll", + "APIKeyScopeOauth2AppCodeTokenCreate", + 
"APIKeyScopeOauth2AppCodeTokenDelete", + "APIKeyScopeOauth2AppCodeTokenRead", + "APIKeyScopeOauth2AppSecretAll", + "APIKeyScopeOauth2AppSecretCreate", + "APIKeyScopeOauth2AppSecretDelete", + "APIKeyScopeOauth2AppSecretRead", + "APIKeyScopeOauth2AppSecretUpdate", + "APIKeyScopeOrganizationAll", + "APIKeyScopeOrganizationCreate", + "APIKeyScopeOrganizationDelete", + "APIKeyScopeOrganizationRead", + "APIKeyScopeOrganizationUpdate", + "APIKeyScopeOrganizationMemberAll", + "APIKeyScopeOrganizationMemberCreate", + "APIKeyScopeOrganizationMemberDelete", + "APIKeyScopeOrganizationMemberRead", + "APIKeyScopeOrganizationMemberUpdate", + "APIKeyScopePrebuiltWorkspaceAll", + "APIKeyScopePrebuiltWorkspaceDelete", + "APIKeyScopePrebuiltWorkspaceUpdate", + "APIKeyScopeProvisionerDaemonAll", + "APIKeyScopeProvisionerDaemonCreate", + "APIKeyScopeProvisionerDaemonDelete", + "APIKeyScopeProvisionerDaemonRead", + "APIKeyScopeProvisionerDaemonUpdate", + "APIKeyScopeProvisionerJobsAll", + "APIKeyScopeProvisionerJobsCreate", + "APIKeyScopeProvisionerJobsRead", + "APIKeyScopeProvisionerJobsUpdate", + "APIKeyScopeReplicasAll", + "APIKeyScopeReplicasRead", + "APIKeyScopeSystemAll", + "APIKeyScopeSystemCreate", + "APIKeyScopeSystemDelete", + "APIKeyScopeSystemRead", + "APIKeyScopeSystemUpdate", + "APIKeyScopeTailnetCoordinatorAll", + "APIKeyScopeTailnetCoordinatorCreate", + "APIKeyScopeTailnetCoordinatorDelete", + "APIKeyScopeTailnetCoordinatorRead", + "APIKeyScopeTailnetCoordinatorUpdate", "APIKeyScopeTemplateAll", "APIKeyScopeTemplateCreate", "APIKeyScopeTemplateDelete", "APIKeyScopeTemplateRead", "APIKeyScopeTemplateUpdate", "APIKeyScopeTemplateUse", + "APIKeyScopeTemplateViewInsights", + "APIKeyScopeUsageEventAll", + "APIKeyScopeUsageEventCreate", + "APIKeyScopeUsageEventRead", + "APIKeyScopeUsageEventUpdate", + "APIKeyScopeUserAll", + "APIKeyScopeUserCreate", + "APIKeyScopeUserDelete", + "APIKeyScopeUserRead", "APIKeyScopeUserReadPersonal", + "APIKeyScopeUserUpdate", 
"APIKeyScopeUserUpdatePersonal", "APIKeyScopeUserSecretAll", "APIKeyScopeUserSecretCreate", "APIKeyScopeUserSecretDelete", "APIKeyScopeUserSecretRead", "APIKeyScopeUserSecretUpdate", + "APIKeyScopeWebpushSubscriptionAll", + "APIKeyScopeWebpushSubscriptionCreate", + "APIKeyScopeWebpushSubscriptionDelete", + "APIKeyScopeWebpushSubscriptionRead", "APIKeyScopeWorkspaceAll", "APIKeyScopeWorkspaceApplicationConnect", "APIKeyScopeWorkspaceCreate", + "APIKeyScopeWorkspaceCreateAgent", "APIKeyScopeWorkspaceDelete", + "APIKeyScopeWorkspaceDeleteAgent", "APIKeyScopeWorkspaceRead", "APIKeyScopeWorkspaceSsh", "APIKeyScopeWorkspaceStart", "APIKeyScopeWorkspaceStop", - "APIKeyScopeWorkspaceUpdate" + "APIKeyScopeWorkspaceUpdate", + "APIKeyScopeWorkspaceAgentDevcontainersAll", + "APIKeyScopeWorkspaceAgentDevcontainersCreate", + "APIKeyScopeWorkspaceAgentResourceMonitorAll", + "APIKeyScopeWorkspaceAgentResourceMonitorCreate", + "APIKeyScopeWorkspaceAgentResourceMonitorRead", + "APIKeyScopeWorkspaceAgentResourceMonitorUpdate", + "APIKeyScopeWorkspaceDormantAll", + "APIKeyScopeWorkspaceDormantApplicationConnect", + "APIKeyScopeWorkspaceDormantCreate", + "APIKeyScopeWorkspaceDormantCreateAgent", + "APIKeyScopeWorkspaceDormantDelete", + "APIKeyScopeWorkspaceDormantDeleteAgent", + "APIKeyScopeWorkspaceDormantRead", + "APIKeyScopeWorkspaceDormantSsh", + "APIKeyScopeWorkspaceDormantStart", + "APIKeyScopeWorkspaceDormantStop", + "APIKeyScopeWorkspaceDormantUpdate", + "APIKeyScopeWorkspaceProxyAll", + "APIKeyScopeWorkspaceProxyCreate", + "APIKeyScopeWorkspaceProxyDelete", + "APIKeyScopeWorkspaceProxyRead", + "APIKeyScopeWorkspaceProxyUpdate" ] }, "codersdk.AddLicenseRequest": { diff --git a/coderd/database/dump.sql b/coderd/database/dump.sql index 7a4be98b95..b2cac7185b 100644 --- a/coderd/database/dump.sql +++ b/coderd/database/dump.sql 
@@ -157,7 +157,47 @@ CREATE TYPE api_key_scope AS ENUM ( 'coder:workspaces.access', 'coder:templates.build', 'coder:templates.author', - 'coder:apikeys.manage_self' + 'coder:apikeys.manage_self', + 'aibridge_interception:*', + 'api_key:*', + 'assign_org_role:*', + 'assign_role:*', + 'audit_log:*', + 'connection_log:*', + 'crypto_key:*', + 'debug_info:*', + 'deployment_config:*', + 'deployment_stats:*', + 'file:*', + 'group:*', + 'group_member:*', + 'idpsync_settings:*', + 'inbox_notification:*', + 'license:*', + 'notification_message:*', + 'notification_preference:*', + 'notification_template:*', + 'oauth2_app:*', + 'oauth2_app_code_token:*', + 'oauth2_app_secret:*', + 'organization:*', + 'organization_member:*', + 'prebuilt_workspace:*', + 'provisioner_daemon:*', + 'provisioner_jobs:*', + 'replicas:*', + 'system:*', + 'tailnet_coordinator:*', + 'template:*', + 'usage_event:*', + 'user:*', + 'user_secret:*', + 'webpush_subscription:*', + 'workspace:*', + 'workspace_agent_devcontainers:*', + 'workspace_agent_resource_monitor:*', + 'workspace_dormant:*', + 'workspace_proxy:*' ); CREATE TYPE app_sharing_level AS ENUM ( diff --git a/coderd/database/migrations/000377_add_api_key_scope_wildcards.down.sql b/coderd/database/migrations/000377_add_api_key_scope_wildcards.down.sql new file mode 100644 index 0000000000..a414b39a91 --- /dev/null +++ b/coderd/database/migrations/000377_add_api_key_scope_wildcards.down.sql @@ -0,0 +1,2 @@ +-- No-op: enum values remain to avoid churn. Removing enum values requires +-- doing a create/cast/drop cycle which is intentionally omitted here. diff --git a/coderd/database/migrations/000377_add_api_key_scope_wildcards.up.sql b/coderd/database/migrations/000377_add_api_key_scope_wildcards.up.sql new file mode 100644 index 0000000000..aed5a18a3e --- /dev/null +++ b/coderd/database/migrations/000377_add_api_key_scope_wildcards.up.sql 
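Review bot: The down migration is a no-op, so after a rollback any `api_keys` row already carrying one of the new wildcard values (for example `system:*`) is left in place while the previous release's `APIKeyScope.Valid()` — which this commit extends — returns false for it; what the old code then does with such a key is not visible here. Either the down migration should revoke or expire rows whose scope is one of the forty new values, or the comment should state the consequence, e.g. `-- Keys already issued with a wildcard scope stay stored; the prior release does not recognise them.` The dump.sql hunk on this line is generated and needs no separate review.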
@@ -0,0 +1,42 @@
+-- Add wildcard api_key_scope entries so every RBAC resource has a matching resource:* value.
+-- Generated via: CGO_ENABLED=0 go run ./scripts/generate_api_key_scope_enum
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'aibridge_interception:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'api_key:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'assign_org_role:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'assign_role:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'audit_log:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'connection_log:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'crypto_key:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'debug_info:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'deployment_config:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'deployment_stats:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'file:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'group:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'group_member:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'idpsync_settings:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'inbox_notification:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'license:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'notification_message:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'notification_preference:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'notification_template:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'oauth2_app:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'oauth2_app_code_token:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'oauth2_app_secret:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'organization:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'organization_member:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'prebuilt_workspace:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'provisioner_daemon:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'provisioner_jobs:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'replicas:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'system:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'tailnet_coordinator:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'template:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'usage_event:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'user:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'user_secret:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'webpush_subscription:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'workspace:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'workspace_agent_devcontainers:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'workspace_agent_resource_monitor:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'workspace_dormant:*';
+ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'workspace_proxy:*';
diff --git a/coderd/database/models.go b/coderd/database/models.go
index eecb657edb..06c0e98fe4 100644
--- a/coderd/database/models.go
+++ b/coderd/database/models.go
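Review bot: Making `system:*`, `assign_role:*`, `crypto_key:*`, `license:*` and the other wildcards valid `api_key_scope` values means any of them can now be persisted on an API key, and nothing in this diff shows the key-creation path limiting which scopes a caller may request relative to their own permissions. If that filtering exists elsewhere, this migration should point to it, e.g. `-- Storage only: the scopes a caller may request are restricted at key creation (see [PLACEHOLDER: issuance code path]).`; if it does not, it should land with this change, backed by a test asserting that a non-owner cannot obtain a key scoped `system:*`. Whether a wildcard scope is enforced as the union of the resource's actions is presumably decided by the RBAC layer, which is outside this diff. The generated docs.go, swagger.json, models.go and apikey_scopes_gen.go hunks are derived from this list and need no separate review.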
@@ -166,6 +166,46 @@ const ( ApiKeyScopeCoderTemplatesbuild APIKeyScope = "coder:templates.build" ApiKeyScopeCoderTemplatesauthor APIKeyScope = "coder:templates.author" ApiKeyScopeCoderApikeysmanageSelf APIKeyScope = "coder:apikeys.manage_self" + ApiKeyScopeAibridgeInterception APIKeyScope = "aibridge_interception:*" + ApiKeyScopeApiKey APIKeyScope = "api_key:*" + ApiKeyScopeAssignOrgRole APIKeyScope = "assign_org_role:*" + ApiKeyScopeAssignRole APIKeyScope = "assign_role:*" + ApiKeyScopeAuditLog APIKeyScope = "audit_log:*" + ApiKeyScopeConnectionLog APIKeyScope = "connection_log:*" + ApiKeyScopeCryptoKey APIKeyScope = "crypto_key:*" + ApiKeyScopeDebugInfo APIKeyScope = "debug_info:*" + ApiKeyScopeDeploymentConfig APIKeyScope = "deployment_config:*" + ApiKeyScopeDeploymentStats APIKeyScope = "deployment_stats:*" + ApiKeyScopeFile APIKeyScope = "file:*" + ApiKeyScopeGroup APIKeyScope = "group:*" + ApiKeyScopeGroupMember APIKeyScope = "group_member:*" + ApiKeyScopeIdpsyncSettings APIKeyScope = "idpsync_settings:*" + ApiKeyScopeInboxNotification APIKeyScope = "inbox_notification:*" + ApiKeyScopeLicense APIKeyScope = "license:*" + ApiKeyScopeNotificationMessage APIKeyScope = "notification_message:*" + ApiKeyScopeNotificationPreference APIKeyScope = "notification_preference:*" + ApiKeyScopeNotificationTemplate APIKeyScope = "notification_template:*" + ApiKeyScopeOauth2App APIKeyScope = "oauth2_app:*" + ApiKeyScopeOauth2AppCodeToken APIKeyScope = "oauth2_app_code_token:*" + ApiKeyScopeOauth2AppSecret APIKeyScope = "oauth2_app_secret:*" + ApiKeyScopeOrganization APIKeyScope = "organization:*" + ApiKeyScopeOrganizationMember APIKeyScope = "organization_member:*" + ApiKeyScopePrebuiltWorkspace APIKeyScope = "prebuilt_workspace:*" + ApiKeyScopeProvisionerDaemon APIKeyScope = "provisioner_daemon:*" + ApiKeyScopeProvisionerJobs APIKeyScope = "provisioner_jobs:*" + ApiKeyScopeReplicas APIKeyScope = "replicas:*" + ApiKeyScopeSystem APIKeyScope = "system:*" + 
ApiKeyScopeTailnetCoordinator APIKeyScope = "tailnet_coordinator:*" + ApiKeyScopeTemplate APIKeyScope = "template:*" + ApiKeyScopeUsageEvent APIKeyScope = "usage_event:*" + ApiKeyScopeUser APIKeyScope = "user:*" + ApiKeyScopeUserSecret APIKeyScope = "user_secret:*" + ApiKeyScopeWebpushSubscription APIKeyScope = "webpush_subscription:*" + ApiKeyScopeWorkspace APIKeyScope = "workspace:*" + ApiKeyScopeWorkspaceAgentDevcontainers APIKeyScope = "workspace_agent_devcontainers:*" + ApiKeyScopeWorkspaceAgentResourceMonitor APIKeyScope = "workspace_agent_resource_monitor:*" + ApiKeyScopeWorkspaceDormant APIKeyScope = "workspace_dormant:*" + ApiKeyScopeWorkspaceProxy APIKeyScope = "workspace_proxy:*" ) func (e *APIKeyScope) Scan(src interface{}) error { 
@@ -351,7 +391,47 @@ func (e APIKeyScope) Valid() bool { ApiKeyScopeCoderWorkspacesaccess, ApiKeyScopeCoderTemplatesbuild, ApiKeyScopeCoderTemplatesauthor, - ApiKeyScopeCoderApikeysmanageSelf: + ApiKeyScopeCoderApikeysmanageSelf, + ApiKeyScopeAibridgeInterception, + ApiKeyScopeApiKey, + ApiKeyScopeAssignOrgRole, + ApiKeyScopeAssignRole, + ApiKeyScopeAuditLog, + ApiKeyScopeConnectionLog, + ApiKeyScopeCryptoKey, + ApiKeyScopeDebugInfo, + ApiKeyScopeDeploymentConfig, + ApiKeyScopeDeploymentStats, + ApiKeyScopeFile, + ApiKeyScopeGroup, + ApiKeyScopeGroupMember, + ApiKeyScopeIdpsyncSettings, + ApiKeyScopeInboxNotification, + ApiKeyScopeLicense, + ApiKeyScopeNotificationMessage, + ApiKeyScopeNotificationPreference, + ApiKeyScopeNotificationTemplate, + ApiKeyScopeOauth2App, + ApiKeyScopeOauth2AppCodeToken, + ApiKeyScopeOauth2AppSecret, + ApiKeyScopeOrganization, + ApiKeyScopeOrganizationMember, + ApiKeyScopePrebuiltWorkspace, + ApiKeyScopeProvisionerDaemon, + ApiKeyScopeProvisionerJobs, + ApiKeyScopeReplicas, + ApiKeyScopeSystem, + ApiKeyScopeTailnetCoordinator, + ApiKeyScopeTemplate, + ApiKeyScopeUsageEvent, + ApiKeyScopeUser, + ApiKeyScopeUserSecret, + ApiKeyScopeWebpushSubscription, + ApiKeyScopeWorkspace, + ApiKeyScopeWorkspaceAgentDevcontainers, + ApiKeyScopeWorkspaceAgentResourceMonitor, + ApiKeyScopeWorkspaceDormant, + ApiKeyScopeWorkspaceProxy: return true } return false 
@@ -506,6 +586,46 @@ func AllAPIKeyScopeValues() []APIKeyScope { ApiKeyScopeCoderTemplatesbuild, ApiKeyScopeCoderTemplatesauthor, ApiKeyScopeCoderApikeysmanageSelf, + ApiKeyScopeAibridgeInterception, + ApiKeyScopeApiKey, + ApiKeyScopeAssignOrgRole, + ApiKeyScopeAssignRole, + ApiKeyScopeAuditLog, + ApiKeyScopeConnectionLog, + ApiKeyScopeCryptoKey, + ApiKeyScopeDebugInfo, + ApiKeyScopeDeploymentConfig, + ApiKeyScopeDeploymentStats, + ApiKeyScopeFile, + ApiKeyScopeGroup, + ApiKeyScopeGroupMember, + ApiKeyScopeIdpsyncSettings, + ApiKeyScopeInboxNotification, + ApiKeyScopeLicense, + ApiKeyScopeNotificationMessage, + ApiKeyScopeNotificationPreference, + ApiKeyScopeNotificationTemplate, + ApiKeyScopeOauth2App, + ApiKeyScopeOauth2AppCodeToken, + ApiKeyScopeOauth2AppSecret, + ApiKeyScopeOrganization, + ApiKeyScopeOrganizationMember, + ApiKeyScopePrebuiltWorkspace, + ApiKeyScopeProvisionerDaemon, + ApiKeyScopeProvisionerJobs, + ApiKeyScopeReplicas, + ApiKeyScopeSystem, + ApiKeyScopeTailnetCoordinator, + ApiKeyScopeTemplate, + ApiKeyScopeUsageEvent, + ApiKeyScopeUser, + ApiKeyScopeUserSecret, + ApiKeyScopeWebpushSubscription, + ApiKeyScopeWorkspace, + ApiKeyScopeWorkspaceAgentDevcontainers, + ApiKeyScopeWorkspaceAgentResourceMonitor, + ApiKeyScopeWorkspaceDormant, + ApiKeyScopeWorkspaceProxy, } } diff --git a/codersdk/apikey_scopes_gen.go b/codersdk/apikey_scopes_gen.go index a399a014b4..606a704ae4 100644 --- a/codersdk/apikey_scopes_gen.go +++ b/codersdk/apikey_scopes_gen.go 
@@ -5,46 +5,194 @@ const ( // Deprecated: use codersdk.APIKeyScopeCoderAll instead. APIKeyScopeAll APIKeyScope = "all" // Deprecated: use codersdk.APIKeyScopeCoderApplicationConnect instead. - APIKeyScopeApplicationConnect APIKeyScope = "application_connect" - APIKeyScopeApiKeyAll APIKeyScope = "api_key:*" - APIKeyScopeApiKeyCreate APIKeyScope = "api_key:create" - APIKeyScopeApiKeyDelete APIKeyScope = "api_key:delete" - APIKeyScopeApiKeyRead APIKeyScope = "api_key:read" - APIKeyScopeApiKeyUpdate APIKeyScope = "api_key:update" - APIKeyScopeCoderAll APIKeyScope = "coder:all" - APIKeyScopeCoderApikeysManageSelf APIKeyScope = "coder:apikeys.manage_self" - APIKeyScopeCoderApplicationConnect APIKeyScope = "coder:application_connect" - APIKeyScopeCoderTemplatesAuthor APIKeyScope = "coder:templates.author" - APIKeyScopeCoderTemplatesBuild APIKeyScope = "coder:templates.build" - APIKeyScopeCoderWorkspacesAccess APIKeyScope = "coder:workspaces.access" - APIKeyScopeCoderWorkspacesCreate APIKeyScope = "coder:workspaces.create" - APIKeyScopeCoderWorkspacesDelete APIKeyScope = "coder:workspaces.delete" - APIKeyScopeCoderWorkspacesOperate APIKeyScope = "coder:workspaces.operate" - APIKeyScopeFileAll APIKeyScope = "file:*" - APIKeyScopeFileCreate APIKeyScope = "file:create" - APIKeyScopeFileRead APIKeyScope = "file:read" - APIKeyScopeTemplateAll APIKeyScope = "template:*" - APIKeyScopeTemplateCreate APIKeyScope = "template:create" - APIKeyScopeTemplateDelete APIKeyScope = "template:delete" - APIKeyScopeTemplateRead APIKeyScope = "template:read" - APIKeyScopeTemplateUpdate APIKeyScope = "template:update" - APIKeyScopeTemplateUse APIKeyScope = "template:use" - APIKeyScopeUserReadPersonal APIKeyScope = "user:read_personal" - APIKeyScopeUserUpdatePersonal APIKeyScope = "user:update_personal" - APIKeyScopeUserSecretAll APIKeyScope = "user_secret:*" - APIKeyScopeUserSecretCreate APIKeyScope = "user_secret:create" - APIKeyScopeUserSecretDelete APIKeyScope = "user_secret:delete" - 
APIKeyScopeUserSecretRead APIKeyScope = "user_secret:read" - APIKeyScopeUserSecretUpdate APIKeyScope = "user_secret:update" - APIKeyScopeWorkspaceAll APIKeyScope = "workspace:*" - APIKeyScopeWorkspaceApplicationConnect APIKeyScope = "workspace:application_connect" - APIKeyScopeWorkspaceCreate APIKeyScope = "workspace:create" - APIKeyScopeWorkspaceDelete APIKeyScope = "workspace:delete" - APIKeyScopeWorkspaceRead APIKeyScope = "workspace:read" - APIKeyScopeWorkspaceSsh APIKeyScope = "workspace:ssh" - APIKeyScopeWorkspaceStart APIKeyScope = "workspace:start" - APIKeyScopeWorkspaceStop APIKeyScope = "workspace:stop" - APIKeyScopeWorkspaceUpdate APIKeyScope = "workspace:update" + APIKeyScopeApplicationConnect APIKeyScope = "application_connect" + APIKeyScopeAibridgeInterceptionAll APIKeyScope = "aibridge_interception:*" + APIKeyScopeAibridgeInterceptionCreate APIKeyScope = "aibridge_interception:create" + APIKeyScopeAibridgeInterceptionRead APIKeyScope = "aibridge_interception:read" + APIKeyScopeAibridgeInterceptionUpdate APIKeyScope = "aibridge_interception:update" + APIKeyScopeApiKeyAll APIKeyScope = "api_key:*" + APIKeyScopeApiKeyCreate APIKeyScope = "api_key:create" + APIKeyScopeApiKeyDelete APIKeyScope = "api_key:delete" + APIKeyScopeApiKeyRead APIKeyScope = "api_key:read" + APIKeyScopeApiKeyUpdate APIKeyScope = "api_key:update" + APIKeyScopeAssignOrgRoleAll APIKeyScope = "assign_org_role:*" + APIKeyScopeAssignOrgRoleAssign APIKeyScope = "assign_org_role:assign" + APIKeyScopeAssignOrgRoleCreate APIKeyScope = "assign_org_role:create" + APIKeyScopeAssignOrgRoleDelete APIKeyScope = "assign_org_role:delete" + APIKeyScopeAssignOrgRoleRead APIKeyScope = "assign_org_role:read" + APIKeyScopeAssignOrgRoleUnassign APIKeyScope = "assign_org_role:unassign" + APIKeyScopeAssignOrgRoleUpdate APIKeyScope = "assign_org_role:update" + APIKeyScopeAssignRoleAll APIKeyScope = "assign_role:*" + APIKeyScopeAssignRoleAssign APIKeyScope = "assign_role:assign" + APIKeyScopeAssignRoleRead 
APIKeyScope = "assign_role:read" + APIKeyScopeAssignRoleUnassign APIKeyScope = "assign_role:unassign" + APIKeyScopeAuditLogAll APIKeyScope = "audit_log:*" + APIKeyScopeAuditLogCreate APIKeyScope = "audit_log:create" + APIKeyScopeAuditLogRead APIKeyScope = "audit_log:read" + APIKeyScopeCoderAll APIKeyScope = "coder:all" + APIKeyScopeCoderApikeysManageSelf APIKeyScope = "coder:apikeys.manage_self" + APIKeyScopeCoderApplicationConnect APIKeyScope = "coder:application_connect" + APIKeyScopeCoderTemplatesAuthor APIKeyScope = "coder:templates.author" + APIKeyScopeCoderTemplatesBuild APIKeyScope = "coder:templates.build" + APIKeyScopeCoderWorkspacesAccess APIKeyScope = "coder:workspaces.access" + APIKeyScopeCoderWorkspacesCreate APIKeyScope = "coder:workspaces.create" + APIKeyScopeCoderWorkspacesDelete APIKeyScope = "coder:workspaces.delete" + APIKeyScopeCoderWorkspacesOperate APIKeyScope = "coder:workspaces.operate" + APIKeyScopeConnectionLogAll APIKeyScope = "connection_log:*" + APIKeyScopeConnectionLogRead APIKeyScope = "connection_log:read" + APIKeyScopeConnectionLogUpdate APIKeyScope = "connection_log:update" + APIKeyScopeCryptoKeyAll APIKeyScope = "crypto_key:*" + APIKeyScopeCryptoKeyCreate APIKeyScope = "crypto_key:create" + APIKeyScopeCryptoKeyDelete APIKeyScope = "crypto_key:delete" + APIKeyScopeCryptoKeyRead APIKeyScope = "crypto_key:read" + APIKeyScopeCryptoKeyUpdate APIKeyScope = "crypto_key:update" + APIKeyScopeDebugInfoAll APIKeyScope = "debug_info:*" + APIKeyScopeDebugInfoRead APIKeyScope = "debug_info:read" + APIKeyScopeDeploymentConfigAll APIKeyScope = "deployment_config:*" + APIKeyScopeDeploymentConfigRead APIKeyScope = "deployment_config:read" + APIKeyScopeDeploymentConfigUpdate APIKeyScope = "deployment_config:update" + APIKeyScopeDeploymentStatsAll APIKeyScope = "deployment_stats:*" + APIKeyScopeDeploymentStatsRead APIKeyScope = "deployment_stats:read" + APIKeyScopeFileAll APIKeyScope = "file:*" + APIKeyScopeFileCreate APIKeyScope = "file:create" + 
APIKeyScopeFileRead APIKeyScope = "file:read" + APIKeyScopeGroupAll APIKeyScope = "group:*" + APIKeyScopeGroupCreate APIKeyScope = "group:create" + APIKeyScopeGroupDelete APIKeyScope = "group:delete" + APIKeyScopeGroupRead APIKeyScope = "group:read" + APIKeyScopeGroupUpdate APIKeyScope = "group:update" + APIKeyScopeGroupMemberAll APIKeyScope = "group_member:*" + APIKeyScopeGroupMemberRead APIKeyScope = "group_member:read" + APIKeyScopeIdpsyncSettingsAll APIKeyScope = "idpsync_settings:*" + APIKeyScopeIdpsyncSettingsRead APIKeyScope = "idpsync_settings:read" + APIKeyScopeIdpsyncSettingsUpdate APIKeyScope = "idpsync_settings:update" + APIKeyScopeInboxNotificationAll APIKeyScope = "inbox_notification:*" + APIKeyScopeInboxNotificationCreate APIKeyScope = "inbox_notification:create" + APIKeyScopeInboxNotificationRead APIKeyScope = "inbox_notification:read" + APIKeyScopeInboxNotificationUpdate APIKeyScope = "inbox_notification:update" + APIKeyScopeLicenseAll APIKeyScope = "license:*" + APIKeyScopeLicenseCreate APIKeyScope = "license:create" + APIKeyScopeLicenseDelete APIKeyScope = "license:delete" + APIKeyScopeLicenseRead APIKeyScope = "license:read" + APIKeyScopeNotificationMessageAll APIKeyScope = "notification_message:*" + APIKeyScopeNotificationMessageCreate APIKeyScope = "notification_message:create" + APIKeyScopeNotificationMessageDelete APIKeyScope = "notification_message:delete" + APIKeyScopeNotificationMessageRead APIKeyScope = "notification_message:read" + APIKeyScopeNotificationMessageUpdate APIKeyScope = "notification_message:update" + APIKeyScopeNotificationPreferenceAll APIKeyScope = "notification_preference:*" + APIKeyScopeNotificationPreferenceRead APIKeyScope = "notification_preference:read" + APIKeyScopeNotificationPreferenceUpdate APIKeyScope = "notification_preference:update" + APIKeyScopeNotificationTemplateAll APIKeyScope = "notification_template:*" + APIKeyScopeNotificationTemplateRead APIKeyScope = "notification_template:read" + 
APIKeyScopeNotificationTemplateUpdate APIKeyScope = "notification_template:update" + APIKeyScopeOauth2AppAll APIKeyScope = "oauth2_app:*" + APIKeyScopeOauth2AppCreate APIKeyScope = "oauth2_app:create" + APIKeyScopeOauth2AppDelete APIKeyScope = "oauth2_app:delete" + APIKeyScopeOauth2AppRead APIKeyScope = "oauth2_app:read" + APIKeyScopeOauth2AppUpdate APIKeyScope = "oauth2_app:update" + APIKeyScopeOauth2AppCodeTokenAll APIKeyScope = "oauth2_app_code_token:*" + APIKeyScopeOauth2AppCodeTokenCreate APIKeyScope = "oauth2_app_code_token:create" + APIKeyScopeOauth2AppCodeTokenDelete APIKeyScope = "oauth2_app_code_token:delete" + APIKeyScopeOauth2AppCodeTokenRead APIKeyScope = "oauth2_app_code_token:read" + APIKeyScopeOauth2AppSecretAll APIKeyScope = "oauth2_app_secret:*" + APIKeyScopeOauth2AppSecretCreate APIKeyScope = "oauth2_app_secret:create" + APIKeyScopeOauth2AppSecretDelete APIKeyScope = "oauth2_app_secret:delete" + APIKeyScopeOauth2AppSecretRead APIKeyScope = "oauth2_app_secret:read" + APIKeyScopeOauth2AppSecretUpdate APIKeyScope = "oauth2_app_secret:update" + APIKeyScopeOrganizationAll APIKeyScope = "organization:*" + APIKeyScopeOrganizationCreate APIKeyScope = "organization:create" + APIKeyScopeOrganizationDelete APIKeyScope = "organization:delete" + APIKeyScopeOrganizationRead APIKeyScope = "organization:read" + APIKeyScopeOrganizationUpdate APIKeyScope = "organization:update" + APIKeyScopeOrganizationMemberAll APIKeyScope = "organization_member:*" + APIKeyScopeOrganizationMemberCreate APIKeyScope = "organization_member:create" + APIKeyScopeOrganizationMemberDelete APIKeyScope = "organization_member:delete" + APIKeyScopeOrganizationMemberRead APIKeyScope = "organization_member:read" + APIKeyScopeOrganizationMemberUpdate APIKeyScope = "organization_member:update" + APIKeyScopePrebuiltWorkspaceAll APIKeyScope = "prebuilt_workspace:*" + APIKeyScopePrebuiltWorkspaceDelete APIKeyScope = "prebuilt_workspace:delete" + APIKeyScopePrebuiltWorkspaceUpdate APIKeyScope = 
"prebuilt_workspace:update" + APIKeyScopeProvisionerDaemonAll APIKeyScope = "provisioner_daemon:*" + APIKeyScopeProvisionerDaemonCreate APIKeyScope = "provisioner_daemon:create" + APIKeyScopeProvisionerDaemonDelete APIKeyScope = "provisioner_daemon:delete" + APIKeyScopeProvisionerDaemonRead APIKeyScope = "provisioner_daemon:read" + APIKeyScopeProvisionerDaemonUpdate APIKeyScope = "provisioner_daemon:update" + APIKeyScopeProvisionerJobsAll APIKeyScope = "provisioner_jobs:*" + APIKeyScopeProvisionerJobsCreate APIKeyScope = "provisioner_jobs:create" + APIKeyScopeProvisionerJobsRead APIKeyScope = "provisioner_jobs:read" + APIKeyScopeProvisionerJobsUpdate APIKeyScope = "provisioner_jobs:update" + APIKeyScopeReplicasAll APIKeyScope = "replicas:*" + APIKeyScopeReplicasRead APIKeyScope = "replicas:read" + APIKeyScopeSystemAll APIKeyScope = "system:*" + APIKeyScopeSystemCreate APIKeyScope = "system:create" + APIKeyScopeSystemDelete APIKeyScope = "system:delete" + APIKeyScopeSystemRead APIKeyScope = "system:read" + APIKeyScopeSystemUpdate APIKeyScope = "system:update" + APIKeyScopeTailnetCoordinatorAll APIKeyScope = "tailnet_coordinator:*" + APIKeyScopeTailnetCoordinatorCreate APIKeyScope = "tailnet_coordinator:create" + APIKeyScopeTailnetCoordinatorDelete APIKeyScope = "tailnet_coordinator:delete" + APIKeyScopeTailnetCoordinatorRead APIKeyScope = "tailnet_coordinator:read" + APIKeyScopeTailnetCoordinatorUpdate APIKeyScope = "tailnet_coordinator:update" + APIKeyScopeTemplateAll APIKeyScope = "template:*" + APIKeyScopeTemplateCreate APIKeyScope = "template:create" + APIKeyScopeTemplateDelete APIKeyScope = "template:delete" + APIKeyScopeTemplateRead APIKeyScope = "template:read" + APIKeyScopeTemplateUpdate APIKeyScope = "template:update" + APIKeyScopeTemplateUse APIKeyScope = "template:use" + APIKeyScopeTemplateViewInsights APIKeyScope = "template:view_insights" + APIKeyScopeUsageEventAll APIKeyScope = "usage_event:*" + APIKeyScopeUsageEventCreate APIKeyScope = 
"usage_event:create" + APIKeyScopeUsageEventRead APIKeyScope = "usage_event:read" + APIKeyScopeUsageEventUpdate APIKeyScope = "usage_event:update" + APIKeyScopeUserAll APIKeyScope = "user:*" + APIKeyScopeUserCreate APIKeyScope = "user:create" + APIKeyScopeUserDelete APIKeyScope = "user:delete" + APIKeyScopeUserRead APIKeyScope = "user:read" + APIKeyScopeUserReadPersonal APIKeyScope = "user:read_personal" + APIKeyScopeUserUpdate APIKeyScope = "user:update" + APIKeyScopeUserUpdatePersonal APIKeyScope = "user:update_personal" + APIKeyScopeUserSecretAll APIKeyScope = "user_secret:*" + APIKeyScopeUserSecretCreate APIKeyScope = "user_secret:create" + APIKeyScopeUserSecretDelete APIKeyScope = "user_secret:delete" + APIKeyScopeUserSecretRead APIKeyScope = "user_secret:read" + APIKeyScopeUserSecretUpdate APIKeyScope = "user_secret:update" + APIKeyScopeWebpushSubscriptionAll APIKeyScope = "webpush_subscription:*" + APIKeyScopeWebpushSubscriptionCreate APIKeyScope = "webpush_subscription:create" + APIKeyScopeWebpushSubscriptionDelete APIKeyScope = "webpush_subscription:delete" + APIKeyScopeWebpushSubscriptionRead APIKeyScope = "webpush_subscription:read" + APIKeyScopeWorkspaceAll APIKeyScope = "workspace:*" + APIKeyScopeWorkspaceApplicationConnect APIKeyScope = "workspace:application_connect" + APIKeyScopeWorkspaceCreate APIKeyScope = "workspace:create" + APIKeyScopeWorkspaceCreateAgent APIKeyScope = "workspace:create_agent" + APIKeyScopeWorkspaceDelete APIKeyScope = "workspace:delete" + APIKeyScopeWorkspaceDeleteAgent APIKeyScope = "workspace:delete_agent" + APIKeyScopeWorkspaceRead APIKeyScope = "workspace:read" + APIKeyScopeWorkspaceSsh APIKeyScope = "workspace:ssh" + APIKeyScopeWorkspaceStart APIKeyScope = "workspace:start" + APIKeyScopeWorkspaceStop APIKeyScope = "workspace:stop" + APIKeyScopeWorkspaceUpdate APIKeyScope = "workspace:update" + APIKeyScopeWorkspaceAgentDevcontainersAll APIKeyScope = "workspace_agent_devcontainers:*" + 
APIKeyScopeWorkspaceAgentDevcontainersCreate APIKeyScope = "workspace_agent_devcontainers:create" + APIKeyScopeWorkspaceAgentResourceMonitorAll APIKeyScope = "workspace_agent_resource_monitor:*" + APIKeyScopeWorkspaceAgentResourceMonitorCreate APIKeyScope = "workspace_agent_resource_monitor:create" + APIKeyScopeWorkspaceAgentResourceMonitorRead APIKeyScope = "workspace_agent_resource_monitor:read" + APIKeyScopeWorkspaceAgentResourceMonitorUpdate APIKeyScope = "workspace_agent_resource_monitor:update" + APIKeyScopeWorkspaceDormantAll APIKeyScope = "workspace_dormant:*" + APIKeyScopeWorkspaceDormantApplicationConnect APIKeyScope = "workspace_dormant:application_connect" + APIKeyScopeWorkspaceDormantCreate APIKeyScope = "workspace_dormant:create" + APIKeyScopeWorkspaceDormantCreateAgent APIKeyScope = "workspace_dormant:create_agent" + APIKeyScopeWorkspaceDormantDelete APIKeyScope = "workspace_dormant:delete" + APIKeyScopeWorkspaceDormantDeleteAgent APIKeyScope = "workspace_dormant:delete_agent" + APIKeyScopeWorkspaceDormantRead APIKeyScope = "workspace_dormant:read" + APIKeyScopeWorkspaceDormantSsh APIKeyScope = "workspace_dormant:ssh" + APIKeyScopeWorkspaceDormantStart APIKeyScope = "workspace_dormant:start" + APIKeyScopeWorkspaceDormantStop APIKeyScope = "workspace_dormant:stop" + APIKeyScopeWorkspaceDormantUpdate APIKeyScope = "workspace_dormant:update" + APIKeyScopeWorkspaceProxyAll APIKeyScope = "workspace_proxy:*" + APIKeyScopeWorkspaceProxyCreate APIKeyScope = "workspace_proxy:create" + APIKeyScopeWorkspaceProxyDelete APIKeyScope = "workspace_proxy:delete" + APIKeyScopeWorkspaceProxyRead APIKeyScope = "workspace_proxy:read" + APIKeyScopeWorkspaceProxyUpdate APIKeyScope = "workspace_proxy:update" ) // PublicAPIKeyScopes lists all public low-level API key scopes. diff --git a/docs/reference/api/schemas.md b/docs/reference/api/schemas.md index 33cb280ae1..c121096b09 100644 --- a/docs/reference/api/schemas.md +++ b/docs/reference/api/schemas.md 
@@ -711,49 +711,197 @@ #### Enumerated Values -| Value | -|---------------------------------| -| `all` | -| `application_connect` | -| `api_key:*` | -| `api_key:create` | -| `api_key:delete` | -| `api_key:read` | -| `api_key:update` | -| `coder:all` | -| `coder:apikeys.manage_self` | -| `coder:application_connect` | -| `coder:templates.author` | -| `coder:templates.build` | -| `coder:workspaces.access` | -| `coder:workspaces.create` | -| `coder:workspaces.delete` | -| `coder:workspaces.operate` | -| `file:*` | -| `file:create` | -| `file:read` | -| `template:*` | -| `template:create` | -| `template:delete` | -| `template:read` | -| `template:update` | -| `template:use` | -| `user:read_personal` | -| `user:update_personal` | -| `user_secret:*` | -| `user_secret:create` | -| `user_secret:delete` | -| `user_secret:read` | -| `user_secret:update` | -| `workspace:*` | -| `workspace:application_connect` | -| `workspace:create` | -| `workspace:delete` | -| `workspace:read` | -| `workspace:ssh` | -| `workspace:start` | -| `workspace:stop` | -| `workspace:update` | +| Value | +|-------------------------------------------| +| `all` | +| `application_connect` | +| `aibridge_interception:*` | +| `aibridge_interception:create` | +| `aibridge_interception:read` | +| `aibridge_interception:update` | +| `api_key:*` | +| `api_key:create` | +| `api_key:delete` | +| `api_key:read` | +| `api_key:update` | +| `assign_org_role:*` | +| `assign_org_role:assign` | +| `assign_org_role:create` | +| `assign_org_role:delete` | +| `assign_org_role:read` | +| `assign_org_role:unassign` | +| `assign_org_role:update` | +| `assign_role:*` | +| `assign_role:assign` | +| `assign_role:read` | +| `assign_role:unassign` | +| `audit_log:*` | +| `audit_log:create` | +| `audit_log:read` | +| `coder:all` | +| `coder:apikeys.manage_self` | +| `coder:application_connect` | +| `coder:templates.author` | +| `coder:templates.build` | +| `coder:workspaces.access` | +| `coder:workspaces.create` | +| 
`coder:workspaces.delete` | +| `coder:workspaces.operate` | +| `connection_log:*` | +| `connection_log:read` | +| `connection_log:update` | +| `crypto_key:*` | +| `crypto_key:create` | +| `crypto_key:delete` | +| `crypto_key:read` | +| `crypto_key:update` | +| `debug_info:*` | +| `debug_info:read` | +| `deployment_config:*` | +| `deployment_config:read` | +| `deployment_config:update` | +| `deployment_stats:*` | +| `deployment_stats:read` | +| `file:*` | +| `file:create` | +| `file:read` | +| `group:*` | +| `group:create` | +| `group:delete` | +| `group:read` | +| `group:update` | +| `group_member:*` | +| `group_member:read` | +| `idpsync_settings:*` | +| `idpsync_settings:read` | +| `idpsync_settings:update` | +| `inbox_notification:*` | +| `inbox_notification:create` | +| `inbox_notification:read` | +| `inbox_notification:update` | +| `license:*` | +| `license:create` | +| `license:delete` | +| `license:read` | +| `notification_message:*` | +| `notification_message:create` | +| `notification_message:delete` | +| `notification_message:read` | +| `notification_message:update` | +| `notification_preference:*` | +| `notification_preference:read` | +| `notification_preference:update` | +| `notification_template:*` | +| `notification_template:read` | +| `notification_template:update` | +| `oauth2_app:*` | +| `oauth2_app:create` | +| `oauth2_app:delete` | +| `oauth2_app:read` | +| `oauth2_app:update` | +| `oauth2_app_code_token:*` | +| `oauth2_app_code_token:create` | +| `oauth2_app_code_token:delete` | +| `oauth2_app_code_token:read` | +| `oauth2_app_secret:*` | +| `oauth2_app_secret:create` | +| `oauth2_app_secret:delete` | +| `oauth2_app_secret:read` | +| `oauth2_app_secret:update` | +| `organization:*` | +| `organization:create` | +| `organization:delete` | +| `organization:read` | +| `organization:update` | +| `organization_member:*` | +| `organization_member:create` | +| `organization_member:delete` | +| `organization_member:read` | +| `organization_member:update` 
| +| `prebuilt_workspace:*` | +| `prebuilt_workspace:delete` | +| `prebuilt_workspace:update` | +| `provisioner_daemon:*` | +| `provisioner_daemon:create` | +| `provisioner_daemon:delete` | +| `provisioner_daemon:read` | +| `provisioner_daemon:update` | +| `provisioner_jobs:*` | +| `provisioner_jobs:create` | +| `provisioner_jobs:read` | +| `provisioner_jobs:update` | +| `replicas:*` | +| `replicas:read` | +| `system:*` | +| `system:create` | +| `system:delete` | +| `system:read` | +| `system:update` | +| `tailnet_coordinator:*` | +| `tailnet_coordinator:create` | +| `tailnet_coordinator:delete` | +| `tailnet_coordinator:read` | +| `tailnet_coordinator:update` | +| `template:*` | +| `template:create` | +| `template:delete` | +| `template:read` | +| `template:update` | +| `template:use` | +| `template:view_insights` | +| `usage_event:*` | +| `usage_event:create` | +| `usage_event:read` | +| `usage_event:update` | +| `user:*` | +| `user:create` | +| `user:delete` | +| `user:read` | +| `user:read_personal` | +| `user:update` | +| `user:update_personal` | +| `user_secret:*` | +| `user_secret:create` | +| `user_secret:delete` | +| `user_secret:read` | +| `user_secret:update` | +| `webpush_subscription:*` | +| `webpush_subscription:create` | +| `webpush_subscription:delete` | +| `webpush_subscription:read` | +| `workspace:*` | +| `workspace:application_connect` | +| `workspace:create` | +| `workspace:create_agent` | +| `workspace:delete` | +| `workspace:delete_agent` | +| `workspace:read` | +| `workspace:ssh` | +| `workspace:start` | +| `workspace:stop` | +| `workspace:update` | +| `workspace_agent_devcontainers:*` | +| `workspace_agent_devcontainers:create` | +| `workspace_agent_resource_monitor:*` | +| `workspace_agent_resource_monitor:create` | +| `workspace_agent_resource_monitor:read` | +| `workspace_agent_resource_monitor:update` | +| `workspace_dormant:*` | +| `workspace_dormant:application_connect` | +| `workspace_dormant:create` | +| 
`workspace_dormant:create_agent` | +| `workspace_dormant:delete` | +| `workspace_dormant:delete_agent` | +| `workspace_dormant:read` | +| `workspace_dormant:ssh` | +| `workspace_dormant:start` | +| `workspace_dormant:stop` | +| `workspace_dormant:update` | +| `workspace_proxy:*` | +| `workspace_proxy:create` | +| `workspace_proxy:delete` | +| `workspace_proxy:read` | +| `workspace_proxy:update` | ## codersdk.AddLicenseRequest diff --git a/scripts/apikeyscopesgen/main.go b/scripts/apikeyscopesgen/main.go index 988c4cb2f0..b2c74c72c0 100644 --- a/scripts/apikeyscopesgen/main.go +++ b/scripts/apikeyscopesgen/main.go @@ -25,8 +25,8 @@ func main() { } func generate() ([]byte, error) { - names := rbac.ExternalScopeNames() - slices.Sort(names) + allNames := collectAllScopeNames() + publicNames := rbac.ExternalScopeNames() var b bytes.Buffer if _, err := b.WriteString("// Code generated by scripts/apikeyscopesgen. DO NOT EDIT.\n"); err != nil { @@ -61,13 +61,9 @@ func generate() ([]byte, error) { if _, err := b.WriteString("\tAPIKeyScopeApplicationConnect APIKeyScope = \"application_connect\"\n"); err != nil { return nil, err } - for _, n := range names { - res, act := splitRA(n) - if act == policy.WildcardSymbol { - act = "All" - } - constName := fmt.Sprintf("APIKeyScope%s%s", pascal(res), pascal(act)) - if _, err := fmt.Fprintf(&b, "\t%s APIKeyScope = \"%s\"\n", constName, n); err != nil { + for _, name := range allNames { + constName := constNameForScope(name) + if _, err := fmt.Fprintf(&b, "\t%s APIKeyScope = \"%s\"\n", constName, name); err != nil { return nil, err } } 
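Review bot: The `slices.Sort(names)` the old code applied to the public scope list is dropped in the `@@ -25,8 +25,8 @@` hunk — `publicNames := rbac.ExternalScopeNames()` is now written into `PublicAPIKeyScopes` in whatever order that function returns. Unless ExternalScopeNames already guarantees a sorted, deterministic order (not visible in this diff), a map-backed implementation would make the generated codersdk file churn between runs and defeat any generate-and-diff check in CI. `allNames` is sorted inside collectAllScopeNames, so the constant block is covered; add `slices.Sort(publicNames)` immediately after the call to give the public list the same guarantee. The remainder of generate lies outside this hunk.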
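Review bot: The rewritten loop in the `@@ -61,13 +61,9 @@` hunk emits an exported codersdk constant for every RBAC scope — including `system:*`, `crypto_key:*`, `license:*` and `assign_role:*` — while `PublicAPIKeyScopes` is still built only from ExternalScopeNames, and nothing in the generated output tells a reader which constants are public. SDK consumers will reasonably hand any `APIKeyScope…` constant to token creation, so server-side scope validation becomes the only gate against requesting privileged scopes; whether it rejects non-public scopes is not visible here and should be confirmed. At minimum have the generator write a comment ahead of `for _, name := range allNames`, e.g. `// The constants below mirror every RBAC resource:action pair (plus :* wildcards and built-in coder:* scopes). Not all of them are requestable by clients; see PublicAPIKeyScopes for the public subset.` — one extra `b.WriteString` before the loop.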
@@ -82,12 +78,8 @@ func generate() ([]byte, error) { if _, err := b.WriteString("var PublicAPIKeyScopes = []APIKeyScope{\n"); err != nil { return nil, err } - for _, n := range names { - res, act := splitRA(n) - if act == policy.WildcardSymbol { - act = "All" - } - constName := fmt.Sprintf("APIKeyScope%s%s", pascal(res), pascal(act)) + for _, name := range publicNames { + constName := constNameForScope(name) if _, err := fmt.Fprintf(&b, "\t%s,\n", constName); err != nil { return nil, err } @@ -99,6 +91,54 @@ func generate() ([]byte, error) { return format.Source(b.Bytes()) } +func collectAllScopeNames() []string { + seen := make(map[string]struct{}) + var names []string + add := func(name string) { + if name == "" { + return + } + if _, ok := seen[name]; ok { + return + } + seen[name] = struct{}{} + names = append(names, name) + } + + for resource, def := range policy.RBACPermissions { + if resource == policy.WildcardSymbol { + continue + } + add(resource + ":" + policy.WildcardSymbol) + for action := range def.Actions { + add(resource + ":" + string(action)) + } + } + + for _, name := range rbac.CompositeScopeNames() { + add(name) + } + + for _, name := range rbac.BuiltinScopeNames() { + s := string(name) + if !strings.Contains(s, ":") { + continue + } + add(s) + } + + slices.Sort(names) + return names +} + +func constNameForScope(name string) string { + resource, action := splitRA(name) + if action == policy.WildcardSymbol { + action = "All" + } + return fmt.Sprintf("APIKeyScope%s%s", pascal(resource), pascal(action)) +} + func splitRA(name string) (resource string, action string) { parts := strings.SplitN(name, ":", 2) if len(parts) != 2 { diff --git a/scripts/check-scopes/main.go b/scripts/check-scopes/main.go index e79be506ae..56ba0d4657 100644 --- a/scripts/check-scopes/main.go +++ b/scripts/check-scopes/main.go 
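Review bot: `collectAllScopeNames` re-implements, nearly line for line, the set that `expectedFromRBAC` in scripts/check-scopes builds (same RBACPermissions walk with the `:*` synthesis, same CompositeScopeNames, same colon-filtered BuiltinScopeNames), so the generator and the DB-enum check can drift silently: a scope emitted here but not expected there becomes a codersdk constant the `api_key_scope` enum cannot store, and a failed database write would likely be the first place anyone notices. Move the enumeration into one exported helper in the rbac package (e.g. `rbac.AllScopeNames() []string`) and have both scripts call it, so a new scope source is picked up in both places at once. Separately, `seen` dedupes only the scope string; two distinct scopes whose `pascal` forms coincide (resource `a_b` with action `c` versus resource `a` with action `b_c`) would emit duplicate Go identifiers — track `constName → scope` in a map inside generate and return an error naming both, rather than leaving it to a compile failure in the generated file.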
@@ -58,23 +58,37 @@ func main() { os.Exit(1) } -// expectedFromRBAC returns the set of : pairs derived from RBACPermissions. +// expectedFromRBAC returns the set of scope names the DB enum must support. func expectedFromRBAC() map[string]struct{} { want := make(map[string]struct{}) - // Low-level : + add := func(name string) { + if name == "" { + return + } + want[name] = struct{}{} + } + // Low-level : and synthesized :* wildcards for resource, def := range policy.RBACPermissions { if resource == policy.WildcardSymbol { // Ignore wildcard entry; it has no concrete : pairs. continue } + add(resource + ":" + policy.WildcardSymbol) for action := range def.Actions { - key := resource + ":" + string(action) - want[key] = struct{}{} + add(resource + ":" + string(action)) } } // Composite coder:* names for _, n := range rbac.CompositeScopeNames() { - want[n] = struct{}{} + add(n) + } + // Built-in coder-prefixed scopes such as coder:all + for _, n := range rbac.BuiltinScopeNames() { + s := string(n) + if !strings.Contains(s, ":") { + continue + } + add(s) } return want } diff --git a/scripts/generate_api_key_scope_enum/main.go b/scripts/generate_api_key_scope_enum/main.go deleted file mode 100644 index 130dd86533..0000000000 --- a/scripts/generate_api_key_scope_enum/main.go +++ /dev/null 
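Review bot: The comment `// Built-in coder-prefixed scopes such as coder:all` does not match the filter beneath it, which admits any builtin name containing a colon rather than a `coder:` prefix; a future builtin scope named without that prefix would be required of the DB enum without anyone deciding that, and a reader trusting the comment would not expect it. Either tighten the check to `strings.HasPrefix(s, "coder:")` or reword the comment to `// Built-in scopes in resource:action form; legacy bare names (all, application_connect) are already enum values and are skipped`. Also, `add` silently discards empty names — for a checker whose job is to prove the enum is complete, an empty resource or action in RBACPermissions is a malformed policy entry worth failing loudly on rather than dropping. main() and the actual enum comparison are outside this hunk, so whether stale enum values (present in the DB but absent from this set) are also reported is not visible here.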
@@ -1,32 +0,0 @@ -package main - -import ( - "fmt" - "sort" - - "github.com/coder/coder/v2/coderd/rbac" - "github.com/coder/coder/v2/coderd/rbac/policy" -) - -func main() { - seen := map[string]struct{}{} - var vals []string - for resource, def := range policy.RBACPermissions { - if resource == policy.WildcardSymbol { - continue - } - for action := range def.Actions { - vals = append(vals, fmt.Sprintf("%s:%s", resource, action)) - } - } - // Include composite coder:* scopes as first-class enum values - vals = append(vals, rbac.CompositeScopeNames()...) - sort.Strings(vals) - for _, v := range vals { - if _, ok := seen[v]; ok { - continue - } - seen[v] = struct{}{} - _, _ = fmt.Printf("ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS '%s';\n", v) - } -} diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts index e7c612078b..0352ce1c97 100644 --- a/site/src/api/typesGenerated.ts +++ b/site/src/api/typesGenerated.ts @@ -112,6 +112,10 @@ export interface APIKey { // From codersdk/apikey.go export type APIKeyScope = + | "aibridge_interception:*" + | "aibridge_interception:create" + | "aibridge_interception:read" + | "aibridge_interception:update" | "all" | "api_key:*" | "api_key:create" @@ -119,6 +123,20 @@ export type APIKeyScope = | "api_key:read" | "api_key:update" | "application_connect" + | "assign_org_role:*" + | "assign_org_role:assign" + | "assign_org_role:create" + | "assign_org_role:delete" + | "assign_org_role:read" + | "assign_org_role:unassign" + | "assign_org_role:update" + | "assign_role:*" + | "assign_role:assign" + | "assign_role:read" + | "assign_role:unassign" + | "audit_log:*" + | "audit_log:create" + | "audit_log:read" | "coder:all" | "coder:apikeys.manage_self" | "coder:application_connect" 
@@ -128,26 +146,156 @@ export type APIKeyScope = | "coder:workspaces.create" | "coder:workspaces.delete" | "coder:workspaces.operate" + | "connection_log:*" + | "connection_log:read" + | "connection_log:update" + | "crypto_key:*" + | "crypto_key:create" + | "crypto_key:delete" + | "crypto_key:read" + | "crypto_key:update" + | "debug_info:*" + | "debug_info:read" + | "deployment_config:*" + | "deployment_config:read" + | "deployment_config:update" + | "deployment_stats:*" + | "deployment_stats:read" | "file:*" | "file:create" | "file:read" + | "group:*" + | "group:create" + | "group:delete" + | "group_member:*" + | "group_member:read" + | "group:read" + | "group:update" + | "idpsync_settings:*" + | "idpsync_settings:read" + | "idpsync_settings:update" + | "inbox_notification:*" + | "inbox_notification:create" + | "inbox_notification:read" + | "inbox_notification:update" + | "license:*" + | "license:create" + | "license:delete" + | "license:read" + | "notification_message:*" + | "notification_message:create" + | "notification_message:delete" + | "notification_message:read" + | "notification_message:update" + | "notification_preference:*" + | "notification_preference:read" + | "notification_preference:update" + | "notification_template:*" + | "notification_template:read" + | "notification_template:update" + | "oauth2_app:*" + | "oauth2_app_code_token:*" + | "oauth2_app_code_token:create" + | "oauth2_app_code_token:delete" + | "oauth2_app_code_token:read" + | "oauth2_app:create" + | "oauth2_app:delete" + | "oauth2_app:read" + | "oauth2_app_secret:*" + | "oauth2_app_secret:create" + | "oauth2_app_secret:delete" + | "oauth2_app_secret:read" + | "oauth2_app_secret:update" + | "oauth2_app:update" + | "organization:*" + | "organization:create" + | "organization:delete" + | "organization_member:*" + | "organization_member:create" + | "organization_member:delete" + | "organization_member:read" + | "organization_member:update" + | "organization:read" + | "organization:update" 
+ | "prebuilt_workspace:*" + | "prebuilt_workspace:delete" + | "prebuilt_workspace:update" + | "provisioner_daemon:*" + | "provisioner_daemon:create" + | "provisioner_daemon:delete" + | "provisioner_daemon:read" + | "provisioner_daemon:update" + | "provisioner_jobs:*" + | "provisioner_jobs:create" + | "provisioner_jobs:read" + | "provisioner_jobs:update" + | "replicas:*" + | "replicas:read" + | "system:*" + | "system:create" + | "system:delete" + | "system:read" + | "system:update" + | "tailnet_coordinator:*" + | "tailnet_coordinator:create" + | "tailnet_coordinator:delete" + | "tailnet_coordinator:read" + | "tailnet_coordinator:update" | "template:*" | "template:create" | "template:delete" | "template:read" | "template:update" | "template:use" + | "template:view_insights" + | "usage_event:*" + | "usage_event:create" + | "usage_event:read" + | "usage_event:update" + | "user:*" + | "user:create" + | "user:delete" + | "user:read" | "user:read_personal" | "user_secret:*" | "user_secret:create" | "user_secret:delete" | "user_secret:read" | "user_secret:update" + | "user:update" | "user:update_personal" + | "webpush_subscription:*" + | "webpush_subscription:create" + | "webpush_subscription:delete" + | "webpush_subscription:read" + | "workspace_agent_devcontainers:*" + | "workspace_agent_devcontainers:create" + | "workspace_agent_resource_monitor:*" + | "workspace_agent_resource_monitor:create" + | "workspace_agent_resource_monitor:read" + | "workspace_agent_resource_monitor:update" | "workspace:*" | "workspace:application_connect" | "workspace:create" + | "workspace:create_agent" | "workspace:delete" + | "workspace:delete_agent" + | "workspace_dormant:*" + | "workspace_dormant:application_connect" + | "workspace_dormant:create" + | "workspace_dormant:create_agent" + | "workspace_dormant:delete" + | "workspace_dormant:delete_agent" + | "workspace_dormant:read" + | "workspace_dormant:ssh" + | "workspace_dormant:start" + | "workspace_dormant:stop" + | 
"workspace_dormant:update" + | "workspace_proxy:*" + | "workspace_proxy:create" + | "workspace_proxy:delete" + | "workspace_proxy:read" + | "workspace_proxy:update" | "workspace:read" | "workspace:ssh" | "workspace:start" @@ -155,6 +303,10 @@ export type APIKeyScope = | "workspace:update"; export const APIKeyScopes: APIKeyScope[] = [ + "aibridge_interception:*", + "aibridge_interception:create", + "aibridge_interception:read", + "aibridge_interception:update", "all", "api_key:*", "api_key:create", @@ -162,6 +314,20 @@ export const APIKeyScopes: APIKeyScope[] = [ "api_key:read", "api_key:update", "application_connect", + "assign_org_role:*", + "assign_org_role:assign", + "assign_org_role:create", + "assign_org_role:delete", + "assign_org_role:read", + "assign_org_role:unassign", + "assign_org_role:update", + "assign_role:*", + "assign_role:assign", + "assign_role:read", + "assign_role:unassign", + "audit_log:*", + "audit_log:create", + "audit_log:read", "coder:all", "coder:apikeys.manage_self", "coder:application_connect", 
@@ -171,26 +337,156 @@ export const APIKeyScopes: APIKeyScope[] = [ "coder:workspaces.create", "coder:workspaces.delete", "coder:workspaces.operate", + "connection_log:*", + "connection_log:read", + "connection_log:update", + "crypto_key:*", + "crypto_key:create", + "crypto_key:delete", + "crypto_key:read", + "crypto_key:update", + "debug_info:*", + "debug_info:read", + "deployment_config:*", + "deployment_config:read", + "deployment_config:update", + "deployment_stats:*", + "deployment_stats:read", "file:*", "file:create", "file:read", + "group:*", + "group:create", + "group:delete", + "group_member:*", + "group_member:read", + "group:read", + "group:update", + "idpsync_settings:*", + "idpsync_settings:read", + "idpsync_settings:update", + "inbox_notification:*", + "inbox_notification:create", + "inbox_notification:read", + "inbox_notification:update", + "license:*", + "license:create", + "license:delete", + "license:read", + "notification_message:*", + "notification_message:create", + "notification_message:delete", + "notification_message:read", + "notification_message:update", + "notification_preference:*", + "notification_preference:read", + "notification_preference:update", + "notification_template:*", + "notification_template:read", + "notification_template:update", + "oauth2_app:*", + "oauth2_app_code_token:*", + "oauth2_app_code_token:create", + "oauth2_app_code_token:delete", + "oauth2_app_code_token:read", + "oauth2_app:create", + "oauth2_app:delete", + "oauth2_app:read", + "oauth2_app_secret:*", + "oauth2_app_secret:create", + "oauth2_app_secret:delete", + "oauth2_app_secret:read", + "oauth2_app_secret:update", + "oauth2_app:update", + "organization:*", + "organization:create", + "organization:delete", + "organization_member:*", + "organization_member:create", + "organization_member:delete", + "organization_member:read", + "organization_member:update", + "organization:read", + "organization:update", + "prebuilt_workspace:*", + 
"prebuilt_workspace:delete", + "prebuilt_workspace:update", + "provisioner_daemon:*", + "provisioner_daemon:create", + "provisioner_daemon:delete", + "provisioner_daemon:read", + "provisioner_daemon:update", + "provisioner_jobs:*", + "provisioner_jobs:create", + "provisioner_jobs:read", + "provisioner_jobs:update", + "replicas:*", + "replicas:read", + "system:*", + "system:create", + "system:delete", + "system:read", + "system:update", + "tailnet_coordinator:*", + "tailnet_coordinator:create", + "tailnet_coordinator:delete", + "tailnet_coordinator:read", + "tailnet_coordinator:update", "template:*", "template:create", "template:delete", "template:read", "template:update", "template:use", + "template:view_insights", + "usage_event:*", + "usage_event:create", + "usage_event:read", + "usage_event:update", + "user:*", + "user:create", + "user:delete", + "user:read", "user:read_personal", "user_secret:*", "user_secret:create", "user_secret:delete", "user_secret:read", "user_secret:update", + "user:update", "user:update_personal", + "webpush_subscription:*", + "webpush_subscription:create", + "webpush_subscription:delete", + "webpush_subscription:read", + "workspace_agent_devcontainers:*", + "workspace_agent_devcontainers:create", + "workspace_agent_resource_monitor:*", + "workspace_agent_resource_monitor:create", + "workspace_agent_resource_monitor:read", + "workspace_agent_resource_monitor:update", "workspace:*", "workspace:application_connect", "workspace:create", + "workspace:create_agent", "workspace:delete", + "workspace:delete_agent", + "workspace_dormant:*", + "workspace_dormant:application_connect", + "workspace_dormant:create", + "workspace_dormant:create_agent", + "workspace_dormant:delete", + "workspace_dormant:delete_agent", + "workspace_dormant:read", + "workspace_dormant:ssh", + "workspace_dormant:start", + "workspace_dormant:stop", + "workspace_dormant:update", + "workspace_proxy:*", + "workspace_proxy:create", + "workspace_proxy:delete", + 
"workspace_proxy:read", + "workspace_proxy:update", "workspace:read", "workspace:ssh", "workspace:start",