shishantbiswas/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2026-06-05 05:58:20 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
mcp-user-headers/dbcrypt-cli
coder/coderd/database/migrations/000512_boundary_session_owner.up.sql
T
Sas Swart a586b7e5e0 feat: add boundary_log rbac resource (#24810) 
RFC: [Bridge ↔ Boundaries Correlation
RFC](https://www.notion.so/coderhq/Gateway-and-Firewall-Correlation-RFC-31ad579be592803aa8b3d48348ccdde9)

Register a dedicated `boundary_log` RBAC resource type with `create`,
`read`, and `delete` actions, replacing the placeholder
`rbac.ResourceAuditLog` and `rbac.ResourceSystem` references previously
used in the dbauthz layer.

Create is granted at user-level so workspace agents can only write logs
owned by their workspace owner, preventing cross-workspace log
fabrication. Delete is restricted to `DBPurge` only; no human role
(including owner) can delete boundary logs.

| Subject | Create (own) | Create (other) | Read (all) | Delete |
|---|---|---|---|---|
| Workspace agent | yes | no | no | no |
| Owner (site admin) | yes (via member) | no | yes | no |
| Auditor | no | no | yes | no |
| DBPurge | no | no | no | yes |

### Changes

- **RBAC policy & resource definition**: add `boundary_log` to
`policy.go` and generate `ResourceBoundaryLog` object, scope constants,
and codersdk/TypeScript types.
- **dbauthz authorization**: replace all
`ResourceAuditLog`/`ResourceSystem` placeholders with
`ResourceBoundaryLog`. `InsertBoundaryLog` and `InsertBoundarySession`
derive the workspace owner from the agent and authorize with
`.WithOwner()` for user-scoped create.
- **Role assignments:**
- **Owner (site):** read only. Excluded from `allPermsExcept` wildcard;
create is inherited from member at user-level.
- **Member (user-level):** create. User-scoped so agents can only write
logs they own.
  - **Auditor (site):** read.
- `boundary_log` is excluded from org-admin, org-member, and
org-service-account `allPermsExcept` calls for consistency with
`ResourceBoundaryUsage`.
- **System subjects:**
- **DB Purge** (`SubjectTypeDBPurge`): delete. The only subject that can
remove boundary logs.
- **Workspace agent scope**: `ResourceBoundaryLog` with wildcard ID in
the agent scope allow-list (necessary for creation since no pre-existing
ID exists). User-level role scoping prevents deployment-wide access.
- **DB migration** (`000510_boundary_log_scopes`): add `boundary_log:*`,
`boundary_log:create`, `boundary_log:delete`, `boundary_log:read` enum
values to `api_key_scope`.
- **Test coverage**: `BoundaryLogCreate` (user-scoped, only matching
owner succeeds), `BoundaryLogDelete` (all human roles denied),
`BoundaryLogRead` (owner + auditor). dbauthz mock tests set up workspace
agent lookups for owner derivation.
- **Generated docs**: update OpenAPI specs, API reference docs, and
frontend type definitions.

---------

Co-authored-by: Muhammad Danish <mdanishkhdev@gmail.com>
Co-authored-by: Coder Agents <coder-agents-review[bot]@users.noreply.github.com>
2026-05-29 12:50:39 +02:00

29 lines
1.3 KiB
SQL
Raw Permalink Blame History

-- Add owner_id to boundary_sessions to avoid expensive JOINs when
-- deriving the workspace owner for RBAC checks during log insertion.
ALTER TABLE boundary_sessions ADD COLUMN owner_id uuid;
COMMENT ON COLUMN boundary_sessions.owner_id IS 'The ID of the user who owns the workspace. NULL if the user has been deleted.';
-- Backfill owner_id from the workspace agent -> workspace -> owner chain.
-- Soft-deleted agents and workspaces are included so that their audit
-- data is preserved.
UPDATE boundary_sessions bs
SET owner_id = w.owner_id
FROM workspace_agents wa
JOIN workspace_resources wr ON wa.resource_id = wr.id
JOIN provisioner_jobs pj ON wr.job_id = pj.id
JOIN workspace_builds wb ON pj.id = wb.job_id
JOIN workspaces w ON wb.workspace_id = w.id
WHERE wa.id = bs.workspace_agent_id
AND pj.type = 'workspace_build';
-- Delete any sessions that could not be backfilled (orphaned data
-- with no resolvable workspace agent or workspace build chain).
DELETE FROM boundary_sessions WHERE owner_id IS NULL;
-- Add FK constraint. SET NULL preserves audit data when a user is
-- hard-deleted; the session and its logs survive with a NULL owner.
ALTER TABLE boundary_sessions
ADD CONSTRAINT boundary_sessions_owner_id_fkey
FOREIGN KEY (owner_id) REFERENCES users(id) ON DELETE SET NULL;
Reference in New Issue View Git Blame Copy Permalink