mirror of
https://github.com/coder/coder.git
synced 2026-06-03 21:18:24 +00:00
Yevhenii Shcherbina
c65996a041
Closes https://github.com/coder/internal/issues/780 ## Summary of changes: - added `user_secrets` table - `user_secrets` table contains `env_name` and `file_path` fields which are not used at the moment, but will be used in later PRs - `user_secrets` table doesn't contain `value_key_id`, I will add it in a separate migration in a dbcrypt PR - on one hand I don't want to add fields which are not used (because it's a risk smth may change in implementation later), on the other hand I don't want to add too many migrations for user secrets table - added unique sql indexes - added sql queries for CRUD operations on user-secrets - introduced new `ResourceUserSecret` resource - basic unit-tests for CRUD ops and authorization behavior - Role updates: - owner: - remove `ResourceUserSecret` from site-wide perms - add `ResourceUserSecret` to user-wide perms - orgAdmin - remove `ResourceUserSecret` from org-wide perms; seems it's not strictly required, because `ResourceUserSecret` is not tied to organization in dbauthz wrappers? - memberRole - no need to change memberRole because it implicitly has access to user-secrets thanks to the `allPermsExcept` - is it enough changes to roles? Main questions: - [ ] We will have 2 migrations for user-secrets: - initial migration (in current PR) - adding `value_key_id` in dbcrypt PR - is this approach reasonable? - [ ] Are changes to roles's permissions are correct? - [ ] Are changes in roles_test.go are correct? --------- Co-authored-by: Steven Masley <Emyrk@users.noreply.github.com>
112 lines
7.2 KiB
Go
112 lines
7.2 KiB
Go
// Code generated by typegen/main.go. DO NOT EDIT.
|
|
package codersdk
|
|
|
|
type RBACResource string
|
|
|
|
const (
|
|
ResourceWildcard RBACResource = "*"
|
|
ResourceApiKey RBACResource = "api_key"
|
|
ResourceAssignOrgRole RBACResource = "assign_org_role"
|
|
ResourceAssignRole RBACResource = "assign_role"
|
|
ResourceAuditLog RBACResource = "audit_log"
|
|
ResourceConnectionLog RBACResource = "connection_log"
|
|
ResourceCryptoKey RBACResource = "crypto_key"
|
|
ResourceDebugInfo RBACResource = "debug_info"
|
|
ResourceDeploymentConfig RBACResource = "deployment_config"
|
|
ResourceDeploymentStats RBACResource = "deployment_stats"
|
|
ResourceFile RBACResource = "file"
|
|
ResourceGroup RBACResource = "group"
|
|
ResourceGroupMember RBACResource = "group_member"
|
|
ResourceIdpsyncSettings RBACResource = "idpsync_settings"
|
|
ResourceInboxNotification RBACResource = "inbox_notification"
|
|
ResourceLicense RBACResource = "license"
|
|
ResourceNotificationMessage RBACResource = "notification_message"
|
|
ResourceNotificationPreference RBACResource = "notification_preference"
|
|
ResourceNotificationTemplate RBACResource = "notification_template"
|
|
ResourceOauth2App RBACResource = "oauth2_app"
|
|
ResourceOauth2AppCodeToken RBACResource = "oauth2_app_code_token"
|
|
ResourceOauth2AppSecret RBACResource = "oauth2_app_secret"
|
|
ResourceOrganization RBACResource = "organization"
|
|
ResourceOrganizationMember RBACResource = "organization_member"
|
|
ResourcePrebuiltWorkspace RBACResource = "prebuilt_workspace"
|
|
ResourceProvisionerDaemon RBACResource = "provisioner_daemon"
|
|
ResourceProvisionerJobs RBACResource = "provisioner_jobs"
|
|
ResourceReplicas RBACResource = "replicas"
|
|
ResourceSystem RBACResource = "system"
|
|
ResourceTailnetCoordinator RBACResource = "tailnet_coordinator"
|
|
ResourceTemplate RBACResource = "template"
|
|
ResourceUser RBACResource = "user"
|
|
ResourceUserSecret RBACResource = "user_secret"
|
|
ResourceWebpushSubscription RBACResource = "webpush_subscription"
|
|
ResourceWorkspace RBACResource = "workspace"
|
|
ResourceWorkspaceAgentDevcontainers RBACResource = "workspace_agent_devcontainers"
|
|
ResourceWorkspaceAgentResourceMonitor RBACResource = "workspace_agent_resource_monitor"
|
|
ResourceWorkspaceDormant RBACResource = "workspace_dormant"
|
|
ResourceWorkspaceProxy RBACResource = "workspace_proxy"
|
|
)
|
|
|
|
type RBACAction string
|
|
|
|
const (
|
|
ActionApplicationConnect RBACAction = "application_connect"
|
|
ActionAssign RBACAction = "assign"
|
|
ActionCreate RBACAction = "create"
|
|
ActionCreateAgent RBACAction = "create_agent"
|
|
ActionDelete RBACAction = "delete"
|
|
ActionDeleteAgent RBACAction = "delete_agent"
|
|
ActionRead RBACAction = "read"
|
|
ActionReadPersonal RBACAction = "read_personal"
|
|
ActionSSH RBACAction = "ssh"
|
|
ActionUnassign RBACAction = "unassign"
|
|
ActionUpdate RBACAction = "update"
|
|
ActionUpdatePersonal RBACAction = "update_personal"
|
|
ActionUse RBACAction = "use"
|
|
ActionViewInsights RBACAction = "view_insights"
|
|
ActionWorkspaceStart RBACAction = "start"
|
|
ActionWorkspaceStop RBACAction = "stop"
|
|
)
|
|
|
|
// RBACResourceActions is the mapping of resources to which actions are valid for
|
|
// said resource type.
|
|
var RBACResourceActions = map[RBACResource][]RBACAction{
|
|
ResourceWildcard: {},
|
|
ResourceApiKey: {ActionCreate, ActionDelete, ActionRead, ActionUpdate},
|
|
ResourceAssignOrgRole: {ActionAssign, ActionCreate, ActionDelete, ActionRead, ActionUnassign, ActionUpdate},
|
|
ResourceAssignRole: {ActionAssign, ActionRead, ActionUnassign},
|
|
ResourceAuditLog: {ActionCreate, ActionRead},
|
|
ResourceConnectionLog: {ActionRead, ActionUpdate},
|
|
ResourceCryptoKey: {ActionCreate, ActionDelete, ActionRead, ActionUpdate},
|
|
ResourceDebugInfo: {ActionRead},
|
|
ResourceDeploymentConfig: {ActionRead, ActionUpdate},
|
|
ResourceDeploymentStats: {ActionRead},
|
|
ResourceFile: {ActionCreate, ActionRead},
|
|
ResourceGroup: {ActionCreate, ActionDelete, ActionRead, ActionUpdate},
|
|
ResourceGroupMember: {ActionRead},
|
|
ResourceIdpsyncSettings: {ActionRead, ActionUpdate},
|
|
ResourceInboxNotification: {ActionCreate, ActionRead, ActionUpdate},
|
|
ResourceLicense: {ActionCreate, ActionDelete, ActionRead},
|
|
ResourceNotificationMessage: {ActionCreate, ActionDelete, ActionRead, ActionUpdate},
|
|
ResourceNotificationPreference: {ActionRead, ActionUpdate},
|
|
ResourceNotificationTemplate: {ActionRead, ActionUpdate},
|
|
ResourceOauth2App: {ActionCreate, ActionDelete, ActionRead, ActionUpdate},
|
|
ResourceOauth2AppCodeToken: {ActionCreate, ActionDelete, ActionRead},
|
|
ResourceOauth2AppSecret: {ActionCreate, ActionDelete, ActionRead, ActionUpdate},
|
|
ResourceOrganization: {ActionCreate, ActionDelete, ActionRead, ActionUpdate},
|
|
ResourceOrganizationMember: {ActionCreate, ActionDelete, ActionRead, ActionUpdate},
|
|
ResourcePrebuiltWorkspace: {ActionDelete, ActionUpdate},
|
|
ResourceProvisionerDaemon: {ActionCreate, ActionDelete, ActionRead, ActionUpdate},
|
|
ResourceProvisionerJobs: {ActionCreate, ActionRead, ActionUpdate},
|
|
ResourceReplicas: {ActionRead},
|
|
ResourceSystem: {ActionCreate, ActionDelete, ActionRead, ActionUpdate},
|
|
ResourceTailnetCoordinator: {ActionCreate, ActionDelete, ActionRead, ActionUpdate},
|
|
ResourceTemplate: {ActionCreate, ActionDelete, ActionRead, ActionUpdate, ActionUse, ActionViewInsights},
|
|
ResourceUser: {ActionCreate, ActionDelete, ActionRead, ActionReadPersonal, ActionUpdate, ActionUpdatePersonal},
|
|
ResourceUserSecret: {ActionCreate, ActionDelete, ActionRead, ActionUpdate},
|
|
ResourceWebpushSubscription: {ActionCreate, ActionDelete, ActionRead},
|
|
ResourceWorkspace: {ActionApplicationConnect, ActionCreate, ActionCreateAgent, ActionDelete, ActionDeleteAgent, ActionRead, ActionSSH, ActionWorkspaceStart, ActionWorkspaceStop, ActionUpdate},
|
|
ResourceWorkspaceAgentDevcontainers: {ActionCreate},
|
|
ResourceWorkspaceAgentResourceMonitor: {ActionCreate, ActionRead, ActionUpdate},
|
|
ResourceWorkspaceDormant: {ActionApplicationConnect, ActionCreate, ActionCreateAgent, ActionDelete, ActionDeleteAgent, ActionRead, ActionSSH, ActionWorkspaceStart, ActionWorkspaceStop, ActionUpdate},
|
|
ResourceWorkspaceProxy: {ActionCreate, ActionDelete, ActionRead, ActionUpdate},
|
|
}
|