### Breaking Change (changelog note): > User connections to workspaces, and the opening of workspace apps or ports will no longer create entries in the audit log. Those events will now be included in the 'Connection Log'. Please see the 'Connection Log' page in the dashboard, and the Connection Log [documentation](https://coder.com/docs/admin/monitoring/connection-logs) for details. Those with permission to view the Audit Log will also be able to view the Connection Log. The new Connection Log has the same licensing restrictions as the Audit Log, and requires a Premium Coder deployment. ### Context This is the first PR of a few for moving connection events out of the audit log, and into a new database table and web UI page called the 'Connection Log'. This PR: - Creates the new table - Adds and tests queries for inserting and reading, including reading with an RBAC filter. - Implements the corresponding RBAC changes, such that anyone who can view the audit log can read from the table - Implements, under the enterprise package, a `ConnectionLogger` abstraction to replace the `Auditor` abstraction for these logs. (No-op'd in AGPL, like the `Auditor`) - Routes SSH connection and Workspace App events into the new `ConnectionLogger` - Updates all existing tests to check the values of the `ConnectionLogger` instead of the `Auditor`. Future PRs: - Add filtering to the query - Add an enterprise endpoint to query the new table - Write a query to delete old events from the audit log, call it from dbpurge. - Implement a table in the Web UI for viewing connection logs. > [!NOTE] > The PRs in this stack obviously won't be (completely) atomic. Whilst they'll each pass CI, the stack is designed to be merged all at once. I'm splitting them up for the sake of those reviewing, and so changes can be reviewed as early as possible. Despite this, it's really hard to make this PR any smaller than it already is. I'll be keeping it in draft until it's actually ready to merge.
// Code generated by typegen/main.go. DO NOT EDIT.
package rbac
import "github.com/coder/coder/v2/coderd/rbac/policy"
// Objecter is implemented by values that can report the RBAC Object they
// represent. RBACObject returns that Object; every ResourceXxx value declared
// in this file satisfies the interface (see AllResources).
type Objecter interface {
	RBACObject() Object
}
// Each ResourceXxx value below is an Object that carries only its Type string.
// The "Valid Actions" list above each one documents which policy.Action values
// apply to that resource type; the lists are emitted by typegen/main.go, so
// changes belong in the generator's source, not here.
var (
	// ResourceWildcard
	// Valid Actions
	// NOTE(review): Type "*" is presumably the type wildcard, so a permission
	// granted on this Object applies to every resource type at once. Treat
	// grants on it as the broadest privilege in this package — confirm the
	// matching semantics in the policy evaluator before relying on this.
	ResourceWildcard = Object{
		Type: "*",
	}

	// ResourceApiKey
	// Valid Actions
	// - "ActionCreate" :: create an api key
	// - "ActionDelete" :: delete an api key
	// - "ActionRead" :: read api key details (secrets are not stored)
	// - "ActionUpdate" :: update an api key, eg expires
	ResourceApiKey = Object{
		Type: "api_key",
	}

	// ResourceAssignOrgRole
	// Valid Actions
	// - "ActionAssign" :: assign org scoped roles
	// - "ActionCreate" :: create/delete custom roles within an organization
	// - "ActionDelete" :: delete roles within an organization
	// - "ActionRead" :: view what roles are assignable within an organization
	// - "ActionUnassign" :: unassign org scoped roles
	// - "ActionUpdate" :: edit custom roles within an organization
	ResourceAssignOrgRole = Object{
		Type: "assign_org_role",
	}

	// ResourceAssignRole
	// Valid Actions
	// - "ActionAssign" :: assign user roles
	// - "ActionRead" :: view what roles are assignable
	// - "ActionUnassign" :: unassign user roles
	ResourceAssignRole = Object{
		Type: "assign_role",
	}

	// ResourceAuditLog
	// Valid Actions
	// - "ActionCreate" :: create new audit log entries
	// - "ActionRead" :: read audit logs
	ResourceAuditLog = Object{
		Type: "audit_log",
	}

	// ResourceConnectionLog
	// Valid Actions
	// - "ActionRead" :: read connection logs
	// - "ActionUpdate" :: upsert connection log entries
	// Unlike audit_log, whose entries are written under ActionCreate, this
	// resource is written under ActionUpdate because entries are upserted.
	// A role holding update here can therefore modify existing connection
	// records rather than only append new ones — keep that in mind when
	// reasoning about who can alter this log. Read access is intended to
	// follow audit-log read access (see the commit description).
	ResourceConnectionLog = Object{
		Type: "connection_log",
	}

	// ResourceCryptoKey
	// Valid Actions
	// - "ActionCreate" :: create crypto keys
	// - "ActionDelete" :: delete crypto keys
	// - "ActionRead" :: read crypto keys
	// - "ActionUpdate" :: update crypto keys
	ResourceCryptoKey = Object{
		Type: "crypto_key",
	}

	// ResourceDebugInfo
	// Valid Actions
	// - "ActionRead" :: access to debug routes
	ResourceDebugInfo = Object{
		Type: "debug_info",
	}

	// ResourceDeploymentConfig
	// Valid Actions
	// - "ActionRead" :: read deployment config
	// - "ActionUpdate" :: updating health information
	ResourceDeploymentConfig = Object{
		Type: "deployment_config",
	}

	// ResourceDeploymentStats
	// Valid Actions
	// - "ActionRead" :: read deployment stats
	ResourceDeploymentStats = Object{
		Type: "deployment_stats",
	}

	// ResourceFile
	// Valid Actions
	// - "ActionCreate" :: create a file
	// - "ActionRead" :: read files
	ResourceFile = Object{
		Type: "file",
	}

	// ResourceGroup
	// Valid Actions
	// - "ActionCreate" :: create a group
	// - "ActionDelete" :: delete a group
	// - "ActionRead" :: read groups
	// - "ActionUpdate" :: update a group
	ResourceGroup = Object{
		Type: "group",
	}

	// ResourceGroupMember
	// Valid Actions
	// - "ActionRead" :: read group members
	ResourceGroupMember = Object{
		Type: "group_member",
	}

	// ResourceIdpsyncSettings
	// Valid Actions
	// - "ActionRead" :: read IdP sync settings
	// - "ActionUpdate" :: update IdP sync settings
	ResourceIdpsyncSettings = Object{
		Type: "idpsync_settings",
	}

	// ResourceInboxNotification
	// Valid Actions
	// - "ActionCreate" :: create inbox notifications
	// - "ActionRead" :: read inbox notifications
	// - "ActionUpdate" :: update inbox notifications
	ResourceInboxNotification = Object{
		Type: "inbox_notification",
	}

	// ResourceLicense
	// Valid Actions
	// - "ActionCreate" :: create a license
	// - "ActionDelete" :: delete license
	// - "ActionRead" :: read licenses
	ResourceLicense = Object{
		Type: "license",
	}

	// ResourceNotificationMessage
	// Valid Actions
	// - "ActionCreate" :: create notification messages
	// - "ActionDelete" :: delete notification messages
	// - "ActionRead" :: read notification messages
	// - "ActionUpdate" :: update notification messages
	ResourceNotificationMessage = Object{
		Type: "notification_message",
	}

	// ResourceNotificationPreference
	// Valid Actions
	// - "ActionRead" :: read notification preferences
	// - "ActionUpdate" :: update notification preferences
	ResourceNotificationPreference = Object{
		Type: "notification_preference",
	}

	// ResourceNotificationTemplate
	// Valid Actions
	// - "ActionRead" :: read notification templates
	// - "ActionUpdate" :: update notification templates
	ResourceNotificationTemplate = Object{
		Type: "notification_template",
	}

	// ResourceOauth2App
	// Valid Actions
	// - "ActionCreate" :: make an OAuth2 app
	// - "ActionDelete" :: delete an OAuth2 app
	// - "ActionRead" :: read OAuth2 apps
	// - "ActionUpdate" :: update the properties of the OAuth2 app
	ResourceOauth2App = Object{
		Type: "oauth2_app",
	}

	// ResourceOauth2AppCodeToken
	// Valid Actions
	// - "ActionCreate" :: create an OAuth2 app code token
	// - "ActionDelete" :: delete an OAuth2 app code token
	// - "ActionRead" :: read an OAuth2 app code token
	ResourceOauth2AppCodeToken = Object{
		Type: "oauth2_app_code_token",
	}

	// ResourceOauth2AppSecret
	// Valid Actions
	// - "ActionCreate" :: create an OAuth2 app secret
	// - "ActionDelete" :: delete an OAuth2 app secret
	// - "ActionRead" :: read an OAuth2 app secret
	// - "ActionUpdate" :: update an OAuth2 app secret
	ResourceOauth2AppSecret = Object{
		Type: "oauth2_app_secret",
	}

	// ResourceOrganization
	// Valid Actions
	// - "ActionCreate" :: create an organization
	// - "ActionDelete" :: delete an organization
	// - "ActionRead" :: read organizations
	// - "ActionUpdate" :: update an organization
	ResourceOrganization = Object{
		Type: "organization",
	}

	// ResourceOrganizationMember
	// Valid Actions
	// - "ActionCreate" :: create an organization member
	// - "ActionDelete" :: delete member
	// - "ActionRead" :: read member
	// - "ActionUpdate" :: update an organization member
	ResourceOrganizationMember = Object{
		Type: "organization_member",
	}

	// ResourcePrebuiltWorkspace
	// Valid Actions
	// - "ActionDelete" :: delete prebuilt workspace
	// - "ActionUpdate" :: update prebuilt workspace settings
	ResourcePrebuiltWorkspace = Object{
		Type: "prebuilt_workspace",
	}

	// ResourceProvisionerDaemon
	// Valid Actions
	// - "ActionCreate" :: create a provisioner daemon/key
	// - "ActionDelete" :: delete a provisioner daemon/key
	// - "ActionRead" :: read provisioner daemon
	// - "ActionUpdate" :: update a provisioner daemon
	ResourceProvisionerDaemon = Object{
		Type: "provisioner_daemon",
	}

	// ResourceProvisionerJobs
	// Valid Actions
	// - "ActionCreate" :: create provisioner jobs
	// - "ActionRead" :: read provisioner jobs
	// - "ActionUpdate" :: update provisioner jobs
	ResourceProvisionerJobs = Object{
		Type: "provisioner_jobs",
	}

	// ResourceReplicas
	// Valid Actions
	// - "ActionRead" :: read replicas
	ResourceReplicas = Object{
		Type: "replicas",
	}

	// ResourceSystem
	// Valid Actions
	// - "ActionCreate" :: create system resources
	// - "ActionDelete" :: delete system resources
	// - "ActionRead" :: view system resources
	// - "ActionUpdate" :: update system resources
	// DEPRECATED: New resources should be created for new things, rather than adding them to System, which has become
	// an unmanaged collection of things that don't relate to one another. We can't effectively enforce
	// least privilege access control when unrelated resources are grouped together.
	ResourceSystem = Object{
		Type: "system",
	}

	// ResourceTailnetCoordinator
	// Valid Actions
	// - "ActionCreate" :: create a Tailnet coordinator
	// - "ActionDelete" :: delete a Tailnet coordinator
	// - "ActionRead" :: view info about a Tailnet coordinator
	// - "ActionUpdate" :: update a Tailnet coordinator
	ResourceTailnetCoordinator = Object{
		Type: "tailnet_coordinator",
	}

	// ResourceTemplate
	// Valid Actions
	// - "ActionCreate" :: create a template
	// - "ActionDelete" :: delete a template
	// - "ActionRead" :: read template
	// - "ActionUpdate" :: update a template
	// - "ActionUse" :: use the template to initially create a workspace, then workspace lifecycle permissions take over
	// - "ActionViewInsights" :: view insights
	ResourceTemplate = Object{
		Type: "template",
	}

	// ResourceUser
	// Valid Actions
	// - "ActionCreate" :: create a new user
	// - "ActionDelete" :: delete an existing user
	// - "ActionRead" :: read user data
	// - "ActionReadPersonal" :: read personal user data like user settings and auth links
	// - "ActionUpdate" :: update an existing user
	// - "ActionUpdatePersonal" :: update personal data
	ResourceUser = Object{
		Type: "user",
	}

	// ResourceWebpushSubscription
	// Valid Actions
	// - "ActionCreate" :: create webpush subscriptions
	// - "ActionDelete" :: delete webpush subscriptions
	// - "ActionRead" :: read webpush subscriptions
	ResourceWebpushSubscription = Object{
		Type: "webpush_subscription",
	}

	// ResourceWorkspace
	// Valid Actions
	// - "ActionApplicationConnect" :: connect to workspace apps via browser
	// - "ActionCreate" :: create a new workspace
	// - "ActionCreateAgent" :: create a new workspace agent
	// - "ActionDelete" :: delete workspace
	// - "ActionDeleteAgent" :: delete an existing workspace agent
	// - "ActionRead" :: read workspace data to view on the UI
	// - "ActionSSH" :: ssh into a given workspace
	// - "ActionWorkspaceStart" :: allows starting a workspace
	// - "ActionWorkspaceStop" :: allows stopping a workspace
	// - "ActionUpdate" :: edit workspace settings (scheduling, permissions, parameters)
	// ActionSSH and ActionApplicationConnect are the two actions whose events
	// the commit moves from the audit log into the connection log.
	ResourceWorkspace = Object{
		Type: "workspace",
	}

	// ResourceWorkspaceAgentDevcontainers
	// Valid Actions
	// - "ActionCreate" :: create workspace agent devcontainers
	ResourceWorkspaceAgentDevcontainers = Object{
		Type: "workspace_agent_devcontainers",
	}

	// ResourceWorkspaceAgentResourceMonitor
	// Valid Actions
	// - "ActionCreate" :: create workspace agent resource monitor
	// - "ActionRead" :: read workspace agent resource monitor
	// - "ActionUpdate" :: update workspace agent resource monitor
	ResourceWorkspaceAgentResourceMonitor = Object{
		Type: "workspace_agent_resource_monitor",
	}

	// ResourceWorkspaceDormant
	// Valid Actions
	// - "ActionApplicationConnect" :: connect to workspace apps via browser
	// - "ActionCreate" :: create a new workspace
	// - "ActionCreateAgent" :: create a new workspace agent
	// - "ActionDelete" :: delete workspace
	// - "ActionDeleteAgent" :: delete an existing workspace agent
	// - "ActionRead" :: read workspace data to view on the UI
	// - "ActionSSH" :: ssh into a given workspace
	// - "ActionWorkspaceStart" :: allows starting a workspace
	// - "ActionWorkspaceStop" :: allows stopping a workspace
	// - "ActionUpdate" :: edit workspace settings (scheduling, permissions, parameters)
	// Same action set as ResourceWorkspace but a distinct Type, presumably so
	// that dormant workspaces can be granted or denied independently of
	// active ones — confirm against the role definitions that reference it.
	ResourceWorkspaceDormant = Object{
		Type: "workspace_dormant",
	}

	// ResourceWorkspaceProxy
	// Valid Actions
	// - "ActionCreate" :: create a workspace proxy
	// - "ActionDelete" :: delete a workspace proxy
	// - "ActionRead" :: read and use a workspace proxy
	// - "ActionUpdate" :: update a workspace proxy
	ResourceWorkspaceProxy = Object{
		Type: "workspace_proxy",
	}
)
// AllResources returns every ResourceXxx Object declared in this file, in
// declaration order, starting with ResourceWildcard. The returned slice is
// freshly allocated on each call, so callers may modify it without affecting
// other callers. Because this list is generated by typegen/main.go, a resource
// added to the policy definitions appears here only after regeneration.
func AllResources() []Objecter {
	return []Objecter{
		ResourceWildcard,
		ResourceApiKey,
		ResourceAssignOrgRole,
		ResourceAssignRole,
		ResourceAuditLog,
		ResourceConnectionLog,
		ResourceCryptoKey,
		ResourceDebugInfo,
		ResourceDeploymentConfig,
		ResourceDeploymentStats,
		ResourceFile,
		ResourceGroup,
		ResourceGroupMember,
		ResourceIdpsyncSettings,
		ResourceInboxNotification,
		ResourceLicense,
		ResourceNotificationMessage,
		ResourceNotificationPreference,
		ResourceNotificationTemplate,
		ResourceOauth2App,
		ResourceOauth2AppCodeToken,
		ResourceOauth2AppSecret,
		ResourceOrganization,
		ResourceOrganizationMember,
		ResourcePrebuiltWorkspace,
		ResourceProvisionerDaemon,
		ResourceProvisionerJobs,
		ResourceReplicas,
		ResourceSystem,
		ResourceTailnetCoordinator,
		ResourceTemplate,
		ResourceUser,
		ResourceWebpushSubscription,
		ResourceWorkspace,
		ResourceWorkspaceAgentDevcontainers,
		ResourceWorkspaceAgentResourceMonitor,
		ResourceWorkspaceDormant,
		ResourceWorkspaceProxy,
	}
}
// AllActions returns every policy.Action that appears in at least one
// "Valid Actions" list in this file, in alphabetical order. The slice is
// freshly allocated per call. Like AllResources, it is generated by
// typegen/main.go; an action that is not listed here is not one any resource
// in this file declares as valid.
func AllActions() []policy.Action {
	return []policy.Action{
		policy.ActionApplicationConnect,
		policy.ActionAssign,
		policy.ActionCreate,
		policy.ActionCreateAgent,
		policy.ActionDelete,
		policy.ActionDeleteAgent,
		policy.ActionRead,
		policy.ActionReadPersonal,
		policy.ActionSSH,
		policy.ActionUnassign,
		policy.ActionUpdate,
		policy.ActionUpdatePersonal,
		policy.ActionUse,
		policy.ActionViewInsights,
		policy.ActionWorkspaceStart,
		policy.ActionWorkspaceStop,
	}
}