shishantbiswas/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2026-06-03 13:08:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
e94de0bdabcaeed735d468bb6d279d06f8b8b2d1
coder/scripts/check-scopes/README.md
T
Thomas Kosiewski 47c92ad1d2 feat: add public RBAC scope catalog for user-requestable permissions (#19913) 
# Add a curated catalog of public RBAC scopes

This PR introduces a curated catalog of public RBAC scopes that are exposed to users. It adds:

- A `publicLowLevel` map in `scopes_catalog.go` that defines which resource:action pairs are user-requestable
- `IsPublicLowLevel()` function to check if a scope is in the public catalog
- `PublicLowLevelScopeNames()` function that returns a sorted list of public scopes
- Tests to verify the catalog entries are valid and properly sorted
- Updated documentation in the check-scopes README to clarify that public scopes should be added to this catalog

This change helps distinguish between internal-only scopes and those that should be exposed to users in the API.
2025-09-26 11:30:28 +02:00

45 lines
1.1 KiB
Markdown
Raw Blame History

# check-scopes
Validates that the DB enum `api_key_scope` contains every `<resource>:<action>` derived from `coderd/rbac/policy/RBACPermissions`.
- Exits 0 when all scopes are present in `coderd/database/dump.sql`.
- Exits 1 and prints missing values with suggested `ALTER TYPE` statements otherwise.
## Usage
Ensure the schema dump is up-to-date, then run the check:
```sh
make -B gen/db # forces DB dump regeneration
make lint/check-scopes
```
Or directly:
```sh
go run ./tools/check-scopes
```
Optional flags:
- `-dump path` — override path to `dump.sql` (default `coderd/database/dump.sql`).
## Remediation
When the tool reports missing values:
1. Create a DB migration extending the enum, e.g.:
```sql
ALTER TYPE api_key_scope ADD VALUE IF NOT EXISTS 'template:view_insights';
```
2. Regenerate and re-run:
```sh
make -B gen/db && make lint/check-scopes
```
3. Decide whether each new scope is public (exposed in the catalog) or internal-only.
- If public, add it to the curated map in `coderd/rbac/scopes_catalog.go` (`externalLowLevel`) so it appears in the public catalog and can be requested by users.
Reference in New Issue View Git Blame Copy Permalink