MCPcopy Index your code
hub / github.com/coder/coder / ReloadBuiltinRoles

Function ReloadBuiltinRoles

coderd/rbac/roles.go:263–626  ·  view source on GitHub ↗

ReloadBuiltinRoles loads the static roles into the builtInRoles map. This can be called again with a different config to change the behavior. TODO: @emyrk This would be great if it was instanced to a coderd rather than a global. But that is a much larger refactor right now. Essentially we did not f

(opts *RoleOptions)

Source from the content-addressed store, hash-verified

261// Essentially we did not foresee different deployments needing slightly
262// different role permissions.
263func ReloadBuiltinRoles(opts *RoleOptions) {
264 if opts == nil {
265 opts = &RoleOptions{}
266 }
267
268 denyPermissions := []Permission{}
269 if opts.NoWorkspaceSharing {
270 denyPermissions = append(denyPermissions, Permission{
271 Negate: true,
272 ResourceType: ResourceWorkspace.Type,
273 Action: policy.ActionShare,
274 })
275 }
276 if opts.NoChatSharing {
277 denyPermissions = append(denyPermissions, Permission{
278 Negate: true,
279 ResourceType: ResourceChat.Type,
280 Action: policy.ActionShare,
281 })
282 }
283
284 ownerWorkspaceActions := ResourceWorkspace.AvailableActions()
285 if opts.NoOwnerWorkspaceExec {
286 // Remove ssh and application connect from the owner role. This
287 // prevents owners from have exec access to all workspaces.
288 ownerWorkspaceActions = slice.Omit(
289 ownerWorkspaceActions,
290 policy.ActionApplicationConnect, policy.ActionSSH,
291 )
292 }
293
294 // Static roles that never change should be allocated in a closure.
295 // This is to ensure these data structures are only allocated once and not
296 // on every authorize call. 'withCachedRegoValue' can be used as well to
297 // preallocate the rego value that is used by the rego eval engine.
298 ownerRole := Role{
299 Identifier: RoleOwner(),
300 DisplayName: "Owner",
301 Site: append(
302 // Workspace dormancy and workspace are omitted.
303 // Workspace is specifically handled based on the opts.NoOwnerWorkspaceExec.
304 // Owners can inspect and delete personal skills for operability and
305 // abuse handling, but cannot create or edit user-authored instructions.
306 allPermsExcept(ResourceWorkspaceDormant, ResourcePrebuiltWorkspace, ResourceWorkspace, ResourceUserSecret, ResourceUserSkill, ResourceUsageEvent, ResourceBoundaryUsage, ResourceAiSeat),
307 // This adds back in the Workspace permissions.
308 Permissions(map[string][]policy.Action{
309 ResourceWorkspace.Type: ownerWorkspaceActions,
310 ResourceWorkspaceDormant.Type: {policy.ActionRead, policy.ActionDelete, policy.ActionCreate, policy.ActionUpdate, policy.ActionWorkspaceStop, policy.ActionCreateAgent, policy.ActionDeleteAgent, policy.ActionUpdateAgent},
311 ResourceUserSkill.Type: {policy.ActionRead, policy.ActionDelete},
312 // PrebuiltWorkspaces are a subset of Workspaces.
313 // Explicitly setting PrebuiltWorkspace permissions for clarity.
314 // Note: even without PrebuiltWorkspace permissions, access is still granted via Workspace permissions.
315 ResourcePrebuiltWorkspace.Type: {policy.ActionUpdate, policy.ActionDelete},
316 })...,
317 ),
318 User: []Permission{},
319 ByOrgID: map[string]OrgPermissions{},
320 }.withCachedRegoValue()

Callers 6

NewFunction · 0.92
TestChatSharingDisabledFunction · 0.92
TestOwnerExecFunction · 0.92
initFunction · 0.85

Calls 11

OmitFunction · 0.92
RoleOwnerFunction · 0.85
allPermsExceptFunction · 0.85
PermissionsFunction · 0.85
RoleMemberFunction · 0.85
RoleAuditorFunction · 0.85
RoleTemplateAdminFunction · 0.85
RoleUserAdminFunction · 0.85
AvailableActionsMethod · 0.80
withCachedRegoValueMethod · 0.80
StringMethod · 0.45

Tested by 4

TestChatSharingDisabledFunction · 0.74
TestOwnerExecFunction · 0.74