ReloadBuiltinRoles loads the static roles into the builtInRoles map. This can be called again with a different config to change the behavior. TODO: @emyrk This would be great if it was instanced to a coderd rather than a global. But that is a much larger refactor right now. Essentially we did not f
(opts *RoleOptions)
| 261 | // Essentially we did not foresee different deployments needing slightly |
| 262 | // different role permissions. |
| 263 | func ReloadBuiltinRoles(opts *RoleOptions) { |
| 264 | if opts == nil { |
| 265 | opts = &RoleOptions{} |
| 266 | } |
| 267 | |
| 268 | denyPermissions := []Permission{} |
| 269 | if opts.NoWorkspaceSharing { |
| 270 | denyPermissions = append(denyPermissions, Permission{ |
| 271 | Negate: true, |
| 272 | ResourceType: ResourceWorkspace.Type, |
| 273 | Action: policy.ActionShare, |
| 274 | }) |
| 275 | } |
| 276 | if opts.NoChatSharing { |
| 277 | denyPermissions = append(denyPermissions, Permission{ |
| 278 | Negate: true, |
| 279 | ResourceType: ResourceChat.Type, |
| 280 | Action: policy.ActionShare, |
| 281 | }) |
| 282 | } |
| 283 | |
| 284 | ownerWorkspaceActions := ResourceWorkspace.AvailableActions() |
| 285 | if opts.NoOwnerWorkspaceExec { |
| 286 | // Remove ssh and application connect from the owner role. This |
| 287 | // prevents owners from have exec access to all workspaces. |
| 288 | ownerWorkspaceActions = slice.Omit( |
| 289 | ownerWorkspaceActions, |
| 290 | policy.ActionApplicationConnect, policy.ActionSSH, |
| 291 | ) |
| 292 | } |
| 293 | |
| 294 | // Static roles that never change should be allocated in a closure. |
| 295 | // This is to ensure these data structures are only allocated once and not |
| 296 | // on every authorize call. 'withCachedRegoValue' can be used as well to |
| 297 | // preallocate the rego value that is used by the rego eval engine. |
| 298 | ownerRole := Role{ |
| 299 | Identifier: RoleOwner(), |
| 300 | DisplayName: "Owner", |
| 301 | Site: append( |
| 302 | // Workspace dormancy and workspace are omitted. |
| 303 | // Workspace is specifically handled based on the opts.NoOwnerWorkspaceExec. |
| 304 | // Owners can inspect and delete personal skills for operability and |
| 305 | // abuse handling, but cannot create or edit user-authored instructions. |
| 306 | allPermsExcept(ResourceWorkspaceDormant, ResourcePrebuiltWorkspace, ResourceWorkspace, ResourceUserSecret, ResourceUserSkill, ResourceUsageEvent, ResourceBoundaryUsage, ResourceAiSeat), |
| 307 | // This adds back in the Workspace permissions. |
| 308 | Permissions(map[string][]policy.Action{ |
| 309 | ResourceWorkspace.Type: ownerWorkspaceActions, |
| 310 | ResourceWorkspaceDormant.Type: {policy.ActionRead, policy.ActionDelete, policy.ActionCreate, policy.ActionUpdate, policy.ActionWorkspaceStop, policy.ActionCreateAgent, policy.ActionDeleteAgent, policy.ActionUpdateAgent}, |
| 311 | ResourceUserSkill.Type: {policy.ActionRead, policy.ActionDelete}, |
| 312 | // PrebuiltWorkspaces are a subset of Workspaces. |
| 313 | // Explicitly setting PrebuiltWorkspace permissions for clarity. |
| 314 | // Note: even without PrebuiltWorkspace permissions, access is still granted via Workspace permissions. |
| 315 | ResourcePrebuiltWorkspace.Type: {policy.ActionUpdate, policy.ActionDelete}, |
| 316 | })..., |
| 317 | ), |
| 318 | User: []Permission{}, |
| 319 | ByOrgID: map[string]OrgPermissions{}, |
| 320 | }.withCachedRegoValue() |