WorkspaceAgentScope returns a scope that is the same as ScopeAll but can only affect resources in the allow list. Only a scope is returned as the roles should come from the workspace owner.
(params WorkspaceAgentScopeParams)
| 24 | // affect resources in the allow list. Only a scope is returned as the roles |
| 25 | // should come from the workspace owner. |
| 26 | func WorkspaceAgentScope(params WorkspaceAgentScopeParams) Scope { |
| 27 | if params.WorkspaceID == uuid.Nil || params.OwnerID == uuid.Nil || params.TemplateID == uuid.Nil || params.VersionID == uuid.Nil { |
| 28 | panic("all uuids must be non-nil, this is a developer error") |
| 29 | } |
| 30 | |
| 31 | var ( |
| 32 | scope Scope |
| 33 | err error |
| 34 | ) |
| 35 | if params.BlockUserData { |
| 36 | scope, err = ScopeNoUserData.Expand() |
| 37 | } else { |
| 38 | scope, err = ScopeAll.Expand() |
| 39 | } |
| 40 | if err != nil { |
| 41 | panic("failed to expand scope, this should never happen") |
| 42 | } |
| 43 | |
| 44 | // Include task in the allow list if the workspace has an associated task. |
| 45 | var extraAllowList []AllowListElement |
| 46 | if params.TaskID.Valid { |
| 47 | extraAllowList = append(extraAllowList, AllowListElement{ |
| 48 | Type: ResourceTask.Type, |
| 49 | ID: params.TaskID.UUID.String(), |
| 50 | }) |
| 51 | } |
| 52 | |
| 53 | return Scope{ |
| 54 | // TODO: We want to limit the role too to be extra safe. |
| 55 | // Even though the allowlist blocks anything else, it is still good |
| 56 | // incase we change the behavior of the allowlist. The allowlist is new |
| 57 | // and evolving. |
| 58 | Role: scope.Role, |
| 59 | |
| 60 | // Limit the agent to only be able to access the singular workspace and |
| 61 | // the template/version it was created from. Add additional resources here |
| 62 | // as needed, but do not add more workspace or template resource ids. |
| 63 | AllowIDList: append([]AllowListElement{ |
| 64 | {Type: ResourceWorkspace.Type, ID: params.WorkspaceID.String()}, |
| 65 | {Type: ResourceTemplate.Type, ID: params.TemplateID.String()}, |
| 66 | {Type: ResourceTemplate.Type, ID: params.VersionID.String()}, |
| 67 | {Type: ResourceUser.Type, ID: params.OwnerID.String()}, |
| 68 | }, extraAllowList...), |
| 69 | } |
| 70 | } |
| 71 | |
| 72 | const ( |
| 73 | ScopeAll ScopeName = "coder:all" |
no test coverage detected