From dc7a902f5d9e77c52a560d74eb0e1d819c544529 Mon Sep 17 00:00:00 2001
From: Steven Masley
Date: Wed, 23 Jul 2025 13:36:51 -0500
Subject: [PATCH 1/2] chore: remove actDef function, had no value
---
 coderd/rbac/policy/policy.go | 252 +++++++++++++++++------------------
 1 file changed, 120 insertions(+), 132 deletions(-)
diff --git a/coderd/rbac/policy/policy.go b/coderd/rbac/policy/policy.go
index a10abfb9605ca..8f05bbdbe544f 100644
--- a/coderd/rbac/policy/policy.go
+++ b/coderd/rbac/policy/policy.go
@@ -40,39 +40,27 @@ type PermissionDefinition struct {
 Comment string
 }
-type ActionDefinition struct {
- // Human friendly description to explain the action.
- Description string
-}
-
-func (d ActionDefinition) String() string {
- return d.Description
-}
-
-func actDef(description string) ActionDefinition {
- return ActionDefinition{
- Description: description,
- }
-}
+// Human friendly description to explain the action.
+type ActionDefinition string
 var workspaceActions = map[Action]ActionDefinition{
- ActionCreate: actDef("create a new workspace"),
- ActionRead: actDef("read workspace data to view on the UI"),
+ ActionCreate: "create a new workspace",
+ ActionRead: "read workspace data to view on the UI",
 // TODO: Make updates more granular
- ActionUpdate: actDef("edit workspace settings (scheduling, permissions, parameters)"),
- ActionDelete: actDef("delete workspace"),
+ ActionUpdate: "edit workspace settings (scheduling, permissions, parameters)",
+ ActionDelete: "delete workspace",
 // Workspace provisioning. Start & stop are different so dormant workspaces can be
 // stopped, but not stared.
- ActionWorkspaceStart: actDef("allows starting a workspace"),
- ActionWorkspaceStop: actDef("allows stopping a workspace"),
+ ActionWorkspaceStart: "allows starting a workspace",
+ ActionWorkspaceStop: "allows stopping a workspace",
 // Running a workspace
- ActionSSH: actDef("ssh into a given workspace"),
- ActionApplicationConnect: actDef("connect to workspace apps via browser"),
+ ActionSSH: "ssh into a given workspace",
+ ActionApplicationConnect: "connect to workspace apps via browser",
- ActionCreateAgent: actDef("create a new workspace agent"),
- ActionDeleteAgent: actDef("delete an existing workspace agent"),
+ ActionCreateAgent: "create a new workspace agent",
+ ActionDeleteAgent: "delete an existing workspace agent",
 }
 // RBACPermissions is indexed by the type
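Review bot: The doc comment on the new `type ActionDefinition string` does not start with the type name, so `go doc` and the usual lint rules will not attribute it; `// ActionDefinition is a human friendly description to explain the action.` reads correctly. Removing `String()` also drops the explicit `fmt.Stringer` implementation: a plain string type still prints with `%s`/`%v`, but any caller that accessed `.Description` or type-asserted `fmt.Stringer` must change with it — the second patch fixes one such template use, and other references outside this diff cannot be ruled out from here. The rest of `workspaceActions` is unchanged in meaning, as only the value type of the map changes.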
@@ -86,13 +74,13 @@ var RBACPermissions = map[string]PermissionDefinition{
 "user": {
 Actions: map[Action]ActionDefinition{
 // Actions deal with site wide user objects.
- ActionRead: actDef("read user data"),
- ActionCreate: actDef("create a new user"),
- ActionUpdate: actDef("update an existing user"),
- ActionDelete: actDef("delete an existing user"),
+ ActionRead: "read user data",
+ ActionCreate: "create a new user",
+ ActionUpdate: "update an existing user",
+ ActionDelete: "delete an existing user",
- ActionReadPersonal: actDef("read personal user data like user settings and auth links"),
- ActionUpdatePersonal: actDef("update personal data"),
+ ActionReadPersonal: "read personal user data like user settings and auth links",
+ ActionUpdatePersonal: "update personal data",
 },
 },
 "workspace": {
@@ -112,126 +100,126 @@ var RBACPermissions = map[string]PermissionDefinition{
 // If the user lacks prebuilt_workspace update or delete permissions,
 // the authorization will always fall back to the corresponding permissions on workspace.
 Actions: map[Action]ActionDefinition{
- ActionUpdate: actDef("update prebuilt workspace settings"),
- ActionDelete: actDef("delete prebuilt workspace"),
+ ActionUpdate: "update prebuilt workspace settings",
+ ActionDelete: "delete prebuilt workspace",
 },
 },
 "workspace_proxy": {
 Actions: map[Action]ActionDefinition{
- ActionCreate: actDef("create a workspace proxy"),
- ActionDelete: actDef("delete a workspace proxy"),
- ActionUpdate: actDef("update a workspace proxy"),
- ActionRead: actDef("read and use a workspace proxy"),
+ ActionCreate: "create a workspace proxy",
+ ActionDelete: "delete a workspace proxy",
+ ActionUpdate: "update a workspace proxy",
+ ActionRead: "read and use a workspace proxy",
 },
 },
 "license": {
 Actions: map[Action]ActionDefinition{
- ActionCreate: actDef("create a license"),
- ActionRead: actDef("read licenses"),
- ActionDelete: actDef("delete license"),
+ ActionCreate: "create a license",
+ ActionRead: "read licenses",
+ ActionDelete: "delete license",
 // Licenses are immutable, so update makes no sense
 },
 },
 "audit_log": {
 Actions: map[Action]ActionDefinition{
- ActionRead: actDef("read audit logs"),
- ActionCreate: actDef("create new audit log entries"),
+ ActionRead: "read audit logs",
+ ActionCreate: "create new audit log entries",
 },
 },
 "connection_log": {
 Actions: map[Action]ActionDefinition{
- ActionRead: actDef("read connection logs"),
- ActionUpdate: actDef("upsert connection log entries"),
+ ActionRead: "read connection logs",
+ ActionUpdate: "upsert connection log entries",
 },
 },
 "deployment_config": {
 Actions: map[Action]ActionDefinition{
- ActionRead: actDef("read deployment config"),
- ActionUpdate: actDef("updating health information"),
+ ActionRead: "read deployment config",
+ ActionUpdate: "updating health information",
 },
 },
 "deployment_stats": {
 Actions: map[Action]ActionDefinition{
- ActionRead: actDef("read deployment stats"),
+ ActionRead: "read deployment stats",
 },
 },
 "replicas": {
 Actions: map[Action]ActionDefinition{
- ActionRead: actDef("read replicas"),
+ ActionRead: "read replicas",
 },
 },
 "template": {
 Actions: map[Action]ActionDefinition{
- ActionCreate: actDef("create a template"),
- ActionUse: actDef("use the template to initially create a workspace, then workspace lifecycle permissions take over"),
- ActionRead: actDef("read template"),
- ActionUpdate: actDef("update a template"),
- ActionDelete: actDef("delete a template"),
- ActionViewInsights: actDef("view insights"),
+ ActionCreate: "create a template",
+ ActionUse: "use the template to initially create a workspace, then workspace lifecycle permissions take over",
+ ActionRead: "read template",
+ ActionUpdate: "update a template",
+ ActionDelete: "delete a template",
+ ActionViewInsights: "view insights",
 },
 },
 "group": {
 Actions: map[Action]ActionDefinition{
- ActionCreate: actDef("create a group"),
- ActionRead: actDef("read groups"),
- ActionDelete: actDef("delete a group"),
- ActionUpdate: actDef("update a group"),
+ ActionCreate: "create a group",
+ ActionRead: "read groups",
+ ActionDelete: "delete a group",
+ ActionUpdate: "update a group",
 },
 },
 "group_member": {
 Actions: map[Action]ActionDefinition{
- ActionRead: actDef("read group members"),
+ ActionRead: "read group members",
 },
 },
 "file": {
 Actions: map[Action]ActionDefinition{
- ActionCreate: actDef("create a file"),
- ActionRead: actDef("read files"),
+ ActionCreate: "create a file",
+ ActionRead: "read files",
 },
 },
 "provisioner_daemon": {
 Actions: map[Action]ActionDefinition{
- ActionCreate: actDef("create a provisioner daemon/key"),
+ ActionCreate: "create a provisioner daemon/key",
 // TODO: Move to use?
- ActionRead: actDef("read provisioner daemon"),
- ActionUpdate: actDef("update a provisioner daemon"),
- ActionDelete: actDef("delete a provisioner daemon/key"),
+ ActionRead: "read provisioner daemon",
+ ActionUpdate: "update a provisioner daemon",
+ ActionDelete: "delete a provisioner daemon/key",
 },
 },
 "provisioner_jobs": {
 Actions: map[Action]ActionDefinition{
- ActionRead: actDef("read provisioner jobs"),
- ActionUpdate: actDef("update provisioner jobs"),
- ActionCreate: actDef("create provisioner jobs"),
+ ActionRead: "read provisioner jobs",
+ ActionUpdate: "update provisioner jobs",
+ ActionCreate: "create provisioner jobs",
 },
 },
 "organization": {
 Actions: map[Action]ActionDefinition{
- ActionCreate: actDef("create an organization"),
- ActionRead: actDef("read organizations"),
- ActionUpdate: actDef("update an organization"),
- ActionDelete: actDef("delete an organization"),
+ ActionCreate: "create an organization",
+ ActionRead: "read organizations",
+ ActionUpdate: "update an organization",
+ ActionDelete: "delete an organization",
 },
 },
 "organization_member": {
 Actions: map[Action]ActionDefinition{
- ActionCreate: actDef("create an organization member"),
- ActionRead: actDef("read member"),
- ActionUpdate: actDef("update an organization member"),
- ActionDelete: actDef("delete member"),
+ ActionCreate: "create an organization member",
+ ActionRead: "read member",
+ ActionUpdate: "update an organization member",
+ ActionDelete: "delete member",
 },
 },
 "debug_info": {
 Actions: map[Action]ActionDefinition{
- ActionRead: actDef("access to debug routes"),
+ ActionRead: "access to debug routes",
 },
 },
 "system": {
 Actions: map[Action]ActionDefinition{
- ActionCreate: actDef("create system resources"),
- ActionRead: actDef("view system resources"),
- ActionUpdate: actDef("update system resources"),
- ActionDelete: actDef("delete system resources"),
+ ActionCreate: "create system resources",
+ ActionRead: "view system resources",
+ ActionUpdate: "update system resources",
+ ActionDelete: "delete system resources",
 },
 Comment: `
 // DEPRECATED: New resources should be created for new things, rather than adding them to System, which has become
@@ -240,119 +228,119 @@ var RBACPermissions = map[string]PermissionDefinition{
 },
 "api_key": {
 Actions: map[Action]ActionDefinition{
- ActionCreate: actDef("create an api key"),
- ActionRead: actDef("read api key details (secrets are not stored)"),
- ActionDelete: actDef("delete an api key"),
- ActionUpdate: actDef("update an api key, eg expires"),
+ ActionCreate: "create an api key",
+ ActionRead: "read api key details (secrets are not stored)",
+ ActionDelete: "delete an api key",
+ ActionUpdate: "update an api key, eg expires",
 },
 },
 "tailnet_coordinator": {
 Actions: map[Action]ActionDefinition{
- ActionCreate: actDef("create a Tailnet coordinator"),
- ActionRead: actDef("view info about a Tailnet coordinator"),
- ActionUpdate: actDef("update a Tailnet coordinator"),
- ActionDelete: actDef("delete a Tailnet coordinator"),
+ ActionCreate: "create a Tailnet coordinator",
+ ActionRead: "view info about a Tailnet coordinator",
+ ActionUpdate: "update a Tailnet coordinator",
+ ActionDelete: "delete a Tailnet coordinator",
 },
 },
 "assign_role": {
 Actions: map[Action]ActionDefinition{
- ActionAssign: actDef("assign user roles"),
- ActionUnassign: actDef("unassign user roles"),
- ActionRead: actDef("view what roles are assignable"),
+ ActionAssign: "assign user roles",
+ ActionUnassign: "unassign user roles",
+ ActionRead: "view what roles are assignable",
 },
 },
 "assign_org_role": {
 Actions: map[Action]ActionDefinition{
- ActionAssign: actDef("assign org scoped roles"),
- ActionUnassign: actDef("unassign org scoped roles"),
- ActionCreate: actDef("create/delete custom roles within an organization"),
- ActionRead: actDef("view what roles are assignable within an organization"),
- ActionUpdate: actDef("edit custom roles within an organization"),
- ActionDelete: actDef("delete roles within an organization"),
+ ActionAssign: "assign org scoped roles",
+ ActionUnassign: "unassign org scoped roles",
+ ActionCreate: "create/delete custom roles within an organization",
+ ActionRead: "view what roles are assignable within an organization",
+ ActionUpdate: "edit custom roles within an organization",
+ ActionDelete: "delete roles within an organization",
 },
 },
 "oauth2_app": {
 Actions: map[Action]ActionDefinition{
- ActionCreate: actDef("make an OAuth2 app"),
- ActionRead: actDef("read OAuth2 apps"),
- ActionUpdate: actDef("update the properties of the OAuth2 app"),
- ActionDelete: actDef("delete an OAuth2 app"),
+ ActionCreate: "make an OAuth2 app",
+ ActionRead: "read OAuth2 apps",
+ ActionUpdate: "update the properties of the OAuth2 app",
+ ActionDelete: "delete an OAuth2 app",
 },
 },
 "oauth2_app_secret": {
 Actions: map[Action]ActionDefinition{
- ActionCreate: actDef("create an OAuth2 app secret"),
- ActionRead: actDef("read an OAuth2 app secret"),
- ActionUpdate: actDef("update an OAuth2 app secret"),
- ActionDelete: actDef("delete an OAuth2 app secret"),
+ ActionCreate: "create an OAuth2 app secret",
+ ActionRead: "read an OAuth2 app secret",
+ ActionUpdate: "update an OAuth2 app secret",
+ ActionDelete: "delete an OAuth2 app secret",
 },
 },
 "oauth2_app_code_token": {
 Actions: map[Action]ActionDefinition{
- ActionCreate: actDef("create an OAuth2 app code token"),
- ActionRead: actDef("read an OAuth2 app code token"),
- ActionDelete: actDef("delete an OAuth2 app code token"),
+ ActionCreate: "create an OAuth2 app code token",
+ ActionRead: "read an OAuth2 app code token",
+ ActionDelete: "delete an OAuth2 app code token",
 },
 },
 "notification_message": {
 Actions: map[Action]ActionDefinition{
- ActionCreate: actDef("create notification messages"),
- ActionRead: actDef("read notification messages"),
- ActionUpdate: actDef("update notification messages"),
- ActionDelete: actDef("delete notification messages"),
+ ActionCreate: "create notification messages",
+ ActionRead: "read notification messages",
+ ActionUpdate: "update notification messages",
+ ActionDelete: "delete notification messages",
 },
 },
 "notification_template": {
 Actions: map[Action]ActionDefinition{
- ActionRead: actDef("read notification templates"),
- ActionUpdate: actDef("update notification templates"),
+ ActionRead: "read notification templates",
+ ActionUpdate: "update notification templates",
 },
 },
 "notification_preference": {
 Actions: map[Action]ActionDefinition{
- ActionRead: actDef("read notification preferences"),
- ActionUpdate: actDef("update notification preferences"),
+ ActionRead: "read notification preferences",
+ ActionUpdate: "update notification preferences",
 },
 },
 "webpush_subscription": {
 Actions: map[Action]ActionDefinition{
- ActionCreate: actDef("create webpush subscriptions"),
- ActionRead: actDef("read webpush subscriptions"),
- ActionDelete: actDef("delete webpush subscriptions"),
+ ActionCreate: "create webpush subscriptions",
+ ActionRead: "read webpush subscriptions",
+ ActionDelete: "delete webpush subscriptions",
 },
 },
 "inbox_notification": {
 Actions: map[Action]ActionDefinition{
- ActionCreate: actDef("create inbox notifications"),
- ActionRead: actDef("read inbox notifications"),
- ActionUpdate: actDef("update inbox notifications"),
+ ActionCreate: "create inbox notifications",
+ ActionRead: "read inbox notifications",
+ ActionUpdate: "update inbox notifications",
 },
 },
 "crypto_key": {
 Actions: map[Action]ActionDefinition{
- ActionRead: actDef("read crypto keys"),
- ActionUpdate: actDef("update crypto keys"),
- ActionDelete: actDef("delete crypto keys"),
- ActionCreate: actDef("create crypto keys"),
+ ActionRead: "read crypto keys",
+ ActionUpdate: "update crypto keys",
+ ActionDelete: "delete crypto keys",
+ ActionCreate: "create crypto keys",
 },
 },
 // idpsync_settings should always be org scoped
 "idpsync_settings": {
 Actions: map[Action]ActionDefinition{
- ActionRead: actDef("read IdP sync settings"),
- ActionUpdate: actDef("update IdP sync settings"),
+ ActionRead: "read IdP sync settings",
+ ActionUpdate: "update IdP sync settings",
 },
 },
 "workspace_agent_resource_monitor": {
 Actions: map[Action]ActionDefinition{
- ActionRead: actDef("read workspace agent resource monitor"),
- ActionCreate: actDef("create workspace agent resource monitor"),
- ActionUpdate: actDef("update workspace agent resource monitor"),
+ ActionRead: "read workspace agent resource monitor",
+ ActionCreate: "create workspace agent resource monitor",
+ ActionUpdate: "update workspace agent resource monitor",
 },
 },
 "workspace_agent_devcontainers": {
 Actions: map[Action]ActionDefinition{
- ActionCreate: actDef("create workspace agent devcontainers"),
+ ActionCreate: "create workspace agent devcontainers",
 },
 },
 }
From ff10bea5f5d05a318ab8a9bc56907ba93a9e8319 Mon Sep 17 00:00:00 2001
From: Steven Masley
Date: Wed, 23 Jul 2025 13:45:56 -0500
Subject: [PATCH 2/2] fix gen
---
 scripts/typegen/rbacobject.gotmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/typegen/rbacobject.gotmpl b/scripts/typegen/rbacobject.gotmpl
index ee89a8801eaca..37aec00dc8b83 100644
--- a/scripts/typegen/rbacobject.gotmpl
+++ b/scripts/typegen/rbacobject.gotmpl
@@ -14,7 +14,7 @@ var (
 // Resource{{ $Name }}
 // Valid Actions
 {{- range $action, $value := .Actions }}
- // - "{{ actionEnum $action }}" :: {{ $value.Description }}
+ // - "{{ actionEnum $action }}" :: {{ $value }}
 {{- end }}
 {{- .Comment }}
 Resource{{ $Name }} = Object {
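Review bot: The `{{ $value.Description }}` reference that this hunk replaces only breaks at template execution time, since text/template field access is not checked by `go build`; that is why the first patch compiled and this follow-up was needed. Recording the expectation next to the range would help the next editor: `{{- /* $value is an ActionDefinition, a plain string */ -}}` placed before the `// - ...` line. Any other generator template or docs tooling that still reads `.Description` from `ActionDefinition` would fail the same way, and is not visible from this diff.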