package codersdk
import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
)
// AuthorizationResponse reports the outcome of each check submitted in an
// AuthorizationRequest. Keys are the caller-chosen keys of
// AuthorizationRequest.Checks; the boolean is the result of that check
// (true when the authenticated user holds the permission, per AuthCheck).
type AuthorizationResponse map[string]bool
// AuthorizationRequest is a structure instead of a map because
// go-playground/validate can only validate structs. If you attempt to pass
// a map into `httpapi.Read`, you will get an invalid type error.
type AuthorizationRequest struct {
	// Checks is a map keyed with an arbitrary string to a permission check.
	// The key can be any string that is helpful to the caller, and allows
	// multiple permission checks to be run in a single request.
	// The key ensures that each permission check has the same key in the
	// response, so callers can correlate each answer with the check that
	// produced it without relying on ordering.
	Checks map[string]AuthorizationCheck `json:"checks"`
}
// AuthorizationCheck is used to check if the currently authenticated user (or the specified user) can do a given action to a given set of objects.
//
// @Description AuthorizationCheck is used to check if the currently authenticated user (or the specified user) can do a given action to a given set of objects.
type AuthorizationCheck struct {
	// Object can represent a "set" of objects, such as: all workspaces in an organization, all workspaces owned by me, and all workspaces across the entire product.
	// When defining an object, use the most specific language when possible to
	// produce the smallest set. Meaning to set as many fields on 'Object' as
	// you can. Example, if you want to check if you can update all workspaces
	// owned by 'me', try to also add an 'OrganizationID' to the settings.
	// Omitting the 'OrganizationID' could produce the incorrect value, as
	// workspaces have both `user` and `organization` owners.
	Object AuthorizationObject `json:"object"`
	// Action is the RBAC action being tested against Object.
	// NOTE(review): the `enums` tag lists only create/read/update/delete and
	// presumably feeds the generated API docs rather than server-side
	// validation — confirm it still matches the full set of RBACAction values
	// the server accepts.
	Action RBACAction `json:"action" enums:"create,read,update,delete"`
}
// AuthorizationObject can represent a "set" of objects, such as: all workspaces in an organization, all workspaces owned by me,
// all workspaces across the entire product.
//
// The object is described entirely by the caller: the rbac library does not
// look the resource up, so the answer is only as accurate as the fields
// supplied here. Leaving a constraint out widens the set being checked and
// can yield a different answer than the real, fully-scoped resource would.
//
// @Description AuthorizationObject can represent a "set" of objects, such as: all workspaces in an organization, all workspaces owned by me,
// @Description all workspaces across the entire product.
type AuthorizationObject struct {
	// ResourceType is the name of the resource.
	// `./coderd/rbac/object.go` has the list of valid resource types.
	ResourceType RBACResource `json:"resource_type"`
	// OwnerID (optional) adds the set constraint to all resources owned by a given user.
	OwnerID string `json:"owner_id,omitempty"`
	// OrganizationID (optional) adds the set constraint to all resources owned by a given organization.
	OrganizationID string `json:"organization_id,omitempty"`
	// ResourceID (optional) reduces the set to a singular resource. This assigns
	// a resource ID to the resource type, eg: a single workspace.
	// The rbac library will not fetch the resource from the database, so if you
	// are using this option, you should also set the owner ID and organization ID
	// if possible. Be as specific as possible using all the fields relevant.
	// Because nothing is fetched, a ResourceID paired with an OwnerID or
	// OrganizationID that do not match the real resource answers the question
	// for the object *as described*, not for the actual resource.
	ResourceID string `json:"resource_id,omitempty"`
}
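// AuthCheck allows the authenticated user to check if they have the given permissions
// to a set of resources.
//
// It POSTs req to /api/v2/authcheck and returns one boolean per key in
// req.Checks. On any failure — transport error, non-200 status, or a body
// that does not decode — the returned map is nil and the error is non-nil,
// so callers must check err before reading the map.
//
// NOTE(review): the answer is computed for the object as the caller
// described it (see AuthorizationObject), which makes it suitable for
// gating UI/CLI actions; the server is presumably still the enforcement
// point for the real operation — confirm against the coderd handlers.
func (c *Client) AuthCheck(ctx context.Context, req AuthorizationRequest) (AuthorizationResponse, error) {
	res, err := c.Request(ctx, http.MethodPost, "/api/v2/authcheck", req)
	if err != nil {
		return nil, err
	}
	defer res.Body.Close()
	if res.StatusCode != http.StatusOK {
		// Return a nil map here, as on the other error paths, rather than an
		// empty one so every failure looks the same to the caller.
		return nil, ReadBodyAsError(res)
	}
	var resp AuthorizationResponse
	if err := json.NewDecoder(res.Body).Decode(&resp); err != nil {
		// Do not hand back a partially decoded map alongside the error.
		return nil, fmt.Errorf("decode authcheck response: %w", err)
	}
	return resp, nil
}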