coder/coderd/rbac/README.md

# Authz

Package `authz` implements AuthoriZation for Coder.

## Overview

Authorization defines what **permission** a **subject** has to perform **actions** to **objects**:

- **Permission** is binary: _yes_ (allowed) or _no_ (denied).
- **Subject** in this case is anything that implements interface `authz.Subject`.
- **Action** here is an enumerated list of actions, but we stick to `Create`, `Read`, `Update`, and `Delete` here.
- **Object** here is anything that implements `authz.Object`.

## Permission Structure

A **permission** is a rule that grants or denies access for a **subject** to perform an **action** on a **object**.
A **permission** is always applied at a given **level**:

- **site** level applies to all objects in a given Coder deployment.
- **org** level applies to all objects that have an organization owner (`org_owner`)
- **user** level applies to all objects that have an owner with the same ID as the subject.

**Permissions** at a higher **level** always override permissions at a **lower** level.

The effect of a **permission** can be:

- **positive** (allows)
- **negative** (denies)
- **abstain** (neither allows or denies, not applicable)

**Negative** permissions **always** override **positive** permissions at the same level.
Both **negative** and **positive** permissions override **abstain** at the same level.

This can be represented by the following truth table, where Y represents _positive_, N represents _negative_, and \_ represents _abstain_:

| Action | Positive | Negative | Result |
| ------ | -------- | -------- | ------ |
| read   | Y        | \_       | Y      |
| read   | Y        | N        | N      |
| read   | \_       | \_       | \_     |
| read   | \_       | N        | Y      |

## Permission Representation

**Permissions** are represented in string format as `<sign>?<level>.<object>.<id>.<action>`, where:

- `negated` can be either `+` or `-`. If it is omitted, sign is assumed to be `+`.
- `level` is either `site`, `org`, or `user`.
- `object` is any valid resource type.
- `id` is any valid UUID v4.
- `action` is `create`, `read`, `modify`, or `delete`.

## Example Permissions

- `+site.*.*.read`: allowed to perform the `read` action against all objects of type `app` in a given Coder deployment.
- `-user.workspace.*.create`: user is not allowed to create workspaces.

## Roles

A _role_ is a set of permissions. When evaluating a role's permission to form an action, all the relevant permissions for the role are combined at each level. Permissions at a higher level override permissions at a lower level.

The following table shows the per-level role evaluation.
Y indicates that the role provides positive permissions, N indicates the role provides negative permissions, and _ indicates the role does not provide positive or negative permissions. YN_ indicates that the value in the cell does not matter for the access result.

| Role (example)  | Site | Org  | User | Result |
| --------------- | ---- | ---- | ---- | ------ |
| site-admin      | Y    | YN\_ | YN\_ | Y      |
| no-permission   | N    | YN\_ | YN\_ | N      |
| org-admin       | \_   | Y    | YN\_ | Y      |
| non-org-member  | \_   | N    | YN\_ | N      |
| user            | \_   | \_   | Y    | Y      |
|                 | \_   | \_   | N    | N      |
| unauthenticated | \_   | \_   | \_   | N      |
feat: Add RBAC package for managing user permissions (#929) This PR adds an RBAC package for managing using permissions: - The top-level `authz.Authorize` function is the main user-facing entrypoint to the package. - Actual permission evaluation is handled in `policy.rego`. - Unit tests for `authz.Authorize` are in `authz_test.go` - Documentation for the package is in `README.md`. Co-authored-by: Cian Johnston <cian@coder.com> 2022-04-13 13:35:35 +00:00			`# Authz`

			Package `authz` implements AuthoriZation for Coder.

			`## Overview`

			`Authorization defines what permission a subject has to perform actions to objects:`
chore: Improve project-wide prettier formatting and ignored files (#5505) * chore: Improve project-wide prettier formatting and ignored files * chore: `Run make fmt/prettier` * Fix gitignore for `.vscode` folder so that ! works * Add comment in `.prettierrc.yaml` to explain `.editorconfig` * Remove scripts/apidocgen/markdown-template/README.md * Use `yq` for processing prettierrc, update lib.sh dependency check * Add `yq` to Dockerfile and Nix 2023-01-03 13:11:13 +00:00
			`- Permission is binary: _yes_ (allowed) or _no_ (denied).`
feat: Add RBAC package for managing user permissions (#929) This PR adds an RBAC package for managing using permissions: - The top-level `authz.Authorize` function is the main user-facing entrypoint to the package. - Actual permission evaluation is handled in `policy.rego`. - Unit tests for `authz.Authorize` are in `authz_test.go` - Documentation for the package is in `README.md`. Co-authored-by: Cian Johnston <cian@coder.com> 2022-04-13 13:35:35 +00:00			- Subject in this case is anything that implements interface `authz.Subject`.
			- Action here is an enumerated list of actions, but we stick to `Create`, `Read`, `Update`, and `Delete` here.
			- Object here is anything that implements `authz.Object`.

			`## Permission Structure`

			`A permission is a rule that grants or denies access for a subject to perform an action on a object.`
			`A permission is always applied at a given level:`

			`- site level applies to all objects in a given Coder deployment.`
			- org level applies to all objects that have an organization owner (`org_owner`)
			`- user level applies to all objects that have an owner with the same ID as the subject.`

			`Permissions at a higher level always override permissions at a lower level.`

			`The effect of a permission can be:`
chore: Improve project-wide prettier formatting and ignored files (#5505) * chore: Improve project-wide prettier formatting and ignored files * chore: `Run make fmt/prettier` * Fix gitignore for `.vscode` folder so that ! works * Add comment in `.prettierrc.yaml` to explain `.editorconfig` * Remove scripts/apidocgen/markdown-template/README.md * Use `yq` for processing prettierrc, update lib.sh dependency check * Add `yq` to Dockerfile and Nix 2023-01-03 13:11:13 +00:00
feat: Add RBAC package for managing user permissions (#929) This PR adds an RBAC package for managing using permissions: - The top-level `authz.Authorize` function is the main user-facing entrypoint to the package. - Actual permission evaluation is handled in `policy.rego`. - Unit tests for `authz.Authorize` are in `authz_test.go` - Documentation for the package is in `README.md`. Co-authored-by: Cian Johnston <cian@coder.com> 2022-04-13 13:35:35 +00:00			`- positive (allows)`
			`- negative (denies)`
			`- abstain (neither allows or denies, not applicable)`

			`Negative permissions always override positive permissions at the same level.`
			`Both negative and positive permissions override abstain at the same level.`

chore: Improve project-wide prettier formatting and ignored files (#5505) * chore: Improve project-wide prettier formatting and ignored files * chore: `Run make fmt/prettier` * Fix gitignore for `.vscode` folder so that ! works * Add comment in `.prettierrc.yaml` to explain `.editorconfig` * Remove scripts/apidocgen/markdown-template/README.md * Use `yq` for processing prettierrc, update lib.sh dependency check * Add `yq` to Dockerfile and Nix 2023-01-03 13:11:13 +00:00			`This can be represented by the following truth table, where Y represents _positive_, N represents _negative_, and \_ represents _abstain_:`
feat: Add RBAC package for managing user permissions (#929) This PR adds an RBAC package for managing using permissions: - The top-level `authz.Authorize` function is the main user-facing entrypoint to the package. - Actual permission evaluation is handled in `policy.rego`. - Unit tests for `authz.Authorize` are in `authz_test.go` - Documentation for the package is in `README.md`. Co-authored-by: Cian Johnston <cian@coder.com> 2022-04-13 13:35:35 +00:00
			`\| Action \| Positive \| Negative \| Result \|`
chore: Improve project-wide prettier formatting and ignored files (#5505) * chore: Improve project-wide prettier formatting and ignored files * chore: `Run make fmt/prettier` * Fix gitignore for `.vscode` folder so that ! works * Add comment in `.prettierrc.yaml` to explain `.editorconfig` * Remove scripts/apidocgen/markdown-template/README.md * Use `yq` for processing prettierrc, update lib.sh dependency check * Add `yq` to Dockerfile and Nix 2023-01-03 13:11:13 +00:00			`\| ------ \| -------- \| -------- \| ------ \|`
			`\| read \| Y \| \_ \| Y \|`
feat: Add RBAC package for managing user permissions (#929) This PR adds an RBAC package for managing using permissions: - The top-level `authz.Authorize` function is the main user-facing entrypoint to the package. - Actual permission evaluation is handled in `policy.rego`. - Unit tests for `authz.Authorize` are in `authz_test.go` - Documentation for the package is in `README.md`. Co-authored-by: Cian Johnston <cian@coder.com> 2022-04-13 13:35:35 +00:00			`\| read \| Y \| N \| N \|`
chore: Improve project-wide prettier formatting and ignored files (#5505) * chore: Improve project-wide prettier formatting and ignored files * chore: `Run make fmt/prettier` * Fix gitignore for `.vscode` folder so that ! works * Add comment in `.prettierrc.yaml` to explain `.editorconfig` * Remove scripts/apidocgen/markdown-template/README.md * Use `yq` for processing prettierrc, update lib.sh dependency check * Add `yq` to Dockerfile and Nix 2023-01-03 13:11:13 +00:00			`\| read \| \_ \| \_ \| \_ \|`
			`\| read \| \_ \| N \| Y \|`
feat: Add RBAC package for managing user permissions (#929) This PR adds an RBAC package for managing using permissions: - The top-level `authz.Authorize` function is the main user-facing entrypoint to the package. - Actual permission evaluation is handled in `policy.rego`. - Unit tests for `authz.Authorize` are in `authz_test.go` - Documentation for the package is in `README.md`. Co-authored-by: Cian Johnston <cian@coder.com> 2022-04-13 13:35:35 +00:00
			`## Permission Representation`

			Permissions are represented in string format as `<sign>?<level>.<object>.<id>.<action>`, where:

			- `negated` can be either `+` or `-`. If it is omitted, sign is assumed to be `+`.
			- `level` is either `site`, `org`, or `user`.
			- `object` is any valid resource type.
			- `id` is any valid UUID v4.
			- `action` is `create`, `read`, `modify`, or `delete`.

			`## Example Permissions`

feat: Add workspace application support (#1773) * feat: Add app support This adds apps as a property to a workspace agent. The resource is added to the Terraform provider here: https://github.com/coder/terraform-provider-coder/pull/17 Apps will be opened in the dashboard or via the CLI with `coder open <name>`. If `command` is specified, a terminal will appear locally and in the web. If `target` is specified, the browser will open to an exposed instance of that target. * Compare fields in apps test * Update Terraform provider to use relative path * Add some basic structure for routing * chore: Remove interface from coderd and lift API surface Abstracting coderd into an interface added misdirection because the interface was never intended to be fulfilled outside of a single implementation. This lifts the abstraction, and attaches all handlers to a root struct named `coderd.API`. Add basic proxy logic * Add proxying based on path * Add app proxying for wildcards * Add wsconncache * fix: Race when writing to a closed pipe This is such an intermittent race it's difficult to track, but regardless this is an improvement to the code. * fix: Race when writing to a closed pipe This is such an intermittent race it's difficult to track, but regardless this is an improvement to the code. * fix: Race when writing to a closed pipe This is such an intermittent race it's difficult to track, but regardless this is an improvement to the code. * fix: Race when writing to a closed pipe This is such an intermittent race it's difficult to track, but regardless this is an improvement to the code. * Add workspace route proxying endpoint - Makes the workspace conn cache concurrency-safe - Reduces unnecessary open checks in `peer.Channel` - Fixes the use of a temporary context when dialing a workspace agent * Add embed errors * chore: Refactor site to improve testing It was difficult to develop this package due to the embed build tag being mandatory on the tests. The logic to test doesn't require any embedded files. * Add test for error handler * Remove unused access url * Add RBAC tests * Fix dial agent syntax * Fix linting errors * Fix gen * Fix icon required * Adjust migration number * Fix proxy error status code * Fix empty db lookup 2022-06-04 20:13:37 +00:00			- `+site...read`: allowed to perform the `read` action against all objects of type `app` in a given Coder deployment.
feat: Add RBAC package for managing user permissions (#929) This PR adds an RBAC package for managing using permissions: - The top-level `authz.Authorize` function is the main user-facing entrypoint to the package. - Actual permission evaluation is handled in `policy.rego`. - Unit tests for `authz.Authorize` are in `authz_test.go` - Documentation for the package is in `README.md`. Co-authored-by: Cian Johnston <cian@coder.com> 2022-04-13 13:35:35 +00:00			- `-user.workspace.*.create`: user is not allowed to create workspaces.

			`## Roles`

chore: Improve project-wide prettier formatting and ignored files (#5505) * chore: Improve project-wide prettier formatting and ignored files * chore: `Run make fmt/prettier` * Fix gitignore for `.vscode` folder so that ! works * Add comment in `.prettierrc.yaml` to explain `.editorconfig` * Remove scripts/apidocgen/markdown-template/README.md * Use `yq` for processing prettierrc, update lib.sh dependency check * Add `yq` to Dockerfile and Nix 2023-01-03 13:11:13 +00:00			`A _role_ is a set of permissions. When evaluating a role's permission to form an action, all the relevant permissions for the role are combined at each level. Permissions at a higher level override permissions at a lower level.`
feat: Add RBAC package for managing user permissions (#929) This PR adds an RBAC package for managing using permissions: - The top-level `authz.Authorize` function is the main user-facing entrypoint to the package. - Actual permission evaluation is handled in `policy.rego`. - Unit tests for `authz.Authorize` are in `authz_test.go` - Documentation for the package is in `README.md`. Co-authored-by: Cian Johnston <cian@coder.com> 2022-04-13 13:35:35 +00:00
			`The following table shows the per-level role evaluation.`
			`Y indicates that the role provides positive permissions, N indicates the role provides negative permissions, and _ indicates the role does not provide positive or negative permissions. YN_ indicates that the value in the cell does not matter for the access result.`

chore: Improve project-wide prettier formatting and ignored files (#5505) * chore: Improve project-wide prettier formatting and ignored files * chore: `Run make fmt/prettier` * Fix gitignore for `.vscode` folder so that ! works * Add comment in `.prettierrc.yaml` to explain `.editorconfig` * Remove scripts/apidocgen/markdown-template/README.md * Use `yq` for processing prettierrc, update lib.sh dependency check * Add `yq` to Dockerfile and Nix 2023-01-03 13:11:13 +00:00			`\| Role (example) \| Site \| Org \| User \| Result \|`
			`\| --------------- \| ---- \| ---- \| ---- \| ------ \|`
			`\| site-admin \| Y \| YN\_ \| YN\_ \| Y \|`
			`\| no-permission \| N \| YN\_ \| YN\_ \| N \|`
			`\| org-admin \| \_ \| Y \| YN\_ \| Y \|`
			`\| non-org-member \| \_ \| N \| YN\_ \| N \|`
			`\| user \| \_ \| \_ \| Y \| Y \|`
			`\| \| \_ \| \_ \| N \| N \|`
			`\| unauthenticated \| \_ \| \_ \| \_ \| N \|`