package rbac
// ExpandableRoles is any type that can be expanded into a []Role. This is implemented
// as an interface so we can have RoleNames for user defined roles, and implement
// custom ExpandableRoles for system type users (eg autostart/autostop system role).
// We want a clear divide between the two types of roles so users have no codepath
// to interact or assign system roles.
//
// Note: We may also want to do the same thing with scopes to allow custom scope
// support unavailable to the user. Eg: Scope to a single resource.
type ExpandableRoles interface {
	// Expand materializes the roles into their full permission sets. The
	// returned []Role is the payload that ends up in the rego (see Role), so
	// it, not Names, is the input that authorization decisions rest on.
	Expand() ([]Role, error)
	// Names is for logging and tracing purposes, we want to know the human
	// names of the expanded roles. It is informational only and should not
	// be used as an authorization input.
	Names() []string
}
// Permission is the format passed into the rego.
type Permission struct {
	// Negate makes this a negative permission.
	// NOTE(review): how a negated permission is ranked against positive ones
	// for the same resource/action is presumably decided in the rego policy,
	// not in this package — confirm there before relying on it.
	Negate bool `json:"negate"`
	// ResourceType names the kind of resource this permission covers.
	ResourceType string `json:"resource_type"`
	// Action is the operation this permission covers (denied rather than
	// granted when Negate is set).
	Action Action `json:"action"`
}
// Role is a set of permissions at multiple levels:
// - Site level permissions apply EVERYWHERE
// - Org level permissions apply to EVERYTHING in a given ORG
// - User level permissions are the lowest
// This is the type passed into the rego as a json payload.
// Users of this package should instead **only** use the role names, and
// this package will expand the role names into their json payloads.
type Role struct {
	// Name is the stable identifier of the role; it is what callers refer
	// to when they ask this package to expand roles.
	Name string `json:"name"`
	// DisplayName is used for UI purposes. If the role has no display name,
	// that means the UI should never display it.
	DisplayName string `json:"display_name"`
	// Site holds the permissions that apply everywhere, regardless of
	// organization or user.
	Site []Permission `json:"site"`
	// Org is a map of orgid to permissions. We represent orgid as a string.
	// We scope the organizations in the role so we can easily combine all the
	// roles.
	Org map[string][]Permission `json:"org"`
	// User holds the lowest-level permissions, scoped to the user's own
	// resources.
	User []Permission `json:"user"`
}
type Roles []Role
// Expand satisfies ExpandableRoles for a list that is already expanded: the
// receiver is handed back unchanged and no error can occur.
func (roles Roles) Expand() ([]Role, error) {
	expanded := []Role(roles)
	return expanded, nil
}
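// Names returns the human-readable name of every role in the receiver, in
// the same order. It exists for logging and tracing and is not an
// authorization input; an empty or nil receiver yields an empty slice.
func (roles Roles) Names() []string {
	names := make([]string, 0, len(roles))
	for _, r := range roles {
		// Accumulate here rather than returning from inside the loop; an
		// early return would truncate the result to the first role and
		// under-report which roles were in effect in logs and traces.
		names = append(names, r.Name)
	}
	return names
}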