chore: merge provisioner key and provisioner permissions (coder#16628)

Provisioner key permissions were never any different than provisioners.
Merging them for a cleaner permission story until they are required (if
ever) to be seperate.

This removed `ResourceProvisionerKey` from RBAC and just uses the
existing `ResourceProvisioner`.

Author: Emyrk

coderd/apidoc/docs.go

@@ -324,7 +324,6 @@ var (
 					rbac.ResourceOrganization.Type:           {policy.ActionCreate, policy.ActionRead},
 					rbac.ResourceOrganizationMember.Type:     {policy.ActionCreate, policy.ActionDelete, policy.ActionRead},
 					rbac.ResourceProvisionerDaemon.Type:      {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate},
-					rbac.ResourceProvisionerKeys.Type:        {policy.ActionCreate, policy.ActionRead, policy.ActionDelete},
 					rbac.ResourceUser.Type:                   rbac.ResourceUser.AvailableActions(),
 					rbac.ResourceWorkspaceDormant.Type:       {policy.ActionUpdate, policy.ActionDelete, policy.ActionWorkspaceStop},
 					rbac.ResourceWorkspace.Type:              {policy.ActionUpdate, policy.ActionDelete, policy.ActionWorkspaceStart, policy.ActionWorkspaceStop, policy.ActionSSH},
@@ -3192,7 +3191,7 @@ func (q *querier) InsertProvisionerJobTimings(ctx context.Context, arg database.
 }
 
 func (q *querier) InsertProvisionerKey(ctx context.Context, arg database.InsertProvisionerKeyParams) (database.ProvisionerKey, error) {
-	return insert(q.log, q.auth, rbac.ResourceProvisionerKeys.InOrg(arg.OrganizationID).WithID(arg.ID), q.db.InsertProvisionerKey)(ctx, arg)
+	return insert(q.log, q.auth, rbac.ResourceProvisionerDaemon.InOrg(arg.OrganizationID).WithID(arg.ID), q.db.InsertProvisionerKey)(ctx, arg)
 }
 
 func (q *querier) InsertReplica(ctx context.Context, arg database.InsertReplicaParams) (database.Replica, error) {

coderd/apidoc/swagger.json

@@ -277,8 +277,10 @@ func (p GetEligibleProvisionerDaemonsByProvisionerJobIDsRow) RBACObject() rbac.O
 	return p.ProvisionerDaemon.RBACObject()
 }
 
+// RBACObject for a provisioner key is the same as a provisioner daemon.
+// Keys == provisioners from a RBAC perspective.
 func (p ProvisionerKey) RBACObject() rbac.Object {
-	return rbac.ResourceProvisionerKeys.
+	return rbac.ResourceProvisionerDaemon.
 		WithID(p.ID).
 		InOrg(p.OrganizationID)
 }

coderd/database/dbauthz/dbauthz.go

@@ -162,25 +162,18 @@ var RBACPermissions = map[string]PermissionDefinition{
 	},
 	"provisioner_daemon": {
 		Actions: map[Action]ActionDefinition{
-			ActionCreate: actDef("create a provisioner daemon"),
+			ActionCreate: actDef("create a provisioner daemon/key"),
 			// TODO: Move to use?
 			ActionRead:   actDef("read provisioner daemon"),
 			ActionUpdate: actDef("update a provisioner daemon"),
-			ActionDelete: actDef("delete a provisioner daemon"),
+			ActionDelete: actDef("delete a provisioner daemon/key"),
 		},
 	},
 	"provisioner_jobs": {
 		Actions: map[Action]ActionDefinition{
 			ActionRead: actDef("read provisioner jobs"),
 		},
 	},
-	"provisioner_keys": {
-		Actions: map[Action]ActionDefinition{
-			ActionCreate: actDef("create a provisioner key"),
-			ActionRead:   actDef("read provisioner keys"),
-			ActionDelete: actDef("delete a provisioner key"),
-		},
-	},
 	"organization": {
 		Actions: map[Action]ActionDefinition{
 			ActionCreate: actDef("create an organization"),

coderd/database/modelmethods.go

@@ -556,15 +556,6 @@ func TestRolePermissions(t *testing.T) {
 				false: {setOtherOrg, memberMe, userAdmin, orgUserAdmin, orgAuditor},
 			},
 		},
-		{
-			Name:     "ProvisionerKeys",
-			Actions:  []policy.Action{policy.ActionCreate, policy.ActionRead, policy.ActionDelete},
-			Resource: rbac.ResourceProvisionerKeys.InOrg(orgID),
-			AuthorizeMap: map[bool][]hasAuthSubjects{
-				true:  {owner, orgAdmin},
-				false: {setOtherOrg, memberMe, orgMemberMe, userAdmin, templateAdmin, orgTemplateAdmin, orgUserAdmin, orgAuditor},
-			},
-		},
 		{
 			Name:     "ProvisionerJobs",
 			Actions:  []policy.Action{policy.ActionRead},

coderd/rbac/object_gen.go

@@ -147,9 +147,13 @@ func (api *API) putOrgRoles(rw http.ResponseWriter, r *http.Request) {
 			UUID:  organization.ID,
 			Valid: true,
 		},
-		SitePermissions: db2sdk.List(req.SitePermissions, sdkPermissionToDB),
-		OrgPermissions:  db2sdk.List(req.OrganizationPermissions, sdkPermissionToDB),
-		UserPermissions: db2sdk.List(req.UserPermissions, sdkPermissionToDB),
+		// Invalid permissions are filtered out. If this is changed
+		// to throw an error, then the story of a previously valid role
+		// now being invalid has to be addressed. Coder can change permissions,
+		// objects, and actions at any time.
+		SitePermissions: db2sdk.List(filterInvalidPermissions(req.SitePermissions), sdkPermissionToDB),
+		OrgPermissions:  db2sdk.List(filterInvalidPermissions(req.OrganizationPermissions), sdkPermissionToDB),
+		UserPermissions: db2sdk.List(filterInvalidPermissions(req.UserPermissions), sdkPermissionToDB),
 	})
 	if httpapi.Is404Error(err) {
 		httpapi.ResourceNotFound(rw)
@@ -247,6 +251,23 @@ func (api *API) deleteOrgRole(rw http.ResponseWriter, r *http.Request) {
 	httpapi.Write(ctx, rw, http.StatusNoContent, nil)
 }
 
+func filterInvalidPermissions(permissions []codersdk.Permission) []codersdk.Permission {
+	// Filter out any invalid permissions
+	var validPermissions []codersdk.Permission
+	for _, permission := range permissions {
+		err := rbac.Permission{
+			Negate:       permission.Negate,
+			ResourceType: string(permission.ResourceType),
+			Action:       policy.Action(permission.Action),
+		}.Valid()
+		if err != nil {
+			continue
+		}
+		validPermissions = append(validPermissions, permission)
+	}
+	return validPermissions
+}
+
 func sdkPermissionToDB(p codersdk.Permission) database.CustomRolePermission {
 	return database.CustomRolePermission{
 		Negate:       p.Negate,

coderd/rbac/policy/policy.go

@@ -114,19 +114,14 @@ export const RBACResourceActions: Partial<
 		update: "update an organization member",
 	},
 	provisioner_daemon: {
-		create: "create a provisioner daemon",
-		delete: "delete a provisioner daemon",
+		create: "create a provisioner daemon/key",
+		delete: "delete a provisioner daemon/key",
 		read: "read provisioner daemon",
 		update: "update a provisioner daemon",
 	},
 	provisioner_jobs: {
 		read: "read provisioner jobs",
 	},
-	provisioner_keys: {
-		create: "create a provisioner key",
-		delete: "delete a provisioner key",
-		read: "read provisioner keys",
-	},
 	replicas: {
 		read: "read replicas",
 	},

coderd/rbac/roles_test.go

@@ -101,11 +101,6 @@ export const MockRoles: (AssignableRoles | Role)[] = [
 				resource_type: "provisioner_daemon",
 				action: "*" as RBACAction,
 			},
-			{
-				negate: false,
-				resource_type: "provisioner_keys",
-				action: "*" as RBACAction,
-			},
 			{
 				negate: false,
 				resource_type: "replicas",