/**
 * Copyright (c) 2020 Gitpod GmbH. All rights reserved.
 * Licensed under the GNU Affero General Public License (AGPL).
 * See License-AGPL.txt in the project root for license information.
 */
/**
 * Vocabulary of permission names.
 *
 * Only the keys carry meaning: `PermissionName` is derived from them with
 * `keyof typeof`, and every value is `undefined`.
 *
 * NOTE(review): this union exists at compile time only. A permission string that
 * reaches the process from outside the type system is not constrained by it and
 * needs a runtime check before it takes part in an authorization decision.
 */
export const Permissions = {
    monitor: undefined,
    enforcement: undefined,
    "privileged-ws": undefined,
    "registry-access": undefined,
    "admin-users": undefined,
    "admin-workspaces": undefined,
    "admin-api": undefined,
    "ide-settings": undefined,
    "new-workspace-cluster": undefined,
    "teams-and-projects": undefined,
};

/** Union of the string keys of `Permissions`. */
export type PermissionName = keyof typeof Permissions;

/** Vocabulary of role names; as with `Permissions`, only the keys are meaningful. */
export const Roles = {
    devops: undefined,
    viewer: undefined,
    admin: undefined,
};

/** Union of the string keys of `Roles`. */
export type RoleName = keyof typeof Roles;

/** Either a role name or a permission name. */
export type RoleOrPermission = RoleName | PermissionName;
export namespace RoleName {
    /**
     * Runtime type guard for role names.
     *
     * @param o value of unknown origin
     * @returns `true` only when `o` is a string equal to the `name` of one of the
     *          roles returned by `Role.all()`; any non-string is rejected without
     *          consulting the role list.
     */
    export const is = (o: any): o is RoleName => {
        if (typeof o !== 'string') {
            return false;
        }
        for (const role of Role.all()) {
            if (role.name === o) {
                return true;
            }
        }
        return false;
    };
}
/** A named bundle of permissions. */
export interface Role {
    /** Identifier of the role; one of the keys of `Roles`. */
    name: RoleName;
    /** Permissions the role carries. */
    permissions: PermissionName[];
}
/**
 * Named constants for permissions plus the runtime helpers `is` and `all`.
 *
 * NOTE(review): `Permissions` also declares "privileged-ws", "new-workspace-cluster"
 * and "teams-and-projects", but this namespace has no constant for them. `all()`
 * therefore omits them and `is()` returns `false` for them, although all three
 * type-check as `PermissionName`. Confirm that this gap is intended.
 */
export namespace Permission {
    /** Allows monitoring the (live) state of a Gitpod installation. */
    export const MONITOR: PermissionName = "monitor";

    /** Allows enforcement actions such as blocking a user or stopping a workspace. */
    export const ENFORCEMENT: PermissionName = "enforcement";

    /** Allows registry access (starting workspaces that reference gitpod-internal Docker images). */
    export const REGISTRY_ACCESS: PermissionName = "registry-access";

    /** Allows access to all user data. */
    export const ADMIN_USERS: PermissionName = "admin-users";

    /** Allows access to all workspace data. */
    export const ADMIN_WORKSPACES: PermissionName = "admin-workspaces";

    /** Allows access to the admin API. */
    export const ADMIN_API: PermissionName = "admin-api";

    /** Allows access to the IDE settings. */
    export const IDE_SETTINGS: PermissionName = "ide-settings";

    /**
     * Runtime type guard for permission names.
     *
     * @param o value of unknown origin
     * @returns `true` only when `o` is a string that `all()` reports; non-strings
     *          are rejected before the list is built.
     */
    export const is = (o: any): o is PermissionName => {
        if (typeof o !== 'string') {
            return false;
        }
        return Permission.all().some(known => known === o);
    };

    /**
     * Lists the permissions defined in this namespace, in declaration order.
     *
     * The list is built by reflection: every exported member whose value is a
     * string is reported. Any other string-valued export added here would thus
     * become a permission that `is()` accepts.
     *
     * @returns a new array on each call
     */
    export const all = (): PermissionName[] => {
        const names: PermissionName[] = [];
        for (const key of Object.keys(Permission)) {
            const member = (Permission as any)[key];
            if (typeof member === 'string') {
                names.push(member);
            }
        }
        return names;
    };
}
/**
 * The built-in role definitions plus the lookup helpers `getByName` and `all`.
 *
 * NOTE(review): `getByName` and `all` hand out the very objects declared below,
 * not copies. A caller that mutates a returned role or its `permissions` array
 * changes that role for every later lookup in the same process.
 */
export namespace Role {
    /** The default role for all Gitpod developers */
    export const DEVOPS: Role = {
        name: "devops",
        permissions: [
            Permission.MONITOR,
            Permission.ENFORCEMENT,
            Permission.REGISTRY_ACCESS,
            Permission.IDE_SETTINGS
        ]
    };

    /** A role for people that are allowed to view Gitpod internals */
    export const VIEWER: Role = {
        name: "viewer",
        permissions: [
            Permission.MONITOR,
            Permission.REGISTRY_ACCESS,
        ]
    };

    /**
     * Role carrying the three admin-* permissions together with enforcement.
     * It is not a superset of DEVOPS or VIEWER: monitor, registry-access and
     * ide-settings are not part of it.
     */
    export const ADMIN: Role = {
        name: "admin",
        permissions: [
            Permission.ADMIN_USERS,
            Permission.ADMIN_WORKSPACES,
            Permission.ADMIN_API,
            Permission.ENFORCEMENT,
        ]
    };

    /**
     * Looks up a role by its name.
     *
     * @param name role name to resolve
     * @returns the first role from `all()` whose `name` matches
     * @throws Error when no role has that name; the message contains `name`
     */
    export const getByName = (name: RoleName): Role => {
        for (const candidate of Role.all()) {
            if (candidate.name === name) {
                return candidate;
            }
        }
        throw Error("Unknown RoleName: " + name);
    };

    /**
     * Lists the roles defined in this namespace, in declaration order.
     *
     * The list is built by reflection: every exported member whose `typeof` is
     * 'object' is reported, so any further object-valued export (a `null` one
     * included) added here would be returned as a role.
     *
     * @returns a new array on each call, holding the shared role objects
     */
    export const all = (): Role[] => {
        const roles: Role[] = [];
        for (const key of Object.keys(Role)) {
            const member = (Role as any)[key];
            if (typeof member === 'object') {
                roles.push(member);
            }
        }
        return roles;
    };
}