OPA/Policy: ensure scope and allow-list checks

Description

- Confirm and, if necessary, adjust `coderd/rbac/policy.rego` to require both role allow and scope allow. Ensure allow-list membership is enforced for reads/updates/deletes, but not for creates (no ID at creation time), matching the RFC.

Progress

- PR #19748 updated `policy.rego` and RBAC to a typed `{type,id}` allow-list, added wildcard handling (`(*,*)`, `(type,*)`), and included unit tests (`TestScopeAllowList`).

Remaining work

- Explicitly verify and add tests that create operations bypass allow-list ID checks while read/update/delete enforce membership.
- Add deny-by-default tests when scope is missing; cover list endpoints where applicable.
- Ensure all subject construction paths now provide typed allow-lists; update docs/README for policy changes.

Key files/areas

- `coderd/rbac/policy.rego` and unit tests.

Acceptance criteria

- Policy tests prove deny-by-default when scope is missing and allow-list excludes the resource.
- Create operations bypass allow-list ID checks; other verbs require matching IDs.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

OPA/Policy: ensure scope and allow-list checks #19852

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

OPA/Policy: ensure scope and allow-list checks #19852

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions