NotificationsYou must be signed in to change notification settings
Fork914
Star10.1k

Commit1d1070d

authored

chore: ensure proper rbac permissions on 'Acquire' file in the cache (#18348)

The file cache was caching the `Unauthorized` errors if a user withoutthe right perms opened the file first. So all future opens would fail.Now the cache always opens with a subject that can read files. And authzis checked on the Acquire per user.

1 parentd83706b commit1d1070dCopy full SHA for 1d1070d

File tree

16 files changed

+218

-51

lines changed

coderd
- authorize.go
- coderd.go
- coderdtest
  - authorize.go
- database/dbauthz
  - dbauthz.go
- files
  - cache.go
  - cache_test.go
- httpmw
- identityprovider
  - middleware.go
- parameters.go
- rbac
  - authz.go
- roles.go
- users.go
enterprise/coderd
- provisionerdaemons.go

16 files changed

+218

-51

lines changed

`‎coderd/authorize.go`

Lines changed: 4 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ import (`
`19`	`19`	`// objects that the user is authorized to perform the given action on.`
`20`	`20`	`// This is faster than calling Authorize() on each object.`
`21`	`21`	`funcAuthorizeFilter[O rbac.Objecter](hHTTPAuthorizer,rhttp.Request,action policy.Action,objects []O) ([]O,error) {`
`22`		`-roles:=httpmw.UserAuthorization(r)`
	`22`	`+roles:=httpmw.UserAuthorization(r.Context())`
`23`	`23`	`objects,err:=rbac.Filter(r.Context(),h.Authorizer,roles,action,objects)`
`24`	`24`	`iferr!=nil {`
`25`	`25`	`// Log the error as Filter should not be erroring.`
`@@ -65,7 +65,7 @@ func (api API) Authorize(r http.Request, action policy.Action, object rbac.Obj`
`65`	`65`	`//return`
`66`	`66`	`//}`
`67`	`67`	`func (hHTTPAuthorizer)Authorize(rhttp.Request,action policy.Action,object rbac.Objecter)bool {`
`68`		`-roles:=httpmw.UserAuthorization(r)`
	`68`	`+roles:=httpmw.UserAuthorization(r.Context())`
`69`	`69`	`err:=h.Authorizer.Authorize(r.Context(),roles,action,object.RBACObject())`
`70`	`70`	`iferr!=nil {`
`71`	`71`	`// Log the errors for debugging`
`@@ -97,7 +97,7 @@ func (h HTTPAuthorizer) Authorize(r http.Request, action policy.Action, object`
`97`	`97`	`// call 'Authorize()' on the returned objects.`
`98`	`98`	`// Note the authorization is only for the given action and object type.`
`99`	`99`	`func (hHTTPAuthorizer)AuthorizeSQLFilter(rhttp.Request,action policy.Action,objectTypestring) (rbac.PreparedAuthorized,error) {`
`100`		`-roles:=httpmw.UserAuthorization(r)`
	`100`	`+roles:=httpmw.UserAuthorization(r.Context())`
`101`	`101`	`prepared,err:=h.Authorizer.Prepare(r.Context(),roles,action,objectType)`
`102`	`102`	`iferr!=nil {`
`103`	`103`	`returnnil,xerrors.Errorf("prepare filter: %w",err)`
`@@ -120,7 +120,7 @@ func (h HTTPAuthorizer) AuthorizeSQLFilter(r http.Request, action policy.Actio`
`120`	`120`	`// @Router /authcheck [post]`
`121`	`121`	`func (apiAPI)checkAuthorization(rw http.ResponseWriter,rhttp.Request) {`
`122`	`122`	`ctx:=r.Context()`
`123`		`-auth:=httpmw.UserAuthorization(r)`
	`123`	`+auth:=httpmw.UserAuthorization(r.Context())`
`124`	`124`
`125`	`125`	`varparams codersdk.AuthorizationRequest`
`126`	`126`	`if!httpapi.Read(ctx,rw,r,&params) {`

`‎coderd/coderd.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -572,7 +572,7 @@ func New(options Options) API {`
`572`	`572`	`TemplateScheduleStore:options.TemplateScheduleStore,`
`573`	`573`	`UserQuietHoursScheduleStore:options.UserQuietHoursScheduleStore,`
`574`	`574`	`AccessControlStore:options.AccessControlStore,`
`575`		`-FileCache:files.NewFromStore(options.Database,options.PrometheusRegistry),`
	`575`	`+FileCache:files.NewFromStore(options.Database,options.PrometheusRegistry,options.Authorizer),`
`576`	`576`	`Experiments:experiments,`
`577`	`577`	`WebpushDispatcher:options.WebPushDispatcher,`
`578`	`578`	`healthCheckGroup:&singleflight.Group[string,*healthsdk.HealthcheckReport]{},`

`‎coderd/coderdtest/authorize.go`

Lines changed: 5 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -234,6 +234,10 @@ func (r RecordingAuthorizer) AssertOutOfOrder(t testing.T, actor rbac.Subject,`
`234`	`234`	`// AssertActor asserts in order. If the order of authz calls does not match,`
`235`	`235`	`// this will fail.`
`236`	`236`	`func (rRecordingAuthorizer)AssertActor(ttesting.T,actor rbac.Subject,did...ActionObjectPair) {`
	`237`	`+r.AssertActorID(t,actor.ID,did...)`
	`238`	`+}`
	`239`	`+`
	`240`	`+func (rRecordingAuthorizer)AssertActorID(ttesting.T,idstring,did...ActionObjectPair) {`
`237`	`241`	`r.Lock()`
`238`	`242`	`deferr.Unlock()`
`239`	`243`	`ptr:=0`
`@@ -242,7 +246,7 @@ func (r RecordingAuthorizer) AssertActor(t testing.T, actor rbac.Subject, did`
`242`	`246`	`// Finished all assertions`
`243`	`247`	`return`
`244`	`248`	`}`
`245`		`-ifcall.Actor.ID==actor.ID {`
	`249`	`+ifcall.Actor.ID==id {`
`246`	`250`	`action,object:=did[ptr].Action,did[ptr].Object`
`247`	`251`	`assert.Equalf(t,action,call.Action,"assert action %d",ptr)`
`248`	`252`	`assert.Equalf(t,object,call.Object,"assert object %d",ptr)`

`‎coderd/database/dbauthz/dbauthz.go`

Lines changed: 23 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -432,6 +432,25 @@ var (`
`432`	`432`	`}),`
`433`	`433`	`Scope:rbac.ScopeAll,`
`434`	`434`	`}.WithCachedASTValue()`
	`435`	`+`
	`436`	`+subjectFileReader= rbac.Subject{`
	`437`	`+Type:rbac.SubjectTypeFileReader,`
	`438`	`+FriendlyName:"Can Read All Files",`
	`439`	`+// Arbitrary uuid to have a unique ID for this subject.`
	`440`	`+ID:rbac.SubjectTypeFileReaderID,`
	`441`	`+Roles:rbac.Roles([]rbac.Role{`
	`442`	`+{`
	`443`	`+Identifier: rbac.RoleIdentifier{Name:"file-reader"},`
	`444`	`+DisplayName:"FileReader",`
	`445`	`+Site:rbac.Permissions(map[string][]policy.Action{`
	`446`	`+rbac.ResourceFile.Type: {policy.ActionRead},`
	`447`	`+}),`
	`448`	`+Org:map[string][]rbac.Permission{},`
	`449`	`+User: []rbac.Permission{},`
	`450`	`+},`
	`451`	`+}),`
	`452`	`+Scope:rbac.ScopeAll,`
	`453`	`+}.WithCachedASTValue()`
`435`	`454`	`)`
`436`	`455`
`437`	`456`	`// AsProvisionerd returns a context with an actor that has permissions required`
`@@ -498,6 +517,10 @@ func AsPrebuildsOrchestrator(ctx context.Context) context.Context {`
`498`	`517`	`returnAs(ctx,subjectPrebuildsOrchestrator)`
`499`	`518`	`}`
`500`	`519`
	`520`	`+funcAsFileReader(ctx context.Context) context.Context {`
	`521`	`+returnAs(ctx,subjectFileReader)`
	`522`	`+}`
	`523`	`+`
`501`	`524`	`varAsRemoveActor= rbac.Subject{`
`502`	`525`	`ID:"remove-actor",`
`503`	`526`	`}`

`‎coderd/files/cache.go`

Lines changed: 39 additions & 18 deletions

Original file line number	Diff line number	Diff line change
`@@ -13,33 +13,41 @@ import (`
`13`	`13`
`14`	`14`	`archivefs"github.com/coder/coder/v2/archive/fs"`
`15`	`15`	`"github.com/coder/coder/v2/coderd/database"`
	`16`	`+"github.com/coder/coder/v2/coderd/database/dbauthz"`
	`17`	`+"github.com/coder/coder/v2/coderd/rbac"`
	`18`	`+"github.com/coder/coder/v2/coderd/rbac/policy"`
`16`	`19`	`"github.com/coder/coder/v2/coderd/util/lazy"`
`17`	`20`	`)`
`18`	`21`
`19`	`22`	`// NewFromStore returns a file cache that will fetch files from the provided`
`20`	`23`	`// database.`
`21`		`-funcNewFromStore(store database.Store,registerer prometheus.Registerer)*Cache {`
`22`		`-fetch:=func(ctx context.Context,fileID uuid.UUID) (cacheEntryValue,error) {`
`23`		`-file,err:=store.GetFileByID(ctx,fileID)`
	`24`	`+funcNewFromStore(store database.Store,registerer prometheus.Registerer,authz rbac.Authorizer)*Cache {`
	`25`	`+fetch:=func(ctx context.Context,fileID uuid.UUID) (CacheEntryValue,error) {`
	`26`	`+// Make sure the read does not fail due to authorization issues.`
	`27`	`+// Authz is checked on the Acquire call, so this is safe.`
	`28`	`+//nolint:gocritic`
	`29`	`+file,err:=store.GetFileByID(dbauthz.AsFileReader(ctx),fileID)`
`24`	`30`	`iferr!=nil {`
`25`		`-returncacheEntryValue{},xerrors.Errorf("failed to read file from database: %w",err)`
	`31`	`+returnCacheEntryValue{},xerrors.Errorf("failed to read file from database: %w",err)`
`26`	`32`	`}`
`27`	`33`
`28`	`34`	`content:=bytes.NewBuffer(file.Data)`
`29`		`-returncacheEntryValue{`
`30`		`-FS:archivefs.FromTarReader(content),`
`31`		`-size:int64(content.Len()),`
	`35`	`+returnCacheEntryValue{`
	`36`	`+Object:file.RBACObject(),`
	`37`	`+FS:archivefs.FromTarReader(content),`
	`38`	`+Size:int64(content.Len()),`
`32`	`39`	`},nil`
`33`	`40`	`}`
`34`	`41`
`35`		`-returnNew(fetch,registerer)`
	`42`	`+returnNew(fetch,registerer,authz)`
`36`	`43`	`}`
`37`	`44`
`38`		`-funcNew(fetchfetcher,registerer prometheus.Registerer)*Cache {`
	`45`	`+funcNew(fetchfetcher,registerer prometheus.Registerer,authz rbac.Authorizer)*Cache {`
`39`	`46`	`return (&Cache{`
`40`	`47`	`lock: sync.Mutex{},`
`41`	`48`	`data:make(map[uuid.UUID]*cacheEntry),`
`42`	`49`	`fetcher:fetch,`
	`50`	`+authz:authz,`
`43`	`51`	`}).registerMetrics(registerer)`
`44`	`52`	`}`
`45`	`53`
`@@ -101,6 +109,7 @@ type Cache struct {`
`101`	`109`	`lock sync.Mutex`
`102`	`110`	`datamap[uuid.UUID]*cacheEntry`
`103`	`111`	`fetcher`
	`112`	`+authz rbac.Authorizer`
`104`	`113`
`105`	`114`	`// metrics`
`106`	`115`	`cacheMetrics`
`@@ -117,18 +126,19 @@ type cacheMetrics struct {`
`117`	`126`	`totalCacheSize prometheus.Counter`
`118`	`127`	`}`
`119`	`128`
`120`		`-typecacheEntryValuestruct {`
	`129`	`+typeCacheEntryValuestruct {`
`121`	`130`	`fs.FS`
`122`		`-sizeint64`
	`131`	`+Object rbac.Object`
	`132`	`+Sizeint64`
`123`	`133`	`}`
`124`	`134`
`125`	`135`	`typecacheEntrystruct {`
`126`	`136`	`// refCount must only be accessed while the Cache lock is held.`
`127`	`137`	`refCountint`
`128`		`-value*lazy.ValueWithError[cacheEntryValue]`
	`138`	`+value*lazy.ValueWithError[CacheEntryValue]`
`129`	`139`	`}`
`130`	`140`
`131`		`-typefetcherfunc(context.Context, uuid.UUID) (cacheEntryValue,error)`
	`141`	`+typefetcherfunc(context.Context, uuid.UUID) (CacheEntryValue,error)`
`132`	`142`
`133`	`143`	`// Acquire will load the fs.FS for the given file. It guarantees that parallel`
`134`	`144`	`// calls for the same fileID will only result in one fetch, and that parallel`
`@@ -146,22 +156,33 @@ func (c *Cache) Acquire(ctx context.Context, fileID uuid.UUID) (fs.FS, error) {`
`146`	`156`	`c.Release(fileID)`
`147`	`157`	`returnnil,err`
`148`	`158`	`}`
	`159`	`+`
	`160`	`+subject,ok:=dbauthz.ActorFromContext(ctx)`
	`161`	`+if!ok {`
	`162`	`+returnnil,dbauthz.ErrNoActor`
	`163`	`+}`
	`164`	`+// Always check the caller can actually read the file.`
	`165`	`+iferr:=c.authz.Authorize(ctx,subject,policy.ActionRead,it.Object);err!=nil {`
	`166`	`+c.Release(fileID)`
	`167`	`+returnnil,err`
	`168`	`+}`
	`169`	`+`
`149`	`170`	`returnit.FS,err`
`150`	`171`	`}`
`151`	`172`
`152`		`-func (cCache)prepare(ctx context.Context,fileID uuid.UUID)lazy.ValueWithError[cacheEntryValue] {`
	`173`	`+func (cCache)prepare(ctx context.Context,fileID uuid.UUID)lazy.ValueWithError[CacheEntryValue] {`
`153`	`174`	`c.lock.Lock()`
`154`	`175`	`deferc.lock.Unlock()`
`155`	`176`
`156`	`177`	`entry,ok:=c.data[fileID]`
`157`	`178`	`if!ok {`
`158`		`-value:=lazy.NewWithError(func() (cacheEntryValue,error) {`
	`179`	`+value:=lazy.NewWithError(func() (CacheEntryValue,error) {`
`159`	`180`	`val,err:=c.fetcher(ctx,fileID)`
`160`	`181`
`161`	`182`	`// Always add to the cache size the bytes of the file loaded.`
`162`	`183`	`iferr==nil {`
`163`		`-c.currentCacheSize.Add(float64(val.size))`
`164`		`-c.totalCacheSize.Add(float64(val.size))`
	`184`	`+c.currentCacheSize.Add(float64(val.Size))`
	`185`	`+c.totalCacheSize.Add(float64(val.Size))`
`165`	`186`	`}`
`166`	`187`
`167`	`188`	`returnval,err`
`@@ -206,7 +227,7 @@ func (c *Cache) Release(fileID uuid.UUID) {`
`206`	`227`
`207`	`228`	`ev,err:=entry.value.Load()`
`208`	`229`	`iferr==nil {`
`209`		`-c.currentCacheSize.Add(-1*float64(ev.size))`
	`230`	`+c.currentCacheSize.Add(-1*float64(ev.Size))`
`210`	`231`	`}`
`211`	`232`
`212`	`233`	`delete(c.data,fileID)`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit1d1070d

File tree

16 files changed

16 files changed

`‎coderd/authorize.go`

`‎coderd/coderd.go`

`‎coderd/coderdtest/authorize.go`

`‎coderd/database/dbauthz/dbauthz.go`

`‎coderd/files/cache.go`

0 commit comments