NotificationsYou must be signed in to change notification settings
Fork1.1k
Star11.8k

Commitea00e72

authored

feat: add rbac specificity fordbpurge (#21088)

Related to[`internal#1139`](coder/internal#1139)Continuation of#21074 This implements some RBAC role specificity for `dbpurge`, ensuring thatwe follow the least-privileged model for removing data from thedatabase. It is specified as following.```goSite: rbac.Permissions(map[string][]policy.Action{// DeleteOldWorkspaceAgentLogs// DeleteOldWorkspaceAgentStats// DeleteOldProvisionerDaemons// DeleteOldTelemetryLocks// DeleteOldAuditLogConnectionEvents// DeleteOldConnectionLogsrbac.ResourceSystem.Type: {policy.ActionDelete},// DeleteOldNotificationMessagesrbac.ResourceNotificationMessage.Type: {policy.ActionDelete},// ExpirePrebuildsAPIKeys// DeleteExpiredAPIKeysrbac.ResourceApiKey.Type: {policy.ActionDelete},// DeleteOldAIBridgeRecordsrbac.ResourceAibridgeInterception.Type: {policy.ActionDelete},}),```| Position | Pull-request || -------- | ------------ || | [feat: add prometheus observability metrics for`dbpurge`](#21074) || ✅ | [feat: add rbac specificity for`dbpurge`](#21088) |

1 parent00793cc commitea00e72Copy full SHA for ea00e72

File tree

5 files changed

+90

-2

lines changed

coderd
- database
  - dbauthz
    - dbauthz.go
  - dbpurge
    - dbpurge.go
    - dbpurge_test.go
- httpmw/loggermw
  - logger_full.go
- rbac
  - authz.go

5 files changed

+90

-2

lines changed

`‎coderd/database/dbauthz/dbauthz.go‎`

Lines changed: 27 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -616,6 +616,27 @@ var (`
`616`	`616`	`}),`
`617`	`617`	`Scope:rbac.ScopeAll,`
`618`	`618`	`}.WithCachedASTValue()`
	`619`	`+`
	`620`	`+subjectDBPurge= rbac.Subject{`
	`621`	`+Type:rbac.SubjectTypeDBPurge,`
	`622`	`+FriendlyName:"DB Purge",`
	`623`	`+ID:uuid.Nil.String(),`
	`624`	`+Roles:rbac.Roles([]rbac.Role{`
	`625`	`+{`
	`626`	`+Identifier: rbac.RoleIdentifier{Name:"dbpurge"},`
	`627`	`+DisplayName:"DB Purge Daemon",`
	`628`	`+Site:rbac.Permissions(map[string][]policy.Action{`
	`629`	`+rbac.ResourceSystem.Type: {policy.ActionDelete},`
	`630`	`+rbac.ResourceNotificationMessage.Type: {policy.ActionDelete},`
	`631`	`+rbac.ResourceApiKey.Type: {policy.ActionDelete},`
	`632`	`+rbac.ResourceAibridgeInterception.Type: {policy.ActionDelete},`
	`633`	`+}),`
	`634`	`+User: []rbac.Permission{},`
	`635`	`+ByOrgID:map[string]rbac.OrgPermissions{},`
	`636`	`+},`
	`637`	`+}),`
	`638`	`+Scope:rbac.ScopeAll,`
	`639`	`+}.WithCachedASTValue()`
`619`	`640`	`)`
`620`	`641`
`621`	`642`	`// AsProvisionerd returns a context with an actor that has permissions required`
`@@ -710,6 +731,12 @@ func AsAIBridged(ctx context.Context) context.Context {`
`710`	`731`	`returnAs(ctx,subjectAibridged)`
`711`	`732`	`}`
`712`	`733`
	`734`	`+// AsDBPurge returns a context with an actor that has permissions required`
	`735`	`+// for dbpurge to delete old database records.`
	`736`	`+funcAsDBPurge(ctx context.Context) context.Context {`
	`737`	`+returnAs(ctx,subjectDBPurge)`
	`738`	`+}`
	`739`	`+`
`713`	`740`	`varAsRemoveActor= rbac.Subject{`
`714`	`741`	`ID:"remove-actor",`
`715`	`742`	`}`

`‎coderd/database/dbpurge/dbpurge.go‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -46,8 +46,8 @@ func New(ctx context.Context, logger slog.Logger, db database.Store, vals *coder`
`46`	`46`	`closed:=make(chanstruct{})`
`47`	`47`
`48`	`48`	`ctx,cancelFunc:=context.WithCancel(ctx)`
`49`		`-//nolint:gocritic //The system purges old db records without user input.`
`50`		`-ctx=dbauthz.AsSystemRestricted(ctx)`
	`49`	`+//nolint:gocritic //Use dbpurge-specific subject with minimal permissions.`
	`50`	`+ctx=dbauthz.AsDBPurge(ctx)`
`51`	`51`
`52`	`52`	`iterationDuration:=prometheus.NewHistogramVec(prometheus.HistogramOpts{`
`53`	`53`	`Namespace:"coderd",`

`‎coderd/database/dbpurge/dbpurge_test.go‎`

Lines changed: 59 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -22,15 +22,18 @@ import (`
`22`	`22`	`"cdr.dev/slog"`
`23`	`23`	`"cdr.dev/slog/sloggers/slogtest"`
`24`	`24`
	`25`	`+"github.com/coder/coder/v2/coderd/coderdtest"`
`25`	`26`	`"github.com/coder/coder/v2/coderd/coderdtest/promhelp"`
`26`	`27`	`"github.com/coder/coder/v2/coderd/database"`
	`28`	`+"github.com/coder/coder/v2/coderd/database/dbauthz"`
`27`	`29`	`"github.com/coder/coder/v2/coderd/database/dbgen"`
`28`	`30`	`"github.com/coder/coder/v2/coderd/database/dbmock"`
`29`	`31`	`"github.com/coder/coder/v2/coderd/database/dbpurge"`
`30`	`32`	`"github.com/coder/coder/v2/coderd/database/dbrollup"`
`31`	`33`	`"github.com/coder/coder/v2/coderd/database/dbtestutil"`
`32`	`34`	`"github.com/coder/coder/v2/coderd/database/dbtime"`
`33`	`35`	`"github.com/coder/coder/v2/coderd/provisionerdserver"`
	`36`	`+"github.com/coder/coder/v2/coderd/rbac"`
`34`	`37`	`"github.com/coder/coder/v2/codersdk"`
`35`	`38`	`"github.com/coder/coder/v2/provisionerd/proto"`
`36`	`39`	`"github.com/coder/coder/v2/provisionersdk"`
`@@ -1631,6 +1634,62 @@ func TestDeleteExpiredAPIKeys(t *testing.T) {`
`1631`	`1634`	`}`
`1632`	`1635`	`}`
`1633`	`1636`
	`1637`	`+funcTestDBPurgeAuthorization(t*testing.T) {`
	`1638`	`+t.Parallel()`
	`1639`	`+`
	`1640`	`+t.Run("DBPurgeActorCanCallPurgeOperations",func(t*testing.T) {`
	`1641`	`+t.Parallel()`
	`1642`	`+`
	`1643`	`+ctx:=testutil.Context(t,testutil.WaitShort)`
	`1644`	`+rawDB,_:=dbtestutil.NewDB(t)`
	`1645`	`+`
	`1646`	`+authz:=rbac.NewAuthorizer(prometheus.NewRegistry())`
	`1647`	`+db:=dbauthz.New(rawDB,authz,testutil.Logger(t),coderdtest.AccessControlStorePointer())`
	`1648`	`+`
	`1649`	`+ctx=dbauthz.AsDBPurge(ctx)`
	`1650`	`+`
	`1651`	`+actor,ok:=dbauthz.ActorFromContext(ctx)`
	`1652`	`+require.True(t,ok,"actor should be present")`
	`1653`	`+require.Equal(t,rbac.SubjectTypeDBPurge,actor.Type,"should be DBPurge type")`
	`1654`	`+require.Contains(t,actor.Roles.Names(), rbac.RoleIdentifier{Name:"dbpurge"},`
	`1655`	`+"should have dbpurge role")`
	`1656`	`+`
	`1657`	`+_,err:=db.DeleteOldWorkspaceAgentLogs(ctx,time.Now().Add(-24*time.Hour))`
	`1658`	`+require.NoError(t,err)`
	`1659`	`+`
	`1660`	`+err=db.DeleteOldWorkspaceAgentStats(ctx)`
	`1661`	`+require.NoError(t,err)`
	`1662`	`+`
	`1663`	`+err=db.DeleteOldProvisionerDaemons(ctx)`
	`1664`	`+require.NoError(t,err)`
	`1665`	`+`
	`1666`	`+err=db.DeleteOldNotificationMessages(ctx)`
	`1667`	`+require.NoError(t,err)`
	`1668`	`+`
	`1669`	`+err=db.ExpirePrebuildsAPIKeys(ctx,time.Now().Add(-24*time.Hour))`
	`1670`	`+require.NoError(t,err)`
	`1671`	`+`
	`1672`	`+params:= database.DeleteExpiredAPIKeysParams{`
	`1673`	`+Before:time.Now().Add(-24*time.Hour),`
	`1674`	`+LimitCount:100,`
	`1675`	`+}`
	`1676`	`+_,err=db.DeleteExpiredAPIKeys(ctx,params)`
	`1677`	`+require.NoError(t,err)`
	`1678`	`+`
	`1679`	`+err=db.DeleteOldAuditLogConnectionEvents(ctx, database.DeleteOldAuditLogConnectionEventsParams{`
	`1680`	`+BeforeTime:time.Now().Add(-24*time.Hour),`
	`1681`	`+LimitCount:100,`
	`1682`	`+})`
	`1683`	`+require.NoError(t,err)`
	`1684`	`+`
	`1685`	`+_,err=db.DeleteOldAuditLogs(ctx, database.DeleteOldAuditLogsParams{`
	`1686`	`+BeforeTime:time.Now().Add(-24*time.Hour),`
	`1687`	`+LimitCount:100,`
	`1688`	`+})`
	`1689`	`+require.NoError(t,err)`
	`1690`	`+})`
	`1691`	`+}`
	`1692`	`+`
`1634`	`1693`	`// ptr is a helper to create a pointer to a value.`
`1635`	`1694`	`funcptr[Tany](vT)*T {`
`1636`	`1695`	`return&v`

`‎coderd/httpmw/loggermw/logger_full.go‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,7 @@ var actorLogOrder = []rbac.SubjectType{`
`50`	`50`	`rbac.SubjectTypeAutostart,`
`51`	`51`	`rbac.SubjectTypeCryptoKeyReader,`
`52`	`52`	`rbac.SubjectTypeCryptoKeyRotator,`
	`53`	`+rbac.SubjectTypeDBPurge,`
`53`	`54`	`rbac.SubjectTypeJobReaper,`
`54`	`55`	`rbac.SubjectTypeNotifier,`
`55`	`56`	`rbac.SubjectTypePrebuildsOrchestrator,`

`‎coderd/rbac/authz.go‎`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -79,6 +79,7 @@ const (`
`79`	`79`	`SubjectTypeFileReaderSubjectType="file_reader"`
`80`	`80`	`SubjectTypeUsagePublisherSubjectType="usage_publisher"`
`81`	`81`	`SubjectAibridgedSubjectType="aibridged"`
	`82`	`+SubjectTypeDBPurgeSubjectType="dbpurge"`
`82`	`83`	`)`
`83`	`84`
`84`	`85`	`const (`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitea00e72

File tree

5 files changed

5 files changed

`‎coderd/database/dbauthz/dbauthz.go‎`

`‎coderd/database/dbpurge/dbpurge.go‎`

`‎coderd/database/dbpurge/dbpurge_test.go‎`

`‎coderd/httpmw/loggermw/logger_full.go‎`

`‎coderd/rbac/authz.go‎`

0 commit comments