NotificationsYou must be signed in to change notification settings
Fork926
Star10.1k

Commit144f374

authored

refactor(dbauthz): add authz for system-level functions (#6513)

- Introduces rbac.ResourceSystem- Grants system.* to system and provisionerd rbac subjects- Updates dbauthz system queries where applicable- coderd: Avoid index out of bounds in api.workspaceBuilds- dbauthz: move GetUsersByIDs out of system, modify RBAC check to ResourceUser- workspaceapps: Add test case for when owner of app is not found

1 parent1db2b12 commit144f374Copy full SHA for 144f374

File tree

17 files changed

+470

-200

lines changed

coderd
- coderd.go
- database/dbauthz
- provisionerjobs.go
- rbac
  - object.go
- updatecheck
  - updatecheck.go
- users.go
- workspaceapps
  - auth.go
  - auth_test.go
- workspaceapps_test.go
- workspacebuilds.go
enterprise
- coderd
  - license
    - license.go
  - provisionerdaemons_test.go
- replicasync
  - replicasync.go

17 files changed

+470

-200

lines changed

`‎coderd/coderd.go`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -795,7 +795,8 @@ func (api *API) CreateInMemoryProvisionerDaemon(ctx context.Context, debounce ti`
`795`	`795`	`}()`
`796`	`796`
`797`	`797`	`name:=namesgenerator.GetRandomName(1)`
`798`		`-daemon,err:=api.Database.InsertProvisionerDaemon(ctx, database.InsertProvisionerDaemonParams{`
	`798`	`+// nolint:gocritic // Inserting a provisioner daemon is a system function.`
	`799`	`+daemon,err:=api.Database.InsertProvisionerDaemon(dbauthz.AsSystemRestricted(ctx), database.InsertProvisionerDaemonParams{`
`799`	`800`	`ID:uuid.New(),`
`800`	`801`	`CreatedAt:database.Now(),`
`801`	`802`	`Name:name,`

`‎coderd/database/dbauthz/dbauthz.go`

Lines changed: 29 additions & 22 deletions

Original file line number	Diff line number	Diff line change
`@@ -115,17 +115,17 @@ func ActorFromContext(ctx context.Context) (rbac.Subject, bool) {`
`115`	`115`	`returna,ok`
`116`	`116`	`}`
`117`	`117`
`118`		`-// AsProvisionerd returns a context with an actor that has permissions required`
`119`		`-// for provisionerd to function.`
`120`		`-funcAsProvisionerd(ctx context.Context) context.Context {`
`121`		`-returncontext.WithValue(ctx,authContextKey{}, rbac.Subject{`
	`118`	`+var (`
	`119`	`+subjectProvisionerd= rbac.Subject{`
`122`	`120`	`ID:uuid.Nil.String(),`
`123`	`121`	`Roles:rbac.Roles([]rbac.Role{`
`124`	`122`	`{`
`125`	`123`	`Name:"provisionerd",`
`126`	`124`	`DisplayName:"Provisioner Daemon",`
`127`	`125`	`Site:rbac.Permissions(map[string][]rbac.Action{`
	`126`	`+// TODO: Add ProvisionerJob resource type.`
`128`	`127`	`rbac.ResourceFile.Type: {rbac.ActionRead},`
	`128`	`+rbac.ResourceSystem.Type: {rbac.WildcardSymbol},`
`129`	`129`	`rbac.ResourceTemplate.Type: {rbac.ActionRead,rbac.ActionUpdate},`
`130`	`130`	`rbac.ResourceUser.Type: {rbac.ActionRead},`
`131`	`131`	`rbac.ResourceWorkspace.Type: {rbac.ActionRead,rbac.ActionUpdate,rbac.ActionDelete},`
`@@ -135,20 +135,15 @@ func AsProvisionerd(ctx context.Context) context.Context {`
`135`	`135`	`},`
`136`	`136`	`}),`
`137`	`137`	`Scope:rbac.ScopeAll,`
`138`		`-},`
`139`		`-)`
`140`		`-}`
`141`		`-`
`142`		`-// AsAutostart returns a context with an actor that has permissions required`
`143`		`-// for autostart to function.`
`144`		`-funcAsAutostart(ctx context.Context) context.Context {`
`145`		`-returncontext.WithValue(ctx,authContextKey{}, rbac.Subject{`
	`138`	`+}`
	`139`	`+subjectAutostart= rbac.Subject{`
`146`	`140`	`ID:uuid.Nil.String(),`
`147`	`141`	`Roles:rbac.Roles([]rbac.Role{`
`148`	`142`	`{`
`149`	`143`	`Name:"autostart",`
`150`	`144`	`DisplayName:"Autostart Daemon",`
`151`	`145`	`Site:rbac.Permissions(map[string][]rbac.Action{`
	`146`	`+rbac.ResourceSystem.Type: {rbac.WildcardSymbol},`
`152`	`147`	`rbac.ResourceTemplate.Type: {rbac.ActionRead,rbac.ActionUpdate},`
`153`	`148`	`rbac.ResourceWorkspace.Type: {rbac.ActionRead,rbac.ActionUpdate},`
`154`	`149`	`}),`
`@@ -157,14 +152,8 @@ func AsAutostart(ctx context.Context) context.Context {`
`157`	`152`	`},`
`158`	`153`	`}),`
`159`	`154`	`Scope:rbac.ScopeAll,`
`160`		`-},`
`161`		`-)`
`162`		`-}`
`163`		`-`
`164`		`-// AsSystemRestricted returns a context with an actor that has permissions`
`165`		`-// required for various system operations (login, logout, metrics cache).`
`166`		`-funcAsSystemRestricted(ctx context.Context) context.Context {`
`167`		`-returncontext.WithValue(ctx,authContextKey{}, rbac.Subject{`
	`155`	`+}`
	`156`	`+subjectSystemRestricted= rbac.Subject{`
`168`	`157`	`ID:uuid.Nil.String(),`
`169`	`158`	`Roles:rbac.Roles([]rbac.Role{`
`170`	`159`	`{`
`@@ -175,6 +164,7 @@ func AsSystemRestricted(ctx context.Context) context.Context {`
`175`	`164`	`rbac.ResourceAPIKey.Type: {rbac.ActionCreate,rbac.ActionUpdate,rbac.ActionDelete},`
`176`	`165`	`rbac.ResourceGroup.Type: {rbac.ActionCreate,rbac.ActionUpdate},`
`177`	`166`	`rbac.ResourceRoleAssignment.Type: {rbac.ActionCreate},`
	`167`	`+rbac.ResourceSystem.Type: {rbac.WildcardSymbol},`
`178`	`168`	`rbac.ResourceOrganization.Type: {rbac.ActionCreate},`
`179`	`169`	`rbac.ResourceOrganizationMember.Type: {rbac.ActionCreate},`
`180`	`170`	`rbac.ResourceOrgRoleAssignment.Type: {rbac.ActionCreate},`
`@@ -187,8 +177,25 @@ func AsSystemRestricted(ctx context.Context) context.Context {`
`187`	`177`	`},`
`188`	`178`	`}),`
`189`	`179`	`Scope:rbac.ScopeAll,`
`190`		`-},`
`191`		`-)`
	`180`	`+}`
	`181`	`+)`
	`182`	`+`
	`183`	`+// AsProvisionerd returns a context with an actor that has permissions required`
	`184`	`+// for provisionerd to function.`
	`185`	`+funcAsProvisionerd(ctx context.Context) context.Context {`
	`186`	`+returncontext.WithValue(ctx,authContextKey{},subjectProvisionerd)`
	`187`	`+}`
	`188`	`+`
	`189`	`+// AsAutostart returns a context with an actor that has permissions required`
	`190`	`+// for autostart to function.`
	`191`	`+funcAsAutostart(ctx context.Context) context.Context {`
	`192`	`+returncontext.WithValue(ctx,authContextKey{},subjectAutostart)`
	`193`	`+}`
	`194`	`+`
	`195`	`+// AsSystemRestricted returns a context with an actor that has permissions`
	`196`	`+// required for various system operations (login, logout, metrics cache).`
	`197`	`+funcAsSystemRestricted(ctx context.Context) context.Context {`
	`198`	`+returncontext.WithValue(ctx,authContextKey{},subjectSystemRestricted)`
`192`	`199`	`}`
`193`	`200`
`194`	`201`	`varAsRemoveActor= rbac.Subject{`

`‎coderd/database/dbauthz/querier.go`

Lines changed: 12 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -963,6 +963,18 @@ func (q *querier) GetUserByID(ctx context.Context, id uuid.UUID) (database.User,`
`963`	`963`	`returnfetch(q.log,q.auth,q.db.GetUserByID)(ctx,id)`
`964`	`964`	`}`
`965`	`965`
	`966`	`+// GetUsersByIDs is only used for usernames on workspace return data.`
	`967`	`+// This function should be replaced by joining this data to the workspace query`
	`968`	`+// itself.`
	`969`	`+func (q*querier)GetUsersByIDs(ctx context.Context,ids []uuid.UUID) ([]database.User,error) {`
	`970`	`+for_,uid:=rangeids {`
	`971`	`+iferr:=q.authorizeContext(ctx,rbac.ActionRead,rbac.ResourceUser.WithID(uid));err!=nil {`
	`972`	`+returnnil,err`
	`973`	`+}`
	`974`	`+}`
	`975`	`+returnq.db.GetUsersByIDs(ctx,ids)`
	`976`	`+}`
	`977`	`+`
`966`	`978`	`func (q*querier)GetAuthorizedUserCount(ctx context.Context,arg database.GetFilteredUserCountParams,prepared rbac.PreparedAuthorized) (int64,error) {`
`967`	`979`	`returnq.db.GetAuthorizedUserCount(ctx,arg,prepared)`
`968`	`980`	`}`

`‎coderd/database/dbauthz/querier_test.go`

Lines changed: 7 additions & 74 deletions

Original file line number	Diff line number	Diff line change
`@@ -282,11 +282,6 @@ func (s *MethodTestSuite) TestProvsionerJob() {`
`282`	`282`	`check.Args(database.UpdateProvisionerJobWithCancelByIDParams{ID:j.ID}).`
`283`	`283`	`Asserts(v.RBACObject(tpl), []rbac.Action{rbac.ActionRead,rbac.ActionUpdate}).Returns()`
`284`	`284`	`}))`
`285`		`-s.Run("GetProvisionerJobsByIDs",s.Subtest(func(db database.Store,check*expects) {`
`286`		`-a:=dbgen.ProvisionerJob(s.T(),db, database.ProvisionerJob{})`
`287`		`-b:=dbgen.ProvisionerJob(s.T(),db, database.ProvisionerJob{})`
`288`		`-check.Args([]uuid.UUID{a.ID,b.ID}).Asserts().Returns(slice.New(a,b))`
`289`		`-}))`
`290`	`285`	`s.Run("GetProvisionerLogsByIDBetween",s.Subtest(func(db database.Store,check*expects) {`
`291`	`286`	`w:=dbgen.Workspace(s.T(),db, database.Workspace{})`
`292`	`287`	`j:=dbgen.ProvisionerJob(s.T(),db, database.ProvisionerJob{`
`@@ -619,22 +614,6 @@ func (s *MethodTestSuite) TestTemplate() {`
`619`	`614`	`})`
`620`	`615`	`check.Args(tv.ID).Asserts(t1,rbac.ActionRead).Returns(tv)`
`621`	`616`	`}))`
`622`		`-s.Run("GetTemplateVersionsByIDs",s.Subtest(func(db database.Store,check*expects) {`
`623`		`-t1:=dbgen.Template(s.T(),db, database.Template{})`
`624`		`-t2:=dbgen.Template(s.T(),db, database.Template{})`
`625`		`-tv1:=dbgen.TemplateVersion(s.T(),db, database.TemplateVersion{`
`626`		`-TemplateID: uuid.NullUUID{UUID:t1.ID,Valid:true},`
`627`		`-})`
`628`		`-tv2:=dbgen.TemplateVersion(s.T(),db, database.TemplateVersion{`
`629`		`-TemplateID: uuid.NullUUID{UUID:t2.ID,Valid:true},`
`630`		`-})`
`631`		`-tv3:=dbgen.TemplateVersion(s.T(),db, database.TemplateVersion{`
`632`		`-TemplateID: uuid.NullUUID{UUID:t2.ID,Valid:true},`
`633`		`-})`
`634`		`-check.Args([]uuid.UUID{tv1.ID,tv2.ID,tv3.ID}).`
`635`		`-Asserts(/t1, rbac.ActionRead, t2, rbac.ActionRead/ ).`
`636`		`-Returns(slice.New(tv1,tv2,tv3))`
`637`		`-}))`
`638`	`617`	`s.Run("GetTemplateVersionsByTemplateID",s.Subtest(func(db database.Store,check*expects) {`
`639`	`618`	`t1:=dbgen.Template(s.T(),db, database.Template{})`
`640`	`619`	`a:=dbgen.TemplateVersion(s.T(),db, database.TemplateVersion{`
`@@ -784,6 +763,13 @@ func (s *MethodTestSuite) TestUser() {`
`784`	`763`	`u:=dbgen.User(s.T(),db, database.User{})`
`785`	`764`	`check.Args(u.ID).Asserts(u,rbac.ActionRead).Returns(u)`
`786`	`765`	`}))`
	`766`	`+s.Run("GetUsersByIDs",s.Subtest(func(db database.Store,check*expects) {`
	`767`	`+a:=dbgen.User(s.T(),db, database.User{CreatedAt:database.Now().Add(-time.Hour)})`
	`768`	`+b:=dbgen.User(s.T(),db, database.User{CreatedAt:database.Now()})`
	`769`	`+check.Args([]uuid.UUID{a.ID,b.ID}).`
	`770`	`+Asserts(a,rbac.ActionRead,b,rbac.ActionRead).`
	`771`	`+Returns(slice.New(a,b))`
	`772`	`+}))`
`787`	`773`	`s.Run("GetAuthorizedUserCount",s.Subtest(func(db database.Store,check*expects) {`
`788`	`774`	`_=dbgen.User(s.T(),db, database.User{})`
`789`	`775`	`check.Args(database.GetFilteredUserCountParams{},emptyPreparedAuthorized{}).Asserts().Returns(int64(1))`
`@@ -803,13 +789,6 @@ func (s *MethodTestSuite) TestUser() {`
`803`	`789`	`b:=dbgen.User(s.T(),db, database.User{CreatedAt:database.Now()})`
`804`	`790`	`check.Args(database.GetUsersParams{}).Asserts(a,rbac.ActionRead,b,rbac.ActionRead)`
`805`	`791`	`}))`
`806`		`-s.Run("GetUsersByIDs",s.Subtest(func(db database.Store,check*expects) {`
`807`		`-a:=dbgen.User(s.T(),db, database.User{CreatedAt:database.Now().Add(-time.Hour)})`
`808`		`-b:=dbgen.User(s.T(),db, database.User{CreatedAt:database.Now()})`
`809`		`-check.Args([]uuid.UUID{a.ID,b.ID}).`
`810`		`-Asserts(/a, rbac.ActionRead, b, rbac.ActionRead/ ).`
`811`		`-Returns(slice.New(a,b))`
`812`		`-}))`
`813`	`792`	`s.Run("InsertUser",s.Subtest(func(db database.Store,check*expects) {`
`814`	`793`	`check.Args(database.InsertUserParams{`
`815`	`794`	`ID:uuid.New(),`
`@@ -977,14 +956,6 @@ func (s *MethodTestSuite) TestWorkspace() {`
`977`	`956`	`agt:=dbgen.WorkspaceAgent(s.T(),db, database.WorkspaceAgent{ResourceID:res.ID})`
`978`	`957`	`check.Args(agt.AuthInstanceID.String).Asserts(ws,rbac.ActionRead).Returns(agt)`
`979`	`958`	`}))`
`980`		`-s.Run("GetWorkspaceAgentsByResourceIDs",s.Subtest(func(db database.Store,check*expects) {`
`981`		`-ws:=dbgen.Workspace(s.T(),db, database.Workspace{})`
`982`		`-build:=dbgen.WorkspaceBuild(s.T(),db, database.WorkspaceBuild{WorkspaceID:ws.ID,JobID:uuid.New()})`
`983`		`-res:=dbgen.WorkspaceResource(s.T(),db, database.WorkspaceResource{JobID:build.JobID})`
`984`		`-agt:=dbgen.WorkspaceAgent(s.T(),db, database.WorkspaceAgent{ResourceID:res.ID})`
`985`		`-check.Args([]uuid.UUID{res.ID}).Asserts(/ws, rbac.ActionRead/ ).`
`986`		`-Returns([]database.WorkspaceAgent{agt})`
`987`		`-}))`
`988`	`959`	`s.Run("UpdateWorkspaceAgentLifecycleStateByID",s.Subtest(func(db database.Store,check*expects) {`
`989`	`960`	`ws:=dbgen.Workspace(s.T(),db, database.Workspace{})`
`990`	`961`	`build:=dbgen.WorkspaceBuild(s.T(),db, database.WorkspaceBuild{WorkspaceID:ws.ID,JobID:uuid.New()})`
`@@ -1026,23 +997,6 @@ func (s *MethodTestSuite) TestWorkspace() {`
`1026`	`997`
`1027`	`998`	`check.Args(agt.ID).Asserts(ws,rbac.ActionRead).Returns(slice.New(a,b))`
`1028`	`999`	`}))`
`1029`		`-s.Run("GetWorkspaceAppsByAgentIDs",s.Subtest(func(db database.Store,check*expects) {`
`1030`		`-aWs:=dbgen.Workspace(s.T(),db, database.Workspace{})`
`1031`		`-aBuild:=dbgen.WorkspaceBuild(s.T(),db, database.WorkspaceBuild{WorkspaceID:aWs.ID,JobID:uuid.New()})`
`1032`		`-aRes:=dbgen.WorkspaceResource(s.T(),db, database.WorkspaceResource{JobID:aBuild.JobID})`
`1033`		`-aAgt:=dbgen.WorkspaceAgent(s.T(),db, database.WorkspaceAgent{ResourceID:aRes.ID})`
`1034`		`-a:=dbgen.WorkspaceApp(s.T(),db, database.WorkspaceApp{AgentID:aAgt.ID})`
`1035`		`-`
`1036`		`-bWs:=dbgen.Workspace(s.T(),db, database.Workspace{})`
`1037`		`-bBuild:=dbgen.WorkspaceBuild(s.T(),db, database.WorkspaceBuild{WorkspaceID:bWs.ID,JobID:uuid.New()})`
`1038`		`-bRes:=dbgen.WorkspaceResource(s.T(),db, database.WorkspaceResource{JobID:bBuild.JobID})`
`1039`		`-bAgt:=dbgen.WorkspaceAgent(s.T(),db, database.WorkspaceAgent{ResourceID:bRes.ID})`
`1040`		`-b:=dbgen.WorkspaceApp(s.T(),db, database.WorkspaceApp{AgentID:bAgt.ID})`
`1041`		`-`
`1042`		`-check.Args([]uuid.UUID{a.AgentID,b.AgentID}).`
`1043`		`-Asserts(/aWs, rbac.ActionRead, bWs, rbac.ActionRead/ ).`
`1044`		`-Returns([]database.WorkspaceApp{a,b})`
`1045`		`-}))`
`1046`	`1000`	`s.Run("GetWorkspaceBuildByID",s.Subtest(func(db database.Store,check*expects) {`
`1047`	`1001`	`ws:=dbgen.Workspace(s.T(),db, database.Workspace{})`
`1048`	`1002`	`build:=dbgen.WorkspaceBuild(s.T(),db, database.WorkspaceBuild{WorkspaceID:ws.ID})`
`@@ -1096,15 +1050,6 @@ func (s *MethodTestSuite) TestWorkspace() {`
`1096`	`1050`	`res:=dbgen.WorkspaceResource(s.T(),db, database.WorkspaceResource{JobID:build.JobID})`
`1097`	`1051`	`check.Args(res.ID).Asserts(ws,rbac.ActionRead).Returns(res)`
`1098`	`1052`	`}))`
`1099`		`-s.Run("GetWorkspaceResourceMetadataByResourceIDs",s.Subtest(func(db database.Store,check*expects) {`
`1100`		`-ws:=dbgen.Workspace(s.T(),db, database.Workspace{})`
`1101`		`-build:=dbgen.WorkspaceBuild(s.T(),db, database.WorkspaceBuild{WorkspaceID:ws.ID,JobID:uuid.New()})`
`1102`		`-_=dbgen.ProvisionerJob(s.T(),db, database.ProvisionerJob{ID:build.JobID,Type:database.ProvisionerJobTypeWorkspaceBuild})`
`1103`		`-a:=dbgen.WorkspaceResource(s.T(),db, database.WorkspaceResource{JobID:build.JobID})`
`1104`		`-b:=dbgen.WorkspaceResource(s.T(),db, database.WorkspaceResource{JobID:build.JobID})`
`1105`		`-check.Args([]uuid.UUID{a.ID,b.ID}).`
`1106`		`-Asserts(/ws, []rbac.Action{rbac.ActionRead, rbac.ActionRead}/ )`
`1107`		`-}))`
`1108`	`1053`	`s.Run("Build/GetWorkspaceResourcesByJobID",s.Subtest(func(db database.Store,check*expects) {`
`1109`	`1054`	`ws:=dbgen.Workspace(s.T(),db, database.Workspace{})`
`1110`	`1055`	`build:=dbgen.WorkspaceBuild(s.T(),db, database.WorkspaceBuild{WorkspaceID:ws.ID,JobID:uuid.New()})`
`@@ -1117,18 +1062,6 @@ func (s *MethodTestSuite) TestWorkspace() {`
`1117`	`1062`	`job:=dbgen.ProvisionerJob(s.T(),db, database.ProvisionerJob{ID:v.JobID,Type:database.ProvisionerJobTypeTemplateVersionImport})`
`1118`	`1063`	`check.Args(job.ID).Asserts(v.RBACObject(tpl), []rbac.Action{rbac.ActionRead,rbac.ActionRead}).Returns([]database.WorkspaceResource{})`
`1119`	`1064`	`}))`
`1120`		`-s.Run("GetWorkspaceResourcesByJobIDs",s.Subtest(func(db database.Store,check*expects) {`
`1121`		`-tpl:=dbgen.Template(s.T(),db, database.Template{})`
`1122`		`-v:=dbgen.TemplateVersion(s.T(),db, database.TemplateVersion{TemplateID: uuid.NullUUID{UUID:tpl.ID,Valid:true},JobID:uuid.New()})`
`1123`		`-tJob:=dbgen.ProvisionerJob(s.T(),db, database.ProvisionerJob{ID:v.JobID,Type:database.ProvisionerJobTypeTemplateVersionImport})`
`1124`		`-`
`1125`		`-ws:=dbgen.Workspace(s.T(),db, database.Workspace{})`
`1126`		`-build:=dbgen.WorkspaceBuild(s.T(),db, database.WorkspaceBuild{WorkspaceID:ws.ID,JobID:uuid.New()})`
`1127`		`-wJob:=dbgen.ProvisionerJob(s.T(),db, database.ProvisionerJob{ID:build.JobID,Type:database.ProvisionerJobTypeWorkspaceBuild})`
`1128`		`-check.Args([]uuid.UUID{tJob.ID,wJob.ID}).`
`1129`		`-Asserts(/v.RBACObject(tpl), rbac.ActionRead, ws, rbac.ActionRead/ ).`
`1130`		`-Returns([]database.WorkspaceResource{})`
`1131`		`-}))`
`1132`	`1065`	`s.Run("InsertWorkspace",s.Subtest(func(db database.Store,check*expects) {`
`1133`	`1066`	`u:=dbgen.User(s.T(),db, database.User{})`
`1134`	`1067`	`o:=dbgen.Organization(s.T(),db, database.Organization{})`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit144f374

File tree

17 files changed

17 files changed

`‎coderd/coderd.go`

`‎coderd/database/dbauthz/dbauthz.go`

`‎coderd/database/dbauthz/querier.go`

`‎coderd/database/dbauthz/querier_test.go`

0 commit comments