NotificationsYou must be signed in to change notification settings
Fork1.1k
Star11.4k

Commit38e5b96

authored

chore: Rbac errors should be returned, and not hidden behind 404 (#7122)

* chore: Rbac errors should be returned, and not hidden behind 404SqlErrNoRows was hiding actual errors* Replace sql.ErrNoRow checks* Remove sql err no rows check from dbauthz test* Fix to use dbauthz system user

1 parentfa64c58 commit38e5b96Copy full SHA for 38e5b96

File tree

23 files changed

+50

-72

lines changed

coderd
enterprise/coderd
- groups.go
- licenses.go

23 files changed

+50

-72

lines changed

`‎coderd/apikey.go‎`

Lines changed: 3 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -3,8 +3,6 @@ package coderd`
`3`	`3`	`import (`
`4`	`4`	`"context"`
`5`	`5`	`"crypto/sha256"`
`6`		`-"database/sql"`
`7`		`-"errors"`
`8`	`6`	`"fmt"`
`9`	`7`	`"net"`
`10`	`8`	`"net/http"`
`@@ -167,7 +165,7 @@ func (api API) apiKeyByID(rw http.ResponseWriter, r http.Request) {`
`167`	`165`
`168`	`166`	`keyID:=chi.URLParam(r,"keyid")`
`169`	`167`	`key,err:=api.Database.GetAPIKeyByID(ctx,keyID)`
`170`		`-iferrors.Is(err,sql.ErrNoRows) {`
	`168`	`+ifhttpapi.Is404Error(err) {`
`171`	`169`	`httpapi.ResourceNotFound(rw)`
`172`	`170`	`return`
`173`	`171`	`}`
`@@ -202,7 +200,7 @@ func (api API) apiKeyByName(rw http.ResponseWriter, r http.Request) {`
`202`	`200`	`TokenName:tokenName,`
`203`	`201`	`UserID:user.ID,`
`204`	`202`	`})`
`205`		`-iferrors.Is(err,sql.ErrNoRows) {`
	`203`	`+ifhttpapi.Is404Error(err) {`
`206`	`204`	`httpapi.ResourceNotFound(rw)`
`207`	`205`	`return`
`208`	`206`	`}`
`@@ -323,7 +321,7 @@ func (api API) deleteAPIKey(rw http.ResponseWriter, r http.Request) {`
`323`	`321`	`defercommitAudit()`
`324`	`322`
`325`	`323`	`err=api.Database.DeleteAPIKeyByID(ctx,keyID)`
`326`		`-iferrors.Is(err,sql.ErrNoRows) {`
	`324`	`+ifhttpapi.Is404Error(err) {`
`327`	`325`	`httpapi.ResourceNotFound(rw)`
`328`	`326`	`return`
`329`	`327`	`}`

`‎coderd/database/dbauthz/dbauthz.go‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -34,8 +34,8 @@ func (e NotAuthorizedError) Error() string {`
`34`	`34`
`35`	`35`	`// Unwrap will always unwrap to a sql.ErrNoRows so the API returns a 404.`
`36`	`36`	`// So 'errors.Is(err, sql.ErrNoRows)' will always be true.`
`37`		`-func (NotAuthorizedError)Unwrap()error {`
`38`		`-returnsql.ErrNoRows`
	`37`	`+func (eNotAuthorizedError)Unwrap()error {`
	`38`	`+returne.Err`
`39`	`39`	`}`
`40`	`40`
`41`	`41`	`funcIsNotAuthorizedError(errerror)bool {`

`‎coderd/database/dbauthz/setup_test.go‎`

Lines changed: 0 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,6 @@ package dbauthz_test`
`2`	`2`
`3`	`3`	`import (`
`4`	`4`	`"context"`
`5`		`-"database/sql"`
`6`	`5`	`"fmt"`
`7`	`6`	`"reflect"`
`8`	`7`	`"sort"`
`@@ -219,7 +218,6 @@ func (s MethodTestSuite) NotAuthorizedErrorTest(ctx context.Context, az coderd`
`219`	`218`	`iferr!=nil\|\|!hasEmptySliceResponse(resp) {`
`220`	`219`	`s.ErrorContainsf(err,"unauthorized","error string should have a good message")`
`221`	`220`	`s.Errorf(err,"method should an error with disallow authz")`
`222`		`-s.ErrorIsf(err,sql.ErrNoRows,"error should match sql.ErrNoRows")`
`223`	`221`	`s.ErrorAs(err,&dbauthz.NotAuthorizedError{},"error should be NotAuthorizedError")`
`224`	`222`	`}`
`225`	`223`	`})`

`‎coderd/files.go‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -126,7 +126,7 @@ func (api API) fileByID(rw http.ResponseWriter, r http.Request) {`
`126`	`126`	`}`
`127`	`127`
`128`	`128`	`file,err:=api.Database.GetFileByID(ctx,id)`
`129`		`-iferrors.Is(err,sql.ErrNoRows) {`
	`129`	`+ifhttpapi.Is404Error(err) {`
`130`	`130`	`httpapi.ResourceNotFound(rw)`
`131`	`131`	`return`
`132`	`132`	`}`

`‎coderd/httpapi/httpapi.go‎`

Lines changed: 13 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@ package httpapi`
`3`	`3`	`import (`
`4`	`4`	`"bytes"`
`5`	`5`	`"context"`
	`6`	`+"database/sql"`
`6`	`7`	`"encoding/json"`
`7`	`8`	`"errors"`
`8`	`9`	`"flag"`
`@@ -15,6 +16,8 @@ import (`
`15`	`16`	`"github.com/go-playground/validator/v10"`
`16`	`17`	`"golang.org/x/xerrors"`
`17`	`18`
	`19`	`+"github.com/coder/coder/coderd/database/dbauthz"`
	`20`	`+"github.com/coder/coder/coderd/rbac"`
`18`	`21`	`"github.com/coder/coder/coderd/tracing"`
`19`	`22`	`"github.com/coder/coder/codersdk"`
`20`	`23`	`)`
`@@ -80,6 +83,16 @@ func init() {`
`80`	`83`	`}`
`81`	`84`	`}`
`82`	`85`
	`86`	`+// Is404Error returns true if the given error should return a 404 status code.`
	`87`	`+// Both actual 404s and unauthorized errors should return 404s to not leak`
	`88`	`+// information about the existence of resources.`
	`89`	`+funcIs404Error(errerror)bool {`
	`90`	`+iferr==nil {`
	`91`	`+returnfalse`
	`92`	`+}`
	`93`	`+returnxerrors.Is(err,sql.ErrNoRows)\|\|dbauthz.IsNotAuthorizedError(err)\|\|rbac.IsUnauthorizedError(err)`
	`94`	`+}`
	`95`	`+`
`83`	`96`	`// Convenience error functions don't take contexts since their responses are`
`84`	`97`	`// static, it doesn't make much sense to trace them.`
`85`	`98`

`‎coderd/httpmw/groupparam.go‎`

Lines changed: 2 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,12 +2,9 @@ package httpmw`
`2`	`2`
`3`	`3`	`import (`
`4`	`4`	`"context"`
`5`		`-"database/sql"`
`6`		`-"errors"`
`7`	`5`	`"net/http"`
`8`	`6`
`9`	`7`	`"github.com/go-chi/chi/v5"`
`10`		`-"golang.org/x/xerrors"`
`11`	`8`
`12`	`9`	`"github.com/coder/coder/coderd/database"`
`13`	`10`	`"github.com/coder/coder/coderd/httpapi"`
`@@ -45,7 +42,7 @@ func ExtractGroupByNameParam(db database.Store) func(http.Handler) http.Handler`
`45`	`42`	`OrganizationID:org.ID,`
`46`	`43`	`Name:name,`
`47`	`44`	`})`
`48`		`-ifxerrors.Is(err,sql.ErrNoRows) {`
	`45`	`+ifhttpapi.Is404Error(err) {`
`49`	`46`	`httpapi.ResourceNotFound(rw)`
`50`	`47`	`return`
`51`	`48`	`}`
`@@ -73,7 +70,7 @@ func ExtractGroupParam(db database.Store) func(http.Handler) http.Handler {`
`73`	`70`	`}`
`74`	`71`
`75`	`72`	`group,err:=db.GetGroupByID(r.Context(),groupID)`
`76`		`-iferrors.Is(err,sql.ErrNoRows) {`
	`73`	`+ifhttpapi.Is404Error(err) {`
`77`	`74`	`httpapi.ResourceNotFound(rw)`
`78`	`75`	`return`
`79`	`76`	`}`

`‎coderd/httpmw/organizationparam.go‎`

Lines changed: 2 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,8 +2,6 @@ package httpmw`
`2`	`2`
`3`	`3`	`import (`
`4`	`4`	`"context"`
`5`		`-"database/sql"`
`6`		`-"errors"`
`7`	`5`	`"net/http"`
`8`	`6`
`9`	`7`	`"github.com/coder/coder/coderd/database"`
`@@ -47,7 +45,7 @@ func ExtractOrganizationParam(db database.Store) func(http.Handler) http.Handler`
`47`	`45`	`}`
`48`	`46`
`49`	`47`	`organization,err:=db.GetOrganizationByID(ctx,orgID)`
`50`		`-iferrors.Is(err,sql.ErrNoRows) {`
	`48`	`+ifhttpapi.Is404Error(err) {`
`51`	`49`	`httpapi.ResourceNotFound(rw)`
`52`	`50`	`return`
`53`	`51`	`}`
`@@ -77,7 +75,7 @@ func ExtractOrganizationMemberParam(db database.Store) func(http.Handler) http.H`
`77`	`75`	`OrganizationID:organization.ID,`
`78`	`76`	`UserID:user.ID,`
`79`	`77`	`})`
`80`		`-iferrors.Is(err,sql.ErrNoRows) {`
	`78`	`+ifhttpapi.Is404Error(err) {`
`81`	`79`	`httpapi.ResourceNotFound(rw)`
`82`	`80`	`return`
`83`	`81`	`}`

`‎coderd/httpmw/templateparam.go‎`

Lines changed: 1 addition & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,8 +2,6 @@ package httpmw`
`2`	`2`
`3`	`3`	`import (`
`4`	`4`	`"context"`
`5`		`-"database/sql"`
`6`		`-"errors"`
`7`	`5`	`"net/http"`
`8`	`6`
`9`	`7`	`"github.com/go-chi/chi/v5"`
`@@ -34,7 +32,7 @@ func ExtractTemplateParam(db database.Store) func(http.Handler) http.Handler {`
`34`	`32`	`return`
`35`	`33`	`}`
`36`	`34`	`template,err:=db.GetTemplateByID(r.Context(),templateID)`
`37`		`-iferrors.Is(err,sql.ErrNoRows)\|\| (err==nil&&template.Deleted) {`
	`35`	`+ifhttpapi.Is404Error(err)\|\| (err==nil&&template.Deleted) {`
`38`	`36`	`httpapi.ResourceNotFound(rw)`
`39`	`37`	`return`
`40`	`38`	`}`

`‎coderd/httpmw/templateversionparam.go‎`

Lines changed: 1 addition & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,6 @@ package httpmw`
`3`	`3`	`import (`
`4`	`4`	`"context"`
`5`	`5`	`"database/sql"`
`6`		`-"errors"`
`7`	`6`	`"net/http"`
`8`	`7`
`9`	`8`	`"github.com/go-chi/chi/v5"`
`@@ -35,7 +34,7 @@ func ExtractTemplateVersionParam(db database.Store) func(http.Handler) http.Hand`
`35`	`34`	`return`
`36`	`35`	`}`
`37`	`36`	`templateVersion,err:=db.GetTemplateVersionByID(ctx,templateVersionID)`
`38`		`-iferrors.Is(err,sql.ErrNoRows) {`
	`37`	`+ifhttpapi.Is404Error(err) {`
`39`	`38`	`httpapi.ResourceNotFound(rw)`
`40`	`39`	`return`
`41`	`40`	`}`

`‎coderd/httpmw/userparam.go‎`

Lines changed: 1 addition & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,11 +2,8 @@ package httpmw`
`2`	`2`
`3`	`3`	`import (`
`4`	`4`	`"context"`
`5`		`-"database/sql"`
`6`	`5`	`"net/http"`
`7`	`6`
`8`		`-"golang.org/x/xerrors"`
`9`		`-`
`10`	`7`	`"github.com/go-chi/chi/v5"`
`11`	`8`	`"github.com/google/uuid"`
`12`	`9`
`@@ -71,7 +68,7 @@ func ExtractUserParam(db database.Store, redirectToLoginOnMe bool) func(http.Han`
`71`	`68`	`}`
`72`	`69`	`//nolint:gocritic // System needs to be able to get user from param.`
`73`	`70`	`user,err=db.GetUserByID(dbauthz.AsSystemRestricted(ctx),apiKey.UserID)`
`74`		`-ifxerrors.Is(err,sql.ErrNoRows) {`
	`71`	`+ifhttpapi.Is404Error(err) {`
`75`	`72`	`httpapi.ResourceNotFound(rw)`
`76`	`73`	`return`
`77`	`74`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit38e5b96

File tree

23 files changed

23 files changed

`‎coderd/apikey.go‎`

`‎coderd/database/dbauthz/dbauthz.go‎`

`‎coderd/database/dbauthz/setup_test.go‎`

`‎coderd/files.go‎`

`‎coderd/httpapi/httpapi.go‎`

`‎coderd/httpmw/groupparam.go‎`

`‎coderd/httpmw/organizationparam.go‎`

`‎coderd/httpmw/templateparam.go‎`

`‎coderd/httpmw/templateversionparam.go‎`

`‎coderd/httpmw/userparam.go‎`

0 commit comments