NotificationsYou must be signed in to change notification settings
Fork927
Star10.1k

Commit46dbb72

committed

chore: push rbac actions to policy package

Moving to support more verbs. It is easier to keep the verbs intheir own package for autogen reasons. Autogen will generate contentin the rbac package. If the verbs are in the rbac package, thenthe autogen can fail if the autogen produces no-valid go code.It's a circular dependency that this commit avoids

1 parentc41d0ef commit46dbb72Copy full SHA for 46dbb72

File tree

52 files changed

+971

-925

lines changed

coderd
- apikey.go
- authorize.go
- coderd.go
- coderdtest
  - authorize.go
  - authorize_test.go
- database
  - dbauthz
  - dbgen
    - dbgen.go
  - dbmetrics
    - dbmetrics.go
  - types.go
- debug.go
- deployment.go
- insights.go
- insights_test.go
- rbac
  - astvalue.go
  - authz.go
  - authz_internal_test.go
  - authz_test.go
  - error.go
  - object.go
  - object_test.go
  - policy
    - policy.go
  - roles.go
  - roles_internal_test.go
  - roles_test.go
  - scopes.go
- roles.go
- templates.go
- templateversions.go
- templateversions_test.go
- users.go
- users_test.go
- workspaceagents.go
- workspaceapps
  - db.go
- workspaceapps.go
- workspacebuilds.go
- workspaces.go
- workspaces_test.go
- wsbuilder
  - wsbuilder.go
enterprise
- coderd
- tailnet
  - pgcoord.go
support
- support.go

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

52 files changed

+971

-925

lines changed

`‎coderd/apikey.go`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ import (`
`18`	`18`	`"github.com/coder/coder/v2/coderd/database/dbtime"`
`19`	`19`	`"github.com/coder/coder/v2/coderd/httpapi"`
`20`	`20`	`"github.com/coder/coder/v2/coderd/httpmw"`
`21`		`-"github.com/coder/coder/v2/coderd/rbac"`
	`21`	`+"github.com/coder/coder/v2/coderd/rbac/policy"`
`22`	`22`	`"github.com/coder/coder/v2/coderd/telemetry"`
`23`	`23`	`"github.com/coder/coder/v2/codersdk"`
`24`	`24`	`)`
`@@ -255,7 +255,7 @@ func (api API) tokens(rw http.ResponseWriter, r http.Request) {`
`255`	`255`	`}`
`256`	`256`	`}`
`257`	`257`
`258`		`-keys,err=AuthorizeFilter(api.HTTPAuth,r,rbac.ActionRead,keys)`
	`258`	`+keys,err=AuthorizeFilter(api.HTTPAuth,r,policy.ActionRead,keys)`
`259`	`259`	`iferr!=nil {`
`260`	`260`	`httpapi.Write(ctx,rw,http.StatusInternalServerError, codersdk.Response{`
`261`	`261`	`Message:"Internal error fetching keys.",`

`‎coderd/authorize.go`

Lines changed: 6 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,13 +11,14 @@ import (`
`11`	`11`	`"github.com/coder/coder/v2/coderd/httpapi"`
`12`	`12`	`"github.com/coder/coder/v2/coderd/httpmw"`
`13`	`13`	`"github.com/coder/coder/v2/coderd/rbac"`
	`14`	`+"github.com/coder/coder/v2/coderd/rbac/policy"`
`14`	`15`	`"github.com/coder/coder/v2/codersdk"`
`15`	`16`	`)`
`16`	`17`
`17`	`18`	`// AuthorizeFilter takes a list of objects and returns the filtered list of`
`18`	`19`	`// objects that the user is authorized to perform the given action on.`
`19`	`20`	`// This is faster than calling Authorize() on each object.`
`20`		`-funcAuthorizeFilter[O rbac.Objecter](hHTTPAuthorizer,rhttp.Request,actionrbac.Action,objects []O) ([]O,error) {`
	`21`	`+funcAuthorizeFilter[O rbac.Objecter](hHTTPAuthorizer,rhttp.Request,actionpolicy.Action,objects []O) ([]O,error) {`
`21`	`22`	`roles:=httpmw.UserAuthorization(r)`
`22`	`23`	`objects,err:=rbac.Filter(r.Context(),h.Authorizer,roles,action,objects)`
`23`	`24`	`iferr!=nil {`
`@@ -50,7 +51,7 @@ type HTTPAuthorizer struct {`
`50`	`51`	`//httpapi.Forbidden(rw)`
`51`	`52`	`//return`
`52`	`53`	`//}`
`53`		`-func (apiAPI)Authorize(rhttp.Request,actionrbac.Action,object rbac.Objecter)bool {`
	`54`	`+func (apiAPI)Authorize(rhttp.Request,actionpolicy.Action,object rbac.Objecter)bool {`
`54`	`55`	`returnapi.HTTPAuth.Authorize(r,action,object)`
`55`	`56`	`}`
`56`	`57`
`@@ -63,7 +64,7 @@ func (api API) Authorize(r http.Request, action rbac.Action, object rbac.Objec`
`63`	`64`	`//httpapi.Forbidden(rw)`
`64`	`65`	`//return`
`65`	`66`	`//}`
`66`		`-func (hHTTPAuthorizer)Authorize(rhttp.Request,actionrbac.Action,object rbac.Objecter)bool {`
	`67`	`+func (hHTTPAuthorizer)Authorize(rhttp.Request,actionpolicy.Action,object rbac.Objecter)bool {`
`67`	`68`	`roles:=httpmw.UserAuthorization(r)`
`68`	`69`	`err:=h.Authorizer.Authorize(r.Context(),roles,action,object.RBACObject())`
`69`	`70`	`iferr!=nil {`
`@@ -95,7 +96,7 @@ func (h HTTPAuthorizer) Authorize(r http.Request, action rbac.Action, object r`
`95`	`96`	`// from postgres are already authorized, and the caller does not need to`
`96`	`97`	`// call 'Authorize()' on the returned objects.`
`97`	`98`	`// Note the authorization is only for the given action and object type.`
`98`		`-func (hHTTPAuthorizer)AuthorizeSQLFilter(rhttp.Request,actionrbac.Action,objectTypestring) (rbac.PreparedAuthorized,error) {`
	`99`	`+func (hHTTPAuthorizer)AuthorizeSQLFilter(rhttp.Request,actionpolicy.Action,objectTypestring) (rbac.PreparedAuthorized,error) {`
`99`	`100`	`roles:=httpmw.UserAuthorization(r)`
`100`	`101`	`prepared,err:=h.Authorizer.Prepare(r.Context(),roles,action,objectType)`
`101`	`102`	`iferr!=nil {`
`@@ -219,7 +220,7 @@ func (api API) checkAuthorization(rw http.ResponseWriter, r http.Request) {`
`219`	`220`	`obj=dbObj.RBACObject()`
`220`	`221`	`}`
`221`	`222`
`222`		`-err:=api.Authorizer.Authorize(ctx,auth,rbac.Action(v.Action),obj)`
	`223`	`+err:=api.Authorizer.Authorize(ctx,auth,policy.Action(v.Action),obj)`
`223`	`224`	`response[k]=err==nil`
`224`	`225`	`}`
`225`	`226`

`‎coderd/coderd.go`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -60,6 +60,7 @@ import (`
`60`	`60`	`"github.com/coder/coder/v2/coderd/prometheusmetrics"`
`61`	`61`	`"github.com/coder/coder/v2/coderd/provisionerdserver"`
`62`	`62`	`"github.com/coder/coder/v2/coderd/rbac"`
	`63`	`+"github.com/coder/coder/v2/coderd/rbac/policy"`
`63`	`64`	`"github.com/coder/coder/v2/coderd/schedule"`
`64`	`65`	`"github.com/coder/coder/v2/coderd/telemetry"`
`65`	`66`	`"github.com/coder/coder/v2/coderd/tracing"`
`@@ -1106,7 +1107,7 @@ func New(options Options) API {`
`1106`	`1107`	`// Ensure only owners can access debug endpoints.`
`1107`	`1108`	`func(next http.Handler) http.Handler {`
`1108`	`1109`	`returnhttp.HandlerFunc(func(rw http.ResponseWriter,r*http.Request) {`
`1109`		`-if!api.Authorize(r,rbac.ActionRead,rbac.ResourceDebugInfo) {`
	`1110`	`+if!api.Authorize(r,policy.ActionRead,rbac.ResourceDebugInfo) {`
`1110`	`1111`	`httpapi.ResourceNotFound(rw)`
`1111`	`1112`	`return`
`1112`	`1113`	`}`

`‎coderd/coderdtest/authorize.go`

Lines changed: 15 additions & 14 deletions

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@ import (`
`20`	`20`	`"github.com/coder/coder/v2/coderd/database"`
`21`	`21`	`"github.com/coder/coder/v2/coderd/database/dbauthz"`
`22`	`22`	`"github.com/coder/coder/v2/coderd/rbac"`
	`23`	`+"github.com/coder/coder/v2/coderd/rbac/policy"`
`23`	`24`	`"github.com/coder/coder/v2/coderd/rbac/regosql"`
`24`	`25`	`"github.com/coder/coder/v2/codersdk"`
`25`	`26`	`"github.com/coder/coder/v2/cryptorand"`
`@@ -84,7 +85,7 @@ func (a RBACAsserter) AllCalls() []AuthCall {`
`84`	`85`	`// AssertChecked will assert a given rbac check was performed. It does not care`
`85`	`86`	`// about order of checks, or any other checks. This is useful when you do not`
`86`	`87`	`// care about asserting every check that was performed.`
`87`		`-func (aRBACAsserter)AssertChecked(t*testing.T,actionrbac.Action,objects...interface{}) {`
	`88`	`+func (aRBACAsserter)AssertChecked(t*testing.T,actionpolicy.Action,objects...interface{}) {`
`88`	`89`	`converted:=a.convertObjects(t,objects...)`
`89`	`90`	`pairs:=make([]ActionObjectPair,0,len(converted))`
`90`	`91`	`for_,obj:=rangeconverted {`
`@@ -95,7 +96,7 @@ func (a RBACAsserter) AssertChecked(t *testing.T, action rbac.Action, objects ..`
`95`	`96`
`96`	`97`	`// AssertInOrder must be called in the correct order of authz checks. If the objects`
`97`	`98`	`// or actions are not in the correct order, the test will fail.`
`98`		`-func (aRBACAsserter)AssertInOrder(t*testing.T,actionrbac.Action,objects...interface{}) {`
	`99`	`+func (aRBACAsserter)AssertInOrder(t*testing.T,actionpolicy.Action,objects...interface{}) {`
`99`	`100`	`converted:=a.convertObjects(t,objects...)`
`100`	`101`	`pairs:=make([]ActionObjectPair,0,len(converted))`
`101`	`102`	`for_,obj:=rangeconverted {`
`@@ -155,13 +156,13 @@ type RecordingAuthorizer struct {`
`155`	`156`	`}`
`156`	`157`
`157`	`158`	`typeActionObjectPairstruct {`
`158`		`-Actionrbac.Action`
	`159`	`+Actionpolicy.Action`
`159`	`160`	`Object rbac.Object`
`160`	`161`	`}`
`161`	`162`
`162`	`163`	`// Pair is on the RecordingAuthorizer to be easy to find and keep the pkg`
`163`	`164`	`// interface smaller.`
`164`		`-func (*RecordingAuthorizer)Pair(actionrbac.Action,object rbac.Objecter)ActionObjectPair {`
	`165`	`+func (*RecordingAuthorizer)Pair(actionpolicy.Action,object rbac.Objecter)ActionObjectPair {`
`165`	`166`	`returnActionObjectPair{`
`166`	`167`	`Action:action,`
`167`	`168`	`Object:object.RBACObject(),`
`@@ -248,7 +249,7 @@ func (r RecordingAuthorizer) AssertActor(t testing.T, actor rbac.Subject, did`
`248`	`249`	`}`
`249`	`250`
`250`	`251`	`// recordAuthorize is the internal method that records the Authorize() call.`
`251`		`-func (r*RecordingAuthorizer)recordAuthorize(subject rbac.Subject,actionrbac.Action,object rbac.Object) {`
	`252`	`+func (r*RecordingAuthorizer)recordAuthorize(subject rbac.Subject,actionpolicy.Action,object rbac.Object) {`
`252`	`253`	`r.Lock()`
`253`	`254`	`deferr.Unlock()`
`254`	`255`
`@@ -283,15 +284,15 @@ func caller(skip int) string {`
`283`	`284`	`returnstr`
`284`	`285`	`}`
`285`	`286`
`286`		`-func (r*RecordingAuthorizer)Authorize(ctx context.Context,subject rbac.Subject,actionrbac.Action,object rbac.Object)error {`
	`287`	`+func (r*RecordingAuthorizer)Authorize(ctx context.Context,subject rbac.Subject,actionpolicy.Action,object rbac.Object)error {`
`287`	`288`	`r.recordAuthorize(subject,action,object)`
`288`	`289`	`ifr.Wrapped==nil {`
`289`	`290`	`panic("Developer error: RecordingAuthorizer.Wrapped is nil")`
`290`	`291`	`}`
`291`	`292`	`returnr.Wrapped.Authorize(ctx,subject,action,object)`
`292`	`293`	`}`
`293`	`294`
`294`		`-func (r*RecordingAuthorizer)Prepare(ctx context.Context,subject rbac.Subject,actionrbac.Action,objectTypestring) (rbac.PreparedAuthorized,error) {`
	`295`	`+func (r*RecordingAuthorizer)Prepare(ctx context.Context,subject rbac.Subject,actionpolicy.Action,objectTypestring) (rbac.PreparedAuthorized,error) {`
`295`	`296`	`r.RLock()`
`296`	`297`	`deferr.RUnlock()`
`297`	`298`	`ifr.Wrapped==nil {`
`@@ -325,7 +326,7 @@ type PreparedRecorder struct {`
`325`	`326`	`rec*RecordingAuthorizer`
`326`	`327`	`prepped rbac.PreparedAuthorized`
`327`	`328`	`subject rbac.Subject`
`328`		`-actionrbac.Action`
	`329`	`+actionpolicy.Action`
`329`	`330`
`330`	`331`	`rw sync.Mutex`
`331`	`332`	`usingSQLbool`
`@@ -357,11 +358,11 @@ type FakeAuthorizer struct {`
`357`	`358`
`358`	`359`	`var_ rbac.Authorizer= (*FakeAuthorizer)(nil)`
`359`	`360`
`360`		`-func (d*FakeAuthorizer)Authorize(_ context.Context,_ rbac.Subject,_rbac.Action,_ rbac.Object)error {`
	`361`	`+func (d*FakeAuthorizer)Authorize(_ context.Context,_ rbac.Subject,_policy.Action,_ rbac.Object)error {`
`361`	`362`	`returnd.AlwaysReturn`
`362`	`363`	`}`
`363`	`364`
`364`		`-func (d*FakeAuthorizer)Prepare(_ context.Context,subject rbac.Subject,actionrbac.Action,_string) (rbac.PreparedAuthorized,error) {`
	`365`	`+func (d*FakeAuthorizer)Prepare(_ context.Context,subject rbac.Subject,actionpolicy.Action,_string) (rbac.PreparedAuthorized,error) {`
`365`	`366`	`return&fakePreparedAuthorizer{`
`366`	`367`	`Original:d,`
`367`	`368`	`Subject:subject,`
`@@ -377,7 +378,7 @@ type fakePreparedAuthorizer struct {`
`377`	`378`	`sync.RWMutex`
`378`	`379`	`Original*FakeAuthorizer`
`379`	`380`	`Subject rbac.Subject`
`380`		`-Actionrbac.Action`
	`381`	`+Actionpolicy.Action`
`381`	`382`	`}`
`382`	`383`
`383`	`384`	`func (f*fakePreparedAuthorizer)Authorize(ctx context.Context,object rbac.Object)error {`
`@@ -392,7 +393,7 @@ func (*fakePreparedAuthorizer) CompileToSQL(_ context.Context, _ regosql.Convert`
`392`	`393`
`393`	`394`	`// Random rbac helper funcs`
`394`	`395`
`395`		`-funcRandomRBACAction()rbac.Action {`
	`396`	`+funcRandomRBACAction()policy.Action {`
`396`	`397`	`all:=rbac.AllActions()`
`397`	`398`	`returnall[must(cryptorand.Intn(len(all)))]`
`398`	`399`	`}`
`@@ -403,10 +404,10 @@ func RandomRBACObject() rbac.Object {`
`403`	`404`	`Owner:uuid.NewString(),`
`404`	`405`	`OrgID:uuid.NewString(),`
`405`	`406`	`Type:randomRBACType(),`
`406`		`-ACLUserList:map[string][]rbac.Action{`
	`407`	`+ACLUserList:map[string][]policy.Action{`
`407`	`408`	`namesgenerator.GetRandomName(1): {RandomRBACAction()},`
`408`	`409`	`},`
`409`		`-ACLGroupList:map[string][]rbac.Action{`
	`410`	`+ACLGroupList:map[string][]policy.Action{`
`410`	`411`	`namesgenerator.GetRandomName(1): {RandomRBACAction()},`
`411`	`412`	`},`
`412`	`413`	`}`

`‎coderd/coderdtest/authorize_test.go`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@ import (`
`9`	`9`
`10`	`10`	`"github.com/coder/coder/v2/coderd/coderdtest"`
`11`	`11`	`"github.com/coder/coder/v2/coderd/rbac"`
	`12`	`+"github.com/coder/coder/v2/coderd/rbac/policy"`
`12`	`13`	`)`
`13`	`14`
`14`	`15`	`funcTestAuthzRecorder(t*testing.T) {`
`@@ -101,7 +102,7 @@ func TestAuthzRecorder(t *testing.T) {`
`101`	`102`	`}`
`102`	`103`
`103`	`104`	`// fuzzAuthzPrep has same action and object types for all calls.`
`104`		`-funcfuzzAuthzPrep(t*testing.T,prep rbac.PreparedAuthorized,nint,actionrbac.Action,objectTypestring) []coderdtest.ActionObjectPair {`
	`105`	`+funcfuzzAuthzPrep(t*testing.T,prep rbac.PreparedAuthorized,nint,actionpolicy.Action,objectTypestring) []coderdtest.ActionObjectPair {`
`105`	`106`	`t.Helper()`
`106`	`107`	`pairs:=make([]coderdtest.ActionObjectPair,0,n)`
`107`	`108`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit46dbb72

File tree

52 files changed

Some content is hidden

52 files changed

`‎coderd/apikey.go`

`‎coderd/authorize.go`

`‎coderd/coderd.go`

`‎coderd/coderdtest/authorize.go`

`‎coderd/coderdtest/authorize_test.go`

0 commit comments