NotificationsYou must be signed in to change notification settings
Fork1.1k
Star11.8k

Commit52d65ee

committed

chore: avoid depending on rbac in slim builds

1 parent36224f2 commit52d65eeCopy full SHA for 52d65ee

File tree

9 files changed

+81

-37

lines changed

cli
- testdata
  - coder_users_edit-roles_--help.golden
- usereditroles.go
coderd
- httpapi
- httpmw
  - authz.go
- rbac
  - no_slim.go
  - no_slim_slim.go
docs/reference/cli
- users_edit-roles.md

9 files changed

+81

-37

lines changed

`‎cli/testdata/coder_users_edit-roles_--help.golden‎`

Lines changed: 1 addition & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -8,8 +8,7 @@ USAGE:`
`8`	`8`	`OPTIONS:`
`9`	`9`	`--roles string-array`
`10`	`10`	`A list of roles to give to the user. This removes any existing roles`
`11`		`- the user may have. The available roles are: auditor, member, owner,`
`12`		`- template-admin, user-admin.`
	`11`	`+ the user may have.`
`13`	`12`
`14`	`13`	`-y, --yes bool`
`15`	`14`	`Bypass prompts.`

`‎cli/usereditroles.go‎`

Lines changed: 12 additions & 17 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,40 +1,27 @@`
`1`	`1`	`package cli`
`2`	`2`
`3`	`3`	`import (`
`4`		`-"fmt"`
`5`	`4`	`"slices"`
`6`		`-"sort"`
`7`	`5`	`"strings"`
`8`	`6`
`9`	`7`	`"golang.org/x/xerrors"`
`10`	`8`
`11`	`9`	`"github.com/coder/coder/v2/cli/cliui"`
`12`		`-"github.com/coder/coder/v2/coderd/rbac"`
`13`	`10`	`"github.com/coder/coder/v2/codersdk"`
`14`	`11`	`"github.com/coder/serpent"`
`15`	`12`	`)`
`16`	`13`
`17`	`14`	`func (rRootCmd)userEditRoles()serpent.Command {`
`18`	`15`	`client:=new(codersdk.Client)`
`19`		`-`
`20`		`-roles:=rbac.SiteRoles()`
`21`		`-`
`22`		`-siteRoles:=make([]string,0)`
`23`		`-for_,role:=rangeroles {`
`24`		`-siteRoles=append(siteRoles,role.Identifier.Name)`
`25`		`-}`
`26`		`-sort.Strings(siteRoles)`
`27`		`-`
`28`	`16`	`vargivenRoles []string`
`29`		`-`
`30`	`17`	`cmd:=&serpent.Command{`
`31`	`18`	`Use:"edit-roles <username\|user_id>",`
`32`	`19`	`Short:"Edit a user's roles by username or id",`
`33`	`20`	`Options: []serpent.Option{`
`34`	`21`	`cliui.SkipPromptOption(),`
`35`	`22`	`{`
`36`	`23`	`Name:"roles",`
`37`		`-Description:fmt.Sprintf("A list of roles to give to the user. This removes any existing roles the user may have. The available roles are: %s.",strings.Join(siteRoles,", ")),`
	`24`	`+Description:"A list of roles to give to the user. This removes any existing roles the user may have.",`
`38`	`25`	`Flag:"roles",`
`39`	`26`	`Value:serpent.StringArrayOf(&givenRoles),`
`40`	`27`	`},`
`@@ -52,13 +39,21 @@ func (r RootCmd) userEditRoles() serpent.Command {`
`52`	`39`	`iferr!=nil {`
`53`	`40`	`returnxerrors.Errorf("fetch user roles: %w",err)`
`54`	`41`	`}`
	`42`	`+siteRoles,err:=client.ListSiteRoles(ctx)`
	`43`	`+iferr!=nil {`
	`44`	`+returnxerrors.Errorf("fetch site roles: %w",err)`
	`45`	`+}`
	`46`	`+siteRoleNames:=make([]string,0,len(siteRoles))`
	`47`	`+for_,role:=rangesiteRoles {`
	`48`	`+siteRoleNames=append(siteRoleNames,role.Name)`
	`49`	`+}`
`55`	`50`
`56`	`51`	`varselectedRoles []string`
`57`	`52`	`iflen(givenRoles)>0 {`
`58`	`53`	`// Make sure all of the given roles are valid site roles`
`59`	`54`	`for_,givenRole:=rangegivenRoles {`
`60`		`-if!slices.Contains(siteRoles,givenRole) {`
`61`		`-siteRolesPretty:=strings.Join(siteRoles,", ")`
	`55`	`+if!slices.Contains(siteRoleNames,givenRole) {`
	`56`	`+siteRolesPretty:=strings.Join(siteRoleNames,", ")`
`62`	`57`	`returnxerrors.Errorf("The role %s is not valid. Please use one or more of the following roles: %s\n",givenRole,siteRolesPretty)`
`63`	`58`	`}`
`64`	`59`	`}`
`@@ -67,7 +62,7 @@ func (r RootCmd) userEditRoles() serpent.Command {`
`67`	`62`	`}else {`
`68`	`63`	`selectedRoles,err=cliui.MultiSelect(inv, cliui.MultiSelectOptions{`
`69`	`64`	`Message:"Select the roles you'd like to assign to the user",`
`70`		`-Options:siteRoles,`
	`65`	`+Options:siteRoleNames,`
`71`	`66`	`Defaults:userRoles.Roles,`
`72`	`67`	`})`
`73`	`68`	`iferr!=nil {`

`‎coderd/httpapi/authz.go‎`

Lines changed: 28 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,28 @@`
	`1`	`+//go:build !slim`
	`2`	`+`
	`3`	`+package httpapi`
	`4`	`+`
	`5`	`+import (`
	`6`	`+"context"`
	`7`	`+"net/http"`
	`8`	`+`
	`9`	`+"github.com/coder/coder/v2/coderd/rbac"`
	`10`	`+)`
	`11`	`+`
	`12`	`+// This is defined separately in slim builds to avoid importing the rbac`
	`13`	`+// package, which is a large dependency.`
	`14`	`+funcSetAuthzCheckRecorderHeader(ctx context.Context,rw http.ResponseWriter) {`
	`15`	`+ifrec,ok:=rbac.GetAuthzCheckRecorder(ctx);ok {`
	`16`	`+// If you're here because you saw this header in a response, and you're`
	`17`	`+// trying to investigate the code, here are a couple of notable things`
	`18`	`+// for you to know:`
	`19`	+// - If any of the checks are `false`, they might not represent the whole
	`20`	`+// picture. There could be additional checks that weren't performed,`
	`21`	`+// because processing stopped after the failure.`
	`22`	+// - The checks are recorded by the `authzRecorder` type, which is
	`23`	`+// configured on server startup for development and testing builds.`
	`24`	`+// - If this header is missing from a response, make sure the response is`
	`25`	+// being written by calling `httpapi.Write`!
	`26`	`+rw.Header().Set("x-authz-checks",rec.String())`
	`27`	`+}`
	`28`	`+}`

`‎coderd/httpapi/authz_slim.go‎`

Lines changed: 13 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,13 @@`
	`1`	`+//go:build slim`
	`2`	`+`
	`3`	`+package httpapi`
	`4`	`+`
	`5`	`+import (`
	`6`	`+"context"`
	`7`	`+"net/http"`
	`8`	`+)`
	`9`	`+`
	`10`	`+funcSetAuthzCheckRecorderHeader(ctx context.Context,rw http.ResponseWriter) {`
	`11`	`+// There's no RBAC on the agent API, so this is separately defined to`
	`12`	`+// avoid importing the RBAC package, which is a large dependency.`
	`13`	`+}`

`‎coderd/httpapi/httpapi.go‎`

Lines changed: 2 additions & 17 deletions

Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,6 @@ import (`
`20`	`20`	`"github.com/coder/websocket/wsjson"`
`21`	`21`
`22`	`22`	`"github.com/coder/coder/v2/coderd/httpapi/httpapiconstraints"`
`23`		`-"github.com/coder/coder/v2/coderd/rbac"`
`24`	`23`	`"github.com/coder/coder/v2/coderd/tracing"`
`25`	`24`	`"github.com/coder/coder/v2/codersdk"`
`26`	`25`	`)`
`@@ -199,19 +198,7 @@ func Write(ctx context.Context, rw http.ResponseWriter, status int, response int`
`199`	`198`	`_,span:=tracing.StartSpan(ctx)`
`200`	`199`	`deferspan.End()`
`201`	`200`
`202`		`-ifrec,ok:=rbac.GetAuthzCheckRecorder(ctx);ok {`
`203`		`-// If you're here because you saw this header in a response, and you're`
`204`		`-// trying to investigate the code, here are a couple of notable things`
`205`		`-// for you to know:`
`206`		-// - If any of the checks are `false`, they might not represent the whole
`207`		`-// picture. There could be additional checks that weren't performed,`
`208`		`-// because processing stopped after the failure.`
`209`		-// - The checks are recorded by the `authzRecorder` type, which is
`210`		`-// configured on server startup for development and testing builds.`
`211`		`-// - If this header is missing from a response, make sure the response is`
`212`		-// being written by calling `httpapi.Write`!
`213`		`-rw.Header().Set("x-authz-checks",rec.String())`
`214`		`-}`
	`201`	`+SetAuthzCheckRecorderHeader(ctx,rw)`
`215`	`202`
`216`	`203`	`rw.Header().Set("Content-Type","application/json; charset=utf-8")`
`217`	`204`	`rw.WriteHeader(status)`
`@@ -228,9 +215,7 @@ func WriteIndent(ctx context.Context, rw http.ResponseWriter, status int, respon`
`228`	`215`	`_,span:=tracing.StartSpan(ctx)`
`229`	`216`	`deferspan.End()`
`230`	`217`
`231`		`-ifrec,ok:=rbac.GetAuthzCheckRecorder(ctx);ok {`
`232`		`-rw.Header().Set("x-authz-checks",rec.String())`
`233`		`-}`
	`218`	`+SetAuthzCheckRecorderHeader(ctx,rw)`
`234`	`219`
`235`	`220`	`rw.Header().Set("Content-Type","application/json; charset=utf-8")`
`236`	`221`	`rw.WriteHeader(status)`

`‎coderd/httpmw/authz.go‎`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+//go:build !slim`
	`2`	`+`
`1`	`3`	`package httpmw`
`2`	`4`
`3`	`5`	`import (`

`‎coderd/rbac/no_slim.go‎`

Lines changed: 8 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,8 @@`
	`1`	`+package rbac`
	`2`	`+`
	`3`	`+const (`
	`4`	`+// This declaration protects against imports in slim builds, see`
	`5`	`+// no_slim_slim.go.`
	`6`	`+//nolint:revive,unused`
	`7`	`+_DO_NOT_IMPORT_THIS_PACKAGE_IN_SLIM_BUILDS="DO_NOT_IMPORT_THIS_PACKAGE_IN_SLIM_BUILDS"`
	`8`	`+)`

`‎coderd/rbac/no_slim_slim.go‎`

Lines changed: 14 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,14 @@`
	`1`	`+//go:build slim`
	`2`	`+`
	`3`	`+package rbac`
	`4`	`+`
	`5`	`+const (`
	`6`	`+// This re-declaration will result in a compilation error and is present to`
	`7`	`+// prevent increasing the slim binary size by importing this package,`
	`8`	`+// directly or indirectly.`
	`9`	`+//`
	`10`	`+// no_slim_slim.go:7:2: _DO_NOT_IMPORT_THIS_PACKAGE_IN_SLIM_BUILDS redeclared in this block`
	`11`	`+// no_slim.go:4:2: other declaration of _DO_NOT_IMPORT_THIS_PACKAGE_IN_SLIM_BUILDS`
	`12`	`+//nolint:revive,unused`
	`13`	`+_DO_NOT_IMPORT_THIS_PACKAGE_IN_SLIM_BUILDS="DO_NOT_IMPORT_THIS_PACKAGE_IN_SLIM_BUILDS"`
	`14`	`+)`

`‎docs/reference/cli/users_edit-roles.md‎`

Lines changed: 1 addition & 1 deletion

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit52d65ee

File tree

9 files changed

9 files changed

`‎cli/testdata/coder_users_edit-roles_--help.golden‎`

`‎cli/usereditroles.go‎`

`‎coderd/httpapi/authz.go‎`

`‎coderd/httpapi/authz_slim.go‎`

`‎coderd/httpapi/httpapi.go‎`

`‎coderd/httpmw/authz.go‎`

`‎coderd/rbac/no_slim.go‎`

`‎coderd/rbac/no_slim_slim.go‎`

`‎docs/reference/cli/users_edit-roles.md‎`

0 commit comments