NotificationsYou must be signed in to change notification settings
Fork928
Star10.1k

Commit6fb8aff

authored

feat: Add initial AuthzQuerier implementation (#5919)

feat: Add initial AuthzQuerier implementation- Adds package database/dbauthz that adds a database.Store implementation where each method goes through AuthZ checks- Implements all database.Store methods on AuthzQuerier- Updates and fixes unit tests where required- Updates coderd initialization to use AuthzQuerier if codersdk.ExperimentAuthzQuerier is enabled

1 parentebdfdc7 commit6fb8affCopy full SHA for 6fb8aff

File tree

59 files changed

+5013

-136

lines changed

coderd
- activitybump.go
- authorize.go
- autobuild/executor
  - lifecycle_executor.go
- coderd.go
- coderdtest
  - authorize.go
  - authorize_test.go
  - coderdtest.go
- database
  - dbauthz
  - dbfake
    - databasefake.go
  - dbgen
    - generator.go
    - generator_test.go
  - modelmethods.go
  - querier.go
  - queries
    - licenses.sql
    - workspaces.sql
  - queries.sql.go
- files.go
- httpmw
  - apikey.go
  - authz.go
  - authz_test.go
  - userparam.go
  - workspaceagent.go
  - workspaceagent_test.go
- members.go
- metricscache
  - metricscache.go
- provisionerdserver
  - provisionerdserver.go
- provisionerjobs.go
- rbac
  - authz_internal_test.go
  - builtin.go
  - builtin_internal_test.go
  - builtin_test.go
  - error.go
  - error_test.go
  - scopes.go
- roles.go
- roles_test.go
- templates.go
- userauth.go
- users.go
- users_test.go
- util/slice
  - slice.go
- workspaceagents.go
- workspaceapps.go
- workspaceresourceauth.go
- workspaces.go
enterprise/coderd
- coderd.go
- coderd_test.go
- coderdenttest
  - coderdenttest_test.go
- scim.go
- templates_test.go
provisionerd/runner
- runner.go
scripts
- rules.go

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

59 files changed

+5013

-136

lines changed

`‎coderd/activitybump.go`

Lines changed: 8 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -15,10 +15,10 @@ import (`
`15`	`15`
`16`	`16`	`// activityBumpWorkspace automatically bumps the workspace's auto-off timer`
`17`	`17`	`// if it is set to expire soon.`
`18`		`-funcactivityBumpWorkspace(log slog.Logger,db database.Store,workspaceID uuid.UUID) {`
	`18`	`+funcactivityBumpWorkspace(ctx context.Context,log slog.Logger,db database.Store,workspaceID uuid.UUID) {`
`19`	`19`	`// We set a short timeout so if the app is under load, these`
`20`	`20`	`// low priority operations fail first.`
`21`		`-ctx,cancel:=context.WithTimeout(context.Background(),time.Second*15)`
	`21`	`+ctx,cancel:=context.WithTimeout(ctx,time.Second*15)`
`22`	`22`	`defercancel()`
`23`	`23`
`24`	`24`	`err:=db.InTx(func(s database.Store)error {`
`@@ -82,9 +82,12 @@ func activityBumpWorkspace(log slog.Logger, db database.Store, workspaceID uuid.`
`82`	`82`	`returnnil`
`83`	`83`	`},nil)`
`84`	`84`	`iferr!=nil {`
`85`		`-log.Error(ctx,"bump failed",slog.Error(err),`
`86`		`-slog.F("workspace_id",workspaceID),`
`87`		`-)`
	`85`	`+if!xerrors.Is(err,context.Canceled) {`
	`86`	`+// Bump will fail if the context is cancelled, but this is ok.`
	`87`	`+log.Error(ctx,"bump failed",slog.Error(err),`
	`88`	`+slog.F("workspace_id",workspaceID),`
	`89`	`+)`
	`90`	`+}`
`88`	`91`	`return`
`89`	`92`	`}`
`90`	`93`

`‎coderd/authorize.go`

Lines changed: 22 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,28 @@ type HTTPAuthorizer struct {`
`51`	`51`	`//return`
`52`	`52`	`//}`
`53`	`53`	`func (apiAPI)Authorize(rhttp.Request,action rbac.Action,object rbac.Objecter)bool {`
	`54`	`+// The experiment does not replace ALL rbac checks, but does replace most.`
	`55`	`+// This statement aborts early on the checks that will be removed in the`
	`56`	`+// future when this experiment is default.`
	`57`	`+ifapi.Experiments.Enabled(codersdk.ExperimentAuthzQuerier) {`
	`58`	`+// Some resource types do not interact with the persistent layer and`
	`59`	`+// we need to keep these checks happening in the API layer.`
	`60`	`+switchobject.RBACObject().Type {`
	`61`	`+caserbac.ResourceWorkspaceExecution.Type:`
	`62`	`+// This is not a db resource, always in API layer`
	`63`	`+caserbac.ResourceDeploymentConfig.Type:`
	`64`	`+// For metric cache items like DAU, we do not hit the DB.`
	`65`	`+// Some db actions are in asserted in the authz layer.`
	`66`	`+caserbac.ResourceReplicas.Type:`
	`67`	`+// Replica rbac is checked for adding and removing replicas.`
	`68`	`+caserbac.ResourceProvisionerDaemon.Type:`
	`69`	`+// Provisioner rbac is checked for adding and removing provisioners.`
	`70`	`+caserbac.ResourceDebugInfo.Type:`
	`71`	`+// This is not a db resource, always in API layer.`
	`72`	`+default:`
	`73`	`+returntrue`
	`74`	`+}`
	`75`	`+}`
`54`	`76`	`returnapi.HTTPAuth.Authorize(r,action,object)`
`55`	`77`	`}`
`56`	`78`

`‎coderd/autobuild/executor/lifecycle_executor.go`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@ import (`
`12`	`12`	`"cdr.dev/slog"`
`13`	`13`	`"github.com/coder/coder/coderd/autobuild/schedule"`
`14`	`14`	`"github.com/coder/coder/coderd/database"`
	`15`	`+"github.com/coder/coder/coderd/database/dbauthz"`
`15`	`16`	`)`
`16`	`17`
`17`	`18`	`// Executor automatically starts or stops workspaces.`
`@@ -33,7 +34,8 @@ type Stats struct {`
`33`	`34`	`// New returns a new autobuild executor.`
`34`	`35`	`funcNew(ctx context.Context,db database.Store,log slog.Logger,tick<-chan time.Time)*Executor {`
`35`	`36`	`le:=&Executor{`
`36`		`-ctx:ctx,`
	`37`	`+//nolint:gocritic // TODO: make an autostart role instead of using System`
	`38`	`+ctx:dbauthz.AsSystem(ctx),`
`37`	`39`	`db:db,`
`38`	`40`	`tick:tick,`
`39`	`41`	`log:log,`

`‎coderd/coderd.go`

Lines changed: 20 additions & 14 deletions

Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,7 @@ import (`
`42`	`42`	`"github.com/coder/coder/coderd/audit"`
`43`	`43`	`"github.com/coder/coder/coderd/awsidentity"`
`44`	`44`	`"github.com/coder/coder/coderd/database"`
	`45`	`+"github.com/coder/coder/coderd/database/dbauthz"`
`45`	`46`	`"github.com/coder/coder/coderd/database/dbtype"`
`46`	`47`	`"github.com/coder/coder/coderd/gitauth"`
`47`	`48`	`"github.com/coder/coder/coderd/gitsshkey"`
`@@ -157,13 +158,6 @@ func New(options Options) API {`
`157`	`158`	`options=&Options{}`
`158`	`159`	`}`
`159`	`160`	`experiments:=initExperiments(options.Logger,options.DeploymentConfig.Experiments.Value,options.DeploymentConfig.Experimental.Value)`
`160`		`-// TODO: remove this once we promote authz_querier out of experiments.`
`161`		`-ifexperiments.Enabled(codersdk.ExperimentAuthzQuerier) {`
`162`		`-panic("Coming soon!")`
`163`		`-// if _, ok := (options.Database).(*authzquery.AuthzQuerier); !ok {`
`164`		`-// options.Database = authzquery.NewAuthzQuerier(options.Database, options.Authorizer)`
`165`		`-// }`
`166`		`-}`
`167`	`161`	`ifoptions.AppHostname!=""&&options.AppHostnameRegex==nil\|\|options.AppHostname==""&&options.AppHostnameRegex!=nil {`
`168`	`162`	`panic("coderd: both AppHostname and AppHostnameRegex must be set or unset")`
`169`	`163`	`}`
`@@ -204,6 +198,14 @@ func New(options Options) API {`
`204`	`198`	`ifoptions.Auditor==nil {`
`205`	`199`	`options.Auditor=audit.NewNop()`
`206`	`200`	`}`
	`201`	`+// TODO: remove this once we promote authz_querier out of experiments.`
	`202`	`+ifexperiments.Enabled(codersdk.ExperimentAuthzQuerier) {`
	`203`	`+options.Database=dbauthz.New(`
	`204`	`+options.Database,`
	`205`	`+options.Authorizer,`
	`206`	`+options.Logger.Named("authz_querier"),`
	`207`	`+)`
	`208`	`+}`
`207`	`209`	`ifoptions.SetUserGroups==nil {`
`208`	`210`	`options.SetUserGroups=func(context.Context, database.Store, uuid.UUID, []string)error {returnnil }`
`209`	`211`	`}`
`@@ -304,8 +306,10 @@ func New(options Options) API {`
`304`	`306`	`DisableSessionExpiryRefresh:options.DeploymentConfig.DisableSessionExpiryRefresh.Value,`
`305`	`307`	`Optional:true,`
`306`	`308`	`}),`
`307`		`-httpmw.ExtractUserParam(api.Database,false),`
`308`		`-httpmw.ExtractWorkspaceAndAgentParam(api.Database),`
	`309`	`+httpmw.AsAuthzSystem(`
	`310`	`+httpmw.ExtractUserParam(api.Database,false),`
	`311`	`+httpmw.ExtractWorkspaceAndAgentParam(api.Database),`
	`312`	`+),`
`309`	`313`	`),`
`310`	`314`	`// Build-Version is helpful for debugging.`
`311`	`315`	`func(next http.Handler) http.Handler {`
`@@ -332,11 +336,13 @@ func New(options Options) API {`
`332`	`336`	`DisableSessionExpiryRefresh:options.DeploymentConfig.DisableSessionExpiryRefresh.Value,`
`333`	`337`	`Optional:true,`
`334`	`338`	`}),`
`335`		`-// Redirect to the login page if the user tries to open an app with`
`336`		`-// "me" as the username and they are not logged in.`
`337`		`-httpmw.ExtractUserParam(api.Database,true),`
`338`		`-// Extracts the <workspace.agent> from the url`
`339`		`-httpmw.ExtractWorkspaceAndAgentParam(api.Database),`
	`339`	`+httpmw.AsAuthzSystem(`
	`340`	`+// Redirect to the login page if the user tries to open an app with`
	`341`	`+// "me" as the username and they are not logged in.`
	`342`	`+httpmw.ExtractUserParam(api.Database,true),`
	`343`	`+// Extracts the <workspace.agent> from the url`
	`344`	`+httpmw.ExtractWorkspaceAndAgentParam(api.Database),`
	`345`	`+),`
`340`	`346`	`)`
`341`	`347`	`r.HandleFunc("/*",api.workspaceAppsProxyPath)`
`342`	`348`	`}`

`‎coderd/coderdtest/authorize.go`

Lines changed: 6 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -12,16 +12,16 @@ import (`
`12`	`12`	`"testing"`
`13`	`13`	`"time"`
`14`	`14`
`15`		`-"github.com/coder/coder/cryptorand"`
`16`	`15`	`"github.com/go-chi/chi/v5"`
`17`	`16`	`"github.com/google/uuid"`
`18`	`17`	`"github.com/moby/moby/pkg/namesgenerator"`
`19`	`18`	`"github.com/stretchr/testify/assert"`
`20`	`19`	`"github.com/stretchr/testify/require"`
`21`	`20`	`"golang.org/x/xerrors"`
`22`	`21`
	`22`	`+"github.com/coder/coder/cryptorand"`
	`23`	`+`
`23`	`24`	`"github.com/coder/coder/coderd"`
`24`		`-"github.com/coder/coder/coderd/database/dbfake"`
`25`	`25`	`"github.com/coder/coder/coderd/rbac"`
`26`	`26`	`"github.com/coder/coder/coderd/rbac/regosql"`
`27`	`27`	`"github.com/coder/coder/codersdk"`
`@@ -30,12 +30,6 @@ import (`
`30`	`30`	`)`
`31`	`31`
`32`	`32`	`funcAGPLRoutes(a*AuthTester) (map[string]string,map[string]RouteCheck) {`
`33`		`-// For any route using SQL filters, we need to know if the database is an`
`34`		`-// in memory fake. This is because the in memory fake does not use SQL, and`
`35`		`-// still uses rego. So this boolean indicates how to assert the expected`
`36`		`-// behavior.`
`37`		`-_,isMemoryDB:=a.api.Database.(dbfake.FakeDatabase)`
`38`		`-`
`39`	`33`	`// Some quick reused objects`
`40`	`34`	`workspaceRBACObj:=rbac.ResourceWorkspace.WithID(a.Workspace.ID).InOrg(a.Organization.ID).WithOwner(a.Workspace.OwnerID.String())`
`41`	`35`	`workspaceExecObj:=rbac.ResourceWorkspaceExecution.WithID(a.Workspace.ID).InOrg(a.Organization.ID).WithOwner(a.Workspace.OwnerID.String())`
`@@ -269,16 +263,17 @@ func AGPLRoutes(a *AuthTester) (map[string]string, map[string]RouteCheck) {`
`269`	`263`	`"POST:/api/v2/workspaces/{workspace}/builds": {StatusCode:http.StatusBadRequest,NoAuthorize:true},`
`270`	`264`	`"POST:/api/v2/organizations/{organization}/templateversions": {StatusCode:http.StatusBadRequest,NoAuthorize:true},`
`271`	`265`
`272`		`-// Endpoints that use the SQLQuery filter.`
	`266`	`+// For any route using SQL filters, we do not check authorization.`
	`267`	`+// This is because the in memory fake does not use SQL.`
`273`	`268`	`"GET:/api/v2/workspaces/": {`
`274`	`269`	`StatusCode:http.StatusOK,`
`275`		`-NoAuthorize:!isMemoryDB,`
	`270`	`+NoAuthorize:true,`
`276`	`271`	`AssertAction:rbac.ActionRead,`
`277`	`272`	`AssertObject:rbac.ResourceWorkspace,`
`278`	`273`	`},`
`279`	`274`	`"GET:/api/v2/organizations/{organization}/templates": {`
`280`	`275`	`StatusCode:http.StatusOK,`
`281`		`-NoAuthorize:!isMemoryDB,`
	`276`	`+NoAuthorize:true,`
`282`	`277`	`AssertAction:rbac.ActionRead,`
`283`	`278`	`AssertObject:rbac.ResourceTemplate,`
`284`	`279`	`},`

`‎coderd/coderdtest/authorize_test.go`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,15 +2,21 @@ package coderdtest_test`
`2`	`2`
`3`	`3`	`import (`
`4`	`4`	`"context"`
	`5`	`+"os"`
	`6`	`+"strings"`
`5`	`7`	`"testing"`
`6`	`8`
`7`	`9`	`"github.com/stretchr/testify/require"`
`8`	`10`
`9`	`11`	`"github.com/coder/coder/coderd/coderdtest"`
`10`	`12`	`"github.com/coder/coder/coderd/rbac"`
	`13`	`+"github.com/coder/coder/codersdk"`
`11`	`14`	`)`
`12`	`15`
`13`	`16`	`funcTestAuthorizeAllEndpoints(t*testing.T) {`
	`17`	`+ifstrings.Contains(os.Getenv("CODER_EXPERIMENTS_TEST"),string(codersdk.ExperimentAuthzQuerier)) {`
	`18`	`+t.Skip("Skipping TestAuthorizeAllEndpoints for authz_querier experiment")`
	`19`	`+}`
`14`	`20`	`t.Parallel()`
`15`	`21`	`client,_,api:=coderdtest.NewWithAPI(t,&coderdtest.Options{`
`16`	`22`	`// Required for any subdomain-based proxy tests to pass.`

`‎coderd/coderdtest/coderdtest.go`

Lines changed: 9 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,7 @@ import (`
`35`	`35`	`"github.com/golang-jwt/jwt"`
`36`	`36`	`"github.com/google/uuid"`
`37`	`37`	`"github.com/moby/moby/pkg/namesgenerator"`
	`38`	`+"github.com/prometheus/client_golang/prometheus"`
`38`	`39`	`"github.com/spf13/afero"`
`39`	`40`	`"github.com/spf13/pflag"`
`40`	`41`	`"github.com/stretchr/testify/assert"`
`@@ -58,6 +59,7 @@ import (`
`58`	`59`	`"github.com/coder/coder/coderd/autobuild/executor"`
`59`	`60`	`"github.com/coder/coder/coderd/awsidentity"`
`60`	`61`	`"github.com/coder/coder/coderd/database"`
	`62`	`+"github.com/coder/coder/coderd/database/dbauthz"`
`61`	`63`	`"github.com/coder/coder/coderd/database/dbtestutil"`
`62`	`64`	`"github.com/coder/coder/coderd/gitauth"`
`63`	`65`	`"github.com/coder/coder/coderd/gitsshkey"`
`@@ -179,12 +181,13 @@ func NewOptions(t testing.T, options Options) (func(http.Handler), context.Can`
`179`	`181`	`options.Database,options.Pubsub=dbtestutil.NewDB(t)`
`180`	`182`	`}`
`181`	`183`	`// TODO: remove this once we're ready to enable authz querier by default.`
`182`		`-ifstrings.Contains(os.Getenv("CODER_EXPERIMENTS_TEST"),"authz_querier") {`
`183`		`-panic("Coming soon!")`
`184`		`-// if options.Authorizer != nil {`
`185`		`-// options.Authorizer = &RecordingAuthorizer{}`
`186`		`-// }`
`187`		`-// options.Database = authzquery.NewAuthzQuerier(options.Database, options.Authorizer)`
	`184`	`+ifstrings.Contains(os.Getenv("CODER_EXPERIMENTS_TEST"),string(codersdk.ExperimentAuthzQuerier)) {`
	`185`	`+ifoptions.Authorizer==nil {`
	`186`	`+options.Authorizer=&RecordingAuthorizer{`
	`187`	`+Wrapped:rbac.NewAuthorizer(prometheus.NewRegistry()),`
	`188`	`+}`
	`189`	`+}`
	`190`	`+options.Database=dbauthz.New(options.Database,options.Authorizer,slogtest.Make(t,nil).Leveled(slog.LevelDebug))`
`188`	`191`	`}`
`189`	`192`	`ifoptions.DeploymentConfig==nil {`
`190`	`193`	`options.DeploymentConfig=DeploymentConfig(t)`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit6fb8aff

File tree

59 files changed

Some content is hidden

59 files changed

`‎coderd/activitybump.go`

`‎coderd/authorize.go`

`‎coderd/autobuild/executor/lifecycle_executor.go`

`‎coderd/coderd.go`

`‎coderd/coderdtest/authorize.go`

`‎coderd/coderdtest/authorize_test.go`

`‎coderd/coderdtest/coderdtest.go`

0 commit comments