
Commit86f0f39

authored
chore: make authz recorder opt in (#20310)
The authz recorder is causing a lot of memory to be allocated, and is a memory leak for websocket connections. This change makes it opt-in on a per-request basis (on top of `isDev`). To get the authz headers, use `Copy as cURL` on Chrome and append the header `x-authz-checks=true`.
1 parent650dc86 commit86f0f39


8 files changed

+43
-7
lines changed


‎coderd/apidoc/docs.go‎

Lines changed: 3 additions & 0 deletions

‎coderd/apidoc/swagger.json‎

Lines changed: 3 additions & 0 deletions

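--- a/coderd/coderd.go
+++ b/coderd/coderd.go
@@ -493,7 +493,7 @@ func New(options *Options) *API {
 	// We add this middleware early, to make sure that authorization checks made
 	// by other middleware get recorded.
 	if buildinfo.IsDev() {
-		r.Use(httpmw.RecordAuthzChecks)
+		r.Use(httpmw.RecordAuthzChecks(options.DeploymentValues.EnableAuthzRecording.Value()))
 	}
 
 	ctx, cancel := context.WithCancel(context.Background())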
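Review bot: The comment on lines 493-494 still says the middleware is added early so that checks made by other middleware get recorded, but after this change nothing is recorded unless `EnableAuthzRecording` is set or the request opts in, so the comment should state that condition, e.g. `// Recording is off unless EnableAuthzRecording is set or the request sends the x-record-authz-checks header.` The `buildinfo.IsDev()` gate on line 495 is unchanged, so the new deployment value has no effect on non-dev builds; the option description in deployment.go says as much, and a short mention here would save a reader the lookup. The body of New continues outside the hunk.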

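--- a/coderd/httpmw/authz.go
+++ b/coderd/httpmw/authz.go
@@ -4,6 +4,7 @@ package httpmw
 
 import (
 	"net/http"
+	"strconv"
 
 	"github.com/go-chi/chi/v5"
 
@@ -39,14 +40,24 @@ func AsAuthzSystem(mws ...func(http.Handler) http.Handler) func(http.Handler) ht
 	}
 }
 
-// RecordAuthzChecks enables recording all of the authorization checks that
+// RecordAuthzChecks enables recording all the authorization checks that
 // occurred in the processing of a request. This is mostly helpful for debugging
 // and understanding what permissions are required for a given action.
 //
+// Can either be toggled on by a deployment wide configuration value, or opt-in on
+// a per-request basis by setting the `x-record-authz-checks` header to a truthy value.
+//
 // Requires using a Recorder Authorizer.
-func RecordAuthzChecks(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-		r = r.WithContext(rbac.WithAuthzCheckRecorder(r.Context()))
-		next.ServeHTTP(rw, r)
-	})
+//
+//nolint:revive
+func RecordAuthzChecks(always bool) func(next http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+			if enabled, _ := strconv.ParseBool(r.Header.Get("x-record-authz-checks")); enabled || always {
+				r = r.WithContext(rbac.WithAuthzCheckRecorder(r.Context()))
+			}
+
+			next.ServeHTTP(rw, r)
+		})
+	}
 }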
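Review bot: The opt-in on new line 56 is decided solely by a client-supplied request header, and coderd.go mounts this middleware "early" so it appears to run ahead of authentication; in a dev build any caller can therefore re-enable, for its own requests, the allocation-heavy recorder the commit message describes as leaking on websocket connections. That is a reasonable trade-off for a dev-only tool, but the doc comment should say so, e.g. `// The header is honoured for any request, authenticated or not; the middleware is only mounted in dev builds.` The commit description tells users to send `x-authz-checks=true`, whereas the code and the doc comment read `x-record-authz-checks`; one of the two needs correcting. Discarding the `strconv.ParseBool` error is intentional (an absent or malformed header means "off"), which a brief inline comment would make explicit.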

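--- a/codersdk/deployment.go
+++ b/codersdk/deployment.go
@@ -487,6 +487,7 @@ type DeploymentValues struct {
 	Sessions SessionLifetime `json:"session_lifetime,omitempty" typescript:",notnull"`
 	DisablePasswordAuth serpent.Bool `json:"disable_password_auth,omitempty" typescript:",notnull"`
 	Support SupportConfig `json:"support,omitempty" typescript:",notnull"`
+	EnableAuthzRecording serpent.Bool `json:"enable_authz_recording,omitempty" typescript:",notnull"`
 	ExternalAuthConfigs serpent.Struct[[]ExternalAuthConfig] `json:"external_auth,omitempty" typescript:",notnull"`
 	SSHConfig SSHConfig `json:"config_ssh,omitempty" typescript:",notnull"`
 	WgtunnelHost serpent.String `json:"wgtunnel_host,omitempty" typescript:",notnull"`
@@ -3293,6 +3294,19 @@ Write out the current server config as YAML to stdout.`,
 			YAML: "key",
 			Hidden: true,
 		},
+		{
+			Name: "Enable Authorization Recordings",
+			Description: "All api requests will have a header including all authorization calls made during the request. " +
+				"This is used for debugging purposes and only available for dev builds.",
+			Required: false,
+			Flag: "enable-authz-recordings",
+			Env: "CODER_ENABLE_AUTHZ_RECORDINGS",
+			Default: "false",
+			Value: &c.EnableAuthzRecording,
+			// Do not show this option ever. It is a developer tool only, and not to be
+			// used externally.
+			Hidden: true,
+		},
 	}
 
 	return opts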
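Review bot: The flag and env names on new lines 3302-3303 are plural (`enable-authz-recordings`, `CODER_ENABLE_AUTHZ_RECORDINGS`) while the JSON key added at line 490 and the struct field are singular (`enable_authz_recording`, `EnableAuthzRecording`); aligning them now avoids a confusing rename once the hidden option is in use. The Description on lines 3299-3300 says the checks are returned in a header but does not name it, and it omits the per-request opt-in that the middleware also honours; appending `Requests can also opt in individually via the x-record-authz-checks header.` would make the option self-describing. The enclosing function continues outside the hunk.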

‎docs/reference/api/general.md‎

Lines changed: 1 addition & 0 deletions

‎docs/reference/api/schemas.md‎

Lines changed: 3 additions & 0 deletions

‎site/src/api/typesGenerated.ts‎

Lines changed: 1 addition & 0 deletions
