Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit9f50b1b

Browse files
committed
chore: push rbac actions to policy package
Moving to support more verbs. It is easier to keep the verbs intheir own package for autogen reasons. Autogen will generate contentin the rbac package. If the verbs are in the rbac package, thenthe autogen can fail if the autogen produces no-valid go code.It's a circular dependency that this commit avoids
1 parentc41d0ef commit9f50b1b

File tree

52 files changed

+970
-925
lines changed

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

52 files changed

+970
-925
lines changed

‎coderd/apikey.go‎

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@ import (
1818
"github.com/coder/coder/v2/coderd/database/dbtime"
1919
"github.com/coder/coder/v2/coderd/httpapi"
2020
"github.com/coder/coder/v2/coderd/httpmw"
21-
"github.com/coder/coder/v2/coderd/rbac"
21+
"github.com/coder/coder/v2/coderd/rbac/policy"
2222
"github.com/coder/coder/v2/coderd/telemetry"
2323
"github.com/coder/coder/v2/codersdk"
2424
)
@@ -255,7 +255,7 @@ func (api *API) tokens(rw http.ResponseWriter, r *http.Request) {
255255
}
256256
}
257257

258-
keys,err=AuthorizeFilter(api.HTTPAuth,r,rbac.ActionRead,keys)
258+
keys,err=AuthorizeFilter(api.HTTPAuth,r,policy.ActionRead,keys)
259259
iferr!=nil {
260260
httpapi.Write(ctx,rw,http.StatusInternalServerError, codersdk.Response{
261261
Message:"Internal error fetching keys.",

‎coderd/authorize.go‎

Lines changed: 6 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -11,13 +11,14 @@ import (
1111
"github.com/coder/coder/v2/coderd/httpapi"
1212
"github.com/coder/coder/v2/coderd/httpmw"
1313
"github.com/coder/coder/v2/coderd/rbac"
14+
"github.com/coder/coder/v2/coderd/rbac/policy"
1415
"github.com/coder/coder/v2/codersdk"
1516
)
1617

1718
// AuthorizeFilter takes a list of objects and returns the filtered list of
1819
// objects that the user is authorized to perform the given action on.
1920
// This is faster than calling Authorize() on each object.
20-
funcAuthorizeFilter[O rbac.Objecter](h*HTTPAuthorizer,r*http.Request,actionrbac.Action,objects []O) ([]O,error) {
21+
funcAuthorizeFilter[O rbac.Objecter](h*HTTPAuthorizer,r*http.Request,actionpolicy.Action,objects []O) ([]O,error) {
2122
roles:=httpmw.UserAuthorization(r)
2223
objects,err:=rbac.Filter(r.Context(),h.Authorizer,roles,action,objects)
2324
iferr!=nil {
@@ -50,7 +51,7 @@ type HTTPAuthorizer struct {
5051
//httpapi.Forbidden(rw)
5152
//return
5253
//}
53-
func (api*API)Authorize(r*http.Request,actionrbac.Action,object rbac.Objecter)bool {
54+
func (api*API)Authorize(r*http.Request,actionpolicy.Action,object rbac.Objecter)bool {
5455
returnapi.HTTPAuth.Authorize(r,action,object)
5556
}
5657

@@ -63,7 +64,7 @@ func (api *API) Authorize(r *http.Request, action rbac.Action, object rbac.Objec
6364
//httpapi.Forbidden(rw)
6465
//return
6566
//}
66-
func (h*HTTPAuthorizer)Authorize(r*http.Request,actionrbac.Action,object rbac.Objecter)bool {
67+
func (h*HTTPAuthorizer)Authorize(r*http.Request,actionpolicy.Action,object rbac.Objecter)bool {
6768
roles:=httpmw.UserAuthorization(r)
6869
err:=h.Authorizer.Authorize(r.Context(),roles,action,object.RBACObject())
6970
iferr!=nil {
@@ -95,7 +96,7 @@ func (h *HTTPAuthorizer) Authorize(r *http.Request, action rbac.Action, object r
9596
// from postgres are already authorized, and the caller does not need to
9697
// call 'Authorize()' on the returned objects.
9798
// Note the authorization is only for the given action and object type.
98-
func (h*HTTPAuthorizer)AuthorizeSQLFilter(r*http.Request,actionrbac.Action,objectTypestring) (rbac.PreparedAuthorized,error) {
99+
func (h*HTTPAuthorizer)AuthorizeSQLFilter(r*http.Request,actionpolicy.Action,objectTypestring) (rbac.PreparedAuthorized,error) {
99100
roles:=httpmw.UserAuthorization(r)
100101
prepared,err:=h.Authorizer.Prepare(r.Context(),roles,action,objectType)
101102
iferr!=nil {
@@ -219,7 +220,7 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) {
219220
obj=dbObj.RBACObject()
220221
}
221222

222-
err:=api.Authorizer.Authorize(ctx,auth,rbac.Action(v.Action),obj)
223+
err:=api.Authorizer.Authorize(ctx,auth,policy.Action(v.Action),obj)
223224
response[k]=err==nil
224225
}
225226

‎coderd/coderd.go‎

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -60,6 +60,7 @@ import (
6060
"github.com/coder/coder/v2/coderd/prometheusmetrics"
6161
"github.com/coder/coder/v2/coderd/provisionerdserver"
6262
"github.com/coder/coder/v2/coderd/rbac"
63+
"github.com/coder/coder/v2/coderd/rbac/policy"
6364
"github.com/coder/coder/v2/coderd/schedule"
6465
"github.com/coder/coder/v2/coderd/telemetry"
6566
"github.com/coder/coder/v2/coderd/tracing"
@@ -1106,7 +1107,7 @@ func New(options *Options) *API {
11061107
// Ensure only owners can access debug endpoints.
11071108
func(next http.Handler) http.Handler {
11081109
returnhttp.HandlerFunc(func(rw http.ResponseWriter,r*http.Request) {
1109-
if!api.Authorize(r,rbac.ActionRead,rbac.ResourceDebugInfo) {
1110+
if!api.Authorize(r,policy.ActionRead,rbac.ResourceDebugInfo) {
11101111
httpapi.ResourceNotFound(rw)
11111112
return
11121113
}

‎coderd/coderdtest/authorize.go‎

Lines changed: 15 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,7 @@ import (
2020
"github.com/coder/coder/v2/coderd/database"
2121
"github.com/coder/coder/v2/coderd/database/dbauthz"
2222
"github.com/coder/coder/v2/coderd/rbac"
23+
"github.com/coder/coder/v2/coderd/rbac/policy"
2324
"github.com/coder/coder/v2/coderd/rbac/regosql"
2425
"github.com/coder/coder/v2/codersdk"
2526
"github.com/coder/coder/v2/cryptorand"
@@ -84,7 +85,7 @@ func (a RBACAsserter) AllCalls() []AuthCall {
8485
// AssertChecked will assert a given rbac check was performed. It does not care
8586
// about order of checks, or any other checks. This is useful when you do not
8687
// care about asserting every check that was performed.
87-
func (aRBACAsserter)AssertChecked(t*testing.T,actionrbac.Action,objects...interface{}) {
88+
func (aRBACAsserter)AssertChecked(t*testing.T,actionpolicy.Action,objects...interface{}) {
8889
converted:=a.convertObjects(t,objects...)
8990
pairs:=make([]ActionObjectPair,0,len(converted))
9091
for_,obj:=rangeconverted {
@@ -95,7 +96,7 @@ func (a RBACAsserter) AssertChecked(t *testing.T, action rbac.Action, objects ..
9596

9697
// AssertInOrder must be called in the correct order of authz checks. If the objects
9798
// or actions are not in the correct order, the test will fail.
98-
func (aRBACAsserter)AssertInOrder(t*testing.T,actionrbac.Action,objects...interface{}) {
99+
func (aRBACAsserter)AssertInOrder(t*testing.T,actionpolicy.Action,objects...interface{}) {
99100
converted:=a.convertObjects(t,objects...)
100101
pairs:=make([]ActionObjectPair,0,len(converted))
101102
for_,obj:=rangeconverted {
@@ -155,13 +156,13 @@ type RecordingAuthorizer struct {
155156
}
156157

157158
typeActionObjectPairstruct {
158-
Actionrbac.Action
159+
Actionpolicy.Action
159160
Object rbac.Object
160161
}
161162

162163
// Pair is on the RecordingAuthorizer to be easy to find and keep the pkg
163164
// interface smaller.
164-
func (*RecordingAuthorizer)Pair(actionrbac.Action,object rbac.Objecter)ActionObjectPair {
165+
func (*RecordingAuthorizer)Pair(actionpolicy.Action,object rbac.Objecter)ActionObjectPair {
165166
returnActionObjectPair{
166167
Action:action,
167168
Object:object.RBACObject(),
@@ -248,7 +249,7 @@ func (r *RecordingAuthorizer) AssertActor(t *testing.T, actor rbac.Subject, did
248249
}
249250

250251
// recordAuthorize is the internal method that records the Authorize() call.
251-
func (r*RecordingAuthorizer)recordAuthorize(subject rbac.Subject,actionrbac.Action,object rbac.Object) {
252+
func (r*RecordingAuthorizer)recordAuthorize(subject rbac.Subject,actionpolicy.Action,object rbac.Object) {
252253
r.Lock()
253254
deferr.Unlock()
254255

@@ -283,15 +284,15 @@ func caller(skip int) string {
283284
returnstr
284285
}
285286

286-
func (r*RecordingAuthorizer)Authorize(ctx context.Context,subject rbac.Subject,actionrbac.Action,object rbac.Object)error {
287+
func (r*RecordingAuthorizer)Authorize(ctx context.Context,subject rbac.Subject,actionpolicy.Action,object rbac.Object)error {
287288
r.recordAuthorize(subject,action,object)
288289
ifr.Wrapped==nil {
289290
panic("Developer error: RecordingAuthorizer.Wrapped is nil")
290291
}
291292
returnr.Wrapped.Authorize(ctx,subject,action,object)
292293
}
293294

294-
func (r*RecordingAuthorizer)Prepare(ctx context.Context,subject rbac.Subject,actionrbac.Action,objectTypestring) (rbac.PreparedAuthorized,error) {
295+
func (r*RecordingAuthorizer)Prepare(ctx context.Context,subject rbac.Subject,actionpolicy.Action,objectTypestring) (rbac.PreparedAuthorized,error) {
295296
r.RLock()
296297
deferr.RUnlock()
297298
ifr.Wrapped==nil {
@@ -325,7 +326,7 @@ type PreparedRecorder struct {
325326
rec*RecordingAuthorizer
326327
prepped rbac.PreparedAuthorized
327328
subject rbac.Subject
328-
actionrbac.Action
329+
actionpolicy.Action
329330

330331
rw sync.Mutex
331332
usingSQLbool
@@ -357,11 +358,11 @@ type FakeAuthorizer struct {
357358

358359
var_ rbac.Authorizer= (*FakeAuthorizer)(nil)
359360

360-
func (d*FakeAuthorizer)Authorize(_ context.Context,_ rbac.Subject,_rbac.Action,_ rbac.Object)error {
361+
func (d*FakeAuthorizer)Authorize(_ context.Context,_ rbac.Subject,_policy.Action,_ rbac.Object)error {
361362
returnd.AlwaysReturn
362363
}
363364

364-
func (d*FakeAuthorizer)Prepare(_ context.Context,subject rbac.Subject,actionrbac.Action,_string) (rbac.PreparedAuthorized,error) {
365+
func (d*FakeAuthorizer)Prepare(_ context.Context,subject rbac.Subject,actionpolicy.Action,_string) (rbac.PreparedAuthorized,error) {
365366
return&fakePreparedAuthorizer{
366367
Original:d,
367368
Subject:subject,
@@ -377,7 +378,7 @@ type fakePreparedAuthorizer struct {
377378
sync.RWMutex
378379
Original*FakeAuthorizer
379380
Subject rbac.Subject
380-
Actionrbac.Action
381+
Actionpolicy.Action
381382
}
382383

383384
func (f*fakePreparedAuthorizer)Authorize(ctx context.Context,object rbac.Object)error {
@@ -392,7 +393,7 @@ func (*fakePreparedAuthorizer) CompileToSQL(_ context.Context, _ regosql.Convert
392393

393394
// Random rbac helper funcs
394395

395-
funcRandomRBACAction()rbac.Action {
396+
funcRandomRBACAction()policy.Action {
396397
all:=rbac.AllActions()
397398
returnall[must(cryptorand.Intn(len(all)))]
398399
}
@@ -403,10 +404,10 @@ func RandomRBACObject() rbac.Object {
403404
Owner:uuid.NewString(),
404405
OrgID:uuid.NewString(),
405406
Type:randomRBACType(),
406-
ACLUserList:map[string][]rbac.Action{
407+
ACLUserList:map[string][]policy.Action{
407408
namesgenerator.GetRandomName(1): {RandomRBACAction()},
408409
},
409-
ACLGroupList:map[string][]rbac.Action{
410+
ACLGroupList:map[string][]policy.Action{
410411
namesgenerator.GetRandomName(1): {RandomRBACAction()},
411412
},
412413
}

‎coderd/coderdtest/authorize_test.go‎

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,7 @@ import (
99

1010
"github.com/coder/coder/v2/coderd/coderdtest"
1111
"github.com/coder/coder/v2/coderd/rbac"
12+
"github.com/coder/coder/v2/coderd/rbac/policy"
1213
)
1314

1415
funcTestAuthzRecorder(t*testing.T) {
@@ -101,7 +102,7 @@ func TestAuthzRecorder(t *testing.T) {
101102
}
102103

103104
// fuzzAuthzPrep has same action and object types for all calls.
104-
funcfuzzAuthzPrep(t*testing.T,prep rbac.PreparedAuthorized,nint,actionrbac.Action,objectTypestring) []coderdtest.ActionObjectPair {
105+
funcfuzzAuthzPrep(t*testing.T,prep rbac.PreparedAuthorized,nint,actionpolicy.Action,objectTypestring) []coderdtest.ActionObjectPair {
105106
t.Helper()
106107
pairs:=make([]coderdtest.ActionObjectPair,0,n)
107108

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp