NotificationsYou must be signed in to change notification settings
Fork928
Star10.1k

Commitf0f39b4

authored

chore: break down dbauthz.System into smaller roles (#6218)

- rbac: export rbac.Permissions- dbauthz: move GetDeploymentDAUs, GetTemplateDAUs, GetTemplateAverageBuildTime from querier.go to system.go and removes auth checks- dbauthz: remove AsSystem(), add individual roles for autostart, provisionerd, add restricted system role for everything else

1 parent84da605 commitf0f39b4Copy full SHA for f0f39b4

File tree

25 files changed

+180

-141

lines changed

coderd
- activitybump.go
- autobuild/executor
  - lifecycle_executor.go
- database/dbauthz
- httpmw
- metricscache
  - metricscache.go
- provisionerdserver
  - provisionerdserver.go
- rbac
- userauth.go
- users.go
- workspaceagents.go
- workspaceapps.go
- workspaceresourceauth.go
enterprise/coderd
- coderd_test.go
- scim.go
provisionerd/runner
- runner.go

25 files changed

+180

-141

lines changed

`‎coderd/activitybump.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -83,7 +83,7 @@ func activityBumpWorkspace(ctx context.Context, log slog.Logger, db database.Sto`
`83`	`83`	`},nil)`
`84`	`84`	`iferr!=nil {`
`85`	`85`	`if!xerrors.Is(err,context.Canceled) {`
`86`		`-// Bump will fail if the context iscancelled, but this is ok.`
	`86`	`+// Bump will fail if the context iscanceled, but this is ok.`
`87`	`87`	`log.Error(ctx,"bump failed",slog.Error(err),`
`88`	`88`	`slog.F("workspace_id",workspaceID),`
`89`	`89`	`)`

`‎coderd/autobuild/executor/lifecycle_executor.go`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -34,8 +34,8 @@ type Stats struct {`
`34`	`34`	`// New returns a new autobuild executor.`
`35`	`35`	`funcNew(ctx context.Context,db database.Store,log slog.Logger,tick<-chan time.Time)*Executor {`
`36`	`36`	`le:=&Executor{`
`37`		`-//nolint:gocritic //TODO: make an autostart role insteadofusing System`
`38`		`-ctx:dbauthz.AsSystem(ctx),`
	`37`	`+//nolint:gocritic //Autostart has a limited setofpermissions.`
	`38`	`+ctx:dbauthz.AsAutostart(ctx),`
`39`	`39`	`db:db,`
`40`	`40`	`tick:tick,`
`41`	`41`	`log:log,`

`‎coderd/database/dbauthz/dbauthz.go`

Lines changed: 65 additions & 21 deletions

Original file line number	Diff line number	Diff line change
`@@ -46,12 +46,12 @@ func logNotAuthorizedError(ctx context.Context, logger slog.Logger, err error) e`
`46`	`46`	`iferr!=nil&&xerrors.As(err,&internalError) {`
`47`	`47`	`e:=new(topdown.Error)`
`48`	`48`	`ifxerrors.As(err,&e)\|\|e.Code==topdown.CancelErr {`
`49`		`-// For some reason rego changes acancelled context to a topdown.CancelErr. We`
`50`		`-// expect to check forcancelled context errors if the user cancels the request,`
	`49`	`+// For some reason rego changes acanceled context to a topdown.CancelErr. We`
	`50`	`+// expect to check forcanceled context errors if the user cancels the request,`
`51`	`51`	`// so we should change the error to a context.Canceled error.`
`52`	`52`	`//`
`53`	`53`	`// NotAuthorizedError is == to sql.ErrNoRows, which is not correct`
`54`		`-// if it's actually acancelled context.`
	`54`	`+// if it's actually acanceled context.`
`55`	`55`	`internalError.SetInternal(context.Canceled)`
`56`	`56`	`returninternalError`
`57`	`57`	`}`
`@@ -117,29 +117,73 @@ func ActorFromContext(ctx context.Context) (rbac.Subject, bool) {`
`117`	`117`	`returna,ok`
`118`	`118`	`}`
`119`	`119`
`120`		`-// AsSystem returns a context with a system actor. This is used for internal`
`121`		`-// system operations that are not tied to any particular actor.`
`122`		`-// When you use this function, be sure to add a //nolint comment`
`123`		`-// explaining why it is necessary.`
`124`		`-//`
`125`		`-// We trust you have received the usual lecture from the local System`
`126`		`-// Administrator. It usually boils down to these three things:`
`127`		`-// #1) Respect the privacy of others.`
`128`		`-// #2) Think before you type.`
`129`		`-// #3) With great power comes great responsibility.`
`130`		`-funcAsSystem(ctx context.Context) context.Context {`
	`120`	`+// AsProvisionerd returns a context with an actor that has permissions required`
	`121`	`+// for provisionerd to function.`
	`122`	`+funcAsProvisionerd(ctx context.Context) context.Context {`
	`123`	`+returncontext.WithValue(ctx,authContextKey{}, rbac.Subject{`
	`124`	`+ID:uuid.Nil.String(),`
	`125`	`+Roles:rbac.Roles([]rbac.Role{`
	`126`	`+{`
	`127`	`+Name:"provisionerd",`
	`128`	`+DisplayName:"Provisioner Daemon",`
	`129`	`+Site:rbac.Permissions(map[string][]rbac.Action{`
	`130`	`+rbac.ResourceFile.Type: {rbac.ActionRead},`
	`131`	`+rbac.ResourceTemplate.Type: {rbac.ActionRead,rbac.ActionUpdate},`
	`132`	`+rbac.ResourceUser.Type: {rbac.ActionRead},`
	`133`	`+rbac.ResourceWorkspace.Type: {rbac.ActionRead,rbac.ActionUpdate,rbac.ActionDelete},`
	`134`	`+}),`
	`135`	`+Org:map[string][]rbac.Permission{},`
	`136`	`+User: []rbac.Permission{},`
	`137`	`+},`
	`138`	`+}),`
	`139`	`+Scope:rbac.ScopeAll,`
	`140`	`+},`
	`141`	`+)`
	`142`	`+}`
	`143`	`+`
	`144`	`+// AsAutostart returns a context with an actor that has permissions required`
	`145`	`+// for autostart to function.`
	`146`	`+funcAsAutostart(ctx context.Context) context.Context {`
	`147`	`+returncontext.WithValue(ctx,authContextKey{}, rbac.Subject{`
	`148`	`+ID:uuid.Nil.String(),`
	`149`	`+Roles:rbac.Roles([]rbac.Role{`
	`150`	`+{`
	`151`	`+Name:"autostart",`
	`152`	`+DisplayName:"Autostart Daemon",`
	`153`	`+Site:rbac.Permissions(map[string][]rbac.Action{`
	`154`	`+rbac.ResourceTemplate.Type: {rbac.ActionRead,rbac.ActionUpdate},`
	`155`	`+rbac.ResourceWorkspace.Type: {rbac.ActionRead,rbac.ActionUpdate},`
	`156`	`+}),`
	`157`	`+Org:map[string][]rbac.Permission{},`
	`158`	`+User: []rbac.Permission{},`
	`159`	`+},`
	`160`	`+}),`
	`161`	`+Scope:rbac.ScopeAll,`
	`162`	`+},`
	`163`	`+)`
	`164`	`+}`
	`165`	`+`
	`166`	`+// AsSystemRestricted returns a context with an actor that has permissions`
	`167`	`+// required for various system operations (login, logout, metrics cache).`
	`168`	`+funcAsSystemRestricted(ctx context.Context) context.Context {`
`131`	`169`	`returncontext.WithValue(ctx,authContextKey{}, rbac.Subject{`
`132`	`170`	`ID:uuid.Nil.String(),`
`133`	`171`	`Roles:rbac.Roles([]rbac.Role{`
`134`	`172`	`{`
`135`	`173`	`Name:"system",`
`136`		`-DisplayName:"System",`
`137`		`-Site: []rbac.Permission{`
`138`		`-{`
`139`		`-ResourceType:rbac.ResourceWildcard.Type,`
`140`		`-Action:rbac.WildcardSymbol,`
`141`		`-},`
`142`		`-},`
	`174`	`+DisplayName:"Coder",`
	`175`	`+Site:rbac.Permissions(map[string][]rbac.Action{`
	`176`	`+rbac.ResourceWildcard.Type: {rbac.ActionRead},`
	`177`	`+rbac.ResourceAPIKey.Type: {rbac.ActionCreate,rbac.ActionUpdate,rbac.ActionDelete},`
	`178`	`+rbac.ResourceGroup.Type: {rbac.ActionCreate,rbac.ActionUpdate},`
	`179`	`+rbac.ResourceRoleAssignment.Type: {rbac.ActionCreate},`
	`180`	`+rbac.ResourceOrganization.Type: {rbac.ActionCreate},`
	`181`	`+rbac.ResourceOrganizationMember.Type: {rbac.ActionCreate},`
	`182`	`+rbac.ResourceOrgRoleAssignment.Type: {rbac.ActionCreate},`
	`183`	`+rbac.ResourceUser.Type: {rbac.ActionCreate,rbac.ActionUpdate,rbac.ActionDelete},`
	`184`	`+rbac.ResourceUserData.Type: {rbac.ActionCreate,rbac.ActionUpdate},`
	`185`	`+rbac.ResourceWorkspace.Type: {rbac.ActionUpdate},`
	`186`	`+}),`
`143`	`187`	`Org:map[string][]rbac.Permission{},`
`144`	`188`	`User: []rbac.Permission{},`
`145`	`189`	`},`

`‎coderd/database/dbauthz/querier.go`

Lines changed: 0 additions & 26 deletions

Original file line number	Diff line number	Diff line change
`@@ -327,13 +327,6 @@ func (q *querier) GetProvisionerDaemons(ctx context.Context) ([]database.Provisi`
`327`	`327`	`returnfetchWithPostFilter(q.auth,fetch)(ctx,nil)`
`328`	`328`	`}`
`329`	`329`
`330`		`-func (q*querier)GetDeploymentDAUs(ctx context.Context) ([]database.GetDeploymentDAUsRow,error) {`
`331`		`-iferr:=q.authorizeContext(ctx,rbac.ActionRead,rbac.ResourceUser.All());err!=nil {`
`332`		`-returnnil,err`
`333`		`-}`
`334`		`-returnq.db.GetDeploymentDAUs(ctx)`
`335`		`-}`
`336`		`-`
`337`	`330`	`func (q*querier)GetGroupsByOrganizationID(ctx context.Context,organizationID uuid.UUID) ([]database.Group,error) {`
`338`	`331`	`returnfetchWithPostFilter(q.auth,q.db.GetGroupsByOrganizationID)(ctx,organizationID)`
`339`	`332`	`}`
`@@ -622,16 +615,6 @@ func (q *querier) GetPreviousTemplateVersion(ctx context.Context, arg database.G`
`622`	`615`	`returnq.db.GetPreviousTemplateVersion(ctx,arg)`
`623`	`616`	`}`
`624`	`617`
`625`		`-func (q*querier)GetTemplateAverageBuildTime(ctx context.Context,arg database.GetTemplateAverageBuildTimeParams) (database.GetTemplateAverageBuildTimeRow,error) {`
`626`		`-// An actor can read the average build time if they can read the related template.`
`627`		`-// It doesn't make any sense to get the average build time for a template that doesn't`
`628`		`-// exist, so omitting this check here.`
`629`		`-if_,err:=q.GetTemplateByID(ctx,arg.TemplateID.UUID);err!=nil {`
`630`		`-return database.GetTemplateAverageBuildTimeRow{},err`
`631`		`-}`
`632`		`-returnq.db.GetTemplateAverageBuildTime(ctx,arg)`
`633`		`-}`
`634`		`-`
`635`	`618`	`func (q*querier)GetTemplateByID(ctx context.Context,id uuid.UUID) (database.Template,error) {`
`636`	`619`	`returnfetch(q.log,q.auth,q.db.GetTemplateByID)(ctx,id)`
`637`	`620`	`}`
`@@ -640,15 +623,6 @@ func (q *querier) GetTemplateByOrganizationAndName(ctx context.Context, arg data`
`640`	`623`	`returnfetch(q.log,q.auth,q.db.GetTemplateByOrganizationAndName)(ctx,arg)`
`641`	`624`	`}`
`642`	`625`
`643`		`-func (q*querier)GetTemplateDAUs(ctx context.Context,templateID uuid.UUID) ([]database.GetTemplateDAUsRow,error) {`
`644`		`-// An actor can read the DAUs if they can read the related template.`
`645`		`-// Again, it doesn't make sense to get DAUs for a template that doesn't exist.`
`646`		`-if_,err:=q.GetTemplateByID(ctx,templateID);err!=nil {`
`647`		`-returnnil,err`
`648`		`-}`
`649`		`-returnq.db.GetTemplateDAUs(ctx,templateID)`
`650`		`-}`
`651`		`-`
`652`	`626`	`func (q*querier)GetTemplateVersionByID(ctx context.Context,tvid uuid.UUID) (database.TemplateVersion,error) {`
`653`	`627`	`tv,err:=q.db.GetTemplateVersionByID(ctx,tvid)`
`654`	`628`	`iferr!=nil {`

`‎coderd/database/dbauthz/querier_test.go`

Lines changed: 0 additions & 13 deletions

Original file line number	Diff line number	Diff line change
`@@ -540,12 +540,6 @@ func (s *MethodTestSuite) TestTemplate() {`
`540`	`540`	`TemplateID: uuid.NullUUID{UUID:t1.ID,Valid:true},`
`541`	`541`	`}).Asserts(t1,rbac.ActionRead).Returns(b)`
`542`	`542`	`}))`
`543`		`-s.Run("GetTemplateAverageBuildTime",s.Subtest(func(db database.Store,check*expects) {`
`544`		`-t1:=dbgen.Template(s.T(),db, database.Template{})`
`545`		`-check.Args(database.GetTemplateAverageBuildTimeParams{`
`546`		`-TemplateID: uuid.NullUUID{UUID:t1.ID,Valid:true},`
`547`		`-}).Asserts(t1,rbac.ActionRead)`
`548`		`-}))`
`549`	`543`	`s.Run("GetTemplateByID",s.Subtest(func(db database.Store,check*expects) {`
`550`	`544`	`t1:=dbgen.Template(s.T(),db, database.Template{})`
`551`	`545`	`check.Args(t1.ID).Asserts(t1,rbac.ActionRead).Returns(t1)`
`@@ -560,10 +554,6 @@ func (s *MethodTestSuite) TestTemplate() {`
`560`	`554`	`OrganizationID:o1.ID,`
`561`	`555`	`}).Asserts(t1,rbac.ActionRead).Returns(t1)`
`562`	`556`	`}))`
`563`		`-s.Run("GetTemplateDAUs",s.Subtest(func(db database.Store,check*expects) {`
`564`		`-t1:=dbgen.Template(s.T(),db, database.Template{})`
`565`		`-check.Args(t1.ID).Asserts(t1,rbac.ActionRead)`
`566`		`-}))`
`567`	`557`	`s.Run("GetTemplateVersionByJobID",s.Subtest(func(db database.Store,check*expects) {`
`568`	`558`	`t1:=dbgen.Template(s.T(),db, database.Template{})`
`569`	`559`	`tv:=dbgen.TemplateVersion(s.T(),db, database.TemplateVersion{`
`@@ -1220,7 +1210,4 @@ func (s *MethodTestSuite) TestExtraMethods() {`
`1220`	`1210`	`s.NoError(err,"insert provisioner daemon")`
`1221`	`1211`	`check.Args().Asserts(d,rbac.ActionRead)`
`1222`	`1212`	`}))`
`1223`		`-s.Run("GetDeploymentDAUs",s.Subtest(func(db database.Store,check*expects) {`
`1224`		`-check.Args().Asserts(rbac.ResourceUser.All(),rbac.ActionRead)`
`1225`		`-}))`
`1226`	`1213`	`}`

`‎coderd/database/dbauthz/setup_test.go`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -226,8 +226,8 @@ func (s MethodTestSuite) NotAuthorizedErrorTest(ctx context.Context, az coderd`
`226`	`226`	`}`
`227`	`227`	`})`
`228`	`228`
`229`		`-s.Run("Cancelled",func() {`
`230`		`-// Pass in acancelled context`
	`229`	`+s.Run("Canceled",func() {`
	`230`	`+// Pass in acanceled context`
`231`	`231`	`ctx,cancel:=context.WithCancel(ctx)`
`232`	`232`	`cancel()`
`233`	`233`	`az.AlwaysReturn=rbac.ForbiddenWithInternal(&topdown.Error{Code:topdown.CancelErr},`

`‎coderd/database/dbauthz/system.go`

Lines changed: 15 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -96,6 +96,21 @@ func (q *querier) GetTemplates(ctx context.Context) ([]database.Template, error)`
`96`	`96`	`returnq.db.GetTemplates(ctx)`
`97`	`97`	`}`
`98`	`98`
	`99`	`+// Only used by metrics cache.`
	`100`	`+func (q*querier)GetTemplateAverageBuildTime(ctx context.Context,arg database.GetTemplateAverageBuildTimeParams) (database.GetTemplateAverageBuildTimeRow,error) {`
	`101`	`+returnq.db.GetTemplateAverageBuildTime(ctx,arg)`
	`102`	`+}`
	`103`	`+`
	`104`	`+// Only used by metrics cache.`
	`105`	`+func (q*querier)GetTemplateDAUs(ctx context.Context,templateID uuid.UUID) ([]database.GetTemplateDAUsRow,error) {`
	`106`	`+returnq.db.GetTemplateDAUs(ctx,templateID)`
	`107`	`+}`
	`108`	`+`
	`109`	`+// Only used by metrics cache.`
	`110`	`+func (q*querier)GetDeploymentDAUs(ctx context.Context) ([]database.GetDeploymentDAUsRow,error) {`
	`111`	`+returnq.db.GetDeploymentDAUs(ctx)`
	`112`	`+}`
	`113`	`+`
`99`	`114`	`// UpdateWorkspaceBuildCostByID is used by the provisioning system to update the cost of a workspace build.`
`100`	`115`	`func (q*querier)UpdateWorkspaceBuildCostByID(ctx context.Context,arg database.UpdateWorkspaceBuildCostByIDParams) (database.WorkspaceBuild,error) {`
`101`	`116`	`returnq.db.UpdateWorkspaceBuildCostByID(ctx,arg)`

`‎coderd/httpmw/apikey.go`

Lines changed: 6 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -161,7 +161,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {`
`161`	`161`	`}`
`162`	`162`
`163`	`163`	`//nolint:gocritic // System needs to fetch API key to check if it's valid.`
`164`		`-key,err:=cfg.DB.GetAPIKeyByID(dbauthz.AsSystem(ctx),keyID)`
	`164`	`+key,err:=cfg.DB.GetAPIKeyByID(dbauthz.AsSystemRestricted(ctx),keyID)`
`165`	`165`	`iferr!=nil {`
`166`	`166`	`iferrors.Is(err,sql.ErrNoRows) {`
`167`	`167`	`optionalWrite(http.StatusUnauthorized, codersdk.Response{`
`@@ -195,7 +195,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {`
`195`	`195`	`)`
`196`	`196`	`ifkey.LoginType==database.LoginTypeGithub\|\|key.LoginType==database.LoginTypeOIDC {`
`197`	`197`	`//nolint:gocritic // System needs to fetch UserLink to check if it's valid.`
`198`		`-link,err=cfg.DB.GetUserLinkByUserIDLoginType(dbauthz.AsSystem(ctx), database.GetUserLinkByUserIDLoginTypeParams{`
	`198`	`+link,err=cfg.DB.GetUserLinkByUserIDLoginType(dbauthz.AsSystemRestricted(ctx), database.GetUserLinkByUserIDLoginTypeParams{`
`199`	`199`	`UserID:key.UserID,`
`200`	`200`	`LoginType:key.LoginType,`
`201`	`201`	`})`
`@@ -279,7 +279,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {`
`279`	`279`	`}`
`280`	`280`	`ifchanged {`
`281`	`281`	`//nolint:gocritic // System needs to update API Key LastUsed`
`282`		`-err:=cfg.DB.UpdateAPIKeyByID(dbauthz.AsSystem(ctx), database.UpdateAPIKeyByIDParams{`
	`282`	`+err:=cfg.DB.UpdateAPIKeyByID(dbauthz.AsSystemRestricted(ctx), database.UpdateAPIKeyByIDParams{`
`283`	`283`	`ID:key.ID,`
`284`	`284`	`LastUsed:key.LastUsed,`
`285`	`285`	`ExpiresAt:key.ExpiresAt,`
`@@ -296,7 +296,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {`
`296`	`296`	`// then we want to update the relevant oauth fields.`
`297`	`297`	`iflink.UserID!=uuid.Nil {`
`298`	`298`	`// nolint:gocritic`
`299`		`-link,err=cfg.DB.UpdateUserLink(dbauthz.AsSystem(ctx), database.UpdateUserLinkParams{`
	`299`	`+link,err=cfg.DB.UpdateUserLink(dbauthz.AsSystemRestricted(ctx), database.UpdateUserLinkParams{`
`300`	`300`	`UserID:link.UserID,`
`301`	`301`	`LoginType:link.LoginType,`
`302`	`302`	`OAuthAccessToken:link.OAuthAccessToken,`
`@@ -316,7 +316,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {`
`316`	`316`	`// load. We update alongside the UserLink and APIKey since it's`
`317`	`317`	`// easier on the DB to colocate writes.`
`318`	`318`	`// nolint:gocritic`
`319`		`-_,err=cfg.DB.UpdateUserLastSeenAt(dbauthz.AsSystem(ctx), database.UpdateUserLastSeenAtParams{`
	`319`	`+_,err=cfg.DB.UpdateUserLastSeenAt(dbauthz.AsSystemRestricted(ctx), database.UpdateUserLastSeenAtParams{`
`320`	`320`	`ID:key.UserID,`
`321`	`321`	`LastSeenAt:database.Now(),`
`322`	`322`	`UpdatedAt:database.Now(),`
`@@ -334,7 +334,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {`
`334`	`334`	`// The roles are used for RBAC authorize checks, and the status`
`335`	`335`	`// is to block 'suspended' users from accessing the platform.`
`336`	`336`	`// nolint:gocritic`
`337`		`-roles,err:=cfg.DB.GetAuthorizationUserRoles(dbauthz.AsSystem(ctx),key.UserID)`
	`337`	`+roles,err:=cfg.DB.GetAuthorizationUserRoles(dbauthz.AsSystemRestricted(ctx),key.UserID)`
`338`	`338`	`iferr!=nil {`
`339`	`339`	`write(http.StatusUnauthorized, codersdk.Response{`
`340`	`340`	`Message:internalErrorMessage,`

`‎coderd/httpmw/authz.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ func AsAuthzSystem(mws ...func(http.Handler) http.Handler) func(http.Handler) ht`
`28`	`28`	`}`
`29`	`29`
`30`	`30`	`// nolint:gocritic // AsAuthzSystem needs to do this.`
`31`		`-r=r.WithContext(dbauthz.AsSystem(ctx))`
	`31`	`+r=r.WithContext(dbauthz.AsSystemRestricted(ctx))`
`32`	`32`	`chain.Handler(http.HandlerFunc(func(rw http.ResponseWriter,r*http.Request) {`
`33`	`33`	`r=r.WithContext(dbauthz.As(r.Context(),before))`
`34`	`34`	`next.ServeHTTP(rw,r)`

`‎coderd/httpmw/hsts_test.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -96,7 +96,7 @@ func TestHSTS(t *testing.T) {`
`96`	`96`	`req:=httptest.NewRequest("GET","/",nil)`
`97`	`97`	`res:=httptest.NewRecorder()`
`98`	`98`	`got.ServeHTTP(res,req)`
`99`		`-`
	`99`	`+`
`100`	`100`	`require.Equal(t,tt.expectHeader,res.Header().Get("Strict-Transport-Security"),"expected header value")`
`101`	`101`	`})`
`102`	`102`	`}`

`‎coderd/httpmw/userparam.go`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -70,7 +70,7 @@ func ExtractUserParam(db database.Store, redirectToLoginOnMe bool) func(http.Han`
`70`	`70`	`return`
`71`	`71`	`}`
`72`	`72`	`//nolint:gocritic // System needs to be able to get user from param.`
`73`		`-user,err=db.GetUserByID(dbauthz.AsSystem(ctx),apiKey.UserID)`
	`73`	`+user,err=db.GetUserByID(dbauthz.AsSystemRestricted(ctx),apiKey.UserID)`
`74`	`74`	`ifxerrors.Is(err,sql.ErrNoRows) {`
`75`	`75`	`httpapi.ResourceNotFound(rw)`
`76`	`76`	`return`
`@@ -84,7 +84,7 @@ func ExtractUserParam(db database.Store, redirectToLoginOnMe bool) func(http.Han`
`84`	`84`	`}`
`85`	`85`	`}elseifuserID,err:=uuid.Parse(userQuery);err==nil {`
`86`	`86`	`//nolint:gocritic // If the userQuery is a valid uuid`
`87`		`-user,err=db.GetUserByID(dbauthz.AsSystem(ctx),userID)`
	`87`	`+user,err=db.GetUserByID(dbauthz.AsSystemRestricted(ctx),userID)`
`88`	`88`	`iferr!=nil {`
`89`	`89`	`httpapi.Write(ctx,rw,http.StatusBadRequest, codersdk.Response{`
`90`	`90`	`Message:userErrorMessage,`
`@@ -93,7 +93,7 @@ func ExtractUserParam(db database.Store, redirectToLoginOnMe bool) func(http.Han`
`93`	`93`	`}`
`94`	`94`	`}else {`
`95`	`95`	`// nolint:gocritic // Try as a username last`
`96`		`-user,err=db.GetUserByEmailOrUsername(dbauthz.AsSystem(ctx), database.GetUserByEmailOrUsernameParams{`
	`96`	`+user,err=db.GetUserByEmailOrUsername(dbauthz.AsSystemRestricted(ctx), database.GetUserByEmailOrUsernameParams{`
`97`	`97`	`Username:userQuery,`
`98`	`98`	`})`
`99`	`99`	`iferr!=nil {`

`‎coderd/httpmw/workspaceagent.go`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ func ExtractWorkspaceAgent(db database.Store) func(http.Handler) http.Handler {`
`48`	`48`	`return`
`49`	`49`	`}`
`50`	`50`	`//nolint:gocritic // System needs to be able to get workspace agents.`
`51`		`-agent,err:=db.GetWorkspaceAgentByAuthToken(dbauthz.AsSystem(ctx),token)`
	`51`	`+agent,err:=db.GetWorkspaceAgentByAuthToken(dbauthz.AsSystemRestricted(ctx),token)`
`52`	`52`	`iferr!=nil {`
`53`	`53`	`iferrors.Is(err,sql.ErrNoRows) {`
`54`	`54`	`httpapi.Write(ctx,rw,http.StatusUnauthorized, codersdk.Response{`
`@@ -66,7 +66,7 @@ func ExtractWorkspaceAgent(db database.Store) func(http.Handler) http.Handler {`
`66`	`66`	`}`
`67`	`67`
`68`	`68`	`//nolint:gocritic // System needs to be able to get workspace agents.`
`69`		`-subject,err:=getAgentSubject(dbauthz.AsSystem(ctx),db,agent)`
	`69`	`+subject,err:=getAgentSubject(dbauthz.AsSystemRestricted(ctx),db,agent)`
`70`	`70`	`iferr!=nil {`
`71`	`71`	`httpapi.Write(ctx,rw,http.StatusInternalServerError, codersdk.Response{`
`72`	`72`	`Message:"Internal error fetching workspace agent.",`

`‎coderd/metricscache/metricscache.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -144,7 +144,7 @@ func countUniqueUsers(rows []database.GetTemplateDAUsRow) int {`
`144`	`144`
`145`	`145`	`func (c*Cache)refresh(ctx context.Context)error {`
`146`	`146`	`//nolint:gocritic // This is a system service.`
`147`		`-ctx=dbauthz.AsSystem(ctx)`
	`147`	`+ctx=dbauthz.AsSystemRestricted(ctx)`
`148`	`148`	`err:=c.database.DeleteOldAgentStats(ctx)`
`149`	`149`	`iferr!=nil {`
`150`	`150`	`returnxerrors.Errorf("delete old stats: %w",err)`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitf0f39b4

File tree

25 files changed

25 files changed

`‎coderd/activitybump.go`

`‎coderd/autobuild/executor/lifecycle_executor.go`

`‎coderd/database/dbauthz/dbauthz.go`

`‎coderd/database/dbauthz/querier.go`

`‎coderd/database/dbauthz/querier_test.go`

`‎coderd/database/dbauthz/setup_test.go`

`‎coderd/database/dbauthz/system.go`

`‎coderd/httpmw/apikey.go`

`‎coderd/httpmw/authz.go`

`‎coderd/httpmw/hsts_test.go`

`‎coderd/httpmw/userparam.go`

`‎coderd/httpmw/workspaceagent.go`

`‎coderd/metricscache/metricscache.go`

0 commit comments