Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

feat: Implement list roles & enforce authorize examples#1273

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
Emyrk merged 16 commits intomainfromstevenmasley/list_roles
May 3, 2022

Conversation

Emyrk
Copy link
Member

@EmyrkEmyrk commentedMay 3, 2022
edited
Loading

This is the first step to enforcing rbac roles for our endpoints. This also adds the endpoints to list the roles available to assign.

@codecov
Copy link

codecovbot commentedMay 3, 2022
edited
Loading

Codecov Report

Merging#1273 (c86c67c) intomain (e530ab2) willincrease coverage by0.11%.
The diff coverage is76.72%.

@@            Coverage Diff             @@##             main    #1273      +/-   ##==========================================+ Coverage   65.96%   66.07%   +0.11%==========================================  Files         277      280       +3       Lines       18230    18384     +154       Branches      216      216              ==========================================+ Hits        12025    12147     +122- Misses       4956     4973      +17- Partials     1249     1264      +15
FlagCoverage Δ
unittest-go-macos-latest53.49% <73.58%> (+0.26%)⬆️
unittest-go-postgres-64.89% <76.72%> (+0.02%)⬆️
unittest-go-ubuntu-latest55.99% <73.58%> (+0.31%)⬆️
unittest-go-windows-202251.92% <73.58%> (+0.27%)⬆️
unittest-js70.69% <ø> (ø)
Impacted FilesCoverage Δ
coderd/rbac/object.go100.00% <ø> (ø)
coderd/httpmw/authorize.go68.18% <68.18%> (ø)
codersdk/roles.go72.72% <72.72%> (ø)
coderd/rbac/builtin.go92.42% <75.00%> (-3.88%)⬇️
coderd/coderd.go94.44% <87.09%> (-1.14%)⬇️
coderd/database/queries.sql.go78.10% <100.00%> (+0.06%)⬆️
coderd/roles.go100.00% <100.00%> (ø)
coderd/workspaceagents.go56.04% <0.00%> (-2.80%)⬇️
provisionerd/provisionerd.go76.17% <0.00%> (-0.54%)⬇️
coderd/provisionerdaemons.go62.98% <0.00%> (-0.51%)⬇️
... and8 more

Continue to review full report at Codecov.

Legend -Click here to learn more
Δ = absolute <relative> (impact),ø = not affected,? = missing data
Powered byCodecov. Last updatee530ab2...c86c67c. Read thecomment docs.

@@ -48,6 +50,7 @@ type Options struct {
SecureAuthCookie bool
SSHKeygenAlgorithm gitsshkey.Algorithm
TURNServer *turnconn.Server
Authorizer *rbac.RegoAuthorizer
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Does this need to be exposed via options? It doesn't seem to be used outside of here.

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I was thinking of making it an interface that is "denyall" or something to trigger in unit tests. But for now, we don't, so I'll drop it fromOptions

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Ah wait yes.@kylecarbs this will be needed if you decide to do the rbacAuthorize() check manually inside the function, instead of the middleware. So this is required.

Copy link
Member

@kylecarbskylecarbsMay 3, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

This could go onapi instead, that way tests couldn't mistakenly pass it viaOptions.

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Right now nothing else is on the api only like that.

coder/coderd/coderd.go

Lines 333 to 338 indb04d67

typeapistruct {
*Options
websocketWaitMutex sync.Mutex
websocketWaitGroup sync.WaitGroup
}

I don't think it'd be bad to pass one in via options 🤷‍♂️

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Oh my bad, I thought there was precedent for this 🤦

If you feel like it's fine I'll defer, but I generally think it's hasty to expose a value unless it needs to be used elsewhere. It's really easy to expose a parameter, but much harder to hide one.

// Authorize will enforce if the user roles can complete the action on the AuthObject.
// The organization and owner are found using the ExtractOrganization and
// ExtractUser middleware if present.
func Authorize(logger slog.Logger, auth *rbac.RegoAuthorizer, action rbac.Action) func(http.Handler) http.Handler {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Authorize feels like action, not something that would return a handler.

What do you think about renaming this toEnforceRBAC?

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I thinkEnforceRBAC is also weak though. I was thinking the packagehttpmw provides enough context, and it does do the actionAuthorize().

Authorize is the correct word for what is happening, as it's not authentication. I feelEnforceRBAC doesn't indicate theobject andaction are included.

Another word that comes to mind is "Access". Idk,EnforceAccess,EnforcePermissions. MaybeEnforceRBAC isn't that bad, just felt odd to me at first.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Fair enough. I'm primarily trying to display that theRBAC package is being leveraged when calling this handle.Enforce is a bit sketchy too.

While it isauthorizing, I'm nervous that this will get conflated with authentication really easily.

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

yea this is classic authorization vs authentication. If you aren't familiar with it, it's easy to mix up.

kylecarbs reacted with thumbs up emoji
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Agreed agreed

@EmyrkEmyrk requested a review fromkylecarbsMay 3, 2022 19:50

// WithRBACObject sets the object for 'Authorize()' for all routes handled
// by this middleware. The important field to set is 'Type'
func WithRBACObject(object rbac.Object) func(http.Handler) http.Handler {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

It might be confusing that this is calledWithRBACObject, but the values arerbac.ResourceX. It could be helpful to make these the same names!

// Authorize will enforce if the user roles can complete the action on the AuthObject.
// The organization and owner are found using the ExtractOrganization and
// ExtractUser middleware if present.
func Authorize(logger slog.Logger, auth *rbac.RegoAuthorizer, action rbac.Action) func(http.Handler) http.Handler {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Agreed agreed

@EmyrkEmyrk merged commitd0293e4 intomainMay 3, 2022
@EmyrkEmyrk deleted the stevenmasley/list_roles branchMay 3, 2022 21:10
@missknissmisskniss added this to theV2 Beta milestoneMay 15, 2022
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Reviewers

@kylecarbskylecarbskylecarbs approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
V2 Beta
Development

Successfully merging this pull request may close these issues.

3 participants
@Emyrk@kylecarbs@misskniss
[8]ページ先頭
©2009-2025 Movatter.jp