May 3, 2022 · May 3, 2022 · May 3, 2022 · May 3, 2022 · May 3, 2022 · May 3, 2022
diff --git a/coderd/coderd.go b/coderd/coderd.go
 "github.com/go-chi/chi/v5"
 "github.com/go-chi/chi/v5/middleware"
 "github.com/pion/webrtc/v3"
 "golang.org/x/xerrors"
 "google.golang.org/api/idtoken"

 chitrace"gopkg.in/DataDog/dd-trace-go.v1/contrib/go-chi/chi.v5"
 "github.com/coder/coder/coderd/gitsshkey"
 "github.com/coder/coder/coderd/httpapi"
 "github.com/coder/coder/coderd/httpmw"
 "github.com/coder/coder/coderd/rbac"
 "github.com/coder/coder/coderd/turnconn"
 "github.com/coder/coder/codersdk"
 "github.com/coder/coder/site"
 SecureAuthCookiebool
 SSHKeygenAlgorithm   gitsshkey.Algorithm
 TURNServer*turnconn.Server
 Authorizer*rbac.RegoAuthorizer
 }

 // New constructs the Coder API into an HTTP handler.
 ifoptions.APIRateLimit==0 {
 options.APIRateLimit=512
 }
 ifoptions.Authorizer==nil {
 varerrerror
 options.Authorizer,err=rbac.NewAuthorizer()
 iferr!=nil {
 // This should never happen, as the unit tests would fail if the
 // default built in authorizer failed.
 panic(xerrors.Errorf("rego authorize panic: %w",err))
 }
 }
 api:=&api{
 Options:options,
 }
 apiKeyMiddleware:=httpmw.ExtractAPIKey(options.Database,&httpmw.OAuth2Configs{
 Github:options.GithubOAuth2Config,
 })

 // TODO: @emyrk we should just move this into 'ExtractAPIKey'.
 authRolesMiddleware:=httpmw.ExtractUserRoles(options.Database)

 authorize:=func(f http.HandlerFunc,actions rbac.Action) http.HandlerFunc {
 returnhttpmw.Authorize(api.Logger,api.Authorizer,actions)(f).ServeHTTP
 }

 r:=chi.NewRouter()

 r.Use(
 r.Use(
 apiKeyMiddleware,
 httpmw.ExtractOrganizationParam(options.Database),
 authRolesMiddleware,
 )
 r.Get("/",api.organization)
 r.Get("/provisionerdaemons",api.provisionerDaemonsByOrganization)
 })
 })
 r.Route("/members",func(r chi.Router) {
 r.Route("/roles",func(r chi.Router) {
 r.Use(httpmw.WithRBACObject(rbac.ResourceUserRole))
 r.Get("/",authorize(api.assignableOrgRoles,rbac.ActionRead))
 })
 r.Route("/{user}",func(r chi.Router) {
 r.Use(
 httpmw.ExtractUserParam(options.Database),
 })
 })
 r.Group(func(r chi.Router) {
 r.Use(apiKeyMiddleware)
 r.Use(
 apiKeyMiddleware,
 authRolesMiddleware,
 )
 r.Post("/",api.postUser)
 r.Get("/",api.users)
 // These routes query information about site wide roles.
 r.Route("/roles",func(r chi.Router) {
 r.Use(httpmw.WithRBACObject(rbac.ResourceUserRole))
 r.Get("/",authorize(api.assignableSiteRoles,rbac.ActionRead))
 })
 r.Route("/{user}",func(r chi.Router) {
 r.Use(httpmw.ExtractUserParam(options.Database))
 r.Get("/",api.userByName)
 r.Put("/profile",api.putUserProfile)
 r.Put("/suspend",api.putUserSuspend)
 // TODO: @emyrk Might want to move these to a /roles group instead of /user.
 //As we include more roles like org roles, it makes less sense to scope these here.
 r.Put("/roles",api.putUserRoles)
 r.Get("/roles",api.userRoles)
 r.Get("/organizations",api.organizationsByUser)
 r.Post("/organizations",api.postOrganizationsByUser)
 // These roles apply to the site wide permissions.
 r.Put("/roles",api.putUserRoles)
 r.Get("/roles",api.userRoles)

 r.Post("/keys",api.postAPIKey)
 r.Route("/organizations",func(r chi.Router) {
 r.Post("/",api.postOrganizationsByUser)
diff --git a/coderd/database/databasefake/databasefake.go b/coderd/database/databasefake/databasefake.go
 returntmp,nil
 }

 func (q*fakeQuerier)GetAllUserRoles(_ context.Context,userID uuid.UUID) (database.GetAllUserRolesRow,error) {
 q.mutex.RLock()
 deferq.mutex.RUnlock()

 varuser*database.User
 roles:=make([]string,0)
 for_,u:=rangeq.users {
 ifu.ID==userID {
 u:=u
 roles=append(roles,u.RBACRoles...)
 user=&u
 break
 }
 }

 for_,mem:=rangeq.organizationMembers {
 ifmem.UserID==userID {
 roles=append(roles,mem.Roles...)
 }
 }

 ifuser==nil {
 return database.GetAllUserRolesRow{},sql.ErrNoRows
 }

 return database.GetAllUserRolesRow{
 ID:userID,
 Username:user.Username,
 Roles:roles,
 },nil
 }

 func (q*fakeQuerier)GetWorkspacesByTemplateID(_ context.Context,arg database.GetWorkspacesByTemplateIDParams) ([]database.Workspace,error) {
 q.mutex.RLock()
 deferq.mutex.RUnlock()
diff --git a/coderd/database/querier.go b/coderd/database/querier.go
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
diff --git a/coderd/database/queries/users.sql b/coderd/database/queries/users.sql
 updated_at= $3
 WHERE
 id= $1 RETURNING*;


 -- name: GetAllUserRoles :one
 SELECT
 -- username is returned just to help for logging purposes
 id, username, array_cat(users.rbac_roles,organization_members.roles) ::text[]AS roles
 FROM
 users
 LEFT JOIN organization_members
 ON id= user_id
 WHERE
    id= @user_id;
diff --git a/coderd/httpmw/authorize.go b/coderd/httpmw/authorize.go
 package httpmw

 import (
 "context"
 "net/http"

 "golang.org/x/xerrors"

 "cdr.dev/slog"
 "github.com/coder/coder/coderd/database"
 "github.com/coder/coder/coderd/httpapi"
 "github.com/coder/coder/coderd/rbac"
 )

 // Authorize will enforce if the user roles can complete the action on the AuthObject.
 // The organization and owner are found using the ExtractOrganization and
 // ExtractUser middleware if present.
 funcAuthorize(logger slog.Logger,auth*rbac.RegoAuthorizer,action rbac.Action)func(http.Handler) http.Handler {
 returnfunc(next http.Handler) http.Handler {
 returnhttp.HandlerFunc(func(rw http.ResponseWriter,r*http.Request) {
 roles:=UserRoles(r)
 object:=rbacObject(r)

 ifobject.Type=="" {
 panic("developer error: auth object has no type")
 }

 // First extract the object's owner and organization if present.
 unknownOrg:=r.Context().Value(organizationParamContextKey{})
 iforganization,castOK:=unknownOrg.(database.Organization);unknownOrg!=nil {
 if!castOK {
 panic("developer error: organization param middleware not provided for authorize")
 }
 object=object.InOrg(organization.ID)
 }

 unknownOwner:=r.Context().Value(userParamContextKey{})
 ifowner,castOK:=unknownOwner.(database.User);unknownOwner!=nil {
 if!castOK {
 panic("developer error: user param middleware not provided for authorize")
 }
 object=object.WithOwner(owner.ID.String())
 }

 err:=auth.AuthorizeByRoleName(r.Context(),roles.ID.String(),roles.Roles,action,object)
 iferr!=nil {
 internalError:=new(rbac.UnauthorizedError)
 ifxerrors.As(err,internalError) {
 logger=logger.With(slog.F("internal",internalError.Internal()))
 }
 // Log information for debugging. This will be very helpful
 // in the early days if we over secure endpoints.
 logger.Warn(r.Context(),"unauthorized",
 slog.F("roles",roles.Roles),
 slog.F("user_id",roles.ID),
 slog.F("username",roles.Username),
 slog.F("route",r.URL.Path),
 slog.F("action",action),
 slog.F("object",object),
 )
 httpapi.Write(rw,http.StatusUnauthorized, httpapi.Response{
 Message:err.Error(),
 })
 return
 }
 next.ServeHTTP(rw,r)
 })
 }
 }

 typeauthObjectKeystruct{}

 // APIKey returns the API key from the ExtractAPIKey handler.
 funcrbacObject(r*http.Request) rbac.Object {
 obj,ok:=r.Context().Value(authObjectKey{}).(rbac.Object)
 if!ok {
 panic("developer error: auth object middleware not provided")
 }
 returnobj
 }

 // WithRBACObject sets the object for 'Authorize()' for all routes handled
 // by this middleware. The important field to set is 'Type'
 funcWithRBACObject(object rbac.Object)func(http.Handler) http.Handler {
 returnfunc(next http.Handler) http.Handler {
 returnhttp.HandlerFunc(func(rw http.ResponseWriter,r*http.Request) {
 ctx:=context.WithValue(r.Context(),authObjectKey{},object)
 next.ServeHTTP(rw,r.WithContext(ctx))
 })
 }
 }

 // User roles are the 'subject' field of Authorize()
 typeuserRolesKeystruct{}

 // UserRoles returns the API key from the ExtractUserRoles handler.
 funcUserRoles(r*http.Request) database.GetAllUserRolesRow {
 apiKey,ok:=r.Context().Value(userRolesKey{}).(database.GetAllUserRolesRow)
 if!ok {
 panic("developer error: user roles middleware not provided")
 }
 returnapiKey
 }

 // ExtractUserRoles requires authentication using a valid API key.
 funcExtractUserRoles(db database.Store)func(http.Handler) http.Handler {
 returnfunc(next http.Handler) http.Handler {
 returnhttp.HandlerFunc(func(rw http.ResponseWriter,r*http.Request) {
 apiKey:=APIKey(r)
 role,err:=db.GetAllUserRoles(r.Context(),apiKey.UserID)
 iferr!=nil {
 httpapi.Write(rw,http.StatusUnauthorized, httpapi.Response{
 Message:"roles not found",
 })
 return
 }

 ctx:=context.WithValue(r.Context(),userRolesKey{},role)
 next.ServeHTTP(rw,r.WithContext(ctx))
 })
 }
 }
Original file line number	Diff line number	Diff line change
Expand Up		@@ -245,6 +245,38 @@ func (q *fakeQuerier) GetUsers(_ context.Context, params database.GetUsersParams
		returntmp,nil
		}

		func (q*fakeQuerier)GetAllUserRoles(_ context.Context,userID uuid.UUID) (database.GetAllUserRolesRow,error) {
		q.mutex.RLock()
		deferq.mutex.RUnlock()

		varuser*database.User
		roles:=make([]string,0)
		for_,u:=rangeq.users {
		ifu.ID==userID {
		u:=u
		roles=append(roles,u.RBACRoles...)
		user=&u
		break
		}
		}

		for_,mem:=rangeq.organizationMembers {
		ifmem.UserID==userID {
		roles=append(roles,mem.Roles...)
		}
		}

		ifuser==nil {
		return database.GetAllUserRolesRow{},sql.ErrNoRows
		}

		return database.GetAllUserRolesRow{
		ID:userID,
		Username:user.Username,
		Roles:roles,
		},nil
		}

		func (q*fakeQuerier)GetWorkspacesByTemplateID(_ context.Context,arg database.GetWorkspacesByTemplateIDParams) ([]database.Workspace,error) {
		q.mutex.RLock()
		deferq.mutex.RUnlock()
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -122,3 +122,15 @@ SET
		updated_at= $3
		WHERE
		id= $1 RETURNING*;


		-- name: GetAllUserRoles :one
		SELECT
		-- username is returned just to help for logging purposes
		id, username, array_cat(users.rbac_roles,organization_members.roles) ::text[]AS roles
		FROM
		users
		LEFT JOIN organization_members
		ON id= user_id
		WHERE
		id= @user_id;
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,122 @@
		package httpmw

		import (
		"context"
		"net/http"

		"golang.org/x/xerrors"

		"cdr.dev/slog"
		"github.com/coder/coder/coderd/database"
		"github.com/coder/coder/coderd/httpapi"
		"github.com/coder/coder/coderd/rbac"
		)

		// Authorize will enforce if the user roles can complete the action on the AuthObject.
		// The organization and owner are found using the ExtractOrganization and
		// ExtractUser middleware if present.
		funcAuthorize(logger slog.Logger,auth*rbac.RegoAuthorizer,action rbac.Action)func(http.Handler) http.Handler {
Copy link Member kylecarbsMay 3, 2022 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. `Authorize` feels like action, not something that would return a handler. What do you think about renaming this to`EnforceRBAC`? Copy link MemberAuthor EmyrkMay 3, 2022 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. I think`EnforceRBAC` is also weak though. I was thinking the package`httpmw` provides enough context, and it does do the action`Authorize()`. `Authorize` is the correct word for what is happening, as it's not authentication. I feel`EnforceRBAC` doesn't indicate the`object` and`action` are included. Another word that comes to mind is "Access". Idk,`EnforceAccess`,`EnforcePermissions`. Maybe`EnforceRBAC` isn't that bad, just felt odd to me at first. Copy link Member kylecarbsMay 3, 2022 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. Fair enough. I'm primarily trying to display that the`RBAC` package is being leveraged when calling this handle.`Enforce` is a bit sketchy too. While it isauthorizing, I'm nervous that this will get conflated with authentication really easily. Copy link MemberAuthor EmyrkMay 3, 2022 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. yea this is classic authorization vs authentication. If you aren't familiar with it, it's easy to mix up. kylecarbs reacted with thumbs up emoji Copy link Member kylecarbsMay 3, 2022 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. Agreed agreed
		returnfunc(next http.Handler) http.Handler {
		returnhttp.HandlerFunc(func(rw http.ResponseWriter,r*http.Request) {
		roles:=UserRoles(r)
		object:=rbacObject(r)

		ifobject.Type=="" {
		panic("developer error: auth object has no type")
		}

		// First extract the object's owner and organization if present.
		unknownOrg:=r.Context().Value(organizationParamContextKey{})
		iforganization,castOK:=unknownOrg.(database.Organization);unknownOrg!=nil {
		if!castOK {
		panic("developer error: organization param middleware not provided for authorize")
		}
		object=object.InOrg(organization.ID)
		}

		unknownOwner:=r.Context().Value(userParamContextKey{})
		ifowner,castOK:=unknownOwner.(database.User);unknownOwner!=nil {
		if!castOK {
		panic("developer error: user param middleware not provided for authorize")
		}
		object=object.WithOwner(owner.ID.String())
		}

		err:=auth.AuthorizeByRoleName(r.Context(),roles.ID.String(),roles.Roles,action,object)
		iferr!=nil {
		internalError:=new(rbac.UnauthorizedError)
		ifxerrors.As(err,internalError) {
		logger=logger.With(slog.F("internal",internalError.Internal()))
		}
		// Log information for debugging. This will be very helpful
		// in the early days if we over secure endpoints.
		logger.Warn(r.Context(),"unauthorized",
		slog.F("roles",roles.Roles),
		slog.F("user_id",roles.ID),
		slog.F("username",roles.Username),
		slog.F("route",r.URL.Path),
		slog.F("action",action),
		slog.F("object",object),
		)
		httpapi.Write(rw,http.StatusUnauthorized, httpapi.Response{
		Message:err.Error(),
		})
		return
		}
		next.ServeHTTP(rw,r)
		})
		}
		}

		typeauthObjectKeystruct{}

		// APIKey returns the API key from the ExtractAPIKey handler.
		funcrbacObject(r*http.Request) rbac.Object {
		obj,ok:=r.Context().Value(authObjectKey{}).(rbac.Object)
		if!ok {
		panic("developer error: auth object middleware not provided")
		}
		returnobj
		}

		// WithRBACObject sets the object for 'Authorize()' for all routes handled
		// by this middleware. The important field to set is 'Type'
		funcWithRBACObject(object rbac.Object)func(http.Handler) http.Handler {
Copy link Member kylecarbsMay 3, 2022 Choose a reason for hiding this comment The reason will be displayed to describe this comment to others.Learn more. It might be confusing that this is called`WithRBACObject`, but the values are`rbac.ResourceX`. It could be helpful to make these the same names!
		returnfunc(next http.Handler) http.Handler {
		returnhttp.HandlerFunc(func(rw http.ResponseWriter,r*http.Request) {
		ctx:=context.WithValue(r.Context(),authObjectKey{},object)
		next.ServeHTTP(rw,r.WithContext(ctx))
		})
		}
		}

		// User roles are the 'subject' field of Authorize()
		typeuserRolesKeystruct{}

		// UserRoles returns the API key from the ExtractUserRoles handler.
		funcUserRoles(r*http.Request) database.GetAllUserRolesRow {
		apiKey,ok:=r.Context().Value(userRolesKey{}).(database.GetAllUserRolesRow)
		if!ok {
		panic("developer error: user roles middleware not provided")
		}
		returnapiKey
		}

		// ExtractUserRoles requires authentication using a valid API key.
		funcExtractUserRoles(db database.Store)func(http.Handler) http.Handler {
		returnfunc(next http.Handler) http.Handler {
		returnhttp.HandlerFunc(func(rw http.ResponseWriter,r*http.Request) {
		apiKey:=APIKey(r)
		role,err:=db.GetAllUserRoles(r.Context(),apiKey.UserID)
		iferr!=nil {
		httpapi.Write(rw,http.StatusUnauthorized, httpapi.Response{
		Message:"roles not found",
		})
		return
		}

		ctx:=context.WithValue(r.Context(),userRolesKey{},role)
		next.ServeHTTP(rw,r.WithContext(ctx))
		})
		}
		}