chore: push rbac actions to policy package#13274

Merged
Emyrk merged 1 commit intomainfromstevenmasley/rego_to_policy
May 15, 2024
4 changes: 2 additions & 2 deletionscoderd/apikey.go
Expand Up@@ -18,7 +18,7 @@ import (
"github.com/coder/coder/v2/coderd/database/dbtime"
"github.com/coder/coder/v2/coderd/httpapi"
"github.com/coder/coder/v2/coderd/httpmw"
"github.com/coder/coder/v2/coderd/rbac"
"github.com/coder/coder/v2/coderd/rbac/policy"
"github.com/coder/coder/v2/coderd/telemetry"
"github.com/coder/coder/v2/codersdk"
)
Expand DownExpand Up@@ -255,7 +255,7 @@ func (api *API) tokens(rw http.ResponseWriter, r *http.Request) {
}
}

keys, err = AuthorizeFilter(api.HTTPAuth, r,rbac.ActionRead, keys)
keys, err = AuthorizeFilter(api.HTTPAuth, r,policy.ActionRead, keys)
if err != nil {
httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
Message: "Internal error fetching keys.",
11 changes: 6 additions & 5 deletionscoderd/authorize.go
Expand Up@@ -11,13 +11,14 @@ import (
"github.com/coder/coder/v2/coderd/httpapi"
"github.com/coder/coder/v2/coderd/httpmw"
"github.com/coder/coder/v2/coderd/rbac"
"github.com/coder/coder/v2/coderd/rbac/policy"
"github.com/coder/coder/v2/codersdk"
)

// AuthorizeFilter takes a list of objects and returns the filtered list of
// objects that the user is authorized to perform the given action on.
// This is faster than calling Authorize() on each object.
func AuthorizeFilter[O rbac.Objecter](h *HTTPAuthorizer, r *http.Request, actionrbac.Action, objects []O) ([]O, error) {
func AuthorizeFilter[O rbac.Objecter](h *HTTPAuthorizer, r *http.Request, actionpolicy.Action, objects []O) ([]O, error) {
roles := httpmw.UserAuthorization(r)
objects, err := rbac.Filter(r.Context(), h.Authorizer, roles, action, objects)
if err != nil {
Expand DownExpand Up@@ -50,7 +51,7 @@ type HTTPAuthorizer struct {
//httpapi.Forbidden(rw)
//return
//}
func (api *API) Authorize(r *http.Request, actionrbac.Action, object rbac.Objecter) bool {
func (api *API) Authorize(r *http.Request, actionpolicy.Action, object rbac.Objecter) bool {
return api.HTTPAuth.Authorize(r, action, object)
}

Expand All@@ -63,7 +64,7 @@ func (api *API) Authorize(r *http.Request, action rbac.Action, object rbac.Objec
//httpapi.Forbidden(rw)
//return
//}
func (h *HTTPAuthorizer) Authorize(r *http.Request, actionrbac.Action, object rbac.Objecter) bool {
func (h *HTTPAuthorizer) Authorize(r *http.Request, actionpolicy.Action, object rbac.Objecter) bool {
roles := httpmw.UserAuthorization(r)
err := h.Authorizer.Authorize(r.Context(), roles, action, object.RBACObject())
if err != nil {
Expand DownExpand Up@@ -95,7 +96,7 @@ func (h *HTTPAuthorizer) Authorize(r *http.Request, action rbac.Action, object r
// from postgres are already authorized, and the caller does not need to
// call 'Authorize()' on the returned objects.
// Note the authorization is only for the given action and object type.
func (h *HTTPAuthorizer) AuthorizeSQLFilter(r *http.Request, actionrbac.Action, objectType string) (rbac.PreparedAuthorized, error) {
func (h *HTTPAuthorizer) AuthorizeSQLFilter(r *http.Request, actionpolicy.Action, objectType string) (rbac.PreparedAuthorized, error) {
roles := httpmw.UserAuthorization(r)
prepared, err := h.Authorizer.Prepare(r.Context(), roles, action, objectType)
if err != nil {
Expand DownExpand Up@@ -219,7 +220,7 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) {
obj = dbObj.RBACObject()
}

err := api.Authorizer.Authorize(ctx, auth,rbac.Action(v.Action), obj)
err := api.Authorizer.Authorize(ctx, auth,policy.Action(v.Action), obj)
response[k] = err == nil
}

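Review bot: In checkAuthorization, `policy.Action(v.Action)` in the last hunk converts a request-supplied string straight into an action without checking that it names a defined action, so the response map reports a verdict for strings that are not actions at all; the same unchecked conversion existed as `rbac.Action(v.Action)` before this change. A guard such as `if !slices.Contains(rbac.AllActions(), policy.Action(v.Action)) { httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{Message: "Unknown action."}); return }` ahead of the Authorize call would turn that into an explicit 400; `rbac.AllActions()` is the list coderdtest already uses for this purpose, though whether `slices` is imported in this file is not visible in the hunk. The enclosing function starts and ends outside the hunk.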
3 changes: 2 additions & 1 deletioncoderd/coderd.go
Expand Up@@ -60,6 +60,7 @@ import (
"github.com/coder/coder/v2/coderd/prometheusmetrics"
"github.com/coder/coder/v2/coderd/provisionerdserver"
"github.com/coder/coder/v2/coderd/rbac"
"github.com/coder/coder/v2/coderd/rbac/policy"
"github.com/coder/coder/v2/coderd/schedule"
"github.com/coder/coder/v2/coderd/telemetry"
"github.com/coder/coder/v2/coderd/tracing"
Expand DownExpand Up@@ -1106,7 +1107,7 @@ func New(options *Options) *API {
// Ensure only owners can access debug endpoints.
func(next http.Handler) http.Handler {
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
if !api.Authorize(r,rbac.ActionRead, rbac.ResourceDebugInfo) {
if !api.Authorize(r,policy.ActionRead, rbac.ResourceDebugInfo) {
httpapi.ResourceNotFound(rw)
return
}
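Review bot: The comment `// Ensure only owners can access debug endpoints.` above the middleware describes intent, while the check on the changed line is `api.Authorize(r, policy.ActionRead, rbac.ResourceDebugInfo)`, so whichever roles the policy grants read on `ResourceDebugInfo` pass, and the deny path answers with `httpapi.ResourceNotFound` rather than a forbidden response. A comment that states what is enforced would be more durable, e.g. `// Debug endpoints are gated on read access to ResourceDebugInfo; a denial answers 404, presumably so the endpoints are not disclosed to unauthorized callers.` The enclosing function New starts and ends outside the hunk.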
29 changes: 15 additions & 14 deletionscoderd/coderdtest/authorize.go
Expand Up@@ -20,6 +20,7 @@ import (
"github.com/coder/coder/v2/coderd/database"
"github.com/coder/coder/v2/coderd/database/dbauthz"
"github.com/coder/coder/v2/coderd/rbac"
"github.com/coder/coder/v2/coderd/rbac/policy"
"github.com/coder/coder/v2/coderd/rbac/regosql"
"github.com/coder/coder/v2/codersdk"
"github.com/coder/coder/v2/cryptorand"
Expand DownExpand Up@@ -84,7 +85,7 @@ func (a RBACAsserter) AllCalls() []AuthCall {
// AssertChecked will assert a given rbac check was performed. It does not care
// about order of checks, or any other checks. This is useful when you do not
// care about asserting every check that was performed.
func (a RBACAsserter) AssertChecked(t *testing.T, actionrbac.Action, objects ...interface{}) {
func (a RBACAsserter) AssertChecked(t *testing.T, actionpolicy.Action, objects ...interface{}) {
converted := a.convertObjects(t, objects...)
pairs := make([]ActionObjectPair, 0, len(converted))
for _, obj := range converted {
Expand All@@ -95,7 +96,7 @@ func (a RBACAsserter) AssertChecked(t *testing.T, action rbac.Action, objects ..

// AssertInOrder must be called in the correct order of authz checks. If the objects
// or actions are not in the correct order, the test will fail.
func (a RBACAsserter) AssertInOrder(t *testing.T, actionrbac.Action, objects ...interface{}) {
func (a RBACAsserter) AssertInOrder(t *testing.T, actionpolicy.Action, objects ...interface{}) {
converted := a.convertObjects(t, objects...)
pairs := make([]ActionObjectPair, 0, len(converted))
for _, obj := range converted {
Expand DownExpand Up@@ -155,13 +156,13 @@ type RecordingAuthorizer struct {
}

type ActionObjectPair struct {
Actionrbac.Action
Actionpolicy.Action
Object rbac.Object
}

// Pair is on the RecordingAuthorizer to be easy to find and keep the pkg
// interface smaller.
func (*RecordingAuthorizer) Pair(actionrbac.Action, object rbac.Objecter) ActionObjectPair {
func (*RecordingAuthorizer) Pair(actionpolicy.Action, object rbac.Objecter) ActionObjectPair {
return ActionObjectPair{
Action: action,
Object: object.RBACObject(),
Expand DownExpand Up@@ -248,7 +249,7 @@ func (r *RecordingAuthorizer) AssertActor(t *testing.T, actor rbac.Subject, did
}

// recordAuthorize is the internal method that records the Authorize() call.
func (r *RecordingAuthorizer) recordAuthorize(subject rbac.Subject, actionrbac.Action, object rbac.Object) {
func (r *RecordingAuthorizer) recordAuthorize(subject rbac.Subject, actionpolicy.Action, object rbac.Object) {
r.Lock()
defer r.Unlock()

Expand DownExpand Up@@ -283,15 +284,15 @@ func caller(skip int) string {
return str
}

func (r *RecordingAuthorizer) Authorize(ctx context.Context, subject rbac.Subject, actionrbac.Action, object rbac.Object) error {
func (r *RecordingAuthorizer) Authorize(ctx context.Context, subject rbac.Subject, actionpolicy.Action, object rbac.Object) error {
r.recordAuthorize(subject, action, object)
if r.Wrapped == nil {
panic("Developer error: RecordingAuthorizer.Wrapped is nil")
}
return r.Wrapped.Authorize(ctx, subject, action, object)
}

func (r *RecordingAuthorizer) Prepare(ctx context.Context, subject rbac.Subject, actionrbac.Action, objectType string) (rbac.PreparedAuthorized, error) {
func (r *RecordingAuthorizer) Prepare(ctx context.Context, subject rbac.Subject, actionpolicy.Action, objectType string) (rbac.PreparedAuthorized, error) {
r.RLock()
defer r.RUnlock()
if r.Wrapped == nil {
Expand DownExpand Up@@ -325,7 +326,7 @@ type PreparedRecorder struct {
rec *RecordingAuthorizer
prepped rbac.PreparedAuthorized
subject rbac.Subject
actionrbac.Action
actionpolicy.Action

rw sync.Mutex
usingSQL bool
Expand DownExpand Up@@ -357,11 +358,11 @@ type FakeAuthorizer struct {

var _ rbac.Authorizer = (*FakeAuthorizer)(nil)

func (d *FakeAuthorizer) Authorize(_ context.Context, _ rbac.Subject, _rbac.Action, _ rbac.Object) error {
func (d *FakeAuthorizer) Authorize(_ context.Context, _ rbac.Subject, _policy.Action, _ rbac.Object) error {
return d.AlwaysReturn
}

func (d *FakeAuthorizer) Prepare(_ context.Context, subject rbac.Subject, actionrbac.Action, _ string) (rbac.PreparedAuthorized, error) {
func (d *FakeAuthorizer) Prepare(_ context.Context, subject rbac.Subject, actionpolicy.Action, _ string) (rbac.PreparedAuthorized, error) {
return &fakePreparedAuthorizer{
Original: d,
Subject: subject,
Expand All@@ -377,7 +378,7 @@ type fakePreparedAuthorizer struct {
sync.RWMutex
Original *FakeAuthorizer
Subject rbac.Subject
Actionrbac.Action
Actionpolicy.Action
}

func (f *fakePreparedAuthorizer) Authorize(ctx context.Context, object rbac.Object) error {
Expand All@@ -392,7 +393,7 @@ func (*fakePreparedAuthorizer) CompileToSQL(_ context.Context, _ regosql.Convert

// Random rbac helper funcs

func RandomRBACAction()rbac.Action {
func RandomRBACAction()policy.Action {
all := rbac.AllActions()
return all[must(cryptorand.Intn(len(all)))]
}
Expand All@@ -403,10 +404,10 @@ func RandomRBACObject() rbac.Object {
Owner: uuid.NewString(),
OrgID: uuid.NewString(),
Type: randomRBACType(),
ACLUserList: map[string][]rbac.Action{
ACLUserList: map[string][]policy.Action{
namesgenerator.GetRandomName(1): {RandomRBACAction()},
},
ACLGroupList: map[string][]rbac.Action{
ACLGroupList: map[string][]policy.Action{
namesgenerator.GetRandomName(1): {RandomRBACAction()},
},
}
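Review bot: `RandomRBACAction` now returns `policy.Action` but still draws its values from `rbac.AllActions()`, so the action type lives in `policy` while the canonical list of actions stays in `rbac`. If that list is meant to follow the type into the policy package, this helper will change again; until then a comment such as `// Actions are still enumerated by rbac.AllActions(); update if that list moves to policy.` would make the split explicit. The field changes in ActionObjectPair, PreparedRecorder and fakePreparedAuthorizer are consistent with the new type.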
3 changes: 2 additions & 1 deletioncoderd/coderdtest/authorize_test.go
Expand Up@@ -9,6 +9,7 @@ import (

"github.com/coder/coder/v2/coderd/coderdtest"
"github.com/coder/coder/v2/coderd/rbac"
"github.com/coder/coder/v2/coderd/rbac/policy"
)

func TestAuthzRecorder(t *testing.T) {
Expand DownExpand Up@@ -101,7 +102,7 @@ func TestAuthzRecorder(t *testing.T) {
}

// fuzzAuthzPrep has same action and object types for all calls.
func fuzzAuthzPrep(t *testing.T, prep rbac.PreparedAuthorized, n int, actionrbac.Action, objectType string) []coderdtest.ActionObjectPair {
func fuzzAuthzPrep(t *testing.T, prep rbac.PreparedAuthorized, n int, actionpolicy.Action, objectType string) []coderdtest.ActionObjectPair {
t.Helper()
pairs := make([]coderdtest.ActionObjectPair, 0, n)
