- Notifications
You must be signed in to change notification settings - Fork1k
refactor: consolidate template and workspace acl validation#19192
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Merged
Uh oh!
There was an error while loading.Please reload this page.
Merged
Changes fromall commits
Commits
Show all changes
16 commits Select commitHold shift + click to select a range
e30250a refactor: consolidate template and workspace acl validation
aslilace1d3e3c remove unused function
aslilacc978adf hello little paren
aslilac0e108f1 yeah yeah
aslilac3a7c8e6 commit of shame
aslilac7ed357c commit of shame part 2
aslilac468cd79 comments
aslilac5ffa8f9 tests!
aslilac1e10aa0 actually it only yells about dbauthz, which I can just fix huh
aslilace38dceb :)
aslilac03125e3 `IS NULL` is actually fine
aslilacbfe31b8 dbauthz tests
aslilace368606 no you're a foreign key
aslilac5e3f858 more testing
aslilac4a162df lint
aslilac48dd824 nice lil comments
aslilacFile filter
Filter by extension
Conversations
Failed to load comments.
Loading
Uh oh!
There was an error while loading.Please reload this page.
Jump to
Jump to file
Failed to load files.
Loading
Uh oh!
There was an error while loading.Please reload this page.
Diff view
Diff view
There are no files selected for viewing
3 changes: 2 additions & 1 deletioncoderd/coderd.go
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
20 changes: 20 additions & 0 deletionscoderd/database/dbauthz/dbauthz.go
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -5376,6 +5376,26 @@ func (q *querier) UpsertWorkspaceAppAuditSession(ctx context.Context, arg databa | ||
| return q.db.UpsertWorkspaceAppAuditSession(ctx, arg) | ||
| } | ||
| func (q *querier) ValidateGroupIDs(ctx context.Context, groupIDs []uuid.UUID) (database.ValidateGroupIDsRow, error) { | ||
| // This check is probably overly restrictive, but the "correct" check isn't | ||
| // necessarily obvious. It's only used as a verification check for ACLs right | ||
| // now, which are performed as system. | ||
| if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceSystem); err != nil { | ||
| return database.ValidateGroupIDsRow{}, err | ||
| } | ||
aslilac marked this conversation as resolved. Show resolvedHide resolvedUh oh!There was an error while loading.Please reload this page. | ||
| return q.db.ValidateGroupIDs(ctx, groupIDs) | ||
| } | ||
| func (q *querier) ValidateUserIDs(ctx context.Context, userIDs []uuid.UUID) (database.ValidateUserIDsRow, error) { | ||
| // This check is probably overly restrictive, but the "correct" check isn't | ||
| // necessarily obvious. It's only used as a verification check for ACLs right | ||
| // now, which are performed as system. | ||
| if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceSystem); err != nil { | ||
| return database.ValidateUserIDsRow{}, err | ||
| } | ||
| return q.db.ValidateUserIDs(ctx, userIDs) | ||
| } | ||
| func (q *querier) GetAuthorizedTemplates(ctx context.Context, arg database.GetTemplatesWithFilterParams, _ rbac.PreparedAuthorized) ([]database.Template, error) { | ||
| // TODO Delete this function, all GetTemplates should be authorized. For now just call getTemplates on the authz querier. | ||
| return q.GetTemplatesWithFilter(ctx, arg) | ||
9 changes: 9 additions & 0 deletionscoderd/database/dbauthz/dbauthz_test.go
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
14 changes: 14 additions & 0 deletionscoderd/database/dbmetrics/querymetrics.go
Some generated files are not rendered by default. Learn more abouthow customized files appear on GitHub.
Oops, something went wrong.
Uh oh!
There was an error while loading.Please reload this page.
30 changes: 30 additions & 0 deletionscoderd/database/dbmock/dbmock.go
Some generated files are not rendered by default. Learn more abouthow customized files appear on GitHub.
Oops, something went wrong.
Uh oh!
There was an error while loading.Please reload this page.
2 changes: 2 additions & 0 deletionscoderd/database/querier.go
Some generated files are not rendered by default. Learn more abouthow customized files appear on GitHub.
Oops, something went wrong.
Uh oh!
There was an error while loading.Please reload this page.
64 changes: 64 additions & 0 deletionscoderd/database/queries.sql.go
Some generated files are not rendered by default. Learn more abouthow customized files appear on GitHub.
Oops, something went wrong.
Uh oh!
There was an error while loading.Please reload this page.
18 changes: 18 additions & 0 deletionscoderd/database/queries/groups.sql
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
20 changes: 20 additions & 0 deletionscoderd/database/queries/users.sql
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,130 @@ | ||
| package acl | ||
| import ( | ||
| "context" | ||
| "fmt" | ||
| "github.com/google/uuid" | ||
| "github.com/coder/coder/v2/coderd/database" | ||
| "github.com/coder/coder/v2/coderd/database/dbauthz" | ||
| "github.com/coder/coder/v2/codersdk" | ||
| ) | ||
| typeUpdateValidator[Role codersdk.WorkspaceRole| codersdk.TemplateRole]interface { | ||
| // Users should return a map from user UUIDs (as strings) to the role they | ||
| // are being assigned. Additionally, it should return a string that will be | ||
| // used as the field name for the ValidationErrors returned from Validate. | ||
| Users() (map[string]Role,string) | ||
| // Groups should return a map from group UUIDs (as strings) to the role they | ||
| // are being assigned. Additionally, it should return a string that will be | ||
| // used as the field name for the ValidationErrors returned from Validate. | ||
| Groups() (map[string]Role,string) | ||
| // ValidateRole should return an error that will be used in the | ||
| // ValidationError if the role is invalid for the corresponding resource type. | ||
| ValidateRole(roleRole)error | ||
| } | ||
Comment on lines +14 to +26 There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. ❤️ | ||
| funcValidate[Role codersdk.WorkspaceRole| codersdk.TemplateRole]( | ||
| ctx context.Context, | ||
| db database.Store, | ||
| vUpdateValidator[Role], | ||
| ) []codersdk.ValidationError { | ||
| // nolint:gocritic // Validate requires full read access to users and groups | ||
| ctx=dbauthz.AsSystemRestricted(ctx) | ||
| varvalidErrs []codersdk.ValidationError | ||
| groupRoles,groupsField:=v.Groups() | ||
| groupIDs:=make([]uuid.UUID,0,len(groupRoles)) | ||
| foridStr,role:=rangegroupRoles { | ||
| // Validate the provided role names | ||
| iferr:=v.ValidateRole(role);err!=nil { | ||
| validErrs=append(validErrs, codersdk.ValidationError{ | ||
| Field:groupsField, | ||
| Detail:err.Error(), | ||
| }) | ||
| } | ||
| // Validate that the IDs are UUIDs | ||
| id,err:=uuid.Parse(idStr) | ||
| iferr!=nil { | ||
| validErrs=append(validErrs, codersdk.ValidationError{ | ||
| Field:groupsField, | ||
| Detail:fmt.Sprintf("%v is not a valid UUID.",idStr), | ||
| }) | ||
| continue | ||
| } | ||
| // Don't check if the ID exists when setting the role to | ||
| // WorkspaceRoleDeleted or TemplateRoleDeleted. They might've existing at | ||
| // some point and got deleted. If we report that as an error here then they | ||
| // can't be removed. | ||
| ifstring(role)=="" { | ||
| continue | ||
| } | ||
| groupIDs=append(groupIDs,id) | ||
| } | ||
| // Validate that the groups exist | ||
| groupValidation,err:=db.ValidateGroupIDs(ctx,groupIDs) | ||
| iferr!=nil { | ||
| validErrs=append(validErrs, codersdk.ValidationError{ | ||
| Field:groupsField, | ||
| Detail:fmt.Sprintf("failed to validate group IDs: %v",err.Error()), | ||
| }) | ||
| } | ||
| if!groupValidation.Ok { | ||
| for_,id:=rangegroupValidation.InvalidGroupIds { | ||
| validErrs=append(validErrs, codersdk.ValidationError{ | ||
| Field:groupsField, | ||
| Detail:fmt.Sprintf("group with ID %v does not exist",id), | ||
| }) | ||
| } | ||
| } | ||
| userRoles,usersField:=v.Users() | ||
| userIDs:=make([]uuid.UUID,0,len(userRoles)) | ||
| foridStr,role:=rangeuserRoles { | ||
| // Validate the provided role names | ||
| iferr:=v.ValidateRole(role);err!=nil { | ||
| validErrs=append(validErrs, codersdk.ValidationError{ | ||
| Field:usersField, | ||
| Detail:err.Error(), | ||
| }) | ||
| } | ||
| // Validate that the IDs are UUIDs | ||
| id,err:=uuid.Parse(idStr) | ||
| iferr!=nil { | ||
| validErrs=append(validErrs, codersdk.ValidationError{ | ||
| Field:usersField, | ||
| Detail:fmt.Sprintf("%v is not a valid UUID.",idStr), | ||
| }) | ||
| continue | ||
| } | ||
| // Don't check if the ID exists when setting the role to | ||
| // WorkspaceRoleDeleted or TemplateRoleDeleted. They might've existing at | ||
| // some point and got deleted. If we report that as an error here then they | ||
| // can't be removed. | ||
| ifstring(role)=="" { | ||
| continue | ||
| } | ||
| userIDs=append(userIDs,id) | ||
| } | ||
| // Validate that the groups exist | ||
| userValidation,err:=db.ValidateUserIDs(ctx,userIDs) | ||
| iferr!=nil { | ||
| validErrs=append(validErrs, codersdk.ValidationError{ | ||
| Field:usersField, | ||
| Detail:fmt.Sprintf("failed to validate user IDs: %v",err.Error()), | ||
| }) | ||
| } | ||
| if!userValidation.Ok { | ||
| for_,id:=rangeuserValidation.InvalidUserIds { | ||
| validErrs=append(validErrs, codersdk.ValidationError{ | ||
| Field:usersField, | ||
| Detail:fmt.Sprintf("user with ID %v does not exist",id), | ||
| }) | ||
| } | ||
| } | ||
| returnvalidErrs | ||
| } | ||
Oops, something went wrong.
Uh oh!
There was an error while loading.Please reload this page.
Oops, something went wrong.
Uh oh!
There was an error while loading.Please reload this page.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.