chore: make authz recorder opt in #20310


Merged
Emyrk merged 6 commits into main from stevenmasley/opt_in_authz_record
Oct 21, 2025
3 changes: 3 additions & 0 deletions coderd/apidoc/docs.go

Some generated files are not rendered by default.

3 changes: 3 additions & 0 deletions coderd/apidoc/swagger.json

2 changes: 1 addition & 1 deletion coderd/coderd.go
Expand Up@@ -491,7 +491,7 @@ func New(options *Options) *API {
// We add this middleware early, to make sure that authorization checks made
// by other middleware get recorded.
if buildinfo.IsDev() {
r.Use(httpmw.RecordAuthzChecks)
r.Use(httpmw.RecordAuthzChecks(options.DeploymentValues.EnableAuthzRecording.Value()))
}

ctx, cancel := context.WithCancel(context.Background())
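Review bot: the registration stays inside `if buildinfo.IsDev()`, so both `EnableAuthzRecording` and the per-request header opt-in have no effect in non-dev builds; that matches the option description in deployment.go but nothing near this line says so. Add a one-line comment here stating that the dev-build gate is intentional, since it is the only thing that keeps a client-supplied header from turning on recording of authorization checks in a production deployment. Also note that `options.DeploymentValues.EnableAuthzRecording.Value()` is read once at construction, so flipping the setting requires a restart; fine for a developer tool, but worth stating in the option description.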
23 changes: 17 additions & 6 deletions coderd/httpmw/authz.go
Expand Up@@ -4,6 +4,7 @@ package httpmw

import (
"net/http"
"strconv"

"github.com/go-chi/chi/v5"

Expand DownExpand Up@@ -39,14 +40,24 @@ func AsAuthzSystem(mws ...func(http.Handler) http.Handler) func(http.Handler) ht
}
}

// RecordAuthzChecks enables recording allofthe authorization checks that
// RecordAuthzChecks enables recording all the authorization checks that
// occurred in the processing of a request. This is mostly helpful for debugging
// and understanding what permissions are required for a given action.
//
// Can either be toggled on by a deployment wide configuration value, or opt-in on
// a per-request basis by setting the `x-record-authz-checks` header to a truthy value.
//
// Requires using a Recorder Authorizer.
func RecordAuthzChecks(next http.Handler) http.Handler {
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
r = r.WithContext(rbac.WithAuthzCheckRecorder(r.Context()))
next.ServeHTTP(rw, r)
})
//
//nolint:revive
func RecordAuthzChecks(always bool) func(next http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
if enabled, _ := strconv.ParseBool(r.Header.Get("x-record-authz-checks")); enabled || always {
r = r.WithContext(rbac.WithAuthzCheckRecorder(r.Context()))
}

next.ServeHTTP(rw, r)
})
}
Comment on lines +54 to +62
Member
minor suggestion (that maybe would fix what the linter is complaining about?): if `always == true` you could return a version of the handler that doesn't have the `if` and just always adds the context

but this is also only enabled in dev builds so the performance gain wouldn't really matter. just a thought!

}
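Review bot: the error from `strconv.ParseBool(r.Header.Get("x-record-authz-checks"))` is discarded, so any value other than the spellings ParseBool accepts ("1", "t", "T", "TRUE", "true", "True" and their false counterparts) silently leaves recording off; the doc comment promises "a truthy value", so either list the accepted spellings there or, if you want strictness, treat a parse error on a present header as a bad request. The `//nolint:revive` directive carries no rule name or reason; name the rule being suppressed, and the suggestion above of returning a separate handler when `always` is true would remove the per-request branch and most likely the lint finding with it. Lastly, the doc comment should say that this middleware is only installed in dev builds (the `buildinfo.IsDev()` check lives in coderd.go), because read on its own `RecordAuthzChecks` lets any caller switch on recording of authorization checks with a request header, and a reader of this file cannot tell it is not exposed in production.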
14 changes: 14 additions & 0 deletions codersdk/deployment.go
Expand Up@@ -487,6 +487,7 @@ type DeploymentValues struct {
Sessions SessionLifetime `json:"session_lifetime,omitempty" typescript:",notnull"`
DisablePasswordAuth serpent.Bool `json:"disable_password_auth,omitempty" typescript:",notnull"`
Support SupportConfig `json:"support,omitempty" typescript:",notnull"`
EnableAuthzRecording serpent.Bool `json:"enable_authz_recording,omitempty" typescript:",notnull"`
ExternalAuthConfigs serpent.Struct[[]ExternalAuthConfig] `json:"external_auth,omitempty" typescript:",notnull"`
SSHConfig SSHConfig `json:"config_ssh,omitempty" typescript:",notnull"`
WgtunnelHost serpent.String `json:"wgtunnel_host,omitempty" typescript:",notnull"`
Expand DownExpand Up@@ -3293,6 +3294,19 @@ Write out the current server config as YAML to stdout.`,
YAML: "key",
Hidden: true,
},
{
Name: "Enable Authorization Recordings",
Description: "All api requests will have a header including all authorization calls made during the request. " +
"This is used for debugging purposes and only available for dev builds.",
Required: false,
Flag: "enable-authz-recordings",
Env: "CODER_ENABLE_AUTHZ_RECORDINGS",
Default: "false",
Value: &c.EnableAuthzRecording,
// Do not show this option ever. It is a developer tool only, and not to be
// used externally.
Hidden: true,
},
}

return opts
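Review bot: naming is inconsistent within this option: the struct field and JSON key are singular (`EnableAuthzRecording`, `enable_authz_recording`) while the flag and environment variable are plural (`enable-authz-recordings`, `CODER_ENABLE_AUTHZ_RECORDINGS`); pick one form. The description says "All api requests will have a header including all authorization calls made during the request" but omits the per-request `x-record-authz-checks` header opt-in that the middleware also honours, so mention it. Unlike the neighbouring option this entry has no `YAML:` key, meaning it cannot be set from a config file; if that is deliberate for a hidden developer option, say so in the comment rather than leaving it to be read as an oversight.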
1 change: 1 addition & 0 deletions docs/reference/api/general.md

3 changes: 3 additions & 0 deletions docs/reference/api/schemas.md

1 change: 1 addition & 0 deletions site/src/api/typesGenerated.ts