Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

chore: Optimize rego policy input allocations#6135

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
Emyrk merged 8 commits intomainfromstevenmasley/rego_less_alloc
Feb 9, 2023
Merged
Show file tree
Hide file tree
Changes fromall commits
Commits
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletioncoderd/coderdtest/authorize.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -445,7 +445,7 @@ func NewAuthTester(ctx context.Context, t *testing.T, client *codersdk.Client, a
func (a *AuthTester) Test(ctx context.Context, assertRoute map[string]RouteCheck, skipRoutes map[string]string) {
// Always fail auth from this point forward
a.authorizer.Wrapped = &FakeAuthorizer{
AlwaysReturn: rbac.ForbiddenWithInternal(xerrors.New("fake implementation"),nil, nil),
AlwaysReturn: rbac.ForbiddenWithInternal(xerrors.New("fake implementation"),rbac.Subject{}, "", rbac.Object{}, nil),
}

routeMissing := make(map[string]bool)
Expand Down
210 changes: 210 additions & 0 deletionscoderd/rbac/astvalue.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,210 @@
package rbac

import (
"github.com/open-policy-agent/opa/ast"
"golang.org/x/xerrors"
)

// regoInputValue returns a rego input value for the given subject, action, and
// object. This rego input is already parsed and can be used directly in a
// rego query.
func regoInputValue(subject Subject, action Action, object Object) (ast.Value, error) {
regoSubj, err := subject.regoValue()
if err != nil {
return nil, xerrors.Errorf("subject: %w", err)
}

s := [2]*ast.Term{
ast.StringTerm("subject"),
ast.NewTerm(regoSubj),
}
a := [2]*ast.Term{
ast.StringTerm("action"),
ast.StringTerm(string(action)),
}
o := [2]*ast.Term{
ast.StringTerm("object"),
ast.NewTerm(object.regoValue()),
}

input := ast.NewObject(s, a, o)

return input, nil
}

// regoPartialInputValue is the same as regoInputValue but only includes the
// object type. This is for partial evaluations.
func regoPartialInputValue(subject Subject, action Action, objectType string) (ast.Value, error) {
regoSubj, err := subject.regoValue()
if err != nil {
return nil, xerrors.Errorf("subject: %w", err)
}

s := [2]*ast.Term{
ast.StringTerm("subject"),
ast.NewTerm(regoSubj),
}
a := [2]*ast.Term{
ast.StringTerm("action"),
ast.StringTerm(string(action)),
}
o := [2]*ast.Term{
ast.StringTerm("object"),
ast.NewTerm(ast.NewObject(
[2]*ast.Term{
ast.StringTerm("type"),
ast.StringTerm(objectType),
}),
),
}

input := ast.NewObject(s, a, o)

return input, nil
}

// regoValue returns the ast.Object representation of the subject.
func (s Subject) regoValue() (ast.Value, error) {
subjRoles, err := s.Roles.Expand()
if err != nil {
return nil, xerrors.Errorf("expand roles: %w", err)
}

subjScope, err := s.Scope.Expand()
if err != nil {
return nil, xerrors.Errorf("expand scope: %w", err)
}
subj := ast.NewObject(
[2]*ast.Term{
ast.StringTerm("id"),
ast.StringTerm(s.ID),
},
[2]*ast.Term{
ast.StringTerm("roles"),
ast.NewTerm(regoSlice(subjRoles)),
},
[2]*ast.Term{
ast.StringTerm("scope"),
ast.NewTerm(subjScope.regoValue()),
},
[2]*ast.Term{
ast.StringTerm("groups"),
ast.NewTerm(regoSliceString(s.Groups...)),
},
)

return subj, nil
}

func (z Object) regoValue() ast.Value {
userACL := ast.NewObject()
for k, v := range z.ACLUserList {
userACL.Insert(ast.StringTerm(k), ast.NewTerm(regoSlice(v)))
}
grpACL := ast.NewObject()
for k, v := range z.ACLGroupList {
grpACL.Insert(ast.StringTerm(k), ast.NewTerm(regoSlice(v)))
}
return ast.NewObject(
[2]*ast.Term{
ast.StringTerm("id"),
ast.StringTerm(z.ID),
},
[2]*ast.Term{
ast.StringTerm("owner"),
ast.StringTerm(z.Owner),
},
[2]*ast.Term{
ast.StringTerm("org_owner"),
ast.StringTerm(z.OrgID),
},
[2]*ast.Term{
ast.StringTerm("type"),
ast.StringTerm(z.Type),
},
[2]*ast.Term{
ast.StringTerm("acl_user_list"),
ast.NewTerm(userACL),
},
[2]*ast.Term{
ast.StringTerm("acl_group_list"),
ast.NewTerm(grpACL),
},
)
}

func (role Role) regoValue() ast.Value {
orgMap := ast.NewObject()
for k, p := range role.Org {
orgMap.Insert(ast.StringTerm(k), ast.NewTerm(regoSlice(p)))
}
return ast.NewObject(
[2]*ast.Term{
ast.StringTerm("site"),
ast.NewTerm(regoSlice(role.Site)),
},
[2]*ast.Term{
ast.StringTerm("org"),
ast.NewTerm(orgMap),
},
[2]*ast.Term{
ast.StringTerm("user"),
ast.NewTerm(regoSlice(role.User)),
},
)
}

func (s Scope) regoValue() ast.Value {
r, ok := s.Role.regoValue().(ast.Object)
if !ok {
panic("developer error: role is not an object")
}
r.Insert(
ast.StringTerm("allow_list"),
ast.NewTerm(regoSliceString(s.AllowIDList...)),
)
return r
}

func (perm Permission) regoValue() ast.Value {
return ast.NewObject(
[2]*ast.Term{
ast.StringTerm("negate"),
ast.BooleanTerm(perm.Negate),
},
[2]*ast.Term{
ast.StringTerm("resource_type"),
ast.StringTerm(perm.ResourceType),
},
[2]*ast.Term{
ast.StringTerm("action"),
ast.StringTerm(string(perm.Action)),
},
)
}

func (act Action) regoValue() ast.Value {
return ast.StringTerm(string(act)).Value
}

type regoValue interface {
regoValue() ast.Value
}

// regoSlice returns the ast.Array representation of the slice.
// The slice must contain only types that implement the regoValue interface.
func regoSlice[T regoValue](slice []T) *ast.Array {
terms := make([]*ast.Term, len(slice))
for i, v := range slice {
terms[i] = ast.NewTerm(v.regoValue())
}
return ast.NewArray(terms...)
}

func regoSliceString(slice ...string) *ast.Array {
terms := make([]*ast.Term, len(slice))
for i, v := range slice {
terms[i] = ast.StringTerm(v)
}
return ast.NewArray(terms...)
}
26 changes: 5 additions & 21 deletionscoderd/rbac/authz.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
Expand Up@@ -263,34 +263,18 @@ func (a RegoAuthorizer) authorize(ctx context.Context, subject Subject, action A
return xerrors.Errorf("subject must have a scope")
}

subjRoles, err :=subject.Roles.Expand()
astV, err :=regoInputValue(subject, action, object)
if err != nil {
return xerrors.Errorf("expand roles: %w", err)
return xerrors.Errorf("convert input to value: %w", err)
}

subjScope, err :=subject.Scope.Expand()
results, err :=a.query.Eval(ctx, rego.EvalParsedInput(astV))
if err != nil {
return xerrors.Errorf("expand scope: %w", err)
}

input := map[string]interface{}{
"subject": authSubject{
ID: subject.ID,
Roles: subjRoles,
Groups: subject.Groups,
Scope: subjScope,
},
"object": object,
"action": action,
}

results, err := a.query.Eval(ctx, rego.EvalInput(input))
if err != nil {
return ForbiddenWithInternal(xerrors.Errorf("eval rego: %w", err), input, results)
return ForbiddenWithInternal(xerrors.Errorf("eval rego: %w", err), subject, action, object, results)
}

if !results.Allowed() {
return ForbiddenWithInternal(xerrors.Errorf("policy disallows request"),input, results)
return ForbiddenWithInternal(xerrors.Errorf("policy disallows request"),subject, action, object, results)
}
return nil
}
Expand Down
18 changes: 18 additions & 0 deletionscoderd/rbac/builtin.go
View file
Open in desktop
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,7 @@
package rbac

import (
"sort"
"strings"

"github.com/google/uuid"
Expand DownExpand Up@@ -79,6 +80,8 @@ var (
Site: permissions(map[string][]Action{
ResourceWildcard.Type: {WildcardSymbol},
}),
Org: map[string][]Permission{},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

review: these had been breaking comparison due to comparing empty vs nil slice

Emyrk reacted with thumbs up emoji
User: []Permission{},
}
},

Expand All@@ -94,6 +97,7 @@ var (
// All users can see the provisioner daemons.
ResourceProvisionerDaemon.Type: {ActionRead},
}),
Org: map[string][]Permission{},
User: permissions(map[string][]Action{
ResourceWildcard.Type: {WildcardSymbol},
}),
Expand All@@ -113,6 +117,8 @@ var (
ResourceTemplate.Type: {ActionRead},
ResourceAuditLog.Type: {ActionRead},
}),
Org: map[string][]Permission{},
User: []Permission{},
}
},

Expand All@@ -128,6 +134,8 @@ var (
// CRUD to provisioner daemons for now.
ResourceProvisionerDaemon.Type: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
}),
Org: map[string][]Permission{},
User: []Permission{},
}
},

Expand All@@ -142,6 +150,8 @@ var (
ResourceOrganizationMember.Type: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
ResourceGroup.Type: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
}),
Org: map[string][]Permission{},
User: []Permission{},
}
},

Expand All@@ -151,6 +161,7 @@ var (
return Role{
Name: roleName(orgAdmin, organizationID),
DisplayName: "Organization Admin",
Site: []Permission{},
Org: map[string][]Permission{
organizationID: {
{
Expand All@@ -160,6 +171,7 @@ var (
},
},
},
User: []Permission{},
}
},

Expand All@@ -169,6 +181,7 @@ var (
return Role{
Name: roleName(orgMember, organizationID),
DisplayName: "",
Site: []Permission{},
Org: map[string][]Permission{
organizationID: {
{
Expand All@@ -192,6 +205,7 @@ var (
},
},
},
User: []Permission{},
}
},
}
Expand DownExpand Up@@ -422,5 +436,9 @@ func permissions(perms map[string][]Action) []Permission {
})
}
}
// Deterministic ordering of permissions
sort.Slice(list, func(i, j int) bool {
return list[i].ResourceType < list[j].ResourceType
})
return list
}
Loading
[8]ページ先頭
©2009-2025 Movatter.jp