chore: more authz/authztest docs

johnstcn · johnstcn · commit e482d2c0a9a3 · 2022-04-06T15:07:18.000Z
diff --git a/coderd/authz/README.md b/coderd/authz/README.md
@@ -4,27 +4,27 @@ Package `authz` implements AuthoriZation for Coder.
 
 ## Overview
 
-Authorization defines what **permission** an **subject** has to perform **actions** to **resources**:
+Authorization defines what **permission** an **subject** has to perform **actions** to **objects**:
 - **Permission** is binary: *yes* (allowed) or *no* (denied).
 - **Subject** in this case is anything that implements interface `authz.Subject`.
 - **Action** here is an enumerated list of actions, but we stick to `Create`, `Read`, `Update`, and `Delete` here.
-- **Resource** here is anything that implements `authz.Resource`.
+- **Object** here is anything that implements `authz.Object`.
 
 ## Permission Structure
 
-A **permission** is a rule that grants or denies access for a **subject** to perform an **action** on a **resource**.
+A **permission** is a rule that grants or denies access for a **subject** to perform an **action** on a **object**.
 A **permission** is always applied at a given **level**:
 
-- **site** level applies to all resources in a given Coder deployment.
-- **org** level applies to all resources that have an organization owner (`org_owner`)
-- **user** level applies to all resources that have an owner with the same ID as the subject.
+- **site** level applies to all objects in a given Coder deployment.
+- **org** level applies to all objects that have an organization owner (`org_owner`)
+- **user** level applies to all objects that have an owner with the same ID as the subject.
 
 **Permissions** at a higher **level** always override permissions at a **lower** level.
 
 The effect of a **permission** can be:
 - **positive** (allows)
 - **negative** (denies)
-- **abstain** (neither allows or denies, but interpreted as deny by default)
+- **abstain** (neither allows or denies, not applicable)
 
 **Negative** permissions **always** override **positive** permissions at the same level.
 Both **negative** and **positive** permissions override **abstain** at the same level.
@@ -41,24 +41,24 @@ This can be represented by the following truth table, where Y represents *positi
 
 ## Permission Representation
 
-**Permissions** are represented in string format as `<sign>?<level>.<resource>.<id>.<action>`, where:
+**Permissions** are represented in string format as `<sign>?<level>.<object>.<id>.<action>`, where:
 
 - `sign` can be either `+` or `-`. If it is omitted, sign is assumed to be `+`.
 - `level` is either `*`, `site`, `org`, or `user`.
-- `resource` is any valid resource type.
+- `object` is any valid resource type.
 - `id` is any valid UUID v4.
 - `action` is `create`, `read`, `modify`, or `delete`.
 
 ## Example Permissions
 
-- `+site.devurl.*.read`: allowed to perform the `read` action against all resources of type `devurl` in a given Coder deployment.
+- `+site.*.*.read`: allowed to perform the `read` action against all objects of type `devurl` in a given Coder deployment.
 - `-user.workspace.*.create`: user is not allowed to create workspaces.
 
 ## Roles
 
 A *role* is a set of permissions. When evaluating a role's permission to form an action, all the relevant permissions for the role are combined at each level. Permissions at a higher level override permissions at a lower level.
 
-The following table shows the per-level role evaluation logic.
+The following table shows the per-level role evaluation.
 Y indicates that the role provides positive permissions, N indicates the role provides negative permissions, and _ indicates the role does not provide positive or negative permissions. YN_ indicates that the value in the cell does not matter for the access result.
 
 | Role (example)  | Site | Org | User | Result |
diff --git a/coderd/authz/authztest/README.md b/coderd/authz/authztest/README.md
@@ -1,19 +1,23 @@
 # Authztest
 Package `authztest` implements _exhaustive_ unit testing for the `authz` package.
+
 ## Why this exists
 The `authz.Authorize` function has three* inputs:
 - Subject (for example, a user or API key)
-- Resource (for example, a workspace or a DevURL)
+- Object (for example, a workspace or a DevURL)
 - Action (for example, read or write).
+
 **Not including the ruleset, which we're keeping static for the moment.*
+
 Normally to test a pure function like this, you'd write a table test with all of the permutations by hand, for example:
+
 ```go
 func Test_Authorize(t *testing.T) {
     ....
     testCases := []struct {
         name string
         subject authz.Subject
-        resource authz.Resource
+        resource authz.Object
         action authz.Action
         expectedError error
     }{
@@ -22,7 +26,7 @@ func Test_Authorize(t *testing.T) {
             subject: &User{ID: "admin"},
             object: &authz.ZObject{
                 OrgOwner: "default",
-                ResourceType: authz.ResourceSiteConfig,
+                ObjectType: authz.ObjectSiteConfig,
             },
             expectedError: nil,
         },
@@ -33,36 +37,63 @@ func Test_Authorize(t *testing.T) {
     }
 }
 ```
+
 This approach is problematic because of the cardinality of the RBAC model.
+
 Recall that the legacy `pkg/access/authorize`:
+
 - Exposes 8 possible actions, 5 possible site-level roles, 4 possible org-level roles, and 24 possible resource types
 - Enforces site-wide versus organization-wide permissions separately
+
 The new authentication model must maintain backward compatibility with this model, whilst allowing additional features such as:
+
 - User-level ownership (which means user-level permission enforcement)
-- Resources shared between users (which means permissions granular down to resource IDs)
+- Objects shared between users (which means permissions granular down to resource IDs)
 - Custom roles
+
 The resulting permissions model ([documented in Notion](https://www.notion.so/coderhq/Workspaces-V2-Authz-RBAC-24fd193386eb4cf79a282a2a69e8f917)) results in a large **finite** solution space in the order of **hundreds of millions**.
-We want to have a high level of confidence that changes to the implementation **do not have unintended side-effects**.
-This means that simply manually writing a set of test cases possibly risks errors slipping through the cracks.
+
+We want to have a high level of confidence that changes to the implementation **do not have unintended side-effects**. This means that simply manually writing a set of test cases possibly risks errors slipping through the cracks.
+
 Instead, we generate (almost) all possible sets of inputs to the library, and ensure that `authz.Authorize` performs as expected.
+
 The actual investigation of the solution space is [documented in Notion](https://www.notion.so/coderhq/Authz-Exhaustive-Testing-7683ea694c6e4c12ab0124439916b13a), but the crucial take-away of that document is:
 - There is a **large** but **finite** number of possible inputs to `authz.Authorize`,
 - The solution space can be broken down into 9 groups, and
 - Most importantly, *each group has the same expected result.*
+
+
 ## Testing Methodology
+
 We group the search space into a number of groups. Each group corresponds to a set of test cases with the same expected result. Each group consists of a set of **impactful** permissions and a set of **noise** permissions.
+
 **Impactful** permissions are the top-level permissions that are expected to override anything else, and should be the only inputs that determine the expected result.
+
 **Noise** is simply a set of additional permissions at a lower level that *should not* be impactful.
+
 For each group, we take the **impactful set** of permissions, and add **noise**, and combine this into a role.
+
 We then take the *set cross-product* of the **impactful set** and the **noise**, and assert that the expected access level of that role to perform a given action.
+
 As some of these sets are quite large, we sample some of the noise to reduce the search space.
+
+We also perform permutation on the **objects** of the test case, explained in [Object Permutations](#object-permutations) 
+
 **Example:**
-`+site:resource:abc123:create` will always override `-user:resource:*:*`, `-user:*:abc123:*`, `-org:resource:*:create`, and so on. All permutations of those sorts of noise permissions should never change the expected result.
+
+`+site:*:*:create` will always override `-user:resource:*:*`, `-user:*:abc123:*`, `-org:resource:*:create`, and so on. All permutations of those sorts of noise permissions should never change the expected result.
+
+
 ## Role Permutations
+
 Recall that we define a permission as a 4-tuple of `(level, resource_type, resource_id, action)` (for example, `(site, workspace, 123, read)`).
+
 A `Set` is a slice of permissions. The search space of all possible permissions is too large, so instead this package allows generating more meaningful sets for testing. This is equivalent to pruning in AI problems: a technique to reduce the size of the search space by removing parts that do not have significance.
-This is the final pruned search space used in authz. Each set is represented by a Y, N, or _. The leftmost set in a row that is not '_' is the impactful set. The impactful set determines the access result. All other sets are non-impactful, and should include the `<nil>` permission.
+
+This is the final pruned search space used in authz. Each set is represented by a Y, N, or \_. The leftmost set in a row that is not '\_' is the impactful set. The impactful set determines the access result. All other sets are non-impactful, and should include the `<nil>` permission.
+
 The resulting search space for a row is the cross product between all sets in said row. `+` indicates the union of two sets. For example, Y+_ indicates the union of all positive permissions and abstain permissions.
+
 | Row | *    | Site | Org  | Org:mem | User | Access |
 |-----|------|------|------|---------|------|--------|
 | W+  | Y+_  | YN_  | YN_  | YN_     | YN_  | Y      |
@@ -77,8 +108,11 @@ The resulting search space for a row is the cross product between all sets in sa
 | U-  | _    | _    | _    | _       | N+Y_ | N      |
 | A+  | _    | _    | _    | _       | Y+_  | Y      |
 | A-  | _    | _    | _    | _       | _    | N      |
+
 Each row in the above table corresponds to a set of role permutations.
+
 There are 12 possible groups of role permutations:
+
 - Case 1 (W+):
     - Impactful set: positive wildcard permissions.
     - Noise: positive, negative, abstain across site, org, org-member, and user levels.
@@ -127,3 +161,20 @@ There are 12 possible groups of role permutations:
     - Impactful set: nil permission.
     - Noise: abstain on user level.
     - Expected result: deny.
+
+
+## Object Permutations
+
+Aside from the test inputs, we also perform permutations on the object. There are 9 possible permuations based on the object, and these 9 test cases all have four distinct possibilities. These are illustrated by the below table:
+
+| # | Owner   | Org-Owner | Result                                 |
+|---|---------|-----------|----------------------------------------|
+| 1 | `me`    | `mem`     | Defer                                  |
+| 2 | `other` | `mem`     | `U+` and `U-` return `false`.          |
+| 3 | `""`    | `mem`     | As above.                              |
+| 4 | `me`    | `non-mem` | `O+`, `O-`, `U+`, `U-` return `false`. |
+| 5 | `other` | `non-mem` | As above.                              |
+| 6 | `other` | `""`      | As above.                              |
+| 7 | `""`    | `non-mem` | As above.                              |
+| 8 | `""`    | `""`      | As above.                              |
+| 9 | ` me`   | `""`      | `O+` and `O-` abstain. Defer to user.  |
