Implement authorize and some basic tests

Emyrk · Emyrk · commit ec2cf097882a · 2022-04-07T10:25:09.000-05:00
diff --git a/coderd/authz/authz.go b/coderd/authz/authz.go
@@ -1,24 +1,48 @@
 package authz
 
 import (
+	"context"
 	"errors"
+	"strings"
 
 	"github.com/coder/coder/coderd/authz/rbac"
 )
 
 var ErrUnauthorized = errors.New("unauthorized")
 
-// TODO: Implement Authorize
-func Authorize(subj Subject, res Object, action rbac.Operation) error {
-	// TODO: Expand subject roles into their permissions as appropriate. Apply scopes.
-
+func Authorize(ctx context.Context, subj Subject, res Object, action rbac.Operation) error {
 	if res.ObjectType == "" {
 		return ErrUnauthorized
 	}
 
+	// Own actions only succeed if the subject owns the resource.
+	if !isAll(action) {
+		// Before we reject this, the user could be an admin with "-all" perms.
+		err := Authorize(ctx, subj, res, rbac.Operation(strings.ReplaceAll(string(action), "-own", "-all")))
+		if err == nil {
+			return nil
+		}
+		if res.Owner != subj.ID() {
+			return ErrUnauthorized
+		}
+	}
+
 	if SiteEnforcer.RolesHavePermission(subj.Roles(), res.ObjectType, action) {
 		return nil
 	}
 
+	if res.OrgOwner != "" {
+		orgRoles, err := subj.OrgRoles(ctx, res.OrgOwner)
+		if err == nil {
+			if OrganizationEnforcer.RolesHavePermission(orgRoles, res.ObjectType, action) {
+				return nil
+			}
+		}
+	}
+
 	return ErrUnauthorized
 }
+
+func isAll(action rbac.Operation) bool {
+	return strings.HasSuffix(string(action), "-all")
+}
diff --git a/coderd/authz/authz_test.go b/coderd/authz/authz_test.go
@@ -1,79 +1,113 @@
 package authz_test
 
 import (
+	"context"
 	"testing"
 
+	"github.com/coder/coder/coderd/authz"
 	"github.com/coder/coder/coderd/authz/rbac"
-
 	"github.com/stretchr/testify/require"
-
-	"github.com/coder/coder/coderd/authz"
 )
 
 func TestAuthorize(t *testing.T) {
 	t.Parallel()
 
-	// testCases := []struct {
-	// 	Subject       authz.Subject
-	// 	Resource      authz.Object
-	// 	Action        rbac.Operation
-	// 	ExpectedError string
-	// }{
-	// 	{
-	// 		Subject: &authz.SubjectTODO{
-	// 			UserID: "user",
-	// 			Site:   []rbac.Role{authz.SiteMember},
-	// 			Org: map[string]rbac.Roles{
-	// 				"default": {authz.OrganizationAdmin},
-	// 			},
-	// 		},
-	// 		Resource: &authz.Object{},
-	// 	},
-	// }
-
-	// user will become an authn object, and can even be a database.User if it
-	// fulfills the interface. Until then, use a placeholder.
-	user := authz.SubjectTODO{
-		UserID: "alice",
-		// No site perms
-		Site: []rbac.Role{authz.SiteMember},
-		Org: map[string]rbac.Roles{
-			// Admin of org "default".
-			"default": {authz.OrganizationAdmin},
+	testCases := []struct {
+		Name          string
+		Subject       authz.Subject
+		Resource      authz.Object
+		Action        rbac.Operation
+		ExpectedError bool
+	}{
+		{
+			Name: "Org admin trying to read all workspace",
+			Subject: &authz.SubjectTODO{
+				UserID: "org-admin",
+				Site:   []rbac.Role{authz.SiteMember},
+				Org: map[string]rbac.Roles{
+					"default": {authz.OrganizationAdmin},
+				},
+			},
+			Resource: authz.Object{
+				ObjectType: authz.Workspaces,
+			},
+			Action:        authz.ReadAll,
+			ExpectedError: true,
+		},
+		{
+			Name: "Org admin read org workspace",
+			Subject: &authz.SubjectTODO{
+				UserID: "org-admin",
+				Site:   []rbac.Role{authz.SiteMember},
+				Org: map[string]rbac.Roles{
+					"default": {authz.OrganizationAdmin},
+				},
+			},
+			Resource: authz.Object{
+				ObjectType: authz.Workspaces,
+				OrgOwner:   "default",
+			},
+			Action: authz.ReadAll,
+		},
+		{
+			Name: "Org admin read someone else's workspace",
+			Subject: &authz.SubjectTODO{
+				UserID: "org-admin",
+				Site:   []rbac.Role{authz.SiteMember},
+				Org: map[string]rbac.Roles{
+					"default": {authz.OrganizationAdmin},
+				},
+			},
+			Resource: authz.Object{
+				Owner:      "org-member",
+				ObjectType: authz.Workspaces,
+				OrgOwner:   "default",
+			},
+			Action: authz.ReadOwn,
+		},
+		{
+			Name: "Org member read their workspace",
+			Subject: &authz.SubjectTODO{
+				UserID: "org-member",
+				Site:   []rbac.Role{authz.SiteMember},
+				Org: map[string]rbac.Roles{
+					"default": {authz.OrganizationMember},
+				},
+			},
+			Resource: authz.Object{
+				Owner:      "org-member",
+				ObjectType: authz.Workspaces,
+				OrgOwner:   "default",
+			},
+			Action: authz.ReadOwn,
+		},
+		{
+			Name: "Site member read their workspace in other org",
+			Subject: &authz.SubjectTODO{
+				UserID: "site-member",
+				Site:   []rbac.Role{authz.SiteMember},
+				Org: map[string]rbac.Roles{
+					"default": {authz.OrganizationMember},
+				},
+			},
+			Resource: authz.Object{
+				Owner:      "site-member",
+				ObjectType: authz.Workspaces,
+				OrgOwner:   "not-default",
+			},
+			Action:        authz.ReadOwn,
+			ExpectedError: true,
 		},
 	}
 
-	// TODO: Uncomment all assertions when implementation is done.
-
-	//nolint:paralleltest
-	t.Run("ReadAllWorkspaces", func(t *testing.T) {
-		// To read all workspaces on the site
-		err := authz.Authorize(user, authz.Object{}, authz.ReadAll)
-		var _ = err
-		require.Error(t, err, "this user cannot read all workspaces")
-	})
-
-	// nolint:paralleltest
-	// t.Run("ReadOrgWorkspaces", func(t *testing.T) {
-	// To read all workspaces on the org 'default'
-	// err := authz.Authorize(user, authz.ResourceWorkspace.Org("default"), authz.ActionRead)
-	// require.NoError(t, err, "this user can read all org workspaces in 'default'")
-	// })
-	//
-	// nolint:paralleltest
-	// t.Run("ReadMyWorkspace", func(t *testing.T) {
-	// Note 'database.Workspace' could fulfill the object interface and be passed in directly
-	// err := authz.Authorize(user, authz.ResourceWorkspace.Org("default").Owner(user.UserID), authz.ActionRead)
-	// require.NoError(t, err, "this user can their workspace")
-	//
-	// err = authz.Authorize(user, authz.ResourceWorkspace.Org("default").Owner(user.UserID).AsID("1234"), authz.ActionRead)
-	// require.NoError(t, err, "this user can read workspace '1234'")
-	// })
-	//
-	// nolint:paralleltest
-	// t.Run("CreateNewSiteUser", func(t *testing.T) {
-	// err := authz.Authorize(user, authz.ResourceUser, authz.ActionCreate)
-	// var _ = err
-	// require.Error(t, err, "this user cannot create new users")
-	// })
+	for _, c := range testCases {
+		t.Run(c.Name, func(t *testing.T) {
+			err := authz.Authorize(context.Background(), c.Subject, c.Resource, c.Action)
+			if c.ExpectedError {
+				require.EqualError(t, err, authz.ErrUnauthorized.Error(), "unauth")
+			} else {
+				require.NoError(t, err, "exp auth succeed")
+			}
+		})
+	}
 }
diff --git a/coderd/authz/domain.go b/coderd/authz/domain.go
@@ -50,9 +50,10 @@ const (
 	Workspaces          rbac.Resource = "environments"
 )
 
-// Operations
+// Operations **must** have an -all or -own suffix
 const (
-	Create    rbac.Operation = "create"     // create a new resource
+	CreateOwn rbac.Operation = "create-own" // create a new resource owned by me
+	CreateAll rbac.Operation = "create-all" // create a new resource in this scope
 	DeleteAll rbac.Operation = "delete-all" // delete any of these resources in this scope
 	DeleteOwn rbac.Operation = "delete-own" // delete any of these resources owned in this scope
 	ReadAll   rbac.Operation = "read-all"   // read all fields in any of these resources in this scope
@@ -77,7 +78,7 @@ var SiteEnforcer = rbac.Enforcer{
 			ResourcePools: {UpdateAll},
 		},
 		SiteAdmin: {
-			APIKeys: {Create, ReadAll, UpdateAll, DeleteAll},
+			APIKeys: {CreateAll, ReadAll, UpdateAll, DeleteAll},
 		},
 		SiteAuditor: {
 			AuditLogs: {ReadAll},
@@ -86,28 +87,28 @@ var SiteEnforcer = rbac.Enforcer{
 			AuditLogs:           {ReadAll},
 			Configs:             {ReadAll, UpdateAll},
 			SecretConfigs:       {ReadAll, UpdateAll},
-			Workspaces:          {Create, ReadAll, UpdateAll, DeleteAll},
-			Extensions:          {Create, DeleteAll},
+			Workspaces:          {CreateAll, ReadAll, UpdateAll, DeleteAll},
+			Extensions:          {CreateAll, DeleteAll},
 			FeatureFlags:        {ReadAll, UpdateAll},
-			ImageTags:           {Create, ReadAll, UpdateAll, DeleteAll},
-			Images:              {Create, ReadAll, UpdateAll, DeleteAll},
+			ImageTags:           {CreateAll, ReadAll, UpdateAll, DeleteAll},
+			Images:              {CreateAll, ReadAll, UpdateAll, DeleteAll},
 			Metrics:             {ReadAll},
 			OAuth:               {ReadAll, UpdateAll},
-			OrganizationMembers: {Create, ReadAll, UpdateAll, DeleteAll},
-			Organizations:       {Create, ReadAll, UpdateAll, DeleteAll},
-			Registries:          {Create, ReadAll, UpdateAll, DeleteAll},
+			OrganizationMembers: {CreateAll, ReadAll, UpdateAll, DeleteAll},
+			Organizations:       {CreateAll, ReadAll, UpdateAll, DeleteAll},
+			Registries:          {CreateAll, ReadAll, UpdateAll, DeleteAll},
 			ResourcePools:       {UpdateAll, ReadAll},
-			Satellites:          {Create, ReadAll, UpdateAll, DeleteAll},
-			SystemBanners:       {Create, ReadAll, UpdateAll, DeleteAll},
-			TLSCertificates:     {Create, ReadAll, UpdateAll, DeleteAll},
-			Usage:               {Create, ReadAll, UpdateAll, DeleteAll},
-			Users:               {Create, ReadAll, UpdateAll, DeleteAll},
-			WorkspaceProviders:  {Create, ReadAll, UpdateAll, DeleteAll},
+			Satellites:          {CreateAll, ReadAll, UpdateAll, DeleteAll},
+			SystemBanners:       {CreateAll, ReadAll, UpdateAll, DeleteAll},
+			TLSCertificates:     {CreateAll, ReadAll, UpdateAll, DeleteAll},
+			Usage:               {CreateAll, ReadAll, UpdateAll, DeleteAll},
+			Users:               {CreateAll, ReadAll, UpdateAll, DeleteAll},
+			WorkspaceProviders:  {CreateAll, ReadAll, UpdateAll, DeleteAll},
 		},
 		SiteMember: {
-			APIKeys:       {Create, ReadOwn, UpdateOwn, DeleteOwn},
+			APIKeys:       {CreateOwn, ReadOwn, UpdateOwn, DeleteOwn},
 			Configs:       {ReadAll},
-			DevURLs:       {Create, ReadOwn, UpdateOwn, DeleteOwn},
+			DevURLs:       {CreateOwn, ReadOwn, UpdateOwn, DeleteOwn},
 			FeatureFlags:  {ReadAll},
 			ResourcePools: {ReadAll},
 			Metrics:       {ReadOwn},
@@ -124,20 +125,20 @@ var OrganizationEnforcer = rbac.Enforcer{
 	},
 	RolePermissions: rbac.RolePermissions{
 		OrganizationManager: {
-			Workspaces:          {Create, ReadAll, UpdateAll, DeleteAll},
-			ImageTags:           {Create, ReadAll, UpdateAll, DeleteAll},
-			Images:              {Create, ReadAll, UpdateAll, DeleteAll},
+			Workspaces:          {CreateAll, ReadAll, UpdateAll, DeleteAll},
+			ImageTags:           {CreateAll, ReadAll, UpdateAll, DeleteAll},
+			Images:              {CreateAll, ReadAll, UpdateAll, DeleteAll},
 			Metrics:             {ReadAll},
-			OrganizationMembers: {Create, ReadAll, UpdateAll, DeleteAll},
+			OrganizationMembers: {CreateAll, ReadAll, UpdateAll, DeleteAll},
 			Organizations:       {ReadAll},
-			Registries:          {Create, ReadAll, UpdateAll, DeleteAll},
+			Registries:          {CreateAll, ReadAll, UpdateAll, DeleteAll},
 			Users:               {ReadAll},
 		},
 		OrganizationMember: {
 			DevURLs:             {ReadAll},
-			Workspaces:          {Create, ReadAll, UpdateOwn, DeleteOwn},
-			ImageTags:           {Create, ReadAll},
-			Images:              {Create, ReadAll},
+			Workspaces:          {CreateOwn, ReadAll, UpdateOwn, DeleteOwn},
+			ImageTags:           {CreateOwn, ReadAll},
+			Images:              {CreateOwn, ReadAll},
 			Metrics:             {ReadOwn},
 			OrganizationMembers: {},
 			Organizations:       {},
@@ -146,7 +147,7 @@ var OrganizationEnforcer = rbac.Enforcer{
 			Users:               {ReadOwn},
 		},
 		OrganizationRegistryManager: {
-			Registries: {Create, ReadAll, UpdateAll, DeleteAll},
+			Registries: {CreateAll, ReadAll, UpdateAll, DeleteAll},
 		},
 	},
 }
diff --git a/coderd/authz/enforcers_test.go b/coderd/authz/enforcers_test.go
@@ -15,7 +15,7 @@ func TestResolveSiteEnforcer(t *testing.T) {
 	assert.Exactly(t, siteEnforcerMap[SiteAdmin][AuditLogs][ReadAll], true)
 
 	// SiteAuditor inherited from SiteMember
-	assert.Exactly(t, siteEnforcerMap[SiteAuditor][DevURLs][Create], true)
+	assert.Exactly(t, siteEnforcerMap[SiteAuditor][DevURLs][CreateOwn], true)
 
 	// SiteManager merged Metrics perms with SiteMember
 	assert.Exactly(t, siteEnforcerMap[SiteManager][Metrics][ReadOwn], true)
@@ -31,7 +31,7 @@ func TestResolveOrgEnforcer(t *testing.T) {
 	assert.NotNil(t, orgEnforcerMap[OrganizationAdmin])
 
 	// OrganizationManager merged Workspaces perms with OrganizationMember
-	testOps := rbac.Operations{Create, ReadAll, UpdateAll, UpdateOwn, DeleteAll}
+	testOps := rbac.Operations{CreateOwn, ReadAll, UpdateAll, UpdateOwn, DeleteAll}
 	for _, op := range testOps {
 		assert.Exactly(t, orgEnforcerMap[OrganizationManager][Workspaces][op], true)
 	}
diff --git a/coderd/authz/example_test.go b/coderd/authz/example_test.go
