
Commit 2f0d30d

authored
chore: Reduce the amount of bytes allocated for Filter (coder#4209)
Reuse parsed data structure for subsequent queries
1 parent 48c0b59 commit 2f0d30d


1 file changed

+14
-3
lines changed


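--- a/coderd/rbac/partial.go
+++ b/coderd/rbac/partial.go
@@ -5,6 +5,7 @@ import (
 
 "golang.org/x/xerrors"
 
+"github.com/open-policy-agent/opa/ast"
 "github.com/open-policy-agent/opa/rego"
 
 "github.com/coder/coder/coderd/tracing"
@@ -32,6 +33,18 @@ func (pa *PartialAuthorizer) Authorize(ctx context.Context, object Object) error
 return nil
 }
 
+// No queries means always false
+if len(pa.preparedQueries) == 0 {
+return ForbiddenWithInternal(xerrors.Errorf("policy disallows request"), pa.input, nil)
+}
+
+parsed, err := ast.InterfaceToValue(map[string]interface{}{
+"object": object,
+})
+if err != nil {
+return xerrors.Errorf("parse object: %w", err)
+}
+
 // How to interpret the results of the partial queries.
 // We have a list of queries that are along the lines of:
 // `input.object.org_owner = ""; "me" = input.object.owner`
@@ -45,9 +58,7 @@ func (pa *PartialAuthorizer) Authorize(ctx context.Context, object Object) error
 EachQueryLoop:
 for _, q := range pa.preparedQueries {
 // We need to eval each query with the newly known fields.
-results, err := q.Eval(ctx, rego.EvalInput(map[string]interface{}{
-"object": object,
-}))
+results, err := q.Eval(ctx, rego.EvalParsedInput(parsed))
 if err != nil {
 continue EachQueryLoop
 }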
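Review bot: In the second hunk, a failure of `ast.InterfaceToValue` returns a plain `xerrors.Errorf("parse object: %w", err)`, while the empty-query denial just above it goes through `ForbiddenWithInternal`; both reject the request, but a caller that tells a forbidden error apart from other errors (for status codes or audit logging) will now classify a conversion failure differently. Before this change the conversion presumably happened inside `q.Eval`, where an error hit `continue EachQueryLoop` and fell through to whatever Authorize returns when no query matches, so the error shape for this case appears to have changed. If that is intended, document it with a comment such as `// Conversion failure is an internal error, not a policy denial; the request is still rejected.`; otherwise keep the denial uniform with `return ForbiddenWithInternal(xerrors.Errorf("parse object: %w", err), pa.input, nil)`. Authorize's body starts before and continues past the visible hunks, so its final return is not shown here.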
