Comments

Emyrk · Emyrk · commit 944755efa282 · 2023-02-15T12:48:56.000-06:00
diff --git a/coderd/database/bindvars.go b/coderd/database/bindvars.go
diff --git a/coderd/database/modelqueries.go b/coderd/database/modelqueries.go
@@ -261,15 +261,19 @@ func (q *sqlQuerier) GetAuthorizedWorkspaces(ctx context.Context, arg GetWorkspa
 		return nil, xerrors.Errorf("insert authorized filter: %w", err)
 	}
 
+	// SQLx expects :arg-named arguments, but we use @arg-named arguments. So
+	// switch them. Also any ':' in comments breaks this...
 	filtered = strings.ReplaceAll(filtered, "@", ":")
 	query, args, err := q.sdb.BindNamed(filtered, arg)
 	if err != nil {
 		return nil, xerrors.Errorf("bind named: %w", err)
 	}
+	// So SQLx treats '::' as escaping a ":". So we need to unescape it??
 	query = strings.ReplaceAll(query, ":", "::")
 
 	// The name comment is for metric tracking
-	//query = fmt.Sprintf("-- name: GetAuthorizedWorkspaces :many\n%s", query)
+	// Must add after sqlx or else it breaks 'BindNamed'
+	query = fmt.Sprintf("-- name: GetAuthorizedWorkspaces :many\n%s", query)
 	var items []WorkspaceWithData
 	err = q.sdb.SelectContext(ctx, &items, query, args...)
 	if err != nil {
diff --git a/coderd/rbac/authz_internal_test.go b/coderd/rbac/authz_internal_test.go
@@ -1012,7 +1012,7 @@ func testAuthorize(t *testing.T, name string, subject Subject, sets ...[]authTes
 
 					// Ensure the partial can compile to a SQL clause.
 					// This does not guarantee that the clause is valid SQL.
-					_, err = Compile(ConfigWithACL(), partialAuthz)
+					_, err = Compile(ConfigWithACL(""), partialAuthz)
 					require.NoError(t, err, "compile prepared authorizer")
 
 					// Also check the rego policy can form a valid partial query result.
diff --git a/coderd/rbac/query.go b/coderd/rbac/query.go
@@ -20,15 +20,15 @@ type authorizedSQLFilter struct {
 	auth      *PartialAuthorizer
 }
 
-func ConfigWithACL() regosql.ConvertConfig {
+func ConfigWithACL(prefix string) regosql.ConvertConfig {
 	return regosql.ConvertConfig{
-		VariableConverter: regosql.DefaultVariableConverter(),
+		VariableConverter: regosql.DefaultVariableConverter(prefix),
 	}
 }
 
-func ConfigWithoutACL() regosql.ConvertConfig {
+func ConfigWithoutACL(prefix string) regosql.ConvertConfig {
 	return regosql.ConvertConfig{
-		VariableConverter: regosql.NoACLConverter(),
+		VariableConverter: regosql.NoACLConverter(prefix),
 	}
 }
 
diff --git a/coderd/rbac/regosql/compile_test.go b/coderd/rbac/regosql/compile_test.go
@@ -79,13 +79,13 @@ func TestRegoQueries(t *testing.T) {
 				`"read" in input.object.acl_group_list.allUsers`,
 			},
 			ExpectedSQL:       "(group_acl->'allUsers' ? 'read')",
-			VariableConverter: regosql.DefaultVariableConverter(),
+			VariableConverter: regosql.DefaultVariableConverter(""),
 		},
 		{
 			Name:              "GroupWildcard",
 			Queries:           []string{`"*" in input.object.acl_group_list.allUsers`},
 			ExpectedSQL:       "(group_acl->'allUsers' ? '*')",
-			VariableConverter: regosql.DefaultVariableConverter(),
+			VariableConverter: regosql.DefaultVariableConverter(""),
 		},
 		{
 			// Always return a constant string for all variables.
@@ -94,27 +94,27 @@ func TestRegoQueries(t *testing.T) {
 				`"read" in input.object.acl_group_list[input.object.org_owner]`,
 			},
 			ExpectedSQL:       "(group_acl->organization_id :: text ? 'read')",
-			VariableConverter: regosql.DefaultVariableConverter(),
+			VariableConverter: regosql.DefaultVariableConverter(""),
 		},
 		{
 			Name: "VarInArray",
 			Queries: []string{
 				`input.object.org_owner in {"a", "b", "c"}`,
 			},
 			ExpectedSQL:       p("organization_id :: text = ANY(ARRAY ['a','b','c'])"),
-			VariableConverter: regosql.DefaultVariableConverter(),
+			VariableConverter: regosql.DefaultVariableConverter(""),
 		},
 		{
 			Name:              "SetDereference",
 			Queries:           []string{`"*" in input.object.acl_group_list[input.object.org_owner]`},
 			ExpectedSQL:       p("group_acl->organization_id :: text ? '*'"),
-			VariableConverter: regosql.DefaultVariableConverter(),
+			VariableConverter: regosql.DefaultVariableConverter(""),
 		},
 		{
 			Name:              "JsonbLiteralDereference",
 			Queries:           []string{`"*" in input.object.acl_group_list["4d30d4a8-b87d-45ac-b0d4-51b2e68e7e75"]`},
 			ExpectedSQL:       p("group_acl->'4d30d4a8-b87d-45ac-b0d4-51b2e68e7e75' ? '*'"),
-			VariableConverter: regosql.DefaultVariableConverter(),
+			VariableConverter: regosql.DefaultVariableConverter(""),
 		},
 		{
 			Name: "Complex",
@@ -130,7 +130,7 @@ func TestRegoQueries(t *testing.T) {
 				`(organization_id :: text != '') OR ` +
 				`(group_acl->'allUsers' ? 'read') OR ` +
 				`(user_acl->'me' ? 'read'))`,
-			VariableConverter: regosql.DefaultVariableConverter(),
+			VariableConverter: regosql.DefaultVariableConverter(""),
 		},
 		{
 			Name: "NoACLs",
@@ -140,7 +140,7 @@ func TestRegoQueries(t *testing.T) {
 			},
 			// Special case where the bool is wrapped
 			ExpectedSQL:       p("(false) OR (false)"),
-			VariableConverter: regosql.NoACLConverter(),
+			VariableConverter: regosql.NoACLConverter(""),
 		},
 		{
 			Name: "AllowList",
@@ -151,15 +151,15 @@ func TestRegoQueries(t *testing.T) {
 			// Special case where the bool is wrapped
 			ExpectedSQL: p(`(id :: text != '') OR ` +
 				`(id :: text = ANY(ARRAY ['9046b041-58ed-47a3-9c3a-de302577875a']))`),
-			VariableConverter: regosql.NoACLConverter(),
+			VariableConverter: regosql.NoACLConverter(""),
 		},
 		{
 			Name: "TwoExpressions",
 			Queries: []string{
 				`true; true`,
 			},
 			ExpectedSQL:       p("true AND true"),
-			VariableConverter: regosql.DefaultVariableConverter(),
+			VariableConverter: regosql.DefaultVariableConverter(""),
 		},
 
 		// Actual vectors from production
@@ -171,7 +171,7 @@ func TestRegoQueries(t *testing.T) {
 				`"read" in input.object.acl_user_list["d5389ccc-57a4-4b13-8c3f-31747bcdc9f1"]`,
 			},
 			ExpectedSQL:       "true",
-			VariableConverter: regosql.NoACLConverter(),
+			VariableConverter: regosql.NoACLConverter(""),
 		},
 		{
 			Name: "OrgAdmin",
@@ -185,7 +185,7 @@ func TestRegoQueries(t *testing.T) {
 				"(organization_id :: text = ANY(ARRAY ['05f58202-4bfc-43ce-9ba4-5ff6e0174a71'])) AND " +
 				"(owner_id :: text != '') AND " +
 				"('d5389ccc-57a4-4b13-8c3f-31747bcdc9f1' = owner_id :: text))",
-			VariableConverter: regosql.DefaultVariableConverter(),
+			VariableConverter: regosql.DefaultVariableConverter(""),
 		},
 		{
 			Name: "UserACLAllow",
@@ -195,7 +195,7 @@ func TestRegoQueries(t *testing.T) {
 			},
 			ExpectedSQL: "((user_acl->'d5389ccc-57a4-4b13-8c3f-31747bcdc9f1' ? 'read') OR " +
 				"(user_acl->'d5389ccc-57a4-4b13-8c3f-31747bcdc9f1' ? '*'))",
-			VariableConverter: regosql.DefaultVariableConverter(),
+			VariableConverter: regosql.DefaultVariableConverter(""),
 		},
 		{
 			Name: "NoACLConfig",
@@ -205,7 +205,7 @@ func TestRegoQueries(t *testing.T) {
                 "read" in input.object.acl_group_list[input.object.org_owner]`,
 			},
 			ExpectedSQL:       "((organization_id :: text != '') AND (organization_id :: text = ANY(ARRAY ['05f58202-4bfc-43ce-9ba4-5ff6e0174a71'])) AND (false))",
-			VariableConverter: regosql.NoACLConverter(),
+			VariableConverter: regosql.NoACLConverter(""),
 		},
 		{
 			Name: "EmptyACLListNoACLs",
@@ -226,7 +226,7 @@ func TestRegoQueries(t *testing.T) {
 				p("(organization_id :: text != '') AND (false) AND (group_acl->organization_id :: text ? '*')") + " OR " +
 				p("user_acl->'me' ? 'create'") + " OR " +
 				p("user_acl->'me' ? '*'")),
-			VariableConverter: regosql.DefaultVariableConverter(),
+			VariableConverter: regosql.DefaultVariableConverter(""),
 		},
 		{
 			Name: "TemplateOwner",
diff --git a/coderd/rbac/regosql/configs.go b/coderd/rbac/regosql/configs.go
@@ -2,65 +2,68 @@ package regosql
 
 import "github.com/coder/coder/coderd/rbac/regosql/sqltypes"
 
-func resourceIDMatcher() sqltypes.VariableMatcher {
-	return sqltypes.StringVarMatcher("id :: text", []string{"input", "object", "id"})
+func resourceIDMatcher(prefix string) sqltypes.VariableMatcher {
+	return sqltypes.StringVarMatcher(prefix+"id :: text", []string{"input", "object", "id"})
 }
 
-func organizationOwnerMatcher() sqltypes.VariableMatcher {
-	return sqltypes.StringVarMatcher("organization_id :: text", []string{"input", "object", "org_owner"})
+func organizationOwnerMatcher(prefix string) sqltypes.VariableMatcher {
+	return sqltypes.StringVarMatcher(prefix+"organization_id :: text", []string{"input", "object", "org_owner"})
 }
 
-func userOwnerMatcher() sqltypes.VariableMatcher {
-	return sqltypes.StringVarMatcher("owner_id :: text", []string{"input", "object", "owner"})
+func userOwnerMatcher(prefix string) sqltypes.VariableMatcher {
+	return sqltypes.StringVarMatcher(prefix+"owner_id :: text", []string{"input", "object", "owner"})
 }
 
-func groupACLMatcher(m sqltypes.VariableMatcher) sqltypes.VariableMatcher {
-	return ACLGroupMatcher(m, "group_acl", []string{"input", "object", "acl_group_list"})
+func groupACLMatcher(prefix string, m sqltypes.VariableMatcher) sqltypes.VariableMatcher {
+	return ACLGroupMatcher(m, prefix+"group_acl", []string{"input", "object", "acl_group_list"})
 }
 
-func userACLMatcher(m sqltypes.VariableMatcher) sqltypes.VariableMatcher {
-	return ACLGroupMatcher(m, "user_acl", []string{"input", "object", "acl_user_list"})
+func userACLMatcher(prefix string, m sqltypes.VariableMatcher) sqltypes.VariableMatcher {
+	return ACLGroupMatcher(m, prefix+"user_acl", []string{"input", "object", "acl_user_list"})
 }
 
 func TemplateConverter() *sqltypes.VariableConverter {
+	prefix := ""
 	matcher := sqltypes.NewVariableConverter().RegisterMatcher(
-		resourceIDMatcher(),
-		organizationOwnerMatcher(),
+		resourceIDMatcher(prefix),
+		organizationOwnerMatcher(prefix),
 		// Templates have no user owner, only owner by an organization.
-		sqltypes.AlwaysFalse(userOwnerMatcher()),
+		sqltypes.AlwaysFalse(userOwnerMatcher(prefix)),
 	)
 	matcher.RegisterMatcher(
-		groupACLMatcher(matcher),
-		userACLMatcher(matcher),
+		groupACLMatcher(prefix, matcher),
+		userACLMatcher(prefix, matcher),
 	)
 	return matcher
 }
 
 // NoACLConverter should be used when the target SQL table does not contain
 // group or user ACL columns.
-func NoACLConverter() *sqltypes.VariableConverter {
+//
+// prefix allows namespacing the generated sql columns.
+func NoACLConverter(prefix string) *sqltypes.VariableConverter {
 	matcher := sqltypes.NewVariableConverter().RegisterMatcher(
-		resourceIDMatcher(),
-		organizationOwnerMatcher(),
-		userOwnerMatcher(),
+		resourceIDMatcher(prefix),
+		organizationOwnerMatcher(prefix),
+		userOwnerMatcher(prefix),
 	)
 	matcher.RegisterMatcher(
-		sqltypes.AlwaysFalse(groupACLMatcher(matcher)),
-		sqltypes.AlwaysFalse(userACLMatcher(matcher)),
+		sqltypes.AlwaysFalse(groupACLMatcher(prefix, matcher)),
+		sqltypes.AlwaysFalse(userACLMatcher(prefix, matcher)),
 	)
 
 	return matcher
 }
 
-func DefaultVariableConverter() *sqltypes.VariableConverter {
+func DefaultVariableConverter(prefix string) *sqltypes.VariableConverter {
 	matcher := sqltypes.NewVariableConverter().RegisterMatcher(
-		resourceIDMatcher(),
-		organizationOwnerMatcher(),
-		userOwnerMatcher(),
+		resourceIDMatcher(prefix),
+		organizationOwnerMatcher(prefix),
+		userOwnerMatcher(prefix),
 	)
 	matcher.RegisterMatcher(
-		groupACLMatcher(matcher),
-		userACLMatcher(matcher),
+		groupACLMatcher(prefix, matcher),
+		userACLMatcher(prefix, matcher),
 	)
 
 	return matcher

Original file line number	Diff line number	Diff line change
`@@ -20,15 +20,15 @@ type authorizedSQLFilter struct {`
`20`	`20`	`auth *PartialAuthorizer`
`21`	`21`	`}`
`22`	`22`
`23`		`-func ConfigWithACL() regosql.ConvertConfig {`
	`23`	`+func ConfigWithACL(prefix string) regosql.ConvertConfig {`
`24`	`24`	`return regosql.ConvertConfig{`
`25`		`- VariableConverter: regosql.DefaultVariableConverter(),`
	`25`	`+ VariableConverter: regosql.DefaultVariableConverter(prefix),`
`26`	`26`	`}`
`27`	`27`	`}`
`28`	`28`
`29`		`-func ConfigWithoutACL() regosql.ConvertConfig {`
	`29`	`+func ConfigWithoutACL(prefix string) regosql.ConvertConfig {`
`30`	`30`	`return regosql.ConvertConfig{`
`31`		`- VariableConverter: regosql.NoACLConverter(),`
	`31`	`+ VariableConverter: regosql.NoACLConverter(prefix),`
`32`	`32`	`}`
`33`	`33`	`}`
`34`	`34`