add x-authz-checks header

aslilac · aslilac · commit 038ad91c0f41 · 2025-04-09T21:04:53.000Z
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -315,6 +315,9 @@ func New(options *Options) *API {
 	if options.Authorizer == nil {
 		options.Authorizer = rbac.NewCachingAuthorizer(options.PrometheusRegistry)
 	}
+	if buildinfo.IsDev() {
+		options.Authorizer = rbac.Recorder(options.Authorizer)
+	}
 
 	if options.AccessControlStore == nil {
 		options.AccessControlStore = &atomic.Pointer[dbauthz.AccessControlStore]{}
@@ -456,8 +459,14 @@ func New(options *Options) *API {
 		options.NotificationsEnqueuer = notifications.NewNoopEnqueuer()
 	}
 
-	ctx, cancel := context.WithCancel(context.Background())
 	r := chi.NewRouter()
+	// We add this middleware early, to make sure that authorization checks made
+	// by other middleware get recorded.
+	if buildinfo.IsDev() {
+		r.Use(httpmw.RecordAuthzChecks)
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
 
 	// nolint:gocritic // Load deployment ID. This never changes
 	depID, err := options.Database.GetDeploymentID(dbauthz.AsSystemRestricted(ctx))
diff --git a/coderd/httpapi/httpapi.go b/coderd/httpapi/httpapi.go
@@ -20,6 +20,7 @@ import (
 	"github.com/coder/websocket/wsjson"
 
 	"github.com/coder/coder/v2/coderd/httpapi/httpapiconstraints"
+	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/coder/v2/coderd/tracing"
 	"github.com/coder/coder/v2/codersdk"
 )
@@ -198,6 +199,22 @@ func Write(ctx context.Context, rw http.ResponseWriter, status int, response int
 	_, span := tracing.StartSpan(ctx)
 	defer span.End()
 
+	if rec, ok := rbac.GetAuthzCheckRecorder(ctx); ok {
+		// If you're here because you saw this header in a response, and you're
+		// trying to investigate the code, here are a couple of notable things
+		// for you to know:
+		// - If any of the checks are `false`, they might not represent the whole
+		//   picture. There could be additional checks that weren't performed,
+		//   because processing stopped after the failure.
+		// - The checks are recorded by the `authzRecorder` type, which is
+		//   configured on server startup for development and testing builds.
+		// - If this header is missing from a response, make sure the response is
+		//   being written by calling `httpapi.Write`!
+		// - An empty x-authz-checks header can be valid! Some requests don't
+		//   require authorization.
+		rw.Header().Set("x-authz-checks", rec.String())
+	}
+
 	rw.Header().Set("Content-Type", "application/json; charset=utf-8")
 	rw.WriteHeader(status)
 
@@ -213,6 +230,10 @@ func WriteIndent(ctx context.Context, rw http.ResponseWriter, status int, respon
 	_, span := tracing.StartSpan(ctx)
 	defer span.End()
 
+	if rec, ok := rbac.GetAuthzCheckRecorder(ctx); ok {
+		rw.Header().Set("x-dbauthz-checks", rec.String())
+	}
+
 	rw.Header().Set("Content-Type", "application/json; charset=utf-8")
 	rw.WriteHeader(status)
 
diff --git a/coderd/httpmw/authz.go b/coderd/httpmw/authz.go
@@ -6,6 +6,7 @@ import (
 	"github.com/go-chi/chi/v5"
 
 	"github.com/coder/coder/v2/coderd/database/dbauthz"
+	"github.com/coder/coder/v2/coderd/rbac"
 )
 
 // AsAuthzSystem is a chained handler that temporarily sets the dbauthz context
@@ -35,3 +36,15 @@ func AsAuthzSystem(mws ...func(http.Handler) http.Handler) func(http.Handler) ht
 		})
 	}
 }
+
+// RecordAuthzChecks enables recording all of the authorization checks that
+// occurred in the processing of a request. This is mostly helpful for debugging
+// and understanding what permissions are required for a given action.
+//
+// Requires using a Recorder Authorizer.
+func RecordAuthzChecks(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+		r = r.WithContext(rbac.WithAuthzCheckRecorder(r.Context()))
+		next.ServeHTTP(rw, r)
+	})
+}
diff --git a/coderd/rbac/authz.go b/coderd/rbac/authz.go
@@ -6,6 +6,7 @@ import (
 	_ "embed"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"strings"
 	"sync"
 	"time"
@@ -23,7 +24,9 @@ import (
 	"github.com/coder/coder/v2/coderd/rbac/regosql"
 	"github.com/coder/coder/v2/coderd/rbac/regosql/sqltypes"
 	"github.com/coder/coder/v2/coderd/tracing"
+	"github.com/coder/coder/v2/coderd/util/ptr"
 	"github.com/coder/coder/v2/coderd/util/slice"
+	"github.com/coder/coder/v2/coderd/util/syncmap"
 )
 
 type AuthCall struct {
@@ -362,11 +365,11 @@ func (a RegoAuthorizer) Authorize(ctx context.Context, subject Subject, action p
 	defer span.End()
 
 	err := a.authorize(ctx, subject, action, object)
-
-	span.SetAttributes(attribute.Bool("authorized", err == nil))
+	authorized := err == nil
+	span.SetAttributes(attribute.Bool("authorized", authorized))
 
 	dur := time.Since(start)
-	if err != nil {
+	if !authorized {
 		a.authorizeHist.WithLabelValues("false").Observe(dur.Seconds())
 		return err
 	}
@@ -741,3 +744,98 @@ func rbacTraceAttributes(actor Subject, action policy.Action, objectType string,
 			attribute.String("object_type", objectType),
 		)...)
 }
+
+type authRecorder struct {
+	authz Authorizer
+}
+
+// Recorder returns an Authorizer that records any authorization checks made
+// on the Context provided for the authorization check.
+//
+// Requires using the RecordAuthzChecks middleware.
+func Recorder(authz Authorizer) Authorizer {
+	return &authRecorder{authz: authz}
+}
+
+func (c *authRecorder) Authorize(ctx context.Context, subject Subject, action policy.Action, object Object) error {
+	err := c.authz.Authorize(ctx, subject, action, object)
+	authorized := err == nil
+	recordAuthzCheck(ctx, action, object, authorized)
+	return err
+}
+
+func (c *authRecorder) Prepare(ctx context.Context, subject Subject, action policy.Action, objectType string) (PreparedAuthorized, error) {
+	return c.authz.Prepare(ctx, subject, action, objectType)
+}
+
+type authzCheckRecorderKey struct{}
+
+func WithAuthzCheckRecorder(ctx context.Context) context.Context {
+	return context.WithValue(ctx, authzCheckRecorderKey{}, ptr.Ref(AuthzCheckRecorder{
+		checks: syncmap.Map[string, bool]{},
+	}))
+}
+
+type AuthzCheckRecorder struct {
+	// Checks is a map from preformatted authz check IDs to their authorization
+	// status (true => authorized, false => not authorized)
+	checks syncmap.Map[string, bool]
+}
+
+func recordAuthzCheck(ctx context.Context, action policy.Action, object Object, authorized bool) {
+	r, ok := ctx.Value(authzCheckRecorderKey{}).(*AuthzCheckRecorder)
+	if !ok {
+		return
+	}
+
+	// We serialize the check using the following syntax
+	var b strings.Builder
+	if object.OrgID != "" {
+		_, err := fmt.Fprintf(&b, "organization:%v::", object.OrgID)
+		if err != nil {
+			return
+		}
+	}
+	if object.AnyOrgOwner {
+		_, err := fmt.Fprint(&b, "organization:any::")
+		if err != nil {
+			return
+		}
+	}
+	if object.Owner != "" {
+		_, err := fmt.Fprintf(&b, "owner:%v::", object.Owner)
+		if err != nil {
+			return
+		}
+	}
+	if object.ID != "" {
+		_, err := fmt.Fprintf(&b, "id:%v::", object.ID)
+		if err != nil {
+			return
+		}
+	}
+	_, err := fmt.Fprintf(&b, "%v.%v", object.RBACObject().Type, action)
+	if err != nil {
+		return
+	}
+
+	r.checks.Store(b.String(), authorized)
+}
+
+func GetAuthzCheckRecorder(ctx context.Context) (*AuthzCheckRecorder, bool) {
+	checks, ok := ctx.Value(authzCheckRecorderKey{}).(*AuthzCheckRecorder)
+	if !ok {
+		return nil, false
+	}
+
+	return checks, true
+}
+
+// String serializes all of the checks recorded, using the following syntax:
+func (r *AuthzCheckRecorder) String() string {
+	checks := make([]string, 0)
+	for check, result := range r.checks.Seq() {
+		checks = append(checks, fmt.Sprintf("%v=%v", check, result))
+	}
+	return strings.Join(checks, "; ")
+}
diff --git a/coderd/util/syncmap/map.go b/coderd/util/syncmap/map.go
@@ -1,6 +1,9 @@
 package syncmap
 
-import "sync"
+import (
+	"iter"
+	"sync"
+)
 
 // Map is a type safe sync.Map
 type Map[K, V any] struct {
@@ -75,3 +78,9 @@ func (m *Map[K, V]) Range(f func(key K, value V) bool) {
 		return f(key.(K), value.(V))
 	})
 }
+
+func (m *Map[K, V]) Seq() iter.Seq2[K, V] {
+	return func(yield func(K, V) bool) {
+		m.Range(yield)
+	}
+}
