Rename Scope -> ScopeName

Emyrk · Emyrk · commit 043a1d5aed3f · 2023-01-19T09:08:26.000-06:00
diff --git a/coderd/coderdtest/authorize.go b/coderd/coderdtest/authorize.go
@@ -527,7 +527,7 @@ type authCall struct {
 	SubjectID string
 	Roles     []string
 	Groups    []string
-	Scope     rbac.Scope
+	Scope     rbac.ScopeName
 	Action    rbac.Action
 	Object    rbac.Object
 }
@@ -541,11 +541,11 @@ var _ rbac.Authorizer = (*RecordingAuthorizer)(nil)
 
 // ByRoleNameSQL does not record the call. This matches the postgres behavior
 // of not calling Authorize()
-func (r *RecordingAuthorizer) ByRoleNameSQL(_ context.Context, _ string, _ []string, _ rbac.Scope, _ []string, _ rbac.Action, _ rbac.Object) error {
+func (r *RecordingAuthorizer) ByRoleNameSQL(_ context.Context, _ string, _ []string, _ rbac.ScopeName, _ []string, _ rbac.Action, _ rbac.Object) error {
 	return r.AlwaysReturn
 }
 
-func (r *RecordingAuthorizer) ByRoleName(_ context.Context, subjectID string, roleNames []string, scope rbac.Scope, groups []string, action rbac.Action, object rbac.Object) error {
+func (r *RecordingAuthorizer) ByRoleName(_ context.Context, subjectID string, roleNames []string, scope rbac.ScopeName, groups []string, action rbac.Action, object rbac.Object) error {
 	r.Called = &authCall{
 		SubjectID: subjectID,
 		Roles:     roleNames,
@@ -557,7 +557,7 @@ func (r *RecordingAuthorizer) ByRoleName(_ context.Context, subjectID string, ro
 	return r.AlwaysReturn
 }
 
-func (r *RecordingAuthorizer) PrepareByRoleName(_ context.Context, subjectID string, roles []string, scope rbac.Scope, groups []string, action rbac.Action, _ string) (rbac.PreparedAuthorized, error) {
+func (r *RecordingAuthorizer) PrepareByRoleName(_ context.Context, subjectID string, roles []string, scope rbac.ScopeName, groups []string, action rbac.Action, _ string) (rbac.PreparedAuthorized, error) {
 	return &fakePreparedAuthorizer{
 		Original:           r,
 		SubjectID:          subjectID,
@@ -577,7 +577,7 @@ type fakePreparedAuthorizer struct {
 	Original            *RecordingAuthorizer
 	SubjectID           string
 	Roles               []string
-	Scope               rbac.Scope
+	Scope               rbac.ScopeName
 	Action              rbac.Action
 	Groups              []string
 	HardCodedSQLString  string
diff --git a/coderd/database/modelmethods.go b/coderd/database/modelmethods.go
@@ -6,7 +6,7 @@ import (
 
 const AllUsersGroup = "Everyone"
 
-func (s APIKeyScope) ToRBAC() rbac.Scope {
+func (s APIKeyScope) ToRBAC() rbac.ScopeName {
 	switch s {
 	case APIKeyScopeAll:
 		return rbac.ScopeAll
diff --git a/coderd/rbac/authz.go b/coderd/rbac/authz.go
@@ -18,8 +18,8 @@ import (
 )
 
 type Authorizer interface {
-	ByRoleName(ctx context.Context, subjectID string, roleNames []string, scope Scope, groups []string, action Action, object Object) error
-	PrepareByRoleName(ctx context.Context, subjectID string, roleNames []string, scope Scope, groups []string, action Action, objectType string) (PreparedAuthorized, error)
+	ByRoleName(ctx context.Context, subjectID string, roleNames []string, scope ScopeName, groups []string, action Action, object Object) error
+	PrepareByRoleName(ctx context.Context, subjectID string, roleNames []string, scope ScopeName, groups []string, action Action, objectType string) (PreparedAuthorized, error)
 }
 
 type PreparedAuthorized interface {
@@ -33,7 +33,7 @@ type PreparedAuthorized interface {
 //
 // Ideally the 'CompileToSQL' is used instead for large sets. This cost scales
 // linearly with the number of objects passed in.
-func Filter[O Objecter](ctx context.Context, auth Authorizer, subjID string, subjRoles []string, scope Scope, groups []string, action Action, objects []O) ([]O, error) {
+func Filter[O Objecter](ctx context.Context, auth Authorizer, subjID string, subjRoles []string, scope ScopeName, groups []string, action Action, objects []O) ([]O, error) {
 	if len(objects) == 0 {
 		// Nothing to filter
 		return objects, nil
@@ -179,7 +179,7 @@ type authSubject struct {
 // ByRoleName will expand all roleNames into roles before calling Authorize().
 // This is the function intended to be used outside this package.
 // The role is fetched from the builtin map located in memory.
-func (a RegoAuthorizer) ByRoleName(ctx context.Context, subjectID string, roleNames []string, scope Scope, groups []string, action Action, object Object) error {
+func (a RegoAuthorizer) ByRoleName(ctx context.Context, subjectID string, roleNames []string, scope ScopeName, groups []string, action Action, object Object) error {
 	start := time.Now()
 	ctx, span := tracing.StartSpan(ctx,
 		trace.WithTimestamp(start), // Reuse the time.Now for metric and trace
@@ -239,7 +239,7 @@ func (a RegoAuthorizer) Authorize(ctx context.Context, subjectID string, roles [
 	return nil
 }
 
-func (a RegoAuthorizer) PrepareByRoleName(ctx context.Context, subjectID string, roleNames []string, scope Scope, groups []string, action Action, objectType string) (PreparedAuthorized, error) {
+func (a RegoAuthorizer) PrepareByRoleName(ctx context.Context, subjectID string, roleNames []string, scope ScopeName, groups []string, action Action, objectType string) (PreparedAuthorized, error) {
 	start := time.Now()
 	ctx, span := tracing.StartSpan(ctx,
 		trace.WithTimestamp(start),
diff --git a/coderd/rbac/authz_internal_test.go b/coderd/rbac/authz_internal_test.go
@@ -77,7 +77,7 @@ func TestFilter(t *testing.T) {
 		SubjectID  string
 		Roles      []string
 		Action     Action
-		Scope      Scope
+		Scope      ScopeName
 		ObjectType string
 	}{
 		{
diff --git a/coderd/rbac/authz_test.go b/coderd/rbac/authz_test.go
@@ -16,7 +16,7 @@ type benchmarkCase struct {
 	Roles  []string
 	Groups []string
 	UserID uuid.UUID
-	Scope  rbac.Scope
+	Scope  rbac.ScopeName
 }
 
 // benchmarkUserCases builds a set of users with different roles and groups.
diff --git a/coderd/rbac/scopes.go b/coderd/rbac/scopes.go
@@ -6,7 +6,7 @@ import (
 	"golang.org/x/xerrors"
 )
 
-type Scope string
+type ScopeName string
 
 // TODO: @emyrk rename this struct
 type ScopeRole struct {
@@ -15,12 +15,12 @@ type ScopeRole struct {
 }
 
 const (
-	ScopeAll                Scope = "all"
-	ScopeApplicationConnect Scope = "application_connect"
+	ScopeAll                ScopeName = "all"
+	ScopeApplicationConnect ScopeName = "application_connect"
 )
 
 // TODO: Support passing in scopeID list for allowlisting resources.
-var builtinScopes = map[Scope]ScopeRole{
+var builtinScopes = map[ScopeName]ScopeRole{
 	// ScopeAll is a special scope that allows access to all resources. During
 	// authorize checks it is usually not used directly and skips scope checks.
 	ScopeAll: {
@@ -50,7 +50,7 @@ var builtinScopes = map[Scope]ScopeRole{
 	},
 }
 
-func ExpandScope(scope Scope) (ScopeRole, error) {
+func ExpandScope(scope ScopeName) (ScopeRole, error) {
 	role, ok := builtinScopes[scope]
 	if !ok {
 		return ScopeRole{}, xerrors.Errorf("no scope named %q", scope)
diff --git a/coderd/rbac/trace.go b/coderd/rbac/trace.go
@@ -7,7 +7,7 @@ import (
 
 // rbacTraceAttributes are the attributes that are added to all spans created by
 // the rbac package. These attributes should help to debug slow spans.
-func rbacTraceAttributes(roles []string, groupCount int, scope Scope, action Action, objectType string, extra ...attribute.KeyValue) trace.SpanStartOption {
+func rbacTraceAttributes(roles []string, groupCount int, scope ScopeName, action Action, objectType string, extra ...attribute.KeyValue) trace.SpanStartOption {
 	return trace.WithAttributes(
 		append(extra,
 			attribute.StringSlice("subject_roles", roles),

Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,7 @@ func TestFilter(t *testing.T) {`
`77`	`77`	`SubjectID string`
`78`	`78`	`Roles []string`
`79`	`79`	`Action Action`
`80`		`- Scope Scope`
	`80`	`+ Scope ScopeName`
`81`	`81`	`ObjectType string`
`82`	`82`	`}{`
`83`	`83`	`{`
Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@ type benchmarkCase struct {`
`16`	`16`	`Roles []string`
`17`	`17`	`Groups []string`
`18`	`18`	`UserID uuid.UUID`
`19`		`- Scope rbac.Scope`
	`19`	`+ Scope rbac.ScopeName`
`20`	`20`	`}`
`21`	`21`
`22`	`22`	`// benchmarkUserCases builds a set of users with different roles and groups.`