chore: add owner to resourceUser rbac object

Emyrk · Emyrk · commit 04a2cae0b598 · 2023-07-11T18:56:12.000-04:00
diff --git a/coderd/coderdtest/authorize.go b/coderd/coderdtest/authorize.go
@@ -116,7 +116,7 @@ func (RBACAsserter) convertObjects(t *testing.T, objs ...interface{}) []rbac.Obj
 		case codersdk.TemplateVersion:
 			robj = rbac.ResourceTemplate.InOrg(obj.OrganizationID)
 		case codersdk.User:
-			robj = rbac.ResourceUser.WithID(obj.ID)
+			robj = rbac.ResourceUser.WithID(obj.ID).WithOwner(obj.ID.String())
 		case codersdk.Workspace:
 			robj = rbac.ResourceWorkspace.WithID(obj.ID).InOrg(obj.OrganizationID).WithOwner(obj.OwnerID.String())
 		default:
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -1181,15 +1181,15 @@ func (q *querier) GetProvisionerLogsAfterID(ctx context.Context, arg database.Ge
 }
 
 func (q *querier) GetQuotaAllowanceForUser(ctx context.Context, userID uuid.UUID) (int64, error) {
-	err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceUser.WithID(userID))
+	err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceUser.WithID(userID).WithOwner(userID.String()))
 	if err != nil {
 		return -1, err
 	}
 	return q.db.GetQuotaAllowanceForUser(ctx, userID)
 }
 
 func (q *querier) GetQuotaConsumedForUser(ctx context.Context, userID uuid.UUID) (int64, error) {
-	err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceUser.WithID(userID))
+	err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceUser.WithID(userID).WithOwner(userID.String()))
 	if err != nil {
 		return -1, err
 	}
@@ -1436,7 +1436,7 @@ func (q *querier) GetUsers(ctx context.Context, arg database.GetUsersParams) ([]
 // itself.
 func (q *querier) GetUsersByIDs(ctx context.Context, ids []uuid.UUID) ([]database.User, error) {
 	for _, uid := range ids {
-		if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceUser.WithID(uid)); err != nil {
+		if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceUser.WithID(uid).WithOwner(uid.String())); err != nil {
 			return nil, err
 		}
 	}
@@ -1942,7 +1942,7 @@ func (q *querier) InsertUserGroupsByName(ctx context.Context, arg database.Inser
 
 // TODO: Should this be in system.go?
 func (q *querier) InsertUserLink(ctx context.Context, arg database.InsertUserLinkParams) (database.UserLink, error) {
-	if err := q.authorizeContext(ctx, rbac.ActionUpdate, rbac.ResourceUser.WithID(arg.UserID)); err != nil {
+	if err := q.authorizeContext(ctx, rbac.ActionUpdate, rbac.ResourceUser.WithID(arg.UserID).WithOwner(arg.UserID.String())); err != nil {
 		return database.UserLink{}, err
 	}
 	return q.db.InsertUserLink(ctx, arg)
diff --git a/coderd/database/dbauthz/dbauthz_test.go b/coderd/database/dbauthz/dbauthz_test.go
@@ -521,7 +521,7 @@ func (s *MethodTestSuite) TestOrganization() {
 		ma := dbgen.OrganizationMember(s.T(), db, database.OrganizationMember{OrganizationID: oa.ID})
 		mb := dbgen.OrganizationMember(s.T(), db, database.OrganizationMember{OrganizationID: ob.ID})
 		check.Args([]uuid.UUID{ma.UserID, mb.UserID}).
-			Asserts(rbac.ResourceUser.WithID(ma.UserID), rbac.ActionRead, rbac.ResourceUser.WithID(mb.UserID), rbac.ActionRead)
+			Asserts(rbac.ResourceUser.WithID(ma.UserID).WithOwner(ma.UserID.String()), rbac.ActionRead, rbac.ResourceUser.WithID(mb.UserID).WithOwner(mb.UserID.String()), rbac.ActionRead)
 	}))
 	s.Run("GetOrganizationMemberByUserID", s.Subtest(func(db database.Store, check *expects) {
 		mem := dbgen.OrganizationMember(s.T(), db, database.OrganizationMember{})
diff --git a/coderd/database/modelmethods.go b/coderd/database/modelmethods.go
@@ -201,7 +201,7 @@ func (m GetOrganizationIDsByMemberIDsRow) RBACObject() rbac.Object {
 	// TODO: This feels incorrect as we are really returning a list of orgmembers.
 	// This return type should be refactored to return a list of orgmembers, not this
 	// special type.
-	return rbac.ResourceUser.WithID(m.UserID)
+	return rbac.ResourceUser.WithID(m.UserID).WithOwner(m.UserID.String())
 }
 
 func (o Organization) RBACObject() rbac.Object {
@@ -233,15 +233,15 @@ func (f File) RBACObject() rbac.Object {
 // If you are trying to get the RBAC object for the UserData, use
 // u.UserDataRBACObject() instead.
 func (u User) RBACObject() rbac.Object {
-	return rbac.ResourceUser.WithID(u.ID)
+	return rbac.ResourceUser.WithID(u.ID).WithOwner(u.ID.String())
 }
 
 func (u User) UserDataRBACObject() rbac.Object {
 	return rbac.ResourceUserData.WithID(u.ID).WithOwner(u.ID.String())
 }
 
 func (u GetUsersRow) RBACObject() rbac.Object {
-	return rbac.ResourceUser.WithID(u.ID)
+	return rbac.ResourceUser.WithID(u.ID).WithOwner(u.ID.String())
 }
 
 func (u GitSSHKey) RBACObject() rbac.Object {
diff --git a/coderd/database/modelqueries.go b/coderd/database/modelqueries.go
@@ -256,7 +256,10 @@ type userQuerier interface {
 }
 
 func (q *sqlQuerier) GetAuthorizedUserCount(ctx context.Context, arg GetFilteredUserCountParams, prepared rbac.PreparedAuthorized) (int64, error) {
-	authorizedFilter, err := prepared.CompileToSQL(ctx, rbac.ConfigWithoutACL())
+	authorizedFilter, err := prepared.CompileToSQL(ctx, regosql.ConvertConfig{
+		VariableConverter: regosql.UserConverter(),
+	})
+
 	if err != nil {
 		return -1, xerrors.Errorf("compile authorized filter: %w", err)
 	}
diff --git a/coderd/rbac/regosql/configs.go b/coderd/rbac/regosql/configs.go
@@ -22,6 +22,22 @@ func userACLMatcher(m sqltypes.VariableMatcher) sqltypes.VariableMatcher {
 	return ACLGroupMatcher(m, "user_acl", []string{"input", "object", "acl_user_list"})
 }
 
+func UserConverter() *sqltypes.VariableConverter {
+	matcher := sqltypes.NewVariableConverter().RegisterMatcher(
+		resourceIDMatcher(),
+		// Users are never owned by an organization.
+		sqltypes.AlwaysFalse(organizationOwnerMatcher()),
+		// Users are always owned by themselves.
+		sqltypes.StringVarMatcher("id :: text", []string{"input", "object", "owner"}),
+	)
+	matcher.RegisterMatcher(
+		// No ACLs on the user type
+		sqltypes.AlwaysFalse(groupACLMatcher(matcher)),
+		sqltypes.AlwaysFalse(userACLMatcher(matcher)),
+	)
+	return matcher
+}
+
 func TemplateConverter() *sqltypes.VariableConverter {
 	matcher := sqltypes.NewVariableConverter().RegisterMatcher(
 		resourceIDMatcher(),
diff --git a/coderd/rbac/roles.go b/coderd/rbac/roles.go
@@ -145,14 +145,18 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 		Name:        member,
 		DisplayName: "",
 		Site: Permissions(map[string][]Action{
-			// All users can read all other users and know they exist.
-			ResourceUser.Type:           {ActionRead},
 			ResourceRoleAssignment.Type: {ActionRead},
 			// All users can see the provisioner daemons.
 			ResourceProvisionerDaemon.Type: {ActionRead},
 		}),
-		Org:  map[string][]Permission{},
-		User: allPermsExcept(ResourceWorkspaceLocked),
+		Org: map[string][]Permission{},
+		User: append(allPermsExcept(ResourceWorkspaceLocked, ResourceUser),
+			Permissions(map[string][]Action{
+				// Users cannot do create/update/delete on themselves, but they
+				// can read their own details.
+				ResourceUser.Type: {ActionRead},
+			})...,
+		),
 	}.withCachedRegoValue()
 
 	auditorRole := Role{
@@ -163,6 +167,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 			// are not in.
 			ResourceTemplate.Type: {ActionRead},
 			ResourceAuditLog.Type: {ActionRead},
+			ResourceUser.Type:     {ActionRead},
 		}),
 		Org:  map[string][]Permission{},
 		User: []Permission{},
@@ -172,6 +177,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
 		Name:        templateAdmin,
 		DisplayName: "Template Admin",
 		Site: Permissions(map[string][]Action{
+			ResourceUser.Type:     {ActionRead},
 			ResourceTemplate.Type: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
 			// CRUD all files, even those they did not upload.
 			ResourceFile.Type:      {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
diff --git a/coderd/rbac/roles_test.go b/coderd/rbac/roles_test.go
@@ -106,7 +106,7 @@ func TestRolePermissions(t *testing.T) {
 		{
 			Name:     "MyUser",
 			Actions:  []rbac.Action{rbac.ActionRead},
-			Resource: rbac.ResourceUser.WithID(currentUser),
+			Resource: rbac.ResourceUser.WithID(currentUser).WithOwner(currentUser.String()),
 			AuthorizeMap: map[bool][]authSubject{
 				true:  {owner, memberMe, orgMemberMe, orgAdmin, otherOrgMember, otherOrgAdmin, templateAdmin, userAdmin},
 				false: {},

Original file line number	Diff line number	Diff line change
`@@ -1181,15 +1181,15 @@ func (q *querier) GetProvisionerLogsAfterID(ctx context.Context, arg database.Ge`
`1181`	`1181`	`}`
`1182`	`1182`
`1183`	`1183`	`func (q *querier) GetQuotaAllowanceForUser(ctx context.Context, userID uuid.UUID) (int64, error) {`
`1184`		`- err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceUser.WithID(userID))`
	`1184`	`+ err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceUser.WithID(userID).WithOwner(userID.String()))`
`1185`	`1185`	`if err != nil {`
`1186`	`1186`	`return -1, err`
`1187`	`1187`	`}`
`1188`	`1188`	`return q.db.GetQuotaAllowanceForUser(ctx, userID)`
`1189`	`1189`	`}`
`1190`	`1190`
`1191`	`1191`	`func (q *querier) GetQuotaConsumedForUser(ctx context.Context, userID uuid.UUID) (int64, error) {`
`1192`		`- err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceUser.WithID(userID))`
	`1192`	`+ err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceUser.WithID(userID).WithOwner(userID.String()))`
`1193`	`1193`	`if err != nil {`
`1194`	`1194`	`return -1, err`
`1195`	`1195`	`}`
`@@ -1436,7 +1436,7 @@ func (q *querier) GetUsers(ctx context.Context, arg database.GetUsersParams) ([]`
`1436`	`1436`	`// itself.`
`1437`	`1437`	`func (q *querier) GetUsersByIDs(ctx context.Context, ids []uuid.UUID) ([]database.User, error) {`
`1438`	`1438`	`for _, uid := range ids {`
`1439`		`- if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceUser.WithID(uid)); err != nil {`
	`1439`	`+ if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceUser.WithID(uid).WithOwner(uid.String())); err != nil {`
`1440`	`1440`	`return nil, err`
`1441`	`1441`	`}`
`1442`	`1442`	`}`
`@@ -1942,7 +1942,7 @@ func (q *querier) InsertUserGroupsByName(ctx context.Context, arg database.Inser`
`1942`	`1942`
`1943`	`1943`	`// TODO: Should this be in system.go?`
`1944`	`1944`	`func (q *querier) InsertUserLink(ctx context.Context, arg database.InsertUserLinkParams) (database.UserLink, error) {`
`1945`		`- if err := q.authorizeContext(ctx, rbac.ActionUpdate, rbac.ResourceUser.WithID(arg.UserID)); err != nil {`
	`1945`	`+ if err := q.authorizeContext(ctx, rbac.ActionUpdate, rbac.ResourceUser.WithID(arg.UserID).WithOwner(arg.UserID.String())); err != nil {`
`1946`	`1946`	`return database.UserLink{}, err`
`1947`	`1947`	`}`
`1948`	`1948`	`return q.db.InsertUserLink(ctx, arg)`
Original file line number	Diff line number	Diff line change
`@@ -201,7 +201,7 @@ func (m GetOrganizationIDsByMemberIDsRow) RBACObject() rbac.Object {`
`201`	`201`	`// TODO: This feels incorrect as we are really returning a list of orgmembers.`
`202`	`202`	`// This return type should be refactored to return a list of orgmembers, not this`
`203`	`203`	`// special type.`
`204`		`- return rbac.ResourceUser.WithID(m.UserID)`
	`204`	`+ return rbac.ResourceUser.WithID(m.UserID).WithOwner(m.UserID.String())`
`205`	`205`	`}`
`206`	`206`
`207`	`207`	`func (o Organization) RBACObject() rbac.Object {`
`@@ -233,15 +233,15 @@ func (f File) RBACObject() rbac.Object {`
`233`	`233`	`// If you are trying to get the RBAC object for the UserData, use`
`234`	`234`	`// u.UserDataRBACObject() instead.`
`235`	`235`	`func (u User) RBACObject() rbac.Object {`
`236`		`- return rbac.ResourceUser.WithID(u.ID)`
	`236`	`+ return rbac.ResourceUser.WithID(u.ID).WithOwner(u.ID.String())`
`237`	`237`	`}`
`238`	`238`
`239`	`239`	`func (u User) UserDataRBACObject() rbac.Object {`
`240`	`240`	`return rbac.ResourceUserData.WithID(u.ID).WithOwner(u.ID.String())`
`241`	`241`	`}`
`242`	`242`
`243`	`243`	`func (u GetUsersRow) RBACObject() rbac.Object {`
`244`		`- return rbac.ResourceUser.WithID(u.ID)`
	`244`	`+ return rbac.ResourceUser.WithID(u.ID).WithOwner(u.ID.String())`
`245`	`245`	`}`
`246`	`246`
`247`	`247`	`func (u GitSSHKey) RBACObject() rbac.Object {`
Original file line number	Diff line number	Diff line change
`@@ -256,7 +256,10 @@ type userQuerier interface {`
`256`	`256`	`}`
`257`	`257`
`258`	`258`	`func (q *sqlQuerier) GetAuthorizedUserCount(ctx context.Context, arg GetFilteredUserCountParams, prepared rbac.PreparedAuthorized) (int64, error) {`
`259`		`- authorizedFilter, err := prepared.CompileToSQL(ctx, rbac.ConfigWithoutACL())`
	`259`	`+ authorizedFilter, err := prepared.CompileToSQL(ctx, regosql.ConvertConfig{`
	`260`	`+ VariableConverter: regosql.UserConverter(),`
	`261`	`+ })`
	`262`	`+`
`260`	`263`	`if err != nil {`
`261`	`264`	`return -1, xerrors.Errorf("compile authorized filter: %w", err)`
`262`	`265`	`}`
Original file line number	Diff line number	Diff line change
`@@ -106,7 +106,7 @@ func TestRolePermissions(t *testing.T) {`
`106`	`106`	`{`
`107`	`107`	`Name: "MyUser",`
`108`	`108`	`Actions: []rbac.Action{rbac.ActionRead},`
`109`		`- Resource: rbac.ResourceUser.WithID(currentUser),`
	`109`	`+ Resource: rbac.ResourceUser.WithID(currentUser).WithOwner(currentUser.String()),`
`110`	`110`	`AuthorizeMap: map[bool][]authSubject{`
`111`	`111`	`true: {owner, memberMe, orgMemberMe, orgAdmin, otherOrgMember, otherOrgAdmin, templateAdmin, userAdmin},`
`112`	`112`	`false: {},`