remove queryWithRelated

johnstcn · johnstcn · commit 13f1c9f27f25 · 2023-02-07T14:39:05.000Z
diff --git a/coderd/authzquery/authz.go b/coderd/authzquery/authz.go
@@ -245,48 +245,6 @@ func fetchWithPostFilter[ArgumentType any, ObjectType rbac.Objecter,
 	}
 }
 
-// queryWithRelated performs the same function as authorizedQuery, except that
-// RBAC checks are performed on the result of relatedFunc() instead of the result of fetch().
-// This is useful for cases where ObjectType does not implement RBACObjecter.
-// For example, a TemplateVersion object does not implement RBACObjecter, but it is
-// related to a Template object, which does. Thus, any operations on a TemplateVersion
-// are predicated on the RBAC permissions of the related Template object.
-func queryWithRelated[ObjectType any, ArgumentType any, Related rbac.Objecter](
-	// Arguments
-	logger slog.Logger,
-	authorizer rbac.Authorizer,
-	action rbac.Action,
-	relatedFunc func(ObjectType, ArgumentType) (Related, error),
-	fetch func(ctx context.Context, arg ArgumentType) (ObjectType, error)) func(ctx context.Context, arg ArgumentType) (ObjectType, error) {
-	return func(ctx context.Context, arg ArgumentType) (empty ObjectType, err error) {
-		// Fetch the rbac subject
-		act, ok := ActorFromContext(ctx)
-		if !ok {
-			return empty, NoActorError
-		}
-
-		// Fetch the rbac object
-		obj, err := fetch(ctx, arg)
-		if err != nil {
-			return empty, xerrors.Errorf("fetch object: %w", err)
-		}
-
-		// Fetch the related object on which we actually do RBAC
-		rel, err := relatedFunc(obj, arg)
-		if err != nil {
-			return empty, xerrors.Errorf("fetch related object: %w", err)
-		}
-
-		// Authorize the action
-		err = authorizer.Authorize(ctx, act, action, rel.RBACObject())
-		if err != nil {
-			return empty, LogNotAuthorizedError(ctx, logger, err)
-		}
-
-		return obj, nil
-	}
-}
-
 // prepareSQLFilter is a helper function that prepares a SQL filter using the
 // given authorization context.
 func prepareSQLFilter(ctx context.Context, authorizer rbac.Authorizer, action rbac.Action, resourceType string) (rbac.PreparedAuthorized, error) {
diff --git a/coderd/authzquery/group.go b/coderd/authzquery/group.go
@@ -50,10 +50,10 @@ func (q *AuthzQuerier) GetGroupByOrgAndName(ctx context.Context, arg database.Ge
 }
 
 func (q *AuthzQuerier) GetGroupMembers(ctx context.Context, groupID uuid.UUID) ([]database.User, error) {
-	relatedFunc := func(_ []database.User, groupID uuid.UUID) (database.Group, error) {
-		return q.db.GetGroupByID(ctx, groupID)
+	if _, err := q.GetGroupByID(ctx, groupID); err != nil { // AuthZ check
+		return nil, err
 	}
-	return queryWithRelated(q.log, q.auth, rbac.ActionRead, relatedFunc, q.db.GetGroupMembers)(ctx, groupID)
+	return q.db.GetGroupMembers(ctx, groupID)
 }
 
 func (q *AuthzQuerier) InsertAllUsersGroup(ctx context.Context, organizationID uuid.UUID) (database.Group, error) {
diff --git a/coderd/authzquery/template.go b/coderd/authzquery/template.go
@@ -17,27 +17,26 @@ import (
 
 func (q *AuthzQuerier) GetPreviousTemplateVersion(ctx context.Context, arg database.GetPreviousTemplateVersionParams) (database.TemplateVersion, error) {
 	// An actor can read the previous template version if they can read the related template.
-	fetchRelated := func(_ database.TemplateVersion, _ database.GetPreviousTemplateVersionParams) (rbac.Objecter, error) {
-		if !arg.TemplateID.Valid {
-			// If no linked template exists, check if the actor can read the template in the organization.
-			return rbac.ResourceTemplate.InOrg(arg.OrganizationID), nil
+	// If no linked template exists, we check if the actor can read *a* template.
+	if !arg.TemplateID.Valid {
+		if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceTemplate.InOrg(arg.OrganizationID)); err != nil {
+			return database.TemplateVersion{}, err
 		}
-		return q.db.GetTemplateByID(ctx, arg.TemplateID.UUID)
 	}
-	return queryWithRelated(q.log, q.auth, rbac.ActionRead, fetchRelated, q.db.GetPreviousTemplateVersion)(ctx, arg)
+	if _, err := q.GetTemplateByID(ctx, arg.TemplateID.UUID); err != nil {
+		return database.TemplateVersion{}, err
+	}
+	return q.db.GetPreviousTemplateVersion(ctx, arg)
 }
 
 func (q *AuthzQuerier) GetTemplateAverageBuildTime(ctx context.Context, arg database.GetTemplateAverageBuildTimeParams) (database.GetTemplateAverageBuildTimeRow, error) {
 	// An actor can read the average build time if they can read the related template.
-	fetchRelated := func(database.GetTemplateAverageBuildTimeRow, database.GetTemplateAverageBuildTimeParams) (rbac.Objecter, error) {
-		if !arg.TemplateID.Valid {
-			// If no linked template exists, check if the actor can read *a* template.
-			// We don't know the organization ID.
-			return rbac.ResourceTemplate, nil
-		}
-		return q.db.GetTemplateByID(ctx, arg.TemplateID.UUID)
+	// It doesn't make any sense to get the average build time for a template that doesn't
+	// exist, so omitting this check here.
+	if _, err := q.GetTemplateByID(ctx, arg.TemplateID.UUID); err != nil {
+		return database.GetTemplateAverageBuildTimeRow{}, err
 	}
-	return queryWithRelated(q.log, q.auth, rbac.ActionRead, fetchRelated, q.db.GetTemplateAverageBuildTime)(ctx, arg)
+	return q.db.GetTemplateAverageBuildTime(ctx, arg)
 }
 
 func (q *AuthzQuerier) GetTemplateByID(ctx context.Context, id uuid.UUID) (database.Template, error) {
@@ -50,68 +49,62 @@ func (q *AuthzQuerier) GetTemplateByOrganizationAndName(ctx context.Context, arg
 
 func (q *AuthzQuerier) GetTemplateDAUs(ctx context.Context, templateID uuid.UUID) ([]database.GetTemplateDAUsRow, error) {
 	// An actor can read the DAUs if they can read the related template.
-	fetchRelated := func(_ []database.GetTemplateDAUsRow, _ uuid.UUID) (rbac.Objecter, error) {
-		return q.db.GetTemplateByID(ctx, templateID)
+	// Again, it doesn't make sense to get DAUs for a template that doesn't exist.
+	if _, err := q.GetTemplateByID(ctx, templateID); err != nil {
+		return nil, err
 	}
-	return queryWithRelated(q.log, q.auth, rbac.ActionRead, fetchRelated, q.db.GetTemplateDAUs)(ctx, templateID)
+	return q.db.GetTemplateDAUs(ctx, templateID)
 }
 
 func (q *AuthzQuerier) GetTemplateVersionByID(ctx context.Context, tvid uuid.UUID) (database.TemplateVersion, error) {
-	// An actor can read the template version if they can read the related template.
-	fetchRelated := func(tv database.TemplateVersion, _ uuid.UUID) (rbac.Objecter, error) {
-		if !tv.TemplateID.Valid {
-			// If no linked template exists, check if the actor can read a template
-			// in the organization.
-			return rbac.ResourceTemplate.InOrg(tv.OrganizationID), nil
+	tv, err := q.db.GetTemplateVersionByID(ctx, tvid)
+	if err != nil {
+		return database.TemplateVersion{}, err
+	}
+	if !tv.TemplateID.Valid {
+		// If no linked template exists, check if the actor can read a template in the organization.
+		if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceTemplate.InOrg(tv.OrganizationID)); err != nil {
+			return database.TemplateVersion{}, err
 		}
-		return q.db.GetTemplateByID(ctx, tv.TemplateID.UUID)
-	}
-	return queryWithRelated(
-		q.log,
-		q.auth,
-		rbac.ActionRead,
-		fetchRelated,
-		q.db.GetTemplateVersionByID,
-	)(ctx, tvid)
+	} else if _, err := q.GetTemplateByID(ctx, tv.TemplateID.UUID); err != nil {
+		// An actor can read the template version if they can read the related template.
+		return database.TemplateVersion{}, err
+	}
+	return tv, nil
 }
 
 func (q *AuthzQuerier) GetTemplateVersionByJobID(ctx context.Context, jobID uuid.UUID) (database.TemplateVersion, error) {
-	// An actor can read the template version if they can read the related template.
-	fetchRelated := func(tv database.TemplateVersion, _ uuid.UUID) (rbac.Objecter, error) {
-		if !tv.TemplateID.Valid {
-			// If no linked template exists, check if the actor can read a
-			// template in the organization.
-			return rbac.ResourceTemplate.InOrg(tv.OrganizationID), nil
+	tv, err := q.db.GetTemplateVersionByJobID(ctx, jobID)
+	if err != nil {
+		return database.TemplateVersion{}, err
+	}
+	if !tv.TemplateID.Valid {
+		// If no linked template exists, check if the actor can read a template in the organization.
+		if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceTemplate.InOrg(tv.OrganizationID)); err != nil {
+			return database.TemplateVersion{}, err
 		}
-		return q.db.GetTemplateByID(ctx, tv.TemplateID.UUID)
-	}
-	return queryWithRelated(
-		q.log,
-		q.auth,
-		rbac.ActionRead,
-		fetchRelated,
-		q.db.GetTemplateVersionByJobID,
-	)(ctx, jobID)
+	} else if _, err := q.GetTemplateByID(ctx, tv.TemplateID.UUID); err != nil {
+		// An actor can read the template version if they can read the related template.
+		return database.TemplateVersion{}, err
+	}
+	return tv, nil
 }
 
 func (q *AuthzQuerier) GetTemplateVersionByTemplateIDAndName(ctx context.Context, arg database.GetTemplateVersionByTemplateIDAndNameParams) (database.TemplateVersion, error) {
-	// An actor can read the template version if they can read the related template.
-	fetchRelated := func(tv database.TemplateVersion, p database.GetTemplateVersionByTemplateIDAndNameParams) (rbac.Objecter, error) {
-		if !tv.TemplateID.Valid {
-			// If no linked template exists, check if the actor can read *a* template.
-			// We don't know the organization ID.
-			return rbac.ResourceTemplate, nil
+	tv, err := q.db.GetTemplateVersionByTemplateIDAndName(ctx, arg)
+	if err != nil {
+		return database.TemplateVersion{}, err
+	}
+	if !tv.TemplateID.Valid {
+		// If no linked template exists, check if the actor can read a template in the organization.
+		if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceTemplate.InOrg(tv.OrganizationID)); err != nil {
+			return database.TemplateVersion{}, err
 		}
-		return q.db.GetTemplateByID(ctx, tv.TemplateID.UUID)
+	} else if _, err := q.GetTemplateByID(ctx, tv.TemplateID.UUID); err != nil {
+		// An actor can read the template version if they can read the related template.
+		return database.TemplateVersion{}, err
 	}
-
-	return queryWithRelated(
-		q.log,
-		q.auth,
-		rbac.ActionRead,
-		fetchRelated,
-		q.db.GetTemplateVersionByTemplateIDAndName,
-	)(ctx, arg)
+	return tv, nil
 }
 
 func (q *AuthzQuerier) GetTemplateVersionParameters(ctx context.Context, templateVersionID uuid.UUID) ([]database.TemplateVersionParameter, error) {
@@ -183,16 +176,10 @@ func (q *AuthzQuerier) GetTemplateVersionsByTemplateID(ctx context.Context, arg
 
 func (q *AuthzQuerier) GetTemplateVersionsCreatedAfter(ctx context.Context, createdAt time.Time) ([]database.TemplateVersion, error) {
 	// An actor can read execute this query if they can read all templates.
-	fetchRelated := func(tvs []database.TemplateVersion, _ time.Time) (rbac.Objecter, error) {
-		return rbac.ResourceTemplate.All(), nil
-	}
-	return queryWithRelated(
-		q.log,
-		q.auth,
-		rbac.ActionRead,
-		fetchRelated,
-		q.db.GetTemplateVersionsCreatedAfter,
-	)(ctx, createdAt)
+	if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceTemplate); err != nil {
+		return nil, err
+	}
+	return q.db.GetTemplateVersionsCreatedAfter(ctx, createdAt)
 }
 
 func (q *AuthzQuerier) GetAuthorizedTemplates(ctx context.Context, arg database.GetTemplatesWithFilterParams, _ rbac.PreparedAuthorized) ([]database.Template, error) {

Original file line number	Diff line number	Diff line change
`@@ -50,10 +50,10 @@ func (q *AuthzQuerier) GetGroupByOrgAndName(ctx context.Context, arg database.Ge`
`50`	`50`	`}`
`51`	`51`
`52`	`52`	`func (q *AuthzQuerier) GetGroupMembers(ctx context.Context, groupID uuid.UUID) ([]database.User, error) {`
`53`		`- relatedFunc := func(_ []database.User, groupID uuid.UUID) (database.Group, error) {`
`54`		`- return q.db.GetGroupByID(ctx, groupID)`
	`53`	`+ if _, err := q.GetGroupByID(ctx, groupID); err != nil { // AuthZ check`
	`54`	`+ return nil, err`
`55`	`55`	`}`
`56`		`- return queryWithRelated(q.log, q.auth, rbac.ActionRead, relatedFunc, q.db.GetGroupMembers)(ctx, groupID)`
	`56`	`+ return q.db.GetGroupMembers(ctx, groupID)`
`57`	`57`	`}`
`58`	`58`
`59`	`59`	`func (q *AuthzQuerier) InsertAllUsersGroup(ctx context.Context, organizationID uuid.UUID) (database.Group, error) {`