Skip to content

Commit 1e1778d

Browse files
EmyrkEmyrk
committed
More dbauthz
1 parent cd68fef commit 1e1778d

File tree

1 file changed

+48
-105
lines changed

1 file changed

+48
-105
lines changed

coderd/database/dbauthz/dbauthz.go

+48-105
Original file line numberDiff line numberDiff line change
@@ -837,22 +837,22 @@ func (q *querier) DeleteOAuth2ProviderAppCodeByID(ctx context.Context, id uuid.U
837837

838838
func (q *querier) DeleteOAuth2ProviderAppCodesByAppAndUserID(ctx context.Context, arg database.DeleteOAuth2ProviderAppCodesByAppAndUserIDParams) error {
839839
if err := q.authorizeContext(ctx, policy.ActionDelete,
840-
rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(arg.UserID.String())); err != nil {
840+
rbac.ResourceOauth2AppCodeToken.WithOwner(arg.UserID.String())); err != nil {
841841
return err
842842
}
843843
return q.db.DeleteOAuth2ProviderAppCodesByAppAndUserID(ctx, arg)
844844
}
845845

846846
func (q *querier) DeleteOAuth2ProviderAppSecretByID(ctx context.Context, id uuid.UUID) error {
847-
if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceOAuth2ProviderAppSecret); err != nil {
847+
if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceOauth2AppSecret); err != nil {
848848
return err
849849
}
850850
return q.db.DeleteOAuth2ProviderAppSecretByID(ctx, id)
851851
}
852852

853853
func (q *querier) DeleteOAuth2ProviderAppTokensByAppAndUserID(ctx context.Context, arg database.DeleteOAuth2ProviderAppTokensByAppAndUserIDParams) error {
854854
if err := q.authorizeContext(ctx, policy.ActionDelete,
855-
rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(arg.UserID.String())); err != nil {
855+
rbac.ResourceOauth2AppCodeToken.WithOwner(arg.UserID.String())); err != nil {
856856
return err
857857
}
858858
return q.db.DeleteOAuth2ProviderAppTokensByAppAndUserID(ctx, arg)
@@ -1241,7 +1241,7 @@ func (q *querier) GetNotificationBanners(ctx context.Context) (string, error) {
12411241
}
12421242

12431243
func (q *querier) GetOAuth2ProviderAppByID(ctx context.Context, id uuid.UUID) (database.OAuth2ProviderApp, error) {
1244-
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOAuth2ProviderApp); err != nil {
1244+
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOauth2App); err != nil {
12451245
return database.OAuth2ProviderApp{}, err
12461246
}
12471247
return q.db.GetOAuth2ProviderAppByID(ctx, id)
@@ -1256,7 +1256,7 @@ func (q *querier) GetOAuth2ProviderAppCodeByPrefix(ctx context.Context, secretPr
12561256
}
12571257

12581258
func (q *querier) GetOAuth2ProviderAppSecretByID(ctx context.Context, id uuid.UUID) (database.OAuth2ProviderAppSecret, error) {
1259-
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOAuth2ProviderAppSecret); err != nil {
1259+
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOauth2AppSecret); err != nil {
12601260
return database.OAuth2ProviderAppSecret{}, err
12611261
}
12621262
return q.db.GetOAuth2ProviderAppSecretByID(ctx, id)
@@ -1267,7 +1267,7 @@ func (q *querier) GetOAuth2ProviderAppSecretByPrefix(ctx context.Context, secret
12671267
}
12681268

12691269
func (q *querier) GetOAuth2ProviderAppSecretsByAppID(ctx context.Context, appID uuid.UUID) ([]database.OAuth2ProviderAppSecret, error) {
1270-
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOAuth2ProviderAppSecret); err != nil {
1270+
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOauth2AppSecret); err != nil {
12711271
return []database.OAuth2ProviderAppSecret{}, err
12721272
}
12731273
return q.db.GetOAuth2ProviderAppSecretsByAppID(ctx, appID)
@@ -1283,14 +1283,14 @@ func (q *querier) GetOAuth2ProviderAppTokenByPrefix(ctx context.Context, hashPre
12831283
if err != nil {
12841284
return database.OAuth2ProviderAppToken{}, err
12851285
}
1286-
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(key.UserID.String())); err != nil {
1286+
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOauth2AppCodeToken.WithOwner(key.UserID.String())); err != nil {
12871287
return database.OAuth2ProviderAppToken{}, err
12881288
}
12891289
return token, nil
12901290
}
12911291

12921292
func (q *querier) GetOAuth2ProviderApps(ctx context.Context) ([]database.OAuth2ProviderApp, error) {
1293-
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOAuth2ProviderApp); err != nil {
1293+
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOauth2App); err != nil {
12941294
return []database.OAuth2ProviderApp{}, err
12951295
}
12961296
return q.db.GetOAuth2ProviderApps(ctx)
@@ -1299,7 +1299,7 @@ func (q *querier) GetOAuth2ProviderApps(ctx context.Context) ([]database.OAuth2P
12991299
func (q *querier) GetOAuth2ProviderAppsByUserID(ctx context.Context, userID uuid.UUID) ([]database.GetOAuth2ProviderAppsByUserIDRow, error) {
13001300
// This authz check is to make sure the caller can read all their own tokens.
13011301
if err := q.authorizeContext(ctx, policy.ActionRead,
1302-
rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(userID.String())); err != nil {
1302+
rbac.ResourceOauth2AppCodeToken.WithOwner(userID.String())); err != nil {
13031303
return []database.GetOAuth2ProviderAppsByUserIDRow{}, err
13041304
}
13051305
return q.db.GetOAuth2ProviderAppsByUserID(ctx, userID)
@@ -1510,31 +1510,15 @@ func (q *querier) GetTailnetTunnelPeerIDs(ctx context.Context, srcID uuid.UUID)
15101510
}
15111511

15121512
func (q *querier) GetTemplateAppInsights(ctx context.Context, arg database.GetTemplateAppInsightsParams) ([]database.GetTemplateAppInsightsRow, error) {
1513-
// Used by TemplateAppInsights endpoint
1514-
// For auditors, check read template_insights, and fall back to update template.
1515-
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceTemplateInsights); err != nil {
1516-
for _, templateID := range arg.TemplateIDs {
1517-
template, err := q.db.GetTemplateByID(ctx, templateID)
1518-
if err != nil {
1519-
return nil, err
1520-
}
1521-
1522-
if err := q.authorizeContext(ctx, policy.ActionUpdate, template); err != nil {
1523-
return nil, err
1524-
}
1525-
}
1526-
if len(arg.TemplateIDs) == 0 {
1527-
if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceTemplate.All()); err != nil {
1528-
return nil, err
1529-
}
1530-
}
1513+
if err := q.authorizeTemplateInsights(ctx, arg.TemplateIDs); err != nil {
1514+
return nil, err
15311515
}
15321516
return q.db.GetTemplateAppInsights(ctx, arg)
15331517
}
15341518

15351519
func (q *querier) GetTemplateAppInsightsByTemplate(ctx context.Context, arg database.GetTemplateAppInsightsByTemplateParams) ([]database.GetTemplateAppInsightsByTemplateRow, error) {
15361520
// Only used by prometheus metrics, so we don't strictly need to check update template perms.
1537-
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceTemplateInsights); err != nil {
1521+
if err := q.authorizeContext(ctx, policy.ActionViewInsights, rbac.ResourceTemplate); err != nil {
15381522
return nil, err
15391523
}
15401524
return q.db.GetTemplateAppInsightsByTemplate(ctx, arg)
@@ -1564,102 +1548,61 @@ func (q *querier) GetTemplateDAUs(ctx context.Context, arg database.GetTemplateD
15641548
return q.db.GetTemplateDAUs(ctx, arg)
15651549
}
15661550

1567-
func (q *querier) GetTemplateInsights(ctx context.Context, arg database.GetTemplateInsightsParams) (database.GetTemplateInsightsRow, error) {
1568-
// Used by TemplateInsights endpoint
1569-
// For auditors, check read template_insights, and fall back to update template.
1570-
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceTemplateInsights); err != nil {
1571-
for _, templateID := range arg.TemplateIDs {
1551+
func (q *querier) authorizeTemplateInsights(ctx context.Context, templateIDs []uuid.UUID) error {
1552+
// Abort early if can read all template insights, aka admins.
1553+
// TODO: If we know the org, that would allow org admins to abort early too.
1554+
if err := q.authorizeContext(ctx, policy.ActionViewInsights, rbac.ResourceTemplate); err != nil {
1555+
for _, templateID := range templateIDs {
15721556
template, err := q.db.GetTemplateByID(ctx, templateID)
15731557
if err != nil {
1574-
return database.GetTemplateInsightsRow{}, err
1558+
return err
15751559
}
15761560

1577-
if err := q.authorizeContext(ctx, policy.ActionUpdate, template); err != nil {
1578-
return database.GetTemplateInsightsRow{}, err
1561+
if err := q.authorizeContext(ctx, policy.ActionViewInsights, template); err != nil {
1562+
return err
15791563
}
15801564
}
1581-
if len(arg.TemplateIDs) == 0 {
1582-
if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceTemplate.All()); err != nil {
1583-
return database.GetTemplateInsightsRow{}, err
1565+
if len(templateIDs) == 0 {
1566+
if err := q.authorizeContext(ctx, policy.ActionViewInsights, rbac.ResourceTemplate.All()); err != nil {
1567+
return err
15841568
}
15851569
}
15861570
}
1571+
return nil
1572+
}
1573+
1574+
func (q *querier) GetTemplateInsights(ctx context.Context, arg database.GetTemplateInsightsParams) (database.GetTemplateInsightsRow, error) {
1575+
if err := q.authorizeTemplateInsights(ctx, arg.TemplateIDs); err != nil {
1576+
return database.GetTemplateInsightsRow{}, err
1577+
}
15871578
return q.db.GetTemplateInsights(ctx, arg)
15881579
}
15891580

15901581
func (q *querier) GetTemplateInsightsByInterval(ctx context.Context, arg database.GetTemplateInsightsByIntervalParams) ([]database.GetTemplateInsightsByIntervalRow, error) {
1591-
// Used by TemplateInsights endpoint
1592-
// For auditors, check read template_insights, and fall back to update template.
1593-
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceTemplateInsights); err != nil {
1594-
for _, templateID := range arg.TemplateIDs {
1595-
template, err := q.db.GetTemplateByID(ctx, templateID)
1596-
if err != nil {
1597-
return nil, err
1598-
}
1599-
1600-
if err := q.authorizeContext(ctx, policy.ActionUpdate, template); err != nil {
1601-
return nil, err
1602-
}
1603-
}
1604-
if len(arg.TemplateIDs) == 0 {
1605-
if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceTemplate.All()); err != nil {
1606-
return nil, err
1607-
}
1608-
}
1582+
if err := q.authorizeTemplateInsights(ctx, arg.TemplateIDs); err != nil {
1583+
return nil, err
16091584
}
16101585
return q.db.GetTemplateInsightsByInterval(ctx, arg)
16111586
}
16121587

16131588
func (q *querier) GetTemplateInsightsByTemplate(ctx context.Context, arg database.GetTemplateInsightsByTemplateParams) ([]database.GetTemplateInsightsByTemplateRow, error) {
16141589
// Only used by prometheus metrics collector. No need to check update template perms.
1615-
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceTemplateInsights); err != nil {
1590+
if err := q.authorizeContext(ctx, policy.ActionViewInsights, rbac.ResourceTemplate); err != nil {
16161591
return nil, err
16171592
}
16181593
return q.db.GetTemplateInsightsByTemplate(ctx, arg)
16191594
}
16201595

16211596
func (q *querier) GetTemplateParameterInsights(ctx context.Context, arg database.GetTemplateParameterInsightsParams) ([]database.GetTemplateParameterInsightsRow, error) {
1622-
// Used by both insights endpoint and prometheus collector.
1623-
// For auditors, check read template_insights, and fall back to update template.
1624-
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceTemplateInsights); err != nil {
1625-
for _, templateID := range arg.TemplateIDs {
1626-
template, err := q.db.GetTemplateByID(ctx, templateID)
1627-
if err != nil {
1628-
return nil, err
1629-
}
1630-
1631-
if err := q.authorizeContext(ctx, policy.ActionUpdate, template); err != nil {
1632-
return nil, err
1633-
}
1634-
}
1635-
if len(arg.TemplateIDs) == 0 {
1636-
if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceTemplate.All()); err != nil {
1637-
return nil, err
1638-
}
1639-
}
1597+
if err := q.authorizeTemplateInsights(ctx, arg.TemplateIDs); err != nil {
1598+
return nil, err
16401599
}
16411600
return q.db.GetTemplateParameterInsights(ctx, arg)
16421601
}
16431602

16441603
func (q *querier) GetTemplateUsageStats(ctx context.Context, arg database.GetTemplateUsageStatsParams) ([]database.TemplateUsageStat, error) {
1645-
// Used by dbrollup tests, use same safe-guard as other insights endpoints.
1646-
// For auditors, check read template_insights, and fall back to update template.
1647-
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceTemplateInsights); err != nil {
1648-
for _, templateID := range arg.TemplateIDs {
1649-
template, err := q.db.GetTemplateByID(ctx, templateID)
1650-
if err != nil {
1651-
return nil, err
1652-
}
1653-
1654-
if err := q.authorizeContext(ctx, policy.ActionUpdate, template); err != nil {
1655-
return nil, err
1656-
}
1657-
}
1658-
if len(arg.TemplateIDs) == 0 {
1659-
if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceTemplate.All()); err != nil {
1660-
return nil, err
1661-
}
1662-
}
1604+
if err := q.authorizeTemplateInsights(ctx, arg.TemplateIDs); err != nil {
1605+
return nil, err
16631606
}
16641607
return q.db.GetTemplateUsageStats(ctx, arg)
16651608
}
@@ -2291,7 +2234,7 @@ func (q *querier) GetWorkspacesEligibleForTransition(ctx context.Context, now ti
22912234

22922235
func (q *querier) InsertAPIKey(ctx context.Context, arg database.InsertAPIKeyParams) (database.APIKey, error) {
22932236
return insert(q.log, q.auth,
2294-
rbac.ResourceAPIKey.WithOwner(arg.UserID.String()),
2237+
rbac.ResourceApiKey.WithOwner(arg.UserID.String()),
22952238
q.db.InsertAPIKey)(ctx, arg)
22962239
}
22972240

@@ -2363,22 +2306,22 @@ func (q *querier) InsertMissingGroups(ctx context.Context, arg database.InsertMi
23632306
}
23642307

23652308
func (q *querier) InsertOAuth2ProviderApp(ctx context.Context, arg database.InsertOAuth2ProviderAppParams) (database.OAuth2ProviderApp, error) {
2366-
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceOAuth2ProviderApp); err != nil {
2309+
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceOauth2App); err != nil {
23672310
return database.OAuth2ProviderApp{}, err
23682311
}
23692312
return q.db.InsertOAuth2ProviderApp(ctx, arg)
23702313
}
23712314

23722315
func (q *querier) InsertOAuth2ProviderAppCode(ctx context.Context, arg database.InsertOAuth2ProviderAppCodeParams) (database.OAuth2ProviderAppCode, error) {
23732316
if err := q.authorizeContext(ctx, policy.ActionCreate,
2374-
rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(arg.UserID.String())); err != nil {
2317+
rbac.ResourceOauth2AppCodeToken.WithOwner(arg.UserID.String())); err != nil {
23752318
return database.OAuth2ProviderAppCode{}, err
23762319
}
23772320
return q.db.InsertOAuth2ProviderAppCode(ctx, arg)
23782321
}
23792322

23802323
func (q *querier) InsertOAuth2ProviderAppSecret(ctx context.Context, arg database.InsertOAuth2ProviderAppSecretParams) (database.OAuth2ProviderAppSecret, error) {
2381-
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceOAuth2ProviderAppSecret); err != nil {
2324+
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceOauth2AppSecret); err != nil {
23822325
return database.OAuth2ProviderAppSecret{}, err
23832326
}
23842327
return q.db.InsertOAuth2ProviderAppSecret(ctx, arg)
@@ -2389,7 +2332,7 @@ func (q *querier) InsertOAuth2ProviderAppToken(ctx context.Context, arg database
23892332
if err != nil {
23902333
return database.OAuth2ProviderAppToken{}, err
23912334
}
2392-
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(key.UserID.String())); err != nil {
2335+
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceOauth2AppCodeToken.WithOwner(key.UserID.String())); err != nil {
23932336
return database.OAuth2ProviderAppToken{}, err
23942337
}
23952338
return q.db.InsertOAuth2ProviderAppToken(ctx, arg)
@@ -2779,14 +2722,14 @@ func (q *querier) UpdateMemberRoles(ctx context.Context, arg database.UpdateMemb
27792722
}
27802723

27812724
func (q *querier) UpdateOAuth2ProviderAppByID(ctx context.Context, arg database.UpdateOAuth2ProviderAppByIDParams) (database.OAuth2ProviderApp, error) {
2782-
if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceOAuth2ProviderApp); err != nil {
2725+
if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceOauth2App); err != nil {
27832726
return database.OAuth2ProviderApp{}, err
27842727
}
27852728
return q.db.UpdateOAuth2ProviderAppByID(ctx, arg)
27862729
}
27872730

27882731
func (q *querier) UpdateOAuth2ProviderAppSecretByID(ctx context.Context, arg database.UpdateOAuth2ProviderAppSecretByIDParams) (database.OAuth2ProviderAppSecret, error) {
2789-
if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceOAuth2ProviderAppSecret); err != nil {
2732+
if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceOauth2AppSecret); err != nil {
27902733
return database.OAuth2ProviderAppSecret{}, err
27912734
}
27922735
return q.db.UpdateOAuth2ProviderAppSecretByID(ctx, arg)
@@ -3324,7 +3267,7 @@ func (q *querier) UpsertAppSecurityKey(ctx context.Context, data string) error {
33243267
}
33253268

33263269
func (q *querier) UpsertApplicationName(ctx context.Context, value string) error {
3327-
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceDeploymentValues); err != nil {
3270+
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceDeploymentConfig); err != nil {
33283271
return err
33293272
}
33303273
return q.db.UpsertApplicationName(ctx, value)
@@ -3338,7 +3281,7 @@ func (q *querier) UpsertDefaultProxy(ctx context.Context, arg database.UpsertDef
33383281
}
33393282

33403283
func (q *querier) UpsertHealthSettings(ctx context.Context, value string) error {
3341-
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceDeploymentValues); err != nil {
3284+
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceDeploymentConfig); err != nil {
33423285
return err
33433286
}
33443287
return q.db.UpsertHealthSettings(ctx, value)
@@ -3373,14 +3316,14 @@ func (q *querier) UpsertLastUpdateCheck(ctx context.Context, value string) error
33733316
}
33743317

33753318
func (q *querier) UpsertLogoURL(ctx context.Context, value string) error {
3376-
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceDeploymentValues); err != nil {
3319+
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceDeploymentConfig); err != nil {
33773320
return err
33783321
}
33793322
return q.db.UpsertLogoURL(ctx, value)
33803323
}
33813324

33823325
func (q *querier) UpsertNotificationBanners(ctx context.Context, value string) error {
3383-
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceDeploymentValues); err != nil {
3326+
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceDeploymentConfig); err != nil {
33843327
return err
33853328
}
33863329
return q.db.UpsertNotificationBanners(ctx, value)

0 commit comments

Comments
 (0)