fixup! run golangci-lint and goimports

johnstcn · johnstcn · commit 2969fc10a67d · 2022-04-12T09:15:39.000-05:00
diff --git a/coderd/rbac/authz.go b/coderd/rbac/authz.go
@@ -54,20 +54,20 @@ func (a RegoAuthorizer) Authorize(ctx context.Context, subjectID string, roles [
 
 	results, err := a.query.Eval(ctx, rego.EvalInput(input))
 	if err != nil {
-		return ForbiddenWithInternal(xerrors.Errorf("eval rego: %w, err"), input)
+		return ForbiddenWithInternal(xerrors.Errorf("eval rego: %w, err"), input, results)
 	}
 
 	if len(results) != 1 {
-		return ForbiddenWithInternal(xerrors.Errorf("expect only 1 result, got %d", len(results)), input)
+		return ForbiddenWithInternal(xerrors.Errorf("expect only 1 result, got %d", len(results)), input, results)
 	}
 
 	allowedResult, ok := (results[0].Bindings["allowed"]).(bool)
 	if !ok {
-		return ForbiddenWithInternal(xerrors.Errorf("expected allowed to be a bool but got %T", allowedResult), input)
+		return ForbiddenWithInternal(xerrors.Errorf("expected allowed to be a bool but got %T", allowedResult), input, results)
 	}
 
-	if allowedResult {
-		return ForbiddenWithInternal(xerrors.Errorf("policy disallows request"), input)
+	if !allowedResult {
+		return ForbiddenWithInternal(xerrors.Errorf("policy disallows request"), input, results)
 	}
 
 	return nil
diff --git a/coderd/rbac/authz_test.go b/coderd/rbac/authz_test.go
@@ -606,6 +606,7 @@ func testAuthorize(t *testing.T, name string, subject subject, sets ...[]authTes
 							d, _ := json.Marshal(uerr.Input())
 							t.Logf("input: %s", string(d))
 							t.Logf("internal error: %+v", uerr.Internal().Error())
+							t.Logf("output: %+v", uerr.Output())
 						}
 						require.NoError(t, err, "expected no error for testcase action %s", a)
 						continue
diff --git a/coderd/rbac/error.go b/coderd/rbac/error.go
@@ -1,5 +1,7 @@
 package rbac
 
+import "github.com/open-policy-agent/opa/rego"
+
 const (
 	// errUnauthorized is the error message that should be returned to
 	// clients when an action is forbidden. It is intentionally vague to prevent
@@ -13,18 +15,20 @@ type UnauthorizedError struct {
 	// It is only for debugging purposes.
 	internal error
 	input    map[string]interface{}
+	output   rego.ResultSet
 }
 
 // ForbiddenWithInternal creates a new error that will return a simple
 // "forbidden" to the client, logging internally the more detailed message
 // provided.
-func ForbiddenWithInternal(internal error, input map[string]interface{}) *UnauthorizedError {
+func ForbiddenWithInternal(internal error, input map[string]interface{}, output rego.ResultSet) *UnauthorizedError {
 	if input == nil {
 		input = map[string]interface{}{}
 	}
 	return &UnauthorizedError{
 		internal: internal,
 		input:    input,
+		output:   output,
 	}
 }
 
@@ -41,3 +45,8 @@ func (e *UnauthorizedError) Internal() error {
 func (e *UnauthorizedError) Input() map[string]interface{} {
 	return e.input
 }
+
+// Output contains the results of the Rego query for debugging.
+func (e *UnauthorizedError) Output() rego.ResultSet {
+	return e.output
+}

Original file line number	Diff line number	Diff line change
`@@ -54,20 +54,20 @@ func (a RegoAuthorizer) Authorize(ctx context.Context, subjectID string, roles [`
`54`	`54`
`55`	`55`	`results, err := a.query.Eval(ctx, rego.EvalInput(input))`
`56`	`56`	`if err != nil {`
`57`		`- return ForbiddenWithInternal(xerrors.Errorf("eval rego: %w, err"), input)`
	`57`	`+ return ForbiddenWithInternal(xerrors.Errorf("eval rego: %w, err"), input, results)`
`58`	`58`	`}`
`59`	`59`
`60`	`60`	`if len(results) != 1 {`
`61`		`- return ForbiddenWithInternal(xerrors.Errorf("expect only 1 result, got %d", len(results)), input)`
	`61`	`+ return ForbiddenWithInternal(xerrors.Errorf("expect only 1 result, got %d", len(results)), input, results)`
`62`	`62`	`}`
`63`	`63`
`64`	`64`	`allowedResult, ok := (results[0].Bindings["allowed"]).(bool)`
`65`	`65`	`if !ok {`
`66`		`- return ForbiddenWithInternal(xerrors.Errorf("expected allowed to be a bool but got %T", allowedResult), input)`
	`66`	`+ return ForbiddenWithInternal(xerrors.Errorf("expected allowed to be a bool but got %T", allowedResult), input, results)`
`67`	`67`	`}`
`68`	`68`
`69`		`- if allowedResult {`
`70`		`- return ForbiddenWithInternal(xerrors.Errorf("policy disallows request"), input)`
	`69`	`+ if !allowedResult {`
	`70`	`+ return ForbiddenWithInternal(xerrors.Errorf("policy disallows request"), input, results)`
`71`	`71`	`}`
`72`	`72`
`73`	`73`	`return nil`
Original file line number	Diff line number	Diff line change
`@@ -606,6 +606,7 @@ func testAuthorize(t *testing.T, name string, subject subject, sets ...[]authTes`
`606`	`606`	`d, _ := json.Marshal(uerr.Input())`
`607`	`607`	`t.Logf("input: %s", string(d))`
`608`	`608`	`t.Logf("internal error: %+v", uerr.Internal().Error())`
	`609`	`+ t.Logf("output: %+v", uerr.Output())`
`609`	`610`	`}`
`610`	`611`	`require.NoError(t, err, "expected no error for testcase action %s", a)`
`611`	`612`	`continue`