feat: Move all authorize calls into each handler

Emyrk · Emyrk · commit 32af1e6cde8c · 2022-05-16T08:03:14.000-05:00
diff --git a/coderd/coderd_test.go b/coderd/coderd_test.go
@@ -42,6 +42,13 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 	organization, err := client.Organization(context.Background(), admin.OrganizationID)
 	require.NoError(t, err, "fetch org")
 
+	// Setup some data in the database.
+	coderdtest.NewProvisionerDaemon(t, client)
+	version := coderdtest.CreateTemplateVersion(t, client, admin.OrganizationID, nil)
+	coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+	template := coderdtest.CreateTemplate(t, client, admin.OrganizationID, version.ID)
+	coderdtest.CreateWorkspace(t, client, admin.OrganizationID, template.ID)
+
 	// Always fail auth from this point forward
 	authorizer.AlwaysReturn = rbac.ForbiddenWithInternal(xerrors.New("fake implementation"), nil, nil)
 
@@ -128,9 +135,10 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 		"GET:/api/v2/files/{hash}": {NoAuthorize: true},
 
 		// These endpoints have more assertions. This is good, add more endpoints to assert if you can!
-		"GET:/api/v2/organizations/{organization}": {AssertObject: rbac.ResourceOrganization.InOrg(admin.OrganizationID)},
-		"GET:/api/v2/users/{user}/organizations":   {StatusCode: http.StatusOK, AssertObject: rbac.ResourceOrganization},
-		"GET:/api/v2/users/{user}/workspaces":      {StatusCode: http.StatusOK, AssertObject: rbac.ResourceWorkspace},
+		"GET:/api/v2/organizations/{organization}":                   {AssertObject: rbac.ResourceOrganization.InOrg(admin.OrganizationID)},
+		"GET:/api/v2/users/{user}/organizations":                     {StatusCode: http.StatusOK, AssertObject: rbac.ResourceOrganization},
+		"GET:/api/v2/users/{user}/workspaces":                        {StatusCode: http.StatusOK, AssertObject: rbac.ResourceWorkspace},
+		"GET:/api/v2/organizations/{organization}/workspaces/{user}": {StatusCode: http.StatusOK, AssertObject: rbac.ResourceWorkspace},
 	}
 
 	c, _ := srv.Config.Handler.(*chi.Mux)
@@ -159,17 +167,19 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 			if !routeAssertions.NoAuthorize {
 				assert.NotNil(t, authorizer.Called, "authorizer expected")
 				assert.Equal(t, routeAssertions.StatusCode, resp.StatusCode, "expect unauthorized")
-				if routeAssertions.AssertObject.Type != "" {
-					assert.Equal(t, routeAssertions.AssertObject.Type, authorizer.Called.Object.Type, "resource type")
-				}
-				if routeAssertions.AssertObject.Owner != "" {
-					assert.Equal(t, routeAssertions.AssertObject.Owner, authorizer.Called.Object.Owner, "resource owner")
-				}
-				if routeAssertions.AssertObject.OrgID != "" {
-					assert.Equal(t, routeAssertions.AssertObject.OrgID, authorizer.Called.Object.OrgID, "resource org")
-				}
-				if routeAssertions.AssertObject.ResourceID != "" {
-					assert.Equal(t, routeAssertions.AssertObject.ResourceID, authorizer.Called.Object.ResourceID, "resource ID")
+				if authorizer.Called != nil {
+					if routeAssertions.AssertObject.Type != "" {
+						assert.Equal(t, routeAssertions.AssertObject.Type, authorizer.Called.Object.Type, "resource type")
+					}
+					if routeAssertions.AssertObject.Owner != "" {
+						assert.Equal(t, routeAssertions.AssertObject.Owner, authorizer.Called.Object.Owner, "resource owner")
+					}
+					if routeAssertions.AssertObject.OrgID != "" {
+						assert.Equal(t, routeAssertions.AssertObject.OrgID, authorizer.Called.Object.OrgID, "resource org")
+					}
+					if routeAssertions.AssertObject.ResourceID != "" {
+						assert.Equal(t, routeAssertions.AssertObject.ResourceID, authorizer.Called.Object.ResourceID, "resource ID")
+					}
 				}
 			} else {
 				assert.Nil(t, authorizer.Called, "authorize not expected")
diff --git a/coderd/gitsshkey.go b/coderd/gitsshkey.go
@@ -4,6 +4,8 @@ import (
 	"fmt"
 	"net/http"
 
+	"github.com/coder/coder/coderd/rbac"
+
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/gitsshkey"
 	"github.com/coder/coder/coderd/httpapi"
@@ -13,6 +15,11 @@ import (
 
 func (api *api) regenerateGitSSHKey(rw http.ResponseWriter, r *http.Request) {
 	user := httpmw.UserParam(r)
+
+	if !api.Authorize(rw, r, rbac.ActionUpdate, rbac.ResourceUserData.WithOwner(user.ID.String())) {
+		return
+	}
+
 	privateKey, publicKey, err := gitsshkey.Generate(api.SSHKeygenAlgorithm)
 	if err != nil {
 		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
@@ -53,6 +60,11 @@ func (api *api) regenerateGitSSHKey(rw http.ResponseWriter, r *http.Request) {
 
 func (api *api) gitSSHKey(rw http.ResponseWriter, r *http.Request) {
 	user := httpmw.UserParam(r)
+
+	if !api.Authorize(rw, r, rbac.ActionRead, rbac.ResourceUserData.WithOwner(user.ID.String())) {
+		return
+	}
+
 	gitSSHKey, err := api.Database.GetGitSSHKey(r.Context(), user.ID)
 	if err != nil {
 		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
diff --git a/coderd/organizations.go b/coderd/organizations.go
@@ -7,6 +7,8 @@ import (
 	"fmt"
 	"net/http"
 
+	"github.com/coder/coder/coderd/rbac"
+
 	"github.com/go-chi/chi/v5"
 	"github.com/google/uuid"
 	"github.com/moby/moby/pkg/namesgenerator"
@@ -18,8 +20,15 @@ import (
 	"github.com/coder/coder/codersdk"
 )
 
-func (*api) organization(rw http.ResponseWriter, r *http.Request) {
+func (api *api) organization(rw http.ResponseWriter, r *http.Request) {
 	organization := httpmw.OrganizationParam(r)
+
+	if !api.Authorize(rw, r, rbac.ActionRead, rbac.ResourceOrganization.
+		InOrg(organization.ID).
+		WithID(organization.ID.String())) {
+		return
+	}
+
 	httpapi.Write(rw, http.StatusOK, convertOrganization(organization))
 }
 
@@ -327,6 +336,11 @@ func (api *api) templateByOrganizationAndName(rw http.ResponseWriter, r *http.Re
 
 func (api *api) workspacesByOrganization(rw http.ResponseWriter, r *http.Request) {
 	organization := httpmw.OrganizationParam(r)
+
+	if !api.Authorize(rw, r, rbac.ActionRead, rbac.ResourceWorkspace.InOrg(organization.ID)) {
+		return
+	}
+
 	workspaces, err := api.Database.GetWorkspacesByOrganizationID(r.Context(), database.GetWorkspacesByOrganizationIDParams{
 		OrganizationID: organization.ID,
 		Deleted:        false,
@@ -352,6 +366,8 @@ func (api *api) workspacesByOrganization(rw http.ResponseWriter, r *http.Request
 
 func (api *api) workspacesByOwner(rw http.ResponseWriter, r *http.Request) {
 	owner := httpmw.UserParam(r)
+	roles := httpmw.UserRoles(r)
+
 	workspaces, err := api.Database.GetWorkspacesByOwnerID(r.Context(), database.GetWorkspacesByOwnerIDParams{
 		OwnerID: owner.ID,
 	})
@@ -364,7 +380,19 @@ func (api *api) workspacesByOwner(rw http.ResponseWriter, r *http.Request) {
 		})
 		return
 	}
-	apiWorkspaces, err := convertWorkspaces(r.Context(), api.Database, workspaces)
+
+	allowed := make([]database.Workspace, 0)
+	for i := range workspaces {
+		w := workspaces[i]
+		err := api.Authorizer.ByRoleName(r.Context(), roles.ID.String(), roles.Roles, rbac.ActionRead,
+			rbac.ResourceWorkspace.InOrg(w.OrganizationID).WithOwner(w.OwnerID.String()).WithID(w.ID.String()))
+
+		if err == nil {
+			allowed = append(allowed, w)
+		}
+	}
+
+	apiWorkspaces, err := convertWorkspaces(r.Context(), api.Database, allowed)
 	if err != nil {
 		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
 			Message: fmt.Sprintf("convert workspaces: %s", err),
@@ -379,6 +407,10 @@ func (api *api) workspaceByOwnerAndName(rw http.ResponseWriter, r *http.Request)
 	organization := httpmw.OrganizationParam(r)
 	workspaceName := chi.URLParam(r, "workspace")
 
+	if !api.Authorize(rw, r, rbac.ActionRead, rbac.ResourceWorkspace.InOrg(organization.ID).WithOwner(owner.ID.String())) {
+		return
+	}
+
 	workspace, err := api.Database.GetWorkspaceByOwnerIDAndName(r.Context(), database.GetWorkspaceByOwnerIDAndNameParams{
 		OwnerID: owner.ID,
 		Name:    workspaceName,
@@ -431,11 +463,18 @@ func (api *api) workspaceByOwnerAndName(rw http.ResponseWriter, r *http.Request)
 
 // Create a new workspace for the currently authenticated user.
 func (api *api) postWorkspacesByOrganization(rw http.ResponseWriter, r *http.Request) {
+	organization := httpmw.OrganizationParam(r)
+	apiKey := httpmw.APIKey(r)
+
 	var createWorkspace codersdk.CreateWorkspaceRequest
 	if !httpapi.Read(rw, r, &createWorkspace) {
 		return
 	}
-	apiKey := httpmw.APIKey(r)
+
+	if !api.Authorize(rw, r, rbac.ActionCreate, rbac.ResourceWorkspace.InOrg(organization.ID).WithOwner(apiKey.UserID.String())) {
+		return
+	}
+
 	template, err := api.Database.GetTemplateByID(r.Context(), createWorkspace.TemplateID)
 	if errors.Is(err, sql.ErrNoRows) {
 		httpapi.Write(rw, http.StatusBadRequest, httpapi.Response{
@@ -453,7 +492,7 @@ func (api *api) postWorkspacesByOrganization(rw http.ResponseWriter, r *http.Req
 		})
 		return
 	}
-	organization := httpmw.OrganizationParam(r)
+
 	if organization.ID != template.OrganizationID {
 		httpapi.Write(rw, http.StatusUnauthorized, httpapi.Response{
 			Message: fmt.Sprintf("template is not in organization %q", organization.Name),
diff --git a/coderd/rbac/object.go b/coderd/rbac/object.go
@@ -54,13 +54,20 @@ var (
 	}
 
 	// ResourceUser is the user in the 'users' table.
+	// ResourceUser never has any owners or in an org, as it's site wide.
 	// 	create/delete = make or delete a new user.
 	// 	read = view all user's settings
 	// 	update = update all user field & settings
 	ResourceUser = Object{
 		Type: "user",
 	}
 
+	// ResourceUserData is any data associated with a user. A user has control
+	// over their data (profile, password, etc). So this resource has an owner.
+	ResourceUserData = Object{
+		Type: "user_data",
+	}
+
 	// ResourceOrganizationMember is a user's membership in an organization.
 	// Has ONLY an organization owner.
 	//	create/delete  = Create/delete member from org.
diff --git a/coderd/roles.go b/coderd/roles.go
@@ -11,33 +11,37 @@ import (
 )
 
 // assignableSiteRoles returns all site wide roles that can be assigned.
-func (*api) assignableSiteRoles(rw http.ResponseWriter, _ *http.Request) {
+func (api *api) assignableSiteRoles(rw http.ResponseWriter, r *http.Request) {
 	// TODO: @emyrk in the future, allow granular subsets of roles to be returned based on the
 	// 	role of the user.
 
+	if !api.Authorize(rw, r, rbac.ActionRead, rbac.ResourceUserRole) {
+		return
+	}
+
 	roles := rbac.SiteRoles()
 	httpapi.Write(rw, http.StatusOK, convertRoles(roles))
 }
 
 // assignableSiteRoles returns all site wide roles that can be assigned.
-func (*api) assignableOrgRoles(rw http.ResponseWriter, r *http.Request) {
+func (api *api) assignableOrgRoles(rw http.ResponseWriter, r *http.Request) {
 	// TODO: @emyrk in the future, allow granular subsets of roles to be returned based on the
 	// 	role of the user.
 	organization := httpmw.OrganizationParam(r)
+
+	if !api.Authorize(rw, r, rbac.ActionRead, rbac.ResourceUserRole.InOrg(organization.ID)) {
+		return
+	}
+
 	roles := rbac.OrganizationRoles(organization.ID)
 	httpapi.Write(rw, http.StatusOK, convertRoles(roles))
 }
 
 func (api *api) checkPermissions(rw http.ResponseWriter, r *http.Request) {
 	roles := httpmw.UserRoles(r)
 	user := httpmw.UserParam(r)
-	if user.ID != roles.ID {
-		httpapi.Write(rw, http.StatusBadRequest, httpapi.Response{
-			// TODO: @Emyrk in the future we could have an rbac check here.
-			//	If the user can masquerade/impersonate as the user passed in,
-			//	we could allow this or something like that.
-			Message: "only allowed to check permissions on yourself",
-		})
+
+	if !api.Authorize(rw, r, rbac.ActionRead, rbac.ResourceUserData.WithOwner(user.ID.String())) {
 		return
 	}
 
diff --git a/coderd/users.go b/coderd/users.go
