Authorize per endpoint

Emyrk · Emyrk · commit 452c72d8e00f · 2022-05-13T13:56:45.000-05:00
diff --git a/coderd/authorize.go b/coderd/authorize.go
@@ -3,6 +3,9 @@ package coderd
 import (
 	"net/http"
 
+	"cdr.dev/slog"
+	"golang.org/x/xerrors"
+
 	"github.com/coder/coder/coderd/httpapi"
 	"github.com/coder/coder/coderd/httpmw"
 	"github.com/coder/coder/coderd/rbac"
@@ -15,6 +18,24 @@ func (api *api) Authorize(rw http.ResponseWriter, r *http.Request, action rbac.A
 		httpapi.Write(rw, http.StatusUnauthorized, httpapi.Response{
 			Message: err.Error(),
 		})
+
+		// Log the errors for debugging
+		internalError := new(rbac.UnauthorizedError)
+		logger := api.Logger
+		if xerrors.As(err, internalError) {
+			logger = api.Logger.With(slog.F("internal", internalError.Internal()))
+		}
+		// Log information for debugging. This will be very helpful
+		// in the early days
+		logger.Warn(r.Context(), "unauthorized",
+			slog.F("roles", roles.Roles),
+			slog.F("user_id", roles.ID),
+			slog.F("username", roles.Username),
+			slog.F("route", r.URL.Path),
+			slog.F("action", action),
+			slog.F("object", object),
+		)
+
 		return false
 	}
 	return true
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -83,10 +83,6 @@ func New(options *Options) (http.Handler, func()) {
 	// TODO: @emyrk we should just move this into 'ExtractAPIKey'.
 	authRolesMiddleware := httpmw.ExtractUserRoles(options.Database)
 
-	authorize := func(f http.HandlerFunc, actions rbac.Action) http.HandlerFunc {
-		return httpmw.Authorize(api.Logger, api.Authorizer, actions)(f).ServeHTTP
-	}
-
 	r := chi.NewRouter()
 
 	r.Use(
@@ -158,10 +154,7 @@ func New(options *Options) (http.Handler, func()) {
 				})
 			})
 			r.Route("/members", func(r chi.Router) {
-				r.Route("/roles", func(r chi.Router) {
-					r.Use(httpmw.WithRBACObject(rbac.ResourceUserRole))
-					r.Get("/", authorize(api.assignableOrgRoles, rbac.ActionRead))
-				})
+				r.Get("/roles", api.assignableOrgRoles)
 				r.Route("/{user}", func(r chi.Router) {
 					r.Use(
 						httpmw.ExtractUserParam(options.Database),
@@ -232,16 +225,15 @@ func New(options *Options) (http.Handler, func()) {
 				r.Get("/", api.users)
 				// These routes query information about site wide roles.
 				r.Route("/roles", func(r chi.Router) {
-					r.Use(httpmw.WithRBACObject(rbac.ResourceUserRole))
-					r.Get("/", authorize(api.assignableSiteRoles, rbac.ActionRead))
+					r.Get("/", api.assignableSiteRoles)
 				})
 				r.Route("/{user}", func(r chi.Router) {
 					r.Use(httpmw.ExtractUserParam(options.Database))
 					r.Get("/", api.userByName)
 					r.Put("/profile", api.putUserProfile)
 					r.Put("/suspend", api.putUserSuspend)
 					r.Route("/password", func(r chi.Router) {
-						r.Put("/", authorize(api.putUserPassword, rbac.ActionUpdate))
+						r.Put("/", api.putUserPassword)
 					})
 					r.Get("/organizations", api.organizationsByUser)
 					r.Post("/organizations", api.postOrganizationsByUser)
diff --git a/coderd/roles.go b/coderd/roles.go
@@ -14,6 +14,7 @@ import (
 func (*api) assignableSiteRoles(rw http.ResponseWriter, _ *http.Request) {
 	// TODO: @emyrk in the future, allow granular subsets of roles to be returned based on the
 	// 	role of the user.
+
 	roles := rbac.SiteRoles()
 	httpapi.Write(rw, http.StatusOK, convertRoles(roles))
 }
diff --git a/coderd/users.go b/coderd/users.go
@@ -109,6 +109,11 @@ func (api *api) users(rw http.ResponseWriter, r *http.Request) {
 		statusFilter = r.URL.Query().Get("status")
 	)
 
+	// Reading all users across the site
+	if !api.Authorize(rw, r, rbac.ActionRead, rbac.ResourceUser) {
+		return
+	}
+
 	paginationParams, ok := parsePagination(rw, r)
 	if !ok {
 		return
@@ -175,6 +180,8 @@ func (api *api) postUser(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// TODO: @emyrk Authorize the organization create if the createUser will do that.
+
 	_, err := api.Database.GetUserByEmailOrUsername(r.Context(), database.GetUserByEmailOrUsernameParams{
 		Username: createUser.Username,
 		Email:    createUser.Email,
@@ -253,6 +260,10 @@ func (api *api) userByName(rw http.ResponseWriter, r *http.Request) {
 func (api *api) putUserProfile(rw http.ResponseWriter, r *http.Request) {
 	user := httpmw.UserParam(r)
 
+	if !api.Authorize(rw, r, rbac.ActionUpdate, rbac.ResourceUser.WithID(user.ID.String())) {
+		return
+	}
+
 	var params codersdk.UpdateUserProfileRequest
 	if !httpapi.Read(rw, r, &params) {
 		return
@@ -318,6 +329,10 @@ func (api *api) putUserProfile(rw http.ResponseWriter, r *http.Request) {
 func (api *api) putUserSuspend(rw http.ResponseWriter, r *http.Request) {
 	user := httpmw.UserParam(r)
 
+	if !api.Authorize(rw, r, rbac.ActionUpdate, rbac.ResourceUser.WithID(user.ID.String())) {
+		return
+	}
+
 	suspendedUser, err := api.Database.UpdateUserStatus(r.Context(), database.UpdateUserStatusParams{
 		ID:        user.ID,
 		Status:    database.UserStatusSuspended,
@@ -351,6 +366,10 @@ func (api *api) putUserPassword(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if !api.Authorize(rw, r, rbac.ActionUpdate, rbac.ResourceUser.WithID(user.ID.String())) {
+		return
+	}
+
 	hashedPassword, err := userpassword.Hash(params.Password)
 	if err != nil {
 		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{

Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,7 @@ import (`
`14`	`14`	`func (api) assignableSiteRoles(rw http.ResponseWriter, _ http.Request) {`
`15`	`15`	`// TODO: @emyrk in the future, allow granular subsets of roles to be returned based on the`
`16`	`16`	`// role of the user.`
	`17`	`+`
`17`	`18`	`roles := rbac.SiteRoles()`
`18`	`19`	`httpapi.Write(rw, http.StatusOK, convertRoles(roles))`
`19`	`20`	`}`