chore: check proper rbac perms on open file in cache

Emyrk · Emyrk · commit 496a0962afef · 2025-06-12T13:01:28.000-05:00
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -572,10 +572,13 @@ func New(options *Options) *API {
 		TemplateScheduleStore:       options.TemplateScheduleStore,
 		UserQuietHoursScheduleStore: options.UserQuietHoursScheduleStore,
 		AccessControlStore:          options.AccessControlStore,
-		FileCache:                   files.NewFromStore(options.Database, options.PrometheusRegistry),
-		Experiments:                 experiments,
-		WebpushDispatcher:           options.WebPushDispatcher,
-		healthCheckGroup:            &singleflight.Group[string, *healthsdk.HealthcheckReport]{},
+		FileCache: files.NewFromStore(options.Database, options.PrometheusRegistry, func(ctx context.Context, action policy.Action, object rbac.Object) error {
+			subject := httpmw.UserAuthorizationCtx(ctx)
+			return options.Authorizer.Authorize(ctx, subject, action, object)
+		}),
+		Experiments:       experiments,
+		WebpushDispatcher: options.WebPushDispatcher,
+		healthCheckGroup:  &singleflight.Group[string, *healthsdk.HealthcheckReport]{},
 		Acquirer: provisionerdserver.NewAcquirer(
 			ctx,
 			options.Logger.Named("acquirer"),
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -432,6 +432,24 @@ var (
 		}),
 		Scope: rbac.ScopeAll,
 	}.WithCachedASTValue()
+
+	subjectFileReader = rbac.Subject{
+		Type:         rbac.SubjectTypeFileReader,
+		FriendlyName: "Can Read All Files",
+		ID:           uuid.Nil.String(),
+		Roles: rbac.Roles([]rbac.Role{
+			{
+				Identifier:  rbac.RoleIdentifier{Name: "file-reader"},
+				DisplayName: "FileReader",
+				Site: rbac.Permissions(map[string][]policy.Action{
+					rbac.ResourceFile.Type: {policy.ActionRead},
+				}),
+				Org:  map[string][]rbac.Permission{},
+				User: []rbac.Permission{},
+			},
+		}),
+		Scope: rbac.ScopeAll,
+	}.WithCachedASTValue()
 )
 
 // AsProvisionerd returns a context with an actor that has permissions required
@@ -498,6 +516,10 @@ func AsPrebuildsOrchestrator(ctx context.Context) context.Context {
 	return As(ctx, subjectPrebuildsOrchestrator)
 }
 
+func AsFileReader(ctx context.Context) context.Context {
+	return As(ctx, subjectFileReader)
+}
+
 var AsRemoveActor = rbac.Subject{
 	ID: "remove-actor",
 }
diff --git a/coderd/files/cache.go b/coderd/files/cache.go
@@ -13,33 +13,42 @@ import (
 
 	archivefs "github.com/coder/coder/v2/archive/fs"
 	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/dbauthz"
+	"github.com/coder/coder/v2/coderd/rbac"
+	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/coderd/util/lazy"
 )
 
+type AuthorizeFile func(ctx context.Context, action policy.Action, object rbac.Object) error
+
 // NewFromStore returns a file cache that will fetch files from the provided
 // database.
-func NewFromStore(store database.Store, registerer prometheus.Registerer) *Cache {
+func NewFromStore(store database.Store, registerer prometheus.Registerer, authz AuthorizeFile) *Cache {
 	fetch := func(ctx context.Context, fileID uuid.UUID) (cacheEntryValue, error) {
-		file, err := store.GetFileByID(ctx, fileID)
+		// Make sure the read does not fail due to authorization issues.
+		// Authz is checked on the Acquire call, so this is safe.
+		file, err := store.GetFileByID(dbauthz.AsFileReader(ctx), fileID)
 		if err != nil {
 			return cacheEntryValue{}, xerrors.Errorf("failed to read file from database: %w", err)
 		}
 
 		content := bytes.NewBuffer(file.Data)
 		return cacheEntryValue{
-			FS:   archivefs.FromTarReader(content),
-			size: int64(content.Len()),
+			object: rbac.ResourceFile.WithID(file.ID).WithOwner(file.CreatedBy.String()),
+			FS:     archivefs.FromTarReader(content),
+			size:   int64(content.Len()),
 		}, nil
 	}
 
-	return New(fetch, registerer)
+	return New(fetch, registerer, authz)
 }
 
-func New(fetch fetcher, registerer prometheus.Registerer) *Cache {
+func New(fetch fetcher, registerer prometheus.Registerer, authz AuthorizeFile) *Cache {
 	return (&Cache{
 		lock:    sync.Mutex{},
 		data:    make(map[uuid.UUID]*cacheEntry),
 		fetcher: fetch,
+		authz:   authz,
 	}).registerMetrics(registerer)
 }
 
@@ -101,6 +110,7 @@ type Cache struct {
 	lock sync.Mutex
 	data map[uuid.UUID]*cacheEntry
 	fetcher
+	authz AuthorizeFile
 
 	// metrics
 	cacheMetrics
@@ -118,6 +128,7 @@ type cacheMetrics struct {
 }
 
 type cacheEntryValue struct {
+	object rbac.Object
 	fs.FS
 	size int64
 }
@@ -146,6 +157,13 @@ func (c *Cache) Acquire(ctx context.Context, fileID uuid.UUID) (fs.FS, error) {
 		c.Release(fileID)
 		return nil, err
 	}
+
+	// Always check the caller can actually read the file.
+	if c.authz(ctx, policy.ActionRead, it.object) != nil {
+		c.Release(fileID)
+		return nil, err
+	}
+
 	return it.FS, err
 }
 
diff --git a/coderd/httpmw/apikey.go b/coderd/httpmw/apikey.go
@@ -47,14 +47,18 @@ func APIKey(r *http.Request) database.APIKey {
 
 // UserAuthorizationOptional may return the roles and scope used for
 // authorization. Depends on the ExtractAPIKey handler.
-func UserAuthorizationOptional(r *http.Request) (rbac.Subject, bool) {
-	return dbauthz.ActorFromContext(r.Context())
+func UserAuthorizationOptional(ctx context.Context) (rbac.Subject, bool) {
+	return dbauthz.ActorFromContext(ctx)
 }
 
 // UserAuthorization returns the roles and scope used for authorization. Depends
 // on the ExtractAPIKey handler.
 func UserAuthorization(r *http.Request) rbac.Subject {
-	auth, ok := UserAuthorizationOptional(r)
+	return UserAuthorizationCtx(r.Context())
+}
+
+func UserAuthorizationCtx(ctx context.Context) rbac.Subject {
+	auth, ok := UserAuthorizationOptional(ctx)
 	if !ok {
 		panic("developer error: ExtractAPIKey middleware not provided")
 	}
diff --git a/coderd/httpmw/apikey_test.go b/coderd/httpmw/apikey_test.go
@@ -58,7 +58,7 @@ func TestAPIKey(t *testing.T) {
 			assert.NoError(t, err, "actor rego ok")
 		}
 
-		auth, ok := httpmw.UserAuthorizationOptional(r)
+		auth, ok := httpmw.UserAuthorizationOptional(r.Context())
 		assert.True(t, ok, "httpmw auth ok")
 		if ok {
 			_, err := auth.Roles.Expand()
diff --git a/coderd/rbac/authz.go b/coderd/rbac/authz.go
@@ -74,6 +74,7 @@ const (
 	SubjectTypeSystemRestricted             SubjectType = "system_restricted"
 	SubjectTypeNotifier                     SubjectType = "notifier"
 	SubjectTypeSubAgentAPI                  SubjectType = "sub_agent_api"
+	SubjectTypeFileReader                   SubjectType = "file_reader"
 )
 
 // Subject is a struct that contains all the elements of a subject in an rbac

Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,7 @@ func TestAPIKey(t *testing.T) {`
`58`	`58`	`assert.NoError(t, err, "actor rego ok")`
`59`	`59`	`}`
`60`	`60`
`61`		`- auth, ok := httpmw.UserAuthorizationOptional(r)`
	`61`	`+ auth, ok := httpmw.UserAuthorizationOptional(r.Context())`
`62`	`62`	`assert.True(t, ok, "httpmw auth ok")`
`63`	`63`	`if ok {`
`64`	`64`	`_, err := auth.Roles.Expand()`
Original file line number	Diff line number	Diff line change
`@@ -74,6 +74,7 @@ const (`
`74`	`74`	`SubjectTypeSystemRestricted SubjectType = "system_restricted"`
`75`	`75`	`SubjectTypeNotifier SubjectType = "notifier"`
`76`	`76`	`SubjectTypeSubAgentAPI SubjectType = "sub_agent_api"`
	`77`	`+ SubjectTypeFileReader SubjectType = "file_reader"`
`77`	`78`	`)`
`78`	`79`
`79`	`80`	`// Subject is a struct that contains all the elements of a subject in an rbac`