
Commit 4a7c68e

committed
Linting
1 parent f5eacd0 commit 4a7c68e


7 files changed

+72
-68
lines changed


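--- a/coderd/coderd_test.go
+++ b/coderd/coderd_test.go
@@ -63,7 +63,7 @@ func TestBuildInfo(t *testing.T) {
 // TestAuthorizeAllEndpoints will check `authorize` is called on every endpoint registered.
 func TestAuthorizeAllEndpoints(t *testing.T) {
 t.Parallel()
-authorizer := &fakeAuthorizer{}
+authorizer := newRecordingAuthorizer()
 
 ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
 defer cancel()
@@ -563,21 +563,29 @@ type authCall struct {
 Object rbac.Object
 }
 
-type fakeAuthorizer struct {
+type recordingAuthorizer struct {
+*rbac.FakeAuthorizer
 Called *authCall
 AlwaysReturn error
 }
 
-func (f *fakeAuthorizer) ByRoleName(_ context.Context, subjectID string, roleNames []string, action rbac.Action, object rbac.Object) error {
-f.Called = &authCall{
-SubjectID: subjectID,
-Roles: roleNames,
-Action: action,
-Object: object,
+func newRecordingAuthorizer() recordingAuthorizer {
+r := recordingAuthorizer{}
+// Use the fake authorizer by rbac to handle prepared authorizers.
+r.FakeAuthorizer = &rbac.FakeAuthorizer{
+AuthFunc: func(ctx context.Context, subjectID string, roleNames []string, action rbac.Action, object rbac.Object) error {
+r.Called = &authCall{
+SubjectID: subjectID,
+Roles: roleNames,
+Action: action,
+Object: object,
+}
+return r.AlwaysReturn
+},
 }
-return f.AlwaysReturn
+return r
 }
 
-func (f *fakeAuthorizer) reset() {
+func (f *recordingAuthorizer) reset() {
 f.Called = nil
 }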
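Review bot: `newRecordingAuthorizer` returns `recordingAuthorizer` by value, but the `AuthFunc` closure captures the local `r`, so `r.Called` is written on a different struct from the copy the caller receives. On the returned copy `Called` would then stay nil, and an `AlwaysReturn` set by the test would never reach the closure, which undermines the check that every endpoint calls authorize. Returning a pointer keeps a single shared instance: `func newRecordingAuthorizer() *recordingAuthorizer {` with `r := &recordingAuthorizer{}`. The part of the test that reads `Called` and sets `AlwaysReturn` is outside these hunks, so confirm it there.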

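--- a/coderd/rbac/auth_fake.go
+++ b/coderd/rbac/auth_fake.go
@@ -0,0 +1,31 @@
+package rbac
+
+import "context"
+
+type FakeAuthorizer struct {
+AuthFunc func(ctx context.Context, subjectID string, roleNames []string, action Action, object Object) error
+}
+
+func (f FakeAuthorizer) ByRoleName(ctx context.Context, subjectID string, roleNames []string, action Action, object Object) error {
+return f.AuthFunc(ctx, subjectID, roleNames, action, object)
+}
+
+func (f FakeAuthorizer) PrepareByRoleName(_ context.Context, subjectID string, roles []string, action Action, _ string) (PreparedAuthorized, error) {
+return &fakePreparedAuthorizer{
+Original: f,
+SubjectID: subjectID,
+Roles: roles,
+Action: action,
+}, nil
+}
+
+type fakePreparedAuthorizer struct {
+Original Authorizer
+SubjectID string
+Roles []string
+Action Action
+}
+
+func (f fakePreparedAuthorizer) Authorize(ctx context.Context, object Object) error {
+return f.Original.ByRoleName(ctx, f.SubjectID, f.Roles, f.Action, object)
+}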
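Review bot: `FakeAuthorizer` is exported from `auth_fake.go`, which is not a `_test.go` file, so an authorizer whose decision is whatever `AuthFunc` returns is compiled into the regular package with no doc comment marking it as a test double. A comment on the type such as `// FakeAuthorizer is a test double whose decisions come from AuthFunc; it must never be wired in as the production Authorizer.` would make the intent explicit. `ByRoleName` also calls `f.AuthFunc` without a nil check, so the zero value panics on first use. A guard that returns an error when `AuthFunc` is nil would fail closed instead.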

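--- a/coderd/rbac/authz.go
+++ b/coderd/rbac/authz.go
@@ -86,7 +86,7 @@ type authSubject struct {
 // This is the function intended to be used outside this package.
 // The role is fetched from the builtin map located in memory.
 func (a RegoAuthorizer) ByRoleName(ctx context.Context, subjectID string, roleNames []string, action Action, object Object) error {
-roles, err := a.rolesByNames(roleNames)
+roles, err := RolesByNames(roleNames)
 if err != nil {
 return err
 }
@@ -119,15 +119,15 @@ func (a RegoAuthorizer) Authorize(ctx context.Context, subjectID string, roles [
 }
 
 func (a RegoAuthorizer) PrepareByRoleName(ctx context.Context, subjectID string, roleNames []string, action Action, objectType string) (PreparedAuthorized, error) {
-roles, err := a.rolesByNames(roleNames)
+roles, err := RolesByNames(roleNames)
 if err != nil {
 return nil, err
 }
 
 return a.Prepare(ctx, subjectID, roles, action, objectType)
 }
 
-func (a RegoAuthorizer) Prepare(ctx context.Context, subjectID string, roles []Role, action Action, objectType string) (*partialAuthorizer, error) {
+func (RegoAuthorizer) Prepare(ctx context.Context, subjectID string, roles []Role, action Action, objectType string) (*PartialAuthorizer, error) {
 input := map[string]interface{}{
 "subject": authSubject{
 ID: subjectID,
@@ -139,7 +139,7 @@ func (a RegoAuthorizer) Prepare(ctx context.Context, subjectID string, roles []R
 "action": action,
 }
 
-rego := rego.New(
+regoPolicy := rego.New(
 rego.Query("data.authz.allow"),
 rego.Module("policy.rego", policy),
 rego.Unknowns([]string{
@@ -149,26 +149,14 @@ func (a RegoAuthorizer) Prepare(ctx context.Context, subjectID string, roles []R
 rego.Input(input),
 )
 
-auth, err := newPartialAuthorizer(ctx, rego, input)
+auth, err := newPartialAuthorizer(ctx, regoPolicy, input)
 if err != nil {
 return nil, xerrors.Errorf("new partial authorizer: %w", err)
 }
 
 return auth, nil
 }
 
-func (a RegoAuthorizer) rolesByNames(roleNames []string) ([]Role, error) {
-roles := make([]Role, 0, len(roleNames))
-for _, n := range roleNames {
-r, err := RoleByName(n)
-if err != nil {
-return nil, xerrors.Errorf("get role permissions: %w", err)
-}
-roles = append(roles, r)
-}
-return roles, nil
-}
-
 // CheckPartial will not authorize the request. This function is to be used for unit testing to verify the rego policy
 // can be converted into ONLY queries. This ensures we can convert the queries into SQL WHERE clauses in the future.
 // If this function returns an error, then there is a set of inputs that also returns support rules, which cannot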

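--- a/coderd/rbac/authz_test.go
+++ b/coderd/rbac/authz_test.go
@@ -97,7 +97,7 @@ func TestFilter(t *testing.T) {
 c := c
 t.Run(c.Name, func(t *testing.T) {
 t.Parallel()
-authorizer := fakeAuthorizer{
+authorizer := rbac.FakeAuthorizer{
 AuthFunc: func(_ context.Context, _ string, _ []string, _ rbac.Action, object rbac.Object) error {
 return c.Auth(object)
 },
@@ -573,7 +573,7 @@ func testAuthorize(t *testing.T, name string, subject subject, sets ...[]authTes
 t.Run(name, func(t *testing.T) {
 for _, a := range c.actions {
 ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort)
-defer cancel()
+t.Cleanup(cancel)
 authError := authorizer.Authorize(ctx, subject.UserID, subject.Roles, a, c.resource)
 if c.allow {
 if authError != nil {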
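Review bot: `t.Cleanup(cancel)` at new line 576 sits inside `for _, a := range c.actions`, so every iteration's timeout context stays live until the subtest finishes, just as with the `defer` it replaces. `Authorize` on the following line returns its result synchronously, so the context could be released per iteration by calling `cancel()` right after that call instead of registering a cleanup. The rest of the loop body is outside the hunk, so check that nothing later in the iteration still uses `ctx`.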

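--- a/coderd/rbac/builtin.go
+++ b/coderd/rbac/builtin.go
@@ -221,6 +221,18 @@ func RoleByName(name string) (Role, error) {
 return role, nil
 }
 
+func RolesByNames(roleNames []string) ([]Role, error) {
+roles := make([]Role, 0, len(roleNames))
+for _, n := range roleNames {
+r, err := RoleByName(n)
+if err != nil {
+return nil, xerrors.Errorf("get role permissions: %w", err)
+}
+roles = append(roles, r)
+}
+return roles, nil
+}
+
 func IsOrgRole(roleName string) (string, bool) {
 _, orgID, err := roleSplit(roleName)
 if err == nil && orgID != "" {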
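Review bot: The newly exported `RolesByNames` has no doc comment, and its contract matters to any caller that builds authorization input from it. Something like `// RolesByNames resolves every name with RoleByName, preserving order, and returns an error on the first name that does not resolve.` would record that an unknown role name fails the whole lookup rather than being skipped. The wrap message `get role permissions` does not say which name failed; whether `RoleByName`'s own error carries the name is not visible in this hunk.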

coderd/rbac/fake_test.go

Lines changed: 0 additions & 35 deletions
This file was deleted.

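--- a/coderd/rbac/partial.go
+++ b/coderd/rbac/partial.go
@@ -8,28 +8,28 @@ import (
 "github.com/open-policy-agent/opa/rego"
 )
 
-type partialAuthorizer struct {
+type PartialAuthorizer struct {
 // PartialRego is mainly used for unit testing. It is the rego source policy.
 PartialRego *rego.Rego
 PartialResult rego.PartialResult
 Input map[string]interface{}
 }
 
-func newPartialAuthorizer(ctx context.Context, partialRego *rego.Rego, input map[string]interface{}) (*partialAuthorizer, error) {
+func newPartialAuthorizer(ctx context.Context, partialRego *rego.Rego, input map[string]interface{}) (*PartialAuthorizer, error) {
 pResult, err := partialRego.PartialResult(ctx)
 if err != nil {
 return nil, xerrors.Errorf("partial results: %w", err)
 }
 
-return &partialAuthorizer{
+return &PartialAuthorizer{
 PartialRego: partialRego,
 PartialResult: pResult,
 Input: input,
 }, nil
 }
 
 // Authorize authorizes a single object
-func (a partialAuthorizer) Authorize(ctx context.Context, object Object) error {
+func (a PartialAuthorizer) Authorize(ctx context.Context, object Object) error {
 results, err := a.PartialResult.Rego(rego.Input(
 map[string]interface{}{
 "object": object,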
