Address PR comments

Emyrk · Emyrk · commit 512c09ed4fc0 · 2022-04-10T13:23:25.000-05:00
- Drop Resource inteface, use concrete struct for now
- Rename some roles
- Some comments
diff --git a/coderd/authz/authz.go b/coderd/authz/authz.go
@@ -5,7 +5,7 @@ import "golang.org/x/xerrors"
 var ErrUnauthorized = xerrors.New("unauthorized")
 
 // TODO: Implement Authorize. This will be implmented in mainly rego.
-func Authorize(subj Subject, obj Resource, action Action) error {
+func Authorize(subj Subject, obj Object, action Action) error {
 	// TODO: Expand subject roles into their permissions as appropriate. Apply scopes.
 	var _, _, _ = subj, obj, action
 	roles, err := subj.GetRoles()
@@ -28,13 +28,13 @@ func Authorize(subj Subject, obj Resource, action Action) error {
 		merged.Site = append(merged.Site, r.Site...)
 		// Only grab user roles if the resource is owned by a user.
 		// These roles only apply if the subject is said owner.
-		if obj.OwnerID() != "" && obj.OwnerID() == subj.ID() {
+		if obj.Owner != "" && obj.Owner == subj.ID() {
 			merged.User = append(merged.User, r.User...)
 		}
 
 		// Grab org roles if the resource is owned by a given organization.
-		if obj.OrgOwnerID() != "" {
-			orgID := obj.OrgOwnerID()
+		if obj.OrgOwner != "" {
+			orgID := obj.OrgOwner
 			if v, ok := r.Org[orgID]; ok {
 				merged.Org[orgID] = append(merged.Org[orgID], v...)
 			}
diff --git a/coderd/authz/authz_test.go b/coderd/authz/authz_test.go
@@ -31,7 +31,7 @@ func TestAuthorizeDomain(t *testing.T) {
 
 		{resource: authz.ResourceWorkspace.SetID(wrkID), actions: allActions(), allow: false},
 
-		{resource: authz.ResourceWorkspace, actions: allActions(), allow: false},
+		{resource: authz.ResourceWorkspace.All(), actions: allActions(), allow: false},
 
 		// Other org + me + id
 		{resource: authz.ResourceWorkspace.SetOrg("other").SetOwner(user.ID()).SetID(wrkID), actions: allActions(), allow: false},
@@ -75,7 +75,7 @@ func TestAuthorizeDomain(t *testing.T) {
 
 		{resource: authz.ResourceWorkspace.SetID(wrkID), actions: allActions(), allow: false},
 
-		{resource: authz.ResourceWorkspace, actions: allActions(), allow: false},
+		{resource: authz.ResourceWorkspace.All(), actions: allActions(), allow: false},
 
 		// Other org + me + id
 		{resource: authz.ResourceWorkspace.SetOrg("other").SetOwner(user.ID()).SetID(wrkID), actions: allActions(), allow: false},
@@ -122,7 +122,7 @@ func TestAuthorizeDomain(t *testing.T) {
 
 		{resource: authz.ResourceWorkspace.SetID(wrkID), actions: allActions(), allow: false},
 
-		{resource: authz.ResourceWorkspace, actions: allActions(), allow: false},
+		{resource: authz.ResourceWorkspace.All(), actions: allActions(), allow: false},
 
 		// Other org + me + id
 		{resource: authz.ResourceWorkspace.SetOrg("other").SetOwner(user.ID()).SetID(wrkID), actions: allActions(), allow: false},
@@ -169,7 +169,7 @@ func TestAuthorizeDomain(t *testing.T) {
 
 		{resource: authz.ResourceWorkspace.SetID(wrkID), actions: allActions(), allow: true},
 
-		{resource: authz.ResourceWorkspace, actions: allActions(), allow: true},
+		{resource: authz.ResourceWorkspace.All(), actions: allActions(), allow: true},
 
 		// Other org + me + id
 		{resource: authz.ResourceWorkspace.SetOrg("other").SetOwner(user.ID()).SetID(wrkID), actions: allActions(), allow: true},
@@ -216,7 +216,7 @@ func TestAuthorizeDomain(t *testing.T) {
 
 		{resource: authz.ResourceWorkspace.SetID(wrkID), actions: allActions(), allow: true},
 
-		{resource: authz.ResourceWorkspace, actions: allActions(), allow: false},
+		{resource: authz.ResourceWorkspace.All(), actions: allActions(), allow: false},
 
 		// Other org + me + id
 		{resource: authz.ResourceWorkspace.SetOrg("other").SetOwner(user.ID()).SetID(wrkID), actions: allActions(), allow: false},
@@ -286,7 +286,7 @@ func TestAuthorizeDomain(t *testing.T) {
 
 			{resource: authz.ResourceWorkspace.SetID(wrkID), allow: false},
 
-			{resource: authz.ResourceWorkspace, allow: false},
+			{resource: authz.ResourceWorkspace.All(), allow: false},
 
 			// Other org + me + id
 			{resource: authz.ResourceWorkspace.SetOrg("other").SetOwner(user.ID()).SetID(wrkID), allow: false},
@@ -331,7 +331,7 @@ func TestAuthorizeDomain(t *testing.T) {
 
 			{resource: authz.ResourceWorkspace.SetID(wrkID)},
 
-			{resource: authz.ResourceWorkspace},
+			{resource: authz.ResourceWorkspace.All()},
 
 			// Other org + me + id
 			{resource: authz.ResourceWorkspace.SetOrg("other").SetOwner(user.ID()).SetID(wrkID)},
@@ -401,7 +401,7 @@ func TestAuthorizeLevels(t *testing.T) {
 
 			{resource: authz.ResourceWorkspace.SetID(wrkID)},
 
-			{resource: authz.ResourceWorkspace},
+			{resource: authz.ResourceWorkspace.All()},
 
 			// Other org + me + id
 			{resource: authz.ResourceWorkspace.SetOrg("other").SetOwner(user.ID()).SetID(wrkID)},
@@ -474,7 +474,7 @@ func TestAuthorizeLevels(t *testing.T) {
 
 			{resource: authz.ResourceWorkspace.SetID(wrkID), allow: false},
 
-			{resource: authz.ResourceWorkspace, allow: false},
+			{resource: authz.ResourceWorkspace.All(), allow: false},
 
 			// Other org + me + id
 			{resource: authz.ResourceWorkspace.SetOrg("other").SetOwner(user.ID()).SetID(wrkID), allow: false},
@@ -514,7 +514,7 @@ func cases(opt func(c authTestCase) authTestCase, cases []authTestCase) []authTe
 }
 
 type authTestCase struct {
-	resource authz.Resource
+	resource authz.Object
 	actions  []authz.Action
 	allow    bool
 }
diff --git a/coderd/authz/example_test.go b/coderd/authz/example_test.go
@@ -28,7 +28,7 @@ func TestExample(t *testing.T) {
 	//nolint:paralleltest
 	t.Run("ReadAllWorkspaces", func(t *testing.T) {
 		// To read all workspaces on the site
-		err := authz.Authorize(user, authz.ResourceWorkspace, authz.ActionRead)
+		err := authz.Authorize(user, authz.ResourceWorkspace.All(), authz.ActionRead)
 		var _ = err
 		// require.Error(t, err, "this user cannot read all workspaces")
 	})
@@ -52,7 +52,7 @@ func TestExample(t *testing.T) {
 
 	//nolint:paralleltest
 	t.Run("CreateNewSiteUser", func(t *testing.T) {
-		err := authz.Authorize(user, authz.ResourceUser, authz.ActionCreate)
+		err := authz.Authorize(user, authz.ResourceUser.All(), authz.ActionCreate)
 		var _ = err
 		// require.Error(t, err, "this user cannot create new users")
 	})
diff --git a/coderd/authz/object.go b/coderd/authz/object.go
@@ -1,62 +1,46 @@
 package authz
 
-type Resource interface {
-	ID() string
-	ResourceType() ResourceType
+//type Resource interface {
+//	ID() string
+//	ResourceType() ResourceType
+//
+//	OwnerID() string
+//	OrgOwnerID() string
+//}
 
-	OwnerID() string
-	OrgOwnerID() string
-}
-
-var _ Resource = (*zObject)(nil)
+//var _ Resource = (*Object)(nil)
 
-// zObject is used to create objects for authz checks when you have none in
+// Object is used to create objects for authz checks when you have none in
 // hand to run the check on.
-// An example is if you want to list all workspaces, you can create a zObject
+// An example is if you want to list all workspaces, you can create a Object
 // that represents the set of workspaces you are trying to get access too.
 // Do not export this type, as it can be created from a resource type constant.
-type zObject struct {
-	id       string
-	owner    string
-	orgOwner string
+type Object struct {
+	ID       string
+	Owner    string
+	OrgOwner string
 
-	// objectType is "workspace", "project", "devurl", etc
-	objectType ResourceType
+	// ObjectType is "workspace", "project", "devurl", etc
+	ObjectType ResourceType
 	// TODO: SharedUsers?
 }
 
-func (z zObject) ID() string {
-	return z.id
-}
-
-func (z zObject) ResourceType() ResourceType {
-	return z.objectType
-}
-
-func (z zObject) OwnerID() string {
-	return z.owner
-}
-
-func (z zObject) OrgOwnerID() string {
-	return z.orgOwner
-}
-
 // SetOrg adds an org OwnerID to the resource
 //nolint:revive
-func (z zObject) SetOrg(orgID string) zObject {
-	z.orgOwner = orgID
+func (z Object) SetOrg(orgID string) Object {
+	z.OrgOwner = orgID
 	return z
 }
 
 // SetOwner adds an OwnerID to the resource
 //nolint:revive
-func (z zObject) SetOwner(id string) zObject {
-	z.owner = id
+func (z Object) SetOwner(id string) Object {
+	z.Owner = id
 	return z
 }
 
 //nolint:revive
-func (z zObject) SetID(id string) zObject {
-	z.id = id
+func (z Object) SetID(id string) Object {
+	z.ID = id
 	return z
 }
diff --git a/coderd/authz/permission.go b/coderd/authz/permission.go
diff --git a/coderd/authz/resources.go b/coderd/authz/resources.go
@@ -5,46 +5,41 @@ type ResourceType string
 
 const (
 	ResourceWorkspace ResourceType = "workspace"
-	ResourceProject   ResourceType = "project"
+	ResourceTemplate  ResourceType = "template"
 	ResourceDevURL    ResourceType = "devurl"
 	ResourceUser      ResourceType = "user"
 	ResourceAuditLogs ResourceType = "audit-logs"
 )
 
-func (ResourceType) ID() string {
-	return ""
-}
-
-func (t ResourceType) ResourceType() ResourceType {
-	return t
+func (z ResourceType) All() Object {
+	return Object{
+		ObjectType: z,
+	}
 }
 
-func (ResourceType) OwnerID() string    { return "" }
-func (ResourceType) OrgOwnerID() string { return "" }
-
 // SetOrg adds an org OwnerID to the resource
 //nolint:revive
-func (r ResourceType) SetOrg(orgID string) zObject {
-	return zObject{
-		orgOwner:   orgID,
-		objectType: r,
+func (r ResourceType) SetOrg(orgID string) Object {
+	return Object{
+		OrgOwner:   orgID,
+		ObjectType: r,
 	}
 }
 
 // SetOwner adds an OwnerID to the resource
 //nolint:revive
-func (r ResourceType) SetOwner(id string) zObject {
-	return zObject{
-		owner:      id,
-		objectType: r,
+func (r ResourceType) SetOwner(id string) Object {
+	return Object{
+		Owner:      id,
+		ObjectType: r,
 	}
 }
 
 // SetID adds a resource ID to the resource
 //nolint:revive
-func (r ResourceType) SetID(id string) zObject {
-	return zObject{
-		id:         id,
-		objectType: r,
+func (r ResourceType) SetID(id string) Object {
+	return Object{
+		ID:         id,
+		ObjectType: r,
 	}
 }
diff --git a/coderd/authz/role.go b/coderd/authz/role.go
@@ -4,6 +4,14 @@ import "fmt"
 
 const Wildcard = "*"
 
+type Permission struct {
+	// Negate makes this a negative permission
+	Negate       bool
+	ResourceType ResourceType
+	ResourceID   string
+	Action       Action
+}
+
 // Role is a set of permissions at multiple levels:
 // - Site level permissions apply EVERYWHERE
 // - Org level permissions apply to EVERYTHING in a given ORG
@@ -13,6 +21,9 @@ const Wildcard = "*"
 type Role struct {
 	Name string
 	Site []Permission
+	// Org is a map of orgid to permissions. We represent orgid as a string.
+	// TODO: Maybe switch to uuid, but tokens might need to support a "wildcard" org
+	//		which could be a special uuid (like all 0s?)
 	Org  map[string][]Permission
 	User []Permission
 }
@@ -22,23 +33,23 @@ type Role struct {
 var (
 	// RoleSiteAdmin is a role that allows everything everywhere.
 	RoleSiteAdmin = Role{
-		Name: "site-admin",
+		Name: "admin",
 		Site: permissions(map[ResourceType][]Action{
 			Wildcard: {Wildcard},
 		}),
 	}
 
 	// RoleSiteMember is a role that allows access to user-level resources.
 	RoleSiteMember = Role{
-		Name: "site-member",
+		Name: "member",
 		User: permissions(map[ResourceType][]Action{
 			Wildcard: {Wildcard},
 		}),
 	}
 
 	// RoleSiteAuditor is an example on how to give more precise permissions
 	RoleSiteAuditor = Role{
-		Name: "site-auditor",
+		Name: "auditor",
 		Site: permissions(map[ResourceType][]Action{
 			ResourceAuditLogs: {ActionRead},
 			// Should be able to read user details to associate with logs.
