feat: Implement basic authorize and unit test

Emyrk · Emyrk · commit 54bc0543b153 · 2022-05-03T09:26:55.000-05:00
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -81,8 +81,8 @@ func New(options *Options) (http.Handler, func()) {
 
 	authRolesMiddleware := httpmw.ExtractUserRoles(options.Database)
 
-	authorize := func(f http.HandlerFunc, actions rbac.Action) func(http.Handler) http.Handler {
-		return httpmw.Authorize(api.Logger, api.Authorizer, actions)
+	authorize := func(f http.HandlerFunc, actions rbac.Action) http.HandlerFunc {
+		return httpmw.Authorize(api.Logger, api.Authorizer, actions)(f).ServeHTTP
 	}
 
 	r := chi.NewRouter()
@@ -141,7 +141,7 @@ func New(options *Options) (http.Handler, func()) {
 			})
 			r.Route("/members", func(r chi.Router) {
 				r.Route("/roles", func(r chi.Router) {
-					r.Use(httpmw.Object(rbac.ResourceUserRole))
+					r.Use(httpmw.RBACObject(rbac.ResourceUserRole))
 					r.Get("/", authorize(api.assignableOrgRoles, rbac.ActionCreate))
 				})
 				r.Route("/{user}", func(r chi.Router) {
@@ -214,8 +214,8 @@ func New(options *Options) (http.Handler, func()) {
 				r.Get("/", api.users)
 				// These routes query information about site wide roles.
 				r.Route("/roles", func(r chi.Router) {
-					// Can create/delete all roles to view this endpoint
-					r.With(httpmw.Object(rbac.ResourceUserRole), authorize(rbac.ActionCreate, rbac.ActionDelete)).Get("/", api.assignableSiteRoles)
+					r.Use(httpmw.RBACObject(rbac.ResourceUserRole))
+					r.Get("/", authorize(api.assignableSiteRoles, rbac.ActionCreate))
 				})
 				r.Route("/{user}", func(r chi.Router) {
 					r.Use(httpmw.ExtractUserParam(options.Database))
diff --git a/coderd/database/databasefake/databasefake.go b/coderd/database/databasefake/databasefake.go
@@ -242,6 +242,37 @@ func (q *fakeQuerier) GetUsers(_ context.Context, params database.GetUsersParams
 	return tmp, nil
 }
 
+func (q *fakeQuerier) GetAllUserRoles(ctx context.Context, userID uuid.UUID) (database.GetAllUserRolesRow, error) {
+	q.mutex.RLock()
+	defer q.mutex.RUnlock()
+
+	var user *database.User
+	roles := make([]string, 0)
+	for _, u := range q.users {
+		if u.ID == userID {
+			roles = append(roles, u.RBACRoles...)
+			user = &u
+			break
+		}
+	}
+
+	for _, mem := range q.organizationMembers {
+		if mem.UserID == userID {
+			roles = append(roles, mem.Roles...)
+		}
+	}
+
+	if user == nil {
+		return database.GetAllUserRolesRow{}, sql.ErrNoRows
+	}
+
+	return database.GetAllUserRolesRow{
+		ID:       userID,
+		Username: user.Username,
+		Roles:    roles,
+	}, nil
+}
+
 func (q *fakeQuerier) GetWorkspacesByTemplateID(_ context.Context, arg database.GetWorkspacesByTemplateIDParams) ([]database.Workspace, error) {
 	q.mutex.RLock()
 	defer q.mutex.RUnlock()
diff --git a/coderd/database/querier.go b/coderd/database/querier.go
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
diff --git a/coderd/database/queries/users.sql b/coderd/database/queries/users.sql
@@ -124,7 +124,7 @@ WHERE
 	id = $1 RETURNING *;
 
 
--- name: GetAllUserRoles :many
+-- name: GetAllUserRoles :one
 SELECT
     -- username is returned just to help for logging purposes
 	id, username, array_cat(users.rbac_roles, organization_members.roles) :: text[] AS roles
diff --git a/coderd/httpmw/authorize.go b/coderd/httpmw/authorize.go
@@ -5,8 +5,6 @@ import (
 	"fmt"
 	"net/http"
 
-	"github.com/google/uuid"
-
 	"golang.org/x/xerrors"
 
 	"cdr.dev/slog"
@@ -15,48 +13,13 @@ import (
 	"github.com/coder/coder/coderd/rbac"
 )
 
+// AuthObject wraps the rbac object type for middleware to customize this value
+// before being passed to Authorize().
 type AuthObject struct {
-	// WithUser sets the owner of the object to the value returned by the func
-	WithUser func(r *http.Request) uuid.UUID
-
-	// InOrg sets the org owner of the object to the value returned by the func
-	InOrg func(r *http.Request) uuid.UUID
-
-	// WithOwner sets the object id to the value returned by the func
-	WithOwner func(r *http.Request) uuid.UUID
-
 	// Object is that base static object the above functions can modify.
 	Object rbac.Object
 }
 
-func RBACWithOwner(owner func(r *http.Request) database.User) func(http.Handler) http.Handler {
-	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-			ao := GetAuthObject(r)
-			ao.WithOwner = func(r *http.Request) uuid.UUID {
-				return owner(r).ID
-			}
-
-			ctx := context.WithValue(r.Context(), authObjectKey{}, ao)
-			next.ServeHTTP(rw, r.WithContext(ctx))
-		})
-	}
-}
-
-func RBACInOrg(org func(r *http.Request) database.Organization) func(http.Handler) http.Handler {
-	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-			ao := GetAuthObject(r)
-			ao.InOrg = func(r *http.Request) uuid.UUID {
-				return org(r).ID
-			}
-
-			ctx := context.WithValue(r.Context(), authObjectKey{}, ao)
-			next.ServeHTTP(rw, r.WithContext(ctx))
-		})
-	}
-}
-
 // Authorize allows for static object & action authorize checking. If the object is a static object, this is an easy way
 // to enforce the route.
 func Authorize(logger slog.Logger, auth *rbac.RegoAuthorizer, action rbac.Action) func(http.Handler) http.Handler {
@@ -66,25 +29,27 @@ func Authorize(logger slog.Logger, auth *rbac.RegoAuthorizer, action rbac.Action
 			args := GetAuthObject(r)
 
 			object := args.Object
-			organization, ok := r.Context().Value(organizationParamContextKey{}).(database.Organization)
-			if ok {
+
+			unknownOrg := r.Context().Value(organizationParamContextKey{})
+			if organization, castOK := unknownOrg.(database.Organization); unknownOrg != nil {
+				if !castOK {
+					panic("developer error: organization param middleware not provided for authorize")
+				}
 				object = object.InOrg(organization.ID)
 			}
 
-			if args.InOrg != nil {
-				object.InOrg(args.InOrg(r))
-			}
-			if args.WithUser != nil {
-				object.WithOwner(args.InOrg(r).String())
-			}
-			if args.WithOwner != nil {
-				object.WithID(args.InOrg(r).String())
+			unknownOwner := r.Context().Value(userParamContextKey{})
+			if owner, castOK := unknownOwner.(database.User); unknownOwner != nil {
+				if !castOK {
+					panic("developer error: user param middleware not provided for authorize")
+				}
+				object = object.WithOwner(owner.ID.String())
 			}
 
 			// Error on the first action that fails
 			err := auth.AuthorizeByRoleName(r.Context(), roles.ID.String(), roles.Roles, action, object)
 			if err != nil {
-				var internalError *rbac.UnauthorizedError
+				internalError := new(rbac.UnauthorizedError)
 				if xerrors.As(err, internalError) {
 					logger = logger.With(slog.F("internal", internalError.Internal()))
 				}
@@ -117,7 +82,7 @@ func GetAuthObject(r *http.Request) AuthObject {
 	return obj
 }
 
-func Object(object rbac.Object) func(http.Handler) http.Handler {
+func RBACObject(object rbac.Object) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 			ao := GetAuthObject(r)
diff --git a/coderd/httpmw/organizationparam.go b/coderd/httpmw/organizationparam.go
@@ -78,9 +78,6 @@ func ExtractOrganizationParam(db database.Store) func(http.Handler) http.Handler
 			ctx := context.WithValue(r.Context(), organizationParamContextKey{}, organization)
 			ctx = context.WithValue(ctx, organizationMemberParamContextKey{}, organizationMember)
 
-			next = RBACInOrg(func(r *http.Request) database.Organization {
-				return organization
-			})(next)
 			next.ServeHTTP(rw, r.WithContext(ctx))
 		})
 	}
diff --git a/coderd/roles_test.go b/coderd/roles_test.go
@@ -0,0 +1,132 @@
+package coderd_test
+
+import (
+	"context"
+	"net/http"
+	"testing"
+
+	"github.com/coder/coder/coderd/rbac"
+
+	"github.com/google/uuid"
+
+	"github.com/coder/coder/codersdk"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/coderd/coderdtest"
+)
+
+func TestListRoles(t *testing.T) {
+	t.Parallel()
+
+	requireUnauthorized := func(t *testing.T, err error) {
+		var apiErr *codersdk.Error
+		require.ErrorAs(t, err, &apiErr)
+		require.Equal(t, http.StatusUnauthorized, apiErr.StatusCode())
+		require.Contains(t, apiErr.Message, "unauthorized")
+	}
+
+	ctx := context.Background()
+	client := coderdtest.New(t, nil)
+	// Create admin, member, and org admin
+	admin := coderdtest.CreateFirstUser(t, client)
+	member := coderdtest.CreateAnotherUser(t, client, admin.OrganizationID)
+
+	orgAdmin := coderdtest.CreateAnotherUser(t, client, admin.OrganizationID)
+	orgAdminUser, err := orgAdmin.User(ctx, codersdk.Me)
+	require.NoError(t, err)
+
+	// TODO: @emyrk switch this to the admin when getting non-personal users is
+	//	supported. `client.UpdateOrganizationMemberRoles(...)`
+	_, err = orgAdmin.UpdateOrganizationMemberRoles(ctx, admin.OrganizationID, orgAdminUser.ID,
+		codersdk.UpdateRoles{
+			Roles: []string{rbac.RoleOrgMember(admin.OrganizationID), rbac.RoleOrgAdmin(admin.OrganizationID)},
+		},
+	)
+	require.NoError(t, err)
+
+	testCases := []struct {
+		Name          string
+		Client        *codersdk.Client
+		APICall       func() ([]string, error)
+		ExpectedRoles []string
+		Authorized    bool
+	}{
+		{
+			Name: "MemberListSite",
+			APICall: func() ([]string, error) {
+				x, err := member.ListSiteRoles(ctx)
+				return x, err
+			},
+			Authorized: false,
+		},
+		{
+			Name: "OrgMemberListOrg",
+			APICall: func() ([]string, error) {
+				return member.ListOrgRoles(ctx, admin.OrganizationID)
+			},
+			Authorized: false,
+		},
+		{
+			Name: "NonOrgMemberListOrg",
+			APICall: func() ([]string, error) {
+				return member.ListOrgRoles(ctx, uuid.New())
+			},
+			Authorized: false,
+		},
+		// Org admin
+		{
+			Name: "OrgAdminListSite",
+			APICall: func() ([]string, error) {
+				return orgAdmin.ListSiteRoles(ctx)
+			},
+			Authorized: false,
+		},
+		{
+			Name: "OrgAdminListOrg",
+			APICall: func() ([]string, error) {
+				return orgAdmin.ListOrgRoles(ctx, admin.OrganizationID)
+			},
+			Authorized:    true,
+			ExpectedRoles: rbac.ListOrgRoles(admin.OrganizationID),
+		},
+		{
+			Name: "OrgAdminListOtherOrg",
+			APICall: func() ([]string, error) {
+				return orgAdmin.ListOrgRoles(ctx, uuid.New())
+			},
+			Authorized: false,
+		},
+		// Admin
+		{
+			Name: "AdminListSite",
+			APICall: func() ([]string, error) {
+				return client.ListSiteRoles(ctx)
+			},
+			Authorized:    true,
+			ExpectedRoles: rbac.ListSiteRoles(),
+		},
+		{
+			Name: "AdminListOrg",
+			APICall: func() ([]string, error) {
+				return client.ListOrgRoles(ctx, admin.OrganizationID)
+			},
+			Authorized:    true,
+			ExpectedRoles: rbac.ListOrgRoles(admin.OrganizationID),
+		},
+	}
+
+	for _, c := range testCases {
+		c := c
+		t.Run(c.Name, func(t *testing.T) {
+			t.Parallel()
+			roles, err := c.APICall()
+			if !c.Authorized {
+				requireUnauthorized(t, err)
+			} else {
+				require.NoError(t, err)
+				require.Equal(t, c.ExpectedRoles, roles)
+			}
+		})
+	}
+}
diff --git a/codersdk/roles.go b/codersdk/roles.go

Original file line number	Diff line number	Diff line change
`@@ -78,9 +78,6 @@ func ExtractOrganizationParam(db database.Store) func(http.Handler) http.Handler`
`78`	`78`	`ctx := context.WithValue(r.Context(), organizationParamContextKey{}, organization)`
`79`	`79`	`ctx = context.WithValue(ctx, organizationMemberParamContextKey{}, organizationMember)`
`80`	`80`
`81`		`- next = RBACInOrg(func(r *http.Request) database.Organization {`
`82`		`- return organization`
`83`		`- })(next)`
`84`	`81`	`next.ServeHTTP(rw, r.WithContext(ctx))`
`85`	`82`	`})`
`86`	`83`	`}`