Add a unit test that prevents regressions of rego input

Emyrk · Emyrk · commit 5b08612b96b5 · 2023-02-09T11:46:31.000-06:00
The optimized input is always compared to the normal json
marshal parser.
diff --git a/coderd/rbac/astvalue.go b/coderd/rbac/astvalue.go
@@ -5,6 +5,9 @@ import (
 	"golang.org/x/xerrors"
 )
 
+// regoInputValue returns a rego input value for the given subject, action, and
+// object. This rego input is already parsed and can be used directly in a
+// rego query.
 func regoInputValue(subject Subject, action Action, object Object) (ast.Value, error) {
 	regoSubj, err := subject.regoValue()
 	if err != nil {
@@ -29,6 +32,7 @@ func regoInputValue(subject Subject, action Action, object Object) (ast.Value, e
 	return input, nil
 }
 
+// regoValue returns the ast.Object representation of the subject.
 func (s Subject) regoValue() (ast.Value, error) {
 	subjRoles, err := s.Roles.Expand()
 	if err != nil {
@@ -153,6 +157,8 @@ type regoValue interface {
 	regoValue() ast.Value
 }
 
+// regoSlice returns the ast.Array representation of the slice.
+// The slice must contain only types that implement the regoValue interface.
 func regoSlice[T regoValue](slice []T) *ast.Array {
 	terms := make([]*ast.Term, len(slice))
 	for i, v := range slice {
diff --git a/coderd/rbac/authz.go b/coderd/rbac/authz.go
@@ -6,7 +6,6 @@ import (
 	"sync"
 	"time"
 
-	"github.com/open-policy-agent/opa/ast"
 	"github.com/open-policy-agent/opa/rego"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promauto"
@@ -252,43 +251,6 @@ func (a RegoAuthorizer) Authorize(ctx context.Context, subject Subject, action A
 	return nil
 }
 
-type inputType struct {
-	Subject authSubject `json:"subject"`
-	Action  Action      `json:"action"`
-	Object  Object      `json:"object"`
-}
-
-func (i inputType) Value() (ast.Value, error) {
-	s := [2]*ast.Term{
-		ast.StringTerm("subject"),
-		ast.NewTerm(ast.NewObject([2]*ast.Term{
-			// ID
-			ast.StringTerm("id"),
-			ast.NewTerm(ast.NewObject([2]*ast.Term{
-				ast.StringTerm("id"),
-				ast.StringTerm(i.Subject.ID),
-			})),
-			////
-			//ast.NewTerm(ast.NewObject([2]*ast.Term{
-			//	ast.StringTerm("groups"),
-			//	ast.NewTerm(ast.NewArray(i.Subject.Groups)),
-			//})),
-		})),
-	}
-	o := [2]*ast.Term{
-		ast.StringTerm("subject"),
-		ast.StringTerm(i.Subject.ID),
-	}
-	a := [2]*ast.Term{
-		ast.StringTerm("action"),
-		ast.StringTerm(string(i.Action)),
-	}
-
-	input := ast.NewObject(s, a, o)
-
-	return input, nil
-}
-
 // authorize is the internal function that does the actual authorization.
 // It is a different function so the exported one can add tracing + metrics.
 // That code tends to clutter up the actual logic, so it's separated out.
diff --git a/coderd/rbac/builtin.go b/coderd/rbac/builtin.go
@@ -1,6 +1,7 @@
 package rbac
 
 import (
+	"sort"
 	"strings"
 
 	"github.com/google/uuid"
@@ -79,6 +80,8 @@ var (
 				Site: permissions(map[string][]Action{
 					ResourceWildcard.Type: {WildcardSymbol},
 				}),
+				Org:  map[string][]Permission{},
+				User: []Permission{},
 			}
 		},
 
@@ -94,6 +97,7 @@ var (
 					// All users can see the provisioner daemons.
 					ResourceProvisionerDaemon.Type: {ActionRead},
 				}),
+				Org: map[string][]Permission{},
 				User: permissions(map[string][]Action{
 					ResourceWildcard.Type: {WildcardSymbol},
 				}),
@@ -113,6 +117,8 @@ var (
 					ResourceTemplate.Type: {ActionRead},
 					ResourceAuditLog.Type: {ActionRead},
 				}),
+				Org:  map[string][]Permission{},
+				User: []Permission{},
 			}
 		},
 
@@ -128,6 +134,8 @@ var (
 					// CRUD to provisioner daemons for now.
 					ResourceProvisionerDaemon.Type: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
 				}),
+				Org:  map[string][]Permission{},
+				User: []Permission{},
 			}
 		},
 
@@ -142,6 +150,8 @@ var (
 					ResourceOrganizationMember.Type: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
 					ResourceGroup.Type:              {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
 				}),
+				Org:  map[string][]Permission{},
+				User: []Permission{},
 			}
 		},
 
@@ -151,6 +161,7 @@ var (
 			return Role{
 				Name:        roleName(orgAdmin, organizationID),
 				DisplayName: "Organization Admin",
+				Site:        []Permission{},
 				Org: map[string][]Permission{
 					organizationID: {
 						{
@@ -160,6 +171,7 @@ var (
 						},
 					},
 				},
+				User: []Permission{},
 			}
 		},
 
@@ -169,6 +181,7 @@ var (
 			return Role{
 				Name:        roleName(orgMember, organizationID),
 				DisplayName: "",
+				Site:        []Permission{},
 				Org: map[string][]Permission{
 					organizationID: {
 						{
@@ -192,6 +205,7 @@ var (
 						},
 					},
 				},
+				User: []Permission{},
 			}
 		},
 	}
@@ -422,5 +436,9 @@ func permissions(perms map[string][]Action) []Permission {
 			})
 		}
 	}
+	// Deterministic ordering of permissions
+	sort.Slice(list, func(i, j int) bool {
+		return list[i].ResourceType < list[j].ResourceType
+	})
 	return list
 }
diff --git a/coderd/rbac/builtin_internal_test.go b/coderd/rbac/builtin_internal_test.go
@@ -8,6 +8,14 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+// BenchmarkRBACValueAllocation benchmarks the cost of allocating a rego input
+// value. By default, `ast.InterfaceToValue` is used to convert the input,
+// which uses json marshalling under the hood.
+//
+// Currently ast.Object.insert() is the slowest part of the process and allocates
+// the most amount of bytes. This general approach copies all of our struct
+// data and uses a lot of extra memory for handling things like sort order.
+// A possible large improvement would be to implement the ast.Value interface directly.
 func BenchmarkRBACValueAllocation(b *testing.B) {
 	actor := Subject{
 		Roles:  RoleNames{RoleOrgMember(uuid.New()), RoleOrgAdmin(uuid.New()), RoleMember()},
@@ -47,7 +55,98 @@ func BenchmarkRBACValueAllocation(b *testing.B) {
 			require.NoError(b, err)
 		}
 	})
+}
+
+// TestRegoInputValue ensures the custom rego input parser returns the
+// same value as the default json parser. The json parser is always correct,
+// and the custom parser is used to reduce allocations. This optimization
+// should yield the same results. Anything different is a bug.
+func TestRegoInputValue(t *testing.T) {
+	actor := Subject{
+		Roles:  RoleNames{RoleOrgMember(uuid.New()), RoleOrgAdmin(uuid.New()), RoleMember()},
+		ID:     uuid.NewString(),
+		Scope:  ScopeAll,
+		Groups: []string{uuid.NewString(), uuid.NewString(), uuid.NewString()},
+	}
+
+	obj := ResourceTemplate.
+		WithID(uuid.New()).
+		InOrg(uuid.New()).
+		WithOwner(uuid.NewString()).
+		WithGroupACL(map[string][]Action{
+			uuid.NewString(): {ActionRead, ActionCreate},
+			uuid.NewString(): {ActionRead, ActionCreate},
+			uuid.NewString(): {ActionRead, ActionCreate},
+		}).WithACLUserList(map[string][]Action{
+		uuid.NewString(): {ActionRead, ActionCreate},
+		uuid.NewString(): {ActionRead, ActionCreate},
+	})
+
+	action := ActionRead
+
+	// This is the input that would be passed to the rego policy.
+	jsonInput := map[string]interface{}{
+		"subject": authSubject{
+			ID:     actor.ID,
+			Roles:  must(actor.Roles.Expand()),
+			Groups: actor.Groups,
+			Scope:  must(actor.Scope.Expand()),
+		},
+		"action": action,
+		"object": obj,
+	}
+
+	manual, err := regoInputValue(actor, action, obj)
+	require.NoError(t, err)
+
+	general, err := ast.InterfaceToValue(jsonInput)
+	require.NoError(t, err)
+
+	// The custom parser does not set these fields because they are not needed.
+	// To ensure the outputs are identical, intentionally overwrite all names
+	// to the same values.
+	ignoreNames(t, manual)
+	ignoreNames(t, general)
+
+	cmp := manual.Compare(general)
+	require.Equal(t, 0, cmp, "manual and general input values should be equal")
+}
+
+// ignoreNames sets all names to "ignore" to ensure the values are identical.
+func ignoreNames(t *testing.T, value ast.Value) {
+	t.Helper()
+
+	// Override the names of the roles
+	ref := ast.Ref{
+		ast.StringTerm("subject"),
+		ast.StringTerm("roles"),
+	}
+	roles, err := value.Find(ref)
+	require.NoError(t, err)
+
+	rolesArray, ok := roles.(*ast.Array)
+	require.True(t, ok, "roles is expected to be an array")
+
+	rolesArray.Foreach(func(term *ast.Term) {
+		obj, _ := term.Value.(ast.Object)
+		// Ignore all names
+		obj.Insert(ast.StringTerm("name"), ast.StringTerm("ignore"))
+		obj.Insert(ast.StringTerm("display_name"), ast.StringTerm("ignore"))
+	})
+
+	// Override the names of the scope role
+	ref = ast.Ref{
+		ast.StringTerm("subject"),
+		ast.StringTerm("scope"),
+	}
+	scope, err := value.Find(ref)
+	require.NoError(t, err)
+
+	scopeObj, ok := scope.(ast.Object)
+	require.True(t, ok, "scope is expected to be an object")
 
+	scopeObj.Insert(ast.StringTerm("name"), ast.StringTerm("ignore"))
+	scopeObj.Insert(ast.StringTerm("display_name"), ast.StringTerm("ignore"))
 }
 
 func TestRoleByName(t *testing.T) {
diff --git a/coderd/rbac/input.json b/coderd/rbac/input.json
@@ -24,7 +24,7 @@
           }
         ],
         "org": {},
-        "user": [],
+        "user": []
       }
     ],
     "groups": ["b617a647-b5d0-4cbe-9e40-26f89710bf18"],

Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@`
`24`	`24`	`}`
`25`	`25`	`],`
`26`	`26`	`"org": {},`
`27`		`- "user": [],`
	`27`	`+ "user": []`
`28`	`28`	`}`
`29`	`29`	`],`
`30`	`30`	`"groups": ["b617a647-b5d0-4cbe-9e40-26f89710bf18"],`