Make filter ignore owner, not org

Emyrk · Emyrk · commit 5de395a97a49 · 2022-11-21T10:12:46.000-06:00
diff --git a/coderd/rbac/input.json b/coderd/rbac/input.json
@@ -0,0 +1,120 @@
+{
+  "action":"read",
+  "object":{
+    "owner":"d5389ccc-57a4-4b13-8c3f-31747bcdc9f1",
+    "org_owner":"",
+    "type":"file",
+    "acl_user_list":null,
+    "acl_group_list":null
+  },
+  "subject":{
+    "id":"d5389ccc-57a4-4b13-8c3f-31747bcdc9f1",
+    "roles":[
+      {
+        "name":"owner",
+        "display_name":"Owner",
+        "site":[
+          {
+            "negate":false,
+            "resource_type":"*",
+            "action":"*"
+          }
+        ],
+        "org":null,
+        "user":null
+      },
+      {
+        "name":"member",
+        "display_name":"",
+        "site":[
+          {
+            "negate":false,
+            "resource_type":"user",
+            "action":"read"
+          },
+          {
+            "negate":false,
+            "resource_type":"assign_role",
+            "action":"read"
+          },
+          {
+            "negate":false,
+            "resource_type":"provisioner_daemon",
+            "action":"read"
+          }
+        ],
+        "org":null,
+        "user":[
+          {
+            "negate":false,
+            "resource_type":"*",
+            "action":"*"
+          }
+        ]
+      },
+      {
+        "name":"organization-admin:05f58202-4bfc-43ce-9ba4-5ff6e0174a71",
+        "display_name":"Organization Admin",
+        "site":null,
+        "org":{
+          "05f58202-4bfc-43ce-9ba4-5ff6e0174a71":[
+            {
+              "negate":false,
+              "resource_type":"*",
+              "action":"*"
+            }
+          ]
+        },
+        "user":null
+      },
+      {
+        "name":"organization-member:05f58202-4bfc-43ce-9ba4-5ff6e0174a71",
+        "display_name":"",
+        "site":null,
+        "org":{
+          "05f58202-4bfc-43ce-9ba4-5ff6e0174a71":[
+            {
+              "negate":false,
+              "resource_type":"organization_member",
+              "action":"read"
+            },
+            {
+              "negate":false,
+              "resource_type":"organization",
+              "action":"read"
+            },
+            {
+              "negate":false,
+              "resource_type":"assign_org_role",
+              "action":"read"
+            },
+            {
+              "negate":false,
+              "resource_type":"group",
+              "action":"read"
+            }
+          ]
+        },
+        "user":null
+      }
+    ],
+    "groups":null,
+    "scope":{
+      "name":"Scope_all",
+      "display_name":"All operations",
+      "site":[
+        {
+          "negate":false,
+          "resource_type":"*",
+          "action":"*"
+        }
+      ],
+      "org":{
+
+      },
+      "user":[
+
+      ]
+    }
+  }
+}
diff --git a/coderd/rbac/input2.json b/coderd/rbac/input2.json
@@ -0,0 +1 @@
+{"action":"create","object":{"owner":"me","org_owner":"","type":"workspace","acl_user_list":null,"acl_group_list":null},"subject":{"id":"me","roles":[{"name":"deny-all","display_name":"","site":[{"negate":true,"resource_type":"*","action":"*"}],"org":null,"user":null}],"groups":null,"scope":{"name":"Scope_all","display_name":"All operations","site":[{"negate":false,"resource_type":"*","action":"*"}],"org":{},"user":[]}}}
diff --git a/coderd/rbac/memprofile.out b/coderd/rbac/memprofile.out
diff --git a/coderd/rbac/partial.json b/coderd/rbac/partial.json
@@ -0,0 +1,7 @@
+{
+  "object":{
+    "owner":"me",
+    "org_owner":"b8ec52c9-0691-41e5-acd3-9ac5604d17c2",
+    "type":"workspace"
+  }
+}
diff --git a/coderd/rbac/partial.rego b/coderd/rbac/partial.rego
@@ -0,0 +1 @@
+package partial
diff --git a/coderd/rbac/profile.out b/coderd/rbac/profile.out
diff --git a/coderd/rbac/rbac.test b/coderd/rbac/rbac.test
diff --git a/coderd/rbac/regosql/alwaysfalse.go b/coderd/rbac/regosql/alwaysfalse.go
diff --git a/coderd/rbac/regosql/compile_test.go b/coderd/rbac/regosql/compile_test.go
@@ -196,7 +196,7 @@ func TestRegoQueries(t *testing.T) {
 			VariableConverter: regosql.NoACLConverter(),
 		},
 		{
-			Name: "EmptyACLList",
+			Name: "EmptyACLListNoACLs",
 			Queries: []string{
 				`input.object.org_owner != "";
 				input.object.org_owner in set();
@@ -216,6 +216,20 @@ func TestRegoQueries(t *testing.T) {
 				p("user_acl->'me' ? '*'")),
 			VariableConverter: regosql.DefaultVariableConverter(),
 		},
+		{
+			Name: "TemplateOwner",
+			Queries: []string{
+				`neq(input.object.org_owner, "");
+internal.member_2(input.object.org_owner, {"3bf82434-e40b-44ae-b3d8-d0115bba9bad", "5630fda3-26ab-462c-9014-a88a62d7a415", "c304877a-bc0d-4e9b-9623-a38eae412929"});
+neq(input.object.owner, "");
+"806dd721-775f-4c85-9ce3-63fbbd975954" = input.object.owner`,
+			},
+			ExpectedSQL: p(p("organization_id :: text != ''") + " AND " +
+				p("organization_id :: text = ANY(ARRAY ['3bf82434-e40b-44ae-b3d8-d0115bba9bad','5630fda3-26ab-462c-9014-a88a62d7a415','c304877a-bc0d-4e9b-9623-a38eae412929'])") + " AND " +
+				p("false") + " AND " +
+				p("false")),
+			VariableConverter: regosql.TemplateConverter(),
+		},
 	}
 
 	for _, tc := range testCases {
diff --git a/coderd/rbac/regosql/configs.go b/coderd/rbac/regosql/configs.go
@@ -6,8 +6,8 @@ import "github.com/coder/coder/coderd/rbac/regosql/sqltypes"
 func TemplateConverter() *sqltypes.VariableConverter {
 	matcher := sqltypes.NewVariableConverter().RegisterMatcher(
 		// Basic strings
-		AlwaysFalse(sqltypes.StringVarMatcher("organization_id :: text", []string{"input", "object", "org_owner"})),
-		sqltypes.StringVarMatcher("owner_id :: text", []string{"input", "object", "owner"}),
+		sqltypes.StringVarMatcher("organization_id :: text", []string{"input", "object", "org_owner"}),
+		sqltypes.AlwaysFalse(sqltypes.StringVarMatcher("owner_id :: text", []string{"input", "object", "owner"})),
 	)
 	matcher.RegisterMatcher(
 		ACLGroupMatcher(matcher, "group_acl", []string{"input", "object", "acl_group_list"}),
@@ -25,8 +25,8 @@ func NoACLConverter() *sqltypes.VariableConverter {
 		sqltypes.StringVarMatcher("owner_id :: text", []string{"input", "object", "owner"}),
 	)
 	matcher.RegisterMatcher(
-		AlwaysFalse(ACLGroupMatcher(matcher, "group_acl", []string{"input", "object", "acl_group_list"})),
-		AlwaysFalse(ACLGroupMatcher(matcher, "user_acl", []string{"input", "object", "acl_user_list"})),
+		sqltypes.AlwaysFalse(ACLGroupMatcher(matcher, "group_acl", []string{"input", "object", "acl_group_list"})),
+		sqltypes.AlwaysFalse(ACLGroupMatcher(matcher, "user_acl", []string{"input", "object", "acl_user_list"})),
 	)
 
 	return matcher
diff --git a/coderd/rbac/regosql/sqltypes/alwaysFalse.go b/coderd/rbac/regosql/sqltypes/alwaysFalse.go
@@ -0,0 +1,60 @@
+package sqltypes
+
+import (
+	"github.com/open-policy-agent/opa/ast"
+)
+
+var _ Node = alwaysFalse{}
+var _ VariableMatcher = alwaysFalse{}
+
+type alwaysFalse struct {
+	Matcher VariableMatcher
+
+	InnerNode Node
+}
+
+func AlwaysFalse(m VariableMatcher) alwaysFalse {
+	return alwaysFalse{
+		Matcher: m,
+	}
+}
+
+// AlwaysFalseNode is mainly used for unit testing to make a Node immediately.
+func AlwaysFalseNode(n Node) alwaysFalse {
+	return alwaysFalse{
+		InnerNode: n,
+		Matcher:   nil,
+	}
+}
+
+// UseAs uses a type no one supports to always override with false.
+func (f alwaysFalse) UseAs() Node { return alwaysFalse{} }
+func (f alwaysFalse) ConvertVariable(rego ast.Ref) (Node, bool) {
+	if f.Matcher != nil {
+		n, ok := f.Matcher.ConvertVariable(rego)
+		if ok {
+			return alwaysFalse{
+				Matcher:   f.Matcher,
+				InnerNode: n,
+			}, true
+		}
+	}
+
+	return nil, false
+}
+
+func (f alwaysFalse) SQLString(_ *SQLGenerator) string {
+	return "false"
+}
+
+func (f alwaysFalse) ContainsSQL(_ *SQLGenerator, _ Node) (string, error) {
+	return "false", nil
+}
+
+func (f alwaysFalse) ContainedInSQL(_ *SQLGenerator, _ Node) (string, error) {
+	return "false", nil
+}
+
+func (f alwaysFalse) EqualsSQLString(_ *SQLGenerator, not bool, _ Node) (string, error) {
+	return "false", nil
+}
diff --git a/coderd/rbac/regosql/sqltypes/array.go b/coderd/rbac/regosql/sqltypes/array.go
@@ -37,8 +37,6 @@ func (a ASTArray) ContainsSQL(cfg *SQLGenerator, needle Node) (string, error) {
 	// This condition supports any contains function if the needle type is
 	// the same as the ASTArray element type.
 	if reflect.TypeOf(a.MyType().UseAs()) != reflect.TypeOf(needle.UseAs()) {
-		cfg.AddError(fmt.Errorf("array contains %q: type mismatch (%T, %T)",
-			a.Source, a.MyType(), needle))
 		return "ArrayContainsError", fmt.Errorf("array contains %q: type mismatch (%T, %T)",
 			a.Source, a.MyType(), needle)
 	}
diff --git a/coderd/rbac/regosql/sqltypes/equality_test.go b/coderd/rbac/regosql/sqltypes/equality_test.go
@@ -94,6 +94,22 @@ func TestEquality(t *testing.T) {
 			),
 			ExpectedSQL: "(('foo' = ANY(ARRAY ['foo','bar'])) != false) = (true = (2 = ANY(ARRAY [5,2])))",
 		},
+		{
+			Name: "AlwaysFalse=String",
+			Equality: sqltypes.Equality(false,
+				sqltypes.AlwaysFalseNode(sqltypes.String("foo")),
+				sqltypes.String("foo"),
+			),
+			ExpectedSQL: "false",
+		},
+		{
+			Name: "String=AlwaysFalse",
+			Equality: sqltypes.Equality(false,
+				sqltypes.String("foo"),
+				sqltypes.AlwaysFalseNode(sqltypes.String("foo")),
+			),
+			ExpectedSQL: "false",
+		},
 	}
 
 	for _, tc := range testCases {
diff --git a/coderd/rbac/regosql/sqltypes/member.go b/coderd/rbac/regosql/sqltypes/member.go
@@ -10,6 +10,12 @@ type SupportsContains interface {
 	ContainsSQL(cfg *SQLGenerator, other Node) (string, error)
 }
 
+// SupportsContainedIn is the inverse of SupportsContains. It is implemented
+// from the "needle" rather than the haystack.
+type SupportsContainedIn interface {
+	ContainedInSQL(cfg *SQLGenerator, other Node) (string, error)
+}
+
 var _ BooleanNode = memberOf{}
 var _ Node = memberOf{}
 
@@ -44,6 +50,13 @@ func (e memberOf) SQLString(cfg *SQLGenerator) string {
 		}
 	}
 
+	if sc, ok := e.Needle.(SupportsContainedIn); ok {
+		v, err := sc.ContainedInSQL(cfg, e.Haystack)
+		if err == nil {
+			return v
+		}
+	}
+
 	cfg.AddError(fmt.Errorf("unsupported contains: %T contains %T", e.Haystack, e.Needle))
 	return "MemberOfError"
 }
diff --git a/coderd/rbac/regosql/sqltypes/member_test.go b/coderd/rbac/regosql/sqltypes/member_test.go
@@ -56,6 +56,28 @@ func TestMembership(t *testing.T) {
 			),
 			ExpectedSQL: "false",
 		},
+		{
+			Name: "AlwaysFalseMember",
+			Membership: sqltypes.MemberOf(
+				sqltypes.AlwaysFalseNode(sqltypes.Bool(true)),
+				must(sqltypes.Array("",
+					sqltypes.Bool(false),
+					sqltypes.Bool(true),
+				)),
+			),
+			ExpectedSQL: "false",
+		},
+		{
+			Name: "AlwaysFalseArray",
+			Membership: sqltypes.MemberOf(
+				sqltypes.Bool(true),
+				sqltypes.AlwaysFalseNode(must(sqltypes.Array("",
+					sqltypes.Bool(false),
+					sqltypes.Bool(true),
+				))),
+			),
+			ExpectedSQL: "false",
+		},
 
 		// Errors
 		{
@@ -76,9 +98,10 @@ func TestMembership(t *testing.T) {
 			gen := sqltypes.NewSQLGenerator()
 			found := tc.Membership.SQLString(gen)
 			if tc.ExpectedErrors > 0 {
-				require.Equal(t, tc.ExpectedErrors, len(gen.Errors()), "expected AstNumber of errors")
+				require.Equal(t, tc.ExpectedErrors, len(gen.Errors()), "expected some errors")
 			} else {
 				require.Equal(t, tc.ExpectedSQL, found, "expected sql")
+				require.Equal(t, tc.ExpectedErrors, 0, "expected no errors")
 			}
 		})
 	}
diff --git a/enterprise/coderd/templates_test.go b/enterprise/coderd/templates_test.go

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+{"action":"create","object":{"owner":"me","org_owner":"","type":"workspace","acl_user_list":null,"acl_group_list":null},"subject":{"id":"me","roles":[{"name":"deny-all","display_name":"","site":[{"negate":true,"resource_type":"","action":""}],"org":null,"user":null}],"groups":null,"scope":{"name":"Scope_all","display_name":"All operations","site":[{"negate":false,"resource_type":"","action":""}],"org":{},"user":[]}}}`
Original file line number	Diff line number	Diff line change
`@@ -37,8 +37,6 @@ func (a ASTArray) ContainsSQL(cfg *SQLGenerator, needle Node) (string, error) {`
`37`	`37`	`// This condition supports any contains function if the needle type is`
`38`	`38`	`// the same as the ASTArray element type.`
`39`	`39`	`if reflect.TypeOf(a.MyType().UseAs()) != reflect.TypeOf(needle.UseAs()) {`
`40`		`- cfg.AddError(fmt.Errorf("array contains %q: type mismatch (%T, %T)",`
`41`		`- a.Source, a.MyType(), needle))`
`42`	`40`	`return "ArrayContainsError", fmt.Errorf("array contains %q: type mismatch (%T, %T)",`
`43`	`41`	`a.Source, a.MyType(), needle)`
`44`	`42`	`}`
Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,12 @@ type SupportsContains interface {`
`10`	`10`	`ContainsSQL(cfg *SQLGenerator, other Node) (string, error)`
`11`	`11`	`}`
`12`	`12`
	`13`	`+// SupportsContainedIn is the inverse of SupportsContains. It is implemented`
	`14`	`+// from the "needle" rather than the haystack.`
	`15`	`+type SupportsContainedIn interface {`
	`16`	`+ ContainedInSQL(cfg *SQLGenerator, other Node) (string, error)`
	`17`	`+}`
	`18`	`+`
`13`	`19`	`var _ BooleanNode = memberOf{}`
`14`	`20`	`var _ Node = memberOf{}`
`15`	`21`
`@@ -44,6 +50,13 @@ func (e memberOf) SQLString(cfg *SQLGenerator) string {`
`44`	`50`	`}`
`45`	`51`	`}`
`46`	`52`
	`53`	`+ if sc, ok := e.Needle.(SupportsContainedIn); ok {`
	`54`	`+ v, err := sc.ContainedInSQL(cfg, e.Haystack)`
	`55`	`+ if err == nil {`
	`56`	`+ return v`
	`57`	`+ }`
	`58`	`+ }`
	`59`	`+`
`47`	`60`	`cfg.AddError(fmt.Errorf("unsupported contains: %T contains %T", e.Haystack, e.Needle))`
`48`	`61`	`return "MemberOfError"`
`49`	`62`	`}`