feat: push GetUsers filter to SQL

Emyrk · Emyrk · commit 634f4ca14881 · 2023-07-13T10:04:49.000-04:00
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -620,7 +620,6 @@ func (q *querier) GetAuthorizedUserCount(ctx context.Context, arg database.GetFi
 }
 
 func (q *querier) GetUsersWithCount(ctx context.Context, arg database.GetUsersParams) ([]database.User, int64, error) {
-	// TODO Implement this with a SQL filter. The count is incorrect without it.
 	rowUsers, err := q.db.GetUsers(ctx, arg)
 	if err != nil {
 		return nil, -1, err
@@ -630,18 +629,8 @@ func (q *querier) GetUsersWithCount(ctx context.Context, arg database.GetUsersPa
 		return []database.User{}, 0, nil
 	}
 
-	act, ok := ActorFromContext(ctx)
-	if !ok {
-		return nil, -1, NoActorError
-	}
-
 	// TODO: Is this correct? Should we return a restricted user?
 	users := database.ConvertUserRows(rowUsers)
-	users, err = rbac.Filter(ctx, q.auth, act, rbac.ActionRead, users)
-	if err != nil {
-		return nil, -1, err
-	}
-
 	return users, rowUsers[0].Count, nil
 }
 
@@ -699,6 +688,13 @@ func authorizedTemplateVersionFromJob(ctx context.Context, q *querier, job datab
 	}
 }
 
+// GetAuthorizedUsers is not required for dbauthz since GetUsers is already
+// authenticated.
+func (q *querier) GetAuthorizedUsers(ctx context.Context, arg database.GetUsersParams, _ rbac.PreparedAuthorized) ([]database.GetUsersRow, error) {
+	// GetUsers is authenticated.
+	return q.GetUsers(ctx, arg)
+}
+
 func (q *querier) AcquireLock(ctx context.Context, id int64) error {
 	return q.db.AcquireLock(ctx, id)
 }
@@ -1427,8 +1423,12 @@ func (q *querier) GetUserLinkByUserIDLoginType(ctx context.Context, arg database
 }
 
 func (q *querier) GetUsers(ctx context.Context, arg database.GetUsersParams) ([]database.GetUsersRow, error) {
-	// TODO: We should use GetUsersWithCount with a better method signature.
-	return fetchWithPostFilter(q.auth, q.db.GetUsers)(ctx, arg)
+	// This does the filtering in SQL.
+	prep, err := prepareSQLFilter(ctx, q.auth, rbac.ActionRead, rbac.ResourceUser.Type)
+	if err != nil {
+		return nil, xerrors.Errorf("(dev error) prepare sql filter: %w", err)
+	}
+	return q.db.GetAuthorizedUsers(ctx, arg, prep)
 }
 
 // GetUsersByIDs is only used for usernames on workspace return data.
diff --git a/coderd/database/dbfake/dbfake.go b/coderd/database/dbfake/dbfake.go
@@ -23,6 +23,7 @@ import (
 	"github.com/coder/coder/coderd/database/db2sdk"
 	"github.com/coder/coder/coderd/httpapi"
 	"github.com/coder/coder/coderd/rbac"
+	"github.com/coder/coder/coderd/rbac/regosql"
 	"github.com/coder/coder/coderd/util/slice"
 	"github.com/coder/coder/codersdk"
 )
@@ -5437,3 +5438,38 @@ func (*FakeQuerier) UpsertTailnetClient(context.Context, database.UpsertTailnetC
 func (*FakeQuerier) UpsertTailnetCoordinator(context.Context, uuid.UUID) (database.TailnetCoordinator, error) {
 	return database.TailnetCoordinator{}, ErrUnimplemented
 }
+
+func (q *FakeQuerier) GetAuthorizedUsers(ctx context.Context, arg database.GetUsersParams, prepared rbac.PreparedAuthorized) ([]database.GetUsersRow, error) {
+	if err := validateDatabaseType(arg); err != nil {
+		return nil, err
+	}
+
+	// Call this to match the same function calls as the SQL implementation.
+	if prepared != nil {
+		_, err := prepared.CompileToSQL(ctx, regosql.ConvertConfig{
+			VariableConverter: regosql.UserConverter(),
+		})
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	users, err := q.GetUsers(ctx, arg)
+	if err != nil {
+		return nil, err
+	}
+
+	q.mutex.RLock()
+	defer q.mutex.RUnlock()
+
+	filteredUsers := make([]database.GetUsersRow, 0, len(users))
+	for _, user := range users {
+		// If the filter exists, ensure the object is authorized.
+		if prepared != nil && prepared.Authorize(ctx, user.RBACObject()) != nil {
+			continue
+		}
+
+		filteredUsers = append(filteredUsers, user)
+	}
+	return filteredUsers, nil
+}
diff --git a/coderd/database/dbmetrics/dbmetrics.go b/coderd/database/dbmetrics/dbmetrics.go
diff --git a/coderd/database/dbmock/dbmock.go b/coderd/database/dbmock/dbmock.go
diff --git a/coderd/database/modelqueries.go b/coderd/database/modelqueries.go
@@ -256,10 +256,73 @@ func (q *sqlQuerier) GetAuthorizedWorkspaces(ctx context.Context, arg GetWorkspa
 
 type userQuerier interface {
 	GetAuthorizedUserCount(ctx context.Context, arg GetFilteredUserCountParams, prepared rbac.PreparedAuthorized) (int64, error)
+	GetAuthorizedUsers(ctx context.Context, arg GetUsersParams, prepared rbac.PreparedAuthorized) ([]GetUsersRow, error)
+}
+
+func (q *sqlQuerier) GetAuthorizedUsers(ctx context.Context, arg GetUsersParams, prepared rbac.PreparedAuthorized) ([]GetUsersRow, error) {
+	authorizedFilter, err := prepared.CompileToSQL(ctx, regosql.ConvertConfig{
+		VariableConverter: regosql.UserConverter(),
+	})
+
+	if err != nil {
+		return nil, xerrors.Errorf("compile authorized filter: %w", err)
+	}
+
+	filtered, err := insertAuthorizedFilter(getUsers, fmt.Sprintf(" AND %s", authorizedFilter))
+	if err != nil {
+		return nil, xerrors.Errorf("insert authorized filter: %w", err)
+	}
+
+	query := fmt.Sprintf("-- name: GetAuthorizedUsers :many\n%s", filtered)
+	rows, err := q.db.QueryContext(ctx, query,
+		arg.AfterID,
+		arg.Search,
+		pq.Array(arg.Status),
+		pq.Array(arg.RbacRole),
+		arg.LastSeenBefore,
+		arg.LastSeenAfter,
+		arg.OffsetOpt,
+		arg.LimitOpt,
+	)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []GetUsersRow
+	for rows.Next() {
+		var i GetUsersRow
+		if err := rows.Scan(
+			&i.ID,
+			&i.Email,
+			&i.Username,
+			&i.HashedPassword,
+			&i.CreatedAt,
+			&i.UpdatedAt,
+			&i.Status,
+			&i.RBACRoles,
+			&i.LoginType,
+			&i.AvatarURL,
+			&i.Deleted,
+			&i.LastSeenAt,
+			&i.Count,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Close(); err != nil {
+		return nil, err
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
 }
 
 func (q *sqlQuerier) GetAuthorizedUserCount(ctx context.Context, arg GetFilteredUserCountParams, prepared rbac.PreparedAuthorized) (int64, error) {
-	authorizedFilter, err := prepared.CompileToSQL(ctx, rbac.ConfigWithoutACL())
+	authorizedFilter, err := prepared.CompileToSQL(ctx, regosql.ConvertConfig{
+		VariableConverter: regosql.UserConverter(),
+	})
 	if err != nil {
 		return -1, xerrors.Errorf("compile authorized filter: %w", err)
 	}
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
diff --git a/coderd/database/queries/users.sql b/coderd/database/queries/users.sql
@@ -208,6 +208,9 @@ WHERE
 		ELSE true
 	END
 	-- End of filters
+
+	-- Authorize Filter clause will be injected below in GetAuthorizedUsers
+	-- @authorize_filter
 ORDER BY
 	-- Deterministic and consistent ordering of all users. This is to ensure consistent pagination.
 	LOWER(username) ASC OFFSET @offset_opt
diff --git a/coderd/rbac/regosql/compile_test.go b/coderd/rbac/regosql/compile_test.go
@@ -242,6 +242,26 @@ neq(input.object.owner, "");
 				p("false")),
 			VariableConverter: regosql.TemplateConverter(),
 		},
+		{
+			Name: "UserNoOrgOwner",
+			Queries: []string{
+				`input.object.org_owner != ""`,
+			},
+			ExpectedSQL:       p("'' != ''"),
+			VariableConverter: regosql.UserConverter(),
+		},
+		{
+			Name: "UserOwnsSelf",
+			Queries: []string{
+				`"10d03e62-7703-4df5-a358-4f76577d4e2f" = input.object.owner;
+				input.object.owner != "";
+				input.object.org_owner = ""`,
+			},
+			VariableConverter: regosql.UserConverter(),
+			ExpectedSQL: p(
+				p("'10d03e62-7703-4df5-a358-4f76577d4e2f' = ''") + " AND " + p("'' != ''") + " AND " + p("'' = ''"),
+			),
+		},
 	}
 
 	for _, tc := range testCases {
diff --git a/coderd/rbac/regosql/configs.go b/coderd/rbac/regosql/configs.go
@@ -36,6 +36,23 @@ func TemplateConverter() *sqltypes.VariableConverter {
 	return matcher
 }
 
+func UserConverter() *sqltypes.VariableConverter {
+	matcher := sqltypes.NewVariableConverter().RegisterMatcher(
+		resourceIDMatcher(),
+		// Users are never owned by an organization, so always return the empty string
+		// for the org owner.
+		sqltypes.StringVarMatcher("''", []string{"input", "object", "org_owner"}),
+		// Users never have an owner, and are only owned site wide.
+		sqltypes.StringVarMatcher("''", []string{"input", "object", "owner"}),
+	)
+	matcher.RegisterMatcher(
+		// No ACLs on the user type
+		sqltypes.AlwaysFalse(groupACLMatcher(matcher)),
+		sqltypes.AlwaysFalse(userACLMatcher(matcher)),
+	)
+	return matcher
+}
+
 // NoACLConverter should be used when the target SQL table does not contain
 // group or user ACL columns.
 func NoACLConverter() *sqltypes.VariableConverter {
