Fix rbac benchmark

Emyrk · Emyrk · commit 655e8dbf1594 · 2023-01-18T10:34:05.000-06:00
diff --git a/coderd/rbac/authz.go b/coderd/rbac/authz.go
@@ -170,10 +170,10 @@ func NewAuthorizer(registry prometheus.Registerer) *RegoAuthorizer {
 }
 
 type authSubject struct {
-	ID     string   `json:"id"`
-	Roles  []Role   `json:"roles"`
-	Groups []string `json:"groups"`
-	Scope  Role     `json:"scope"`
+	ID     string    `json:"id"`
+	Roles  []Role    `json:"roles"`
+	Groups []string  `json:"groups"`
+	Scope  ScopeRole `json:"scope"`
 }
 
 // ByRoleName will expand all roleNames into roles before calling Authorize().
@@ -216,7 +216,7 @@ func (a RegoAuthorizer) ByRoleName(ctx context.Context, subjectID string, roleNa
 
 // Authorize allows passing in custom Roles.
 // This is really helpful for unit testing, as we can create custom roles to exercise edge cases.
-func (a RegoAuthorizer) Authorize(ctx context.Context, subjectID string, roles []Role, scope Role, groups []string, action Action, object Object) error {
+func (a RegoAuthorizer) Authorize(ctx context.Context, subjectID string, roles []Role, scope ScopeRole, groups []string, action Action, object Object) error {
 	input := map[string]interface{}{
 		"subject": authSubject{
 			ID:     subjectID,
@@ -275,7 +275,7 @@ func (a RegoAuthorizer) PrepareByRoleName(ctx context.Context, subjectID string,
 
 // Prepare will partially execute the rego policy leaving the object fields unknown (except for the type).
 // This will vastly speed up performance if batch authorization on the same type of objects is needed.
-func (RegoAuthorizer) Prepare(ctx context.Context, subjectID string, roles []Role, scope Role, groups []string, action Action, objectType string) (*PartialAuthorizer, error) {
+func (RegoAuthorizer) Prepare(ctx context.Context, subjectID string, roles []Role, scope ScopeRole, groups []string, action Action, objectType string) (*PartialAuthorizer, error) {
 	auth, err := newPartialAuthorizer(ctx, subjectID, roles, scope, groups, action, objectType)
 	if err != nil {
 		return nil, xerrors.Errorf("new partial authorizer: %w", err)
diff --git a/coderd/rbac/authz_internal_test.go b/coderd/rbac/authz_internal_test.go
@@ -20,9 +20,9 @@ type subject struct {
 	// For the unit test we want to pass in the roles directly, instead of just
 	// by name. This allows us to test custom roles that do not exist in the product,
 	// but test edge cases of the implementation.
-	Roles  []Role   `json:"roles"`
-	Groups []string `json:"groups"`
-	Scope  Role     `json:"scope"`
+	Roles  []Role    `json:"roles"`
+	Groups []string  `json:"groups"`
+	Scope  ScopeRole `json:"scope"`
 }
 
 type fakeObject struct {
diff --git a/coderd/rbac/partial.go b/coderd/rbac/partial.go
@@ -121,7 +121,7 @@ EachQueryLoop:
 	return ForbiddenWithInternal(xerrors.Errorf("policy disallows request"), pa.input, nil)
 }
 
-func newPartialAuthorizer(ctx context.Context, subjectID string, roles []Role, scope Role, groups []string, action Action, objectType string) (*PartialAuthorizer, error) {
+func newPartialAuthorizer(ctx context.Context, subjectID string, roles []Role, scope ScopeRole, groups []string, action Action, objectType string) (*PartialAuthorizer, error) {
 	input := map[string]interface{}{
 		"subject": authSubject{
 			ID:     subjectID,
diff --git a/coderd/rbac/policy.rego b/coderd/rbac/policy.rego
@@ -156,7 +156,7 @@ scope_allow_list {
 
 scope_allow_list {
 	# If the wildcard is listed in the allow_list, we do not care about the
-	# object.id. This line is included to prevent partial compliations from
+	# object.id. This line is included to prevent partial compilations from
 	# ever needing to include the object.id.
 	not "*" in input.subject.scope.allow_list
 	input.object.id  != ""

Original file line number	Diff line number	Diff line change
`@@ -121,7 +121,7 @@ EachQueryLoop:`
`121`	`121`	`return ForbiddenWithInternal(xerrors.Errorf("policy disallows request"), pa.input, nil)`
`122`	`122`	`}`
`123`	`123`
`124`		`-func newPartialAuthorizer(ctx context.Context, subjectID string, roles []Role, scope Role, groups []string, action Action, objectType string) (*PartialAuthorizer, error) {`
	`124`	`+func newPartialAuthorizer(ctx context.Context, subjectID string, roles []Role, scope ScopeRole, groups []string, action Action, objectType string) (*PartialAuthorizer, error) {`
`125`	`125`	`input := map[string]interface{}{`
`126`	`126`	`"subject": authSubject{`
`127`	`127`	`ID: subjectID,`