fix: Fix acl list rego policy

Emyrk · Emyrk · commit 7297c3cead95 · 2022-09-26T13:43:03.000-04:00
diff --git a/coderd/rbac/authz.go b/coderd/rbac/authz.go
@@ -3,7 +3,6 @@ package rbac
 import (
 	"context"
 	_ "embed"
-	"fmt"
 	"sync"
 
 	"github.com/open-policy-agent/opa/rego"
@@ -92,12 +91,7 @@ func NewAuthorizer() *RegoAuthorizer {
 	queryOnce.Do(func() {
 		var err error
 		query, err = rego.New(
-			// Bind the results to 2 variables for easy checking later.
-			rego.Query(
-				fmt.Sprintf("%s := data.authz.role_allow "+
-					"%s := data.authz.scope_allow",
-					rolesOkCheck, scopeOkCheck),
-			),
+			rego.Query("data.authz.allow"),
 			rego.Module("policy.rego", policy),
 		).PrepareForEval(context.Background())
 		if err != nil {
@@ -158,31 +152,10 @@ func (a RegoAuthorizer) Authorize(ctx context.Context, subjectID string, roles [
 		return ForbiddenWithInternal(xerrors.Errorf("eval rego: %w", err), input, results)
 	}
 
-	// We expect only the 2 bindings for scopes and roles checks.
-	if len(results) == 1 && len(results[0].Bindings) == 2 {
-		roleCheck, ok := results[0].Bindings[rolesOkCheck].(bool)
-		if !ok || !roleCheck {
-			return ForbiddenWithInternal(xerrors.Errorf("policy disallows request"), input, results)
-		}
-
-		scopeCheck, ok := results[0].Bindings[scopeOkCheck].(bool)
-		if !ok || !scopeCheck {
-			return ForbiddenWithInternal(xerrors.Errorf("policy disallows request"), input, results)
-		}
-
-		// This is purely defensive programming. The two above checks already
-		// check for 'true' expressions. This is just a sanity check to make
-		// sure we don't add non-boolean expressions to our query.
-		// This is super cheap to do, and just adds in some extra safety for
-		// programmer error.
-		for _, exp := range results[0].Expressions {
-			if b, ok := exp.Value.(bool); !ok || !b {
-				return ForbiddenWithInternal(xerrors.Errorf("policy disallows request"), input, results)
-			}
-		}
-		return nil
+	if !results.Allowed() {
+		return ForbiddenWithInternal(xerrors.Errorf("policy disallows request"), input, results)
 	}
-	return ForbiddenWithInternal(xerrors.Errorf("policy disallows request"), input, results)
+	return nil
 }
 
 // Prepare will partially execute the rego policy leaving the object fields unknown (except for the type).
diff --git a/coderd/rbac/authz_internal_test.go b/coderd/rbac/authz_internal_test.go
@@ -208,37 +208,37 @@ func TestAuthorizeDomain(t *testing.T) {
 		},
 	}
 
-	//testAuthorize(t, "ACLList", user, []authTestCase{
-	//	{
-	//		resource: ResourceWorkspace.WithOwner(unuseID.String()).InOrg(unuseID).WithACLUserList(map[string][]Action{
-	//			user.UserID: allActions(),
-	//		}),
-	//		actions: allActions(),
-	//		allow:   true,
-	//	},
-	//	{
-	//		resource: ResourceWorkspace.WithOwner(unuseID.String()).InOrg(unuseID).WithACLUserList(map[string][]Action{
-	//			user.UserID: {WildcardSymbol},
-	//		}),
-	//		actions: allActions(),
-	//		allow:   true,
-	//	},
-	//	{
-	//		resource: ResourceWorkspace.WithOwner(unuseID.String()).InOrg(unuseID).WithACLUserList(map[string][]Action{
-	//			user.UserID: {ActionRead, ActionUpdate},
-	//		}),
-	//		actions: []Action{ActionCreate, ActionDelete},
-	//		allow:   false,
-	//	},
-	//	{
-	//		// By default users cannot update templates
-	//		resource: ResourceTemplate.InOrg(defOrg).WithACLUserList(map[string][]Action{
-	//			user.UserID: {ActionUpdate},
-	//		}),
-	//		actions: []Action{ActionRead, ActionUpdate},
-	//		allow:   true,
-	//	},
-	//})
+	testAuthorize(t, "ACLList", user, []authTestCase{
+		{
+			resource: ResourceWorkspace.WithOwner(unuseID.String()).InOrg(unuseID).WithACLUserList(map[string][]Action{
+				user.UserID: allActions(),
+			}),
+			actions: allActions(),
+			allow:   true,
+		},
+		{
+			resource: ResourceWorkspace.WithOwner(unuseID.String()).InOrg(unuseID).WithACLUserList(map[string][]Action{
+				user.UserID: {WildcardSymbol},
+			}),
+			actions: allActions(),
+			allow:   true,
+		},
+		{
+			resource: ResourceWorkspace.WithOwner(unuseID.String()).InOrg(unuseID).WithACLUserList(map[string][]Action{
+				user.UserID: {ActionRead, ActionUpdate},
+			}),
+			actions: []Action{ActionCreate, ActionDelete},
+			allow:   false,
+		},
+		{
+			// By default users cannot update templates
+			resource: ResourceTemplate.InOrg(defOrg).WithACLUserList(map[string][]Action{
+				user.UserID: {ActionUpdate},
+			}),
+			actions: []Action{ActionRead, ActionUpdate},
+			allow:   true,
+		},
+	})
 
 	testAuthorize(t, "Member", user, []authTestCase{
 		// Org + me
diff --git a/coderd/rbac/partial.go b/coderd/rbac/partial.go
@@ -111,7 +111,7 @@ func newPartialAuthorizer(ctx context.Context, subjectID string, roles []Role, s
 	// Run the rego policy with a few unknown fields. This should simplify our
 	// policy to a set of queries.
 	partialQueries, err := rego.New(
-		rego.Query("data.authz.role_allow = true data.authz.scope_allow = true"),
+		rego.Query("data.authz.allow = true"),
 		rego.Module("policy.rego", policy),
 		rego.Unknowns([]string{
 			"input.object.owner",
diff --git a/coderd/rbac/policy.rego b/coderd/rbac/policy.rego
@@ -2,8 +2,8 @@ package authz
 import future.keywords
 # A great playground: https://play.openpolicyagent.org/
 # Helpful cli commands to debug.
-# opa eval --format=pretty 'data.authz.role_allow data.authz.scope_allow' -d policy.rego  -i input.json
-# opa eval --partial --format=pretty 'data.authz.role_allow = true data.authz.scope_allow = true' -d policy.rego --unknowns input.object.owner --unknowns input.object.org_owner --unknowns input.object.acl_user_list --unknowns input.object.acl_group_list -i input.json
+# opa eval --format=pretty 'data.authz.allow' -d policy.rego  -i input.json
+# opa eval --partial --format=pretty 'data.authz.allow' -d policy.rego --unknowns input.object.owner --unknowns input.object.org_owner --unknowns input.object.acl_user_list --unknowns input.object.acl_group_list -i input.json
 
 #
 # This policy is specifically constructed to compress to a set of queries if the
@@ -156,7 +156,6 @@ user_allow(roles) := num {
 # Allow query:
 #	 data.authz.role_allow = true data.authz.scope_allow = true
 
-default role_allow = false
 role_allow {
 	site = 1
 }
@@ -175,8 +174,6 @@ role_allow {
 	user = 1
 }
 
-
-default scope_allow = false
 scope_allow {
 	scope_site = 1
 }
@@ -196,15 +193,15 @@ scope_allow {
 }
 
 # ACL for users
-allow {
+acl_allow {
 	# Should you have to be a member of the org too?
 	perms := input.object.acl_user_list[input.subject.id]
 	# Either the input action or wildcard
 	[input.action, "*"][_] in perms
 }
 
 # ACL for groups
-allow {
+acl_allow {
 	# If there is no organization owner, the object cannot be owned by an
 	# org_scoped team.
 	# TODO: This line and 'org_mem' are similiar and should be combined.
@@ -220,3 +217,15 @@ allow {
 	[input.action, "*"][_] in perms
 }
 
+allow {
+	role_allow
+	scope_allow
+}
+
+# ACL list must also have the scope_allow to pass
+allow {
+	acl_allow
+	scope_allow
+}
+
+
