Refactor recording authorizer

Emyrk · Emyrk · commit 8134d1b0e669 · 2023-02-03T09:24:06.000-06:00
diff --git a/coderd/authzquery/methods_test.go b/coderd/authzquery/methods_test.go
@@ -129,9 +129,13 @@ MethodLoop:
 				// be expected to be a NotAuthorizedError.
 				erroredResp := reflect.ValueOf(az).Method(i).Call(append([]reflect.Value{reflect.ValueOf(ctx)}, testCase.Inputs...))
 				err := findError(t, erroredResp)
-				require.Errorf(t, err, "method %q should an error with disallow authz", testName)
-				require.ErrorIsf(t, err, sql.ErrNoRows, "error should match sql.ErrNoRows")
-				require.ErrorAs(t, err, &authzquery.NotAuthorizedError{}, "error should be NotAuthorizedError")
+				// This is unfortunate, but if we are using `Filter` the error returned will be nil. So filter out
+				// any case where the error is nil and the response is an empty slice.
+				if err != nil || !hasEmptySliceResponse(erroredResp) {
+					require.Errorf(t, err, "method %q should an error with disallow authz", testName)
+					require.ErrorIsf(t, err, sql.ErrNoRows, "error should match sql.ErrNoRows")
+					require.ErrorAs(t, err, &authzquery.NotAuthorizedError{}, "error should be NotAuthorizedError")
+				}
 				// Set things back to normal.
 				fakeAuthorizer.AlwaysReturn = nil
 				rec.Reset()
@@ -162,6 +166,17 @@ MethodLoop:
 	require.NoError(t, rec.AllAsserted(), "all rbac calls must be asserted")
 }
 
+func hasEmptySliceResponse(values []reflect.Value) bool {
+	for _, r := range values {
+		if r.Kind() == reflect.Slice || r.Kind() == reflect.Array {
+			if r.Len() == 0 {
+				return true
+			}
+		}
+	}
+	return false
+}
+
 func findError(t *testing.T, values []reflect.Value) error {
 	for _, r := range values {
 		if r.Type().Implements(reflect.TypeOf((*error)(nil)).Elem()) {
diff --git a/coderd/authzquery/organization.go b/coderd/authzquery/organization.go
@@ -115,11 +115,11 @@ func (q *AuthzQuerier) canAssignRoles(ctx context.Context, orgID *uuid.UUID, add
 	}
 
 	if len(added) > 0 && q.authorizeContext(ctx, rbac.ActionCreate, roleAssign) != nil {
-		return xerrors.Errorf("not authorized to assign roles")
+		return LogNotAuthorizedError(ctx, q.log, xerrors.Errorf("not authorized to assign roles"))
 	}
 
 	if len(removed) > 0 && q.authorizeContext(ctx, rbac.ActionDelete, roleAssign) != nil {
-		return xerrors.Errorf("not authorized to deleteQ roles")
+		return LogNotAuthorizedError(ctx, q.log, xerrors.Errorf("not authorized to delete roles"))
 	}
 
 	for _, roleName := range grantedRoles {
diff --git a/coderd/coderdtest/authorize.go b/coderd/coderdtest/authorize.go
@@ -444,7 +444,6 @@ func NewAuthTester(ctx context.Context, t *testing.T, client *codersdk.Client, a
 func (a *AuthTester) Test(ctx context.Context, assertRoute map[string]RouteCheck, skipRoutes map[string]string) {
 	// Always fail auth from this point forward
 	a.authorizer.Wrapped = &FakeAuthorizer{
-		Original:     a.authorizer,
 		AlwaysReturn: rbac.ForbiddenWithInternal(xerrors.New("fake implementation"), nil, nil),
 	}
 
@@ -639,40 +638,38 @@ func (r *RecordingAuthorizer) AssertActor(t *testing.T, actor rbac.Subject, did
 	assert.Equalf(t, len(did), ptr, "assert actor: didn't find all actions, %d missing actions", len(did)-ptr)
 }
 
-// _AuthorizeSQL does not record the call. This matches the postgres behavior
-// of not calling Authorize()
-func (r *RecordingAuthorizer) _AuthorizeSQL(ctx context.Context, subject rbac.Subject, action rbac.Action, object rbac.Object) error {
-	if r.Wrapped == nil {
-		panic("Developer error: RecordingAuthorizer.Wrapped is nil")
-	}
-	return r.Wrapped.Authorize(ctx, subject, action, object)
-}
-
-func (r *RecordingAuthorizer) Authorize(ctx context.Context, subject rbac.Subject, action rbac.Action, object rbac.Object) error {
+func (r *RecordingAuthorizer) RecordAuthorize(ctx context.Context, subject rbac.Subject, action rbac.Action, object rbac.Object) {
 	r.Lock()
 	defer r.Unlock()
 	r.Called = append(r.Called, authCall{
 		Actor:  subject,
 		Action: action,
 		Object: object,
 	})
+}
+
+func (r *RecordingAuthorizer) Authorize(ctx context.Context, subject rbac.Subject, action rbac.Action, object rbac.Object) error {
+	r.RecordAuthorize(ctx, subject, action, object)
 	if r.Wrapped == nil {
 		panic("Developer error: RecordingAuthorizer.Wrapped is nil")
 	}
 	return r.Wrapped.Authorize(ctx, subject, action, object)
 }
 
-func (r *RecordingAuthorizer) Prepare(_ context.Context, subject rbac.Subject, action rbac.Action, _ string) (rbac.PreparedAuthorized, error) {
+func (r *RecordingAuthorizer) Prepare(ctx context.Context, subject rbac.Subject, action rbac.Action, objectType string) (rbac.PreparedAuthorized, error) {
 	r.RLock()
 	defer r.RUnlock()
 	if r.Wrapped == nil {
 		panic("Developer error: RecordingAuthorizer.Wrapped is nil")
 	}
-	return &fakePreparedAuthorizer{
-		Original:           r,
-		Subject:            subject,
-		Action:             action,
-		HardCodedSQLString: "true",
+
+	prep, err := r.Wrapped.Prepare(ctx, subject, action, objectType)
+	if err != nil {
+		return nil, err
+	}
+	return &PreparedRecorder{
+		rec:     r,
+		prepped: prep,
 	}, nil
 }
 
@@ -682,46 +679,63 @@ func (r *RecordingAuthorizer) Reset() {
 	r.Called = nil
 }
 
+// lastCall is implemented to support legacy tests.
+// Deprecated
+func (r *RecordingAuthorizer) lastCall() *authCall {
+	r.RLock()
+	defer r.RUnlock()
+	if len(r.Called) == 0 {
+		return nil
+	}
+	return &r.Called[len(r.Called)-1]
+}
+
+type PreparedRecorder struct {
+	rec     *RecordingAuthorizer
+	prepped rbac.PreparedAuthorized
+	subject rbac.Subject
+	action  rbac.Action
+
+	rw       sync.Mutex
+	usingSQL bool
+}
+
+func (s *PreparedRecorder) Authorize(ctx context.Context, object rbac.Object) error {
+	s.rw.Lock()
+	defer s.rw.Unlock()
+
+	if !s.usingSQL {
+		s.rec.RecordAuthorize(ctx, s.subject, s.action, object)
+	}
+	return s.prepped.Authorize(ctx, object)
+}
+func (s *PreparedRecorder) CompileToSQL(ctx context.Context, cfg regosql.ConvertConfig) (string, error) {
+	s.rw.Lock()
+	defer s.rw.Unlock()
+
+	s.usingSQL = true
+	return s.prepped.CompileToSQL(ctx, cfg)
+}
+
 type fakePreparedAuthorizer struct {
 	sync.RWMutex
-	Original           *RecordingAuthorizer
+	Original           *FakeAuthorizer
 	Subject            rbac.Subject
 	Action             rbac.Action
-	HardCodedSQLString string
 	ShouldCompileToSQL bool
 }
 
 func (f *fakePreparedAuthorizer) Authorize(ctx context.Context, object rbac.Object) error {
-	f.RLock()
-	defer f.RUnlock()
-	if f.ShouldCompileToSQL {
-		return f.Original._AuthorizeSQL(ctx, f.Subject, f.Action, object)
-	}
 	return f.Original.Authorize(ctx, f.Subject, f.Action, object)
 }
 
 // CompileToSQL returns a compiled version of the authorizer that will work for
 // in memory databases. This fake version will not work against a SQL database.
 func (f *fakePreparedAuthorizer) CompileToSQL(_ context.Context, _ regosql.ConvertConfig) (string, error) {
-	f.Lock()
-	f.ShouldCompileToSQL = true
-	f.Unlock()
-	return f.HardCodedSQLString, nil
-}
-
-// lastCall is implemented to support legacy tests.
-// Deprecated
-func (r *RecordingAuthorizer) lastCall() *authCall {
-	r.RLock()
-	defer r.RUnlock()
-	if len(r.Called) == 0 {
-		return nil
-	}
-	return &r.Called[len(r.Called)-1]
+	return "not a valid sql string", nil
 }
 
 type FakeAuthorizer struct {
-	Original *RecordingAuthorizer
 	// AlwaysReturn is the error that will be returned by Authorize.
 	AlwaysReturn error
 }
@@ -732,11 +746,14 @@ func (d *FakeAuthorizer) Authorize(_ context.Context, _ rbac.Subject, _ rbac.Act
 	return d.AlwaysReturn
 }
 
+func (d *FakeAuthorizer) CompileToSQL(_ context.Context, _ regosql.ConvertConfig) (string, error) {
+	return "not a valid sql string", nil
+}
+
 func (d *FakeAuthorizer) Prepare(_ context.Context, subject rbac.Subject, action rbac.Action, _ string) (rbac.PreparedAuthorized, error) {
 	return &fakePreparedAuthorizer{
-		Original:           d.Original,
-		Subject:            subject,
-		Action:             action,
-		HardCodedSQLString: "true",
+		Original: d,
+		Subject:  subject,
+		Action:   action,
 	}, nil
 }

Original file line number	Diff line number	Diff line change
`@@ -115,11 +115,11 @@ func (q AuthzQuerier) canAssignRoles(ctx context.Context, orgID uuid.UUID, add`
`115`	`115`	`}`
`116`	`116`
`117`	`117`	`if len(added) > 0 && q.authorizeContext(ctx, rbac.ActionCreate, roleAssign) != nil {`
`118`		`- return xerrors.Errorf("not authorized to assign roles")`
	`118`	`+ return LogNotAuthorizedError(ctx, q.log, xerrors.Errorf("not authorized to assign roles"))`
`119`	`119`	`}`
`120`	`120`
`121`	`121`	`if len(removed) > 0 && q.authorizeContext(ctx, rbac.ActionDelete, roleAssign) != nil {`
`122`		`- return xerrors.Errorf("not authorized to deleteQ roles")`
	`122`	`+ return LogNotAuthorizedError(ctx, q.log, xerrors.Errorf("not authorized to delete roles"))`
`123`	`123`	`}`
`124`	`124`
`125`	`125`	`for _, roleName := range grantedRoles {`