
Commit 9bbef21

committed
expanded the user authorization query to return email and extracted actor injection into a single method
1 parent 8faaa14 commit 9bbef21


5 files changed

+29
-12
lines changed


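--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -388,59 +388,59 @@ var (
 // AsProvisionerd returns a context with an actor that has permissions required
 // for provisionerd to function.
 func AsProvisionerd(ctx context.Context) context.Context {
-return context.WithValue(ctx, authContextKey{}, subjectProvisionerd)
+return InjectActorToContext(ctx, subjectProvisionerd)
 }
 
 // AsAutostart returns a context with an actor that has permissions required
 // for autostart to function.
 func AsAutostart(ctx context.Context) context.Context {
-return context.WithValue(ctx, authContextKey{}, subjectAutostart)
+return InjectActorToContext(ctx, subjectAutostart)
 }
 
 // AsHangDetector returns a context with an actor that has permissions required
 // for unhanger.Detector to function.
 func AsHangDetector(ctx context.Context) context.Context {
-return context.WithValue(ctx, authContextKey{}, subjectHangDetector)
+return InjectActorToContext(ctx, subjectHangDetector)
 }
 
 // AsKeyRotator returns a context with an actor that has permissions required for rotating crypto keys.
 func AsKeyRotator(ctx context.Context) context.Context {
-return context.WithValue(ctx, authContextKey{}, subjectCryptoKeyRotator)
+return InjectActorToContext(ctx, subjectCryptoKeyRotator)
 }
 
 // AsKeyReader returns a context with an actor that has permissions required for reading crypto keys.
 func AsKeyReader(ctx context.Context) context.Context {
-return context.WithValue(ctx, authContextKey{}, subjectCryptoKeyReader)
+return InjectActorToContext(ctx, subjectCryptoKeyReader)
 }
 
 // AsNotifier returns a context with an actor that has permissions required for
 // creating/reading/updating/deleting notifications.
 func AsNotifier(ctx context.Context) context.Context {
-return context.WithValue(ctx, authContextKey{}, subjectNotifier)
+return InjectActorToContext(ctx, subjectNotifier)
 }
 
 // AsResourceMonitor returns a context with an actor that has permissions required for
 // updating resource monitors.
 func AsResourceMonitor(ctx context.Context) context.Context {
-return context.WithValue(ctx, authContextKey{}, subjectResourceMonitor)
+return InjectActorToContext(ctx, subjectResourceMonitor)
 }
 
 // AsSystemRestricted returns a context with an actor that has permissions
 // required for various system operations (login, logout, metrics cache).
 func AsSystemRestricted(ctx context.Context) context.Context {
-return context.WithValue(ctx, authContextKey{}, subjectSystemRestricted)
+return InjectActorToContext(ctx, subjectSystemRestricted)
 }
 
 // AsSystemReadProvisionerDaemons returns a context with an actor that has permissions
 // to read provisioner daemons.
 func AsSystemReadProvisionerDaemons(ctx context.Context) context.Context {
-return context.WithValue(ctx, authContextKey{}, subjectSystemReadProvisionerDaemons)
+return InjectActorToContext(ctx, subjectSystemReadProvisionerDaemons)
 }
 
 // AsPrebuildsOrchestrator returns a context with an actor that has permissions
 // to read orchestrator workspace prebuilds.
 func AsPrebuildsOrchestrator(ctx context.Context) context.Context {
-return context.WithValue(ctx, authContextKey{}, subjectPrebuildsOrchestrator)
+return InjectActorToContext(ctx, subjectPrebuildsOrchestrator)
 }
 
 var AsRemoveActor = rbac.Subject{
@@ -458,6 +458,16 @@ func As(ctx context.Context, actor rbac.Subject) context.Context {
 // should be removed from the context.
 return context.WithValue(ctx, authContextKey{}, nil)
 }
+return InjectActorToContext(ctx, actor)
+}
+
+func InjectActorToContext(ctx context.Context, actor rbac.Subject) context.Context {
+// if rlogger := httpmw.RequestLoggerFromContext(ctx); rlogger != nil {
+// rlogger.WithFields(
+// slog.F("requestor_id", actor.ID),
+// slog.F("requestor_email", actor.Email),
+// )
+// }
 return context.WithValue(ctx, authContextKey{}, actor)
 }
 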
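Review bot: `InjectActorToContext` (second hunk, new line 464) is an exported function with no doc comment, and it lands with a six-line block of commented-out logging code that references `httpmw.RequestLoggerFromContext` and `actor.Email`; dead code at the authorization boundary is a maintenance trap, and if that block is later uncommented as written it would emit every subject's email address into the request log on every `As*` call, which is PII that should be gated or redacted rather than logged by default (pulling `httpmw` into `dbauthz` would also likely create an import cycle, given `httpmw/apikey.go` in this same commit depends on `database` and `rbac`). Either drop the block or replace it with a one-line TODO naming the intended follow-up, and add `// InjectActorToContext returns a copy of ctx carrying actor as the authorization subject. Unlike As it always stores the given actor; callers that need AsRemoveActor semantics must go through As.` The nil-clearing branch of `As` (line 459) still calls `context.WithValue` directly, which is correct because the removal path must store nil rather than a `Subject` value, but a short comment there would stop someone "fixing" the asymmetry later. The body of `As` begins outside the hunk.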

coderd/database/queries.sql.go

Lines changed: 3 additions & 1 deletion

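--- a/coderd/database/queries/users.sql
+++ b/coderd/database/queries/users.sql
@@ -303,7 +303,7 @@ SELECT
 -- username is returned just to help for logging purposes
 -- status is used to enforce 'suspended' users, as all roles are ignored
 -- when suspended.
-id, username, status,
+id, username, status, email,
 -- All user roles, including their org roles.
 array_cat(
 -- All users are members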
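Review bot: The select list at line 306 now returns `email`, but the comment block above it (303–305) still explains only why `username` and `status` are returned, so a reader auditing what this authorization query exposes will not learn that email is intentionally pulled and meant for logging only. Add `-- email is returned for logging/debugging only and must not influence authorization.` next to the username comment. Because this query sits on the API-key authentication path, every request now materializes the user's email into the subject, so any downstream code that prints or stores the whole subject will carry PII — worth checking, though that is not visible in this hunk. The enclosing SELECT begins and ends outside the hunk.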

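--- a/coderd/httpmw/apikey.go
+++ b/coderd/httpmw/apikey.go
@@ -466,6 +466,7 @@ func UserRBACSubject(ctx context.Context, db database.Store, userID uuid.UUID, s
 
 actor := rbac.Subject{
 FriendlyName: roles.Username,
+Email: roles.Email,
 ID: userID.String(),
 Roles: rbacRoles,
 Groups: roles.Groups,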

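--- a/coderd/rbac/authz.go
+++ b/coderd/rbac/authz.go
@@ -66,6 +66,10 @@ type Subject struct {
 // external workspace proxy or other service type actor.
 FriendlyName string
 
+// Email is entirely optional and is used for logging and debugging
+// It is not used in any functional way.
+Email string
+
 ID string
 Roles ExpandableRoles
 Groups []string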
