chore: unit tests for cache authz

Emyrk · Emyrk · commit b909207df9e2 · 2025-06-12T13:45:42.000-05:00
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -572,13 +572,10 @@ func New(options *Options) *API {
 		TemplateScheduleStore:       options.TemplateScheduleStore,
 		UserQuietHoursScheduleStore: options.UserQuietHoursScheduleStore,
 		AccessControlStore:          options.AccessControlStore,
-		FileCache: files.NewFromStore(options.Database, options.PrometheusRegistry, func(ctx context.Context, action policy.Action, object rbac.Object) error {
-			subject := httpmw.UserAuthorizationCtx(ctx)
-			return options.Authorizer.Authorize(ctx, subject, action, object)
-		}),
-		Experiments:       experiments,
-		WebpushDispatcher: options.WebPushDispatcher,
-		healthCheckGroup:  &singleflight.Group[string, *healthsdk.HealthcheckReport]{},
+		FileCache:                   files.NewFromStore(options.Database, options.PrometheusRegistry, options.Authorizer.Authorize),
+		Experiments:                 experiments,
+		WebpushDispatcher:           options.WebPushDispatcher,
+		healthCheckGroup:            &singleflight.Group[string, *healthsdk.HealthcheckReport]{},
 		Acquirer: provisionerdserver.NewAcquirer(
 			ctx,
 			options.Logger.Named("acquirer"),
diff --git a/coderd/coderdtest/authorize.go b/coderd/coderdtest/authorize.go
@@ -234,6 +234,10 @@ func (r *RecordingAuthorizer) AssertOutOfOrder(t *testing.T, actor rbac.Subject,
 // AssertActor asserts in order. If the order of authz calls does not match,
 // this will fail.
 func (r *RecordingAuthorizer) AssertActor(t *testing.T, actor rbac.Subject, did ...ActionObjectPair) {
+	r.AssertActorID(t, actor.ID, did...)
+}
+
+func (r *RecordingAuthorizer) AssertActorID(t *testing.T, id string, did ...ActionObjectPair) {
 	r.Lock()
 	defer r.Unlock()
 	ptr := 0
@@ -242,7 +246,7 @@ func (r *RecordingAuthorizer) AssertActor(t *testing.T, actor rbac.Subject, did
 			// Finished all assertions
 			return
 		}
-		if call.Actor.ID == actor.ID {
+		if call.Actor.ID == id {
 			action, object := did[ptr].Action, did[ptr].Object
 			assert.Equalf(t, action, call.Action, "assert action %d", ptr)
 			assert.Equalf(t, object, call.Object, "assert object %d", ptr)
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -436,7 +436,8 @@ var (
 	subjectFileReader = rbac.Subject{
 		Type:         rbac.SubjectTypeFileReader,
 		FriendlyName: "Can Read All Files",
-		ID:           uuid.Nil.String(),
+		// Arbitrary uuid to have a unique ID for this subject.
+		ID: rbac.SubjectTypeFileReaderID,
 		Roles: rbac.Roles([]rbac.Role{
 			{
 				Identifier:  rbac.RoleIdentifier{Name: "file-reader"},
diff --git a/coderd/files/cache.go b/coderd/files/cache.go
@@ -19,7 +19,7 @@ import (
 	"github.com/coder/coder/v2/coderd/util/lazy"
 )
 
-type AuthorizeFile func(ctx context.Context, action policy.Action, object rbac.Object) error
+type AuthorizeFile func(ctx context.Context, subject rbac.Subject, action policy.Action, object rbac.Object) error
 
 // NewFromStore returns a file cache that will fetch files from the provided
 // database.
@@ -158,8 +158,12 @@ func (c *Cache) Acquire(ctx context.Context, fileID uuid.UUID) (fs.FS, error) {
 		return nil, err
 	}
 
+	subject, ok := dbauthz.ActorFromContext(ctx)
+	if !ok {
+		return nil, dbauthz.ErrNoActor
+	}
 	// Always check the caller can actually read the file.
-	if c.authz(ctx, policy.ActionRead, it.object) != nil {
+	if err := c.authz(ctx, subject, policy.ActionRead, it.object); err != nil {
 		c.Release(fileID)
 		return nil, err
 	}
diff --git a/coderd/files/cache_internal_test.go b/coderd/files/cache_internal_test.go
@@ -13,9 +13,15 @@ import (
 	"golang.org/x/sync/errgroup"
 
 	"github.com/coder/coder/v2/coderd/coderdtest/promhelp"
+	"github.com/coder/coder/v2/coderd/rbac"
+	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/testutil"
 )
 
+func authzAlwaysTrue(_ context.Context, _ rbac.Subject, _ policy.Action, _ rbac.Object) error {
+	return nil
+}
+
 func cachePromMetricName(metric string) string {
 	return "coderd_file_cache_" + metric
 }
@@ -33,7 +39,7 @@ func TestConcurrency(t *testing.T) {
 		// will be waiting in line, ensuring that no one duplicated a fetch.
 		time.Sleep(testutil.IntervalMedium)
 		return cacheEntryValue{FS: emptyFS, size: fileSize}, nil
-	}, reg)
+	}, reg, authzAlwaysTrue)
 
 	batches := 1000
 	groups := make([]*errgroup.Group, 0, batches)
@@ -83,7 +89,7 @@ func TestRelease(t *testing.T) {
 			FS:   emptyFS,
 			size: fileSize,
 		}, nil
-	}, reg)
+	}, reg, authzAlwaysTrue)
 
 	batches := 100
 	ids := make([]uuid.UUID, 0, batches)
diff --git a/coderd/files/cache_test.go b/coderd/files/cache_test.go
@@ -0,0 +1,119 @@
+package files_test
+
+import (
+	"testing"
+
+	"github.com/google/uuid"
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/stretchr/testify/require"
+
+	"cdr.dev/slog/sloggers/slogtest"
+	"github.com/coder/coder/v2/coderd/coderdtest"
+	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/dbauthz"
+	"github.com/coder/coder/v2/coderd/database/dbgen"
+	"github.com/coder/coder/v2/coderd/database/dbtestutil"
+	"github.com/coder/coder/v2/coderd/files"
+	"github.com/coder/coder/v2/coderd/rbac"
+	"github.com/coder/coder/v2/coderd/rbac/policy"
+	"github.com/coder/coder/v2/testutil"
+)
+
+func TestCacheRBAC(t *testing.T) {
+	t.Parallel()
+
+	db, cache, rec := cacheAuthzSetup(t)
+	ctx := testutil.Context(t, testutil.WaitMedium)
+
+	file := dbgen.File(t, db, database.File{})
+
+	nobodyID := uuid.New()
+	nobody := dbauthz.As(ctx, rbac.Subject{
+		ID:    nobodyID.String(),
+		Roles: rbac.Roles{},
+		Scope: rbac.ScopeAll,
+	})
+
+	userID := uuid.New()
+	userReader := dbauthz.As(ctx, rbac.Subject{
+		ID: userID.String(),
+		Roles: rbac.Roles{
+			must(rbac.RoleByName(rbac.RoleTemplateAdmin())),
+		},
+		Scope: rbac.ScopeAll,
+	})
+
+	cacheReader := dbauthz.AsFileReader(ctx)
+
+	t.Run("NoRolesOpen", func(t *testing.T) {
+		// Ensure start is clean
+		require.Equal(t, 0, cache.Count())
+		rec.Reset()
+
+		_, err := cache.Acquire(nobody, file.ID)
+		require.Error(t, err)
+		require.True(t, rbac.IsUnauthorizedError(err))
+
+		// Ensure that the cache is empty
+		require.Equal(t, 0, cache.Count())
+
+		// Check the assertions
+		rec.AssertActorID(t, nobodyID.String(), rec.Pair(policy.ActionRead, file))
+		rec.AssertActorID(t, rbac.SubjectTypeFileReaderID, rec.Pair(policy.ActionRead, file))
+	})
+
+	t.Run("CacheHasFile", func(t *testing.T) {
+		rec.Reset()
+		require.Equal(t, 0, cache.Count())
+
+		// Read the file with a file reader to put it into the cache.
+		_, err := cache.Acquire(cacheReader, file.ID)
+		require.NoError(t, err)
+		require.Equal(t, 1, cache.Count())
+
+		// "nobody" should not be able to read the file.
+		_, err = cache.Acquire(nobody, file.ID)
+		require.Error(t, err)
+		require.True(t, rbac.IsUnauthorizedError(err))
+		require.Equal(t, 1, cache.Count())
+
+		// UserReader can
+		_, err = cache.Acquire(userReader, file.ID)
+		require.NoError(t, err)
+		require.Equal(t, 1, cache.Count())
+
+		cache.Release(file.ID)
+		cache.Release(file.ID)
+		require.Equal(t, 0, cache.Count())
+
+		rec.AssertActorID(t, nobodyID.String(), rec.Pair(policy.ActionRead, file))
+		rec.AssertActorID(t, rbac.SubjectTypeFileReaderID, rec.Pair(policy.ActionRead, file))
+		rec.AssertActorID(t, userID.String(), rec.Pair(policy.ActionRead, file))
+	})
+}
+
+func cacheAuthzSetup(t *testing.T) (database.Store, *files.Cache, *coderdtest.RecordingAuthorizer) {
+	t.Helper()
+
+	logger := slogtest.Make(t, &slogtest.Options{})
+	reg := prometheus.NewRegistry()
+
+	db, _ := dbtestutil.NewDB(t)
+	authz := rbac.NewAuthorizer(reg)
+	rec := &coderdtest.RecordingAuthorizer{
+		Called:  nil,
+		Wrapped: authz,
+	}
+
+	// Dbauthz wrap the db
+	db = dbauthz.New(db, rec, logger, coderdtest.AccessControlStorePointer())
+	c := files.NewFromStore(db, reg, rec.Authorize)
+	return db, c, rec
+}
+
+func must[T any](t T, err error) T {
+	if err != nil {
+		panic(err)
+	}
+	return t
+}
diff --git a/coderd/rbac/authz.go b/coderd/rbac/authz.go
@@ -77,6 +77,10 @@ const (
 	SubjectTypeFileReader                   SubjectType = "file_reader"
 )
 
+const (
+	SubjectTypeFileReaderID = "acbf0be6-6fed-47b6-8c43-962cb5cab994"
+)
+
 // Subject is a struct that contains all the elements of a subject in an rbac
 // authorize.
 type Subject struct {

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ import (`
`19`	`19`	`"github.com/coder/coder/v2/coderd/util/lazy"`
`20`	`20`	`)`
`21`	`21`
`22`		`-type AuthorizeFile func(ctx context.Context, action policy.Action, object rbac.Object) error`
	`22`	`+type AuthorizeFile func(ctx context.Context, subject rbac.Subject, action policy.Action, object rbac.Object) error`
`23`	`23`
`24`	`24`	`// NewFromStore returns a file cache that will fetch files from the provided`
`25`	`25`	`// database.`
`@@ -158,8 +158,12 @@ func (c *Cache) Acquire(ctx context.Context, fileID uuid.UUID) (fs.FS, error) {`
`158`	`158`	`return nil, err`
`159`	`159`	`}`
`160`	`160`
	`161`	`+ subject, ok := dbauthz.ActorFromContext(ctx)`
	`162`	`+ if !ok {`
	`163`	`+ return nil, dbauthz.ErrNoActor`
	`164`	`+ }`
`161`	`165`	`// Always check the caller can actually read the file.`
`162`		`- if c.authz(ctx, policy.ActionRead, it.object) != nil {`
	`166`	`+ if err := c.authz(ctx, subject, policy.ActionRead, it.object); err != nil {`
`163`	`167`	`c.Release(fileID)`
`164`	`168`	`return nil, err`
`165`	`169`	`}`