Add groups to rego objects

Emyrk · Emyrk · commit ba1953a52097 · 2022-09-22T14:19:34.000-04:00
diff --git a/coderd/rbac/authz.go b/coderd/rbac/authz.go
@@ -93,20 +93,21 @@ func NewAuthorizer() (*RegoAuthorizer, error) {
 }
 
 type authSubject struct {
-	ID    string `json:"id"`
-	Roles []Role `json:"roles"`
+	ID     string   `json:"id"`
+	Roles  []Role   `json:"roles"`
+	Groups []string `json:"groups"`
 }
 
 // ByRoleName will expand all roleNames into roles before calling Authorize().
 // This is the function intended to be used outside this package.
 // The role is fetched from the builtin map located in memory.
-func (a RegoAuthorizer) ByRoleName(ctx context.Context, subjectID string, roleNames []string, scope Scope, action Action, object Object) error {
+func (a RegoAuthorizer) ByRoleName(ctx context.Context, subjectID string, roleNames []string, groups []string, scope Scope, action Action, object Object) error {
 	roles, err := RolesByNames(roleNames)
 	if err != nil {
 		return err
 	}
 
-	err = a.Authorize(ctx, subjectID, roles, action, object)
+	err = a.Authorize(ctx, subjectID, roles, groups, action, object)
 	if err != nil {
 		return err
 	}
@@ -118,7 +119,7 @@ func (a RegoAuthorizer) ByRoleName(ctx context.Context, subjectID string, roleNa
 			return err
 		}
 
-		err = a.Authorize(ctx, subjectID, []Role{scopeRole}, action, object)
+		err = a.Authorize(ctx, subjectID, []Role{scopeRole}, groups, action, object)
 		if err != nil {
 			return err
 		}
@@ -129,14 +130,15 @@ func (a RegoAuthorizer) ByRoleName(ctx context.Context, subjectID string, roleNa
 
 // Authorize allows passing in custom Roles.
 // This is really helpful for unit testing, as we can create custom roles to exercise edge cases.
-func (a RegoAuthorizer) Authorize(ctx context.Context, subjectID string, roles []Role, action Action, object Object) error {
+func (a RegoAuthorizer) Authorize(ctx context.Context, subjectID string, roles []Role, groups []string, action Action, object Object) error {
 	ctx, span := tracing.StartSpan(ctx)
 	defer span.End()
 
 	input := map[string]interface{}{
 		"subject": authSubject{
-			ID:    subjectID,
-			Roles: roles,
+			ID:     subjectID,
+			Roles:  roles,
+			Groups: groups,
 		},
 		"object": object,
 		"action": action,
diff --git a/coderd/rbac/object.go b/coderd/rbac/object.go
@@ -160,8 +160,8 @@ type Object struct {
 	// Type is "workspace", "project", "app", etc
 	Type string `json:"type"`
 
-	// map[string][]Action
-	ACLUserList map[string][]Action ` json:"acl_user_list"`
+	ACLUserList  map[string][]Action ` json:"acl_user_list"`
+	ACLGroupList map[string][]Action ` json:"acl_group_list"`
 }
 
 func (z Object) RBACObject() Object {
@@ -171,36 +171,53 @@ func (z Object) RBACObject() Object {
 // All returns an object matching all resources of the same type.
 func (z Object) All() Object {
 	return Object{
-		Owner: "",
-		OrgID: "",
-		Type:  z.Type,
+		Owner:        "",
+		OrgID:        "",
+		Type:         z.Type,
+		ACLUserList:  map[string][]Action{},
+		ACLGroupList: map[string][]Action{},
 	}
 }
 
 // InOrg adds an org OwnerID to the resource
 func (z Object) InOrg(orgID uuid.UUID) Object {
 	return Object{
-		Owner: z.Owner,
-		OrgID: orgID.String(),
-		Type:  z.Type,
+		Owner:        z.Owner,
+		OrgID:        orgID.String(),
+		Type:         z.Type,
+		ACLUserList:  z.ACLUserList,
+		ACLGroupList: z.ACLGroupList,
 	}
 }
 
 // WithOwner adds an OwnerID to the resource
 func (z Object) WithOwner(ownerID string) Object {
 	return Object{
-		Owner: ownerID,
-		OrgID: z.OrgID,
-		Type:  z.Type,
+		Owner:        ownerID,
+		OrgID:        z.OrgID,
+		Type:         z.Type,
+		ACLUserList:  z.ACLUserList,
+		ACLGroupList: z.ACLGroupList,
 	}
 }
 
 // WithACLUserList adds an ACL list to a given object
 func (z Object) WithACLUserList(acl map[string][]Action) Object {
 	return Object{
-		Owner:       z.Owner,
-		OrgID:       z.OrgID,
-		Type:        z.Type,
-		ACLUserList: acl,
+		Owner:        z.Owner,
+		OrgID:        z.OrgID,
+		Type:         z.Type,
+		ACLUserList:  acl,
+		ACLGroupList: z.ACLGroupList,
+	}
+}
+
+func (z Object) WithGroups(groups map[string][]Action) Object {
+	return Object{
+		Owner:        z.Owner,
+		OrgID:        z.OrgID,
+		Type:         z.Type,
+		ACLUserList:  z.ACLUserList,
+		ACLGroupList: groups,
 	}
 }
diff --git a/coderd/rbac/policy.rego b/coderd/rbac/policy.rego
@@ -176,7 +176,7 @@ allow {
 	input.object.org_owner != ""
 	# Only people in the org can use the team access.
 	org_mem
-	group := input.subject.groups[input.object.org_owner][_]
+	group := input.subject.groups[_]
 	perms := input.object.acl_group_list[group]
 	# Either the input action or wildcard
 	[input.action, "*"][_] in perms
