just pass the authorizer as a whole

Emyrk · Emyrk · commit c9cf7809aab2 · 2025-06-13T11:45:23.000-05:00
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -572,7 +572,7 @@ func New(options *Options) *API {
 		TemplateScheduleStore:       options.TemplateScheduleStore,
 		UserQuietHoursScheduleStore: options.UserQuietHoursScheduleStore,
 		AccessControlStore:          options.AccessControlStore,
-		FileCache:                   files.NewFromStore(options.Database, options.PrometheusRegistry, options.Authorizer.Authorize),
+		FileCache:                   files.NewFromStore(options.Database, options.PrometheusRegistry, options.Authorizer),
 		Experiments:                 experiments,
 		WebpushDispatcher:           options.WebPushDispatcher,
 		healthCheckGroup:            &singleflight.Group[string, *healthsdk.HealthcheckReport]{},
diff --git a/coderd/files/cache.go b/coderd/files/cache.go
@@ -19,11 +19,9 @@ import (
 	"github.com/coder/coder/v2/coderd/util/lazy"
 )
 
-type AuthorizeFile func(ctx context.Context, subject rbac.Subject, action policy.Action, object rbac.Object) error
-
 // NewFromStore returns a file cache that will fetch files from the provided
 // database.
-func NewFromStore(store database.Store, registerer prometheus.Registerer, authz AuthorizeFile) *Cache {
+func NewFromStore(store database.Store, registerer prometheus.Registerer, authz rbac.Authorizer) *Cache {
 	fetch := func(ctx context.Context, fileID uuid.UUID) (cacheEntryValue, error) {
 		// Make sure the read does not fail due to authorization issues.
 		// Authz is checked on the Acquire call, so this is safe.
@@ -44,7 +42,7 @@ func NewFromStore(store database.Store, registerer prometheus.Registerer, authz
 	return New(fetch, registerer, authz)
 }
 
-func New(fetch fetcher, registerer prometheus.Registerer, authz AuthorizeFile) *Cache {
+func New(fetch fetcher, registerer prometheus.Registerer, authz rbac.Authorizer) *Cache {
 	return (&Cache{
 		lock:    sync.Mutex{},
 		data:    make(map[uuid.UUID]*cacheEntry),
@@ -111,7 +109,7 @@ type Cache struct {
 	lock sync.Mutex
 	data map[uuid.UUID]*cacheEntry
 	fetcher
-	authz AuthorizeFile
+	authz rbac.Authorizer
 
 	// metrics
 	cacheMetrics
@@ -164,7 +162,7 @@ func (c *Cache) Acquire(ctx context.Context, fileID uuid.UUID) (fs.FS, error) {
 		return nil, dbauthz.ErrNoActor
 	}
 	// Always check the caller can actually read the file.
-	if err := c.authz(ctx, subject, policy.ActionRead, it.object); err != nil {
+	if err := c.authz.Authorize(ctx, subject, policy.ActionRead, it.object); err != nil {
 		c.Release(fileID)
 		return nil, err
 	}
diff --git a/coderd/files/cache_internal_test.go b/coderd/files/cache_internal_test.go
@@ -12,17 +12,12 @@ import (
 	"github.com/stretchr/testify/require"
 	"golang.org/x/sync/errgroup"
 
+	"github.com/coder/coder/v2/coderd/coderdtest"
 	"github.com/coder/coder/v2/coderd/coderdtest/promhelp"
 	"github.com/coder/coder/v2/coderd/database/dbauthz"
-	"github.com/coder/coder/v2/coderd/rbac"
-	"github.com/coder/coder/v2/coderd/rbac/policy"
 	"github.com/coder/coder/v2/testutil"
 )
 
-func authzAlwaysTrue(_ context.Context, _ rbac.Subject, _ policy.Action, _ rbac.Object) error {
-	return nil
-}
-
 func cachePromMetricName(metric string) string {
 	return "coderd_file_cache_" + metric
 }
@@ -42,7 +37,7 @@ func TestConcurrency(t *testing.T) {
 		// will be waiting in line, ensuring that no one duplicated a fetch.
 		time.Sleep(testutil.IntervalMedium)
 		return cacheEntryValue{FS: emptyFS, size: fileSize}, nil
-	}, reg, authzAlwaysTrue)
+	}, reg, &coderdtest.FakeAuthorizer{})
 
 	batches := 1000
 	groups := make([]*errgroup.Group, 0, batches)
@@ -94,7 +89,7 @@ func TestRelease(t *testing.T) {
 			FS:   emptyFS,
 			size: fileSize,
 		}, nil
-	}, reg, authzAlwaysTrue)
+	}, reg, &coderdtest.FakeAuthorizer{})
 
 	batches := 100
 	ids := make([]uuid.UUID, 0, batches)
diff --git a/coderd/files/cache_test.go b/coderd/files/cache_test.go
@@ -109,7 +109,7 @@ func cacheAuthzSetup(t *testing.T) (database.Store, *files.Cache, *coderdtest.Re
 
 	// Dbauthz wrap the db
 	db = dbauthz.New(db, rec, logger, coderdtest.AccessControlStorePointer())
-	c := files.NewFromStore(db, reg, rec.Authorize)
+	c := files.NewFromStore(db, reg, rec)
 	return db, c, rec
 }
 

Original file line number	Diff line number	Diff line change
`@@ -109,7 +109,7 @@ func cacheAuthzSetup(t testing.T) (database.Store, files.Cache, *coderdtest.Re`
`109`	`109`
`110`	`110`	`// Dbauthz wrap the db`
`111`	`111`	`db = dbauthz.New(db, rec, logger, coderdtest.AccessControlStorePointer())`
`112`		`- c := files.NewFromStore(db, reg, rec.Authorize)`
	`112`	`+ c := files.NewFromStore(db, reg, rec)`
`113`	`113`	`return db, c, rec`
`114`	`114`	`}`
`115`	`115`