Fix compile errors from merge

Emyrk · Emyrk · commit cb406863a318 · 2023-01-26T14:50:19.000-06:00
diff --git a/coderd/authzquery/authz.go b/coderd/authzquery/authz.go
@@ -44,7 +44,7 @@ func authorizedInsertWithReturn[ObjectType any, ArgumentType any,
 		}
 
 		// Authorize the action
-		err = authorizer.ByRoleName(ctx, act.ID.String(), rbac.RoleNames(act.Roles.Names()), act.Scope, act.Groups, action, object.RBACObject())
+		err = authorizer.Authorize(ctx, act, action, object.RBACObject())
 		if err != nil {
 			return empty, xerrors.Errorf("unauthorized: %w", err)
 		}
@@ -135,7 +135,7 @@ func authorizedFetchAndQuery[ObjectType rbac.Objecter, ArgumentType any,
 		}
 
 		// Authorize the action
-		err = authorizer.ByRoleName(ctx, act.ID.String(), rbac.RoleNames(act.Roles.Names()), act.Scope, act.Groups, action, object.RBACObject())
+		err = authorizer.Authorize(ctx, act, action, object.RBACObject())
 		if err != nil {
 			return empty, xerrors.Errorf("unauthorized: %w", err)
 		}
@@ -184,7 +184,7 @@ func authorizedQuery[ArgumentType any, ObjectType rbac.Objecter,
 		}
 
 		// Authorize the action
-		err = authorizer.ByRoleName(ctx, act.ID.String(), rbac.RoleNames(act.Roles.Names()), act.Scope, act.Groups, action, object.RBACObject())
+		err = authorizer.Authorize(ctx, act, action, object.RBACObject())
 		if err != nil {
 			return empty, xerrors.Errorf("unauthorized: %w", err)
 		}
@@ -215,7 +215,7 @@ func authorizedFetchSet[ArgumentType any, ObjectType rbac.Objecter,
 		}
 
 		// Authorize the action
-		return rbac.Filter(ctx, authorizer, act.ID.String(), rbac.RoleNames(act.Roles.Names()), act.Scope, act.Groups, rbac.ActionRead, objects)
+		return rbac.Filter(ctx, authorizer, act, rbac.ActionRead, objects)
 	}
 }
 
@@ -246,7 +246,7 @@ func authorizedQueryWithRelated[ObjectType any, ArgumentType any, Related rbac.O
 		}
 
 		// Authorize the action
-		err = authorizer.ByRoleName(ctx, act.ID.String(), rbac.RoleNames(act.Roles.Names()), act.Scope, act.Groups, action, rel.RBACObject())
+		err = authorizer.Authorize(ctx, act, action, rel.RBACObject())
 		if err != nil {
 			return empty, xerrors.Errorf("unauthorized: %w", err)
 		}
@@ -263,5 +263,5 @@ func prepareSQLFilter(ctx context.Context, authorizer rbac.Authorizer, action rb
 		return nil, xerrors.Errorf("no authorization actor in context")
 	}
 
-	return authorizer.PrepareByRoleName(ctx, act.ID.String(), rbac.RoleNames(act.Roles.Names()), act.Scope, act.Groups, action, resourceType)
+	return authorizer.Prepare(ctx, act, action, resourceType)
 }
diff --git a/coderd/authzquery/authz_test.go b/coderd/authzquery/authz_test.go
@@ -19,10 +19,15 @@ import (
 func TestAuthzQueryRecursive(t *testing.T) {
 	t.Parallel()
 	q := authzquery.NewAuthzQuerier(databasefake.New(), &coderdtest.RecordingAuthorizer{})
+	actor := rbac.Subject{
+		ID:     uuid.NewString(),
+		Roles:  rbac.RoleNames{rbac.RoleOwner()},
+		Groups: []string{},
+		Scope:  rbac.ScopeAll,
+	}
 	for i := 0; i < reflect.TypeOf(q).NumMethod(); i++ {
 		var ins []reflect.Value
-		ctx := authzquery.WithAuthorizeContext(context.Background(), uuid.New(),
-			rbac.RoleNames{rbac.RoleOwner()}, []string{}, rbac.ScopeAll)
+		ctx := authzquery.WithAuthorizeContext(context.Background(), actor)
 
 		ins = append(ins, reflect.ValueOf(ctx))
 		method := reflect.TypeOf(q).Method(i)
diff --git a/coderd/authzquery/authzquerier.go b/coderd/authzquery/authzquerier.go
@@ -57,7 +57,7 @@ func (q *AuthzQuerier) authorizeContext(ctx context.Context, action rbac.Action,
 		return xerrors.Errorf("no authorization actor in context")
 	}
 
-	err := q.authorizer.ByRoleName(ctx, act.ID.String(), act.Roles, act.Scope, act.Groups, action, object.RBACObject())
+	err := q.authorizer.Authorize(ctx, act, action, object.RBACObject())
 	if err != nil {
 		return xerrors.Errorf("unauthorized: %w", err)
 	}
diff --git a/coderd/authzquery/context.go b/coderd/authzquery/context.go
@@ -14,34 +14,20 @@ import (
 
 type authContextKey struct{}
 
-// actor is the authorization subject for a request.
-// This is **required** for all AuthzQuerier operations.
-type actor struct {
-	ID     uuid.UUID
-	Roles  rbac.ExpandableRoles
-	Scope  rbac.ScopeName
-	Groups []string
-}
-
 func WithAuthorizeSystemContext(ctx context.Context, roles rbac.ExpandableRoles) context.Context {
 	// TODO: Add protections to search for user roles. If user roles are found,
 	// this should panic. That is a developer error that should be caught
 	// in unit tests.
-	return context.WithValue(ctx, authContextKey{}, actor{
-		ID:     uuid.Nil,
+	return context.WithValue(ctx, authContextKey{}, rbac.Subject{
+		ID:     uuid.Nil.String(),
 		Roles:  roles,
 		Scope:  rbac.ScopeAll,
 		Groups: []string{},
 	})
 }
 
-func WithAuthorizeContext(ctx context.Context, actorID uuid.UUID, roles rbac.ExpandableRoles, groups []string, scope rbac.ScopeName) context.Context {
-	return context.WithValue(ctx, authContextKey{}, actor{
-		ID:     actorID,
-		Roles:  roles,
-		Scope:  scope,
-		Groups: groups,
-	})
+func WithAuthorizeContext(ctx context.Context, actor rbac.Subject) context.Context {
+	return context.WithValue(ctx, authContextKey{}, actor)
 }
 
 // WithWorkspaceAgentTokenContext returns a context with a workspace agent token
@@ -55,8 +41,8 @@ func WithAuthorizeContext(ctx context.Context, actorID uuid.UUID, roles rbac.Exp
 func WithWorkspaceAgentTokenContext(ctx context.Context, workspaceID uuid.UUID, actorID uuid.UUID, roles rbac.ExpandableRoles, groups []string) context.Context {
 	// TODO: This workspace ID should be applied in the scope.
 	var _ = workspaceID
-	return context.WithValue(ctx, authContextKey{}, actor{
-		ID:    actorID,
+	return context.WithValue(ctx, authContextKey{}, rbac.Subject{
+		ID:    actorID.String(),
 		Roles: roles,
 		// TODO: @emyrk This scope is INCORRECT. The correct scope is a readonly
 		// scope for the specified workspaceID. Limit the permissions as much as
@@ -70,7 +56,7 @@ func WithWorkspaceAgentTokenContext(ctx context.Context, workspaceID uuid.UUID,
 // actorFromContext returns the authorization subject from the context.
 // All authentication flows should set the authorization subject in the context.
 // If no actor is present, the function returns false.
-func actorFromContext(ctx context.Context) (actor, bool) {
-	a, ok := ctx.Value(authContextKey{}).(actor)
+func actorFromContext(ctx context.Context) (rbac.Subject, bool) {
+	a, ok := ctx.Value(authContextKey{}).(rbac.Subject)
 	return a, ok
 }
diff --git a/coderd/authzquery/methods.go b/coderd/authzquery/methods.go
@@ -31,3 +31,8 @@ func (q *AuthzQuerier) GetProvisionerLogsByIDBetween(ctx context.Context, arg da
 	}
 	return q.database.GetProvisionerLogsByIDBetween(ctx, arg)
 }
+
+func (q *AuthzQuerier) GetDeploymentDAUs(ctx context.Context) ([]database.GetDeploymentDAUsRow, error) {
+	//TODO implement me
+	panic("implement me")
+}
diff --git a/coderd/authzquery/organization.go b/coderd/authzquery/organization.go
@@ -131,7 +131,7 @@ func (q *AuthzQuerier) canAssignRoles(ctx context.Context, orgID *uuid.UUID, add
 	}
 
 	for _, roleName := range grantedRoles {
-		if !rbac.CanAssignRole(actor.Roles.Names(), roleName) {
+		if !rbac.CanAssignRole(actor.Roles, roleName) {
 			return xerrors.Errorf("not authorized to assign role %q", roleName)
 		}
 	}
diff --git a/coderd/authzquery/user.go b/coderd/authzquery/user.go
@@ -83,7 +83,7 @@ func (q *AuthzQuerier) GetUsersWithCount(ctx context.Context, arg database.GetUs
 
 	// TODO: Is this correct? Should we return a retricted user?
 	users := database.ConvertUserRows(rowUsers)
-	users, err = rbac.Filter(ctx, q.authorizer, act.ID.String(), rbac.RoleNames(act.Roles.Names()), act.Scope, act.Groups, rbac.ActionRead, users)
+	users, err = rbac.Filter(ctx, q.authorizer, act, rbac.ActionRead, users)
 	if err != nil {
 		return nil, -1, err
 	}
diff --git a/coderd/httpmw/apikey.go b/coderd/httpmw/apikey.go
@@ -342,23 +342,20 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 				return
 			}
 
+			// Actor is the user's authorization context.
+			actor := rbac.Subject{
+				ID:     key.UserID.String(),
+				Roles:  rbac.RoleNames(roles.Roles),
+				Groups: roles.Groups,
+				Scope:  rbac.ScopeName(key.Scope),
+			}
 			ctx = context.WithValue(ctx, apiKeyContextKey{}, key)
 			ctx = context.WithValue(ctx, userAuthKey{}, Authorization{
 				Username: roles.Username,
-				Actor: rbac.Subject{
-					ID:     key.UserID.String(),
-					Roles:  rbac.RoleNames(roles.Roles),
-					Groups: roles.Groups,
-					Scope:  rbac.ScopeName(key.Scope),
-				},
+				Actor:    actor,
 			})
 			// Set the auth context for the authzquerier as well.
-			ctx = authzquery.WithAuthorizeContext(ctx,
-				key.UserID,
-				rbac.RoleNames(roles.Roles),
-				roles.Groups,
-				rbac.ScopeName(key.Scope),
-			)
+			ctx = authzquery.WithAuthorizeContext(ctx, actor)
 
 			next.ServeHTTP(rw, r.WithContext(ctx))
 		})
diff --git a/coderd/httpmw/userparam.go b/coderd/httpmw/userparam.go
@@ -13,7 +13,6 @@ import (
 	"github.com/coder/coder/coderd/authzquery"
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/httpapi"
-	"github.com/coder/coder/coderd/rbac"
 	"github.com/coder/coder/codersdk"
 )
 
@@ -45,7 +44,7 @@ func ExtractUserParam(db database.Store, redirectToLoginOnMe bool) func(http.Han
 		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 			var (
 				auth = UserAuthorization(r)
-				ctx  = authzquery.WithAuthorizeContext(r.Context(), auth.ID, auth.Roles, auth.Groups, rbac.ScopeName(auth.Scope))
+				ctx  = authzquery.WithAuthorizeContext(r.Context(), auth.Actor)
 				user database.User
 				err  error
 			)
diff --git a/coderd/rbac/builtin.go b/coderd/rbac/builtin.go
@@ -38,20 +38,6 @@ func (names RoleNames) Names() []string {
 	return names
 }
 
-type Roles []Role
-
-func (roles Roles) Expand() ([]Role, error) {
-	return roles, nil
-}
-
-func (roles Roles) Names() []string {
-	names := make([]string, 0, len(roles))
-	for _, r := range roles {
-		return append(names, r.Name)
-	}
-	return names
-}
-
 // RolesAutostartSystem is the limited set of permissions required for autostart
 // to function.
 func RolesAutostartSystem() Roles {

Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ func authorizedInsertWithReturn[ObjectType any, ArgumentType any,`
`44`	`44`	`}`
`45`	`45`
`46`	`46`	`// Authorize the action`
`47`		`- err = authorizer.ByRoleName(ctx, act.ID.String(), rbac.RoleNames(act.Roles.Names()), act.Scope, act.Groups, action, object.RBACObject())`
	`47`	`+ err = authorizer.Authorize(ctx, act, action, object.RBACObject())`
`48`	`48`	`if err != nil {`
`49`	`49`	`return empty, xerrors.Errorf("unauthorized: %w", err)`
`50`	`50`	`}`
`@@ -135,7 +135,7 @@ func authorizedFetchAndQuery[ObjectType rbac.Objecter, ArgumentType any,`
`135`	`135`	`}`
`136`	`136`
`137`	`137`	`// Authorize the action`
`138`		`- err = authorizer.ByRoleName(ctx, act.ID.String(), rbac.RoleNames(act.Roles.Names()), act.Scope, act.Groups, action, object.RBACObject())`
	`138`	`+ err = authorizer.Authorize(ctx, act, action, object.RBACObject())`
`139`	`139`	`if err != nil {`
`140`	`140`	`return empty, xerrors.Errorf("unauthorized: %w", err)`
`141`	`141`	`}`
`@@ -184,7 +184,7 @@ func authorizedQuery[ArgumentType any, ObjectType rbac.Objecter,`
`184`	`184`	`}`
`185`	`185`
`186`	`186`	`// Authorize the action`
`187`		`- err = authorizer.ByRoleName(ctx, act.ID.String(), rbac.RoleNames(act.Roles.Names()), act.Scope, act.Groups, action, object.RBACObject())`
	`187`	`+ err = authorizer.Authorize(ctx, act, action, object.RBACObject())`
`188`	`188`	`if err != nil {`
`189`	`189`	`return empty, xerrors.Errorf("unauthorized: %w", err)`
`190`	`190`	`}`
`@@ -215,7 +215,7 @@ func authorizedFetchSet[ArgumentType any, ObjectType rbac.Objecter,`
`215`	`215`	`}`
`216`	`216`
`217`	`217`	`// Authorize the action`
`218`		`- return rbac.Filter(ctx, authorizer, act.ID.String(), rbac.RoleNames(act.Roles.Names()), act.Scope, act.Groups, rbac.ActionRead, objects)`
	`218`	`+ return rbac.Filter(ctx, authorizer, act, rbac.ActionRead, objects)`
`219`	`219`	`}`
`220`	`220`	`}`
`221`	`221`
`@@ -246,7 +246,7 @@ func authorizedQueryWithRelated[ObjectType any, ArgumentType any, Related rbac.O`
`246`	`246`	`}`
`247`	`247`
`248`	`248`	`// Authorize the action`
`249`		`- err = authorizer.ByRoleName(ctx, act.ID.String(), rbac.RoleNames(act.Roles.Names()), act.Scope, act.Groups, action, rel.RBACObject())`
	`249`	`+ err = authorizer.Authorize(ctx, act, action, rel.RBACObject())`
`250`	`250`	`if err != nil {`
`251`	`251`	`return empty, xerrors.Errorf("unauthorized: %w", err)`
`252`	`252`	`}`
`@@ -263,5 +263,5 @@ func prepareSQLFilter(ctx context.Context, authorizer rbac.Authorizer, action rb`
`263`	`263`	`return nil, xerrors.Errorf("no authorization actor in context")`
`264`	`264`	`}`
`265`	`265`
`266`		`- return authorizer.PrepareByRoleName(ctx, act.ID.String(), rbac.RoleNames(act.Roles.Names()), act.Scope, act.Groups, action, resourceType)`
	`266`	`+ return authorizer.Prepare(ctx, act, action, resourceType)`
`267`	`267`	`}`
Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@ func (q *AuthzQuerier) authorizeContext(ctx context.Context, action rbac.Action,`
`57`	`57`	`return xerrors.Errorf("no authorization actor in context")`
`58`	`58`	`}`
`59`	`59`
`60`		`- err := q.authorizer.ByRoleName(ctx, act.ID.String(), act.Roles, act.Scope, act.Groups, action, object.RBACObject())`
	`60`	`+ err := q.authorizer.Authorize(ctx, act, action, object.RBACObject())`
`61`	`61`	`if err != nil {`
`62`	`62`	`return xerrors.Errorf("unauthorized: %w", err)`
`63`	`63`	`}`
Original file line number	Diff line number	Diff line change
`@@ -31,3 +31,8 @@ func (q *AuthzQuerier) GetProvisionerLogsByIDBetween(ctx context.Context, arg da`
`31`	`31`	`}`
`32`	`32`	`return q.database.GetProvisionerLogsByIDBetween(ctx, arg)`
`33`	`33`	`}`
	`34`	`+`
	`35`	`+func (q *AuthzQuerier) GetDeploymentDAUs(ctx context.Context) ([]database.GetDeploymentDAUsRow, error) {`
	`36`	`+ //TODO implement me`
	`37`	`+ panic("implement me")`
	`38`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -131,7 +131,7 @@ func (q AuthzQuerier) canAssignRoles(ctx context.Context, orgID uuid.UUID, add`
`131`	`131`	`}`
`132`	`132`
`133`	`133`	`for _, roleName := range grantedRoles {`
`134`		`- if !rbac.CanAssignRole(actor.Roles.Names(), roleName) {`
	`134`	`+ if !rbac.CanAssignRole(actor.Roles, roleName) {`
`135`	`135`	`return xerrors.Errorf("not authorized to assign role %q", roleName)`
`136`	`136`	`}`
`137`	`137`	`}`
Original file line number	Diff line number	Diff line change
`@@ -83,7 +83,7 @@ func (q *AuthzQuerier) GetUsersWithCount(ctx context.Context, arg database.GetUs`
`83`	`83`
`84`	`84`	`// TODO: Is this correct? Should we return a retricted user?`
`85`	`85`	`users := database.ConvertUserRows(rowUsers)`
`86`		`- users, err = rbac.Filter(ctx, q.authorizer, act.ID.String(), rbac.RoleNames(act.Roles.Names()), act.Scope, act.Groups, rbac.ActionRead, users)`
	`86`	`+ users, err = rbac.Filter(ctx, q.authorizer, act, rbac.ActionRead, users)`
`87`	`87`	`if err != nil {`
`88`	`88`	`return nil, -1, err`
`89`	`89`	`}`