extended rbac.Subject with SubjectType enum

ibetitsmike · ibetitsmike · commit ccc32e4318e9 · 2025-04-10T13:24:09.000Z
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -164,6 +164,7 @@ func ActorFromContext(ctx context.Context) (rbac.Subject, bool) {
 
 var (
 	subjectProvisionerd = rbac.Subject{
+		Type:         rbac.SubjectTypeProvisionerd,
 		FriendlyName: "Provisioner Daemon",
 		ID:           uuid.Nil.String(),
 		Roles: rbac.Roles([]rbac.Role{
@@ -198,6 +199,7 @@ var (
 	}.WithCachedASTValue()
 
 	subjectAutostart = rbac.Subject{
+		Type:         rbac.SubjectTypeAutostart,
 		FriendlyName: "Autostart",
 		ID:           uuid.Nil.String(),
 		Roles: rbac.Roles([]rbac.Role{
@@ -216,11 +218,14 @@ var (
 				User: []rbac.Permission{},
 			},
 		}),
-		Scope: rbac.ScopeAll,
+		Scope:  rbac.ScopeAll,
+		Email:  "",
+		Groups: []string{},
 	}.WithCachedASTValue()
 
 	// See unhanger package.
 	subjectHangDetector = rbac.Subject{
+		Type:         rbac.SubjectTypeHangDetector,
 		FriendlyName: "Hang Detector",
 		ID:           uuid.Nil.String(),
 		Roles: rbac.Roles([]rbac.Role{
@@ -241,6 +246,7 @@ var (
 
 	// See cryptokeys package.
 	subjectCryptoKeyRotator = rbac.Subject{
+		Type:         rbac.SubjectTypeCryptoKeyRotator,
 		FriendlyName: "Crypto Key Rotator",
 		ID:           uuid.Nil.String(),
 		Roles: rbac.Roles([]rbac.Role{
@@ -259,6 +265,7 @@ var (
 
 	// See cryptokeys package.
 	subjectCryptoKeyReader = rbac.Subject{
+		Type:         rbac.SubjectTypeCryptoKeyReader,
 		FriendlyName: "Crypto Key Reader",
 		ID:           uuid.Nil.String(),
 		Roles: rbac.Roles([]rbac.Role{
@@ -276,6 +283,7 @@ var (
 	}.WithCachedASTValue()
 
 	subjectNotifier = rbac.Subject{
+		Type:         rbac.SubjectTypeNotifier,
 		FriendlyName: "Notifier",
 		ID:           uuid.Nil.String(),
 		Roles: rbac.Roles([]rbac.Role{
@@ -296,6 +304,7 @@ var (
 	}.WithCachedASTValue()
 
 	subjectResourceMonitor = rbac.Subject{
+		Type:         rbac.SubjectTypeResourceMonitor,
 		FriendlyName: "Resource Monitor",
 		ID:           uuid.Nil.String(),
 		Roles: rbac.Roles([]rbac.Role{
@@ -314,6 +323,7 @@ var (
 	}.WithCachedASTValue()
 
 	subjectSystemRestricted = rbac.Subject{
+		Type:         rbac.SubjectTypeSystemRestricted,
 		FriendlyName: "System",
 		ID:           uuid.Nil.String(),
 		Roles: rbac.Roles([]rbac.Role{
@@ -348,6 +358,7 @@ var (
 	}.WithCachedASTValue()
 
 	subjectSystemReadProvisionerDaemons = rbac.Subject{
+		Type:         rbac.SubjectTypeSystemReadProvisionerDaemons,
 		FriendlyName: "Provisioner Daemons Reader",
 		ID:           uuid.Nil.String(),
 		Roles: rbac.Roles([]rbac.Role{
@@ -365,6 +376,7 @@ var (
 	}.WithCachedASTValue()
 
 	subjectPrebuildsOrchestrator = rbac.Subject{
+		Type:         rbac.SubjectTypePrebuildsOrchestrator,
 		FriendlyName: "Prebuilds Orchestrator",
 		ID:           prebuilds.SystemUserID.String(),
 		Roles: rbac.Roles([]rbac.Role{
diff --git a/coderd/httpmw/apikey.go b/coderd/httpmw/apikey.go
@@ -465,6 +465,7 @@ func UserRBACSubject(ctx context.Context, db database.Store, userID uuid.UUID, s
 	}
 
 	actor := rbac.Subject{
+		Type:         rbac.SubjectTypeUser,
 		FriendlyName: roles.Username,
 		Email:        roles.Email,
 		ID:           userID.String(),
diff --git a/coderd/rbac/astvalue.go b/coderd/rbac/astvalue.go
@@ -81,6 +81,10 @@ func (s Subject) regoValue() (ast.Value, error) {
 		return nil, xerrors.Errorf("expand scope: %w", err)
 	}
 	subj := ast.NewObject(
+		[2]*ast.Term{
+			ast.StringTerm("type"),
+			ast.StringTerm(string(s.Type)),
+		},
 		[2]*ast.Term{
 			ast.StringTerm("id"),
 			ast.StringTerm(s.ID),
diff --git a/coderd/rbac/authz.go b/coderd/rbac/authz.go
@@ -57,9 +57,30 @@ func hashAuthorizeCall(actor Subject, action policy.Action, object Object) [32]b
 	return hashOut
 }
 
+// SubjectType represents the type of subject in the RBAC system.
+type SubjectType string
+
+const (
+	SubjectTypeUser                         SubjectType = "user"
+	SubjectTypeProvisionerd                 SubjectType = "provisionerd"
+	SubjectTypeAutostart                    SubjectType = "autostart"
+	SubjectTypeHangDetector                 SubjectType = "hang_detector"
+	SubjectTypeResourceMonitor              SubjectType = "resource_monitor"
+	SubjectTypeCryptoKeyRotator             SubjectType = "crypto_key_rotator"
+	SubjectTypeCryptoKeyReader              SubjectType = "crypto_key_reader"
+	SubjectTypePrebuildsOrchestrator        SubjectType = "prebuilds_orchestrator"
+	SubjectTypeSystemReadProvisionerDaemons SubjectType = "system_read_provisioner_daemons"
+	SubjectTypeSystemRestricted             SubjectType = "system_restricted"
+	SubjectTypeNotifier                     SubjectType = "notifier"
+)
+
 // Subject is a struct that contains all the elements of a subject in an rbac
 // authorize.
 type Subject struct {
+	// Type indicates what kind of subject this is (user, system, provisioner, etc.)
+	// It is not used in any functional way, only for logging.
+	Type SubjectType
+
 	// FriendlyName is entirely optional and is used for logging and debugging
 	// It is not used in any functional way.
 	// It is usually the "username" of the user, but it can be the name of the
@@ -102,6 +123,9 @@ func (s Subject) WithCachedASTValue() Subject {
 }
 
 func (s Subject) Equal(b Subject) bool {
+	if s.Type != b.Type {
+		return false
+	}
 	if s.ID != b.ID {
 		return false
 	}
@@ -336,10 +360,11 @@ func NewAuthorizer(registry prometheus.Registerer) *RegoAuthorizer {
 }
 
 type authSubject struct {
-	ID     string   `json:"id"`
-	Roles  []Role   `json:"roles"`
-	Groups []string `json:"groups"`
-	Scope  Scope    `json:"scope"`
+	Type   SubjectType `json:"type"`
+	ID     string      `json:"id"`
+	Roles  []Role      `json:"roles"`
+	Groups []string    `json:"groups"`
+	Scope  Scope       `json:"scope"`
 }
 
 // Authorize is the intended function to be used outside this package.
diff --git a/coderd/rbac/roles_internal_test.go b/coderd/rbac/roles_internal_test.go
@@ -20,6 +20,7 @@ import (
 // A possible large improvement would be to implement the ast.Value interface directly.
 func BenchmarkRBACValueAllocation(b *testing.B) {
 	actor := Subject{
+		Type:   SubjectTypeUser,
 		Roles:  RoleIdentifiers{ScopedRoleOrgMember(uuid.New()), ScopedRoleOrgAdmin(uuid.New()), RoleMember()},
 		ID:     uuid.NewString(),
 		Scope:  ScopeAll,
@@ -39,6 +40,7 @@ func BenchmarkRBACValueAllocation(b *testing.B) {
 	})
 
 	jsonSubject := authSubject{
+		Type:   actor.Type,
 		ID:     actor.ID,
 		Roles:  must(actor.Roles.Expand()),
 		Groups: actor.Groups,
@@ -82,6 +84,7 @@ func TestRegoInputValue(t *testing.T) {
 	}
 
 	actor := Subject{
+		Type:   SubjectTypeUser,
 		Roles:  Roles(roles),
 		ID:     uuid.NewString(),
 		Scope:  ScopeAll,
@@ -109,6 +112,7 @@ func TestRegoInputValue(t *testing.T) {
 		// This is the input that would be passed to the rego policy.
 		jsonInput := map[string]interface{}{
 			"subject": authSubject{
+				Type:   actor.Type,
 				ID:     actor.ID,
 				Roles:  must(actor.Roles.Expand()),
 				Groups: actor.Groups,

Original file line number	Diff line number	Diff line change
`@@ -465,6 +465,7 @@ func UserRBACSubject(ctx context.Context, db database.Store, userID uuid.UUID, s`
`465`	`465`	`}`
`466`	`466`
`467`	`467`	`actor := rbac.Subject{`
	`468`	`+ Type: rbac.SubjectTypeUser,`
`468`	`469`	`FriendlyName: roles.Username,`
`469`	`470`	`Email: roles.Email,`
`470`	`471`	`ID: userID.String(),`