Some cleanup

Emyrk · Emyrk · commit d083a7c87ecf · 2022-05-03T09:34:50.000-05:00
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -79,6 +79,7 @@ func New(options *Options) (http.Handler, func()) {
 		Github: options.GithubOAuth2Config,
 	})
 
+	// TODO: @emyrk we should just move this into 'ExtractAPIKey'.
 	authRolesMiddleware := httpmw.ExtractUserRoles(options.Database)
 
 	authorize := func(f http.HandlerFunc, actions rbac.Action) http.HandlerFunc {
@@ -142,7 +143,7 @@ func New(options *Options) (http.Handler, func()) {
 			r.Route("/members", func(r chi.Router) {
 				r.Route("/roles", func(r chi.Router) {
 					r.Use(httpmw.RBACObject(rbac.ResourceUserRole))
-					r.Get("/", authorize(api.assignableOrgRoles, rbac.ActionCreate))
+					r.Get("/", authorize(api.assignableOrgRoles, rbac.ActionRead))
 				})
 				r.Route("/{user}", func(r chi.Router) {
 					r.Use(
@@ -215,7 +216,7 @@ func New(options *Options) (http.Handler, func()) {
 				// These routes query information about site wide roles.
 				r.Route("/roles", func(r chi.Router) {
 					r.Use(httpmw.RBACObject(rbac.ResourceUserRole))
-					r.Get("/", authorize(api.assignableSiteRoles, rbac.ActionCreate))
+					r.Get("/", authorize(api.assignableSiteRoles, rbac.ActionRead))
 				})
 				r.Route("/{user}", func(r chi.Router) {
 					r.Use(httpmw.ExtractUserParam(options.Database))
diff --git a/coderd/httpmw/authorize.go b/coderd/httpmw/authorize.go
@@ -20,16 +20,21 @@ type AuthObject struct {
 	Object rbac.Object
 }
 
-// Authorize allows for static object & action authorize checking. If the object is a static object, this is an easy way
-// to enforce the route.
+// Authorize will enforce if the user roles can complete the action on the AuthObject.
+// The organization and owner are found using the ExtractOrganization and
+// ExtractUser middleware if present.
 func Authorize(logger slog.Logger, auth *rbac.RegoAuthorizer, action rbac.Action) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 			roles := UserRoles(r)
 			args := GetAuthObject(r)
 
 			object := args.Object
+			if object.Type == "" {
+				panic("developer error: auth object has no type")
+			}
 
+			// First extract the object's owner and organization if present.
 			unknownOrg := r.Context().Value(organizationParamContextKey{})
 			if organization, castOK := unknownOrg.(database.Organization); unknownOrg != nil {
 				if !castOK {
@@ -46,13 +51,14 @@ func Authorize(logger slog.Logger, auth *rbac.RegoAuthorizer, action rbac.Action
 				object = object.WithOwner(owner.ID.String())
 			}
 
-			// Error on the first action that fails
 			err := auth.AuthorizeByRoleName(r.Context(), roles.ID.String(), roles.Roles, action, object)
 			if err != nil {
 				internalError := new(rbac.UnauthorizedError)
 				if xerrors.As(err, internalError) {
 					logger = logger.With(slog.F("internal", internalError.Internal()))
 				}
+				// Log information for debugging. This will be very helpful
+				// in the early days if we over secure endpoints.
 				logger.Warn(r.Context(), "unauthorized",
 					slog.F("roles", roles.Roles),
 					slog.F("user_id", roles.ID),
@@ -77,11 +83,13 @@ type authObjectKey struct{}
 func GetAuthObject(r *http.Request) AuthObject {
 	obj, ok := r.Context().Value(authObjectKey{}).(AuthObject)
 	if !ok {
-		return AuthObject{}
+		panic("developer error: auth object middleware not provided")
 	}
 	return obj
 }
 
+// RBACObject sets the object for 'Authorize()' for all routes handled
+// by this middleware. The important field to set is 'Type'
 func RBACObject(object rbac.Object) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
diff --git a/coderd/httpmw/organizationparam.go b/coderd/httpmw/organizationparam.go
@@ -77,7 +77,6 @@ func ExtractOrganizationParam(db database.Store) func(http.Handler) http.Handler
 
 			ctx := context.WithValue(r.Context(), organizationParamContextKey{}, organization)
 			ctx = context.WithValue(ctx, organizationMemberParamContextKey{}, organizationMember)
-
 			next.ServeHTTP(rw, r.WithContext(ctx))
 		})
 	}
diff --git a/coderd/rbac/authz.go b/coderd/rbac/authz.go
@@ -50,7 +50,6 @@ func (a RegoAuthorizer) AuthorizeByRoleName(ctx context.Context, subjectID strin
 		}
 		roles = append(roles, r)
 	}
-
 	return a.Authorize(ctx, subjectID, roles, action, object)
 }
 
diff --git a/coderd/roles_test.go b/coderd/roles_test.go
@@ -5,15 +5,11 @@ import (
 	"net/http"
 	"testing"
 
+	"github.com/coder/coder/coderd/coderdtest"
 	"github.com/coder/coder/coderd/rbac"
-
-	"github.com/google/uuid"
-
 	"github.com/coder/coder/codersdk"
-
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/require"
-
-	"github.com/coder/coder/coderd/coderdtest"
 )
 
 func TestListRoles(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,6 @@ func ExtractOrganizationParam(db database.Store) func(http.Handler) http.Handler`
`77`	`77`
`78`	`78`	`ctx := context.WithValue(r.Context(), organizationParamContextKey{}, organization)`
`79`	`79`	`ctx = context.WithValue(ctx, organizationMemberParamContextKey{}, organizationMember)`
`80`		`-`
`81`	`80`	`next.ServeHTTP(rw, r.WithContext(ctx))`
`82`	`81`	`})`
`83`	`82`	`}`
Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,6 @@ func (a RegoAuthorizer) AuthorizeByRoleName(ctx context.Context, subjectID strin`
`50`	`50`	`}`
`51`	`51`	`roles = append(roles, r)`
`52`	`52`	`}`
`53`		`-`
`54`	`53`	`return a.Authorize(ctx, subjectID, roles, action, object)`
`55`	`54`	`}`
`56`	`55`