coder
diff --git a/‎coderd/authz/authz.go
Lines changed: 9 additions & 36 deletions b/‎coderd/authz/authz.go
Lines changed: 9 additions & 36 deletions
diff --git a/‎coderd/authz/authz_test.go
Lines changed: 174 additions & 100 deletions b/‎coderd/authz/authz_test.go
Lines changed: 174 additions & 100 deletions
diff --git a/‎coderd/authz/error.go
Lines changed: 43 additions & 0 deletions b/‎coderd/authz/error.go
Lines changed: 43 additions & 0 deletions
diff --git a/‎coderd/authz/example_test.go
Lines changed: 7 additions & 12 deletions b/‎coderd/authz/example_test.go
Lines changed: 7 additions & 12 deletions
diff --git a/‎coderd/authz/object.go
Lines changed: 12 additions & 15 deletions b/‎coderd/authz/object.go
Lines changed: 12 additions & 15 deletions
diff --git a/‎coderd/authz/policy.rego
Lines changed: 123 additions & 0 deletions b/‎coderd/authz/policy.rego
Lines changed: 123 additions & 0 deletions
@@ -1,46 +1,19 @@
 package authz
 
-import "golang.org/x/xerrors"
+import (
+	"context"
+	"golang.org/x/xerrors"
+)
 
 var ErrUnauthorized = xerrors.New("unauthorized")
 
 // TODO: Implement Authorize. This will be implmented in mainly rego.
-func Authorize(subj Subject, obj Object, action Action) error {
-	// TODO: Expand subject roles into their permissions as appropriate. Apply scopes.
-	var _, _, _ = subj, obj, action
-	roles, err := subj.GetRoles()
+func Authorize(ctx context.Context, subjID string, roles []Role, obj Object, action Action) error {
+	// TODO: Cache authorizer
+	authorizer, err := newAuthorizer()
 	if err != nil {
-		return ErrUnauthorized
+		return ForbiddenWithInternal(xerrors.Errorf("new authorizer: %w", err), nil)
 	}
 
-	// Merge before we send to rego to optimize the json payload.
-	// TODO: Benchmark the rego, it might be ok to just send everything and let
-	//		rego handle it. The number of roles will be small, so it might not
-	//		matter. This code exists just to show how you can merge the roles
-	//		into a single one for evaluation if need be.
-	//		If done in rego, the roles will not be merged, and just walked over
-	//		1 by 1.
-	var merged Role
-	for _, r := range roles {
-		// Site, Org, and User permissions exist on every role. Pull out only the permissions that
-		// are relevant to the object.
-
-		merged.Site = append(merged.Site, r.Site...)
-		// Only grab user roles if the resource is owned by a user.
-		// These roles only apply if the subject is said owner.
-		if obj.Owner != "" && obj.Owner == subj.ID() {
-			merged.User = append(merged.User, r.User...)
-		}
-
-		// Grab org roles if the resource is owned by a given organization.
-		if obj.OrgID != "" {
-			orgID := obj.OrgID
-			if v, ok := r.Org[orgID]; ok {
-				merged.Org[orgID] = append(merged.Org[orgID], v...)
-			}
-		}
-	}
-
-	// TODO: Send to rego policy evaluation.
-	return nil
+	return authorizer.Authorize(ctx, subjID, roles, obj, action)
 }
@@ -0,0 +1,43 @@
+package authz
+
+const (
+	// UnauthorizedErrorMessage is the error message that should be returned to
+	// clients when an action is forbidden. It is intentionally vague to prevent
+	// disclosing information that a client should not have access to.
+	UnauthorizedErrorMessage = "unauthorized"
+)
+
+// Unauthorized is the error type for authorization errors
+type Unauthorized struct {
+	// internal is the internal error that should never be shown to the client.
+	// It is only for debugging purposes.
+	internal error
+	input    map[string]interface{}
+}
+
+// ForbiddenWithInternal creates a new error that will return a simple
+// "forbidden" to the client, logging internally the more detailed message
+// provided.
+func ForbiddenWithInternal(internal error, input map[string]interface{}) *Unauthorized {
+	if input == nil {
+		input = map[string]interface{}{}
+	}
+	return &Unauthorized{
+		internal: internal,
+		input:    input,
+	}
+}
+
+// Error implements the error interface.
+func (e *Unauthorized) Error() string {
+	return UnauthorizedErrorMessage
+}
+
+// Internal allows the internal error message to be logged.
+func (e *Unauthorized) Internal() error {
+	return e.internal
+}
+
+func (e *Unauthorized) Input() map[string]interface{} {
+	return e.input
+}
@@ -1,6 +1,7 @@
 package authz_test
 
 import (
+	"context"
 	"testing"
 
 	"github.com/coder/coder/coderd/authz"
@@ -12,10 +13,11 @@ import (
 func TestExample(t *testing.T) {
 	t.Skip("TODO: unskip when rego is done")
 	t.Parallel()
+	ctx := context.Background()
 
 	// user will become an authn object, and can even be a database.User if it
 	// fulfills the interface. Until then, use a placeholder.
-	user := authz.SubjectTODO{
+	user := subject{
 		UserID: "alice",
 		Roles: []authz.Role{
 			authz.RoleOrgAdmin("default"),
@@ -28,32 +30,25 @@ func TestExample(t *testing.T) {
 	//nolint:paralleltest
 	t.Run("ReadAllWorkspaces", func(t *testing.T) {
 		// To read all workspaces on the site
-		err := authz.Authorize(user, authz.ResourceWorkspace.All(), authz.ActionRead)
+		err := authz.Authorize(ctx, user.UserID, user.Roles, authz.ResourceWorkspace.All(), authz.ActionRead)
 		var _ = err
 		// require.Error(t, err, "this user cannot read all workspaces")
 	})
 
 	//nolint:paralleltest
 	t.Run("ReadOrgWorkspaces", func(t *testing.T) {
 		// To read all workspaces on the org 'default'
-		err := authz.Authorize(user, authz.ResourceWorkspace.InOrg("default"), authz.ActionRead)
+		err := authz.Authorize(ctx, user.UserID, user.Roles, authz.ResourceWorkspace.InOrg("default"), authz.ActionRead)
 		require.NoError(t, err, "this user can read all org workspaces in 'default'")
 	})
 
 	//nolint:paralleltest
 	t.Run("ReadMyWorkspace", func(t *testing.T) {
 		// Note 'database.Workspace' could fulfill the object interface and be passed in directly
-		err := authz.Authorize(user, authz.ResourceWorkspace.InOrg("default").WithOwner(user.UserID), authz.ActionRead)
+		err := authz.Authorize(ctx, user.UserID, user.Roles, authz.ResourceWorkspace.InOrg("default").WithOwner(user.UserID), authz.ActionRead)
 		require.NoError(t, err, "this user can their workspace")
 
-		err = authz.Authorize(user, authz.ResourceWorkspace.InOrg("default").WithOwner(user.UserID).WithID("1234"), authz.ActionRead)
+		err = authz.Authorize(ctx, user.UserID, user.Roles, authz.ResourceWorkspace.InOrg("default").WithOwner(user.UserID).WithID("1234"), authz.ActionRead)
 		require.NoError(t, err, "this user can read workspace '1234'")
 	})
-
-	//nolint:paralleltest
-	t.Run("CreateNewSiteUser", func(t *testing.T) {
-		err := authz.Authorize(user, authz.ResourceUser.All(), authz.ActionCreate)
-		var _ = err
-		// require.Error(t, err, "this user cannot create new users")
-	})
 }
@@ -1,31 +1,28 @@
 package authz
 
-//type Resource interface {
-//	ID() string
-//	ResourceType() ResourceType
-//
-//	OwnerID() string
-//	OrgOwnerID() string
-//}
-
-//var _ Resource = (*Object)(nil)
-
 // Object is used to create objects for authz checks when you have none in
 // hand to run the check on.
 // An example is if you want to list all workspaces, you can create a Object
 // that represents the set of workspaces you are trying to get access too.
 // Do not export this type, as it can be created from a resource type constant.
 type Object struct {
-	ID    string `json:"id"`
-	Owner string `json:"owner"`
+	ResourceID string `json:"id"`
+	Owner      string `json:"owner"`
 	// OrgID specifies which org the object is a part of.
 	OrgID string `json:"org_owner"`
 
-	// ObjectType is "workspace", "project", "devurl", etc
-	ObjectType ResourceType `json:"object_type"`
+	// Type is "workspace", "project", "devurl", etc
+	Type string `json:"type"`
 	// TODO: SharedUsers?
 }
 
+func (z Object) All() Object {
+	z.OrgID = ""
+	z.Owner = ""
+	z.ResourceID = ""
+	return z
+}
+
 // InOrg adds an org OwnerID to the resource
 //nolint:revive
 func (z Object) InOrg(orgID string) Object {
@@ -42,6 +39,6 @@ func (z Object) WithOwner(id string) Object {
 
 //nolint:revive
 func (z Object) WithID(id string) Object {
-	z.ID = id
+	z.ResourceID = id
 	return z
 }
@@ -0,0 +1,123 @@
+package authz
+import future.keywords.in
+import future.keywords.every
+
+# https://play.openpolicyagent.org/p/Jlzq5gIjkd
+# grant_allow: https://play.openpolicyagent.org/p/9wpE9x6Tg2
+
+# bool_flip lets you assign a value to an inverted bool.
+# You cannot do 'x := !false', but you can do 'x := bool_flip(false)'
+bool_flip(b) = flipped {
+	b
+	flipped = false
+}
+
+bool_flip(b) = flipped {
+	not b
+	flipped = true
+}
+
+# perms_grant returns a set of boolean values (true, false).
+# It will only return `bool_flip(perm.negate)` for permissions that affect a given
+# resource_type, resource_id, and action.
+# The empty set is returned if no relevant permissions are found.
+perms_grant(permissions) = grants {
+	# If there are no permissions, this value is the empty set {}.
+	grants := { x |
+		# All permissions ...
+    	perm := permissions[_]
+		# Such that the permission action, type, and resource_id matches
+    	perm.action in [input.action, "*"]
+        perm.resource_type in [input.object.type, "*"]
+        perm.resource_id in [input.object.id, "*"]
+        x := bool_flip(perm.negate)
+    }
+}
+
+# Site & User are both very simple. We default both to the empty set '{}'. If no permissions are present, then the
+# result is the default value.
+default site = {}
+site = grant {
+	# Boolean set for all site wide permissions
+    grant = { v |
+    	v = perms_grant(input.subject.roles[_].site)[_]
+    }
+}
+
+default user = {}
+user = grant {
+	# Only apply user permissions if the user owns the resource
+    input.object.owner != ""
+ 	input.object.owner == input.subject.id
+    grant = { v |
+    	v = perms_grant(input.subject.roles[_].user)[_]
+    }
+}
+
+# Organizations are more complex. If the user has no roles that specifically indicate the org_id of the object,
+# then we want to block the action. This is because that means the user is not a member of the org.
+
+# org_member returns the set of permissions associated with a user if the user is a member of the
+# organization
+org_member = grant {
+	input.object.org_owner != ""
+    grant = { v |
+    	v = perms_grant(input.subject.roles[_].org[input.object.org_owner])[_]
+    }
+}
+
+# If a user is not part of an organization, 'org_non_member' is set to true
+org_non_member {
+	input.object.org_owner != ""
+ 	# Identify if the user is in the org
+    roles := input.subject.roles
+    every role in roles {
+    	not role.org[input.object.org_owner]
+    }
+}
+
+# org is two rules that equate to the following
+#	if !org_non_member { return org_member }
+#	else {false}
+#
+# It is important both rules cannot be true, as the `org` rules cannot produce multiple outputs.
+default org = []
+org = set {
+	not org_non_member
+	set = org_member
+}
+
+org = set {
+	org_non_member
+    set = {false}
+}
+
+# The allow block is quite simple. Any set with `false` cascades down in levels.
+# Authorization looks for any `allow` statement that is true. Multiple can be true!
+
+# site allow
+allow {
+	# No site wide deny
+    not false in site
+    # And all permissions are positive
+    site[_]
+}
+
+# org allow
+allow {
+	# No site or org deny
+    not false in site
+	not false in org
+    # And all permissions are positive
+    org[_]
+}
+
+# user allow
+allow {
+    # No site, org, or user deny
+    not false in site
+	not false in org
+    not false in user
+    # And all permissions are positive
+    user[_]
+}