coder
diff --git a/‎coderd/authorize.go
Lines changed: 14 additions & 12 deletions b/‎coderd/authorize.go
Lines changed: 14 additions & 12 deletions
diff --git a/‎coderd/coderdtest/authorize.go
Lines changed: 14 additions & 26 deletions b/‎coderd/coderdtest/authorize.go
Lines changed: 14 additions & 26 deletions
diff --git a/‎coderd/httpmw/apikey.go
Lines changed: 9 additions & 8 deletions b/‎coderd/httpmw/apikey.go
Lines changed: 9 additions & 8 deletions
diff --git a/‎coderd/httpmw/authorize_test.go
Lines changed: 2 additions & 2 deletions b/‎coderd/httpmw/authorize_test.go
Lines changed: 2 additions & 2 deletions
diff --git a/‎coderd/httpmw/ratelimit.go
Lines changed: 1 addition & 1 deletion b/‎coderd/httpmw/ratelimit.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/members.go
Lines changed: 1 addition & 1 deletion b/‎coderd/members.go
Lines changed: 1 addition & 1 deletion
@@ -19,14 +19,15 @@ import (
 // This is faster than calling Authorize() on each object.
 func AuthorizeFilter[O rbac.Objecter](h *HTTPAuthorizer, r *http.Request, action rbac.Action, objects []O) ([]O, error) {
 	roles := httpmw.UserAuthorization(r)
-	objects, err := rbac.Filter(r.Context(), h.Authorizer, roles.ID.String(), roles.Roles, roles.Scope.ToRBAC(), roles.Groups, action, objects)
+	objects, err := rbac.Filter(r.Context(), h.Authorizer, roles.Actor, action, objects)
 	if err != nil {
 		// Log the error as Filter should not be erroring.
 		h.Logger.Error(r.Context(), "filter failed",
 			slog.Error(err),
-			slog.F("user_id", roles.ID),
+			slog.F("user_id", roles.Actor.ID),
 			slog.F("username", roles.Username),
-			slog.F("scope", roles.Scope),
+			slog.F("roles", roles.Actor.SafeRoleNames()),
+			slog.F("scope", roles.Actor.SafeScopeName()),
 			slog.F("route", r.URL.Path),
 			slog.F("action", action),
 		)
@@ -64,7 +65,7 @@ func (api *API) Authorize(r *http.Request, action rbac.Action, object rbac.Objec
 //	}
 func (h *HTTPAuthorizer) Authorize(r *http.Request, action rbac.Action, object rbac.Objecter) bool {
 	roles := httpmw.UserAuthorization(r)
-	err := h.Authorizer.ByRoleName(r.Context(), roles.ID.String(), roles.Roles, roles.Scope.ToRBAC(), roles.Groups, action, object.RBACObject())
+	err := h.Authorizer.Authorize(r.Context(), roles.Actor, action, object.RBACObject())
 	if err != nil {
 		// Log the errors for debugging
 		internalError := new(rbac.UnauthorizedError)
@@ -75,10 +76,10 @@ func (h *HTTPAuthorizer) Authorize(r *http.Request, action rbac.Action, object r
 		// Log information for debugging. This will be very helpful
 		// in the early days
 		logger.Warn(r.Context(), "unauthorized",
-			slog.F("roles", roles.Roles),
-			slog.F("user_id", roles.ID),
+			slog.F("roles", roles.Actor.SafeRoleNames()),
+			slog.F("user_id", roles.Actor.ID),
 			slog.F("username", roles.Username),
-			slog.F("scope", roles.Scope),
+			slog.F("scope", roles.Actor.SafeScopeName()),
 			slog.F("route", r.URL.Path),
 			slog.F("action", action),
 			slog.F("object", object),
@@ -96,7 +97,7 @@ func (h *HTTPAuthorizer) Authorize(r *http.Request, action rbac.Action, object r
 // Note the authorization is only for the given action and object type.
 func (h *HTTPAuthorizer) AuthorizeSQLFilter(r *http.Request, action rbac.Action, objectType string) (rbac.PreparedAuthorized, error) {
 	roles := httpmw.UserAuthorization(r)
-	prepared, err := h.Authorizer.PrepareByRoleName(r.Context(), roles.ID.String(), roles.Roles, roles.Scope.ToRBAC(), roles.Groups, action, objectType)
+	prepared, err := h.Authorizer.Prepare(r.Context(), roles.Actor, action, objectType)
 	if err != nil {
 		return nil, xerrors.Errorf("prepare filter: %w", err)
 	}
@@ -127,9 +128,10 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) {
 
 	api.Logger.Debug(ctx, "check-auth",
 		slog.F("my_id", httpmw.APIKey(r).UserID),
-		slog.F("got_id", auth.ID),
+		slog.F("got_id", auth.Actor.ID),
 		slog.F("name", auth.Username),
-		slog.F("roles", auth.Roles), slog.F("scope", auth.Scope),
+		slog.F("roles", auth.Actor.SafeRoleNames()),
+		slog.F("scope", auth.Actor.SafeScopeName()),
 	)
 
 	response := make(codersdk.AuthorizationResponse)
@@ -169,7 +171,7 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) {
 			Type:  v.Object.ResourceType,
 		}
 		if obj.Owner == "me" {
-			obj.Owner = auth.ID.String()
+			obj.Owner = auth.Actor.ID
 		}
 
 		// If a resource ID is specified, fetch that specific resource.
@@ -217,7 +219,7 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) {
 			obj = dbObj.RBACObject()
 		}
 
-		err := api.Authorizer.ByRoleName(ctx, auth.ID.String(), auth.Roles, auth.Scope.ToRBAC(), auth.Groups, rbac.Action(v.Action), obj)
+		err := api.Authorizer.Authorize(ctx, auth.Actor, rbac.Action(v.Action), obj)
 		response[k] = err == nil
 	}
 
 
@@ -533,12 +533,9 @@ func (a *AuthTester) Test(ctx context.Context, assertRoute map[string]RouteCheck
 }
 
 type authCall struct {
-	SubjectID string
-	Roles     rbac.ExpandableRoles
-	Groups    []string
-	Scope     rbac.ScopeName
-	Action    rbac.Action
-	Object    rbac.Object
+	Subject rbac.Subject
+	Action  rbac.Action
+	Object  rbac.Object
 }
 
 type RecordingAuthorizer struct {
@@ -548,33 +545,27 @@ type RecordingAuthorizer struct {
 
 var _ rbac.Authorizer = (*RecordingAuthorizer)(nil)
 
-// ByRoleNameSQL does not record the call. This matches the postgres behavior
+// AuthorizeSQL does not record the call. This matches the postgres behavior
 // of not calling Authorize()
-func (r *RecordingAuthorizer) ByRoleNameSQL(_ context.Context, _ string, _ rbac.ExpandableRoles, _ rbac.ScopeName, _ []string, _ rbac.Action, _ rbac.Object) error {
+func (r *RecordingAuthorizer) AuthorizeSQL(_ context.Context, _ rbac.Subject, _ rbac.Action, _ rbac.Object) error {
 	return r.AlwaysReturn
 }
 
-func (r *RecordingAuthorizer) ByRoleName(_ context.Context, subjectID string, roleNames rbac.ExpandableRoles, scope rbac.ScopeName, groups []string, action rbac.Action, object rbac.Object) error {
+func (r *RecordingAuthorizer) Authorize(_ context.Context, subject rbac.Subject, action rbac.Action, object rbac.Object) error {
 	r.Called = &authCall{
-		SubjectID: subjectID,
-		Roles:     roleNames,
-		Groups:    groups,
-		Scope:     scope,
-		Action:    action,
-		Object:    object,
+		Subject: subject,
+		Action:  action,
+		Object:  object,
 	}
 	return r.AlwaysReturn
 }
 
-func (r *RecordingAuthorizer) PrepareByRoleName(_ context.Context, subjectID string, roles rbac.ExpandableRoles, scope rbac.ScopeName, groups []string, action rbac.Action, _ string) (rbac.PreparedAuthorized, error) {
+func (r *RecordingAuthorizer) Prepare(_ context.Context, subject rbac.Subject, action rbac.Action, _ string) (rbac.PreparedAuthorized, error) {
 	return &fakePreparedAuthorizer{
 		Original:           r,
-		SubjectID:          subjectID,
-		Roles:              roles,
-		Scope:              scope,
+		Subject:            subject,
 		Action:             action,
 		HardCodedSQLString: "true",
-		Groups:             groups,
 	}, nil
 }
 
@@ -584,17 +575,14 @@ func (r *RecordingAuthorizer) reset() {
 
 type fakePreparedAuthorizer struct {
 	Original            *RecordingAuthorizer
-	SubjectID           string
-	Roles               rbac.ExpandableRoles
-	Scope               rbac.ScopeName
+	Subject             rbac.Subject
 	Action              rbac.Action
-	Groups              []string
 	HardCodedSQLString  string
 	HardCodedRegoString string
 }
 
 func (f *fakePreparedAuthorizer) Authorize(ctx context.Context, object rbac.Object) error {
-	return f.Original.ByRoleName(ctx, f.SubjectID, f.Roles, f.Scope, f.Groups, f.Action, object)
+	return f.Original.Authorize(ctx, f.Subject, f.Action, object)
 }
 
 // CompileToSQL returns a compiled version of the authorizer that will work for
@@ -604,7 +592,7 @@ func (fakePreparedAuthorizer) CompileToSQL(_ context.Context, _ regosql.ConvertC
 }
 
 func (f *fakePreparedAuthorizer) Eval(object rbac.Object) bool {
-	return f.Original.ByRoleNameSQL(context.Background(), f.SubjectID, f.Roles, f.Scope, f.Groups, f.Action, object) == nil
+	return f.Original.AuthorizeSQL(context.Background(), f.Subject, f.Action, object) == nil
 }
 
 func (f fakePreparedAuthorizer) RegoString() string {
 
@@ -53,11 +53,10 @@ func APIKey(r *http.Request) database.APIKey {
 type userAuthKey struct{}
 
 type Authorization struct {
-	ID       uuid.UUID
+	Actor rbac.Subject
+	// Username is required for logging and human friendly related
+	// identification.
 	Username string
-	Roles    rbac.RoleNames
-	Groups   []string
-	Scope    database.APIKeyScope
 }
 
 // UserAuthorizationOptional may return the roles and scope used for
@@ -345,11 +344,13 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 
 			ctx = context.WithValue(ctx, apiKeyContextKey{}, key)
 			ctx = context.WithValue(ctx, userAuthKey{}, Authorization{
-				ID:       key.UserID,
 				Username: roles.Username,
-				Roles:    roles.Roles,
-				Scope:    key.Scope,
-				Groups:   roles.Groups,
+				Actor: rbac.Subject{
+					ID:     key.UserID.String(),
+					Roles:  rbac.RoleNames(roles.Roles),
+					Groups: roles.Groups,
+					Scope:  rbac.ScopeName(key.Scope),
+				},
 			})
 			// Set the auth context for the authzquerier as well.
 			ctx = authzquery.WithAuthorizeContext(ctx,
 
@@ -126,8 +126,8 @@ func TestExtractUserRoles(t *testing.T) {
 			)
 			rtr.Get("/", func(_ http.ResponseWriter, r *http.Request) {
 				roles := httpmw.UserAuthorization(r)
-				require.ElementsMatch(t, user.ID, roles.ID)
-				require.ElementsMatch(t, expRoles, roles.Roles)
+				require.Equal(t, user.ID.String(), roles.Actor.ID)
+				require.ElementsMatch(t, expRoles, roles.Actor.Roles.Names())
 			})
 
 			req := httptest.NewRequest("GET", "/", nil)
 
@@ -47,7 +47,7 @@ func RateLimit(count int, window time.Duration) func(http.Handler) http.Handler
 
 			// We avoid using rbac.Authorizer since rego is CPU-intensive
 			// and undermines the DoS-prevention goal of the rate limiter.
-			for _, role := range auth.Roles {
+			for _, role := range auth.Actor.SafeRoleNames() {
 				if role == rbac.RoleOwner() {
 					// HACK: use a random key each time to
 					// de facto disable rate limiting. The
 
@@ -67,7 +67,7 @@ func (api *API) putMemberRoles(rw http.ResponseWriter, r *http.Request) {
 
 	// Just treat adding & removing as "assigning" for now.
 	for _, roleName := range append(added, removed...) {
-		if !rbac.CanAssignRole(actorRoles.Roles, roleName) {
+		if !rbac.CanAssignRole(actorRoles.Actor.Roles, roleName) {
 			httpapi.Forbidden(rw)
 			return
 		}
Original file line number	Diff line number	Diff line change
`@@ -67,7 +67,7 @@ func (api API) putMemberRoles(rw http.ResponseWriter, r http.Request) {`
`67`	`67`
`68`	`68`	`// Just treat adding & removing as "assigning" for now.`
`69`	`69`	`for _, roleName := range append(added, removed...) {`
`70`		`- if !rbac.CanAssignRole(actorRoles.Roles, roleName) {`
	`70`	`+ if !rbac.CanAssignRole(actorRoles.Actor.Roles, roleName) {`
`71`	`71`	`httpapi.Forbidden(rw)`
`72`	`72`	`return`
`73`	`73`	`}`