fixup! wip: dbauthz.WithAuthorizeSystemContext -> dbauthz.AsSystem()

johnstcn · johnstcn · commit f666e130ff77 · 2023-02-10T17:10:39.000Z
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -295,8 +295,6 @@ func New(options *Options) *API {
 				DisableSessionExpiryRefresh: options.DeploymentConfig.DisableSessionExpiryRefresh.Value,
 				Optional:                    true,
 			}),
-			// TODO: We should remove this auth context after middleware.
-			httpmw.SystemAuthCtx,
 			httpmw.ExtractUserParam(api.Database, false),
 			httpmw.ExtractWorkspaceAndAgentParam(api.Database),
 		),
@@ -325,8 +323,6 @@ func New(options *Options) *API {
 				DisableSessionExpiryRefresh: options.DeploymentConfig.DisableSessionExpiryRefresh.Value,
 				Optional:                    true,
 			}),
-			// TODO: We should remove this auth context after middleware.
-			httpmw.SystemAuthCtx,
 			// Redirect to the login page if the user tries to open an app with
 			// "me" as the username and they are not logged in.
 			httpmw.ExtractUserParam(api.Database, true),
diff --git a/coderd/coderdtest/authorize.go b/coderd/coderdtest/authorize.go
@@ -12,14 +12,15 @@ import (
 	"testing"
 	"time"
 
-	"github.com/coder/coder/cryptorand"
 	"github.com/go-chi/chi/v5"
 	"github.com/google/uuid"
 	"github.com/moby/moby/pkg/namesgenerator"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/xerrors"
 
+	"github.com/coder/coder/cryptorand"
+
 	"github.com/coder/coder/coderd"
 	"github.com/coder/coder/coderd/rbac"
 	"github.com/coder/coder/coderd/rbac/regosql"
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -105,24 +105,10 @@ func ActorFromContext(ctx context.Context) (rbac.Subject, bool) {
 	return a, ok
 }
 
-// func WithAuthorizeContext(ctx context.Context, actor rbac.Subject) context.Context {
-// 	return context.WithValue(ctx, authContextKey{}, actor)
-// }
-
-// func WithAuthorizeSystemContext(ctx context.Context, roles rbac.ExpandableRoles) context.Context {
-// 	// TODO: Add protections to search for user roles. If user roles are found,
-// 	// this should panic. That is a developer error that should be caught
-// 	// in unit tests.
-// 	return context.WithValue(ctx, authContextKey{}, rbac.Subject{
-// 		ID:     uuid.Nil.String(),
-// 		Roles:  roles,
-// 		Scope:  rbac.ScopeAll,
-// 		Groups: []string{},
-// 	})
-// }
-
 // AsSystem returns a context with a system actor. This is used for internal
-// system operations that do not require authorization.
+// system operations that are not tied to any particular actor.
+// When you use this function, be sure to add a //nolint comment
+// explaining why it is necessary.
 //
 // We trust you have received the usual lecture from the local System
 // Administrator. It usually boils down to these three things:
@@ -153,6 +139,8 @@ func AsSystem(ctx context.Context) context.Context {
 // As returns a context with the given actor stored in the context.
 // This is used for cases where the actor touching the database is not the
 // actor stored in the context.
+// When you use this function, be sure to add a //nolint comment
+// explaining why it is necessary.
 func As(ctx context.Context, actor rbac.Subject) context.Context {
 	return context.WithValue(ctx, authContextKey{}, actor)
 }
diff --git a/coderd/provisionerdserver/provisionerdserver.go b/coderd/provisionerdserver/provisionerdserver.go
@@ -27,7 +27,6 @@ import (
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/database/dbauthz"
 	"github.com/coder/coder/coderd/parameter"
-	"github.com/coder/coder/coderd/rbac"
 	"github.com/coder/coder/coderd/telemetry"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/provisioner"
@@ -502,7 +501,7 @@ func (server *Server) FailJob(ctx context.Context, failJob *proto.FailedJob) (*p
 		Valid:  failJob.Error != "",
 	}
 
-	err = server.Database.UpdateProvisionerJobWithCompleteByID(ctx, database.UpdateProvisionerJobWithCompleteByIDParams{
+	err = server.Database.UpdateProvisionerJobWithCompleteByID(dbauthz.AsSystem(ctx), database.UpdateProvisionerJobWithCompleteByIDParams{
 		ID:          jobID,
 		CompletedAt: job.CompletedAt,
 		UpdatedAt:   database.Now(),
@@ -525,7 +524,7 @@ func (server *Server) FailJob(ctx context.Context, failJob *proto.FailedJob) (*p
 		if err != nil {
 			return nil, xerrors.Errorf("unmarshal workspace provision input: %w", err)
 		}
-		build, err := server.Database.UpdateWorkspaceBuildByID(ctx, database.UpdateWorkspaceBuildByIDParams{
+		build, err := server.Database.UpdateWorkspaceBuildByID(dbauthz.AsSystem(ctx), database.UpdateWorkspaceBuildByIDParams{
 			ID:               input.WorkspaceBuildID,
 			UpdatedAt:        database.Now(),
 			ProvisionerState: jobType.WorkspaceBuild.State,
@@ -544,12 +543,12 @@ func (server *Server) FailJob(ctx context.Context, failJob *proto.FailedJob) (*p
 	// if failed job is a workspace build, audit the outcome
 	if job.Type == database.ProvisionerJobTypeWorkspaceBuild {
 		auditor := server.Auditor.Load()
-		build, err := server.Database.GetWorkspaceBuildByJobID(ctx, job.ID)
+		build, err := server.Database.GetWorkspaceBuildByJobID(dbauthz.AsSystem(ctx), job.ID)
 		if err != nil {
 			server.Logger.Error(ctx, "audit log - get build", slog.Error(err))
 		} else {
 			auditAction := auditActionFromTransition(build.Transition)
-			workspace, err := server.Database.GetWorkspaceByID(ctx, build.WorkspaceID)
+			workspace, err := server.Database.GetWorkspaceByID(dbauthz.AsSystem(ctx), build.WorkspaceID)
 			if err != nil {
 				server.Logger.Error(ctx, "audit log - get workspace", slog.Error(err))
 			} else {
@@ -605,13 +604,13 @@ func (server *Server) FailJob(ctx context.Context, failJob *proto.FailedJob) (*p
 // CompleteJob is triggered by a provision daemon to mark a provisioner job as completed.
 func (server *Server) CompleteJob(ctx context.Context, completed *proto.CompletedJob) (*proto.Empty, error) {
 	// TODO: make a provisionerd role
-	ctx = dbauthz.WithAuthorizeSystemContext(ctx, rbac.RolesAdminSystem())
+	// ctx = dbauthz.WithAuthorizeSystemContext(ctx, rbac.RolesAdminSystem())
 	jobID, err := uuid.Parse(completed.JobId)
 	if err != nil {
 		return nil, xerrors.Errorf("parse job id: %w", err)
 	}
 	server.Logger.Debug(ctx, "CompleteJob starting", slog.F("job_id", jobID))
-	job, err := server.Database.GetProvisionerJobByID(ctx, jobID)
+	job, err := server.Database.GetProvisionerJobByID(dbauthz.AsSystem(ctx), jobID)
 	if err != nil {
 		return nil, xerrors.Errorf("get job by id: %w", err)
 	}
@@ -642,7 +641,7 @@ func (server *Server) CompleteJob(ctx context.Context, completed *proto.Complete
 					slog.F("resource_type", resource.Type),
 					slog.F("transition", transition))
 
-				err = InsertWorkspaceResource(ctx, server.Database, jobID, transition, resource, telemetrySnapshot)
+				err = InsertWorkspaceResource(dbauthz.AsSystem(ctx), server.Database, jobID, transition, resource, telemetrySnapshot)
 				if err != nil {
 					return nil, xerrors.Errorf("insert resource: %w", err)
 				}
@@ -658,7 +657,7 @@ func (server *Server) CompleteJob(ctx context.Context, completed *proto.Complete
 			if err != nil {
 				return nil, xerrors.Errorf("marshal parameter options: %w", err)
 			}
-			_, err = server.Database.InsertTemplateVersionParameter(ctx, database.InsertTemplateVersionParameterParams{
+			_, err = server.Database.InsertTemplateVersionParameter(dbauthz.AsSystem(ctx), database.InsertTemplateVersionParameterParams{
 				TemplateVersionID:   input.TemplateVersionID,
 				Name:                richParameter.Name,
 				Description:         richParameter.Description,
@@ -678,7 +677,7 @@ func (server *Server) CompleteJob(ctx context.Context, completed *proto.Complete
 			}
 		}
 
-		err = server.Database.UpdateProvisionerJobWithCompleteByID(ctx, database.UpdateProvisionerJobWithCompleteByIDParams{
+		err = server.Database.UpdateProvisionerJobWithCompleteByID(dbauthz.AsSystem(ctx), database.UpdateProvisionerJobWithCompleteByIDParams{
 			ID:        jobID,
 			UpdatedAt: database.Now(),
 			CompletedAt: sql.NullTime{
@@ -700,7 +699,7 @@ func (server *Server) CompleteJob(ctx context.Context, completed *proto.Complete
 			return nil, xerrors.Errorf("unmarshal job data: %w", err)
 		}
 
-		workspaceBuild, err := server.Database.GetWorkspaceBuildByID(ctx, input.WorkspaceBuildID)
+		workspaceBuild, err := server.Database.GetWorkspaceBuildByID(dbauthz.AsSystem(ctx), input.WorkspaceBuildID)
 		if err != nil {
 			return nil, xerrors.Errorf("get workspace build: %w", err)
 		}
@@ -711,7 +710,7 @@ func (server *Server) CompleteJob(ctx context.Context, completed *proto.Complete
 		err = server.Database.InTx(func(db database.Store) error {
 			now := database.Now()
 			var workspaceDeadline time.Time
-			workspace, getWorkspaceError = db.GetWorkspaceByID(ctx, workspaceBuild.WorkspaceID)
+			workspace, getWorkspaceError = db.GetWorkspaceByID(dbauthz.AsSystem(ctx), workspaceBuild.WorkspaceID)
 			if getWorkspaceError == nil {
 				if workspace.Ttl.Valid {
 					workspaceDeadline = now.Add(time.Duration(workspace.Ttl.Int64))
@@ -721,7 +720,7 @@ func (server *Server) CompleteJob(ctx context.Context, completed *proto.Complete
 				// In any case, since this is just for the TTL, try and continue anyway.
 				server.Logger.Error(ctx, "fetch workspace for build", slog.F("workspace_build_id", workspaceBuild.ID), slog.F("workspace_id", workspaceBuild.WorkspaceID))
 			}
-			err = db.UpdateProvisionerJobWithCompleteByID(ctx, database.UpdateProvisionerJobWithCompleteByIDParams{
+			err = db.UpdateProvisionerJobWithCompleteByID(dbauthz.AsSystem(ctx), database.UpdateProvisionerJobWithCompleteByIDParams{
 				ID:        jobID,
 				UpdatedAt: database.Now(),
 				CompletedAt: sql.NullTime{
@@ -732,7 +731,7 @@ func (server *Server) CompleteJob(ctx context.Context, completed *proto.Complete
 			if err != nil {
 				return xerrors.Errorf("update provisioner job: %w", err)
 			}
-			_, err = db.UpdateWorkspaceBuildByID(ctx, database.UpdateWorkspaceBuildByIDParams{
+			_, err = db.UpdateWorkspaceBuildByID(dbauthz.AsSystem(ctx), database.UpdateWorkspaceBuildByIDParams{
 				ID:               workspaceBuild.ID,
 				Deadline:         workspaceDeadline,
 				ProvisionerState: jobType.WorkspaceBuild.State,
@@ -749,7 +748,7 @@ func (server *Server) CompleteJob(ctx context.Context, completed *proto.Complete
 					dur := time.Duration(protoAgent.GetConnectionTimeoutSeconds()) * time.Second
 					agentTimeouts[dur] = true
 				}
-				err = InsertWorkspaceResource(ctx, db, job.ID, workspaceBuild.Transition, protoResource, telemetrySnapshot)
+				err = InsertWorkspaceResource(dbauthz.AsSystem(ctx), db, job.ID, workspaceBuild.Transition, protoResource, telemetrySnapshot)
 				if err != nil {
 					return xerrors.Errorf("insert provisioner job: %w", err)
 				}
@@ -798,7 +797,7 @@ func (server *Server) CompleteJob(ctx context.Context, completed *proto.Complete
 				return nil
 			}
 
-			err = db.UpdateWorkspaceDeletedByID(ctx, database.UpdateWorkspaceDeletedByIDParams{
+			err = db.UpdateWorkspaceDeletedByID(dbauthz.AsSystem(ctx), database.UpdateWorkspaceDeletedByIDParams{
 				ID:      workspaceBuild.WorkspaceID,
 				Deleted: true,
 			})
diff --git a/coderd/rbac/builtin.go b/coderd/rbac/builtin.go
@@ -33,40 +33,6 @@ func (names RoleNames) Names() []string {
 	return names
 }
 
-// RolesAutostartSystem is the limited set of permissions required for autostart
-// to function.
-// It is EXPLICITLY NOT included in builtinRoles so that it CANNOT be assigned to a user.
-// func RolesAutostartSystem() Roles {
-// return Roles{
-// Role{
-// Name:        "auto-start",
-// DisplayName: "Autostart",
-// Site: permissions(map[string][]Action{
-// ResourceWorkspace.Type: {ActionRead, ActionUpdate},
-// ResourceTemplate.Type:  {ActionRead},
-// }),
-// Org:  map[string][]Permission{},
-// User: []Permission{},
-// },
-// }
-// }
-
-// RolesAdminSystem is an all-powerful system role. Use sparingly.
-// It is EXPLICITLY NOT included in builtinRoles so that it CANNOT be assigned to a user.
-// func RolesAdminSystem() Roles {
-// 	return Roles{
-// 		Role{
-// 			Name:        "system",
-// 			DisplayName: "System",
-// 			Site: permissions(map[string][]Action{
-// 				ResourceWildcard.Type: {WildcardSymbol},
-// 			}),
-// 			Org:  map[string][]Permission{},
-// 			User: []Permission{},
-// 		},
-// 	}
-// }
-
 // The functions below ONLY need to exist for roles that are "defaulted" in some way.
 // Any other roles (like auditor), can be listed and let the user select/assigned.
 // Once we have a database implementation, the "default" roles can be defined on the
diff --git a/enterprise/coderd/coderd.go b/enterprise/coderd/coderd.go
@@ -146,8 +146,6 @@ func New(ctx context.Context, options *Options) (*API, error) {
 		api.AGPL.RootHandler.Route("/scim/v2", func(r chi.Router) {
 			r.Use(
 				api.scimEnabledMW,
-				// TODO: Make a scim auth role.
-				httpmw.SystemAuthCtx,
 			)
 			r.Post("/Users", api.scimPostUser)
 			r.Route("/Users", func(r chi.Router) {
diff --git a/enterprise/coderd/coderd_test.go b/enterprise/coderd/coderd_test.go
@@ -7,7 +7,6 @@ import (
 	"time"
 
 	"github.com/coder/coder/coderd/database/dbauthz"
-	"github.com/coder/coder/coderd/rbac"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -103,7 +102,7 @@ func TestEntitlements(t *testing.T) {
 		require.NoError(t, err)
 		require.False(t, entitlements.HasLicense)
 		coderdtest.CreateFirstUser(t, client)
-		ctx := dbauthz.WithAuthorizeSystemContext(context.Background(), rbac.RolesAdminSystem())
+		ctx := dbauthz.AsSystem(context.Background())
 		_, err = api.Database.InsertLicense(ctx, database.InsertLicenseParams{
 			UploadedAt: database.Now(),
 			Exp:        database.Now().AddDate(1, 0, 0),
@@ -132,8 +131,8 @@ func TestEntitlements(t *testing.T) {
 		require.False(t, entitlements.HasLicense)
 		coderdtest.CreateFirstUser(t, client)
 		// Valid
-		ctx := dbauthz.WithAuthorizeSystemContext(context.Background(), rbac.RolesAdminSystem())
-		_, err = api.Database.InsertLicense(ctx, database.InsertLicenseParams{
+		ctx := context.Background()
+		_, err = api.Database.InsertLicense(dbauthz.AsSystem(ctx), database.InsertLicenseParams{
 			UploadedAt: database.Now(),
 			Exp:        database.Now().AddDate(1, 0, 0),
 			JWT: coderdenttest.GenerateLicense(t, coderdenttest.LicenseOptions{
@@ -144,7 +143,7 @@ func TestEntitlements(t *testing.T) {
 		})
 		require.NoError(t, err)
 		// Expired
-		_, err = api.Database.InsertLicense(ctx, database.InsertLicenseParams{
+		_, err = api.Database.InsertLicense(dbauthz.AsSystem(ctx), database.InsertLicenseParams{
 			UploadedAt: database.Now(),
 			Exp:        database.Now().AddDate(-1, 0, 0),
 			JWT: coderdenttest.GenerateLicense(t, coderdenttest.LicenseOptions{
@@ -153,7 +152,7 @@ func TestEntitlements(t *testing.T) {
 		})
 		require.NoError(t, err)
 		// Invalid
-		_, err = api.Database.InsertLicense(ctx, database.InsertLicenseParams{
+		_, err = api.Database.InsertLicense(dbauthz.AsSystem(ctx), database.InsertLicenseParams{
 			UploadedAt: database.Now(),
 			Exp:        database.Now().AddDate(1, 0, 0),
 			JWT:        "invalid",
diff --git a/enterprise/coderd/scim.go b/enterprise/coderd/scim.go
@@ -14,6 +14,7 @@ import (
 
 	agpl "github.com/coder/coder/coderd"
 	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/database/dbauthz"
 	"github.com/coder/coder/coderd/httpapi"
 	"github.com/coder/coder/codersdk"
 )
@@ -155,7 +156,7 @@ func (api *API) scimPostUser(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	user, _, err := api.AGPL.CreateUser(ctx, api.Database, agpl.CreateUserRequest{
+	user, _, err := api.AGPL.CreateUser(dbauthz.AsSystem(ctx), api.Database, agpl.CreateUserRequest{
 		CreateUserRequest: codersdk.CreateUserRequest{
 			Username: sUser.UserName,
 			Email:    email,
@@ -207,7 +208,7 @@ func (api *API) scimPatchUser(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	dbUser, err := api.Database.GetUserByID(ctx, uid)
+	dbUser, err := api.Database.GetUserByID(dbauthz.AsSystem(ctx), uid)
 	if err != nil {
 		_ = handlerutil.WriteError(rw, err)
 		return
@@ -220,7 +221,7 @@ func (api *API) scimPatchUser(rw http.ResponseWriter, r *http.Request) {
 		status = database.UserStatusSuspended
 	}
 
-	_, err = api.Database.UpdateUserStatus(r.Context(), database.UpdateUserStatusParams{
+	_, err = api.Database.UpdateUserStatus(dbauthz.AsSystem(r.Context()), database.UpdateUserStatusParams{
 		ID:        dbUser.ID,
 		Status:    status,
 		UpdatedAt: database.Now(),

Original file line number	Diff line number	Diff line change
`@@ -146,8 +146,6 @@ func New(ctx context.Context, options Options) (API, error) {`
`146`	`146`	`api.AGPL.RootHandler.Route("/scim/v2", func(r chi.Router) {`
`147`	`147`	`r.Use(`
`148`	`148`	`api.scimEnabledMW,`
`149`		`- // TODO: Make a scim auth role.`
`150`		`- httpmw.SystemAuthCtx,`
`151`	`149`	`)`
`152`	`150`	`r.Post("/Users", api.scimPostUser)`
`153`	`151`	`r.Route("/Users", func(r chi.Router) {`