🧹

aslilac · aslilac · commit fe0e466befa9 · 2025-04-10T16:49:57.000Z
diff --git a/coderd/httpapi/httpapi.go b/coderd/httpapi/httpapi.go
@@ -210,8 +210,6 @@ func Write(ctx context.Context, rw http.ResponseWriter, status int, response int
 		//   configured on server startup for development and testing builds.
 		// - If this header is missing from a response, make sure the response is
 		//   being written by calling `httpapi.Write`!
-		// - An empty x-authz-checks header can be valid! Some requests don't
-		//   require authorization.
 		rw.Header().Set("x-authz-checks", rec.String())
 	}
 
@@ -231,7 +229,7 @@ func WriteIndent(ctx context.Context, rw http.ResponseWriter, status int, respon
 	defer span.End()
 
 	if rec, ok := rbac.GetAuthzCheckRecorder(ctx); ok {
-		rw.Header().Set("x-dbauthz-checks", rec.String())
+		rw.Header().Set("x-authz-checks", rec.String())
 	}
 
 	rw.Header().Set("Content-Type", "application/json; charset=utf-8")
diff --git a/coderd/rbac/authz.go b/coderd/rbac/authz.go
@@ -24,9 +24,7 @@ import (
 	"github.com/coder/coder/v2/coderd/rbac/regosql"
 	"github.com/coder/coder/v2/coderd/rbac/regosql/sqltypes"
 	"github.com/coder/coder/v2/coderd/tracing"
-	"github.com/coder/coder/v2/coderd/util/ptr"
 	"github.com/coder/coder/v2/coderd/util/slice"
-	"github.com/coder/coder/v2/coderd/util/syncmap"
 )
 
 type AuthCall struct {
@@ -770,16 +768,21 @@ func (c *authRecorder) Prepare(ctx context.Context, subject Subject, action poli
 
 type authzCheckRecorderKey struct{}
 
-func WithAuthzCheckRecorder(ctx context.Context) context.Context {
-	return context.WithValue(ctx, authzCheckRecorderKey{}, ptr.Ref(AuthzCheckRecorder{
-		checks: syncmap.Map[string, bool]{},
-	}))
+type AuthzCheckRecorder struct {
+	// lock guards checks
+	lock sync.Mutex
+	// checks is a list preformatted authz check IDs and their result
+	checks []recordedCheck
 }
 
-type AuthzCheckRecorder struct {
-	// Checks is a map from preformatted authz check IDs to their authorization
-	// status (true => authorized, false => not authorized)
-	checks syncmap.Map[string, bool]
+type recordedCheck struct {
+	name string
+	// true => authorized, false => not authorized
+	result bool
+}
+
+func WithAuthzCheckRecorder(ctx context.Context) context.Context {
+	return context.WithValue(ctx, authzCheckRecorderKey{}, &AuthzCheckRecorder{})
 }
 
 func recordAuthzCheck(ctx context.Context, action policy.Action, object Object, authorized bool) {
@@ -819,7 +822,9 @@ func recordAuthzCheck(ctx context.Context, action policy.Action, object Object,
 		return
 	}
 
-	r.checks.Store(b.String(), authorized)
+	r.lock.Lock()
+	defer r.lock.Unlock()
+	r.checks = append(r.checks, recordedCheck{name: b.String(), result: authorized})
 }
 
 func GetAuthzCheckRecorder(ctx context.Context) (*AuthzCheckRecorder, bool) {
@@ -833,8 +838,15 @@ func GetAuthzCheckRecorder(ctx context.Context) (*AuthzCheckRecorder, bool) {
 
 // String serializes all of the checks recorded, using the following syntax:
 func (r *AuthzCheckRecorder) String() string {
-	checks := make([]string, 0)
-	for check, result := range r.checks.Seq() {
+	r.lock.Lock()
+	defer r.lock.Unlock()
+
+	if len(r.checks) == 0 {
+		return "nil"
+	}
+
+	checks := make([]string, 0, len(r.checks))
+	for check, result := range r.checks {
 		checks = append(checks, fmt.Sprintf("%v=%v", check, result))
 	}
 	return strings.Join(checks, "; ")
diff --git a/coderd/util/syncmap/map.go b/coderd/util/syncmap/map.go
@@ -1,7 +1,6 @@
 package syncmap
 
 import (
-	"iter"
 	"sync"
 )
 
@@ -78,9 +77,3 @@ func (m *Map[K, V]) Range(f func(key K, value V) bool) {
 		return f(key.(K), value.(V))
 	})
 }
-
-func (m *Map[K, V]) Seq() iter.Seq2[K, V] {
-	return func(yield func(K, V) bool) {
-		m.Range(yield)
-	}
-}

Original file line number	Diff line number	Diff line change
`@@ -210,8 +210,6 @@ func Write(ctx context.Context, rw http.ResponseWriter, status int, response int`
`210`	`210`	`// configured on server startup for development and testing builds.`
`211`	`211`	`// - If this header is missing from a response, make sure the response is`
`212`	`212`	// being written by calling `httpapi.Write`!
`213`		`- // - An empty x-authz-checks header can be valid! Some requests don't`
`214`		`- // require authorization.`
`215`	`213`	`rw.Header().Set("x-authz-checks", rec.String())`
`216`	`214`	`}`
`217`	`215`
`@@ -231,7 +229,7 @@ func WriteIndent(ctx context.Context, rw http.ResponseWriter, status int, respon`
`231`	`229`	`defer span.End()`
`232`	`230`
`233`	`231`	`if rec, ok := rbac.GetAuthzCheckRecorder(ctx); ok {`
`234`		`- rw.Header().Set("x-dbauthz-checks", rec.String())`
	`232`	`+ rw.Header().Set("x-authz-checks", rec.String())`
`235`	`233`	`}`
`236`	`234`
`237`	`235`	`rw.Header().Set("Content-Type", "application/json; charset=utf-8")`