Skip to content

chore: enforcement of dbauthz tests was broken #11218

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 18 commits into from
Dec 15, 2023
Merged

chore: enforcement of dbauthz tests was broken #11218

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
ef12fbb
chore: enforcement of dbauthz tests was broken
Emyrk Dec 14, 2023
15e91ff
Add another skip
Emyrk Dec 14, 2023
a876975
dbauthz: allow asserting errors in tests
johnstcn Dec 15, 2023
f38be5d
add tailnet methods
johnstcn Dec 15, 2023
193d3b3
add dbcrypt methods
johnstcn Dec 15, 2023
2ddae13
fixup! chore: enforcement of dbauthz tests was broken
johnstcn Dec 15, 2023
c31b190
linting
Emyrk Dec 15, 2023
e930fb2
Add more dbauthz tests
Emyrk Dec 15, 2023
f6fe76f
GetTemplateInsights require an actor to call
Emyrk Dec 15, 2023
48857d2
Add more system functions;
Emyrk Dec 15, 2023
2e2f6be
Implement another chunk
Emyrk Dec 15, 2023
5d2f9b1
Another chunk of tests
Emyrk Dec 15, 2023
6481561
Another chunk
Emyrk Dec 15, 2023
55fbd8f
Update template tests
Emyrk Dec 15, 2023
b5ba222
Passing tests
Emyrk Dec 15, 2023
531c7f8
Lint
Emyrk Dec 15, 2023
440573a
lint
Emyrk Dec 15, 2023
af0b3f5
fmt
Emyrk Dec 15, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 12 additions & 6 deletions coderd/database/dbauthz/dbauthz.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,6 +62,10 @@ func IsNotAuthorizedError(err error) bool {
if err == nil {
return false
}
if xerrors.Is(err, NoActorError) {
return true
}
Comment on lines +65 to +67
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oops


return xerrors.As(err, &NotAuthorizedError{})
}

Expand Down Expand Up @@ -1338,7 +1342,7 @@ func (q *querier) GetTailnetTunnelPeerIDs(ctx context.Context, srcID uuid.UUID)
func (q *querier) GetTemplateAppInsights(ctx context.Context, arg database.GetTemplateAppInsightsParams) ([]database.GetTemplateAppInsightsRow, error) {
// Used by TemplateAppInsights endpoint
// For auditors, check read template_insights, and fall back to update template.
if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceTemplateInsights); IsNotAuthorizedError(err) {
if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceTemplateInsights); err != nil {
for _, templateID := range arg.TemplateIDs {
template, err := q.db.GetTemplateByID(ctx, templateID)
if err != nil {
Expand Down Expand Up @@ -1393,7 +1397,7 @@ func (q *querier) GetTemplateDAUs(ctx context.Context, arg database.GetTemplateD
func (q *querier) GetTemplateInsights(ctx context.Context, arg database.GetTemplateInsightsParams) (database.GetTemplateInsightsRow, error) {
// Used by TemplateInsights endpoint
// For auditors, check read template_insights, and fall back to update template.
if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceTemplateInsights); IsNotAuthorizedError(err) {
if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceTemplateInsights); err != nil {
for _, templateID := range arg.TemplateIDs {
template, err := q.db.GetTemplateByID(ctx, templateID)
if err != nil {
Expand All @@ -1416,7 +1420,7 @@ func (q *querier) GetTemplateInsights(ctx context.Context, arg database.GetTempl
func (q *querier) GetTemplateInsightsByInterval(ctx context.Context, arg database.GetTemplateInsightsByIntervalParams) ([]database.GetTemplateInsightsByIntervalRow, error) {
// Used by TemplateInsights endpoint
// For auditors, check read template_insights, and fall back to update template.
if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceTemplateInsights); IsNotAuthorizedError(err) {
if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceTemplateInsights); err != nil {
for _, templateID := range arg.TemplateIDs {
template, err := q.db.GetTemplateByID(ctx, templateID)
if err != nil {
Expand Down Expand Up @@ -1447,7 +1451,7 @@ func (q *querier) GetTemplateInsightsByTemplate(ctx context.Context, arg databas
func (q *querier) GetTemplateParameterInsights(ctx context.Context, arg database.GetTemplateParameterInsightsParams) ([]database.GetTemplateParameterInsightsRow, error) {
// Used by both insights endpoint and prometheus collector.
// For auditors, check read template_insights, and fall back to update template.
if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceTemplateInsights); IsNotAuthorizedError(err) {
if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceTemplateInsights); err != nil {
for _, templateID := range arg.TemplateIDs {
template, err := q.db.GetTemplateByID(ctx, templateID)
if err != nil {
Expand Down Expand Up @@ -1620,7 +1624,7 @@ func (q *querier) GetUnexpiredLicenses(ctx context.Context) ([]database.License,

func (q *querier) GetUserActivityInsights(ctx context.Context, arg database.GetUserActivityInsightsParams) ([]database.GetUserActivityInsightsRow, error) {
// Used by insights endpoints. Need to check both for auditors and for regular users with template acl perms.
if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceTemplateInsights); IsNotAuthorizedError(err) {
if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceTemplateInsights); err != nil {
for _, templateID := range arg.TemplateIDs {
template, err := q.db.GetTemplateByID(ctx, templateID)
if err != nil {
Expand Down Expand Up @@ -1657,7 +1661,7 @@ func (q *querier) GetUserCount(ctx context.Context) (int64, error) {

func (q *querier) GetUserLatencyInsights(ctx context.Context, arg database.GetUserLatencyInsightsParams) ([]database.GetUserLatencyInsightsRow, error) {
// Used by insights endpoints. Need to check both for auditors and for regular users with template acl perms.
if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceTemplateInsights); IsNotAuthorizedError(err) {
if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceTemplateInsights); err != nil {
for _, templateID := range arg.TemplateIDs {
template, err := q.db.GetTemplateByID(ctx, templateID)
if err != nil {
Expand Down Expand Up @@ -2266,10 +2270,12 @@ func (q *querier) InsertWorkspaceAgent(ctx context.Context, arg database.InsertW
}

func (q *querier) InsertWorkspaceAgentLogSources(ctx context.Context, arg database.InsertWorkspaceAgentLogSourcesParams) ([]database.WorkspaceAgentLogSource, error) {
// TODO: This is used by the agent, should we have an rbac check here?
return q.db.InsertWorkspaceAgentLogSources(ctx, arg)
}

func (q *querier) InsertWorkspaceAgentLogs(ctx context.Context, arg database.InsertWorkspaceAgentLogsParams) ([]database.WorkspaceAgentLog, error) {
// TODO: This is used by the agent, should we have an rbac check here?
return q.db.InsertWorkspaceAgentLogs(ctx, arg)
}

Expand Down
Loading