coder · Emyrk · May 3, 2022 · May 3, 2022 · May 3, 2022 · May 3, 2022
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -12,6 +12,7 @@ import (
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
 	"github.com/pion/webrtc/v3"
+	"golang.org/x/xerrors"
 	"google.golang.org/api/idtoken"
 
 	chitrace "gopkg.in/DataDog/dd-trace-go.v1/contrib/go-chi/chi.v5"
@@ -23,6 +24,7 @@ import (
 	"github.com/coder/coder/coderd/gitsshkey"
 	"github.com/coder/coder/coderd/httpapi"
 	"github.com/coder/coder/coderd/httpmw"
+	"github.com/coder/coder/coderd/rbac"
 	"github.com/coder/coder/coderd/turnconn"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/site"
@@ -48,6 +50,7 @@ type Options struct {
 	SecureAuthCookie     bool
 	SSHKeygenAlgorithm   gitsshkey.Algorithm
 	TURNServer           *turnconn.Server
+	Authorizer           *rbac.RegoAuthorizer
 type api struct { 
 	*Options 
 	websocketWaitMutex sync.Mutex 
 	websocketWaitGroup sync.WaitGroup 
 } 
 type api struct { 
 	*Options 
  
 	websocketWaitMutex sync.Mutex 
 	websocketWaitGroup sync.WaitGroup 
 } 
 }
 
 // New constructs the Coder API into an HTTP handler.
@@ -61,13 +64,29 @@ func New(options *Options) (http.Handler, func()) {
 	if options.APIRateLimit == 0 {
 		options.APIRateLimit = 512
 	}
+	if options.Authorizer == nil {
+		var err error
+		options.Authorizer, err = rbac.NewAuthorizer()
+		if err != nil {
+			// This should never happen, as the unit tests would fail if the
+			// default built in authorizer failed.
+			panic(xerrors.Errorf("rego authorize panic: %w", err))
+		}
+	}
 	api := &api{
 		Options: options,
 	}
 	apiKeyMiddleware := httpmw.ExtractAPIKey(options.Database, &httpmw.OAuth2Configs{
 		Github: options.GithubOAuth2Config,
 	})
 
+	// TODO: @emyrk we should just move this into 'ExtractAPIKey'.
+	authRolesMiddleware := httpmw.ExtractUserRoles(options.Database)
+
+	authorize := func(f http.HandlerFunc, actions rbac.Action) http.HandlerFunc {
+		return httpmw.Authorize(api.Logger, api.Authorizer, actions)(f).ServeHTTP
+	}
+
 	r := chi.NewRouter()
 
 	r.Use(
@@ -119,6 +138,7 @@ func New(options *Options) (http.Handler, func()) {
 			r.Use(
 				apiKeyMiddleware,
 				httpmw.ExtractOrganizationParam(options.Database),
+				authRolesMiddleware,
 			)
 			r.Get("/", api.organization)
 			r.Get("/provisionerdaemons", api.provisionerDaemonsByOrganization)
@@ -138,6 +158,10 @@ func New(options *Options) (http.Handler, func()) {
 				})
 			})
 			r.Route("/members", func(r chi.Router) {
+				r.Route("/roles", func(r chi.Router) {
+					r.Use(httpmw.WithRBACObject(rbac.ResourceUserRole))
+					r.Get("/", authorize(api.assignableOrgRoles, rbac.ActionRead))
+				})
 				r.Route("/{user}", func(r chi.Router) {
 					r.Use(
 						httpmw.ExtractUserParam(options.Database),
@@ -200,20 +224,28 @@ func New(options *Options) (http.Handler, func()) {
 				})
 			})
 			r.Group(func(r chi.Router) {
-				r.Use(apiKeyMiddleware)
+				r.Use(
+					apiKeyMiddleware,
+					authRolesMiddleware,
+				)
 				r.Post("/", api.postUser)
 				r.Get("/", api.users)
+				// These routes query information about site wide roles.
+				r.Route("/roles", func(r chi.Router) {
+					r.Use(httpmw.WithRBACObject(rbac.ResourceUserRole))
+					r.Get("/", authorize(api.assignableSiteRoles, rbac.ActionRead))
+				})
 				r.Route("/{user}", func(r chi.Router) {
 					r.Use(httpmw.ExtractUserParam(options.Database))
 					r.Get("/", api.userByName)
 					r.Put("/profile", api.putUserProfile)
 					r.Put("/suspend", api.putUserSuspend)
-					// TODO: @emyrk Might want to move these to a /roles group instead of /user.
-					//		As we include more roles like org roles, it makes less sense to scope these here.
-					r.Put("/roles", api.putUserRoles)
-					r.Get("/roles", api.userRoles)
 					r.Get("/organizations", api.organizationsByUser)
 					r.Post("/organizations", api.postOrganizationsByUser)
+					// These roles apply to the site wide permissions.
+					r.Put("/roles", api.putUserRoles)
+					r.Get("/roles", api.userRoles)
+
 					r.Post("/keys", api.postAPIKey)
 					r.Route("/organizations", func(r chi.Router) {
 						r.Post("/", api.postOrganizationsByUser)

diff --git a/coderd/database/databasefake/databasefake.go b/coderd/database/databasefake/databasefake.go
@@ -245,6 +245,38 @@ func (q *fakeQuerier) GetUsers(_ context.Context, params database.GetUsersParams
 	return tmp, nil
 }
 
+func (q *fakeQuerier) GetAllUserRoles(_ context.Context, userID uuid.UUID) (database.GetAllUserRolesRow, error) {
+	q.mutex.RLock()
+	defer q.mutex.RUnlock()
+
+	var user *database.User
+	roles := make([]string, 0)
+	for _, u := range q.users {
+		if u.ID == userID {
+			u := u
+			roles = append(roles, u.RBACRoles...)
+			user = &u
+			break
+		}
+	}
+
+	for _, mem := range q.organizationMembers {
+		if mem.UserID == userID {
+			roles = append(roles, mem.Roles...)
+		}
+	}
+
+	if user == nil {
+		return database.GetAllUserRolesRow{}, sql.ErrNoRows
+	}
+
+	return database.GetAllUserRolesRow{
+		ID:       userID,
+		Username: user.Username,
+		Roles:    roles,
+	}, nil
+}
+
 func (q *fakeQuerier) GetWorkspacesByTemplateID(_ context.Context, arg database.GetWorkspacesByTemplateIDParams) ([]database.Workspace, error) {
 	q.mutex.RLock()
 	defer q.mutex.RUnlock()

diff --git a/coderd/database/querier.go b/coderd/database/querier.go
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
diff --git a/coderd/database/queries/users.sql b/coderd/database/queries/users.sql
@@ -122,3 +122,15 @@ SET
 	updated_at = $3
 WHERE
 	id = $1 RETURNING *;
+
+
+-- name: GetAllUserRoles :one
+SELECT
+    -- username is returned just to help for logging purposes
+	id, username, array_cat(users.rbac_roles, organization_members.roles) :: text[] AS roles
+FROM
+	users
+LEFT JOIN organization_members
+	ON id = user_id
+WHERE
+    id = @user_id;
diff --git a/coderd/httpmw/authorize.go b/coderd/httpmw/authorize.go
@@ -0,0 +1,122 @@
+package httpmw
+
+import (
+	"context"
+	"net/http"
+
+	"golang.org/x/xerrors"
+
+	"cdr.dev/slog"
+	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/httpapi"
+	"github.com/coder/coder/coderd/rbac"
+)
+
+// Authorize will enforce if the user roles can complete the action on the AuthObject.
+// The organization and owner are found using the ExtractOrganization and
+// ExtractUser middleware if present.
+func Authorize(logger slog.Logger, auth *rbac.RegoAuthorizer, action rbac.Action) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+			roles := UserRoles(r)
+			object := rbacObject(r)
+
+			if object.Type == "" {
+				panic("developer error: auth object has no type")
+			}
+
+			// First extract the object's owner and organization if present.
+			unknownOrg := r.Context().Value(organizationParamContextKey{})
+			if organization, castOK := unknownOrg.(database.Organization); unknownOrg != nil {
+				if !castOK {
+					panic("developer error: organization param middleware not provided for authorize")
+				}
+				object = object.InOrg(organization.ID)
+			}
+
+			unknownOwner := r.Context().Value(userParamContextKey{})
+			if owner, castOK := unknownOwner.(database.User); unknownOwner != nil {
+				if !castOK {
+					panic("developer error: user param middleware not provided for authorize")
+				}
+				object = object.WithOwner(owner.ID.String())
+			}
+
+			err := auth.AuthorizeByRoleName(r.Context(), roles.ID.String(), roles.Roles, action, object)
+			if err != nil {
+				internalError := new(rbac.UnauthorizedError)
+				if xerrors.As(err, internalError) {
+					logger = logger.With(slog.F("internal", internalError.Internal()))
+				}
+				// Log information for debugging. This will be very helpful
+				// in the early days if we over secure endpoints.
+				logger.Warn(r.Context(), "unauthorized",
+					slog.F("roles", roles.Roles),
+					slog.F("user_id", roles.ID),
+					slog.F("username", roles.Username),
+					slog.F("route", r.URL.Path),
+					slog.F("action", action),
+					slog.F("object", object),
+				)
+				httpapi.Write(rw, http.StatusUnauthorized, httpapi.Response{
+					Message: err.Error(),
+				})
+				return
+			}
+			next.ServeHTTP(rw, r)
+		})
+	}
+}
+
+type authObjectKey struct{}
+
+// APIKey returns the API key from the ExtractAPIKey handler.
+func rbacObject(r *http.Request) rbac.Object {
+	obj, ok := r.Context().Value(authObjectKey{}).(rbac.Object)
+	if !ok {
+		panic("developer error: auth object middleware not provided")
+	}
+	return obj
+}
+
+// WithRBACObject sets the object for 'Authorize()' for all routes handled
+// by this middleware. The important field to set is 'Type'
+func WithRBACObject(object rbac.Object) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+			ctx := context.WithValue(r.Context(), authObjectKey{}, object)
+			next.ServeHTTP(rw, r.WithContext(ctx))
+		})
+	}
+}
+
+// User roles are the 'subject' field of Authorize()
+type userRolesKey struct{}
+
+// UserRoles returns the API key from the ExtractUserRoles handler.
+func UserRoles(r *http.Request) database.GetAllUserRolesRow {
+	apiKey, ok := r.Context().Value(userRolesKey{}).(database.GetAllUserRolesRow)
+	if !ok {
+		panic("developer error: user roles middleware not provided")
+	}
+	return apiKey
+}
+
+// ExtractUserRoles requires authentication using a valid API key.
+func ExtractUserRoles(db database.Store) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+			apiKey := APIKey(r)
+			role, err := db.GetAllUserRoles(r.Context(), apiKey.UserID)
+			if err != nil {
+				httpapi.Write(rw, http.StatusUnauthorized, httpapi.Response{
+					Message: "roles not found",
+				})
+				return
+			}
+
+			ctx := context.WithValue(r.Context(), userRolesKey{}, role)
+			next.ServeHTTP(rw, r.WithContext(ctx))
+		})
+	}
+}