feat: Rbac more coderd endpoints, unit test to confirm #1406
Conversation
- Make 'request()' exported for running custom requests
Skip workspace agent endpoints
Codecov Report
@@ Coverage Diff @@
## main #1406 +/- ##
==========================================
+ Coverage 67.18% 75.26% +8.08%
==========================================
Files 287 130 -157
Lines 19331 1965 -17366
Branches 244 244
==========================================
- Hits 12987 1479 -11508
+ Misses 5004 420 -4584
+ Partials 1340 66 -1274
Continue to review full report at Codecov.
|
| // TODO: @emyrk (rbac) Currently files are owned by the site? | ||
| // Should files be org scoped? User scoped? | ||
| httpmw.WithRBACObject(rbac.ResourceFile), |
There was a problem hiding this comment.
Leaving some TODOs to come back to as I add authorize to more endpoints. There are some routes I might want to move around or scope differently.
| r.Use(httpmw.WithRBACObject(rbac.ResourceUserPasswordRole)) | ||
| r.Put("/", authorize(api.putUserPassword, rbac.ActionUpdate)) | ||
| r.Group(func(r chi.Router) { | ||
| r.Use(httpmw.WithRBACObject(rbac.ResourceUser)) |
There was a problem hiding this comment.
Might add more resources for granular control of user settings, but for now, it's all clumped under update for the user resource.
coderd/coderd_test.go
Outdated
| // TODO: @emyrk these need to be fixed by adding authorize calls | ||
| "GET:/api/v2/workspaceresources/{workspaceresource}": {NoAuthorize: true}, | ||
| "GET:/api/v2/workspacebuilds/{workspacebuild}": {NoAuthorize: true}, | ||
| "GET:/api/v2/workspacebuilds/{workspacebuild}/logs": {NoAuthorize: true}, | ||
| "GET:/api/v2/workspacebuilds/{workspacebuild}/resources": {NoAuthorize: true}, | ||
| "GET:/api/v2/workspacebuilds/{workspacebuild}/state": {NoAuthorize: true}, | ||
| "PATCH:/api/v2/workspacebuilds/{workspacebuild}/cancel": {NoAuthorize: true}, | ||
| "GET:/api/v2/workspaces/{workspace}/builds/{workspacebuildname}": {NoAuthorize: true}, | ||
|
|
||
| "GET:/api/v2/users/oauth2/github/callback": {NoAuthorize: true}, | ||
|
|
||
| "POST:/api/v2/users/{user}/organizations/": {NoAuthorize: true}, | ||
| "PUT:/api/v2/organizations/{organization}/members/{user}/roles": {NoAuthorize: true}, | ||
| "GET:/api/v2/organizations/{organization}/provisionerdaemons": {NoAuthorize: true}, | ||
| "POST:/api/v2/organizations/{organization}/templates": {NoAuthorize: true}, | ||
| "GET:/api/v2/organizations/{organization}/templates": {NoAuthorize: true}, | ||
| "GET:/api/v2/organizations/{organization}/templates/{templatename}": {NoAuthorize: true}, | ||
| "POST:/api/v2/organizations/{organization}/templateversions": {NoAuthorize: true}, | ||
|
|
||
| "POST:/api/v2/parameters/{scope}/{id}": {NoAuthorize: true}, | ||
| "GET:/api/v2/parameters/{scope}/{id}": {NoAuthorize: true}, | ||
| "DELETE:/api/v2/parameters/{scope}/{id}/{name}": {NoAuthorize: true}, | ||
|
|
||
| "GET:/api/v2/provisionerdaemons/me/listen": {NoAuthorize: true}, | ||
|
|
||
| "DELETE:/api/v2/templates/{template}": {NoAuthorize: true}, | ||
| "GET:/api/v2/templates/{template}": {NoAuthorize: true}, | ||
| "GET:/api/v2/templates/{template}/versions": {NoAuthorize: true}, | ||
| "PATCH:/api/v2/templates/{template}/versions": {NoAuthorize: true}, | ||
| "GET:/api/v2/templates/{template}/versions/{templateversionname}": {NoAuthorize: true}, | ||
|
|
||
| "GET:/api/v2/templateversions/{templateversion}": {NoAuthorize: true}, | ||
| "PATCH:/api/v2/templateversions/{templateversion}/cancel": {NoAuthorize: true}, | ||
| "GET:/api/v2/templateversions/{templateversion}/logs": {NoAuthorize: true}, | ||
| "GET:/api/v2/templateversions/{templateversion}/parameters": {NoAuthorize: true}, | ||
| "GET:/api/v2/templateversions/{templateversion}/resources": {NoAuthorize: true}, | ||
| "GET:/api/v2/templateversions/{templateversion}/schema": {NoAuthorize: true}, | ||
|
|
||
| "POST:/api/v2/users/{user}/organizations": {NoAuthorize: true}, | ||
|
|
||
| "GET:/api/v2/workspaces/{workspace}": {NoAuthorize: true}, | ||
| "PUT:/api/v2/workspaces/{workspace}/autostart": {NoAuthorize: true}, | ||
| "PUT:/api/v2/workspaces/{workspace}/autostop": {NoAuthorize: true}, | ||
| "GET:/api/v2/workspaces/{workspace}/builds": {NoAuthorize: true}, | ||
| "POST:/api/v2/workspaces/{workspace}/builds": {NoAuthorize: true}, | ||
|
|
||
| "POST:/api/v2/files": {NoAuthorize: true}, | ||
| "GET:/api/v2/files/{hash}": {NoAuthorize: true}, | ||
|
|
There was a problem hiding this comment.
This is my TODO homework for my next PR. You can see that I would rather get some approvals before I continue the grind.
| // Interfaces can hold a nil value | ||
| if config == nil || reflect.ValueOf(config).IsNil() { |
There was a problem hiding this comment.
This was a bug that was causing panics in unit tests.
| // TODO: @emyrk this should be 'admin.UpdateUserRoles' once proper authz | ||
| // is enforced. | ||
| _, err = member.UpdateUserRoles(ctx, codersdk.Me, codersdk.UpdateRoles{ | ||
| _, err = admin.UpdateUserRoles(ctx, memberUser.ID, codersdk.UpdateRoles{ |
There was a problem hiding this comment.
admin updating a user's roles, cool!
| // Request performs an HTTP request with the body provided. | ||
| // The caller is responsible for closing the response body. | ||
| func (c *Client) request(ctx context.Context, method, path string, body interface{}, opts ...requestOption) (*http.Response, error) { | ||
| func (c *Client) Request(ctx context.Context, method, path string, body interface{}, opts ...requestOption) (*http.Response, error) { |
There was a problem hiding this comment.
I had to export this to use it generically in my unit test.
There was a problem hiding this comment.
Could be helpful though as now we can make unit tests that send malformed payloads 🤷♂️
There was a problem hiding this comment.
I'm not opposed to having both in package and out of package tests for different kinds of testing (black box/white box)
| @@ -24,3 +29,178 @@ func TestBuildInfo(t *testing.T) { | |||
| require.Equal(t, buildinfo.ExternalURL(), buildInfo.ExternalURL, "external URL") | |||
| require.Equal(t, buildinfo.Version(), buildInfo.Version, "version") | |||
| } | |||
|
|
|||
| // TestAuthorizeAllEndpoints will check `authorize` is called on every endpoint registered. | |||
| func TestAuthorizeAllEndpoints(t *testing.T) { | |||
There was a problem hiding this comment.
praise: This is a really useful check to have. Nice one.
| @@ -63,7 +66,7 @@ type Options struct { | |||
|
|
|||
| // New constructs an in-memory coderd instance and returns | |||
| // the connected client. | |||
| func New(t *testing.T, options *Options) *codersdk.Client { | |||
| func NewMemoryCoderd(t *testing.T, options *Options) (*httptest.Server, *codersdk.Client) { | |||
There was a problem hiding this comment.
I'd tried something before where I returned a coderdtest.API struct to which we could add extra fields, but it touched basically everything. This is probably a way nicer/better way of doing it.
Also, having control of the test server is definitely something we want to have available in unit tests.
There was a problem hiding this comment.
Yea, I really didn't want to touch much. I just needed access to the server. If you pass things into the Options, you do have some of those fields you'd include in that API type.
| r.With(httpmw.WithRBACObject(rbac.ResourceOrganization)). | ||
| Get("/", authorize(api.organization, rbac.ActionRead)) |
There was a problem hiding this comment.
This indent makes this harder to read. Can we not push this middleware into the r.Use() block?
There was a problem hiding this comment.
It's just for 1 endpoint. I can put it inside a group block by itself with use?
There was a problem hiding this comment.
r.With(httpmw.WithRBACObject(rbac.ResourceOrganization)).
Get("/", authorize(api.organization, rbac.ActionRead))
// ------------------
// Or
// ------------------
r.Group(func(r chi.Router) {
r.Use(httpmw.WithRBACObject(rbac.ResourceOrganization))
r.Get("/", authorize(api.organization, rbac.ActionRead))
})| // This has 2 authorize calls. The second is explicitly called | ||
| // in the handler. |
There was a problem hiding this comment.
Can we make it a middleware? I feel like calling authorize in the handler is a sign of a failure in what we originally want.
There was a problem hiding this comment.
It would be a middleware made for just this endpoint. The authorize check has to be called on each role assigned/deleted. So it depends on the payload of the request body.
Some endpoints will likely have this because it's really difficult to determine the authorize input at the middleware level, as it might be dependent on the request body.
One good thing to note is that my unit test still ensures if we don't use the middleware, an authorize check is still called. We still need to add tests for the endpoint to test auth though and make sure a user can't give themselves admin for example.
There was a problem hiding this comment.
Also, is this the only endpoint where we require multiple RBAC checks for a specific action? Or, do we need to make things more general?
| @@ -63,7 +66,7 @@ type Options struct { | |||
|
|
|||
| // New constructs an in-memory coderd instance and returns | |||
| // the connected client. | |||
| func New(t *testing.T, options *Options) *codersdk.Client { | |||
| func NewMemoryCoderd(t *testing.T, options *Options) (*httptest.Server, *codersdk.Client) { | |||
There was a problem hiding this comment.
Because the test consuming this is just using the HTTP handler returned and not the actual server, it might be clearer to just call coderd.New directly in that test instead of changing this.
Considering none of our other tests have required access to the HTTP server object, it seems like that could be cleaner.
There was a problem hiding this comment.
The thing is, if I don't use the coderdtest for the setup, I hit a lot of random issues with endpoints because the underlying infrastructure is not implemented. I do use the server, as I am using the sdk Request function to ensure the proper auth, and I have to do setup for the unit tests.
I will need to make a template & workspace for certain endpoints to not return 404's.
It is much easier to know the coderd I am interacting with works when I use coderdtest.
There was a problem hiding this comment.
The only thing it should need to check for permissions is Database and Authorize!
There was a problem hiding this comment.
Yes, but the unit test calls all possible routes, and checks if authorize was called since I fake the Authorizer and can check if it was called. So I need to setup all the routes on a server.
I could do this just on the handler returned by coderd.New(), but it does make it kinda annoying to make the setup. I need to make a first user for the api key middleware to work, which requires a client for all the helper funcs. I need to make an organization for some of the routes. I probably need to make a template & workspace too. All this setup means if I only have the DB, I have to make the DB calls directly. It's much easier to to just the sdk.
So I could probably make it work without calling codertest.New(), but I don't see the value in doing all this work to prop up all this "fake" stuff, when I can just use coderdtest.New(). It does all that for me and I have the same tools as all the other tests 🤷.
The only downside is that I need to expose the server to the unit test to grab the handler to walk it.
| // Interfaces can hold a nil value | ||
| if config == nil || reflect.ValueOf(config).IsNil() { |
There was a problem hiding this comment.
I'm confused why the reflect.ValueOf solves this, but the nil check doesn't.
There was a problem hiding this comment.
Because of how we pass the nil value. We pass it from a struct, and Go is being Go.
See this:
https://go.dev/play/p/9mgJ58zg7kn
It sucks, I was trying to rework it to fix it, and it's kinda a PIA
There was a problem hiding this comment.
One way we can fix this is avoid passing in nil in the first place.
There was a problem hiding this comment.
r.Route("/github", func(r chi.Router) {
if options.GithubOAuth2Config != nil {
r.Use(httpmw.ExtractOAuth2(options.GithubOAuth2Config))
r.Get("/callback", api.userOAuth2Github)
}
})- Rename authObject - Shorten 'AuthorizeByRoleName'
| // Request performs an HTTP request with the body provided. | ||
| // The caller is responsible for closing the response body. | ||
| func (c *Client) request(ctx context.Context, method, path string, body interface{}, opts ...requestOption) (*http.Response, error) { | ||
| func (c *Client) Request(ctx context.Context, method, path string, body interface{}, opts ...requestOption) (*http.Response, error) { |
There was a problem hiding this comment.
I'm not opposed to having both in package and out of package tests for different kinds of testing (black box/white box)
| } else { | ||
| // Attempt to find the resource owner id | ||
| unknownOwner := r.Context().Value(userParamContextKey{}) | ||
| if owner, castOK := unknownOwner.(database.User); unknownOwner != nil { |
There was a problem hiding this comment.
it's very strange to me to have owner, castOK := unknownOwner.(database.User) appear in this if statement when neither value is evaluated by the if. I think it would be less confusing on the next line inside the block
There was a problem hiding this comment.
I see how it is confusing, I can rework this logic flow
| @@ -70,21 +80,59 @@ func Authorize(logger slog.Logger, auth *rbac.RegoAuthorizer, action rbac.Action | |||
|
|
|||
| type authObjectKey struct{} | |||
|
|
|||
| type RBACObject struct { | |||
There was a problem hiding this comment.
I find this very confusing. What exactly is an httpmw.RBACObject and how is it different from an rbac.Object?
There was a problem hiding this comment.
rbac.Object is what is used by the rbac package. When making a middleware to construct this object, there are times where the fields of the object are not static, and need to be determined based on the request. So a middleware can set a WithOwner function, instead of a static field.
(I added a comment)
| if owner, castOK := unknownOwner.(database.User); unknownOwner != nil { | ||
| if !castOK { | ||
| panic("developer error: user param middleware not provided for authorize") | ||
| if authObject.WithOwner != nil { |
There was a problem hiding this comment.
This design seems to leave us in a place where we're calling Authorize before we've actually constructed the full object, so the first part of this method is collecting bits of information about the object itself. Is there a way that we can construct the object first, then call authorize?
There was a problem hiding this comment.
I don't think I follow this comment.
This Authorize middleware builds the object from the following:
- First grabs the object set by
httpmw.WithRBACObject(...). This sets all the static fields of the rbac object to check (likely just the type) - Any endpoint that has
{organization}or{user}we assume the resource is owned by theorganizationand/oruserin the url params. (This is currently mostly always true) - In some cases the above is not true, you can use
httpmw.WithOwner(...)to set the owner of the object dynamically. You cannot set it statically because it is dependent on the request's context. So it is a function that takes the request, and outputs someuuid.
The actual auth call is done at the bottom:
coder/coderd/httpmw/authorize.go
Line 54 in 96a5727
| if err != nil { | ||
| httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{ | ||
| Message: fmt.Sprintf("get organization member: %s", err), | ||
| httpapi.Write(rw, http.StatusUnauthorized, httpapi.Response{ |
There was a problem hiding this comment.
this leaks whether an organization with this name exists, since if it doesn't, you get NotFound, but if it does, and you're just not allowed to see it, you get Unauthorized. To avoid this we should probably return NotFound in both cases.
There was a problem hiding this comment.
Doesn't the 404 above leak that if that is a concern? I think we should change the 404 to unauthorized rather than the other way around.
I'll make the 404 return unauthorized
coderd/users.go
Outdated
| } | ||
|
|
||
| for _, roleName := range params.Roles { | ||
| // If the user already has the role, we don't need to check the permission. |
There was a problem hiding this comment.
Is that true? I'm used to systems where there are roles that don't grant the power to create others at the same level. Like, if you're a contributor to a project, you don't get to add additional contributors.
There was a problem hiding this comment.
That is not what this comment is. I'll add more clarity.
At first there was an endpoint to "AddRole" and "RemoveRole". But it was replaced by a generic "SetRoles". When you call "SetRoles", I only check the difference in the sets. If a member tries to assign themselves the roles they already have, there is no difference and this for loop just "continues".
| } | ||
|
|
||
| // Assigning a role requires the create permission. The middleware checks if | ||
| // we can update this user, so the combination of the 2 permissions enables |
There was a problem hiding this comment.
I'm concerned that you need update privilege on a user to be able to assign a role to that user. It feels like that would limit role assignment to essentially site admins because you don't want just org owners to be able to make arbitrary changes to a user.
There was a problem hiding this comment.
Good point.
My goal was to have this first draft just lump everything into user resource. As we get some more variety, then we can have things like user, user_password, user_roles, user_profile, etc. This allows more granular control like you mentioned.
For this PR though, we only have admin and org-admin who can assign roles. No one else can. So I'd like to keep it as is for now. Once RBAC is on all the routes (which I have not finished), we can go back in and add more granularity where needed.
coderd/coderd.go
Outdated
| r.Get("/", api.users) | ||
| r.Group(func(r chi.Router) { | ||
| // Site wide, all users | ||
| r.Use(httpmw.WithRBACObject(rbac.ResourceUser.All())) |
There was a problem hiding this comment.
Isn't rbac.ResourceUser.All() identical to rbac.ResourceUser due to zero values?
There was a problem hiding this comment.
Yea it is. I added that when walking through the code to illustrate what it's doing. I forgot to remove it.
|
A general comment I have is that this style with the Chi router and extracting different parameters in different middlewares makes it very difficult to reason about what exactly the object is for different endpoints. I understand the D.R.Y. motivations, but it would be really nice if for a given endpoint there was just a single function that gets called and it returns an |
Really the only way I can see us doing that on a per endpoint basis is to write it custom for each handler. So when you make a handler, you have to handle the authorize checks. I'm not totally opposed to that, in the past we leaked endpoints, but my unit test would catch these now. The top of every handler would look something like: // Creates a new workspace.
func (api *api) createWorkspace(rw http.ResponseWriter, r *http.Request) {
apiKey := httpmw.APIKey(r)
roles := httpmw.UserRoles(r)
org := httpmw.OrganizationParam(r)
err := api.Authorizer.ByRoleName(r.Context(), roles.ID, roles.Roles, rbac.ActionCreate,
rbac.ResourceWorkspace.
InOrg(org.ID).
WithOwner(apiKey.UserID.String()),
)
if !err {
// ...
}
//... Rest ...
} |
|
I'm going to go with the per handler approach. Unfortunate to lose time, but it will be easier to follow: Working here: #1437 |
I want to get this approved before I continue my quest for all endpoints
#607
Want to confirm on the right path, it's just tedious work I'd rather get some checkpoints in.
What this does
This adds rbac authorize checks to many more endpoints that require authorize checks.
Most authorize checks happen in middleware, but sometimes we have to do it in the handler. I wrote a unit test that ensures all endpoints call
authorize. It does not check the permissions are set correctly, but it at least ensures we intentionally callauthorize. For now, I put skips in the test for endpoints I did not authorize yetEndpoints coverd
Future work
Make it easy to test various types of users against each endpoint to test proper auth checks.
E.g: A member cannot create a new user