From 97cd00d96e560f5292eb1455742c661a53fef013 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 23 Dec 2024 13:34:35 +0000 Subject: [PATCH 1/6] chore: bump github.com/open-policy-agent/opa from 0.70.0 to 1.0.0 Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.70.0 to 1.0.0. - [Release notes](https://github.com/open-policy-agent/opa/releases) - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-policy-agent/opa/compare/v0.70.0...v1.0.0) --- updated-dependencies: - dependency-name: github.com/open-policy-agent/opa dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- go.mod | 24 +++++++++++++----------- go.sum | 46 ++++++++++++++++++++++++---------------------- 2 files changed, 37 insertions(+), 33 deletions(-)
diff --git a/go.mod b/go.mod
index fff233592f525..cf7a84f5336d2 100644
--- a/go.mod
+++ b/go.mod
@@ -158,7 +158,7 @@ require (
 github.com/mocktools/go-smtp-mock/v2 v2.4.0
 github.com/muesli/termenv v0.15.3-0.20240618155329-98d742f6907a
 github.com/natefinch/atomic v1.0.1
- github.com/open-policy-agent/opa v0.70.0
+ github.com/open-policy-agent/opa v1.0.0
 github.com/ory/dockertest/v3 v3.11.0
 github.com/pion/udp v0.1.4
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c
@@ -184,11 +184,11 @@ require (
 github.com/wagslane/go-password-validator v0.3.0
 go.mozilla.org/pkcs7 v0.9.0
 go.nhat.io/otelsql v0.14.0
- go.opentelemetry.io/otel v1.31.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.29.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0
- go.opentelemetry.io/otel/sdk v1.31.0
- go.opentelemetry.io/otel/trace v1.31.0
+ go.opentelemetry.io/otel v1.33.0
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0
+ go.opentelemetry.io/otel/sdk v1.33.0
+ go.opentelemetry.io/otel/trace v1.33.0
 go.uber.org/atomic v1.11.0
 go.uber.org/goleak v1.3.1-0.20240429205332-517bace7cc29
 go.uber.org/mock v0.5.0
@@ -320,7 +320,7 @@ require (
 github.com/googleapis/gax-go/v2 v2.14.0 // indirect
 github.com/gorilla/css v1.0.1 // indirect
 github.com/gorilla/mux v1.8.1 // indirect
- github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
+ github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0 // indirect
 github.com/hashicorp/errwrap v1.1.0 // indirect
 github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320 // indirect
@@ -427,9 +427,9 @@ require (
 github.com/zclconf/go-cty v1.15.1
 github.com/zeebo/errs v1.3.0 // indirect
 go.opentelemetry.io/contrib v1.19.0 // indirect
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect
- go.opentelemetry.io/otel/metric v1.31.0 // indirect
- go.opentelemetry.io/proto/otlp v1.3.1 // indirect
+ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
+ go.opentelemetry.io/otel/metric v1.33.0 // indirect
+ go.opentelemetry.io/proto/otlp v1.4.0 // indirect
 go4.org/mem v0.0.0-20220726221520-4f986261bf13 // indirect
 golang.org/x/time v0.8.0 // indirect
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
@@ -437,7 +437,7 @@ require (
 golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
 google.golang.org/appengine v1.6.8 // indirect
 google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20241113202542-65e8d215514f // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect
 google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 howett.net/plist v1.0.0 // indirect
@@ -445,3 +445,5 @@ require (
 kernel.org/pub/linux/libs/security/libcap/psx v1.2.73 // indirect
 sigs.k8s.io/yaml v1.4.0 // indirect
 )
+
+require go.opentelemetry.io/auto/sdk v1.1.0 // indirect
diff --git a/go.sum b/go.sum
index 02be8d1364385..84f8cf522f398 100644
--- a/go.sum
+++ b/go.sum
@@ -484,8 +484,8 @@ github.com/gorilla/css v1.0.1 h1:ntNaBIghp6JmvWnxbZKANoLyuXTPZ4cAMlo6RyhlbO8=
 github.com/gorilla/css v1.0.1/go.mod h1:BvnYkspnSzMmwRK+b8/xgNPLiIuNZr6vbZBTPQ2A3b0=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0 h1:TmHmbvxPmaegwhDubVz0lICL0J5Ka2vwTzhoePEXsGE=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0/go.mod h1:qztMSjm835F2bXf+5HKAPIS5qsmQDqZna/PgVt4rWtI=
 github.com/hairyhenderson/go-codeowners v0.7.0 h1:s0W4wF8bdsBEjTWzwzSlsatSthWtTAF2xLgo4a4RwAo=
 github.com/hairyhenderson/go-codeowners v0.7.0/go.mod h1:wUlNgQ3QjqC4z8DnM5nnCYVq/icpqXJyJOukKx5U8/Q=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -720,8 +720,8 @@ github.com/oklog/run v1.1.0 h1:GEenZ1cK0+q0+wsJew9qUg/DyD8k3JzYsZAi5gYi2mA=
 github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DVU=
 github.com/olekukonko/tablewriter v0.0.5 h1:P2Ga83D34wi1o9J6Wh1mRuqd4mF/x/lgBS7N7AbDhec=
 github.com/olekukonko/tablewriter v0.0.5/go.mod h1:hPp6KlRPjbx+hW8ykQs1w3UBbZlj6HuIJcUGPhkA7kY=
-github.com/open-policy-agent/opa v0.70.0 h1:B3cqCN2iQAyKxK6+GI+N40uqkin+wzIrM7YA60t9x1U=
-github.com/open-policy-agent/opa v0.70.0/go.mod h1:Y/nm5NY0BX0BqjBriKUiV81sCl8XOjjvqQG7dXrggtI=
+github.com/open-policy-agent/opa v1.0.0 h1:fZsEwxg1knpPvUn0YDJuJZBcbVg4G3zKpWa3+CnYK+I=
+github.com/open-policy-agent/opa v1.0.0/go.mod h1:+JyoH12I0+zqyC1iX7a2tmoQlipwAEGvOhVJMhmy+rM=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
@@ -946,36 +946,38 @@ go.mozilla.org/pkcs7 v0.9.0 h1:yM4/HS9dYv7ri2biPtxt8ikvB37a980dg69/pKmS+eI=
 go.mozilla.org/pkcs7 v0.9.0/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk=
 go.nhat.io/otelsql v0.14.0 h1:Mz4xo+WVQLAOPZy6abxjVzZzNe8xoOUh/tOMJoxo3oo=
 go.nhat.io/otelsql v0.14.0/go.mod h1:iO9KfDBZO2WI6O7n+ippHe5OHdXQ5iiA2aIa3Kzywo8=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib v1.0.0/go.mod h1:EH4yDYeNoaTqn/8yCWQmfNB78VHfGX2Jt2bvnvzBlGM=
 go.opentelemetry.io/contrib v1.19.0 h1:rnYI7OEPMWFeM4QCqWQ3InMJ0arWMR1i0Cx9A5hcjYM=
 go.opentelemetry.io/contrib v1.19.0/go.mod h1:gIzjwWFoGazJmtCaDgViqOSJPde2mCWzv60o0bWPcZs=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0 h1:r6I7RJCN86bpD/FQwedZ0vSixDpwuWREjW9oRMsmqDc=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0/go.mod h1:B9yO6b04uB80CzjedvewuqDhxJxi11s7/GtiGa8bAjI=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 h1:TT4fX+nBOA/+LUkobKGW1ydGcn+G3vRw9+g5HwCphpk=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0/go.mod h1:L7UH0GbB0p47T4Rri3uHjbpCFYrVrwc1I25QhNPiGK8=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
 go.opentelemetry.io/otel v1.3.0/go.mod h1:PWIKzi6JCp7sM0k9yZ43VX+T345uNbAkDKwHVjb2PTs=
-go.opentelemetry.io/otel v1.31.0 h1:NsJcKPIW0D0H3NgzPDHmo0WW6SptzPdqg/L1zsIm2hY=
-go.opentelemetry.io/otel v1.31.0/go.mod h1:O0C14Yl9FgkjqcCZAsE053C13OaddMYr/hz6clDkEJE=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.29.0 h1:dIIDULZJpgdiHz5tXrTgKIMLkus6jEFa7x5SOKcyR7E=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.29.0/go.mod h1:jlRVBe7+Z1wyxFSUs48L6OBQZ5JwH2Hg/Vbl+t9rAgI=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 h1:R3X6ZXmNPRR8ul6i3WgFURCHzaXjHdm0karRG/+dj3s=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0/go.mod h1:QWFXnDavXWwMx2EEcZsf3yxgEKAqsxQ+Syjp+seyInw=
+go.opentelemetry.io/otel v1.33.0 h1:/FerN9bax5LoK51X/sI0SVYrjSE0/yUL7DpxW4K3FWw=
+go.opentelemetry.io/otel v1.33.0/go.mod h1:SUUkR6csvUQl+yjReHu5uM3EtVV7MBm5FHKRlNx4I8I=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 h1:Vh5HayB/0HHfOQA7Ctx69E/Y/DcQSMPpKANYVMQ7fBA=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0/go.mod h1:cpgtDBaqD/6ok/UG0jT15/uKjAY8mRA53diogHBg3UI=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0 h1:5pojmb1U1AogINhN3SurB+zm/nIcusopeBNp42f45QM=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0/go.mod h1:57gTHJSE5S1tqg+EKsLPlTWhpHMsWlVmer+LA926XiA=
 go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.30.0 h1:IyFlqNsi8VT/nwYlLJfdM0y1gavxGpEvnf6FtVfZ6X4=
 go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.30.0/go.mod h1:bxiX8eUeKoAEQmbq/ecUT8UqZwCjZW52yJrXJUSozsk=
 go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.30.0 h1:kn1BudCgwtE7PxLqcZkErpD8GKqLZ6BSzeW9QihQJeM=
 go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.30.0/go.mod h1:ljkUDtAMdleoi9tIG1R6dJUpVwDcYjw3J2Q6Q/SuiC0=
-go.opentelemetry.io/otel/metric v1.31.0 h1:FSErL0ATQAmYHUIzSezZibnyVlft1ybhy4ozRPcF2fE=
-go.opentelemetry.io/otel/metric v1.31.0/go.mod h1:C3dEloVbLuYoX41KpmAhOqNriGbA+qqH6PQ5E5mUfnY=
+go.opentelemetry.io/otel/metric v1.33.0 h1:r+JOocAyeRVXD8lZpjdQjzMadVZp2M4WmQ+5WtEnklQ=
+go.opentelemetry.io/otel/metric v1.33.0/go.mod h1:L9+Fyctbp6HFTddIxClbQkjtubW6O9QS3Ann/M82u6M=
 go.opentelemetry.io/otel/sdk v1.3.0/go.mod h1:rIo4suHNhQwBIPg9axF8V9CA72Wz2mKF1teNrup8yzs=
-go.opentelemetry.io/otel/sdk v1.31.0 h1:xLY3abVHYZ5HSfOg3l2E5LUj2Cwva5Y7yGxnSW9H5Gk=
-go.opentelemetry.io/otel/sdk v1.31.0/go.mod h1:TfRbMdhvxIIr/B2N2LQW2S5v9m3gOQ/08KsbbO5BPT0=
+go.opentelemetry.io/otel/sdk v1.33.0 h1:iax7M131HuAm9QkZotNHEfstof92xM+N8sr3uHXc2IM=
+go.opentelemetry.io/otel/sdk v1.33.0/go.mod h1:A1Q5oi7/9XaMlIWzPSxLRWOI8nG3FnzHJNbiENQuihM=
 go.opentelemetry.io/otel/sdk/metric v1.31.0 h1:i9hxxLJF/9kkvfHppyLL55aW7iIJz4JjxTeYusH7zMc=
 go.opentelemetry.io/otel/sdk/metric v1.31.0/go.mod h1:CRInTMVvNhUKgSAMbKyTMxqOBC0zgyxzW55lZzX43Y8=
 go.opentelemetry.io/otel/trace v1.3.0/go.mod h1:c/VDhno8888bvQYmbYLqe41/Ldmr/KKunbvWM4/fEjk=
-go.opentelemetry.io/otel/trace v1.31.0 h1:ffjsj1aRouKewfr85U2aGagJ46+MvodynlQ1HYdmJys=
-go.opentelemetry.io/otel/trace v1.31.0/go.mod h1:TXZkRk7SM2ZQLtR6eoAWQFIHPvzQ06FJAsO1tJg480A=
-go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
-go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
+go.opentelemetry.io/otel/trace v1.33.0 h1:cCJuF7LRjUFso9LPnEAHJDB2pqzp+hbO8eu1qqW2d/s=
+go.opentelemetry.io/otel/trace v1.33.0/go.mod h1:uIcdVUZMpTAmz0tI1z04GoVSezK37CbGV4fr1f2nBck=
+go.opentelemetry.io/proto/otlp v1.4.0 h1:TA9WRvW6zMwP+Ssb6fLoUIuirti1gGbP28GcKG1jgeg=
+go.opentelemetry.io/proto/otlp v1.4.0/go.mod h1:PPBWZIP98o2ElSqI35IHfu7hIhSwvc5N38Jw8pXuGFY=
 go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
@@ -1127,8 +1129,8 @@ google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAs
 google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
 google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 h1:ToEetK57OidYuqD4Q5w+vfEnPvPpuTwedCNVohYJfNk=
 google.golang.org/genproto v0.0.0-20241118233622-e639e219e697/go.mod h1:JJrvXBWRZaFMxBufik1a4RpFw4HhgVtBBWQeQgUj2cc=
-google.golang.org/genproto/googleapis/api v0.0.0-20241113202542-65e8d215514f h1:M65LEviCfuZTfrfzwwEoxVtgvfkFkBUbFnRbxCXuXhU=
-google.golang.org/genproto/googleapis/api v0.0.0-20241113202542-65e8d215514f/go.mod h1:Yo94eF2nj7igQt+TiJ49KxjIH8ndLYPZMIRSiRcEbg0=
+google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 h1:CkkIfIt50+lT6NHAVoRYEyAvQGFM7xEwXUUywFvEb3Q=
+google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576/go.mod h1:1R3kvZ1dtP3+4p4d3G8uJ8rFk/fWlScl38vanWACI08=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 h1:8ZmaLZE4XWrtU3MyClkYqqtl6Oegr3235h7jxsDyqCY=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU=
 google.golang.org/grpc v1.69.2 h1:U3S9QEtbXC0bYNvRtcoklF3xGtLViumSYxWykJS+7AU=
From d90bd4c5eccb39b4510bb49c01a9e865be8cfb3f Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Thu, 2 Jan 2025 08:40:54 -0600 Subject: [PATCH 2/6] chore: use now mandatory 'if' for v1 rego rules --- coderd/rbac/policy.rego | 57 +++++++++++++++++++++-------------------- 1 file changed, 29 insertions(+), 28 deletions(-)
diff --git a/coderd/rbac/policy.rego b/coderd/rbac/policy.rego
index bf7a38c3cc194..ee294689236b5 100644
--- a/coderd/rbac/policy.rego
+++ b/coderd/rbac/policy.rego
@@ -1,5 +1,6 @@ package authz -import future.keywords +import rego.v1 + # A great playground: https://play.openpolicyagent.org/ # Helpful cli commands to debug. # opa eval --format=pretty 'data.authz.allow' -d policy.rego -i input.json
@@ -29,12 +30,12 @@ import future.keywords # bool_flip lets you assign a value to an inverted bool. # You cannot do 'x := !false', but you can do 'x := bool_flip(false)' -bool_flip(b) = flipped { +bool_flip(b) = flipped if { b flipped = false } -bool_flip(b) = flipped { +bool_flip(b) = flipped if { not b flipped = true } @@ -43,17 +44,17 @@ bool_flip(b) = flipped { # -1: {false, true} or {false} # 0: {} # 1: {true} -number(set) = c { +number(set) = c if { count(set) == 0 c := 0 } -number(set) = c { +number(set) = c if { false in set c := -1 } -number(set) = c { +number(set) = c if { not false in set set[_] c := 1 @@ -67,7 +68,7 @@ site := site_allow(input.subject.roles) default scope_site := 0 scope_site := site_allow([input.subject.scope]) -site_allow(roles) := num { +site_allow(roles) := num if { # allow is a set of boolean values without duplicates. allow := { x | # Iterate over all site permissions in all roles @@ -102,7 +103,7 @@ scope_org := org_allow([input.scope]) # The reason we calculate this for all orgs, and not just the input.object.org_owner # is that sometimes the input.object.org_owner is unknown. In those cases # we have a list of org_ids that can we use in a SQL 'WHERE' clause. -org_allow_set(roles) := allow_set { +org_allow_set(roles) := allow_set if { allow_set := { id: num | id := org_members[_] set := { x | @@ -115,7 +116,7 @@ org_allow_set(roles) := allow_set { } } -org_allow(roles) := num { +org_allow(roles) := num if { # If the object has "any_org" set to true, then use the other # org_allow block. not input.object.any_org @@ -135,7 +136,7 @@ org_allow(roles) := num { # This is useful for UI elements when we want to conclude, "Can the user create # a new template in any organization?" # It is easier than iterating over every organization the user is apart of. -org_allow(roles) := num { +org_allow(roles) := num if { input.object.any_org # if this is false, this code block is not used allow := org_allow_set(roles) 
@@ -159,24 +160,24 @@ org_allow(roles) := num { # 'org_mem' is set to true if the user is an org member # If 'any_org' is set to true, use the other block to determine org membership. -org_mem := true { +org_mem := true if { not input.object.any_org input.object.org_owner != "" input.object.org_owner in org_members } -org_mem := true { +org_mem := true if { input.object.any_org count(org_members) > 0 } -org_ok { +org_ok if { org_mem } # If the object has no organization, then the user is also considered part of # the non-existent org. -org_ok { +org_ok if { input.object.org_owner == "" not input.object.any_org } @@ -188,7 +189,7 @@ user := user_allow(input.subject.roles) default user_scope := 0 scope_user := user_allow([input.scope]) -user_allow(roles) := num { +user_allow(roles) := num if { input.object.owner != "" input.subject.id = input.object.owner allow := { x | @@ -202,11 +203,11 @@ user_allow(roles) := num { # Scope allow_list is a list of resource IDs explicitly allowed by the scope. # If the list is '*', then all resources are allowed. -scope_allow_list { +scope_allow_list if { "*" in input.subject.scope.allow_list } -scope_allow_list { +scope_allow_list if { # If the wildcard is listed in the allow_list, we do not care about the # object.id. This line is included to prevent partial compilations from # ever needing to include the object.id. @@ -226,16 +227,16 @@ scope_allow_list { # Allow query: # data.authz.role_allow = true data.authz.scope_allow = true -role_allow { +role_allow if { site = 1 } -role_allow { +role_allow if { not site = -1 org = 1 } -role_allow { +role_allow if { not site = -1 not org = -1 # If we are not a member of an org, and the object has an org, then we are 
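Review bot: In the `@@ -188,7 +189,7 @@` hunk the context lines read `default user_scope := 0` immediately followed by `scope_user := user_allow([input.scope])`, so the default is attached to a name nothing else on the page uses and `scope_user` itself has no default, unlike the site and org pairs earlier in this commit, which declare `default scope_site := 0` and `default scope_org := 0` for rules of the same name. The later `opa fmt` patch in this series reformats these three lines again without touching the mismatch. When `user_allow` does not fire, for example because `input.object.owner` is empty, `scope_user` is undefined rather than 0, so any rule that compares it treats the missing value differently from the abstain case (how the rest of the file consumes `scope_user` is outside the hunks shown). I would correct the default line to `default scope_user := 0`. Separately, `scope_org` and `scope_user` read `input.scope` while `scope_site` reads `input.subject.scope`; if the Go side only ever populates the latter, the org and user scope checks never see a scope, which is worth confirming against the caller.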
@@ -244,18 +245,18 @@ role_allow { user = 1 } -scope_allow { +scope_allow if { scope_allow_list scope_site = 1 } -scope_allow { +scope_allow if { scope_allow_list not scope_site = -1 scope_org = 1 } -scope_allow { +scope_allow if { scope_allow_list not scope_site = -1 not scope_org = -1 @@ -266,7 +267,7 @@ scope_allow { } # ACL for users -acl_allow { +acl_allow if { # Should you have to be a member of the org too? perms := input.object.acl_user_list[input.subject.id] # Either the input action or wildcard @@ -274,7 +275,7 @@ acl_allow { } # ACL for groups -acl_allow { +acl_allow if { # If there is no organization owner, the object cannot be owned by an # org_scoped team. org_mem @@ -285,7 +286,7 @@ acl_allow { } # ACL for 'all_users' special group -acl_allow { +acl_allow if { org_mem perms := input.object.acl_group_list[input.object.org_owner] [input.action, "*"][_] in perms @@ -296,13 +297,13 @@ acl_allow { # The role or the ACL must allow the action. Scopes can be used to limit, # so scope_allow must always be true. -allow { +allow if { role_allow scope_allow } # ACL list must also have the scope_allow to pass -allow { +allow if { acl_allow scope_allow } From 84d2eed81b0dc8d3e2db26f374cb9f9fb6ce41e0 Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Thu, 2 Jan 2025 08:41:31 -0600 Subject: [PATCH 3/6] opa fmt rego.policy --- coderd/rbac/policy.rego | 92 ++++++++++++++++++++++++----------------- 1 file changed, 54 insertions(+), 38 deletions(-) diff --git a/coderd/rbac/policy.rego b/coderd/rbac/policy.rego index ee294689236b5..f1c58317213c4 100644 --- a/coderd/rbac/policy.rego +++ b/coderd/rbac/policy.rego @@ -1,4 +1,5 @@ package authz + import rego.v1 # A great playground: https://play.openpolicyagent.org/ 
@@ -31,13 +32,13 @@ import rego.v1 # bool_flip lets you assign a value to an inverted bool. # You cannot do 'x := !false', but you can do 'x := bool_flip(false)' bool_flip(b) = flipped if { - b - flipped = false + b + flipped = false } bool_flip(b) = flipped if { - not b - flipped = true + not b + flipped = true } # number is a quick way to get a set of {true, false} and convert it to @@ -46,51 +47,58 @@ bool_flip(b) = flipped if { # 1: {true} number(set) = c if { count(set) == 0 - c := 0 + c := 0 } number(set) = c if { false in set - c := -1 + c := -1 } number(set) = c if { not false in set set[_] - c := 1 + c := 1 } # site, org, and user rules are all similar. Each rule should return a number # from [-1, 1]. The number corresponds to "negative", "abstain", and "positive" # for the given level. See the 'allow' rules for how these numbers are used. default site = 0 + site := site_allow(input.subject.roles) + default scope_site := 0 + scope_site := site_allow([input.subject.scope]) site_allow(roles) := num if { # allow is a set of boolean values without duplicates. - allow := { x | + allow := {x | # Iterate over all site permissions in all roles - perm := roles[_].site[_] - perm.action in [input.action, "*"] + perm := roles[_].site[_] + perm.action in [input.action, "*"] perm.resource_type in [input.object.type, "*"] + # x is either 'true' or 'false' if a matching permission exists. - x := bool_flip(perm.negate) - } - num := number(allow) + x := bool_flip(perm.negate) + } + num := number(allow) } # org_members is the list of organizations the actor is apart of. -org_members := { orgID | +org_members := {orgID | input.subject.roles[_].org[orgID] } # org is the same as 'site' except we need to iterate over each organization # that the actor is a member of. default org = 0 + org := org_allow(input.subject.roles) + default scope_org := 0 + scope_org := org_allow([input.scope]) # org_allow_set is a helper function that iterates over all orgs that the actor 
@@ -104,9 +112,9 @@ scope_org := org_allow([input.scope]) # is that sometimes the input.object.org_owner is unknown. In those cases # we have a list of org_ids that can we use in a SQL 'WHERE' clause. org_allow_set(roles) := allow_set if { - allow_set := { id: num | + allow_set := {id: num | id := org_members[_] - set := { x | + set := {x | perm := roles[_].org[id][_] perm.action in [input.action, "*"] perm.resource_type in [input.object.type, "*"] @@ -140,33 +148,34 @@ org_allow(roles) := num if { input.object.any_org # if this is false, this code block is not used allow := org_allow_set(roles) - # allow is a map of {"": }. We only care about values # that are 1, and ignore the rest. num := number([ - keep | - # for every value in the mapping - value := allow[_] - # only keep values > 0. - # 1 = allow, 0 = abstain, -1 = deny - # We only need 1 explicit allow to allow the action. - # deny's and abstains are intentionally ignored. - value > 0 - # result set is a set of [true,false,...] - # which "number()" will convert to a number. - keep := true + keep | + # for every value in the mapping + value := allow[_] + + # only keep values > 0. + # 1 = allow, 0 = abstain, -1 = deny + # We only need 1 explicit allow to allow the action. + # deny's and abstains are intentionally ignored. + value > 0 + + # result set is a set of [true,false,...] + # which "number()" will convert to a number. + keep := true ]) } # 'org_mem' is set to true if the user is an org member # If 'any_org' is set to true, use the other block to determine org membership. -org_mem := true if { +org_mem if { not input.object.any_org input.object.org_owner != "" input.object.org_owner in org_members } -org_mem := true if { +org_mem if { input.object.any_org count(org_members) > 0 } 
@@ -185,20 +194,23 @@ org_ok if { # User is the same as the site, except it only applies if the user owns the object and # the user is apart of the org (if the object has an org). default user = 0 + user := user_allow(input.subject.roles) + default user_scope := 0 + scope_user := user_allow([input.scope]) user_allow(roles) := num if { - input.object.owner != "" - input.subject.id = input.object.owner - allow := { x | - perm := roles[_].user[_] - perm.action in [input.action, "*"] + input.object.owner != "" + input.subject.id = input.object.owner + allow := {x | + perm := roles[_].user[_] + perm.action in [input.action, "*"] perm.resource_type in [input.object.type, "*"] - x := bool_flip(perm.negate) - } - num := number(allow) + x := bool_flip(perm.negate) + } + num := number(allow) } # Scope allow_list is a list of resource IDs explicitly allowed by the scope. @@ -239,6 +251,7 @@ role_allow if { role_allow if { not site = -1 not org = -1 + # If we are not a member of an org, and the object has an org, then we are # not authorized. This is an "implied -1" for not being in the org. org_ok @@ -260,6 +273,7 @@ scope_allow if { scope_allow_list not scope_site = -1 not scope_org = -1 + # If we are not a member of an org, and the object has an org, then we are # not authorized. This is an "implied -1" for not being in the org. org_ok @@ -270,6 +284,7 @@ scope_allow if { acl_allow if { # Should you have to be a member of the org too? perms := input.object.acl_user_list[input.subject.id] + # Either the input action or wildcard [input.action, "*"][_] in perms } @@ -281,6 +296,7 @@ acl_allow if { org_mem group := input.subject.groups[_] perms := input.object.acl_group_list[group] + # Either the input action or wildcard [input.action, "*"][_] in perms } From d89dbb80cecedad37ebbc2b6beadf8abbcdda710 Mon Sep 17 00:00:00 2001 
From: Steven Masley Date: Thu, 2 Jan 2025 08:47:42 -0600 Subject: [PATCH 4/6] opa fmt with v1.0.0 --- coderd/rbac/policy.rego | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/coderd/rbac/policy.rego b/coderd/rbac/policy.rego index f1c58317213c4..ea381fa88d8e4 100644 --- a/coderd/rbac/policy.rego +++ b/coderd/rbac/policy.rego @@ -31,12 +31,12 @@ import rego.v1 # bool_flip lets you assign a value to an inverted bool. # You cannot do 'x := !false', but you can do 'x := bool_flip(false)' -bool_flip(b) = flipped if { +bool_flip(b) := flipped if { b flipped = false } -bool_flip(b) = flipped if { +bool_flip(b) := flipped if { not b flipped = true } @@ -45,17 +45,17 @@ bool_flip(b) = flipped if { # -1: {false, true} or {false} # 0: {} # 1: {true} -number(set) = c if { +number(set) := c if { count(set) == 0 c := 0 } -number(set) = c if { +number(set) := c if { false in set c := -1 } -number(set) = c if { +number(set) := c if { not false in set set[_] c := 1 @@ -64,7 +64,7 @@ number(set) = c if { # site, org, and user rules are all similar. Each rule should return a number # from [-1, 1]. The number corresponds to "negative", "abstain", and "positive" # for the given level. See the 'allow' rules for how these numbers are used. -default site = 0 +default site := 0 site := site_allow(input.subject.roles) @@ -93,7 +93,7 @@ org_members := {orgID | # org is the same as 'site' except we need to iterate over each organization # that the actor is a member of. -default org = 0 +default org := 0 org := org_allow(input.subject.roles) @@ -193,7 +193,7 @@ org_ok if { # User is the same as the site, except it only applies if the user owns the object and # the user is apart of the org (if the object has an org). -default user = 0 +default user := 0 user := user_allow(input.subject.roles) From a6ce8d2fd823ee3beca92df5e65ed485c96a78b9 Mon Sep 17 00:00:00 2001 
From: Steven Masley Date: Thu, 2 Jan 2025 09:09:21 -0600 Subject: [PATCH 5/6] bump imports --- coderd/rbac/authz.go | 2 +- coderd/rbac/error.go | 2 +- coderd/rbac/regosql/compile.go | 2 +- coderd/rbac/regosql/compile_test.go | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/coderd/rbac/authz.go b/coderd/rbac/authz.go
index ff4f9ce2371d4..aaba7d6eae3af 100644
--- a/coderd/rbac/authz.go
+++ b/coderd/rbac/authz.go
@@ -12,7 +12,7 @@ import (
 "github.com/ammario/tlru"
 "github.com/open-policy-agent/opa/ast"
- "github.com/open-policy-agent/opa/rego"
+ "github.com/open-policy-agent/opa/v1/rego"
 "github.com/prometheus/client_golang/prometheus"
 "github.com/prometheus/client_golang/prometheus/promauto"
 "go.opentelemetry.io/otel/attribute"
diff --git a/coderd/rbac/error.go b/coderd/rbac/error.go
index 98735ade322c4..1ea16dca7f13f 100644
--- a/coderd/rbac/error.go
+++ b/coderd/rbac/error.go
@@ -6,8 +6,8 @@ import (
 "flag"
 "fmt"
- "github.com/open-policy-agent/opa/rego"
 "github.com/open-policy-agent/opa/topdown"
+ "github.com/open-policy-agent/opa/v1/rego"
 "golang.org/x/xerrors"
 "github.com/coder/coder/v2/coderd/httpapi/httpapiconstraints"
diff --git a/coderd/rbac/regosql/compile.go b/coderd/rbac/regosql/compile.go
index 69ef2a018f36c..7c843d619aa26 100644
--- a/coderd/rbac/regosql/compile.go
+++ b/coderd/rbac/regosql/compile.go
@@ -5,7 +5,7 @@ import (
 "strings"
 "github.com/open-policy-agent/opa/ast"
- "github.com/open-policy-agent/opa/rego"
+ "github.com/open-policy-agent/opa/v1/rego"
 "golang.org/x/xerrors"
 "github.com/coder/coder/v2/coderd/rbac/regosql/sqltypes"
diff --git a/coderd/rbac/regosql/compile_test.go b/coderd/rbac/regosql/compile_test.go
index be0385bf83699..a6b59d1fdd4bd 100644
--- a/coderd/rbac/regosql/compile_test.go
+++ b/coderd/rbac/regosql/compile_test.go
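Review bot: The authz.go import block now mixes OPA's v1 module path with the pre-1.0 one: `rego` moves to `github.com/open-policy-agent/opa/v1/rego` while `ast` on the line above stays on `github.com/open-policy-agent/opa/ast`, and the same split appears in error.go (where `topdown` also stays on the old path), in regosql/compile.go and in regosql/compile_test.go on the next line. If I read the 1.0 migration notes correctly, the top-level packages are kept as compatibility wrappers that default to Rego v0 semantics while the `v1/` packages default to v1, so a module parsed or compiled through `ast` and evaluated through `v1/rego` is governed by two different defaults and works today only because policy.rego now carries `import rego.v1`; the two paths interoperate through type aliases as far as I know, so this is a consistency point rather than a build break. I would finish the move in the same commit with `"github.com/open-policy-agent/opa/v1/ast"` and `"github.com/open-policy-agent/opa/v1/topdown"`, so the authorizer's parser, compiler and evaluator share one version default and a future drop of the compatibility packages does not land on the policy-enforcement path. The import block continues outside each hunk.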
@@ -4,7 +4,7 @@ import (
 "testing"
 "github.com/open-policy-agent/opa/ast"
- "github.com/open-policy-agent/opa/rego"
+ "github.com/open-policy-agent/opa/v1/rego"
 "github.com/stretchr/testify/require"
 "github.com/coder/coder/v2/coderd/rbac/regosql"
From ea6373f6e77857fc05fec28b0de0ffdd1d9a8a25 Mon Sep 17 00:00:00 2001 From: Steven Masley Date: Fri, 3 Jan 2025 10:40:48 -0600 Subject: [PATCH 6/6] go mod formatting --- go.mod | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/go.mod b/go.mod
index cf7a84f5336d2..e0251f198d037 100644
--- a/go.mod
+++ b/go.mod
@@ -426,6 +426,7 @@ require (
 github.com/yuin/goldmark-emoji v1.0.4 // indirect
 github.com/zclconf/go-cty v1.15.1
 github.com/zeebo/errs v1.3.0 // indirect
+ go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 go.opentelemetry.io/contrib v1.19.0 // indirect
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
 go.opentelemetry.io/otel/metric v1.33.0 // indirect
@@ -445,5 +446,3 @@ require (
 kernel.org/pub/linux/libs/security/libcap/psx v1.2.73 // indirect
 sigs.k8s.io/yaml v1.4.0 // indirect
 )
-
-require go.opentelemetry.io/auto/sdk v1.1.0 // indirect