feat: Add RBAC to /files endpoints

coder · Emyrk · May 24, 2022 · May 20, 2022 · May 23, 2022 · May 23, 2022
commit 84a415f44a5ef93cec9d8ad331d287d49afde4d0
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -134,6 +134,7 @@ func newRouter(options *Options, a *api) chi.Router {
 		r.Route("/files", func(r chi.Router) {
 			r.Use(
 				apiKeyMiddleware,
+				authRolesMiddleware,
 				// This number is arbitrary, but reading/writing
 				// file content is expensive so it should be small.
 				httpmw.RateLimitPerMinute(12),

diff --git a/coderd/coderd_test.go b/coderd/coderd_test.go
@@ -121,8 +121,6 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 
 		"POST:/api/v2/users/{user}/organizations": {NoAuthorize: true},
 
-		"POST:/api/v2/files":                       {NoAuthorize: true},
-		"GET:/api/v2/files/{hash}":                 {NoAuthorize: true},
 		"GET:/api/v2/workspaces/{workspace}/watch": {NoAuthorize: true},
 
 		// These endpoints have more assertions. This is good, add more endpoints to assert if you can!
@@ -184,6 +182,9 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 			AssertObject: workspaceRBACObj,
 		},
 
+		"POST:/api/v2/files":       {AssertAction: rbac.ActionCreate, AssertObject: rbac.ResourceFile},
+		"GET:/api/v2/files/{hash}": {AssertAction: rbac.ActionRead, AssertObject: rbac.ResourceFile},
+
 		// These endpoints need payloads to get to the auth part. Payloads will be required
 		"PUT:/api/v2/users/{user}/roles":             {StatusCode: http.StatusBadRequest, NoAuthorize: true},
 		"POST:/api/v2/workspaces/{workspace}/builds": {StatusCode: http.StatusBadRequest, NoAuthorize: true},
@@ -197,7 +198,7 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 		}
 		assertRoute[noTrailSlash] = v
 	}
-
+	
 	c, _ := srv.Config.Handler.(*chi.Mux)
 	err = chi.Walk(c, func(method string, route string, handler http.Handler, middlewares ...func(http.Handler) http.Handler) error {
 		name := method + ":" + route

diff --git a/coderd/files.go b/coderd/files.go
@@ -14,11 +14,16 @@ import (
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/httpapi"
 	"github.com/coder/coder/coderd/httpmw"
+	"github.com/coder/coder/coderd/rbac"
 	"github.com/coder/coder/codersdk"
 )
 
 func (api *api) postFile(rw http.ResponseWriter, r *http.Request) {
 	apiKey := httpmw.APIKey(r)
+	if !api.Authorize(rw, r, rbac.ActionCreate, rbac.ResourceFile) {
+		return
+	}
+
 	contentType := r.Header.Get("Content-Type")
 
 	switch contentType {
@@ -77,9 +82,7 @@ func (api *api) fileByHash(rw http.ResponseWriter, r *http.Request) {
 	}
 	file, err := api.Database.GetFileByHash(r.Context(), hash)
 	if errors.Is(err, sql.ErrNoRows) {
-		httpapi.Write(rw, http.StatusNotFound, httpapi.Response{
-			Message: "no file exists with that hash",
-		})
+		httpapi.Forbidden(rw)
 		return
 	}
 	if err != nil {
@@ -88,6 +91,12 @@ func (api *api) fileByHash(rw http.ResponseWriter, r *http.Request) {
 		})
 		return
 	}
+
+	if !api.Authorize(rw, r, rbac.ActionRead,
+		rbac.ResourceFile.WithOwner(file.CreatedBy.String()).WithID(file.Hash)) {
+		return
+	}
+
 	rw.Header().Set("Content-Type", file.Mimetype)
 	rw.WriteHeader(http.StatusOK)
 	_, _ = rw.Write(file.Data)

diff --git a/coderd/files_test.go b/coderd/files_test.go
@@ -50,7 +50,7 @@ func TestDownload(t *testing.T) {
 		_, _, err := client.Download(context.Background(), "something")
 		var apiErr *codersdk.Error
 		require.ErrorAs(t, err, &apiErr)
-		require.Equal(t, http.StatusNotFound, apiErr.StatusCode())
+		require.Equal(t, http.StatusForbidden, apiErr.StatusCode())
 	})
 
 	t.Run("Insert", func(t *testing.T) {