Allocate new slice for RBAC filter instead
Emyrk committed May 24, 2022
commit f401432a776628d0de0f664a728e77eb1cbc3876
4 changes: 2 additions & 2 deletions coderd/authorize.go
Expand Up @@ -12,12 +12,12 @@ import (
"github.com/coder/coder/coderd/rbac"
)

func AuthorizeFilter[O rbac.IsObject](api *api, r *http.Request, action rbac.Action, objects []O) []O {
func AuthorizeFilter[O rbac.Objecter](api *api, r *http.Request, action rbac.Action, objects []O) []O {
roles := httpmw.UserRoles(r)
return rbac.Filter(r.Context(), api.Authorizer, roles.ID.String(), roles.Roles, action, objects)
}

func (api *api) Authorize(rw http.ResponseWriter, r *http.Request, action rbac.Action, object rbac.IsObject) bool {
func (api *api) Authorize(rw http.ResponseWriter, r *http.Request, action rbac.Action, object rbac.Objecter) bool {
roles := httpmw.UserRoles(r)
err := api.Authorizer.ByRoleName(r.Context(), roles.ID.String(), roles.Roles, action, object.RBACObject())
if err != nil {
10 changes: 5 additions & 5 deletions coderd/rbac/authz.go
Expand Up @@ -17,17 +17,17 @@ type Authorizer interface {
// Filter does not allocate a new slice, and will use the existing one
// passed in. This can cause memory leaks if the slice is held for a prolonged
// period of time.
func Filter[O IsObject](ctx context.Context, auth Authorizer, subjID string, subjRoles []string, action Action, objects []O) []O {
var currentIdx int
func Filter[O Objecter](ctx context.Context, auth Authorizer, subjID string, subjRoles []string, action Action, objects []O) []O {
filtered := make([]O, 0)

for i := range objects {
object := objects[i]
err := auth.ByRoleName(ctx, subjID, subjRoles, action, object.RBACObject())
if err == nil {
objects[currentIdx] = objects[i]
currentIdx++
filtered = append(filtered, object)
}
}
return objects[:currentIdx]
return filtered
}

// RegoAuthorizer will use a prepared rego query for performing authorize()
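Review bot: The doc comment above Filter is left unchanged and now contradicts the body: it still says Filter "does not allocate a new slice" and warns about holding the caller's slice, while the new code appends to `filtered` and never writes to `objects`. Callers of an authorization filter need to know whether their input is mutated, so I would replace it with `// Filter returns a new slice containing only the objects the subject may perform action on; objects is not modified.` The comment should also state that any non-nil error from `ByRoleName` excludes the object, so an authorizer failure is indistinguishable from a denial here (fail-closed, but silent to the caller). As a minor point, `filtered := make([]O, 0, len(objects))` would avoid regrowth inside the loop. The comment may begin above the hunk, so check the lines before it when rewording.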
4 changes: 2 additions & 2 deletions coderd/rbac/object.go
Expand Up @@ -6,8 +6,8 @@ import (

const WildcardSymbol = "*"

// IsObject returns the RBAC object for itself.
type IsObject interface {
// Objecter returns the RBAC object for itself.
type Objecter interface {
RBACObject() Object
}
