Skip to content

chore: add x-authz-checks debug header when running in dev mode #16873

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Apr 10, 2025
Merged

chore: add x-authz-checks debug header when running in dev mode #16873

merged 7 commits into from
Apr 10, 2025

Conversation

aslilac
Copy link
Member

@aslilac aslilac commented Mar 10, 2025
edited
Loading

In development builds...

  • Adds a middleware that configures every request context with a set of authorization checks which have been made
  • Adds a recording authorizer that stores every authorization check in that request context set
  • Updates httpapi.Write to put this information in a response header

The header will look something like:

x-authz-checks: debug_info.read=true; template.update=true; deployment_config.read=true; idpsync_settings.read=true; notification_template.read=true; system.read=true; workspace_proxy.read=true; organization:any::organization.update=true; organization:any::group.update=true; organization:any::idpsync_settings.read=true; organization:any::assign_org_role.assign=true; group.read=true; user.update=true; deployment_stats.read=true; user.read=true; license.read=true; owner:0b974b9c-b357-4994-aa5e-532d9609625e::id:vQinIfz28C::api_key.read=true; group.create=true; organization.create=true; deployment_config.update=true; workspace_proxy.create=true; template.delete=true; user.create=true; organization:any::audit_log.read=true; organization:any::template.create=true; organization:any::organization_member.read=true

The syntax may look a bit weird, but I think it's important to have distinct separators for everything.

  • "attribute names" and "attribute values" are separated by :
  • "attributes" are separated by ::
  • "object type" and "action type" are separated by "."
  • "authorization check" and "authorization result" are separated by =
  • "authorizations" are separated by ;

This can totally be changed in the future if people think it's too confusing, but I think it's pretty good.

@aslilac aslilac requested a review from Emyrk March 10, 2025 23:20
Emyrk
Emyrk reviewed Mar 11, 2025
View reviewed changes
Emyrk
Emyrk reviewed Mar 11, 2025
View reviewed changes
Emyrk
Emyrk reviewed Mar 11, 2025
View reviewed changes
Emyrk
Emyrk reviewed Mar 11, 2025
View reviewed changes
johnstcn
johnstcn reviewed Mar 18, 2025
View reviewed changes
Emyrk
Emyrk reviewed Mar 25, 2025
View reviewed changes
@github-actions github-actions bot added the stale This issue is like stale bread. label Apr 2, 2025
@github-actions github-actions bot closed this Apr 5, 2025
@aslilac aslilac removed the stale This issue is like stale bread. label Apr 8, 2025
@aslilac aslilac reopened this Apr 8, 2025
@aslilac aslilac marked this pull request as ready for review April 8, 2025 23:36
@aslilac aslilac force-pushed the lilac/x-authz-checks branch from 6026b20 to 038ad91 Compare April 9, 2025 21:05
johnstcn
johnstcn reviewed Apr 10, 2025
View reviewed changes
coderd/rbac/authz.go Outdated
return
}

r.checks.Store(b.String(), authorized)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I know this probably shouldn't happen in the real world, but what if the first authz check returns true, and a subsequent authz check for the same subject, action, and object returns false? I think this would be a really good opportunity to catch something like this and make a lot of confused and angry noises.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe I should just use a slice so that duplicates get recorded

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ooh, a slice would also show you how many times a particular authz check gets done. Maybe a map[string]int to count frequencies? That would make it easier to read?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

map[string]int doesn't leave room to store the bool. now that I'm thinking about it, a slice is also nice because it guarantees that order is preserved, which is probably a good thing.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a good point actually! You can then reason about the order of the checks. 🧠

johnstcn
johnstcn reviewed Apr 10, 2025
View reviewed changes
coderd/coderd.go
Comment on lines +317 to +319
if buildinfo.IsDev() {
options.Authorizer = rbac.Recorder(options.Authorizer)
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will actually run on dogfood as well. Is this what we want?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yup! makes for a nice quick resource to check

@aslilac aslilac merged commit 46d4b28 into main Apr 10, 2025
34 checks passed
@aslilac aslilac deleted the lilac/x-authz-checks branch April 10, 2025 17:36
@github-actions github-actions bot locked and limited conversation to collaborators Apr 10, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@Emyrk Emyrk Emyrk left review comments

@johnstcn johnstcn johnstcn approved these changes

Assignees

@aslilac aslilac

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@aslilac @johnstcn @Emyrk