Skip to content

feat: Convert rego queries into SQL clauses #4225

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 20 commits into from
Oct 4, 2022
Merged

feat: Convert rego queries into SQL clauses #4225

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
ff931dc
feat: Convert rego queries into SQL clauses
Emyrk Sep 27, 2022
e535e5a
Fix postgres quotes to single quotes
Emyrk Sep 27, 2022
8f92953
Ensure all test cases can compile into SQL clauses
Emyrk Sep 27, 2022
cb5d519
Do not export extra types
Emyrk Sep 27, 2022
2bd0165
Add custom query with rbac filter
Emyrk Sep 27, 2022
364498c
First draft of a custom authorized db call
Emyrk Sep 28, 2022
b2da580
Merge remote-tracking branch 'origin/main' into stevenmasley/rego_to_sql
Emyrk Sep 28, 2022
d516be7
Add comments + tests
Emyrk Sep 28, 2022
125931a
Support better regex style matching for variables
Emyrk Sep 28, 2022
fc58da5
Handle jsonb arrays
Emyrk Sep 28, 2022
04c1d6a
Remove auth call on workspaces
Emyrk Sep 28, 2022
98b405e
Fix PG endpoints test
Emyrk Sep 28, 2022
6ad0b51
Match psql implementation
Emyrk Sep 29, 2022
7cfad87
Add some comments
Emyrk Sep 29, 2022
33c9d34
Merge remote-tracking branch 'origin/main' into stevenmasley/rego_to_sql
Emyrk Sep 29, 2022
f10e9b7
Remove unused argument
Emyrk Sep 29, 2022
d89c4d2
Add query name for tracking
Emyrk Sep 29, 2022
3828c29
Handle nested types
Emyrk Sep 30, 2022
913fb27
Add comment
Emyrk Sep 30, 2022
3e2fbb8
Renaming function call to GetAuthorizedWorkspaces
Emyrk Sep 30, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Add some comments
  • Loading branch information
@Emyrk
Emyrk committed Sep 29, 2022
commit 7cfad877ff795523c4a02e65ba8d51053e1b979c
26 changes: 13 additions & 13 deletions coderd/coderdtest/authorize.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -515,21 +515,21 @@ type RecordingAuthorizer struct {

var _ rbac.Authorizer = (*RecordingAuthorizer)(nil)

func (r *RecordingAuthorizer) FakeByRoleName(_ context.Context, subjectID string, roleNames []string, scope rbac.Scope, action rbac.Action, object rbac.Object, record bool) error {
if record {
r.Called = &authCall{
SubjectID: subjectID,
Roles: roleNames,
Scope: scope,
Action: action,
Object: object,
}
}
// ByRoleNameSQL does not record the call. This matches the postgres behavior
// of not calling Authorize()
func (r *RecordingAuthorizer) ByRoleNameSQL(_ context.Context, _ string, _ []string, _ rbac.Scope, _ rbac.Action, _ rbac.Object) error {
return r.AlwaysReturn
}

func (r *RecordingAuthorizer) ByRoleName(ctx context.Context, subjectID string, roleNames []string, scope rbac.Scope, action rbac.Action, object rbac.Object) error {
return r.FakeByRoleName(ctx, subjectID, roleNames, scope, action, object, true)
r.Called = &authCall{
SubjectID: subjectID,
Roles: roleNames,
Scope: scope,
Action: action,
Object: object,
}
return r.AlwaysReturn
}

func (r *RecordingAuthorizer) PrepareByRoleName(_ context.Context, subjectID string, roles []string, scope rbac.Scope, action rbac.Action, _ string) (rbac.PreparedAuthorized, error) {
Expand Down Expand Up @@ -558,7 +558,7 @@ type fakePreparedAuthorizer struct {
}

func (f *fakePreparedAuthorizer) Authorize(ctx context.Context, object rbac.Object) error {
return f.Original.FakeByRoleName(ctx, f.SubjectID, f.Roles, f.Scope, f.Action, object, true)
return f.Original.ByRoleName(ctx, f.SubjectID, f.Roles, f.Scope, f.Action, object)
}

// Compile returns a compiled version of the authorizer that will work for
Expand All @@ -568,7 +568,7 @@ func (f *fakePreparedAuthorizer) Compile() (rbac.AuthorizeFilter, error) {
}

func (f *fakePreparedAuthorizer) Eval(object rbac.Object) bool {
return f.Original.FakeByRoleName(context.Background(), f.SubjectID, f.Roles, f.Scope, f.Action, object, false) == nil
return f.Original.ByRoleNameSQL(context.Background(), f.SubjectID, f.Roles, f.Scope, f.Action, object) == nil
}

func (f fakePreparedAuthorizer) RegoString() string {
Expand Down
20 changes: 11 additions & 9 deletions coderd/rbac/query.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ type SQLColumn struct {
// Type indicates the postgres type of the column. Some expressions will
// need to know this in order to determine what SQL to produce.
// An example is if the variable is a jsonb array, the "contains" SQL
// query is `"value"' @> variable.` instead of `'value' = ANY(variable)`.
// query is `variable ? 'value'` instead of `'value' = ANY(variable)`.
// This type is only needed to be provided
Type TermType
}
Expand All @@ -47,7 +47,7 @@ type SQLConfig struct {
// }
// "input\.object\.group_acl\.(.*)": SQLColumn{
// ColumnSelect: "group_acl->$1",
// Type: VarTypeJsonb
// Type: VarTypeJsonbTextArray
// }
Variables []SQLColumn
}
Expand Down Expand Up @@ -394,12 +394,14 @@ func (t opInternalMember2) Eval(object Object) bool {
func (t opInternalMember2) SQLString(cfg SQLConfig) string {
if haystack, ok := t.Haystack.(*termVariable); ok {
// This is a special case where the haystack is a jsonb array.
// The more general way to solve this would be to implement a fuller type
// system and handle type conversions for each supported type.
// Then we could determine that the haystack is always an "array" and
// implement the "contains" function on the array type.
// But that requires a lot more code to handle a lot of cases we don't
// actually care about.
// There is a more general way to solve this, but that requires a lot
// more code to cover a lot more cases that we do not care about.
// To handle this more generally we should implement "Array" as a type.
// Then have the `contains` function on the Array type. This would defer
// knowing the element type to the Array and cover more cases without
// having to add more "if" branches here.
// But until we need more cases, our basic type system is ok, and
// this is the only case we need to handle.
if haystack.SQLType(cfg) == VarTypeJsonbTextArray {
return fmt.Sprintf("%s ? %s", haystack.SQLString(cfg), t.Needle.SQLString(cfg))
}
Expand Down Expand Up @@ -433,7 +435,7 @@ func (t termString) SQLString(_ SQLConfig) string {
return "'" + t.Value + "'"
}

func (t termString) SQLType(_ SQLConfig) TermType {
func (termString) SQLType(_ SQLConfig) TermType {
return VarTypeText
}

Expand Down