
feat: add template RBAC/groups #4235

Merged
merged 161 commits into from
Oct 10, 2022
Merged
161 commits
5a47132
feat: Add ACL list support to rego objects
Emyrk Sep 13, 2022
03f69bf
Add unit tests
Emyrk Sep 13, 2022
91a358d
Rename ACL list
Emyrk Sep 13, 2022
8f837b7
Flip rego json to key by user id
Emyrk Sep 15, 2022
8378c9b
feat: add template ACL
sreya Sep 17, 2022
54a0d13
add down migration
sreya Sep 19, 2022
72ea751
remove unused file
sreya Sep 19, 2022
d533a16
undo insert templates query change
sreya Sep 19, 2022
f56fcf9
add patch endpoint tests
sreya Sep 19, 2022
f162694
Unit test use shadowed copied value
Emyrk Sep 19, 2022
ea25c08
Allow wildcards for ACL list
Emyrk Sep 19, 2022
5a081eb
fix authorize bug
sreya Sep 19, 2022
072b3e4
feat: Allow filter to accept objects of multiple types
Emyrk Sep 19, 2022
205c36c
add support for private templates
sreya Sep 19, 2022
ba32928
go.mod
sreya Sep 19, 2022
5c6344f
Merge branch 'main' into resource_acl_list
sreya Sep 19, 2022
ef15908
fix rbac merge woes
sreya Sep 19, 2022
8ab5200
update migration
sreya Sep 19, 2022
c040e8e
fix workspaces_test
sreya Sep 19, 2022
1f4ceee
remove sqlx
sreya Sep 19, 2022
7cc71e1
fix audit
sreya Sep 19, 2022
131d5ed
fix lint
sreya Sep 19, 2022
8c3ee6a
Revert "remove sqlx"
sreya Sep 19, 2022
fe2af91
add test for list templates
sreya Sep 20, 2022
0218c4e
fix error msg
sreya Sep 20, 2022
6883106
fix sqlx woes
sreya Sep 20, 2022
4fbd9be
fix lint
sreya Sep 20, 2022
c96a6ca
fix audit
sreya Sep 20, 2022
57ba8b3
make gen
sreya Sep 20, 2022
c66d247
Merge branch 'main' into resource_acl_list
sreya Sep 20, 2022
0af367a
fix merge woes
sreya Sep 20, 2022
f6c3f51
fix test template
sreya Sep 20, 2022
6e72286
fmt
sreya Sep 20, 2022
44bcbde
Add base layout
BrunoQuaresma Sep 21, 2022
0f80beb
Add table
BrunoQuaresma Sep 21, 2022
d274d62
Add search user
BrunoQuaresma Sep 21, 2022
943c76b
Add user role
BrunoQuaresma Sep 21, 2022
7f7f1d3
Add update and delete
BrunoQuaresma Sep 21, 2022
967a1a9
Fix summary view
BrunoQuaresma Sep 21, 2022
1324991
Merge branch 'resource_acl_list' of github.com:coder/coder into resou…
BrunoQuaresma Sep 21, 2022
bd34d20
Merge branch 'resource_acl_list' of github.com:coder/coder into resou…
sreya Sep 22, 2022
5982dd3
add schema for groups
sreya Sep 22, 2022
c759d99
add skeleton for group API routes
sreya Sep 22, 2022
4169569
add create group endpoint
sreya Sep 22, 2022
a8943c9
add group httpmw
sreya Sep 22, 2022
9fbc15f
add patch group endpoint
sreya Sep 22, 2022
baaf445
add test pkg for opening database
sreya Sep 22, 2022
4f1a308
test: Add unit test to exercise roles query with multiple orgs
Emyrk Sep 22, 2022
f98c3b7
feat: Add group support to rego policy
Emyrk Sep 22, 2022
930cdf6
Add query to include group fetch
Emyrk Sep 22, 2022
b26cd97
Fix auth query
Emyrk Sep 22, 2022
bf13f37
add patch group endpoint w/ tests
sreya Sep 22, 2022
eea0aee
add get group endpoint w/ tests
sreya Sep 22, 2022
d70911b
add groups endpoint with tests
sreya Sep 22, 2022
ba1953a
Add groups to rego objects
Emyrk Sep 22, 2022
7544e37
fix: Group ACL list fixed
Emyrk Sep 22, 2022
ff9d968
add delete group endpoint
sreya Sep 22, 2022
7f2de03
Merge branch 'groups' of github.com:coder/coder into groups
sreya Sep 22, 2022
8cf12e9
Merge remote-tracking branch 'origin/main' into groups
Emyrk Sep 23, 2022
ea84bc6
Fix authorize calls for group endpoints
Emyrk Sep 23, 2022
f28156f
Merge remote-tracking branch 'origin/main' into groups
Emyrk Sep 26, 2022
759bddf
Fix FE errors
BrunoQuaresma Sep 26, 2022
0e2cb22
Fix migration name
BrunoQuaresma Sep 26, 2022
41b79b6
Scopes broke ACL. Fixing unit tests.
Emyrk Sep 26, 2022
7297c3c
fix: Fix acl list rego policy
Emyrk Sep 26, 2022
dc65257
Remove need to be in the org for the group to work in the rego
Emyrk Sep 26, 2022
d50a0c5
Add group ACL unit test
Emyrk Sep 26, 2022
7375484
update uuid -> id
sreya Sep 26, 2022
d70664d
make gen
sreya Sep 26, 2022
3dac95a
Add index page for groups
BrunoQuaresma Sep 26, 2022
5ac06fb
Merge branch 'groups' of github.com:coder/coder into groups
BrunoQuaresma Sep 26, 2022
2c4fd8d
Add create group page
BrunoQuaresma Sep 26, 2022
cb1464f
Remove filter's ability to filter multiple object types
Emyrk Sep 26, 2022
c2e1196
Merge remote-tracking branch 'origin/main' into groups
Emyrk Sep 26, 2022
afe328b
groups changes
sreya Sep 26, 2022
85e05c3
Merge branch 'groups' of github.com:coder/coder into groups
BrunoQuaresma Sep 26, 2022
e0ea8ec
Add user auto complete component
BrunoQuaresma Sep 26, 2022
82b1faf
add groups acl
sreya Sep 27, 2022
6505039
Add member to the group
BrunoQuaresma Sep 27, 2022
7e98ca8
Refactor loader
BrunoQuaresma Sep 27, 2022
4bb1e5f
Add empty state
BrunoQuaresma Sep 27, 2022
cba7065
Remove members from group
BrunoQuaresma Sep 27, 2022
d6b7f42
Merge branch 'main' of github.com:coder/coder into groups
BrunoQuaresma Sep 27, 2022
9dee125
Fix migrations
BrunoQuaresma Sep 27, 2022
883b28c
Merge branch 'groups' of github.com:coder/coder into groups
sreya Sep 27, 2022
a27d364
Update autocomplete and update verbiage
BrunoQuaresma Sep 27, 2022
11690bc
Adjust autocomplete height
BrunoQuaresma Sep 27, 2022
c18379e
Merge branch 'groups' of github.com:coder/coder into groups
sreya Sep 27, 2022
53ff126
prevent duplicate group adds
sreya Sep 27, 2022
5180608
Delete a group
BrunoQuaresma Sep 27, 2022
7770498
Merge branch 'groups' of github.com:coder/coder into groups
BrunoQuaresma Sep 27, 2022
9aa686b
Add group settings
BrunoQuaresma Sep 27, 2022
5e956c1
Fix loader
BrunoQuaresma Sep 27, 2022
d08bd75
Add implied all_users to org members
Emyrk Sep 27, 2022
876a7c7
Move groups to users page with tabs
BrunoQuaresma Sep 27, 2022
9c9e9c0
Improve groups table
BrunoQuaresma Sep 27, 2022
3ee20a3
add all users group
sreya Sep 27, 2022
3ea5793
add endpoints for patching template groups
sreya Sep 27, 2022
fc4c275
Merge branch 'groups' of github.com:coder/coder into groups
sreya Sep 28, 2022
6379c7b
make gen
sreya Sep 28, 2022
6aa1712
Merge branch 'main' into groups
sreya Sep 28, 2022
b0fc388
fix tests
sreya Sep 28, 2022
7d1ce8b
fix migration
sreya Sep 28, 2022
200ea81
fix migration (again)
sreya Sep 28, 2022
9f344fc
feat: move groups/template RBAC to enterprise folder (#4236)
sreya Sep 28, 2022
b763bc2
chore: update TemplateRole names (#4248)
sreya Sep 28, 2022
0ba4465
add custom group access test (#4254)
sreya Sep 29, 2022
9662a3b
refactor all users to behave the same as any other group (#4266)
sreya Sep 29, 2022
58679e5
filter deleted/suspended users (#4271)
sreya Sep 30, 2022
248a3f3
Update FE to use Template ACL and Groups (#4267)
BrunoQuaresma Sep 30, 2022
a0c8571
Merge branch 'main' of github.com:coder/coder into groups
BrunoQuaresma Sep 30, 2022
08805b3
allow org members to read all groups (#4277)
sreya Sep 30, 2022
845d81f
populate template acl group with members (#4279)
sreya Sep 30, 2022
564928e
chore: Minor rego optimization by removing excessive queries (#4275)
Emyrk Sep 30, 2022
38cce76
feat: Add resource_id option to authcheck (#4278)
Emyrk Sep 30, 2022
dac034f
Merge branch 'main' of github.com:coder/coder into groups
BrunoQuaresma Sep 30, 2022
a59138a
Add group for authcheck
Emyrk Oct 3, 2022
a50af85
chore: Update permissions (#4337)
BrunoQuaresma Oct 3, 2022
993ee32
filter deleted/suspended users for groups (#4343)
sreya Oct 3, 2022
a52203d
rm extraneous filter (#4272)
sreya Oct 3, 2022
bfa35e3
merge main into groups (#4349)
sreya Oct 3, 2022
1c461f7
add groups to license entitlements (#4345)
sreya Oct 3, 2022
c5ecbf4
omit all users from groups endpoint (#4350)
sreya Oct 3, 2022
f0f5a93
Add paywall into the entitlements
BrunoQuaresma Oct 4, 2022
efd1ed2
Merge remote-tracking branch 'origin/main' into groups
Emyrk Oct 4, 2022
cbaafca
Fix rego -> SQL in acl cases with string literals
Emyrk Oct 4, 2022
f20b783
Merge branch 'main' of github.com:coder/coder into groups
BrunoQuaresma Oct 4, 2022
cc2138d
Use rego to eval, not custom
Emyrk Oct 4, 2022
fd0b43a
Fix Navbar tests
BrunoQuaresma Oct 4, 2022
5997317
Fix UsersPage test
BrunoQuaresma Oct 4, 2022
0cf3784
Merge branch 'groups' of github.com:coder/coder into groups
BrunoQuaresma Oct 4, 2022
7c76bc0
Fix Template tests
BrunoQuaresma Oct 4, 2022
b77eeaf
Regenerate types
BrunoQuaresma Oct 4, 2022
0afc361
Remove type generation
BrunoQuaresma Oct 4, 2022
461cb8a
Switch to NoACL config as those columns do not exist
Emyrk Oct 4, 2022
620c384
Fix service extension
BrunoQuaresma Oct 4, 2022
e7f72af
Merge branch 'groups' of github.com:coder/coder into groups
BrunoQuaresma Oct 4, 2022
b920801
fix lint
sreya Oct 4, 2022
9bfa415
add test for creating a forbidden template (#4371)
sreya Oct 5, 2022
22db0d2
migrate existing templates (#4353)
sreya Oct 5, 2022
e0c90ef
Fix routes
BrunoQuaresma Oct 5, 2022
f0fd9a0
Add GroupsPage storybook
BrunoQuaresma Oct 6, 2022
20670f1
Add CreateGroupPage stories
BrunoQuaresma Oct 6, 2022
09c6771
Add Settings Group Page stories
BrunoQuaresma Oct 6, 2022
f8a7b7e
Add template permissions stories
BrunoQuaresma Oct 6, 2022
b86abcf
Fix FE
BrunoQuaresma Oct 6, 2022
510287b
Fix repetitive results
BrunoQuaresma Oct 7, 2022
21af86e
feat: Allow users to make files (#4423)
Emyrk Oct 9, 2022
9e199d3
add test for template rbac admin pushing template version (#4438)
sreya Oct 9, 2022
b101ae7
merge main into groups (#4439)
sreya Oct 10, 2022
d715ea6
Revert "merge main into groups (#4439)"
sreya Oct 10, 2022
413b6e1
merge main
sreya Oct 10, 2022
85d0643
fix coderd/license
sreya Oct 9, 2022
262bb45
fix license woes
sreya Oct 9, 2022
a5c6848
remove migration conflict
sreya Oct 9, 2022
a69c018
fix tests
sreya Oct 10, 2022
1809d3e
fix merge conflict
sreya Oct 10, 2022
21c078b
fix ts lint
sreya Oct 10, 2022
c8f6afd
make fmt
sreya Oct 10, 2022
ad02da0
delete old files
sreya Oct 10, 2022
35aef1b
Fix types
BrunoQuaresma Oct 10, 2022
fix: Group ACL list fixed
Emyrk committed Sep 22, 2022
commit 7544e373c301c5b2b43977cf57a3710c242e241c
4 changes: 2 additions & 2 deletions coderd/authorize.go
Expand Up @@ -12,7 +12,7 @@ import (

func AuthorizeFilter[O rbac.Objecter](h *HTTPAuthorizer, r *http.Request, action rbac.Action, objects []O) ([]O, error) {
roles := httpmw.UserAuthorization(r)
objects, err := rbac.Filter(r.Context(), h.Authorizer, roles.ID.String(), roles.Roles, roles.Scope.ToRBAC(), action, objects)
objects, err := rbac.Filter(r.Context(), h.Authorizer, roles.ID.String(), roles.Roles, roles.Groups, roles.Scope.ToRBAC(), action, objects)
if err != nil {
// Log the error as Filter should not be erroring.
h.Logger.Error(r.Context(), "filter failed",
Expand Down Expand Up @@ -57,7 +57,7 @@ func (api *API) Authorize(r *http.Request, action rbac.Action, object rbac.Objec
// }
func (h *HTTPAuthorizer) Authorize(r *http.Request, action rbac.Action, object rbac.Objecter) bool {
roles := httpmw.UserAuthorization(r)
err := h.Authorizer.ByRoleName(r.Context(), roles.ID.String(), roles.Roles, roles.Scope.ToRBAC(), action, object.RBACObject())
err := h.Authorizer.ByRoleName(r.Context(), roles.ID.String(), roles.Roles, roles.Groups, roles.Scope.ToRBAC(), action, object.RBACObject())
if err != nil {
// Log the errors for debugging
internalError := new(rbac.UnauthorizedError)
Expand Down
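Review bot: Neither AuthorizeFilter nor HTTPAuthorizer.Authorize documents that group membership is now part of the subject, so a reader of these wrappers cannot tell that `roles.Groups` (taken from httpmw.UserAuthorization) influences the decision. Suggest a doc comment on Authorize such as `// Authorize evaluates action on object for the request's subject: user ID, roles, group memberships and API-key scope, all taken from the API-key middleware rather than from the request body.`, with the same wording on AuthorizeFilter. Both function bodies continue past the hunk and the fields of the "filter failed" log call are not visible here; if that log lists the subject's roles it should list its groups as well, otherwise a denied request cannot be traced back to the memberships that were actually evaluated.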
10 changes: 7 additions & 3 deletions coderd/coderdtest/authorize.go
Expand Up @@ -498,6 +498,7 @@ func (a *AuthTester) Test(ctx context.Context, assertRoute map[string]RouteCheck
type authCall struct {
SubjectID string
Roles []string
Groups []string
Scope rbac.Scope
Action rbac.Action
Object rbac.Object
Expand All @@ -510,24 +511,26 @@ type RecordingAuthorizer struct {

var _ rbac.Authorizer = (*RecordingAuthorizer)(nil)

func (r *RecordingAuthorizer) ByRoleName(_ context.Context, subjectID string, roleNames []string, scope rbac.Scope, action rbac.Action, object rbac.Object) error {
func (r *RecordingAuthorizer) ByRoleName(_ context.Context, subjectID string, roleNames []string, groups []string, scope rbac.Scope, action rbac.Action, object rbac.Object) error {
r.Called = &authCall{
SubjectID: subjectID,
Roles: roleNames,
Groups: groups,
Scope: scope,
Action: action,
Object: object,
}
return r.AlwaysReturn
}

func (r *RecordingAuthorizer) PrepareByRoleName(_ context.Context, subjectID string, roles []string, scope rbac.Scope, action rbac.Action, _ string) (rbac.PreparedAuthorized, error) {
func (r *RecordingAuthorizer) PrepareByRoleName(_ context.Context, subjectID string, roles []string, groups []string, scope rbac.Scope, action rbac.Action, _ string) (rbac.PreparedAuthorized, error) {
return &fakePreparedAuthorizer{
Original: r,
SubjectID: subjectID,
Roles: roles,
Scope: scope,
Action: action,
Groups: groups,
}, nil
}

Expand All @@ -539,10 +542,11 @@ type fakePreparedAuthorizer struct {
Original *RecordingAuthorizer
SubjectID string
Roles []string
Groups []string
Scope rbac.Scope
Action rbac.Action
}

func (f *fakePreparedAuthorizer) Authorize(ctx context.Context, object rbac.Object) error {
return f.Original.ByRoleName(ctx, f.SubjectID, f.Roles, f.Scope, f.Action, object)
return f.Original.ByRoleName(ctx, f.SubjectID, f.Roles, f.Groups, f.Scope, f.Action, object)
}
2 changes: 2 additions & 0 deletions coderd/httpmw/apikey.go
Expand Up @@ -41,6 +41,7 @@ type Authorization struct {
ID uuid.UUID
Username string
Roles []string
Groups []string
Scope database.APIKeyScope
}

Expand Down Expand Up @@ -336,6 +337,7 @@ func ExtractAPIKey(db database.Store, oauth *OAuth2Configs, redirectToLogin bool
Username: roles.Username,
Roles: roles.Roles,
Scope: key.Scope,
Groups: roles.Groups,
})

next.ServeHTTP(rw, r.WithContext(ctx))
Expand Down
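Review bot: The new `Groups` field on `Authorization` carries no comment, yet it is now an input to every RBAC decision, so the struct should state where the value comes from. Suggest `// Groups holds the identifiers of the groups the user belongs to. Populated from the same database lookup as Roles, never from the request, so a caller cannot assert its own membership.` The assignment in ExtractAPIKey reads `roles.Groups`, but the `roles` value and the query behind it are outside this hunk, so the server-sourced claim should be confirmed against that query before the comment is written. Placing `Groups:` directly after `Roles:` in the literal rather than after `Scope:` would also keep the subject fields together.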
16 changes: 8 additions & 8 deletions coderd/rbac/authz.go
Expand Up @@ -13,8 +13,8 @@ import (
)

type Authorizer interface {
ByRoleName(ctx context.Context, subjectID string, roleNames []string, scope Scope, action Action, object Object) error
PrepareByRoleName(ctx context.Context, subjectID string, roleNames []string, scope Scope, action Action, objectType string) (PreparedAuthorized, error)
ByRoleName(ctx context.Context, subjectID string, roleNames []string, groups []string, scope Scope, action Action, object Object) error
PrepareByRoleName(ctx context.Context, subjectID string, roleNames []string, groups []string, scope Scope, action Action, objectType string) (PreparedAuthorized, error)
}

type PreparedAuthorized interface {
Expand All @@ -25,7 +25,7 @@ type PreparedAuthorized interface {
// the elements the subject does not have permission for. This function slows
// down if the list contains objects of multiple types. Attempt to only
// filter objects of the same type for faster performance.
func Filter[O Objecter](ctx context.Context, auth Authorizer, subjID string, subjRoles []string, scope Scope, action Action, objects []O) ([]O, error) {
func Filter[O Objecter](ctx context.Context, auth Authorizer, subjID string, subjRoles []string, groups []string, scope Scope, action Action, objects []O) ([]O, error) {
ctx, span := tracing.StartSpan(ctx, trace.WithAttributes(
attribute.String("subject_id", subjID),
attribute.StringSlice("subject_roles", subjRoles),
Expand All @@ -48,7 +48,7 @@ func Filter[O Objecter](ctx context.Context, auth Authorizer, subjID string, sub
objectAuth, ok := prepared[object.RBACObject().Type]
if !ok {
var err error
objectAuth, err = auth.PrepareByRoleName(ctx, subjID, subjRoles, scope, action, objectType)
objectAuth, err = auth.PrepareByRoleName(ctx, subjID, subjRoles, groups, scope, action, objectType)
if err != nil {
return nil, xerrors.Errorf("prepare: %w", err)
}
Expand Down Expand Up @@ -158,19 +158,19 @@ func (a RegoAuthorizer) Authorize(ctx context.Context, subjectID string, roles [

// Prepare will partially execute the rego policy leaving the object fields unknown (except for the type).
// This will vastly speed up performance if batch authorization on the same type of objects is needed.
func (RegoAuthorizer) Prepare(ctx context.Context, subjectID string, roles []Role, scope Scope, action Action, objectType string) (*PartialAuthorizer, error) {
func (RegoAuthorizer) Prepare(ctx context.Context, subjectID string, roles []Role, groups []string, scope Scope, action Action, objectType string) (*PartialAuthorizer, error) {
ctx, span := tracing.StartSpan(ctx)
defer span.End()

auth, err := newPartialAuthorizer(ctx, subjectID, roles, scope, action, objectType)
auth, err := newPartialAuthorizer(ctx, subjectID, roles, groups, scope, action, objectType)
if err != nil {
return nil, xerrors.Errorf("new partial authorizer: %w", err)
}

return auth, nil
}

func (a RegoAuthorizer) PrepareByRoleName(ctx context.Context, subjectID string, roleNames []string, scope Scope, action Action, objectType string) (PreparedAuthorized, error) {
func (a RegoAuthorizer) PrepareByRoleName(ctx context.Context, subjectID string, roleNames []string, groups []string, scope Scope, action Action, objectType string) (PreparedAuthorized, error) {
ctx, span := tracing.StartSpan(ctx)
defer span.End()

Expand All @@ -179,5 +179,5 @@ func (a RegoAuthorizer) PrepareByRoleName(ctx context.Context, subjectID string,
return nil, err
}

return a.Prepare(ctx, subjectID, roles, scope, action, objectType)
return a.Prepare(ctx, subjectID, roles, groups, scope, action, objectType)
}
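Review bot: The tracing span in Filter records `subject_id` and `subject_roles` but not the new `groups` parameter, so a trace of a filtered list can no longer explain the outcome once group grants are involved. Add `attribute.StringSlice("subject_groups", groups),` after the `subject_roles` attribute on line 641. The Authorizer interface methods also gained a `groups []string` parameter with no comment; a one-liner above the interface, `// groups are the identifiers of the groups the subject belongs to and are evaluated alongside roleNames.`, would tell implementers what to pass. Filter's body and RegoAuthorizer.Authorize continue outside the hunk.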
11 changes: 6 additions & 5 deletions coderd/rbac/authz_internal_test.go
Expand Up @@ -19,7 +19,8 @@ type subject struct {
// For the unit test we want to pass in the roles directly, instead of just
// by name. This allows us to test custom roles that do not exist in the product,
// but test edge cases of the implementation.
Roles []Role `json:"roles"`
Roles []Role `json:"roles"`
Groups []string `json:"groups"`
}

type fakeObject struct {
Expand Down Expand Up @@ -162,7 +163,7 @@ func TestFilter(t *testing.T) {
var allowedCount int
for i, obj := range localObjects {
obj.Type = tc.ObjectType
err := auth.ByRoleName(ctx, tc.SubjectID, tc.Roles, scope, ActionRead, obj.RBACObject())
err := auth.ByRoleName(ctx, tc.SubjectID, tc.Roles, []string{}, scope, ActionRead, obj.RBACObject())
obj.Allowed = err == nil
if err == nil {
allowedCount++
Expand All @@ -171,7 +172,7 @@ func TestFilter(t *testing.T) {
}

// Run by filter
list, err := Filter(ctx, auth, tc.SubjectID, tc.Roles, scope, tc.Action, localObjects)
list, err := Filter(ctx, auth, tc.SubjectID, tc.Roles, []string{}, scope, tc.Action, localObjects)
require.NoError(t, err)
require.Equal(t, allowedCount, len(list), "expected number of allowed")
for _, obj := range list {
Expand Down Expand Up @@ -714,7 +715,7 @@ func testAuthorize(t *testing.T, name string, subject subject, sets ...[]authTes
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort)
t.Cleanup(cancel)

authError := authorizer.Authorize(ctx, subject.UserID, subject.Roles, a, c.resource)
authError := authorizer.Authorize(ctx, subject.UserID, subject.Roles, subject.Groups, a, c.resource)

// Logging only
if authError != nil {
Expand All @@ -739,7 +740,7 @@ func testAuthorize(t *testing.T, name string, subject subject, sets ...[]authTes
assert.Error(t, authError, "expected unauthorized")
}

partialAuthz, err := authorizer.Prepare(ctx, subject.UserID, subject.Roles, ScopeAll, a, c.resource.Type)
partialAuthz, err := authorizer.Prepare(ctx, subject.UserID, subject.Roles, subject.Groups, ScopeAll, a, c.resource.Type)
require.NoError(t, err, "make prepared authorizer")

// Also check the rego policy can form a valid partial query result.
Expand Down
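Review bot: TestFilter passes `[]string{}` for groups in both the ByRoleName and Filter calls (lines 698 and 707), so the parity check between the two paths never runs with a group-bearing subject, and nothing covers a nil `groups` slice, which marshals to `null` in the rego input rather than `[]`. Suggest giving the TestFilter case struct a `Groups []string` field threaded into both calls, with at least one case whose subject has groups and one that passes nil, asserting that Filter and ByRoleName still agree. The case struct and the setup of the testAuthorize subject are outside the hunk, so whether any existing case sets `subject.Groups` cannot be seen from here.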
6 changes: 4 additions & 2 deletions coderd/rbac/builtin_test.go
Expand Up @@ -32,6 +32,7 @@ func BenchmarkRBACFilter(b *testing.B) {
benchCases := []struct {
Name string
Roles []string
Groups []string
UserID uuid.UUID
Scope rbac.Scope
}{
Expand Down Expand Up @@ -90,7 +91,7 @@ func BenchmarkRBACFilter(b *testing.B) {
b.Run(c.Name, func(b *testing.B) {
objects := benchmarkSetup(orgs, users, b.N)
b.ResetTimer()
allowed, err := rbac.Filter(context.Background(), authorizer, c.UserID.String(), c.Roles, c.Scope, rbac.ActionRead, objects)
allowed, err := rbac.Filter(context.Background(), authorizer, c.UserID.String(), c.Roles, c.Groups, c.Scope, rbac.ActionRead, objects)
require.NoError(b, err)
var _ = allowed
})
Expand All @@ -114,6 +115,7 @@ type authSubject struct {
Name string
UserID string
Roles []string
Groups []string
}

func TestRolePermissions(t *testing.T) {
Expand Down Expand Up @@ -359,7 +361,7 @@ func TestRolePermissions(t *testing.T) {
delete(remainingSubjs, subj.Name)
msg := fmt.Sprintf("%s as %q doing %q on %q", c.Name, subj.Name, action, c.Resource.Type)
// TODO: scopey
err := auth.ByRoleName(context.Background(), subj.UserID, subj.Roles, rbac.ScopeAll, action, c.Resource)
err := auth.ByRoleName(context.Background(), subj.UserID, subj.Roles, subj.Groups, rbac.ScopeAll, action, c.Resource)
if result {
assert.NoError(t, err, fmt.Sprintf("Should pass: %s", msg))
} else {
Expand Down
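Review bot: `Groups` was added to both the benchmark case struct and `authSubject`, but no visible case sets it, so the group path of the policy is neither benchmarked nor pinned by TestRolePermissions, which is the table that fixes what each built-in role may do. Add at least one subject such as `{Name: "member-in-group", UserID: ..., Roles: []string{...}, Groups: []string{"group-id"}}` and, if rbac.Object exposes a group ACL field, a resource carrying a matching entry, so a regression that lets a group grant bypass a role check is caught here. The case tables sit outside the hunk, so this is based only on the struct changes shown.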
13 changes: 7 additions & 6 deletions coderd/rbac/partial.go
Expand Up @@ -35,11 +35,11 @@ func (pa *PartialAuthorizer) Authorize(ctx context.Context, object Object) error
return nil
}

func newPartialAuthorizer(ctx context.Context, subjectID string, roles []Role, scope Scope, action Action, objectType string) (*PartialAuthorizer, error) {
func newPartialAuthorizer(ctx context.Context, subjectID string, roles []Role, groups []string, scope Scope, action Action, objectType string) (*PartialAuthorizer, error) {
ctx, span := tracing.StartSpan(ctx)
defer span.End()

pAuth, err := newSubPartialAuthorizer(ctx, subjectID, roles, action, objectType)
pAuth, err := newSubPartialAuthorizer(ctx, subjectID, roles, groups, action, objectType)
if err != nil {
return nil, err
}
Expand All @@ -51,7 +51,7 @@ func newPartialAuthorizer(ctx context.Context, subjectID string, roles []Role, s
return nil, xerrors.Errorf("unknown scope %q", scope)
}

scopeAuth, err = newSubPartialAuthorizer(ctx, subjectID, []Role{scopeRole}, action, objectType)
scopeAuth, err = newSubPartialAuthorizer(ctx, subjectID, []Role{scopeRole}, groups, action, objectType)
if err != nil {
return nil, err
}
Expand All @@ -78,14 +78,15 @@ type subPartialAuthorizer struct {
alwaysTrue bool
}

func newSubPartialAuthorizer(ctx context.Context, subjectID string, roles []Role, action Action, objectType string) (*subPartialAuthorizer, error) {
func newSubPartialAuthorizer(ctx context.Context, subjectID string, roles []Role, groups []string, action Action, objectType string) (*subPartialAuthorizer, error) {
ctx, span := tracing.StartSpan(ctx)
defer span.End()

input := map[string]interface{}{
"subject": authSubject{
ID: subjectID,
Roles: roles,
ID: subjectID,
Roles: roles,
Groups: groups,
},
"object": map[string]string{
"type": objectType,
Expand Down
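Review bot: newPartialAuthorizer now passes the subject's groups into the scope sub-authorizer as well (line 788, `newSubPartialAuthorizer(ctx, subjectID, []Role{scopeRole}, groups, action, objectType)`). A scope exists to narrow what an API key may do, so if the rego policy lets a group ACL entry on the object satisfy the evaluation, a restricted key could pass the scope check through group membership that the scope role never granted; that ACL-versus-scope interaction lives in the policy, which is outside this hunk, so it needs confirming. If scope evaluation should ignore ACLs, pass `nil` for groups on line 788 with a comment saying why; if the policy already excludes ACL grants for scope roles, a comment at the call site stating that would save the next reader the same question. Separately, `authSubject.Groups` marshals to `null` when a caller passes a nil slice, so a test that nil and empty groups produce the same partial query result is worth adding.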
2 changes: 1 addition & 1 deletion coderd/roles.go
Expand Up @@ -70,7 +70,7 @@ func (api *API) checkPermissions(rw http.ResponseWriter, r *http.Request) {
if v.Object.OwnerID == "me" {
v.Object.OwnerID = roles.ID.String()
}
err := api.Authorizer.ByRoleName(r.Context(), roles.ID.String(), roles.Roles, apiKey.Scope.ToRBAC(), rbac.Action(v.Action),
err := api.Authorizer.ByRoleName(r.Context(), roles.ID.String(), roles.Roles, roles.Groups, apiKey.Scope.ToRBAC(), rbac.Action(v.Action),
rbac.Object{
Owner: v.Object.OwnerID,
OrgID: v.Object.OrganizationID,
Expand Down