Skip to content

feat: add template RBAC/groups #4235

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 161 commits into from
Oct 10, 2022
Merged

feat: add template RBAC/groups #4235

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
161 commits
Select commit Hold shift + click to select a range
5a47132
feat: Add ACL list support to rego objects
Emyrk Sep 13, 2022
03f69bf
Add unit tests
Emyrk Sep 13, 2022
91a358d
Rename ACL list
Emyrk Sep 13, 2022
8f837b7
Flip rego json to key by user id
Emyrk Sep 15, 2022
8378c9b
feat: add template ACL
sreya Sep 17, 2022
54a0d13
add down migration
sreya Sep 19, 2022
72ea751
remove unused file
sreya Sep 19, 2022
d533a16
undo insert templates query change
sreya Sep 19, 2022
f56fcf9
add patch endpoint tests
sreya Sep 19, 2022
f162694
Unit test use shadowed copied value
Emyrk Sep 19, 2022
ea25c08
Allow wildcards for ACL list
Emyrk Sep 19, 2022
5a081eb
fix authorize bug
sreya Sep 19, 2022
072b3e4
feat: Allow filter to accept objects of multiple types
Emyrk Sep 19, 2022
205c36c
add support for private templates
sreya Sep 19, 2022
ba32928
go.mod
sreya Sep 19, 2022
5c6344f
Merge branch 'main' into resource_acl_list
sreya Sep 19, 2022
ef15908
fix rbac merge woes
sreya Sep 19, 2022
8ab5200
update migration
sreya Sep 19, 2022
c040e8e
fix workspaces_test
sreya Sep 19, 2022
1f4ceee
remove sqlx
sreya Sep 19, 2022
7cc71e1
fix audit
sreya Sep 19, 2022
131d5ed
fix lint
sreya Sep 19, 2022
8c3ee6a
Revert "remove sqlx"
sreya Sep 19, 2022
fe2af91
add test for list templates
sreya Sep 20, 2022
0218c4e
fix error msg
sreya Sep 20, 2022
6883106
fix sqlx woes
sreya Sep 20, 2022
4fbd9be
fix lint
sreya Sep 20, 2022
c96a6ca
fix audit
sreya Sep 20, 2022
57ba8b3
make gen
sreya Sep 20, 2022
c66d247
Merge branch 'main' into resource_acl_list
sreya Sep 20, 2022
0af367a
fix merge woes
sreya Sep 20, 2022
f6c3f51
fix test template
sreya Sep 20, 2022
6e72286
fmt
sreya Sep 20, 2022
44bcbde
Add base layout
BrunoQuaresma Sep 21, 2022
0f80beb
Add table
BrunoQuaresma Sep 21, 2022
d274d62
Add search user
BrunoQuaresma Sep 21, 2022
943c76b
Add user role
BrunoQuaresma Sep 21, 2022
7f7f1d3
Add update and delete
BrunoQuaresma Sep 21, 2022
967a1a9
Fix summary view
BrunoQuaresma Sep 21, 2022
1324991
Merge branch 'resource_acl_list' of github.com:coder/coder into resou…
BrunoQuaresma Sep 21, 2022
bd34d20
Merge branch 'resource_acl_list' of github.com:coder/coder into resou…
sreya Sep 22, 2022
5982dd3
add schema for groups
sreya Sep 22, 2022
c759d99
add skeleton for group API routes
sreya Sep 22, 2022
4169569
add create group endpoint
sreya Sep 22, 2022
a8943c9
add group httpmw
sreya Sep 22, 2022
9fbc15f
add patch group endpoint
sreya Sep 22, 2022
baaf445
add test pkg for opening database
sreya Sep 22, 2022
4f1a308
test: Add unit test to exercise roles query with multiple orgs
Emyrk Sep 22, 2022
f98c3b7
feat: Add group support to rego policy
Emyrk Sep 22, 2022
930cdf6
Add query to include group fetch
Emyrk Sep 22, 2022
b26cd97
Fix auth query
Emyrk Sep 22, 2022
bf13f37
add patch group endpoint w/ tests
sreya Sep 22, 2022
eea0aee
add get group endpoint w/ tests
sreya Sep 22, 2022
d70911b
add groups endpoint with tests
sreya Sep 22, 2022
ba1953a
Add groups to rego objects
Emyrk Sep 22, 2022
7544e37
fix: Group ACL list fixed
Emyrk Sep 22, 2022
ff9d968
add delete group endpoint
sreya Sep 22, 2022
7f2de03
Merge branch 'groups' of github.com:coder/coder into groups
sreya Sep 22, 2022
8cf12e9
Merge remote-tracking branch 'origin/main' into groups
Emyrk Sep 23, 2022
ea84bc6
Fix authorize calls for group endpoints
Emyrk Sep 23, 2022
f28156f
Merge remote-tracking branch 'origin/main' into groups
Emyrk Sep 26, 2022
759bddf
Fix FE errors
BrunoQuaresma Sep 26, 2022
0e2cb22
Fix migration name
BrunoQuaresma Sep 26, 2022
41b79b6
Scopes broke ACL. Fixing unit tests.
Emyrk Sep 26, 2022
7297c3c
fix: Fix acl list rego policy
Emyrk Sep 26, 2022
dc65257
Remove need to be in the org for the group to work in the rego
Emyrk Sep 26, 2022
d50a0c5
Add group ACL unit test
Emyrk Sep 26, 2022
7375484
update uuid -> id
sreya Sep 26, 2022
d70664d
make gen
sreya Sep 26, 2022
3dac95a
Add index page for groups
BrunoQuaresma Sep 26, 2022
5ac06fb
Merge branch 'groups' of github.com:coder/coder into groups
BrunoQuaresma Sep 26, 2022
2c4fd8d
Add create group page
BrunoQuaresma Sep 26, 2022
cb1464f
Remove filter's ability to filter multiple object types
Emyrk Sep 26, 2022
c2e1196
Merge remote-tracking branch 'origin/main' into groups
Emyrk Sep 26, 2022
afe328b
groups changes
sreya Sep 26, 2022
85e05c3
Merge branch 'groups' of github.com:coder/coder into groups
BrunoQuaresma Sep 26, 2022
e0ea8ec
Add user auto complete component
BrunoQuaresma Sep 26, 2022
82b1faf
add groups acl
sreya Sep 27, 2022
6505039
Add member to the group
BrunoQuaresma Sep 27, 2022
7e98ca8
Refactor loader
BrunoQuaresma Sep 27, 2022
4bb1e5f
Add empty state
BrunoQuaresma Sep 27, 2022
cba7065
Remove members from group
BrunoQuaresma Sep 27, 2022
d6b7f42
Merge branch 'main' of github.com:coder/coder into groups
BrunoQuaresma Sep 27, 2022
9dee125
Fix migrations
BrunoQuaresma Sep 27, 2022
883b28c
Merge branch 'groups' of github.com:coder/coder into groups
sreya Sep 27, 2022
a27d364
Update autocomplete and update verbiage
BrunoQuaresma Sep 27, 2022
11690bc
Adjust autocomplete height
BrunoQuaresma Sep 27, 2022
c18379e
Merge branch 'groups' of github.com:coder/coder into groups
sreya Sep 27, 2022
53ff126
prevent duplicate group adds
sreya Sep 27, 2022
5180608
Delete a group
BrunoQuaresma Sep 27, 2022
7770498
Merge branch 'groups' of github.com:coder/coder into groups
BrunoQuaresma Sep 27, 2022
9aa686b
Add group settings
BrunoQuaresma Sep 27, 2022
5e956c1
Fix loader
BrunoQuaresma Sep 27, 2022
d08bd75
Add implied all_users to org members
Emyrk Sep 27, 2022
876a7c7
Move groups to users page with tabs
BrunoQuaresma Sep 27, 2022
9c9e9c0
Improve groups table
BrunoQuaresma Sep 27, 2022
3ee20a3
add all users group
sreya Sep 27, 2022
3ea5793
add endpoints for patching template groups
sreya Sep 27, 2022
fc4c275
Merge branch 'groups' of github.com:coder/coder into groups
sreya Sep 28, 2022
6379c7b
make gen
sreya Sep 28, 2022
6aa1712
Merge branch 'main' into groups
sreya Sep 28, 2022
b0fc388
fix tests
sreya Sep 28, 2022
7d1ce8b
fix migration
sreya Sep 28, 2022
200ea81
fix migration (again)
sreya Sep 28, 2022
9f344fc
feat: move groups/template RBAC to enterprise folder (#4236)
sreya Sep 28, 2022
b763bc2
chore: update TemplateRole names (#4248)
sreya Sep 28, 2022
0ba4465
add custom group access test (#4254)
sreya Sep 29, 2022
9662a3b
refactor all users to behave the same as any other group (#4266)
sreya Sep 29, 2022
58679e5
filter deleted/suspended users (#4271)
sreya Sep 30, 2022
248a3f3
Update FE to use Template ACL and Groups (#4267)
BrunoQuaresma Sep 30, 2022
a0c8571
Merge branch 'main' of github.com:coder/coder into groups
BrunoQuaresma Sep 30, 2022
08805b3
allow org members to read all groups (#4277)
sreya Sep 30, 2022
845d81f
populate template acl group with members (#4279)
sreya Sep 30, 2022
564928e
chore: Minor rego optimization by removing excessive queries (#4275)
Emyrk Sep 30, 2022
38cce76
feat: Add resource_id option to authcheck (#4278)
Emyrk Sep 30, 2022
dac034f
Merge branch 'main' of github.com:coder/coder into groups
BrunoQuaresma Sep 30, 2022
a59138a
Add group for authcheck
Emyrk Oct 3, 2022
a50af85
chore: Update permissions (#4337)
BrunoQuaresma Oct 3, 2022
993ee32
filter deleted/suspended users for groups (#4343)
sreya Oct 3, 2022
a52203d
rm extraneous filter (#4272)
sreya Oct 3, 2022
bfa35e3
merge main into groups (#4349)
sreya Oct 3, 2022
1c461f7
add groups to license entitlements (#4345)
sreya Oct 3, 2022
c5ecbf4
omit all users from groups endpoint (#4350)
sreya Oct 3, 2022
f0f5a93
Add paywall into the entitlements
BrunoQuaresma Oct 4, 2022
efd1ed2
Merge remote-tracking branch 'origin/main' into groups
Emyrk Oct 4, 2022
cbaafca
Fix rego -> SQL in acl cases with string literals
Emyrk Oct 4, 2022
f20b783
Merge branch 'main' of github.com:coder/coder into groups
BrunoQuaresma Oct 4, 2022
cc2138d
Use rego to eval, not custom
Emyrk Oct 4, 2022
fd0b43a
Fix Navbar tests
BrunoQuaresma Oct 4, 2022
5997317
Fix UsersPage test
BrunoQuaresma Oct 4, 2022
0cf3784
Merge branch 'groups' of github.com:coder/coder into groups
BrunoQuaresma Oct 4, 2022
7c76bc0
Fix Template tests
BrunoQuaresma Oct 4, 2022
b77eeaf
Regenerate types
BrunoQuaresma Oct 4, 2022
0afc361
Remove type generation
BrunoQuaresma Oct 4, 2022
461cb8a
Switch to NoACL config as those columns do not exist
Emyrk Oct 4, 2022
620c384
Fix service extension
BrunoQuaresma Oct 4, 2022
e7f72af
Merge branch 'groups' of github.com:coder/coder into groups
BrunoQuaresma Oct 4, 2022
b920801
fix lint
sreya Oct 4, 2022
9bfa415
add test for creating a forbidden template (#4371)
sreya Oct 5, 2022
22db0d2
migrate existing templates (#4353)
sreya Oct 5, 2022
e0c90ef
Fix routes
BrunoQuaresma Oct 5, 2022
f0fd9a0
Add GroupsPage storybook
BrunoQuaresma Oct 6, 2022
20670f1
Add CreateGroupPage stories
BrunoQuaresma Oct 6, 2022
09c6771
Add Settings Group Page stories
BrunoQuaresma Oct 6, 2022
f8a7b7e
Add template permissions stories
BrunoQuaresma Oct 6, 2022
b86abcf
Fix FE
BrunoQuaresma Oct 6, 2022
510287b
Fix repetitive results
BrunoQuaresma Oct 7, 2022
21af86e
feat: Allow users to make files (#4423)
Emyrk Oct 9, 2022
9e199d3
add test for template rbac admin pushing template version (#4438)
sreya Oct 9, 2022
b101ae7
merge main into groups (#4439)
sreya Oct 10, 2022
d715ea6
Revert "merge main into groups (#4439)"
sreya Oct 10, 2022
413b6e1
merge main
sreya Oct 10, 2022
85d0643
fix coderd/license
sreya Oct 9, 2022
262bb45
fix license woes
sreya Oct 9, 2022
a5c6848
remove migration conflict
sreya Oct 9, 2022
a69c018
fix tests
sreya Oct 10, 2022
1809d3e
fix merge conflict
sreya Oct 10, 2022
21c078b
fix ts lint
sreya Oct 10, 2022
c8f6afd
make fmt
sreya Oct 10, 2022
ad02da0
delete old files
sreya Oct 10, 2022
35aef1b
Fix types
BrunoQuaresma Oct 10, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions coderd/audit.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -265,6 +265,7 @@ func auditSearchQuery(query string) (database.GetAuditLogsOffsetParams, []coders
Username: parser.String(searchParams, "", "username"),
Email: parser.String(searchParams, "", "email"),
}

return filter, parser.Errors
}

Expand Down Expand Up @@ -296,6 +297,7 @@ func actionFromString(actionString string) string {
return actionString
case codersdk.AuditActionDelete:
return actionString
default:
}
return ""
}
91 changes: 80 additions & 11 deletions coderd/authorize.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@ import (
"fmt"
"net/http"

"github.com/google/uuid"

"golang.org/x/xerrors"

"cdr.dev/slog"
Expand All @@ -18,7 +20,7 @@ import (
// This is faster than calling Authorize() on each object.
func AuthorizeFilter[O rbac.Objecter](h *HTTPAuthorizer, r *http.Request, action rbac.Action, objects []O) ([]O, error) {
roles := httpmw.UserAuthorization(r)
objects, err := rbac.Filter(r.Context(), h.Authorizer, roles.ID.String(), roles.Roles, roles.Scope.ToRBAC(), action, objects)
objects, err := rbac.Filter(r.Context(), h.Authorizer, roles.ID.String(), roles.Roles, roles.Scope.ToRBAC(), roles.Groups, action, objects)
if err != nil {
// Log the error as Filter should not be erroring.
h.Logger.Error(r.Context(), "filter failed",
Expand Down Expand Up @@ -63,7 +65,7 @@ func (api *API) Authorize(r *http.Request, action rbac.Action, object rbac.Objec
// }
func (h *HTTPAuthorizer) Authorize(r *http.Request, action rbac.Action, object rbac.Objecter) bool {
roles := httpmw.UserAuthorization(r)
err := h.Authorizer.ByRoleName(r.Context(), roles.ID.String(), roles.Roles, roles.Scope.ToRBAC(), action, object.RBACObject())
err := h.Authorizer.ByRoleName(r.Context(), roles.ID.String(), roles.Roles, roles.Scope.ToRBAC(), roles.Groups, action, object.RBACObject())
if err != nil {
// Log the errors for debugging
internalError := new(rbac.UnauthorizedError)
Expand Down Expand Up @@ -95,7 +97,7 @@ func (h *HTTPAuthorizer) Authorize(r *http.Request, action rbac.Action, object r
// Note the authorization is only for the given action and object type.
func (h *HTTPAuthorizer) AuthorizeSQLFilter(r *http.Request, action rbac.Action, objectType string) (rbac.AuthorizeFilter, error) {
roles := httpmw.UserAuthorization(r)
prepared, err := h.Authorizer.PrepareByRoleName(r.Context(), roles.ID.String(), roles.Roles, roles.Scope.ToRBAC(), action, objectType)
prepared, err := h.Authorizer.PrepareByRoleName(r.Context(), roles.ID.String(), roles.Roles, roles.Scope.ToRBAC(), roles.Groups, action, objectType)
if err != nil {
return nil, xerrors.Errorf("prepare filter: %w", err)
}
Expand Down Expand Up @@ -127,6 +129,28 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) {
)

response := make(codersdk.AuthorizationResponse)
// Prevent using too many resources by ID. This prevents database abuse
// from this endpoint. This also prevents misuse of this endpoint, as
// resource_id should be used for single objects, not for a list of them.
var (
idFetch int
maxFetch = 10
)
for _, v := range params.Checks {
if v.Object.ResourceID != "" {
idFetch++
}
}
if idFetch > maxFetch {
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
Message: fmt.Sprintf(
"Endpoint only supports using \"resource_id\" field %d times, found %d usages. Remove %d objects with this field set.",
maxFetch, idFetch, idFetch-maxFetch,
),
})
return
}

for k, v := range params.Checks {
if v.Object.ResourceType == "" {
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
Expand All @@ -135,15 +159,60 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) {
return
}

if v.Object.OwnerID == "me" {
v.Object.OwnerID = auth.ID.String()
obj := rbac.Object{
Owner: v.Object.OwnerID,
OrgID: v.Object.OrganizationID,
Type: v.Object.ResourceType,
}
err := api.Authorizer.ByRoleName(r.Context(), auth.ID.String(), auth.Roles, auth.Scope.ToRBAC(), rbac.Action(v.Action),
rbac.Object{
Owner: v.Object.OwnerID,
OrgID: v.Object.OrganizationID,
Type: v.Object.ResourceType,
})
if obj.Owner == "me" {
obj.Owner = auth.ID.String()
}

// If a resource ID is specified, fetch that specific resource.
if v.Object.ResourceID != "" {
id, err := uuid.Parse(v.Object.ResourceID)
if err != nil {
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
Message: fmt.Sprintf("Object %q id is not a valid uuid.", v.Object.ResourceID),
Validations: []codersdk.ValidationError{{Field: "resource_id", Detail: err.Error()}},
})
return
}

var dbObj rbac.Objecter
var dbErr error
// Only support referencing some resources by ID.
switch v.Object.ResourceType {
case rbac.ResourceWorkspaceExecution.Type:
wrkSpace, err := api.Database.GetWorkspaceByID(ctx, id)
if err == nil {
dbObj = wrkSpace.ExecutionRBAC()
}
dbErr = err
case rbac.ResourceWorkspace.Type:
dbObj, dbErr = api.Database.GetWorkspaceByID(ctx, id)
case rbac.ResourceTemplate.Type:
dbObj, dbErr = api.Database.GetTemplateByID(ctx, id)
case rbac.ResourceUser.Type:
dbObj, dbErr = api.Database.GetUserByID(ctx, id)
case rbac.ResourceGroup.Type:
dbObj, dbErr = api.Database.GetGroupByID(ctx, id)
default:
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
Message: fmt.Sprintf("Object type %q does not support \"resource_id\" field.", v.Object.ResourceType),
Validations: []codersdk.ValidationError{{Field: "resource_type", Detail: err.Error()}},
})
return
}
Comment on lines +185 to +206
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Non-blocking: we could probably fetch by multiple IDs instead for performance. Not sure how frequently this case is hit though...

if dbErr != nil {
// 404 or unauthorized is false
response[k] = false
continue
}
obj = dbObj.RBACObject()
}

err := api.Authorizer.ByRoleName(r.Context(), auth.ID.String(), auth.Roles, auth.Scope.ToRBAC(), auth.Groups, rbac.Action(v.Action), obj)
response[k] = err == nil
}

Expand Down
51 changes: 34 additions & 17 deletions coderd/authorize_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,9 @@ func TestCheckPermissions(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
t.Cleanup(cancel)

adminClient := coderdtest.New(t, nil)
adminClient := coderdtest.New(t, &coderdtest.Options{
IncludeProvisionerDaemon: true,
})
// Create adminClient, member, and org adminClient
adminUser := coderdtest.CreateFirstUser(t, adminClient)
memberClient := coderdtest.CreateAnotherUser(t, adminClient, adminUser.OrganizationID)
Expand All @@ -29,12 +31,17 @@ func TestCheckPermissions(t *testing.T) {
orgAdminUser, err := orgAdminClient.User(ctx, codersdk.Me)
require.NoError(t, err)

version := coderdtest.CreateTemplateVersion(t, adminClient, adminUser.OrganizationID, nil)
coderdtest.AwaitTemplateVersionJob(t, adminClient, version.ID)
template := coderdtest.CreateTemplate(t, adminClient, adminUser.OrganizationID, version.ID)

// With admin, member, and org admin
const (
readAllUsers = "read-all-users"
readOrgWorkspaces = "read-org-workspaces"
readMyself = "read-myself"
readOwnWorkspaces = "read-own-workspaces"
readAllUsers = "read-all-users"
readOrgWorkspaces = "read-org-workspaces"
readMyself = "read-myself"
readOwnWorkspaces = "read-own-workspaces"
updateSpecificTemplate = "update-specific-template"
)
params := map[string]codersdk.AuthorizationCheck{
readAllUsers: {
Expand Down Expand Up @@ -64,6 +71,13 @@ func TestCheckPermissions(t *testing.T) {
},
Action: "read",
},
updateSpecificTemplate: {
Object: codersdk.AuthorizationObject{
ResourceType: rbac.ResourceTemplate.Type,
ResourceID: template.ID.String(),
},
Action: "update",
},
}

testCases := []struct {
Expand All @@ -77,32 +91,35 @@ func TestCheckPermissions(t *testing.T) {
Client: adminClient,
UserID: adminUser.UserID,
Check: map[string]bool{
readAllUsers: true,
readMyself: true,
readOwnWorkspaces: true,
readOrgWorkspaces: true,
readAllUsers: true,
readMyself: true,
readOwnWorkspaces: true,
readOrgWorkspaces: true,
updateSpecificTemplate: true,
},
},
{
Name: "OrgAdmin",
Client: orgAdminClient,
UserID: orgAdminUser.ID,
Check: map[string]bool{
readAllUsers: false,
readMyself: true,
readOwnWorkspaces: true,
readOrgWorkspaces: true,
readAllUsers: false,
readMyself: true,
readOwnWorkspaces: true,
readOrgWorkspaces: true,
updateSpecificTemplate: true,
},
},
{
Name: "Member",
Client: memberClient,
UserID: memberUser.ID,
Check: map[string]bool{
readAllUsers: false,
readMyself: true,
readOwnWorkspaces: true,
readOrgWorkspaces: false,
readAllUsers: false,
readMyself: true,
readOwnWorkspaces: true,
readOrgWorkspaces: false,
updateSpecificTemplate: false,
},
},
}
Expand Down
1 change: 1 addition & 0 deletions coderd/coderd.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -283,6 +283,7 @@ func New(options *Options) *API {
r.Get("/{hash}", api.fileByHash)
r.Post("/", api.postFile)
})

r.Route("/provisionerdaemons", func(r chi.Router) {
r.Use(
apiKeyMiddleware,
Expand Down
14 changes: 9 additions & 5 deletions coderd/coderdtest/authorize.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -499,6 +499,7 @@ func (a *AuthTester) Test(ctx context.Context, assertRoute map[string]RouteCheck
type authCall struct {
SubjectID string
Roles []string
Groups []string
Scope rbac.Scope
Action rbac.Action
Object rbac.Object
Expand All @@ -513,29 +514,31 @@ var _ rbac.Authorizer = (*RecordingAuthorizer)(nil)

// ByRoleNameSQL does not record the call. This matches the postgres behavior
// of not calling Authorize()
func (r *RecordingAuthorizer) ByRoleNameSQL(_ context.Context, _ string, _ []string, _ rbac.Scope, _ rbac.Action, _ rbac.Object) error {
func (r *RecordingAuthorizer) ByRoleNameSQL(_ context.Context, _ string, _ []string, _ rbac.Scope, _ []string, _ rbac.Action, _ rbac.Object) error {
return r.AlwaysReturn
}

func (r *RecordingAuthorizer) ByRoleName(_ context.Context, subjectID string, roleNames []string, scope rbac.Scope, action rbac.Action, object rbac.Object) error {
func (r *RecordingAuthorizer) ByRoleName(_ context.Context, subjectID string, roleNames []string, scope rbac.Scope, groups []string, action rbac.Action, object rbac.Object) error {
r.Called = &authCall{
SubjectID: subjectID,
Roles: roleNames,
Groups: groups,
Scope: scope,
Action: action,
Object: object,
}
return r.AlwaysReturn
}

func (r *RecordingAuthorizer) PrepareByRoleName(_ context.Context, subjectID string, roles []string, scope rbac.Scope, action rbac.Action, _ string) (rbac.PreparedAuthorized, error) {
func (r *RecordingAuthorizer) PrepareByRoleName(_ context.Context, subjectID string, roles []string, scope rbac.Scope, groups []string, action rbac.Action, _ string) (rbac.PreparedAuthorized, error) {
return &fakePreparedAuthorizer{
Original: r,
SubjectID: subjectID,
Roles: roles,
Scope: scope,
Action: action,
HardCodedSQLString: "true",
Groups: groups,
}, nil
}

Expand All @@ -549,12 +552,13 @@ type fakePreparedAuthorizer struct {
Roles []string
Scope rbac.Scope
Action rbac.Action
Groups []string
HardCodedSQLString string
HardCodedRegoString string
}

func (f *fakePreparedAuthorizer) Authorize(ctx context.Context, object rbac.Object) error {
return f.Original.ByRoleName(ctx, f.SubjectID, f.Roles, f.Scope, f.Action, object)
return f.Original.ByRoleName(ctx, f.SubjectID, f.Roles, f.Scope, f.Groups, f.Action, object)
}

// Compile returns a compiled version of the authorizer that will work for
Expand All @@ -564,7 +568,7 @@ func (f *fakePreparedAuthorizer) Compile() (rbac.AuthorizeFilter, error) {
}

func (f *fakePreparedAuthorizer) Eval(object rbac.Object) bool {
return f.Original.ByRoleNameSQL(context.Background(), f.SubjectID, f.Roles, f.Scope, f.Action, object) == nil
return f.Original.ByRoleNameSQL(context.Background(), f.SubjectID, f.Roles, f.Scope, f.Groups, f.Action, object) == nil
}

func (f fakePreparedAuthorizer) RegoString() string {
Expand Down
27 changes: 3 additions & 24 deletions coderd/coderdtest/coderdtest.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,6 @@ import (
"crypto/sha256"
"crypto/x509"
"crypto/x509/pkix"
"database/sql"
"encoding/base64"
"encoding/json"
"encoding/pem"
Expand All @@ -21,7 +20,6 @@ import (
"net/http"
"net/http/httptest"
"net/url"
"os"
"strconv"
"strings"
"testing"
Expand Down Expand Up @@ -49,8 +47,7 @@ import (
"github.com/coder/coder/coderd/autobuild/executor"
"github.com/coder/coder/coderd/awsidentity"
"github.com/coder/coder/coderd/database"
"github.com/coder/coder/coderd/database/databasefake"
"github.com/coder/coder/coderd/database/postgres"
"github.com/coder/coder/coderd/database/dbtestutil"
"github.com/coder/coder/coderd/gitsshkey"
"github.com/coder/coder/coderd/rbac"
"github.com/coder/coder/coderd/telemetry"
Expand Down Expand Up @@ -139,26 +136,7 @@ func NewOptions(t *testing.T, options *Options) (*httptest.Server, context.Cance
})
}

// This can be hotswapped for a live database instance.
db := databasefake.New()
pubsub := database.NewPubsubInMemory()
if os.Getenv("DB") != "" {
connectionURL, closePg, err := postgres.Open()
require.NoError(t, err)
t.Cleanup(closePg)
sqlDB, err := sql.Open("postgres", connectionURL)
require.NoError(t, err)
t.Cleanup(func() {
_ = sqlDB.Close()
})
db = database.New(sqlDB)

pubsub, err = database.NewPubsub(context.Background(), sqlDB, connectionURL)
require.NoError(t, err)
t.Cleanup(func() {
_ = pubsub.Close()
})
}
db, pubsub := dbtestutil.NewDB(t)

ctx, cancelFunc := context.WithCancel(context.Background())
lifecycleExecutor := executor.New(
Expand Down Expand Up @@ -399,6 +377,7 @@ func createAnotherUserRetry(t *testing.T, client *codersdk.Client, organizationI
// with the responses provided. It uses the "echo" provisioner for compatibility
// with testing.
func CreateTemplateVersion(t *testing.T, client *codersdk.Client, organizationID uuid.UUID, res *echo.Responses) codersdk.TemplateVersion {
t.Helper()
data, err := echo.Tar(res)
require.NoError(t, err)
file, err := client.Upload(context.Background(), codersdk.ContentTypeTar, data)
Expand Down
Loading