Skip to content

chore: Rewrite rbac rego -> SQL clause #5138

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 23 commits into from
Nov 28, 2022
Merged

chore: Rewrite rbac rego -> SQL clause #5138

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
23 commits
Select commit Hold shift + click to select a range
d8fce5e
chore: Rewrite rbac rego -> SQL clause
Emyrk Nov 20, 2022
4b2e99f
Begin removing all old code
Emyrk Nov 20, 2022
6c89f1d
Add unit tests for equality and membership
Emyrk Nov 20, 2022
300dc4c
fixup! Add unit tests for equality and membership
Emyrk Nov 20, 2022
87b3454
Rework arguments
Emyrk Nov 20, 2022
de198c5
Add test vectors
Emyrk Nov 20, 2022
b9b1c4e
Handle empty arrays
Emyrk Nov 20, 2022
a0790b0
test: Add unit test verifying acl behavior against all normal cases.
Emyrk Nov 20, 2022
618904e
Implement AlwaysFalsE
Emyrk Nov 20, 2022
5de395a
Make filter ignore owner, not org
Emyrk Nov 21, 2022
e6696cc
Add comment
Emyrk Nov 21, 2022
1f37ca1
Cleanup some code
Emyrk Nov 21, 2022
203bc7c
Cleanup and comments
Emyrk Nov 21, 2022
f0fce00
Linting
Emyrk Nov 21, 2022
a000c15
errors.New -> xerrors.fmt
Emyrk Nov 21, 2022
a521616
More linting
Emyrk Nov 21, 2022
cbb219b
Handle fakeDB for authorize test
Emyrk Nov 21, 2022
f8453af
Add comment
Emyrk Nov 21, 2022
7e1f482
Trying to make the linter happy
Emyrk Nov 21, 2022
7b1231a
Add exempt method
Emyrk Nov 21, 2022
5333401
Merge remote-tracking branch 'origin/main' into stevenmasley/rego_to_…
Emyrk Nov 21, 2022
aae858e
Fix merge with master: Add template fields
Emyrk Nov 21, 2022
38e9fde
Add defensive programming checks
Emyrk Nov 28, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
chore: Rewrite rbac rego -> SQL clause 
Previous code was challenging to read with edge cases
  • Loading branch information
@Emyrk
Emyrk committed Nov 20, 2022
commit d8fce5e85eb014f689d628fed08404bcd5ae1b0f
122 changes: 122 additions & 0 deletions coderd/rbac/regosql/aclGroupVar.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,122 @@
package regosql

import (
"fmt"

"github.com/open-policy-agent/opa/ast"

"github.com/coder/coder/coderd/rbac/regosql/sqltypes"
)

var _ sqltypes.VariableMatcher = ACLGroupVar{}

// ACLGroupVar is also the Node type to reduce the number of types that we need
// to export.
var _ sqltypes.Node = ACLGroupVar{}

// ACLGroupVar is a variable matcher that handles group_acl and user_acl.
// The sql type is a jsonb object with the following structure:
//
// "group_acl": {
// "<group_name>": ["<actions>"]
// }
//
// This is a custom variable matcher as json objects have arbitrary complexity.
type ACLGroupVar struct {
StructSQL string
StructPath []string
// DenyAll is helpful for when we don't care about ACL groups.
// We need to default to denying access.
DenyAll bool

// FieldReference handles referencing the subfields, which could be
// more variables. We pass one in as the global one might not be correctly
// scoped.
FieldReference sqltypes.VariableMatcher

// Instance fields
Source sqltypes.RegoSource
GroupNode sqltypes.Node
}

func ACLGroupMatcher(fieldRefernce sqltypes.VariableMatcher, structSQL string, structPath []string) ACLGroupVar {
return ACLGroupVar{StructSQL: structSQL, StructPath: structPath, FieldReference: fieldRefernce}
}

func (ACLGroupVar) UseAs() sqltypes.Node { return ACLGroupVar{} }

// Disable is a helper to disable the ACL group matching in the SQL generation.
// This is because some tables do not have ACL columns, and in this case we
// do not want to grant access based on columns that do not exist.
// This replaces any clause with "group_acl" or "user_acl" with "false".
func (g *ACLGroupVar) Disable() *ACLGroupVar {
g.DenyAll = true
return g
}

func (g ACLGroupVar) ConvertVariable(rego ast.Ref) (sqltypes.Node, bool) {
// "left" will be a map of group names to actions in rego.
// {
// "all_users": ["read"]
// }
left, err := sqltypes.RegoVarPath(g.StructPath, rego)
if err != nil {
return nil, false
}

aclGrp := ACLGroupVar{
DenyAll: g.DenyAll,
StructSQL: g.StructSQL,
StructPath: g.StructPath,
FieldReference: g.FieldReference,

Source: sqltypes.RegoSource(rego.String()),
}

// We expect 1 more term. Either a ref or a string.
if len(left) != 1 {
return nil, false
}

// If the remaining is a variable, then we need to convert it.
// Assuming we support variable fields.
ref, ok := left[0].Value.(ast.Ref)
if ok && g.FieldReference != nil {
groupNode, ok := g.FieldReference.ConvertVariable(ref)
if ok {
aclGrp.GroupNode = groupNode
return aclGrp, true
}
}

// If it is a string, we assume it is a literal
groupName, ok := left[0].Value.(ast.String)
if ok {
aclGrp.GroupNode = sqltypes.String(string(groupName))
return aclGrp, true
}

// If we have not matched it yet, then it is something we do not recognize.
return nil, false
}

func (g ACLGroupVar) SQLString(cfg *sqltypes.SQLGenerator) string {
if g.DenyAll {
return "false"
}
return fmt.Sprintf("%s->%s", g.StructSQL, g.GroupNode.SQLString(cfg))
}

func (g ACLGroupVar) ContainsSQL(cfg *sqltypes.SQLGenerator, other sqltypes.Node) (string, error) {
if g.DenyAll {
return "false", nil
}

switch other.UseAs().(type) {
// Only supports containing other strings.
case sqltypes.AstString:
return fmt.Sprintf("%s ? %s", g.SQLString(cfg), other.SQLString(cfg)), nil
}

return "", fmt.Errorf("unsupported acl group contains %T", other)
}
Loading