
feat: Implement allow_list for scopes for resource specific permissions #5769





Fix rbac benchmark
Emyrk committed Jan 18, 2023
commit 655e8dbf159444efededcb26a892a90a435f93ca
12 changes: 6 additions & 6 deletions coderd/rbac/authz.go
Expand Up @@ -170,10 +170,10 @@ func NewAuthorizer(registry prometheus.Registerer) *RegoAuthorizer {
}

type authSubject struct {
ID string `json:"id"`
Roles []Role `json:"roles"`
Groups []string `json:"groups"`
Scope Role `json:"scope"`
ID string `json:"id"`
Roles []Role `json:"roles"`
Groups []string `json:"groups"`
Scope ScopeRole `json:"scope"`
}

// ByRoleName will expand all roleNames into roles before calling Authorize().
Expand Down Expand Up @@ -216,7 +216,7 @@ func (a RegoAuthorizer) ByRoleName(ctx context.Context, subjectID string, roleNa

// Authorize allows passing in custom Roles.
// This is really helpful for unit testing, as we can create custom roles to exercise edge cases.
func (a RegoAuthorizer) Authorize(ctx context.Context, subjectID string, roles []Role, scope Role, groups []string, action Action, object Object) error {
func (a RegoAuthorizer) Authorize(ctx context.Context, subjectID string, roles []Role, scope ScopeRole, groups []string, action Action, object Object) error {
input := map[string]interface{}{
"subject": authSubject{
ID: subjectID,
Expand Down Expand Up @@ -275,7 +275,7 @@ func (a RegoAuthorizer) PrepareByRoleName(ctx context.Context, subjectID string,

// Prepare will partially execute the rego policy leaving the object fields unknown (except for the type).
// This will vastly speed up performance if batch authorization on the same type of objects is needed.
func (RegoAuthorizer) Prepare(ctx context.Context, subjectID string, roles []Role, scope Role, groups []string, action Action, objectType string) (*PartialAuthorizer, error) {
func (RegoAuthorizer) Prepare(ctx context.Context, subjectID string, roles []Role, scope ScopeRole, groups []string, action Action, objectType string) (*PartialAuthorizer, error) {
auth, err := newPartialAuthorizer(ctx, subjectID, roles, scope, groups, action, objectType)
if err != nil {
return nil, xerrors.Errorf("new partial authorizer: %w", err)
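Review bot: The new `Scope ScopeRole` field on `authSubject` (hunk at line 170) carries no comment, yet its JSON encoding is what the rego policy consults as `input.subject.scope.allow_list`, so a change to the field's tag or to how `ScopeRole` serializes (presumably its own json tags, not visible here) would silently alter authorization decisions. I would document that contract on the field: `// Scope is serialized into the policy input as "scope"; policy.rego evaluates its allow_list, so its JSON shape is part of the policy contract.` The doc comments on `Authorize` and `Prepare` (hunks at lines 216 and 275) still describe only roles; one sentence stating that `scope` further narrows what the roles grant would help callers, and the same applies to `newPartialAuthorizer` in partial.go, which shares the signature change. The bodies of `Authorize` and `Prepare` continue outside the hunks.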
6 changes: 3 additions & 3 deletions coderd/rbac/authz_internal_test.go
Expand Up @@ -20,9 +20,9 @@ type subject struct {
// For the unit test we want to pass in the roles directly, instead of just
// by name. This allows us to test custom roles that do not exist in the product,
// but test edge cases of the implementation.
Roles []Role `json:"roles"`
Groups []string `json:"groups"`
Scope Role `json:"scope"`
Roles []Role `json:"roles"`
Groups []string `json:"groups"`
Scope ScopeRole `json:"scope"`
}

type fakeObject struct {
2 changes: 1 addition & 1 deletion coderd/rbac/partial.go
Expand Up @@ -121,7 +121,7 @@ EachQueryLoop:
return ForbiddenWithInternal(xerrors.Errorf("policy disallows request"), pa.input, nil)
}

func newPartialAuthorizer(ctx context.Context, subjectID string, roles []Role, scope Role, groups []string, action Action, objectType string) (*PartialAuthorizer, error) {
func newPartialAuthorizer(ctx context.Context, subjectID string, roles []Role, scope ScopeRole, groups []string, action Action, objectType string) (*PartialAuthorizer, error) {
input := map[string]interface{}{
"subject": authSubject{
ID: subjectID,
2 changes: 1 addition & 1 deletion coderd/rbac/policy.rego
Expand Up @@ -156,7 +156,7 @@ scope_allow_list {

scope_allow_list {
# If the wildcard is listed in the allow_list, we do not care about the
# object.id. This line is included to prevent partial compliations from
# object.id. This line is included to prevent partial compilations from
# ever needing to include the object.id.
not "*" in input.subject.scope.allow_list
input.object.id != ""