coder · Emyrk · Jan 19, 2023 · Jan 18, 2023 · Jan 18, 2023 · Jan 18, 2023
diff --git a/coderd/rbac/README.md b/coderd/rbac/README.md
@@ -48,6 +48,7 @@ This can be represented by the following truth table, where Y represents _positi
 - `level` is either `site`, `org`, or `user`.
 - `object` is any valid resource type.
 - `id` is any valid UUID v4.
+ - `id` is included in the permission syntax, however only scopes may use `id` to specify a specific object.
 - `action` is `create`, `read`, `modify`, or `delete`.
 
 ## Example Permissions
@@ -72,6 +73,20 @@ Y indicates that the role provides positive permissions, N indicates the role pr
 |                 | \_   | \_   | N    | N      |
 | unauthenticated | \_   | \_   | \_   | N      |
 
+## Scopes
+
+Scopes can restrict a given set of permissions. The format of a scope matches a role with the addition of a list of resource ids. For a authorization call to be successful, the subject's roles and the subject's scopes must both allow the action. This means the resulting permissions is the intersection of the subject's roles and the subject's scopes.
+
+An example to give a readonly token is to grant a readonly scope across all resources `+site.*.*.read`. The intersection with the user's permissions will be the readonly set of their permissions.
+
+
+### Resource IDs
+
+There exists use cases that require specifying a specific resource. If resource IDs are allowed in the roles, then there is
+an unbounded set of resource IDs that be added to an "allow_list", as the number of roles a user can have is unbounded. This also adds a level of complexity to the role evaluation logic that has large costs at scale.
+
+The use case for specifying this type of permission in a role is limited, and does not justify the extra cost. To solve this for the remaining cases (eg. workspace agent tokens), we can apply an `allow_list` on a scope. For most cases, the `allow_list` will just be `["*"]` which means the scope is allowed to be applied to any resource. This adds negligible cost to the role evaluation logic and 0 cost to partial evaluations.
+
 # Testing
 
 You can test outside of golang by using the `opa` cli.

diff --git a/coderd/rbac/authz.go b/coderd/rbac/authz.go
@@ -170,10 +170,10 @@ func NewAuthorizer(registry prometheus.Registerer) *RegoAuthorizer {
 }
 
 type authSubject struct {
-	ID     string   `json:"id"`
-	Roles  []Role   `json:"roles"`
-	Groups []string `json:"groups"`
-	Scope  Role     `json:"scope"`
+	ID     string    `json:"id"`
+	Roles  []Role    `json:"roles"`
+	Groups []string  `json:"groups"`
+	Scope  ScopeRole `json:"scope"`
 }
 
 // ByRoleName will expand all roleNames into roles before calling Authorize().
@@ -197,7 +197,7 @@ func (a RegoAuthorizer) ByRoleName(ctx context.Context, subjectID string, roleNa
 		return err
 	}
 
-	scopeRole, err := ScopeRole(scope)
+	scopeRole, err := ExpandScope(scope)
 	if err != nil {
 		return err
 	}
@@ -216,7 +216,7 @@ func (a RegoAuthorizer) ByRoleName(ctx context.Context, subjectID string, roleNa
 
 // Authorize allows passing in custom Roles.
 // This is really helpful for unit testing, as we can create custom roles to exercise edge cases.
-func (a RegoAuthorizer) Authorize(ctx context.Context, subjectID string, roles []Role, scope Role, groups []string, action Action, object Object) error {
+func (a RegoAuthorizer) Authorize(ctx context.Context, subjectID string, roles []Role, scope ScopeRole, groups []string, action Action, object Object) error {
 	input := map[string]interface{}{
 		"subject": authSubject{
 			ID:     subjectID,
@@ -252,7 +252,7 @@ func (a RegoAuthorizer) PrepareByRoleName(ctx context.Context, subjectID string,
 		return nil, err
 	}
 
-	scopeRole, err := ScopeRole(scope)
+	scopeRole, err := ExpandScope(scope)
 	if err != nil {
 		return nil, err
 	}
@@ -275,7 +275,7 @@ func (a RegoAuthorizer) PrepareByRoleName(ctx context.Context, subjectID string,
 
 // Prepare will partially execute the rego policy leaving the object fields unknown (except for the type).
 // This will vastly speed up performance if batch authorization on the same type of objects is needed.
-func (RegoAuthorizer) Prepare(ctx context.Context, subjectID string, roles []Role, scope Role, groups []string, action Action, objectType string) (*PartialAuthorizer, error) {
+func (RegoAuthorizer) Prepare(ctx context.Context, subjectID string, roles []Role, scope ScopeRole, groups []string, action Action, objectType string) (*PartialAuthorizer, error) {
 	auth, err := newPartialAuthorizer(ctx, subjectID, roles, scope, groups, action, objectType)
 	if err != nil {
 		return nil, xerrors.Errorf("new partial authorizer: %w", err)

diff --git a/coderd/rbac/authz_internal_test.go b/coderd/rbac/authz_internal_test.go
@@ -20,9 +20,9 @@ type subject struct {
 	// For the unit test we want to pass in the roles directly, instead of just
 	// by name. This allows us to test custom roles that do not exist in the product,
 	// but test edge cases of the implementation.
-	Roles  []Role   `json:"roles"`
-	Groups []string `json:"groups"`
-	Scope  Role     `json:"scope"`
+	Roles  []Role    `json:"roles"`
+	Groups []string  `json:"groups"`
+	Scope  ScopeRole `json:"scope"`
 }
 
 type fakeObject struct {
@@ -200,7 +200,7 @@ func TestAuthorizeDomain(t *testing.T) {
 
 	user := subject{
 		UserID: "me",
-		Scope:  must(ScopeRole(ScopeAll)),
+		Scope:  must(ExpandScope(ScopeAll)),
 		Groups: []string{allUsersGroup},
 		Roles: []Role{
 			must(RoleByName(RoleMember())),
@@ -299,7 +299,7 @@ func TestAuthorizeDomain(t *testing.T) {
 
 	user = subject{
 		UserID: "me",
-		Scope:  must(ScopeRole(ScopeAll)),
+		Scope:  must(ExpandScope(ScopeAll)),
 		Roles: []Role{{
 			Name: "deny-all",
 			// List out deny permissions explicitly
@@ -340,7 +340,7 @@ func TestAuthorizeDomain(t *testing.T) {
 
 	user = subject{
 		UserID: "me",
-		Scope:  must(ScopeRole(ScopeAll)),
+		Scope:  must(ExpandScope(ScopeAll)),
 		Roles: []Role{
 			must(RoleByName(RoleOrgAdmin(defOrg))),
 			must(RoleByName(RoleMember())),
@@ -374,7 +374,7 @@ func TestAuthorizeDomain(t *testing.T) {
 
 	user = subject{
 		UserID: "me",
-		Scope:  must(ScopeRole(ScopeAll)),
+		Scope:  must(ExpandScope(ScopeAll)),
 		Roles: []Role{
 			must(RoleByName(RoleOwner())),
 			must(RoleByName(RoleMember())),
@@ -408,7 +408,7 @@ func TestAuthorizeDomain(t *testing.T) {
 
 	user = subject{
 		UserID: "me",
-		Scope:  must(ScopeRole(ScopeApplicationConnect)),
+		Scope:  must(ExpandScope(ScopeApplicationConnect)),
 		Roles: []Role{
 			must(RoleByName(RoleOrgMember(defOrg))),
 			must(RoleByName(RoleMember())),
@@ -507,7 +507,7 @@ func TestAuthorizeDomain(t *testing.T) {
 	// In practice this is a token scope on a regular subject
 	user = subject{
 		UserID: "me",
-		Scope:  must(ScopeRole(ScopeAll)),
+		Scope:  must(ExpandScope(ScopeAll)),
 		Roles: []Role{
 			{
 				Name: "ReadOnlyOrgAndUser",
@@ -600,7 +600,7 @@ func TestAuthorizeLevels(t *testing.T) {
 
 	user := subject{
 		UserID: "me",
-		Scope:  must(ScopeRole(ScopeAll)),
+		Scope:  must(ExpandScope(ScopeAll)),
 		Roles: []Role{
 			must(RoleByName(RoleOwner())),
 			{
@@ -661,7 +661,7 @@ func TestAuthorizeLevels(t *testing.T) {
 
 	user = subject{
 		UserID: "me",
-		Scope:  must(ScopeRole(ScopeAll)),
+		Scope:  must(ExpandScope(ScopeAll)),
 		Roles: []Role{
 			{
 				Name: "site-noise",
@@ -726,7 +726,7 @@ func TestAuthorizeScope(t *testing.T) {
 	user := subject{
 		UserID: "me",
 		Roles:  []Role{must(RoleByName(RoleOwner()))},
-		Scope:  must(ScopeRole(ScopeApplicationConnect)),
+		Scope:  must(ExpandScope(ScopeApplicationConnect)),
 	}
 
 	testAuthorize(t, "Admin_ScopeApplicationConnect", user,
@@ -760,7 +760,7 @@ func TestAuthorizeScope(t *testing.T) {
 			must(RoleByName(RoleMember())),
 			must(RoleByName(RoleOrgMember(defOrg))),
 		},
-		Scope: must(ScopeRole(ScopeApplicationConnect)),
+		Scope: must(ExpandScope(ScopeApplicationConnect)),
 	}
 
 	testAuthorize(t, "User_ScopeApplicationConnect", user,

diff --git a/coderd/rbac/input.json b/coderd/rbac/input.json
@@ -1,6 +1,7 @@
 {
   "action": "never-match-action",
   "object": {
+    "id": "00000000-0000-0000-0000-000000000000",
     "owner": "00000000-0000-0000-0000-000000000000",
     "org_owner": "bf7b72bd-a2b1-4ef2-962c-1d698e0483f6",
     "type": "workspace",
@@ -16,6 +17,7 @@
     "scope": {
       "name": "Scope_all",
       "display_name": "All operations",
+      "allow_list": ["123", "*"],
       "site": [
         {
           "negate": false,

diff --git a/coderd/rbac/object.go b/coderd/rbac/object.go
@@ -158,6 +158,8 @@ var (
 // that represents the set of workspaces you are trying to get access too.
 // Do not export this type, as it can be created from a resource type constant.
 type Object struct {
+	// ID is the resource's uuid
+	ID    string `json:"id"`
 	Owner string `json:"owner"`
 	// OrgID specifies which org the object is a part of.
 	OrgID string `json:"org_owner"`
@@ -184,9 +186,21 @@ func (z Object) All() Object {
 	}
 }
 
+func (z Object) WithID(id uuid.UUID) Object {
+	return Object{
+		ID:           id.String(),
+		Owner:        z.Owner,
+		OrgID:        z.OrgID,
+		Type:         z.Type,
+		ACLUserList:  z.ACLUserList,
+		ACLGroupList: z.ACLGroupList,
+	}
+}
+
 // InOrg adds an org OwnerID to the resource
 func (z Object) InOrg(orgID uuid.UUID) Object {
 	return Object{
+		ID:           z.ID,
 		Owner:        z.Owner,
 		OrgID:        orgID.String(),
 		Type:         z.Type,
@@ -198,6 +212,7 @@ func (z Object) InOrg(orgID uuid.UUID) Object {
 // WithOwner adds an OwnerID to the resource
 func (z Object) WithOwner(ownerID string) Object {
 	return Object{
+		ID:           z.ID,
 		Owner:        ownerID,
 		OrgID:        z.OrgID,
 		Type:         z.Type,
@@ -209,6 +224,7 @@ func (z Object) WithOwner(ownerID string) Object {
 // WithACLUserList adds an ACL list to a given object
 func (z Object) WithACLUserList(acl map[string][]Action) Object {
 	return Object{
+		ID:           z.ID,
 		Owner:        z.Owner,
 		OrgID:        z.OrgID,
 		Type:         z.Type,
@@ -219,6 +235,7 @@ func (z Object) WithACLUserList(acl map[string][]Action) Object {
 
 func (z Object) WithGroupACL(groups map[string][]Action) Object {
 	return Object{
+		ID:           z.ID,
 		Owner:        z.Owner,
 		OrgID:        z.OrgID,
 		Type:         z.Type,

diff --git a/coderd/rbac/partial.go b/coderd/rbac/partial.go
@@ -121,7 +121,7 @@ EachQueryLoop:
 	return ForbiddenWithInternal(xerrors.Errorf("policy disallows request"), pa.input, nil)
 }
 
-func newPartialAuthorizer(ctx context.Context, subjectID string, roles []Role, scope Role, groups []string, action Action, objectType string) (*PartialAuthorizer, error) {
+func newPartialAuthorizer(ctx context.Context, subjectID string, roles []Role, scope ScopeRole, groups []string, action Action, objectType string) (*PartialAuthorizer, error) {
 	input := map[string]interface{}{
 		"subject": authSubject{
 			ID:     subjectID,
@@ -141,6 +141,7 @@ func newPartialAuthorizer(ctx context.Context, subjectID string, roles []Role, s
 		rego.Query("data.authz.allow = true"),
 		rego.Module("policy.rego", policy),
 		rego.Unknowns([]string{
+			"input.object.id",
 			"input.object.owner",
 			"input.object.org_owner",
 			"input.object.acl_user_list",

diff --git a/coderd/rbac/policy.rego b/coderd/rbac/policy.rego
@@ -148,6 +148,23 @@ user_allow(roles) := num {
     num := number(allow)
 }
 
+# Scope allow_list is a list of resource IDs explicitly allowed by the scope.
+# If the list is '*', then all resources are allowed.
+scope_allow_list {
+	"*" in input.subject.scope.allow_list
+}
+
+scope_allow_list {
+	# If the wildcard is listed in the allow_list, we do not care about the
+	# object.id. This line is included to prevent partial compilations from
+	# ever needing to include the object.id.
+	not "*" in input.subject.scope.allow_list
+	input.object.id  != ""
+	input.object.id in input.subject.scope.allow_list
+}
+
+
+
 # The allow block is quite simple. Any set with `-1` cascades down in levels.
 # Authorization looks for any `allow` statement that is true. Multiple can be true!
 # Note that the absence of `allow` means "unauthorized".
@@ -179,15 +196,18 @@ role_allow {
 }
 
 scope_allow {
+	scope_allow_list
 	scope_site = 1
 }
 
 scope_allow {
+	scope_allow_list
 	not scope_site = -1
 	scope_org = 1
 }
 
 scope_allow {
+	scope_allow_list
 	not scope_site = -1
 	not scope_org = -1
 	# If we are not a member of an org, and the object has an org, then we are

diff --git a/coderd/rbac/scopes.go b/coderd/rbac/scopes.go
@@ -8,39 +8,52 @@ import (
 
 type Scope string
 
+// TODO: @emyrk rename this struct
+type ScopeRole struct {
+	Role
+	AllowIDList []string `json:"allow_list"`
+}
+
 const (
 	ScopeAll                Scope = "all"
 	ScopeApplicationConnect Scope = "application_connect"
 )
 
-var builtinScopes map[Scope]Role = map[Scope]Role{
+// TODO: Support passing in scopeID list for whitelisting allowed resources.
+var builtinScopes map[Scope]ScopeRole = map[Scope]ScopeRole{
 	// ScopeAll is a special scope that allows access to all resources. During
 	// authorize checks it is usually not used directly and skips scope checks.
 	ScopeAll: {
-		Name:        fmt.Sprintf("Scope_%s", ScopeAll),
-		DisplayName: "All operations",
-		Site: permissions(map[string][]Action{
-			ResourceWildcard.Type: {WildcardSymbol},
-		}),
-		Org:  map[string][]Permission{},
-		User: []Permission{},
+		Role: Role{
+			Name:        fmt.Sprintf("Scope_%s", ScopeAll),
+			DisplayName: "All operations",
+			Site: permissions(map[string][]Action{
+				ResourceWildcard.Type: {WildcardSymbol},
+			}),
+			Org:  map[string][]Permission{},
+			User: []Permission{},
+		},
+		AllowIDList: []string{WildcardSymbol},
 	},
 
 	ScopeApplicationConnect: {
-		Name:        fmt.Sprintf("Scope_%s", ScopeApplicationConnect),
-		DisplayName: "Ability to connect to applications",
-		Site: permissions(map[string][]Action{
-			ResourceWorkspaceApplicationConnect.Type: {ActionCreate},
-		}),
-		Org:  map[string][]Permission{},
-		User: []Permission{},
+		Role: Role{
+			Name:        fmt.Sprintf("Scope_%s", ScopeApplicationConnect),
+			DisplayName: "Ability to connect to applications",
+			Site: permissions(map[string][]Action{
+				ResourceWorkspaceApplicationConnect.Type: {ActionCreate},
+			}),
+			Org:  map[string][]Permission{},
+			User: []Permission{},
+		},
+		AllowIDList: []string{WildcardSymbol},
 	},
 }
 
-func ScopeRole(scope Scope) (Role, error) {
+func ExpandScope(scope Scope) (ScopeRole, error) {
 resource_id uuid NOT NULL, 
 auth_token uuid NOT NULL, 
 resource_id uuid NOT NULL, 
 auth_token uuid NOT NULL, 
 	role, ok := builtinScopes[scope]
 	if !ok {
-		return Role{}, xerrors.Errorf("no scope named %q", scope)
+		return ScopeRole{}, xerrors.Errorf("no scope named %q", scope)
 	}
 	return role, nil
 }