From d77203999be483d52d49b64a5e42f25c4b5873e7 Mon Sep 17 00:00:00 2001 From: Cian Johnston Date: Mon, 23 Jan 2023 10:11:45 +0000 Subject: [PATCH 1/6] feat(coderd): add authz_querier experiment --- coderd/apidoc/docs.go | 11 ++++++++++- coderd/apidoc/swagger.json | 7 ++++++- codersdk/experiments.go | 7 +++++-- docs/api/general.md | 14 ++++++++++---- docs/api/schemas.md | 14 ++++++++++++++ site/src/api/typesGenerated.ts | 4 ++-- 6 files changed, 47 insertions(+), 10 deletions(-) diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go index a14ebd4ad5b70..c6adc0b48e62b 100644 --- a/coderd/apidoc/docs.go +++ b/coderd/apidoc/docs.go @@ -408,7 +408,7 @@ const docTemplate = `{ "schema": { "type": "array", "items": { - "type": "string" + "$ref": "#/definitions/codersdk.Experiment" } } } @@ -6173,6 +6173,15 @@ const docTemplate = `{ } } }, + "codersdk.Experiment": { + "type": "string", + "enum": [ + "authz_querier" + ], + "x-enum-varnames": [ + "ExperimentAuthzQuerier" + ] + }, "codersdk.Feature": { "type": "object", "properties": { diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json index 53b5b41efd2bd..98803bfc698dd 100644 --- a/coderd/apidoc/swagger.json +++ b/coderd/apidoc/swagger.json @@ -346,7 +346,7 @@ "schema": { "type": "array", "items": { - "type": "string" + "$ref": "#/definitions/codersdk.Experiment" } } } @@ -5510,6 +5510,11 @@ } } }, + "codersdk.Experiment": { + "type": "string", + "enum": ["authz_querier"], + "x-enum-varnames": ["ExperimentAuthzQuerier"] + }, "codersdk.Feature": { "type": "object", "properties": { diff --git a/codersdk/experiments.go b/codersdk/experiments.go index ecd963ef901cf..c729b5c4c04d5 100644 --- a/codersdk/experiments.go +++ b/codersdk/experiments.go 
@@ -9,8 +9,11 @@ import ( type Experiment string const ( -// Add new experiments here! -// ExperimentExample Experiment = "example" + // ExperimentAuthzQuerier is an internal experiment that enables the ExperimentAuthzQuerier + // interface for all RBAC operations. NOT READY FOR PRODUCTION USE. + ExperimentAuthzQuerier Experiment = "authz_querier" + // Add new experiments here! + // ExperimentExample Experiment = "example" ) var ( diff --git a/docs/api/general.md b/docs/api/general.md index 58ac05f3fd8e5..cdfbcd77caf9c 100644 --- a/docs/api/general.md +++ b/docs/api/general.md @@ -1072,17 +1072,23 @@ curl -X GET http://coder-server:8080/api/v2/experiments \ > 200 Response ```json -["string"] +["authz_querier"] ``` ### Responses -| Status | Meaning | Description | Schema | -| ------ | ------------------------------------------------------- | ----------- | --------------- | -| 200 | [OK](https://tools.ietf.org/html/rfc7231#section-6.3.1) | OK | array of string | +| Status | Meaning | Description | Schema | +| ------ | ------------------------------------------------------- | ----------- | ------------------------------------------------------------- | +| 200 | [OK](https://tools.ietf.org/html/rfc7231#section-6.3.1) | OK | array of [codersdk.Experiment](schemas.md#codersdkexperiment) |
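Review bot: The doc comment on the new constant points at the wrong thing: `ExperimentAuthzQuerier` is the experiment flag, not an interface, so "enables the ExperimentAuthzQuerier interface" sends a reader looking for a type that does not exist; later commits in this series wrap the store with `authzquery.NewAuthzQuerier`, which is what the comment should reference. Since the value is exposed through the public `/experiments` enum and presumably the deployment's experiments setting, the warning should also say what enabling it changes for authorization rather than only that it is not ready. Suggested: `// ExperimentAuthzQuerier wraps the database store in authzquery.AuthzQuerier so that every query is authorized against the caller's RBAC roles. Internal and NOT READY FOR PRODUCTION USE.`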

Response Schema

+Status Code **200** + +| Name | Type | Required | Restrictions | Description | +| -------------- | ----- | -------- | ------------ | ----------- | +| `[array item]` | array | false | | | + To perform this operation, you must be authenticated. [Learn more](authentication.md). ## Update check diff --git a/docs/api/schemas.md b/docs/api/schemas.md index 48694c49322e1..76a5d1783e6df 100644 --- a/docs/api/schemas.md +++ b/docs/api/schemas.md @@ -2439,6 +2439,20 @@ CreateParameterRequest is a structure used to create a new parameter value for a | `trial` | boolean | false | | | | `warnings` | array of string | false | | | +## codersdk.Experiment + +```json +"authz_querier" +``` + +### Properties + +#### Enumerated Values + +| Value | +| --------------- | +| `authz_querier` | + ## codersdk.Feature ```json diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts index c8f5b66483091..418f14cd8d23c 100644 --- a/site/src/api/typesGenerated.ts +++ b/site/src/api/typesGenerated.ts @@ -1097,8 +1097,8 @@ export const Entitlements: Entitlement[] = [ ] // From codersdk/experiments.go -export type Experiment = never -export const Experiments: Experiment[] = [] +export type Experiment = "authz_querier" +export const Experiments: Experiment[] = ["authz_querier"] // From codersdk/features.go export type FeatureName = From 2638aa35d355078f119fd0a2ce01d95845368c20 Mon Sep 17 00:00:00 2001 From: Cian Johnston Date: Mon, 23 Jan 2023 12:18:50 +0000 Subject: [PATCH 2/6] coderdtest: wire up authz_querier --- coderd/coderdtest/coderdtest.go | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go index cf28f4d2492d9..dd2ac5e72a21d 100644 --- a/coderd/coderdtest/coderdtest.go +++ b/coderd/coderdtest/coderdtest.go @@ -21,6 +21,7 @@ import ( "net/http" "net/http/httptest" "net/url" + "os" "regexp" "strconv" "strings" 
@@ -54,6 +55,7 @@ import ( "github.com/coder/coder/cli/deployment" "github.com/coder/coder/coderd" "github.com/coder/coder/coderd/audit" + "github.com/coder/coder/coderd/authzquery" "github.com/coder/coder/coderd/autobuild/executor" "github.com/coder/coder/coderd/awsidentity" "github.com/coder/coder/coderd/database" @@ -176,6 +178,13 @@ func NewOptions(t *testing.T, options *Options) (func(http.Handler), context.Can if options.Database == nil { options.Database, options.Pubsub = dbtestutil.NewDB(t) } + // TODO: remove this once we're ready to enable authz querier by default. + if strings.Contains(os.Getenv("CODER_EXPERIMENTS_TEST"), "authz_querier") { + if options.Authorizer != nil { + options.Authorizer = &RecordingAuthorizer{} + } + options.Database = authzquery.NewAuthzQuerier(options.Database, options.Authorizer) + } if options.DeploymentConfig == nil { options.DeploymentConfig = DeploymentConfig(t) } From 2229cac87b49c50d76ec562aacbe26d6e0587063 Mon Sep 17 00:00:00 2001 From: Cian Johnston Date: Mon, 23 Jan 2023 13:04:30 +0000 Subject: [PATCH 3/6] wire up AuthzQuerier in coderd --- coderd/coderd.go | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/coderd/coderd.go b/coderd/coderd.go index 6119497796354..88d2c7e5c7bdf 100644 --- a/coderd/coderd.go +++ b/coderd/coderd.go @@ -40,6 +40,7 @@ import ( // Used to serve the Swagger endpoint _ "github.com/coder/coder/coderd/apidoc" "github.com/coder/coder/coderd/audit" + "github.com/coder/coder/coderd/authzquery" "github.com/coder/coder/coderd/awsidentity" "github.com/coder/coder/coderd/database" "github.com/coder/coder/coderd/database/dbtype" 
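Review bot: The condition `if options.Authorizer != nil` in the new NewOptions block looks inverted: it discards an authorizer the test explicitly supplied and replaces it with a `RecordingAuthorizer`, while a nil Authorizer is passed straight into `authzquery.NewAuthzQuerier`, so the authz wrapper would be built with no authorizer at all (whether NewAuthzQuerier tolerates nil is not visible here). It should read `if options.Authorizer == nil {`. A smaller point: `strings.Contains(os.Getenv("CODER_EXPERIMENTS_TEST"), "authz_querier")` is a substring match, so any future experiment whose name contains that string would also trigger the wrapping; splitting the variable on "," and comparing exactly is safer. NewOptions begins and ends outside the hunk.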
@@ -154,6 +155,13 @@ func New(options *Options) *API { if options == nil { options = &Options{} } + experiments := initExperiments(options.Logger, options.DeploymentConfig.Experiments.Value, options.DeploymentConfig.Experimental.Value) + // TODO: remove this once we promote authz_querier out of experiments. + if experiments.Enabled(codersdk.ExperimentAuthzQuerier) { + if _, ok := (options.Database).(*authzquery.AuthzQuerier); !ok { + options.Database = authzquery.NewAuthzQuerier(options.Database, options.Authorizer) + } + } if options.AppHostname != "" && options.AppHostnameRegex == nil || options.AppHostname == "" && options.AppHostnameRegex != nil { panic("coderd: both AppHostname and AppHostnameRegex must be set or unset") } @@ -222,7 +230,7 @@ func New(options *Options) *API { }, metricsCache: metricsCache, Auditor: atomic.Pointer[audit.Auditor]{}, - Experiments: initExperiments(options.Logger, options.DeploymentConfig.Experiments.Value, options.DeploymentConfig.Experimental.Value), + Experiments: experiments, } if options.UpdateCheckOptions != nil { api.updateChecker = updatecheck.New( From 36b7804b7b9737345fc331fbbf555fbcd07f0e69 Mon Sep 17 00:00:00 2001 From: Cian Johnston Date: Wed, 25 Jan 2023 17:25:07 +0000 Subject: [PATCH 4/6] remove things that do not yet exist in this timeline --- coderd/coderd.go | 8 ++++---- coderd/coderdtest/coderdtest.go | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/coderd/coderd.go b/coderd/coderd.go index 88d2c7e5c7bdf..ad8af686c622b 100644 --- a/coderd/coderd.go +++ b/coderd/coderd.go @@ -40,7 +40,6 @@ import ( // Used to serve the Swagger endpoint _ "github.com/coder/coder/coderd/apidoc" "github.com/coder/coder/coderd/audit" - "github.com/coder/coder/coderd/authzquery" "github.com/coder/coder/coderd/awsidentity" "github.com/coder/coder/coderd/database" "github.com/coder/coder/coderd/database/dbtype" 
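Review bot: The new wrapping block at the top of New reads `options.Authorizer` before anything later in the function could have defaulted it (any default-filling code is outside the hunk), so when the experiment is enabled with a nil Authorizer the store is wrapped with a nil authorizer and what then happens on the first query depends entirely on how AuthzQuerier handles nil, which is not visible here. Either guard it, `if options.Authorizer == nil { panic("coderd: authz_querier experiment requires an Authorizer") }` before the `NewAuthzQuerier` call, or move the block to after the point where defaults are applied. The assertion `(options.Database).(*authzquery.AuthzQuerier)` also assumes the wrapper is always used as a pointer; a one-line comment saying so would keep a later change to a value receiver from silently double-wrapping. New begins and ends outside the hunk.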
@@ -158,9 +157,10 @@ func New(options *Options) *API {
 experiments := initExperiments(options.Logger, options.DeploymentConfig.Experiments.Value, options.DeploymentConfig.Experimental.Value)
 // TODO: remove this once we promote authz_querier out of experiments.
 if experiments.Enabled(codersdk.ExperimentAuthzQuerier) {
- if _, ok := (options.Database).(*authzquery.AuthzQuerier); !ok {
- options.Database = authzquery.NewAuthzQuerier(options.Database, options.Authorizer)
- }
+ panic("Coming soon!")
+ // if _, ok := (options.Database).(*authzquery.AuthzQuerier); !ok {
+ // options.Database = authzquery.NewAuthzQuerier(options.Database, options.Authorizer)
+ // }
 }
 if options.AppHostname != "" && options.AppHostnameRegex == nil || options.AppHostname == "" && options.AppHostnameRegex != nil {
 panic("coderd: both AppHostname and AppHostnameRegex must be set or unset")
diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go
index dd2ac5e72a21d..f6128def6f029 100644
--- a/coderd/coderdtest/coderdtest.go
+++ b/coderd/coderdtest/coderdtest.go
@@ -55,7 +55,6 @@ import (
 "github.com/coder/coder/cli/deployment"
 "github.com/coder/coder/coderd"
 "github.com/coder/coder/coderd/audit"
- "github.com/coder/coder/coderd/authzquery"
 "github.com/coder/coder/coderd/autobuild/executor"
 "github.com/coder/coder/coderd/awsidentity"
 "github.com/coder/coder/coderd/database"
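Review bot: `panic("Coming soon!")` gives an operator who enables `authz_querier` a crash at startup with no indication of which setting caused it, even though the experiment is already advertised in the public enum and API docs from the first commit of this series; a message that names the experiment, e.g. `panic("coderd: experiment authz_querier is not yet implemented; remove it from the enabled experiments")`, would at least make the failure diagnosable. Alternatively, since initExperiments already receives a logger, the flag could be logged and ignored rather than aborting the server. Leaving the real wiring as a commented-out block also means nothing stops it from bit-rotting; a `// TODO` pointing at the tracking work would help. New begins and ends outside the hunk.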
@@ -180,10 +179,11 @@ func NewOptions(t *testing.T, options *Options) (func(http.Handler), context.Can } // TODO: remove this once we're ready to enable authz querier by default. if strings.Contains(os.Getenv("CODER_EXPERIMENTS_TEST"), "authz_querier") { + panic("Coming soon!") if options.Authorizer != nil { options.Authorizer = &RecordingAuthorizer{} } - options.Database = authzquery.NewAuthzQuerier(options.Database, options.Authorizer) + // options.Database = authzquery.NewAuthzQuerier(options.Database, options.Authorizer) } if options.DeploymentConfig == nil { options.DeploymentConfig = DeploymentConfig(t) From 5209c48829191b6be4889d888ffa6aee123c8cce Mon Sep 17 00:00:00 2001 From: Cian Johnston Date: Wed, 25 Jan 2023 19:18:26 +0000 Subject: [PATCH 5/6] add newline --- codersdk/experiments.go | 1 + 1 file changed, 1 insertion(+) diff --git a/codersdk/experiments.go b/codersdk/experiments.go index c729b5c4c04d5..1412f375e3998 100644 --- a/codersdk/experiments.go +++ b/codersdk/experiments.go @@ -12,6 +12,7 @@ const ( // ExperimentAuthzQuerier is an internal experiment that enables the ExperimentAuthzQuerier // interface for all RBAC operations. NOT READY FOR PRODUCTION USE. ExperimentAuthzQuerier Experiment = "authz_querier" + // Add new experiments here! // ExperimentExample Experiment = "example" ) From 1a8c6ca86bc5cfc4cc9a916d76425a2f8753437f Mon Sep 17 00:00:00 2001 From: Cian Johnston Date: Wed, 25 Jan 2023 19:58:21 +0000 Subject: [PATCH 6/6] comment unreachable code --- coderd/coderdtest/coderdtest.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go index f6128def6f029..5bc1012366333 100644 --- a/coderd/coderdtest/coderdtest.go +++ b/coderd/coderdtest/coderdtest.go 
@@ -180,9 +180,9 @@ func NewOptions(t *testing.T, options *Options) (func(http.Handler), context.Can
 // TODO: remove this once we're ready to enable authz querier by default.
 if strings.Contains(os.Getenv("CODER_EXPERIMENTS_TEST"), "authz_querier") {
 panic("Coming soon!")
- if options.Authorizer != nil {
- options.Authorizer = &RecordingAuthorizer{}
- }
+ // if options.Authorizer != nil {
+ // options.Authorizer = &RecordingAuthorizer{}
+ // }
 // options.Database = authzquery.NewAuthzQuerier(options.Database, options.Authorizer)
 }
 if options.DeploymentConfig == nil {
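Review bot: `panic("Coming soon!")` inside NewOptions aborts the whole test binary, although the helper already receives `t *testing.T`; `t.Fatalf("coderdtest: CODER_EXPERIMENTS_TEST=authz_querier is not yet supported")` would fail only the calling test and report through the normal test output. The retained, commented-out block still reads `// if options.Authorizer != nil {`, which when revived would replace a caller-supplied authorizer with a RecordingAuthorizer and hand a nil one to NewAuthzQuerier; it should be `== nil`. NewOptions begins and ends outside the hunk.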