Skip to content

chore: Implement standard rbac.Subject to be reused everywhere #5881

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jan 26, 2023
Merged

chore: Implement standard rbac.Subject to be reused everywhere #5881

merged 4 commits into from
Jan 26, 2023

Conversation

Emyrk
Copy link
Member

@Emyrk Emyrk commented Jan 26, 2023
edited
Loading

This is purely a type refactor, and does not change any behavior

What this does

Before this PR, the rbac package expected the caller to hold the various Subject fields, and pass them in as individual arguments: (subjectID string, roleNames ExpandableRoles, scope ScopeName, groups []string). This was ok in the beginning when it was just (ID, Roles), but it has grown to scope and groups as well.

This change ensures all subject fields are tightly coupled, and less likely to be mistakenly used. It also simplifies using rbac since the arguments are now Autorize(ctx, subject, action, object).

The only downside is that logging still requires poking into the subject struct. But usage of the rbac package now takes less arguments.

What this enables

For authquerier interface we wanted to enable the use of a System actor. This actor needs to have custom roles that should not be available to the user. This new Subject struct accepts both user defined roles, RoleNames and explicit Roles.

This allows us to create custom roles that will never be returned via an api or any other exporting of roles (docs, enums, etc).

Minor bonus, this allows unit tests to call the Authorize directly as it was using explicit Roles.

Emyrk added 2 commits January 26, 2023 11:50
@Emyrk
chore: Implement standard rbac.Subject to be reused everywhere
451b67a 
An rbac subject is created in multiple spots because of the way we
expand roles, scopes, etc. This difference in use creates a list
of arguments which is unwieldy.

Use of the expander interface lets us conform to a single subject
in every case
@Emyrk
Handle possible panics
f38cf04
Emyrk
Emyrk commented Jan 26, 2023
View reviewed changes
coderd/rbac/authz.go
Comment on lines +22 to +27
type Subject struct {
ID string
Roles ExpandableRoles
Groups []string
Scope ExpandableScope
}
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the added type shared by all callers now.

Emyrk
Emyrk commented Jan 26, 2023
View reviewed changes
coderd/rbac/authz.go
Comment on lines +46 to +47
Authorize(ctx context.Context, subject Subject, action Action, object Object) error
Prepare(ctx context.Context, subject Subject, action Action, objectType string) (PreparedAuthorized, error)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the interface of the package changing to use less arguments.

Emyrk
Emyrk commented Jan 26, 2023
View reviewed changes
coderd/rbac/authz.go
return err
}
err := a.authorize(ctx, subject, action, object)
span.SetAttributes(attribute.Bool("authorized", err == nil))
Copy link
Member Author

@Emyrk Emyrk Jan 26, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is better than an event, learned I can add attributes to a span after I started it. So it allows filtering the parent span on this attribute, which is what I want.

@Emyrk Emyrk requested review from johnstcn and kylecarbs January 26, 2023 18:57
johnstcn
johnstcn reviewed Jan 26, 2023
View reviewed changes
coderd/authorize.go
@@ -217,7 +219,7 @@ func (api *API) checkAuthorization(rw http.ResponseWriter, r *http.Request) {
obj = dbObj.RBACObject()
}

err := api.Authorizer.ByRoleName(ctx, auth.ID.String(), auth.Roles, auth.Scope.ToRBAC(), auth.Groups, rbac.Action(v.Action), obj)
err := api.Authorizer.Authorize(ctx, auth.Actor, rbac.Action(v.Action), obj)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is so much nicer and more readable ❤️

johnstcn
johnstcn reviewed Jan 26, 2023
View reviewed changes
coderd/rbac/authz.go

// SafeScopeName prevent nil pointer dereference.
func (s Subject) SafeScopeName() string {
if s.Scope == nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at RegoAuthorizer.Authorize, wouldn't this be a developer error?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be a developer error.

johnstcn
johnstcn approved these changes Jan 26, 2023
View reviewed changes
Copy link
Member

@johnstcn johnstcn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@Emyrk Emyrk merged commit b0a1615 into main Jan 26, 2023
@Emyrk Emyrk deleted the stevenmasley/standard_rbac_subject branch January 26, 2023 20:42
@github-actions github-actions bot locked and limited conversation to collaborators Jan 26, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@johnstcn johnstcn johnstcn approved these changes

@kylecarbs kylecarbs Awaiting requested review from kylecarbs

Assignees

@Emyrk Emyrk

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Emyrk @johnstcn