Skip to content

feat: Add initial AuthzQuerier implementation #5919

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 384 commits into from
Feb 14, 2023
Merged

feat: Add initial AuthzQuerier implementation #5919

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
384 commits
Select commit Hold shift + click to select a range
7d0fad4
Fix typo
Emyrk Jan 27, 2023
efe7f93
Merge remote-tracking branch 'origin/main' into authzquerier_layer
johnstcn Jan 30, 2023
923219a
make RecordingAuthorizer wrap another rbac.Authorizer
johnstcn Jan 30, 2023
f97ca2a
fix FakeAuthorizer
johnstcn Jan 30, 2023
ad6ff52
skip TestAuthorizeAllEndpoints if authz_querier experiment is enabled
johnstcn Jan 30, 2023
0e3b9ff
lock more things
johnstcn Jan 30, 2023
feb7689
Merge remote-tracking branch 'origin/main' into authzquerier_layer
johnstcn Jan 30, 2023
083bcf2
rbac/builtin.go: remove consts
johnstcn Jan 30, 2023
161842d
extract getAgentSubject()
johnstcn Jan 30, 2023
11983ab
Merge remote-tracking branch 'origin/main' into authzquerier_layer
johnstcn Jan 31, 2023
ab9c049
use systemCtx in API.oauthLogin()
johnstcn Jan 31, 2023
04e32bc
workspaceagents: fetch request ctx after httpmw.WorkspaceAgent sets a…
johnstcn Jan 31, 2023
21d0f97
httpmw: pass systemCtx to getAgentSubject, add OwnerID to workspace a…
johnstcn Jan 31, 2023
76a490e
authzquery: workspace: fix GetWorkspaceAppByAgentIDAndSlug and GetWor…
johnstcn Jan 31, 2023
fa399d6
steven said its ok to remove this
johnstcn Jan 31, 2023
cb9a2c5
Fix recursive test
Emyrk Jan 31, 2023
9aa7835
Move experiment init below authz init
Emyrk Jan 31, 2023
8f6265b
add httpmw.SystemAuthCtx to api.handleSubdomainApplications
johnstcn Jan 31, 2023
bfa91c1
REVERT THIS COMMIT BEFORE MERGING !!!!
johnstcn Jan 31, 2023
13710c6
ALSO DO NOT MERGE THIS COMMIT
johnstcn Jan 31, 2023
467646d
authzquery: fix InsertAgentStat
johnstcn Jan 31, 2023
32c8af1
activitybump: use systemCtx for activityBumpWorkspace
johnstcn Jan 31, 2023
11ef507
Merge remote-tracking branch 'origin/main' into authzquerier_layer
Emyrk Jan 31, 2023
b08fc44
remove unused function
Emyrk Jan 31, 2023
69a6346
authzquery: fixes to templates and parameters
johnstcn Feb 1, 2023
4967fe6
Fix fetch dry run template version from job id
Emyrk Feb 1, 2023
6a7b053
Pass actor to follow logs for subscriber listen
Emyrk Feb 1, 2023
fc992cd
gerge remote-tracking branch 'origin/main' into authzquerier_layer
johnstcn Feb 2, 2023
d599753
rbac: add IsUnauthorizedError, return 404 if UnauthorizedError in org…
johnstcn Feb 2, 2023
0ce75c6
goimports
johnstcn Feb 2, 2023
357b05d
Implemented first draft testing framework
Emyrk Feb 2, 2023
6bb2e1c
authzquery: fixes in workspaces.go
johnstcn Feb 2, 2023
8a8ce06
Merge remote-tracking branch 'origin/authzquerier_layer' into authzqu…
johnstcn Feb 2, 2023
300f6dc
Add test method accounting to ensure all functions are called
Emyrk Feb 2, 2023
9f7d276
fixup! authzquery: fixes in workspaces.go
johnstcn Feb 2, 2023
d37379d
Merge remote-tracking branch 'origin/authzquerier_layer' into authzqu…
johnstcn Feb 2, 2023
6cc14b4
Add rbac checks
Emyrk Feb 2, 2023
2107b74
Fix scim unit tests
Emyrk Feb 2, 2023
53f7a5d
authzquery: update UpdateTemplateDeletedByID to call SoftDeleteTempla…
johnstcn Feb 2, 2023
44ca906
Merge remote-tracking branch 'origin/authzquerier_layer' into authzqu…
johnstcn Feb 2, 2023
73655ab
Fix scim and workspace agent unit tests
Emyrk Feb 2, 2023
0d6f6a0
Fix getTemplateVersionsByID
Emyrk Feb 2, 2023
32a9e12
Fix more unit tests
Emyrk Feb 2, 2023
85ff5f1
Fix license unit test
Emyrk Feb 2, 2023
e152d5f
authzquery: add some more convenience methods, comments etc.
johnstcn Feb 2, 2023
ef1deb5
Merge remote-tracking branch 'origin/authzquerier_layer' into authzqu…
johnstcn Feb 2, 2023
4848481
Add sentinel errors for unauth authz errors
Emyrk Feb 2, 2023
b583a1e
Use sentinal error that returns a 404
Emyrk Feb 2, 2023
75747f5
Use sentinel error always
Emyrk Feb 2, 2023
add77c6
add slice.New util function
johnstcn Feb 2, 2023
4357a3c
RecordingAuthorizer: AllAsserted: provide more information on missed …
johnstcn Feb 2, 2023
9dbc6bf
Merge remote-tracking branch 'origin/authzquerier_layer' into authzqu…
johnstcn Feb 2, 2023
c285f6f
skip GetAuthorizedWorkspaces
johnstcn Feb 2, 2023
58261fe
Add admin context to provisonerd
Emyrk Feb 2, 2023
a4a2994
Merge remote-tracking branch 'origin/main' into authzquerier_layer
Emyrk Feb 2, 2023
874e9da
Fix Delte group
Emyrk Feb 2, 2023
d878e71
remove excess comments
Emyrk Feb 2, 2023
10ac765
typos and lint
Emyrk Feb 2, 2023
e353c4d
Fix template admin permissions
Emyrk Feb 2, 2023
db647ba
Fix rbac unit test
Emyrk Feb 2, 2023
f45a170
Call compileToSQL in getWorkspaces
Emyrk Feb 2, 2023
b4beb38
Call compileToSQL in getWorkspaces
Emyrk Feb 2, 2023
d9d23b6
Fix compile issue
Emyrk Feb 2, 2023
8780e4e
Handle nil prepared case
Emyrk Feb 2, 2023
e6d5c2f
Linting
Emyrk Feb 2, 2023
672b2e0
fix GetLatestWorkspaceBuildsByWorkspaceIDs
johnstcn Feb 2, 2023
5a0e5a2
add existing workspace tests
johnstcn Feb 2, 2023
016c56d
Check returned error from db call
Emyrk Feb 2, 2023
e086e51
Fix build number to be 1 indexed
Emyrk Feb 2, 2023
390a284
more tests
johnstcn Feb 2, 2023
53fcf79
generate random AuthInstanceID, more unit tests
johnstcn Feb 2, 2023
0add01a
Test all api key methods
Emyrk Feb 2, 2023
6191561
Test audit methods
Emyrk Feb 2, 2023
e8ab762
Add group and file unit tests
Emyrk Feb 2, 2023
837f66a
Add template unit test
Emyrk Feb 2, 2023
88d422f
Add system functions
Emyrk Feb 2, 2023
a32b4f3
Merge remote-tracking branch 'origin/main' into authzquerier_layer
Emyrk Feb 2, 2023
d3affdc
Fix merge compile issues
Emyrk Feb 2, 2023
338e300
Jobs, orgs, and extra methods implemented
Emyrk Feb 2, 2023
f5c4040
Merge remote-tracking branch 'origin/main' into authzquerier_layer
Emyrk Feb 3, 2023
a7899cf
:
Emyrk Feb 3, 2023
0da03c6
Implement parameters tests
Emyrk Feb 3, 2023
4415b6b
Start license unit tests
Emyrk Feb 3, 2023
fb8973c
Merge remote-tracking branch 'origin/main' into authzquerier_layer
Emyrk Feb 3, 2023
6763fbf
Finish license tests
Emyrk Feb 3, 2023
d1b948d
Add workspace tests
Emyrk Feb 3, 2023
13a4fab
chore: Add WorkspaceApps to dbgen
Emyrk Feb 3, 2023
607e428
Add user unit tests
Emyrk Feb 3, 2023
592a62b
GitSSHKey, UserLink, GitAuthLink
Emyrk Feb 3, 2023
102af8a
Fix user unit tests
Emyrk Feb 3, 2023
d2b1f41
Merge remote-tracking branch 'origin/main' into authzquerier_layer
johnstcn Feb 3, 2023
b6afc2a
rm unused-import
johnstcn Feb 3, 2023
d1cfa73
authzquery: implement group and system methods
johnstcn Feb 3, 2023
b7cd5a5
fixup! authzquery: implement group and system methods
johnstcn Feb 3, 2023
f34c61b
fixup! authzquery: implement group and system methods
johnstcn Feb 3, 2023
e53d709
ineffasign
johnstcn Feb 3, 2023
cb4d92f
unshadow, unused-reciever
johnstcn Feb 3, 2023
13a8445
unused-param
johnstcn Feb 3, 2023
e1ce04e
finish testing template methods
johnstcn Feb 3, 2023
7fde8fb
Rename logger-> log, database->db, authorizer->auth, remove "authoriz…
Emyrk Feb 3, 2023
7ba3482
Rename fetchSet to fetchWithPostFilter
Emyrk Feb 3, 2023
cf763cb
Verify the correct error is returned on disallow auth
Emyrk Feb 3, 2023
64e80fb
Linting
Emyrk Feb 3, 2023
432a261
database: add missing argument to GetAuthorizedWorkspaces
johnstcn Feb 3, 2023
8134d1b
Refactor recording authorizer
Emyrk Feb 3, 2023
29e7c46
Address incorrect errors
Emyrk Feb 3, 2023
a37fead
Support asserting outputs in authzquery test
Emyrk Feb 3, 2023
2e435cf
Require outputs to be asserted
Emyrk Feb 3, 2023
792cbb6
Fix comment
Emyrk Feb 3, 2023
1336e28
allow skipping outputs
Emyrk Feb 3, 2023
0923780
Fix user tests to expect outputs
Emyrk Feb 3, 2023
92f89ec
fix api key unit tests to expect outputs
Emyrk Feb 3, 2023
acae52b
values audit_test.go
johnstcn Feb 3, 2023
764b0a0
Implement outputs for workspace tests
Emyrk Feb 3, 2023
0cee453
Some system outputs
Emyrk Feb 3, 2023
d1e3214
values file_test.go
johnstcn Feb 3, 2023
e799713
values group_test.go
johnstcn Feb 3, 2023
cbb4502
Template outputs
Emyrk Feb 3, 2023
83a31cb
System outputs
Emyrk Feb 3, 2023
9010ad7
values job_test.go, methods_test.go
johnstcn Feb 3, 2023
912c97a
Add organization output
Emyrk Feb 3, 2023
a3f67bb
values license_test.go
johnstcn Feb 3, 2023
7d31209
Merge remote-tracking branch 'origin/authzquerier_layer' into authzqu…
johnstcn Feb 3, 2023
2c906e5
Add parameters ooutput
Emyrk Feb 3, 2023
5e92648
Api key and audit fix
Emyrk Feb 3, 2023
04cce68
Fix file outputs
Emyrk Feb 3, 2023
712c0f4
Fix groups
Emyrk Feb 3, 2023
8f92a77
Fix job, license, and org
Emyrk Feb 3, 2023
3df9848
System done
Emyrk Feb 3, 2023
90a9d87
Fix templates
Emyrk Feb 3, 2023
8b39d7e
Fix most users
Emyrk Feb 3, 2023
a621743
Linting
Emyrk Feb 3, 2023
2c002bd
workspace_test.go values fix
johnstcn Feb 3, 2023
cbd5cb4
nolint unreachable
johnstcn Feb 3, 2023
6fed479
Fix all user method tests
Emyrk Feb 3, 2023
5928c37
Add unit tests for InTx and Ping
Emyrk Feb 3, 2023
46b8366
Add AuthorizedXX tests
Emyrk Feb 3, 2023
21a6f6a
api: skip Authorize if codersdk.ExperimentAuthzQuerier enabled
johnstcn Feb 3, 2023
d6810de
Merge remote-tracking branch 'origin/authzquerier_layer' into authzqu…
johnstcn Feb 3, 2023
889b650
Only abort early on checks that should be removed
Emyrk Feb 3, 2023
72ed503
remove authorizedQuery
Emyrk Feb 3, 2023
94ff5ef
authzquery: use GetProvisionerJobById to auth GetWorkspaceResourceByID
johnstcn Feb 3, 2023
38a90de
Merge remote-tracking branch 'origin/authzquerier_layer' into authzqu…
johnstcn Feb 3, 2023
c962897
All insert generic functions use rbac.ActionCreate
Emyrk Feb 3, 2023
62e3fa0
Fix unit tests that use create over update
Emyrk Feb 3, 2023
a0725b9
un-skip TestAuthorizeAllEndpoints and remove always-true conditional …
johnstcn Feb 3, 2023
a4c4489
Merge remote-tracking branch 'origin/authzquerier_layer' into authzqu…
johnstcn Feb 3, 2023
567cfa4
Merge remote-tracking branch 'origin/main' into authzquerier_layer
johnstcn Feb 3, 2023
91910af
fixup! un-skip TestAuthorizeAllEndpoints and remove always-true condi…
johnstcn Feb 3, 2023
dce10b5
where my members at yo
johnstcn Feb 3, 2023
58b71f9
Allow out of order slicing
Emyrk Feb 3, 2023
833bbc2
Use slice.New()
Emyrk Feb 3, 2023
fcfdb4e
paralalalaleleleel
johnstcn Feb 3, 2023
8858fd3
Ordering of users in fetch
Emyrk Feb 3, 2023
64e0f8c
Add actual scope to workspace agent ctx
Emyrk Feb 6, 2023
9d6ab90
Merge remote-tracking branch 'origin/main' into authzquerier_layer
Emyrk Feb 6, 2023
1821dcb
RBAC UserData should use the correct rbac resource
Emyrk Feb 7, 2023
7c9f686
Remove workspace IDs filter arg
Emyrk Feb 7, 2023
eda4e0a
rename authzquery.NewAuthzQuerier to authzquery.New
johnstcn Feb 7, 2023
073aa2c
Start removing QueryByRelated
Emyrk Feb 7, 2023
4fe26e9
Start removing QueryByRelated
Emyrk Feb 7, 2023
13f1c9f
remove queryWithRelated
johnstcn Feb 7, 2023
ba172ea
Fixup generic func comments
Emyrk Feb 7, 2023
509ebdc
fixup! remove queryWithRelated
johnstcn Feb 7, 2023
802272b
remove todo
Emyrk Feb 7, 2023
57cde94
Improve readability of generics and arguments
Emyrk Feb 7, 2023
4daa878
Update fetchAndQuery comment
Emyrk Feb 7, 2023
4608462
Fix comment about system functions
Emyrk Feb 7, 2023
2767264
remove insert() function
johnstcn Feb 7, 2023
fc3ae4b
insertWithReturn is the new insert
johnstcn Feb 7, 2023
bf653b6
Merge remote-tracking branch 'origin/authzquerier_layer' into authzqu…
johnstcn Feb 7, 2023
ca68db2
Remove duplicate workspace agent scope
Emyrk Feb 7, 2023
f1f05cc
Pass agent ctx into activityBumpWorkspace
Emyrk Feb 7, 2023
eb38c0d
remove panic
johnstcn Feb 7, 2023
b96bb21
Merge remote-tracking branch 'origin/authzquerier_layer' into authzqu…
johnstcn Feb 7, 2023
0a061be
Remove uneeded comments
Emyrk Feb 7, 2023
8295eb3
Use 's' for all suite methods
Emyrk Feb 7, 2023
c2bc20e
Reduce LoC by using setup and teardown test
Emyrk Feb 7, 2023
3bd3e89
Remove nested "RunMethodTest", use new assertions
Emyrk Feb 7, 2023
052c531
Start converting tests to the new format
Emyrk Feb 7, 2023
6aa55ac
refactor out error test
Emyrk Feb 7, 2023
72d0a4e
Update unit test teardown to include NoActorError
Emyrk Feb 7, 2023
4c68562
Attempt a new style of subtest
Emyrk Feb 7, 2023
fdfdd73
Fix user tests to use new subtest strategy
Emyrk Feb 7, 2023
c902715
Fix unit tests names
Emyrk Feb 7, 2023
f5dbd3e
Convert more tests to new format
Emyrk Feb 7, 2023
97ad3df
Convert all unit tests
Emyrk Feb 7, 2023
b369c99
Add comments
Emyrk Feb 7, 2023
03d42d3
remove unused code
Emyrk Feb 7, 2023
69d1aa3
rename MethodCase to expects
Emyrk Feb 7, 2023
3861a43
Merge remote-tracking branch 'origin/main' into authzquerier_layer
Emyrk Feb 7, 2023
9e7ff9a
DB function was renamed/changed
Emyrk Feb 7, 2023
9dc357e
imports
johnstcn Feb 8, 2023
ad6ad36
authzquery -> database/dbauthz
johnstcn Feb 8, 2023
0985060
conditionally skip TestAuthorizeAllEndpoints
johnstcn Feb 8, 2023
d4e1124
userauth: use systemCtx when setting user groups
johnstcn Feb 8, 2023
4e6b43f
Merge branch 'cj/dbauthz' into authzquerier_layer
johnstcn Feb 8, 2023
22e1057
fixup! authzquery -> database/dbauthz
johnstcn Feb 8, 2023
c5346ad
rm todo
johnstcn Feb 8, 2023
7a14b64
Condense into 1 file
Emyrk Feb 8, 2023
b89b430
doc.go
Emyrk Feb 8, 2023
21532a6
Update coderd/database/dbauthz/doc.go
Emyrk Feb 8, 2023
6a7970f
Move files around, consolidate to dbauthz.go
Emyrk Feb 8, 2023
399241a
Merge remote-tracking branch 'origin/main' into authzquerier_layer
Emyrk Feb 8, 2023
924ef9c
fix unit test to work with dbauthz
Emyrk Feb 8, 2023
2cf0fb2
Consolidate files
Emyrk Feb 8, 2023
d1bb7cf
goimports
johnstcn Feb 9, 2023
ef97e4b
rename methods.go -> querier.go
johnstcn Feb 9, 2023
951d74f
Do not export the authzQuerier
Emyrk Feb 9, 2023
2cf1cad
Rename to "querier", add unit test for double wrap protection
Emyrk Feb 9, 2023
a9f2581
remove duplicate dbauthz init
johnstcn Feb 10, 2023
832d91a
use codersdk experiment value instead of hard-coded string
johnstcn Feb 10, 2023
0ddee07
Merge remote-tracking branch 'origin/main' into authzquerier_layer
johnstcn Feb 10, 2023
cc76887
Merge remote-tracking branch 'origin/main' into authzquerier_layer
johnstcn Feb 10, 2023
002f354
Remove rbac ctx from provisionerd
Emyrk Feb 10, 2023
039e1e2
fixup! Remove rbac ctx from provisionerd
Emyrk Feb 10, 2023
b509b8f
wip: dbauthz.WithAuthorizeSystemContext -> dbauthz.AsSystem()
johnstcn Feb 10, 2023
524394f
Add lint rule to prevent system ctx abuse
Emyrk Feb 10, 2023
f666e13
fixup! wip: dbauthz.WithAuthorizeSystemContext -> dbauthz.AsSystem()
johnstcn Feb 10, 2023
1a97843
Merge remote-tracking branch 'origin/authzquerier_layer' into authzqu…
johnstcn Feb 10, 2023
4b292e2
fix autobuild/executor unit tests
johnstcn Feb 10, 2023
bebe638
Add middleware for using system ctx in middlewares
Emyrk Feb 10, 2023
f99c778
fix compile errors
johnstcn Feb 10, 2023
84bc12f
set system ctx in provisionerdserver
johnstcn Feb 10, 2023
c5e69fa
Unit test the AsAuthzSystem mw
Emyrk Feb 10, 2023
a93c2d5
Update unit tests to cover the no actor case
Emyrk Feb 10, 2023
f7023a4
Typo
Emyrk Feb 10, 2023
035609b
remove todo
Emyrk Feb 10, 2023
bbe4f18
User proper rbac errors in unit test
Emyrk Feb 10, 2023
f0bbaaf
Add unit test to cover prepareSQL error case
Emyrk Feb 10, 2023
51a2dae
NullUUID is empty, so takeFirst fails
Emyrk Feb 10, 2023
00955e0
Add AsSystem
Emyrk Feb 10, 2023
2289f4d
Fix internal error logging
Emyrk Feb 10, 2023
106d58b
Remove error noise in unit tests
Emyrk Feb 10, 2023
2724dfd
Use AsSystem for decrypting encrypted api keys
Emyrk Feb 10, 2023
2c34f6d
fix linter errors
johnstcn Feb 13, 2023
c54afc5
userauth: create API key as user instead of as system
johnstcn Feb 13, 2023
d282e9c
Merge remote-tracking branch 'origin/main' into authzquerier_layer
johnstcn Feb 13, 2023
7334046
Remove unused file
Emyrk Feb 13, 2023
3dbbc71
Use system context to set a disconnected agent
Emyrk Feb 13, 2023
cd6096f
Log error on failed agent disconnect update
Emyrk Feb 13, 2023
eb2497a
Merge remote-tracking branch 'origin/main' into authzquerier_layer
Emyrk Feb 14, 2023
d2c7a1f
Unit tests do not handle error log well
Emyrk Feb 14, 2023
99fa810
Merge remote-tracking branch 'origin/main' into authzquerier_layer
Emyrk Feb 14, 2023
1dfa287
Fix license uuid in merge
Emyrk Feb 14, 2023
57ab200
Fix unit test error logging
Emyrk Feb 14, 2023
306c591
Correct the returned error from not authorized
Emyrk Feb 14, 2023
f39cee0
Fix if/else logic
Emyrk Feb 14, 2023
2ed5588
fixup! Fix if/else logic
Emyrk Feb 14, 2023
c09b077
Merge remote-tracking branch 'origin/main' into authzquerier_layer
johnstcn Feb 14, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions coderd/authzquery/apikey.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,11 +10,11 @@ import (
)

func (q *AuthzQuerier) DeleteAPIKeyByID(ctx context.Context, id string) error {
return authorizedDelete(q.authorizer, q.database.GetAPIKeyByID, q.database.DeleteAPIKeyByID)(ctx, id)
return authorizedDelete(q.logger, q.authorizer, q.database.GetAPIKeyByID, q.database.DeleteAPIKeyByID)(ctx, id)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: these lines should be broken at something reasonable like 100 chars

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oof, my IDE line is set to 120. We do go over this often too though.

}

func (q *AuthzQuerier) GetAPIKeyByID(ctx context.Context, id string) (database.APIKey, error) {
return authorizedFetch(q.authorizer, q.database.GetAPIKeyByID)(ctx, id)
return authorizedFetch(q.logger, q.authorizer, q.database.GetAPIKeyByID)(ctx, id)
}

func (q *AuthzQuerier) GetAPIKeysByLoginType(ctx context.Context, loginType database.LoginType) ([]database.APIKey, error) {
Expand All @@ -26,7 +26,7 @@ func (q *AuthzQuerier) GetAPIKeysLastUsedAfter(ctx context.Context, lastUsed tim
}

func (q *AuthzQuerier) InsertAPIKey(ctx context.Context, arg database.InsertAPIKeyParams) (database.APIKey, error) {
return authorizedInsertWithReturn(q.authorizer,
return authorizedInsertWithReturn(q.logger, q.authorizer,
rbac.ActionRead,
rbac.ResourceAPIKey.WithOwner(arg.UserID.String()),
q.database.InsertAPIKey)(ctx, arg)
Expand All @@ -36,5 +36,5 @@ func (q *AuthzQuerier) UpdateAPIKeyByID(ctx context.Context, arg database.Update
fetch := func(ctx context.Context, arg database.UpdateAPIKeyByIDParams) (database.APIKey, error) {
return q.GetAPIKeyByID(ctx, arg.ID)
}
return authorizedUpdate(q.authorizer, fetch, q.database.UpdateAPIKeyByID)(ctx, arg)
return authorizedUpdate(q.logger, q.authorizer, fetch, q.database.UpdateAPIKeyByID)(ctx, arg)
}
2 changes: 1 addition & 1 deletion coderd/authzquery/audit.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ import (
)

func (q *AuthzQuerier) InsertAuditLog(ctx context.Context, arg database.InsertAuditLogParams) (database.AuditLog, error) {
return authorizedInsertWithReturn(q.authorizer, rbac.ActionCreate, rbac.ResourceAuditLog, q.database.InsertAuditLog)(ctx, arg)
return authorizedInsertWithReturn(q.logger, q.authorizer, rbac.ActionCreate, rbac.ResourceAuditLog, q.database.InsertAuditLog)(ctx, arg)
}

func (q *AuthzQuerier) GetAuditLogsOffset(ctx context.Context, arg database.GetAuditLogsOffsetParams) ([]database.GetAuditLogsOffsetRow, error) {
Expand Down
65 changes: 54 additions & 11 deletions coderd/authzquery/authz.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@ package authzquery
import (
"context"
"database/sql"
"fmt"

"cdr.dev/slog"

"golang.org/x/xerrors"

Expand All @@ -17,20 +20,51 @@ var (
// NoActorError wraps ErrNoRows for the api to return a 404. This is the correct
// response when the user is not authorized.
NoActorError = xerrors.Errorf("no authorization actor in context: %w", sql.ErrNoRows)
// TODO: Log this error every time it occurs.
NotAuthorizedError = xerrors.Errorf("unauthorized: %w", sql.ErrNoRows)
)

// NotAuthorizedError is a sentinal error that unwraps to sql.ErrNoRows.
// This allows the internal error to be read by the caller if needed. Otherwise
// it will be handled as a 404.
type NotAuthorizedError struct {
Err error
}

func (e NotAuthorizedError) Error() string {
return fmt.Sprintf("unauthorized: %s", e.Err.Error())
}

// Unwrap will always unwrap to a sql.ErrNoRows so the API returns a 404.
// So 'errors.Is(err, sql.ErrNoRows)' will always be true.
func (e NotAuthorizedError) Unwrap() error {
return sql.ErrNoRows
}

func LogNotAuthorizedError(ctx context.Context, logger slog.Logger, err error) error {
// Only log the errors if it is an UnauthorizedError error.
internalError := new(rbac.UnauthorizedError)
if err != nil && xerrors.As(err, internalError) {
logger.Debug(ctx, "unauthorized",
slog.F("internal", internalError.Internal()),
slog.F("input", internalError.Input()),
slog.Error(err),
)
}
return NotAuthorizedError{
Err: err,
}
}

func authorizedInsert[ArgumentType any,
Insert func(ctx context.Context, arg ArgumentType) error](
// Arguments
logger slog.Logger,
authorizer rbac.Authorizer,
action rbac.Action,
object rbac.Objecter,
insertFunc Insert) Insert {

return func(ctx context.Context, arg ArgumentType) error {
_, err := authorizedInsertWithReturn(authorizer, action, object, func(ctx context.Context, arg ArgumentType) (rbac.Objecter, error) {
_, err := authorizedInsertWithReturn(logger, authorizer, action, object, func(ctx context.Context, arg ArgumentType) (rbac.Objecter, error) {
return rbac.Object{}, insertFunc(ctx, arg)
})(ctx, arg)
return err
Expand All @@ -40,6 +74,7 @@ func authorizedInsert[ArgumentType any,
func authorizedInsertWithReturn[ObjectType any, ArgumentType any,
Insert func(ctx context.Context, arg ArgumentType) (ObjectType, error)](
// Arguments
logger slog.Logger,
authorizer rbac.Authorizer,
action rbac.Action,
object rbac.Objecter,
Expand All @@ -55,7 +90,7 @@ func authorizedInsertWithReturn[ObjectType any, ArgumentType any,
// Authorize the action
err = authorizer.Authorize(ctx, act, action, object.RBACObject())
if err != nil {
return empty, NotAuthorizedError
return empty, LogNotAuthorizedError(ctx, logger, err)
}

// Insert the database object
Expand All @@ -67,11 +102,12 @@ func authorizedDelete[ObjectType rbac.Objecter, ArgumentType any,
Fetch func(ctx context.Context, arg ArgumentType) (ObjectType, error),
Delete func(ctx context.Context, arg ArgumentType) error](
// Arguments
logger slog.Logger,
authorizer rbac.Authorizer,
fetchFunc Fetch,
deleteFunc Delete) Delete {

return authorizedFetchAndExec(authorizer,
return authorizedFetchAndExec(logger, authorizer,
rbac.ActionDelete, fetchFunc, deleteFunc)
}

Expand All @@ -80,23 +116,25 @@ func authorizedUpdateWithReturn[ObjectType rbac.Objecter,
Fetch func(ctx context.Context, arg ArgumentType) (ObjectType, error),
UpdateQuery func(ctx context.Context, arg ArgumentType) (ObjectType, error)](
// Arguments
logger slog.Logger,
authorizer rbac.Authorizer,
fetchFunc Fetch,
updateQuery UpdateQuery) UpdateQuery {

return authorizedFetchAndQuery(authorizer, rbac.ActionUpdate, fetchFunc, updateQuery)
return authorizedFetchAndQuery(logger, authorizer, rbac.ActionUpdate, fetchFunc, updateQuery)
}

func authorizedUpdate[ObjectType rbac.Objecter,
ArgumentType any,
Fetch func(ctx context.Context, arg ArgumentType) (ObjectType, error),
Exec func(ctx context.Context, arg ArgumentType) error](
// Arguments
logger slog.Logger,
authorizer rbac.Authorizer,
fetchFunc Fetch,
updateExec Exec) Exec {

return authorizedFetchAndExec(authorizer, rbac.ActionUpdate, fetchFunc, updateExec)
return authorizedFetchAndExec(logger, authorizer, rbac.ActionUpdate, fetchFunc, updateExec)
}

// authorizedFetchAndExecWithConverter uses authorizedFetchAndQueryWithConverter but
Expand All @@ -107,12 +145,13 @@ func authorizedFetchAndExec[ObjectType rbac.Objecter,
Fetch func(ctx context.Context, arg ArgumentType) (ObjectType, error),
Exec func(ctx context.Context, arg ArgumentType) error](
// Arguments
logger slog.Logger,
authorizer rbac.Authorizer,
action rbac.Action,
fetchFunc Fetch,
execFunc Exec) Exec {

f := authorizedFetchAndQuery(authorizer, action, fetchFunc, func(ctx context.Context, arg ArgumentType) (empty ObjectType, err error) {
f := authorizedFetchAndQuery(logger, authorizer, action, fetchFunc, func(ctx context.Context, arg ArgumentType) (empty ObjectType, err error) {
return empty, execFunc(ctx, arg)
})
return func(ctx context.Context, arg ArgumentType) error {
Expand All @@ -125,6 +164,7 @@ func authorizedFetchAndQuery[ObjectType rbac.Objecter, ArgumentType any,
Fetch func(ctx context.Context, arg ArgumentType) (ObjectType, error),
Query func(ctx context.Context, arg ArgumentType) (ObjectType, error)](
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I still don't understand the difference between a fetch and a query. They have the same signature.

The next method is called "fetch" and says, "fetch is a generic function that wraps a database query" suggesting that maybe they are interchangeable?

This file is extremely abstract, so it is extremely important that we pick a consistent set of terms, define them tightly, and stick to the definitions.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The difference is a fetch has no side effects, a query does. I commented what fetchAndQuery does.

// fetchAndQuery is a generic function that wraps a database fetch and query.
// A query has potential side effects in the database (update, delete, etc).
// The fetch is used to know which rbac object the action should be asserted on
// **before** the query runs. The returns from the fetch are only used to
// assert rbac. The final return of this function comes from the Query function.

// Arguments
logger slog.Logger,
authorizer rbac.Authorizer,
action rbac.Action,
fetchFunc Fetch,
Expand All @@ -146,7 +186,7 @@ func authorizedFetchAndQuery[ObjectType rbac.Objecter, ArgumentType any,
// Authorize the action
err = authorizer.Authorize(ctx, act, action, object.RBACObject())
if err != nil {
return empty, NotAuthorizedError
return empty, LogNotAuthorizedError(ctx, logger, err)
}

return queryFunc(ctx, arg)
Expand All @@ -156,10 +196,11 @@ func authorizedFetchAndQuery[ObjectType rbac.Objecter, ArgumentType any,
func authorizedFetch[ObjectType rbac.Objecter, ArgumentType any,
Fetch func(ctx context.Context, arg ArgumentType) (ObjectType, error)](
// Arguments
logger slog.Logger,
authorizer rbac.Authorizer,
fetchFunc Fetch) Fetch {

return authorizedQuery(authorizer, rbac.ActionRead, fetchFunc)
return authorizedQuery(logger, authorizer, rbac.ActionRead, fetchFunc)
}

// authorizedQuery is a generic function that wraps a database
Expand All @@ -175,6 +216,7 @@ func authorizedFetch[ObjectType rbac.Objecter, ArgumentType any,
func authorizedQuery[ArgumentType any, ObjectType rbac.Objecter,
DatabaseFunc func(ctx context.Context, arg ArgumentType) (ObjectType, error)](
// Arguments
logger slog.Logger,
authorizer rbac.Authorizer,
action rbac.Action,
f DatabaseFunc) DatabaseFunc {
Expand All @@ -195,7 +237,7 @@ func authorizedQuery[ArgumentType any, ObjectType rbac.Objecter,
// Authorize the action
err = authorizer.Authorize(ctx, act, action, object.RBACObject())
if err != nil {
return empty, NotAuthorizedError
return empty, LogNotAuthorizedError(ctx, logger, err)
}

return object, nil
Expand Down Expand Up @@ -236,6 +278,7 @@ func authorizedFetchSet[ArgumentType any, ObjectType rbac.Objecter,
// are predicated on the RBAC permissions of the related Template object.
func authorizedQueryWithRelated[ObjectType any, ArgumentType any, Related rbac.Objecter](
// Arguments
logger slog.Logger,
authorizer rbac.Authorizer,
action rbac.Action,
relatedFunc func(ObjectType, ArgumentType) (Related, error),
Expand Down
25 changes: 24 additions & 1 deletion coderd/authzquery/authz_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,19 +2,42 @@ package authzquery_test

import (
"context"
"database/sql"
"reflect"
"testing"

"cdr.dev/slog"
"github.com/stretchr/testify/require"

"cdr.dev/slog/sloggers/slogtest"

"golang.org/x/xerrors"

"github.com/google/uuid"

"cdr.dev/slog"
"github.com/coder/coder/coderd/authzquery"
"github.com/coder/coder/coderd/coderdtest"
"github.com/coder/coder/coderd/database/databasefake"
"github.com/coder/coder/coderd/rbac"
)

func TestNotAuthorizedError(t *testing.T) {
t.Parallel()

t.Run("Is404", func(t *testing.T) {
t.Parallel()

testErr := xerrors.New("custom error")

err := authzquery.LogNotAuthorizedError(context.Background(), slogtest.Make(t, nil), testErr)
require.ErrorIs(t, err, sql.ErrNoRows, "must be a sql.ErrNoRows")

var authErr authzquery.NotAuthorizedError
require.ErrorAs(t, err, &authErr, "must be a NotAuthorizedError")
require.ErrorIs(t, authErr.Err, testErr, "internal error must match")
})
}

// TestAuthzQueryRecursive is a simple test to search for infinite recursion
// bugs. It isn't perfect, and only catches a subset of the possible bugs
// as only the first db call will be made. But it is better than nothing.
Expand Down
6 changes: 2 additions & 4 deletions coderd/authzquery/authzquerier.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,6 @@ import (

"cdr.dev/slog"

"golang.org/x/xerrors"

"github.com/coder/coder/coderd/database"
"github.com/coder/coder/coderd/rbac"
)
Expand Down Expand Up @@ -58,12 +56,12 @@ func (q *AuthzQuerier) InTx(function func(querier database.Store) error, txOpts
func (q *AuthzQuerier) authorizeContext(ctx context.Context, action rbac.Action, object rbac.Objecter) error {
act, ok := ActorFromContext(ctx)
if !ok {
return xerrors.Errorf("no authorization actor in context")
return NoActorError
}

err := q.authorizer.Authorize(ctx, act, action, object.RBACObject())
if err != nil {
return xerrors.Errorf("unauthorized: %w", err)
return LogNotAuthorizedError(ctx, q.logger, err)
}
return nil
}
6 changes: 3 additions & 3 deletions coderd/authzquery/file.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,13 +11,13 @@ import (
)

func (q *AuthzQuerier) GetFileByHashAndCreator(ctx context.Context, arg database.GetFileByHashAndCreatorParams) (database.File, error) {
return authorizedFetch(q.authorizer, q.database.GetFileByHashAndCreator)(ctx, arg)
return authorizedFetch(q.logger, q.authorizer, q.database.GetFileByHashAndCreator)(ctx, arg)
}

func (q *AuthzQuerier) GetFileByID(ctx context.Context, id uuid.UUID) (database.File, error) {
return authorizedFetch(q.authorizer, q.database.GetFileByID)(ctx, id)
return authorizedFetch(q.logger, q.authorizer, q.database.GetFileByID)(ctx, id)
}

func (q *AuthzQuerier) InsertFile(ctx context.Context, arg database.InsertFileParams) (database.File, error) {
return authorizedInsertWithReturn(q.authorizer, rbac.ActionCreate, rbac.ResourceFile.WithOwner(arg.CreatedBy.String()), q.database.InsertFile)(ctx, arg)
return authorizedInsertWithReturn(q.logger, q.authorizer, rbac.ActionCreate, rbac.ResourceFile.WithOwner(arg.CreatedBy.String()), q.database.InsertFile)(ctx, arg)
}
16 changes: 8 additions & 8 deletions coderd/authzquery/group.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,20 +11,20 @@ import (
)

func (q *AuthzQuerier) DeleteGroupByID(ctx context.Context, id uuid.UUID) error {
return authorizedDelete(q.authorizer, q.database.GetGroupByID, q.database.DeleteGroupByID)(ctx, id)
return authorizedDelete(q.logger, q.authorizer, q.database.GetGroupByID, q.database.DeleteGroupByID)(ctx, id)
}

func (q *AuthzQuerier) DeleteGroupMember(ctx context.Context, userID uuid.UUID) error {
// Deleting a group member counts as updating a group.
return authorizedUpdate(q.authorizer, q.database.GetGroupByID, q.database.DeleteGroupMember)(ctx, userID)
return authorizedUpdate(q.logger, q.authorizer, q.database.GetGroupByID, q.database.DeleteGroupMember)(ctx, userID)
}

func (q *AuthzQuerier) GetGroupByID(ctx context.Context, id uuid.UUID) (database.Group, error) {
return authorizedFetch(q.authorizer, q.database.GetGroupByID)(ctx, id)
return authorizedFetch(q.logger, q.authorizer, q.database.GetGroupByID)(ctx, id)
}

func (q *AuthzQuerier) GetGroupByOrgAndName(ctx context.Context, arg database.GetGroupByOrgAndNameParams) (database.Group, error) {
return authorizedFetch(q.authorizer, q.database.GetGroupByOrgAndName)(ctx, arg)
return authorizedFetch(q.logger, q.authorizer, q.database.GetGroupByOrgAndName)(ctx, arg)
}

func (q *AuthzQuerier) GetGroupMembers(ctx context.Context, groupID uuid.UUID) ([]database.User, error) {
Expand All @@ -41,23 +41,23 @@ func (q *AuthzQuerier) GetGroupMembers(ctx context.Context, groupID uuid.UUID) (

func (q *AuthzQuerier) InsertAllUsersGroup(ctx context.Context, organizationID uuid.UUID) (database.Group, error) {
// This method creates a new group.
return authorizedInsertWithReturn(q.authorizer, rbac.ActionCreate, rbac.ResourceGroup.InOrg(organizationID), q.database.InsertAllUsersGroup)(ctx, organizationID)
return authorizedInsertWithReturn(q.logger, q.authorizer, rbac.ActionCreate, rbac.ResourceGroup.InOrg(organizationID), q.database.InsertAllUsersGroup)(ctx, organizationID)
}

func (q *AuthzQuerier) InsertGroup(ctx context.Context, arg database.InsertGroupParams) (database.Group, error) {
return authorizedInsertWithReturn(q.authorizer, rbac.ActionCreate, rbac.ResourceGroup.InOrg(arg.OrganizationID), q.database.InsertGroup)(ctx, arg)
return authorizedInsertWithReturn(q.logger, q.authorizer, rbac.ActionCreate, rbac.ResourceGroup.InOrg(arg.OrganizationID), q.database.InsertGroup)(ctx, arg)
}

func (q *AuthzQuerier) InsertGroupMember(ctx context.Context, arg database.InsertGroupMemberParams) error {
fetch := func(ctx context.Context, arg database.InsertGroupMemberParams) (database.Group, error) {
return q.database.GetGroupByID(ctx, arg.GroupID)
}
return authorizedUpdate(q.authorizer, fetch, q.database.InsertGroupMember)(ctx, arg)
return authorizedUpdate(q.logger, q.authorizer, fetch, q.database.InsertGroupMember)(ctx, arg)
}

func (q *AuthzQuerier) UpdateGroupByID(ctx context.Context, arg database.UpdateGroupByIDParams) (database.Group, error) {
fetch := func(ctx context.Context, arg database.UpdateGroupByIDParams) (database.Group, error) {
return q.database.GetGroupByID(ctx, arg.ID)
}
return authorizedUpdateWithReturn(q.authorizer, fetch, q.database.UpdateGroupByID)(ctx, arg)
return authorizedUpdateWithReturn(q.logger, q.authorizer, fetch, q.database.UpdateGroupByID)(ctx, arg)
}
10 changes: 5 additions & 5 deletions coderd/authzquery/license.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,23 +16,23 @@ func (q *AuthzQuerier) GetLicenses(ctx context.Context) ([]database.License, err
}

func (q *AuthzQuerier) InsertLicense(ctx context.Context, arg database.InsertLicenseParams) (database.License, error) {
return authorizedInsertWithReturn(q.authorizer, rbac.ActionCreate, rbac.ResourceLicense, q.database.InsertLicense)(ctx, arg)
return authorizedInsertWithReturn(q.logger, q.authorizer, rbac.ActionCreate, rbac.ResourceLicense, q.database.InsertLicense)(ctx, arg)
}

func (q *AuthzQuerier) InsertOrUpdateLogoURL(ctx context.Context, value string) error {
return authorizedInsert(q.authorizer, rbac.ActionUpdate, rbac.ResourceDeploymentConfig, q.database.InsertOrUpdateLogoURL)(ctx, value)
return authorizedInsert(q.logger, q.authorizer, rbac.ActionUpdate, rbac.ResourceDeploymentConfig, q.database.InsertOrUpdateLogoURL)(ctx, value)
}

func (q *AuthzQuerier) InsertOrUpdateServiceBanner(ctx context.Context, value string) error {
return authorizedInsert(q.authorizer, rbac.ActionUpdate, rbac.ResourceDeploymentConfig, q.database.InsertOrUpdateServiceBanner)(ctx, value)
return authorizedInsert(q.logger, q.authorizer, rbac.ActionUpdate, rbac.ResourceDeploymentConfig, q.database.InsertOrUpdateServiceBanner)(ctx, value)
}

func (q *AuthzQuerier) GetLicenseByID(ctx context.Context, id int32) (database.License, error) {
return authorizedFetch(q.authorizer, q.database.GetLicenseByID)(ctx, id)
return authorizedFetch(q.logger, q.authorizer, q.database.GetLicenseByID)(ctx, id)
}

func (q *AuthzQuerier) DeleteLicense(ctx context.Context, id int32) (int32, error) {
err := authorizedDelete(q.authorizer, q.database.GetLicenseByID, func(ctx context.Context, id int32) error {
err := authorizedDelete(q.logger, q.authorizer, q.database.GetLicenseByID, func(ctx context.Context, id int32) error {
_, err := q.database.DeleteLicense(ctx, id)
return err
})(ctx, id)
Expand Down
Loading