coder · Emyrk · Feb 9, 2023 · Feb 9, 2023 · Feb 9, 2023 · Feb 9, 2023
diff --git a/coderd/coderdtest/authorize.go b/coderd/coderdtest/authorize.go
@@ -445,7 +445,7 @@ func NewAuthTester(ctx context.Context, t *testing.T, client *codersdk.Client, a
 func (a *AuthTester) Test(ctx context.Context, assertRoute map[string]RouteCheck, skipRoutes map[string]string) {
 	// Always fail auth from this point forward
 	a.authorizer.Wrapped = &FakeAuthorizer{
-		AlwaysReturn: rbac.ForbiddenWithInternal(xerrors.New("fake implementation"), nil, nil),
+		AlwaysReturn: rbac.ForbiddenWithInternal(xerrors.New("fake implementation"), rbac.Subject{}, "", rbac.Object{}, nil),
 	}
 
 	routeMissing := make(map[string]bool)

diff --git a/coderd/rbac/astvalue.go b/coderd/rbac/astvalue.go
@@ -0,0 +1,210 @@
+package rbac
+
+import (
+	"github.com/open-policy-agent/opa/ast"
+	"golang.org/x/xerrors"
+)
+
+// regoInputValue returns a rego input value for the given subject, action, and
+// object. This rego input is already parsed and can be used directly in a
+// rego query.
+func regoInputValue(subject Subject, action Action, object Object) (ast.Value, error) {
+	regoSubj, err := subject.regoValue()
+	if err != nil {
+		return nil, xerrors.Errorf("subject: %w", err)
+	}
+
+	s := [2]*ast.Term{
+		ast.StringTerm("subject"),
+		ast.NewTerm(regoSubj),
+	}
+	a := [2]*ast.Term{
+		ast.StringTerm("action"),
+		ast.StringTerm(string(action)),
+	}
+	o := [2]*ast.Term{
+		ast.StringTerm("object"),
+		ast.NewTerm(object.regoValue()),
+	}
+
+	input := ast.NewObject(s, a, o)
+
+	return input, nil
+}
+
+// regoPartialInputValue is the same as regoInputValue but only includes the
+// object type. This is for partial evaluations.
+func regoPartialInputValue(subject Subject, action Action, objectType string) (ast.Value, error) {
+	regoSubj, err := subject.regoValue()
+	if err != nil {
+		return nil, xerrors.Errorf("subject: %w", err)
+	}
+
+	s := [2]*ast.Term{
+		ast.StringTerm("subject"),
+		ast.NewTerm(regoSubj),
+	}
+	a := [2]*ast.Term{
+		ast.StringTerm("action"),
+		ast.StringTerm(string(action)),
+	}
+	o := [2]*ast.Term{
+		ast.StringTerm("object"),
+		ast.NewTerm(ast.NewObject(
+			[2]*ast.Term{
+				ast.StringTerm("type"),
+				ast.StringTerm(objectType),
+			}),
+		),
+	}
+
+	input := ast.NewObject(s, a, o)
+
+	return input, nil
+}
+
+// regoValue returns the ast.Object representation of the subject.
+func (s Subject) regoValue() (ast.Value, error) {
+	subjRoles, err := s.Roles.Expand()
+	if err != nil {
+		return nil, xerrors.Errorf("expand roles: %w", err)
+	}
+
+	subjScope, err := s.Scope.Expand()
+	if err != nil {
+		return nil, xerrors.Errorf("expand scope: %w", err)
+	}
+	subj := ast.NewObject(
+		[2]*ast.Term{
+			ast.StringTerm("id"),
+			ast.StringTerm(s.ID),
+		},
+		[2]*ast.Term{
+			ast.StringTerm("roles"),
+			ast.NewTerm(regoSlice(subjRoles)),
+		},
+		[2]*ast.Term{
+			ast.StringTerm("scope"),
+			ast.NewTerm(subjScope.regoValue()),
+		},
+		[2]*ast.Term{
+			ast.StringTerm("groups"),
+			ast.NewTerm(regoSliceString(s.Groups...)),
+		},
+	)
+
+	return subj, nil
+}
+
+func (z Object) regoValue() ast.Value {
+	userACL := ast.NewObject()
+	for k, v := range z.ACLUserList {
+		userACL.Insert(ast.StringTerm(k), ast.NewTerm(regoSlice(v)))
+	}
+	grpACL := ast.NewObject()
+	for k, v := range z.ACLGroupList {
+		grpACL.Insert(ast.StringTerm(k), ast.NewTerm(regoSlice(v)))
+	}
+	return ast.NewObject(
+		[2]*ast.Term{
+			ast.StringTerm("id"),
+			ast.StringTerm(z.ID),
+		},
+		[2]*ast.Term{
+			ast.StringTerm("owner"),
+			ast.StringTerm(z.Owner),
+		},
+		[2]*ast.Term{
+			ast.StringTerm("org_owner"),
+			ast.StringTerm(z.OrgID),
+		},
+		[2]*ast.Term{
+			ast.StringTerm("type"),
+			ast.StringTerm(z.Type),
+		},
+		[2]*ast.Term{
+			ast.StringTerm("acl_user_list"),
+			ast.NewTerm(userACL),
+		},
+		[2]*ast.Term{
+			ast.StringTerm("acl_group_list"),
+			ast.NewTerm(grpACL),
+		},
+	)
+}
+
+func (role Role) regoValue() ast.Value {
+	orgMap := ast.NewObject()
+	for k, p := range role.Org {
+		orgMap.Insert(ast.StringTerm(k), ast.NewTerm(regoSlice(p)))
+	}
+	return ast.NewObject(
+		[2]*ast.Term{
+			ast.StringTerm("site"),
+			ast.NewTerm(regoSlice(role.Site)),
+		},
+		[2]*ast.Term{
+			ast.StringTerm("org"),
+			ast.NewTerm(orgMap),
+		},
+		[2]*ast.Term{
+			ast.StringTerm("user"),
+			ast.NewTerm(regoSlice(role.User)),
+		},
+	)
+}
+
+func (s Scope) regoValue() ast.Value {
+	r, ok := s.Role.regoValue().(ast.Object)
+	if !ok {
+		panic("developer error: role is not an object")
+	}
+	r.Insert(
+		ast.StringTerm("allow_list"),
+		ast.NewTerm(regoSliceString(s.AllowIDList...)),
+	)
+	return r
+}
+
+func (perm Permission) regoValue() ast.Value {
+	return ast.NewObject(
+		[2]*ast.Term{
+			ast.StringTerm("negate"),
+			ast.BooleanTerm(perm.Negate),
+		},
+		[2]*ast.Term{
+			ast.StringTerm("resource_type"),
+			ast.StringTerm(perm.ResourceType),
+		},
+		[2]*ast.Term{
+			ast.StringTerm("action"),
+			ast.StringTerm(string(perm.Action)),
+		},
+	)
+}
+
+func (act Action) regoValue() ast.Value {
+	return ast.StringTerm(string(act)).Value
+}
+
+type regoValue interface {
+	regoValue() ast.Value
+}
+
+// regoSlice returns the ast.Array representation of the slice.
+// The slice must contain only types that implement the regoValue interface.
+func regoSlice[T regoValue](slice []T) *ast.Array {
+	terms := make([]*ast.Term, len(slice))
+	for i, v := range slice {
+		terms[i] = ast.NewTerm(v.regoValue())
+	}
+	return ast.NewArray(terms...)
+}
+
+func regoSliceString(slice ...string) *ast.Array {
+	terms := make([]*ast.Term, len(slice))
+	for i, v := range slice {
+		terms[i] = ast.StringTerm(v)
+	}
+	return ast.NewArray(terms...)
+}
diff --git a/coderd/rbac/authz.go b/coderd/rbac/authz.go
@@ -263,34 +263,18 @@ func (a RegoAuthorizer) authorize(ctx context.Context, subject Subject, action A
 		return xerrors.Errorf("subject must have a scope")
 	}
 
-	subjRoles, err := subject.Roles.Expand()
+	astV, err := regoInputValue(subject, action, object)
 	if err != nil {
-		return xerrors.Errorf("expand roles: %w", err)
+		return xerrors.Errorf("convert input to value: %w", err)
 	}
 
-	subjScope, err := subject.Scope.Expand()
+	results, err := a.query.Eval(ctx, rego.EvalParsedInput(astV))
 	if err != nil {
-		return xerrors.Errorf("expand scope: %w", err)
-	}
-
-	input := map[string]interface{}{
-		"subject": authSubject{
-			ID:     subject.ID,
-			Roles:  subjRoles,
-			Groups: subject.Groups,
-			Scope:  subjScope,
-		},
-		"object": object,
-		"action": action,
-	}
-
-	results, err := a.query.Eval(ctx, rego.EvalInput(input))
-	if err != nil {
-		return ForbiddenWithInternal(xerrors.Errorf("eval rego: %w", err), input, results)
+		return ForbiddenWithInternal(xerrors.Errorf("eval rego: %w", err), subject, action, object, results)
 	}
 
 	if !results.Allowed() {
-		return ForbiddenWithInternal(xerrors.Errorf("policy disallows request"), input, results)
+		return ForbiddenWithInternal(xerrors.Errorf("policy disallows request"), subject, action, object, results)
 	}
 	return nil
 }

diff --git a/coderd/rbac/builtin.go b/coderd/rbac/builtin.go
@@ -1,6 +1,7 @@
 package rbac
 
 import (
+	"sort"
 	"strings"
 
 	"github.com/google/uuid"
@@ -79,6 +80,8 @@ var (
 				Site: permissions(map[string][]Action{
 					ResourceWildcard.Type: {WildcardSymbol},
 				}),
+				Org:  map[string][]Permission{},
+				User: []Permission{},
 			}
 		},
 
@@ -94,6 +97,7 @@ var (
 					// All users can see the provisioner daemons.
 					ResourceProvisionerDaemon.Type: {ActionRead},
 				}),
+				Org: map[string][]Permission{},
 				User: permissions(map[string][]Action{
 					ResourceWildcard.Type: {WildcardSymbol},
 				}),
@@ -113,6 +117,8 @@ var (
 					ResourceTemplate.Type: {ActionRead},
 					ResourceAuditLog.Type: {ActionRead},
 				}),
+				Org:  map[string][]Permission{},
+				User: []Permission{},
 			}
 		},
 
@@ -128,6 +134,8 @@ var (
 					// CRUD to provisioner daemons for now.
 					ResourceProvisionerDaemon.Type: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
 				}),
+				Org:  map[string][]Permission{},
+				User: []Permission{},
 			}
 		},
 
@@ -142,6 +150,8 @@ var (
 					ResourceOrganizationMember.Type: {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
 					ResourceGroup.Type:              {ActionCreate, ActionRead, ActionUpdate, ActionDelete},
 				}),
+				Org:  map[string][]Permission{},
+				User: []Permission{},
 			}
 		},
 
@@ -151,6 +161,7 @@ var (
 			return Role{
 				Name:        roleName(orgAdmin, organizationID),
 				DisplayName: "Organization Admin",
+				Site:        []Permission{},
 				Org: map[string][]Permission{
 					organizationID: {
 						{
@@ -160,6 +171,7 @@ var (
 						},
 					},
 				},
+				User: []Permission{},
 			}
 		},
 
@@ -169,6 +181,7 @@ var (
 			return Role{
 				Name:        roleName(orgMember, organizationID),
 				DisplayName: "",
+				Site:        []Permission{},
 				Org: map[string][]Permission{
 					organizationID: {
 						{
@@ -192,6 +205,7 @@ var (
 						},
 					},
 				},
+				User: []Permission{},
 			}
 		},
 	}
@@ -422,5 +436,9 @@ func permissions(perms map[string][]Action) []Permission {
 			})
 		}
 	}
+	// Deterministic ordering of permissions
+	sort.Slice(list, func(i, j int) bool {
+		return list[i].ResourceType < list[j].ResourceType
+	})
 	return list
 }