refactor(dbauthz): add authz for system-level functions #6513

Merged
merged 16 commits into from
Mar 10, 2023

Conversation

johnstcn
Member

@johnstcn johnstcn commented Mar 8, 2023

  • Introduces rbac.ResourceSystem
  • Grants system.* to system and provisionerd rbac subjects
  • Updates dbauthz system queries where applicable

Note: I'm skipping provisionerd and provisionerjob-related functions; we need to add RBAC resources for these. Will create a follow-up PR for this.

johnstcn added 3 commits March 9, 2023 09:45
- Introduces rbac.ResourceSystem
- Grants system.* to system and provisionerd rbac subjects
…st user, and when registering InMemoryProvisionerd
@johnstcn johnstcn force-pushed the cj/dbauthz-system branch from 35341eb to 6f40cf6 Compare March 9, 2023 09:45
@johnstcn johnstcn marked this pull request as ready for review March 9, 2023 16:55
@johnstcn johnstcn requested review from Emyrk and mafredri March 9, 2023 16:55
@@ -282,11 +282,6 @@ func (s *MethodTestSuite) TestProvsionerJob() {
check.Args(database.UpdateProvisionerJobWithCancelByIDParams{ID: j.ID}).
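Review bot: the test function in this hunk header is spelled TestProvsionerJob; since the provisioner-job test cases are being moved to system_test.go in this same change, renaming it to TestProvisionerJob now would avoid touching the file a second time. The removed lines are not shown here, so the moved case for UpdateProvisionerJobWithCancelByID should be confirmed to keep an equivalent check.Args(database.UpdateProvisionerJobWithCancelByIDParams{ID: j.ID}) assertion so coverage of that query does not drop with the move.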
Member Author

Note: most of the changes here are just moving the respective tests to system_test.go to keep things consistent.

@@ -963,6 +963,18 @@ func (q *querier) GetUserByID(ctx context.Context, id uuid.UUID) (database.User,
return fetch(q.log, q.auth, q.db.GetUserByID)(ctx, id)
}

// GetUsersByIDs is only used for usernames on workspace return data.
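Review bot: the new comment on GetUsersByIDs records who calls it ("only used for usernames on workspace return data") but not which authorization the added lines enforce; a caller comment is not an access control, so name the resource and action being checked (the thread mentions rbac.ResourceUser) so the usage assumption does not become the implicit security boundary if a second caller appears. GetUserByID directly above goes through fetch(q.log, q.auth, q.db.GetUserByID), and the batch variant should be held to the same read check per user rather than a weaker one.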
Member Author

Note: Moved this to querier from system and set a simple authz check here. I can move it back to system but it's probably better to use rbac.ResourceUser here.

Member

Fair 👍.

@@ -42,11 +59,16 @@ func TestProvisionerDaemonServe(t *testing.T) {
codersdk.FeatureExternalProvisionerDaemons: 1,
},
})
srv, err := client.ServeProvisionerDaemon(context.Background(), user.OrganizationID, []codersdk.ProvisionerType{
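Review bot: ServeProvisionerDaemon is called with context.Background(), which carries no deadline; a test that registers a daemon against a running server should pass a context cancelled when the test ends (a deadline or a cancel registered with t.Cleanup) so that a hang fails this test rather than stalling the suite. The hunk stops before the err from the srv, err := line is checked, so confirm the following lines assert on it, and that user here is the non-owner user the author describes so the test actually exercises the provisionerd subject's system.* grant rather than the owner role.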
Member Author

note: updated this test to use a separate user from owner

@mafredri mafredri left a comment

This looks good to me. Only one observation which seems fairly minor for now anyway.

@Emyrk Emyrk left a comment

LG, glad we protect these now.

@johnstcn johnstcn merged commit 144f374 into main Mar 10, 2023
@johnstcn johnstcn deleted the cj/dbauthz-system branch March 10, 2023 18:09
@github-actions github-actions bot locked and limited conversation to collaborators Mar 10, 2023