Skip to content

test: Handle Filter flake with ctx errors #7119

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 8 commits into from
Apr 14, 2023
Merged

test: Handle Filter flake with ctx errors #7119

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
6d41edc
test: Handle Fitler flake with ctx errors
Emyrk Apr 13, 2023
633fab3
Add unit test to check filter for proper error
Emyrk Apr 14, 2023
46b5099
Correctly return category of errors
Emyrk Apr 14, 2023
c150c53
Add skip msg
Emyrk Apr 14, 2023
0c52c87
Fix
Emyrk Apr 14, 2023
1d509f8
Fix?
Emyrk Apr 14, 2023
cddbafb
Fix typos
Emyrk Apr 14, 2023
75b840a
Fmt
Emyrk Apr 14, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 12 additions & 2 deletions coderd/rbac/authz.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -137,6 +137,10 @@ func Filter[O Objecter](ctx context.Context, auth Authorizer, subject Subject, a
err := auth.Authorize(ctx, subject, action, o.RBACObject())
if err == nil {
filtered = append(filtered, o)
} else if !IsUnauthorizedError(err) {
// If the error is not the expected "Unauthorized" error, then
// it is something unexpected.
return nil, err
}
}
return filtered, nil
Expand All @@ -155,6 +159,10 @@ func Filter[O Objecter](ctx context.Context, auth Authorizer, subject Subject, a
err := prepared.Authorize(ctx, rbacObj)
if err == nil {
filtered = append(filtered, object)
} else if !IsUnauthorizedError(err) {
// If the error is not the expected "Unauthorized" error, then
// it is something unexpected.
return nil, err
}
}

Expand Down Expand Up @@ -319,7 +327,8 @@ func (a RegoAuthorizer) authorize(ctx context.Context, subject Subject, action A

results, err := a.query.Eval(ctx, rego.EvalParsedInput(astV))
if err != nil {
return ForbiddenWithInternal(xerrors.Errorf("eval rego: %w", err), subject, action, object, results)
err = correctCancelError(err)
return xerrors.Errorf("evaluate rego: %w", err)
Comment on lines +330 to +331
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For authorize single items.

}

if !results.Allowed() {
Expand Down Expand Up @@ -430,7 +439,8 @@ EachQueryLoop:
// We need to eval each query with the newly known fields.
results, err := q.Eval(ctx, rego.EvalParsedInput(parsed))
if err != nil {
continue EachQueryLoop
err = correctCancelError(err)
return xerrors.Errorf("eval error: %w", err)
Comment on lines +442 to +443
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For prepared.

}

// If there are no results, then the query is false. This is because rego
Expand Down
69 changes: 59 additions & 10 deletions coderd/rbac/authz_internal_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,18 +30,67 @@ func (w fakeObject) RBACObject() Object {
}
}

// objectBomb is a wrapper around an Objecter that calls a function when
// RBACObject is called.
type objectBomb struct {
Objecter
bomb func()
}

func (o *objectBomb) RBACObject() Object {
o.bomb()
return o.Objecter.RBACObject()
}

func TestFilterError(t *testing.T) {
t.Parallel()
auth := NewAuthorizer(prometheus.NewRegistry())
subject := Subject{
ID: uuid.NewString(),
Roles: RoleNames{},
Groups: []string{},
Scope: ScopeAll,
}

_, err := Filter(context.Background(), auth, subject, ActionRead, []Object{ResourceUser, ResourceWorkspace})
require.ErrorContains(t, err, "object types must be uniform")
t.Run("DifferentResourceTypes", func(t *testing.T) {
t.Parallel()

auth := NewAuthorizer(prometheus.NewRegistry())
subject := Subject{
ID: uuid.NewString(),
Roles: RoleNames{},
Groups: []string{},
Scope: ScopeAll,
}

_, err := Filter(context.Background(), auth, subject, ActionRead, []Object{ResourceUser, ResourceWorkspace})
require.ErrorContains(t, err, "object types must be uniform")
})

t.Run("CancelledContext", func(t *testing.T) {
t.Parallel()
t.Skipf("This test is racy as rego eval checks the ctx cancelled in a go routine. " +
"It is a coin flip if the query finishes before the 'cancel' is checked. " +
"So sometimes the 'Authorize' call succeeds even if ctx is cancelled.")

auth := NewAuthorizer(prometheus.NewRegistry())
subject := Subject{
ID: uuid.NewString(),
Roles: RoleNames{
RoleOwner(),
},
Groups: []string{},
Scope: ScopeAll,
}

ctx, cancel := context.WithCancel(context.Background())
defer cancel()
objects := []Objecter{
ResourceUser,
ResourceUser,
&objectBomb{
Objecter: ResourceUser,
bomb: cancel,
},
ResourceUser,
}

_, err := Filter(ctx, auth, subject, ActionRead, objects)
require.ErrorIs(t, err, context.Canceled)
})
}

// TestFilter ensures the filter acts the same as an individual authorize.
Expand Down Expand Up @@ -170,7 +219,7 @@ func TestFilter(t *testing.T) {
localObjects := make([]fakeObject, len(objects))
copy(localObjects, objects)

ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort)
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitMedium)
defer cancel()
auth := NewAuthorizer(prometheus.NewRegistry())

Expand Down
17 changes: 17 additions & 0 deletions coderd/rbac/error.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,11 +1,14 @@
package rbac

import (
"context"
"errors"
"flag"
"fmt"

"github.com/open-policy-agent/opa/rego"
"github.com/open-policy-agent/opa/topdown"
"golang.org/x/xerrors"
)

const (
Expand Down Expand Up @@ -97,3 +100,17 @@ func (*UnauthorizedError) As(target interface{}) bool {
}
return false
}

// correctCancelError will return the correct error for a cancelled context. This
// is because rego changes a canceled context to a topdown.CancelErr. This error
// is not helpful if the code is "cancelled". To make the error conform with the
// rest of our cancelled errors, we will convert the error to a context.Canceled
// error. No good information is lost, as the topdown.CancelErr provides the
// location of the query that was cancelled, which does not matter.
func correctCancelError(err error) error {
e := new(topdown.Error)
if xerrors.As(err, &e) || e.Code == topdown.CancelErr {
return context.Canceled
}
return err
}