feat(coder): add authz_querier experiment (coder#5858)

johnstcn · web-flow · commit 8735f510479e · 2023-01-25T21:35:53.000Z
* feat(coderd): add authz_querier experiment

* coderdtest: wire up authz_querier

* wire up AuthzQuerier in coderd

* remove things that do not yet exist in this timeline

* add newline

* comment unreachable code
diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go
diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -154,6 +154,14 @@ func New(options *Options) *API {
 	if options == nil {
 		options = &Options{}
 	}
+	experiments := initExperiments(options.Logger, options.DeploymentConfig.Experiments.Value, options.DeploymentConfig.Experimental.Value)
+	// TODO: remove this once we promote authz_querier out of experiments.
+	if experiments.Enabled(codersdk.ExperimentAuthzQuerier) {
+		panic("Coming soon!")
+		// if _, ok := (options.Database).(*authzquery.AuthzQuerier); !ok {
+		// 	options.Database = authzquery.NewAuthzQuerier(options.Database, options.Authorizer)
+		// }
+	}
 	if options.AppHostname != "" && options.AppHostnameRegex == nil || options.AppHostname == "" && options.AppHostnameRegex != nil {
 		panic("coderd: both AppHostname and AppHostnameRegex must be set or unset")
 	}
@@ -222,7 +230,7 @@ func New(options *Options) *API {
 		},
 		metricsCache: metricsCache,
 		Auditor:      atomic.Pointer[audit.Auditor]{},
-		Experiments:  initExperiments(options.Logger, options.DeploymentConfig.Experiments.Value, options.DeploymentConfig.Experimental.Value),
+		Experiments:  experiments,
 	}
 	if options.UpdateCheckOptions != nil {
 		api.updateChecker = updatecheck.New(
diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go
@@ -21,6 +21,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"os"
 	"regexp"
 	"strconv"
 	"strings"
@@ -176,6 +177,14 @@ func NewOptions(t *testing.T, options *Options) (func(http.Handler), context.Can
 	if options.Database == nil {
 		options.Database, options.Pubsub = dbtestutil.NewDB(t)
 	}
+	// TODO: remove this once we're ready to enable authz querier by default.
+	if strings.Contains(os.Getenv("CODER_EXPERIMENTS_TEST"), "authz_querier") {
+		panic("Coming soon!")
+		// if options.Authorizer != nil {
+		// 	options.Authorizer = &RecordingAuthorizer{}
+		// }
+		// options.Database = authzquery.NewAuthzQuerier(options.Database, options.Authorizer)
+	}
 	if options.DeploymentConfig == nil {
 		options.DeploymentConfig = DeploymentConfig(t)
 	}
diff --git a/codersdk/experiments.go b/codersdk/experiments.go
@@ -9,8 +9,12 @@ import (
 type Experiment string
 
 const (
-// Add new experiments here!
-// ExperimentExample Experiment = "example"
+	// ExperimentAuthzQuerier is an internal experiment that enables the ExperimentAuthzQuerier
+	// interface for all RBAC operations. NOT READY FOR PRODUCTION USE.
+	ExperimentAuthzQuerier Experiment = "authz_querier"
+
+	// Add new experiments here!
+	// ExperimentExample Experiment = "example"
 )
 
 var (
diff --git a/docs/api/general.md b/docs/api/general.md
@@ -1072,17 +1072,23 @@ curl -X GET http://coder-server:8080/api/v2/experiments \
 > 200 Response
 
 ```json
-["string"]
+["authz_querier"]
 ```
 
 ### Responses
 
-| Status | Meaning                                                 | Description | Schema          |
-| ------ | ------------------------------------------------------- | ----------- | --------------- |
-| 200    | [OK](https://tools.ietf.org/html/rfc7231#section-6.3.1) | OK          | array of string |
+| Status | Meaning                                                 | Description | Schema                                                        |
+| ------ | ------------------------------------------------------- | ----------- | ------------------------------------------------------------- |
+| 200    | [OK](https://tools.ietf.org/html/rfc7231#section-6.3.1) | OK          | array of [codersdk.Experiment](schemas.md#codersdkexperiment) |
 
 <h3 id="get-experiments-responseschema">Response Schema</h3>
 
+Status Code **200**
+
+| Name           | Type  | Required | Restrictions | Description |
+| -------------- | ----- | -------- | ------------ | ----------- |
+| `[array item]` | array | false    |              |             |
+
 To perform this operation, you must be authenticated. [Learn more](authentication.md).
 
 ## Update check
diff --git a/docs/api/schemas.md b/docs/api/schemas.md
@@ -2439,6 +2439,20 @@ CreateParameterRequest is a structure used to create a new parameter value for a
 | `trial`            | boolean                              | false    |              |                                       |
 | `warnings`         | array of string                      | false    |              |                                       |
 
+## codersdk.Experiment
+
+```json
+"authz_querier"
+```
+
+### Properties
+
+#### Enumerated Values
+
+| Value           |
+| --------------- |
+| `authz_querier` |
+
 ## codersdk.Feature
 
 ```json
diff --git a/site/src/api/typesGenerated.ts b/site/src/api/typesGenerated.ts
@@ -1097,8 +1097,8 @@ export const Entitlements: Entitlement[] = [
 ]
 
 // From codersdk/experiments.go
-export type Experiment = never
-export const Experiments: Experiment[] = []
+export type Experiment = "authz_querier"
+export const Experiments: Experiment[] = ["authz_querier"]
 
 // From codersdk/features.go
 export type FeatureName =

Original file line number	Diff line number	Diff line change
`@@ -1097,8 +1097,8 @@ export const Entitlements: Entitlement[] = [`
`1097`	`1097`	`]`
`1098`	`1098`
`1099`	`1099`	`// From codersdk/experiments.go`
`1100`		`-export type Experiment = never`
`1101`		`-export const Experiments: Experiment[] = []`
	`1100`	`+export type Experiment = "authz_querier"`
	`1101`	`+export const Experiments: Experiment[] = ["authz_querier"]`
`1102`	`1102`
`1103`	`1103`	`// From codersdk/features.go`
`1104`	`1104`	`export type FeatureName =`