coder
diff --git a/‎coderd/coderd.go
Lines changed: 3 additions & 3 deletions b/‎coderd/coderd.go
Lines changed: 3 additions & 3 deletions
diff --git a/‎coderd/coderdtest/authorize.go
Lines changed: 1 addition & 1 deletion b/‎coderd/coderdtest/authorize.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/database/modelqueries.go
Lines changed: 3 additions & 3 deletions b/‎coderd/database/modelqueries.go
Lines changed: 3 additions & 3 deletions
diff --git a/‎coderd/rbac/README.md
Lines changed: 14 additions & 0 deletions b/‎coderd/rbac/README.md
Lines changed: 14 additions & 0 deletions
diff --git a/‎coderd/rbac/authz.go
Lines changed: 116 additions & 29 deletions b/‎coderd/rbac/authz.go
Lines changed: 116 additions & 29 deletions
diff --git a/‎coderd/rbac/authz_internal_test.go
Lines changed: 4 additions & 3 deletions b/‎coderd/rbac/authz_internal_test.go
Lines changed: 4 additions & 3 deletions
@@ -177,12 +177,12 @@ func New(options *Options) *API {
 	if options.FilesRateLimit == 0 {
 		options.FilesRateLimit = 12
 	}
-	if options.Authorizer == nil {
-		options.Authorizer = rbac.NewAuthorizer()
-	}
 	if options.PrometheusRegistry == nil {
 		options.PrometheusRegistry = prometheus.NewRegistry()
 	}
+	if options.Authorizer == nil {
+		options.Authorizer = rbac.NewAuthorizer(options.PrometheusRegistry)
+	}
 	if options.TailnetCoordinator == nil {
 		options.TailnetCoordinator = tailnet.NewCoordinator()
 	}
 
@@ -565,7 +565,7 @@ func (f *fakePreparedAuthorizer) Authorize(ctx context.Context, object rbac.Obje
 
 // CompileToSQL returns a compiled version of the authorizer that will work for
 // in memory databases. This fake version will not work against a SQL database.
-func (fakePreparedAuthorizer) CompileToSQL(_ regosql.ConvertConfig) (string, error) {
+func (fakePreparedAuthorizer) CompileToSQL(_ context.Context, _ regosql.ConvertConfig) (string, error) {
 	return "", xerrors.New("not implemented")
 }
 
 
@@ -33,7 +33,7 @@ type templateQuerier interface {
 }
 
 func (q *sqlQuerier) GetAuthorizedTemplates(ctx context.Context, arg GetTemplatesWithFilterParams, prepared rbac.PreparedAuthorized) ([]Template, error) {
-	authorizedFilter, err := prepared.CompileToSQL(regosql.ConvertConfig{
+	authorizedFilter, err := prepared.CompileToSQL(ctx, regosql.ConvertConfig{
 		VariableConverter: regosql.TemplateConverter(),
 	})
 	if err != nil {
@@ -183,7 +183,7 @@ type workspaceQuerier interface {
 // This code is copied from `GetWorkspaces` and adds the authorized filter WHERE
 // clause.
 func (q *sqlQuerier) GetAuthorizedWorkspaces(ctx context.Context, arg GetWorkspacesParams, prepared rbac.PreparedAuthorized) ([]GetWorkspacesRow, error) {
-	authorizedFilter, err := prepared.CompileToSQL(rbac.ConfigWithoutACL())
+	authorizedFilter, err := prepared.CompileToSQL(ctx, rbac.ConfigWithoutACL())
 	if err != nil {
 		return nil, xerrors.Errorf("compile authorized filter: %w", err)
 	}
@@ -249,7 +249,7 @@ type userQuerier interface {
 }
 
 func (q *sqlQuerier) GetAuthorizedUserCount(ctx context.Context, arg GetFilteredUserCountParams, prepared rbac.PreparedAuthorized) (int64, error) {
-	authorizedFilter, err := prepared.CompileToSQL(rbac.ConfigWithoutACL())
+	authorizedFilter, err := prepared.CompileToSQL(ctx, rbac.ConfigWithoutACL())
 	if err != nil {
 		return -1, xerrors.Errorf("compile authorized filter: %w", err)
 	}
 
@@ -71,3 +71,17 @@ Y indicates that the role provides positive permissions, N indicates the role pr
 | user            | \_   | \_   | Y    | Y      |
 |                 | \_   | \_   | N    | N      |
 | unauthenticated | \_   | \_   | \_   | N      |
+
+# Testing
+
+You can test outside of golang by using the `opa` cli.
+
+**Evaluation**
+
+opa eval --format=pretty 'false' -d policy.rego -i input.json
+
+**Partial Evaluation**
+
+```bash
+opa eval --partial --format=pretty 'data.authz.allow' -d policy.rego --unknowns input.object.owner --unknowns input.object.org_owner --unknowns input.object.acl_user_list --unknowns input.object.acl_group_list -i input.json
+```
@@ -4,8 +4,11 @@ import (
 	"context"
 	_ "embed"
 	"sync"
+	"time"
 
 	"github.com/open-policy-agent/opa/rego"
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/promauto"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/trace"
 	"golang.org/x/xerrors"
@@ -21,27 +24,37 @@ type Authorizer interface {
 
 type PreparedAuthorized interface {
 	Authorize(ctx context.Context, object Object) error
-	CompileToSQL(cfg regosql.ConvertConfig) (string, error)
+	CompileToSQL(ctx context.Context, cfg regosql.ConvertConfig) (string, error)
 }
 
 // Filter takes in a list of objects, and will filter the list removing all
 // the elements the subject does not have permission for. All objects must be
 // of the same type.
+//
+// Ideally the 'CompileToSQL' is used instead for large sets. This cost scales
+// linearly with the number of objects passed in.
 func Filter[O Objecter](ctx context.Context, auth Authorizer, subjID string, subjRoles []string, scope Scope, groups []string, action Action, objects []O) ([]O, error) {
-	ctx, span := tracing.StartSpan(ctx, trace.WithAttributes(
-		attribute.String("subject_id", subjID),
-		attribute.StringSlice("subject_roles", subjRoles),
-		attribute.Int("num_objects", len(objects)),
-	))
-	defer span.End()
-
 	if len(objects) == 0 {
 		// Nothing to filter
 		return objects, nil
 	}
 	objectType := objects[0].RBACObject().Type
 	filtered := make([]O, 0)
 
+	// Start the span after the object type is detected. If we are filtering 0
+	// objects, then the span is not interesting. It would just add excessive
+	// 0 time spans that provide no insight.
+	ctx, span := tracing.StartSpan(ctx,
+		rbacTraceAttributes(subjRoles, len(groups), scope, action, objectType,
+			// For filtering, we are only measuring the total time for the entire
+			// set of objects. This and the 'PrepareByRoleName' span time
+			// is all that is required to measure the performance of this
+			// function on a per-object basis.
+			attribute.Int("num_objects", len(objects)),
+		),
+	)
+	defer span.End()
+
 	// Running benchmarks on this function, it is **always** faster to call
 	// auth.ByRoleName on <10 objects. This is because the overhead of
 	// 'PrepareByRoleName'. Once we cross 10 objects, then it starts to become
@@ -82,6 +95,9 @@ func Filter[O Objecter](ctx context.Context, auth Authorizer, subjID string, sub
 // RegoAuthorizer will use a prepared rego query for performing authorize()
 type RegoAuthorizer struct {
 	query rego.PreparedEvalQuery
+
+	authorizeHist *prometheus.HistogramVec
+	prepareHist   prometheus.Histogram
 }
 
 var _ Authorizer = (*RegoAuthorizer)(nil)
@@ -95,7 +111,7 @@ var (
 	query     rego.PreparedEvalQuery
 )
 
-func NewAuthorizer() *RegoAuthorizer {
+func NewAuthorizer(registry prometheus.Registerer) *RegoAuthorizer {
 	queryOnce.Do(func() {
 		var err error
 		query, err = rego.New(
@@ -106,7 +122,51 @@ func NewAuthorizer() *RegoAuthorizer {
 			panic(xerrors.Errorf("compile rego: %w", err))
 		}
 	})
-	return &RegoAuthorizer{query: query}
+
+	// Register metrics to prometheus.
+	// These bucket values are based on the average time it takes to run authz
+	// being around 1ms. Anything under ~2ms is OK and does not need to be
+	// analyzed any further.
+	buckets := []float64{
+		0.0005, // 0.5ms
+		0.001,  // 1ms
+		0.002,  // 2ms
+		0.003,
+		0.005,
+		0.01, // 10ms
+		0.02,
+		0.035, // 35ms
+		0.05,
+		0.075,
+		0.1,  // 100ms
+		0.25, // 250ms
+		0.75, // 750ms
+		1,    // 1s
+	}
+
+	factory := promauto.With(registry)
+	authorizeHistogram := factory.NewHistogramVec(prometheus.HistogramOpts{
+		Namespace: "coderd",
+		Subsystem: "authz",
+		Name:      "authorize_duration_seconds",
+		Help:      "Duration of the 'Authorize' call in seconds. Only counts calls that succeed.",
+		Buckets:   buckets,
+	}, []string{"allowed"})
+
+	prepareHistogram := factory.NewHistogram(prometheus.HistogramOpts{
+		Namespace: "coderd",
+		Subsystem: "authz",
+		Name:      "prepare_authorize_duration_seconds",
+		Help:      "Duration of the 'PrepareAuthorize' call in seconds.",
+		Buckets:   buckets,
+	})
+
+	return &RegoAuthorizer{
+		query: query,
+
+		authorizeHist: authorizeHistogram,
+		prepareHist:   prepareHistogram,
+	}
 }
 
 type authSubject struct {
@@ -120,6 +180,18 @@ type authSubject struct {
 // This is the function intended to be used outside this package.
 // The role is fetched from the builtin map located in memory.
 func (a RegoAuthorizer) ByRoleName(ctx context.Context, subjectID string, roleNames []string, scope Scope, groups []string, action Action, object Object) error {
+	start := time.Now()
+	ctx, span := tracing.StartSpan(ctx,
+		trace.WithTimestamp(start), // Reuse the time.Now for metric and trace
+		rbacTraceAttributes(roleNames, len(groups), scope, action, object.Type,
+			// For authorizing a single object, this data is useful to know how
+			// complex our objects are getting.
+			attribute.Int("object_num_groups", len(object.ACLGroupList)),
+			attribute.Int("object_num_users", len(object.ACLUserList)),
+		),
+	)
+	defer span.End()
+
 	roles, err := RolesByNames(roleNames)
 	if err != nil {
 		return err
@@ -131,19 +203,20 @@ func (a RegoAuthorizer) ByRoleName(ctx context.Context, subjectID string, roleNa
 	}
 
 	err = a.Authorize(ctx, subjectID, roles, scopeRole, groups, action, object)
+	span.AddEvent("authorized", trace.WithAttributes(attribute.Bool("authorized", err == nil)))
+	dur := time.Since(start)
 	if err != nil {
+		a.authorizeHist.WithLabelValues("false").Observe(dur.Seconds())
 		return err
 	}
 
+	a.authorizeHist.WithLabelValues("true").Observe(dur.Seconds())
 	return nil
 }
 
 // Authorize allows passing in custom Roles.
 // This is really helpful for unit testing, as we can create custom roles to exercise edge cases.
 func (a RegoAuthorizer) Authorize(ctx context.Context, subjectID string, roles []Role, scope Role, groups []string, action Action, object Object) error {
-	ctx, span := tracing.StartSpan(ctx)
-	defer span.End()
-
 	input := map[string]interface{}{
 		"subject": authSubject{
 			ID:     subjectID,
@@ -166,22 +239,12 @@ func (a RegoAuthorizer) Authorize(ctx context.Context, subjectID string, roles [
 	return nil
 }
 
-// Prepare will partially execute the rego policy leaving the object fields unknown (except for the type).
-// This will vastly speed up performance if batch authorization on the same type of objects is needed.
-func (RegoAuthorizer) Prepare(ctx context.Context, subjectID string, roles []Role, scope Role, groups []string, action Action, objectType string) (*PartialAuthorizer, error) {
-	ctx, span := tracing.StartSpan(ctx)
-	defer span.End()
-
-	auth, err := newPartialAuthorizer(ctx, subjectID, roles, scope, groups, action, objectType)
-	if err != nil {
-		return nil, xerrors.Errorf("new partial authorizer: %w", err)
-	}
-
-	return auth, nil
-}
-
 func (a RegoAuthorizer) PrepareByRoleName(ctx context.Context, subjectID string, roleNames []string, scope Scope, groups []string, action Action, objectType string) (PreparedAuthorized, error) {
-	ctx, span := tracing.StartSpan(ctx)
+	start := time.Now()
+	ctx, span := tracing.StartSpan(ctx,
+		trace.WithTimestamp(start),
+		rbacTraceAttributes(roleNames, len(groups), scope, action, objectType),
+	)
 	defer span.End()
 
 	roles, err := RolesByNames(roleNames)
@@ -194,5 +257,29 @@ func (a RegoAuthorizer) PrepareByRoleName(ctx context.Context, subjectID string,
 		return nil, err
 	}
 
-	return a.Prepare(ctx, subjectID, roles, scopeRole, groups, action, objectType)
+	prepared, err := a.Prepare(ctx, subjectID, roles, scopeRole, groups, action, objectType)
+	if err != nil {
+		return nil, err
+	}
+
+	// Add attributes of the Prepare results. This will help understand the
+	// complexity of the roles and how it affects the time taken.
+	span.SetAttributes(
+		attribute.Int("num_queries", len(prepared.preparedQueries)),
+		attribute.Bool("always_true", prepared.alwaysTrue),
+	)
+
+	a.prepareHist.Observe(time.Since(start).Seconds())
+	return prepared, nil
+}
+
+// Prepare will partially execute the rego policy leaving the object fields unknown (except for the type).
+// This will vastly speed up performance if batch authorization on the same type of objects is needed.
+func (RegoAuthorizer) Prepare(ctx context.Context, subjectID string, roles []Role, scope Role, groups []string, action Action, objectType string) (*PartialAuthorizer, error) {
+	auth, err := newPartialAuthorizer(ctx, subjectID, roles, scope, groups, action, objectType)
+	if err != nil {
+		return nil, xerrors.Errorf("new partial authorizer: %w", err)
+	}
+
+	return auth, nil
 }
@@ -7,6 +7,7 @@ import (
 	"testing"
 
 	"github.com/google/uuid"
+	"github.com/prometheus/client_golang/prometheus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/xerrors"
@@ -41,7 +42,7 @@ func (w fakeObject) RBACObject() Object {
 
 func TestFilterError(t *testing.T) {
 	t.Parallel()
-	auth := NewAuthorizer()
+	auth := NewAuthorizer(prometheus.NewRegistry())
 
 	_, err := Filter(context.Background(), auth, uuid.NewString(), []string{}, ScopeAll, []string{}, ActionRead, []Object{ResourceUser, ResourceWorkspace})
 	require.ErrorContains(t, err, "object types must be uniform")
@@ -160,7 +161,7 @@ func TestFilter(t *testing.T) {
 
 			ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort)
 			defer cancel()
-			auth := NewAuthorizer()
+			auth := NewAuthorizer(prometheus.NewRegistry())
 
 			scope := ScopeAll
 			if tc.Scope != "" {
@@ -808,7 +809,7 @@ type authTestCase struct {
 
 func testAuthorize(t *testing.T, name string, subject subject, sets ...[]authTestCase) {
 	t.Helper()
-	authorizer := NewAuthorizer()
+	authorizer := NewAuthorizer(prometheus.NewRegistry())
 	for _, cases := range sets {
 		for i, c := range cases {
 			c := c
Original file line number	Diff line number	Diff line change
`@@ -177,12 +177,12 @@ func New(options Options) API {`
`177`	`177`	`if options.FilesRateLimit == 0 {`
`178`	`178`	`options.FilesRateLimit = 12`
`179`	`179`	`}`
`180`		`- if options.Authorizer == nil {`
`181`		`- options.Authorizer = rbac.NewAuthorizer()`
`182`		`- }`
`183`	`180`	`if options.PrometheusRegistry == nil {`
`184`	`181`	`options.PrometheusRegistry = prometheus.NewRegistry()`
`185`	`182`	`}`
	`183`	`+ if options.Authorizer == nil {`
	`184`	`+ options.Authorizer = rbac.NewAuthorizer(options.PrometheusRegistry)`
	`185`	`+ }`
`186`	`186`	`if options.TailnetCoordinator == nil {`
`187`	`187`	`options.TailnetCoordinator = tailnet.NewCoordinator()`
`188`	`188`	`}`
Original file line number	Diff line number	Diff line change
`@@ -565,7 +565,7 @@ func (f *fakePreparedAuthorizer) Authorize(ctx context.Context, object rbac.Obje`
`565`	`565`
`566`	`566`	`// CompileToSQL returns a compiled version of the authorizer that will work for`
`567`	`567`	`// in memory databases. This fake version will not work against a SQL database.`
`568`		`-func (fakePreparedAuthorizer) CompileToSQL(_ regosql.ConvertConfig) (string, error) {`
	`568`	`+func (fakePreparedAuthorizer) CompileToSQL(_ context.Context, _ regosql.ConvertConfig) (string, error) {`
`569`	`569`	`return "", xerrors.New("not implemented")`
`570`	`570`	`}`
`571`	`571`
Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ type templateQuerier interface {`
`33`	`33`	`}`
`34`	`34`
`35`	`35`	`func (q *sqlQuerier) GetAuthorizedTemplates(ctx context.Context, arg GetTemplatesWithFilterParams, prepared rbac.PreparedAuthorized) ([]Template, error) {`
`36`		`- authorizedFilter, err := prepared.CompileToSQL(regosql.ConvertConfig{`
	`36`	`+ authorizedFilter, err := prepared.CompileToSQL(ctx, regosql.ConvertConfig{`
`37`	`37`	`VariableConverter: regosql.TemplateConverter(),`
`38`	`38`	`})`
`39`	`39`	`if err != nil {`
`@@ -183,7 +183,7 @@ type workspaceQuerier interface {`
`183`	`183`	// This code is copied from `GetWorkspaces` and adds the authorized filter WHERE
`184`	`184`	`// clause.`
`185`	`185`	`func (q *sqlQuerier) GetAuthorizedWorkspaces(ctx context.Context, arg GetWorkspacesParams, prepared rbac.PreparedAuthorized) ([]GetWorkspacesRow, error) {`
`186`		`- authorizedFilter, err := prepared.CompileToSQL(rbac.ConfigWithoutACL())`
	`186`	`+ authorizedFilter, err := prepared.CompileToSQL(ctx, rbac.ConfigWithoutACL())`
`187`	`187`	`if err != nil {`
`188`	`188`	`return nil, xerrors.Errorf("compile authorized filter: %w", err)`
`189`	`189`	`}`
`@@ -249,7 +249,7 @@ type userQuerier interface {`
`249`	`249`	`}`
`250`	`250`
`251`	`251`	`func (q *sqlQuerier) GetAuthorizedUserCount(ctx context.Context, arg GetFilteredUserCountParams, prepared rbac.PreparedAuthorized) (int64, error) {`
`252`		`- authorizedFilter, err := prepared.CompileToSQL(rbac.ConfigWithoutACL())`
	`252`	`+ authorizedFilter, err := prepared.CompileToSQL(ctx, rbac.ConfigWithoutACL())`
`253`	`253`	`if err != nil {`
`254`	`254`	`return -1, xerrors.Errorf("compile authorized filter: %w", err)`
`255`	`255`	`}`