Thanks to visit codestin.com
Credit goes to github.com

Skip to content

chore: reorder prebuilt workspace authorization logic #18506

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Jun 24, 2025
Merged

chore: reorder prebuilt workspace authorization logic #18506

merged 6 commits into from
Jun 24, 2025

Conversation

ssncferreira
Copy link
Contributor

Description

Follow-up from PR #18333
Related with: #18333 (comment)

This changes the authorization logic to first try the normal workspace authorization check, and only if the resource is a prebuilt workspace, fall back to the prebuilt workspace authorization check. Since prebuilt workspaces are a subset of workspaces, the normal workspace check is more likely to succeed. This is a small optimization to reduce unnecessary prebuilt authorization calls.

@ssncferreira ssncferreira force-pushed the ssncferreira/chore-prebuilt-authz-order branch from 0e5bcd0 to a4b2e8d Compare June 23, 2025 16:25
@ssncferreira ssncferreira marked this pull request as ready for review June 23, 2025 16:27
@ssncferreira ssncferreira requested review from Emyrk and johnstcn June 23, 2025 16:27
johnstcn
johnstcn reviewed Jun 23, 2025
View reviewed changes
@johnstcn johnstcn self-requested a review June 23, 2025 17:27
Emyrk
Emyrk reviewed Jun 23, 2025
View reviewed changes
coderd/database/dbauthz/dbauthz.go Outdated
if prebuiltErr = q.authorizeContext(ctx, action, workspace.AsPrebuild()); prebuiltErr == nil {
return nil
}
return xerrors.Errorf("authorize context as prebuild: %w", errors.Join(workspaceErr, prebuiltErr))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see what you are doing, but idk how much more value it is to show both errors.

Maybe just show the prebuildErr, since that is a subset. Your call in the end. xerrors.As and xerrors.Is does handle joined errors. It takes the first one it looks like.

Copy link
Contributor Author

@ssncferreira ssncferreira Jun 24, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point 🤔 I wanted to keep the workspaceErr to make it explicit that both the workspace and prebuilt authorization paths failed. I think this could be useful for debugging and for quickly identifying that the error comes from this special-case handling.
Instead of using errors.Join, maybe I could make it more readable by updating the message to something like:

return xerrors.Errorf("authorize context failed for workspace (%v) and prebuilt (%w)", workspaceErr, prebuiltErr)

Wdyt? Addressed in 1f0e33a

Copy link
Member

@Emyrk Emyrk Jun 24, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That works. In production, the %v just translates to rbac: forbidden

errUnauthorized = "rbac: forbidden"

coder/coderd/rbac/error.go

Lines 78 to 83 in f3f0183

func (e UnauthorizedError) Error() string {
if flag.Lookup("test.v") != nil {
return e.longError()
}
return errUnauthorized
}

So the message is like:

authorize context failed for workspace (rbac: forbidden) and prebuilt (rbac: forbidden)

(assuming no error chains, which is probably there)
That all looks good to me imo 👍

@ssncferreira ssncferreira requested a review from Emyrk June 24, 2025 12:57
@ssncferreira ssncferreira merged commit f44969b into main Jun 24, 2025
34 checks passed
@ssncferreira ssncferreira deleted the ssncferreira/chore-prebuilt-authz-order branch June 24, 2025 15:33
@github-actions github-actions bot locked and limited conversation to collaborators Jun 24, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@johnstcn johnstcn johnstcn approved these changes

@Emyrk Emyrk Emyrk approved these changes

Assignees

@ssncferreira ssncferreira

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ssncferreira @johnstcn @Emyrk