

feat: Dbauthz is now default, remove out of experimental #6650


Merged
merged 32 commits into from
Mar 21, 2023
ac597a5
feat: dbauthz always on, out of experimental
Emyrk Mar 16, 2023
7118bf0
Add ability to do rbac checks in unit tests
Emyrk Mar 17, 2023
c555c57
Remove AuthorizeAllEndpoints
Emyrk Mar 17, 2023
c6210c4
Remove some duplicate rbac checks
Emyrk Mar 17, 2023
d48a5c3
Remove rest of duplicate rbac checks
Emyrk Mar 17, 2023
7672f6e
Adding unit tests for rbac checks
Emyrk Mar 17, 2023
263801b
Add method to unit test rbac
Emyrk Mar 17, 2023
893198a
Add comment
Emyrk Mar 17, 2023
6b2c3f9
Add comments
Emyrk Mar 17, 2023
84ba18d
Add comment
Emyrk Mar 17, 2023
38bec6d
Merge remote-tracking branch 'origin/main' into stevenmasley/dbauthz_on
Emyrk Mar 17, 2023
a5ff7fc
Make gen
Emyrk Mar 17, 2023
bb788a4
Make golden files
Emyrk Mar 17, 2023
c0f6ff0
linting
Emyrk Mar 20, 2023
386a967
Merge remote-tracking branch 'origin/main' into stevenmasley/dbauthz_on
Emyrk Mar 20, 2023
f7842ee
linting
Emyrk Mar 20, 2023
b6130e3
linting
Emyrk Mar 20, 2023
8b744ac
Merge lost a config section
Emyrk Mar 20, 2023
55f01c5
Linting
Emyrk Mar 20, 2023
4965c10
Make gen
Emyrk Mar 20, 2023
d038934
Make gen
Emyrk Mar 20, 2023
55b1308
remove experiment enum
Emyrk Mar 20, 2023
f7923df
Make gen
Emyrk Mar 20, 2023
549a34d
Linting
Emyrk Mar 20, 2023
2ae9eac
Correct unit test
Emyrk Mar 20, 2023
faf0714
Merge remote-tracking branch 'origin/main' into stevenmasley/dbauthz_on
Emyrk Mar 20, 2023
899cc69
Override a copy of the error
Emyrk Mar 20, 2023
4fcc69e
have nicer status codes
Emyrk Mar 20, 2023
4ab765f
Test be parallel
Emyrk Mar 20, 2023
9b69f39
This test takes way too long
Emyrk Mar 20, 2023
974d915
Paginated users was taking too long
Emyrk Mar 20, 2023
0934326
Subtest context is shared :(
Emyrk Mar 20, 2023
Add comments
Emyrk committed Mar 17, 2023
commit 6b2c3f9eac6d220a4e30ac86ae653716a55d22b8
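--- a/coderd/coderdtest/authorize.go
+++ b/coderd/coderdtest/authorize.go
@@ -32,6 +32,44 @@ type RBACAsserter struct {
 Recorder *RecordingAuthorizer
 }
 
+// AssertRBAC returns an RBACAsserter for the given user. This asserter will
+// allow asserting that the correct RBAC checks are performed for the given user.
+// All checks that are not run against this user will be ignored.
+func AssertRBAC(t *testing.T, api *coderd.API, client *codersdk.Client) RBACAsserter {
+if client.SessionToken() == "" {
+t.Fatal("client must be logged in")
+}
+recorder, ok := api.Authorizer.(*RecordingAuthorizer)
+if !ok {
+t.Fatal("expected RecordingAuthorizer")
+}
+
+// We use the database directly to not cause additional auth checks on behalf
+// of the user. This does add authz checks on behalf of the system user, but
+// it is hard to avoid that.
+ctx := dbauthz.AsSystemRestricted(context.Background())
+token := client.SessionToken()
+parts := strings.Split(token, "-")
+key, err := api.Database.GetAPIKeyByID(ctx, parts[0])
+require.NoError(t, err, "fetch client api key")
+
+roles, err := api.Database.GetAuthorizationUserRoles(ctx, key.UserID)
+require.NoError(t, err, "fetch user roles")
+
+return RBACAsserter{
+Subject: rbac.Subject{
+ID: key.UserID.String(),
+Roles: rbac.RoleNames(roles.Roles),
+Groups: roles.Groups,
+Scope: rbac.ScopeName(key.Scope),
+},
+Recorder: recorder,
+}
+}
+
+// AllCalls is for debugging. If you are not sure where calls are coming from,
+// call this and use a debugger or print them. They have small callstacks
+// on them to help locate the 'Authorize' call.
 func (a RBACAsserter) AllCalls() []AuthCall {
 return a.Recorder.AllCalls(&a.Subject)
 }
@@ -85,48 +123,18 @@ func (a RBACAsserter) convertObjects(t *testing.T, objs ...interface{}) []rbac.O
 }
 
 // Reset will clear all previously recorded authz calls.
+// This is helpful when wanting to ignore checks run in test setup.
 func (a RBACAsserter) Reset() RBACAsserter {
 a.Recorder.Reset()
 return a
 }
 
-func AssertRBAC(t *testing.T, api *coderd.API, client *codersdk.Client) RBACAsserter {
-if client.SessionToken() == "" {
-t.Fatal("client must be logged in")
-}
-recorder, ok := api.Authorizer.(*RecordingAuthorizer)
-if !ok {
-t.Fatal("expected RecordingAuthorizer")
-}
-
-// We use the database directly to not cause additional auth checks on behalf
-// of the user. This does add authz checks on behalf of the system user, but
-// it is hard to avoid that.
-ctx := dbauthz.AsSystemRestricted(context.Background())
-token := client.SessionToken()
-parts := strings.Split(token, "-")
-key, err := api.Database.GetAPIKeyByID(ctx, parts[0])
-require.NoError(t, err, "fetch client api key")
-
-roles, err := api.Database.GetAuthorizationUserRoles(ctx, key.UserID)
-require.NoError(t, err, "fetch user roles")
-
-return RBACAsserter{
-Subject: rbac.Subject{
-ID: key.UserID.String(),
-Roles: rbac.RoleNames(roles.Roles),
-Groups: roles.Groups,
-Scope: rbac.ScopeName(key.Scope),
-},
-Recorder: recorder,
-}
-}
-
 type AuthCall struct {
 rbac.AuthCall
 
 asserted bool
-callers []string
+// callers is a small stack trace for debugging.
+callers []string
 }
 
 var _ rbac.Authorizer = (*RecordingAuthorizer)(nil)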
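Review bot: AssertRBAC (new side of the first hunk) assumes the session token has the shape `<key-id>-<secret>` but only ever reads `parts[0]` of `strings.Split(token, "-")`, so a token with no dash is passed whole to GetAPIKeyByID and fails with the opaque "fetch client api key" message rather than pointing at the malformed token. Making the contract explicit costs two lines: `parts := strings.SplitN(token, "-", 2)` followed by `require.Len(t, parts, 2, "session token must be <id>-<secret>")`. The lookup is also by key ID alone — the secret half is never verified — which is fine for a coderdtest helper but deserves a comment such as `// Lookup by key ID only; the secret is deliberately not checked here, so this must stay test-only.` so it is not copied into non-test code. Since the helper itself records system-restricted authz calls (as its own comment notes), the doc comment could additionally tell callers to invoke `Reset()` after setup before asserting; the surrounding `RBACAsserter` type and `convertObjects` start outside these hunks.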