Skip to content

Commit 6f89f42

Browse files
EmyrkEmyrk
committed
More dbauthz
1 parent 4f71c30 commit 6f89f42

File tree

1 file changed

+48
-105
lines changed

1 file changed

+48
-105
lines changed

coderd/database/dbauthz/dbauthz.go

Lines changed: 48 additions & 105 deletions
Original file line numberDiff line numberDiff line change
@@ -837,22 +837,22 @@ func (q *querier) DeleteOAuth2ProviderAppCodeByID(ctx context.Context, id uuid.U
837837

838838
func (q *querier) DeleteOAuth2ProviderAppCodesByAppAndUserID(ctx context.Context, arg database.DeleteOAuth2ProviderAppCodesByAppAndUserIDParams) error {
839839
if err := q.authorizeContext(ctx, policy.ActionDelete,
840-
rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(arg.UserID.String())); err != nil {
840+
rbac.ResourceOauth2AppCodeToken.WithOwner(arg.UserID.String())); err != nil {
841841
return err
842842
}
843843
return q.db.DeleteOAuth2ProviderAppCodesByAppAndUserID(ctx, arg)
844844
}
845845

846846
func (q *querier) DeleteOAuth2ProviderAppSecretByID(ctx context.Context, id uuid.UUID) error {
847-
if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceOAuth2ProviderAppSecret); err != nil {
847+
if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceOauth2AppSecret); err != nil {
848848
return err
849849
}
850850
return q.db.DeleteOAuth2ProviderAppSecretByID(ctx, id)
851851
}
852852

853853
func (q *querier) DeleteOAuth2ProviderAppTokensByAppAndUserID(ctx context.Context, arg database.DeleteOAuth2ProviderAppTokensByAppAndUserIDParams) error {
854854
if err := q.authorizeContext(ctx, policy.ActionDelete,
855-
rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(arg.UserID.String())); err != nil {
855+
rbac.ResourceOauth2AppCodeToken.WithOwner(arg.UserID.String())); err != nil {
856856
return err
857857
}
858858
return q.db.DeleteOAuth2ProviderAppTokensByAppAndUserID(ctx, arg)
@@ -1241,7 +1241,7 @@ func (q *querier) GetNotificationBanners(ctx context.Context) (string, error) {
12411241
}
12421242

12431243
func (q *querier) GetOAuth2ProviderAppByID(ctx context.Context, id uuid.UUID) (database.OAuth2ProviderApp, error) {
1244-
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOAuth2ProviderApp); err != nil {
1244+
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOauth2App); err != nil {
12451245
return database.OAuth2ProviderApp{}, err
12461246
}
12471247
return q.db.GetOAuth2ProviderAppByID(ctx, id)
@@ -1256,7 +1256,7 @@ func (q *querier) GetOAuth2ProviderAppCodeByPrefix(ctx context.Context, secretPr
12561256
}
12571257

12581258
func (q *querier) GetOAuth2ProviderAppSecretByID(ctx context.Context, id uuid.UUID) (database.OAuth2ProviderAppSecret, error) {
1259-
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOAuth2ProviderAppSecret); err != nil {
1259+
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOauth2AppSecret); err != nil {
12601260
return database.OAuth2ProviderAppSecret{}, err
12611261
}
12621262
return q.db.GetOAuth2ProviderAppSecretByID(ctx, id)
@@ -1267,7 +1267,7 @@ func (q *querier) GetOAuth2ProviderAppSecretByPrefix(ctx context.Context, secret
12671267
}
12681268

12691269
func (q *querier) GetOAuth2ProviderAppSecretsByAppID(ctx context.Context, appID uuid.UUID) ([]database.OAuth2ProviderAppSecret, error) {
1270-
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOAuth2ProviderAppSecret); err != nil {
1270+
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOauth2AppSecret); err != nil {
12711271
return []database.OAuth2ProviderAppSecret{}, err
12721272
}
12731273
return q.db.GetOAuth2ProviderAppSecretsByAppID(ctx, appID)
@@ -1283,14 +1283,14 @@ func (q *querier) GetOAuth2ProviderAppTokenByPrefix(ctx context.Context, hashPre
12831283
if err != nil {
12841284
return database.OAuth2ProviderAppToken{}, err
12851285
}
1286-
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(key.UserID.String())); err != nil {
1286+
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOauth2AppCodeToken.WithOwner(key.UserID.String())); err != nil {
12871287
return database.OAuth2ProviderAppToken{}, err
12881288
}
12891289
return token, nil
12901290
}
12911291

12921292
func (q *querier) GetOAuth2ProviderApps(ctx context.Context) ([]database.OAuth2ProviderApp, error) {
1293-
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOAuth2ProviderApp); err != nil {
1293+
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceOauth2App); err != nil {
12941294
return []database.OAuth2ProviderApp{}, err
12951295
}
12961296
return q.db.GetOAuth2ProviderApps(ctx)
@@ -1299,7 +1299,7 @@ func (q *querier) GetOAuth2ProviderApps(ctx context.Context) ([]database.OAuth2P
12991299
func (q *querier) GetOAuth2ProviderAppsByUserID(ctx context.Context, userID uuid.UUID) ([]database.GetOAuth2ProviderAppsByUserIDRow, error) {
13001300
// This authz check is to make sure the caller can read all their own tokens.
13011301
if err := q.authorizeContext(ctx, policy.ActionRead,
1302-
rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(userID.String())); err != nil {
1302+
rbac.ResourceOauth2AppCodeToken.WithOwner(userID.String())); err != nil {
13031303
return []database.GetOAuth2ProviderAppsByUserIDRow{}, err
13041304
}
13051305
return q.db.GetOAuth2ProviderAppsByUserID(ctx, userID)
@@ -1510,31 +1510,15 @@ func (q *querier) GetTailnetTunnelPeerIDs(ctx context.Context, srcID uuid.UUID)
15101510
}
15111511

15121512
func (q *querier) GetTemplateAppInsights(ctx context.Context, arg database.GetTemplateAppInsightsParams) ([]database.GetTemplateAppInsightsRow, error) {
1513-
// Used by TemplateAppInsights endpoint
1514-
// For auditors, check read template_insights, and fall back to update template.
1515-
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceTemplateInsights); err != nil {
1516-
for _, templateID := range arg.TemplateIDs {
1517-
template, err := q.db.GetTemplateByID(ctx, templateID)
1518-
if err != nil {
1519-
return nil, err
1520-
}
1521-
1522-
if err := q.authorizeContext(ctx, policy.ActionUpdate, template); err != nil {
1523-
return nil, err
1524-
}
1525-
}
1526-
if len(arg.TemplateIDs) == 0 {
1527-
if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceTemplate.All()); err != nil {
1528-
return nil, err
1529-
}
1530-
}
1513+
if err := q.authorizeTemplateInsights(ctx, arg.TemplateIDs); err != nil {
1514+
return nil, err
15311515
}
15321516
return q.db.GetTemplateAppInsights(ctx, arg)
15331517
}
15341518

15351519
func (q *querier) GetTemplateAppInsightsByTemplate(ctx context.Context, arg database.GetTemplateAppInsightsByTemplateParams) ([]database.GetTemplateAppInsightsByTemplateRow, error) {
15361520
// Only used by prometheus metrics, so we don't strictly need to check update template perms.
1537-
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceTemplateInsights); err != nil {
1521+
if err := q.authorizeContext(ctx, policy.ActionViewInsights, rbac.ResourceTemplate); err != nil {
15381522
return nil, err
15391523
}
15401524
return q.db.GetTemplateAppInsightsByTemplate(ctx, arg)
@@ -1564,102 +1548,61 @@ func (q *querier) GetTemplateDAUs(ctx context.Context, arg database.GetTemplateD
15641548
return q.db.GetTemplateDAUs(ctx, arg)
15651549
}
15661550

1567-
func (q *querier) GetTemplateInsights(ctx context.Context, arg database.GetTemplateInsightsParams) (database.GetTemplateInsightsRow, error) {
1568-
// Used by TemplateInsights endpoint
1569-
// For auditors, check read template_insights, and fall back to update template.
1570-
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceTemplateInsights); err != nil {
1571-
for _, templateID := range arg.TemplateIDs {
1551+
func (q *querier) authorizeTemplateInsights(ctx context.Context, templateIDs []uuid.UUID) error {
1552+
// Abort early if can read all template insights, aka admins.
1553+
// TODO: If we know the org, that would allow org admins to abort early too.
1554+
if err := q.authorizeContext(ctx, policy.ActionViewInsights, rbac.ResourceTemplate); err != nil {
1555+
for _, templateID := range templateIDs {
15721556
template, err := q.db.GetTemplateByID(ctx, templateID)
15731557
if err != nil {
1574-
return database.GetTemplateInsightsRow{}, err
1558+
return err
15751559
}
15761560

1577-
if err := q.authorizeContext(ctx, policy.ActionUpdate, template); err != nil {
1578-
return database.GetTemplateInsightsRow{}, err
1561+
if err := q.authorizeContext(ctx, policy.ActionViewInsights, template); err != nil {
1562+
return err
15791563
}
15801564
}
1581-
if len(arg.TemplateIDs) == 0 {
1582-
if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceTemplate.All()); err != nil {
1583-
return database.GetTemplateInsightsRow{}, err
1565+
if len(templateIDs) == 0 {
1566+
if err := q.authorizeContext(ctx, policy.ActionViewInsights, rbac.ResourceTemplate.All()); err != nil {
1567+
return err
15841568
}
15851569
}
15861570
}
1571+
return nil
1572+
}
1573+
1574+
func (q *querier) GetTemplateInsights(ctx context.Context, arg database.GetTemplateInsightsParams) (database.GetTemplateInsightsRow, error) {
1575+
if err := q.authorizeTemplateInsights(ctx, arg.TemplateIDs); err != nil {
1576+
return database.GetTemplateInsightsRow{}, err
1577+
}
15871578
return q.db.GetTemplateInsights(ctx, arg)
15881579
}
15891580

15901581
func (q *querier) GetTemplateInsightsByInterval(ctx context.Context, arg database.GetTemplateInsightsByIntervalParams) ([]database.GetTemplateInsightsByIntervalRow, error) {
1591-
// Used by TemplateInsights endpoint
1592-
// For auditors, check read template_insights, and fall back to update template.
1593-
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceTemplateInsights); err != nil {
1594-
for _, templateID := range arg.TemplateIDs {
1595-
template, err := q.db.GetTemplateByID(ctx, templateID)
1596-
if err != nil {
1597-
return nil, err
1598-
}
1599-
1600-
if err := q.authorizeContext(ctx, policy.ActionUpdate, template); err != nil {
1601-
return nil, err
1602-
}
1603-
}
1604-
if len(arg.TemplateIDs) == 0 {
1605-
if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceTemplate.All()); err != nil {
1606-
return nil, err
1607-
}
1608-
}
1582+
if err := q.authorizeTemplateInsights(ctx, arg.TemplateIDs); err != nil {
1583+
return nil, err
16091584
}
16101585
return q.db.GetTemplateInsightsByInterval(ctx, arg)
16111586
}
16121587

16131588
func (q *querier) GetTemplateInsightsByTemplate(ctx context.Context, arg database.GetTemplateInsightsByTemplateParams) ([]database.GetTemplateInsightsByTemplateRow, error) {
16141589
// Only used by prometheus metrics collector. No need to check update template perms.
1615-
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceTemplateInsights); err != nil {
1590+
if err := q.authorizeContext(ctx, policy.ActionViewInsights, rbac.ResourceTemplate); err != nil {
16161591
return nil, err
16171592
}
16181593
return q.db.GetTemplateInsightsByTemplate(ctx, arg)
16191594
}
16201595

16211596
func (q *querier) GetTemplateParameterInsights(ctx context.Context, arg database.GetTemplateParameterInsightsParams) ([]database.GetTemplateParameterInsightsRow, error) {
1622-
// Used by both insights endpoint and prometheus collector.
1623-
// For auditors, check read template_insights, and fall back to update template.
1624-
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceTemplateInsights); err != nil {
1625-
for _, templateID := range arg.TemplateIDs {
1626-
template, err := q.db.GetTemplateByID(ctx, templateID)
1627-
if err != nil {
1628-
return nil, err
1629-
}
1630-
1631-
if err := q.authorizeContext(ctx, policy.ActionUpdate, template); err != nil {
1632-
return nil, err
1633-
}
1634-
}
1635-
if len(arg.TemplateIDs) == 0 {
1636-
if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceTemplate.All()); err != nil {
1637-
return nil, err
1638-
}
1639-
}
1597+
if err := q.authorizeTemplateInsights(ctx, arg.TemplateIDs); err != nil {
1598+
return nil, err
16401599
}
16411600
return q.db.GetTemplateParameterInsights(ctx, arg)
16421601
}
16431602

16441603
func (q *querier) GetTemplateUsageStats(ctx context.Context, arg database.GetTemplateUsageStatsParams) ([]database.TemplateUsageStat, error) {
1645-
// Used by dbrollup tests, use same safe-guard as other insights endpoints.
1646-
// For auditors, check read template_insights, and fall back to update template.
1647-
if err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceTemplateInsights); err != nil {
1648-
for _, templateID := range arg.TemplateIDs {
1649-
template, err := q.db.GetTemplateByID(ctx, templateID)
1650-
if err != nil {
1651-
return nil, err
1652-
}
1653-
1654-
if err := q.authorizeContext(ctx, policy.ActionUpdate, template); err != nil {
1655-
return nil, err
1656-
}
1657-
}
1658-
if len(arg.TemplateIDs) == 0 {
1659-
if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceTemplate.All()); err != nil {
1660-
return nil, err
1661-
}
1662-
}
1604+
if err := q.authorizeTemplateInsights(ctx, arg.TemplateIDs); err != nil {
1605+
return nil, err
16631606
}
16641607
return q.db.GetTemplateUsageStats(ctx, arg)
16651608
}
@@ -2291,7 +2234,7 @@ func (q *querier) GetWorkspacesEligibleForTransition(ctx context.Context, now ti
22912234

22922235
func (q *querier) InsertAPIKey(ctx context.Context, arg database.InsertAPIKeyParams) (database.APIKey, error) {
22932236
return insert(q.log, q.auth,
2294-
rbac.ResourceAPIKey.WithOwner(arg.UserID.String()),
2237+
rbac.ResourceApiKey.WithOwner(arg.UserID.String()),
22952238
q.db.InsertAPIKey)(ctx, arg)
22962239
}
22972240

@@ -2363,22 +2306,22 @@ func (q *querier) InsertMissingGroups(ctx context.Context, arg database.InsertMi
23632306
}
23642307

23652308
func (q *querier) InsertOAuth2ProviderApp(ctx context.Context, arg database.InsertOAuth2ProviderAppParams) (database.OAuth2ProviderApp, error) {
2366-
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceOAuth2ProviderApp); err != nil {
2309+
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceOauth2App); err != nil {
23672310
return database.OAuth2ProviderApp{}, err
23682311
}
23692312
return q.db.InsertOAuth2ProviderApp(ctx, arg)
23702313
}
23712314

23722315
func (q *querier) InsertOAuth2ProviderAppCode(ctx context.Context, arg database.InsertOAuth2ProviderAppCodeParams) (database.OAuth2ProviderAppCode, error) {
23732316
if err := q.authorizeContext(ctx, policy.ActionCreate,
2374-
rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(arg.UserID.String())); err != nil {
2317+
rbac.ResourceOauth2AppCodeToken.WithOwner(arg.UserID.String())); err != nil {
23752318
return database.OAuth2ProviderAppCode{}, err
23762319
}
23772320
return q.db.InsertOAuth2ProviderAppCode(ctx, arg)
23782321
}
23792322

23802323
func (q *querier) InsertOAuth2ProviderAppSecret(ctx context.Context, arg database.InsertOAuth2ProviderAppSecretParams) (database.OAuth2ProviderAppSecret, error) {
2381-
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceOAuth2ProviderAppSecret); err != nil {
2324+
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceOauth2AppSecret); err != nil {
23822325
return database.OAuth2ProviderAppSecret{}, err
23832326
}
23842327
return q.db.InsertOAuth2ProviderAppSecret(ctx, arg)
@@ -2389,7 +2332,7 @@ func (q *querier) InsertOAuth2ProviderAppToken(ctx context.Context, arg database
23892332
if err != nil {
23902333
return database.OAuth2ProviderAppToken{}, err
23912334
}
2392-
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceOAuth2ProviderAppCodeToken.WithOwner(key.UserID.String())); err != nil {
2335+
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceOauth2AppCodeToken.WithOwner(key.UserID.String())); err != nil {
23932336
return database.OAuth2ProviderAppToken{}, err
23942337
}
23952338
return q.db.InsertOAuth2ProviderAppToken(ctx, arg)
@@ -2779,14 +2722,14 @@ func (q *querier) UpdateMemberRoles(ctx context.Context, arg database.UpdateMemb
27792722
}
27802723

27812724
func (q *querier) UpdateOAuth2ProviderAppByID(ctx context.Context, arg database.UpdateOAuth2ProviderAppByIDParams) (database.OAuth2ProviderApp, error) {
2782-
if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceOAuth2ProviderApp); err != nil {
2725+
if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceOauth2App); err != nil {
27832726
return database.OAuth2ProviderApp{}, err
27842727
}
27852728
return q.db.UpdateOAuth2ProviderAppByID(ctx, arg)
27862729
}
27872730

27882731
func (q *querier) UpdateOAuth2ProviderAppSecretByID(ctx context.Context, arg database.UpdateOAuth2ProviderAppSecretByIDParams) (database.OAuth2ProviderAppSecret, error) {
2789-
if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceOAuth2ProviderAppSecret); err != nil {
2732+
if err := q.authorizeContext(ctx, policy.ActionUpdate, rbac.ResourceOauth2AppSecret); err != nil {
27902733
return database.OAuth2ProviderAppSecret{}, err
27912734
}
27922735
return q.db.UpdateOAuth2ProviderAppSecretByID(ctx, arg)
@@ -3324,7 +3267,7 @@ func (q *querier) UpsertAppSecurityKey(ctx context.Context, data string) error {
33243267
}
33253268

33263269
func (q *querier) UpsertApplicationName(ctx context.Context, value string) error {
3327-
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceDeploymentValues); err != nil {
3270+
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceDeploymentConfig); err != nil {
33283271
return err
33293272
}
33303273
return q.db.UpsertApplicationName(ctx, value)
@@ -3338,7 +3281,7 @@ func (q *querier) UpsertDefaultProxy(ctx context.Context, arg database.UpsertDef
33383281
}
33393282

33403283
func (q *querier) UpsertHealthSettings(ctx context.Context, value string) error {
3341-
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceDeploymentValues); err != nil {
3284+
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceDeploymentConfig); err != nil {
33423285
return err
33433286
}
33443287
return q.db.UpsertHealthSettings(ctx, value)
@@ -3373,14 +3316,14 @@ func (q *querier) UpsertLastUpdateCheck(ctx context.Context, value string) error
33733316
}
33743317

33753318
func (q *querier) UpsertLogoURL(ctx context.Context, value string) error {
3376-
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceDeploymentValues); err != nil {
3319+
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceDeploymentConfig); err != nil {
33773320
return err
33783321
}
33793322
return q.db.UpsertLogoURL(ctx, value)
33803323
}
33813324

33823325
func (q *querier) UpsertNotificationBanners(ctx context.Context, value string) error {
3383-
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceDeploymentValues); err != nil {
3326+
if err := q.authorizeContext(ctx, policy.ActionCreate, rbac.ResourceDeploymentConfig); err != nil {
33843327
return err
33853328
}
33863329
return q.db.UpsertNotificationBanners(ctx, value)

0 commit comments

Comments
 (0)
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy