-
Notifications
You must be signed in to change notification settings - Fork 583
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: Rbac more coderd endpoints, unit test to confirm (#1437)
* feat: Enforce authorize call on all endpoints - Make 'request()' exported for running custom requests * Rbac users endpoints * 401 -> 403
- Loading branch information
Showing
40 changed files
with
631 additions
and
319 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
package coderd | ||
|
||
import ( | ||
"net/http" | ||
|
||
"golang.org/x/xerrors" | ||
|
||
"cdr.dev/slog" | ||
|
||
"github.com/coder/coder/coderd/httpapi" | ||
"github.com/coder/coder/coderd/httpmw" | ||
"github.com/coder/coder/coderd/rbac" | ||
) | ||
|
||
func (api *api) Authorize(rw http.ResponseWriter, r *http.Request, action rbac.Action, object rbac.Object) bool { | ||
roles := httpmw.UserRoles(r) | ||
err := api.Authorizer.ByRoleName(r.Context(), roles.ID.String(), roles.Roles, action, object) | ||
if err != nil { | ||
httpapi.Write(rw, http.StatusForbidden, httpapi.Response{ | ||
Message: err.Error(), | ||
}) | ||
|
||
// Log the errors for debugging | ||
internalError := new(rbac.UnauthorizedError) | ||
logger := api.Logger | ||
if xerrors.As(err, internalError) { | ||
logger = api.Logger.With(slog.F("internal", internalError.Internal())) | ||
} | ||
// Log information for debugging. This will be very helpful | ||
// in the early days | ||
logger.Warn(r.Context(), "unauthorized", | ||
slog.F("roles", roles.Roles), | ||
slog.F("user_id", roles.ID), | ||
slog.F("username", roles.Username), | ||
slog.F("route", r.URL.Path), | ||
slog.F("action", action), | ||
slog.F("object", object), | ||
) | ||
|
||
return false | ||
} | ||
return true | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.