diff --git a/coderd/rbac/partial.go b/coderd/rbac/partial.go index 637440e121..7fea09d374 100644 --- a/coderd/rbac/partial.go +++ b/coderd/rbac/partial.go @@ -5,6 +5,7 @@ import ( "golang.org/x/xerrors" + "github.com/open-policy-agent/opa/ast" "github.com/open-policy-agent/opa/rego" "github.com/coder/coder/coderd/tracing" @@ -32,6 +33,18 @@ func (pa *PartialAuthorizer) Authorize(ctx context.Context, object Object) error return nil } + // No queries means always false + if len(pa.preparedQueries) == 0 { + return ForbiddenWithInternal(xerrors.Errorf("policy disallows request"), pa.input, nil) + } + + parsed, err := ast.InterfaceToValue(map[string]interface{}{ + "object": object, + }) + if err != nil { + return xerrors.Errorf("parse object: %w", err) + } + // How to interpret the results of the partial queries. // We have a list of queries that are along the lines of: // `input.object.org_owner = ""; "me" = input.object.owner` @@ -45,9 +58,7 @@ func (pa *PartialAuthorizer) Authorize(ctx context.Context, object Object) error EachQueryLoop: for _, q := range pa.preparedQueries { // We need to eval each query with the newly known fields. - results, err := q.Eval(ctx, rego.EvalInput(map[string]interface{}{ - "object": object, - })) + results, err := q.Eval(ctx, rego.EvalParsedInput(parsed)) if err != nil { continue EachQueryLoop }