chore: avoid depending on rbac in slim builds (#17959)

I noticed the `coder-vpn.dylib` (of course alongside the Agent/CLI binaries) had grown substantially (from 29MB to 37MB for the dylib), and discovered that importing RBAC in slim builds was the issue This PR removes the dependency on RBAC in slim builds, and adds a compile-time check to ensure it can't be imported in the future: ``` $ make build # github.com/coder/coder/v2/coderd/rbac coderd/rbac/no_slim.go:8:2: initialization cycle: _DO_NOT_IMPORT_THIS_PACKAGE_IN_SLIM_BUILDS refers to itself make: *** [Makefile:224: build/coder-slim_2.22.1-devel+7e46d24b4_linux_amd64] Error 1 ``` Before and after for `coder-slim_darwin_arm64`: ``` $ gsa before after ┌───────────────────────────────────────────────────────────────────────────────────┐ │ Diff between before and after │ ├─────────┬─────────────────────────────────────────┬──────────┬──────────┬─────────┤ │ PERCENT │ NAME │ OLD SIZE │ NEW SIZE │ DIFF │ ├─────────┼─────────────────────────────────────────┼──────────┼──────────┼─────────┤ │ -100% │ github.com/gorilla/mux │ │ │ +0 B │ │ -100% │ github.com/ammario/tlru │ │ │ +0 B │ │ -100% │ github.com/armon/go-radix │ │ │ +0 B │ │ -0.00% │ gvisor.dev/gvisor │ 2.4 MB │ 2.4 MB │ -4 B │ │ -0.21% │ os │ 155 kB │ 155 kB │ -328 B │ │ -0.23% │ regexp │ 152 kB │ 152 kB │ -346 B │ │ -0.04% │ runtime │ 876 kB │ 876 kB │ -372 B │ │ -100% │ github.com/rcrowley/go-metrics │ 675 B │ │ -675 B │ │ -23.79% │ github.com/cespare/xxhash/v2 │ 3.0 kB │ 2.3 kB │ -715 B │ │ -100% │ github.com/agnivade/levenshtein │ 1.4 kB │ │ -1.4 kB │ │ -100% │ github.com/go-ini/ini │ 1.5 kB │ │ -1.5 kB │ │ -100% │ github.com/xeipuuv/gojsonreference │ 2.4 kB │ │ -2.4 kB │ │ -100% │ github.com/xeipuuv/gojsonpointer │ 5.2 kB │ │ -5.2 kB │ │ -2.43% │ go.opentelemetry.io/otel │ 316 kB │ 309 kB │ -7.7 kB │ │ -2.40% │ slices │ 381 kB │ 372 kB │ -9.2 kB │ │ -0.68% │ crypto │ 1.4 MB │ 1.4 MB │ -9.5 kB │ │ -100% │ github.com/tchap/go-patricia/v2 │ 23 kB │ │ -23 kB │ │ -100% │ github.com/yashtewari/glob-intersection │ 28 kB │ │ -28 kB │ │ -4.35% │ <autogenerated> │ 754 kB │ 721 kB │ -33 kB │ │ -100% │ github.com/sirupsen/logrus │ 72 kB │ │ -72 kB │ │ -2.56% │ github.com/coder/coder/v2 │ 3.3 MB │ 3.2 MB │ -84 kB │ │ -100% │ github.com/gobwas/glob │ 107 kB │ │ -107 kB │ │ -100% │ sigs.k8s.io/yaml │ 244 kB │ │ -244 kB │ │ -100% │ github.com/open-policy-agent/opa │ 2.2 MB │ │ -2.2 MB │ ├─────────┼─────────────────────────────────────────┼──────────┼──────────┼─────────┤ │ -7.79% │ __go_buildinfo __DATA │ 18 kB │ 17 kB │ -1.4 kB │ │ -6.81% │ __itablink __DATA_CONST │ 23 kB │ 22 kB │ -1.6 kB │ │ -6.61% │ __typelink __DATA_CONST │ 71 kB │ 66 kB │ -4.7 kB │ │ -2.86% │ __noptrdata __DATA │ 1.0 MB │ 993 kB │ -29 kB │ │ -21.49% │ __data __DATA │ 320 kB │ 251 kB │ -69 kB │ │ -6.19% │ __rodata __DATA_CONST │ 6.0 MB │ 5.6 MB │ -372 kB │ │ -47.19% │ __rodata __TEXT │ 7.6 MB │ 4.0 MB │ -3.6 MB │ ├─────────┼─────────────────────────────────────────┼──────────┼──────────┼─────────┤ │ -14.02% │ before │ 50 MB │ 43 MB │ -7.0 MB │ │ │ after │ │ │ │ └─────────┴─────────────────────────────────────────┴──────────┴──────────┴─────────┘ ```
2025-07-09 11:45:56 +00:00 · 2025-05-22 19:48:23 +10:00
parent 1e1e6f3bd1
commit 34494fb330
13 changed files with 78 additions and 60 deletions
--- a/coderd/database/no_slim.go
+++ b/coderd/database/no_slim.go
@ -1,8 +1,9 @@
+//go:build slim
+
 package database

 const (
-	// This declaration protects against imports in slim builds, see
-	// no_slim_slim.go.
-	//nolint:revive,unused
-	_DO_NOT_IMPORT_THIS_PACKAGE_IN_SLIM_BUILDS = "DO_NOT_IMPORT_THIS_PACKAGE_IN_SLIM_BUILDS"
+	// This line fails to compile, preventing this package from being imported
+	// in slim builds.
+	_DO_NOT_IMPORT_THIS_PACKAGE_IN_SLIM_BUILDS = _DO_NOT_IMPORT_THIS_PACKAGE_IN_SLIM_BUILDS
 )
--- a/coderd/database/no_slim_slim.go
+++ b/coderd/database/no_slim_slim.go
@ -1,14 +0,0 @@
-//go:build slim
-
-package database
-
-const (
-	// This re-declaration will result in a compilation error and is present to
-	// prevent increasing the slim binary size by importing this package,
-	// directly or indirectly.
-	//
-	// no_slim_slim.go:7:2: _DO_NOT_IMPORT_THIS_PACKAGE_IN_SLIM_BUILDS redeclared in this block
-	// 	no_slim.go:4:2: other declaration of _DO_NOT_IMPORT_THIS_PACKAGE_IN_SLIM_BUILDS
-	//nolint:revive,unused
-	_DO_NOT_IMPORT_THIS_PACKAGE_IN_SLIM_BUILDS = "DO_NOT_IMPORT_THIS_PACKAGE_IN_SLIM_BUILDS"
-)
--- a/coderd/httpapi/authz.go
+++ b/coderd/httpapi/authz.go
@ -0,0 +1,28 @@
+//go:build !slim
+
+package httpapi
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/coder/coder/v2/coderd/rbac"
+)
+
+// This is defined separately in slim builds to avoid importing the rbac
+// package, which is a large dependency.
+func SetAuthzCheckRecorderHeader(ctx context.Context, rw http.ResponseWriter) {
+	if rec, ok := rbac.GetAuthzCheckRecorder(ctx); ok {
+		// If you're here because you saw this header in a response, and you're
+		// trying to investigate the code, here are a couple of notable things
+		// for you to know:
+		// - If any of the checks are `false`, they might not represent the whole
+		//   picture. There could be additional checks that weren't performed,
+		//   because processing stopped after the failure.
+		// - The checks are recorded by the `authzRecorder` type, which is
+		//   configured on server startup for development and testing builds.
+		// - If this header is missing from a response, make sure the response is
+		//   being written by calling `httpapi.Write`!
+		rw.Header().Set("x-authz-checks", rec.String())
+	}
+}
--- a/coderd/httpapi/authz_slim.go
+++ b/coderd/httpapi/authz_slim.go
@ -0,0 +1,13 @@
+//go:build slim
+
+package httpapi
+
+import (
+	"context"
+	"net/http"
+)
+
+func SetAuthzCheckRecorderHeader(ctx context.Context, rw http.ResponseWriter) {
+	// There's no RBAC on the agent API, so this is separately defined to
+	// avoid importing the RBAC package, which is a large dependency.
+}
--- a/coderd/httpapi/httpapi.go
+++ b/coderd/httpapi/httpapi.go
@ -20,7 +20,6 @@ import (
 	"github.com/coder/websocket/wsjson"

 	"github.com/coder/coder/v2/coderd/httpapi/httpapiconstraints"
-	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/coder/v2/coderd/tracing"
 	"github.com/coder/coder/v2/codersdk"
 )
@ -199,19 +198,7 @@ func Write(ctx context.Context, rw http.ResponseWriter, status int, response int
 	_, span := tracing.StartSpan(ctx)
 	defer span.End()

-	if rec, ok := rbac.GetAuthzCheckRecorder(ctx); ok {
-		// If you're here because you saw this header in a response, and you're
-		// trying to investigate the code, here are a couple of notable things
-		// for you to know:
-		// - If any of the checks are `false`, they might not represent the whole
-		//   picture. There could be additional checks that weren't performed,
-		//   because processing stopped after the failure.
-		// - The checks are recorded by the `authzRecorder` type, which is
-		//   configured on server startup for development and testing builds.
-		// - If this header is missing from a response, make sure the response is
-		//   being written by calling `httpapi.Write`!
-		rw.Header().Set("x-authz-checks", rec.String())
-	}
+	SetAuthzCheckRecorderHeader(ctx, rw)

 	rw.Header().Set("Content-Type", "application/json; charset=utf-8")
 	rw.WriteHeader(status)
@ -228,9 +215,7 @@ func WriteIndent(ctx context.Context, rw http.ResponseWriter, status int, respon
 	_, span := tracing.StartSpan(ctx)
 	defer span.End()

-	if rec, ok := rbac.GetAuthzCheckRecorder(ctx); ok {
-		rw.Header().Set("x-authz-checks", rec.String())
-	}
+	SetAuthzCheckRecorderHeader(ctx, rw)

 	rw.Header().Set("Content-Type", "application/json; charset=utf-8")
 	rw.WriteHeader(status)
--- a/coderd/httpmw/authz.go
+++ b/coderd/httpmw/authz.go
@ -1,3 +1,5 @@
+//go:build !slim
+
 package httpmw

 import (
--- a/coderd/rbac/no_slim.go
+++ b/coderd/rbac/no_slim.go
@ -0,0 +1,9 @@
+//go:build slim
+
+package rbac
+
+const (
+	// This line fails to compile, preventing this package from being imported
+	// in slim builds.
+	_DO_NOT_IMPORT_THIS_PACKAGE_IN_SLIM_BUILDS = _DO_NOT_IMPORT_THIS_PACKAGE_IN_SLIM_BUILDS
+)
--- a/coderd/rbac/roles.go
+++ b/coderd/rbac/roles.go
@ -798,12 +798,12 @@ func OrganizationRoles(organizationID uuid.UUID) []Role {
 	return roles
 }

-// SiteRoles lists all roles that can be applied to a user.
+// SiteBuiltInRoles lists all roles that can be applied to a user.
 // This is the list of available roles, and not specific to a user
 //
 // This should be a list in a database, but until then we build
 // the list from the builtins.
-func SiteRoles() []Role {
+func SiteBuiltInRoles() []Role {
 	var roles []Role
 	for _, roleF := range builtInRoles {
 		// Must provide some non-nil uuid to filter out org roles.
--- a/coderd/rbac/roles_test.go
+++ b/coderd/rbac/roles_test.go
@ -34,7 +34,7 @@ func (a authSubject) Subjects() []authSubject { return []authSubject{a} }
 // rules. If this is incorrect, that is a mistake.
 func TestBuiltInRoles(t *testing.T) {
 	t.Parallel()
-	for _, r := range rbac.SiteRoles() {
+	for _, r := range rbac.SiteBuiltInRoles() {
 		r := r
 		t.Run(r.Identifier.String(), func(t *testing.T) {
 			t.Parallel()
@ -997,7 +997,7 @@ func TestIsOrgRole(t *testing.T) {
 func TestListRoles(t *testing.T) {
 	t.Parallel()

-	siteRoles := rbac.SiteRoles()
+	siteRoles := rbac.SiteBuiltInRoles()
 	siteRoleNames := make([]string, 0, len(siteRoles))
 	for _, role := range siteRoles {
 		siteRoleNames = append(siteRoleNames, role.Identifier.Name)
--- a/coderd/roles.go
+++ b/coderd/roles.go
@ -43,7 +43,7 @@ func (api *API) AssignableSiteRoles(rw http.ResponseWriter, r *http.Request) {
 		return
 	}

-	httpapi.Write(ctx, rw, http.StatusOK, assignableRoles(actorRoles.Roles, rbac.SiteRoles(), dbCustomRoles))
+	httpapi.Write(ctx, rw, http.StatusOK, assignableRoles(actorRoles.Roles, rbac.SiteBuiltInRoles(), dbCustomRoles))
 }

 // assignableOrgRoles returns all org wide roles that can be assigned.