feat: Add initial AuthzQuerier implementation (#5919)

feat: Add initial AuthzQuerier implementation - Adds package database/dbauthz that adds a database.Store implementation where each method goes through AuthZ checks - Implements all database.Store methods on AuthzQuerier - Updates and fixes unit tests where required - Updates coderd initialization to use AuthzQuerier if codersdk.ExperimentAuthzQuerier is enabled
2025-07-03 16:13:58 +00:00 · 2023-02-14 08:27:06 -06:00
parent ebdfdc749d
commit 6fb8aff6d0
59 changed files with 5013 additions and 136 deletions
--- a/coderd/authorize.go
+++ b/coderd/authorize.go
@ -51,6 +51,28 @@ type HTTPAuthorizer struct {
 //		return
 //	}
 func (api *API) Authorize(r *http.Request, action rbac.Action, object rbac.Objecter) bool {
+	// The experiment does not replace ALL rbac checks, but does replace most.
+	// This statement aborts early on the checks that will be removed in the
+	// future when this experiment is default.
+	if api.Experiments.Enabled(codersdk.ExperimentAuthzQuerier) {
+		// Some resource types do not interact with the persistent layer and
+		// we need to keep these checks happening in the API layer.
+		switch object.RBACObject().Type {
+		case rbac.ResourceWorkspaceExecution.Type:
+			// This is not a db resource, always in API layer
+		case rbac.ResourceDeploymentConfig.Type:
+			// For metric cache items like DAU, we do not hit the DB.
+			// Some db actions are in asserted in the authz layer.
+		case rbac.ResourceReplicas.Type:
+			// Replica rbac is checked for adding and removing replicas.
+		case rbac.ResourceProvisionerDaemon.Type:
+			// Provisioner rbac is checked for adding and removing provisioners.
+		case rbac.ResourceDebugInfo.Type:
+			// This is not a db resource, always in API layer.
+		default:
+			return true
+		}
+	}
 	return api.HTTPAuth.Authorize(r, action, object)
 }