chore: Implement standard rbac.Subject to be reused everywhere (#5881)

* chore: Implement standard rbac.Subject to be reused everywhere An rbac subject is created in multiple spots because of the way we expand roles, scopes, etc. This difference in use creates a list of arguments which is unwieldy. Use of the expander interface lets us conform to a single subject in every case
2025-07-15 22:20:27 +00:00 · 2023-01-26 14:42:54 -06:00
parent 5c54d8b8cd
commit b0a16150a3
18 changed files with 465 additions and 371 deletions
--- a/coderd/rbac/partial.go
+++ b/coderd/rbac/partial.go
@ -121,13 +121,30 @@ EachQueryLoop:
 	return ForbiddenWithInternal(xerrors.Errorf("policy disallows request"), pa.input, nil)
 }

-func newPartialAuthorizer(ctx context.Context, subjectID string, roles []Role, scope Scope, groups []string, action Action, objectType string) (*PartialAuthorizer, error) {
+func newPartialAuthorizer(ctx context.Context, subject Subject, action Action, objectType string) (*PartialAuthorizer, error) {
+	if subject.Roles == nil {
+		return nil, xerrors.Errorf("subject must have roles")
+	}
+	if subject.Scope == nil {
+		return nil, xerrors.Errorf("subject must have a scope")
+	}
+
+	roles, err := subject.Roles.Expand()
+	if err != nil {
+		return nil, xerrors.Errorf("expand roles: %w", err)
+	}
+
+	scope, err := subject.Scope.Expand()
+	if err != nil {
+		return nil, xerrors.Errorf("expand scope: %w", err)
+	}
+
 	input := map[string]interface{}{
 		"subject": authSubject{
-			ID:     subjectID,
+			ID:     subject.ID,
 			Roles:  roles,
 			Scope:  scope,
-			Groups: groups,
+			Groups: subject.Groups,
 		},
 		"object": map[string]string{
 			"type": objectType,