chore: Implement standard rbac.Subject to be reused everywhere (#5881)

* chore: Implement standard rbac.Subject to be reused everywhere An rbac subject is created in multiple spots because of the way we expand roles, scopes, etc. This difference in use creates a list of arguments which is unwieldy. Use of the expander interface lets us conform to a single subject in every case
2025-07-06 15:41:45 +00:00 · 2023-01-26 14:42:54 -06:00
parent 5c54d8b8cd
commit b0a16150a3
18 changed files with 465 additions and 371 deletions
--- a/coderd/rbac/trace.go
+++ b/coderd/rbac/trace.go
@ -7,13 +7,13 @@ import (

 // rbacTraceAttributes are the attributes that are added to all spans created by
 // the rbac package. These attributes should help to debug slow spans.
-func rbacTraceAttributes(roles []string, groupCount int, scope ScopeName, action Action, objectType string, extra ...attribute.KeyValue) trace.SpanStartOption {
+func rbacTraceAttributes(actor Subject, action Action, objectType string, extra ...attribute.KeyValue) trace.SpanStartOption {
 	return trace.WithAttributes(
 		append(extra,
-			attribute.StringSlice("subject_roles", roles),
-			attribute.Int("num_subject_roles", len(roles)),
-			attribute.Int("num_groups", groupCount),
-			attribute.String("scope", string(scope)),
+			attribute.StringSlice("subject_roles", actor.SafeRoleNames()),
+			attribute.Int("num_subject_roles", len(actor.SafeRoleNames())),
+			attribute.Int("num_groups", len(actor.Groups)),
+			attribute.String("scope", actor.SafeScopeName()),
 			attribute.String("action", string(action)),
 			attribute.String("object_type", objectType),
 		)...)