synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-03 16:13:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: Add cachable authorizer to elimate duplicate rbac calls (#6107)

Browse Source 
* feat: Add cachable authorizer to elimate duplicate rbac calls

Cache is context bound, so only prevents duplicate rbac calls in
the same request context.
This commit is contained in:
Steven Masley
2023-02-09 20:14:31 -06:00
committed by GitHub
parent 6f3f7f2937
commit e6da7afd33
6 changed files with 331 additions and 99 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
coderd/coderdtest/authorize_test.go
View File

@ -4,7 +4,6 @@ import (
"context"
"testing"
"github.com/moby/moby/pkg/namesgenerator"
"github.com/stretchr/testify/require"
"github.com/coder/coder/coderd/coderdtest"
@ -34,7 +33,7 @@ func TestAuthzRecorder(t *testing.T) {
rec := &coderdtest.RecordingAuthorizer{
Wrapped: &coderdtest.FakeAuthorizer{},
}
sub := randomSubject()
sub := coderdtest.RandomRBACSubject()
pairs := fuzzAuthz(t, sub, rec, 10)
rec.AssertActor(t, sub, pairs...)
require.NoError(t, rec.AllAsserted(), "all assertions should have been made")
@ -46,10 +45,10 @@ func TestAuthzRecorder(t *testing.T) {
rec := &coderdtest.RecordingAuthorizer{
Wrapped: &coderdtest.FakeAuthorizer{},
}
a := randomSubject()
a := coderdtest.RandomRBACSubject()
aPairs := fuzzAuthz(t, a, rec, 10)
b := randomSubject()
b := coderdtest.RandomRBACSubject()
bPairs := fuzzAuthz(t, b, rec, 10)
rec.AssertActor(t, b, bPairs...)
@ -63,12 +62,12 @@ func TestAuthzRecorder(t *testing.T) {
rec := &coderdtest.RecordingAuthorizer{
Wrapped: &coderdtest.FakeAuthorizer{},
}
a := randomSubject()
a := coderdtest.RandomRBACSubject()
aPairs := fuzzAuthz(t, a, rec, 10)
b := randomSubject()
b := coderdtest.RandomRBACSubject()
act, objTy := randomAction(), randomObject().Type
act, objTy := coderdtest.RandomRBACAction(), coderdtest.RandomRBACObject().Type
prep, _ := rec.Prepare(context.Background(), b, act, objTy)
bPairs := fuzzAuthzPrep(t, prep, 10, act, objTy)
@ -84,7 +83,7 @@ func fuzzAuthzPrep(t *testing.T, prep rbac.PreparedAuthorized, n int, action rba
pairs := make([]coderdtest.ActionObjectPair, 0, n)
for i := 0; i < n; i++ {
obj := randomObject()
obj := coderdtest.RandomRBACObject()
obj.Type = objectType
p := coderdtest.ActionObjectPair{Action: action, Object: obj}
_ = prep.Authorize(context.Background(), p.Object)
@ -98,37 +97,9 @@ func fuzzAuthz(t *testing.T, sub rbac.Subject, rec rbac.Authorizer, n int) []cod
pairs := make([]coderdtest.ActionObjectPair, 0, n)
for i := 0; i < n; i++ {
p := coderdtest.ActionObjectPair{Action: randomAction(), Object: randomObject()}
p := coderdtest.ActionObjectPair{Action: coderdtest.RandomRBACAction(), Object: coderdtest.RandomRBACObject()}
_ = rec.Authorize(context.Background(), sub, p.Action, p.Object)
pairs = append(pairs, p)
}
return pairs
}
func randomAction() rbac.Action {
return rbac.Action(namesgenerator.GetRandomName(1))
}
func randomObject() rbac.Object {
return rbac.Object{
ID: namesgenerator.GetRandomName(1),
Owner: namesgenerator.GetRandomName(1),
OrgID: namesgenerator.GetRandomName(1),
Type: namesgenerator.GetRandomName(1),
ACLUserList: map[string][]rbac.Action{
namesgenerator.GetRandomName(1): {rbac.ActionRead},
},
ACLGroupList: map[string][]rbac.Action{
namesgenerator.GetRandomName(1): {rbac.ActionRead},
},
}
}
func randomSubject() rbac.Subject {
return rbac.Subject{
ID: namesgenerator.GetRandomName(1),
Roles: rbac.RoleNames{rbac.RoleMember()},
Groups: []string{namesgenerator.GetRandomName(1)},
Scope: rbac.ScopeAll,
}
}