chore: break down dbauthz.System into smaller roles (#6218)

- rbac: export rbac.Permissions - dbauthz: move GetDeploymentDAUs, GetTemplateDAUs, GetTemplateAverageBuildTime from querier.go to system.go and removes auth checks - dbauthz: remove AsSystem(), add individual roles for autostart, provisionerd, add restricted system role for everything else
2025-07-06 15:41:45 +00:00 · 2023-02-15 16:14:37 +00:00
parent 84da6056b2
commit f0f39b4892
25 changed files with 180 additions and 141 deletions
--- a/coderd/httpmw/apikey.go
+++ b/coderd/httpmw/apikey.go
@ -161,7 +161,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 			}

 			//nolint:gocritic // System needs to fetch API key to check if it's valid.
-			key, err := cfg.DB.GetAPIKeyByID(dbauthz.AsSystem(ctx), keyID)
+			key, err := cfg.DB.GetAPIKeyByID(dbauthz.AsSystemRestricted(ctx), keyID)
 			if err != nil {
 				if errors.Is(err, sql.ErrNoRows) {
 					optionalWrite(http.StatusUnauthorized, codersdk.Response{
@ -195,7 +195,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 			)
 			if key.LoginType == database.LoginTypeGithub || key.LoginType == database.LoginTypeOIDC {
 				//nolint:gocritic // System needs to fetch UserLink to check if it's valid.
-				link, err = cfg.DB.GetUserLinkByUserIDLoginType(dbauthz.AsSystem(ctx), database.GetUserLinkByUserIDLoginTypeParams{
+				link, err = cfg.DB.GetUserLinkByUserIDLoginType(dbauthz.AsSystemRestricted(ctx), database.GetUserLinkByUserIDLoginTypeParams{
 					UserID:    key.UserID,
 					LoginType: key.LoginType,
 				})
@ -279,7 +279,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 			}
 			if changed {
 				//nolint:gocritic // System needs to update API Key LastUsed
-				err := cfg.DB.UpdateAPIKeyByID(dbauthz.AsSystem(ctx), database.UpdateAPIKeyByIDParams{
+				err := cfg.DB.UpdateAPIKeyByID(dbauthz.AsSystemRestricted(ctx), database.UpdateAPIKeyByIDParams{
 					ID:        key.ID,
 					LastUsed:  key.LastUsed,
 					ExpiresAt: key.ExpiresAt,
@ -296,7 +296,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 				// then we want to update the relevant oauth fields.
 				if link.UserID != uuid.Nil {
 					// nolint:gocritic
-					link, err = cfg.DB.UpdateUserLink(dbauthz.AsSystem(ctx), database.UpdateUserLinkParams{
+					link, err = cfg.DB.UpdateUserLink(dbauthz.AsSystemRestricted(ctx), database.UpdateUserLinkParams{
 						UserID:            link.UserID,
 						LoginType:         link.LoginType,
 						OAuthAccessToken:  link.OAuthAccessToken,
@ -316,7 +316,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 				// load. We update alongside the UserLink and APIKey since it's
 				// easier on the DB to colocate writes.
 				// nolint:gocritic
-				_, err = cfg.DB.UpdateUserLastSeenAt(dbauthz.AsSystem(ctx), database.UpdateUserLastSeenAtParams{
+				_, err = cfg.DB.UpdateUserLastSeenAt(dbauthz.AsSystemRestricted(ctx), database.UpdateUserLastSeenAtParams{
 					ID:         key.UserID,
 					LastSeenAt: database.Now(),
 					UpdatedAt:  database.Now(),
@ -334,7 +334,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 			// The roles are used for RBAC authorize checks, and the status
 			// is to block 'suspended' users from accessing the platform.
 			// nolint:gocritic
-			roles, err := cfg.DB.GetAuthorizationUserRoles(dbauthz.AsSystem(ctx), key.UserID)
+			roles, err := cfg.DB.GetAuthorizationUserRoles(dbauthz.AsSystemRestricted(ctx), key.UserID)
 			if err != nil {
 				write(http.StatusUnauthorized, codersdk.Response{
 					Message: internalErrorMessage,
--- a/coderd/httpmw/authz.go
+++ b/coderd/httpmw/authz.go
@ -28,7 +28,7 @@ func AsAuthzSystem(mws ...func(http.Handler) http.Handler) func(http.Handler) ht
 			}

 			// nolint:gocritic // AsAuthzSystem needs to do this.
-			r = r.WithContext(dbauthz.AsSystem(ctx))
+			r = r.WithContext(dbauthz.AsSystemRestricted(ctx))
 			chain.Handler(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 				r = r.WithContext(dbauthz.As(r.Context(), before))
 				next.ServeHTTP(rw, r)
--- a/coderd/httpmw/hsts_test.go
+++ b/coderd/httpmw/hsts_test.go
@ -96,7 +96,7 @@ func TestHSTS(t *testing.T) {
 			req := httptest.NewRequest("GET", "/", nil)
 			res := httptest.NewRecorder()
 			got.ServeHTTP(res, req)
-			
+
 			require.Equal(t, tt.expectHeader, res.Header().Get("Strict-Transport-Security"), "expected header value")
 		})
 	}
--- a/coderd/httpmw/userparam.go
+++ b/coderd/httpmw/userparam.go
@ -70,7 +70,7 @@ func ExtractUserParam(db database.Store, redirectToLoginOnMe bool) func(http.Han
 					return
 				}
 				//nolint:gocritic // System needs to be able to get user from param.
-				user, err = db.GetUserByID(dbauthz.AsSystem(ctx), apiKey.UserID)
+				user, err = db.GetUserByID(dbauthz.AsSystemRestricted(ctx), apiKey.UserID)
 				if xerrors.Is(err, sql.ErrNoRows) {
 					httpapi.ResourceNotFound(rw)
 					return
@ -84,7 +84,7 @@ func ExtractUserParam(db database.Store, redirectToLoginOnMe bool) func(http.Han
 				}
 			} else if userID, err := uuid.Parse(userQuery); err == nil {
 				//nolint:gocritic // If the userQuery is a valid uuid
-				user, err = db.GetUserByID(dbauthz.AsSystem(ctx), userID)
+				user, err = db.GetUserByID(dbauthz.AsSystemRestricted(ctx), userID)
 				if err != nil {
 					httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
 						Message: userErrorMessage,
@ -93,7 +93,7 @@ func ExtractUserParam(db database.Store, redirectToLoginOnMe bool) func(http.Han
 				}
 			} else {
 				// nolint:gocritic // Try as a username last
-				user, err = db.GetUserByEmailOrUsername(dbauthz.AsSystem(ctx), database.GetUserByEmailOrUsernameParams{
+				user, err = db.GetUserByEmailOrUsername(dbauthz.AsSystemRestricted(ctx), database.GetUserByEmailOrUsernameParams{
 					Username: userQuery,
 				})
 				if err != nil {
--- a/coderd/httpmw/workspaceagent.go
+++ b/coderd/httpmw/workspaceagent.go
@ -48,7 +48,7 @@ func ExtractWorkspaceAgent(db database.Store) func(http.Handler) http.Handler {
 				return
 			}
 			//nolint:gocritic // System needs to be able to get workspace agents.
-			agent, err := db.GetWorkspaceAgentByAuthToken(dbauthz.AsSystem(ctx), token)
+			agent, err := db.GetWorkspaceAgentByAuthToken(dbauthz.AsSystemRestricted(ctx), token)
 			if err != nil {
 				if errors.Is(err, sql.ErrNoRows) {
 					httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
@ -66,7 +66,7 @@ func ExtractWorkspaceAgent(db database.Store) func(http.Handler) http.Handler {
 			}

 			//nolint:gocritic // System needs to be able to get workspace agents.
-			subject, err := getAgentSubject(dbauthz.AsSystem(ctx), db, agent)
+			subject, err := getAgentSubject(dbauthz.AsSystemRestricted(ctx), db, agent)
 			if err != nil {
 				httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 					Message: "Internal error fetching workspace agent.",