- rbac: export rbac.Permissions
- dbauthz: move GetDeploymentDAUs, GetTemplateDAUs,
GetTemplateAverageBuildTime from querier.go to system.go
and removes auth checks
- dbauthz: remove AsSystem(), add individual roles for
autostart, provisionerd, add restricted system role for
everything else
The authz library returns a 404 if the authorization fails. If the
context is cancelled, then a 404 message is inaccurate.
Add a unit test to ensure context cancelled errors are raised
properly
* fix: allow disabling all password auth even if owner
Removes any and all ability to auth with a password.
* Hide create user if password auth is disabled
feat: Add initial AuthzQuerier implementation
- Adds package database/dbauthz that adds a database.Store implementation where each method goes through AuthZ checks
- Implements all database.Store methods on AuthzQuerier
- Updates and fixes unit tests where required
- Updates coderd initialization to use AuthzQuerier if codersdk.ExperimentAuthzQuerier is enabled
* chore: Force license uuids to not be null
* All unit tests generate uuids for licenses
* Update migration files to new numbers
* Put migration in transaction
* feat: Add cachable authorizer to elimate duplicate rbac calls
Cache is context bound, so only prevents duplicate rbac calls in
the same request context.
* chore: Optimize rego policy evaluation allocations
Manually convert to ast.Value instead of using generic
json.Marshal conversion.
* Add a unit test that prevents regressions of rego input
The optimized input is always compared to the normal json
marshal parser.
* chore: Use dbgen in unit test
- organizationparam_test
- templateparam_test
* Use dbgen in all unit tests vs insert methods
* fixup! Use dbgen in all unit tests vs insert methods
---------
Co-authored-by: Cian Johnston <cian@coder.com>
* added migration for api key resource
* sort of working
* auditing login
* passing the correct user id
* added and fixed tests
* gen documentation
* formatting and lint
* lint
* audit Github oauth and write tests
* audit oauth and write tests
* added defer fn for login error auditing
* fixed test
* feat: audit logout (#5998)
* Update coderd/userauth.go
Co-authored-by: Steven Masley <Emyrk@users.noreply.github.com>
* fix test
* bypassing diff generation if login/logout
* lint
---------
Co-authored-by: Steven Masley <Emyrk@users.noreply.github.com>
Adds a flag --disable-password-auth that prevents the password login
endpoint from working unless the user has the "owner" (aka. site admin)
role.
Adds a subcommand `coder server create-admin-user` which creates a user
directly in the database with the "owner" role, the "admin" role in
every organization, and password auth. This is to avoid lock-out
situations where all accounts have the login type set to an identity
provider and nobody can login.
* chore: Allow RecordingAuthorizer to record multiple rbac authz calls
Prior iteration only recorded the last call. This is required for
more comprehensive testing
Adds --session-duration which lets admins customize the default session
expiration for browser sessions.
Adds --disable-session-expiry-refresh which allows admins to prevent
session expiry from being automatically bumped upon the API key being
used.
