mirror of
https://github.com/coder/coder.git
synced 2025-07-03 16:13:58 +00:00
3cb9b20b11
## Description This PR improves the RBAC package by refactoring the policy, enhancing documentation, and adding utility scripts. ## Changes * Refactored `policy.rego` for clarity and readability * Updated README with OPA section * Added `benchmark_authz.sh` script for authz performance testing and comparison * Added `gen_input.go` to generate input for `opa eval` testing
101 lines
2.5 KiB
Go
101 lines
2.5 KiB
Go
// This program generates an input.json file containing action, object, and subject fields
|
|
// to be used as input for `opa eval`, e.g.:
|
|
// > opa eval --format=pretty "data.authz.allow" -d policy.rego -i input.json
|
|
// This helps verify that the policy returns the expected authorization decision.
|
|
package main
|
|
|
|
import (
|
|
"encoding/json"
|
|
"log"
|
|
"os"
|
|
|
|
"github.com/google/uuid"
|
|
"golang.org/x/xerrors"
|
|
|
|
"github.com/coder/coder/v2/coderd/rbac"
|
|
"github.com/coder/coder/v2/coderd/rbac/policy"
|
|
)
|
|
|
|
type SubjectJSON struct {
|
|
ID string `json:"id"`
|
|
Roles []rbac.Role `json:"roles"`
|
|
Groups []string `json:"groups"`
|
|
Scope rbac.Scope `json:"scope"`
|
|
}
|
|
type OutputData struct {
|
|
Action policy.Action `json:"action"`
|
|
Object rbac.Object `json:"object"`
|
|
Subject *SubjectJSON `json:"subject"`
|
|
}
|
|
|
|
func newSubjectJSON(s rbac.Subject) (*SubjectJSON, error) {
|
|
roles, err := s.Roles.Expand()
|
|
if err != nil {
|
|
return nil, xerrors.Errorf("failed to expand subject roles: %w", err)
|
|
}
|
|
scopes, err := s.Scope.Expand()
|
|
if err != nil {
|
|
return nil, xerrors.Errorf("failed to expand subject scopes: %w", err)
|
|
}
|
|
return &SubjectJSON{
|
|
ID: s.ID,
|
|
Roles: roles,
|
|
Groups: s.Groups,
|
|
Scope: scopes,
|
|
}, nil
|
|
}
|
|
|
|
// TODO: Support optional CLI flags to customize the input:
|
|
// --action=[one of the supported actions]
|
|
// --subject=[one of the built-in roles]
|
|
// --object=[one of the supported resources]
|
|
func main() {
|
|
// Template Admin user
|
|
subject := rbac.Subject{
|
|
FriendlyName: "Test Name",
|
|
Email: "test@coder.com",
|
|
Type: "user",
|
|
ID: uuid.New().String(),
|
|
Roles: rbac.RoleIdentifiers{
|
|
rbac.RoleTemplateAdmin(),
|
|
},
|
|
Scope: rbac.ScopeAll,
|
|
}
|
|
|
|
subjectJSON, err := newSubjectJSON(subject)
|
|
if err != nil {
|
|
log.Fatalf("Failed to convert to subject to JSON: %v", err)
|
|
}
|
|
|
|
// Delete action
|
|
action := policy.ActionDelete
|
|
|
|
// Prebuilt Workspace object
|
|
object := rbac.Object{
|
|
ID: uuid.New().String(),
|
|
Owner: "c42fdf75-3097-471c-8c33-fb52454d81c0",
|
|
OrgID: "663f8241-23e0-41c4-a621-cec3a347318e",
|
|
Type: "prebuilt_workspace",
|
|
}
|
|
|
|
// Output file path
|
|
outputPath := "input.json"
|
|
|
|
output := OutputData{
|
|
Action: action,
|
|
Object: object,
|
|
Subject: subjectJSON,
|
|
}
|
|
|
|
outputBytes, err := json.MarshalIndent(output, "", " ")
|
|
if err != nil {
|
|
log.Fatalf("Failed to marshal output to json: %v", err)
|
|
}
|
|
|
|
if err := os.WriteFile(outputPath, outputBytes, 0o600); err != nil {
|
|
log.Fatalf("Failed to generate input file: %v", err)
|
|
}
|
|
|
|
log.Println("Input JSON written to", outputPath)
|
|
}
|