
Commit 9bbef21

committed
Expand the authorization user query to also return the user's email, and extract actor injection into a single method
1 parent 8faaa14 commit 9bbef21

5 files changed

+29
-12
lines changed


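--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -388,59 +388,59 @@ var (
 // AsProvisionerd returns a context with an actor that has permissions required
 // for provisionerd to function.
 func AsProvisionerd(ctx context.Context) context.Context {
-return context.WithValue(ctx, authContextKey{}, subjectProvisionerd)
+return InjectActorToContext(ctx, subjectProvisionerd)
 }
 
 // AsAutostart returns a context with an actor that has permissions required
 // for autostart to function.
 func AsAutostart(ctx context.Context) context.Context {
-return context.WithValue(ctx, authContextKey{}, subjectAutostart)
+return InjectActorToContext(ctx, subjectAutostart)
 }
 
 // AsHangDetector returns a context with an actor that has permissions required
 // for unhanger.Detector to function.
 func AsHangDetector(ctx context.Context) context.Context {
-return context.WithValue(ctx, authContextKey{}, subjectHangDetector)
+return InjectActorToContext(ctx, subjectHangDetector)
 }
 
 // AsKeyRotator returns a context with an actor that has permissions required for rotating crypto keys.
 func AsKeyRotator(ctx context.Context) context.Context {
-return context.WithValue(ctx, authContextKey{}, subjectCryptoKeyRotator)
+return InjectActorToContext(ctx, subjectCryptoKeyRotator)
 }
 
 // AsKeyReader returns a context with an actor that has permissions required for reading crypto keys.
 func AsKeyReader(ctx context.Context) context.Context {
-return context.WithValue(ctx, authContextKey{}, subjectCryptoKeyReader)
+return InjectActorToContext(ctx, subjectCryptoKeyReader)
 }
 
 // AsNotifier returns a context with an actor that has permissions required for
 // creating/reading/updating/deleting notifications.
 func AsNotifier(ctx context.Context) context.Context {
-return context.WithValue(ctx, authContextKey{}, subjectNotifier)
+return InjectActorToContext(ctx, subjectNotifier)
 }
 
 // AsResourceMonitor returns a context with an actor that has permissions required for
 // updating resource monitors.
 func AsResourceMonitor(ctx context.Context) context.Context {
-return context.WithValue(ctx, authContextKey{}, subjectResourceMonitor)
+return InjectActorToContext(ctx, subjectResourceMonitor)
 }
 
 // AsSystemRestricted returns a context with an actor that has permissions
 // required for various system operations (login, logout, metrics cache).
 func AsSystemRestricted(ctx context.Context) context.Context {
-return context.WithValue(ctx, authContextKey{}, subjectSystemRestricted)
+return InjectActorToContext(ctx, subjectSystemRestricted)
 }
 
 // AsSystemReadProvisionerDaemons returns a context with an actor that has permissions
 // to read provisioner daemons.
 func AsSystemReadProvisionerDaemons(ctx context.Context) context.Context {
-return context.WithValue(ctx, authContextKey{}, subjectSystemReadProvisionerDaemons)
+return InjectActorToContext(ctx, subjectSystemReadProvisionerDaemons)
 }
 
 // AsPrebuildsOrchestrator returns a context with an actor that has permissions
 // to read orchestrator workspace prebuilds.
 func AsPrebuildsOrchestrator(ctx context.Context) context.Context {
-return context.WithValue(ctx, authContextKey{}, subjectPrebuildsOrchestrator)
+return InjectActorToContext(ctx, subjectPrebuildsOrchestrator)
 }
 
 var AsRemoveActor = rbac.Subject{
@@ -458,6 +458,16 @@ func As(ctx context.Context, actor rbac.Subject) context.Context {
 // should be removed from the context.
 return context.WithValue(ctx, authContextKey{}, nil)
 }
+return InjectActorToContext(ctx, actor)
+}
+
+func InjectActorToContext(ctx context.Context, actor rbac.Subject) context.Context {
+// if rlogger := httpmw.RequestLoggerFromContext(ctx); rlogger != nil {
+// rlogger.WithFields(
+// slog.F("requestor_id", actor.ID),
+// slog.F("requestor_email", actor.Email),
+// )
+// }
 return context.WithValue(ctx, authContextKey{}, actor)
 }
 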
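Review bot: `InjectActorToContext` is a new exported entry point that skips the `AsRemoveActor` special case that `As` (whose body begins outside this hunk) still performs, so a caller that passes `AsRemoveActor` to it stores the sentinel subject instead of clearing the actor; it also lands with a commented-out logging block and no doc comment. If it must stay exported, state the contract, e.g. `// InjectActorToContext stores actor as the authorization subject for ctx. Unlike As, it does not treat AsRemoveActor specially; callers that may need to clear the actor should use As.` — otherwise unexport it as `injectActorToContext`, since every caller visible in this hunk is in-package. The commented-out `httpmw.RequestLoggerFromContext` block should be deleted rather than committed, and if it is later enabled, `actor.Email` is personal data that should be confined to debug-level or audit logs rather than every request log.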

coderd/database/queries.sql.go

Lines changed: 3 additions & 1 deletion

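--- a/coderd/database/queries/users.sql
+++ b/coderd/database/queries/users.sql
@@ -303,7 +303,7 @@ SELECT
 -- username is returned just to help for logging purposes
 -- status is used to enforce 'suspended' users, as all roles are ignored
 -- when suspended.
-id, username, status,
+id, username, status, email,
 -- All user roles, including their org roles.
 array_cat(
 -- All users are members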
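Review bot: The new `email` column on line 306 has no accompanying comment, while the neighbouring columns document why they are selected (`username` for logging, `status` for suspension enforcement). Add `-- email is returned for logging/debugging only and must not influence authorization` alongside the existing comments so future readers do not start keying decisions off it. This hunk sits inside a larger `SELECT` whose start and end are outside the hunk, and the sqlc-generated `queries.sql.go` has to be regenerated with it, which the diffstat suggests this commit does.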

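--- a/coderd/httpmw/apikey.go
+++ b/coderd/httpmw/apikey.go
@@ -466,6 +466,7 @@ func UserRBACSubject(ctx context.Context, db database.Store, userID uuid.UUID, s
 
 actor := rbac.Subject{
 FriendlyName: roles.Username,
+Email: roles.Email,
 ID: userID.String(),
 Roles: rbacRoles,
 Groups: roles.Groups,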
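Review bot: `Email: roles.Email` on line 469 copies an identity attribute into the RBAC subject with no local hint that it is informational only, and `UserRBACSubject` begins and ends outside this hunk. A one-line comment keeps the intent next to the value: `Email: roles.Email, // informational only (logging/debugging); never an authorization input`. Because this subject travels in request contexts, it is worth confirming that nothing downstream serialises the whole `rbac.Subject` into logs or error responses now that it carries an email address.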

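--- a/coderd/rbac/authz.go
+++ b/coderd/rbac/authz.go
@@ -66,6 +66,10 @@ type Subject struct {
 // external workspace proxy or other service type actor.
 FriendlyName string
 
+// Email is entirely optional and is used for logging and debugging
+// It is not used in any functional way.
+Email string
+
 ID string
 Roles ExpandableRoles
 Groups []string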
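Review bot: The doc comment on the new `Email` field is missing terminal punctuation on its first line and stops short of the guarantee a security reviewer wants spelled out: that it is never an authorization input and that it is personal data when it reaches logs. Suggested wording: `// Email is optional and exists only for logging and debugging; it is never consulted for authorization decisions. It is personal data, so keep it out of non-debug log sinks.` If `Subject` is compared, hashed or serialised anywhere (not visible in this hunk), adding the field changes that behaviour and is worth confirming.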
