
Merge httpmw and dbauthz "actor/subject" contexts #12363

@Emyrk

httpmw uses userAuthKey, see:

```go
func UserAuthorization(r *http.Request) Authorization {
```

dbauthz uses authContextKey, see:

```go
func ActorFromContext(ctx context.Context) (rbac.Subject, bool) {
```

These are the same concept, but both are set in httpmw, requiring this dance:

```go
ctx = r.Context()
ctx = context.WithValue(ctx, workspaceProxyContextKey{}, proxy)
//nolint:gocritic // Workspace proxies have full permissions. The
// workspace proxy auth middleware is not mounted to every route, so
// they can still only access the routes that the middleware is
// mounted to.
ctx = dbauthz.AsSystemRestricted(ctx)
subj, ok := dbauthz.ActorFromContext(ctx)
if !ok {
	// This should never happen
	httpapi.InternalServerError(w, xerrors.New("developer error: ExtractWorkspaceProxy missing rbac actor"))
	return
}
// Use the same subject for the userAuthKey
ctx = context.WithValue(ctx, userAuthKey{}, Authorization{
	Actor:     subj,
	ActorName: "proxy_" + proxy.Name,
})
```

We should merge them into 1 concept.
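
A sketch of the merge proposed above, as an added example that is not part of the original issue or the project's code. `Subject`, `Authorization`, `asSystem`, `actorKey`, `WithActor` and `Drifted` are simplified, hypothetical stand-ins, and the two readers take a `context.Context` here rather than the real signatures. It shows how the two-key layout lets the httpmw and dbauthz views of the actor disagree, and how a single key with one writer removes that possibility.

```go
package main

import (
	"context"
	"fmt"
)

// Simplified stand-ins (assumptions) for rbac.Subject and httpmw.Authorization.
type Subject struct{ ID string }
type Authorization struct {
	Actor     Subject
	ActorName string
}
type userAuthKey struct{}    // legacy key read by httpmw
type authContextKey struct{} // legacy key read by dbauthz
type actorKey struct{}       // hypothetical merged key

// asSystem is a hypothetical helper that swaps only the dbauthz actor.
func asSystem(ctx context.Context) context.Context {
	return context.WithValue(ctx, authContextKey{}, Subject{ID: "system"})
}

// Drifted reports whether the two legacy keys disagree about the subject.
func Drifted(ctx context.Context) bool {
	a, _ := ctx.Value(userAuthKey{}).(Authorization)
	s, _ := ctx.Value(authContextKey{}).(Subject)
	return a.Actor != s
}

// WithActor is the only writer of the merged key, so readers cannot disagree.
func WithActor(ctx context.Context, s Subject, name string) context.Context {
	return context.WithValue(ctx, actorKey{}, Authorization{Actor: s, ActorName: name})
}

// UserAuthorization is the httpmw-style reader; ok is false when no actor is set.
func UserAuthorization(ctx context.Context) (Authorization, bool) {
	a, ok := ctx.Value(actorKey{}).(Authorization)
	return a, ok
}

// ActorFromContext is the dbauthz-style reader over the same stored value.
func ActorFromContext(ctx context.Context) (Subject, bool) {
	a, ok := UserAuthorization(ctx)
	return a.Actor, ok
}

func main() {
	// Constructed sample: httpmw sees "alice" while dbauthz is switched to "system".
	legacy := context.WithValue(context.Background(), userAuthKey{}, Authorization{Actor: Subject{ID: "alice"}})
	s, ok := ActorFromContext(WithActor(context.Background(), Subject{ID: "system"}, "proxy_example"))
	fmt.Println("legacy drift:", Drifted(asSystem(legacy)), "merged actor:", s.ID, ok)
}
```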
