feat: Check permissions endpoint

Emyrk · Emyrk · commit fb7adf5580ce · 2022-05-11T09:18:46.000-05:00
Allows FE to query backend for permission capabilities.
Batch requests supported
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -250,6 +250,10 @@ func New(options *Options) (http.Handler, func()) {
 					r.Put("/roles", api.putUserRoles)
 					r.Get("/roles", api.userRoles)
 
+					r.Route("/permissions", func(r chi.Router) {
+						r.Post("/check", api.checkPermissions)
+					})
+
 					r.Post("/keys", api.postAPIKey)
 					r.Route("/organizations", func(r chi.Router) {
 						r.Post("/", api.postOrganizationsByUser)
diff --git a/coderd/roles.go b/coderd/roles.go
@@ -27,6 +27,49 @@ func (*api) assignableOrgRoles(rw http.ResponseWriter, r *http.Request) {
 	httpapi.Write(rw, http.StatusOK, convertRoles(roles))
 }
 
+func (api *api) checkPermissions(rw http.ResponseWriter, r *http.Request) {
+	roles := httpmw.UserRoles(r)
+	user := httpmw.UserParam(r)
+	if user.ID != roles.ID {
+		httpapi.Write(rw, http.StatusBadRequest, httpapi.Response{
+			// TODO: @Emyrk in the future we could have an rbac check here.
+			//	If the user can masquerade/impersonate as the user passed in,
+			//	we could allow this or something like that.
+			Message: "only allowed to check permissions on yourself",
+		})
+		return
+	}
+
+	var params codersdk.UserPermissionCheckRequest
+	if !httpapi.Read(rw, r, &params) {
+		return
+	}
+
+	response := make(codersdk.UserPermissionCheckResponse)
+	for k, v := range params.Checks {
+		if v.Object.ResourceType == "" {
+			httpapi.Write(rw, http.StatusBadRequest, httpapi.Response{
+				Message: "'resource_type' must be defined",
+			})
+			return
+		}
+
+		if v.Object.OwnerID == "me" {
+			v.Object.OwnerID = roles.ID.String()
+		}
+		err := api.Authorizer.AuthorizeByRoleName(r.Context(), roles.ID.String(), roles.Roles, v.Action,
+			rbac.Object{
+				ResourceID: v.Object.ResourceID,
+				Owner:      v.Object.OwnerID,
+				OrgID:      v.Object.OrganizationID,
+				Type:       v.Object.ResourceType,
+			})
+		response[k] = err == nil
+	}
+
+	httpapi.Write(rw, http.StatusOK, response)
+}
+
 func convertRole(role rbac.Role) codersdk.Role {
 	return codersdk.Role{
 		DisplayName: role.DisplayName,
diff --git a/coderd/roles_test.go b/coderd/roles_test.go
@@ -12,6 +12,103 @@ import (
 	"github.com/coder/coder/codersdk"
 )
 
+func TestPermissionCheck(t *testing.T) {
+	t.Parallel()
+
+	ctx := context.Background()
+	client := coderdtest.New(t, nil)
+	// Create admin, member, and org admin
+	admin := coderdtest.CreateFirstUser(t, client)
+	member := coderdtest.CreateAnotherUser(t, client, admin.OrganizationID)
+
+	orgAdmin := coderdtest.CreateAnotherUser(t, client, admin.OrganizationID)
+	orgAdminUser, err := orgAdmin.User(ctx, codersdk.Me)
+	require.NoError(t, err)
+
+	// TODO: @emyrk switch this to the admin when getting non-personal users is
+	//	supported. `client.UpdateOrganizationMemberRoles(...)`
+	_, err = orgAdmin.UpdateOrganizationMemberRoles(ctx, admin.OrganizationID, orgAdminUser.ID,
+		codersdk.UpdateRoles{
+			Roles: []string{rbac.RoleOrgMember(admin.OrganizationID), rbac.RoleOrgAdmin(admin.OrganizationID)},
+		},
+	)
+	require.NoError(t, err, "update org member roles")
+
+	// With admin, member, and org admin
+	const (
+		allUsers          = "read-all-users"
+		readOrgWorkspaces = "read-org-workspaces"
+		myself            = "read-myself"
+		myWorkspace       = "read-my-workspace"
+	)
+	params := map[string]codersdk.UserPermissionCheck{
+		allUsers: {
+			Object: codersdk.UserPermissionCheckObject{
+				ResourceType: "users",
+			},
+			Action: "read",
+		},
+		myself: {
+			Object: codersdk.UserPermissionCheckObject{
+				ResourceType: "users",
+				OwnerID:      "me",
+			},
+			Action: "read",
+		},
+		myWorkspace: {
+			Object: codersdk.UserPermissionCheckObject{
+				ResourceType: "workspaces",
+				OwnerID:      "me",
+			},
+			Action: "read",
+		},
+		readOrgWorkspaces: {
+			Object: codersdk.UserPermissionCheckObject{
+				ResourceType:   "workspaces",
+				OrganizationID: admin.OrganizationID.String(),
+			},
+			Action: "read",
+		},
+	}
+
+	testCases := []struct {
+		Name   string
+		Client *codersdk.Client
+		Check  codersdk.UserPermissionCheckResponse
+	}{
+		{
+			Name:   "Admin",
+			Client: client,
+			Check: map[string]bool{
+				allUsers: true, myself: true, myWorkspace: true, readOrgWorkspaces: true,
+			},
+		},
+		{
+			Name:   "Member",
+			Client: member,
+			Check: map[string]bool{
+				allUsers: false, myself: true, myWorkspace: true, readOrgWorkspaces: false,
+			},
+		},
+		{
+			Name:   "OrgAdmin",
+			Client: orgAdmin,
+			Check: map[string]bool{
+				allUsers: false, myself: true, myWorkspace: true, readOrgWorkspaces: true,
+			},
+		},
+	}
+
+	for _, c := range testCases {
+		c := c
+		t.Run(c.Name, func(t *testing.T) {
+			resp, err := c.Client.CheckPermissions(context.Background(), codersdk.UserPermissionCheckRequest{Checks: params})
+			require.NoError(t, err, "check perms")
+			require.Equal(t, resp, c.Check)
+		})
+	}
+}
+
 func TestListRoles(t *testing.T) {
 	t.Parallel()
 
diff --git a/codersdk/roles.go b/codersdk/roles.go
@@ -43,3 +43,16 @@ func (c *Client) ListOrganizationRoles(ctx context.Context, org uuid.UUID) ([]Ro
 	var roles []Role
 	return roles, json.NewDecoder(res.Body).Decode(&roles)
 }
+
+func (c *Client) CheckPermissions(ctx context.Context, checks UserPermissionCheckRequest) (UserPermissionCheckResponse, error) {
+	res, err := c.request(ctx, http.MethodPost, fmt.Sprintf("/api/v2/users/%s/permissions/check", uuidOrMe(Me)), checks)
+	if err != nil {
+		return nil, err
+	}
+	defer res.Body.Close()
+	if res.StatusCode != http.StatusOK {
+		return nil, readBodyAsError(res)
+	}
+	var roles UserPermissionCheckResponse
+	return roles, json.NewDecoder(res.Body).Decode(&roles)
+}
diff --git a/codersdk/users.go b/codersdk/users.go
@@ -8,6 +8,8 @@ import (
 	"time"
 
 	"github.com/google/uuid"
+
+	"github.com/coder/coder/coderd/rbac"
 )
 
 // Me is used as a replacement for your own ID.
@@ -76,6 +78,27 @@ type UserRoles struct {
 	OrganizationRoles map[uuid.UUID][]string `json:"organization_roles"`
 }
 
+type UserPermissionCheckObject struct {
+	ResourceType   string `json:"resource_type,omitempty"`
+	OwnerID        string `json:"owner_id,omitempty"`
+	OrganizationID string `json:"organization_id,omitempty"`
+	ResourceID     string `json:"resource_id,omitempty"`
+}
+
+type UserPermissionCheckResponse map[string]bool
+
+// UserPermissionCheckRequest is a structure instead of a map because
+// go-playground/validate can only validate structs. If you attempt to pass
+// a map into 'httpapi.Read', you will get an invalid type error.
+type UserPermissionCheckRequest struct {
+	Checks map[string]UserPermissionCheck `json:"checks"`
+}
+
+type UserPermissionCheck struct {
+	Object UserPermissionCheckObject `json:"object"`
+	Action rbac.Action               `json:"action"`
+}
+
 // LoginWithPasswordRequest enables callers to authenticate with email and password.
 type LoginWithPasswordRequest struct {
 	Email    string `json:"email" validate:"required,email"`
