code review feedback

davepacheco · davepacheco · commit 484ae6bcf090 · 2022-01-18T09:13:19.000-08:00
diff --git a/nexus/src/authz/api_resources.rs b/nexus/src/authz/api_resources.rs
@@ -20,7 +20,7 @@
 // parts we need for authorization.
 
 use super::actor::AnyActor;
-use super::context::Authorize;
+use super::context::AuthorizedResource;
 use super::roles::{
     load_roles_for_resource, load_roles_for_resource_tree, RoleSet,
 };
@@ -37,9 +37,7 @@ use uuid::Uuid;
 
 /// Describes an authz resource that corresponds to an API resource that has a
 /// corresponding ResourceType and is stored in the database
-///
-/// This is a helper trait used to impl [`AuthzResource`].
-pub trait AuthzApiResource: Clone + Send + Sync + 'static {
+pub trait ApiResource: Clone + Send + Sync + 'static {
     /// If roles can be assigned to this resource, return the type and id of the
     /// database record describing this resource
     ///
@@ -49,14 +47,14 @@ pub trait AuthzApiResource: Clone + Send + Sync + 'static {
     /// If this resource has a parent in the API hierarchy whose assigned roles
     /// can affect access to this resource, return the parent resource.
     /// Otherwise, returns `None`.
-    fn parent(&self) -> Option<&dyn Authorize>;
+    fn parent(&self) -> Option<&dyn AuthorizedResource>;
 
     /// Returns an error as though this resource were not found, suitable for
     /// use when an actor should not be able to see that this resource exists
     fn not_found(&self) -> Error;
 }
 
-impl<T: AuthzApiResource + oso::PolarClass> Authorize for T {
+impl<T: ApiResource + oso::PolarClass> AuthorizedResource for T {
     fn load_roles<'a, 'b, 'c, 'd, 'e, 'f>(
         &'a self,
         opctx: &'b OpContext,
@@ -81,21 +79,21 @@ impl<T: AuthzApiResource + oso::PolarClass> Authorize for T {
         error: Error,
         actor: AnyActor,
         action: Action,
-    ) -> Result<(), Error> {
+    ) -> Error {
         if action == Action::Read {
-            return Err(self.not_found());
+            return self.not_found();
         }
 
         // If the user failed an authz check, and they can't even read this
         // resource, then we should produce a 404 rather than a 401/403.
         match authz.is_allowed(&actor, Action::Read, self) {
-            Err(error) => Err(Error::internal_error(&format!(
+            Err(error) => Error::internal_error(&format!(
                 "failed to compute read authorization to determine visibility: \
                 {:#}",
                 error
-            ))),
-            Ok(false) => Err(self.not_found()),
-            Ok(true) => Err(error),
+            )),
+            Ok(false) => self.not_found(),
+            Ok(true) => error,
         }
     }
 }
@@ -163,13 +161,13 @@ impl oso::PolarClass for Fleet {
     }
 }
 
-impl Authorize for Fleet {
+impl AuthorizedResource for Fleet {
     fn load_roles<'a, 'b, 'c, 'd, 'e, 'f>(
         &'a self,
-        opctx: &'b crate::context::OpContext,
-        datastore: &'c crate::db::DataStore,
-        authn: &'d crate::authn::Context,
-        roleset: &'e mut super::roles::RoleSet,
+        opctx: &'b OpContext,
+        datastore: &'c DataStore,
+        authn: &'d authn::Context,
+        roleset: &'e mut RoleSet,
     ) -> futures::future::BoxFuture<'f, Result<(), Error>>
     where
         'a: 'f,
@@ -195,8 +193,8 @@ impl Authorize for Fleet {
         error: Error,
         _: AnyActor,
         _: Action,
-    ) -> Result<(), Error> {
-        Err(error)
+    ) -> Error {
+        error
     }
 }
 
@@ -232,12 +230,12 @@ impl oso::PolarClass for FleetChild {
     }
 }
 
-impl AuthzApiResource for FleetChild {
+impl ApiResource for FleetChild {
     fn db_resource(&self) -> Option<(ResourceType, Uuid)> {
         None
     }
 
-    fn parent(&self) -> Option<&dyn Authorize> {
+    fn parent(&self) -> Option<&dyn AuthorizedResource> {
         Some(&FLEET)
     }
 
@@ -303,12 +301,12 @@ impl oso::PolarClass for Organization {
     }
 }
 
-impl AuthzApiResource for Organization {
+impl ApiResource for Organization {
     fn db_resource(&self) -> Option<(ResourceType, Uuid)> {
         Some((ResourceType::Organization, self.organization_id))
     }
 
-    fn parent(&self) -> Option<&dyn Authorize> {
+    fn parent(&self) -> Option<&dyn AuthorizedResource> {
         Some(&FLEET)
     }
 
@@ -382,12 +380,12 @@ impl oso::PolarClass for Project {
     }
 }
 
-impl AuthzApiResource for Project {
+impl ApiResource for Project {
     fn db_resource(&self) -> Option<(ResourceType, Uuid)> {
         Some((ResourceType::Project, self.project_id))
     }
 
-    fn parent(&self) -> Option<&dyn Authorize> {
+    fn parent(&self) -> Option<&dyn AuthorizedResource> {
         Some(&self.parent)
     }
 
@@ -438,13 +436,13 @@ impl oso::PolarClass for ProjectChild {
     }
 }
 
-impl AuthzApiResource for ProjectChild {
+impl ApiResource for ProjectChild {
     fn db_resource(&self) -> Option<(ResourceType, Uuid)> {
         // We do not support assigning roles to children of Projects.
         None
     }
 
-    fn parent(&self) -> Option<&dyn Authorize> {
+    fn parent(&self) -> Option<&dyn AuthorizedResource> {
         Some(&self.parent)
     }
 
diff --git a/nexus/src/authz/context.rs b/nexus/src/authz/context.rs
@@ -77,7 +77,7 @@ impl Context {
         resource: Resource,
     ) -> Result<(), Error>
     where
-        Resource: oso::ToPolar + Authorize + Clone,
+        Resource: AuthorizedResource + Clone,
     {
         let mut roles = RoleSet::new();
         resource
@@ -105,13 +105,13 @@ impl Context {
                     }
                 };
 
-                resource.on_unauthorized(&self.authz, error, actor, action)
+                Err(resource.on_unauthorized(&self.authz, error, actor, action))
             }
         }
     }
 }
 
-pub trait Authorize: Send + Sync + 'static {
+pub trait AuthorizedResource: oso::ToPolar + Send + Sync + 'static {
     /// Find all roles for the user described in `authn` that might be used to
     /// make an authorization decision on `self` (a resource)
     ///
@@ -148,7 +148,7 @@ pub trait Authorize: Send + Sync + 'static {
         error: Error,
         actor: AnyActor,
         action: Action,
-    ) -> Result<(), Error>;
+    ) -> Error;
 }
 
 #[cfg(test)]
diff --git a/nexus/src/authz/mod.rs b/nexus/src/authz/mod.rs
@@ -171,7 +171,7 @@ pub use api_resources::ProjectChild;
 pub use api_resources::FLEET;
 
 mod context;
-pub use context::Authorize;
+pub use context::AuthorizedResource;
 pub use context::Authz;
 pub use context::Context;
 
diff --git a/nexus/src/authz/oso_generic.rs b/nexus/src/authz/oso_generic.rs
@@ -11,7 +11,7 @@ use super::api_resources::FleetChild;
 use super::api_resources::Organization;
 use super::api_resources::Project;
 use super::api_resources::ProjectChild;
-use super::context::Authorize;
+use super::context::AuthorizedResource;
 use super::roles::RoleSet;
 use super::Authz;
 use crate::authn;
@@ -150,7 +150,7 @@ impl oso::PolarClass for Database {
     }
 }
 
-impl Authorize for Database {
+impl AuthorizedResource for Database {
     fn load_roles<'a, 'b, 'c, 'd, 'e, 'f>(
         &'a self,
         _: &'b OpContext,
@@ -183,7 +183,7 @@ impl Authorize for Database {
         error: Error,
         _: AnyActor,
         _: Action,
-    ) -> Result<(), Error> {
-        Err(error)
+    ) -> Error {
+        error
     }
 }
diff --git a/nexus/src/authz/roles.rs b/nexus/src/authz/roles.rs
@@ -17,8 +17,7 @@
 //! its parent Organization or the parent Fleet.  This isn't as large as it
 //! might sound, since the hierarchy is not _that_ deep, but we do have to make
 //! multiple database queries to load all this.  This is all done by
-//! [`AuthzResource::fetch_all_related_roles_for_user()`].  This is really done
-//! by the impl of [`AuthzResource`] for [`AuthzApiResource`].
+//! [`load_roles_for_resource_tree`].
 //!
 //! Once we've got the complete list of roles, we include that in the data
 //! structure we pass into Oso.   When it asks whether an actor has a role on a
@@ -35,7 +34,7 @@
 //! request, and we don't want that thread to block while we hit the database.
 //! Both of these issues could be addressed with considerably more work.
 
-use super::api_resources::AuthzApiResource;
+use super::api_resources::ApiResource;
 use crate::authn;
 use crate::context::OpContext;
 use crate::db::DataStore;
@@ -93,7 +92,7 @@ pub async fn load_roles_for_resource_tree<R>(
     roleset: &mut RoleSet,
 ) -> Result<(), Error>
 where
-    R: AuthzApiResource,
+    R: ApiResource,
 {
     // If roles can be assigned directly on this resource, load them.
     if let Some((resource_type, resource_id)) = resource.db_resource() {
diff --git a/nexus/src/context.rs b/nexus/src/context.rs
@@ -12,7 +12,7 @@ use super::db;
 use super::Nexus;
 use crate::authn::external::session_cookie::{Session, SessionStore};
 use crate::authn::Actor;
-use crate::authz::Authorize;
+use crate::authz::AuthorizedResource;
 use crate::db::model::ConsoleSession;
 use crate::db::DataStore;
 use async_trait::async_trait;
@@ -311,7 +311,7 @@ impl OpContext {
         resource: &Resource,
     ) -> Result<(), Error>
     where
-        Resource: oso::ToPolar + Authorize + Debug + Clone,
+        Resource: AuthorizedResource + Debug + Clone,
     {
         /*
          * TODO-cleanup In an ideal world, Oso would consume &Action and

Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@`
`20`	`20`	`// parts we need for authorization.`
`21`	`21`
`22`	`22`	`use super::actor::AnyActor;`
`23`		`-use super::context::Authorize;`
	`23`	`+use super::context::AuthorizedResource;`
`24`	`24`	`use super::roles::{`
`25`	`25`	`load_roles_for_resource, load_roles_for_resource_tree, RoleSet,`
`26`	`26`	`};`
`@@ -37,9 +37,7 @@ use uuid::Uuid;`
`37`	`37`
`38`	`38`	`/// Describes an authz resource that corresponds to an API resource that has a`
`39`	`39`	`/// corresponding ResourceType and is stored in the database`
`40`		`-///`
`41`		-/// This is a helper trait used to impl [`AuthzResource`].
`42`		`-pub trait AuthzApiResource: Clone + Send + Sync + 'static {`
	`40`	`+pub trait ApiResource: Clone + Send + Sync + 'static {`
`43`	`41`	`/// If roles can be assigned to this resource, return the type and id of the`
`44`	`42`	`/// database record describing this resource`
`45`	`43`	`///`
`@@ -49,14 +47,14 @@ pub trait AuthzApiResource: Clone + Send + Sync + 'static {`
`49`	`47`	`/// If this resource has a parent in the API hierarchy whose assigned roles`
`50`	`48`	`/// can affect access to this resource, return the parent resource.`
`51`	`49`	/// Otherwise, returns `None`.
`52`		`- fn parent(&self) -> Option<&dyn Authorize>;`
	`50`	`+ fn parent(&self) -> Option<&dyn AuthorizedResource>;`
`53`	`51`
`54`	`52`	`/// Returns an error as though this resource were not found, suitable for`
`55`	`53`	`/// use when an actor should not be able to see that this resource exists`
`56`	`54`	`fn not_found(&self) -> Error;`
`57`	`55`	`}`
`58`	`56`
`59`		`-impl<T: AuthzApiResource + oso::PolarClass> Authorize for T {`
	`57`	`+impl<T: ApiResource + oso::PolarClass> AuthorizedResource for T {`
`60`	`58`	`fn load_roles<'a, 'b, 'c, 'd, 'e, 'f>(`
`61`	`59`	`&'a self,`
`62`	`60`	`opctx: &'b OpContext,`
`@@ -81,21 +79,21 @@ impl<T: AuthzApiResource + oso::PolarClass> Authorize for T {`
`81`	`79`	`error: Error,`
`82`	`80`	`actor: AnyActor,`
`83`	`81`	`action: Action,`
`84`		`- ) -> Result<(), Error> {`
	`82`	`+ ) -> Error {`
`85`	`83`	`if action == Action::Read {`
`86`		`- return Err(self.not_found());`
	`84`	`+ return self.not_found();`
`87`	`85`	`}`
`88`	`86`
`89`	`87`	`// If the user failed an authz check, and they can't even read this`
`90`	`88`	`// resource, then we should produce a 404 rather than a 401/403.`
`91`	`89`	`match authz.is_allowed(&actor, Action::Read, self) {`
`92`		`- Err(error) => Err(Error::internal_error(&format!(`
	`90`	`+ Err(error) => Error::internal_error(&format!(`
`93`	`91`	`"failed to compute read authorization to determine visibility: \`
`94`	`92`	`{:#}",`
`95`	`93`	`error`
`96`		`- ))),`
`97`		`- Ok(false) => Err(self.not_found()),`
`98`		`- Ok(true) => Err(error),`
	`94`	`+ )),`
	`95`	`+ Ok(false) => self.not_found(),`
	`96`	`+ Ok(true) => error,`
`99`	`97`	`}`
`100`	`98`	`}`
`101`	`99`	`}`
`@@ -163,13 +161,13 @@ impl oso::PolarClass for Fleet {`
`163`	`161`	`}`
`164`	`162`	`}`
`165`	`163`
`166`		`-impl Authorize for Fleet {`
	`164`	`+impl AuthorizedResource for Fleet {`
`167`	`165`	`fn load_roles<'a, 'b, 'c, 'd, 'e, 'f>(`
`168`	`166`	`&'a self,`
`169`		`- opctx: &'b crate::context::OpContext,`
`170`		`- datastore: &'c crate::db::DataStore,`
`171`		`- authn: &'d crate::authn::Context,`
`172`		`- roleset: &'e mut super::roles::RoleSet,`
	`167`	`+ opctx: &'b OpContext,`
	`168`	`+ datastore: &'c DataStore,`
	`169`	`+ authn: &'d authn::Context,`
	`170`	`+ roleset: &'e mut RoleSet,`
`173`	`171`	`) -> futures::future::BoxFuture<'f, Result<(), Error>>`
`174`	`172`	`where`
`175`	`173`	`'a: 'f,`
`@@ -195,8 +193,8 @@ impl Authorize for Fleet {`
`195`	`193`	`error: Error,`
`196`	`194`	`_: AnyActor,`
`197`	`195`	`_: Action,`
`198`		`- ) -> Result<(), Error> {`
`199`		`- Err(error)`
	`196`	`+ ) -> Error {`
	`197`	`+ error`
`200`	`198`	`}`
`201`	`199`	`}`
`202`	`200`
`@@ -232,12 +230,12 @@ impl oso::PolarClass for FleetChild {`
`232`	`230`	`}`
`233`	`231`	`}`
`234`	`232`
`235`		`-impl AuthzApiResource for FleetChild {`
	`233`	`+impl ApiResource for FleetChild {`
`236`	`234`	`fn db_resource(&self) -> Option<(ResourceType, Uuid)> {`
`237`	`235`	`None`
`238`	`236`	`}`
`239`	`237`
`240`		`- fn parent(&self) -> Option<&dyn Authorize> {`
	`238`	`+ fn parent(&self) -> Option<&dyn AuthorizedResource> {`
`241`	`239`	`Some(&FLEET)`
`242`	`240`	`}`
`243`	`241`
`@@ -303,12 +301,12 @@ impl oso::PolarClass for Organization {`
`303`	`301`	`}`
`304`	`302`	`}`
`305`	`303`
`306`		`-impl AuthzApiResource for Organization {`
	`304`	`+impl ApiResource for Organization {`
`307`	`305`	`fn db_resource(&self) -> Option<(ResourceType, Uuid)> {`
`308`	`306`	`Some((ResourceType::Organization, self.organization_id))`
`309`	`307`	`}`
`310`	`308`
`311`		`- fn parent(&self) -> Option<&dyn Authorize> {`
	`309`	`+ fn parent(&self) -> Option<&dyn AuthorizedResource> {`
`312`	`310`	`Some(&FLEET)`
`313`	`311`	`}`
`314`	`312`
`@@ -382,12 +380,12 @@ impl oso::PolarClass for Project {`
`382`	`380`	`}`
`383`	`381`	`}`
`384`	`382`
`385`		`-impl AuthzApiResource for Project {`
	`383`	`+impl ApiResource for Project {`
`386`	`384`	`fn db_resource(&self) -> Option<(ResourceType, Uuid)> {`
`387`	`385`	`Some((ResourceType::Project, self.project_id))`
`388`	`386`	`}`
`389`	`387`
`390`		`- fn parent(&self) -> Option<&dyn Authorize> {`
	`388`	`+ fn parent(&self) -> Option<&dyn AuthorizedResource> {`
`391`	`389`	`Some(&self.parent)`
`392`	`390`	`}`
`393`	`391`
`@@ -438,13 +436,13 @@ impl oso::PolarClass for ProjectChild {`
`438`	`436`	`}`
`439`	`437`	`}`
`440`	`438`
`441`		`-impl AuthzApiResource for ProjectChild {`
	`439`	`+impl ApiResource for ProjectChild {`
`442`	`440`	`fn db_resource(&self) -> Option<(ResourceType, Uuid)> {`
`443`	`441`	`// We do not support assigning roles to children of Projects.`
`444`	`442`	`None`
`445`	`443`	`}`
`446`	`444`
`447`		`- fn parent(&self) -> Option<&dyn Authorize> {`
	`445`	`+ fn parent(&self) -> Option<&dyn AuthorizedResource> {`
`448`	`446`	`Some(&self.parent)`
`449`	`447`	`}`
`450`	`448`
Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,7 @@ impl Context {`
`77`	`77`	`resource: Resource,`
`78`	`78`	`) -> Result<(), Error>`
`79`	`79`	`where`
`80`		`- Resource: oso::ToPolar + Authorize + Clone,`
	`80`	`+ Resource: AuthorizedResource + Clone,`
`81`	`81`	`{`
`82`	`82`	`let mut roles = RoleSet::new();`
`83`	`83`	`resource`
`@@ -105,13 +105,13 @@ impl Context {`
`105`	`105`	`}`
`106`	`106`	`};`
`107`	`107`
`108`		`- resource.on_unauthorized(&self.authz, error, actor, action)`
	`108`	`+ Err(resource.on_unauthorized(&self.authz, error, actor, action))`
`109`	`109`	`}`
`110`	`110`	`}`
`111`	`111`	`}`
`112`	`112`	`}`
`113`	`113`
`114`		`-pub trait Authorize: Send + Sync + 'static {`
	`114`	`+pub trait AuthorizedResource: oso::ToPolar + Send + Sync + 'static {`
`115`	`115`	/// Find all roles for the user described in `authn` that might be used to
`116`	`116`	/// make an authorization decision on `self` (a resource)
`117`	`117`	`///`
`@@ -148,7 +148,7 @@ pub trait Authorize: Send + Sync + 'static {`
`148`	`148`	`error: Error,`
`149`	`149`	`actor: AnyActor,`
`150`	`150`	`action: Action,`
`151`		`- ) -> Result<(), Error>;`
	`151`	`+ ) -> Error;`
`152`	`152`	`}`
`153`	`153`
`154`	`154`	`#[cfg(test)]`