From ae4220c3beca720077c5c4e7eb1c44e5d9694b70 Mon Sep 17 00:00:00 2001
From: Steven Masley
Date: Fri, 2 Aug 2024 13:12:42 -0500
Subject: [PATCH 1/2] chore: audit log filter to be skipped if user is owner/admin

Optimize for speed in the case the user can read all audit_logs
---
 coderd/database/dbauthz/dbauthz.go | 7 +++++++
 coderd/database/dbauthz/dbauthz_test.go | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
index 941ab4caccfac..0beecbbd4e39d 100644
--- a/coderd/database/dbauthz/dbauthz.go
+++ b/coderd/database/dbauthz/dbauthz.go
@@ -1248,6 +1248,13 @@ func (q *querier) GetApplicationName(ctx context.Context) (string, error) {
 }
 
 func (q *querier) GetAuditLogsOffset(ctx context.Context, arg database.GetAuditLogsOffsetParams) ([]database.GetAuditLogsOffsetRow, error) {
+ // Shortcut if the user is an owner. The SQL filter is noticeable,
+ // and this is an easy win for owners. Which is the common case.
+ err := q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceAuditLog)
+ if err == nil {
+ return q.db.GetAuditLogsOffset(ctx, arg)
+ }
+
 prep, err := prepareSQLFilter(ctx, q.auth, policy.ActionRead, rbac.ResourceAuditLog.Type)
 if err != nil {
 return nil, xerrors.Errorf("(dev error) prepare sql filter: %w", err)
diff --git a/coderd/database/dbauthz/dbauthz_test.go b/coderd/database/dbauthz/dbauthz_test.go
index 627558dbe1f73..8a2b9855b2212 100644
--- a/coderd/database/dbauthz/dbauthz_test.go
+++ b/coderd/database/dbauthz/dbauthz_test.go
@@ -266,7 +266,7 @@ func (s *MethodTestSuite) TestAuditLogs() {
 _ = dbgen.AuditLog(s.T(), db, database.AuditLog{})
 check.Args(database.GetAuditLogsOffsetParams{
 LimitOpt: 10,
- }).Asserts()
+ }).Asserts(rbac.ResourceAuditLog, policy.ActionRead)
 }))
 s.Run("GetAuthorizedAuditLogsOffset", s.Subtest(func(db database.Store, check *expects) {
 _ = dbgen.AuditLog(s.T(), db, database.AuditLog{})
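Review bot: The comment on the new fast path in GetAuditLogsOffset (dbauthz.go) says "owner", but the branch is taken by any actor for whom `q.authorizeContext(ctx, policy.ActionRead, rbac.ResourceAuditLog)` succeeds, and it then returns rows with no SQL filter applied. Because this is the one visible place where an audit-log read skips the filter, the comment should state the invariant it relies on, for example `// Fast path: the actor may read the unscoped rbac.ResourceAuditLog (presumably every audit log), so the filter would be a no-op.` followed by `// Any error, not only a denial, falls through to the filtered query below, so this fails closed.` If audit logs later gain org or owner scoping, this check needs revisiting so the shortcut stays equivalent to the filter. The function body continues past the end of the hunk.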
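Review bot: The changed assertion in the GetAuditLogsOffset subtest (dbauthz_test.go), and the matching one for GetAuthorizedAuditLogsOffset in PATCH 2/2, records that the Read check on `rbac.ResourceAuditLog` is made, but nothing visible in these hunks exercises the fallback path. A subtest with an actor that is denied that check and still receives only filtered rows would pin the property that matters for access control here. The rest of TestAuditLogs lies outside the hunks, so such a case may already exist.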
From 8d373835f856d1ac1e72bf95e8f5841848d98da5 Mon Sep 17 00:00:00 2001
From: Steven Masley
Date: Fri, 2 Aug 2024 14:04:35 -0500
Subject: [PATCH 2/2] fixup! chore: audit log filter to be skipped if user is owner/admin

---
 coderd/database/dbauthz/dbauthz_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/coderd/database/dbauthz/dbauthz_test.go b/coderd/database/dbauthz/dbauthz_test.go
index 8a2b9855b2212..cf22df523c684 100644
--- a/coderd/database/dbauthz/dbauthz_test.go
+++ b/coderd/database/dbauthz/dbauthz_test.go
@@ -273,7 +273,7 @@ func (s *MethodTestSuite) TestAuditLogs() {
 _ = dbgen.AuditLog(s.T(), db, database.AuditLog{})
 check.Args(database.GetAuditLogsOffsetParams{
 LimitOpt: 10,
- }, emptyPreparedAuthorized{}).Asserts()
+ }, emptyPreparedAuthorized{}).Asserts(rbac.ResourceAuditLog, policy.ActionRead)
 }))
 }