coder/coderPublic

NotificationsYou must be signed in to change notification settings
Fork1.1k
Star11.6k

Commit0c7bc32

Emyrk

authored and

kylecarbs

committed

feat: Implied 'member' roles for site and organization (#1917)

* feat: Member roles are implied and never exlpicitly added* Rename "GetAllUserRoles" to "GetAuthorizationRoles"* feat: Add migration to remove implied roles* rename user auth role middleware

1 parentc4dbcf5 commit0c7bc32Copy full SHA for 0c7bc32

File tree

21 files changed

+131

-115

lines changed

coderd
- authorize.go
- coderdtest
  - coderdtest.go
- database
  - databasefake
    - databasefake.go
  - migrations
    - 000016_drop_member_roles.down.sql
    - 000016_drop_member_roles.up.sql
  - querier.go
  - queries.sql.go
  - queries
    - users.sql
- httpmw
- members.go
- organizations.go
- rbac
  - builtin.go
  - role.go
- roles.go
- roles_test.go
- users.go
- users_test.go
- workspaces_test.go
codersdk
- users.go

21 files changed

+131

-115

lines changed

`‎coderd/authorize.go‎`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -13,12 +13,12 @@ import (`
`13`	`13`	`)`
`14`	`14`
`15`	`15`	`funcAuthorizeFilter[O rbac.Objecter](apiAPI,rhttp.Request,action rbac.Action,objects []O) []O {`
`16`		`-roles:=httpmw.UserRoles(r)`
	`16`	`+roles:=httpmw.AuthorizationUserRoles(r)`
`17`	`17`	`returnrbac.Filter(r.Context(),api.Authorizer,roles.ID.String(),roles.Roles,action,objects)`
`18`	`18`	`}`
`19`	`19`
`20`	`20`	`func (apiAPI)Authorize(rw http.ResponseWriter,rhttp.Request,action rbac.Action,object rbac.Objecter)bool {`
`21`		`-roles:=httpmw.UserRoles(r)`
	`21`	`+roles:=httpmw.AuthorizationUserRoles(r)`
`22`	`22`	`err:=api.Authorizer.ByRoleName(r.Context(),roles.ID.String(),roles.Roles,action,object.RBACObject())`
`23`	`23`	`iferr!=nil {`
`24`	`24`	`httpapi.Write(rw,http.StatusForbidden, httpapi.Response{`

`‎coderd/coderdtest/coderdtest.go‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -281,7 +281,7 @@ func CreateAnotherUser(t testing.T, client codersdk.Client, organizationID uui`
`281`	`281`	`organizationID,err:=uuid.Parse(orgID)`
`282`	`282`	`require.NoError(t,err,fmt.Sprintf("parse org id %q",orgID))`
`283`	`283`	`_,err=client.UpdateOrganizationMemberRoles(context.Background(),organizationID,user.ID.String(),`
`284`		`-codersdk.UpdateRoles{Roles:append(roles,rbac.RoleOrgMember(organizationID))})`
	`284`	`+codersdk.UpdateRoles{Roles:roles})`
`285`	`285`	`require.NoError(t,err,"update org membership roles")`
`286`	`286`	`}`
`287`	`287`	`}`

`‎coderd/database/databasefake/databasefake.go‎`

Lines changed: 5 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -276,7 +276,7 @@ func (q *fakeQuerier) GetUsersByIDs(_ context.Context, ids []uuid.UUID) ([]datab`
`276`	`276`	`returnusers,nil`
`277`	`277`	`}`
`278`	`278`
`279`		`-func (q*fakeQuerier)GetAllUserRoles(_ context.Context,userID uuid.UUID) (database.GetAllUserRolesRow,error) {`
	`279`	`+func (q*fakeQuerier)GetAuthorizationUserRoles(_ context.Context,userID uuid.UUID) (database.GetAuthorizationUserRolesRow,error) {`
`280`	`280`	`q.mutex.RLock()`
`281`	`281`	`deferq.mutex.RUnlock()`
`282`	`282`
`@@ -286,6 +286,7 @@ func (q *fakeQuerier) GetAllUserRoles(_ context.Context, userID uuid.UUID) (data`
`286`	`286`	`ifu.ID==userID {`
`287`	`287`	`u:=u`
`288`	`288`	`roles=append(roles,u.RBACRoles...)`
	`289`	`+roles=append(roles,"member")`
`289`	`290`	`user=&u`
`290`	`291`	`break`
`291`	`292`	`}`
`@@ -294,14 +295,15 @@ func (q *fakeQuerier) GetAllUserRoles(_ context.Context, userID uuid.UUID) (data`
`294`	`295`	`for_,mem:=rangeq.organizationMembers {`
`295`	`296`	`ifmem.UserID==userID {`
`296`	`297`	`roles=append(roles,mem.Roles...)`
	`298`	`+roles=append(roles,"organization-member:"+mem.OrganizationID.String())`
`297`	`299`	`}`
`298`	`300`	`}`
`299`	`301`
`300`	`302`	`ifuser==nil {`
`301`		`-return database.GetAllUserRolesRow{},sql.ErrNoRows`
	`303`	`+return database.GetAuthorizationUserRolesRow{},sql.ErrNoRows`
`302`	`304`	`}`
`303`	`305`
`304`		`-return database.GetAllUserRolesRow{`
	`306`	`+return database.GetAuthorizationUserRolesRow{`
`305`	`307`	`ID:userID,`
`306`	`308`	`Username:user.Username,`
`307`	`309`	`Status:user.Status,`

`‎coderd/database/migrations/000016_drop_member_roles.down.sql‎`

Lines changed: 11 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,11 @@`
	`1`	`+--- Remove the now implied 'member' role.`
	`2`	`+UPDATE`
	`3`	`+users`
	`4`	`+SET`
	`5`	`+rbac_roles= array_append(rbac_roles,'member');`
	`6`	`+`
	`7`	`+--- Remove the now implied 'organization-member' role.`
	`8`	`+UPDATE`
	`9`	`+organization_members`
	`10`	`+SET`
	`11`	`+roles= array_append(roles,'organization-member:'\|\|organization_id::text);`

`‎coderd/database/migrations/000016_drop_member_roles.up.sql‎`

Lines changed: 11 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,11 @@`
	`1`	`+--- Remove the now implied 'member' role.`
	`2`	`+UPDATE`
	`3`	`+users`
	`4`	`+SET`
	`5`	`+rbac_roles= array_remove(rbac_roles,'member');`
	`6`	`+`
	`7`	`+--- Remove the now implied 'organization-member' role.`
	`8`	`+UPDATE`
	`9`	`+organization_members`
	`10`	`+SET`
	`11`	`+roles= array_remove(roles,'organization-member:'\|\|organization_id::text);`

`‎coderd/database/querier.go‎`

Lines changed: 3 additions & 1 deletion

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/queries.sql.go‎`

Lines changed: 17 additions & 9 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/queries/users.sql‎`

Lines changed: 13 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -134,12 +134,20 @@ WHERE`
`134`	`134`	`id= $1 RETURNING*;`
`135`	`135`
`136`	`136`
`137`		`--- name: GetAllUserRoles :one`
	`137`	`+-- name: GetAuthorizationUserRoles :one`
	`138`	`+-- This function returns roles for authorization purposes. Implied member roles`
	`139`	`+-- are included.`
`138`	`140`	`SELECT`
`139`		`--- username is returned just to help for logging purposes`
`140`		`--- status is used to enforce 'suspended' users, as all roles are ignored`
`141`		`---when suspended.`
`142`		`-id, username, status, array_cat(users.rbac_roles,organization_members.roles) ::text[]AS roles`
	`141`	`+-- username is returned just to help for logging purposes`
	`142`	`+-- status is used to enforce 'suspended' users, as all roles are ignored`
	`143`	`+--when suspended.`
	`144`	`+id, username, status,`
	`145`	`+array_cat(`
	`146`	`+-- All users are members`
	`147`	`+array_append(users.rbac_roles,'member'),`
	`148`	`+-- All org_members get the org-member role for their orgs`
	`149`	`+array_append(organization_members.roles,'organization-member:'\|\|organization_members.organization_id::text)) ::text[]`
	`150`	`+AS roles`
`143`	`151`	`FROM`
`144`	`152`	`users`
`145`	`153`	`LEFT JOIN organization_members`

`‎coderd/httpmw/apikey.go‎`

Lines changed: 14 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,19 @@ func APIKey(r *http.Request) database.APIKey {`
`31`	`31`	`returnapiKey`
`32`	`32`	`}`
`33`	`33`
	`34`	`+// User roles are the 'subject' field of Authorize()`
	`35`	`+typeuserRolesKeystruct{}`
	`36`	`+`
	`37`	`+// AuthorizationUserRoles returns the roles used for authorization.`
	`38`	`+// Comes from the ExtractAPIKey handler.`
	`39`	`+funcAuthorizationUserRoles(r*http.Request) database.GetAuthorizationUserRolesRow {`
	`40`	`+apiKey,ok:=r.Context().Value(userRolesKey{}).(database.GetAuthorizationUserRolesRow)`
	`41`	`+if!ok {`
	`42`	`+panic("developer error: user roles middleware not provided")`
	`43`	`+}`
	`44`	`+returnapiKey`
	`45`	`+}`
	`46`	`+`
`34`	`47`	`// OAuth2Configs is a collection of configurations for OAuth-based authentication.`
`35`	`48`	`// This should be extended to support other authentication types in the future.`
`36`	`49`	`typeOAuth2Configsstruct {`
`@@ -178,7 +191,7 @@ func ExtractAPIKey(db database.Store, oauth *OAuth2Configs) func(http.Handler) h`
`178`	`191`	`// If the key is valid, we also fetch the user roles and status.`
`179`	`192`	`// The roles are used for RBAC authorize checks, and the status`
`180`	`193`	`// is to block 'suspended' users from accessing the platform.`
`181`		`-roles,err:=db.GetAllUserRoles(r.Context(),key.UserID)`
	`194`	`+roles,err:=db.GetAuthorizationUserRoles(r.Context(),key.UserID)`
`182`	`195`	`iferr!=nil {`
`183`	`196`	`httpapi.Write(rw,http.StatusUnauthorized, httpapi.Response{`
`184`	`197`	`Message:"roles not found",`

`‎coderd/httpmw/authorize.go‎`

Lines changed: 0 additions & 40 deletions

This file was deleted.

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit0c7bc32

File tree

21 files changed

21 files changed

`‎coderd/authorize.go‎`

`‎coderd/coderdtest/coderdtest.go‎`

`‎coderd/database/databasefake/databasefake.go‎`

`‎coderd/database/migrations/000016_drop_member_roles.down.sql‎`

`‎coderd/database/migrations/000016_drop_member_roles.up.sql‎`

`‎coderd/database/querier.go‎`

`‎coderd/database/queries.sql.go‎`

`‎coderd/database/queries/users.sql‎`

`‎coderd/httpmw/apikey.go‎`

`‎coderd/httpmw/authorize.go‎`

0 commit comments