NotificationsYou must be signed in to change notification settings
Fork927
Star10.1k

Commit11a1af5

committed

fixup test to assign org role instead of site

1 parenta233040 commit11a1af5Copy full SHA for 11a1af5

File tree

7 files changed

+81

-183

lines changed

coderd
- coderd.go
- database/dbauthz
  - dbauthz.go
- members.go
codersdk
- roles.go
enterprise/coderd

7 files changed

+81

-183

lines changed

`‎coderd/coderd.go`

Lines changed: 6 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -826,9 +826,12 @@ func New(options Options) API {`
`826`	`826`	`})`
`827`	`827`	`})`
`828`	`828`	`r.Route("/members",func(r chi.Router) {`
`829`		`-r.Get("/roles",api.assignableOrgRoles)`
`830`		`-r.With(httpmw.RequireExperiment(api.Experiments,codersdk.ExperimentCustomRoles)).`
`831`		`-Patch("/roles",api.patchOrgRoles)`
	`829`	`+r.Route("/roles",func(r chi.Router) {`
	`830`	`+r.Get("/",api.assignableOrgRoles)`
	`831`	`+r.With(httpmw.RequireExperiment(api.Experiments,codersdk.ExperimentCustomRoles)).`
	`832`	`+Patch("/",api.patchOrgRoles)`
	`833`	`+})`
	`834`	`+`
`832`	`835`	`r.Route("/{user}",func(r chi.Router) {`
`833`	`836`	`r.Use(`
`834`	`837`	`httpmw.ExtractOrganizationMemberParam(options.Database),`

`‎coderd/database/dbauthz/dbauthz.go`

Lines changed: 12 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -600,14 +600,25 @@ func (q querier) canAssignRoles(ctx context.Context, orgID uuid.UUID, added, r`
`600`	`600`	`customRoles:=make([]string,0)`
`601`	`601`	`// Validate that the roles being assigned are valid.`
`602`	`602`	`for_,r:=rangegrantedRoles {`
`603`		`-_,isOrgRole:=rbac.IsOrgRole(r)`
	`603`	`+roleOrgIDStr,isOrgRole:=rbac.IsOrgRole(r)`
`604`	`604`	`ifshouldBeOrgRoles&&!isOrgRole {`
`605`	`605`	`returnxerrors.Errorf("Must only update org roles")`
`606`	`606`	`}`
`607`	`607`	`if!shouldBeOrgRoles&&isOrgRole {`
`608`	`608`	`returnxerrors.Errorf("Must only update site wide roles")`
`609`	`609`	`}`
`610`	`610`
	`611`	`+ifshouldBeOrgRoles {`
	`612`	`+roleOrgID,err:=uuid.Parse(roleOrgIDStr)`
	`613`	`+iferr!=nil {`
	`614`	`+returnxerrors.Errorf("role %q has invalid uuid for org: %w",r,err)`
	`615`	`+}`
	`616`	`+`
	`617`	`+ifroleOrgID!=*orgID {`
	`618`	`+returnxerrors.Errorf("attempted to assign role from a different org, role %q to %q",r, (*orgID).String())`
	`619`	`+}`
	`620`	`+}`
	`621`	`+`
`611`	`622`	`// All roles should be valid roles`
`612`	`623`	`if_,err:=rbac.RoleByName(r);err!=nil {`
`613`	`624`	`customRoles=append(customRoles,r)`

`‎coderd/members.go`

Lines changed: 1 addition & 36 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,13 +1,8 @@`
`1`	`1`	`package coderd`
`2`	`2`
`3`	`3`	`import (`
`4`		`-"context"`
`5`	`4`	`"net/http"`
`6`	`5`
`7`		`-"github.com/google/uuid"`
`8`		`-`
`9`		`-"golang.org/x/xerrors"`
`10`		`-`
`11`	`6`	`"github.com/coder/coder/v2/coderd/database/db2sdk"`
`12`	`7`	`"github.com/coder/coder/v2/coderd/rbac"`
`13`	`8`
`@@ -48,7 +43,7 @@ func (api API) putMemberRoles(rw http.ResponseWriter, r http.Request) {`
`48`	`43`	`return`
`49`	`44`	`}`
`50`	`45`
`51`		`-updatedUser,err:=api.updateOrganizationMemberRoles(ctx, database.UpdateMemberRolesParams{`
	`46`	`+updatedUser,err:=api.Database.UpdateMemberRoles(ctx, database.UpdateMemberRolesParams{`
`52`	`47`	`GrantedRoles:params.Roles,`
`53`	`48`	`UserID:member.UserID,`
`54`	`49`	`OrgID:organization.ID,`
`@@ -63,36 +58,6 @@ func (api API) putMemberRoles(rw http.ResponseWriter, r http.Request) {`
`63`	`58`	`httpapi.Write(ctx,rw,http.StatusOK,convertOrganizationMember(updatedUser))`
`64`	`59`	`}`
`65`	`60`
`66`		`-func (api*API)updateOrganizationMemberRoles(ctx context.Context,args database.UpdateMemberRolesParams) (database.OrganizationMember,error) {`
`67`		`-// Enforce only site wide roles`
`68`		`-for_,r:=rangeargs.GrantedRoles {`
`69`		`-// Must be an org role for the org in the args`
`70`		`-orgID,ok:=rbac.IsOrgRole(r)`
`71`		`-if!ok {`
`72`		`-return database.OrganizationMember{},xerrors.Errorf("must only update organization roles")`
`73`		`-}`
`74`		`-`
`75`		`-roleOrg,err:=uuid.Parse(orgID)`
`76`		`-iferr!=nil {`
`77`		`-return database.OrganizationMember{},xerrors.Errorf("Role must have proper UUIDs for organization, %q does not",r)`
`78`		`-}`
`79`		`-`
`80`		`-ifroleOrg!=args.OrgID {`
`81`		`-return database.OrganizationMember{},xerrors.Errorf("Must only pass roles for org %q",args.OrgID.String())`
`82`		`-}`
`83`		`-`
`84`		`-if_,err:=rbac.RoleByName(r);err!=nil {`
`85`		`-return database.OrganizationMember{},xerrors.Errorf("%q is not a supported organization role",r)`
`86`		`-}`
`87`		`-}`
`88`		`-`
`89`		`-updatedUser,err:=api.Database.UpdateMemberRoles(ctx,args)`
`90`		`-iferr!=nil {`
`91`		`-return database.OrganizationMember{},xerrors.Errorf("Update site roles: %w",err)`
`92`		`-}`
`93`		`-returnupdatedUser,nil`
`94`		`-}`
`95`		`-`
`96`	`61`	`funcconvertOrganizationMember(mem database.OrganizationMember) codersdk.OrganizationMember {`
`97`	`62`	`convertedMember:= codersdk.OrganizationMember{`
`98`	`63`	`UserID:mem.UserID,`

`‎codersdk/roles.go`

Lines changed: 15 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -44,9 +44,21 @@ type Role struct {`
`44`	`44`	UserPermissions []Permission`json:"user_permissions" table:"user_permissions"`
`45`	`45`	`}`
`46`	`46`
`47`		`-// PatchRole will upsert a custom site wide role`
`48`		`-func (c*Client)PatchRole(ctx context.Context,reqRole) (Role,error) {`
`49`		`-res,err:=c.Request(ctx,http.MethodPatch,"/api/v2/users/roles",req)`
	`47`	`+// FullName returns the role name scoped to the organization ID. This is useful if`
	`48`	`+// printing a set of roles from different scopes, as duplicated names across multiple`
	`49`	`+// scopes will become unique.`
	`50`	`+// In practice, this is primarily used in testing.`
	`51`	`+func (rRole)FullName()string {`
	`52`	`+ifr.OrganizationID=="" {`
	`53`	`+returnr.Name`
	`54`	`+}`
	`55`	`+returnr.Name+":"+r.OrganizationID`
	`56`	`+}`
	`57`	`+`
	`58`	`+// PatchOrganizationRole will upsert a custom organization role`
	`59`	`+func (c*Client)PatchOrganizationRole(ctx context.Context,organizationID uuid.UUID,reqRole) (Role,error) {`
	`60`	`+res,err:=c.Request(ctx,http.MethodPatch,`
	`61`	`+fmt.Sprintf("/api/v2/organizations/%s/members/roles",organizationID.String()),req)`
`50`	`62`	`iferr!=nil {`
`51`	`63`	`returnRole{},err`
`52`	`64`	`}`

`‎enterprise/coderd/coderd.go`

Lines changed: 0 additions & 16 deletions

Original file line number	Diff line number	Diff line change
`@@ -327,22 +327,6 @@ func New(ctx context.Context, options Options) (_ API, err error) {`
`327`	`327`	`})`
`328`	`328`	`})`
`329`	`329`
`330`		`-r.Route("/users/roles",func(r chi.Router) {`
`331`		`-r.Use(`
`332`		`-apiKeyMiddleware,`
`333`		`-)`
`334`		`-r.Group(func(r chi.Router) {`
`335`		`-r.Use(`
`336`		`-api.customRolesEnabledMW,`
`337`		`-)`
`338`		`-r.Patch("/",api.patchRole)`
`339`		`-})`
`340`		`-// Unfortunate, but this r.Route overrides the AGPL roles route.`
`341`		`-// The AGPL does not have the entitlements to block the licensed`
`342`		`-// routes, so we need to duplicate the AGPL here.`
`343`		`-r.Get("/",api.AGPL.AssignableSiteRoles)`
`344`		`-})`
`345`		`-`
`346`	`330`	`r.Route("/users/{user}/quiet-hours",func(r chi.Router) {`
`347`	`331`	`r.Use(`
`348`	`332`	`api.autostopRequirementEnabledMW,`

`‎enterprise/coderd/roles.go`

Lines changed: 0 additions & 77 deletions

Original file line number	Diff line number	Diff line change
`@@ -107,80 +107,3 @@ func (h enterpriseCustomRoleHandler) PatchOrganizationRole(ctx context.Context,`
`107`	`107`
`108`	`108`	`returndb2sdk.Role(convertedInsert),true`
`109`	`109`	`}`
`110`		`-`
`111`		`-// patchRole will allow creating a custom role`
`112`		`-//`
`113`		`-// @Summary Upsert a custom site-wide role`
`114`		`-// @ID upsert-a-custom-site-wide-role`
`115`		`-// @Security CoderSessionToken`
`116`		`-// @Produce json`
`117`		`-// @Tags Members`
`118`		`-// @Success 200 {array} codersdk.Role`
`119`		`-// @Router /users/roles [patch]`
`120`		`-func (apiAPI)patchRole(rw http.ResponseWriter,rhttp.Request) {`
`121`		`-ctx:=r.Context()`
`122`		`-`
`123`		`-varreq codersdk.Role`
`124`		`-if!httpapi.Read(ctx,rw,r,&req) {`
`125`		`-return`
`126`		`-}`
`127`		`-`
`128`		`-iferr:=httpapi.NameValid(req.Name);err!=nil {`
`129`		`-httpapi.Write(ctx,rw,http.StatusBadRequest, codersdk.Response{`
`130`		`-Message:"Invalid role name",`
`131`		`-Detail:err.Error(),`
`132`		`-})`
`133`		`-return`
`134`		`-}`
`135`		`-`
`136`		`-iflen(req.OrganizationPermissions)>0 {`
`137`		`-// Org perms should be assigned only in org specific roles. Otherwise,`
`138`		`-// it gets complicated to keep track of who can do what.`
`139`		`-httpapi.Write(ctx,rw,http.StatusBadRequest, codersdk.Response{`
`140`		`-Message:"Invalid request, not allowed to assign organization permissions for a site wide role.",`
`141`		`-Detail:"site wide roles may not contain organization specific permissions",`
`142`		`-})`
`143`		`-return`
`144`		`-}`
`145`		`-`
`146`		`-// Make sure all permissions inputted are valid according to our policy.`
`147`		`-rbacRole:=db2sdk.RoleToRBAC(req)`
`148`		`-args,err:=rolestore.ConvertRoleToDB(rbacRole)`
`149`		`-iferr!=nil {`
`150`		`-httpapi.Write(ctx,rw,http.StatusBadRequest, codersdk.Response{`
`151`		`-Message:"Invalid request",`
`152`		`-Detail:err.Error(),`
`153`		`-})`
`154`		`-return`
`155`		`-}`
`156`		`-`
`157`		`-inserted,err:=api.Database.UpsertCustomRole(ctx, database.UpsertCustomRoleParams{`
`158`		`-Name:args.Name,`
`159`		`-DisplayName:args.DisplayName,`
`160`		`-SitePermissions:args.SitePermissions,`
`161`		`-OrgPermissions:args.OrgPermissions,`
`162`		`-UserPermissions:args.UserPermissions,`
`163`		`-})`
`164`		`-ifhttpapi.Is404Error(err) {`
`165`		`-httpapi.ResourceNotFound(rw)`
`166`		`-return`
`167`		`-}`
`168`		`-iferr!=nil {`
`169`		`-httpapi.Write(ctx,rw,http.StatusBadRequest, codersdk.Response{`
`170`		`-Message:"Failed to update role permissions",`
`171`		`-Detail:err.Error(),`
`172`		`-})`
`173`		`-return`
`174`		`-}`
`175`		`-`
`176`		`-convertedInsert,err:=rolestore.ConvertDBRole(inserted)`
`177`		`-iferr!=nil {`
`178`		`-httpapi.Write(ctx,rw,http.StatusInternalServerError, codersdk.Response{`
`179`		`-Message:"Permissions were updated, unable to read them back out of the database.",`
`180`		`-Detail:err.Error(),`
`181`		`-})`
`182`		`-return`
`183`		`-}`
`184`		`-`
`185`		`-httpapi.Write(ctx,rw,http.StatusOK,db2sdk.Role(convertedInsert))`
`186`		`-}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit11a1af5

File tree

7 files changed

7 files changed

`‎coderd/coderd.go`

`‎coderd/database/dbauthz/dbauthz.go`

`‎coderd/members.go`

`‎codersdk/roles.go`

`‎enterprise/coderd/coderd.go`

`‎enterprise/coderd/roles.go`

0 commit comments