NotificationsYou must be signed in to change notification settings
Fork927
Star10.1k

Commit35db80f

committed

feat: add hidden enterprise cmd command to list roles

This includes custom roles, and has a json ouput option formore granular permissions

1 parent92c5dfa commit35db80fCopy full SHA for 35db80f

File tree

23 files changed

+310

-61

lines changed

coderd
- database
  - dbauthz
    - dbauthz.go
    - dbauthz_test.go
  - dbmem
    - dbmem.go
  - dbmetrics
    - dbmetrics.go
  - dbmock
    - dbmock.go
  - dump.sql
  - migrations
    - 000210_custom_role_orgs.down.sql
    - 000210_custom_role_orgs.up.sql
  - models.go
  - querier.go
  - queries
    - roles.sql
  - queries.sql.go
- httpapi
  - name.go
- rbac/rolestore
  - rolestore.go
- roles.go
- roles_test.go
codersdk
- roles.go
enterprise
- cli
  - rolescmd.go
  - root.go
- coderd
  - roles.go
  - roles_test.go
site/src
- api
  - typesGenerated.ts
- testHelpers
  - entities.ts

23 files changed

+310

-61

lines changed

`‎coderd/database/dbauthz/dbauthz.go`

Lines changed: 3 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -835,11 +835,12 @@ func (q *querier) CleanTailnetTunnels(ctx context.Context) error {`
`835`	`835`	`returnq.db.CleanTailnetTunnels(ctx)`
`836`	`836`	`}`
`837`	`837`
`838`		`-func (q*querier)CustomRolesByName(ctx context.Context,lookupRoles []string) ([]database.CustomRole,error) {`
	`838`	`+// TODO: Handle org scoped lookups`
	`839`	`+func (q*querier)CustomRoles(ctx context.Context,arg database.CustomRolesParams) ([]database.CustomRole,error) {`
`839`	`840`	`iferr:=q.authorizeContext(ctx,policy.ActionRead,rbac.ResourceAssignRole);err!=nil {`
`840`	`841`	`returnnil,err`
`841`	`842`	`}`
`842`		`-returnq.db.CustomRolesByName(ctx,lookupRoles)`
	`843`	`+returnq.db.CustomRoles(ctx,arg)`
`843`	`844`	`}`
`844`	`845`
`845`	`846`	`func (q*querier)DeleteAPIKeyByID(ctx context.Context,idstring)error {`

`‎coderd/database/dbauthz/dbauthz_test.go`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -1167,8 +1167,8 @@ func (s *MethodTestSuite) TestUser() {`
`1167`	`1167`	`b:=dbgen.User(s.T(),db, database.User{})`
`1168`	`1168`	`check.Args().Asserts(rbac.ResourceSystem,policy.ActionRead).Returns(slice.New(a.ID,b.ID))`
`1169`	`1169`	`}))`
`1170`		`-s.Run("CustomRolesByName",s.Subtest(func(db database.Store,check*expects) {`
`1171`		`-check.Args([]string{}).Asserts(rbac.ResourceAssignRole,policy.ActionRead).Returns([]database.CustomRole{})`
	`1170`	`+s.Run("CustomRoles",s.Subtest(func(db database.Store,check*expects) {`
	`1171`	`+check.Args(database.CustomRolesParams{}).Asserts(rbac.ResourceAssignRole,policy.ActionRead).Returns([]database.CustomRole{})`
`1172`	`1172`	`}))`
`1173`	`1173`	`s.Run("Blank/UpsertCustomRole",s.Subtest(func(db database.Store,check*expects) {`
`1174`	`1174`	`// Blank is no perms in the role`

`‎coderd/database/dbmem/dbmem.go`

Lines changed: 14 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -1174,18 +1174,26 @@ func (*FakeQuerier) CleanTailnetTunnels(context.Context) error {`
`1174`	`1174`	`returnErrUnimplemented`
`1175`	`1175`	`}`
`1176`	`1176`
`1177`		`-func (q*FakeQuerier)CustomRolesByName(_ context.Context,lookupRoles []string) ([]database.CustomRole,error) {`
	`1177`	`+func (q*FakeQuerier)CustomRoles(_ context.Context,arg database.CustomRolesParams) ([]database.CustomRole,error) {`
`1178`	`1178`	`q.mutex.Lock()`
`1179`	`1179`	`deferq.mutex.Unlock()`
`1180`	`1180`
`1181`	`1181`	`found:=make([]database.CustomRole,0)`
`1182`	`1182`	`for_,role:=rangeq.data.customRoles {`
`1183`		`-ifslices.ContainsFunc(lookupRoles,func(sstring)bool {`
`1184`		`-returnstrings.EqualFold(s,role.Name)`
`1185`		`-}) {`
`1186`		`-role:=role`
`1187`		`-found=append(found,role)`
	`1183`	`+iflen(arg.LookupRoles)>0 {`
	`1184`	`+if!slices.ContainsFunc(arg.LookupRoles,func(sstring)bool {`
	`1185`	`+returnstrings.EqualFold(s,role.Name)`
	`1186`	`+}) {`
	`1187`	`+continue`
	`1188`	`+}`
`1188`	`1189`	`}`
	`1190`	`+`
	`1191`	`+ifarg.ExcludeOrgRoles&&role.OrganizationID.Valid {`
	`1192`	`+continue`
	`1193`	`+}`
	`1194`	`+`
	`1195`	`+role:=role`
	`1196`	`+found=append(found,role)`
`1189`	`1197`	`}`
`1190`	`1198`
`1191`	`1199`	`returnfound,nil`

`‎coderd/database/dbmetrics/dbmetrics.go`

Lines changed: 3 additions & 3 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/dbmock/dbmock.go`

Lines changed: 6 additions & 6 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/dump.sql`

Lines changed: 4 additions & 1 deletion

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/migrations/000210_custom_role_orgs.down.sql`

Lines changed: 3 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+ALTERTABLE custom_roles`
	`2`	`+-- This column is nullable, meaning no organization scope`
	`3`	`+DROP COLUMN organization_id;`

`‎coderd/database/migrations/000210_custom_role_orgs.up.sql`

Lines changed: 5 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,5 @@`
	`1`	`+ALTERTABLE custom_roles`
	`2`	`+-- This column is nullable, meaning no organization scope`
	`3`	`+ADD COLUMN organization_id uuid;`
	`4`	`+`
	`5`	`+COMMENT ON COLUMN custom_roles.organization_id IS'Roles can optionally be scoped to an organization'`

`‎coderd/database/models.go`

Lines changed: 2 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/querier.go`

Lines changed: 1 addition & 1 deletion

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/queries.sql.go`

Lines changed: 61 additions & 2 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/queries/roles.sql`

Lines changed: 11 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,14 +1,23 @@`
`1`		`--- name:CustomRolesByName :many`
	`1`	`+-- name:CustomRoles :many`
`2`	`2`	`SELECT`
`3`	`3`	`*`
`4`	`4`	`FROM`
`5`	`5`	`custom_roles`
`6`	`6`	`WHERE`
	`7`	`+ true`
	`8`	`+-- Lookup roles filter`
	`9`	`+AND CASE WHEN array_length(@lookup_roles ::text[],1)>0 THEN`
`7`	`10`	`-- Case insensitive`
`8`	`11`	`name ILIKE ANY(@lookup_roles ::text [])`
	`12`	`+ ELSE true`
	`13`	`+ END`
	`14`	`+-- Org scoping filter, to only fetch site wide roles`
	`15`	`+AND CASE WHEN @exclude_org_roles ::boolean THEN`
	`16`	`+organization_id ISnull`
	`17`	`+ELSE true`
	`18`	`+ END`
`9`	`19`	`;`
`10`	`20`
`11`		`-`
`12`	`21`	`-- name: UpsertCustomRole :one`
`13`	`22`	`INSERT INTO`
`14`	`23`	`custom_roles (`

`‎coderd/httpapi/name.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ func UsernameFrom(str string) string {`
`38`	`38`	`}`
`39`	`39`
`40`	`40`	`// NameValid returns whether the input string is a valid name.`
`41`		`-// It is a generic validator for any name (user, workspace, template, etc.).`
	`41`	`+// It is a generic validator for any name (user, workspace, template,role name,etc.).`
`42`	`42`	`funcNameValid(strstring)error {`
`43`	`43`	`iflen(str)>32 {`
`44`	`44`	`returnxerrors.New("must be <= 32 characters")`

`‎coderd/rbac/rolestore/rolestore.go`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,9 @@ func Expand(ctx context.Context, db database.Store, names []string) (rbac.Roles,`
`72`	`72`	`// If some roles are missing from the database, they are omitted from`
`73`	`73`	`// the expansion. These roles are no-ops. Should we raise some kind of`
`74`	`74`	`// warning when this happens?`
`75`		`-dbroles,err:=db.CustomRolesByName(ctx,lookup)`
	`75`	`+dbroles,err:=db.CustomRoles(ctx, database.CustomRolesParams{`
	`76`	`+LookupRoles:lookup,`
	`77`	`+})`
`76`	`78`	`iferr!=nil {`
`77`	`79`	`returnnil,xerrors.Errorf("fetch custom roles: %w",err)`
`78`	`80`	`}`

`‎coderd/roles.go`

Lines changed: 33 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -3,8 +3,11 @@ package coderd`
`3`	`3`	`import (`
`4`	`4`	`"net/http"`
`5`	`5`
	`6`	`+"github.com/coder/coder/v2/coderd/database"`
	`7`	`+"github.com/coder/coder/v2/coderd/database/db2sdk"`
`6`	`8`	`"github.com/coder/coder/v2/coderd/httpmw"`
`7`	`9`	`"github.com/coder/coder/v2/coderd/rbac/policy"`
	`10`	`+"github.com/coder/coder/v2/coderd/rbac/rolestore"`
`8`	`11`	`"github.com/coder/coder/v2/codersdk"`
`9`	`12`
`10`	`13`	`"github.com/coder/coder/v2/coderd/httpapi"`
`@@ -28,8 +31,24 @@ func (api API) AssignableSiteRoles(rw http.ResponseWriter, r http.Request) {`
`28`	`31`	`return`
`29`	`32`	`}`
`30`	`33`
`31`		`-roles:=rbac.SiteRoles()`
`32`		`-httpapi.Write(ctx,rw,http.StatusOK,assignableRoles(actorRoles.Roles,roles))`
	`34`	`+dbCustomRoles,err:=api.Database.CustomRoles(ctx, database.CustomRolesParams{`
	`35`	`+// Only site wide custom roles to be included`
	`36`	`+ExcludeOrgRoles:true,`
	`37`	`+})`
	`38`	`+iferr!=nil {`
	`39`	`+httpapi.InternalServerError(rw,err)`
	`40`	`+return`
	`41`	`+}`
	`42`	`+`
	`43`	`+customRoles:=make([]rbac.Role,0,len(dbCustomRoles))`
	`44`	`+for_,customRole:=rangedbCustomRoles {`
	`45`	`+rbacRole,err:=rolestore.ConvertDBRole(customRole)`
	`46`	`+iferr==nil {`
	`47`	`+customRoles=append(customRoles,rbacRole)`
	`48`	`+}`
	`49`	`+}`
	`50`	`+`
	`51`	`+httpapi.Write(ctx,rw,http.StatusOK,assignableRoles(actorRoles.Roles,rbac.SiteRoles(),customRoles))`
`33`	`52`	`}`
`34`	`53`
`35`	`54`	`// assignableOrgRoles returns all org wide roles that can be assigned.`
`@@ -53,10 +72,10 @@ func (api API) assignableOrgRoles(rw http.ResponseWriter, r http.Request) {`
`53`	`72`	`}`
`54`	`73`
`55`	`74`	`roles:=rbac.OrganizationRoles(organization.ID)`
`56`		`-httpapi.Write(ctx,rw,http.StatusOK,assignableRoles(actorRoles.Roles,roles))`
	`75`	`+httpapi.Write(ctx,rw,http.StatusOK,assignableRoles(actorRoles.Roles,roles, []rbac.Role{}))`
`57`	`76`	`}`
`58`	`77`
`59`		`-funcassignableRoles(actorRoles rbac.ExpandableRoles,roles []rbac.Role) []codersdk.AssignableRoles {`
	`78`	`+funcassignableRoles(actorRoles rbac.ExpandableRoles,roles []rbac.Role,customRoles []rbac.Role) []codersdk.AssignableRoles {`
`60`	`79`	`assignable:=make([]codersdk.AssignableRoles,0)`
`61`	`80`	`for_,role:=rangeroles {`
`62`	`81`	`// The member role is implied, and not assignable.`
`@@ -66,11 +85,17 @@ func assignableRoles(actorRoles rbac.ExpandableRoles, roles []rbac.Role) []coder`
`66`	`85`	`continue`
`67`	`86`	`}`
`68`	`87`	`assignable=append(assignable, codersdk.AssignableRoles{`
`69`		`-SlimRole: codersdk.SlimRole{`
`70`		`-Name:role.Name,`
`71`		`-DisplayName:role.DisplayName,`
`72`		`-},`
	`88`	`+Role:db2sdk.Role(role),`
	`89`	`+Assignable:rbac.CanAssignRole(actorRoles,role.Name),`
	`90`	`+BuiltIn:true,`
	`91`	`+})`
	`92`	`+}`
	`93`	`+`
	`94`	`+for_,role:=rangecustomRoles {`
	`95`	`+assignable=append(assignable, codersdk.AssignableRoles{`
	`96`	`+Role:db2sdk.Role(role),`
`73`	`97`	`Assignable:rbac.CanAssignRole(actorRoles,role.Name),`
	`98`	`+BuiltIn:false,`
`74`	`99`	`})`
`75`	`100`	`}`
`76`	`101`	`returnassignable`

`‎coderd/roles_test.go`

Lines changed: 4 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@ import (`
`8`	`8`	`"github.com/stretchr/testify/require"`
`9`	`9`
`10`	`10`	`"github.com/coder/coder/v2/coderd/coderdtest"`
	`11`	`+"github.com/coder/coder/v2/coderd/database/db2sdk"`
`11`	`12`	`"github.com/coder/coder/v2/coderd/rbac"`
`12`	`13`	`"github.com/coder/coder/v2/codersdk"`
`13`	`14`	`"github.com/coder/coder/v2/testutil"`
`@@ -143,20 +144,17 @@ func TestListRoles(t *testing.T) {`
`143`	`144`	`}`
`144`	`145`	`}`
`145`	`146`
`146`		`-funcconvertRole(roleNamestring) codersdk.SlimRole {`
	`147`	`+funcconvertRole(roleNamestring) codersdk.Role {`
`147`	`148`	`role,_:=rbac.RoleByName(roleName)`
`148`		`-return codersdk.SlimRole{`
`149`		`-DisplayName:role.DisplayName,`
`150`		`-Name:role.Name,`
`151`		`-}`
	`149`	`+returndb2sdk.Role(role)`
`152`	`150`	`}`
`153`	`151`
`154`	`152`	`funcconvertRoles(assignableRolesmap[string]bool) []codersdk.AssignableRoles {`
`155`	`153`	`converted:=make([]codersdk.AssignableRoles,0,len(assignableRoles))`
`156`	`154`	`forroleName,assignable:=rangeassignableRoles {`
`157`	`155`	`role:=convertRole(roleName)`
`158`	`156`	`converted=append(converted, codersdk.AssignableRoles{`
`159`		`-SlimRole:role,`
	`157`	`+Role:role,`
`160`	`158`	`Assignable:assignable,`
`161`	`159`	`})`
`162`	`160`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit35db80f

File tree

23 files changed

23 files changed

`‎coderd/database/dbauthz/dbauthz.go`

`‎coderd/database/dbauthz/dbauthz_test.go`

`‎coderd/database/dbmem/dbmem.go`

`‎coderd/database/dbmetrics/dbmetrics.go`

`‎coderd/database/dbmock/dbmock.go`

`‎coderd/database/dump.sql`

`‎coderd/database/migrations/000210_custom_role_orgs.down.sql`

`‎coderd/database/migrations/000210_custom_role_orgs.up.sql`

`‎coderd/database/models.go`

`‎coderd/database/querier.go`

`‎coderd/database/queries.sql.go`

`‎coderd/database/queries/roles.sql`

`‎coderd/httpapi/name.go`

`‎coderd/rbac/rolestore/rolestore.go`

`‎coderd/roles.go`

`‎coderd/roles_test.go`

0 commit comments