NotificationsYou must be signed in to change notification settings
Fork927
Star10.1k

Commit3641875

committed

chore: remove org map perms in sdk

1 parent44ddddd commit3641875Copy full SHA for 3641875

File tree

6 files changed

+46

-43

lines changed

coderd
- database
  - db2sdk
    - db2sdk.go
  - dbauthz
    - dbauthz.go
- roles.go
codersdk
- roles.go
enterprise/coderd
- roles.go
- roles_test.go

6 files changed

+46

-43

lines changed

`‎coderd/database/db2sdk/db2sdk.go`

Lines changed: 17 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -531,12 +531,16 @@ func Role(role rbac.Role) codersdk.Role {`
`531`	`531`	`iferr!=nil {`
`532`	`532`	`roleName=role.Name`
`533`	`533`	`}`
	`534`	`+`
`534`	`535`	`return codersdk.Role{`
`535`		`-Name:roleName,`
`536`		`-OrganizationID:orgIDStr,`
`537`		`-DisplayName:role.DisplayName,`
`538`		`-SitePermissions:List(role.Site,Permission),`
`539`		`-OrganizationPermissions:Map(role.Org,ListLazy(Permission)),`
	`536`	`+Name:roleName,`
	`537`	`+OrganizationID:orgIDStr,`
	`538`	`+DisplayName:role.DisplayName,`
	`539`	`+SitePermissions:List(role.Site,Permission),`
	`540`	`+// This is not perfect. If there are organization permissions in another`
	`541`	`+// organization, they will be omitted. This should not be allowed, so`
	`542`	`+// should never happen.`
	`543`	`+OrganizationPermissions:List(role.Org[orgIDStr],Permission),`
`540`	`544`	`UserPermissions:List(role.User,Permission),`
`541`	`545`	`}`
`542`	`546`	`}`
`@@ -550,11 +554,18 @@ func Permission(permission rbac.Permission) codersdk.Permission {`
`550`	`554`	`}`
`551`	`555`
`552`	`556`	`funcRoleToRBAC(role codersdk.Role) rbac.Role {`
	`557`	`+orgPerms:=map[string][]rbac.Permission{}`
	`558`	`+ifrole.OrganizationID!="" {`
	`559`	`+orgPerms=map[string][]rbac.Permission{`
	`560`	`+role.OrganizationID:List(role.OrganizationPermissions,PermissionToRBAC),`
	`561`	`+}`
	`562`	`+}`
	`563`	`+`
`553`	`564`	`return rbac.Role{`
`554`	`565`	`Name:rbac.RoleName(role.Name,role.OrganizationID),`
`555`	`566`	`DisplayName:role.DisplayName,`
`556`	`567`	`Site:List(role.SitePermissions,PermissionToRBAC),`
`557`		`-Org:Map(role.OrganizationPermissions,ListLazy(PermissionToRBAC)),`
	`568`	`+Org:orgPerms,`
`558`	`569`	`User:List(role.UserPermissions,PermissionToRBAC),`
`559`	`570`	`}`
`560`	`571`	`}`

`‎coderd/database/dbauthz/dbauthz.go`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -614,6 +614,10 @@ func (q querier) canAssignRoles(ctx context.Context, orgID uuid.UUID, added, r`
`614`	`614`	`returnxerrors.Errorf("role %q has invalid uuid for org: %w",r,err)`
`615`	`615`	`}`
`616`	`616`
	`617`	`+iforgID==nil {`
	`618`	`+returnxerrors.Errorf("should never happen, orgID is nil, but trying to assign an organization role")`
	`619`	`+}`
	`620`	`+`
`617`	`621`	`ifroleOrgID!=*orgID {`
`618`	`622`	`returnxerrors.Errorf("attempted to assign role from a different org, role %q to %q",r,orgID.String())`
`619`	`623`	`}`

`‎coderd/roles.go`

Lines changed: 0 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -55,14 +55,6 @@ func (api API) patchOrgRoles(rw http.ResponseWriter, r http.Request) {`
`55`	`55`	`return`
`56`	`56`	`}`
`57`	`57`
`58`		`-iferr:=httpapi.NameValid(req.Name);err!=nil {`
`59`		`-httpapi.Write(ctx,rw,http.StatusBadRequest, codersdk.Response{`
`60`		`-Message:"Invalid role name",`
`61`		`-Detail:err.Error(),`
`62`		`-})`
`63`		`-return`
`64`		`-}`
`65`		`-`
`66`	`58`	`updated,ok:=handler.PatchOrganizationRole(ctx,api.Database,rw,organization.ID,req)`
`67`	`59`	`if!ok {`
`68`	`60`	`return`

`‎codersdk/roles.go`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -39,9 +39,9 @@ type Role struct {`
`39`	`39`	OrganizationIDstring`json:"organization_id" table:"organization_id" format:"uuid"`
`40`	`40`	DisplayNamestring`json:"display_name" table:"display_name"`
`41`	`41`	SitePermissions []Permission`json:"site_permissions" table:"site_permissions"`
`42`		`-//map[<org_id>] -> Permissions`
`43`		-OrganizationPermissionsmap[string][]Permission`json:"organization_permissions" table:"org_permissions"`
`44`		-UserPermissions []Permission`json:"user_permissions" table:"user_permissions"`
	`42`	`+//OrganizationPermissions are specific for the organization in the field 'OrganizationID' above.`
	`43`	+OrganizationPermissions []Permission`json:"organization_permissions" table:"org_permissions"`
	`44`	+UserPermissions []Permission`json:"user_permissions" table:"user_permissions"`
`45`	`45`	`}`
`46`	`46`
`47`	`47`	`// FullName returns the role name scoped to the organization ID. This is useful if`

`‎enterprise/coderd/roles.go`

Lines changed: 12 additions & 15 deletions

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,15 @@ type enterpriseCustomRoleHandler struct {`
`21`	`21`	`func (henterpriseCustomRoleHandler)PatchOrganizationRole(ctx context.Context,db database.Store,rw http.ResponseWriter,orgID uuid.UUID,role codersdk.Role) (codersdk.Role,bool) {`
`22`	`22`	`if!h.Enabled {`
`23`	`23`	`httpapi.Write(ctx,rw,http.StatusForbidden, codersdk.Response{`
`24`		`-Message:"Custom roles is not enabled",`
	`24`	`+Message:"Custom roles are not enabled",`
	`25`	`+})`
	`26`	`+return codersdk.Role{},false`
	`27`	`+}`
	`28`	`+`
	`29`	`+iferr:=httpapi.NameValid(role.Name);err!=nil {`
	`30`	`+httpapi.Write(ctx,rw,http.StatusBadRequest, codersdk.Response{`
	`31`	`+Message:"Invalid role name",`
	`32`	`+Detail:err.Error(),`
`25`	`33`	`})`
`26`	`34`	`return codersdk.Role{},false`
`27`	`35`	`}`
`@@ -43,25 +51,14 @@ func (h enterpriseCustomRoleHandler) PatchOrganizationRole(ctx context.Context,`
`43`	`51`	`return codersdk.Role{},false`
`44`	`52`	`}`
`45`	`53`
`46`		`-iflen(role.OrganizationPermissions)>1 {`
	`54`	`+ifrole.OrganizationID!=orgID.String() {`
`47`	`55`	`httpapi.Write(ctx,rw,http.StatusBadRequest, codersdk.Response{`
`48`		`-Message:"Invalid request,Only 1 organization can be assigned permissions",`
`49`		`-Detail:"roles can only contain 1 organization",`
	`56`	`+Message:"Invalid request,organization in role and url must match",`
	`57`	`+Detail:fmt.Sprintf("role org %q does not match URL %q",role.OrganizationID,orgID.String()),`
`50`	`58`	`})`
`51`	`59`	`return codersdk.Role{},false`
`52`	`60`	`}`
`53`	`61`
`54`		`-iflen(role.OrganizationPermissions)==1 {`
`55`		`-_,exists:=role.OrganizationPermissions[orgID.String()]`
`56`		`-if!exists {`
`57`		`-httpapi.Write(ctx,rw,http.StatusBadRequest, codersdk.Response{`
`58`		`-Message:fmt.Sprintf("Invalid request, expected permissions for only the organization %q",orgID.String()),`
`59`		`-Detail:fmt.Sprintf("only org id %s allowed",orgID.String()),`
`60`		`-})`
`61`		`-return codersdk.Role{},false`
`62`		`-}`
`63`		`-}`
`64`		`-`
`65`	`62`	`// Make sure all permissions inputted are valid according to our policy.`
`66`	`63`	`rbacRole:=db2sdk.RoleToRBAC(role)`
`67`	`64`	`args,err:=rolestore.ConvertRoleToDB(rbacRole)`

`‎enterprise/coderd/roles_test.go`

Lines changed: 10 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -20,17 +20,16 @@ func TestCustomOrganizationRole(t *testing.T) {`
`20`	`20`	`t.Parallel()`
`21`	`21`	`templateAdminCustom:=func(orgID uuid.UUID) codersdk.Role {`
`22`	`22`	`return codersdk.Role{`
`23`		`-Name:"test-role",`
`24`		`-DisplayName:"Testing Purposes",`
	`23`	`+Name:"test-role",`
	`24`	`+DisplayName:"Testing Purposes",`
	`25`	`+OrganizationID:orgID.String(),`
`25`	`26`	`// Basically creating a template admin manually`
`26`	`27`	`SitePermissions:nil,`
`27`		`-OrganizationPermissions:map[string][]codersdk.Permission{`
`28`		`-orgID.String():codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`29`		`-codersdk.ResourceTemplate: {codersdk.ActionCreate,codersdk.ActionRead,codersdk.ActionUpdate,codersdk.ActionViewInsights},`
`30`		`-codersdk.ResourceFile: {codersdk.ActionCreate,codersdk.ActionRead},`
`31`		`-codersdk.ResourceWorkspace: {codersdk.ActionRead},`
`32`		`-}),`
`33`		`-},`
	`28`	`+OrganizationPermissions:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
	`29`	`+codersdk.ResourceTemplate: {codersdk.ActionCreate,codersdk.ActionRead,codersdk.ActionUpdate,codersdk.ActionViewInsights},`
	`30`	`+codersdk.ResourceFile: {codersdk.ActionCreate,codersdk.ActionRead},`
	`31`	`+codersdk.ResourceWorkspace: {codersdk.ActionRead},`
	`32`	`+}),`
`34`	`33`	`UserPermissions:nil,`
`35`	`34`	`}`
`36`	`35`	`}`
`@@ -84,7 +83,7 @@ func TestCustomOrganizationRole(t *testing.T) {`
`84`	`83`	`}),"role missing from org role list")`
`85`	`84`
`86`	`85`	`require.Len(t,foundRole.SitePermissions,0)`
`87`		`-require.Len(t,foundRole.OrganizationPermissions[first.OrganizationID.String()],7)`
	`86`	`+require.Len(t,foundRole.OrganizationPermissions,7)`
`88`	`87`	`require.Len(t,foundRole.UserPermissions,0)`
`89`	`88`	`})`
`90`	`89`
`@@ -122,7 +121,7 @@ func TestCustomOrganizationRole(t *testing.T) {`
`122`	`121`
`123`	`122`	`// Verify functionality is lost`
`124`	`123`	`_,err=owner.PatchOrganizationRole(ctx,first.OrganizationID,templateAdminCustom(first.OrganizationID))`
`125`		`-require.ErrorContains(t,err,"rolesis not enabled")`
	`124`	`+require.ErrorContains(t,err,"rolesare not enabled")`
`126`	`125`
`127`	`126`	`// Assign the custom template admin role`
`128`	`127`	`tmplAdmin,_:=coderdtest.CreateAnotherUser(t,owner,first.OrganizationID,role.FullName())`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit3641875

File tree

6 files changed

6 files changed

`‎coderd/database/db2sdk/db2sdk.go`

`‎coderd/database/dbauthz/dbauthz.go`

`‎coderd/roles.go`

`‎codersdk/roles.go`

`‎enterprise/coderd/roles.go`

`‎enterprise/coderd/roles_test.go`

0 commit comments