NotificationsYou must be signed in to change notification settings
Fork928
Star10.1k

Commit5ccf508

authored

chore: create type for unique role names (#13506)

* chore: create type for unique role namesUsing `string` was confusing when something should be combined withorg context, and when not to. Naming this new name, "RoleIdentifier"

1 parentc9cca9d commit5ccf508Copy full SHA for 5ccf508

File tree

50 files changed

+551

-456

lines changed

cli
- server_createadminuser.go
- server_createadminuser_test.go
coderd
- audit.go
- coderdtest
  - authorize.go
  - coderdtest.go
- database
  - db2sdk
    - db2sdk.go
  - dbauthz
  - dbfake
    - dbfake.go
  - dbgen
    - dbgen.go
  - dbmem
    - dbmem.go
  - modelmethods.go
- httpmw
- identityprovider
  - tokens.go
- members.go
- organizations.go
- rbac
- roles.go
- roles_test.go
- searchquery
  - search_test.go
- userauth.go
- users.go
- users_test.go
- workspacebuilds.go
- workspacebuilds_test.go
- workspaces_test.go
- workspacestats
  - batcher_internal_test.go
codersdk
- rbacroles.go
enterprise
- coderd
- tailnet
  - pgcoord.go

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

50 files changed

+551

-456

lines changed

`‎cli/server_createadminuser.go`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -192,7 +192,7 @@ func (r RootCmd) newCreateAdminUserCommand() serpent.Command {`
`192`	`192`	`HashedPassword: []byte(hashedPassword),`
`193`	`193`	`CreatedAt:dbtime.Now(),`
`194`	`194`	`UpdatedAt:dbtime.Now(),`
`195`		`-RBACRoles: []string{rbac.RoleOwner()},`
	`195`	`+RBACRoles: []string{rbac.RoleOwner().String()},`
`196`	`196`	`LoginType:database.LoginTypePassword,`
`197`	`197`	`})`
`198`	`198`	`iferr!=nil {`
`@@ -222,7 +222,7 @@ func (r RootCmd) newCreateAdminUserCommand() serpent.Command {`
`222`	`222`	`UserID:newUser.ID,`
`223`	`223`	`CreatedAt:dbtime.Now(),`
`224`	`224`	`UpdatedAt:dbtime.Now(),`
`225`		`-Roles: []string{rbac.ScopedRoleOrgAdmin(org.ID)},`
	`225`	`+Roles: []string{rbac.RoleOrgAdmin()},`
`226`	`226`	`})`
`227`	`227`	`iferr!=nil {`
`228`	`228`	`returnxerrors.Errorf("insert organization member: %w",err)`

`‎cli/server_createadminuser_test.go`

Lines changed: 3 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@ import (`
`17`	`17`	`"github.com/coder/coder/v2/coderd/database/dbtime"`
`18`	`18`	`"github.com/coder/coder/v2/coderd/rbac"`
`19`	`19`	`"github.com/coder/coder/v2/coderd/userpassword"`
	`20`	`+"github.com/coder/coder/v2/codersdk"`
`20`	`21`	`"github.com/coder/coder/v2/pty/ptytest"`
`21`	`22`	`"github.com/coder/coder/v2/testutil"`
`22`	`23`	`)`
`@@ -56,7 +57,7 @@ func TestServerCreateAdminUser(t *testing.T) {`
`56`	`57`	`require.NoError(t,err)`
`57`	`58`	`require.True(t,ok,"password does not match")`
`58`	`59`
`59`		`-require.EqualValues(t, []string{rbac.RoleOwner()},user.RBACRoles,"user does not have owner role")`
	`60`	`+require.EqualValues(t, []string{codersdk.RoleOwner},user.RBACRoles,"user does not have owner role")`
`60`	`61`
`61`	`62`	`// Check that user is admin in every org.`
`62`	`63`	`orgs,err:=db.GetOrganizations(ctx)`
`@@ -71,7 +72,7 @@ func TestServerCreateAdminUser(t *testing.T) {`
`71`	`72`	`orgIDs2:=make(map[uuid.UUID]struct{},len(orgMemberships))`
`72`	`73`	`for_,membership:=rangeorgMemberships {`
`73`	`74`	`orgIDs2[membership.OrganizationID]=struct{}{}`
`74`		`-assert.Equal(t, []string{rbac.ScopedRoleOrgAdmin(membership.OrganizationID)},membership.Roles,"user is not org admin")`
	`75`	`+assert.Equal(t, []string{rbac.RoleOrgAdmin()},membership.Roles,"user is not org admin")`
`75`	`76`	`}`
`76`	`77`
`77`	`78`	`require.Equal(t,orgIDs,orgIDs2,"user is not in all orgs")`

`‎coderd/audit.go`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -199,7 +199,8 @@ func (api *API) convertAuditLog(ctx context.Context, dblog database.GetAuditLogs`
`199`	`199`	`Roles: []codersdk.SlimRole{},`
`200`	`200`	`}`
`201`	`201`
`202`		`-for_,roleName:=rangedblog.UserRoles {`
	`202`	`+for_,input:=rangedblog.UserRoles {`
	`203`	`+roleName,_:=rbac.RoleNameFromString(input)`
`203`	`204`	`rbacRole,_:=rbac.RoleByName(roleName)`
`204`	`205`	`user.Roles=append(user.Roles,db2sdk.SlimRole(rbacRole))`
`205`	`206`	`}`

`‎coderd/coderdtest/authorize.go`

Lines changed: 5 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -60,10 +60,13 @@ func AssertRBAC(t testing.T, api coderd.API, client *codersdk.Client) RBACAsse`
`60`	`60`	`roles,err:=api.Database.GetAuthorizationUserRoles(ctx,key.UserID)`
`61`	`61`	`require.NoError(t,err,"fetch user roles")`
`62`	`62`
	`63`	`+roleNames,err:=roles.RoleNames()`
	`64`	`+require.NoError(t,err)`
	`65`	`+`
`63`	`66`	`returnRBACAsserter{`
`64`	`67`	`Subject: rbac.Subject{`
`65`	`68`	`ID:key.UserID.String(),`
`66`		`-Roles:rbac.RoleNames(roles.Roles),`
	`69`	`+Roles:rbac.RoleIdentifiers(roleNames),`
`67`	`70`	`Groups:roles.Groups,`
`68`	`71`	`Scope:rbac.ScopeName(key.Scope),`
`69`	`72`	`},`
`@@ -435,7 +438,7 @@ func randomRBACType() string {`
`435`	`438`	`funcRandomRBACSubject() rbac.Subject {`
`436`	`439`	`return rbac.Subject{`
`437`	`440`	`ID:uuid.NewString(),`
`438`		`-Roles: rbac.RoleNames{rbac.RoleMember()},`
	`441`	`+Roles: rbac.RoleIdentifiers{rbac.RoleMember()},`
`439`	`442`	`Groups: []string{namesgenerator.GetRandomName(1)},`
`440`	`443`	`Scope:rbac.ScopeAll,`
`441`	`444`	`}`

`‎coderd/coderdtest/coderdtest.go`

Lines changed: 26 additions & 20 deletions

Original file line number	Diff line number	Diff line change
`@@ -55,6 +55,7 @@ import (`
`55`	`55`	`"github.com/coder/coder/v2/coderd/autobuild"`
`56`	`56`	`"github.com/coder/coder/v2/coderd/awsidentity"`
`57`	`57`	`"github.com/coder/coder/v2/coderd/database"`
	`58`	`+"github.com/coder/coder/v2/coderd/database/db2sdk"`
`58`	`59`	`"github.com/coder/coder/v2/coderd/database/dbauthz"`
`59`	`60`	`"github.com/coder/coder/v2/coderd/database/dbrollup"`
`60`	`61`	`"github.com/coder/coder/v2/coderd/database/dbtestutil"`
`@@ -663,21 +664,25 @@ func CreateFirstUser(t testing.TB, client *codersdk.Client) codersdk.CreateFirst`
`663`	`664`
`664`	`665`	`// CreateAnotherUser creates and authenticates a new user.`
`665`	`666`	`// Roles can include org scoped roles with 'roleName:<organization_id>'`
`666`		`-funcCreateAnotherUser(t testing.TB,clientcodersdk.Client,organizationID uuid.UUID,roles...string) (codersdk.Client, codersdk.User) {`
	`667`	`+funcCreateAnotherUser(t testing.TB,clientcodersdk.Client,organizationID uuid.UUID,roles...rbac.RoleIdentifier) (codersdk.Client, codersdk.User) {`
`667`	`668`	`returncreateAnotherUserRetry(t,client,organizationID,5,roles)`
`668`	`669`	`}`
`669`	`670`
`670`		`-funcCreateAnotherUserMutators(t testing.TB,clientcodersdk.Client,organizationID uuid.UUID,roles []string,mutators...func(rcodersdk.CreateUserRequest)) (*codersdk.Client, codersdk.User) {`
	`671`	`+funcCreateAnotherUserMutators(t testing.TB,clientcodersdk.Client,organizationID uuid.UUID,roles []rbac.RoleIdentifier,mutators...func(rcodersdk.CreateUserRequest)) (*codersdk.Client, codersdk.User) {`
`671`	`672`	`returncreateAnotherUserRetry(t,client,organizationID,5,roles,mutators...)`
`672`	`673`	`}`
`673`	`674`
`674`	`675`	`// AuthzUserSubject does not include the user's groups.`
`675`	`676`	`funcAuthzUserSubject(user codersdk.User,orgID uuid.UUID) rbac.Subject {`
`676`		`-roles:=make(rbac.RoleNames,0,len(user.Roles))`
	`677`	`+roles:=make(rbac.RoleIdentifiers,0,len(user.Roles))`
`677`	`678`	`// Member role is always implied`
`678`	`679`	`roles=append(roles,rbac.RoleMember())`
`679`	`680`	`for_,r:=rangeuser.Roles {`
`680`		`-roles=append(roles,r.Name)`
	`681`	`+orgID,_:=uuid.Parse(r.OrganizationID)// defaults to nil`
	`682`	`+roles=append(roles, rbac.RoleIdentifier{`
	`683`	`+Name:r.Name,`
	`684`	`+OrganizationID:orgID,`
	`685`	`+})`
`681`	`686`	`}`
`682`	`687`	`// We assume only 1 org exists`
`683`	`688`	`roles=append(roles,rbac.ScopedRoleOrgMember(orgID))`
`@@ -690,7 +695,7 @@ func AuthzUserSubject(user codersdk.User, orgID uuid.UUID) rbac.Subject {`
`690`	`695`	`}`
`691`	`696`	`}`
`692`	`697`
`693`		`-funccreateAnotherUserRetry(t testing.TB,clientcodersdk.Client,organizationID uuid.UUID,retriesint,roles []string,mutators...func(rcodersdk.CreateUserRequest)) (*codersdk.Client, codersdk.User) {`
	`698`	`+funccreateAnotherUserRetry(t testing.TB,clientcodersdk.Client,organizationID uuid.UUID,retriesint,roles []rbac.RoleIdentifier,mutators...func(rcodersdk.CreateUserRequest)) (*codersdk.Client, codersdk.User) {`
`694`	`699`	`req:= codersdk.CreateUserRequest{`
`695`	`700`	`Email:namesgenerator.GetRandomName(10)+"@coder.com",`
`696`	`701`	`Username:RandomUsername(t),`
`@@ -748,36 +753,37 @@ func createAnotherUserRetry(t testing.TB, client *codersdk.Client, organizationI`
`748`	`753`
`749`	`754`	`iflen(roles)>0 {`
`750`	`755`	`// Find the roles for the org vs the site wide roles`
`751`		`-orgRoles:=make(map[string][]string)`
`752`		`-varsiteRoles []string`
	`756`	`+orgRoles:=make(map[uuid.UUID][]rbac.RoleIdentifier)`
	`757`	`+varsiteRoles []rbac.RoleIdentifier`
`753`	`758`
`754`	`759`	`for_,roleName:=rangeroles {`
`755`		`-roleName:=roleName`
`756`		`-orgID,ok:=rbac.IsOrgRole(roleName)`
`757`		`-roleName,_,err=rbac.RoleSplit(roleName)`
`758`		`-require.NoError(t,err,"split org role name")`
	`760`	`+ok:=roleName.IsOrgRole()`
`759`	`761`	`ifok {`
`760`		`-roleName,_,err=rbac.RoleSplit(roleName)`
`761`		`-require.NoError(t,err,"split rolename")`
`762`		`-orgRoles[orgID]=append(orgRoles[orgID],roleName)`
	`762`	`+orgRoles[roleName.OrganizationID]=append(orgRoles[roleName.OrganizationID],roleName)`
`763`	`763`	`}else {`
`764`	`764`	`siteRoles=append(siteRoles,roleName)`
`765`	`765`	`}`
`766`	`766`	`}`
`767`	`767`	`// Update the roles`
`768`	`768`	`for_,r:=rangeuser.Roles {`
`769`		`-siteRoles=append(siteRoles,r.Name)`
	`769`	`+orgID,_:=uuid.Parse(r.OrganizationID)`
	`770`	`+siteRoles=append(siteRoles, rbac.RoleIdentifier{`
	`771`	`+Name:r.Name,`
	`772`	`+OrganizationID:orgID,`
	`773`	`+})`
	`774`	`+}`
	`775`	`+`
	`776`	`+onlyName:=func(role rbac.RoleIdentifier)string {`
	`777`	`+returnrole.Name`
`770`	`778`	`}`
`771`	`779`
`772`		`-user,err=client.UpdateUserRoles(context.Background(),user.ID.String(), codersdk.UpdateRoles{Roles:siteRoles})`
	`780`	`+user,err=client.UpdateUserRoles(context.Background(),user.ID.String(), codersdk.UpdateRoles{Roles:db2sdk.List(siteRoles,onlyName)})`
`773`	`781`	`require.NoError(t,err,"update site roles")`
`774`	`782`
`775`	`783`	`// Update org roles`
`776`	`784`	`fororgID,roles:=rangeorgRoles {`
`777`		`-organizationID,err:=uuid.Parse(orgID)`
`778`		`-require.NoError(t,err,fmt.Sprintf("parse org id %q",orgID))`
`779`		`-_,err=client.UpdateOrganizationMemberRoles(context.Background(),organizationID,user.ID.String(),`
`780`		`-codersdk.UpdateRoles{Roles:roles})`
	`785`	`+_,err=client.UpdateOrganizationMemberRoles(context.Background(),orgID,user.ID.String(),`
	`786`	`+codersdk.UpdateRoles{Roles:db2sdk.List(roles,onlyName)})`
`781`	`787`	`require.NoError(t,err,"update org membership roles")`
`782`	`788`	`}`
`783`	`789`	`}`

`‎coderd/database/db2sdk/db2sdk.go`

Lines changed: 16 additions & 14 deletions

Original file line number	Diff line number	Diff line change
`@@ -170,7 +170,12 @@ func User(user database.User, organizationIDs []uuid.UUID) codersdk.User {`
`170`	`170`	`}`
`171`	`171`
`172`	`172`	`for_,roleName:=rangeuser.RBACRoles {`
`173`		`-rbacRole,err:=rbac.RoleByName(roleName)`
	`173`	`+// TODO: Currently the api only returns site wide roles.`
	`174`	`+// Should it return organization roles?`
	`175`	`+rbacRole,err:=rbac.RoleByName(rbac.RoleIdentifier{`
	`176`	`+Name:roleName,`
	`177`	`+OrganizationID:uuid.Nil,`
	`178`	`+})`
`174`	`179`	`iferr==nil {`
`175`	`180`	`convertedUser.Roles=append(convertedUser.Roles,SlimRole(rbacRole))`
`176`	`181`	`}else {`
`@@ -519,29 +524,26 @@ func ProvisionerDaemon(dbDaemon database.ProvisionerDaemon) codersdk.Provisioner`
`519`	`524`	`}`
`520`	`525`
`521`	`526`	`funcSlimRole(role rbac.Role) codersdk.SlimRole {`
`522`		`-roleName,orgIDStr,err:=rbac.RoleSplit(role.Name)`
`523`		`-iferr!=nil {`
`524`		`-roleName=role.Name`
	`527`	`+orgID:=""`
	`528`	`+ifrole.Identifier.OrganizationID!=uuid.Nil {`
	`529`	`+orgID=role.Identifier.OrganizationID.String()`
`525`	`530`	`}`
`526`	`531`
`527`	`532`	`return codersdk.SlimRole{`
`528`	`533`	`DisplayName:role.DisplayName,`
`529`		`-Name:roleName,`
`530`		`-OrganizationID:orgIDStr,`
	`534`	`+Name:role.Identifier.Name,`
	`535`	`+OrganizationID:orgID,`
`531`	`536`	`}`
`532`	`537`	`}`
`533`	`538`
`534`	`539`	`funcRBACRole(role rbac.Role) codersdk.Role {`
`535`		`-roleName,orgIDStr,err:=rbac.RoleSplit(role.Name)`
`536`		`-iferr!=nil {`
`537`		`-roleName=role.Name`
`538`		`-}`
`539`		`-orgPerms:=role.Org[orgIDStr]`
	`540`	`+slim:=SlimRole(role)`
`540`	`541`
	`542`	`+orgPerms:=role.Org[slim.OrganizationID]`
`541`	`543`	`return codersdk.Role{`
`542`		`-Name:roleName,`
`543`		`-OrganizationID:orgIDStr,`
`544`		`-DisplayName:role.DisplayName,`
	`544`	`+Name:slim.Name,`
	`545`	`+OrganizationID:slim.OrganizationID,`
	`546`	`+DisplayName:slim.DisplayName,`
`545`	`547`	`SitePermissions:List(role.Site,RBACPermission),`
`546`	`548`	`OrganizationPermissions:List(orgPerms,RBACPermission),`
`547`	`549`	`UserPermissions:List(role.User,RBACPermission),`

`‎coderd/database/dbauthz/customroles_test.go`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ func TestUpsertCustomRoles(t *testing.T) {`
`35`	`35`	`}`
`36`	`36`
`37`	`37`	`canAssignRole:= rbac.Role{`
`38`		`-Name:"can-assign",`
	`38`	`+Identifier:rbac.RoleIdentifier{Name:"can-assign"},`
`39`	`39`	`DisplayName:"",`
`40`	`40`	`Site:rbac.Permissions(map[string][]policy.Action{`
`41`	`41`	`rbac.ResourceAssignRole.Type: {policy.ActionRead,policy.ActionCreate},`
`@@ -51,7 +51,7 @@ func TestUpsertCustomRoles(t *testing.T) {`
`51`	`51`	`all=append(all,t)`
`52`	`52`	`case rbac.ExpandableRoles:`
`53`	`53`	`all=append(all,must(t.Expand())...)`
`54`		`-casestring:`
	`54`	`+caserbac.RoleIdentifier:`
`55`	`55`	`all=append(all,must(rbac.RoleByName(t)))`
`56`	`56`	`default:`
`57`	`57`	`panic("unknown type")`
`@@ -80,7 +80,7 @@ func TestUpsertCustomRoles(t *testing.T) {`
`80`	`80`	`{`
`81`	`81`	`// No roles, so no assign role`
`82`	`82`	`name:"no-roles",`
`83`		`-subject:rbac.RoleNames([]string{}),`
	`83`	`+subject: rbac.RoleIdentifiers{},`
`84`	`84`	`errorContains:"forbidden",`
`85`	`85`	`},`
`86`	`86`	`{`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit5ccf508

File tree

50 files changed

Some content is hidden

50 files changed

`‎cli/server_createadminuser.go`

`‎cli/server_createadminuser_test.go`

`‎coderd/audit.go`

`‎coderd/coderdtest/authorize.go`

`‎coderd/coderdtest/coderdtest.go`

`‎coderd/database/db2sdk/db2sdk.go`

`‎coderd/database/dbauthz/customroles_test.go`

0 commit comments