NotificationsYou must be signed in to change notification settings
Fork928
Star10.1k

Commit7ee9294

committed

refactor name to RoleIdentifier

1 parent3c44caa commit7ee9294Copy full SHA for 7ee9294

File tree

30 files changed

+177

-177

lines changed

coderd
- coderdtest
  - authorize.go
  - coderdtest.go
- database
  - db2sdk
    - db2sdk.go
  - dbauthz
  - dbfake
    - dbfake.go
  - dbgen
    - dbgen.go
  - modelmethods.go
- httpmw
  - authorize_test.go
  - workspaceagent.go
- identityprovider
  - tokens.go
- members.go
- rbac
- userauth.go
- users_test.go
enterprise
- coderd
- tailnet
  - pgcoord.go

30 files changed

+177

-177

lines changed

`‎coderd/coderdtest/authorize.go`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,7 @@ func AssertRBAC(t testing.T, api coderd.API, client *codersdk.Client) RBACAsse`
`66`	`66`	`returnRBACAsserter{`
`67`	`67`	`Subject: rbac.Subject{`
`68`	`68`	`ID:key.UserID.String(),`
`69`		`-Roles:rbac.RoleNames(roleNames),`
	`69`	`+Roles:rbac.RoleIdentifiers(roleNames),`
`70`	`70`	`Groups:roles.Groups,`
`71`	`71`	`Scope:rbac.ScopeName(key.Scope),`
`72`	`72`	`},`
`@@ -438,7 +438,7 @@ func randomRBACType() string {`
`438`	`438`	`funcRandomRBACSubject() rbac.Subject {`
`439`	`439`	`return rbac.Subject{`
`440`	`440`	`ID:uuid.NewString(),`
`441`		`-Roles: rbac.RoleNames{rbac.RoleMember()},`
	`441`	`+Roles: rbac.RoleIdentifiers{rbac.RoleMember()},`
`442`	`442`	`Groups: []string{namesgenerator.GetRandomName(1)},`
`443`	`443`	`Scope:rbac.ScopeAll,`
`444`	`444`	`}`

`‎coderd/coderdtest/coderdtest.go`

Lines changed: 9 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -665,22 +665,22 @@ func CreateFirstUser(t testing.TB, client *codersdk.Client) codersdk.CreateFirst`
`665`	`665`
`666`	`666`	`// CreateAnotherUser creates and authenticates a new user.`
`667`	`667`	`// Roles can include org scoped roles with 'roleName:<organization_id>'`
`668`		`-funcCreateAnotherUser(t testing.TB,clientcodersdk.Client,organizationID uuid.UUID,roles...rbac.RoleName) (codersdk.Client, codersdk.User) {`
	`668`	`+funcCreateAnotherUser(t testing.TB,clientcodersdk.Client,organizationID uuid.UUID,roles...rbac.RoleIdentifier) (codersdk.Client, codersdk.User) {`
`669`	`669`	`returncreateAnotherUserRetry(t,client,organizationID,5,roles)`
`670`	`670`	`}`
`671`	`671`
`672`		`-funcCreateAnotherUserMutators(t testing.TB,clientcodersdk.Client,organizationID uuid.UUID,roles []rbac.RoleName,mutators...func(rcodersdk.CreateUserRequest)) (*codersdk.Client, codersdk.User) {`
	`672`	`+funcCreateAnotherUserMutators(t testing.TB,clientcodersdk.Client,organizationID uuid.UUID,roles []rbac.RoleIdentifier,mutators...func(rcodersdk.CreateUserRequest)) (*codersdk.Client, codersdk.User) {`
`673`	`673`	`returncreateAnotherUserRetry(t,client,organizationID,5,roles,mutators...)`
`674`	`674`	`}`
`675`	`675`
`676`	`676`	`// AuthzUserSubject does not include the user's groups.`
`677`	`677`	`funcAuthzUserSubject(user codersdk.User,orgID uuid.UUID) rbac.Subject {`
`678`		`-roles:=make(rbac.RoleNames,0,len(user.Roles))`
	`678`	`+roles:=make(rbac.RoleIdentifiers,0,len(user.Roles))`
`679`	`679`	`// Member role is always implied`
`680`	`680`	`roles=append(roles,rbac.RoleMember())`
`681`	`681`	`for_,r:=rangeuser.Roles {`
`682`	`682`	`orgID,_:=uuid.Parse(r.OrganizationID)// defaults to nil`
`683`		`-roles=append(roles, rbac.RoleName{`
	`683`	`+roles=append(roles, rbac.RoleIdentifier{`
`684`	`684`	`Name:r.Name,`
`685`	`685`	`OrganizationID:orgID,`
`686`	`686`	`})`
`@@ -696,7 +696,7 @@ func AuthzUserSubject(user codersdk.User, orgID uuid.UUID) rbac.Subject {`
`696`	`696`	`}`
`697`	`697`	`}`
`698`	`698`
`699`		`-funccreateAnotherUserRetry(t testing.TB,clientcodersdk.Client,organizationID uuid.UUID,retriesint,roles []rbac.RoleName,mutators...func(rcodersdk.CreateUserRequest)) (*codersdk.Client, codersdk.User) {`
	`699`	`+funccreateAnotherUserRetry(t testing.TB,clientcodersdk.Client,organizationID uuid.UUID,retriesint,roles []rbac.RoleIdentifier,mutators...func(rcodersdk.CreateUserRequest)) (*codersdk.Client, codersdk.User) {`
`700`	`700`	`req:= codersdk.CreateUserRequest{`
`701`	`701`	`Email:namesgenerator.GetRandomName(10)+"@coder.com",`
`702`	`702`	`Username:RandomUsername(t),`
`@@ -754,8 +754,8 @@ func createAnotherUserRetry(t testing.TB, client *codersdk.Client, organizationI`
`754`	`754`
`755`	`755`	`iflen(roles)>0 {`
`756`	`756`	`// Find the roles for the org vs the site wide roles`
`757`		`-orgRoles:=make(map[uuid.UUID][]rbac.RoleName)`
`758`		`-varsiteRoles []rbac.RoleName`
	`757`	`+orgRoles:=make(map[uuid.UUID][]rbac.RoleIdentifier)`
	`758`	`+varsiteRoles []rbac.RoleIdentifier`
`759`	`759`
`760`	`760`	`for_,roleName:=rangeroles {`
`761`	`761`	`ok:=roleName.IsOrgRole()`
`@@ -768,13 +768,13 @@ func createAnotherUserRetry(t testing.TB, client *codersdk.Client, organizationI`
`768`	`768`	`// Update the roles`
`769`	`769`	`for_,r:=rangeuser.Roles {`
`770`	`770`	`orgID,_:=uuid.Parse(r.OrganizationID)`
`771`		`-siteRoles=append(siteRoles, rbac.RoleName{`
	`771`	`+siteRoles=append(siteRoles, rbac.RoleIdentifier{`
`772`	`772`	`Name:r.Name,`
`773`	`773`	`OrganizationID:orgID,`
`774`	`774`	`})`
`775`	`775`	`}`
`776`	`776`
`777`		`-onlyName:=func(role rbac.RoleName)string {`
	`777`	`+onlyName:=func(role rbac.RoleIdentifier)string {`
`778`	`778`	`returnrole.Name`
`779`	`779`	`}`
`780`	`780`

`‎coderd/database/db2sdk/db2sdk.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -172,7 +172,7 @@ func User(user database.User, organizationIDs []uuid.UUID) codersdk.User {`
`172`	`172`	`for_,roleName:=rangeuser.RBACRoles {`
`173`	`173`	`// TODO: Currently the api only returns site wide roles.`
`174`	`174`	`// Should it return organization roles?`
`175`		`-rbacRole,err:=rbac.RoleByName(rbac.RoleName{`
	`175`	`+rbacRole,err:=rbac.RoleByName(rbac.RoleIdentifier{`
`176`	`176`	`Name:roleName,`
`177`	`177`	`OrganizationID:uuid.Nil,`
`178`	`178`	`})`

`‎coderd/database/dbauthz/customroles_test.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,7 @@ func TestUpsertCustomRoles(t *testing.T) {`
`80`	`80`	`{`
`81`	`81`	`// No roles, so no assign role`
`82`	`82`	`name:"no-roles",`
`83`		`-subject:rbac.RoleNames([]string{}),`
	`83`	`+subject:rbac.RoleIdentifiers([]string{}),`
`84`	`84`	`errorContains:"forbidden",`
`85`	`85`	`},`
`86`	`86`	`{`

`‎coderd/database/dbauthz/dbauthz.go`

Lines changed: 51 additions & 51 deletions

Original file line number	Diff line number	Diff line change
`@@ -162,7 +162,7 @@ var (`
`162`	`162`	`ID:uuid.Nil.String(),`
`163`	`163`	`Roles:rbac.Roles([]rbac.Role{`
`164`	`164`	`{`
`165`		`-Name: rbac.RoleName{Name:"provisionerd"},`
	`165`	`+Name: rbac.RoleIdentifier{Name:"provisionerd"},`
`166`	`166`	`DisplayName:"Provisioner Daemon",`
`167`	`167`	`Site:rbac.Permissions(map[string][]policy.Action{`
`168`	`168`	`// TODO: Add ProvisionerJob resource type.`
`@@ -191,7 +191,7 @@ var (`
`191`	`191`	`ID:uuid.Nil.String(),`
`192`	`192`	`Roles:rbac.Roles([]rbac.Role{`
`193`	`193`	`{`
`194`		`-Name: rbac.RoleName{Name:"autostart"},`
	`194`	`+Name: rbac.RoleIdentifier{Name:"autostart"},`
`195`	`195`	`DisplayName:"Autostart Daemon",`
`196`	`196`	`Site:rbac.Permissions(map[string][]policy.Action{`
`197`	`197`	`rbac.ResourceSystem.Type: {policy.WildcardSymbol},`
`@@ -213,7 +213,7 @@ var (`
`213`	`213`	`ID:uuid.Nil.String(),`
`214`	`214`	`Roles:rbac.Roles([]rbac.Role{`
`215`	`215`	`{`
`216`		`-Name: rbac.RoleName{Name:"hangdetector"},`
	`216`	`+Name: rbac.RoleIdentifier{Name:"hangdetector"},`
`217`	`217`	`DisplayName:"Hang Detector Daemon",`
`218`	`218`	`Site:rbac.Permissions(map[string][]policy.Action{`
`219`	`219`	`rbac.ResourceSystem.Type: {policy.WildcardSymbol},`
`@@ -232,7 +232,7 @@ var (`
`232`	`232`	`ID:uuid.Nil.String(),`
`233`	`233`	`Roles:rbac.Roles([]rbac.Role{`
`234`	`234`	`{`
`235`		`-Name: rbac.RoleName{Name:"system"},`
	`235`	`+Name: rbac.RoleIdentifier{Name:"system"},`
`236`	`236`	`DisplayName:"Coder",`
`237`	`237`	`Site:rbac.Permissions(map[string][]policy.Action{`
`238`	`238`	`rbac.ResourceWildcard.Type: {policy.ActionRead},`
`@@ -307,9 +307,9 @@ func As(ctx context.Context, actor rbac.Subject) context.Context {`
`307`	`307`	`// running the insertFunc. The insertFunc is expected to return the object that`
`308`	`308`	`// was inserted.`
`309`	`309`	`funcinsert[`
`310`		`-ObjectTypeany,`
`311`		`-ArgumentTypeany,`
`312`		`-Insertfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
	`310`	`+ObjectTypeany,`
	`311`	`+ArgumentTypeany,`
	`312`	`+Insertfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
`313`	`313`	`](`
`314`	`314`	`logger slog.Logger,`
`315`	`315`	`authorizer rbac.Authorizer,`
`@@ -320,9 +320,9 @@ func insert[`
`320`	`320`	`}`
`321`	`321`
`322`	`322`	`funcinsertWithAction[`
`323`		`-ObjectTypeany,`
`324`		`-ArgumentTypeany,`
`325`		`-Insertfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
	`323`	`+ObjectTypeany,`
	`324`	`+ArgumentTypeany,`
	`325`	`+Insertfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
`326`	`326`	`](`
`327`	`327`	`logger slog.Logger,`
`328`	`328`	`authorizer rbac.Authorizer,`
`@@ -349,10 +349,10 @@ func insertWithAction[`
`349`	`349`	`}`
`350`	`350`
`351`	`351`	`funcdeleteQ[`
`352`		`-ObjectType rbac.Objecter,`
`353`		`-ArgumentTypeany,`
`354`		`-Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
`355`		`-Deletefunc(ctx context.Context,argArgumentType)error,`
	`352`	`+ObjectType rbac.Objecter,`
	`353`	`+ArgumentTypeany,`
	`354`	`+Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
	`355`	`+Deletefunc(ctx context.Context,argArgumentType)error,`
`356`	`356`	`](`
`357`	`357`	`logger slog.Logger,`
`358`	`358`	`authorizer rbac.Authorizer,`
`@@ -364,10 +364,10 @@ func deleteQ[`
`364`	`364`	`}`
`365`	`365`
`366`	`366`	`funcupdateWithReturn[`
`367`		`-ObjectType rbac.Objecter,`
`368`		`-ArgumentTypeany,`
`369`		`-Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
`370`		`-UpdateQueryfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
	`367`	`+ObjectType rbac.Objecter,`
	`368`	`+ArgumentTypeany,`
	`369`	`+Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
	`370`	`+UpdateQueryfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
`371`	`371`	`](`
`372`	`372`	`logger slog.Logger,`
`373`	`373`	`authorizer rbac.Authorizer,`
`@@ -378,10 +378,10 @@ func updateWithReturn[`
`378`	`378`	`}`
`379`	`379`
`380`	`380`	`funcupdate[`
`381`		`-ObjectType rbac.Objecter,`
`382`		`-ArgumentTypeany,`
`383`		`-Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
`384`		`-Execfunc(ctx context.Context,argArgumentType)error,`
	`381`	`+ObjectType rbac.Objecter,`
	`382`	`+ArgumentTypeany,`
	`383`	`+Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
	`384`	`+Execfunc(ctx context.Context,argArgumentType)error,`
`385`	`385`	`](`
`386`	`386`	`logger slog.Logger,`
`387`	`387`	`authorizer rbac.Authorizer,`
`@@ -399,9 +399,9 @@ func update[`
`399`	`399`	`// user cannot read the resource. This is because the resource details are`
`400`	`400`	`// required to run a proper authorization check.`
`401`	`401`	`funcfetchWithAction[`
`402`		`-ArgumentTypeany,`
`403`		`-ObjectType rbac.Objecter,`
`404`		`-DatabaseFuncfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
	`402`	`+ArgumentTypeany,`
	`403`	`+ObjectType rbac.Objecter,`
	`404`	`+DatabaseFuncfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
`405`	`405`	`](`
`406`	`406`	`logger slog.Logger,`
`407`	`407`	`authorizer rbac.Authorizer,`
`@@ -432,9 +432,9 @@ func fetchWithAction[`
`432`	`432`	`}`
`433`	`433`
`434`	`434`	`funcfetch[`
`435`		`-ArgumentTypeany,`
`436`		`-ObjectType rbac.Objecter,`
`437`		`-DatabaseFuncfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
	`435`	`+ArgumentTypeany,`
	`436`	`+ObjectType rbac.Objecter,`
	`437`	`+DatabaseFuncfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
`438`	`438`	`](`
`439`	`439`	`logger slog.Logger,`
`440`	`440`	`authorizer rbac.Authorizer,`
`@@ -447,10 +447,10 @@ func fetch[`
`447`	`447`	`// from SQL 'exec' functions which only return an error.`
`448`	`448`	`// See fetchAndQuery for more information.`
`449`	`449`	`funcfetchAndExec[`
`450`		`-ObjectType rbac.Objecter,`
`451`		`-ArgumentTypeany,`
`452`		`-Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
`453`		`-Execfunc(ctx context.Context,argArgumentType)error,`
	`450`	`+ObjectType rbac.Objecter,`
	`451`	`+ArgumentTypeany,`
	`452`	`+Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
	`453`	`+Execfunc(ctx context.Context,argArgumentType)error,`
`454`	`454`	`](`
`455`	`455`	`logger slog.Logger,`
`456`	`456`	`authorizer rbac.Authorizer,`
`@@ -473,10 +473,10 @@ func fetchAndExec[`
`473`	`473`	`// before the query runs. The returns from the fetch are only used to`
`474`	`474`	`// assert rbac. The final return of this function comes from the Query function.`
`475`	`475`	`funcfetchAndQuery[`
`476`		`-ObjectType rbac.Objecter,`
`477`		`-ArgumentTypeany,`
`478`		`-Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
`479`		`-Queryfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
	`476`	`+ObjectType rbac.Objecter,`
	`477`	`+ArgumentTypeany,`
	`478`	`+Fetchfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
	`479`	`+Queryfunc(ctx context.Context,argArgumentType) (ObjectType,error),`
`480`	`480`	`](`
`481`	`481`	`logger slog.Logger,`
`482`	`482`	`authorizer rbac.Authorizer,`
`@@ -510,9 +510,9 @@ func fetchAndQuery[`
`510`	`510`	`// fetchWithPostFilter is like fetch, but works with lists of objects.`
`511`	`511`	`// SQL filters are much more optimal.`
`512`	`512`	`funcfetchWithPostFilter[`
`513`		`-ArgumentTypeany,`
`514`		`-ObjectType rbac.Objecter,`
`515`		`-DatabaseFuncfunc(ctx context.Context,argArgumentType) ([]ObjectType,error),`
	`513`	`+ArgumentTypeany,`
	`514`	`+ObjectType rbac.Objecter,`
	`515`	`+DatabaseFuncfunc(ctx context.Context,argArgumentType) ([]ObjectType,error),`
`516`	`516`	`](`
`517`	`517`	`authorizer rbac.Authorizer,`
`518`	`518`	`action policy.Action,`
`@@ -584,33 +584,33 @@ func (q *querier) authorizeUpdateFileTemplate(ctx context.Context, file database`
`584`	`584`
`585`	`585`	`// convertToOrganizationRoles converts a set of scoped role names to their unique`
`586`	`586`	`// scoped names.`
`587`		`-func (q*querier)convertToOrganizationRoles(organizationID uuid.UUID,names []string) ([]rbac.RoleName,error) {`
`588`		`-uniques:=make([]rbac.RoleName,0,len(names))`
	`587`	`+func (q*querier)convertToOrganizationRoles(organizationID uuid.UUID,names []string) ([]rbac.RoleIdentifier,error) {`
	`588`	`+uniques:=make([]rbac.RoleIdentifier,0,len(names))`
`589`	`589`	`for_,name:=rangenames {`
`590`	`590`	`// This check is a developer safety check. Old code might try to invoke this code path with`
`591`	`591`	`// organization id suffixes. Catch this and return a nice error so it can be fixed.`
`592`	`592`	`ifstrings.Contains(name,":") {`
`593`	`593`	`returnnil,xerrors.Errorf("attempt to assign a role %q, remove the ':<organization_id> suffix",name)`
`594`	`594`	`}`
`595`	`595`
`596`		`-uniques=append(uniques, rbac.RoleName{Name:name,OrganizationID:organizationID})`
	`596`	`+uniques=append(uniques, rbac.RoleIdentifier{Name:name,OrganizationID:organizationID})`
`597`	`597`	`}`
`598`	`598`
`599`	`599`	`returnuniques,nil`
`600`	`600`	`}`
`601`	`601`
`602`	`602`	`// convertToDeploymentRoles converts string role names into deployment wide roles.`
`603`		`-func (q*querier)convertToDeploymentRoles(names []string) []rbac.RoleName {`
`604`		`-uniques:=make([]rbac.RoleName,0,len(names))`
	`603`	`+func (q*querier)convertToDeploymentRoles(names []string) []rbac.RoleIdentifier {`
	`604`	`+uniques:=make([]rbac.RoleIdentifier,0,len(names))`
`605`	`605`	`for_,name:=rangenames {`
`606`		`-uniques=append(uniques, rbac.RoleName{Name:name})`
	`606`	`+uniques=append(uniques, rbac.RoleIdentifier{Name:name})`
`607`	`607`	`}`
`608`	`608`
`609`	`609`	`returnuniques`
`610`	`610`	`}`
`611`	`611`
`612`	`612`	`// canAssignRoles handles assigning built in and custom roles.`
`613`		`-func (qquerier)canAssignRoles(ctx context.Context,orgIDuuid.UUID,added,removed []rbac.RoleName)error {`
	`613`	`+func (qquerier)canAssignRoles(ctx context.Context,orgIDuuid.UUID,added,removed []rbac.RoleIdentifier)error {`
`614`	`614`	`actor,ok:=ActorFromContext(ctx)`
`615`	`615`	`if!ok {`
`616`	`616`	`returnNoActorError`
`@@ -624,7 +624,7 @@ func (q querier) canAssignRoles(ctx context.Context, orgID uuid.UUID, added, r`
`624`	`624`	`}`
`625`	`625`
`626`	`626`	`grantedRoles:=append(added,removed...)`
`627`		`-customRoles:=make([]rbac.RoleName,0)`
	`627`	`+customRoles:=make([]rbac.RoleIdentifier,0)`
`628`	`628`	`// Validate that the roles being assigned are valid.`
`629`	`629`	`for_,r:=rangegrantedRoles {`
`630`	`630`	`isOrgRole:=r.OrganizationID!=uuid.Nil`
`@@ -652,7 +652,7 @@ func (q querier) canAssignRoles(ctx context.Context, orgID uuid.UUID, added, r`
`652`	`652`	`}`
`653`	`653`	`}`
`654`	`654`
`655`		`-customRolesMap:=make(map[rbac.RoleName]struct{},len(customRoles))`
	`655`	`+customRolesMap:=make(map[rbac.RoleIdentifier]struct{},len(customRoles))`
`656`	`656`	`for_,r:=rangecustomRoles {`
`657`	`657`	`customRolesMap[r]=struct{}{}`
`658`	`658`	`}`
`@@ -2501,7 +2501,7 @@ func (q *querier) InsertOrganizationMember(ctx context.Context, arg database.Ins`
`2501`	`2501`
`2502`	`2502`	`// All roles are added roles. Org member is always implied.`
`2503`	`2503`	`addedRoles:=append(orgRoles,rbac.ScopedRoleOrgMember(arg.OrganizationID))`
`2504`		`-err=q.canAssignRoles(ctx,&arg.OrganizationID,addedRoles, []rbac.RoleName{})`
	`2504`	`+err=q.canAssignRoles(ctx,&arg.OrganizationID,addedRoles, []rbac.RoleIdentifier{})`
`2505`	`2505`	`iferr!=nil {`
`2506`	`2506`	`return database.OrganizationMember{},err`
`2507`	`2507`	`}`
`@@ -2587,8 +2587,8 @@ func (q *querier) InsertTemplateVersionWorkspaceTag(ctx context.Context, arg dat`
`2587`	`2587`
`2588`	`2588`	`func (q*querier)InsertUser(ctx context.Context,arg database.InsertUserParams) (database.User,error) {`
`2589`	`2589`	`// Always check if the assigned roles can actually be assigned by this actor.`
`2590`		`-impliedRoles:=append([]rbac.RoleName{rbac.RoleMember()},q.convertToDeploymentRoles(arg.RBACRoles)...)`
`2591`		`-err:=q.canAssignRoles(ctx,nil,impliedRoles, []rbac.RoleName{})`
	`2590`	`+impliedRoles:=append([]rbac.RoleIdentifier{rbac.RoleMember()},q.convertToDeploymentRoles(arg.RBACRoles)...)`
	`2591`	`+err:=q.canAssignRoles(ctx,nil,impliedRoles, []rbac.RoleIdentifier{})`
`2592`	`2592`	`iferr!=nil {`
`2593`	`2593`	`return database.User{},err`
`2594`	`2594`	`}`

`‎coderd/database/dbauthz/dbauthz_test.go`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -82,7 +82,7 @@ func TestInTX(t *testing.T) {`
`82`	`82`	`},slog.Make(),coderdtest.AccessControlStorePointer())`
`83`	`83`	`actor:= rbac.Subject{`
`84`	`84`	`ID:uuid.NewString(),`
`85`		`-Roles: rbac.RoleNames{rbac.RoleOwner()},`
	`85`	`+Roles: rbac.RoleIdentifiers{rbac.RoleOwner()},`
`86`	`86`	`Groups: []string{},`
`87`	`87`	`Scope:rbac.ScopeAll,`
`88`	`88`	`}`
`@@ -136,7 +136,7 @@ func TestDBAuthzRecursive(t *testing.T) {`
`136`	`136`	`},slog.Make(),coderdtest.AccessControlStorePointer())`
`137`	`137`	`actor:= rbac.Subject{`
`138`	`138`	`ID:uuid.NewString(),`
`139`		`-Roles: rbac.RoleNames{rbac.RoleOwner()},`
	`139`	`+Roles: rbac.RoleIdentifiers{rbac.RoleOwner()},`
`140`	`140`	`Groups: []string{},`
`141`	`141`	`Scope:rbac.ScopeAll,`
`142`	`142`	`}`

`‎coderd/database/dbauthz/setup_test.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -123,7 +123,7 @@ func (s MethodTestSuite) Subtest(testCaseF func(db database.Store, check expec`
`123`	`123`	`az:=dbauthz.New(db,rec,slog.Make(),coderdtest.AccessControlStorePointer())`
`124`	`124`	`actor:= rbac.Subject{`
`125`	`125`	`ID:testActorID.String(),`
`126`		`-Roles: rbac.RoleNames{rbac.RoleOwner()},`
	`126`	`+Roles: rbac.RoleIdentifiers{rbac.RoleOwner()},`
`127`	`127`	`Groups: []string{},`
`128`	`128`	`Scope:rbac.ScopeAll,`
`129`	`129`	`}`

`‎coderd/database/dbfake/dbfake.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ import (`
`26`	`26`
`27`	`27`	`varownerCtx=dbauthz.As(context.Background(), rbac.Subject{`
`28`	`28`	`ID:"owner",`
`29`		`-Roles:rbac.Roles(must(rbac.RoleNames{rbac.RoleOwner()}.Expand())),`
	`29`	`+Roles:rbac.Roles(must(rbac.RoleIdentifiers{rbac.RoleOwner()}.Expand())),`
`30`	`30`	`Groups: []string{},`
`31`	`31`	`Scope:rbac.ExpandableScope(rbac.ScopeAll),`
`32`	`32`	`})`

`‎coderd/database/dbgen/dbgen.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,7 @@ import (`
`33`	`33`	`// genCtx is to give all generator functions permission if the db is a dbauthz db.`
`34`	`34`	`vargenCtx=dbauthz.As(context.Background(), rbac.Subject{`
`35`	`35`	`ID:"owner",`
`36`		`-Roles:rbac.Roles(must(rbac.RoleNames{rbac.RoleOwner()}.Expand())),`
	`36`	`+Roles:rbac.Roles(must(rbac.RoleIdentifiers{rbac.RoleOwner()}.Expand())),`
`37`	`37`	`Groups: []string{},`
`38`	`38`	`Scope:rbac.ExpandableScope(rbac.ScopeAll),`
`39`	`39`	`})`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit7ee9294

File tree

30 files changed

30 files changed

`‎coderd/coderdtest/authorize.go`

`‎coderd/coderdtest/coderdtest.go`

`‎coderd/database/db2sdk/db2sdk.go`

`‎coderd/database/dbauthz/customroles_test.go`

`‎coderd/database/dbauthz/dbauthz.go`

`‎coderd/database/dbauthz/dbauthz_test.go`

`‎coderd/database/dbauthz/setup_test.go`

`‎coderd/database/dbfake/dbfake.go`

`‎coderd/database/dbgen/dbgen.go`

0 commit comments