NotificationsYou must be signed in to change notification settings
Fork1k
Star11.1k

Commit8f62311

authored

chore: remove organization_id suffix from org_member roles in database (#13473)

Organization member's table is already scoped to an organization.Rolename should avoid having the org_id appended.Wipes all existing organization role assignments, which should not be used anyway.

1 parentfade8ba commit8f62311Copy full SHA for 8f62311

File tree

38 files changed

+200

-118

lines changed

cli
- server_createadminuser.go
- server_createadminuser_test.go
coderd
- apidoc
  - docs.go
  - swagger.json
- authorize_test.go
- batchstats
  - batcher_internal_test.go
- coderdtest
  - coderdtest.go
- database
  - db2sdk
    - db2sdk.go
  - dbauthz
  - dbmem
    - dbmem.go
  - dump.sql
  - migrations
    - 000215_scoped_org_db_roles.down.sql
    - 000215_scoped_org_db_roles.up.sql
  - queries.sql.go
  - queries
    - users.sql
- httpmw
  - authorize_test.go
  - organizationparam_test.go
- members.go
- organizations.go
- rbac
- roles_test.go
- users_test.go
codersdk
- roles.go
docs/api
enterprise/coderd
site/src/api
- typesGenerated.ts

38 files changed

+200

-118

lines changed

`‎cli/server_createadminuser.go‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -222,7 +222,7 @@ func (r RootCmd) newCreateAdminUserCommand() serpent.Command {`
`222`	`222`	`UserID:newUser.ID,`
`223`	`223`	`CreatedAt:dbtime.Now(),`
`224`	`224`	`UpdatedAt:dbtime.Now(),`
`225`		`-Roles: []string{rbac.RoleOrgAdmin(org.ID)},`
	`225`	`+Roles: []string{rbac.ScopedRoleOrgAdmin(org.ID)},`
`226`	`226`	`})`
`227`	`227`	`iferr!=nil {`
`228`	`228`	`returnxerrors.Errorf("insert organization member: %w",err)`

`‎cli/server_createadminuser_test.go‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -71,7 +71,7 @@ func TestServerCreateAdminUser(t *testing.T) {`
`71`	`71`	`orgIDs2:=make(map[uuid.UUID]struct{},len(orgMemberships))`
`72`	`72`	`for_,membership:=rangeorgMemberships {`
`73`	`73`	`orgIDs2[membership.OrganizationID]=struct{}{}`
`74`		`-assert.Equal(t, []string{rbac.RoleOrgAdmin(membership.OrganizationID)},membership.Roles,"user is not org admin")`
	`74`	`+assert.Equal(t, []string{rbac.ScopedRoleOrgAdmin(membership.OrganizationID)},membership.Roles,"user is not org admin")`
`75`	`75`	`}`
`76`	`76`
`77`	`77`	`require.Equal(t,orgIDs,orgIDs2,"user is not in all orgs")`

`‎coderd/apidoc/docs.go‎`

Lines changed: 3 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apidoc/swagger.json‎`

Lines changed: 3 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/authorize_test.go‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,7 @@ func TestCheckPermissions(t *testing.T) {`
`27`	`27`	`memberClient,_:=coderdtest.CreateAnotherUser(t,adminClient,adminUser.OrganizationID)`
`28`	`28`	`memberUser,err:=memberClient.User(ctx,codersdk.Me)`
`29`	`29`	`require.NoError(t,err)`
`30`		`-orgAdminClient,_:=coderdtest.CreateAnotherUser(t,adminClient,adminUser.OrganizationID,rbac.RoleOrgAdmin(adminUser.OrganizationID))`
	`30`	`+orgAdminClient,_:=coderdtest.CreateAnotherUser(t,adminClient,adminUser.OrganizationID,rbac.ScopedRoleOrgAdmin(adminUser.OrganizationID))`
`31`	`31`	`orgAdminUser,err:=orgAdminClient.User(ctx,codersdk.Me)`
`32`	`32`	`require.NoError(t,err)`
`33`	`33`

`‎coderd/batchstats/batcher_internal_test.go‎`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -177,7 +177,7 @@ func setupDeps(t *testing.T, store database.Store, ps pubsub.Pubsub) deps {`
`177`	`177`	`_,err:=store.InsertOrganizationMember(context.Background(), database.InsertOrganizationMemberParams{`
`178`	`178`	`OrganizationID:org.ID,`
`179`	`179`	`UserID:user.ID,`
`180`		`-Roles: []string{rbac.RoleOrgMember(org.ID)},`
	`180`	`+Roles: []string{rbac.ScopedRoleOrgMember(org.ID)},`
`181`	`181`	`})`
`182`	`182`	`require.NoError(t,err)`
`183`	`183`	`tv:=dbgen.TemplateVersion(t,store, database.TemplateVersion{`

`‎coderd/coderdtest/coderdtest.go‎`

Lines changed: 4 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -663,6 +663,7 @@ func CreateFirstUser(t testing.TB, client *codersdk.Client) codersdk.CreateFirst`
`663`	`663`	`}`
`664`	`664`
`665`	`665`	`// CreateAnotherUser creates and authenticates a new user.`
	`666`	`+// Roles can include org scoped roles with 'roleName:<organization_id>'`
`666`	`667`	`funcCreateAnotherUser(t testing.TB,clientcodersdk.Client,organizationID uuid.UUID,roles...string) (codersdk.Client, codersdk.User) {`
`667`	`668`	`returncreateAnotherUserRetry(t,client,organizationID,5,roles)`
`668`	`669`	`}`
`@@ -680,7 +681,7 @@ func AuthzUserSubject(user codersdk.User, orgID uuid.UUID) rbac.Subject {`
`680`	`681`	`roles=append(roles,r.Name)`
`681`	`682`	`}`
`682`	`683`	`// We assume only 1 org exists`
`683`		`-roles=append(roles,rbac.RoleOrgMember(orgID))`
	`684`	`+roles=append(roles,rbac.ScopedRoleOrgMember(orgID))`
`684`	`685`
`685`	`686`	`return rbac.Subject{`
`686`	`687`	`ID:user.ID.String(),`
`@@ -754,6 +755,8 @@ func createAnotherUserRetry(t testing.TB, client *codersdk.Client, organizationI`
`754`	`755`	`for_,roleName:=rangeroles {`
`755`	`756`	`roleName:=roleName`
`756`	`757`	`orgID,ok:=rbac.IsOrgRole(roleName)`
	`758`	`+roleName,_,err=rbac.RoleSplit(roleName)`
	`759`	`+require.NoError(t,err,"split org role name")`
`757`	`760`	`ifok {`
`758`	`761`	`orgRoles[orgID]=append(orgRoles[orgID],roleName)`
`759`	`762`	`}else {`

`‎coderd/database/db2sdk/db2sdk.go‎`

Lines changed: 13 additions & 7 deletions

Original file line number	Diff line number	Diff line change
`@@ -204,13 +204,6 @@ func Group(group database.Group, members []database.User) codersdk.Group {`
`204`	`204`	`}`
`205`	`205`	`}`
`206`	`206`
`207`		`-funcSlimRole(role rbac.Role) codersdk.SlimRole {`
`208`		`-return codersdk.SlimRole{`
`209`		`-DisplayName:role.DisplayName,`
`210`		`-Name:role.Name,`
`211`		`-}`
`212`		`-}`
`213`		`-`
`214`	`207`	`funcTemplateInsightsParameters(parameterRows []database.GetTemplateParameterInsightsRow) ([]codersdk.TemplateParameterUsage,error) {`
`215`	`208`	`// Use a stable sort, similarly to how we would sort in the query, note that`
`216`	`209`	`// we don't sort in the query because order varies depending on the table`
`@@ -525,6 +518,19 @@ func ProvisionerDaemon(dbDaemon database.ProvisionerDaemon) codersdk.Provisioner`
`525`	`518`	`returnresult`
`526`	`519`	`}`
`527`	`520`
	`521`	`+funcSlimRole(role rbac.Role) codersdk.SlimRole {`
	`522`	`+roleName,orgIDStr,err:=rbac.RoleSplit(role.Name)`
	`523`	`+iferr!=nil {`
	`524`	`+roleName=role.Name`
	`525`	`+}`
	`526`	`+`
	`527`	`+return codersdk.SlimRole{`
	`528`	`+DisplayName:role.DisplayName,`
	`529`	`+Name:roleName,`
	`530`	`+OrganizationID:orgIDStr,`
	`531`	`+}`
	`532`	`+}`
	`533`	`+`
`528`	`534`	`funcRBACRole(role rbac.Role) codersdk.Role {`
`529`	`535`	`roleName,orgIDStr,err:=rbac.RoleSplit(role.Name)`
`530`	`536`	`iferr!=nil {`

`‎coderd/database/dbauthz/customroles_test.go‎`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -153,7 +153,7 @@ func TestUpsertCustomRoles(t *testing.T) {`
`153`	`153`	`UUID:uuid.New(),`
`154`	`154`	`Valid:true,`
`155`	`155`	`},`
`156`		`-subject:merge(canAssignRole,rbac.RoleOrgAdmin(orgID.UUID)),`
	`156`	`+subject:merge(canAssignRole,rbac.ScopedRoleOrgAdmin(orgID.UUID)),`
`157`	`157`	`org:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`158`	`158`	`codersdk.ResourceWorkspace: {codersdk.ActionRead},`
`159`	`159`	`}),`
`@@ -162,7 +162,7 @@ func TestUpsertCustomRoles(t *testing.T) {`
`162`	`162`	`{`
`163`	`163`	`name:"user-escalation",`
`164`	`164`	`// These roles do not grant user perms`
`165`		`-subject:merge(canAssignRole,rbac.RoleOrgAdmin(orgID.UUID)),`
	`165`	`+subject:merge(canAssignRole,rbac.ScopedRoleOrgAdmin(orgID.UUID)),`
`166`	`166`	`user:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`167`	`167`	`codersdk.ResourceWorkspace: {codersdk.ActionRead},`
`168`	`168`	`}),`
`@@ -190,7 +190,7 @@ func TestUpsertCustomRoles(t *testing.T) {`
`190`	`190`	`},`
`191`	`191`	`{`
`192`	`192`	`name:"read-workspace-in-org",`
`193`		`-subject:merge(canAssignRole,rbac.RoleOrgAdmin(orgID.UUID)),`
	`193`	`+subject:merge(canAssignRole,rbac.ScopedRoleOrgAdmin(orgID.UUID)),`
`194`	`194`	`organizationID:orgID,`
`195`	`195`	`org:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`196`	`196`	`codersdk.ResourceWorkspace: {codersdk.ActionRead},`

`‎coderd/database/dbauthz/dbauthz.go‎`

Lines changed: 16 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -2472,7 +2472,7 @@ func (q *querier) InsertOrganization(ctx context.Context, arg database.InsertOrg`
`2472`	`2472`
`2473`	`2473`	`func (q*querier)InsertOrganizationMember(ctx context.Context,arg database.InsertOrganizationMemberParams) (database.OrganizationMember,error) {`
`2474`	`2474`	`// All roles are added roles. Org member is always implied.`
`2475`		`-addedRoles:=append(arg.Roles,rbac.RoleOrgMember(arg.OrganizationID))`
	`2475`	`+addedRoles:=append(arg.Roles,rbac.ScopedRoleOrgMember(arg.OrganizationID))`
`2476`	`2476`	`err:=q.canAssignRoles(ctx,&arg.OrganizationID,addedRoles, []string{})`
`2477`	`2477`	`iferr!=nil {`
`2478`	`2478`	`return database.OrganizationMember{},err`
`@@ -2847,8 +2847,22 @@ func (q *querier) UpdateMemberRoles(ctx context.Context, arg database.UpdateMemb`
`2847`	`2847`	`return database.OrganizationMember{},err`
`2848`	`2848`	`}`
`2849`	`2849`
	`2850`	`+// The 'rbac' package expects role names to be scoped.`
	`2851`	`+// Convert the argument roles for validation.`
	`2852`	`+scopedGranted:=make([]string,0,len(arg.GrantedRoles))`
	`2853`	`+for_,grantedRole:=rangearg.GrantedRoles {`
	`2854`	`+// This check is a developer safety check. Old code might try to invoke this code path with`
	`2855`	`+// organization id suffixes. Catch this and return a nice error so it can be fixed.`
	`2856`	`+_,foundOrg,_:=rbac.RoleSplit(grantedRole)`
	`2857`	`+iffoundOrg!="" {`
	`2858`	`+return database.OrganizationMember{},xerrors.Errorf("attempt to assign a role %q, remove the ':<organization_id> suffix",grantedRole)`
	`2859`	`+}`
	`2860`	`+`
	`2861`	`+scopedGranted=append(scopedGranted,rbac.RoleName(grantedRole,arg.OrgID.String()))`
	`2862`	`+}`
	`2863`	`+`
`2850`	`2864`	`// The org member role is always implied.`
`2851`		`-impliedTypes:=append(arg.GrantedRoles,rbac.RoleOrgMember(arg.OrgID))`
	`2865`	`+impliedTypes:=append(scopedGranted,rbac.ScopedRoleOrgMember(arg.OrgID))`
`2852`	`2866`	`added,removed:=rbac.ChangeRoleSet(member.Roles,impliedTypes)`
`2853`	`2867`	`err=q.canAssignRoles(ctx,&arg.OrgID,added,removed)`
`2854`	`2868`	`iferr!=nil {`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit8f62311

File tree

38 files changed

38 files changed

`‎cli/server_createadminuser.go‎`

`‎cli/server_createadminuser_test.go‎`

`‎coderd/apidoc/docs.go‎`

`‎coderd/apidoc/swagger.json‎`

`‎coderd/authorize_test.go‎`

`‎coderd/batchstats/batcher_internal_test.go‎`

`‎coderd/coderdtest/coderdtest.go‎`

`‎coderd/database/db2sdk/db2sdk.go‎`

`‎coderd/database/dbauthz/customroles_test.go‎`

`‎coderd/database/dbauthz/dbauthz.go‎`

0 commit comments