NotificationsYou must be signed in to change notification settings
Fork1.1k
Star11.6k

Commit91a4a98

authored

chore: add an unassign action for roles (#16728)

1 parentbf5b002 commit91a4a98Copy full SHA for 91a4a98

File tree

18 files changed

+214

-240

lines changed

coderd
- apidoc
  - docs.go
  - swagger.json
- database
  - dbauthz
  - queries.sql.go
  - queries
    - roles.sql
- members.go
- rbac
  - object_gen.go
  - policy
    - policy.go
  - roles.go
  - roles_test.go
codersdk
- rbacresources_gen.go
docs/reference/api
- members.md
- schemas.md
enterprise/coderd
- roles.go
site/src/api
- rbacresourcesGenerated.ts
- typesGenerated.ts

18 files changed

+214

-240

lines changed

`‎coderd/apidoc/docs.go‎`

Lines changed: 2 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apidoc/swagger.json‎`

Lines changed: 2 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/dbauthz/customroles_test.go‎`

Lines changed: 53 additions & 69 deletions

Original file line number	Diff line number	Diff line change
`@@ -34,11 +34,12 @@ func TestInsertCustomRoles(t *testing.T) {`
`34`	`34`	`}`
`35`	`35`	`}`
`36`	`36`
`37`		`-canAssignRole:= rbac.Role{`
	`37`	`+canCreateCustomRole:= rbac.Role{`
`38`	`38`	`Identifier: rbac.RoleIdentifier{Name:"can-assign"},`
`39`	`39`	`DisplayName:"",`
`40`	`40`	`Site:rbac.Permissions(map[string][]policy.Action{`
`41`		`-rbac.ResourceAssignRole.Type: {policy.ActionRead,policy.ActionCreate},`
	`41`	`+rbac.ResourceAssignRole.Type: {policy.ActionRead},`
	`42`	`+rbac.ResourceAssignOrgRole.Type: {policy.ActionRead,policy.ActionCreate},`
`42`	`43`	`}),`
`43`	`44`	`}`
`44`	`45`
`@@ -61,37 +62,37 @@ func TestInsertCustomRoles(t *testing.T) {`
`61`	`62`	`returnall`
`62`	`63`	`}`
`63`	`64`
`64`		`-orgID:= uuid.NullUUID{`
`65`		`-UUID:uuid.New(),`
`66`		`-Valid:true,`
`67`		`-}`
	`65`	`+orgID:=uuid.New()`
	`66`	`+`
`68`	`67`	`testCases:= []struct {`
`69`	`68`	`namestring`
`70`	`69`
`71`	`70`	`subject rbac.ExpandableRoles`
`72`	`71`
`73`	`72`	`// Perms to create on new custom role`
`74`		`-organizationID uuid.NullUUID`
	`73`	`+organizationID uuid.UUID`
`75`	`74`	`site []codersdk.Permission`
`76`	`75`	`org []codersdk.Permission`
`77`	`76`	`user []codersdk.Permission`
`78`	`77`	`errorContainsstring`
`79`	`78`	`}{`
`80`	`79`	`{`
`81`	`80`	`// No roles, so no assign role`
`82`		`-name:"no-roles",`
`83`		`-subject: rbac.RoleIdentifiers{},`
`84`		`-errorContains:"forbidden",`
	`81`	`+name:"no-roles",`
	`82`	`+organizationID:orgID,`
	`83`	`+subject: rbac.RoleIdentifiers{},`
	`84`	`+errorContains:"forbidden",`
`85`	`85`	`},`
`86`	`86`	`{`
`87`	`87`	`// This works because the new role has 0 perms`
`88`		`-name:"empty",`
`89`		`-subject:merge(canAssignRole),`
	`88`	`+name:"empty",`
	`89`	`+organizationID:orgID,`
	`90`	`+subject:merge(canCreateCustomRole),`
`90`	`91`	`},`
`91`	`92`	`{`
`92`	`93`	`name:"mixed-scopes",`
`93`		`-subject:merge(canAssignRole,rbac.RoleOwner()),`
`94`	`94`	`organizationID:orgID,`
	`95`	`+subject:merge(canCreateCustomRole,rbac.RoleOwner()),`
`95`	`96`	`site:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`96`	`97`	`codersdk.ResourceWorkspace: {codersdk.ActionRead},`
`97`	`98`	`}),`
`@@ -101,27 +102,30 @@ func TestInsertCustomRoles(t *testing.T) {`
`101`	`102`	`errorContains:"organization roles specify site or user permissions",`
`102`	`103`	`},`
`103`	`104`	`{`
`104`		`-name:"invalid-action",`
`105`		`-subject:merge(canAssignRole,rbac.RoleOwner()),`
`106`		`-site:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
	`105`	`+name:"invalid-action",`
	`106`	`+organizationID:orgID,`
	`107`	`+subject:merge(canCreateCustomRole,rbac.RoleOwner()),`
	`108`	`+org:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`107`	`109`	`// Action does not go with resource`
`108`	`110`	`codersdk.ResourceWorkspace: {codersdk.ActionViewInsights},`
`109`	`111`	`}),`
`110`	`112`	`errorContains:"invalid action",`
`111`	`113`	`},`
`112`	`114`	`{`
`113`		`-name:"invalid-resource",`
`114`		`-subject:merge(canAssignRole,rbac.RoleOwner()),`
`115`		`-site:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
	`115`	`+name:"invalid-resource",`
	`116`	`+organizationID:orgID,`
	`117`	`+subject:merge(canCreateCustomRole,rbac.RoleOwner()),`
	`118`	`+org:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`116`	`119`	`"foobar": {codersdk.ActionViewInsights},`
`117`	`120`	`}),`
`118`	`121`	`errorContains:"invalid resource",`
`119`	`122`	`},`
`120`	`123`	`{`
`121`	`124`	`// Not allowing these at this time.`
`122`		`-name:"negative-permission",`
`123`		`-subject:merge(canAssignRole,rbac.RoleOwner()),`
`124`		`-site: []codersdk.Permission{`
	`125`	`+name:"negative-permission",`
	`126`	`+organizationID:orgID,`
	`127`	`+subject:merge(canCreateCustomRole,rbac.RoleOwner()),`
	`128`	`+org: []codersdk.Permission{`
`125`	`129`	`{`
`126`	`130`	`Negate:true,`
`127`	`131`	`ResourceType:codersdk.ResourceWorkspace,`
`@@ -131,89 +135,69 @@ func TestInsertCustomRoles(t *testing.T) {`
`131`	`135`	`errorContains:"no negative permissions",`
`132`	`136`	`},`
`133`	`137`	`{`
`134`		`-name:"wildcard",// not allowed`
`135`		`-subject:merge(canAssignRole,rbac.RoleOwner()),`
`136`		`-site:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
	`138`	`+name:"wildcard",// not allowed`
	`139`	`+organizationID:orgID,`
	`140`	`+subject:merge(canCreateCustomRole,rbac.RoleOwner()),`
	`141`	`+org:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`137`	`142`	`codersdk.ResourceWorkspace: {"*"},`
`138`	`143`	`}),`
`139`	`144`	`errorContains:"no wildcard symbols",`
`140`	`145`	`},`
`141`	`146`	`// escalation checks`
`142`	`147`	`{`
`143`		`-name:"read-workspace-escalation",`
`144`		`-subject:merge(canAssignRole),`
`145`		`-site:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
	`148`	`+name:"read-workspace-escalation",`
	`149`	`+organizationID:orgID,`
	`150`	`+subject:merge(canCreateCustomRole),`
	`151`	`+org:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`146`	`152`	`codersdk.ResourceWorkspace: {codersdk.ActionRead},`
`147`	`153`	`}),`
`148`	`154`	`errorContains:"not allowed to grant this permission",`
`149`	`155`	`},`
`150`	`156`	`{`
`151`		`-name:"read-workspace-outside-org",`
`152`		`-organizationID: uuid.NullUUID{`
`153`		`-UUID:uuid.New(),`
`154`		`-Valid:true,`
`155`		`-},`
`156`		`-subject:merge(canAssignRole,rbac.ScopedRoleOrgAdmin(orgID.UUID)),`
	`157`	`+name:"read-workspace-outside-org",`
	`158`	`+organizationID:uuid.New(),`
	`159`	`+subject:merge(canCreateCustomRole,rbac.ScopedRoleOrgAdmin(orgID)),`
`157`	`160`	`org:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`158`	`161`	`codersdk.ResourceWorkspace: {codersdk.ActionRead},`
`159`	`162`	`}),`
`160`		`-errorContains:"forbidden",`
	`163`	`+errorContains:"not allowed to grant this permission",`
`161`	`164`	`},`
`162`	`165`	`{`
`163`	`166`	`name:"user-escalation",`
`164`	`167`	`// These roles do not grant user perms`
`165`		`-subject:merge(canAssignRole,rbac.ScopedRoleOrgAdmin(orgID.UUID)),`
	`168`	`+organizationID:orgID,`
	`169`	`+subject:merge(canCreateCustomRole,rbac.ScopedRoleOrgAdmin(orgID)),`
`166`	`170`	`user:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`167`	`171`	`codersdk.ResourceWorkspace: {codersdk.ActionRead},`
`168`	`172`	`}),`
`169`		`-errorContains:"not allowed to grant this permission",`
	`173`	`+errorContains:"organization roles specify site or user permissions",`
`170`	`174`	`},`
`171`	`175`	`{`
`172`		`-name:"template-admin-escalation",`
`173`		`-subject:merge(canAssignRole,rbac.RoleTemplateAdmin()),`
	`176`	`+name:"site-escalation",`
	`177`	`+organizationID:orgID,`
	`178`	`+subject:merge(canCreateCustomRole,rbac.RoleTemplateAdmin()),`
`174`	`179`	`site:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`175`		`-codersdk.ResourceWorkspace: {codersdk.ActionRead},// ok!`
`176`	`180`	`codersdk.ResourceDeploymentConfig: {codersdk.ActionUpdate},// not ok!`
`177`	`181`	`}),`
`178`		`-user:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`179`		`-codersdk.ResourceWorkspace: {codersdk.ActionRead},// ok!`
`180`		`-}),`
`181`		`-errorContains:"deployment_config",`
	`182`	`+errorContains:"organization roles specify site or user permissions",`
`182`	`183`	`},`
`183`	`184`	`// ok!`
`184`	`185`	`{`
`185`		`-name:"read-workspace-template-admin",`
`186`		`-subject:merge(canAssignRole,rbac.RoleTemplateAdmin()),`
`187`		`-site:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
	`186`	`+name:"read-workspace-template-admin",`
	`187`	`+organizationID:orgID,`
	`188`	`+subject:merge(canCreateCustomRole,rbac.RoleTemplateAdmin()),`
	`189`	`+org:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`188`	`190`	`codersdk.ResourceWorkspace: {codersdk.ActionRead},`
`189`	`191`	`}),`
`190`	`192`	`},`
`191`	`193`	`{`
`192`	`194`	`name:"read-workspace-in-org",`
`193`		`-subject:merge(canAssignRole,rbac.ScopedRoleOrgAdmin(orgID.UUID)),`
`194`	`195`	`organizationID:orgID,`
	`196`	`+subject:merge(canCreateCustomRole,rbac.ScopedRoleOrgAdmin(orgID)),`
`195`	`197`	`org:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`196`	`198`	`codersdk.ResourceWorkspace: {codersdk.ActionRead},`
`197`	`199`	`}),`
`198`	`200`	`},`
`199`		`-{`
`200`		`-name:"user-perms",`
`201`		`-// This is weird, but is ok`
`202`		`-subject:merge(canAssignRole,rbac.RoleMember()),`
`203`		`-user:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`204`		`-codersdk.ResourceWorkspace: {codersdk.ActionRead},`
`205`		`-}),`
`206`		`-},`
`207`		`-{`
`208`		`-name:"site+user-perms",`
`209`		`-subject:merge(canAssignRole,rbac.RoleMember(),rbac.RoleTemplateAdmin()),`
`210`		`-site:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`211`		`-codersdk.ResourceWorkspace: {codersdk.ActionRead},`
`212`		`-}),`
`213`		`-user:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`214`		`-codersdk.ResourceWorkspace: {codersdk.ActionRead},`
`215`		`-}),`
`216`		`-},`
`217`	`201`	`}`
`218`	`202`
`219`	`203`	`for_,tc:=rangetestCases {`
`@@ -234,7 +218,7 @@ func TestInsertCustomRoles(t *testing.T) {`
`234`	`218`	`_,err:=az.InsertCustomRole(ctx, database.InsertCustomRoleParams{`
`235`	`219`	`Name:"test-role",`
`236`	`220`	`DisplayName:"",`
`237`		`-OrganizationID:tc.organizationID,`
	`221`	`+OrganizationID:uuid.NullUUID{UUID:tc.organizationID,Valid:true},`
`238`	`222`	`SitePermissions:db2sdk.List(tc.site,convertSDKPerm),`
`239`	`223`	`OrgPermissions:db2sdk.List(tc.org,convertSDKPerm),`
`240`	`224`	`UserPermissions:db2sdk.List(tc.user,convertSDKPerm),`
`@@ -249,11 +233,11 @@ func TestInsertCustomRoles(t *testing.T) {`
`249`	`233`	`LookupRoles: []database.NameOrganizationPair{`
`250`	`234`	`{`
`251`	`235`	`Name:"test-role",`
`252`		`-OrganizationID:tc.organizationID.UUID,`
	`236`	`+OrganizationID:tc.organizationID,`
`253`	`237`	`},`
`254`	`238`	`},`
`255`	`239`	`ExcludeOrgRoles:false,`
`256`		`-OrganizationID: uuid.UUID{},`
	`240`	`+OrganizationID:uuid.Nil,`
`257`	`241`	`})`
`258`	`242`	`require.NoError(t,err)`
`259`	`243`	`require.Len(t,roles,1)`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit91a4a98

File tree

18 files changed

18 files changed

`‎coderd/apidoc/docs.go‎`

`‎coderd/apidoc/swagger.json‎`

`‎coderd/database/dbauthz/customroles_test.go‎`

0 commit comments