NotificationsYou must be signed in to change notification settings
Fork927
Star10.1k

Commitcc87a0c

authored

feat: Implied 'member' roles for site and organization (#1917)

* feat: Member roles are implied and never exlpicitly added* Rename "GetAllUserRoles" to "GetAuthorizationRoles"* feat: Add migration to remove implied roles* rename user auth role middleware

1 parent2878346 commitcc87a0cCopy full SHA for cc87a0c

File tree

21 files changed

+131

-115

lines changed

coderd
- authorize.go
- coderdtest
  - coderdtest.go
- database
  - databasefake
    - databasefake.go
  - migrations
    - 000016_drop_member_roles.down.sql
    - 000016_drop_member_roles.up.sql
  - querier.go
  - queries
    - users.sql
  - queries.sql.go
- httpmw
- members.go
- organizations.go
- rbac
  - builtin.go
  - role.go
- roles.go
- roles_test.go
- users.go
- users_test.go
- workspaces_test.go
codersdk
- users.go

21 files changed

+131

-115

lines changed

`‎coderd/authorize.go`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -13,12 +13,12 @@ import (`
`13`	`13`	`)`
`14`	`14`
`15`	`15`	`funcAuthorizeFilter[O rbac.Objecter](apiAPI,rhttp.Request,action rbac.Action,objects []O) []O {`
`16`		`-roles:=httpmw.UserRoles(r)`
	`16`	`+roles:=httpmw.AuthorizationUserRoles(r)`
`17`	`17`	`returnrbac.Filter(r.Context(),api.Authorizer,roles.ID.String(),roles.Roles,action,objects)`
`18`	`18`	`}`
`19`	`19`
`20`	`20`	`func (apiAPI)Authorize(rw http.ResponseWriter,rhttp.Request,action rbac.Action,object rbac.Objecter)bool {`
`21`		`-roles:=httpmw.UserRoles(r)`
	`21`	`+roles:=httpmw.AuthorizationUserRoles(r)`
`22`	`22`	`err:=api.Authorizer.ByRoleName(r.Context(),roles.ID.String(),roles.Roles,action,object.RBACObject())`
`23`	`23`	`iferr!=nil {`
`24`	`24`	`httpapi.Write(rw,http.StatusForbidden, httpapi.Response{`

`‎coderd/coderdtest/coderdtest.go`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -281,7 +281,7 @@ func CreateAnotherUser(t testing.T, client codersdk.Client, organizationID uui`
`281`	`281`	`organizationID,err:=uuid.Parse(orgID)`
`282`	`282`	`require.NoError(t,err,fmt.Sprintf("parse org id %q",orgID))`
`283`	`283`	`_,err=client.UpdateOrganizationMemberRoles(context.Background(),organizationID,user.ID.String(),`
`284`		`-codersdk.UpdateRoles{Roles:append(roles,rbac.RoleOrgMember(organizationID))})`
	`284`	`+codersdk.UpdateRoles{Roles:roles})`
`285`	`285`	`require.NoError(t,err,"update org membership roles")`
`286`	`286`	`}`
`287`	`287`	`}`

`‎coderd/database/databasefake/databasefake.go`

Lines changed: 5 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -276,7 +276,7 @@ func (q *fakeQuerier) GetUsersByIDs(_ context.Context, ids []uuid.UUID) ([]datab`
`276`	`276`	`returnusers,nil`
`277`	`277`	`}`
`278`	`278`
`279`		`-func (q*fakeQuerier)GetAllUserRoles(_ context.Context,userID uuid.UUID) (database.GetAllUserRolesRow,error) {`
	`279`	`+func (q*fakeQuerier)GetAuthorizationUserRoles(_ context.Context,userID uuid.UUID) (database.GetAuthorizationUserRolesRow,error) {`
`280`	`280`	`q.mutex.RLock()`
`281`	`281`	`deferq.mutex.RUnlock()`
`282`	`282`
`@@ -286,6 +286,7 @@ func (q *fakeQuerier) GetAllUserRoles(_ context.Context, userID uuid.UUID) (data`
`286`	`286`	`ifu.ID==userID {`
`287`	`287`	`u:=u`
`288`	`288`	`roles=append(roles,u.RBACRoles...)`
	`289`	`+roles=append(roles,"member")`
`289`	`290`	`user=&u`
`290`	`291`	`break`
`291`	`292`	`}`
`@@ -294,14 +295,15 @@ func (q *fakeQuerier) GetAllUserRoles(_ context.Context, userID uuid.UUID) (data`
`294`	`295`	`for_,mem:=rangeq.organizationMembers {`
`295`	`296`	`ifmem.UserID==userID {`
`296`	`297`	`roles=append(roles,mem.Roles...)`
	`298`	`+roles=append(roles,"organization-member:"+mem.OrganizationID.String())`
`297`	`299`	`}`
`298`	`300`	`}`
`299`	`301`
`300`	`302`	`ifuser==nil {`
`301`		`-return database.GetAllUserRolesRow{},sql.ErrNoRows`
	`303`	`+return database.GetAuthorizationUserRolesRow{},sql.ErrNoRows`
`302`	`304`	`}`
`303`	`305`
`304`		`-return database.GetAllUserRolesRow{`
	`306`	`+return database.GetAuthorizationUserRolesRow{`
`305`	`307`	`ID:userID,`
`306`	`308`	`Username:user.Username,`
`307`	`309`	`Status:user.Status,`

`‎coderd/database/migrations/000016_drop_member_roles.down.sql`

Lines changed: 11 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,11 @@`
	`1`	`+--- Remove the now implied 'member' role.`
	`2`	`+UPDATE`
	`3`	`+users`
	`4`	`+SET`
	`5`	`+rbac_roles= array_append(rbac_roles,'member');`
	`6`	`+`
	`7`	`+--- Remove the now implied 'organization-member' role.`
	`8`	`+UPDATE`
	`9`	`+organization_members`
	`10`	`+SET`
	`11`	`+roles= array_append(roles,'organization-member:'\|\|organization_id::text);`

`‎coderd/database/migrations/000016_drop_member_roles.up.sql`

Lines changed: 11 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,11 @@`
	`1`	`+--- Remove the now implied 'member' role.`
	`2`	`+UPDATE`
	`3`	`+users`
	`4`	`+SET`
	`5`	`+rbac_roles= array_remove(rbac_roles,'member');`
	`6`	`+`
	`7`	`+--- Remove the now implied 'organization-member' role.`
	`8`	`+UPDATE`
	`9`	`+organization_members`
	`10`	`+SET`
	`11`	`+roles= array_remove(roles,'organization-member:'\|\|organization_id::text);`

`‎coderd/database/querier.go`

Lines changed: 3 additions & 1 deletion

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/queries.sql.go`

Lines changed: 17 additions & 9 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/queries/users.sql`

Lines changed: 13 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -134,12 +134,20 @@ WHERE`
`134`	`134`	`id= $1 RETURNING*;`
`135`	`135`
`136`	`136`
`137`		`--- name: GetAllUserRoles :one`
	`137`	`+-- name: GetAuthorizationUserRoles :one`
	`138`	`+-- This function returns roles for authorization purposes. Implied member roles`
	`139`	`+-- are included.`
`138`	`140`	`SELECT`
`139`		`--- username is returned just to help for logging purposes`
`140`		`--- status is used to enforce 'suspended' users, as all roles are ignored`
`141`		`---when suspended.`
`142`		`-id, username, status, array_cat(users.rbac_roles,organization_members.roles) ::text[]AS roles`
	`141`	`+-- username is returned just to help for logging purposes`
	`142`	`+-- status is used to enforce 'suspended' users, as all roles are ignored`
	`143`	`+--when suspended.`
	`144`	`+id, username, status,`
	`145`	`+array_cat(`
	`146`	`+-- All users are members`
	`147`	`+array_append(users.rbac_roles,'member'),`
	`148`	`+-- All org_members get the org-member role for their orgs`
	`149`	`+array_append(organization_members.roles,'organization-member:'\|\|organization_members.organization_id::text)) ::text[]`
	`150`	`+AS roles`
`143`	`151`	`FROM`
`144`	`152`	`users`
`145`	`153`	`LEFT JOIN organization_members`

`‎coderd/httpmw/apikey.go`

Lines changed: 14 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,19 @@ func APIKey(r *http.Request) database.APIKey {`
`31`	`31`	`returnapiKey`
`32`	`32`	`}`
`33`	`33`
	`34`	`+// User roles are the 'subject' field of Authorize()`
	`35`	`+typeuserRolesKeystruct{}`
	`36`	`+`
	`37`	`+// AuthorizationUserRoles returns the roles used for authorization.`
	`38`	`+// Comes from the ExtractAPIKey handler.`
	`39`	`+funcAuthorizationUserRoles(r*http.Request) database.GetAuthorizationUserRolesRow {`
	`40`	`+apiKey,ok:=r.Context().Value(userRolesKey{}).(database.GetAuthorizationUserRolesRow)`
	`41`	`+if!ok {`
	`42`	`+panic("developer error: user roles middleware not provided")`
	`43`	`+}`
	`44`	`+returnapiKey`
	`45`	`+}`
	`46`	`+`
`34`	`47`	`// OAuth2Configs is a collection of configurations for OAuth-based authentication.`
`35`	`48`	`// This should be extended to support other authentication types in the future.`
`36`	`49`	`typeOAuth2Configsstruct {`
`@@ -178,7 +191,7 @@ func ExtractAPIKey(db database.Store, oauth *OAuth2Configs) func(http.Handler) h`
`178`	`191`	`// If the key is valid, we also fetch the user roles and status.`
`179`	`192`	`// The roles are used for RBAC authorize checks, and the status`
`180`	`193`	`// is to block 'suspended' users from accessing the platform.`
`181`		`-roles,err:=db.GetAllUserRoles(r.Context(),key.UserID)`
	`194`	`+roles,err:=db.GetAuthorizationUserRoles(r.Context(),key.UserID)`
`182`	`195`	`iferr!=nil {`
`183`	`196`	`httpapi.Write(rw,http.StatusUnauthorized, httpapi.Response{`
`184`	`197`	`Message:"roles not found",`

`‎coderd/httpmw/authorize.go`

Lines changed: 0 additions & 40 deletions

This file was deleted.

`‎coderd/httpmw/authorize_test.go`

Lines changed: 8 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -31,23 +31,23 @@ func TestExtractUserRoles(t *testing.T) {`
`31`	`31`	`{`
`32`	`32`	`Name:"Member",`
`33`	`33`	`AddUser:func(db database.Store) (database.User, []string,string) {`
`34`		`-roles:= []string{rbac.RoleMember()}`
	`34`	`+roles:= []string{}`
`35`	`35`	`user,token:=addUser(t,db,roles...)`
`36`		`-returnuser,roles,token`
	`36`	`+returnuser,append(roles,rbac.RoleMember()),token`
`37`	`37`	`},`
`38`	`38`	`},`
`39`	`39`	`{`
`40`	`40`	`Name:"Admin",`
`41`	`41`	`AddUser:func(db database.Store) (database.User, []string,string) {`
`42`		`-roles:= []string{rbac.RoleMember(),rbac.RoleAdmin()}`
	`42`	`+roles:= []string{rbac.RoleAdmin()}`
`43`	`43`	`user,token:=addUser(t,db,roles...)`
`44`		`-returnuser,roles,token`
	`44`	`+returnuser,append(roles,rbac.RoleMember()),token`
`45`	`45`	`},`
`46`	`46`	`},`
`47`	`47`	`{`
`48`	`48`	`Name:"OrgMember",`
`49`	`49`	`AddUser:func(db database.Store) (database.User, []string,string) {`
`50`		`-roles:= []string{rbac.RoleMember()}`
	`50`	`+roles:= []string{}`
`51`	`51`	`user,token:=addUser(t,db,roles...)`
`52`	`52`	`org,err:=db.InsertOrganization(context.Background(), database.InsertOrganizationParams{`
`53`	`53`	`ID:uuid.New(),`
`@@ -58,7 +58,7 @@ func TestExtractUserRoles(t *testing.T) {`
`58`	`58`	`})`
`59`	`59`	`require.NoError(t,err)`
`60`	`60`
`61`		`-orgRoles:= []string{rbac.RoleOrgMember(org.ID)}`
	`61`	`+orgRoles:= []string{}`
`62`	`62`	`_,err=db.InsertOrganizationMember(context.Background(), database.InsertOrganizationMemberParams{`
`63`	`63`	`OrganizationID:org.ID,`
`64`	`64`	`UserID:user.ID,`
`@@ -67,7 +67,7 @@ func TestExtractUserRoles(t *testing.T) {`
`67`	`67`	`Roles:orgRoles,`
`68`	`68`	`})`
`69`	`69`	`require.NoError(t,err)`
`70`		`-returnuser,append(roles,orgRoles...),token`
	`70`	`+returnuser,append(roles,append(orgRoles,rbac.RoleMember(),rbac.RoleOrgMember(org.ID))...),token`
`71`	`71`	`},`
`72`	`72`	`},`
`73`	`73`	`}`
`@@ -86,7 +86,7 @@ func TestExtractUserRoles(t *testing.T) {`
`86`	`86`	`httpmw.ExtractAPIKey(db,&httpmw.OAuth2Configs{}),`
`87`	`87`	`)`
`88`	`88`	`rtr.Get("/",func(_ http.ResponseWriter,r*http.Request) {`
`89`		`-roles:=httpmw.UserRoles(r)`
	`89`	`+roles:=httpmw.AuthorizationUserRoles(r)`
`90`	`90`	`require.ElementsMatch(t,user.ID,roles.ID)`
`91`	`91`	`require.ElementsMatch(t,expRoles,roles.Roles)`
`92`	`92`	`})`

`‎coderd/members.go`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,9 @@ func (api API) putMemberRoles(rw http.ResponseWriter, r http.Request) {`
`34`	`34`	`return`
`35`	`35`	`}`
`36`	`36`
`37`		`-added,removed:=rbac.ChangeRoleSet(member.Roles,params.Roles)`
	`37`	`+// The org-member role is always implied.`
	`38`	`+impliedTypes:=append(params.Roles,rbac.RoleOrgMember(organization.ID))`
	`39`	`+added,removed:=rbac.ChangeRoleSet(member.Roles,impliedTypes)`
`38`	`40`	`for_,roleName:=rangeadded {`
`39`	`41`	`// Assigning a role requires the create permission.`
`40`	`42`	`if!api.Authorize(rw,r,rbac.ActionCreate,rbac.ResourceOrgRoleAssignment.WithID(roleName).InOrg(organization.ID)) {`

`‎coderd/organizations.go`

Lines changed: 1 addition & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -73,13 +73,11 @@ func (api API) postOrganizations(rw http.ResponseWriter, r http.Request) {`
`73`	`73`	`CreatedAt:database.Now(),`
`74`	`74`	`UpdatedAt:database.Now(),`
`75`	`75`	`Roles: []string{`
`76`		`-// Also assign member role incase they get demoted from admin`
`77`		`-rbac.RoleOrgMember(organization.ID),`
`78`	`76`	`rbac.RoleOrgAdmin(organization.ID),`
`79`	`77`	`},`
`80`	`78`	`})`
`81`	`79`	`iferr!=nil {`
`82`		`-returnxerrors.Errorf("create organizationmember: %w",err)`
	`80`	`+returnxerrors.Errorf("create organizationadmin: %w",err)`
`83`	`81`	`}`
`84`	`82`	`returnnil`
`85`	`83`	`})`

`‎coderd/rbac/builtin.go`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ var (`
`63`	`63`	`member:func(_string)Role {`
`64`	`64`	`returnRole{`
`65`	`65`	`Name:member,`
`66`		`-DisplayName:"Member",`
	`66`	`+DisplayName:"",`
`67`	`67`	`Site:permissions(map[Object][]Action{`
`68`	`68`	`// All users can read all other users and know they exist.`
`69`	`69`	`ResourceUser: {ActionRead},`
`@@ -116,7 +116,7 @@ var (`
`116`	`116`	`orgMember:func(organizationIDstring)Role {`
`117`	`117`	`returnRole{`
`118`	`118`	`Name:roleName(orgMember,organizationID),`
`119`		`-DisplayName:"Organization Member",`
	`119`	`+DisplayName:"",`
`120`	`120`	`Org:map[string][]Permission{`
`121`	`121`	`organizationID: {`
`122`	`122`	`{`

`‎coderd/rbac/role.go`

Lines changed: 3 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,9 @@ type Permission struct {`
`17`	`17`	`// Users of this package should instead only use the role names, and`
`18`	`18`	`// this package will expand the role names into their json payloads.`
`19`	`19`	`typeRolestruct {`
`20`		-Namestring`json:"name"`
	`20`	+Namestring`json:"name"`
	`21`	`+// DisplayName is used for UI purposes. If the role has no display name,`
	`22`	`+// that means the UI should never display it.`
`21`	`23`	DisplayNamestring`json:"display_name"`
`22`	`24`	Site []Permission`json:"site"`
`23`	`25`	`// Org is a map of orgid to permissions. We represent orgid as a string.`

`‎coderd/roles.go`

Lines changed: 5 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@ func (api API) checkPermissions(rw http.ResponseWriter, r http.Request) {`
`45`	`45`	`}`
`46`	`46`
`47`	`47`	`// use the roles of the user specified, not the person making the request.`
`48`		`-roles,err:=api.Database.GetAllUserRoles(r.Context(),user.ID)`
	`48`	`+roles,err:=api.Database.GetAuthorizationUserRoles(r.Context(),user.ID)`
`49`	`49`	`iferr!=nil {`
`50`	`50`	`httpapi.Forbidden(rw)`
`51`	`51`	`return`
`@@ -91,6 +91,10 @@ func convertRole(role rbac.Role) codersdk.Role {`
`91`	`91`	`funcconvertRoles(roles []rbac.Role) []codersdk.Role {`
`92`	`92`	`converted:=make([]codersdk.Role,0,len(roles))`
`93`	`93`	`for_,role:=rangeroles {`
	`94`	`+// Roles without display names should never be shown to the ui.`
	`95`	`+ifrole.DisplayName=="" {`
	`96`	`+continue`
	`97`	`+}`
`94`	`98`	`converted=append(converted,convertRole(role))`
`95`	`99`	`}`
`96`	`100`	`returnconverted`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitcc87a0c

File tree

21 files changed

21 files changed

`‎coderd/authorize.go`

`‎coderd/coderdtest/coderdtest.go`

`‎coderd/database/databasefake/databasefake.go`

`‎coderd/database/migrations/000016_drop_member_roles.down.sql`

`‎coderd/database/migrations/000016_drop_member_roles.up.sql`

`‎coderd/database/querier.go`

`‎coderd/database/queries.sql.go`

`‎coderd/database/queries/users.sql`

`‎coderd/httpmw/apikey.go`

`‎coderd/httpmw/authorize.go`

`‎coderd/httpmw/authorize_test.go`

`‎coderd/members.go`

`‎coderd/organizations.go`

`‎coderd/rbac/builtin.go`

`‎coderd/rbac/role.go`

`‎coderd/roles.go`

0 commit comments