Commite54e31e

gcp-cherry-pick-bot[bot]

and

aslilac

authored

chore: add an unassign action for roles (cherry-pick#16728) (#16791)

Cherry-picked chore: add an unassign action for roles (#16728)Co-authored-by: ケイラ <mckayla@hey.com>

1 parent32dc903 commite54e31eCopy full SHA for e54e31e

File tree

18 files changed

+214

-240

lines changed

coderd
- apidoc
  - docs.go
  - swagger.json
- database
  - dbauthz
  - queries
    - roles.sql
  - queries.sql.go
- members.go
- rbac
  - object_gen.go
  - policy
    - policy.go
  - roles.go
  - roles_test.go
codersdk
- rbacresources_gen.go
docs/reference/api
- members.md
- schemas.md
enterprise/coderd
- roles.go
site/src/api
- rbacresourcesGenerated.ts
- typesGenerated.ts

18 files changed

+214

-240

lines changed

`‎coderd/apidoc/docs.go`

Lines changed: 2 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/apidoc/swagger.json`

Lines changed: 2 additions & 0 deletions

Some generated files are not rendered by default. Learn more aboutcustomizing how changed files appear on GitHub.

`‎coderd/database/dbauthz/customroles_test.go`

Lines changed: 53 additions & 69 deletions

Original file line number	Diff line number	Diff line change
`@@ -34,11 +34,12 @@ func TestInsertCustomRoles(t *testing.T) {`
`34`	`34`	`}`
`35`	`35`	`}`
`36`	`36`
`37`		`-canAssignRole:= rbac.Role{`
	`37`	`+canCreateCustomRole:= rbac.Role{`
`38`	`38`	`Identifier: rbac.RoleIdentifier{Name:"can-assign"},`
`39`	`39`	`DisplayName:"",`
`40`	`40`	`Site:rbac.Permissions(map[string][]policy.Action{`
`41`		`-rbac.ResourceAssignRole.Type: {policy.ActionRead,policy.ActionCreate},`
	`41`	`+rbac.ResourceAssignRole.Type: {policy.ActionRead},`
	`42`	`+rbac.ResourceAssignOrgRole.Type: {policy.ActionRead,policy.ActionCreate},`
`42`	`43`	`}),`
`43`	`44`	`}`
`44`	`45`
`@@ -61,37 +62,37 @@ func TestInsertCustomRoles(t *testing.T) {`
`61`	`62`	`returnall`
`62`	`63`	`}`
`63`	`64`
`64`		`-orgID:= uuid.NullUUID{`
`65`		`-UUID:uuid.New(),`
`66`		`-Valid:true,`
`67`		`-}`
	`65`	`+orgID:=uuid.New()`
	`66`	`+`
`68`	`67`	`testCases:= []struct {`
`69`	`68`	`namestring`
`70`	`69`
`71`	`70`	`subject rbac.ExpandableRoles`
`72`	`71`
`73`	`72`	`// Perms to create on new custom role`
`74`		`-organizationID uuid.NullUUID`
	`73`	`+organizationID uuid.UUID`
`75`	`74`	`site []codersdk.Permission`
`76`	`75`	`org []codersdk.Permission`
`77`	`76`	`user []codersdk.Permission`
`78`	`77`	`errorContainsstring`
`79`	`78`	`}{`
`80`	`79`	`{`
`81`	`80`	`// No roles, so no assign role`
`82`		`-name:"no-roles",`
`83`		`-subject: rbac.RoleIdentifiers{},`
`84`		`-errorContains:"forbidden",`
	`81`	`+name:"no-roles",`
	`82`	`+organizationID:orgID,`
	`83`	`+subject: rbac.RoleIdentifiers{},`
	`84`	`+errorContains:"forbidden",`
`85`	`85`	`},`
`86`	`86`	`{`
`87`	`87`	`// This works because the new role has 0 perms`
`88`		`-name:"empty",`
`89`		`-subject:merge(canAssignRole),`
	`88`	`+name:"empty",`
	`89`	`+organizationID:orgID,`
	`90`	`+subject:merge(canCreateCustomRole),`
`90`	`91`	`},`
`91`	`92`	`{`
`92`	`93`	`name:"mixed-scopes",`
`93`		`-subject:merge(canAssignRole,rbac.RoleOwner()),`
`94`	`94`	`organizationID:orgID,`
	`95`	`+subject:merge(canCreateCustomRole,rbac.RoleOwner()),`
`95`	`96`	`site:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`96`	`97`	`codersdk.ResourceWorkspace: {codersdk.ActionRead},`
`97`	`98`	`}),`
`@@ -101,27 +102,30 @@ func TestInsertCustomRoles(t *testing.T) {`
`101`	`102`	`errorContains:"organization roles specify site or user permissions",`
`102`	`103`	`},`
`103`	`104`	`{`
`104`		`-name:"invalid-action",`
`105`		`-subject:merge(canAssignRole,rbac.RoleOwner()),`
`106`		`-site:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
	`105`	`+name:"invalid-action",`
	`106`	`+organizationID:orgID,`
	`107`	`+subject:merge(canCreateCustomRole,rbac.RoleOwner()),`
	`108`	`+org:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`107`	`109`	`// Action does not go with resource`
`108`	`110`	`codersdk.ResourceWorkspace: {codersdk.ActionViewInsights},`
`109`	`111`	`}),`
`110`	`112`	`errorContains:"invalid action",`
`111`	`113`	`},`
`112`	`114`	`{`
`113`		`-name:"invalid-resource",`
`114`		`-subject:merge(canAssignRole,rbac.RoleOwner()),`
`115`		`-site:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
	`115`	`+name:"invalid-resource",`
	`116`	`+organizationID:orgID,`
	`117`	`+subject:merge(canCreateCustomRole,rbac.RoleOwner()),`
	`118`	`+org:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`116`	`119`	`"foobar": {codersdk.ActionViewInsights},`
`117`	`120`	`}),`
`118`	`121`	`errorContains:"invalid resource",`
`119`	`122`	`},`
`120`	`123`	`{`
`121`	`124`	`// Not allowing these at this time.`
`122`		`-name:"negative-permission",`
`123`		`-subject:merge(canAssignRole,rbac.RoleOwner()),`
`124`		`-site: []codersdk.Permission{`
	`125`	`+name:"negative-permission",`
	`126`	`+organizationID:orgID,`
	`127`	`+subject:merge(canCreateCustomRole,rbac.RoleOwner()),`
	`128`	`+org: []codersdk.Permission{`
`125`	`129`	`{`
`126`	`130`	`Negate:true,`
`127`	`131`	`ResourceType:codersdk.ResourceWorkspace,`
`@@ -131,89 +135,69 @@ func TestInsertCustomRoles(t *testing.T) {`
`131`	`135`	`errorContains:"no negative permissions",`
`132`	`136`	`},`
`133`	`137`	`{`
`134`		`-name:"wildcard",// not allowed`
`135`		`-subject:merge(canAssignRole,rbac.RoleOwner()),`
`136`		`-site:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
	`138`	`+name:"wildcard",// not allowed`
	`139`	`+organizationID:orgID,`
	`140`	`+subject:merge(canCreateCustomRole,rbac.RoleOwner()),`
	`141`	`+org:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`137`	`142`	`codersdk.ResourceWorkspace: {"*"},`
`138`	`143`	`}),`
`139`	`144`	`errorContains:"no wildcard symbols",`
`140`	`145`	`},`
`141`	`146`	`// escalation checks`
`142`	`147`	`{`
`143`		`-name:"read-workspace-escalation",`
`144`		`-subject:merge(canAssignRole),`
`145`		`-site:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
	`148`	`+name:"read-workspace-escalation",`
	`149`	`+organizationID:orgID,`
	`150`	`+subject:merge(canCreateCustomRole),`
	`151`	`+org:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`146`	`152`	`codersdk.ResourceWorkspace: {codersdk.ActionRead},`
`147`	`153`	`}),`
`148`	`154`	`errorContains:"not allowed to grant this permission",`
`149`	`155`	`},`
`150`	`156`	`{`
`151`		`-name:"read-workspace-outside-org",`
`152`		`-organizationID: uuid.NullUUID{`
`153`		`-UUID:uuid.New(),`
`154`		`-Valid:true,`
`155`		`-},`
`156`		`-subject:merge(canAssignRole,rbac.ScopedRoleOrgAdmin(orgID.UUID)),`
	`157`	`+name:"read-workspace-outside-org",`
	`158`	`+organizationID:uuid.New(),`
	`159`	`+subject:merge(canCreateCustomRole,rbac.ScopedRoleOrgAdmin(orgID)),`
`157`	`160`	`org:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`158`	`161`	`codersdk.ResourceWorkspace: {codersdk.ActionRead},`
`159`	`162`	`}),`
`160`		`-errorContains:"forbidden",`
	`163`	`+errorContains:"not allowed to grant this permission",`
`161`	`164`	`},`
`162`	`165`	`{`
`163`	`166`	`name:"user-escalation",`
`164`	`167`	`// These roles do not grant user perms`
`165`		`-subject:merge(canAssignRole,rbac.ScopedRoleOrgAdmin(orgID.UUID)),`
	`168`	`+organizationID:orgID,`
	`169`	`+subject:merge(canCreateCustomRole,rbac.ScopedRoleOrgAdmin(orgID)),`
`166`	`170`	`user:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`167`	`171`	`codersdk.ResourceWorkspace: {codersdk.ActionRead},`
`168`	`172`	`}),`
`169`		`-errorContains:"not allowed to grant this permission",`
	`173`	`+errorContains:"organization roles specify site or user permissions",`
`170`	`174`	`},`
`171`	`175`	`{`
`172`		`-name:"template-admin-escalation",`
`173`		`-subject:merge(canAssignRole,rbac.RoleTemplateAdmin()),`
	`176`	`+name:"site-escalation",`
	`177`	`+organizationID:orgID,`
	`178`	`+subject:merge(canCreateCustomRole,rbac.RoleTemplateAdmin()),`
`174`	`179`	`site:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`175`		`-codersdk.ResourceWorkspace: {codersdk.ActionRead},// ok!`
`176`	`180`	`codersdk.ResourceDeploymentConfig: {codersdk.ActionUpdate},// not ok!`
`177`	`181`	`}),`
`178`		`-user:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`179`		`-codersdk.ResourceWorkspace: {codersdk.ActionRead},// ok!`
`180`		`-}),`
`181`		`-errorContains:"deployment_config",`
	`182`	`+errorContains:"organization roles specify site or user permissions",`
`182`	`183`	`},`
`183`	`184`	`// ok!`
`184`	`185`	`{`
`185`		`-name:"read-workspace-template-admin",`
`186`		`-subject:merge(canAssignRole,rbac.RoleTemplateAdmin()),`
`187`		`-site:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
	`186`	`+name:"read-workspace-template-admin",`
	`187`	`+organizationID:orgID,`
	`188`	`+subject:merge(canCreateCustomRole,rbac.RoleTemplateAdmin()),`
	`189`	`+org:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`188`	`190`	`codersdk.ResourceWorkspace: {codersdk.ActionRead},`
`189`	`191`	`}),`
`190`	`192`	`},`
`191`	`193`	`{`
`192`	`194`	`name:"read-workspace-in-org",`
`193`		`-subject:merge(canAssignRole,rbac.ScopedRoleOrgAdmin(orgID.UUID)),`
`194`	`195`	`organizationID:orgID,`
	`196`	`+subject:merge(canCreateCustomRole,rbac.ScopedRoleOrgAdmin(orgID)),`
`195`	`197`	`org:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`196`	`198`	`codersdk.ResourceWorkspace: {codersdk.ActionRead},`
`197`	`199`	`}),`
`198`	`200`	`},`
`199`		`-{`
`200`		`-name:"user-perms",`
`201`		`-// This is weird, but is ok`
`202`		`-subject:merge(canAssignRole,rbac.RoleMember()),`
`203`		`-user:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`204`		`-codersdk.ResourceWorkspace: {codersdk.ActionRead},`
`205`		`-}),`
`206`		`-},`
`207`		`-{`
`208`		`-name:"site+user-perms",`
`209`		`-subject:merge(canAssignRole,rbac.RoleMember(),rbac.RoleTemplateAdmin()),`
`210`		`-site:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`211`		`-codersdk.ResourceWorkspace: {codersdk.ActionRead},`
`212`		`-}),`
`213`		`-user:codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{`
`214`		`-codersdk.ResourceWorkspace: {codersdk.ActionRead},`
`215`		`-}),`
`216`		`-},`
`217`	`201`	`}`
`218`	`202`
`219`	`203`	`for_,tc:=rangetestCases {`
`@@ -234,7 +218,7 @@ func TestInsertCustomRoles(t *testing.T) {`
`234`	`218`	`_,err:=az.InsertCustomRole(ctx, database.InsertCustomRoleParams{`
`235`	`219`	`Name:"test-role",`
`236`	`220`	`DisplayName:"",`
`237`		`-OrganizationID:tc.organizationID,`
	`221`	`+OrganizationID:uuid.NullUUID{UUID:tc.organizationID,Valid:true},`
`238`	`222`	`SitePermissions:db2sdk.List(tc.site,convertSDKPerm),`
`239`	`223`	`OrgPermissions:db2sdk.List(tc.org,convertSDKPerm),`
`240`	`224`	`UserPermissions:db2sdk.List(tc.user,convertSDKPerm),`
`@@ -249,11 +233,11 @@ func TestInsertCustomRoles(t *testing.T) {`
`249`	`233`	`LookupRoles: []database.NameOrganizationPair{`
`250`	`234`	`{`
`251`	`235`	`Name:"test-role",`
`252`		`-OrganizationID:tc.organizationID.UUID,`
	`236`	`+OrganizationID:tc.organizationID,`
`253`	`237`	`},`
`254`	`238`	`},`
`255`	`239`	`ExcludeOrgRoles:false,`
`256`		`-OrganizationID: uuid.UUID{},`
	`240`	`+OrganizationID:uuid.Nil,`
`257`	`241`	`})`
`258`	`242`	`require.NoError(t,err)`
`259`	`243`	`require.Len(t,roles,1)`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commite54e31e

File tree

18 files changed

18 files changed

`‎coderd/apidoc/docs.go`

`‎coderd/apidoc/swagger.json`

`‎coderd/database/dbauthz/customroles_test.go`

0 commit comments