Jun 7, 2024 · Jun 6, 2024 · Jun 6, 2024 · Jun 6, 2024 · Jun 7, 2024 · Jun 7, 2024
diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go
diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json
diff --git a/coderd/audit/diff.go b/coderd/audit/diff.go
 database.AuditOAuthConvertState |
 database.HealthSettings |
 database.OAuth2ProviderApp |
 database.OAuth2ProviderAppSecret
 database.OAuth2ProviderAppSecret |
 database.CustomRole
 }

 // Map is a map of changed fields in an audited resource. It maps field names to
diff --git a/coderd/audit/request.go b/coderd/audit/request.go
 return typed.Name
 case database.OAuth2ProviderAppSecret:
 return typed.DisplaySecret
 case database.CustomRole:
 return typed.Name
 default:
 panic(fmt.Sprintf("unknown resource %T for ResourceTarget", tgt))
 }
 return typed.ID
 case database.OAuth2ProviderAppSecret:
 return typed.ID
 case database.CustomRole:
 return typed.ID
 default:
 panic(fmt.Sprintf("unknown resource %T for ResourceID", tgt))
 }
 return database.ResourceTypeOauth2ProviderApp
 case database.OAuth2ProviderAppSecret:
 return database.ResourceTypeOauth2ProviderAppSecret
 case database.CustomRole:
 return database.ResourceTypeCustomRole
 default:
 panic(fmt.Sprintf("unknown resource %T for ResourceType", typed))
 }
 return false
 case database.OAuth2ProviderAppSecret:
 return false
 case database.CustomRole:
 return true
 default:
 panic(fmt.Sprintf("unknown resource %T for ResourceRequiresOrgID", tgt))
 }
diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go
 roleName, _, err = rbac.RoleSplit(roleName)
 require.NoError(t, err, "split org role name")
 if ok {
 roleName, _, err = rbac.RoleSplit(roleName)
 require.NoError(t, err, "split rolename")
 orgRoles[orgID] = append(orgRoles[orgID], roleName)
 } else {
 siteRoles = append(siteRoles, roleName)
diff --git a/coderd/database/dbauthz/customroles_test.go b/coderd/database/dbauthz/customroles_test.go
 } else {
 require.NoError(t, err)

 // Verifywe can fetchtherole
 // Verifythe role is fetched withthelookup filter.
 roles, err := az.CustomRoles(ctx, database.CustomRolesParams{
 LookupRoles: []database.NameOrganizationPair{
 {
diff --git a/coderd/database/dbmem/dbmem.go b/coderd/database/dbmem/dbmem.go
 }

 role := database.CustomRole{
 ID:              uuid.New(),
 Name:            arg.Name,
 DisplayName:     arg.DisplayName,
 OrganizationID:  arg.OrganizationID,
diff --git a/coderd/database/dump.sql b/coderd/database/dump.sql
diff --git a/coderd/database/migrations/000218_org_custom_role_audit.down.sql b/coderd/database/migrations/000218_org_custom_role_audit.down.sql
 DROP INDEX idx_custom_roles_id;
 ALTER TABLE custom_roles DROP COLUMN id;
diff --git a/coderd/database/migrations/000218_org_custom_role_audit.up.sql b/coderd/database/migrations/000218_org_custom_role_audit.up.sql
 -- (name) is the primary key, this column is almost exclusively for auditing.
 -- Audit logs require a uuid as the unique identifier for a resource.
 ALTER TABLE custom_roles ADD COLUMN id uuid DEFAULT gen_random_uuid() NOT NULL;
 COMMENT ON COLUMN custom_roles.id IS 'Custom roles ID is used purely for auditing purposes. Name is a better unique identifier.';

 -- Ensure unique uuids.
 CREATE INDEX idx_custom_roles_id ON custom_roles (id);
 ALTER TYPE resource_type ADD VALUE IF NOT EXISTS 'custom_role';
diff --git a/coderd/database/models.go b/coderd/database/models.go
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
diff --git a/coderd/roles.go b/coderd/roles.go
 // roles. Ideally only included in the enterprise package, but the routes are
 // intermixed with AGPL endpoints.
 type CustomRoleHandler interface {
 PatchOrganizationRole(ctx context.Context,db database.Store, rwhttp.ResponseWriter, orgID uuid.UUID, role codersdk.Role) (codersdk.Role, bool)
 PatchOrganizationRole(ctx context.Context,rw http.ResponseWriter, r *http.Request, orgID uuid.UUID, role codersdk.Role) (codersdk.Role, bool)
 }

 type agplCustomRoleHandler struct{}

 func (agplCustomRoleHandler) PatchOrganizationRole(ctx context.Context,_ database.Store, rwhttp.ResponseWriter, _ uuid.UUID, _ codersdk.Role) (codersdk.Role, bool) {
 func (agplCustomRoleHandler) PatchOrganizationRole(ctx context.Context,rw http.ResponseWriter, _ *http.Request, _ uuid.UUID, _ codersdk.Role) (codersdk.Role, bool) {
 httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
 Message: "Creating and updating custom roles is an Enterprise feature. Contact sales!",
 })
 return
 }

 updated, ok := handler.PatchOrganizationRole(ctx,api.Database, rw, organization.ID, req)
 updated, ok := handler.PatchOrganizationRole(ctx,rw, r, organization.ID, req)
 if !ok {
 return
 }
diff --git a/codersdk/audit.go b/codersdk/audit.go
 ResourceTypeOAuth2ProviderApp ResourceType = "oauth2_provider_app"
 // nolint:gosec // This is not a secret.
 ResourceTypeOAuth2ProviderAppSecret ResourceType = "oauth2_provider_app_secret"
 ResourceTypeCustomRole              ResourceType = "custom_role"
 )

 func (r ResourceType) FriendlyString() string {
 return "oauth2 app"
 case ResourceTypeOAuth2ProviderAppSecret:
 return "oauth2 app secret"
 case ResourceTypeCustomRole:
 return "custom role"
 default:
 return "unknown"
 }
Original file line number	Diff line number	Diff line change
Expand Up		@@ -21,7 +21,8 @@ type Auditable interface {
		database.AuditOAuthConvertState \|
		database.HealthSettings \|
		database.OAuth2ProviderApp \|
		database.OAuth2ProviderAppSecret
		database.OAuth2ProviderAppSecret \|
		database.CustomRole
		}

		// Map is a map of changed fields in an audited resource. It maps field names to
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -103,6 +103,8 @@ func ResourceTarget[T Auditable](tgt T) string {
		return typed.Name
		case database.OAuth2ProviderAppSecret:
		return typed.DisplaySecret
		case database.CustomRole:
		return typed.Name
		default:
		panic(fmt.Sprintf("unknown resource %T for ResourceTarget", tgt))
		}
Expand DownExpand Up		@@ -140,6 +142,8 @@ func ResourceID[T Auditable](tgt T) uuid.UUID {
		return typed.ID
		case database.OAuth2ProviderAppSecret:
		return typed.ID
		case database.CustomRole:
		return typed.ID
		default:
		panic(fmt.Sprintf("unknown resource %T for ResourceID", tgt))
		}
Expand DownExpand Up		@@ -175,6 +179,8 @@ func ResourceType[T Auditable](tgt T) database.ResourceType {
		return database.ResourceTypeOauth2ProviderApp
		case database.OAuth2ProviderAppSecret:
		return database.ResourceTypeOauth2ProviderAppSecret
		case database.CustomRole:
		return database.ResourceTypeCustomRole
		default:
		panic(fmt.Sprintf("unknown resource %T for ResourceType", typed))
		}
Expand DownExpand Up		@@ -211,6 +217,8 @@ func ResourceRequiresOrgID[T Auditable]() bool {
		return false
		case database.OAuth2ProviderAppSecret:
		return false
		case database.CustomRole:
		return true
		default:
		panic(fmt.Sprintf("unknown resource %T for ResourceRequiresOrgID", tgt))
		}
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -758,6 +758,8 @@ func createAnotherUserRetry(t testing.TB, client *codersdk.Client, organizationI
		roleName, _, err = rbac.RoleSplit(roleName)
		require.NoError(t, err, "split org role name")
		if ok {
		roleName, _, err = rbac.RoleSplit(roleName)
		require.NoError(t, err, "split rolename")
		orgRoles[orgID] = append(orgRoles[orgID], roleName)
		} else {
		siteRoles = append(siteRoles, roleName)
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -244,7 +244,7 @@ func TestUpsertCustomRoles(t *testing.T) {
		} else {
		require.NoError(t, err)

		// Verifywe can fetchtherole
		// Verifythe role is fetched withthelookup filter.
		roles, err := az.CustomRoles(ctx, database.CustomRolesParams{
		LookupRoles: []database.NameOrganizationPair{
		{
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -8415,6 +8415,7 @@ func (q *FakeQuerier) UpsertCustomRole(_ context.Context, arg database.UpsertCus
		}

		role := database.CustomRole{
		ID: uuid.New(),
		Name: arg.Name,
		DisplayName: arg.DisplayName,
		OrganizationID: arg.OrganizationID,
Expand Down
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		DROP INDEX idx_custom_roles_id;
		ALTER TABLE custom_roles DROP COLUMN id;
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,8 @@
		-- (name) is the primary key, this column is almost exclusively for auditing.
		-- Audit logs require a uuid as the unique identifier for a resource.
		ALTER TABLE custom_roles ADD COLUMN id uuid DEFAULT gen_random_uuid() NOT NULL;
		COMMENT ON COLUMN custom_roles.id IS 'Custom roles ID is used purely for auditing purposes. Name is a better unique identifier.';

		-- Ensure unique uuids.
		CREATE INDEX idx_custom_roles_id ON custom_roles (id);
		ALTER TYPE resource_type ADD VALUE IF NOT EXISTS 'custom_role';
Original file line number	Diff line number	Diff line change
Expand Up		@@ -20,12 +20,12 @@ import (
		// roles. Ideally only included in the enterprise package, but the routes are
		// intermixed with AGPL endpoints.
		type CustomRoleHandler interface {
		PatchOrganizationRole(ctx context.Context,db database.Store, rwhttp.ResponseWriter, orgID uuid.UUID, role codersdk.Role) (codersdk.Role, bool)
		PatchOrganizationRole(ctx context.Context,rw http.ResponseWriter, r *http.Request, orgID uuid.UUID, role codersdk.Role) (codersdk.Role, bool)
		}

		type agplCustomRoleHandler struct{}

		func (agplCustomRoleHandler) PatchOrganizationRole(ctx context.Context,_ database.Store, rwhttp.ResponseWriter, _ uuid.UUID, _ codersdk.Role) (codersdk.Role, bool) {
		func (agplCustomRoleHandler) PatchOrganizationRole(ctx context.Context,rw http.ResponseWriter, _ *http.Request, _ uuid.UUID, _ codersdk.Role) (codersdk.Role, bool) {
		httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
		Message: "Creating and updating custom roles is an Enterprise feature. Contact sales!",
		})
Expand DownExpand Up		@@ -54,7 +54,7 @@ func (api API) patchOrgRoles(rw http.ResponseWriter, r http.Request) {
		return
		}

		updated, ok := handler.PatchOrganizationRole(ctx,api.Database, rw, organization.ID, req)
		updated, ok := handler.PatchOrganizationRole(ctx,rw, r, organization.ID, req)
		if !ok {
		return
		}
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -30,6 +30,7 @@ const (
		ResourceTypeOAuth2ProviderApp ResourceType = "oauth2_provider_app"
		// nolint:gosec // This is not a secret.
		ResourceTypeOAuth2ProviderAppSecret ResourceType = "oauth2_provider_app_secret"
		ResourceTypeCustomRole ResourceType = "custom_role"
		)

		func (r ResourceType) FriendlyString() string {
Expand DownExpand Up		@@ -66,6 +67,8 @@ func (r ResourceType) FriendlyString() string {
		return "oauth2 app"
		case ResourceTypeOAuth2ProviderAppSecret:
		return "oauth2 app secret"
		case ResourceTypeCustomRole:
		return "custom role"
		default:
		return "unknown"
		}
Expand Down