NotificationsYou must be signed in to change notification settings
Fork927
Star10.1k

chore: implement deleting custom roles#14101

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Jump to bottom

Merged

Emyrk merged 9 commits intomainfromstevenmasley/delete_role

Aug 7, 2024

Merged

chore: implement deleting custom roles#14101

Emyrk merged 9 commits intomainfromstevenmasley/delete_role

Aug 7, 2024

Conversation

Copy link

Member

Emyrk commentedAug 1, 2024•
edited
Loading

When deleting a custom role, the role can still be assigned to a user.

github-actionsbot assignedEmyrk

Aug 1, 2024

Emyrk mentioned this pull request

Aug 1, 2024

chore: refactor patch custom organization route to live in enterprise#14099

Merged

Copy link

MemberAuthor

Emyrk commentedAug 1, 2024•
edited
Loading

This stack of pull requests is managed by Graphite.Learn more about stacking.

Join@Emyrk and the rest of your teammates onGraphite

Emyrk force-pushed thestevenmasley/delete_role branch from31f7fe5 tocb91471Compare

August 1, 2024 20:07

Emyrk force-pushed thestevenmasley/org_role_routes branch from43cbd73 to938634dCompare

August 2, 2024 19:42

Emyrk force-pushed thestevenmasley/delete_role branch fromcb91471 to9225eb1Compare

August 2, 2024 20:16

Base automatically changed fromstevenmasley/org_role_routes tomain

August 5, 2024 18:42

Emyrk force-pushed thestevenmasley/delete_role branch from9225eb1 to2aa9875Compare

August 6, 2024 16:57

Emyrk marked this pull request as ready for review

August 6, 2024 19:22

jaaydenh reviewed

Aug 6, 2024

View reviewed changes

coderd/apidoc/docs.go OutdatedShow resolvedHide resolved

Emyrk force-pushed thestevenmasley/delete_role branch from9d2a42f tof4739c9Compare

August 6, 2024 19:41

Emyrk requested a review fromf0ssel

August 6, 2024 19:54

aslilac approved these changes

Aug 6, 2024

View reviewed changes

Copy link

Member

aslilac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

lgtm!

enterprise/coderd/roles.go Outdated

Comment on lines 166 to 170

		OrganizationID: organization.ID,
		},
		},
		ExcludeOrgRoles: false,
		OrganizationID: organization.ID,

Copy link

Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

weird duplication ofOrganizationID 🤔

Copy link

MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Yea, it actually is not necessary, but we have a linter that makes you fill out all fields in a struct. This felt more intuitive that doinguuid.Nil. But you have to do something, or the linter yells at you 😢

Copy link

Contributor

f0sselAug 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

tldr on why this field can't be removed?

enterprise/coderd/roles.go

		httpapi.InternalServerError(rw, err)
		return
		}
		aReq.New = database.CustomRole{}

Copy link

Member

aslilacAug 6, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

clever 😄

f0ssel approved these changes

Aug 7, 2024

View reviewed changes

coderd/database/dbauthz/dbauthz.go OutdatedShow resolvedHide resolved

coderd/database/dbauthz/dbauthz_test.go OutdatedShow resolvedHide resolved

coderd/database/migrations/000240_delete_user_roles.up.sql Outdated

Comment on lines 1 to 35

		-- When a custom role is deleted, we need to remove the assigned role
		-- from all organization members that have it.
		-- This action cannot be reverted, so deleting a custom role should be
		-- done with caution.
		CREATE OR REPLACE FUNCTION remove_organization_member_role()
		RETURNS TRIGGER AS
		$$
		BEGIN
		-- Delete the role from all organization members that have it.
		-- TODO: When site wide custom roles are supported, if the
		--organization_id is null, we should remove the role from the 'users'
		--table instead.
		IF OLD.organization_id IS NOT NULL THEN
		UPDATE organization_members
		-- this is a noop if the role is not assigned to the member
		SET roles = array_remove(roles, OLD.name)
		WHERE
		-- Scope to the correct organization
		organization_members.organization_id = OLD.organization_id;
		END IF;
		RETURN OLD;
		END;
		$$ LANGUAGE plpgsql;


		-- Attach the function to deleting the custom role
		CREATE TRIGGER remove_organization_member_custom_role
		BEFORE DELETE ON custom_roles FOR EACH ROW
		EXECUTE PROCEDURE remove_organization_member_role();


		COMMENT ON TRIGGER
		remove_organization_member_custom_role
		ON custom_roles IS
		'When a custom_role is deleted, this trigger removes the role from all organization members.';

Copy link

Contributor

f0sselAug 7, 2024•
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I generally prefer this logic to live in app code in some sort of helper function, probably in a tx. I don't think this has to be changed here since I'm not sure how the team at large feels about this kind of design, but wanted to point out that I think it's easier to follow execution flow and also easier to update the behavior as well since changing this behavior now requires knowledge of sql triggers.

I see the benefits from a data integrity standpoint. Does this serve as some sort of performance advantage as well?

Copy link

MemberAuthor

EmyrkAug 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Yea, I generally agree with you. In this case the data integrity is a security critical thing though.

Currently when making a new custom_role, you have to have a superset of the permissions to make it. So you cannot make a role that has greater privilege than yourself.

You could imagine a scenario where a role is created with a small set of perms, then deleted. Then a new role is created with the same name that has more permissions, and because a user had the old role, they are granted this new one.

At present, this would be less malicious, and more likely a mistake based on our roles, but the problem still remains.

So essentially, I choose the trigger as a security guarantee. We have some prior art for this for deletinguser api keys.

A golang helper function just feels less safe imo.

enterprise/coderd/roles.go Outdated

Comment on lines 166 to 170

		OrganizationID: organization.ID,
		},
		},
		ExcludeOrgRoles: false,
		OrganizationID: organization.ID,

Copy link

Contributor

f0sselAug 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

tldr on why this field can't be removed?

enterprise/coderd/roles_test.goShow resolvedHide resolved

Emyrk added9 commits

August 7, 2024 12:20

chore: implement deleting custom roles

6a140af

add trigger to delete role from organization members on delete

cff829b

update dbauthz test

19ca988

add to unit test

9063675

add pg comment

6b0ac00

typo

817bb4b

add unit test for site wide custom role deletE

5033ee8

chore: add comments to explain populated field

3b9790a

bump migration

e8f57fe

Emyrk force-pushed thestevenmasley/delete_role branch frome72061a toe8f57feCompare

August 7, 2024 17:21

Copy link

MemberAuthor

Emyrk commentedAug 7, 2024

tldr on why this field can't be removed?

We have a linter that requires all struct fields be explicitly set. So you could putuuid.Nil and it would still work, just felt like it might confuse someone else to see auuid.Nil 🤷‍♂️