8000 chore: add an unassign action for roles (cherry-pick #16728) (#16791) · lloydchang/coder-coder@e54e31e · GitHub
[go: up one dir, main page]
Skip to content

Commit e54e31e

Browse files
gcp-cherry-pick-bot[bot]aslilac
gcp-cherry-pick-bot[bot]
and
aslilac
authored
chore: add an unassign action for roles (cherry-pick coder#16728) (coder#16791)
Cherry-picked chore: add an unassign action for roles (coder#16728) Co-authored-by: ケイラ <mckayla@hey.com>
1 parent 32dc903 commit e54e31e

File tree

18 files changed

+214
-240
lines changed
  • codersdk
  • docs/reference/api
  • enterprise/coderd
  • site/src/api

    • 18 files changed

    +214
    -240
    lines changed

    coderd/apidoc/docs.go

    Lines changed: 2 additions & 0 deletions
    Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

    coderd/apidoc/swagger.json

    Lines changed: 2 additions & 0 deletions
    Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

    coderd/database/dbauthz/customroles_test.go

    Lines changed: 53 additions & 69 deletions
    Original file line numberDiff line numberDiff line change
    @@ -34,11 +34,12 @@ func TestInsertCustomRoles(t *testing.T) {
    3434
    }
    3535
    }
    3636

    37-
    canAssignRole := rbac.Role{
    37+
    canCreateCustomRole := rbac.Role{
    3838
    Identifier: rbac.RoleIdentifier{Name: "can-assign"},
    3939
    DisplayName: "",
    4040
    Site: rbac.Permissions(map[string][]policy.Action{
    41-
    rbac.ResourceAssignRole.Type: {policy.ActionRead, policy.ActionCreate},
    41+
    rbac.ResourceAssignRole.Type: {policy.ActionRead},
    42+
    rbac.ResourceAssignOrgRole.Type: {policy.ActionRead, policy.ActionCreate},
    4243
    }),
    4344
    }
    4445

    @@ -61,37 +62,37 @@ func TestInsertCustomRoles(t *testing.T) {
    6162
    return all
    6263
    }
    6364

    64-
    orgID := uuid.NullUUID{
    65-
    UUID: uuid.New(),
    66-
    Valid: true,
    67-
    }
    65+
    orgID := uuid.New()
    66+
    6867
    testCases := []struct {
    6968
    name string
    7069

    7170
    subject rbac.ExpandableRoles
    7271

    7372
    // Perms to create on new custom role
    74-
    organizationID uuid.NullUUID
    73+
    organizationID uuid.UUID
    7574
    site []codersdk.Permission
    7675
    org []codersdk.Permission
    7776
    user []codersdk.Permission
    7877
    errorContains string
    7978
    }{
    8079
    {
    8180
    // No roles, so no assign role
    82-
    name: "no-roles",
    83-
    subject: rbac.RoleIdentifiers{},
    84-
    errorContains: "forbidden",
    81+
    name: "no-roles",
    82+
    organizationID: orgID,
    83+
    subject: rbac.RoleIdentifiers{},
    84+
    errorContains: "forbidden",
    8585
    },
    8686
    {
    8787
    // This works because the new role has 0 perms
    88-
    name: "empty",
    89-
    subject: merge(canAssignRole),
    88+
    name: "empty",
    89+
    organizationID: orgID,
    90+
    subject: merge(canCreateCustomRole),
    9091
    },
    9192
    {
    9293
    name: "mixed-scopes",
    93-
    subject: merge(canAssignRole, rbac.RoleOwner()),
    9494
    organizationID: orgID,
    95+
    subject: merge(canCreateCustomRole, rbac.RoleOwner()),
    9596
    site: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
    9697
    codersdk.ResourceWorkspace: {codersdk.ActionRead},
    9798
    }),
    @@ -101,27 +102,30 @@ func TestInsertCustomRoles(t *testing.T) {
    101102
    errorContains: "organization roles specify site or user permissions",
    102103
    },
    103104
    {
    104-
    name: "invalid-action",
    105-
    subject: merge(canAssignRole, rbac.RoleOwner()),
    106-
    site: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
    105+
    name: "invalid-action",
    106+
    organizationID: orgID,
    107+
    subject: merge(canCreateCustomRole, rbac.RoleOwner()),
    108+
    org: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
    107109
    // Action does not go with resource
    108110
    codersdk.ResourceWorkspace: {codersdk.ActionViewInsights},
    109111
    }),
    110112
    errorContains: "invalid action",
    111113
    },
    112114
    {
    113-
    name: "invalid-resource",
    114-
    subject: merge(canAssignRole, rbac.RoleOwner()),
    115-
    site: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
    115+
    name: "invalid-resource",
    116+
    organizationID: orgID,
    117+
    subject: merge(canCreateCustomRole, rbac.RoleOwner()),
    118+
    org: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
    116119
    "foobar": {codersdk.ActionViewInsights},
    117120
    }),
    118121
    errorContains: "invalid resource",
    119122
    },
    120123
    {
    121124
    // Not allowing these at this time.
    122-
    name: "negative-permission",
    123-
    subject: merge(canAssignRole, rbac.RoleOwner()),
    124-
    site: []codersdk.Permission{
    125+
    name: "negative-permission",
    126+
    organizationID: orgID,
    127+
    subject: merge(canCreateCustomRole, rbac.RoleOwner()),
    128+
    org: []codersdk.Permission{
    125129
    {
    126130
    Negate: true,
    127131
    ResourceType: codersdk.ResourceWorkspace,
    @@ -131,89 +135,69 @@ func TestInsertCustomRoles(t *testing.T) {
    131135
    errorContains: "no negative permissions",
    132136
    },
    133137
    {
    134-
    name: "wildcard", // not allowed
    135-
    subject: merge(canAssignRole, rbac.RoleOwner()),
    136-
    site: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
    138+
    name: "wildcard", // not allowed
    139+
    organizationID: orgID,
    140+
    subject: merge(canCreateCustomRole, rbac.RoleOwner()),
    141+
    org: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
    137142
    codersdk.ResourceWorkspace: {"*"},
    138143
    }),
    139144
    errorContains: "no wildcard symbols",
    140145
    },
    141146
    // escalation checks
    142147
    {
    143-
    name: "read-workspace-escalation",
    144-
    subject: merge(canAssignRole),
    145-
    site: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
    148+
    name: "read-workspace-escalation",
    149+
    organizationID: orgID,
    150+
    subject: merge(canCreateCustomRole),
    151+
    org: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
    146152
    codersdk.ResourceWorkspace: {codersdk.ActionRead},
    147153
    }),
    148154
    errorContains: "not allowed to grant this permission",
    149155
    },
    150156
    {
    151-
    name: "read-workspace-outside-org",
    152-
    organizationID: uuid.NullUUID{
    153-
    UUID: uuid.New(),
    154-
    Valid: true,
    155-
    },
    156-
    subject: merge(canAssignRole, rbac.ScopedRoleOrgAdmin(orgID.UUID)),
    157+
    name: "read-workspace-outside-org",
    158+
    organizationID: uuid.New(),
    159+
    subject: merge(canCreateCustomRole, rbac.ScopedRoleOrgAdmin(orgID)),
    157160
    org: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
    158161
    codersdk.ResourceWorkspace: {codersdk.ActionRead},
    159162
    }),
    160-
    errorContains: "forbidden",
    163+
    errorContains: "not allowed to grant this permission",
    161164
    },
    162165
    {
    163166
    name: "user-escalation",
    164167
    // These roles do not grant user perms
    165-
    subject: merge(canAssignRole, rbac.ScopedRoleOrgAdmin(orgID.UUID)),
    168+
    organizationID: orgID,
    169+
    subject: merge(canCreateCustomRole, rbac.ScopedRoleOrgAdmin(orgID)),
    166170
    user: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
    167171
    codersdk.ResourceWorkspace: {codersdk.ActionRead},
    168172
    }),
    169-
    errorContains: "not allowed to grant this permission",
    173+
    errorContains: "organization roles specify site or user permissions",
    170174
    },
    171175
    {
    172-
    name: "template-admin-escalation",
    173-
    subject: merge(canAssignRole, rbac.RoleTemplateAdmin()),
    176+
    name: "site-escalation",
    177+
    organizationID: orgID,
    178+
    subject: merge(canCreateCustomRole, rbac.RoleTemplateAdmin()),
    174179
    site: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
    175-
    codersdk.ResourceWorkspace: {codersdk.ActionRead}, // ok!
    176180
    codersdk.ResourceDeploymentConfig: {codersdk.ActionUpdate}, // not ok!
    177181
    }),
    178-
    user: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
    179-
    codersdk.ResourceWorkspace: {codersdk.ActionRead}, // ok!
    180-
    }),
    181-
    errorContains: "deployment_config",
    182+
    errorContains: "organization roles specify site or user permissions",
    182183
    },
    183184
    // ok!
    184185
    {
    185-
    name: "read-workspace-template-admin",
    186-
    subject: merge(canAssignRole, rbac.RoleTemplateAdmin()),
    187-
    site: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
    186+
    name: "read-workspace-template-admin",
    187+
    organizationID: orgID,
    188+
    subject: merge(canCreateCustomRole, rbac.RoleTemplateAdmin()),
    189+
    org: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
    188190
    codersdk.ResourceWorkspace: {codersdk.ActionRead},
    189191
    }),
    190192
    },
    191193
    {
    192194
    name: "read-workspace-in-org",
    193-
    subject: merge(canAssignRole, rbac.ScopedRoleOrgAdmin(orgID.UUID)),
    194195
    organizationID: orgID,
    196+
    subject: merge(canCreateCustomRole, rbac.ScopedRoleOrgAdmin(orgID)),
    195197
    org: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
    196198
    codersdk.ResourceWorkspace: {codersdk.ActionRead},
    197199
    }),
    198200
    },
    199-
    {
    200-
    name: "user-perms",
    201-
    // This is weird, but is ok
    202-
    subject: merge(canAssignRole, rbac.RoleMember()),
    203-
    user: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
    204-
    codersdk.ResourceWorkspace: {codersdk.ActionRead},
    205-
    }),
    206-
    },
    207-
    {
    208-
    name: "site+user-perms",
    209-
    subject: merge(canAssignRole, rbac.RoleMember(), rbac.RoleTemplateAdmin()),
    210-
    site: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
    211-
    codersdk.ResourceWorkspace: {codersdk.ActionRead},
    212-
    }),
    213-
    user: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
    214-
    codersdk.ResourceWorkspace: {codersdk.ActionRead},
    215-
    }),
    216-
    },
    217201
    }
    218202

    219203
    for _, tc := range testCases {
    @@ -234,7 +218,7 @@ func TestInsertCustomRoles(t *testing.T) {
    234218
    _, err := az.InsertCustomRole(ctx, database.InsertCustomRoleParams{
    235219
    Name: "test-role",
    236220
    DisplayName: "",
    237-
    OrganizationID: tc.organizationID,
    221+
    OrganizationID: uuid.NullUUID{UUID: tc.organizationID, Valid: true},
    238222
    SitePermissions: db2sdk.List(tc.site, convertSDKPerm),
    239223
    OrgPermissions: db2sdk.List(tc.org, convertSDKPerm),
    240224
    UserPermissions: db2sdk.List(tc.user, convertSDKPerm),
    @@ -249,11 +233,11 @@ func TestInsertCustomRoles(t *testing.T) {
    249233
    LookupRoles: []database.NameOrganizationPair{
    250234
    {
    251235
    Name: "test-role",
    252-
    OrganizationID: tc.organizationID.UUID,
    236+
    OrganizationID: tc.organizationID,
    253237
    },
    254238
    },
    255239
    ExcludeOrgRoles: false,
    256-
    OrganizationID: uuid.UUID{},
    240+
    OrganizationID: uuid.Nil,
    257241
    })
    258242
    require.NoError(t, err)
    259243
    require.Len(t, roles, 1)

    0 commit comments

    Comments
     (0)
    0