WIP

Emyrk · Emyrk · commit 49dd486f2a73 · 2024-06-05T15:26:36.000-05:00
diff --git a/coderd/database/dbauthz/customroles_test.go b/coderd/database/dbauthz/customroles_test.go
@@ -38,7 +38,7 @@ func TestUpsertCustomRoles(t *testing.T) {
 		Name:        "can-assign",
 		DisplayName: "",
 		Site: rbac.Permissions(map[string][]policy.Action{
-			rbac.ResourceAssignRole.Type: {policy.ActionCreate},
+			rbac.ResourceAssignRole.Type: {policy.ActionRead, policy.ActionCreate},
 		}),
 	}
 
@@ -243,6 +243,19 @@ func TestUpsertCustomRoles(t *testing.T) {
 				require.ErrorContains(t, err, tc.errorContains)
 			} else {
 				require.NoError(t, err)
+
+				roles, err := az.CustomRoles(ctx, database.CustomRolesParams{
+					LookupRoles: []database.NameOrganizationPair{
+						{
+							Name:           "test-role",
+							OrganizationID: tc.organizationID.UUID,
+						},
+					},
+					ExcludeOrgRoles: false,
+					OrganizationID:  uuid.UUID{},
+				})
+				require.NoError(t, err)
+				require.Len(t, roles, 1)
 			}
 		})
 	}
diff --git a/coderd/database/dbmem/dbmem.go b/coderd/database/dbmem/dbmem.go
@@ -1186,8 +1186,16 @@ func (q *FakeQuerier) CustomRoles(_ context.Context, arg database.CustomRolesPar
 	for _, role := range q.data.customRoles {
 		role := role
 		if len(arg.LookupRoles) > 0 {
-			if !slices.ContainsFunc(arg.LookupRoles, func(s string) bool {
-				return strings.EqualFold(s, role.Name)
+			if !slices.ContainsFunc(arg.LookupRoles, func(s database.NameOrganizationPair) bool {
+				if !strings.EqualFold(s.Name, role.Name) {
+					return false
+				}
+
+				if s.OrganizationID == uuid.Nil {
+					return true
+				}
+
+				return s.OrganizationID == arg.OrganizationID
 			}) {
 				continue
 			}
diff --git a/coderd/database/migrations/000216_org_custom_role_audit.up.sql b/coderd/database/migrations/000216_org_custom_role_audit.up.sql
@@ -1,3 +1,6 @@
+-- A role does not need to belong to an organization
+ALTER TABLE custom_roles ALTER COLUMN organization_id DROP NOT NULL;
+
 -- (name) is the primary key, this column is almost exclusively for auditing.
 ALTER TABLE custom_roles ADD COLUMN id uuid DEFAULT gen_random_uuid() NOT NULL;
 
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
diff --git a/coderd/database/queries/roles.sql b/coderd/database/queries/roles.sql
@@ -7,8 +7,8 @@ WHERE
   true
   -- Lookup roles filter expects the role names to be in the rbac package
   -- format. Eg: name[:<organization_id>]
-  AND CASE WHEN array_length(@lookup_roles :: text[], 1) > 0  THEN
-    name ILIKE ANY(@lookup_roles :: text [])
+  AND CASE WHEN array_length(@lookup_roles :: name_organization_pair_list[], 1) > 0  THEN
+	(name, organization_id) ILIKE ANY (@lookup_roles::name_organization_pair_list[])
     ELSE true
   END
   -- Org scoping filter, to only fetch site wide roles
diff --git a/coderd/database/sqlc.yaml b/coderd/database/sqlc.yaml
@@ -28,6 +28,9 @@ sql:
         emit_enum_valid_method: true
         emit_all_enum_values: true
         overrides:
+          - db_type: "name_organization_pair_list"
+            go_type:
+              type: "NameOrganizationPair"
           - column: "custom_roles.site_permissions"
             go_type:
               type: "CustomRolePermissions"
diff --git a/coderd/database/types.go b/coderd/database/types.go
@@ -113,6 +113,26 @@ func (m StringMapOfInt) Value() (driver.Value, error) {
 	return json.Marshal(m)
 }
 
+// NameOrganizationPair is used as a lookup tuple for custom role rows.
+type NameOrganizationPair struct {
+	Name string `db:"name" json:"name"`
+	// OrganizationID if unset will assume a null column value
+	OrganizationID uuid.UUID `db:"organization_id" json:"organization_id"`
+}
+
+func (a *NameOrganizationPair) Scan(src interface{}) error {
+	return xerrors.Errorf("unexpected type %T", src)
+}
+
+func (a NameOrganizationPair) Value() (driver.Value, error) {
+	var orgID interface{} = a.OrganizationID
+	if a.OrganizationID == uuid.Nil {
+		orgID = nil
+	}
+
+	return []interface{}{a.Name, orgID}, nil
+}
+
 type CustomRolePermissions []CustomRolePermission
 
 func (a *CustomRolePermissions) Scan(src interface{}) error {
diff --git a/coderd/rbac/rolestore/rolestore.go b/coderd/rbac/rolestore/rolestore.go
@@ -69,11 +69,34 @@ func Expand(ctx context.Context, db database.Store, names []string) (rbac.Roles,
 	}
 
 	if len(lookup) > 0 {
+		// The set of roles coming in are formatted as 'rolename[:<org_id>]'.
+		// In the database, org roles are scoped with an organization column.
+		lookupArgs := make([]database.NameOrganizationPair, 0, len(lookup))
+		for _, name := range lookup {
+			roleName, orgID, err := rbac.RoleSplit(name)
+			if err != nil {
+				continue
+			}
+
+			parsedOrgID := uuid.Nil // Default to no org ID
+			if orgID != "" {
+				parsedOrgID, err = uuid.Parse(orgID)
+				if err != nil {
+					continue
+				}
+			}
+
+			lookupArgs = append(lookupArgs, database.NameOrganizationPair{
+				Name:           roleName,
+				OrganizationID: parsedOrgID,
+			})
+		}
+
 		// If some roles are missing from the database, they are omitted from
 		// the expansion. These roles are no-ops. Should we raise some kind of
 		// warning when this happens?
 		dbroles, err := db.CustomRoles(ctx, database.CustomRolesParams{
-			LookupRoles:     lookup,
+			LookupRoles:     lookupArgs,
 			ExcludeOrgRoles: false,
 			OrganizationID:  uuid.Nil,
 		})
