Handle assigning/removing roles

Emyrk · Emyrk · commit 1f7d5d360eb7 · 2022-08-09T11:00:11.000-05:00
diff --git a/coderd/coderd_test.go b/coderd/coderd_test.go
@@ -542,9 +542,6 @@ func TestAuthorizeAllEndpoints(t *testing.T) {
 					if routeAssertions.AssertObject.OrgID != "" {
 						assert.Equal(t, routeAssertions.AssertObject.OrgID, authorizer.Called.Object.OrgID, "resource org")
 					}
-					if routeAssertions.AssertObject.ResourceID != "" {
-						assert.Equal(t, routeAssertions.AssertObject.ResourceID, authorizer.Called.Object.ResourceID, "resource ID")
-					}
 				}
 			} else {
 				assert.Nil(t, authorizer.Called, "authorize not expected")
diff --git a/coderd/members.go b/coderd/members.go
@@ -21,6 +21,7 @@ func (api *API) putMemberRoles(rw http.ResponseWriter, r *http.Request) {
 	organization := httpmw.OrganizationParam(r)
 	member := httpmw.OrganizationMemberParam(r)
 	apiKey := httpmw.APIKey(r)
+	actorRoles := httpmw.AuthorizationUserRoles(r)
 
 	if apiKey.UserID == member.UserID {
 		httpapi.Write(rw, http.StatusBadRequest, codersdk.Response{
@@ -41,17 +42,24 @@ func (api *API) putMemberRoles(rw http.ResponseWriter, r *http.Request) {
 	// TODO: Handle added and removed roles.
 
 	// Assigning a role requires the create permission.
-	if !api.Authorize(r, rbac.ActionCreate, rbac.ResourceOrgRoleAssignment.InOrg(organization.ID)) {
+	if len(added) > 0 && !api.Authorize(r, rbac.ActionCreate, rbac.ResourceOrgRoleAssignment.InOrg(organization.ID)) {
 		httpapi.Forbidden(rw)
 		return
 	}
 
 	// Removing a role requires the delete permission.
-	if !api.Authorize(r, rbac.ActionDelete, rbac.ResourceOrgRoleAssignment.InOrg(organization.ID)) {
+	if len(removed) > 0 && !api.Authorize(r, rbac.ActionDelete, rbac.ResourceOrgRoleAssignment.InOrg(organization.ID)) {
 		httpapi.Forbidden(rw)
 		return
 	}
 
+	// Just treat adding & removing as "assigning" for now.
+	for _, roleName := range append(added, removed...) {
+		if !rbac.CanAssignRole(actorRoles.Roles, roleName) {
+			httpapi.Forbidden(rw)
+		}
+	}
+
 	updatedUser, err := api.updateOrganizationMemberRoles(r.Context(), database.UpdateMemberRolesParams{
 		GrantedRoles: params.Roles,
 		UserID:       user.ID,
diff --git a/coderd/rbac/builtin.go b/coderd/rbac/builtin.go
@@ -145,6 +145,58 @@ var (
 	}
 )
 
+var (
+	// assignRoles is a map of roles that can be assigned if a user has a given
+	// role.
+	// The first key is the actor role, the second is the roles they can assign.
+	//	map[actor_role][assign_role]<can_assign>
+	assignRoles = map[string]map[string]bool{
+		admin: {
+			admin:     true,
+			auditor:   true,
+			member:    true,
+			orgAdmin:  true,
+			orgMember: true,
+		},
+		orgAdmin: {
+			orgAdmin:  true,
+			orgMember: true,
+		},
+	}
+)
+
+// CanAssignRole is a helper function that returns true if the user can assign
+// the specified role. This also can be used for removing a role.
+// This is a simple implementation for now.
+func CanAssignRole(roles []string, assignedRole string) bool {
+	assigned, assignedOrg, err := roleSplit(assignedRole)
+	if err != nil {
+		return false
+	}
+
+	for _, longRole := range roles {
+		role, orgID, err := roleSplit(longRole)
+		if err != nil {
+			continue
+		}
+
+		if orgID != "" && orgID != assignedOrg {
+			// Org roles only apply to the org they are assigned to.
+			continue
+		}
+
+		allowed, ok := assignRoles[role]
+		if !ok {
+			continue
+		}
+
+		if allowed[assigned] {
+			return true
+		}
+	}
+	return false
+}
+
 // RoleByName returns the permissions associated with a given role name.
 // This allows just the role names to be stored and expanded when required.
 func RoleByName(name string) (Role, error) {
diff --git a/coderd/rbac/object.go b/coderd/rbac/object.go
@@ -88,7 +88,7 @@ var (
 	}
 
 	// ResourceOrganizationMember is a user's membership in an organization.
-	// Has ONLY an organization owner. The resource ID is the user's ID
+	// Has ONLY an organization owner.
 	//	create/delete  = Create/delete member from org.
 	//	update  = Update organization member
 	//	read	= View member
diff --git a/coderd/roles.go b/coderd/roles.go
@@ -74,10 +74,9 @@ func (api *API) checkPermissions(rw http.ResponseWriter, r *http.Request) {
 		}
 		err := api.Authorizer.ByRoleName(r.Context(), roles.ID.String(), roles.Roles, rbac.Action(v.Action),
 			rbac.Object{
-				ResourceID: v.Object.ResourceID,
-				Owner:      v.Object.OwnerID,
-				OrgID:      v.Object.OrganizationID,
-				Type:       v.Object.ResourceType,
+				Owner: v.Object.OwnerID,
+				OrgID: v.Object.OrganizationID,
+				Type:  v.Object.ResourceType,
 			})
 		response[k] = err == nil
 	}
diff --git a/coderd/users.go b/coderd/users.go
@@ -504,7 +504,7 @@ func (api *API) userRoles(rw http.ResponseWriter, r *http.Request) {
 func (api *API) putUserRoles(rw http.ResponseWriter, r *http.Request) {
 	// User is the user to modify.
 	user := httpmw.UserParam(r)
-	roles := httpmw.AuthorizationUserRoles(r)
+	actorRoles := httpmw.AuthorizationUserRoles(r)
 	apiKey := httpmw.APIKey(r)
 
 	if apiKey.UserID == user.ID {
@@ -526,21 +526,28 @@ func (api *API) putUserRoles(rw http.ResponseWriter, r *http.Request) {
 
 	// The member role is always implied.
 	impliedTypes := append(params.Roles, rbac.RoleMember())
-	added, removed := rbac.ChangeRoleSet(roles.Roles, impliedTypes)
+	added, removed := rbac.ChangeRoleSet(user.RBACRoles, impliedTypes)
 	// TODO: Handle added and removed roles.
 
 	// Assigning a role requires the create permission.
-	if !api.Authorize(r, rbac.ActionCreate, rbac.ResourceRoleAssignment) {
+	if len(added) > 0 && !api.Authorize(r, rbac.ActionCreate, rbac.ResourceRoleAssignment) {
 		httpapi.Forbidden(rw)
 		return
 	}
 
 	// Removing a role requires the delete permission.
-	if !api.Authorize(r, rbac.ActionDelete, rbac.ResourceRoleAssignment) {
+	if len(removed) > 0 && !api.Authorize(r, rbac.ActionDelete, rbac.ResourceRoleAssignment) {
 		httpapi.Forbidden(rw)
 		return
 	}
 
+	// Just treat adding & removing as "assigning" for now.
+	for _, roleName := range append(added, removed...) {
+		if !rbac.CanAssignRole(actorRoles.Roles, roleName) {
+			httpapi.Forbidden(rw)
+		}
+	}
+
 	updatedUser, err := api.updateSiteUserRoles(r.Context(), database.UpdateUserRolesParams{
 		GrantedRoles: params.Roles,
 		ID:           user.ID,

Original file line number	Diff line number	Diff line change
`@@ -542,9 +542,6 @@ func TestAuthorizeAllEndpoints(t *testing.T) {`
`542`	`542`	`if routeAssertions.AssertObject.OrgID != "" {`
`543`	`543`	`assert.Equal(t, routeAssertions.AssertObject.OrgID, authorizer.Called.Object.OrgID, "resource org")`
`544`	`544`	`}`
`545`		`- if routeAssertions.AssertObject.ResourceID != "" {`
`546`		`- assert.Equal(t, routeAssertions.AssertObject.ResourceID, authorizer.Called.Object.ResourceID, "resource ID")`
`547`		`- }`
`548`	`545`	`}`
`549`	`546`	`} else {`
`550`	`547`	`assert.Nil(t, authorizer.Called, "authorize not expected")`
Original file line number	Diff line number	Diff line change
`@@ -88,7 +88,7 @@ var (`
`88`	`88`	`}`
`89`	`89`
`90`	`90`	`// ResourceOrganizationMember is a user's membership in an organization.`
`91`		`- // Has ONLY an organization owner. The resource ID is the user's ID`
	`91`	`+ // Has ONLY an organization owner.`
`92`	`92`	`// create/delete = Create/delete member from org.`
`93`	`93`	`// update = Update organization member`
`94`	`94`	`// read = View member`
Original file line number	Diff line number	Diff line change
`@@ -74,10 +74,9 @@ func (api API) checkPermissions(rw http.ResponseWriter, r http.Request) {`
`74`	`74`	`}`
`75`	`75`	`err := api.Authorizer.ByRoleName(r.Context(), roles.ID.String(), roles.Roles, rbac.Action(v.Action),`
`76`	`76`	`rbac.Object{`
`77`		`- ResourceID: v.Object.ResourceID,`
`78`		`- Owner: v.Object.OwnerID,`
`79`		`- OrgID: v.Object.OrganizationID,`
`80`		`- Type: v.Object.ResourceType,`
	`77`	`+ Owner: v.Object.OwnerID,`
	`78`	`+ OrgID: v.Object.OrganizationID,`
	`79`	`+ Type: v.Object.ResourceType,`
`81`	`80`	`})`
`82`	`81`	`response[k] = err == nil`
`83`	`82`	`}`