chore: remove org map perms in sdk

Emyrk · Emyrk · commit 3f56f51aa60d · 2024-05-28T14:18:10.000-05:00
diff --git a/coderd/database/db2sdk/db2sdk.go b/coderd/database/db2sdk/db2sdk.go
@@ -531,12 +531,16 @@ func Role(role rbac.Role) codersdk.Role {
 	if err != nil {
 		roleName = role.Name
 	}
+
 	return codersdk.Role{
-		Name:                    roleName,
-		OrganizationID:          orgIDStr,
-		DisplayName:             role.DisplayName,
-		SitePermissions:         List(role.Site, Permission),
-		OrganizationPermissions: Map(role.Org, ListLazy(Permission)),
+		Name:            roleName,
+		OrganizationID:  orgIDStr,
+		DisplayName:     role.DisplayName,
+		SitePermissions: List(role.Site, Permission),
+		// This is not perfect. If there are organization permissions in another
+		// organization, they will be omitted. This should not be allowed, so
+		// should never happen.
+		OrganizationPermissions: List(role.Org[orgIDStr], Permission),
 		UserPermissions:         List(role.User, Permission),
 	}
 }
@@ -550,11 +554,18 @@ func Permission(permission rbac.Permission) codersdk.Permission {
 }
 
 func RoleToRBAC(role codersdk.Role) rbac.Role {
+	orgPerms := map[string][]rbac.Permission{}
+	if role.OrganizationID != "" {
+		orgPerms = map[string][]rbac.Permission{
+			role.OrganizationID: List(role.OrganizationPermissions, PermissionToRBAC),
+		}
+	}
+
 	return rbac.Role{
 		Name:        rbac.RoleName(role.Name, role.OrganizationID),
 		DisplayName: role.DisplayName,
 		Site:        List(role.SitePermissions, PermissionToRBAC),
-		Org:         Map(role.OrganizationPermissions, ListLazy(PermissionToRBAC)),
+		Org:         orgPerms,
 		User:        List(role.UserPermissions, PermissionToRBAC),
 	}
 }
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -614,6 +614,10 @@ func (q *querier) canAssignRoles(ctx context.Context, orgID *uuid.UUID, added, r
 				return xerrors.Errorf("role %q has invalid uuid for org: %w", r, err)
 			}
 
+			if orgID == nil {
+				return xerrors.Errorf("should never happen, orgID is nil, but trying to assign an organization role")
+			}
+
 			if roleOrgID != *orgID {
 				return xerrors.Errorf("attempted to assign role from a different org, role %q to %q", r, orgID.String())
 			}
diff --git a/coderd/roles.go b/coderd/roles.go
@@ -55,14 +55,6 @@ func (api *API) patchOrgRoles(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if err := httpapi.NameValid(req.Name); err != nil {
-		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
-			Message: "Invalid role name",
-			Detail:  err.Error(),
-		})
-		return
-	}
-
 	updated, ok := handler.PatchOrganizationRole(ctx, api.Database, rw, organization.ID, req)
 	if !ok {
 		return
diff --git a/codersdk/roles.go b/codersdk/roles.go
@@ -39,9 +39,9 @@ type Role struct {
 	OrganizationID  string       `json:"organization_id" table:"organization_id" format:"uuid"`
 	DisplayName     string       `json:"display_name" table:"display_name"`
 	SitePermissions []Permission `json:"site_permissions" table:"site_permissions"`
-	// map[<org_id>] -> Permissions
-	OrganizationPermissions map[string][]Permission `json:"organization_permissions" table:"org_permissions"`
-	UserPermissions         []Permission            `json:"user_permissions" table:"user_permissions"`
+	// OrganizationPermissions are specific for the organization in the field 'OrganizationID' above.
+	OrganizationPermissions []Permission `json:"organization_permissions" table:"org_permissions"`
+	UserPermissions         []Permission `json:"user_permissions" table:"user_permissions"`
 }
 
 // FullName returns the role name scoped to the organization ID. This is useful if
diff --git a/enterprise/coderd/roles.go b/enterprise/coderd/roles.go
@@ -21,7 +21,15 @@ type enterpriseCustomRoleHandler struct {
 func (h enterpriseCustomRoleHandler) PatchOrganizationRole(ctx context.Context, db database.Store, rw http.ResponseWriter, orgID uuid.UUID, role codersdk.Role) (codersdk.Role, bool) {
 	if !h.Enabled {
 		httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
-			Message: "Custom roles is not enabled",
+			Message: "Custom roles are not enabled",
+		})
+		return codersdk.Role{}, false
+	}
+
+	if err := httpapi.NameValid(role.Name); err != nil {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: "Invalid role name",
+			Detail:  err.Error(),
 		})
 		return codersdk.Role{}, false
 	}
@@ -43,25 +51,14 @@ func (h enterpriseCustomRoleHandler) PatchOrganizationRole(ctx context.Context,
 		return codersdk.Role{}, false
 	}
 
-	if len(role.OrganizationPermissions) > 1 {
+	if role.OrganizationID != orgID.String() {
 		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
-			Message: "Invalid request, Only 1 organization can be assigned permissions",
-			Detail:  "roles can only contain 1 organization",
+			Message: "Invalid request, organization in role and url must match",
+			Detail:  fmt.Sprintf("role org %q does not match URL %q", role.OrganizationID, orgID.String()),
 		})
 		return codersdk.Role{}, false
 	}
 
-	if len(role.OrganizationPermissions) == 1 {
-		_, exists := role.OrganizationPermissions[orgID.String()]
-		if !exists {
-			httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
-				Message: fmt.Sprintf("Invalid request, expected permissions for only the organization %q", orgID.String()),
-				Detail:  fmt.Sprintf("only org id %s allowed", orgID.String()),
-			})
-			return codersdk.Role{}, false
-		}
-	}
-
 	// Make sure all permissions inputted are valid according to our policy.
 	rbacRole := db2sdk.RoleToRBAC(role)
 	args, err := rolestore.ConvertRoleToDB(rbacRole)
diff --git a/enterprise/coderd/roles_test.go b/enterprise/coderd/roles_test.go
@@ -20,17 +20,16 @@ func TestCustomOrganizationRole(t *testing.T) {
 	t.Parallel()
 	templateAdminCustom := func(orgID uuid.UUID) codersdk.Role {
 		return codersdk.Role{
-			Name:        "test-role",
-			DisplayName: "Testing Purposes",
+			Name:           "test-role",
+			DisplayName:    "Testing Purposes",
+			OrganizationID: orgID.String(),
 			// Basically creating a template admin manually
 			SitePermissions: nil,
-			OrganizationPermissions: map[string][]codersdk.Permission{
-				orgID.String(): codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
-					codersdk.ResourceTemplate:  {codersdk.ActionCreate, codersdk.ActionRead, codersdk.ActionUpdate, codersdk.ActionViewInsights},
-					codersdk.ResourceFile:      {codersdk.ActionCreate, codersdk.ActionRead},
-					codersdk.ResourceWorkspace: {codersdk.ActionRead},
-				}),
-			},
+			OrganizationPermissions: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
+				codersdk.ResourceTemplate:  {codersdk.ActionCreate, codersdk.ActionRead, codersdk.ActionUpdate, codersdk.ActionViewInsights},
+				codersdk.ResourceFile:      {codersdk.ActionCreate, codersdk.ActionRead},
+				codersdk.ResourceWorkspace: {codersdk.ActionRead},
+			}),
 			UserPermissions: nil,
 		}
 	}
@@ -84,7 +83,7 @@ func TestCustomOrganizationRole(t *testing.T) {
 		}), "role missing from org role list")
 
 		require.Len(t, foundRole.SitePermissions, 0)
-		require.Len(t, foundRole.OrganizationPermissions[first.OrganizationID.String()], 7)
+		require.Len(t, foundRole.OrganizationPermissions, 7)
 		require.Len(t, foundRole.UserPermissions, 0)
 	})
 
@@ -122,7 +121,7 @@ func TestCustomOrganizationRole(t *testing.T) {
 
 		// Verify functionality is lost
 		_, err = owner.PatchOrganizationRole(ctx, first.OrganizationID, templateAdminCustom(first.OrganizationID))
-		require.ErrorContains(t, err, "roles is not enabled")
+		require.ErrorContains(t, err, "roles are not enabled")
 
 		// Assign the custom template admin role
 		tmplAdmin, _ := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID, role.FullName())

Original file line number	Diff line number	Diff line change
`@@ -614,6 +614,10 @@ func (q querier) canAssignRoles(ctx context.Context, orgID uuid.UUID, added, r`
`614`	`614`	`return xerrors.Errorf("role %q has invalid uuid for org: %w", r, err)`
`615`	`615`	`}`
`616`	`616`
	`617`	`+ if orgID == nil {`
	`618`	`+ return xerrors.Errorf("should never happen, orgID is nil, but trying to assign an organization role")`
	`619`	`+ }`
	`620`	`+`
`617`	`621`	`if roleOrgID != *orgID {`
`618`	`622`	`return xerrors.Errorf("attempted to assign role from a different org, role %q to %q", r, orgID.String())`
`619`	`623`	`}`