Rename "GetAllUserRoles" to "GetAuthorizationRoles"

Emyrk · Emyrk · commit 51521cad4c6e · 2022-05-31T09:27:25.000-05:00
diff --git a/coderd/authorize.go b/coderd/authorize.go
@@ -13,12 +13,12 @@ import (
 )
 
 func AuthorizeFilter[O rbac.Objecter](api *API, r *http.Request, action rbac.Action, objects []O) []O {
-	roles := httpmw.UserRoles(r)
+	roles := httpmw.UserAuthorizationRoles(r)
 	return rbac.Filter(r.Context(), api.Authorizer, roles.ID.String(), roles.Roles, action, objects)
 }
 
 func (api *API) Authorize(rw http.ResponseWriter, r *http.Request, action rbac.Action, object rbac.Objecter) bool {
-	roles := httpmw.UserRoles(r)
+	roles := httpmw.UserAuthorizationRoles(r)
 	err := api.Authorizer.ByRoleName(r.Context(), roles.ID.String(), roles.Roles, action, object.RBACObject())
 	if err != nil {
 		httpapi.Write(rw, http.StatusForbidden, httpapi.Response{
diff --git a/coderd/database/databasefake/databasefake.go b/coderd/database/databasefake/databasefake.go
@@ -276,7 +276,7 @@ func (q *fakeQuerier) GetUsersByIDs(_ context.Context, ids []uuid.UUID) ([]datab
 	return users, nil
 }
 
-func (q *fakeQuerier) GetAllUserRoles(_ context.Context, userID uuid.UUID) (database.GetAllUserRolesRow, error) {
+func (q *fakeQuerier) GetAuthorizationUserRoles(_ context.Context, userID uuid.UUID) (database.GetAuthorizationUserRolesRow, error) {
 	q.mutex.RLock()
 	defer q.mutex.RUnlock()
 
@@ -300,10 +300,10 @@ func (q *fakeQuerier) GetAllUserRoles(_ context.Context, userID uuid.UUID) (data
 	}
 
 	if user == nil {
-		return database.GetAllUserRolesRow{}, sql.ErrNoRows
+		return database.GetAuthorizationUserRolesRow{}, sql.ErrNoRows
 	}
 
-	return database.GetAllUserRolesRow{
+	return database.GetAuthorizationUserRolesRow{
 		ID:       userID,
 		Username: user.Username,
 		Status:   user.Status,
diff --git a/coderd/database/querier.go b/coderd/database/querier.go
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
diff --git a/coderd/database/queries/users.sql b/coderd/database/queries/users.sql
@@ -134,7 +134,9 @@ WHERE
 	id = $1 RETURNING *;
 
 
--- name: GetAllUserRoles :one
+-- name: GetAuthorizationUserRoles :one
+-- This function returns roles for authorization purposes. Implied member roles
+-- are included.
 SELECT
 	-- username is returned just to help for logging purposes
 	-- status is used to enforce 'suspended' users, as all roles are ignored
diff --git a/coderd/httpmw/apikey.go b/coderd/httpmw/apikey.go
@@ -34,9 +34,10 @@ func APIKey(r *http.Request) database.APIKey {
 // User roles are the 'subject' field of Authorize()
 type userRolesKey struct{}
 
-// UserRoles returns the API key from the ExtractUserRoles handler.
-func UserRoles(r *http.Request) database.GetAllUserRolesRow {
-	apiKey, ok := r.Context().Value(userRolesKey{}).(database.GetAllUserRolesRow)
+// UserAuthorizationRoles returns the roles used for authorization.
+// Comes from the ExtractAPIKey handler.
+func UserAuthorizationRoles(r *http.Request) database.GetAuthorizationUserRolesRow {
+	apiKey, ok := r.Context().Value(userRolesKey{}).(database.GetAuthorizationUserRolesRow)
 	if !ok {
 		panic("developer error: user roles middleware not provided")
 	}
@@ -190,7 +191,7 @@ func ExtractAPIKey(db database.Store, oauth *OAuth2Configs) func(http.Handler) h
 			// If the key is valid, we also fetch the user roles and status.
 			// The roles are used for RBAC authorize checks, and the status
 			// is to block 'suspended' users from accessing the platform.
-			roles, err := db.GetAllUserRoles(r.Context(), key.UserID)
+			roles, err := db.GetAuthorizationUserRoles(r.Context(), key.UserID)
 			if err != nil {
 				httpapi.Write(rw, http.StatusUnauthorized, httpapi.Response{
 					Message: "roles not found",
diff --git a/coderd/httpmw/authorize_test.go b/coderd/httpmw/authorize_test.go
@@ -86,7 +86,7 @@ func TestExtractUserRoles(t *testing.T) {
 				httpmw.ExtractAPIKey(db, &httpmw.OAuth2Configs{}),
 			)
 			rtr.Get("/", func(_ http.ResponseWriter, r *http.Request) {
-				roles := httpmw.UserRoles(r)
+				roles := httpmw.UserAuthorizationRoles(r)
 				require.ElementsMatch(t, user.ID, roles.ID)
 				require.ElementsMatch(t, expRoles, roles.Roles)
 			})
diff --git a/coderd/roles.go b/coderd/roles.go
@@ -45,7 +45,7 @@ func (api *API) checkPermissions(rw http.ResponseWriter, r *http.Request) {
 	}
 
 	// use the roles of the user specified, not the person making the request.
-	roles, err := api.Database.GetAllUserRoles(r.Context(), user.ID)
+	roles, err := api.Database.GetAuthorizationUserRoles(r.Context(), user.ID)
 	if err != nil {
 		httpapi.Forbidden(rw)
 		return
@@ -91,6 +91,10 @@ func convertRole(role rbac.Role) codersdk.Role {
 func convertRoles(roles []rbac.Role) []codersdk.Role {
 	converted := make([]codersdk.Role, 0, len(roles))
 	for _, role := range roles {
+		// Roles without display names should never be shown to the ui.
+		if role.DisplayName == "" {
+			continue
+		}
 		converted = append(converted, convertRole(role))
 	}
 	return converted
diff --git a/coderd/users.go b/coderd/users.go
@@ -473,7 +473,7 @@ func (api *API) userRoles(rw http.ResponseWriter, r *http.Request) {
 func (api *API) putUserRoles(rw http.ResponseWriter, r *http.Request) {
 	// User is the user to modify.
 	user := httpmw.UserParam(r)
-	roles := httpmw.UserRoles(r)
+	roles := httpmw.UserAuthorizationRoles(r)
 
 	var params codersdk.UpdateRoles
 	if !httpapi.Read(rw, r, &params) {

Original file line number	Diff line number	Diff line change
`@@ -13,12 +13,12 @@ import (`
`13`	`13`	`)`
`14`	`14`
`15`	`15`	`func AuthorizeFilter[O rbac.Objecter](api API, r http.Request, action rbac.Action, objects []O) []O {`
`16`		`- roles := httpmw.UserRoles(r)`
	`16`	`+ roles := httpmw.UserAuthorizationRoles(r)`
`17`	`17`	`return rbac.Filter(r.Context(), api.Authorizer, roles.ID.String(), roles.Roles, action, objects)`
`18`	`18`	`}`
`19`	`19`
`20`	`20`	`func (api API) Authorize(rw http.ResponseWriter, r http.Request, action rbac.Action, object rbac.Objecter) bool {`
`21`		`- roles := httpmw.UserRoles(r)`
	`21`	`+ roles := httpmw.UserAuthorizationRoles(r)`
`22`	`22`	`err := api.Authorizer.ByRoleName(r.Context(), roles.ID.String(), roles.Roles, action, object.RBACObject())`
`23`	`23`	`if err != nil {`
`24`	`24`	`httpapi.Write(rw, http.StatusForbidden, httpapi.Response{`
Original file line number	Diff line number	Diff line change
`@@ -276,7 +276,7 @@ func (q *fakeQuerier) GetUsersByIDs(_ context.Context, ids []uuid.UUID) ([]datab`
`276`	`276`	`return users, nil`
`277`	`277`	`}`
`278`	`278`
`279`		`-func (q *fakeQuerier) GetAllUserRoles(_ context.Context, userID uuid.UUID) (database.GetAllUserRolesRow, error) {`
	`279`	`+func (q *fakeQuerier) GetAuthorizationUserRoles(_ context.Context, userID uuid.UUID) (database.GetAuthorizationUserRolesRow, error) {`
`280`	`280`	`q.mutex.RLock()`
`281`	`281`	`defer q.mutex.RUnlock()`
`282`	`282`
`@@ -300,10 +300,10 @@ func (q *fakeQuerier) GetAllUserRoles(_ context.Context, userID uuid.UUID) (data`
`300`	`300`	`}`
`301`	`301`
`302`	`302`	`if user == nil {`
`303`		`- return database.GetAllUserRolesRow{}, sql.ErrNoRows`
	`303`	`+ return database.GetAuthorizationUserRolesRow{}, sql.ErrNoRows`
`304`	`304`	`}`
`305`	`305`
`306`		`- return database.GetAllUserRolesRow{`
	`306`	`+ return database.GetAuthorizationUserRolesRow{`
`307`	`307`	`ID: userID,`
`308`	`308`	`Username: user.Username,`
`309`	`309`	`Status: user.Status,`
Original file line number	Diff line number	Diff line change
`@@ -86,7 +86,7 @@ func TestExtractUserRoles(t *testing.T) {`
`86`	`86`	`httpmw.ExtractAPIKey(db, &httpmw.OAuth2Configs{}),`
`87`	`87`	`)`
`88`	`88`	`rtr.Get("/", func(_ http.ResponseWriter, r *http.Request) {`
`89`		`- roles := httpmw.UserRoles(r)`
	`89`	`+ roles := httpmw.UserAuthorizationRoles(r)`
`90`	`90`	`require.ElementsMatch(t, user.ID, roles.ID)`
`91`	`91`	`require.ElementsMatch(t, expRoles, roles.Roles)`
`92`	`92`	`})`