more fixups

Emyrk · Emyrk · commit 769ac83729fb · 2024-06-10T13:23:04.000-05:00
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -307,9 +307,9 @@ func As(ctx context.Context, actor rbac.Subject) context.Context {
 // running the insertFunc. The insertFunc is expected to return the object that
 // was inserted.
 func insert[
-ObjectType any,
-ArgumentType any,
-Insert func(ctx context.Context, arg ArgumentType) (ObjectType, error),
+	ObjectType any,
+	ArgumentType any,
+	Insert func(ctx context.Context, arg ArgumentType) (ObjectType, error),
 ](
 	logger slog.Logger,
 	authorizer rbac.Authorizer,
@@ -320,9 +320,9 @@ Insert func(ctx context.Context, arg ArgumentType) (ObjectType, error),
 }
 
 func insertWithAction[
-ObjectType any,
-ArgumentType any,
-Insert func(ctx context.Context, arg ArgumentType) (ObjectType, error),
+	ObjectType any,
+	ArgumentType any,
+	Insert func(ctx context.Context, arg ArgumentType) (ObjectType, error),
 ](
 	logger slog.Logger,
 	authorizer rbac.Authorizer,
@@ -349,10 +349,10 @@ Insert func(ctx context.Context, arg ArgumentType) (ObjectType, error),
 }
 
 func deleteQ[
-ObjectType rbac.Objecter,
-ArgumentType any,
-Fetch func(ctx context.Context, arg ArgumentType) (ObjectType, error),
-Delete func(ctx context.Context, arg ArgumentType) error,
+	ObjectType rbac.Objecter,
+	ArgumentType any,
+	Fetch func(ctx context.Context, arg ArgumentType) (ObjectType, error),
+	Delete func(ctx context.Context, arg ArgumentType) error,
 ](
 	logger slog.Logger,
 	authorizer rbac.Authorizer,
@@ -364,10 +364,10 @@ Delete func(ctx context.Context, arg ArgumentType) error,
 }
 
 func updateWithReturn[
-ObjectType rbac.Objecter,
-ArgumentType any,
-Fetch func(ctx context.Context, arg ArgumentType) (ObjectType, error),
-UpdateQuery func(ctx context.Context, arg ArgumentType) (ObjectType, error),
+	ObjectType rbac.Objecter,
+	ArgumentType any,
+	Fetch func(ctx context.Context, arg ArgumentType) (ObjectType, error),
+	UpdateQuery func(ctx context.Context, arg ArgumentType) (ObjectType, error),
 ](
 	logger slog.Logger,
 	authorizer rbac.Authorizer,
@@ -378,10 +378,10 @@ UpdateQuery func(ctx context.Context, arg ArgumentType) (ObjectType, error),
 }
 
 func update[
-ObjectType rbac.Objecter,
-ArgumentType any,
-Fetch func(ctx context.Context, arg ArgumentType) (ObjectType, error),
-Exec func(ctx context.Context, arg ArgumentType) error,
+	ObjectType rbac.Objecter,
+	ArgumentType any,
+	Fetch func(ctx context.Context, arg ArgumentType) (ObjectType, error),
+	Exec func(ctx context.Context, arg ArgumentType) error,
 ](
 	logger slog.Logger,
 	authorizer rbac.Authorizer,
@@ -399,9 +399,9 @@ Exec func(ctx context.Context, arg ArgumentType) error,
 // user cannot read the resource. This is because the resource details are
 // required to run a proper authorization check.
 func fetchWithAction[
-ArgumentType any,
-ObjectType rbac.Objecter,
-DatabaseFunc func(ctx context.Context, arg ArgumentType) (ObjectType, error),
+	ArgumentType any,
+	ObjectType rbac.Objecter,
+	DatabaseFunc func(ctx context.Context, arg ArgumentType) (ObjectType, error),
 ](
 	logger slog.Logger,
 	authorizer rbac.Authorizer,
@@ -432,9 +432,9 @@ DatabaseFunc func(ctx context.Context, arg ArgumentType) (ObjectType, error),
 }
 
 func fetch[
-ArgumentType any,
-ObjectType rbac.Objecter,
-DatabaseFunc func(ctx context.Context, arg ArgumentType) (ObjectType, error),
+	ArgumentType any,
+	ObjectType rbac.Objecter,
+	DatabaseFunc func(ctx context.Context, arg ArgumentType) (ObjectType, error),
 ](
 	logger slog.Logger,
 	authorizer rbac.Authorizer,
@@ -447,10 +447,10 @@ DatabaseFunc func(ctx context.Context, arg ArgumentType) (ObjectType, error),
 // from SQL 'exec' functions which only return an error.
 // See fetchAndQuery for more information.
 func fetchAndExec[
-ObjectType rbac.Objecter,
-ArgumentType any,
-Fetch func(ctx context.Context, arg ArgumentType) (ObjectType, error),
-Exec func(ctx context.Context, arg ArgumentType) error,
+	ObjectType rbac.Objecter,
+	ArgumentType any,
+	Fetch func(ctx context.Context, arg ArgumentType) (ObjectType, error),
+	Exec func(ctx context.Context, arg ArgumentType) error,
 ](
 	logger slog.Logger,
 	authorizer rbac.Authorizer,
@@ -473,10 +473,10 @@ Exec func(ctx context.Context, arg ArgumentType) error,
 // **before** the query runs. The returns from the fetch are only used to
 // assert rbac. The final return of this function comes from the Query function.
 func fetchAndQuery[
-ObjectType rbac.Objecter,
-ArgumentType any,
-Fetch func(ctx context.Context, arg ArgumentType) (ObjectType, error),
-Query func(ctx context.Context, arg ArgumentType) (ObjectType, error),
+	ObjectType rbac.Objecter,
+	ArgumentType any,
+	Fetch func(ctx context.Context, arg ArgumentType) (ObjectType, error),
+	Query func(ctx context.Context, arg ArgumentType) (ObjectType, error),
 ](
 	logger slog.Logger,
 	authorizer rbac.Authorizer,
@@ -510,9 +510,9 @@ Query func(ctx context.Context, arg ArgumentType) (ObjectType, error),
 // fetchWithPostFilter is like fetch, but works with lists of objects.
 // SQL filters are much more optimal.
 func fetchWithPostFilter[
-ArgumentType any,
-ObjectType rbac.Objecter,
-DatabaseFunc func(ctx context.Context, arg ArgumentType) ([]ObjectType, error),
+	ArgumentType any,
+	ObjectType rbac.Objecter,
+	DatabaseFunc func(ctx context.Context, arg ArgumentType) ([]ObjectType, error),
 ](
 	authorizer rbac.Authorizer,
 	action policy.Action,
diff --git a/coderd/rbac/authz_internal_test.go b/coderd/rbac/authz_internal_test.go
@@ -394,7 +394,7 @@ func TestAuthorizeDomain(t *testing.T) {
 		ID:    "me",
 		Scope: must(ExpandScope(ScopeAll)),
 		Roles: Roles{{
-			Name: "deny-all",
+			Name: RoleIdentifier{Name: "deny-all"},
 			// List out deny permissions explicitly
 			Site: []Permission{
 				{
@@ -607,7 +607,7 @@ func TestAuthorizeDomain(t *testing.T) {
 		Scope: must(ExpandScope(ScopeAll)),
 		Roles: Roles{
 			{
-				Name: "ReadOnlyOrgAndUser",
+				Name: RoleIdentifier{Name: "ReadOnlyOrgAndUser"},
 				Site: []Permission{},
 				Org: map[string][]Permission{
 					defOrg.String(): {{
@@ -701,7 +701,7 @@ func TestAuthorizeLevels(t *testing.T) {
 		Roles: Roles{
 			must(RoleByName(RoleOwner())),
 			{
-				Name: "org-deny:" + defOrg.String(),
+				Name: RoleIdentifier{Name: "org-deny:", OrganizationID: defOrg},
 				Org: map[string][]Permission{
 					defOrg.String(): {
 						{
@@ -713,7 +713,7 @@ func TestAuthorizeLevels(t *testing.T) {
 				},
 			},
 			{
-				Name: "user-deny-all",
+				Name: RoleIdentifier{Name: "user-deny-all"},
 				// List out deny permissions explicitly
 				User: []Permission{
 					{
@@ -761,7 +761,7 @@ func TestAuthorizeLevels(t *testing.T) {
 		Scope: must(ExpandScope(ScopeAll)),
 		Roles: Roles{
 			{
-				Name: "site-noise",
+				Name: RoleIdentifier{Name: "site-noise"},
 				Site: []Permission{
 					{
 						Negate:       true,
@@ -772,7 +772,7 @@ func TestAuthorizeLevels(t *testing.T) {
 			},
 			must(RoleByName(ScopedRoleOrgAdmin(defOrg))),
 			{
-				Name: "user-deny-all",
+				Name: RoleIdentifier{Name: "user-deny-all"},
 				// List out deny permissions explicitly
 				User: []Permission{
 					{
@@ -896,7 +896,7 @@ func TestAuthorizeScope(t *testing.T) {
 		},
 		Scope: Scope{
 			Role: Role{
-				Name:        "workspace_agent",
+				Name:        RoleIdentifier{Name: "workspace_agent"},
 				DisplayName: "Workspace Agent",
 				Site: Permissions(map[string][]policy.Action{
 					// Only read access for workspaces.
@@ -985,7 +985,7 @@ func TestAuthorizeScope(t *testing.T) {
 		},
 		Scope: Scope{
 			Role: Role{
-				Name:        "create_workspace",
+				Name:        RoleIdentifier{Name: "create_workspace"},
 				DisplayName: "Create Workspace",
 				Site: Permissions(map[string][]policy.Action{
 					// Only read access for workspaces.
diff --git a/coderd/rbac/rolestore/rolestore_test.go b/coderd/rbac/rolestore/rolestore_test.go
@@ -35,7 +35,7 @@ func TestExpandCustomRoleRoles(t *testing.T) {
 	})
 
 	ctx := testutil.Context(t, testutil.WaitShort)
-	roles, err := rolestore.Expand(ctx, db, []string{rbac.RoleIdentifier(roleName, org.ID.String())})
+	roles, err := rolestore.Expand(ctx, db, []rbac.RoleIdentifier{{Name: roleName, OrganizationID: org.ID}})
 	require.NoError(t, err)
 	require.Len(t, roles, 1, "role found")
 }
diff --git a/coderd/roles_test.go b/coderd/roles_test.go
@@ -51,20 +51,20 @@ func TestListRoles(t *testing.T) {
 				x, err := member.ListSiteRoles(ctx)
 				return x, err
 			},
-			ExpectedRoles: convertRoles(map[string]bool{
-				"owner":          false,
-				"auditor":        false,
-				"template-admin": false,
-				"user-admin":     false,
+			ExpectedRoles: convertRoles(map[rbac.RoleIdentifier]bool{
+				rbac.RoleIdentifier{Name: codersdk.RoleOwner}:         false,
+				rbac.RoleIdentifier{Name: codersdk.RoleAuditor}:       false,
+				rbac.RoleIdentifier{Name: codersdk.RoleTemplateAdmin}: false,
+				rbac.RoleIdentifier{Name: codersdk.RoleUserAdmin}:     false,
 			}),
 		},
 		{
 			Name: "OrgMemberListOrg",
 			APICall: func(ctx context.Context) ([]codersdk.AssignableRoles, error) {
 				return member.ListOrganizationRoles(ctx, owner.OrganizationID)
 			},
-			ExpectedRoles: convertRoles(map[string]bool{
-				rbac.ScopedRoleOrgAdmin(owner.OrganizationID): false,
+			ExpectedRoles: convertRoles(map[rbac.RoleIdentifier]bool{
+				rbac.RoleIdentifier{Name: codersdk.RoleOrganizationAdmin, OrganizationID: owner.OrganizationID}: false,
 			}),
 		},
 		{
@@ -80,20 +80,20 @@ func TestListRoles(t *testing.T) {
 			APICall: func(ctx context.Context) ([]codersdk.AssignableRoles, error) {
 				return orgAdmin.ListSiteRoles(ctx)
 			},
-			ExpectedRoles: convertRoles(map[string]bool{
-				"owner":          false,
-				"auditor":        false,
-				"template-admin": false,
-				"user-admin":     false,
+			ExpectedRoles: convertRoles(map[rbac.RoleIdentifier]bool{
+				rbac.RoleIdentifier{Name: codersdk.RoleOwner}:         false,
+				rbac.RoleIdentifier{Name: codersdk.RoleAuditor}:       false,
+				rbac.RoleIdentifier{Name: codersdk.RoleTemplateAdmin}: false,
+				rbac.RoleIdentifier{Name: codersdk.RoleUserAdmin}:     false,
 			}),
 		},
 		{
 			Name: "OrgAdminListOrg",
 			APICall: func(ctx context.Context) ([]codersdk.AssignableRoles, error) {
 				return orgAdmin.ListOrganizationRoles(ctx, owner.OrganizationID)
 			},
-			ExpectedRoles: convertRoles(map[string]bool{
-				rbac.ScopedRoleOrgAdmin(owner.OrganizationID): true,
+			ExpectedRoles: convertRoles(map[rbac.RoleIdentifier]bool{
+				rbac.RoleIdentifier{Name: codersdk.RoleOrganizationAdmin, OrganizationID: owner.OrganizationID}: true,
 			}),
 		},
 		{
@@ -109,20 +109,20 @@ func TestListRoles(t *testing.T) {
 			APICall: func(ctx context.Context) ([]codersdk.AssignableRoles, error) {
 				return client.ListSiteRoles(ctx)
 			},
-			ExpectedRoles: convertRoles(map[string]bool{
-				"owner":          true,
-				"auditor":        true,
-				"template-admin": true,
-				"user-admin":     true,
+			ExpectedRoles: convertRoles(map[rbac.RoleIdentifier]bool{
+				rbac.RoleIdentifier{Name: codersdk.RoleOwner}:         true,
+				rbac.RoleIdentifier{Name: codersdk.RoleAuditor}:       true,
+				rbac.RoleIdentifier{Name: codersdk.RoleTemplateAdmin}: true,
+				rbac.RoleIdentifier{Name: codersdk.RoleUserAdmin}:     true,
 			}),
 		},
 		{
 			Name: "AdminListOrg",
 			APICall: func(ctx context.Context) ([]codersdk.AssignableRoles, error) {
 				return client.ListOrganizationRoles(ctx, owner.OrganizationID)
 			},
-			ExpectedRoles: convertRoles(map[string]bool{
-				rbac.ScopedRoleOrgAdmin(owner.OrganizationID): true,
+			ExpectedRoles: convertRoles(map[rbac.RoleIdentifier]bool{
+				rbac.RoleIdentifier{Name: codersdk.RoleOrganizationAdmin, OrganizationID: owner.OrganizationID}: true,
 			}),
 		},
 	}
@@ -200,12 +200,12 @@ func TestListCustomRoles(t *testing.T) {
 	})
 }
 
-func convertRole(roleName string) codersdk.Role {
+func convertRole(roleName rbac.RoleIdentifier) codersdk.Role {
 	role, _ := rbac.RoleByName(roleName)
 	return db2sdk.RBACRole(role)
 }
 
-func convertRoles(assignableRoles map[string]bool) []codersdk.AssignableRoles {
+func convertRoles(assignableRoles map[rbac.RoleIdentifier]bool) []codersdk.AssignableRoles {
 	converted := make([]codersdk.AssignableRoles, 0, len(assignableRoles))
 	for roleName, assignable := range assignableRoles {
 		role := convertRole(roleName)
diff --git a/coderd/searchquery/search_test.go b/coderd/searchquery/search_test.go
@@ -11,7 +11,6 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/coder/coder/v2/coderd/database"
-	"github.com/coder/coder/v2/coderd/rbac"
 	"github.com/coder/coder/v2/coderd/searchquery"
 	"github.com/coder/coder/v2/codersdk"
 )
@@ -381,7 +380,7 @@ func TestSearchUsers(t *testing.T) {
 			Expected: database.GetUsersParams{
 				Search:   "user-name",
 				Status:   []database.UserStatus{database.UserStatusActive},
-				RbacRole: []string{rbac.RoleOwner()},
+				RbacRole: []string{codersdk.RoleOwner},
 			},
 		},
 		{
@@ -390,7 +389,7 @@ func TestSearchUsers(t *testing.T) {
 			Expected: database.GetUsersParams{
 				Search:   "user name",
 				Status:   []database.UserStatus{database.UserStatusSuspended},
-				RbacRole: []string{rbac.RoleMember()},
+				RbacRole: []string{codersdk.RoleMember},
 			},
 		},
 		{
@@ -399,7 +398,7 @@ func TestSearchUsers(t *testing.T) {
 			Expected: database.GetUsersParams{
 				Search:   "user-name",
 				Status:   []database.UserStatus{database.UserStatusActive},
-				RbacRole: []string{rbac.RoleOwner()},
+				RbacRole: []string{codersdk.RoleOwner},
 			},
 		},
 		{
diff --git a/coderd/workspacebuilds_test.go b/coderd/workspacebuilds_test.go
@@ -224,7 +224,7 @@ func TestWorkspaceBuilds(t *testing.T) {
 		t.Parallel()
 		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
 		first := coderdtest.CreateFirstUser(t, client)
-		second, secondUser := coderdtest.CreateAnotherUser(t, client, first.OrganizationID, "owner")
+		second, secondUser := coderdtest.CreateAnotherUser(t, client, first.OrganizationID, rbac.RoleOwner())
 
 		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
 		defer cancel()
diff --git a/coderd/workspaces_test.go b/coderd/workspaces_test.go
@@ -484,7 +484,7 @@ func TestWorkspacesSortOrder(t *testing.T) {
 
 	client, db := coderdtest.NewWithDatabase(t, nil)
 	firstUser := coderdtest.CreateFirstUser(t, client)
-	secondUserClient, secondUser := coderdtest.CreateAnotherUserMutators(t, client, firstUser.OrganizationID, []string{"owner"}, func(r *codersdk.CreateUserRequest) {
+	secondUserClient, secondUser := coderdtest.CreateAnotherUserMutators(t, client, firstUser.OrganizationID, []rbac.RoleIdentifier{rbac.RoleOwner()}, func(r *codersdk.CreateUserRequest) {
 		r.Username = "zzz"
 	})
 

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ func TestExpandCustomRoleRoles(t *testing.T) {`
`35`	`35`	`})`
`36`	`36`
`37`	`37`	`ctx := testutil.Context(t, testutil.WaitShort)`
`38`		`- roles, err := rolestore.Expand(ctx, db, []string{rbac.RoleIdentifier(roleName, org.ID.String())})`
	`38`	`+ roles, err := rolestore.Expand(ctx, db, []rbac.RoleIdentifier{{Name: roleName, OrganizationID: org.ID}})`
`39`	`39`	`require.NoError(t, err)`
`40`	`40`	`require.Len(t, roles, 1, "role found")`
`41`	`41`	`}`