add groups acl

sreya · sreya · commit 82b1faf4ab00 · 2022-09-27T00:20:09.000Z
diff --git a/coderd/database/databasefake/databasefake.go b/coderd/database/databasefake/databasefake.go
@@ -1233,7 +1233,7 @@ func (q *fakeQuerier) GetTemplates(_ context.Context) ([]database.Template, erro
 	return templates, nil
 }
 
-func (q *fakeQuerier) UpdateTemplateUserACLByID(_ context.Context, id uuid.UUID, acl database.UserACL) error {
+func (q *fakeQuerier) UpdateTemplateUserACLByID(_ context.Context, id uuid.UUID, acl database.ACL) error {
 	q.mutex.RLock()
 	defer q.mutex.RUnlock()
 
@@ -1247,6 +1247,20 @@ func (q *fakeQuerier) UpdateTemplateUserACLByID(_ context.Context, id uuid.UUID,
 	return sql.ErrNoRows
 }
 
+func (q *fakeQuerier) UpdateTemplateGroupACLByID(_ context.Context, id uuid.UUID, acl database.ACL) error {
+	q.mutex.RLock()
+	defer q.mutex.RUnlock()
+
+	for i, t := range q.templates {
+		if t.ID == id {
+			t = t.SetGroupACL(acl)
+			q.templates[i] = t
+			return nil
+		}
+	}
+	return sql.ErrNoRows
+}
+
 func (q *fakeQuerier) GetTemplateUserRoles(_ context.Context, id uuid.UUID) ([]database.TemplateUser, error) {
 	q.mutex.RLock()
 	defer q.mutex.RUnlock()
@@ -1286,6 +1300,45 @@ func (q *fakeQuerier) GetTemplateUserRoles(_ context.Context, id uuid.UUID) ([]d
 	return users, nil
 }
 
+func (q *fakeQuerier) GetTemplateGroupRoles(_ context.Context, id uuid.UUID) ([]database.TemplateGroup, error) {
+	q.mutex.RLock()
+	defer q.mutex.RUnlock()
+
+	var template database.Template
+	for _, t := range q.templates {
+		if t.ID == id {
+			template = t
+			break
+		}
+	}
+
+	if template.ID == uuid.Nil {
+		return nil, sql.ErrNoRows
+	}
+
+	acl := template.UserACL()
+
+	groups := make([]database.TemplateGroup, 0, len(acl))
+	for k, v := range acl {
+		user, err := q.GetGroupByID(context.Background(), uuid.MustParse(k))
+		if err != nil && xerrors.Is(err, sql.ErrNoRows) {
+			return nil, xerrors.Errorf("get user by ID: %w", err)
+		}
+		// We don't delete users from the map if they
+		// get deleted so just skip.
+		if xerrors.Is(err, sql.ErrNoRows) {
+			continue
+		}
+
+		groups = append(groups, database.TemplateGroup{
+			Group: user,
+			Role:  v,
+		})
+	}
+
+	return groups, nil
+}
+
 func (q *fakeQuerier) GetOrganizationMemberByUserID(_ context.Context, arg database.GetOrganizationMemberByUserIDParams) (database.OrganizationMember, error) {
 	q.mutex.RLock()
 	defer q.mutex.RUnlock()
@@ -1766,7 +1819,8 @@ func (q *fakeQuerier) InsertTemplate(_ context.Context, arg database.InsertTempl
 		MinAutostartInterval: arg.MinAutostartInterval,
 		CreatedBy:            arg.CreatedBy,
 	}
-	template = template.SetUserACL(database.UserACL{})
+	template = template.SetUserACL(database.ACL{})
+	template = template.SetGroupACL(database.ACL{})
 	q.templates = append(q.templates, template)
 	return template, nil
 }
diff --git a/coderd/database/modelmethods.go b/coderd/database/modelmethods.go
@@ -7,13 +7,10 @@ import (
 	"github.com/coder/coder/coderd/rbac"
 )
 
-// UserACL is a map of user_ids to permissions.
-type UserACL map[string]TemplateRole
+// ACL is a map of user_ids to permissions.
+type ACL map[string]TemplateRole
 
-// Group is a map of user_ids to permissions.
-type GroupACL map[string]TemplateRole
-
-func (u UserACL) Actions() map[string][]rbac.Action {
+func (u ACL) Actions() map[string][]rbac.Action {
 	aclRBAC := make(map[string][]rbac.Action, len(u))
 	for k, v := range u {
 		aclRBAC[k] = templateRoleToActions(v)
@@ -22,8 +19,8 @@ func (u UserACL) Actions() map[string][]rbac.Action {
 	return aclRBAC
 }
 
-func (t Template) UserACL() UserACL {
-	var acl UserACL
+func (t Template) UserACL() ACL {
+	var acl ACL
 	if len(t.userACL) == 0 {
 		return acl
 	}
@@ -36,9 +33,31 @@ func (t Template) UserACL() UserACL {
 	return acl
 }
 
-func (t Template) GroupACL() Gr
+func (t Template) GroupACL() ACL {
+	var acl ACL
+	if len(t.groupACL) == 0 {
+		return acl
+	}
+
+	err := json.Unmarshal(t.groupACL, &acl)
+	if err != nil {
+		panic(fmt.Sprintf("failed to unmarshal template.userACL: %v", err.Error()))
+	}
+
+	return acl
+}
+
+func (t Template) SetGroupACL(acl ACL) Template {
+	raw, err := json.Marshal(acl)
+	if err != nil {
+		panic(fmt.Sprintf("marshal user acl: %v", err))
+	}
+
+	t.userACL = raw
+	return t
+}
 
-func (t Template) SetUserACL(acl UserACL) Template {
+func (t Template) SetUserACL(acl ACL) Template {
 	raw, err := json.Marshal(acl)
 	if err != nil {
 		panic(fmt.Sprintf("marshal user acl: %v", err))
@@ -74,7 +93,9 @@ func (s APIKeyScope) ToRBAC() rbac.Scope {
 
 func (t Template) RBACObject() rbac.Object {
 	obj := rbac.ResourceTemplate
-	return obj.InOrg(t.OrganizationID).WithACLUserList(t.UserACL().Actions())
+	return obj.InOrg(t.OrganizationID).
+		WithACLUserList(t.UserACL().Actions()).
+		WithGroupACL(t.GroupACL().Actions())
 }
 
 func (TemplateVersion) RBACObject(template Template) rbac.Object {
diff --git a/coderd/database/modelqueries.go b/coderd/database/modelqueries.go
@@ -16,7 +16,9 @@ type customQuerier interface {
 }
 
 type templateQuerier interface {
-	UpdateTemplateUserACLByID(ctx context.Context, id uuid.UUID, acl UserACL) error
+	UpdateTemplateUserACLByID(ctx context.Context, id uuid.UUID, acl ACL) error
+	UpdateTemplateGroupACLByID(ctx context.Context, id uuid.UUID, acl ACL) error
+	GetTemplateGroupRoles(ctx context.Context, id uuid.UUID) ([]TemplateGroup, error)
 	GetTemplateUserRoles(ctx context.Context, id uuid.UUID) ([]TemplateUser, error)
 }
 
@@ -25,7 +27,7 @@ type TemplateUser struct {
 	Role TemplateRole `db:"role"`
 }
 
-func (q *sqlQuerier) UpdateTemplateUserACLByID(ctx context.Context, id uuid.UUID, acl UserACL) error {
+func (q *sqlQuerier) UpdateTemplateUserACLByID(ctx context.Context, id uuid.UUID, acl ACL) error {
 	raw, err := json.Marshal(acl)
 	if err != nil {
 		return xerrors.Errorf("marshal user acl: %w", err)
@@ -81,3 +83,65 @@ func (q *sqlQuerier) GetTemplateUserRoles(ctx context.Context, id uuid.UUID) ([]
 
 	return tus, nil
 }
+
+type TemplateGroup struct {
+	Group
+	Role TemplateRole
+}
+
+func (q *sqlQuerier) UpdateTemplateGroupACLByID(ctx context.Context, id uuid.UUID, acl ACL) error {
+	raw, err := json.Marshal(acl)
+	if err != nil {
+		return xerrors.Errorf("marshal user acl: %w", err)
+	}
+
+	const query = `
+UPDATE
+	templates
+SET
+	group_acl = $2
+WHERE
+	id = $1`
+
+	_, err = q.db.ExecContext(ctx, query, id.String(), raw)
+	if err != nil {
+		return xerrors.Errorf("update user acl: %w", err)
+	}
+
+	return nil
+}
+
+func (q *sqlQuerier) GetTemplateGroupRoles(ctx context.Context, id uuid.UUID) ([]TemplateGroup, error) {
+	const query = `
+	SELECT
+		perms.value as role, group.*
+	FROM
+		groups
+	JOIN
+		(
+			SELECT
+				*
+			FROM
+				jsonb_each_text(
+					(
+						SELECT
+							templates.group
+						FROM
+							templates
+						WHERE
+							id = $1
+					)
+				)
+		) AS perms
+	ON
+		groups.id::text = perms.key;
+	`
+
+	var tgs []TemplateGroup
+	err := q.db.SelectContext(ctx, &tgs, query, id.String())
+	if err != nil {
+		return nil, xerrors.Errorf("select context: %w", err)
+	}
+
+	return tgs, nil
+}
diff --git a/coderd/database/models.go b/coderd/database/models.go
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
diff --git a/coderd/database/sqlc.yaml b/coderd/database/sqlc.yaml
@@ -40,4 +40,4 @@ rename:
   ids: IDs
   jwt: JWT
   user_acl: userACL
-  group_acl: userACL
+  group_acl: groupACL
diff --git a/coderd/rbac/authz_internal_test.go b/coderd/rbac/authz_internal_test.go
@@ -244,29 +244,29 @@ func TestAuthorizeDomain(t *testing.T) {
 
 	testAuthorize(t, "GroupACLList", user, []authTestCase{
 		{
-			resource: ResourceWorkspace.WithOwner(unuseID.String()).InOrg(unuseID).WithGroups(map[string][]Action{
+			resource: ResourceWorkspace.WithOwner(unuseID.String()).InOrg(unuseID).WithGroupACL(map[string][]Action{
 				allUsersGroup: allActions(),
 			}),
 			actions: allActions(),
 			allow:   true,
 		},
 		{
-			resource: ResourceWorkspace.WithOwner(unuseID.String()).InOrg(unuseID).WithGroups(map[string][]Action{
+			resource: ResourceWorkspace.WithOwner(unuseID.String()).InOrg(unuseID).WithGroupACL(map[string][]Action{
 				allUsersGroup: {WildcardSymbol},
 			}),
 			actions: allActions(),
 			allow:   true,
 		},
 		{
-			resource: ResourceWorkspace.WithOwner(unuseID.String()).InOrg(unuseID).WithGroups(map[string][]Action{
+			resource: ResourceWorkspace.WithOwner(unuseID.String()).InOrg(unuseID).WithGroupACL(map[string][]Action{
 				allUsersGroup: {ActionRead, ActionUpdate},
 			}),
 			actions: []Action{ActionCreate, ActionDelete},
 			allow:   false,
 		},
 		{
 			// By default users cannot update templates
-			resource: ResourceTemplate.InOrg(defOrg).WithGroups(map[string][]Action{
+			resource: ResourceTemplate.InOrg(defOrg).WithGroupACL(map[string][]Action{
 				allUsersGroup: {ActionUpdate},
 			}),
 			actions: []Action{ActionRead, ActionUpdate},
diff --git a/coderd/rbac/object.go b/coderd/rbac/object.go
@@ -208,7 +208,7 @@ func (z Object) WithACLUserList(acl map[string][]Action) Object {
 	}
 }
 
-func (z Object) WithGroups(groups map[string][]Action) Object {
+func (z Object) WithGroupACL(groups map[string][]Action) Object {
 	return Object{
 		Owner:        z.Owner,
 		OrgID:        z.OrgID,
diff --git a/coderd/templates.go b/coderd/templates.go
@@ -466,7 +466,7 @@ func (api *API) patchTemplateMeta(rw http.ResponseWriter, r *http.Request) {
 
 	// Only users who are able to create templates (aka template admins)
 	// are able to control user permissions.
-	if (len(req.UserPerms) > 0 || req.IsPrivate != nil) &&
+	if len(req.UserPerms) > 0 &&
 		!api.Authorize(r, rbac.ActionCreate, template) {
 		httpapi.ResourceNotFound(rw)
 		return
@@ -872,7 +872,7 @@ func (api *API) convertTemplate(
 	}
 }
 
-func convertTemplateACL(acl database.UserACL) map[string]codersdk.TemplateRole {
+func convertTemplateACL(acl database.ACL) map[string]codersdk.TemplateRole {
 	userACL := make(map[string]codersdk.TemplateRole, len(acl))
 	for k, v := range acl {
 		userACL[k] = convertDatabaseTemplateRole(v)
diff --git a/coderd/templates_test.go b/coderd/templates_test.go
@@ -406,7 +406,6 @@ func TestPatchTemplateMeta(t *testing.T) {
 			Icon:                       "/icons/new-icon.png",
 			MaxTTLMillis:               12 * time.Hour.Milliseconds(),
 			MinAutostartIntervalMillis: time.Minute.Milliseconds(),
-			IsPrivate:                  boolPtr(true),
 		}
 		// It is unfortunate we need to sleep, but the test can fail if the
 		// updatedAt is too close together.
@@ -423,7 +422,6 @@ func TestPatchTemplateMeta(t *testing.T) {
 		assert.Equal(t, req.Icon, updated.Icon)
 		assert.Equal(t, req.MaxTTLMillis, updated.MaxTTLMillis)
 		assert.Equal(t, req.MinAutostartIntervalMillis, updated.MinAutostartIntervalMillis)
-		assert.True(t, updated.IsPrivate)
 
 		// Extra paranoid: did it _really_ happen?
 		updated, err = client.Template(ctx, template.ID)
@@ -434,7 +432,6 @@ func TestPatchTemplateMeta(t *testing.T) {
 		assert.Equal(t, req.Icon, updated.Icon)
 		assert.Equal(t, req.MaxTTLMillis, updated.MaxTTLMillis)
 		assert.Equal(t, req.MinAutostartIntervalMillis, updated.MinAutostartIntervalMillis)
-		assert.Equal(t, *req.IsPrivate, updated.IsPrivate)
 
 		require.Len(t, auditor.AuditLogs, 4)
 		assert.Equal(t, database.AuditActionWrite, auditor.AuditLogs[3].Action)
diff --git a/codersdk/templates.go b/codersdk/templates.go

Original file line number	Diff line number	Diff line change
`@@ -208,7 +208,7 @@ func (z Object) WithACLUserList(acl map[string][]Action) Object {`
`208`	`208`	`}`
`209`	`209`	`}`
`210`	`210`
`211`		`-func (z Object) WithGroups(groups map[string][]Action) Object {`
	`211`	`+func (z Object) WithGroupACL(groups map[string][]Action) Object {`
`212`	`212`	`return Object{`
`213`	`213`	`Owner: z.Owner,`
`214`	`214`	`OrgID: z.OrgID,`