feat: add cli command to edit custom roles

Emyrk · Emyrk · commit b64b01610cec · 2024-05-21T08:27:29.000-10:00
diff --git a/cli/cliui/parameter.go b/cli/cliui/parameter.go
@@ -43,7 +43,10 @@ func RichParameter(inv *serpent.Invocation, templateVersionParameter codersdk.Te
 			return "", err
 		}
 
-		values, err := MultiSelect(inv, options)
+		values, err := MultiSelect(inv, MultiSelectOptions{
+			Options:  options,
+			Defaults: options,
+		})
 		if err == nil {
 			v, err := json.Marshal(&values)
 			if err != nil {
diff --git a/cli/cliui/select.go b/cli/cliui/select.go
@@ -21,7 +21,7 @@ func init() {
     {{- .CurrentOpt.Value}}
     {{- color "reset"}}
 {{end}}
-
+{{- if .Message }}{{- color "default+hb"}}{{ .Message }}{{ .FilterMessage }}{{color "reset"}}{{ end }}
 {{- if not .ShowAnswer }}
 {{- if .Config.Icons.Help.Text }}
 {{- if .FilterMessage }}{{ "Search:" }}{{ .FilterMessage }}
@@ -44,18 +44,20 @@ func init() {
     {{- " "}}{{- .CurrentOpt.Value}}
 {{end}}
 {{- if .ShowHelp }}{{- color .Config.Icons.Help.Format }}{{ .Config.Icons.Help.Text }} {{ .Help }}{{color "reset"}}{{"\n"}}{{end}}
+{{- if .Message }}{{- color "default+hb"}}{{ .Message }}{{ .FilterMessage }}{{color "reset"}}{{ end }}
 {{- if not .ShowAnswer }}
   {{- "\n"}}
   {{- range $ix, $option := .PageEntries}}
     {{- template "option" $.IterateOption $ix $option}}
   {{- end}}
-{{- end}}`
+{{- end }}`
 }
 
 type SelectOptions struct {
 	Options []string
 	// Default will be highlighted first if it's a valid option.
 	Default    string
+	Message    string
 	Size       int
 	HideSearch bool
 }
@@ -122,6 +124,7 @@ func Select(inv *serpent.Invocation, opts SelectOptions) (string, error) {
 		Options:  opts.Options,
 		Default:  defaultOption,
 		PageSize: opts.Size,
+		Message:  opts.Message,
 	}, &value, survey.WithIcons(func(is *survey.IconSet) {
 		is.Help.Text = "Type to search"
 		if opts.HideSearch {
@@ -138,15 +141,22 @@ func Select(inv *serpent.Invocation, opts SelectOptions) (string, error) {
 	return value, err
 }
 
-func MultiSelect(inv *serpent.Invocation, items []string) ([]string, error) {
+type MultiSelectOptions struct {
+	Message  string
+	Options  []string
+	Defaults []string
+}
+
+func MultiSelect(inv *serpent.Invocation, opts MultiSelectOptions) ([]string, error) {
 	// Similar hack is applied to Select()
 	if flag.Lookup("test.v") != nil {
-		return items, nil
+		return opts.Defaults, nil
 	}
 
 	prompt := &survey.MultiSelect{
-		Options: items,
-		Default: items,
+		Message: opts.Message,
+		Options: opts.Options,
+		Default: opts.Defaults,
 	}
 
 	var values []string
diff --git a/cli/cliui/select_test.go b/cli/cliui/select_test.go
@@ -107,7 +107,10 @@ func newMultiSelect(ptty *ptytest.PTY, items []string) ([]string, error) {
 	var values []string
 	cmd := &serpent.Command{
 		Handler: func(inv *serpent.Invocation) error {
-			selectedItems, err := cliui.MultiSelect(inv, items)
+			selectedItems, err := cliui.MultiSelect(inv, cliui.MultiSelectOptions{
+				Options:  items,
+				Defaults: items,
+			})
 			if err == nil {
 				values = selectedItems
 			}
diff --git a/coderd/util/slice/slice.go b/coderd/util/slice/slice.go
@@ -4,6 +4,15 @@ import (
 	"golang.org/x/exp/constraints"
 )
 
+// ToStrings works for any type where the base type is a string.
+func ToStrings[T ~string](a []T) []string {
+	tmp := make([]string, 0, len(a))
+	for _, v := range a {
+		tmp = append(tmp, string(v))
+	}
+	return tmp
+}
+
 // Omit creates a new slice with the arguments omitted from the list.
 func Omit[T comparable](a []T, omits ...T) []T {
 	tmp := make([]T, 0, len(a))
diff --git a/codersdk/rbacresources_gen.go b/codersdk/rbacresources_gen.go
diff --git a/enterprise/cli/roleedit.go b/enterprise/cli/roleedit.go
@@ -0,0 +1,251 @@
+package cli
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/v2/cli"
+	"github.com/coder/coder/v2/cli/cliui"
+	"github.com/coder/coder/v2/coderd/util/slice"
+	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/serpent"
+)
+
+func (r *RootCmd) editRole() *serpent.Command {
+	formatter := cliui.NewOutputFormatter(
+		cliui.ChangeFormatterData(
+			cliui.TableFormat([]codersdk.Role{}, []string{"name", "display_name", "site_permissions", "org_permissions", "user_permissions"}),
+			func(data any) (any, error) {
+				return []codersdk.Role{data.(codersdk.Role)}, nil
+			},
+		),
+		cliui.JSONFormat(),
+	)
+
+	var (
+		dryRun bool
+	)
+
+	client := new(codersdk.Client)
+	cmd := &serpent.Command{
+		Use:   "edit <role_name>",
+		Short: "Edit a custom role",
+		Long: cli.FormatExamples(
+			cli.Example{
+				Description: "Run with an input.json file",
+				Command:     "coder roles edit custom_name < role.json",
+			},
+		),
+		Options: []serpent.Option{
+			cliui.SkipPromptOption(),
+			{
+				Name:        "dry-run",
+				Description: "Does all the work, but does not submit the final updated role.",
+				Flag:        "dry-run",
+				Value:       serpent.BoolOf(&dryRun),
+			},
+		},
+		Middleware: serpent.Chain(
+			serpent.RequireNArgs(1),
+			r.InitClient(client),
+		),
+		Handler: func(inv *serpent.Invocation) error {
+			ctx := inv.Context()
+			roles, err := client.ListSiteRoles(ctx)
+			if err != nil {
+				return xerrors.Errorf("listing roles: %w", err)
+			}
+
+			// Make sure the role actually exists first
+			var originalRole codersdk.AssignableRoles
+			for _, r := range roles {
+				if strings.EqualFold(inv.Args[0], r.Name) {
+					originalRole = r
+					break
+				}
+			}
+
+			if originalRole.Name == "" {
+				_, err = cliui.Prompt(inv, cliui.PromptOptions{
+					Text:      "No role exists with that name, do you want to create one?",
+					Default:   "yes",
+					IsConfirm: true,
+				})
+				if err != nil {
+					return xerrors.Errorf("abort: %w", err)
+				}
+
+				originalRole.Role = codersdk.Role{
+					Name: inv.Args[0],
+				}
+			}
+
+			var customRole *codersdk.Role
+			// Either interactive, or take input mode.
+			fi, _ := os.Stdin.Stat()
+			if (fi.Mode() & os.ModeCharDevice) == 0 {
+				bytes, err := io.ReadAll(os.Stdin)
+				if err != nil {
+					return xerrors.Errorf("reading stdin: %w", err)
+				}
+
+				err = json.Unmarshal(bytes, customRole)
+				if err != nil {
+					return xerrors.Errorf("parsing stdin json: %w", err)
+				}
+			} else {
+				// Interactive mode
+				if len(originalRole.OrganizationPermissions) > 0 {
+					return xerrors.Errorf("unable to edit role in interactive mode, it contains organization permissions")
+				}
+
+				if len(originalRole.UserPermissions) > 0 {
+					return xerrors.Errorf("unable to edit role in interactive mode, it contains user permissions")
+				}
+
+				customRole, err = interactiveEdit(inv, &originalRole.Role)
+				if err != nil {
+					return xerrors.Errorf("editing role: %w", err)
+				}
+			}
+
+			totalOrg := 0
+			for _, o := range customRole.OrganizationPermissions {
+				totalOrg += len(o)
+			}
+			preview := fmt.Sprintf("perms: %d site, %d over %d orgs, %d user",
+				len(customRole.SitePermissions), totalOrg, len(customRole.OrganizationPermissions), len(customRole.UserPermissions))
+			_, err = cliui.Prompt(inv, cliui.PromptOptions{
+				Text:      "Are you sure you wish to update the role? " + preview,
+				Default:   "yes",
+				IsConfirm: true,
+			})
+			if err != nil {
+				return xerrors.Errorf("abort: %w", err)
+			}
+
+			var updated codersdk.Role
+			if dryRun {
+				// Do not actually post
+				updated = *customRole
+			} else {
+				updated, err = client.PatchRole(ctx, *customRole)
+				if err != nil {
+					return fmt.Errorf("patch role: %w", err)
+				}
+			}
+
+			_, err = formatter.Format(ctx, updated)
+			if err != nil {
+				return xerrors.Errorf("formatting: %w", err)
+			}
+			return nil
+		},
+	}
+
+	formatter.AttachOptions(&cmd.Options)
+	return cmd
+}
+
+func interactiveEdit(inv *serpent.Invocation, role *codersdk.Role) (*codersdk.Role, error) {
+	allowedResources := []codersdk.RBACResource{
+		codersdk.ResourceTemplate,
+		codersdk.ResourceWorkspace,
+		codersdk.ResourceUser,
+		codersdk.ResourceGroup,
+	}
+
+	const done = "Finish and submit changes"
+	const abort = "Cancel changes"
+
+	// Now starts the role editing "game".
+customRoleLoop:
+	for {
+		selected, err := cliui.Select(inv, cliui.SelectOptions{
+			Message: "Select which resources to edit permissions",
+			Options: append(permissionPreviews(role, allowedResources), done, abort),
+		})
+		if err != nil {
+			return role, xerrors.Errorf("selecting resource: %w", err)
+		}
+		switch selected {
+		case done:
+			break customRoleLoop
+		case abort:
+			return role, xerrors.Errorf("edit role %q aborted", role.Name)
+		default:
+			strs := strings.Split(selected, "::")
+			resource := strings.TrimSpace(strs[0])
+
+			actions, err := cliui.MultiSelect(inv, cliui.MultiSelectOptions{
+				Message:  fmt.Sprintf("Select actions to allow across the whole deployment for resources=%q", resource),
+				Options:  slice.ToStrings(codersdk.RBACResourceActions[codersdk.RBACResource(resource)]),
+				Defaults: defaultActions(role, resource),
+			})
+			if err != nil {
+				return role, xerrors.Errorf("selecting actions for resource %q: %w", resource, err)
+			}
+			applyResourceActions(role, resource, actions)
+			// back to resources!
+		}
+	}
+	// This println is required because the prompt ends us on the same line as some text.
+	_, _ = fmt.Println()
+
+	return role, nil
+}
+
+func applyResourceActions(role *codersdk.Role, resource string, actions []string) {
+	// Construct new site perms with only new perms for the resource
+	keep := make([]codersdk.Permission, 0)
+	for _, perm := range role.SitePermissions {
+		perm := perm
+		if string(perm.ResourceType) != resource {
+			keep = append(keep, perm)
+		}
+	}
+
+	// Add new perms
+	for _, action := range actions {
+		keep = append(keep, codersdk.Permission{
+			Negate:       false,
+			ResourceType: codersdk.RBACResource(resource),
+			Action:       codersdk.RBACAction(action),
+		})
+	}
+
+	role.SitePermissions = keep
+}
+
+func defaultActions(role *codersdk.Role, resource string) []string {
+	defaults := make([]string, 0)
+	for _, perm := range role.SitePermissions {
+		if string(perm.ResourceType) == resource {
+			defaults = append(defaults, string(perm.Action))
+		}
+	}
+	return defaults
+}
+
+func permissionPreviews(role *codersdk.Role, resources []codersdk.RBACResource) []string {
+	previews := make([]string, 0, len(resources))
+	for _, resource := range resources {
+		previews = append(previews, permissionPreview(role, resource))
+	}
+	return previews
+}
+
+func permissionPreview(role *codersdk.Role, resource codersdk.RBACResource) string {
+	count := 0
+	for _, perm := range role.SitePermissions {
+		if perm.ResourceType == resource {
+			count++
+		}
+	}
+	return fmt.Sprintf("%s :: %d permissions", resource, count)
+}
diff --git a/enterprise/cli/rolescmd.go b/enterprise/cli/rolescmd.go
@@ -26,6 +26,7 @@ func (r *RootCmd) roles() *serpent.Command {
 		Hidden: true,
 		Children: []*serpent.Command{
 			r.showRole(),
+			r.editRole(),
 		},
 	}
 	return cmd
diff --git a/scripts/rbacgen/codersdk.gotmpl b/scripts/rbacgen/codersdk.gotmpl

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,7 @@ func (r RootCmd) roles() serpent.Command {`
`26`	`26`	`Hidden: true,`
`27`	`27`	`Children: []*serpent.Command{`
`28`	`28`	`r.showRole(),`
	`29`	`+ r.editRole(),`
`29`	`30`	`},`
`30`	`31`	`}`
`31`	`32`	`return cmd`