feat: allow setting quotas on Everyone group

sreya · sreya · commit de06b53e21eb · 2023-08-15T22:54:20.000Z
diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -916,11 +916,11 @@ func (q *querier) GetGroupByOrgAndName(ctx context.Context, arg database.GetGrou
 	return fetch(q.log, q.auth, q.db.GetGroupByOrgAndName)(ctx, arg)
 }
 
-func (q *querier) GetGroupMembers(ctx context.Context, groupID uuid.UUID) ([]database.User, error) {
-	if _, err := q.GetGroupByID(ctx, groupID); err != nil { // AuthZ check
+func (q *querier) GetGroupMembers(ctx context.Context, arg database.GetGroupMembersParams) ([]database.User, error) {
+	if _, err := q.GetGroupByID(ctx, arg.ID); err != nil { // AuthZ check
 		return nil, err
 	}
-	return q.db.GetGroupMembers(ctx, groupID)
+	return q.db.GetGroupMembers(ctx, arg)
 }
 
 func (q *querier) GetGroupsByOrganizationID(ctx context.Context, organizationID uuid.UUID) ([]database.Group, error) {
diff --git a/coderd/database/dbfake/dbfake.go b/coderd/database/dbfake/dbfake.go
@@ -1376,13 +1376,13 @@ func (q *FakeQuerier) GetGroupByOrgAndName(_ context.Context, arg database.GetGr
 	return database.Group{}, sql.ErrNoRows
 }
 
-func (q *FakeQuerier) GetGroupMembers(_ context.Context, groupID uuid.UUID) ([]database.User, error) {
+func (q *FakeQuerier) GetGroupMembers(_ context.Context, arg database.GetGroupMembersParams) ([]database.User, error) {
 	q.mutex.RLock()
 	defer q.mutex.RUnlock()
 
 	var members []database.GroupMember
 	for _, member := range q.groupMembers {
-		if member.GroupID == groupID {
+		if member.GroupID == arg.ID {
 			members = append(members, member)
 		}
 	}
diff --git a/coderd/database/dbmetrics/dbmetrics.go b/coderd/database/dbmetrics/dbmetrics.go
diff --git a/coderd/database/dbmock/dbmock.go b/coderd/database/dbmock/dbmock.go
diff --git a/coderd/database/modelmethods.go b/coderd/database/modelmethods.go
@@ -362,3 +362,7 @@ func ConvertWorkspaceRows(rows []GetWorkspacesRow) []Workspace {
 
 	return workspaces
 }
+
+func (g Group) IsEveryoneGroup() bool {
+	return g.ID == g.OrganizationID
+}
diff --git a/coderd/database/querier.go b/coderd/database/querier.go
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
diff --git a/coderd/database/queries/groupmembers.sql b/coderd/database/queries/groupmembers.sql
@@ -3,12 +3,26 @@ SELECT
 	users.*
 FROM
 	users
-JOIN
+LEFT JOIN
 	group_members
 ON
-	users.id = group_members.user_id
+	CASE WHEN @id:: uuid != @organization_id :: uuid THEN
+	group_members.user_id = users.id
+	END
+LEFT JOIN
+	organization_members
+ON
+    CASE WHEN @id :: uuid = @organization_id :: uuid THEN
+        organization_members.user_id = users.id
+    END
 WHERE
-	group_members.group_id = $1
+    CASE WHEN @id :: uuid != @organization_id :: uuid THEN
+        group_members.group_id = @id
+    ELSE true END
+AND
+    CASE WHEN @id :: uuid = @organization_id :: uuid THEN
+        organization_members.organization_id = @organization_id
+    ELSE true END
 AND
 	users.status = 'active'
 AND
diff --git a/coderd/database/queries/groups.sql b/coderd/database/queries/groups.sql
@@ -26,9 +26,7 @@ SELECT
 FROM
 	groups
 WHERE
-	organization_id = $1
-AND
-	id != $1;
+	organization_id = $1;
 
 -- name: InsertGroup :one
 INSERT INTO groups (
diff --git a/enterprise/coderd/groups.go b/enterprise/coderd/groups.go
@@ -102,16 +102,26 @@ func (api *API) patchGroup(rw http.ResponseWriter, r *http.Request) {
 	)
 	defer commitAudit()
 
-	currentMembers, currentMembersErr := api.Database.GetGroupMembers(ctx, group.ID)
-	if currentMembersErr != nil {
-		httpapi.InternalServerError(rw, currentMembersErr)
+	var req codersdk.PatchGroupRequest
+	if !httpapi.Read(ctx, rw, r, &req) {
 		return
 	}
 
-	aReq.Old = group.Auditable(currentMembers)
+	// If the name matches the existing group name pretend we aren't
+	// updating the name at all.
+	if req.Name == group.Name {
+		req.Name = ""
+	}
 
-	var req codersdk.PatchGroupRequest
-	if !httpapi.Read(ctx, rw, r, &req) {
+	// TODO:
+	// - Test no add/remove users to everyone group.
+	// - Test no update everyone group name.
+	// - Test no update everyone display name.
+
+	if group.ID == group.OrganizationID && (req.Name != "" || req.DisplayName != nil) {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: fmt.Sprintf("Cannot rename the %q group!", database.AllUsersGroup),
+		})
 		return
 	}
 
@@ -122,16 +132,27 @@ func (api *API) patchGroup(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// If the name matches the existing group name pretend we aren't
-	// updating the name at all.
-	if req.Name == group.Name {
-		req.Name = ""
-	}
-
 	users := make([]string, 0, len(req.AddUsers)+len(req.RemoveUsers))
 	users = append(users, req.AddUsers...)
 	users = append(users, req.RemoveUsers...)
 
+	if len(users) > 0 && group.Name == database.AllUsersGroup {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: fmt.Sprintf("Cannot add or remove users from the %q group!", database.AllUsersGroup),
+		})
+		return
+	}
+
+	currentMembers, currentMembersErr := api.Database.GetGroupMembers(ctx, database.GetGroupMembersParams{
+		ID:             group.ID,
+		OrganizationID: group.OrganizationID,
+	})
+	if currentMembersErr != nil {
+		httpapi.InternalServerError(rw, currentMembersErr)
+		return
+	}
+	aReq.Old = group.Auditable(currentMembers)
+
 	for _, id := range users {
 		if _, err := uuid.Parse(id); err != nil {
 			httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
@@ -156,6 +177,7 @@ func (api *API) patchGroup(rw http.ResponseWriter, r *http.Request) {
 			return
 		}
 	}
+
 	if req.Name != "" && req.Name != group.Name {
 		_, err := api.Database.GetGroupByOrgAndName(ctx, database.GetGroupByOrgAndNameParams{
 			OrganizationID: group.OrganizationID,
@@ -230,7 +252,9 @@ func (api *API) patchGroup(rw http.ResponseWriter, r *http.Request) {
 			}
 		}
 		return nil
-	}, nil)
+	}, &sql.TxOptions{
+		Isolation: sql.LevelRepeatableRead,
+	})
 	if database.IsUniqueViolation(err) {
 		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
 			Message: "Cannot add the same user to a group twice!",
@@ -250,7 +274,10 @@ func (api *API) patchGroup(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	patchedMembers, err := api.Database.GetGroupMembers(ctx, group.ID)
+	patchedMembers, err := api.Database.GetGroupMembers(ctx, database.GetGroupMembersParams{
+		ID:             group.ID,
+		OrganizationID: group.OrganizationID,
+	})
 	if err != nil {
 		httpapi.InternalServerError(rw, err)
 		return
@@ -283,21 +310,24 @@ func (api *API) deleteGroup(rw http.ResponseWriter, r *http.Request) {
 	)
 	defer commitAudit()
 
-	groupMembers, getMembersErr := api.Database.GetGroupMembers(ctx, group.ID)
-	if getMembersErr != nil {
-		httpapi.InternalServerError(rw, getMembersErr)
-		return
-	}
-
-	aReq.Old = group.Auditable(groupMembers)
-
 	if group.Name == database.AllUsersGroup {
 		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
 			Message: fmt.Sprintf("%q is a reserved group and cannot be deleted!", database.AllUsersGroup),
 		})
 		return
 	}
 
+	groupMembers, getMembersErr := api.Database.GetGroupMembers(ctx, database.GetGroupMembersParams{
+		ID:             group.ID,
+		OrganizationID: group.OrganizationID,
+	})
+	if getMembersErr != nil {
+		httpapi.InternalServerError(rw, getMembersErr)
+		return
+	}
+
+	aReq.Old = group.Auditable(groupMembers)
+
 	err := api.Database.DeleteGroupByID(ctx, group.ID)
 	if err != nil {
 		httpapi.InternalServerError(rw, err)
@@ -336,7 +366,10 @@ func (api *API) group(rw http.ResponseWriter, r *http.Request) {
 		group = httpmw.GroupParam(r)
 	)
 
-	users, err := api.Database.GetGroupMembers(ctx, group.ID)
+	users, err := api.Database.GetGroupMembers(ctx, database.GetGroupMembersParams{
+		ID:             group.ID,
+		OrganizationID: group.OrganizationID,
+	})
 	if err != nil && !xerrors.Is(err, sql.ErrNoRows) {
 		httpapi.InternalServerError(rw, err)
 		return
@@ -381,7 +414,10 @@ func (api *API) groups(rw http.ResponseWriter, r *http.Request) {
 
 	resp := make([]codersdk.Group, 0, len(groups))
 	for _, group := range groups {
-		members, err := api.Database.GetGroupMembers(ctx, group.ID)
+		members, err := api.Database.GetGroupMembers(ctx, database.GetGroupMembersParams{
+			ID:             group.ID,
+			OrganizationID: group.OrganizationID,
+		})
 		if err != nil {
 			httpapi.InternalServerError(rw, err)
 			return
diff --git a/enterprise/coderd/templates.go b/enterprise/coderd/templates.go
@@ -58,7 +58,10 @@ func (api *API) templateAvailablePermissions(rw http.ResponseWriter, r *http.Req
 	sdkGroups := make([]codersdk.Group, 0, len(groups))
 	for _, group := range groups {
 		// nolint:gocritic
-		members, err := api.Database.GetGroupMembers(dbauthz.AsSystemRestricted(ctx), group.ID)
+		members, err := api.Database.GetGroupMembers(dbauthz.AsSystemRestricted(ctx), database.GetGroupMembersParams{
+			ID:             group.ID,
+			OrganizationID: group.OrganizationID,
+		})
 		if err != nil {
 			httpapi.InternalServerError(rw, err)
 			return
@@ -128,7 +131,10 @@ func (api *API) templateACL(rw http.ResponseWriter, r *http.Request) {
 		// them read the group members.
 		// We should probably at least return more truncated user data here.
 		// nolint:gocritic
-		members, err = api.Database.GetGroupMembers(dbauthz.AsSystemRestricted(ctx), group.ID)
+		members, err = api.Database.GetGroupMembers(dbauthz.AsSystemRestricted(ctx), database.GetGroupMembersParams{
+			ID:             group.ID,
+			OrganizationID: group.OrganizationID,
+		})
 		if err != nil {
 			httpapi.InternalServerError(rw, err)
 			return
diff --git a/site/src/pages/GroupsPage/GroupPage.tsx b/site/src/pages/GroupsPage/GroupPage.tsx
@@ -124,6 +124,7 @@ export const GroupPage: React.FC = () => {
                     <Button startIcon={<SettingsOutlined />}>Settings</Button>
                   </Link>
                   <Button
+                    disabled={group?.id == group?.organization_id}
                     onClick={() => {
                       send("DELETE")
                     }}
@@ -146,7 +147,13 @@ export const GroupPage: React.FC = () => {
             </PageHeader>
 
             <Stack spacing={1}>
-              <Maybe condition={canUpdateGroup}>
+              <Maybe
+                condition={
+                  canUpdateGroup &&
+                  group !== undefined &&
+                  group?.id != group?.organization_id
+                }
+              >
                 <AddGroupMember
                   isLoading={state.matches("addingMember")}
                   onSubmit={(user, reset) => {
@@ -217,7 +224,8 @@ export const GroupPage: React.FC = () => {
                                           userId: member.id,
                                         })
                                       },
-                                      disabled: false,
+                                      disabled:
+                                        group.id == group.organization_id,
                                     },
                                   ]}
                                 />
diff --git a/site/src/pages/GroupsPage/SettingsGroupPageView.tsx b/site/src/pages/GroupsPage/SettingsGroupPageView.tsx
@@ -12,6 +12,7 @@ import { useTranslation } from "react-i18next"
 import { getFormHelpers, nameValidator, onChangeTrimmed } from "utils/formUtils"
 import * as Yup from "yup"
 import { Stack } from "components/Stack/Stack"
+import { GroupRemove } from "@mui/icons-material"
 
 type FormData = {
   name: string
@@ -56,6 +57,7 @@ const UpdateGroupForm: FC<{
             autoFocus
             fullWidth
             label="Name"
+            disabled={group.id == group.organization_id}
           />
           <TextField
             {...getFieldHelpers(
@@ -67,6 +69,7 @@ const UpdateGroupForm: FC<{
             autoFocus
             fullWidth
             label="Display Name"
+            disabled={group.id == group.organization_id}
           />
           <LazyIconField
             {...getFieldHelpers("avatar_url")}

Original file line number	Diff line number	Diff line change
`@@ -916,11 +916,11 @@ func (q *querier) GetGroupByOrgAndName(ctx context.Context, arg database.GetGrou`
`916`	`916`	`return fetch(q.log, q.auth, q.db.GetGroupByOrgAndName)(ctx, arg)`
`917`	`917`	`}`
`918`	`918`
`919`		`-func (q *querier) GetGroupMembers(ctx context.Context, groupID uuid.UUID) ([]database.User, error) {`
`920`		`- if _, err := q.GetGroupByID(ctx, groupID); err != nil { // AuthZ check`
	`919`	`+func (q *querier) GetGroupMembers(ctx context.Context, arg database.GetGroupMembersParams) ([]database.User, error) {`
	`920`	`+ if _, err := q.GetGroupByID(ctx, arg.ID); err != nil { // AuthZ check`
`921`	`921`	`return nil, err`
`922`	`922`	`}`
`923`		`- return q.db.GetGroupMembers(ctx, groupID)`
	`923`	`+ return q.db.GetGroupMembers(ctx, arg)`
`924`	`924`	`}`
`925`	`925`
`926`	`926`	`func (q *querier) GetGroupsByOrganizationID(ctx context.Context, organizationID uuid.UUID) ([]database.Group, error) {`
Original file line number	Diff line number	Diff line change
`@@ -1376,13 +1376,13 @@ func (q *FakeQuerier) GetGroupByOrgAndName(_ context.Context, arg database.GetGr`
`1376`	`1376`	`return database.Group{}, sql.ErrNoRows`
`1377`	`1377`	`}`
`1378`	`1378`
`1379`		`-func (q *FakeQuerier) GetGroupMembers(_ context.Context, groupID uuid.UUID) ([]database.User, error) {`
	`1379`	`+func (q *FakeQuerier) GetGroupMembers(_ context.Context, arg database.GetGroupMembersParams) ([]database.User, error) {`
`1380`	`1380`	`q.mutex.RLock()`
`1381`	`1381`	`defer q.mutex.RUnlock()`
`1382`	`1382`
`1383`	`1383`	`var members []database.GroupMember`
`1384`	`1384`	`for _, member := range q.groupMembers {`
`1385`		`- if member.GroupID == groupID {`
	`1385`	`+ if member.GroupID == arg.ID {`
`1386`	`1386`	`members = append(members, member)`
`1387`	`1387`	`}`
`1388`	`1388`	`}`
Original file line number	Diff line number	Diff line change
`@@ -362,3 +362,7 @@ func ConvertWorkspaceRows(rows []GetWorkspacesRow) []Workspace {`
`362`	`362`
`363`	`363`	`return workspaces`
`364`	`364`	`}`
	`365`	`+`
	`366`	`+func (g Group) IsEveryoneGroup() bool {`
	`367`	`+ return g.ID == g.OrganizationID`
	`368`	`+}`