
Commit e9285dd

committed
chore: add an unassign action for roles
1 parent 7c035a4 commit e9285dd


18 files changed

+214
-241
lines changed


coderd/apidoc/docs.go

Lines changed: 2 additions & 0 deletions

coderd/apidoc/swagger.json

Lines changed: 2 additions & 0 deletions

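--- a/coderd/database/dbauthz/customroles_test.go
+++ b/coderd/database/dbauthz/customroles_test.go
@@ -34,11 +34,11 @@ func TestInsertCustomRoles(t *testing.T) {
 }
 }
 
-canAssignRole := rbac.Role{
+canCreateCustomRole := rbac.Role{
 Identifier: rbac.RoleIdentifier{Name: "can-assign"},
 DisplayName: "",
 Site: rbac.Permissions(map[string][]policy.Action{
-rbac.ResourceAssignRole.Type: {policy.ActionRead, policy.ActionCreate},
+rbac.ResourceAssignOrgRole.Type: {policy.ActionRead, policy.ActionCreate},
 }),
 }
 
@@ -61,37 +61,37 @@ func TestInsertCustomRoles(t *testing.T) {
 return all
 }
 
-orgID := uuid.NullUUID{
-UUID: uuid.New(),
-Valid: true,
-}
+orgID := uuid.New()
+
 testCases := []struct {
 name string
 
 subject rbac.ExpandableRoles
 
 // Perms to create on new custom role
-organizationID uuid.NullUUID
+organizationID uuid.UUID
 site []codersdk.Permission
 org []codersdk.Permission
 user []codersdk.Permission
 errorContains string
 }{
 {
 // No roles, so no assign role
-name: "no-roles",
-subject: rbac.RoleIdentifiers{},
-errorContains: "forbidden",
+name: "no-roles",
+organizationID: orgID,
+subject: rbac.RoleIdentifiers{},
+errorContains: "forbidden",
 },
 {
 // This works because the new role has 0 perms
-name: "empty",
-subject: merge(canAssignRole),
+name: "empty",
+organizationID: orgID,
+subject: merge(canCreateCustomRole),
 },
 {
 name: "mixed-scopes",
-subject: merge(canAssignRole, rbac.RoleOwner()),
 organizationID: orgID,
+subject: merge(canCreateCustomRole, rbac.RoleOwner()),
 site: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
 codersdk.ResourceWorkspace: {codersdk.ActionRead},
 }),
@@ -101,27 +101,30 @@ func TestInsertCustomRoles(t *testing.T) {
 errorContains: "organization roles specify site or user permissions",
 },
 {
-name: "invalid-action",
-subject: merge(canAssignRole, rbac.RoleOwner()),
-site: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
+name: "invalid-action",
+organizationID: orgID,
+subject: merge(canCreateCustomRole, rbac.RoleOwner()),
+org: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
 // Action does not go with resource
 codersdk.ResourceWorkspace: {codersdk.ActionViewInsights},
 }),
 errorContains: "invalid action",
 },
 {
-name: "invalid-resource",
-subject: merge(canAssignRole, rbac.RoleOwner()),
-site: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
+name: "invalid-resource",
+organizationID: orgID,
+subject: merge(canCreateCustomRole, rbac.RoleOwner()),
+org: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
 "foobar": {codersdk.ActionViewInsights},
 }),
 errorContains: "invalid resource",
 },
 {
 // Not allowing these at this time.
-name: "negative-permission",
-subject: merge(canAssignRole, rbac.RoleOwner()),
-site: []codersdk.Permission{
+name: "negative-permission",
+organizationID: orgID,
+subject: merge(canCreateCustomRole, rbac.RoleOwner()),
+org: []codersdk.Permission{
 {
 Negate: true,
 ResourceType: codersdk.ResourceWorkspace,
@@ -131,89 +134,69 @@ func TestInsertCustomRoles(t *testing.T) {
 errorContains: "no negative permissions",
 },
 {
-name: "wildcard", // not allowed
-subject: merge(canAssignRole, rbac.RoleOwner()),
-site: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
+name: "wildcard", // not allowed
+organizationID: orgID,
+subject: merge(canCreateCustomRole, rbac.RoleOwner()),
+org: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
 codersdk.ResourceWorkspace: {"*"},
 }),
 errorContains: "no wildcard symbols",
 },
 // escalation checks
 {
-name: "read-workspace-escalation",
-subject: merge(canAssignRole),
-site: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
+name: "read-workspace-escalation",
+organizationID: orgID,
+subject: merge(canCreateCustomRole),
+org: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
 codersdk.ResourceWorkspace: {codersdk.ActionRead},
 }),
 errorContains: "not allowed to grant this permission",
 },
 {
-name: "read-workspace-outside-org",
-organizationID: uuid.NullUUID{
-UUID: uuid.New(),
-Valid: true,
-},
-subject: merge(canAssignRole, rbac.ScopedRoleOrgAdmin(orgID.UUID)),
+name: "read-workspace-outside-org",
+organizationID: uuid.New(),
+subject: merge(canCreateCustomRole, rbac.ScopedRoleOrgAdmin(orgID)),
 org: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
 codersdk.ResourceWorkspace: {codersdk.ActionRead},
 }),
-errorContains: "forbidden",
+errorContains: "not allowed to grant this permission",
 },
 {
 name: "user-escalation",
 // These roles do not grant user perms
-subject: merge(canAssignRole, rbac.ScopedRoleOrgAdmin(orgID.UUID)),
+organizationID: orgID,
+subject: merge(canCreateCustomRole, rbac.ScopedRoleOrgAdmin(orgID)),
 user: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
 codersdk.ResourceWorkspace: {codersdk.ActionRead},
 }),
-errorContains: "not allowed to grant this permission",
+errorContains: "organization roles specify site or user permissions",
 },
 {
-name: "template-admin-escalation",
-subject: merge(canAssignRole, rbac.RoleTemplateAdmin()),
+name: "site-escalation",
+organizationID: orgID,
+subject: merge(canCreateCustomRole, rbac.RoleTemplateAdmin()),
 site: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
-codersdk.ResourceWorkspace: {codersdk.ActionRead}, // ok!
 codersdk.ResourceDeploymentConfig: {codersdk.ActionUpdate}, // not ok!
 }),
-user: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
-codersdk.ResourceWorkspace: {codersdk.ActionRead}, // ok!
-}),
-errorContains: "deployment_config",
+errorContains: "organization roles specify site or user permissions",
 },
 // ok!
 {
-name: "read-workspace-template-admin",
-subject: merge(canAssignRole, rbac.RoleTemplateAdmin()),
-site: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
+name: "read-workspace-template-admin",
+organizationID: orgID,
+subject: merge(canCreateCustomRole, rbac.RoleTemplateAdmin()),
+org: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
 codersdk.ResourceWorkspace: {codersdk.ActionRead},
 }),
 },
 {
 name: "read-workspace-in-org",
-subject: merge(canAssignRole, rbac.ScopedRoleOrgAdmin(orgID.UUID)),
 organizationID: orgID,
+subject: merge(canCreateCustomRole, rbac.ScopedRoleOrgAdmin(orgID)),
 org: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
 codersdk.ResourceWorkspace: {codersdk.ActionRead},
 }),
 },
-{
-name: "user-perms",
-// This is weird, but is ok
-subject: merge(canAssignRole, rbac.RoleMember()),
-user: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
-codersdk.ResourceWorkspace: {codersdk.ActionRead},
-}),
-},
-{
-name: "site+user-perms",
-subject: merge(canAssignRole, rbac.RoleMember(), rbac.RoleTemplateAdmin()),
-site: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
-codersdk.ResourceWorkspace: {codersdk.ActionRead},
-}),
-user: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
-codersdk.ResourceWorkspace: {codersdk.ActionRead},
-}),
-},
 }
 
 for _, tc := range testCases {
@@ -234,7 +217,7 @@ func TestInsertCustomRoles(t *testing.T) {
 _, err := az.InsertCustomRole(ctx, database.InsertCustomRoleParams{
 Name: "test-role",
 DisplayName: "",
-OrganizationID: tc.organizationID,
+OrganizationID: uuid.NullUUID{UUID: tc.organizationID, Valid: true},
 SitePermissions: db2sdk.List(tc.site, convertSDKPerm),
 OrgPermissions: db2sdk.List(tc.org, convertSDKPerm),
 UserPermissions: db2sdk.List(tc.user, convertSDKPerm),
@@ -249,11 +232,11 @@ func TestInsertCustomRoles(t *testing.T) {
 LookupRoles: []database.NameOrganizationPair{
 {
 Name: "test-role",
-OrganizationID: tc.organizationID.UUID,
+OrganizationID: tc.organizationID,
 },
 },
 ExcludeOrgRoles: false,
-OrganizationID: uuid.UUID{},
+OrganizationID: uuid.Nil,
 })
 require.NoError(t, err)
 require.Len(t, roles, 1)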
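Review bot: The `site-escalation` and `user-escalation` cases now assert `organization roles specify site or user permissions`, so they exercise the scope validation rather than the privilege-escalation check that their names and the `// not ok!` comment on `codersdk.ResourceDeploymentConfig` describe; with every case in this table org-scoped, none of them reaches the escalation check with site- or user-level permissions any more. That is fine if site-scoped custom roles are no longer creatable through this path, but the names then mislead, so either rename them (e.g. `site-perms-rejected`, `user-perms-rejected`) and drop the `// not ok!` comment, or keep one case whose asserted error is `not allowed to grant this permission` for a site-level grant. In `read-workspace-outside-org` the expected error moved from `forbidden` to the escalation message, which suggests the fixture's site-level `rbac.ResourceAssignOrgRole` permission lets the cross-org insert pass authorization and only the escalation check rejects it; a one-line comment on that case, such as `// authz permits the cross-org insert; the escalation check rejects the grant`, would stop a later reader from treating the escalation check as the org boundary. `TestInsertCustomRoles` begins before the first hunk and continues past the last.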
