Rename OrgOwner -> OrgID

Emyrk · Emyrk · commit fced411a51a4 · 2022-04-11T12:45:45.000-05:00
diff --git a/coderd/authz/README.md b/coderd/authz/README.md
@@ -4,7 +4,7 @@ Package `authz` implements AuthoriZation for Coder.
 
 ## Overview
 
-Authorization defines what **permission** an **subject** has to perform **actions** to **objects**:
+Authorization defines what **permission** a **subject** has to perform **actions** to **objects**:
 - **Permission** is binary: *yes* (allowed) or *no* (denied).
 - **Subject** in this case is anything that implements interface `authz.Subject`.
 - **Action** here is an enumerated list of actions, but we stick to `Create`, `Read`, `Update`, and `Delete` here.
diff --git a/coderd/authz/authz.go b/coderd/authz/authz.go
@@ -33,8 +33,8 @@ func Authorize(subj Subject, obj Object, action Action) error {
 		}
 
 		// Grab org roles if the resource is owned by a given organization.
-		if obj.OrgOwner != "" {
-			orgID := obj.OrgOwner
+		if obj.OrgID != "" {
+			orgID := obj.OrgID
 			if v, ok := r.Org[orgID]; ok {
 				merged.Org[orgID] = append(merged.Org[orgID], v...)
 			}
diff --git a/coderd/authz/authz_test.go b/coderd/authz/authz_test.go
@@ -16,7 +16,7 @@ func TestAuthorizeDomain(t *testing.T) {
 
 	user := authz.SubjectTODO{
 		UserID: "me",
-		Roles:  []authz.Role{authz.RoleSiteMember, authz.RoleOrgMember(defOrg)},
+		Roles:  []authz.Role{authz.RoleMember, authz.RoleOrgMember(defOrg)},
 	}
 
 	testAuthorize(t, "Member", user, []authTestCase{
@@ -117,7 +117,7 @@ func TestAuthorizeDomain(t *testing.T) {
 		UserID: "me",
 		Roles: []authz.Role{
 			authz.RoleOrgAdmin(defOrg),
-			authz.RoleSiteMember,
+			authz.RoleMember,
 		},
 	}
 
@@ -163,8 +163,8 @@ func TestAuthorizeDomain(t *testing.T) {
 	user = authz.SubjectTODO{
 		UserID: "me",
 		Roles: []authz.Role{
-			authz.RoleSiteAdmin,
-			authz.RoleSiteMember,
+			authz.RoleAdmin,
+			authz.RoleMember,
 		},
 	}
 
@@ -378,7 +378,7 @@ func TestAuthorizeLevels(t *testing.T) {
 	user := authz.SubjectTODO{
 		UserID: "me",
 		Roles: []authz.Role{
-			authz.RoleSiteAdmin,
+			authz.RoleAdmin,
 			authz.RoleOrgDenyAll(defOrg),
 			{
 				Name: "user-deny-all",
diff --git a/coderd/authz/example_test.go b/coderd/authz/example_test.go
@@ -19,7 +19,7 @@ func TestExample(t *testing.T) {
 		UserID: "alice",
 		Roles: []authz.Role{
 			authz.RoleOrgAdmin("default"),
-			authz.RoleSiteMember,
+			authz.RoleMember,
 		},
 	}
 
diff --git a/coderd/authz/object.go b/coderd/authz/object.go
@@ -16,19 +16,20 @@ package authz
 // that represents the set of workspaces you are trying to get access too.
 // Do not export this type, as it can be created from a resource type constant.
 type Object struct {
-	ID       string
-	Owner    string
-	OrgOwner string
+	ID    string `json:"id"`
+	Owner string `json:"owner"`
+	// OrgID specifies which org the object is a part of.
+	OrgID string `json:"org_owner"`
 
 	// ObjectType is "workspace", "project", "devurl", etc
-	ObjectType ResourceType
+	ObjectType ResourceType `json:"object_type"`
 	// TODO: SharedUsers?
 }
 
 // InOrg adds an org OwnerID to the resource
 //nolint:revive
 func (z Object) InOrg(orgID string) Object {
-	z.OrgOwner = orgID
+	z.OrgID = orgID
 	return z
 }
 
diff --git a/coderd/authz/resources.go b/coderd/authz/resources.go
@@ -19,7 +19,7 @@ func (z ResourceType) All() Object {
 //nolint:revive
 func (r ResourceType) InOrg(orgID string) Object {
 	return Object{
-		OrgOwner:   orgID,
+		OrgID:      orgID,
 		ObjectType: r,
 	}
 }
diff --git a/coderd/authz/role.go b/coderd/authz/role.go
@@ -31,24 +31,24 @@ type Role struct {
 // Roles are stored as structs, so they can be serialized and stored. Until we store them elsewhere,
 // const's will do just fine.
 var (
-	// RoleSiteAdmin is a role that allows everything everywhere.
-	RoleSiteAdmin = Role{
+	// RoleAdmin is a role that allows everything everywhere.
+	RoleAdmin = Role{
 		Name: "admin",
 		Site: permissions(map[ResourceType][]Action{
 			Wildcard: {Wildcard},
 		}),
 	}
 
-	// RoleSiteMember is a role that allows access to user-level resources.
-	RoleSiteMember = Role{
+	// RoleMember is a role that allows access to user-level resources.
+	RoleMember = Role{
 		Name: "member",
 		User: permissions(map[ResourceType][]Action{
 			Wildcard: {Wildcard},
 		}),
 	}
 
-	// RoleSiteAuditor is an example on how to give more precise permissions
-	RoleSiteAuditor = Role{
+	// RoleAuditor is an example on how to give more precise permissions
+	RoleAuditor = Role{
 		Name: "auditor",
 		Site: permissions(map[ResourceType][]Action{
 			// TODO: @emyrk when audit logs are added, add back a read perm

Original file line number	Diff line number	Diff line change
`@@ -33,8 +33,8 @@ func Authorize(subj Subject, obj Object, action Action) error {`
`33`	`33`	`}`
`34`	`34`
`35`	`35`	`// Grab org roles if the resource is owned by a given organization.`
`36`		`- if obj.OrgOwner != "" {`
`37`		`- orgID := obj.OrgOwner`
	`36`	`+ if obj.OrgID != "" {`
	`37`	`+ orgID := obj.OrgID`
`38`	`38`	`if v, ok := r.Org[orgID]; ok {`
`39`	`39`	`merged.Org[orgID] = append(merged.Org[orgID], v...)`
`40`	`40`	`}`
Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ func TestExample(t *testing.T) {`
`19`	`19`	`UserID: "alice",`
`20`	`20`	`Roles: []authz.Role{`
`21`	`21`	`authz.RoleOrgAdmin("default"),`
`22`		`- authz.RoleSiteMember,`
	`22`	`+ authz.RoleMember,`
`23`	`23`	`},`
`24`	`24`	`}`
`25`	`25`
Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ func (z ResourceType) All() Object {`
`19`	`19`	`//nolint:revive`
`20`	`20`	`func (r ResourceType) InOrg(orgID string) Object {`
`21`	`21`	`return Object{`
`22`		`- OrgOwner: orgID,`
	`22`	`+ OrgID: orgID,`
`23`	`23`	`ObjectType: r,`
`24`	`24`	`}`
`25`	`25`	`}`