Skip to content

feat: implement custom site-wide roles in the database #13289

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 26 commits into from
Closed

feat: implement custom site-wide roles in the database #13289

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
26 commits
Select commit Hold shift + click to select a range
5640dc8
chore: add migration to create a custom_roles table
Emyrk May 15, 2024
60274ad
add custom role expansion from db
Emyrk May 15, 2024
863f477
commit back querier.go, whoops!
Emyrk May 15, 2024
27e90cd
Add route to insert new roles
Emyrk May 15, 2024
3ad641c
adding esclation and validation checks on custom roles
Emyrk May 15, 2024
e0b7070
add test for custom roles
Emyrk May 16, 2024
5eaf6b0
add comment
Emyrk May 16, 2024
8fb8a1b
add dbauthz test
Emyrk May 16, 2024
8107dc7
add custom role esclation tests
Emyrk May 16, 2024
f5cd901
add built in role validation tests
Emyrk May 16, 2024
ce87f77
add test comment
Emyrk May 16, 2024
d41e95a
update comment
Emyrk May 16, 2024
171dbf0
cleanup
Emyrk May 16, 2024
52e097c
fixup rolename expansion
Emyrk May 16, 2024
71db49d
fmt
Emyrk May 16, 2024
1c6939e
add db fixture
Emyrk May 16, 2024
ea9b9be
typo
Emyrk May 16, 2024
aa85df1
Make gen
Emyrk May 16, 2024
2b0cba6
thread safe role cache'
Emyrk May 16, 2024
0d91366
More lint
Emyrk May 16, 2024
06a17c1
graphite pulled code from another branch??
Emyrk May 16, 2024
8ccf30c
unsure how to nolint this use of the owner
Emyrk May 16, 2024
490e9d9
fix gen
Emyrk May 16, 2024
1eec6e2
fmt.Errorf to xerrors
Emyrk May 16, 2024
5803346
fix imports
Emyrk May 16, 2024
3c8f79f
add import
Emyrk May 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
fmt.Errorf to xerrors
  • Loading branch information
@Emyrk
Emyrk committed May 16, 2024
commit 1eec6e2cb3c21c404283f63a41ee5e6e3a2a66d6
4 changes: 2 additions & 2 deletions coderd/rbac/object.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,10 +36,10 @@ type Object struct {
func (z Object) ValidAction(action policy.Action) error {
perms, ok := policy.RBACPermissions[z.Type]
if !ok {
return fmt.Errorf("invalid type %q", z.Type)
return xerrors.Errorf("invalid type %q", z.Type)
}
if _, ok := perms.Actions[action]; !ok {
return fmt.Errorf("invalid action %q for type %q", action, z.Type)
return xerrors.Errorf("invalid action %q for type %q", action, z.Type)
}

return nil
Expand Down
10 changes: 5 additions & 5 deletions coderd/rbac/roles.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -387,13 +387,13 @@ func (perm Permission) Valid() error {

resource, ok := policy.RBACPermissions[perm.ResourceType]
if !ok {
return fmt.Errorf("invalid resource type %q", perm.ResourceType)
return xerrors.Errorf("invalid resource type %q", perm.ResourceType)
}

if perm.Action != policy.WildcardSymbol {
_, ok := resource.Actions[perm.Action]
if !ok {
return fmt.Errorf("invalid action %q for resource %q", perm.Action, perm.ResourceType)
return xerrors.Errorf("invalid action %q for resource %q", perm.Action, perm.ResourceType)
}
}
return nil
Expand Down Expand Up @@ -430,21 +430,21 @@ func (role Role) Valid() error {
var errs []error
for _, perm := range role.Site {
if err := perm.Valid(); err != nil {
errs = append(errs, fmt.Errorf("site: %w", err))
errs = append(errs, xerrors.Errorf("site: %w", err))
}
}

for orgID, permissions := range role.Org {
for _, perm := range permissions {
if err := perm.Valid(); err != nil {
errs = append(errs, fmt.Errorf("org=%q: %w", orgID, err))
errs = append(errs, xerrors.Errorf("org=%q: %w", orgID, err))
}
}
}

for _, perm := range role.User {
if err := perm.Valid(); err != nil {
errs = append(errs, fmt.Errorf("user: %w", err))
errs = append(errs, xerrors.Errorf("user: %w", err))
}
}

Expand Down
2 changes: 1 addition & 1 deletion coderd/rbac/roles_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -389,7 +389,7 @@ func TestRolePermissions(t *testing.T) {
},
// Some admin style resources
{
Name: "Licences",
Name: "Licenses",
Actions: []policy.Action{policy.ActionCreate, policy.ActionRead, policy.ActionDelete},
Resource: rbac.ResourceLicense,
AuthorizeMap: map[bool][]authSubject{
Expand Down
2 changes: 1 addition & 1 deletion enterprise/coderd/roles_test.go
View file
Open in desktop
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like to see more tests:

  • What happens if we have existing custom roles and our license expires?
  • What happens if we patch a role and leave out certain fields in the request? Do the unspecified values get overwritten in the DB?

Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ func TestCustomRole(t *testing.T) {

ctx := testutil.Context(t, testutil.WaitMedium)

//nolint:gocritic -- owner is required for this
//nolint:gocritic // owner is required for this
role, err := owner.UpsertCustomSiteRole(ctx, codersdk.Role{
Name: "test-role",
DisplayName: "Testing Purposes",
Expand Down
8 changes: 4 additions & 4 deletions scripts/rbacgen/main.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -148,7 +148,7 @@ func generateRbacObjects(templateSource string) ([]byte, error) {
// Parse the policy.go file for the action enums
f, err := parser.ParseFile(token.NewFileSet(), "./coderd/rbac/policy/policy.go", nil, parser.ParseComments)
if err != nil {
return nil, fmt.Errorf("parsing policy.go: %w", err)
return nil, xerrors.Errorf("parsing policy.go: %w", err)
}
actionMap := fileActions(f)
actionList := make([]ActionDetails, 0)
Expand Down Expand Up @@ -176,14 +176,14 @@ func generateRbacObjects(templateSource string) ([]byte, error) {
x++
v, ok := actionMap[string(action)]
if !ok {
errorList = append(errorList, fmt.Errorf("action value %q does not have a constant a matching enum constant", action))
errorList = append(errorList, xerrors.Errorf("action value %q does not have a constant a matching enum constant", action))
}
return v
},
"concat": func(strs ...string) string { return strings.Join(strs, "") },
}).Parse(templateSource)
if err != nil {
return nil, fmt.Errorf("parse template: %w", err)
return nil, xerrors.Errorf("parse template: %w", err)
}

// Convert to sorted list for autogen consistency.
Expand All @@ -203,7 +203,7 @@ func generateRbacObjects(templateSource string) ([]byte, error) {

err = tpl.Execute(&out, list)
if err != nil {
return nil, fmt.Errorf("execute template: %w", err)
return nil, xerrors.Errorf("execute template: %w", err)
}

if len(errorList) > 0 {
Expand Down