coder · Emyrk · Jun 20, 2024 · Jun 17, 2024
diff --git a/coderd/apidoc/docs.go b/coderd/apidoc/docs.go
diff --git a/coderd/apidoc/swagger.json b/coderd/apidoc/swagger.json
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -860,6 +860,7 @@ func New(options *Options) *API {
 							r.Use(
 								httpmw.ExtractOrganizationMemberParam(options.Database),
 							)
+							r.Delete("/", api.deleteOrganizationMember)
 							r.Put("/roles", api.putMemberRoles)
 							r.Post("/workspaces", api.postWorkspacesByOrganization)
 						})

diff --git a/coderd/database/dbauthz/dbauthz.go b/coderd/database/dbauthz/dbauthz.go
@@ -1035,6 +1035,16 @@ func (q *querier) DeleteOrganization(ctx context.Context, id uuid.UUID) error {
 	return deleteQ(q.log, q.auth, q.db.GetOrganizationByID, q.db.DeleteOrganization)(ctx, id)
 }
 
+func (q *querier) DeleteOrganizationMember(ctx context.Context, arg database.DeleteOrganizationMemberParams) error {
+	return deleteQ[database.OrganizationMember](q.log, q.auth, func(ctx context.Context, arg database.DeleteOrganizationMemberParams) (database.OrganizationMember, error) {
+		member, err := database.ExpectOne(q.OrganizationMembers(ctx, database.OrganizationMembersParams(arg)))
+		if err != nil {
+			return database.OrganizationMember{}, err
+		}
+		return member.OrganizationMember, nil
+	}, q.db.DeleteOrganizationMember)(ctx, arg)
+}
+
 func (q *querier) DeleteReplicasUpdatedBefore(ctx context.Context, updatedAt time.Time) error {
 	if err := q.authorizeContext(ctx, policy.ActionDelete, rbac.ResourceSystem); err != nil {
 		return err

diff --git a/coderd/database/dbauthz/dbauthz_test.go b/coderd/database/dbauthz/dbauthz_test.go
@@ -628,6 +628,23 @@ func (s *MethodTestSuite) TestOrganization() {
 			rbac.ResourceAssignOrgRole.InOrg(o.ID), policy.ActionAssign,
 			rbac.ResourceOrganizationMember.InOrg(o.ID).WithID(u.ID), policy.ActionCreate)
 	}))
+	s.Run("DeleteOrganizationMember", s.Subtest(func(db database.Store, check *expects) {
+		o := dbgen.Organization(s.T(), db, database.Organization{})
+		u := dbgen.User(s.T(), db, database.User{})
+		member := dbgen.OrganizationMember(s.T(), db, database.OrganizationMember{UserID: u.ID, OrganizationID: o.ID})
+
+		check.Args(database.DeleteOrganizationMemberParams{
+			OrganizationID: o.ID,
+			UserID:         u.ID,
+		}).Asserts(
+			// Reads the org member before it tries to delete it
+			member, policy.ActionRead,
+			member, policy.ActionDelete).
+			// SQL Filter returns a 404
+			WithNotAuthorized("no rows").
+			WithCancelled("no rows").
+			Errors(sql.ErrNoRows)
+	}))
 	s.Run("UpdateOrganization", s.Subtest(func(db database.Store, check *expects) {
 		o := dbgen.Organization(s.T(), db, database.Organization{
 			Name: "something-unique",

diff --git a/coderd/database/dbmem/dbmem.go b/coderd/database/dbmem/dbmem.go
@@ -1632,6 +1632,24 @@ func (q *FakeQuerier) DeleteOrganization(_ context.Context, id uuid.UUID) error
 	return sql.ErrNoRows
 }
 
+func (q *FakeQuerier) DeleteOrganizationMember(_ context.Context, arg database.DeleteOrganizationMemberParams) error {
+	err := validateDatabaseType(arg)
+	if err != nil {
+		return err
+	}
+
+	q.mutex.Lock()
+	defer q.mutex.Unlock()
+
+	deleted := slices.DeleteFunc(q.data.organizationMembers, func(member database.OrganizationMember) bool {
+		return member.OrganizationID == arg.OrganizationID && member.UserID == arg.UserID
+	})
+	if len(deleted) == 0 {
+		return sql.ErrNoRows
+	}
+	return nil
+}
+
 func (q *FakeQuerier) DeleteReplicasUpdatedBefore(_ context.Context, before time.Time) error {
 	q.mutex.Lock()
 	defer q.mutex.Unlock()

diff --git a/coderd/database/dbmetrics/dbmetrics.go b/coderd/database/dbmetrics/dbmetrics.go
diff --git a/coderd/database/dbmock/dbmock.go b/coderd/database/dbmock/dbmock.go
diff --git a/coderd/database/querier.go b/coderd/database/querier.go
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
diff --git a/coderd/database/queries/organizationmembers.sql b/coderd/database/queries/organizationmembers.sql
@@ -36,6 +36,15 @@ INSERT INTO
 VALUES
 	($1, $2, $3, $4, $5) RETURNING *;
 
+-- name: DeleteOrganizationMember :exec
+DELETE
+	FROM
+		organization_members
+	WHERE
+		organization_id = @organization_id AND
+		user_id = @user_id
+;
+
 
 -- name: GetOrganizationIDsByMemberIDs :many
 SELECT

diff --git a/coderd/members.go b/coderd/members.go
@@ -62,6 +62,38 @@ func (api *API) postOrganizationMember(rw http.ResponseWriter, r *http.Request)
 	httpapi.Write(ctx, rw, http.StatusOK, resp[0])
 }
 
+// @Summary Remove organization member
+// @ID remove-organization-member
+// @Security CoderSessionToken
+// @Produce json
+// @Tags Members
+// @Param organization path string true "Organization ID"
+// @Param user path string true "User ID, name, or me"
+// @Success 200 {object} codersdk.OrganizationMember
+// @Router /organizations/{organization}/members/{user} [delete]
+func (api *API) deleteOrganizationMember(rw http.ResponseWriter, r *http.Request) {
+	var (
+		ctx          = r.Context()
+		organization = httpmw.OrganizationParam(r)
+		member       = httpmw.OrganizationMemberParam(r)
+	)
+
+	err := api.Database.DeleteOrganizationMember(ctx, database.DeleteOrganizationMemberParams{
+		OrganizationID: organization.ID,
+		UserID:         member.UserID,
+	})
+	if httpapi.Is404Error(err) {
+		httpapi.ResourceNotFound(rw)
+		return
+	}
+	if err != nil {
+		httpapi.InternalServerError(rw, err)
+		return
+	}
+
+	httpapi.Write(ctx, rw, http.StatusOK, "organization member removed")
+}
+
 // @Summary List organization members
 // @ID list-organization-members
 // @Security CoderSessionToken

diff --git a/coderd/members_test.go b/coderd/members_test.go
@@ -1,6 +1,7 @@
 package coderd_test
 
 import (
+	"net/http"
 	"testing"
 
 	"github.com/google/uuid"
@@ -114,6 +115,63 @@ func TestListMembers(t *testing.T) {
 	})
 }
 
+func TestRemoveMember(t *testing.T) {
+	t.Parallel()
+
+	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
+		owner := coderdtest.New(t, nil)
+		first := coderdtest.CreateFirstUser(t, owner)
+		orgAdminClient, orgAdmin := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID, rbac.ScopedRoleOrgAdmin(first.OrganizationID))
+		_, user := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID)
+
+		ctx := testutil.Context(t, testutil.WaitMedium)
+		// Verify the org of 3 members
+		members, err := orgAdminClient.OrganizationMembers(ctx, first.OrganizationID)
+		require.NoError(t, err)
+		require.Len(t, members, 3)
+		require.ElementsMatch(t,
+			[]uuid.UUID{first.UserID, user.ID, orgAdmin.ID},
+			db2sdk.List(members, onlyIDs))
+
+		// Delete a member
+		err = orgAdminClient.DeleteOrganizationMember(ctx, first.OrganizationID, user.Username)
+		require.NoError(t, err)
+
+		members, err = orgAdminClient.OrganizationMembers(ctx, first.OrganizationID)
+		require.NoError(t, err)
+		require.Len(t, members, 2)
+		require.ElementsMatch(t,
+			[]uuid.UUID{first.UserID, orgAdmin.ID},
+			db2sdk.List(members, onlyIDs))
+	})
+
+	t.Run("MemberNotInOrg", func(t *testing.T) {
+		t.Parallel()
+		owner := coderdtest.New(t, nil)
+		first := coderdtest.CreateFirstUser(t, owner)
+		orgAdminClient, _ := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID, rbac.ScopedRoleOrgAdmin(first.OrganizationID))
+
+		ctx := testutil.Context(t, testutil.WaitMedium)
+		// nolint:gocritic // requires owner to make a new org
+		org, _ := owner.CreateOrganization(ctx, codersdk.CreateOrganizationRequest{
+			Name:        "other",
+			DisplayName: "",
+			Description: "",
+			Icon:        "",
+		})
+
+		_, user := coderdtest.CreateAnotherUser(t, owner, org.ID)
+
+		// Delete a user that is not in the organization
+		err := orgAdminClient.DeleteOrganizationMember(ctx, first.OrganizationID, user.Username)
+		require.Error(t, err)
+		var apiError *codersdk.Error
+		require.ErrorAs(t, err, &apiError)
+		require.Equal(t, http.StatusNotFound, apiError.StatusCode())
+	})
+}
+
 func onlyIDs(u codersdk.OrganizationMemberWithName) uuid.UUID {
 	return u.UserID
 }
diff --git a/codersdk/users.go b/codersdk/users.go
@@ -393,6 +393,19 @@ func (c *Client) PostOrganizationMember(ctx context.Context, organizationID uuid
 	return member, json.NewDecoder(res.Body).Decode(&member)
 }
 
+// DeleteOrganizationMember removes a user from an organization
+func (c *Client) DeleteOrganizationMember(ctx context.Context, organizationID uuid.UUID, user string) error {
+	res, err := c.Request(ctx, http.MethodDelete, fmt.Sprintf("/api/v2/organizations/%s/members/%s", organizationID, user), nil)
+	if err != nil {
+		return err
+	}
+	defer res.Body.Close()
+	if res.StatusCode != http.StatusOK {
+		return ReadBodyAsError(res)
+	}
+	return nil
+}
+
 // OrganizationMembers lists all members in an organization
 func (c *Client) OrganizationMembers(ctx context.Context, organizationID uuid.UUID) ([]OrganizationMemberWithName, error) {
 	res, err := c.Request(ctx, http.MethodGet, fmt.Sprintf("/api/v2/organizations/%s/members/", organizationID), nil)