Skip to content

chore: prevent removing members from the default organization #14094

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Aug 5, 2024
Merged

chore: prevent removing members from the default organization #14094

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
d3fb463
chore: prevent removing members from the default organization
Emyrk Aug 1, 2024
15e7ca2
chore: fixup test that it now requires enterprise
Emyrk Aug 1, 2024
b3f6c78
fmt
Emyrk Aug 1, 2024
fb5a6cd
move test to enterprise
Emyrk Aug 2, 2024
419cb44
make fmt
Emyrk Aug 2, 2024
476ed7d
add unit test to verify not deleting org member from default org
Emyrk Aug 5, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
46 changes: 0 additions & 46 deletions cli/organizationmembers_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,49 +34,3 @@ func TestListOrganizationMembers(t *testing.T) {
require.Contains(t, buf.String(), owner.UserID.String())
})
}

func TestRemoveOrganizationMembers(t *testing.T) {
t.Parallel()

t.Run("OK", func(t *testing.T) {
t.Parallel()

ownerClient := coderdtest.New(t, &coderdtest.Options{})
owner := coderdtest.CreateFirstUser(t, ownerClient)
orgAdminClient, _ := coderdtest.CreateAnotherUser(t, ownerClient, owner.OrganizationID, rbac.ScopedRoleOrgAdmin(owner.OrganizationID))
_, user := coderdtest.CreateAnotherUser(t, ownerClient, owner.OrganizationID)

ctx := testutil.Context(t, testutil.WaitMedium)

inv, root := clitest.New(t, "organization", "members", "remove", "-O", owner.OrganizationID.String(), user.Username)
clitest.SetupConfig(t, orgAdminClient, root)

buf := new(bytes.Buffer)
inv.Stdout = buf
err := inv.WithContext(ctx).Run()
require.NoError(t, err)

members, err := orgAdminClient.OrganizationMembers(ctx, owner.OrganizationID)
require.NoError(t, err)

require.Len(t, members, 2)
})

t.Run("UserNotExists", func(t *testing.T) {
t.Parallel()

ownerClient := coderdtest.New(t, &coderdtest.Options{})
owner := coderdtest.CreateFirstUser(t, ownerClient)
orgAdminClient, _ := coderdtest.CreateAnotherUser(t, ownerClient, owner.OrganizationID, rbac.ScopedRoleOrgAdmin(owner.OrganizationID))

ctx := testutil.Context(t, testutil.WaitMedium)

inv, root := clitest.New(t, "organization", "members", "remove", "-O", owner.OrganizationID.String(), "random_name")
clitest.SetupConfig(t, orgAdminClient, root)

buf := new(bytes.Buffer)
inv.Stdout = buf
err := inv.WithContext(ctx).Run()
require.ErrorContains(t, err, "must be an existing uuid or username")
})
}
13 changes: 13 additions & 0 deletions coderd/members.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -106,6 +106,19 @@ func (api *API) deleteOrganizationMember(rw http.ResponseWriter, r *http.Request
aReq.Old = member.OrganizationMember.Auditable(member.Username)
defer commitAudit()

if organization.IsDefault {
// Multi-organizations is currently an experiment, which means it is feasible
// for a deployment to enable, then disable this. To maintain backwards
// compatibility, this safety is necessary.
// TODO: Remove this check when multi-organizations is fully supported.
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ideally I'd like to have a test confirm this path behavior

Message: "Removing members from the default organization is not supported.",
Detail: "Multi-organizations is currently an experiment, and until it is fully supported, the default org should be protected.",
Validations: nil,
})
return
}

if member.UserID == apiKey.UserID {
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{Message: "cannot remove self from an organization"})
return
Expand Down
43 changes: 15 additions & 28 deletions coderd/members_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,54 +30,41 @@ func TestAddMember(t *testing.T) {
})
}

func TestListMembers(t *testing.T) {
func TestDeleteMember(t *testing.T) {
t.Parallel()

t.Run("OK", func(t *testing.T) {
t.Run("NotAllowed", func(t *testing.T) {
t.Parallel()
owner := coderdtest.New(t, nil)
first := coderdtest.CreateFirstUser(t, owner)
_, user := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID)

client, user := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID, rbac.ScopedRoleOrgAdmin(first.OrganizationID))

ctx := testutil.Context(t, testutil.WaitShort)
members, err := client.OrganizationMembers(ctx, first.OrganizationID)
require.NoError(t, err)
require.Len(t, members, 2)
require.ElementsMatch(t,
[]uuid.UUID{first.UserID, user.ID},
db2sdk.List(members, onlyIDs))
ctx := testutil.Context(t, testutil.WaitMedium)
// Deleting members from the default org is not allowed.
// If this behavior changes, and we allow deleting members from the default org,
// this test should be updated to check there is no error.
// nolint:gocritic // must be an owner to see the user
err := owner.DeleteOrganizationMember(ctx, first.OrganizationID, user.Username)
require.ErrorContains(t, err, "Multi-organizations is currently an experiment")
})
}

func TestRemoveMember(t *testing.T) {
func TestListMembers(t *testing.T) {
t.Parallel()

t.Run("OK", func(t *testing.T) {
t.Parallel()
owner := coderdtest.New(t, nil)
first := coderdtest.CreateFirstUser(t, owner)
orgAdminClient, orgAdmin := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID, rbac.ScopedRoleOrgAdmin(first.OrganizationID))
_, user := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID)

ctx := testutil.Context(t, testutil.WaitMedium)
// Verify the org of 3 members
members, err := orgAdminClient.OrganizationMembers(ctx, first.OrganizationID)
require.NoError(t, err)
require.Len(t, members, 3)
require.ElementsMatch(t,
[]uuid.UUID{first.UserID, user.ID, orgAdmin.ID},
db2sdk.List(members, onlyIDs))

// Delete a member
err = orgAdminClient.DeleteOrganizationMember(ctx, first.OrganizationID, user.Username)
require.NoError(t, err)
client, user := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID, rbac.ScopedRoleOrgAdmin(first.OrganizationID))

members, err = orgAdminClient.OrganizationMembers(ctx, first.OrganizationID)
ctx := testutil.Context(t, testutil.WaitShort)
members, err := client.OrganizationMembers(ctx, first.OrganizationID)
require.NoError(t, err)
require.Len(t, members, 2)
require.ElementsMatch(t,
[]uuid.UUID{first.UserID, orgAdmin.ID},
[]uuid.UUID{first.UserID, user.ID},
db2sdk.List(members, onlyIDs))
})
}
Expand Down
58 changes: 58 additions & 0 deletions enterprise/cli/organizationmembers_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,64 @@ import (
"github.com/coder/coder/v2/testutil"
)

func TestRemoveOrganizationMembers(t *testing.T) {
t.Parallel()

t.Run("OK", func(t *testing.T) {
t.Parallel()
dv := coderdtest.DeploymentValues(t)
dv.Experiments = []string{string(codersdk.ExperimentMultiOrganization)}

ownerClient, _ := coderdenttest.New(t, &coderdenttest.Options{
Options: &coderdtest.Options{
DeploymentValues: dv,
},
LicenseOptions: &coderdenttest.LicenseOptions{
Features: license.Features{
codersdk.FeatureMultipleOrganizations: 1,
},
},
})

secondOrganization := coderdenttest.CreateOrganization(t, ownerClient, coderdenttest.CreateOrganizationOptions{})
orgAdminClient, _ := coderdtest.CreateAnotherUser(t, ownerClient, secondOrganization.ID, rbac.ScopedRoleOrgAdmin(secondOrganization.ID))
_, user := coderdtest.CreateAnotherUser(t, ownerClient, secondOrganization.ID)

ctx := testutil.Context(t, testutil.WaitMedium)

inv, root := clitest.New(t, "organization", "members", "remove", "-O", secondOrganization.ID.String(), user.Username)
clitest.SetupConfig(t, orgAdminClient, root)

buf := new(bytes.Buffer)
inv.Stdout = buf
err := inv.WithContext(ctx).Run()
require.NoError(t, err)

members, err := orgAdminClient.OrganizationMembers(ctx, secondOrganization.ID)
require.NoError(t, err)

require.Len(t, members, 2)
})

t.Run("UserNotExists", func(t *testing.T) {
t.Parallel()

ownerClient := coderdtest.New(t, &coderdtest.Options{})
owner := coderdtest.CreateFirstUser(t, ownerClient)
orgAdminClient, _ := coderdtest.CreateAnotherUser(t, ownerClient, owner.OrganizationID, rbac.ScopedRoleOrgAdmin(owner.OrganizationID))

ctx := testutil.Context(t, testutil.WaitMedium)

inv, root := clitest.New(t, "organization", "members", "remove", "-O", owner.OrganizationID.String(), "random_name")
clitest.SetupConfig(t, orgAdminClient, root)

buf := new(bytes.Buffer)
inv.Stdout = buf
err := inv.WithContext(ctx).Run()
require.ErrorContains(t, err, "must be an existing uuid or username")
})
}

func TestEnterpriseListOrganizationMembers(t *testing.T) {
t.Parallel()

Expand Down
41 changes: 41 additions & 0 deletions enterprise/members_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,47 @@ import (
func TestEnterpriseMembers(t *testing.T) {
t.Parallel()

t.Run("Remove", func(t *testing.T) {
t.Parallel()
dv := coderdtest.DeploymentValues(t)
dv.Experiments = []string{string(codersdk.ExperimentMultiOrganization)}
owner, first := coderdenttest.New(t, &coderdenttest.Options{
Options: &coderdtest.Options{
DeploymentValues: dv,
},
LicenseOptions: &coderdenttest.LicenseOptions{
Features: license.Features{
codersdk.FeatureMultipleOrganizations: 1,
},
},
})

secondOrg := coderdenttest.CreateOrganization(t, owner, coderdenttest.CreateOrganizationOptions{})

orgAdminClient, orgAdmin := coderdtest.CreateAnotherUser(t, owner, secondOrg.ID, rbac.ScopedRoleOrgAdmin(secondOrg.ID))
_, user := coderdtest.CreateAnotherUser(t, owner, secondOrg.ID)

ctx := testutil.Context(t, testutil.WaitMedium)
// Verify the org of 3 members
members, err := orgAdminClient.OrganizationMembers(ctx, secondOrg.ID)
require.NoError(t, err)
require.Len(t, members, 3)
require.ElementsMatch(t,
[]uuid.UUID{first.UserID, user.ID, orgAdmin.ID},
db2sdk.List(members, onlyIDs))

// Delete a member
err = orgAdminClient.DeleteOrganizationMember(ctx, secondOrg.ID, user.Username)
require.NoError(t, err)

members, err = orgAdminClient.OrganizationMembers(ctx, secondOrg.ID)
require.NoError(t, err)
require.Len(t, members, 2)
require.ElementsMatch(t,
[]uuid.UUID{first.UserID, orgAdmin.ID},
db2sdk.List(members, onlyIDs))
})

t.Run("PostUser", func(t *testing.T) {
t.Parallel()

Expand Down
Loading