Skip to content

fix: allow group members to read group information #14200

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 24 commits into from
Aug 13, 2024
Merged

fix: allow group members to read group information #14200

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
24 commits
Select commit Hold shift + click to select a range
2c6d037
- allow group members to read basic Group info
hugodutka Aug 6, 2024
2409072
rename ReducedGroup.member_count to ReducedGroup.total_member_count
hugodutka Aug 6, 2024
5391c15
use the reduced groups for user endpoint on the AccountPage
hugodutka Aug 6, 2024
5fcc218
rename UserWithGroupAndOrgID to GroupMemberRBACHelper
hugodutka Aug 7, 2024
2878c21
add the group_members_expanded db view
hugodutka Aug 9, 2024
3aa2a23
add comment on migration
hugodutka Aug 9, 2024
e428d40
rewrite group member queries to use the group_members_expanded view
hugodutka Aug 9, 2024
13ca3a9
add the RBAC ResourceGroupMember and add it to relevant roles
hugodutka Aug 9, 2024
1027d9f
rewrite GetGroupMembersByGroupID permission checks
hugodutka Aug 9, 2024
0aea7f8
- make the GroupMember type contain all user fields
hugodutka Aug 9, 2024
e5c5f3f
simplify RBAC check on group member count
hugodutka Aug 9, 2024
16e95d0
add the MemberTotalCount field to codersdk.Group
hugodutka Aug 9, 2024
d3b4d7c
remove the reduced groups endpoint, revert frontend to use the groups…
hugodutka Aug 9, 2024
b06f943
revert "simplify RBAC check on group member count" - new query didn't…
hugodutka Aug 9, 2024
4a65874
display `group.total_member_count` instead of `group.members.length` …
hugodutka Aug 9, 2024
1f4dcc7
adjust `total_member_count` on `MockGroup`
hugodutka Aug 9, 2024
f1513e0
fixes after rebase
hugodutka Aug 9, 2024
9ef0e0d
simplify RBAC check on GetGroupMembersCountByGroupID
hugodutka Aug 9, 2024
7627933
fix tests
hugodutka Aug 12, 2024
1080b29
resolve lint error
hugodutka Aug 12, 2024
19486da
update the groupsauth test to work with new group member permissions
hugodutka Aug 12, 2024
5373dd7
fix a mistake in test
hugodutka Aug 12, 2024
08646da
make ErrUserDeleted private
hugodutka Aug 13, 2024
4ec6adb
`dbgen.GroupMember` now fails when a supplied user or group doesn't e…
hugodutka Aug 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
simplify RBAC check on group member count
  • Loading branch information
@hugodutka
hugodutka committed Aug 12, 2024
commit e5c5f3f8a9e03591bb45cd48a10e7d58ae95d1e1
18 changes: 2 additions & 16 deletions coderd/database/dbauthz/dbauthz.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1400,22 +1400,8 @@ func (q *querier) GetGroupMembersByGroupID(ctx context.Context, id uuid.UUID) ([
return fetchWithPostFilter(q.auth, policy.ActionRead, q.db.GetGroupMembersByGroupID)(ctx, id)
}

func (q *querier) GetGroupMembersCountByGroupID(ctx context.Context, groupID uuid.UUID) (int64, error) {
group, err := q.GetGroupByID(ctx, groupID)
if err != nil {
return 0, err
}
memberCount, err := q.db.GetGroupMembersCountByGroupID(ctx, groupID)
if err != nil {
return 0, err
}
if err := q.authorizeContext(ctx, policy.ActionRead, database.GroupMembersCountRBACHelper{
GroupID: groupID,
OrganizationID: group.OrganizationID,
}); err != nil {
return 0, err
}
return memberCount, nil
func (q *querier) GetGroupMembersCountByGroupID(ctx context.Context, groupID uuid.UUID) (database.GetGroupMembersCountByGroupIDRow, error) {
return fetch(q.log, q.auth, q.db.GetGroupMembersCountByGroupID)(ctx, groupID)
}

func (q *querier) GetGroups(ctx context.Context) ([]database.Group, error) {
Expand Down
16 changes: 12 additions & 4 deletions coderd/database/dbmem/dbmem.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2536,12 +2536,20 @@ func (q *FakeQuerier) GetGroupMembersByGroupID(_ context.Context, id uuid.UUID)
return members, nil
}

func (q *FakeQuerier) GetGroupMembersCountByGroupID(ctx context.Context, groupID uuid.UUID) (int64, error) {
users, err := q.GetGroupMembersByGroupID(ctx, groupID)
func (q *FakeQuerier) GetGroupMembersCountByGroupID(ctx context.Context, groupID uuid.UUID) (database.GetGroupMembersCountByGroupIDRow, error) {
members, err := q.GetGroupMembersByGroupID(ctx, groupID)
if err != nil {
return 0, err
return database.GetGroupMembersCountByGroupIDRow{}, err
}
group, err := q.GetGroupByID(ctx, groupID)
if err != nil {
return database.GetGroupMembersCountByGroupIDRow{}, err
}
return int64(len(users)), nil
return database.GetGroupMembersCountByGroupIDRow{
OrganizationID: group.OrganizationID,
GroupID: groupID,
MemberCount: int64(len(members)),
}, nil
}

func (q *FakeQuerier) GetGroups(_ context.Context) ([]database.Group, error) {
Expand Down
2 changes: 1 addition & 1 deletion coderd/database/dbmetrics/dbmetrics.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions coderd/database/dbmock/dbmock.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

27 changes: 10 additions & 17 deletions coderd/database/modelmethods.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -172,34 +172,27 @@ func (v TemplateVersion) RBACObjectNoTemplate() rbac.Object {
return rbac.ResourceTemplate.InOrg(v.OrganizationID)
}

func (g Group) RBACObject() rbac.Object {
return rbac.ResourceGroup.WithID(g.ID).
InOrg(g.OrganizationID).
func groupRBACObject(groupID, organizationID uuid.UUID) rbac.Object {
return rbac.ResourceGroup.WithID(groupID).
InOrg(organizationID).
// Group members can read the group.
WithGroupACL(map[string][]policy.Action{
g.ID.String(): {
groupID.String(): {
policy.ActionRead,
},
})
}

func (gm GroupMember) RBACObject() rbac.Object {
return rbac.ResourceGroupMember.WithID(gm.UserID).InOrg(gm.OrganizationID).WithOwner(gm.UserID.String())
func (g Group) RBACObject() rbac.Object {
return groupRBACObject(g.ID, g.OrganizationID)
}

type GroupMembersCountRBACHelper struct {
GroupID uuid.UUID
OrganizationID uuid.UUID
func (gm GroupMember) RBACObject() rbac.Object {
return rbac.ResourceGroupMember.WithID(gm.UserID).InOrg(gm.OrganizationID).WithOwner(gm.UserID.String())
Comment on lines +186 to +187
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

}

func (r GroupMembersCountRBACHelper) RBACObject() rbac.Object {
return rbac.ResourceGroup.WithID(r.GroupID).InOrg(r.OrganizationID).
// Group members can read the member count.
WithGroupACL(map[string][]policy.Action{
r.GroupID.String(): {
policy.ActionRead,
},
})
func (r GetGroupMembersCountByGroupIDRow) RBACObject() rbac.Object {
return groupRBACObject(r.GroupID, r.OrganizationID)
}

func (w GetWorkspaceByAgentIDRow) RBACObject() rbac.Object {
Expand Down
3 changes: 2 additions & 1 deletion coderd/database/querier.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

28 changes: 22 additions & 6 deletions coderd/database/queries.sql.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

12 changes: 11 additions & 1 deletion coderd/database/queries/groupmembers.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,17 @@ SELECT * FROM group_members_expanded;
SELECT * FROM group_members_expanded WHERE group_id = @group_id;

-- name: GetGroupMembersCountByGroupID :one
SELECT COUNT(*) FROM group_members_expanded WHERE group_id = @group_id;
SELECT
gme.organization_id,
gme.group_id,
COUNT(*) as member_count
FROM
group_members_expanded gme
WHERE
gme.group_id = @group_id
-- This aggregation is guaranteed to return a single row
GROUP BY
gme.organization_id, gme.group_id;

-- InsertUserGroupsByName adds a user to all provided groups, if they exist.
-- name: InsertUserGroupsByName :exec
Expand Down
2 changes: 1 addition & 1 deletion enterprise/coderd/groups.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -453,7 +453,7 @@ func (api *API) reducedGroupsByUserAndOrganization(rw http.ResponseWriter, r *ht
return
}

resp = append(resp, db2sdk.ReducedGroup(group, int(memberCount)))
resp = append(resp, db2sdk.ReducedGroup(group, int(memberCount.MemberCount)))
}

httpapi.Write(ctx, rw, http.StatusOK, resp)
Expand Down