whitney-coder
diff --git a/‎coderd/coderd.go
+5 b/‎coderd/coderd.go
+5
diff --git a/‎coderd/database/databasefake/databasefake.go
+16 b/‎coderd/database/databasefake/databasefake.go
+16
diff --git a/‎coderd/database/querier.go
+1 b/‎coderd/database/querier.go
+1
diff --git a/‎coderd/database/queries.sql.go
+39-1 b/‎coderd/database/queries.sql.go
+39-1
diff --git a/‎coderd/database/queries/organizationmembers.sql
+9 b/‎coderd/database/queries/organizationmembers.sql
+9
diff --git a/‎coderd/rbac/builtin.go
+6-19 b/‎coderd/rbac/builtin.go
+6-19
diff --git a/‎coderd/users.go
+74-4 b/‎coderd/users.go
+74-4
diff --git a/‎coderd/users_test.go
+57 b/‎coderd/users_test.go
+57
@@ -153,6 +153,7 @@ func New(options *Options) (http.Handler, func()) {
 				r.Get("/listen", api.provisionerDaemonsListen)
 			})
 		})
+
 		r.Route("/users", func(r chi.Router) {
 			r.Get("/first", api.firstUser)
 			r.Post("/first", api.postFirstUser)
@@ -173,6 +174,10 @@ func New(options *Options) (http.Handler, func()) {
 					r.Use(httpmw.ExtractUserParam(options.Database))
 					r.Get("/", api.userByName)
 					r.Put("/profile", api.putUserProfile)
+					// TODO: @emyrk Might want to move these to a /roles group instead of /user.
+					//		As we include more roles like org roles, it makes less sense to scope these here.
+					r.Put("/roles", api.putUserRoles)
+					r.Get("/roles", api.getUserRoles)
 					r.Get("/organizations", api.organizationsByUser)
 					r.Post("/organizations", api.postOrganizationsByUser)
 					r.Post("/keys", api.postAPIKey)
 
@@ -689,6 +689,21 @@ func (q *fakeQuerier) GetOrganizationMemberByUserID(_ context.Context, arg datab
 	return database.OrganizationMember{}, sql.ErrNoRows
 }
 
+func (q *fakeQuerier) GetOrganizationMembershipsByUserID(ctx context.Context, userID uuid.UUID) ([]database.OrganizationMember, error) {
+	q.mutex.RLock()
+	defer q.mutex.RUnlock()
+
+	var memberships []database.OrganizationMember
+	for _, organizationMember := range q.organizationMembers {
+		mem := organizationMember
+		if mem.UserID != userID {
+			continue
+		}
+		memberships = append(memberships, mem)
+	}
+	return memberships, nil
+}
+
 func (q *fakeQuerier) GetProvisionerDaemons(_ context.Context) ([]database.ProvisionerDaemon, error) {
 	q.mutex.RLock()
 	defer q.mutex.RUnlock()
@@ -1118,6 +1133,7 @@ func (q *fakeQuerier) InsertUser(_ context.Context, arg database.InsertUserParam
 		CreatedAt:      arg.CreatedAt,
 		UpdatedAt:      arg.UpdatedAt,
 		Username:       arg.Username,
+		RbacRoles:      arg.RbacRoles,
 	}
 	q.users = append(q.users, user)
 	return user, nil
 
@@ -20,3 +20,12 @@ INSERT INTO
 	)
 VALUES
 	($1, $2, $3, $4, $5) RETURNING *;
+
+
+-- name: GetOrganizationMembershipsByUserID :many
+SELECT
+	*
+FROM
+	organization_members
+WHERE
+  user_id = $1;
@@ -12,9 +12,8 @@ const (
 	member  string = "member"
 	auditor string = "auditor"
 
-	orgAdmin   string = "organization-admin"
-	orgMember  string = "organization-member"
-	orgManager string = "organization-manager"
+	orgAdmin  string = "organization-admin"
+	orgMember string = "organization-member"
 )
 
 // RoleName is a string that represents a registered rbac role. We want to store
@@ -26,7 +25,7 @@ type RoleName = string
 
 // The functions below ONLY need to exist for roles that are "defaulted" in some way.
 // Any other roles (like auditor), can be listed and let the user select/assigned.
-// Once we have a database implementation, the "default" roles be be defined on the
+// Once we have a database implementation, the "default" roles can be defined on the
 // site and orgs, and these functions can be removed.
 
 func RoleAdmin() RoleName {
@@ -49,10 +48,9 @@ func RoleOrgMember(organizationID uuid.UUID) RoleName {
 var (
 	// builtInRoles are just a hard coded set for now. Ideally we store these in
 	// the database. Right now they are functions because the org id should scope
-	// certain roles. If we store them in the database, we will need to store
-	// them such that the "org" permissions are dynamically changed by the
-	// scopeID passed in. This isn't a hard problem to solve, it's just easier
-	// as a function right now.
+	// certain roles. When we store them in the database, each organization should
+	// create the roles that are assignable in the org. This isn't a hard problem to solve,
+	// it's just easier as a function right now.
 	//
 	// This map will be replaced by database storage defined by this ticket.
 	// https://github.com/coder/coder/issues/1194
@@ -120,17 +118,6 @@ var (
 				},
 			}
 		},
-
-		orgManager: func(organizationID string) Role {
-			return Role{
-				Name: roleName(orgMember, organizationID),
-				Org: map[string][]Permission{
-					organizationID: permissions(map[Object][]Action{
-						ResourceWorkspace: {WildcardSymbol},
-					}),
-				},
-			}
-		},
 	}
 )
 
 
@@ -11,8 +11,6 @@ import (
 	"strconv"
 	"time"
 
-	"github.com/coder/coder/coderd/rbac"
-
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/render"
 	"github.com/google/uuid"
@@ -23,6 +21,7 @@ import (
 	"github.com/coder/coder/coderd/gitsshkey"
 	"github.com/coder/coder/coderd/httpapi"
 	"github.com/coder/coder/coderd/httpmw"
+	"github.com/coder/coder/coderd/rbac"
 	"github.com/coder/coder/coderd/userpassword"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/cryptorand"
@@ -300,6 +299,69 @@ func (api *api) putUserProfile(rw http.ResponseWriter, r *http.Request) {
 	httpapi.Write(rw, http.StatusOK, convertUser(updatedUserProfile))
 }
 
+func (api *api) getUserRoles(rw http.ResponseWriter, r *http.Request) {
+	user := httpmw.UserParam(r)
+
+	resp := codersdk.UserRoles{
+		Roles: user.RbacRoles,
+	}
+
+	memberships, err := api.Database.GetOrganizationMembershipsByUserID(r.Context(), user.ID)
+	if err != nil {
+		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
+			Message: fmt.Sprintf("get user memberships: %s", err),
+		})
+		return
+	}
+
+	for _, mem := range memberships {
+		resp.Roles = append(resp.Roles, mem.Roles...)
+	}
+
+	httpapi.Write(rw, http.StatusOK, resp)
+}
+
+func (api *api) putUserRoles(rw http.ResponseWriter, r *http.Request) {
+	// User is the user to modify
+	// TODO: Until rbac authorize is implemented, only be able to change your
+	//		own roles. This also means you can grant yourself whatever roles you want.
+	user := httpmw.UserParam(r)
+	apiKey := httpmw.APIKey(r)
+	if apiKey.UserID != user.ID {
+		httpapi.Write(rw, http.StatusUnauthorized, httpapi.Response{
+			Message: fmt.Sprintf("modifying other users is not supported at this time"),
+		})
+		return
+	}
+
+	var params codersdk.GrantUserRoles
+	if !httpapi.Read(rw, r, &params) {
+		return
+	}
+
+	for _, r := range params.Roles {
+		if _, err := rbac.RoleByName(r); err != nil {
+			httpapi.Write(rw, http.StatusBadRequest, httpapi.Response{
+				Message: fmt.Sprintf("%q is not a supported role", r),
+			})
+			return
+		}
+	}
+
+	updatedUser, err := api.Database.GrantUserRole(r.Context(), database.GrantUserRoleParams{
+		GrantedRoles: params.Roles,
+		ID:           user.ID,
+	})
+	if err != nil {
+		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
+			Message: fmt.Sprintf("get user: %s", err),
+		})
+		return
+	}
+
+	httpapi.Write(rw, http.StatusOK, convertUser(updatedUser))
+}
+
 // Returns organizations the parameterized user has access to.
 func (api *api) organizationsByUser(rw http.ResponseWriter, r *http.Request) {
 	user := httpmw.UserParam(r)
@@ -396,7 +458,11 @@ func (api *api) postOrganizationsByUser(rw http.ResponseWriter, r *http.Request)
 			UserID:         user.ID,
 			CreatedAt:      database.Now(),
 			UpdatedAt:      database.Now(),
-			Roles:          []string{"organization-admin"},
+			Roles: []string{
+				// Also assign member role incase they get demoted from admin
+				rbac.RoleOrgMember(organization.ID),
+				rbac.RoleOrgAdmin(organization.ID),
+			},
 		})
 		if err != nil {
 			return xerrors.Errorf("create organization member: %w", err)
@@ -889,6 +955,7 @@ func (api *api) createAPIKey(rw http.ResponseWriter, r *http.Request, params dat
 func (api *api) createUser(ctx context.Context, req codersdk.CreateUserRequest) (database.User, uuid.UUID, error) {
 	var user database.User
 	return user, req.OrganizationID, api.Database.InTx(func(db database.Store) error {
+		var orgRoles []string
 		// If no organization is provided, create a new one for the user.
 		if req.OrganizationID == uuid.Nil {
 			organization, err := db.InsertOrganization(ctx, database.InsertOrganizationParams{
@@ -901,7 +968,10 @@ func (api *api) createUser(ctx context.Context, req codersdk.CreateUserRequest)
 				return xerrors.Errorf("create organization: %w", err)
 			}
 			req.OrganizationID = organization.ID
+			orgRoles = append(orgRoles, rbac.RoleOrgAdmin(req.OrganizationID))
 		}
+		// Always also be a member
+		orgRoles = append(orgRoles, rbac.RoleOrgMember(req.OrganizationID))
 
 		params := database.InsertUserParams{
 			ID:        uuid.New(),
@@ -947,7 +1017,7 @@ func (api *api) createUser(ctx context.Context, req codersdk.CreateUserRequest)
 			CreatedAt:      database.Now(),
 			UpdatedAt:      database.Now(),
 			// By default give them membership to the organization
-			Roles: []string{rbac.RoleOrgMember(req.OrganizationID)},
+			Roles: orgRoles,
 		})
 		if err != nil {
 			return xerrors.Errorf("create organization member: %w", err)
 
@@ -7,6 +7,8 @@ import (
 	"sort"
 	"testing"
 
+	"github.com/coder/coder/coderd/rbac"
+
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/require"
 
@@ -286,6 +288,61 @@ func TestUpdateUserProfile(t *testing.T) {
 	})
 }
 
+func TestGrantRoles(t *testing.T) {
+	t.Parallel()
+	t.Run("FirstUserRoles", func(t *testing.T) {
+		t.Parallel()
+		ctx := context.Background()
+		client := coderdtest.New(t, nil)
+		first := coderdtest.CreateFirstUser(t, client)
+
+		roles, err := client.GetUserRoles(ctx, codersdk.Me)
+		require.NoError(t, err)
+		require.ElementsMatch(t, roles.Roles, []string{
+			rbac.RoleAdmin(),
+			rbac.RoleMember(),
+			rbac.RoleOrgMember(first.OrganizationID),
+			rbac.RoleOrgAdmin(first.OrganizationID),
+		}, "should be a member and admin")
+	})
+
+	t.Run("GrantAdmin", func(t *testing.T) {
+		t.Parallel()
+		ctx := context.Background()
+		admin := coderdtest.New(t, nil)
+		first := coderdtest.CreateFirstUser(t, admin)
+
+		member := coderdtest.CreateAnotherUser(t, admin, first.OrganizationID)
+		roles, err := member.GetUserRoles(ctx, codersdk.Me)
+		require.NoError(t, err)
+		require.ElementsMatch(t, roles.Roles, []string{
+			rbac.RoleMember(),
+			rbac.RoleOrgMember(first.OrganizationID),
+		}, "should be a member and admin")
+
+		// Grant
+		// TODO: @emyrk this should be 'admin.GrantUserRoles' once proper authz
+		//		is enforced.
+		_, err = member.GrantUserRoles(ctx, codersdk.Me, codersdk.GrantUserRoles{
+			Roles: []string{
+				rbac.RoleAdmin(),
+				rbac.RoleOrgAdmin(first.OrganizationID),
+			},
+		})
+		require.NoError(t, err, "grant member admin role")
+
+		roles, err = member.GetUserRoles(ctx, codersdk.Me)
+		require.NoError(t, err)
+		require.ElementsMatch(t, roles.Roles, []string{
+			rbac.RoleMember(),
+			rbac.RoleOrgMember(first.OrganizationID),
+
+			rbac.RoleAdmin(),
+			rbac.RoleOrgAdmin(first.OrganizationID),
+		}, "should be a member and admin")
+	})
+}
+
 func TestUserByName(t *testing.T) {
 	t.Parallel()
 	client := coderdtest.New(t, nil)