coder · Emyrk · Apr 25, 2022 · Apr 27, 2022 · Apr 27, 2022 · Apr 27, 2022
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -153,6 +153,7 @@ func New(options *Options) (http.Handler, func()) {
 				r.Get("/listen", api.provisionerDaemonsListen)
 			})
 		})
+
 		r.Route("/users", func(r chi.Router) {
 			r.Get("/first", api.firstUser)
 			r.Post("/first", api.postFirstUser)
@@ -173,6 +174,10 @@ func New(options *Options) (http.Handler, func()) {
 					r.Use(httpmw.ExtractUserParam(options.Database))
 					r.Get("/", api.userByName)
 					r.Put("/profile", api.putUserProfile)
+					// TODO: @emyrk Might want to move these to a /roles group instead of /user.
+					//		As we include more roles like org roles, it makes less sense to scope these here.
+					r.Put("/roles", api.putUserRoles)
+					r.Get("/roles", api.getUserRoles)
 					r.Get("/organizations", api.organizationsByUser)
 					r.Post("/organizations", api.postOrganizationsByUser)
 					r.Post("/keys", api.postAPIKey)

diff --git a/coderd/database/databasefake/databasefake.go b/coderd/database/databasefake/databasefake.go
@@ -689,6 +689,21 @@ func (q *fakeQuerier) GetOrganizationMemberByUserID(_ context.Context, arg datab
 	return database.OrganizationMember{}, sql.ErrNoRows
 }
 
+func (q *fakeQuerier) GetOrganizationMembershipsByUserID(ctx context.Context, userID uuid.UUID) ([]database.OrganizationMember, error) {
+	q.mutex.RLock()
+	defer q.mutex.RUnlock()
+
+	var memberships []database.OrganizationMember
+	for _, organizationMember := range q.organizationMembers {
+		mem := organizationMember
+		if mem.UserID != userID {
+			continue
+		}
+		memberships = append(memberships, mem)
+	}
+	return memberships, nil
+}
+
 func (q *fakeQuerier) GetProvisionerDaemons(_ context.Context) ([]database.ProvisionerDaemon, error) {
 	q.mutex.RLock()
 	defer q.mutex.RUnlock()
@@ -1118,11 +1133,42 @@ func (q *fakeQuerier) InsertUser(_ context.Context, arg database.InsertUserParam
 		CreatedAt:      arg.CreatedAt,
 		UpdatedAt:      arg.UpdatedAt,
 		Username:       arg.Username,
+		RbacRoles:      arg.RbacRoles,
 	}
 	q.users = append(q.users, user)
 	return user, nil
 }
 
+func (q *fakeQuerier) GrantUserRole(ctx context.Context, arg database.GrantUserRoleParams) (database.User, error) {
+	q.mutex.Lock()
+	defer q.mutex.Unlock()
+
+	for index, user := range q.users {
+		if user.ID != arg.ID {
+			continue
+		}
+
+		// Append the new roles
+		user.RbacRoles = append(user.RbacRoles, arg.GrantedRoles...)
+		// Remove duplicates and sort
+		uniqueRoles := make([]string, 0, len(user.RbacRoles))
+		exist := make(map[string]struct{})
+		for _, r := range user.RbacRoles {
+			if _, ok := exist[r]; ok {
+				continue
+			}
+			exist[r] = struct{}{}
+			uniqueRoles = append(uniqueRoles, r)
+		}
+		sort.Strings(uniqueRoles)
+		user.RbacRoles = uniqueRoles
+
+		q.users[index] = user
+		return user, nil
+	}
+	return database.User{}, sql.ErrNoRows
+}
+
 func (q *fakeQuerier) UpdateUserProfile(_ context.Context, arg database.UpdateUserProfileParams) (database.User, error) {
 	q.mutex.Lock()
 	defer q.mutex.Unlock()

diff --git a/coderd/database/dump.sql b/coderd/database/dump.sql
diff --git a/coderd/database/migrations/000007_rbac_user_roles.down.sql b/coderd/database/migrations/000007_rbac_user_roles.down.sql
@@ -0,0 +1,2 @@
+ALTER TABLE ONLY workspaces
+	DROP COLUMN IF EXISTS rbac_roles;
diff --git a/coderd/database/migrations/000007_rbac_user_roles.up.sql b/coderd/database/migrations/000007_rbac_user_roles.up.sql
@@ -0,0 +1,18 @@
+ALTER TABLE ONLY users
+	ADD COLUMN IF NOT EXISTS rbac_roles text[] DEFAULT '{}' NOT NULL;
+
+-- All users are site members. So give them the standard role.
+-- Also give them membership to the first org we retrieve. We should only have
+-- 1 organization at this point in the product.
+UPDATE
+    users
+SET
+    rbac_roles = ARRAY ['member', 'organization-member:' || (SELECT id FROM organizations LIMIT 1)];
+
+-- Give the first user created the admin role
+UPDATE
+	users
+SET
+	rbac_roles = rbac_roles || ARRAY ['admin']
+WHERE
+	id = (SELECT id FROM users ORDER BY created_at ASC LIMIT 1)
diff --git a/coderd/database/models.go b/coderd/database/models.go
diff --git a/coderd/database/querier.go b/coderd/database/querier.go
diff --git a/coderd/database/queries.sql.go b/coderd/database/queries.sql.go
diff --git a/coderd/database/queries/organizationmembers.sql b/coderd/database/queries/organizationmembers.sql
@@ -20,3 +20,12 @@ INSERT INTO
 	)
 VALUES
 	($1, $2, $3, $4, $5) RETURNING *;
+
+
+-- name: GetOrganizationMembershipsByUserID :many
+SELECT
+	*
+FROM
+	organization_members
+WHERE
+  user_id = $1;
diff --git a/coderd/database/queries/users.sql b/coderd/database/queries/users.sql
@@ -33,10 +33,11 @@ INSERT INTO
 		username,
 		hashed_password,
 		created_at,
-		updated_at
+		updated_at,
+		rbac_roles
 	)
 VALUES
-	($1, $2, $3, $4, $5, $6) RETURNING *;
+	($1, $2, $3, $4, $5, $6, $7) RETURNING *;
 
 -- name: UpdateUserProfile :one
 UPDATE
@@ -48,6 +49,16 @@ SET
 WHERE
 	id = $1 RETURNING *;
 
+-- name: GrantUserRole :one
+UPDATE
+    users
+SET
+	-- Append new roles and remove duplicates just to keep things clean.
+	rbac_roles = ARRAY(SELECT DISTINCT UNNEST(rbac_roles || @granted_roles :: text[]))
+WHERE
+ 	id = @id
+RETURNING *;
+
 -- name: GetUsers :many
 SELECT
 	*

diff --git a/coderd/rbac/authz.go b/coderd/rbac/authz.go
@@ -38,6 +38,23 @@ type authSubject struct {
 	Roles []Role `json:"roles"`
 }
 
+// AuthorizeByRoleName will expand all roleNames into roles before calling Authorize().
+// This is the function intended to be used outside this package.
+// The role is fetched from the builtin map located in memory.
+func (a RegoAuthorizer) AuthorizeByRoleName(ctx context.Context, subjectID string, roleNames []RoleName, action Action, object Object) error {
+	roles := make([]Role, 0, len(roleNames))
+	for _, n := range roleNames {
+		r, err := RoleByName(n)
+		if err != nil {
+			return xerrors.Errorf("get role permissions: %w", err)
+		}
+		roles = append(roles, r)
+	}
+	return a.Authorize(ctx, subjectID, roles, action, object)
+}
+
+// Authorize allows passing in custom Roles.
+// This is really helpful for unit testing, as we can create custom roles to exercise edge cases.
 func (a RegoAuthorizer) Authorize(ctx context.Context, subjectID string, roles []Role, action Action, object Object) error {
 	input := map[string]interface{}{
 		"subject": authSubject{
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		ALTER TABLE ONLY workspaces
		DROP COLUMN IF EXISTS rbac_roles;