Skip to content

chore: add built in organization roles to match site #13938

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Jul 19, 2024
Merged

chore: add built in organization roles to match site #13938

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
c071985
chore: add built in organization roles to match site
Emyrk Jul 18, 2024
3685b18
fixup some testS
Emyrk Jul 18, 2024
2ab3be7
add unit tests, also give user read perm
Emyrk Jul 19, 2024
a1124d1
update test with permission asserts
Emyrk Jul 19, 2024
4718636
update test with permission asserts
Emyrk Jul 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion coderd/authorize_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -103,7 +103,7 @@ func TestCheckPermissions(t *testing.T) {
Client: orgAdminClient,
UserID: orgAdminUser.ID,
Check: map[string]bool{
readAllUsers: false,
readAllUsers: true,
readMyself: true,
readOwnWorkspaces: true,
readOrgWorkspaces: true,
Expand Down
17 changes: 10 additions & 7 deletions coderd/members_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,20 +33,23 @@ func TestAddMember(t *testing.T) {
// Make a user not in the second organization
_, user := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID)

members, err := owner.OrganizationMembers(ctx, org.ID)
// Use scoped user admin in org to add the user
client, userAdmin := coderdtest.CreateAnotherUser(t, owner, org.ID, rbac.ScopedRoleOrgUserAdmin(org.ID))

members, err := client.OrganizationMembers(ctx, org.ID)
require.NoError(t, err)
require.Len(t, members, 1) // Verify just the 1 member
require.Len(t, members, 2) // Verify the 2 members at the start

// Add user to org
_, err = owner.PostOrganizationMember(ctx, org.ID, user.Username)
_, err = client.PostOrganizationMember(ctx, org.ID, user.Username)
require.NoError(t, err)

members, err = owner.OrganizationMembers(ctx, org.ID)
members, err = client.OrganizationMembers(ctx, org.ID)
require.NoError(t, err)
// Owner + new member
require.Len(t, members, 2)
// Owner + user admin + new member
require.Len(t, members, 3)
require.ElementsMatch(t,
[]uuid.UUID{first.UserID, user.ID},
[]uuid.UUID{first.UserID, user.ID, userAdmin.ID},
db2sdk.List(members, onlyIDs))
})

Expand Down
113 changes: 102 additions & 11 deletions coderd/rbac/roles.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,8 +27,11 @@ const (
customSiteRole string = "custom-site-role"
customOrganizationRole string = "custom-organization-role"

orgAdmin string = "organization-admin"
orgMember string = "organization-member"
orgAdmin string = "organization-admin"
orgMember string = "organization-member"
orgAuditor string = "organization-auditor"
orgUserAdmin string = "organization-user-admin"
orgTemplateAdmin string = "organization-template-admin"
)

func init() {
Expand Down Expand Up @@ -144,18 +147,38 @@ func RoleOrgMember() string {
return orgMember
}

func RoleOrgAuditor() string {
return orgAuditor
}

func RoleOrgUserAdmin() string {
return orgUserAdmin
}

func RoleOrgTemplateAdmin() string {
return orgTemplateAdmin
}

// ScopedRoleOrgAdmin is the org role with the organization ID
// Deprecated This was used before organization scope was included as a
// field in all user facing APIs. Usage of 'ScopedRoleOrgAdmin()' is preferred.
func ScopedRoleOrgAdmin(organizationID uuid.UUID) RoleIdentifier {
return RoleIdentifier{Name: orgAdmin, OrganizationID: organizationID}
return RoleIdentifier{Name: RoleOrgAdmin(), OrganizationID: organizationID}
}

// ScopedRoleOrgMember is the org role with the organization ID
// Deprecated This was used before organization scope was included as a
// field in all user facing APIs. Usage of 'ScopedRoleOrgMember()' is preferred.
func ScopedRoleOrgMember(organizationID uuid.UUID) RoleIdentifier {
return RoleIdentifier{Name: orgMember, OrganizationID: organizationID}
return RoleIdentifier{Name: RoleOrgMember(), OrganizationID: organizationID}
}

func ScopedRoleOrgAuditor(organizationID uuid.UUID) RoleIdentifier {
return RoleIdentifier{Name: RoleOrgAuditor(), OrganizationID: organizationID}
}

func ScopedRoleOrgUserAdmin(organizationID uuid.UUID) RoleIdentifier {
return RoleIdentifier{Name: RoleOrgUserAdmin(), OrganizationID: organizationID}
}

func ScopedRoleOrgTemplateAdmin(organizationID uuid.UUID) RoleIdentifier {
return RoleIdentifier{Name: RoleOrgTemplateAdmin(), OrganizationID: organizationID}
}

func allPermsExcept(excepts ...Objecter) []Permission {
Expand Down Expand Up @@ -365,7 +388,11 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
return Role{
Identifier: RoleIdentifier{Name: orgAdmin, OrganizationID: organizationID},
DisplayName: "Organization Admin",
Site: []Permission{},
Site: Permissions(map[string][]policy.Action{
// To assign organization members, we need to be able to read
// users at the site wide to know they exist.
ResourceUser.Type: {policy.ActionRead},
}),
Comment on lines +391 to +395
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is unfortunate, but to add a user to an org, we need to know that user exists.

Org: map[string][]Permission{
// Org admins should not have workspace exec perms.
organizationID.String(): append(allPermsExcept(ResourceWorkspace, ResourceWorkspaceDormant, ResourceAssignRole), Permissions(map[string][]policy.Action{
Expand All @@ -377,8 +404,7 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
}
},

// orgMember has an empty set of permissions, this just implies their membership
// in an organization.
// orgMember is an implied role to any member in an organization.
orgMember: func(organizationID uuid.UUID) Role {
return Role{
Identifier: RoleIdentifier{Name: orgMember, OrganizationID: organizationID},
Expand Down Expand Up @@ -406,6 +432,59 @@ func ReloadBuiltinRoles(opts *RoleOptions) {
},
}
},
orgAuditor: func(organizationID uuid.UUID) Role {
return Role{
Identifier: RoleIdentifier{Name: orgAuditor, OrganizationID: organizationID},
DisplayName: "Organization Auditor",
Site: []Permission{},
Org: map[string][]Permission{
organizationID.String(): Permissions(map[string][]policy.Action{
ResourceAuditLog.Type: {policy.ActionRead},
}),
},
User: []Permission{},
}
},
orgUserAdmin: func(organizationID uuid.UUID) Role {
// Manages organization members and groups.
return Role{
Identifier: RoleIdentifier{Name: orgUserAdmin, OrganizationID: organizationID},
DisplayName: "Organization User Admin",
Site: Permissions(map[string][]policy.Action{
// To assign organization members, we need to be able to read
// users at the site wide to know they exist.
ResourceUser.Type: {policy.ActionRead},
}),
Comment on lines +453 to +457
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs to be fixed by only needing the org member read permission. But ExtractUser is currently used in organization routes, where an org member should probably be sufficient.

Org: map[string][]Permission{
organizationID.String(): Permissions(map[string][]policy.Action{
// Assign, remove, and read roles in the organization.
ResourceAssignOrgRole.Type: {policy.ActionAssign, policy.ActionDelete, policy.ActionRead},
ResourceOrganizationMember.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete},
ResourceGroup.Type: ResourceGroup.AvailableActions(),
}),
},
User: []Permission{},
}
},
orgTemplateAdmin: func(organizationID uuid.UUID) Role {
// Manages organization members and groups.
return Role{
Identifier: RoleIdentifier{Name: orgTemplateAdmin, OrganizationID: organizationID},
DisplayName: "Organization Template Admin",
Site: []Permission{},
Org: map[string][]Permission{
organizationID.String(): Permissions(map[string][]policy.Action{
ResourceTemplate.Type: {policy.ActionCreate, policy.ActionRead, policy.ActionUpdate, policy.ActionDelete, policy.ActionViewInsights},
ResourceFile.Type: {policy.ActionCreate, policy.ActionRead},
ResourceWorkspace.Type: {policy.ActionRead},
// Assigning template perms requires this permission.
ResourceOrganizationMember.Type: {policy.ActionRead},
ResourceGroup.Type: {policy.ActionRead},
}),
},
User: []Permission{},
}
},
}
}

Expand All @@ -421,6 +500,9 @@ var assignRoles = map[string]map[string]bool{
member: true,
orgAdmin: true,
orgMember: true,
orgAuditor: true,
orgUserAdmin: true,
orgTemplateAdmin: true,
templateAdmin: true,
userAdmin: true,
customSiteRole: true,
Expand All @@ -432,6 +514,9 @@ var assignRoles = map[string]map[string]bool{
member: true,
orgAdmin: true,
orgMember: true,
orgAuditor: true,
orgUserAdmin: true,
orgTemplateAdmin: true,
templateAdmin: true,
userAdmin: true,
customSiteRole: true,
Expand All @@ -444,8 +529,14 @@ var assignRoles = map[string]map[string]bool{
orgAdmin: {
orgAdmin: true,
orgMember: true,
orgAuditor: true,
orgUserAdmin: true,
orgTemplateAdmin: true,
customOrganizationRole: true,
},
orgUserAdmin: {
orgMember: true,
},
}

// ExpandableRoles is any type that can be expanded into a []Role. This is implemented
Expand Down
Loading
Loading