synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-08 11:39:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore: Rename 'admin' to 'owner' (#3498)

Browse Source 
Co-authored-by: Colin Adler <colin1adler@gmail.com>
This commit is contained in:
Steven Masley
2022-08-15 14:40:19 -05:00
committed by GitHub
parent 2306d2c709
commit 01dd35f1ba
16 changed files with 98 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
coderd/database/migrations/000034_remove_admin_role.down.sql Normal file
View File

@ -0,0 +1,22 @@
UPDATE
users
SET
-- Replace 'template-admin' and 'user-admin' role with 'admin'
rbac_roles = array_append(
array_remove(
array_remove(rbac_roles, 'template-admin'),
'user-admin'
), 'admin')
WHERE
-- Only on existing admins. If they have either role, make them an admin
ARRAY ['template-admin', 'user-admin'] && rbac_roles;
UPDATE
users
SET
-- Replace 'owner' with 'admin'
rbac_roles = array_replace(rbac_roles, 'owner', 'admin')
WHERE
-- Only on the owner
'owner' = ANY(rbac_roles);

20
coderd/database/migrations/000034_remove_admin_role.up.sql Normal file
View File

@ -0,0 +1,20 @@
UPDATE
users
SET
-- Replace the role 'admin' with the role 'owner'
rbac_roles = array_replace(rbac_roles, 'admin', 'owner')
WHERE
-- Update the first user with the role 'admin'. This should be the first
-- user ever, but if that user was demoted from an admin, then choose
-- the next best user.
id = (SELECT id FROM users WHERE 'admin' = ANY(rbac_roles) ORDER BY created_at ASC LIMIT 1);
UPDATE
users
SET
-- Replace 'admin' role with 'template-admin' and 'user-admin'
rbac_roles = array_cat(array_remove(rbac_roles, 'admin'), ARRAY ['template-admin', 'user-admin'])
WHERE
-- Only on existing admins
'admin' = ANY(rbac_roles);

2
coderd/httpmw/authorize_test.go
View File

@ -40,7 +40,7 @@ func TestExtractUserRoles(t *testing.T) {
{
Name: "Admin",
AddUser: func(db database.Store) (database.User, []string, string) {
roles := []string{rbac.RoleAdmin()}
roles := []string{rbac.RoleOwner()}
user, token := addUser(t, db, roles...)
return user, append(roles, rbac.RoleMember()), token
},

4
coderd/provisionerjobs_internal_test.go
View File

@ -17,9 +17,9 @@ import (
"cdr.dev/slog"
"cdr.dev/slog/sloggers/slogtest"
"github.com/coder/coder/coderd/database"
"github.com/coder/coder/coderd/database/databasefake"
"github.com/coder/coder/coderd/rbac"
"github.com/coder/coder/codersdk"
"github.com/coder/coder/testutil"
)
@ -77,7 +77,7 @@ func TestProvisionerJobLogs_Unit(t *testing.T) {
require.NoError(t, err)
_, err = fDB.InsertUser(ctx, database.InsertUserParams{
ID: userID,
RBACRoles: []string{"admin"},
RBACRoles: []string{rbac.RoleOwner()},
})
require.NoError(t, err)
_, err = fDB.InsertWorkspaceBuild(ctx, database.InsertWorkspaceBuildParams{

6
coderd/rbac/authz_internal_test.go
View File

@ -87,7 +87,7 @@ func TestFilter(t *testing.T) {
{
Name: "Admin",
SubjectID: userIDs[0].String(),
Roles: []string{RoleOrgMember(orgIDs[0]), "auditor", RoleAdmin(), RoleMember()},
Roles: []string{RoleOrgMember(orgIDs[0]), "auditor", RoleOwner(), RoleMember()},
ObjectType: ResourceWorkspace.Type,
Action: ActionRead,
},
@ -292,7 +292,7 @@ func TestAuthorizeDomain(t *testing.T) {
user = subject{
UserID: "me",
Roles: []Role{
must(RoleByName(RoleAdmin())),
must(RoleByName(RoleOwner())),
must(RoleByName(RoleMember())),
},
}
@ -499,7 +499,7 @@ func TestAuthorizeLevels(t *testing.T) {
user := subject{
UserID: "me",
Roles: []Role{
must(RoleByName(RoleAdmin())),
must(RoleByName(RoleOwner())),
{
Name: "org-deny:" + defOrg.String(),
Org: map[string][]Permission{

16
coderd/rbac/builtin.go
View File

@ -9,7 +9,7 @@ import (
)
const (
admin string = "admin"
owner string = "owner"
member string = "member"
templateAdmin string = "template-admin"
userAdmin string = "user-admin"
@ -24,8 +24,8 @@ const (
// Once we have a database implementation, the "default" roles can be defined on the
// site and orgs, and these functions can be removed.
func RoleAdmin() string {
return roleName(admin, "")
func RoleOwner() string {
return roleName(owner, "")
}
func RoleTemplateAdmin() string {
@ -59,10 +59,10 @@ var (
// https://github.com/coder/coder/issues/1194
builtInRoles = map[string]func(orgID string) Role{
// admin grants all actions to all resources.
admin: func(_ string) Role {
owner: func(_ string) Role {
return Role{
Name: admin,
DisplayName: "Admin",
Name: owner,
DisplayName: "Owner",
Site: permissions(map[Object][]Action{
ResourceWildcard: {WildcardSymbol},
}),
@ -187,8 +187,8 @@ var (
// The first key is the actor role, the second is the roles they can assign.
// map[actor_role][assign_role]<can_assign>
assignRoles = map[string]map[string]bool{
admin: {
admin: true,
owner: {
owner: true,
auditor: true,
member: true,
orgAdmin: true,

2
coderd/rbac/builtin_internal_test.go
View File

@ -16,7 +16,7 @@ func TestRoleByName(t *testing.T) {
testCases := []struct {
Role Role
}{
{Role: builtInRoles[admin]("")},
{Role: builtInRoles[owner]("")},
{Role: builtInRoles[member]("")},
{Role: builtInRoles[templateAdmin]("")},
{Role: builtInRoles[userAdmin]("")},

8
coderd/rbac/builtin_test.go
View File

@ -41,7 +41,7 @@ func BenchmarkRBACFilter(b *testing.B) {
{
Name: "Admin",
// Give some extra roles that an admin might have
Roles: []string{rbac.RoleOrgMember(orgs[0]), "auditor", rbac.RoleAdmin(), rbac.RoleMember()},
Roles: []string{rbac.RoleOrgMember(orgs[0]), "auditor", rbac.RoleOwner(), rbac.RoleMember()},
UserID: users[0],
},
{
@ -119,7 +119,7 @@ func TestRolePermissions(t *testing.T) {
memberMe := authSubject{Name: "member_me", UserID: currentUser.String(), Roles: []string{rbac.RoleMember()}}
orgMemberMe := authSubject{Name: "org_member_me", UserID: currentUser.String(), Roles: []string{rbac.RoleMember(), rbac.RoleOrgMember(orgID)}}
admin := authSubject{Name: "admin", UserID: adminID.String(), Roles: []string{rbac.RoleMember(), rbac.RoleAdmin()}}
admin := authSubject{Name: "admin", UserID: adminID.String(), Roles: []string{rbac.RoleMember(), rbac.RoleOwner()}}
orgAdmin := authSubject{Name: "org_admin", UserID: adminID.String(), Roles: []string{rbac.RoleMember(), rbac.RoleOrgMember(orgID), rbac.RoleOrgAdmin(orgID)}}
otherOrgMember := authSubject{Name: "org_member_other", UserID: uuid.NewString(), Roles: []string{rbac.RoleMember(), rbac.RoleOrgMember(otherOrg)}}
@ -358,7 +358,7 @@ func TestIsOrgRole(t *testing.T) {
OrgID string
}{
// Not org roles
{RoleName: rbac.RoleAdmin()},
{RoleName: rbac.RoleOwner()},
{RoleName: rbac.RoleMember()},
{RoleName: "auditor"},
@ -413,7 +413,7 @@ func TestListRoles(t *testing.T) {
// Always use constant strings, as if the names change, we need to write
// a SQL migration to change the name on the backend.
require.ElementsMatch(t, []string{
"admin",
"owner",
"member",
"auditor",
"template-admin",

2
coderd/roles_test.go
View File

@ -120,7 +120,7 @@ func TestListRoles(t *testing.T) {
require.NoError(t, err, "create org")
const forbidden = "Forbidden"
siteRoles := convertRoles(rbac.RoleAdmin(), "auditor", "template-admin", "user-admin")
siteRoles := convertRoles(rbac.RoleOwner(), "auditor", "template-admin", "user-admin")
orgRoles := convertRoles(rbac.RoleOrgAdmin(admin.OrganizationID))
testCases := []struct {

4
coderd/templates_test.go
View File

@ -38,8 +38,8 @@ func TestTemplate(t *testing.T) {
t.Parallel()
client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
user := coderdtest.CreateFirstUser(t, client)
member := coderdtest.CreateAnotherUser(t, client, user.OrganizationID, rbac.RoleAdmin())
memberWithDeleted := coderdtest.CreateAnotherUser(t, client, user.OrganizationID, rbac.RoleAdmin())
member := coderdtest.CreateAnotherUser(t, client, user.OrganizationID, rbac.RoleOwner())
memberWithDeleted := coderdtest.CreateAnotherUser(t, client, user.OrganizationID, rbac.RoleOwner())
version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
coderdtest.AwaitTemplateVersionJob(t, client, version.ID)

2
coderd/users.go
View File

@ -102,7 +102,7 @@ func (api *API) postFirstUser(rw http.ResponseWriter, r *http.Request) {
// and add some rbac bypass when calling api functions this way??
// Add the admin role to this first user.
_, err = api.Database.UpdateUserRoles(r.Context(), database.UpdateUserRolesParams{
GrantedRoles: []string{rbac.RoleAdmin()},
GrantedRoles: []string{rbac.RoleOwner()},
ID: user.ID,
})
if err != nil {

8
coderd/users_internal_test.go
View File

@ -53,11 +53,11 @@ func TestSearchUsers(t *testing.T) {
},
{
Name: "OnlyParams",
Query: "status:acTIve sEArch:User-Name role:Admin",
Query: "status:acTIve sEArch:User-Name role:Owner",
Expected: database.GetUsersParams{
Search: "user-name",
Status: []database.UserStatus{database.UserStatusActive},
RbacRole: []string{rbac.RoleAdmin()},
RbacRole: []string{rbac.RoleOwner()},
},
},
{
@ -71,11 +71,11 @@ func TestSearchUsers(t *testing.T) {
},
{
Name: "QuotedKey",
Query: `"status":acTIve "sEArch":User-Name "role":Admin`,
Query: `"status":acTIve "sEArch":User-Name "role":Owner`,
Expected: database.GetUsersParams{
Search: "user-name",
Status: []database.UserStatus{database.UserStatusActive},
RbacRole: []string{rbac.RoleAdmin()},
RbacRole: []string{rbac.RoleOwner()},
},
},
{

26
coderd/users_test.go
View File

@ -279,7 +279,7 @@ func TestPostUsers(t *testing.T) {
client := coderdtest.New(t, nil)
first := coderdtest.CreateFirstUser(t, client)
notInOrg := coderdtest.CreateAnotherUser(t, client, first.OrganizationID)
other := coderdtest.CreateAnotherUser(t, client, first.OrganizationID, rbac.RoleAdmin(), rbac.RoleMember())
other := coderdtest.CreateAnotherUser(t, client, first.OrganizationID, rbac.RoleOwner(), rbac.RoleMember())
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
defer cancel()
@ -513,7 +513,7 @@ func TestGrantSiteRoles(t *testing.T) {
Name: "UserNotExists",
Client: admin,
AssignToUser: uuid.NewString(),
Roles: []string{rbac.RoleAdmin()},
Roles: []string{rbac.RoleOwner()},
Error: true,
StatusCode: http.StatusBadRequest,
},
@ -539,7 +539,7 @@ func TestGrantSiteRoles(t *testing.T) {
Client: admin,
OrgID: first.OrganizationID,
AssignToUser: codersdk.Me,
Roles: []string{rbac.RoleAdmin()},
Roles: []string{rbac.RoleOwner()},
Error: true,
StatusCode: http.StatusBadRequest,
},
@ -629,7 +629,7 @@ func TestInitialRoles(t *testing.T) {
roles, err := client.GetUserRoles(ctx, codersdk.Me)
require.NoError(t, err)
require.ElementsMatch(t, roles.Roles, []string{
rbac.RoleAdmin(),
rbac.RoleOwner(),
}, "should be a member and admin")
require.ElementsMatch(t, roles.OrganizationRoles[first.OrganizationID], []string{
@ -744,7 +744,7 @@ func TestUsersFilter(t *testing.T) {
for i := 0; i < 15; i++ {
roles := []string{}
if i%2 == 0 {
roles = append(roles, rbac.RoleAdmin())
roles = append(roles, rbac.RoleOwner())
}
if i%3 == 0 {
roles = append(roles, "auditor")
@ -823,12 +823,12 @@ func TestUsersFilter(t *testing.T) {
{
Name: "Admins",
Filter: codersdk.UsersRequest{
Role: rbac.RoleAdmin(),
Role: rbac.RoleOwner(),
Status: codersdk.UserStatusSuspended + "," + codersdk.UserStatusActive,
},
FilterF: func(_ codersdk.UsersRequest, u codersdk.User) bool {
for _, r := range u.Roles {
if r.Name == rbac.RoleAdmin() {
if r.Name == rbac.RoleOwner() {
return true
}
}
@ -838,12 +838,12 @@ func TestUsersFilter(t *testing.T) {
{
Name: "AdminsUppercase",
Filter: codersdk.UsersRequest{
Role: "ADMIN",
Role: "OWNER",
Status: codersdk.UserStatusSuspended + "," + codersdk.UserStatusActive,
},
FilterF: func(_ codersdk.UsersRequest, u codersdk.User) bool {
for _, r := range u.Roles {
if r.Name == rbac.RoleAdmin() {
if r.Name == rbac.RoleOwner() {
return true
}
}
@ -863,11 +863,11 @@ func TestUsersFilter(t *testing.T) {
{
Name: "SearchQuery",
Filter: codersdk.UsersRequest{
SearchQuery: "i role:admin status:active",
SearchQuery: "i role:owner status:active",
},
FilterF: func(_ codersdk.UsersRequest, u codersdk.User) bool {
for _, r := range u.Roles {
if r.Name == rbac.RoleAdmin() {
if r.Name == rbac.RoleOwner() {
return (strings.ContainsAny(u.Username, "iI") || strings.ContainsAny(u.Email, "iI")) &&
u.Status == codersdk.UserStatusActive
}
@ -878,11 +878,11 @@ func TestUsersFilter(t *testing.T) {
{
Name: "SearchQueryInsensitive",
Filter: codersdk.UsersRequest{
SearchQuery: "i Role:Admin STATUS:Active",
SearchQuery: "i Role:Owner STATUS:Active",
},
FilterF: func(_ codersdk.UsersRequest, u codersdk.User) bool {
for _, r := range u.Roles {
if r.Name == rbac.RoleAdmin() {
if r.Name == rbac.RoleOwner() {
return (strings.ContainsAny(u.Username, "iI") || strings.ContainsAny(u.Email, "iI")) &&
u.Status == codersdk.UserStatusActive
}

6
coderd/workspaces_test.go
View File

@ -102,7 +102,7 @@ func TestAdminViewAllWorkspaces(t *testing.T) {
// This other user is not in the first user's org. Since other is an admin, they can
// still see the "first" user's workspace.
other := coderdtest.CreateAnotherUser(t, client, otherOrg.ID, rbac.RoleAdmin())
other := coderdtest.CreateAnotherUser(t, client, otherOrg.ID, rbac.RoleOwner())
otherWorkspaces, err := other.Workspaces(ctx, codersdk.WorkspaceFilter{})
require.NoError(t, err, "(other) fetch workspaces")
@ -137,7 +137,7 @@ func TestPostWorkspacesByOrganization(t *testing.T) {
client := coderdtest.New(t, nil)
first := coderdtest.CreateFirstUser(t, client)
other := coderdtest.CreateAnotherUser(t, client, first.OrganizationID, rbac.RoleMember(), rbac.RoleAdmin())
other := coderdtest.CreateAnotherUser(t, client, first.OrganizationID, rbac.RoleMember(), rbac.RoleOwner())
ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
defer cancel()
@ -406,7 +406,7 @@ func TestWorkspaceFilter(t *testing.T) {
users := make([]coderUser, 0)
for i := 0; i < 10; i++ {
userClient := coderdtest.CreateAnotherUser(t, client, first.OrganizationID, rbac.RoleAdmin())
userClient := coderdtest.CreateAnotherUser(t, client, first.OrganizationID, rbac.RoleOwner())
user, err := userClient.User(ctx, codersdk.Me)
require.NoError(t, err, "fetch me")