synced/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2025-07-18 14:17:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore: refactor patch custom organization route to live in enterprise (#14099)

Browse Source 
* chore: refactor patch custom organization route to live in enterprise
This commit is contained in:
Steven Masley
2024-08-05 13:42:11 -05:00
committed by GitHub
parent a77a9ab0a6
commit 173dc0e35f
9 changed files with 220 additions and 113 deletions
Download Patch File Download Diff File Expand all files Collapse all files

97
enterprise/coderd/roles.go
View File

@ -1,7 +1,6 @@
package coderd
import (
"context"
"fmt"
"net/http"
@ -11,86 +10,94 @@ import (
"github.com/coder/coder/v2/coderd/database"
"github.com/coder/coder/v2/coderd/database/db2sdk"
"github.com/coder/coder/v2/coderd/httpapi"
"github.com/coder/coder/v2/coderd/httpmw"
"github.com/coder/coder/v2/coderd/rbac"
"github.com/coder/coder/v2/coderd/rbac/policy"
"github.com/coder/coder/v2/codersdk"
)
type enterpriseCustomRoleHandler struct {
API *API
Enabled bool
}
func (h enterpriseCustomRoleHandler) PatchOrganizationRole(ctx context.Context, rw http.ResponseWriter, r *http.Request, orgID uuid.UUID, role codersdk.PatchRoleRequest) (codersdk.Role, bool) {
if !h.Enabled {
httpapi.Write(ctx, rw, http.StatusForbidden, codersdk.Response{
Message: "Custom roles are not enabled",
})
return codersdk.Role{}, false
}
// patchRole will allow creating a custom organization role
//
// @Summary Upsert a custom organization role
// @ID upsert-a-custom-organization-role
// @Security CoderSessionToken
// @Accept json
// @Produce json
// @Param organization path string true "Organization ID" format(uuid)
// @Param request body codersdk.PatchRoleRequest true "Upsert role request"
// @Tags Members
// @Success 200 {array} codersdk.Role
// @Router /organizations/{organization}/members/roles [patch]
func (api *API) patchOrgRoles(rw http.ResponseWriter, r *http.Request) {
var (
db = h.API.Database
auditor = h.API.AGPL.Auditor.Load()
ctx = r.Context()
db = api.Database
auditor = api.AGPL.Auditor.Load()
organization = httpmw.OrganizationParam(r)
aReq, commitAudit = audit.InitRequest[database.CustomRole](rw, &audit.RequestParams{
Audit: *auditor,
Log: h.API.Logger,
Log: api.Logger,
Request: r,
Action: database.AuditActionWrite,
OrganizationID: orgID,
OrganizationID: organization.ID,
})
)
defer commitAudit()
// This check is not ideal, but we cannot enforce a unique role name in the db against
// the built-in role names.
if rbac.ReservedRoleName(role.Name) {
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
Message: "Reserved role name",
Detail: fmt.Sprintf("%q is a reserved role name, and not allowed to be used", role.Name),
})
return codersdk.Role{}, false
var req codersdk.PatchRoleRequest
if !httpapi.Read(ctx, rw, r, &req) {
return
}
if err := httpapi.NameValid(role.Name); err != nil {
// This check is not ideal, but we cannot enforce a unique role name in the db against
// the built-in role names.
if rbac.ReservedRoleName(req.Name) {
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
Message: "Reserved role name",
Detail: fmt.Sprintf("%q is a reserved role name, and not allowed to be used", req.Name),
})
return
}
if err := httpapi.NameValid(req.Name); err != nil {
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
Message: "Invalid role name",
Detail: err.Error(),
})
return codersdk.Role{}, false
return
}
// Only organization permissions are allowed to be granted
if len(role.SitePermissions) > 0 {
if len(req.SitePermissions) > 0 {
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
Message: "Invalid request, not allowed to assign site wide permissions for an organization role.",
Detail: "organization scoped roles may not contain site wide permissions",
})
return codersdk.Role{}, false
return
}
if len(role.UserPermissions) > 0 {
if len(req.UserPermissions) > 0 {
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
Message: "Invalid request, not allowed to assign user permissions for an organization role.",
Detail: "organization scoped roles may not contain user permissions",
})
return codersdk.Role{}, false
return
}
originalRoles, err := db.CustomRoles(ctx, database.CustomRolesParams{
LookupRoles: []database.NameOrganizationPair{
{
Name: role.Name,
OrganizationID: orgID,
Name: req.Name,
OrganizationID: organization.ID,
},
},
ExcludeOrgRoles: false,
OrganizationID: orgID,
OrganizationID: organization.ID,
})
// If it is a 404 (not found) error, ignore it.
if err != nil && !httpapi.Is404Error(err) {
httpapi.InternalServerError(rw, err)
return codersdk.Role{}, false
return
}
if len(originalRoles) == 1 {
// For auditing changes to a role.
@ -98,30 +105,30 @@ func (h enterpriseCustomRoleHandler) PatchOrganizationRole(ctx context.Context,
}
inserted, err := db.UpsertCustomRole(ctx, database.UpsertCustomRoleParams{
Name: role.Name,
DisplayName: role.DisplayName,
Name: req.Name,
DisplayName: req.DisplayName,
OrganizationID: uuid.NullUUID{
UUID: orgID,
UUID: organization.ID,
Valid: true,
},
SitePermissions: db2sdk.List(role.SitePermissions, sdkPermissionToDB),
OrgPermissions: db2sdk.List(role.OrganizationPermissions, sdkPermissionToDB),
UserPermissions: db2sdk.List(role.UserPermissions, sdkPermissionToDB),
SitePermissions: db2sdk.List(req.SitePermissions, sdkPermissionToDB),
OrgPermissions: db2sdk.List(req.OrganizationPermissions, sdkPermissionToDB),
UserPermissions: db2sdk.List(req.UserPermissions, sdkPermissionToDB),
})
if httpapi.Is404Error(err) {
httpapi.ResourceNotFound(rw)
return codersdk.Role{}, false
return
}
if err != nil {
httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
Message: "Failed to update role permissions",
Detail: err.Error(),
})
return codersdk.Role{}, false
return
}
aReq.New = inserted
return db2sdk.Role(inserted), true
httpapi.Write(ctx, rw, http.StatusOK, db2sdk.Role(inserted))
}
func sdkPermissionToDB(p codersdk.Permission) database.CustomRolePermission {