feat: Add user roles, but do not yet enforce them (#1200)

* chore: Rework roles to be expandable by name alone
2025-07-15 22:20:27 +00:00 · 2022-04-29 09:04:19 -05:00
parent ba4c3ce3b9
commit 35211e2190
26 changed files with 1150 additions and 232 deletions
--- a/coderd/database/databasefake/databasefake.go
+++ b/coderd/database/databasefake/databasefake.go
@ -743,6 +743,43 @@ func (q *fakeQuerier) GetOrganizationIDsByMemberIDs(_ context.Context, ids []uui
 	return getOrganizationIDsByMemberIDRows, nil
 }

+func (q *fakeQuerier) GetOrganizationMembershipsByUserID(_ context.Context, userID uuid.UUID) ([]database.OrganizationMember, error) {
+	q.mutex.RLock()
+	defer q.mutex.RUnlock()
+
+	var memberships []database.OrganizationMember
+	for _, organizationMember := range q.organizationMembers {
+		mem := organizationMember
+		if mem.UserID != userID {
+			continue
+		}
+		memberships = append(memberships, mem)
+	}
+	return memberships, nil
+}
+
+func (q *fakeQuerier) UpdateMemberRoles(_ context.Context, arg database.UpdateMemberRolesParams) (database.OrganizationMember, error) {
+	for i, mem := range q.organizationMembers {
+		if mem.UserID == arg.UserID && mem.OrganizationID == arg.OrgID {
+			uniqueRoles := make([]string, 0, len(arg.GrantedRoles))
+			exist := make(map[string]struct{})
+			for _, r := range arg.GrantedRoles {
+				if _, ok := exist[r]; ok {
+					continue
+				}
+				exist[r] = struct{}{}
+				uniqueRoles = append(uniqueRoles, r)
+			}
+			sort.Strings(uniqueRoles)
+
+			mem.Roles = uniqueRoles
+			q.organizationMembers[i] = mem
+			return mem, nil
+		}
+	}
+	return database.OrganizationMember{}, sql.ErrNoRows
+}
+
 func (q *fakeQuerier) GetProvisionerDaemons(_ context.Context) ([]database.ProvisionerDaemon, error) {
 	q.mutex.RLock()
 	defer q.mutex.RUnlock()
@ -1173,11 +1210,42 @@ func (q *fakeQuerier) InsertUser(_ context.Context, arg database.InsertUserParam
 		UpdatedAt:      arg.UpdatedAt,
 		Username:       arg.Username,
 		Status:         database.UserStatusActive,
+		RBACRoles:      arg.RBACRoles,
 	}
 	q.users = append(q.users, user)
 	return user, nil
 }

+func (q *fakeQuerier) UpdateUserRoles(_ context.Context, arg database.UpdateUserRolesParams) (database.User, error) {
+	q.mutex.Lock()
+	defer q.mutex.Unlock()
+
+	for index, user := range q.users {
+		if user.ID != arg.ID {
+			continue
+		}
+
+		// Set new roles
+		user.RBACRoles = arg.GrantedRoles
+		// Remove duplicates and sort
+		uniqueRoles := make([]string, 0, len(user.RBACRoles))
+		exist := make(map[string]struct{})
+		for _, r := range user.RBACRoles {
+			if _, ok := exist[r]; ok {
+				continue
+			}
+			exist[r] = struct{}{}
+			uniqueRoles = append(uniqueRoles, r)
+		}
+		sort.Strings(uniqueRoles)
+		user.RBACRoles = uniqueRoles
+
+		q.users[index] = user
+		return user, nil
+	}
+	return database.User{}, sql.ErrNoRows
+}
+
 func (q *fakeQuerier) UpdateUserProfile(_ context.Context, arg database.UpdateUserProfileParams) (database.User, error) {
 	q.mutex.Lock()
 	defer q.mutex.Unlock()
--- a/coderd/database/dump.sql
+++ b/coderd/database/dump.sql
@ -227,7 +227,8 @@ CREATE TABLE users (
    hashed_password bytea NOT NULL,
    created_at timestamp with time zone NOT NULL,
    updated_at timestamp with time zone NOT NULL,
-    status user_status DEFAULT 'active'::public.user_status NOT NULL
+    status user_status DEFAULT 'active'::public.user_status NOT NULL,
+    rbac_roles text[] DEFAULT '{}'::text[] NOT NULL
 );

 CREATE TABLE workspace_agents (
--- a/coderd/database/migrations/000008_rbac_roles.down.sql
+++ b/coderd/database/migrations/000008_rbac_roles.down.sql
@ -0,0 +1,2 @@
+ALTER TABLE ONLY users
+	DROP COLUMN IF EXISTS rbac_roles;
--- a/coderd/database/migrations/000008_rbac_roles.up.sql
+++ b/coderd/database/migrations/000008_rbac_roles.up.sql
@ -0,0 +1,18 @@
+ALTER TABLE ONLY users
+	ADD COLUMN IF NOT EXISTS rbac_roles text[] DEFAULT '{}' NOT NULL;
+
+-- All users are site members. So give them the standard role.
+-- Also give them membership to the first org we retrieve. We should only have
+-- 1 organization at this point in the product.
+UPDATE
+    users
+SET
+    rbac_roles = ARRAY ['member', 'organization-member:' || (SELECT id FROM organizations LIMIT 1)];
+
+-- Give the first user created the admin role
+UPDATE
+	users
+SET
+	rbac_roles = rbac_roles || ARRAY ['admin']
+WHERE
+	id = (SELECT id FROM users ORDER BY created_at ASC LIMIT 1)
--- a/coderd/database/models.go
+++ b/coderd/database/models.go
@ -398,6 +398,7 @@ type User struct {
 	CreatedAt      time.Time  `db:"created_at" json:"created_at"`
 	UpdatedAt      time.Time  `db:"updated_at" json:"updated_at"`
 	Status         UserStatus `db:"status" json:"status"`
+	RBACRoles      []string   `db:"rbac_roles" json:"rbac_roles"`
 }

 type Workspace struct {
--- a/coderd/database/querier.go
+++ b/coderd/database/querier.go
@ -19,6 +19,7 @@ type querier interface {
 	GetOrganizationByName(ctx context.Context, name string) (Organization, error)
 	GetOrganizationIDsByMemberIDs(ctx context.Context, ids []uuid.UUID) ([]GetOrganizationIDsByMemberIDsRow, error)
 	GetOrganizationMemberByUserID(ctx context.Context, arg GetOrganizationMemberByUserIDParams) (OrganizationMember, error)
+	GetOrganizationMembershipsByUserID(ctx context.Context, userID uuid.UUID) ([]OrganizationMember, error)
 	GetOrganizations(ctx context.Context) ([]Organization, error)
 	GetOrganizationsByUserID(ctx context.Context, userID uuid.UUID) ([]Organization, error)
 	GetParameterSchemasByJobID(ctx context.Context, jobID uuid.UUID) ([]ParameterSchema, error)
@ -78,6 +79,7 @@ type querier interface {
 	InsertWorkspaceResource(ctx context.Context, arg InsertWorkspaceResourceParams) (WorkspaceResource, error)
 	UpdateAPIKeyByID(ctx context.Context, arg UpdateAPIKeyByIDParams) error
 	UpdateGitSSHKey(ctx context.Context, arg UpdateGitSSHKeyParams) error
+	UpdateMemberRoles(ctx context.Context, arg UpdateMemberRolesParams) (OrganizationMember, error)
 	UpdateProvisionerDaemonByID(ctx context.Context, arg UpdateProvisionerDaemonByIDParams) error
 	UpdateProvisionerJobByID(ctx context.Context, arg UpdateProvisionerJobByIDParams) error
 	UpdateProvisionerJobWithCancelByID(ctx context.Context, arg UpdateProvisionerJobWithCancelByIDParams) error
@ -86,6 +88,7 @@ type querier interface {
 	UpdateTemplateDeletedByID(ctx context.Context, arg UpdateTemplateDeletedByIDParams) error
 	UpdateTemplateVersionByID(ctx context.Context, arg UpdateTemplateVersionByIDParams) error
 	UpdateUserProfile(ctx context.Context, arg UpdateUserProfileParams) (User, error)
+	UpdateUserRoles(ctx context.Context, arg UpdateUserRolesParams) (User, error)
 	UpdateUserStatus(ctx context.Context, arg UpdateUserStatusParams) (User, error)
 	UpdateWorkspaceAgentConnectionByID(ctx context.Context, arg UpdateWorkspaceAgentConnectionByIDParams) error
 	UpdateWorkspaceAutostart(ctx context.Context, arg UpdateWorkspaceAutostartParams) error
--- a/coderd/database/queries.sql.go
+++ b/coderd/database/queries.sql.go
@ -375,6 +375,44 @@ func (q *sqlQuerier) GetOrganizationMemberByUserID(ctx context.Context, arg GetO
 	return i, err
 }

+const getOrganizationMembershipsByUserID = `-- name: GetOrganizationMembershipsByUserID :many
+SELECT
+	user_id, organization_id, created_at, updated_at, roles
+FROM
+	organization_members
+WHERE
+  user_id = $1
+`
+
+func (q *sqlQuerier) GetOrganizationMembershipsByUserID(ctx context.Context, userID uuid.UUID) ([]OrganizationMember, error) {
+	rows, err := q.db.QueryContext(ctx, getOrganizationMembershipsByUserID, userID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []OrganizationMember
+	for rows.Next() {
+		var i OrganizationMember
+		if err := rows.Scan(
+			&i.UserID,
+			&i.OrganizationID,
+			&i.CreatedAt,
+			&i.UpdatedAt,
+			pq.Array(&i.Roles),
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Close(); err != nil {
+		return nil, err
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
 const insertOrganizationMember = `-- name: InsertOrganizationMember :one
 INSERT INTO
 	organization_members (
@ -415,6 +453,37 @@ func (q *sqlQuerier) InsertOrganizationMember(ctx context.Context, arg InsertOrg
 	return i, err
 }

+const updateMemberRoles = `-- name: UpdateMemberRoles :one
+UPDATE
+	organization_members
+SET
+	-- Remove all duplicates from the roles.
+	roles = ARRAY(SELECT DISTINCT UNNEST($1 :: text[]))
+WHERE
+		user_id = $2
+		AND organization_id = $3
+RETURNING user_id, organization_id, created_at, updated_at, roles
+`
+
+type UpdateMemberRolesParams struct {
+	GrantedRoles []string  `db:"granted_roles" json:"granted_roles"`
+	UserID       uuid.UUID `db:"user_id" json:"user_id"`
+	OrgID        uuid.UUID `db:"org_id" json:"org_id"`
+}
+
+func (q *sqlQuerier) UpdateMemberRoles(ctx context.Context, arg UpdateMemberRolesParams) (OrganizationMember, error) {
+	row := q.db.QueryRowContext(ctx, updateMemberRoles, pq.Array(arg.GrantedRoles), arg.UserID, arg.OrgID)
+	var i OrganizationMember
+	err := row.Scan(
+		&i.UserID,
+		&i.OrganizationID,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+		pq.Array(&i.Roles),
+	)
+	return i, err
+}
+
 const getOrganizationByID = `-- name: GetOrganizationByID :one
 SELECT
 	id, name, description, created_at, updated_at
@ -1821,7 +1890,7 @@ func (q *sqlQuerier) UpdateTemplateVersionByID(ctx context.Context, arg UpdateTe

 const getUserByEmailOrUsername = `-- name: GetUserByEmailOrUsername :one
 SELECT
-	id, email, username, hashed_password, created_at, updated_at, status
+	id, email, username, hashed_password, created_at, updated_at, status, rbac_roles
 FROM
 	users
 WHERE
@ -1847,13 +1916,14 @@ func (q *sqlQuerier) GetUserByEmailOrUsername(ctx context.Context, arg GetUserBy
 		&i.CreatedAt,
 		&i.UpdatedAt,
 		&i.Status,
+		pq.Array(&i.RBACRoles),
 	)
 	return i, err
 }

 const getUserByID = `-- name: GetUserByID :one
 SELECT
-	id, email, username, hashed_password, created_at, updated_at, status
+	id, email, username, hashed_password, created_at, updated_at, status, rbac_roles
 FROM
 	users
 WHERE
@ -1873,6 +1943,7 @@ func (q *sqlQuerier) GetUserByID(ctx context.Context, id uuid.UUID) (User, error
 		&i.CreatedAt,
 		&i.UpdatedAt,
 		&i.Status,
+		pq.Array(&i.RBACRoles),
 	)
 	return i, err
 }
@ -1893,7 +1964,7 @@ func (q *sqlQuerier) GetUserCount(ctx context.Context) (int64, error) {

 const getUsers = `-- name: GetUsers :many
 SELECT
-	id, email, username, hashed_password, created_at, updated_at, status
+	id, email, username, hashed_password, created_at, updated_at, status, rbac_roles
 FROM
 	users
 WHERE
@ -1978,6 +2049,7 @@ func (q *sqlQuerier) GetUsers(ctx context.Context, arg GetUsersParams) ([]User,
 			&i.CreatedAt,
 			&i.UpdatedAt,
 			&i.Status,
+			pq.Array(&i.RBACRoles),
 		); err != nil {
 			return nil, err
 		}
@ -2000,10 +2072,11 @@ INSERT INTO
 		username,
 		hashed_password,
 		created_at,
-		updated_at
+		updated_at,
+		rbac_roles
 	)
 VALUES
-	($1, $2, $3, $4, $5, $6) RETURNING id, email, username, hashed_password, created_at, updated_at, status
+	($1, $2, $3, $4, $5, $6, $7) RETURNING id, email, username, hashed_password, created_at, updated_at, status, rbac_roles
 `

 type InsertUserParams struct {
@ -2013,6 +2086,7 @@ type InsertUserParams struct {
 	HashedPassword []byte    `db:"hashed_password" json:"hashed_password"`
 	CreatedAt      time.Time `db:"created_at" json:"created_at"`
 	UpdatedAt      time.Time `db:"updated_at" json:"updated_at"`
+	RBACRoles      []string  `db:"rbac_roles" json:"rbac_roles"`
 }

 func (q *sqlQuerier) InsertUser(ctx context.Context, arg InsertUserParams) (User, error) {
@ -2023,6 +2097,7 @@ func (q *sqlQuerier) InsertUser(ctx context.Context, arg InsertUserParams) (User
 		arg.HashedPassword,
 		arg.CreatedAt,
 		arg.UpdatedAt,
+		pq.Array(arg.RBACRoles),
 	)
 	var i User
 	err := row.Scan(
@ -2033,6 +2108,7 @@ func (q *sqlQuerier) InsertUser(ctx context.Context, arg InsertUserParams) (User
 		&i.CreatedAt,
 		&i.UpdatedAt,
 		&i.Status,
+		pq.Array(&i.RBACRoles),
 	)
 	return i, err
 }
@ -2045,7 +2121,7 @@ SET
 	username = $3,
 	updated_at = $4
 WHERE
-	id = $1 RETURNING id, email, username, hashed_password, created_at, updated_at, status
+	id = $1 RETURNING id, email, username, hashed_password, created_at, updated_at, status, rbac_roles
 `

 type UpdateUserProfileParams struct {
@ -2071,6 +2147,39 @@ func (q *sqlQuerier) UpdateUserProfile(ctx context.Context, arg UpdateUserProfil
 		&i.CreatedAt,
 		&i.UpdatedAt,
 		&i.Status,
+		pq.Array(&i.RBACRoles),
+	)
+	return i, err
+}
+
+const updateUserRoles = `-- name: UpdateUserRoles :one
+UPDATE
+    users
+SET
+	-- Remove all duplicates from the roles.
+	rbac_roles = ARRAY(SELECT DISTINCT UNNEST($1 :: text[]))
+WHERE
+ 	id = $2
+RETURNING id, email, username, hashed_password, created_at, updated_at, status, rbac_roles
+`
+
+type UpdateUserRolesParams struct {
+	GrantedRoles []string  `db:"granted_roles" json:"granted_roles"`
+	ID           uuid.UUID `db:"id" json:"id"`
+}
+
+func (q *sqlQuerier) UpdateUserRoles(ctx context.Context, arg UpdateUserRolesParams) (User, error) {
+	row := q.db.QueryRowContext(ctx, updateUserRoles, pq.Array(arg.GrantedRoles), arg.ID)
+	var i User
+	err := row.Scan(
+		&i.ID,
+		&i.Email,
+		&i.Username,
+		&i.HashedPassword,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+		&i.Status,
+		pq.Array(&i.RBACRoles),
 	)
 	return i, err
 }
@ -2082,7 +2191,7 @@ SET
 	status = $2,
 	updated_at = $3
 WHERE
-	id = $1 RETURNING id, email, username, hashed_password, created_at, updated_at, status
+	id = $1 RETURNING id, email, username, hashed_password, created_at, updated_at, status, rbac_roles
 `

 type UpdateUserStatusParams struct {
@ -2102,6 +2211,7 @@ func (q *sqlQuerier) UpdateUserStatus(ctx context.Context, arg UpdateUserStatusP
 		&i.CreatedAt,
 		&i.UpdatedAt,
 		&i.Status,
+		pq.Array(&i.RBACRoles),
 	)
 	return i, err
 }
--- a/coderd/database/queries/organizationmembers.sql
+++ b/coderd/database/queries/organizationmembers.sql
@ -21,6 +21,15 @@ INSERT INTO
 VALUES
 	($1, $2, $3, $4, $5) RETURNING *;

+
+-- name: GetOrganizationMembershipsByUserID :many
+SELECT
+	*
+FROM
+	organization_members
+WHERE
+  user_id = $1;
+
 -- name: GetOrganizationIDsByMemberIDs :many
 SELECT
    user_id, array_agg(organization_id) :: uuid [ ] AS "organization_IDs"
@ -30,3 +39,14 @@ WHERE
    user_id = ANY(@ids :: uuid [ ])
 GROUP BY
    user_id;
+
+-- name: UpdateMemberRoles :one
+UPDATE
+	organization_members
+SET
+	-- Remove all duplicates from the roles.
+	roles = ARRAY(SELECT DISTINCT UNNEST(@granted_roles :: text[]))
+WHERE
+		user_id = @user_id
+		AND organization_id = @org_id
+RETURNING *;
--- a/coderd/database/queries/users.sql
+++ b/coderd/database/queries/users.sql
@ -33,10 +33,11 @@ INSERT INTO
 		username,
 		hashed_password,
 		created_at,
-		updated_at
+		updated_at,
+		rbac_roles
 	)
 VALUES
-	($1, $2, $3, $4, $5, $6) RETURNING *;
+	($1, $2, $3, $4, $5, $6, $7) RETURNING *;

 -- name: UpdateUserProfile :one
 UPDATE
@ -48,6 +49,16 @@ SET
 WHERE
 	id = $1 RETURNING *;

+-- name: UpdateUserRoles :one
+UPDATE
+    users
+SET
+	-- Remove all duplicates from the roles.
+	rbac_roles = ARRAY(SELECT DISTINCT UNNEST(@granted_roles :: text[]))
+WHERE
+ 	id = @id
+RETURNING *;
+
 -- name: GetUsers :many
 SELECT
 	*
--- a/coderd/database/sqlc.yaml
+++ b/coderd/database/sqlc.yaml
@ -28,3 +28,4 @@ rename:
  parameter_type_system_hcl: ParameterTypeSystemHCL
  userstatus: UserStatus
  gitsshkey: GitSSHKey
+  rbac_roles: RBACRoles