chore: remove UpsertCustomRole in favor of Insert + Update (#14217)

* chore: remove UpsertCustomRole in favor of Insert + Update --------- Co-authored-by: Jaayden Halko <jaayden.halko@gmail.com>
2025-07-06 15:41:45 +00:00 · 2024-08-13 12:53:47 -05:00
parent 712a1b50d8
commit 84fdfd2a18
39 changed files with 1085 additions and 452 deletions
--- a/enterprise/coderd/coderd.go
+++ b/enterprise/coderd/coderd.go
@ -269,7 +269,8 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 				httpmw.RequireExperiment(api.AGPL.Experiments, codersdk.ExperimentCustomRoles),
 				httpmw.ExtractOrganizationParam(api.Database),
 			)
-			r.Patch("/organizations/{organization}/members/roles", api.patchOrgRoles)
+			r.Post("/organizations/{organization}/members/roles", api.postOrgRoles)
+			r.Put("/organizations/{organization}/members/roles", api.putOrgRoles)
 			r.Delete("/organizations/{organization}/members/roles/{roleName}", api.deleteOrgRole)
 		})

--- a/enterprise/coderd/roles.go
+++ b/enterprise/coderd/roles.go
@ -1,6 +1,7 @@
 package coderd

 import (
+	"context"
 	"fmt"
 	"net/http"

@ -17,19 +18,19 @@ import (
 	"github.com/coder/coder/v2/codersdk"
 )

-// patchRole will allow creating a custom organization role
+// postOrgRoles will allow creating a custom organization role
 //
-// @Summary Upsert a custom organization role
-// @ID upsert-a-custom-organization-role
+// @Summary Insert a custom organization role
+// @ID insert-a-custom-organization-role
 // @Security CoderSessionToken
 // @Accept json
 // @Produce json
 // @Param organization path string true "Organization ID" format(uuid)
-// @Param request body codersdk.PatchRoleRequest true "Upsert role request"
+// @Param request body codersdk.CustomRoleRequest true "Insert role request"
 // @Tags Members
 // @Success 200 {array} codersdk.Role
-// @Router /organizations/{organization}/members/roles [patch]
-func (api *API) patchOrgRoles(rw http.ResponseWriter, r *http.Request) {
+// @Router /organizations/{organization}/members/roles [post]
+func (api *API) postOrgRoles(rw http.ResponseWriter, r *http.Request) {
 	var (
 		ctx               = r.Context()
 		db                = api.Database
@ -39,74 +40,22 @@ func (api *API) patchOrgRoles(rw http.ResponseWriter, r *http.Request) {
 			Audit:          *auditor,
 			Log:            api.Logger,
 			Request:        r,
-			Action:         database.AuditActionWrite,
+			Action:         database.AuditActionCreate,
 			OrganizationID: organization.ID,
 		})
 	)
 	defer commitAudit()

-	var req codersdk.PatchRoleRequest
+	var req codersdk.CustomRoleRequest
 	if !httpapi.Read(ctx, rw, r, &req) {
 		return
 	}

-	// This check is not ideal, but we cannot enforce a unique role name in the db against
-	// the built-in role names.
-	if rbac.ReservedRoleName(req.Name) {
-		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
-			Message: "Reserved role name",
-			Detail:  fmt.Sprintf("%q is a reserved role name, and not allowed to be used", req.Name),
-		})
+	if !validOrganizationRoleRequest(ctx, req, rw) {
 		return
 	}

-	if err := httpapi.NameValid(req.Name); err != nil {
-		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
-			Message: "Invalid role name",
-			Detail:  err.Error(),
-		})
-		return
-	}
-
-	// Only organization permissions are allowed to be granted
-	if len(req.SitePermissions) > 0 {
-		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
-			Message: "Invalid request, not allowed to assign site wide permissions for an organization role.",
-			Detail:  "organization scoped roles may not contain site wide permissions",
-		})
-		return
-	}
-
-	if len(req.UserPermissions) > 0 {
-		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
-			Message: "Invalid request, not allowed to assign user permissions for an organization role.",
-			Detail:  "organization scoped roles may not contain user permissions",
-		})
-		return
-	}
-
-	originalRoles, err := db.CustomRoles(ctx, database.CustomRolesParams{
-		LookupRoles: []database.NameOrganizationPair{
-			{
-				Name:           req.Name,
-				OrganizationID: organization.ID,
-			},
-		},
-		ExcludeOrgRoles: false,
-		// Linter requires all fields to be set. This field is not actually required.
-		OrganizationID: organization.ID,
-	})
-	// If it is a 404 (not found) error, ignore it.
-	if err != nil && !httpapi.Is404Error(err) {
-		httpapi.InternalServerError(rw, err)
-		return
-	}
-	if len(originalRoles) == 1 {
-		// For auditing changes to a role.
-		aReq.Old = originalRoles[0]
-	}
-
-	inserted, err := db.UpsertCustomRole(ctx, database.UpsertCustomRoleParams{
+	inserted, err := db.InsertCustomRole(ctx, database.InsertCustomRoleParams{
 		Name:        req.Name,
 		DisplayName: req.DisplayName,
 		OrganizationID: uuid.NullUUID{
@ -133,6 +82,91 @@ func (api *API) patchOrgRoles(rw http.ResponseWriter, r *http.Request) {
 	httpapi.Write(ctx, rw, http.StatusOK, db2sdk.Role(inserted))
 }

+// patchRole will allow creating a custom organization role
+//
+// @Summary Upsert a custom organization role
+// @ID upsert-a-custom-organization-role
+// @Security CoderSessionToken
+// @Accept json
+// @Produce json
+// @Param organization path string true "Organization ID" format(uuid)
+// @Param request body codersdk.CustomRoleRequest true "Upsert role request"
+// @Tags Members
+// @Success 200 {array} codersdk.Role
+// @Router /organizations/{organization}/members/roles [put]
+func (api *API) putOrgRoles(rw http.ResponseWriter, r *http.Request) {
+	var (
+		ctx               = r.Context()
+		db                = api.Database
+		auditor           = api.AGPL.Auditor.Load()
+		organization      = httpmw.OrganizationParam(r)
+		aReq, commitAudit = audit.InitRequest[database.CustomRole](rw, &audit.RequestParams{
+			Audit:          *auditor,
+			Log:            api.Logger,
+			Request:        r,
+			Action:         database.AuditActionWrite,
+			OrganizationID: organization.ID,
+		})
+	)
+	defer commitAudit()
+
+	var req codersdk.CustomRoleRequest
+	if !httpapi.Read(ctx, rw, r, &req) {
+		return
+	}
+
+	if !validOrganizationRoleRequest(ctx, req, rw) {
+		return
+	}
+
+	originalRoles, err := db.CustomRoles(ctx, database.CustomRolesParams{
+		LookupRoles: []database.NameOrganizationPair{
+			{
+				Name:           req.Name,
+				OrganizationID: organization.ID,
+			},
+		},
+		ExcludeOrgRoles: false,
+		// Linter requires all fields to be set. This field is not actually required.
+		OrganizationID: organization.ID,
+	})
+	// If it is a 404 (not found) error, ignore it.
+	if err != nil && !httpapi.Is404Error(err) {
+		httpapi.InternalServerError(rw, err)
+		return
+	}
+	if len(originalRoles) == 1 {
+		// For auditing changes to a role.
+		aReq.Old = originalRoles[0]
+	}
+
+	updated, err := db.UpdateCustomRole(ctx, database.UpdateCustomRoleParams{
+		Name:        req.Name,
+		DisplayName: req.DisplayName,
+		OrganizationID: uuid.NullUUID{
+			UUID:  organization.ID,
+			Valid: true,
+		},
+		SitePermissions: db2sdk.List(req.SitePermissions, sdkPermissionToDB),
+		OrgPermissions:  db2sdk.List(req.OrganizationPermissions, sdkPermissionToDB),
+		UserPermissions: db2sdk.List(req.UserPermissions, sdkPermissionToDB),
+	})
+	if httpapi.Is404Error(err) {
+		httpapi.ResourceNotFound(rw)
+		return
+	}
+	if err != nil {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: "Failed to update role permissions",
+			Detail:  err.Error(),
+		})
+		return
+	}
+	aReq.New = updated
+
+	httpapi.Write(ctx, rw, http.StatusOK, db2sdk.Role(updated))
+}
+
 // deleteOrgRole will remove a custom role from an organization
 //
 // @Summary Delete a custom organization role
@ -220,3 +254,42 @@ func sdkPermissionToDB(p codersdk.Permission) database.CustomRolePermission {
 		Action:       policy.Action(p.Action),
 	}
 }
+
+func validOrganizationRoleRequest(ctx context.Context, req codersdk.CustomRoleRequest, rw http.ResponseWriter) bool {
+	// This check is not ideal, but we cannot enforce a unique role name in the db against
+	// the built-in role names.
+	if rbac.ReservedRoleName(req.Name) {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: "Reserved role name",
+			Detail:  fmt.Sprintf("%q is a reserved role name, and not allowed to be used", req.Name),
+		})
+		return false
+	}
+
+	if err := httpapi.NameValid(req.Name); err != nil {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: "Invalid role name",
+			Detail:  err.Error(),
+		})
+		return false
+	}
+
+	// Only organization permissions are allowed to be granted
+	if len(req.SitePermissions) > 0 {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: "Invalid request, not allowed to assign site wide permissions for an organization role.",
+			Detail:  "organization scoped roles may not contain site wide permissions",
+		})
+		return false
+	}
+
+	if len(req.UserPermissions) > 0 {
+		httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+			Message: "Invalid request, not allowed to assign user permissions for an organization role.",
+			Detail:  "organization scoped roles may not contain user permissions",
+		})
+		return false
+	}
+
+	return true
+}
--- a/enterprise/coderd/roles_test.go
+++ b/enterprise/coderd/roles_test.go
@ -57,7 +57,7 @@ func TestCustomOrganizationRole(t *testing.T) {
 		ctx := testutil.Context(t, testutil.WaitMedium)

 		//nolint:gocritic // owner is required for this
-		role, err := owner.PatchOrganizationRole(ctx, templateAdminCustom(first.OrganizationID))
+		role, err := owner.CreateOrganizationRole(ctx, templateAdminCustom(first.OrganizationID))
 		require.NoError(t, err, "upsert role")

 		// Assign the custom template admin role
@ -111,7 +111,7 @@ func TestCustomOrganizationRole(t *testing.T) {
 		ctx := testutil.Context(t, testutil.WaitMedium)

 		//nolint:gocritic // owner is required for this
-		role, err := owner.PatchOrganizationRole(ctx, templateAdminCustom(first.OrganizationID))
+		role, err := owner.CreateOrganizationRole(ctx, templateAdminCustom(first.OrganizationID))
 		require.NoError(t, err, "upsert role")

 		// Remove the license to block enterprise functionality
@ -124,7 +124,7 @@ func TestCustomOrganizationRole(t *testing.T) {
 		}

 		// Verify functionality is lost
-		_, err = owner.PatchOrganizationRole(ctx, templateAdminCustom(first.OrganizationID))
+		_, err = owner.UpdateOrganizationRole(ctx, templateAdminCustom(first.OrganizationID))
 		require.ErrorContains(t, err, "Custom Roles is an Enterprise feature")

 		// Assign the custom template admin role
@ -152,7 +152,7 @@ func TestCustomOrganizationRole(t *testing.T) {

 		ctx := testutil.Context(t, testutil.WaitMedium)
 		//nolint:gocritic // owner is required for this
-		role, err := owner.PatchOrganizationRole(ctx, templateAdminCustom(first.OrganizationID))
+		role, err := owner.CreateOrganizationRole(ctx, templateAdminCustom(first.OrganizationID))
 		require.NoError(t, err, "upsert role")

 		// Assign the custom template admin role
@ -169,7 +169,7 @@ func TestCustomOrganizationRole(t *testing.T) {
 		newRole.SitePermissions = nil
 		newRole.OrganizationPermissions = nil
 		newRole.UserPermissions = nil
-		_, err = owner.PatchOrganizationRole(ctx, newRole)
+		_, err = owner.UpdateOrganizationRole(ctx, newRole)
 		require.NoError(t, err, "upsert role with override")

 		// The role should no longer have template perms
@ -203,7 +203,7 @@ func TestCustomOrganizationRole(t *testing.T) {
 		ctx := testutil.Context(t, testutil.WaitMedium)

 		//nolint:gocritic // owner is required for this
-		_, err := owner.PatchOrganizationRole(ctx, codersdk.Role{
+		_, err := owner.CreateOrganizationRole(ctx, codersdk.Role{
 			Name:                    "Bad_Name", // No underscores allowed
 			DisplayName:             "Testing Purposes",
 			OrganizationID:          first.OrganizationID.String(),
@ -232,7 +232,7 @@ func TestCustomOrganizationRole(t *testing.T) {
 		ctx := testutil.Context(t, testutil.WaitMedium)

 		//nolint:gocritic // owner is required for this
-		_, err := owner.PatchOrganizationRole(ctx, codersdk.Role{
+		_, err := owner.CreateOrganizationRole(ctx, codersdk.Role{
 			Name:                    "owner", // Reserved
 			DisplayName:             "Testing Purposes",
 			OrganizationID:          first.OrganizationID.String(),
@ -270,7 +270,7 @@ func TestCustomOrganizationRole(t *testing.T) {
 		}

 		//nolint:gocritic // owner is required for this
-		_, err := owner.PatchOrganizationRole(ctx, siteRole)
+		_, err := owner.CreateOrganizationRole(ctx, siteRole)
 		require.ErrorContains(t, err, "site wide permissions")

 		userRole := templateAdminCustom(first.OrganizationID)
@ -282,7 +282,7 @@ func TestCustomOrganizationRole(t *testing.T) {
 		}

 		//nolint:gocritic // owner is required for this
-		_, err = owner.PatchOrganizationRole(ctx, userRole)
+		_, err = owner.UpdateOrganizationRole(ctx, userRole)
 		require.ErrorContains(t, err, "not allowed to assign user permissions")
 	})

@ -307,7 +307,7 @@ func TestCustomOrganizationRole(t *testing.T) {
 		newRole.OrganizationID = "0000" // This is not a valid uuid

 		//nolint:gocritic // owner is required for this
-		_, err := owner.PatchOrganizationRole(ctx, newRole)
+		_, err := owner.CreateOrganizationRole(ctx, newRole)
 		require.ErrorContains(t, err, "Resource not found")
 	})

@ -329,7 +329,7 @@ func TestCustomOrganizationRole(t *testing.T) {
 		orgAdmin, orgAdminUser := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID, rbac.ScopedRoleOrgAdmin(first.OrganizationID))
 		ctx := testutil.Context(t, testutil.WaitMedium)

-		createdRole, err := orgAdmin.PatchOrganizationRole(ctx, templateAdminCustom(first.OrganizationID))
+		createdRole, err := orgAdmin.CreateOrganizationRole(ctx, templateAdminCustom(first.OrganizationID))
 		require.NoError(t, err, "upsert role")

 		//nolint:gocritic // org_admin cannot assign to themselves
@ -389,7 +389,7 @@ func TestCustomOrganizationRole(t *testing.T) {
 		orgAdmin, orgAdminUser := coderdtest.CreateAnotherUser(t, owner, first.OrganizationID, rbac.ScopedRoleOrgAdmin(first.OrganizationID))
 		ctx := testutil.Context(t, testutil.WaitMedium)

-		createdRole, err := orgAdmin.PatchOrganizationRole(ctx, templateAdminCustom(first.OrganizationID))
+		createdRole, err := orgAdmin.CreateOrganizationRole(ctx, templateAdminCustom(first.OrganizationID))
 		require.NoError(t, err, "upsert role")

 		customRoleIdentifier := rbac.RoleIdentifier{
--- a/enterprise/coderd/templates_test.go
+++ b/enterprise/coderd/templates_test.go
@ -751,7 +751,7 @@ func TestTemplates(t *testing.T) {
 		})

 		//nolint:gocritic // owner required to make custom roles
-		orgTemplateAdminRole, err := ownerClient.PatchOrganizationRole(ctx, codersdk.Role{
+		orgTemplateAdminRole, err := ownerClient.CreateOrganizationRole(ctx, codersdk.Role{
 			Name:           "org-template-admin",
 			OrganizationID: secondOrg.ID.String(),
 			OrganizationPermissions: codersdk.CreatePermissions(map[codersdk.RBACResource][]codersdk.RBACAction{
--- a/enterprise/coderd/userauth_test.go
+++ b/enterprise/coderd/userauth_test.go
@ -705,7 +705,7 @@ func TestEnterpriseUserLogin(t *testing.T) {

 		ctx := testutil.Context(t, testutil.WaitShort)
 		//nolint:gocritic // owner required
-		customRole, err := ownerClient.PatchOrganizationRole(ctx, codersdk.Role{
+		customRole, err := ownerClient.CreateOrganizationRole(ctx, codersdk.Role{
 			Name:                    "custom-role",
 			OrganizationID:          owner.OrganizationID.String(),
 			OrganizationPermissions: []codersdk.Permission{},
--- a/enterprise/coderd/users_test.go
+++ b/enterprise/coderd/users_test.go
@ -271,7 +271,7 @@ func TestAssignCustomOrgRoles(t *testing.T) {

 	ctx := testutil.Context(t, testutil.WaitShort)
 	// Create a custom role as an organization admin that allows making templates.
-	auditorRole, err := client.PatchOrganizationRole(ctx, codersdk.Role{
+	auditorRole, err := client.CreateOrganizationRole(ctx, codersdk.Role{
 		Name:            "org-template-admin",
 		OrganizationID:  owner.OrganizationID.String(),
 		DisplayName:     "Template Admin",