feat: Implement list roles & enforce authorize examples (#1273)

coderd/rbac/builtin.go

@@ -145,6 +145,49 @@ func IsOrgRole(roleName string) (string, bool) {
 	return "", false
 }
 
+// OrganizationRoles lists all roles that can be applied to an organization user
+// in the given organization. This is the list of available roles,
+// and specific to an organization.
+//
+// This should be a list in a database, but until then we build
+// the list from the builtins.
+func OrganizationRoles(organizationID uuid.UUID) []string {
+	var roles []string
+	for _, roleF := range builtInRoles {
+		role := roleF(organizationID.String()).Name
+		_, scope, err := roleSplit(role)
+		if err != nil {
+			// This should never happen
+			continue
+		}
+		if scope == organizationID.String() {
+			roles = append(roles, role)
+		}
+	}
+	return roles
+}
+
+// SiteRoles lists all roles that can be applied to a user.
+// This is the list of available roles, and not specific to a user
+//
+// This should be a list in a database, but until then we build
+// the list from the builtins.
+func SiteRoles() []string {
+	var roles []string
+	for _, roleF := range builtInRoles {
+		role := roleF("random")
+		_, scope, err := roleSplit(role.Name)
+		if err != nil {
+			// This should never happen
+			continue
+		}
+		if scope == "" {
+			roles = append(roles, role.Name)
+		}
+	}
+	return roles
+}
+
 // roleName is a quick helper function to return
 // 	role_name:scopeID
 // If no scopeID is required, only 'role_name' is returned

coderd/rbac/builtin_test.go

@@ -1,6 +1,7 @@
 package rbac_test
 
 import (
+	"fmt"
 	"testing"
 
 	"github.com/google/uuid"
@@ -60,3 +61,23 @@ func TestIsOrgRole(t *testing.T) {
 		})
 	}
 }
+
+func TestListRoles(t *testing.T) {
+	t.Parallel()
+
+	// If this test is ever failing, just update the list to the roles
+	// expected from the builtin set.
+	require.ElementsMatch(t, []string{
+		"admin",
+		"member",
+		"auditor",
+	},
+		rbac.SiteRoles())
+
+	orgID := uuid.New()
+	require.ElementsMatch(t, []string{
+		fmt.Sprintf("organization-admin:%s", orgID.String()),
+		fmt.Sprintf("organization-member:%s", orgID.String()),
+	},
+		rbac.OrganizationRoles(orgID))
+}

coderd/rbac/object.go

@@ -17,6 +17,13 @@ var (
 		Type: "template",
 	}
 
+	// ResourceUserRole might be expanded later to allow more granular permissions
+	// to modifying roles. For now, this covers all possible roles, so having this permission
+	// allows granting/deleting **ALL** roles.
+	ResourceUserRole = Object{
+		Type: "user_role",
+	}
+
 	// ResourceWildcard represents all resource types
 	ResourceWildcard = Object{
 		Type: WildcardSymbol,